Make IP[6]TABLES transparent

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-30 22:50:02 +02:00 · 2016-01-04 13:10:03 -08:00
parent 89d91d37a1
commit 70a9240de6
7 changed files with 47 additions and 22 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -292,6 +292,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 			    $target ,
 			    '' ,
 		            $disposition ,
 		            '' ,
 			    ''  );
 	    }
 	}
@ -386,6 +387,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	$target ,
 	'' ,
 	$disposition ,
 	'' ,
 	'' ;
    if ( $rule2 || $jump ) {
@ -415,6 +417,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    '' ,
 		    '' ,
 	            '' ,
 	            '' ,
 		    '' );
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -7428,7 +7428,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$$;$ )
+sub expand_rule( $$$$$$$$$$$$;$ )
 {
    my ($chainref ,    # Chain
 	$restriction,  # Determines what to do with interface names in the SOURCE or DEST
@ -7441,6 +7441,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
 	$usergenerated,# Rule came from the IP[6]TABLES target
 	$logname,      # Name of chain to name in log messages
       ) = @_;
@ -7605,9 +7606,9 @@ sub expand_rule( $$$$$$$$$$$;$ )
 		    my $cond3 = conditional_rule( $chainref, $dnet );
-		    if ( $loglevel eq '' ) {
+		    if ( $loglevel eq '' || $usergenerated ) {
 			#
-			# No logging -- add the target rule with matches to the rule chain
+			# No logging or user-specified logging -- add the target rule with matches to the rule chain
 			#
 			if ( $targetref ) {
 			    add_expanded_jump( $chainref, $targetref , 0, $matches );
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -614,7 +614,8 @@ sub process_stoppedrules() {
 				 $target,
 				 '',
 				 $disposition,
-				 do_proto( $proto, '-', '-' ) );
+				 do_proto( $proto, '-', '-' ),
 				 '');
 		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -345,7 +345,8 @@ sub process_one_masq1( $$$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule )
+		     $exceptionrule ,
 		     '' )
 	    unless unreachable_warning( 0, $chainref );
 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@ -795,7 +796,8 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
+		  $serverport ? do_proto( $proto, '', '' ) : '' ,
 		  '' ,
 		)
 	unless unreachable_warning( $wildcard, $chainref );
@ -867,6 +869,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
 			 '',
 			 dnat_chain( $sourcezone  ) )
 		unless unreachable_warning( $wildcard, $chn );
@ -888,6 +891,7 @@ sub handle_nonat_rule( $$$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
 		 '',
 	       )
 	unless unreachable_warning( $wildcard, $nonat_chain );
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@ -98,6 +98,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 	$action = join( ":" , 'LOG', $action );
    }
    my $usergenerated;
    if ( $action eq 'NOTRACK' ) {
 	#
 	# A patch that deimplements the NOTRACK target has been posted on the
@ -204,7 +206,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $action ,
 		 $level || '' ,
 		 $disposition ,
-		 $exception_rule );
+		 $exception_rule ,
 		 $usergenerated && ! $level );
    progress_message "  Conntrack rule \"$currentline\" $done";
 }
@ -247,6 +250,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '',
 			 'CT' ,
 			 '' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
@ -261,6 +265,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 $action_target ,
 			 '' ,
 			 'CT' ,
 			 '' ,
 			 '' );
 	}
    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2264,6 +2264,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    my $matches     = $rule;
    my $raw_matches = '';
    my $exceptionrule = '';
    my $usergenerated;
    if ( $inchain = defined $chainref ) {
 	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@ -2287,6 +2288,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    fatal_error "Unknown ACTION ($action)" unless $actiontype;
    $usergenerated = $actiontype & IPTABLES;
    if ( $actiontype == MACRO ) {
 	#
 	# process_macro() will call process_rule() recursively for each rule in the macro body
@ -2333,7 +2336,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$param = $param eq '' ? 'drop' : $param;
 	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
 	$actiontype = STANDARD;
-    } elsif ( $actiontype & NFLOG ) {
+    } elsif ( ! $usergenerated ) {
 	if ( $actiontype & NFLOG ) {
 	    validate_level( $action );
 	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	    $action   = 'LOG';
@ -2341,7 +2345,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
 	}
-
+    }
    #
    # We can now dispense with the postfix character
    #
@ -2909,7 +2913,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		     $action ,
 		     $loglevel ,
 		     $log_action ,
-		     $exceptionrule )
+		     $exceptionrule ,
 		     $usergenerated && ! $loglevel )
 	    unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -227,6 +227,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
    our $designator;
    our $ttl            = 0;
    my $fw              = firewall_zone;
    my $usergenerated;
    sub handle_mark_param( $$ ) {
 	my ( $option, $marktype ) = @_;
@ -290,7 +291,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 			     "$target $option " . join( '/', in_hex( $markval ) , $mask ) ,
 			     '',
 			     $target ,
-			     $exceptionrule );
+			     $exceptionrule ,
 			     ''  );
 	    }
 	    $done = 1;
@ -525,6 +527,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
 	},
@ -540,6 +543,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 		fatal_error "Unknown target ($tgt)" unless $target_type;
 		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 		$target        = $params;
 		$usergenerated = 1;
 	    },
 	},
@ -850,7 +854,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 					 $target,
 					 '' ,
 					 $target ,
-					 $exceptionrule ) )
+					 $exceptionrule ,
 					 $usergenerated ) )
 	     && $device ) {
 	    #
 	    # expand_rule() returns destination device if any
@ -3118,6 +3123,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
 		 $target ,
 		 '' ,
 		 $disposition,
 		 '' ,
 		 '' );
    progress_message "Secmarks rule \"$currentline\" $done";