Prepare for more parameterized actions

- Export add_commands, incr_cmd_level and decr_cmd_level by default - Move ensure_audit_chain and require_audit from Rules.pm to Chains.pm - Add get_action_logging() function - Export require_capability and have_capability by default Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-12-19 21:01:20 +01:00 · 2011-07-03 06:22:51 -07:00 · 2011-07-03 06:22:51 -07:00 · 7e3f97c154
commit 7e3f97c154
parent ad71faacaa
3 changed files with 99 additions and 122 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -35,23 +35,29 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw(
-		  add_rule
-		  add_jump
-		  insert_rule
-		  new_chain
-		  new_manual_chain
-		  ensure_manual_chain
-		  log_rule_limit
-		  dont_optimize
-		  dont_delete
-		  dont_move
+		    add_rule
+		    add_jump
+		    insert_rule
+		    add_commands
+		    incr_cmd_level
+		    decr_cmd_level
+		    new_chain
+		    new_manual_chain
+		    ensure_manual_chain
+		    ensure_audit_chain
+		    require_audit
+		    log_rule_limit
+		    dont_optimize
+		    dont_delete
+		    dont_move
+		    get_action_logging

-		  %chain_table
-		  $raw_table
-		  $nat_table
-		  $mangle_table
-		  $filter_table
-		  );
+		    %chain_table
+		    $raw_table
+		    $nat_table
+		    $mangle_table
+		    $filter_table
+	       );

 our %EXPORT_TAGS = (
 		    internal => [  qw( STANDARD
@ -78,7 +84,6 @@ our %EXPORT_TAGS = (
 				       NOT_RESTORE

 				       initialize_chain_table
-				       add_commands
 				       copy_rules
 				       move_rules
 				       insert_rule1
@ -90,8 +95,6 @@ our %EXPORT_TAGS = (
 				       clear_comment
 				       push_comment
 				       pop_comment
-				       incr_cmd_level
-				       decr_cmd_level
 				       forward_chain
 				       rules_chain
 				       zone_forward_chain
@ -1559,6 +1562,77 @@ sub ensure_manual_chain($) {
    $chainref;
 }

+#
+# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
+#
+
+sub ensure_audit_chain( $;$$ ) {
+    my ( $target, $action, $tgt ) = @_;
+
+    push_comment( '' );
+
+    my $ref = $filter_table->{$target};
+
+    unless ( $ref ) {
+	$ref = new_chain 'filter', $target;
+
+	unless ( $action ) {
+	    $action = $target;
+	    $action =~ s/^A_//;
+	}
+
+	$tgt ||= $action;
+
+	if ( $config{FAKE_AUDIT} ) {
+	    add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
+	} else {
+	    add_rule $ref, '-j AUDIT --type ' . lc $action;
+	}
+
+	
+	if ( $tgt eq 'REJECT' ) {
+	    add_jump $ref , 'reject', 1;
+	} else {
+	    add_jump $ref , $tgt, 0;
+	}
+    }
+
+    pop_comment;
+
+    return $target;
+}
+
+#
+# Return the appropriate target based on whether the second argument is 'audit'
+#
+
+sub require_audit($$;$) {
+    my ($action, $audit, $tgt ) = @_;
+
+    return $action unless supplied $audit;
+
+    my $target = 'A_' . $action;
+
+    fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
+
+    require_capability 'AUDIT_TARGET', 'audit', 's';
+
+    return ensure_audit_chain $target, $action, $tgt;
+}   
+  
+#
+# Returns the Level and Tag for the current action chain
+#
+sub get_action_logging() {
+    my $chainref = get_action_chain;
+    my $wholeaction = $chainref->{action};
+    my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
+    
+    $level = '' if $level =~ /^none/;
+
+    ( $level, $tag );
+}
+
 #
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -47,14 +47,20 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
+		 
 		 progress_message
 		 progress_message_nocompress
 		 progress_message2
 		 progress_message3
+		 
 		 supplied
+		 
 		 get_action_params
 		 get_action_chain
 		 set_action_param
+		 
+		 have_capability
+		 require_capability
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
@ -113,8 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       add_param
 				       export_params
 				       get_configuration
-				       require_capability
-				       have_capability
 				       report_capabilities
 				       propagateconfig
 				       append_file
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -663,8 +663,6 @@ sub complete_standard_chain ( $$$$ ) {
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

-sub require_audit($$;$);
-
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@ -1148,105 +1146,6 @@ sub map_old_actions( $ ) {
    }
 }

-#
-# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
-
-sub ensure_audit_chain( $;$$ ) {
-    my ( $target, $action, $tgt ) = @_;
-
-    push_comment( '' );
-
-    my $ref = $filter_table->{$target};
-
-    unless ( $ref ) {
-	$ref = new_chain 'filter', $target;
-
-	unless ( $action ) {
-	    $action = $target;
-	    $action =~ s/^A_//;
-	}
-
-	$tgt ||= $action;
-
-	if ( $config{FAKE_AUDIT} ) {
-	    add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
-	} else {
-	    add_rule $ref, '-j AUDIT --type ' . lc $action;
-	}
-
-	
-	if ( $tgt eq 'REJECT' ) {
-	    add_jump $ref , 'reject', 1;
-	} else {
-	    add_jump $ref , $tgt, 0;
-	}
-    }
-
-    pop_comment;
-
-    return $target;
-}
-
-#
-# Return the appropriate target based on whether the second argument is 'audit'
-#
-
-sub require_audit($$;$) {
-    my ($action, $audit, $tgt ) = @_;
-
-    return $action unless supplied $audit;
-
-    my $target = 'A_' . $action;
-
-    fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
-
-    require_capability 'AUDIT_TARGET', 'audit', 's';
-
-    return ensure_audit_chain $target, $action, $tgt;
-}   
-  
-#
-# The following small functions generate rules for the builtin actions of the same name
-#
-sub dropBcast( $$$$ ) {
-    my ($chainref, $level, $tag, $audit) = @_;
-
-    my $target = require_audit ( 'DROP', $audit );
-
-    if ( have_capability( 'ADDRTYPE' ) ) {
-	if ( $level ne '' ) {
-	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    if ( $family == F_IPV4 ) {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
-	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
-	    }
-	}
-	
-	add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
-    } else {
-	if ( $family == F_IPV4 ) {
-	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-	} else {
-	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
-	}
-
-	incr_cmd_level $chainref;
-	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
-	add_jump $chainref, $target, 0, "-d \$address ";
-	decr_cmd_level $chainref;
-	add_commands $chainref, 'done';
-
-	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-    }
-
-    if ( $family == F_IPV4 ) {
-	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
-    } else {
-	add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
-    }
-}
-
 sub allowBcast( $$$$ ) {
    my ($chainref, $level, $tag, $audit) = @_;