mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 16:13:18 +01:00
Add an argument to new_chain()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7322 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
12d19c8ec3
commit
8a9b9c2714
@ -75,7 +75,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
|
||||
sub jump_to_chain( $ ) {
|
||||
my $jumpchain = $_[0];
|
||||
$jumpchainref = ensure_chain( 'filter', $jumpchain );
|
||||
$jumpchainref = ensure_chain( 'filter', IPv4, $jumpchain );
|
||||
check_for_builtin( $jumpchainref );
|
||||
mark_referenced $jumpchainref;
|
||||
"-j $jumpchain";
|
||||
|
||||
@ -593,28 +593,18 @@ sub new_chain($$$)
|
||||
cmdlevel => 0 };
|
||||
}
|
||||
|
||||
#
|
||||
# Create an anonymous chain
|
||||
#
|
||||
sub new_anon_chain( $ ) {
|
||||
my $chainref = $_[0];
|
||||
my $seq = $chainseq++;
|
||||
new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
|
||||
}
|
||||
|
||||
#
|
||||
#
|
||||
# Create a chain if it doesn't exist already
|
||||
#
|
||||
sub ensure_chain($$)
|
||||
sub ensure_chain($$$)
|
||||
{
|
||||
my ($table, $chain) = @_;
|
||||
my ($table, $ipv, $chain) = @_;
|
||||
|
||||
my $ref = $chain_table{$table}{4}{$chain};
|
||||
my $ref = $chain_table{$table}{$ipv}{$chain};
|
||||
|
||||
return $ref if $ref;
|
||||
|
||||
new_chain $table, IPv4, $chain;
|
||||
new_chain $table, $ipv, $chain;
|
||||
}
|
||||
|
||||
sub finish_chain_section( $$ );
|
||||
@ -646,7 +636,7 @@ sub ensure_filter_chain( $$ )
|
||||
sub ensure_mangle_chain($) {
|
||||
my $chain = $_[0];
|
||||
|
||||
my $chainref = ensure_chain 'mangle', $chain;
|
||||
my $chainref = ensure_chain 'mangle', IPv4, $chain;
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
|
||||
@ -713,7 +703,7 @@ sub finish_chain_section ($$) {
|
||||
if ($sections{RELATED} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||
my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
@ -725,7 +715,7 @@ sub finish_chain_section ($$) {
|
||||
} else {
|
||||
my $policychainref = $filter_table->{4}{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||
my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $policychainref;
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
}
|
||||
}
|
||||
@ -757,7 +747,7 @@ sub finish_section ( $ ) {
|
||||
#
|
||||
sub set_mss1( $$ ) {
|
||||
my ( $chain, $mss ) = @_;
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
my $chainref = ensure_chain 'filter', IPv4, $chain;
|
||||
|
||||
if ( $chainref->{policy} ne 'NONE' ) {
|
||||
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
|
||||
|
||||
@ -171,7 +171,7 @@ sub setup_one_masq($$$$$$$)
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
|
||||
|
||||
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
my $chainref = ensure_chain('nat', IPv4, $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
#
|
||||
# If there is no source or destination then allow all addresses
|
||||
#
|
||||
@ -341,7 +341,7 @@ sub do_one_nat( $$$$$ )
|
||||
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
|
||||
|
||||
sub add_nat_rule( $$ ) {
|
||||
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
|
||||
add_rule ensure_chain( 'nat', IPv4, $_[0] ) , $_[1];
|
||||
}
|
||||
|
||||
my $add_ip_aliases = $config{ADD_IP_ALIASES};
|
||||
@ -442,9 +442,9 @@ sub setup_netmap() {
|
||||
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
|
||||
add_rule ensure_chain( 'nat' , IPv4, input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
|
||||
add_rule ensure_chain( 'nat' , IPv4, output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
|
||||
@ -102,8 +102,8 @@ sub process_tos() {
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$pretosref = ensure_chain 'mangle' , $chain;
|
||||
$outtosref = ensure_chain 'mangle' , 'outtos';
|
||||
$pretosref = ensure_chain 'mangle' , IPv4, $chain;
|
||||
$outtosref = ensure_chain 'mangle' , IPv4, 'outtos';
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
@ -194,7 +194,7 @@ sub setup_ecn()
|
||||
progress_message "$doing ECN control on @interfaces...";
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
|
||||
my $chainref = ensure_chain 'mangle', IPv4, ecn_chain( $interface );
|
||||
|
||||
add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
@ -1061,7 +1061,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
# Take care of chain
|
||||
#
|
||||
my $chain = "${sourcezone}2${destzone}";
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
my $chainref = ensure_chain 'filter', IPv4, $chain;
|
||||
#
|
||||
# Validate Policy
|
||||
#
|
||||
@ -1175,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
# And generate the nat table rule(s)
|
||||
#
|
||||
expand_rule ( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
|
||||
expand_rule ( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
|
||||
PREROUTE_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -1212,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
|
||||
}
|
||||
|
||||
expand_rule( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) ,
|
||||
expand_rule( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) ,
|
||||
PREROUTE_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -1239,7 +1239,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$origdest = '';
|
||||
}
|
||||
|
||||
expand_rule( ensure_chain ('filter', $chain ) ,
|
||||
expand_rule( ensure_chain ('filter', IPv4, $chain ) ,
|
||||
$restriction ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -1567,7 +1567,7 @@ sub generate_matrix() {
|
||||
|
||||
if ( $complex ) {
|
||||
$frwd_ref = $filter_table->{4}{"${zone}_frwd"};
|
||||
my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone );
|
||||
my $dnat_ref = ensure_chain 'nat' , IPv4, dnat_chain( $zone );
|
||||
if ( @$exclusions ) {
|
||||
insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
|
||||
}
|
||||
|
||||
@ -275,7 +275,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
if ( ( my $result = expand_rule(
|
||||
ensure_chain( 'mangle' , $chain ) ,
|
||||
ensure_chain( 'mangle' , IPv4, $chain ) ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
|
||||
$source ,
|
||||
@ -618,9 +618,10 @@ sub setup_tc() {
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
for ( @deferred_rules ) {
|
||||
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_;
|
||||
|
||||
if ( @deferred_rules ) {
|
||||
my $chainref = ensure_chain( 'mangle' , IPv4, 'tcpost' );
|
||||
add_rule $chainref, $_ for ( @deferred_rules );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user