From 8a9b9c27140debc18cc2d59c27d0862af58381dd Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 11 Sep 2007 20:27:45 +0000
Subject: [PATCH] Add an argument to new_chain()

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7322 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Accounting.pm | 2 +-
 Shorewall-perl/Shorewall/Chains.pm | 26 ++++++++------------------
 Shorewall-perl/Shorewall/Nat.pm | 8 ++++----
 Shorewall-perl/Shorewall/Rules.pm | 16 ++++++++--------
 Shorewall-perl/Shorewall/Tc.pm | 9 +++++----
 5 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index e76b45441..d27c6873a 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -75,7 +75,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 sub jump_to_chain( $ ) {
 my $jumpchain = $_[0];
- $jumpchainref = ensure_chain( 'filter', $jumpchain );
+ $jumpchainref = ensure_chain( 'filter', IPv4, $jumpchain );
 check_for_builtin( $jumpchainref );
 mark_referenced $jumpchainref;
 "-j $jumpchain";
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index d2aace36b..18c07f5cb 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -593,28 +593,18 @@ sub new_chain($$$)
 cmdlevel => 0 };
 }
-#
-# Create an anonymous chain
-#
-sub new_anon_chain( $ ) {
- my $chainref = $_[0];
- my $seq = $chainseq++;
- new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
-}
-
-#
 #
 # Create a chain if it doesn't exist already
 #
-sub ensure_chain($$)
+sub ensure_chain($$$)
 {
- my ($table, $chain) = @_;
+ my ($table, $ipv, $chain) = @_;
- my $ref = $chain_table{$table}{4}{$chain};
+ my $ref = $chain_table{$table}{$ipv}{$chain};
 return $ref if $ref;
- new_chain $table, IPv4, $chain;
+ new_chain $table, $ipv, $chain;
 }
 sub finish_chain_section( $$ );
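Review bot: `ensure_chain` in Chains.pm now uses the caller-supplied `$ipv` directly as a hash key in `$chain_table{$table}{$ipv}{$chain}` and forwards it to `new_chain` without checking it. Because reading a nested Perl hash autovivifies the intermediate level, an undefined or mistyped family value would quietly create a new sub-table and a chain under it instead of failing, and that chain would presumably never be found by the `{4}` lookups used elsewhere in this patch. A guard at the top of the sub, for example `fatal_error "Invalid IP version ($ipv)" unless defined $ipv && $ipv == IPv4;` (assuming `fatal_error` is in scope here as it is in Nat.pm, and to be widened when another family is added), would stop the compile with an error instead. The header comment should also name the new parameter, e.g. `# Create a chain in the given table and address family if it doesn't exist already`.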
@@ -646,7 +636,7 @@ sub ensure_filter_chain( $$ )
 sub ensure_mangle_chain($) {
 my $chain = $_[0];
- my $chainref = ensure_chain 'mangle', $chain;
+ my $chainref = ensure_chain 'mangle', IPv4, $chain;
 $chainref->{referenced} = 1;
@@ -713,7 +703,7 @@ sub finish_chain_section ($$) {
 if ($sections{RELATED} ) {
 if ( $chainref->{is_policy} ) {
 if ( $chainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
+ my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $chainref;
 if ( $section eq 'DONE' ) {
 if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@@ -725,7 +715,7 @@ sub finish_chain_section ($$) {
 } else {
 my $policychainref = $filter_table->{4}{$chainref->{policychain}};
 if ( $policychainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
+ my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $policychainref;
 add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 }
 }
@@ -757,7 +747,7 @@ sub finish_section ( $ ) {
 #
 sub set_mss1( $$ ) {
 my ( $chain, $mss ) = @_;
- my $chainref = ensure_chain 'filter', $chain;
+ my $chainref = ensure_chain 'filter', IPv4, $chain;
 if ( $chainref->{policy} ne 'NONE' ) {
 my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index 321a7bcbd..a183dc1a6 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -171,7 +171,7 @@ sub setup_one_masq($$$$$$$)
 fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
- my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
+ my $chainref = ensure_chain('nat', IPv4, $pre_nat ? snat_chain $interface : masq_chain $interface);
 #
 # If there is no source or destination then allow all addresses
 #
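Review bot: In the second `finish_chain_section` hunk of Chains.pm the lookup `$filter_table->{4}{$chainref->{policychain}}` still hard-codes the family key as `4`, one statement above a call that now passes the `IPv4` constant; the same literal remains in `$mangle_table->{4}{POSTROUTING}` and `{OUTPUT}` in the `setup_ecn` hunk and in `$filter_table->{4}{"${zone}_frwd"}` in the `generate_matrix` hunk of Rules.pm. The two spellings only agree while `IPv4` evaluates to 4, which the removed `ensure_chain` body suggests but this diff does not show. Using the constant in the subscripts as well, e.g. `$filter_table->{+IPv4}{$chainref->{policychain}}`, keeps chain creation and chain lookup on the same key; the unary plus (or `IPv4()`) is needed because a bare `{IPv4}` would be read as the string 'IPv4'.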
@@ -341,7 +341,7 @@ sub do_one_nat( $$$$$ )
 fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
 sub add_nat_rule( $$ ) {
- add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
+ add_rule ensure_chain( 'nat', IPv4, $_[0] ) , $_[1];
 }
 my $add_ip_aliases = $config{ADD_IP_ALIASES};
@@ -442,9 +442,9 @@ sub setup_netmap() {
 fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
 if ( $type eq 'DNAT' ) {
- add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
+ add_rule ensure_chain( 'nat' , IPv4, input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
 } elsif ( $type eq 'SNAT' ) {
- add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
+ add_rule ensure_chain( 'nat' , IPv4, output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
 } else {
 fatal_error "Invalid type ($type)";
 }
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index de1e4ce6d..717b2392d 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -102,8 +102,8 @@ sub process_tos() {
 if ( $first_entry ) {
 progress_message2 "$doing $fn...";
- $pretosref = ensure_chain 'mangle' , $chain;
- $outtosref = ensure_chain 'mangle' , 'outtos';
+ $pretosref = ensure_chain 'mangle' , IPv4, $chain;
+ $outtosref = ensure_chain 'mangle' , IPv4, 'outtos';
 $first_entry = 0;
 }
@@ -194,7 +194,7 @@ sub setup_ecn()
 progress_message "$doing ECN control on @interfaces...";
 for my $interface ( @interfaces ) {
- my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
+ my $chainref = ensure_chain 'mangle', IPv4, ecn_chain( $interface );
 add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
 add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
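Review bot: In the `setup_netmap` hunk of Nat.pm, `$net1` and `$net2` are interpolated straight into the generated rule text (`"-d $net1 -j NETMAP --to $net2"`), whereas `$interface` and `$type` are both checked in the visible lines. The function body starts outside the hunk, so a check may already exist earlier; if it does not, a malformed value (presumably read from the netmap configuration) would pass through the compiler and only be rejected, or misread as extra rule options, when the rule set is loaded. Rejecting anything that is not a well-formed network address before the `if ( $type eq 'DNAT' )` branch, with a message in the style of `fatal_error "Invalid network ($net1)"`, would treat these two fields the same way as the other two.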
@@ -1061,7 +1061,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 # Take care of chain
 #
 my $chain = "${sourcezone}2${destzone}";
- my $chainref = ensure_chain 'filter', $chain;
+ my $chainref = ensure_chain 'filter', IPv4, $chain;
 #
 # Validate Policy
 #
@@ -1175,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 #
 # And generate the nat table rule(s)
 #
- expand_rule ( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
+ expand_rule ( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
 PREROUTE_RESTRICT ,
 $rule ,
 $source ,
@@ -1212,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
 }
- expand_rule( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) ,
+ expand_rule( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) ,
 PREROUTE_RESTRICT ,
 $rule ,
 $source ,
@@ -1239,7 +1239,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 $origdest = '';
 }
- expand_rule( ensure_chain ('filter', $chain ) ,
+ expand_rule( ensure_chain ('filter', IPv4, $chain ) ,
 $restriction ,
 $rule ,
 $source ,
@@ -1567,7 +1567,7 @@ sub generate_matrix() {
 if ( $complex ) {
 $frwd_ref = $filter_table->{4}{"${zone}_frwd"};
- my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone );
+ my $dnat_ref = ensure_chain 'nat' , IPv4, dnat_chain( $zone );
 if ( @$exclusions ) {
 insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
 }
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index a89c1022e..1746d5c14 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -275,7 +275,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 }
 if ( ( my $result = expand_rule(
- ensure_chain( 'mangle' , $chain ) ,
+ ensure_chain( 'mangle' , IPv4, $chain ) ,
 NO_RESTRICT ,
 do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
 $source ,
@@ -618,9 +618,10 @@ sub setup_tc() {
 clear_comment;
 }
-
- for ( @deferred_rules ) {
- add_rule ensure_chain( 'mangle' , 'tcpost' ), $_;
+
+ if ( @deferred_rules ) {
+ my $chainref = ensure_chain( 'mangle' , IPv4, 'tcpost' );
+ add_rule $chainref, $_ for ( @deferred_rules );
 }
 }