Add an argument to new_chain()

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7322 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-11 20:27:45 +00:00
parent 12d19c8ec3
commit 8a9b9c2714
5 changed files with 26 additions and 35 deletions


@ -75,7 +75,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
sub jump_to_chain( $ ) { sub jump_to_chain( $ ) {
my $jumpchain = $_[0]; my $jumpchain = $_[0];
$jumpchainref = ensure_chain( 'filter', $jumpchain ); $jumpchainref = ensure_chain( 'filter', IPv4, $jumpchain );
check_for_builtin( $jumpchainref ); check_for_builtin( $jumpchainref );
mark_referenced $jumpchainref; mark_referenced $jumpchainref;
"-j $jumpchain"; "-j $jumpchain";


@ -593,28 +593,18 @@ sub new_chain($$$)
cmdlevel => 0 }; cmdlevel => 0 };
} }
#
# Create an anonymous chain
#
sub new_anon_chain( $ ) {
my $chainref = $_[0];
my $seq = $chainseq++;
new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
}
#
# #
# Create a chain if it doesn't exist already # Create a chain if it doesn't exist already
# #
sub ensure_chain($$) sub ensure_chain($$$)
{ {
my ($table, $chain) = @_; my ($table, $ipv, $chain) = @_;
my $ref = $chain_table{$table}{4}{$chain}; my $ref = $chain_table{$table}{$ipv}{$chain};
return $ref if $ref; return $ref if $ref;
new_chain $table, IPv4, $chain; new_chain $table, $ipv, $chain;
} }
sub finish_chain_section( $$ ); sub finish_chain_section( $$ );
@ -646,7 +636,7 @@ sub ensure_filter_chain( $$ )
sub ensure_mangle_chain($) { sub ensure_mangle_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain; my $chainref = ensure_chain 'mangle', IPv4, $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -713,7 +703,7 @@ sub finish_chain_section ($$) {
if ($sections{RELATED} ) { if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) { if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $chainref;
if ( $section eq 'DONE' ) { if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@ -725,7 +715,7 @@ sub finish_chain_section ($$) {
} else { } else {
my $policychainref = $filter_table->{4}{$chainref->{policychain}}; my $policychainref = $filter_table->{4}{$chainref->{policychain}};
if ( $policychainref->{synparams} ) { if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
} }
} }
@ -757,7 +747,7 @@ sub finish_section ( $ ) {
# #
sub set_mss1( $$ ) { sub set_mss1( $$ ) {
my ( $chain, $mss ) = @_; my ( $chain, $mss ) = @_;
my $chainref = ensure_chain 'filter', $chain; my $chainref = ensure_chain 'filter', IPv4, $chain;
if ( $chainref->{policy} ne 'NONE' ) { if ( $chainref->{policy} ne 'NONE' ) {
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
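Review bot: `ensure_chain` now takes `$ipv` from the caller and uses it unchecked as a hash key in `$chain_table{$table}{$ipv}{$chain}`, so a wrong value (for example from a call that reaches the sub through a path that bypasses the prototype) autovivifies a new per-family bucket instead of failing. In a firewall compiler that is worth failing closed on, since a chain created under an unexpected key is presumably never emitted; a guard like `fatal_error "Invalid IP version ($ipv)" unless $ipv == IPv4;` at the top of the sub would do it, assuming `fatal_error` is in scope in this file. The header comment should also name the new parameter, e.g. `# $ipv selects the per-address-family chain table (IPv4)`. Separately, `finish_chain_section` still reads `$filter_table->{4}{...}` with a literal key next to calls that pass `IPv4`; using the constant in both places keeps the lookups from drifting apart.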


@ -171,7 +171,7 @@ sub setup_one_masq($$$$$$$)
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root}; fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface); my $chainref = ensure_chain('nat', IPv4, $pre_nat ? snat_chain $interface : masq_chain $interface);
# #
# If there is no source or destination then allow all addresses # If there is no source or destination then allow all addresses
# #
@ -341,7 +341,7 @@ sub do_one_nat( $$$$$ )
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
sub add_nat_rule( $$ ) { sub add_nat_rule( $$ ) {
add_rule ensure_chain( 'nat', $_[0] ) , $_[1]; add_rule ensure_chain( 'nat', IPv4, $_[0] ) , $_[1];
} }
my $add_ip_aliases = $config{ADD_IP_ALIASES}; my $add_ip_aliases = $config{ADD_IP_ALIASES};
@ -442,9 +442,9 @@ sub setup_netmap() {
fatal_error "Unknown Interface ($interface)" unless known_interface $interface; fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , IPv4, input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) { } elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , IPv4, output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";
} }
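Review bot: In `setup_one_masq` the third argument is now `$pre_nat ? snat_chain $interface : masq_chain $interface`, and with three positional arguments the paren-less `snat_chain $interface` form makes the argument boundaries depend on those subs' prototypes, which are not visible here. Writing `snat_chain( $interface )` and `masq_chain( $interface )`, the way `ecn_chain( $interface )` and `dnat_chain( $zone )` are written elsewhere in this commit, keeps the chain name from sliding into the wrong slot if a prototype ever changes. The same applies to `input_chain $interface` and `output_chain $interface` in `setup_netmap`, to `syn_flood_chain $chainref` in `finish_chain_section`, and to `dnat_chain $sourcezone` in the two `process_rule1` nat calls. The enclosing subs start and end outside these hunks.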


@ -102,8 +102,8 @@ sub process_tos() {
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$pretosref = ensure_chain 'mangle' , $chain; $pretosref = ensure_chain 'mangle' , IPv4, $chain;
$outtosref = ensure_chain 'mangle' , 'outtos'; $outtosref = ensure_chain 'mangle' , IPv4, 'outtos';
$first_entry = 0; $first_entry = 0;
} }
@ -194,7 +194,7 @@ sub setup_ecn()
progress_message "$doing ECN control on @interfaces..."; progress_message "$doing ECN control on @interfaces...";
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); my $chainref = ensure_chain 'mangle', IPv4, ecn_chain( $interface );
add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}"; add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}"; add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
@ -1061,7 +1061,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# Take care of chain # Take care of chain
# #
my $chain = "${sourcezone}2${destzone}"; my $chain = "${sourcezone}2${destzone}";
my $chainref = ensure_chain 'filter', $chain; my $chainref = ensure_chain 'filter', IPv4, $chain;
# #
# Validate Policy # Validate Policy
# #
@ -1175,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# #
# And generate the nat table rule(s) # And generate the nat table rule(s)
# #
expand_rule ( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ), expand_rule ( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
@ -1212,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4; $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
} }
expand_rule( ensure_chain ('nat' , $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) , expand_rule( ensure_chain ('nat' , IPv4, $sourceref->{type} == ZT_FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone) ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
@ -1239,7 +1239,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$origdest = ''; $origdest = '';
} }
expand_rule( ensure_chain ('filter', $chain ) , expand_rule( ensure_chain ('filter', IPv4, $chain ) ,
$restriction , $restriction ,
$rule , $rule ,
$source , $source ,
@ -1567,7 +1567,7 @@ sub generate_matrix() {
if ( $complex ) { if ( $complex ) {
$frwd_ref = $filter_table->{4}{"${zone}_frwd"}; $frwd_ref = $filter_table->{4}{"${zone}_frwd"};
my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone ); my $dnat_ref = ensure_chain 'nat' , IPv4, dnat_chain( $zone );
if ( @$exclusions ) { if ( @$exclusions ) {
insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced}; insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
} }


@ -275,7 +275,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
} }
if ( ( my $result = expand_rule( if ( ( my $result = expand_rule(
ensure_chain( 'mangle' , $chain ) , ensure_chain( 'mangle' , IPv4, $chain ) ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) , do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
$source , $source ,
@ -618,9 +618,10 @@ sub setup_tc() {
clear_comment; clear_comment;
} }
for ( @deferred_rules ) { if ( @deferred_rules ) {
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_; my $chainref = ensure_chain( 'mangle' , IPv4, 'tcpost' );
add_rule $chainref, $_ for ( @deferred_rules );
} }
} }
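Review bot: The new `if ( @deferred_rules )` guard in `setup_tc` carries no comment saying why it is there; it appears to exist so that `tcpost` is only created in the mangle table when there is at least one deferred rule, and a later cleanup could undo that by hoisting the `ensure_chain` call out of the block. I would add `# Only create tcpost when there are deferred rules to put in it` above the `if`. The statement modifier can also drop its parentheses, `add_rule $chainref, $_ for @deferred_rules;`. The body of `setup_tc` starts outside the hunk.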