First set of Policy.pm changes for IPv6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8941 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
64fd8cd1f3
commit
96af8e6a62
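--- a/<path not shown on page: file containing sub compiler>
+++ b/<path not shown on page: file containing sub compiler>
@@ -815,9 +815,9 @@ sub compiler {
 #
 process_actions1;
 #
-# Process the Policy File.
+# Process the Policy File(s).
 #
-validate_policy;
+validate_policy 'policy';
 #
 # Compile the 'stop_firewall()' function
 #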
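Review bot: The comment is changed to "Process the Policy File(s)." but the code below it still makes a single call, `validate_policy 'policy';`, which runs under whatever family is current (initialize() in Policy.pm selects IPv4), so the plural promises a second pass that this commit does not add. Until the IPv6 pass exists, a comment that matches the code is safer for the next reader, e.g. `# Process the Policy File (IPv4 family selected by Shorewall::Policy::initialize).` The enclosing sub compiler starts and ends outside this hunk, so a second validate_policy call may live elsewhere; if so, the comment could name it.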
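--- a/<path not shown on page>/Policy.pm
+++ b/<path not shown on page>/Policy.pm
@@ -28,17 +28,31 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw( :DEFAULT :internal) ;
 use Shorewall::Actions;
+use Shorewall::IPAddrs;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
+our @EXPORT = qw( use_ipv4_policies use_ipv6_policies validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw( );
 our $VERSION = 4.1.1;
 
 # @policy_chains is a list of references to policy chains in the filter table
 
-our @policy_chains;
+my @policy_chains4;
+my @policy_chains6;
+my $policy_chains;
+my $policy_family;
+
+sub use_ipv4_policies() {
+$policy_chains = \@policy_chains4;
+$policy_family = F_INET;
+}
+
+sub use_ipv6_policies() {
+$policy_chains = \@policy_chains6;
+$policy_family = F_INET6;
+}
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -50,7 +64,9 @@ our @policy_chains;
 #
 
 sub initialize() {
-@policy_chains = ();
+@policy_chains4 = ();
+@policy_chains6 = ();
+use_ipv4_policies;
 }
 
 INIT {
@@ -112,7 +128,7 @@ sub set_policy_chain($$$$$)
 
 $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
 $chainref1->{is_policy} = 1;
-push @policy_chains, $chainref1;
+push @{$policy_chains}, $chainref1;
 } else {
 $chainref1->{policychain} = $chainref->{name};
 }
@@ -135,10 +151,10 @@ sub add_or_modify_policy_chain( $$ ) {
 if ( $chainref ) {
 unless( $chainref->{is_policy} ) {
 convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
-push @policy_chains, $chainref;
+push @{$policy_chains}, $chainref;
 }
 } else {
-push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+push @{$policy_chains}, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
 }
 }
 
@@ -153,8 +169,9 @@ sub print_policy($$$$) {
 }
 }
 
-sub validate_policy()
+sub validate_policy( $ )
 {
+my $filename = shift;
 my %validpolicies = (
 ACCEPT => undef,
 REJECT => undef,
@@ -194,7 +211,7 @@ sub validate_policy()
 }
 
 for $zone ( all_zones ) {
-push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
+push @{$policy_chains}, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
 
 if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 for my $zone1 ( all_zones ) {
@@ -206,7 +223,7 @@ sub validate_policy()
 }
 }
 
-my $fn = open_file 'policy';
+my $fn = open_file $filename;
 
 first_entry "$doing $fn...";
 
@@ -292,11 +309,11 @@ sub validate_policy()
 fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 } else {
 convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
-push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
+push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 }
 } else {
 $chainref = new_policy_chain $client, $server, $policy, 0;
-push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
+push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 }
 
 $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
@@ -403,7 +420,7 @@ sub default_policy( $$$ ) {
 sub apply_policy_rules() {
 progress_message2 'Applying Policies...';
 
-for my $chainref ( @policy_chains ) {
+for my $chainref ( @{$policy_chains} ) {
 my $policy = $chainref->{policy};
 my $loglevel = $chainref->{loglevel};
 my $optional = $chainref->{is_optional};
@@ -465,7 +482,7 @@ sub complete_standard_chain ( $$$$ ) {
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
 sub setup_syn_flood_chains() {
-for my $chainref ( @policy_chains ) {
+for my $chainref ( @{$policy_chains} ) {
 my $limit = $chainref->{synparams};
 if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 my $level = $chainref->{loglevel};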