First set of Policy.pm changes for IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8941 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-07 22:57:06 +00:00
parent 64fd8cd1f3
commit 96af8e6a62
2 changed files with 32 additions and 15 deletions


@ -815,9 +815,9 @@ sub compiler {
# #
process_actions1; process_actions1;
# #
# Process the Policy File. # Process the Policy File(s).
# #
validate_policy; validate_policy 'policy';
# #
# Compile the 'stop_firewall()' function # Compile the 'stop_firewall()' function
# #
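Review bot: The call `validate_policy 'policy';` selects no address family before loading the file, so it depends on Shorewall::Policy::initialize having left the IPv4 list selected (initialize calls use_ipv4_policies in the Policy.pm hunk of this commit); that dependency is not visible at this call site. Making it explicit, `use_ipv4_policies; validate_policy 'policy';`, documents the contract and gives the later IPv6 pass (use_ipv6_policies followed by the IPv6 policy file) an obvious template, since the exported policy functions act on whichever family was selected last. If the order is reversed or omitted, policy chains would be pushed onto the wrong family's list without any error. The enclosing sub compiler starts and ends outside this hunk.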


@ -28,17 +28,31 @@ use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones; use Shorewall::Zones;
use Shorewall::Chains qw( :DEFAULT :internal) ; use Shorewall::Chains qw( :DEFAULT :internal) ;
use Shorewall::Actions; use Shorewall::Actions;
use Shorewall::IPAddrs;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT = qw( use_ipv4_policies use_ipv6_policies validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = 4.1.1; our $VERSION = 4.1.1;
# @policy_chains is a list of references to policy chains in the filter table # @policy_chains is a list of references to policy chains in the filter table
our @policy_chains; my @policy_chains4;
my @policy_chains6;
my $policy_chains;
my $policy_family;
sub use_ipv4_policies() {
$policy_chains = \@policy_chains4;
$policy_family = F_INET;
}
sub use_ipv6_policies() {
$policy_chains = \@policy_chains6;
$policy_family = F_INET6;
}
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
@ -50,7 +64,9 @@ our @policy_chains;
# #
sub initialize() { sub initialize() {
@policy_chains = (); @policy_chains4 = ();
@policy_chains6 = ();
use_ipv4_policies;
} }
INIT { INIT {
@ -112,7 +128,7 @@ sub set_policy_chain($$$$$)
$chainref1->{default} = $chainref->{default} if defined $chainref->{default}; $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
$chainref1->{is_policy} = 1; $chainref1->{is_policy} = 1;
push @policy_chains, $chainref1; push @{$policy_chains}, $chainref1;
} else { } else {
$chainref1->{policychain} = $chainref->{name}; $chainref1->{policychain} = $chainref->{name};
} }
@ -135,10 +151,10 @@ sub add_or_modify_policy_chain( $$ ) {
if ( $chainref ) { if ( $chainref ) {
unless( $chainref->{is_policy} ) { unless( $chainref->{is_policy} ) {
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
push @policy_chains, $chainref; push @{$policy_chains}, $chainref;
} }
} else { } else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); push @{$policy_chains}, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
} }
} }
@ -153,8 +169,9 @@ sub print_policy($$$$) {
} }
} }
sub validate_policy() sub validate_policy( $ )
{ {
my $filename = shift;
my %validpolicies = ( my %validpolicies = (
ACCEPT => undef, ACCEPT => undef,
REJECT => undef, REJECT => undef,
@ -194,7 +211,7 @@ sub validate_policy()
} }
for $zone ( all_zones ) { for $zone ( all_zones ) {
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL ); push @{$policy_chains}, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
@ -206,7 +223,7 @@ sub validate_policy()
} }
} }
my $fn = open_file 'policy'; my $fn = open_file $filename;
first_entry "$doing $fn..."; first_entry "$doing $fn...";
@ -292,11 +309,11 @@ sub validate_policy()
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
} else { } else {
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 ); convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} }
} else { } else {
$chainref = new_policy_chain $client, $server, $policy, 0; $chainref = new_policy_chain $client, $server, $policy, 0;
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} }
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne ''; $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
@ -403,7 +420,7 @@ sub default_policy( $$$ ) {
sub apply_policy_rules() { sub apply_policy_rules() {
progress_message2 'Applying Policies...'; progress_message2 'Applying Policies...';
for my $chainref ( @policy_chains ) { for my $chainref ( @{$policy_chains} ) {
my $policy = $chainref->{policy}; my $policy = $chainref->{policy};
my $loglevel = $chainref->{loglevel}; my $loglevel = $chainref->{loglevel};
my $optional = $chainref->{is_optional}; my $optional = $chainref->{is_optional};
@ -465,7 +482,7 @@ sub complete_standard_chain ( $$$$ ) {
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
# #
sub setup_syn_flood_chains() { sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) { for my $chainref ( @{$policy_chains} ) {
my $limit = $chainref->{synparams}; my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) { if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
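Review bot: In the first hunk, use_ipv4_policies and use_ipv6_policies are added and exported with no documentation, and the comment above them still describes `@policy_chains`, which no longer exists; the stale line should read `# @policy_chains4 / @policy_chains6 hold the policy chains of the filter table for each family; $policy_chains references the list currently selected by use_ipv4_policies/use_ipv6_policies, and all exported functions operate on that list.` Because validate_policy, apply_policy_rules and setup_syn_flood_chains all read `$policy_chains` implicitly, calling use_ipv6_policies between validate_policy and apply_policy_rules would silently apply an empty (or the other family's) policy set, with no check that the selected family matches the file that was loaded; a short comment on each selector sub stating this, e.g. `# Select IPv4 (IPv6) policy state; must precede validate_policy/apply_policy_rules for that family.`, is the minimum, and recording the family in validate_policy and checking it in apply_policy_rules would make the mismatch fatal rather than silent. `$policy_family` is assigned in both selectors but not read anywhere in this diff; if it is intended for a later change, a `# used by ... (not yet)` note would avoid it being flagged as dead.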