Add lookup hash for standard targets

2024-11-15 12:14:32 +01:00 · 2011-01-08 15:29:10 -08:00 · 2011-01-08 15:29:10 -08:00 · 97bba29c07
commit 97bba29c07
parent 8dc60e788f
2 changed files with 83 additions and 24 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -77,6 +77,7 @@ our %EXPORT_TAGS = (
 				       NOT_RESTORE

 				       initialize_chain_table
+				       lookup_shorewall_action
 				       add_commands
 				       move_rules
 				       insert_rule1
@ -179,6 +180,19 @@ our %EXPORT_TAGS = (
 				       $section
 				       %sections
 				       %targets
+				       %shorewall_targets
+                                       TGT_ACCEPT
+	                               TGT_REJECT
+	                               TGT_DROP
+	                               TGT_NONAT
+	                               TGT_LOG
+	                               TGT_CONTINUE
+	                               TGT_COUNT
+                                       TGT_QUEUE
+	                               TGT_NFQUEUE
+                                       TGT_ADD
+	                               TGT_DEL
+	                               TGT_REDIRECT
 				     ) ],
 		   );

@ -266,6 +280,38 @@ use constant { STANDARD => 1,              #defined by Netfilter
 # Valid Targets -- value is a combination of one or more of the above
 #
 our %targets;
+
+#
+# Shorewall-defined targets
+#
+
+use constant { TGT_ACCEPT   => 1,
+	       TGT_REJECT   => 2,
+	       TGT_DROP     => 3,
+	       TGT_NONAT    => 4,
+	       TGT_LOG      => 5,
+	       TGT_CONTINUE => 6,
+	       TGT_COUNT    => 7,
+               TGT_QUEUE    => 8,
+	       TGT_NFQUEUE  => 9,
+               TGT_ADD      => 10,
+	       TGT_DEL      => 11,
+	       TGT_REDIRECT => 12,
+	   };
+
+our %shorewall_targets = ( ACCEPT     => TGT_ACCEPT,
+			   REJECT     => TGT_REJECT,
+			   DROP       => TGT_DROP,
+			   NONAT      => TGT_NONAT,
+			   LOG        => TGT_LOG,
+			   CONTINUE   => TGT_CONTINUE,
+			   COUNT      => TGT_COUNT,
+			   QUEUE      => TGT_QUEUE,
+			   NFQUEUE    => TGT_NFQUEUE,
+			   ADD        => TGT_ADD,
+			   DEL        => TGT_DEL,
+			   REDIRECT   => TGT_REDIRECT,
+			 );
 #
 # expand_rule() restrictions
 #
@ -404,6 +450,17 @@ sub initialize( $ ) {
    #
 }

+#
+# Lookup a standard action
+#
+sub lookup_shorewall_action( $ ) {
+    my $target = shift;
+
+    $target =~ s/[-+!]$//;
+
+    $shorewall_targets{ $target };
+}
+
 #
 # Process a COMMENT line (in $currentline)
 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1020,31 +1020,33 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
    #
    my $log_action = $action;

-    if ( $actiontype & REDIRECT ) {
-	my $z = $actiontype & NATONLY ? '' : firewall_zone;
-	if ( $dest eq '-' ) {
-	    $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-	} elsif ( $inaction ) {
-	    $dest = ":$dest";
-	} else {
-	    $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
-	}
-    } elsif ( $action eq 'REJECT' ) {
-	$action = 'reject';
-    } elsif ( $action eq 'CONTINUE' ) {
-	$action = 'RETURN';
-    } elsif ( $action eq 'COUNT' ) {
-	$action = '';
-    } elsif ( $actiontype & LOGRULE ) {
-	fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
-    } elsif ( $actiontype & SET ) {
-	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+    if ( my $shorewall_target = lookup_shorewall_action( $basictarget ) ) {
+	if ( $shorewall_target == TGT_REDIRECT ) {
+	    my $z = $actiontype & NATONLY ? '' : firewall_zone;
+	    if ( $dest eq '-' ) {
+		$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+	    } elsif ( $inaction ) {
+		$dest = ":$dest";
+	    } else {
+		$dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+	    }
+	} elsif ( $shorewall_target == TGT_REJECT ) {
+	    $action = 'reject';
+	} elsif ( $shorewall_target == TGT_CONTINUE ) {
+	    $action = 'RETURN';
+	} elsif ( $shorewall_target == TGT_COUNT ) {
+	    $action = '';
+	} elsif ( $shorewall_target == TGT_LOG ) {
+	    fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
+	} elsif ( $actiontype & SET ) {
+	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );

-	my ( $setname, $flags, $rest ) = split ':', $param, 3;
-	fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
-	fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
-	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
-	$action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
+	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
+	    fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
+	    fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	}
    }
    #
    # Isolate and validate source and destination zones