Change IP version enumeration
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7326 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a9708f1baa
commit
9b079d57e9
@ -197,19 +197,19 @@ sub setup_accounting() {
|
||||
clear_comment;
|
||||
|
||||
if ( have_bridges ) {
|
||||
if ( $filter_table->{4}->{accounting} ) {
|
||||
if ( $filter_table->{1}->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
|
||||
insert_rule $filter_table->{1}{$chain}, 1, '-j accounting';
|
||||
}
|
||||
}
|
||||
|
||||
if ( $filter_table->{4}->{accountout} ) {
|
||||
insert_rule $filter_table->{4}{OUTPUT}, 1, '-j accountout';
|
||||
if ( $filter_table->{1}->{accountout} ) {
|
||||
insert_rule $filter_table->{1}{OUTPUT}, 1, '-j accountout';
|
||||
}
|
||||
} else {
|
||||
if ( $filter_table->{4}->{accounting} ) {
|
||||
if ( $filter_table->{1}->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||
insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
|
||||
insert_rule $filter_table->{1}{$chain}, 1, '-j accounting';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
|
||||
|
||||
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
||||
|
||||
while ( $chain_table{filter}{4}{'%' . $chain . $actionref->{actchain}} ) {
|
||||
while ( $chain_table{filter}{1}{'%' . $chain . $actionref->{actchain}} ) {
|
||||
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
|
||||
}
|
||||
|
||||
|
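Review bot: Every lookup this hunk rewrites, e.g. `insert_rule $filter_table->{1}{$chain}, 1, '-j accounting';`, hard-codes the literal `1` even though the same commit defines `IPv4 => ZT_IPV4` precisely so the mapping lives in one place; if ZT_IPV4 ever differs from 1, every such lookup returns undef and `insert_rule` is handed no chain, so accounting rules would silently drop out of the generated ruleset instead of failing loudly. Keying the lookup on the constant, `insert_rule $filter_table->{IPv4()}{$chain}, 1, '-j accounting';` (or `{+IPv4}` — a bare `{IPv4}` subscript autoquotes to the string 'IPv4'), ties it to the definition. The adjacent `1`s (table key and rule position) also read as the same value when they are not. The same literal appears in the other hunks of this commit (`new_chain`, `addnatjump`, `insertnatjump`, `create_netfilter_load`, `create_chainlist_reload`, and the policy, rules and tc hunks); this one note covers all of them.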
@ -132,9 +132,9 @@ our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# IP Versions
|
||||
# IP Versions. Rather than using 4 and 6, we use 1 and 2 to match the zone IPVs.
|
||||
#
|
||||
use constant { IPv4 => 4, IPv6 => 6 };
|
||||
use constant { IPv4 => ZT_IPV4, IPv6 => ZT_IPV6 };
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
@ -237,10 +237,10 @@ our $mode;
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
%chain_table = ( raw => { 4 => {} , 6=> {} },
|
||||
mangle => { 4 => {} , 6=> {} },
|
||||
nat => { 4 => {} },
|
||||
filter => { 4 => {} , 6=> {} } );
|
||||
%chain_table = ( raw => { 1 => {} , 2=> {} },
|
||||
mangle => { 1 => {} , 2=> {} },
|
||||
nat => { 1 => {} },
|
||||
filter => { 1 => {} , 2=> {} } );
|
||||
|
||||
$nat_table = $chain_table{nat};
|
||||
$mangle_table = $chain_table{mangle};
|
||||
@ -582,9 +582,9 @@ sub new_chain($$$)
|
||||
{
|
||||
my ($table, $ipv, $chain) = @_;
|
||||
|
||||
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
|
||||
warning_message "Internal error in new_chain()" if $chain_table{$table}{1}{$chain};
|
||||
|
||||
$chain_table{$table}{4}{$chain} = { name => $chain,
|
||||
$chain_table{$table}{1}{$chain} = { name => $chain,
|
||||
rules => [],
|
||||
table => $table,
|
||||
ipv => $ipv,
|
||||
@ -1808,10 +1808,10 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
sub addnatjump( $$$ ) {
|
||||
my ( $source , $dest, $predicates ) = @_;
|
||||
|
||||
my $destref = $nat_table->{4}{$dest} || {};
|
||||
my $destref = $nat_table->{1}{$dest} || {};
|
||||
|
||||
if ( $destref->{referenced} ) {
|
||||
add_rule $nat_table->{4}{$source} , $predicates . "-j $dest";
|
||||
add_rule $nat_table->{1}{$source} , $predicates . "-j $dest";
|
||||
} else {
|
||||
clearrule;
|
||||
}
|
||||
@ -1823,10 +1823,10 @@ sub addnatjump( $$$ ) {
|
||||
sub insertnatjump( $$$$ ) {
|
||||
my ( $source, $dest, $countref, $predicates ) = @_;
|
||||
|
||||
my $destref = $nat_table->{4}{$dest} || {};
|
||||
my $destref = $nat_table->{1}{$dest} || {};
|
||||
|
||||
if ( $destref->{referenced} ) {
|
||||
insert_rule $nat_table->{4}{$source} , ($$countref)++, $predicates . "-j $dest";
|
||||
insert_rule $nat_table->{1}{$source} , ($$countref)++, $predicates . "-j $dest";
|
||||
} else {
|
||||
clearrule;
|
||||
}
|
||||
@ -1966,7 +1966,7 @@ sub create_netfilter_load() {
|
||||
# iptables-restore seems to be quite picky about the order of the builtin chains
|
||||
#
|
||||
for my $chain ( @builtins ) {
|
||||
my $chainref = $chain_table{$table}{4}{$chain};
|
||||
my $chainref = $chain_table{$table}{1}{$chain};
|
||||
if ( $chainref ) {
|
||||
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
||||
emit_unindented ":$chain $chainref->{policy} [0:0]";
|
||||
@ -1976,8 +1976,8 @@ sub create_netfilter_load() {
|
||||
#
|
||||
# First create the chains in the current table
|
||||
#
|
||||
for my $chain ( grep $chain_table{$table}{4}{$_}->{referenced} , ( sort keys %{$chain_table{$table}{4}} ) ) {
|
||||
my $chainref = $chain_table{$table}{4}{$chain};
|
||||
for my $chain ( grep $chain_table{$table}{1}{$_}->{referenced} , ( sort keys %{$chain_table{$table}{1}} ) ) {
|
||||
my $chainref = $chain_table{$table}{1}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
@ -2026,7 +2026,7 @@ sub create_chainlist_reload($) {
|
||||
my @chains = split ',', $chains;
|
||||
|
||||
unless ( @chains ) {
|
||||
@chains = qw( blacklst ) if $filter_table->{4}{blacklst};
|
||||
@chains = qw( blacklst ) if $filter_table->{1}{blacklst};
|
||||
}
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -2060,7 +2060,7 @@ sub create_chainlist_reload($) {
|
||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
|
||||
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{4}{$chain};
|
||||
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{1}{$chain};
|
||||
|
||||
$chains{$table} = [] unless $chains{$table};
|
||||
|
||||
@ -2072,7 +2072,7 @@ sub create_chainlist_reload($) {
|
||||
|
||||
emit_unindented "*$table";
|
||||
|
||||
my $tableref=$chain_table{$table}{4};
|
||||
my $tableref=$chain_table{$table}{1};
|
||||
|
||||
@chains = sort @{$chains{$table}};
|
||||
|
||||
|
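Review bot: `new_chain` takes `$ipv` and records it as `ipv => $ipv`, but the duplicate check and the insertion in the `@@ -582` hunk still key on the literal `{1}`, so a chain created with IPv6 lands in the IPv4 bucket that `initialize()` now sets up as `1 => {}` next to `2 => {}`, and the 'Internal error in new_chain()' check compares against the wrong table. Keying on the parameter, `warning_message "Internal error in new_chain()" if $chain_table{$table}{$ipv}{$chain};` and `$chain_table{$table}{$ipv}{$chain} = { name => $chain,`, makes the stored `ipv` and the bucket agree; if only IPv4 is meant to be supported for now, a `fatal_error` when `$ipv` is not IPv4 would make that explicit instead. `new_chain`'s body continues outside the hunk. Separately, `use constant { IPv4 => ZT_IPV4, IPv6 => ZT_IPV6 };` is evaluated at compile time, so it presumably depends on ZT_IPV4/ZT_IPV6 being imported above this line — worth confirming, since under strict an unimported bareword there is a compile error.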
@ -92,7 +92,7 @@ sub set_policy_chain($$$$$)
|
||||
{
|
||||
my ($source, $dest, $chain1, $chainref, $policy ) = @_;
|
||||
|
||||
my $chainref1 = $filter_table->{4}{$chain1};
|
||||
my $chainref1 = $filter_table->{1}{$chain1};
|
||||
|
||||
$chainref1 = new_chain 'filter', IPv4, $chain1 unless $chainref1;
|
||||
|
||||
@ -130,7 +130,7 @@ use constant { OPTIONAL => 1 };
|
||||
sub add_or_modify_policy_chain( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = "${zone}2${zone1}";
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
my $chainref = $filter_table->{1}{$chain};
|
||||
|
||||
if ( $chainref ) {
|
||||
unless( $chainref->{is_policy} ) {
|
||||
@ -279,8 +279,8 @@ sub validate_policy()
|
||||
my $chain = "${client}2${server}";
|
||||
my $chainref;
|
||||
|
||||
if ( defined $filter_table->{4}{$chain} ) {
|
||||
$chainref = $filter_table->{4}{$chain};
|
||||
if ( defined $filter_table->{1}{$chain} ) {
|
||||
$chainref = $filter_table->{1}{$chain};
|
||||
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{is_optional} ) {
|
||||
@ -362,7 +362,7 @@ sub report_syn_flood_protection() {
|
||||
|
||||
sub default_policy( $$$ ) {
|
||||
my $chainref = $_[0];
|
||||
my $policyref = $filter_table->{4}{$chainref->{policychain}};
|
||||
my $policyref = $filter_table->{1}{$chainref->{policychain}};
|
||||
my $synparams = $policyref->{synparams};
|
||||
my $default = $policyref->{default};
|
||||
my $policy = $policyref->{policy};
|
||||
@ -420,7 +420,7 @@ sub apply_policy_rules() {
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $filter_table->{4}{"${zone}2${zone1}"};
|
||||
my $chainref = $filter_table->{1}{"${zone}2${zone1}"};
|
||||
|
||||
if ( $chainref->{referenced} ) {
|
||||
run_user_exit $chainref;
|
||||
@ -446,11 +446,11 @@ sub complete_standard_chain ( $$$ ) {
|
||||
|
||||
run_user_exit $stdchainref;
|
||||
|
||||
my $ruleschainref = $filter_table->{4}{"${zone}2${zone2}"};
|
||||
my $ruleschainref = $filter_table->{1}{"${zone}2${zone2}"};
|
||||
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
|
||||
my $policychainref;
|
||||
|
||||
$policychainref = $filter_table->{4}{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
$policychainref = $filter_table->{1}{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
|
||||
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||
|
||||
@ -463,7 +463,7 @@ sub complete_standard_chain ( $$$ ) {
|
||||
sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
|
||||
if ( $limit && ! $filter_table->{1}{syn_flood_chain $chainref} ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , IPv4, syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
|
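Review bot: In the `@@ -92` hunk `set_policy_chain` looks the chain up with the literal key, `my $chainref1 = $filter_table->{1}{$chain1};`, but two lines later creates it with `new_chain 'filter', IPv4, $chain1`; the lookup and the creation are tied together only by convention, and once `new_chain` honours its `$ipv` argument (or ZT_IPV4 changes) they address different buckets, so the lookup misses every time, `new_chain` is called for an existing chain and its 'Internal error' warning fires. Keying the lookup on the constant, `my $chainref1 = $filter_table->{IPv4()}{$chain1};`, removes the coupling. `setup_syn_flood_chains` in the `@@ -463` hunk has the same lookup/create pair (`$filter_table->{1}{syn_flood_chain $chainref}` against `new_chain 'filter' , IPv4, ...`). `set_policy_chain`'s body continues outside the hunk.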
@ -89,13 +89,13 @@ sub setup_route_marking() {
|
||||
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
|
||||
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
|
||||
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
add_rule $mangle_table->{1}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
add_rule $mangle_table->{1}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
|
||||
my $chainref = new_chain 'mangle', IPv4, 'routemark';
|
||||
|
||||
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||
add_rule $mangle_table->{1}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||
add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
|
||||
}
|
||||
|
||||
|
@ -150,8 +150,8 @@ sub process_tos() {
|
||||
}
|
||||
|
||||
unless ( $first_entry ) {
|
||||
add_rule $mangle_table->{4}{$stdchain}, "-j $chain" if $pretosref->{referenced};
|
||||
add_rule $mangle_table->{4}{OUTPUT}, "-j outtos" if $outtosref->{referenced};
|
||||
add_rule $mangle_table->{1}{$stdchain}, "-j $chain" if $pretosref->{referenced};
|
||||
add_rule $mangle_table->{1}{OUTPUT}, "-j outtos" if $outtosref->{referenced};
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -196,12 +196,12 @@ sub setup_ecn()
|
||||
for my $interface ( @interfaces ) {
|
||||
my $chainref = ensure_chain 'mangle', IPv4, ecn_chain( $interface );
|
||||
|
||||
add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
add_rule $mangle_table->{1}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
add_rule $mangle_table->{1}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
|
||||
}
|
||||
|
||||
for my $host ( @hosts ) {
|
||||
add_rule $mangle_table->{4}{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' );
|
||||
add_rule $mangle_table->{1}{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -266,7 +266,7 @@ sub setup_rfc1918_filteration( $ ) {
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
|
||||
add_rule $filter_table->{1}{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -339,7 +339,7 @@ sub setup_blacklist() {
|
||||
my $source = match_source_net $network;
|
||||
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{4}{$chain} , "${source}${state}${policy}-j blacklst";
|
||||
add_rule $filter_table->{1}{$chain} , "${source}${state}${policy}-j blacklst";
|
||||
}
|
||||
|
||||
progress_message " Blacklisting enabled on ${interface}:${network}";
|
||||
@ -503,7 +503,7 @@ sub add_common_rules() {
|
||||
|
||||
if ( $config{FASTACCEPT} ) {
|
||||
for $chain qw( INPUT FORWARD OUTPUT ) {
|
||||
$chainref = $filter_table->{4}{$chain};
|
||||
$chainref = $filter_table->{1}{$chain};
|
||||
add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
@ -568,7 +568,7 @@ sub add_common_rules() {
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
|
||||
add_rule $filter_table->{1}{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -590,10 +590,10 @@ sub add_common_rules() {
|
||||
|
||||
for $interface ( @$list ) {
|
||||
for $chain ( input_chain $interface, output_chain $interface ) {
|
||||
add_rule $filter_table->{4}{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
||||
add_rule $filter_table->{1}{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
||||
}
|
||||
|
||||
add_rule $filter_table->{4}{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||
add_rule $filter_table->{1}{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||
}
|
||||
}
|
||||
|
||||
@ -643,7 +643,7 @@ sub add_common_rules() {
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{4}{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
|
||||
add_rule $filter_table->{1}{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -656,9 +656,9 @@ sub add_common_rules() {
|
||||
|
||||
mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
|
||||
|
||||
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
|
||||
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||
add_rule $filter_table->{4}{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||
add_rule $filter_table->{1}{input_chain $interface}, "-j $chain";
|
||||
add_rule $filter_table->{1}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||
add_rule $filter_table->{1}{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||
}
|
||||
}
|
||||
|
||||
@ -670,7 +670,7 @@ sub add_common_rules() {
|
||||
mark_referenced( new_chain( 'nat', IPv4, 'UPnP' ) );
|
||||
|
||||
for $interface ( @$list ) {
|
||||
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||
add_rule $nat_table->{1}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||
}
|
||||
}
|
||||
|
||||
@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
|
||||
fatal_error "No hosts on $interface have the maclist option specified";
|
||||
}
|
||||
|
||||
my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chainref = $chain_table{$table}{1}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
|
||||
$mac = '' unless $mac && ( $mac ne '-' );
|
||||
$addresses = '' unless $addresses && ( $addresses ne '-' );
|
||||
@ -794,15 +794,15 @@ sub setup_mac_lists( $ ) {
|
||||
my $target = mac_chain $interface;
|
||||
if ( $table eq 'filter' ) {
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{4}{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||
add_rule $filter_table->{1}{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
} else {
|
||||
add_rule $mangle_table->{4}{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||
add_rule $mangle_table->{1}{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chainref = $chain_table{$table}{1}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
@ -1077,7 +1077,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
# Handle Optimization
|
||||
#
|
||||
if ( $optimize > 0 ) {
|
||||
my $loglevel = $filter_table->{4}{$chainref->{policychain}}{loglevel};
|
||||
my $loglevel = $filter_table->{1}{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 1 if $target eq "${policy}:$loglevel}";
|
||||
} else {
|
||||
@ -1416,13 +1416,13 @@ sub generate_matrix() {
|
||||
sub rules_target( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = "${zone}2${zone1}";
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
my $chainref = $filter_table->{1}{$chain};
|
||||
|
||||
return $chain if $chainref && $chainref->{referenced};
|
||||
return 'ACCEPT' if $zone eq $zone1;
|
||||
|
||||
if ( $chainref->{policy} ne 'CONTINUE' ) {
|
||||
my $policyref = $filter_table->{4}{$chainref->{policychain}};
|
||||
my $policyref = $filter_table->{1}{$chainref->{policychain}};
|
||||
return $policyref->{name} if $policyref;
|
||||
fatal_error "No policy defined for zone $zone to zone $zone1";
|
||||
}
|
||||
@ -1541,7 +1541,7 @@ sub generate_matrix() {
|
||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_rule(
|
||||
$filter_table->{4}{forward_chain $interface} ,
|
||||
$filter_table->{1}{forward_chain $interface} ,
|
||||
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
|
||||
);
|
||||
}
|
||||
@ -1566,7 +1566,7 @@ sub generate_matrix() {
|
||||
my %needbroadcast;
|
||||
|
||||
if ( $complex ) {
|
||||
$frwd_ref = $filter_table->{4}{"${zone}_frwd"};
|
||||
$frwd_ref = $filter_table->{1}{"${zone}_frwd"};
|
||||
my $dnat_ref = ensure_chain 'nat' , IPv4, dnat_chain( $zone );
|
||||
if ( @$exclusions ) {
|
||||
insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
|
||||
@ -1592,10 +1592,10 @@ sub generate_matrix() {
|
||||
|
||||
if ( $chain1 ) {
|
||||
if ( @$exclusions ) {
|
||||
add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
|
||||
add_rule $filter_table->{4}{"${zone}_output"} , "-j $chain1";
|
||||
add_rule $filter_table->{1}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
|
||||
add_rule $filter_table->{1}{"${zone}_output"} , "-j $chain1";
|
||||
} else {
|
||||
add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||
add_rule $filter_table->{1}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||
}
|
||||
}
|
||||
|
||||
@ -1605,14 +1605,14 @@ sub generate_matrix() {
|
||||
|
||||
if ( $chain2 ) {
|
||||
if ( @$exclusions ) {
|
||||
add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
|
||||
add_rule $filter_table->{4}{"${zone}_input"} , "-j $chain2";
|
||||
add_rule $filter_table->{1}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
|
||||
add_rule $filter_table->{1}{"${zone}_input"} , "-j $chain2";
|
||||
} else {
|
||||
add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
|
||||
add_rule $filter_table->{1}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $filter_table->{4}{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
|
||||
add_rule $filter_table->{1}{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
|
||||
if $complex && $hostref->{ipsec} ne 'ipsec';
|
||||
|
||||
$needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets';
|
||||
@ -1624,11 +1624,11 @@ sub generate_matrix() {
|
||||
if ( $chain1 ) {
|
||||
for my $interface ( keys %needbroadcast ) {
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_rule $filter_table->{4}{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
|
||||
add_rule $filter_table->{1}{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
|
||||
} else {
|
||||
my $interfaceref = find_interface( $interface );
|
||||
my $chain = output_chain $interface;
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
my $chainref = $filter_table->{1}{$chain};
|
||||
|
||||
if ( $interfaceref->{broadcasts} ) {
|
||||
for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
|
||||
@ -1644,7 +1644,7 @@ sub generate_matrix() {
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $filter_table->{4}{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
||||
add_rule $filter_table->{1}{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
||||
}
|
||||
}
|
||||
#
|
||||
@ -1659,7 +1659,7 @@ sub generate_matrix() {
|
||||
ZONE1:
|
||||
for my $zone1 ( non_firewall_zones ) {
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
|
||||
my $policy = $filter_table->{1}{"${zone}2${zone1}"}->{policy};
|
||||
|
||||
next if $policy eq 'NONE';
|
||||
|
||||
@ -1709,7 +1709,7 @@ sub generate_matrix() {
|
||||
ZONE1:
|
||||
for my $zone1 ( @dest_zones ) {
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
|
||||
my $policy = $filter_table->{1}{"${zone}2${zone1}"}->{policy};
|
||||
|
||||
next if $policy eq 'NONE';
|
||||
|
||||
@ -1728,8 +1728,8 @@ sub generate_matrix() {
|
||||
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
|
||||
if ( get_interface_option( $interface, 'bridge' ) ) {
|
||||
for my $source ( keys %$sourceref ) {
|
||||
add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
|
||||
add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
|
||||
add_rule $filter_table->{1}{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
|
||||
add_rule $filter_table->{1}{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1740,7 +1740,7 @@ sub generate_matrix() {
|
||||
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
|
||||
}
|
||||
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
my $chainref = $filter_table->{1}{$chain};
|
||||
my $exclusions1 = $zone1ref->{exclusions};
|
||||
|
||||
my $dest_hosts_ref = $zone1ref->{hosts};
|
||||
@ -1787,7 +1787,7 @@ sub generate_matrix() {
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $chain3ref = $filter_table->{4}{forward_chain $interface};
|
||||
my $chain3ref = $filter_table->{1}{forward_chain $interface};
|
||||
for my $hostref ( @$arrayref ) {
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
for my $type1ref ( values %$dest_hosts_ref ) {
|
||||
@ -1826,7 +1826,7 @@ sub generate_matrix() {
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $chain2ref = $filter_table->{4}{forward_chain $interface};
|
||||
my $chain2ref = $filter_table->{1}{forward_chain $interface};
|
||||
for my $hostref ( @$arrayref ) {
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_rule $chain2ref, match_source_net($net) . "-j $last_chain";
|
||||
@ -1842,32 +1842,32 @@ sub generate_matrix() {
|
||||
# Now add the jumps to the interface chains from FORWARD, INPUT, OUTPUT and POSTROUTING
|
||||
#
|
||||
for my $interface ( @interfaces ) {
|
||||
add_rule $filter_table->{4}{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
|
||||
add_rule $filter_table->{4}{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
|
||||
add_rule $filter_table->{4}{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
add_rule $filter_table->{1}{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
|
||||
add_rule $filter_table->{1}{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
|
||||
add_rule $filter_table->{1}{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
|
||||
}
|
||||
|
||||
my $fw = firewall_zone;
|
||||
my $chainref = $filter_table->{4}{"${fw}2${fw}"};
|
||||
my $chainref = $filter_table->{1}{"${fw}2${fw}"};
|
||||
|
||||
add_rule $filter_table->{4}{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||
add_rule $filter_table->{4}{INPUT} , '-i lo -j ACCEPT';
|
||||
add_rule $filter_table->{1}{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||
add_rule $filter_table->{1}{INPUT} , '-i lo -j ACCEPT';
|
||||
|
||||
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||
|
||||
complete_standard_chain $filter_table->{4}{INPUT} , 'all' , firewall_zone;
|
||||
complete_standard_chain $filter_table->{4}{OUTPUT} , firewall_zone , 'all';
|
||||
complete_standard_chain $filter_table->{4}{FORWARD} , 'all' , 'all';
|
||||
complete_standard_chain $filter_table->{1}{INPUT} , 'all' , firewall_zone;
|
||||
complete_standard_chain $filter_table->{1}{OUTPUT} , firewall_zone , 'all';
|
||||
complete_standard_chain $filter_table->{1}{FORWARD} , 'all' , 'all';
|
||||
|
||||
if ( $config{LOGALLNEW} ) {
|
||||
for my $table qw/mangle nat filter/ {
|
||||
for my $chain ( @{$builtins{$table}} ) {
|
||||
log_rule_limit
|
||||
$config{LOGALLNEW} ,
|
||||
$chain_table{$table}{4}{$chain} ,
|
||||
$chain_table{$table}{1}{$chain} ,
|
||||
$table ,
|
||||
$chain ,
|
||||
'' ,
|
||||
@ -1883,7 +1883,7 @@ sub setup_mss( ) {
|
||||
my $clampmss = $config{CLAMPMSS};
|
||||
my $option;
|
||||
my $match = '';
|
||||
my $chainref = $filter_table->{4}{FORWARD};
|
||||
my $chainref = $filter_table->{1}{FORWARD};
|
||||
|
||||
if ( $clampmss ) {
|
||||
if ( "\L$clampmss" eq 'yes' ) {
|
||||
@ -1906,7 +1906,7 @@ sub setup_mss( ) {
|
||||
#
|
||||
# Send all forwarded SYN packets to the 'settcpmss' chain
|
||||
#
|
||||
add_rule $filter_table->{4}{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
|
||||
add_rule $filter_table->{1}{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
|
||||
|
||||
my $in_match = '';
|
||||
my $out_match = '';
|
||||
|
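Review bot: In the `@@ -1077` hunk the optimization compare `return 1 if $target eq "${policy}:$loglevel}";` interpolates `$loglevel` and then a literal `}`, so the right-hand side is something like `DROP:info}` (constructed example) and can never equal a `policy:level` target; the early return looks dead and the rule is emitted even when it only duplicates the policy chain's disposition. If the braced form is what was meant, `return 1 if $target eq "${policy}:${loglevel}";` fixes it; this is pre-existing, and `process_rule1`'s body starts and ends outside the hunk. In the `@@ -1416` hunk, `rules_target` goes on to read `$chainref->{policy}` after `return 'ACCEPT' if $zone eq $zone1;` without checking that the `{1}` lookup found a chain, which autovivifies silently and leaves `$policyref` undefined instead of reporting the missing chain — presumably a `fatal_error` there would be more useful.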
@ -570,21 +570,21 @@ sub setup_tc() {
|
||||
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
|
||||
|
||||
for my $interface ( @routemarked_interfaces ) {
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -j tcpre";
|
||||
add_rule $mangle_table->{1}{PREROUTING} , "-i $interface -j tcpre";
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "$mark_part -j tcpre";
|
||||
add_rule $mangle_table->{4}{OUTPUT} , "$mark_part -j tcout";
|
||||
add_rule $mangle_table->{1}{PREROUTING} , "$mark_part -j tcpre";
|
||||
add_rule $mangle_table->{1}{OUTPUT} , "$mark_part -j tcout";
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
add_rule $mangle_table->{4}{FORWARD} , '-j tcfor';
|
||||
add_rule $mangle_table->{4}{POSTROUTING} , '-j tcpost';
|
||||
add_rule $mangle_table->{1}{FORWARD} , '-j tcfor';
|
||||
add_rule $mangle_table->{1}{POSTROUTING} , '-j tcpost';
|
||||
}
|
||||
|
||||
if ( $config{HIGH_ROUTE_MARKS} ) {
|
||||
for my $chain qw(INPUT FORWARD POSTROUTING) {
|
||||
insert_rule $mangle_table->{4}{$chain}, 1, '-j MARK --and-mark 0xFF';
|
||||
insert_rule $mangle_table->{1}{$chain}, 1, '-j MARK --and-mark 0xFF';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
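Review bot: `for my $chain qw(INPUT FORWARD POSTROUTING) {` in this hunk relies on `qw(...)` standing in for the loop's parentheses, which was deprecated in Perl 5.14 and is a syntax error from 5.18 on, so the rewritten `insert_rule $mangle_table->{1}{$chain}, 1, '-j MARK --and-mark 0xFF';` inside it would not even compile on a current perl. Writing it as `for my $chain ( qw(INPUT FORWARD POSTROUTING) ) {` is equivalent on every version; the same form appears in the rules hunks as `for $chain qw( INPUT FORWARD OUTPUT ) {` and `for my $table qw/mangle nat filter/ {`. `setup_tc` begins outside the hunk.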