diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm new file mode 100644 index 000000000..ed9f15bd0 --- /dev/null +++ b/New/Shorewall/Chains.pm @@ -0,0 +1,227 @@ +package Shorewall::Chains; +require Exporter; + +our @ISA = qw(Exporter); +our @EXPORT = qw( add_rule + insert_rule + chain_base + forward_chain + input_chain + output_chain + masq_chain + syn_chain + mac_chain + macrecent_target + dynamic_fwd + dynamic_in + dynamic_out + cynamic_chains + dnat_chain + snat_chain + ecn_chain + first_chains + + @policy_chains + %chain_table + $nat_table + $mangle_table + $filter_table ); +our @EXPORT_OK = (); +our @VERSION = 1.00; + +# +# Chain Table +# +# @policy_chains is a list of references to policy chains in the filter table +# +# %chain_table { => { => { name => +# is_policy => 0|1 +# is_optionsl => 0|1 +# referenced => 0|1 +# policy => +# loglevel => +# synparams => +# default => +# policy_chain => +# rules => [ +# +# ... +# ] +# +# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be +# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional. +# +# Only 'referenced' chains get written to the iptables-restore output. +# +# 'loglevel', 'synparams' and 'default' only apply to policy chains. +# +my @policy_chains; +my %chain_table = ( raw => {} , + mangle => {}, + nat => {}, + filter => {} ); + +my $nat_table = $chain_table{nat}; +my $mangle_table = $chain_table{mangle}; +my $filter_table = $chain_table{filter}; + +# +# Add a rule to a chain. Arguments are: +# +# Chain reference , Rule +# +sub add_rule($$) +{ + my ($chainref, $rule) = @_; + + $rule .= " -m comment --comment \"$comment\"" if $comment; + + push @{$chainref->{rules}}, $rule; + + $chainref->{referenced} = 1; + + $iprangematch = 0; + $ipsetmatch = 0; +} + +# +# Insert a rule into a chain. Arguments are: +# +# Table , Chain , Rule Number, Rule +# +sub insert_rule($$$) +{ + my ($chainref, $number, $rule) = @_; + + $rule .= "-m comment --comment \"$comment\"" if $comment; + + splice @{$chainref->{rules}}, $number - 1, 0, $rule; + + $chainref->{referenced} = 1; + + $iprangematch = 0; + $ipsetmatch = 0; +} + +# +# Form the name of a chain. +# +sub chain_base($) { + my $chain = $_[0]; + + $chain =~ s/^@/at_/; + $chain =~ s/[.\-%@]/_/g; + $chain; +} + +# +# Forward Chain for an interface +# +sub forward_chain($) +{ + chain_base $_[0] . '_fwd'; +} + +# +# Input Chain for an interface +# +sub input_chain($) +{ + chain_base $_[0] . '_in'; +} + +# +# Output Chain for an interface +# +sub output_chain($) +{ + chain_base $_[0] . '_out'; +} + +# +# Masquerade Chain for an interface +# +sub masq_chain($) +{ + chain_base $_[0] . '_masq'; +} + +# +# Syn_chain +# +sub syn_chain ( $ ) { + '@' . $_[0]; +} +# +# MAC Verification Chain for an interface +# +sub mac_chain( $ ) +{ + chain_base $_[0] . '_mac'; +} + +sub macrecent_target($) +{ + $config{MACLIST_TTL} ? chain_base $_[0] . '_rec' : 'RETURN'; +} + +# +# Functions for creating dynamic zone rules +# +sub dynamic_fwd( $ ) +{ + chain_base $_[0] . '_dynf'; +} + +sub dynamic_in( $ ) +{ + chain_base $_[0] . '_dyni'; +} + +sub dynamic_out( $ ) # $1 = interface +{ + chain_base $_[0] . '_out'; +} + +sub dynamic_chains( $ ) #$1 = interface +{ + my $c = chain_base $_[0]; + + [ $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ]; +} + +# +# DNAT Chain from a zone +# +sub dnat_chain( $ ) +{ + chain_base $_[0] . '_dnat'; +} + +# +# SNAT Chain to an interface +# +sub snat_chain( $ ) +{ + chain_base $_[0] . '_snat'; +} + +# +# ECN Chain to an interface +# +sub ecn_chain( $ ) +{ + chain_base $_[0] . '_ecn'; +} + +# +# First chains for an interface +# +sub first_chains( $ ) #$1 = interface +{ + my $c = chain_base $_[0]; + + [ $c . '_fwd', $c . '_in' ]; +} + +1; diff --git a/New/compiler.pl b/New/compiler.pl index cfcd66804..1e8051e76 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -6,6 +6,7 @@ use File::Temp qw/ tempfile tempdir /; use lib "$ENV{HOME}/shorewall/trunk/New"; use Shorewall::Common; use Shorewall::Config; +use Shorewall::Chains; # # IPSEC Option types @@ -70,41 +71,6 @@ my $firewall_zone; my @interfaces; my %interfaces; -# -# Chain Table -# -# @policy_chains is a list of references to policy chains in the filter table -# -# %chain_table {
=> { => { name => -# is_policy => 0|1 -# is_optionsl => 0|1 -# referenced => 0|1 -# policy => -# loglevel => -# synparams => -# default => -# policy_chain => -# rules => [ -# -# ... -# ] -# -# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be -# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional. -# -# Only 'referenced' chains get written to the iptables-restore output. -# -# 'loglevel', 'synparams' and 'default' only apply to policy chains. -# -my @policy_chains; -my %chain_table = ( raw => {} , - mangle => {}, - nat => {}, - filter => {} ); - -my $nat_table = $chain_table{nat}; -my $mangle_table = $chain_table{mangle}; -my $filter_table = $chain_table{filter}; # # Contents of last COMMENT line. # @@ -1341,165 +1307,6 @@ sub validate_policy() close POLICY; } -# -# Add a rule to a chain. Arguments are: -# -# Chain reference , Rule -# -sub add_rule($$) -{ - my ($chainref, $rule) = @_; - - $rule .= " -m comment --comment \"$comment\"" if $comment; - - push @{$chainref->{rules}}, $rule; - - $chainref->{referenced} = 1; - - $iprangematch = 0; - $ipsetmatch = 0; -} - -# -# Insert a rule into a chain. Arguments are: -# -# Table , Chain , Rule Number, Rule -# -sub insert_rule($$$) -{ - my ($chainref, $number, $rule) = @_; - - $rule .= "-m comment --comment \"$comment\"" if $comment; - - splice @{$chainref->{rules}}, $number - 1, 0, $rule; - - $chainref->{referenced} = 1; - - $iprangematch = 0; - $ipsetmatch = 0; -} - -# -# Form the name of a chain. -# -sub chain_base($) { - my $chain = $_[0]; - - $chain =~ s/^@/at_/; - $chain =~ s/[.\-%@]/_/g; - $chain; -} - -# -# Forward Chain for an interface -# -sub forward_chain($) -{ - chain_base $_[0] . '_fwd'; -} - -# -# Input Chain for an interface -# -sub input_chain($) -{ - chain_base $_[0] . '_in'; -} - -# -# Output Chain for an interface -# -sub output_chain($) -{ - chain_base $_[0] . '_out'; -} - -# -# Masquerade Chain for an interface -# -sub masq_chain($) -{ - chain_base $_[0] . '_masq'; -} - -# -# Syn_chain -# -sub syn_chain ( $ ) { - '@' . $_[0]; -} -# -# MAC Verification Chain for an interface -# -sub mac_chain( $ ) -{ - chain_base $_[0] . '_mac'; -} - -sub macrecent_target($) -{ - $config{MACLIST_TTL} ? chain_base $_[0] . '_rec' : 'RETURN'; -} - -# -# Functions for creating dynamic zone rules -# -sub dynamic_fwd( $ ) -{ - chain_base $_[0] . '_dynf'; -} - -sub dynamic_in( $ ) -{ - chain_base $_[0] . '_dyni'; -} - -sub dynamic_out( $ ) # $1 = interface -{ - chain_base $_[0] . '_out'; -} - -sub dynamic_chains( $ ) #$1 = interface -{ - my $c = chain_base $_[0]; - - [ $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ]; -} - -# -# DNAT Chain from a zone -# -sub dnat_chain( $ ) -{ - chain_base $_[0] . '_dnat'; -} - -# -# SNAT Chain to an interface -# -sub snat_chain( $ ) -{ - chain_base $_[0] . '_snat'; -} - -# -# ECN Chain to an interface -# -sub ecn_chain( $ ) -{ - chain_base $_[0] . '_ecn'; -} - -# -# First chains for an interface -# -sub first_chains( $ ) #$1 = interface -{ - my $c = chain_base $_[0]; - - [ $c . '_fwd', $c . '_in' ]; -} - # # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string. #