From c57f627a21d8b702d901452edcad28f8ed485e83 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 11 Jun 2012 11:25:19 -0700
Subject: [PATCH] Add some comments.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2904cc3c9..5f9a3931f 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -301,7 +301,28 @@ our $VERSION = 'MODULEVERSION';
 # Only 'referenced' chains get written to the iptables-restore input.
 #
 # 'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
+###########################################################################################################################################
 #
+# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name if this chain is formed by
+# joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
+# connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
+# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
+#
+#
+# Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
+# FORWARD chain.
+#
+# For each network interface, there are up to 6 chains in the filter table:
+#
+# - Input, Output, Forward "Interface Chains"
+# These are present when there is more than one zone associated with the interface. They are jumped to from the INPUT, OUTPUT and
+# FORWARD chains respectively.
+# - Input Option, Output Option and Forward "Interface Option Chains"
+# Used when blacklisting is involved for enforcing interface options that require Netfilter rules. When these chains are not used,
+# any rules that they contained are moved to the corresponding interface chains.
+#
+
 our %chain_table;
 our $raw_table;
 our $rawpost_table;
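Review bot: The added comment block has two wording slips that change its meaning: in the "canonical rules chain" paragraph, `# the name of this chain is formed by` (not "the name if this chain"), and `# explicit policy for the ordered pair` (not "order pair"), since the text is describing the ordered (source, destination) zone pair introduced one sentence earlier. The sentence on the option chains is also hard to parse; rephrasing it as `# Used when blacklisting is involved, or to enforce interface options that require Netfilter rules.` would make clear that blacklisting and option enforcement are two separate reasons the chain exists, if that is the intended reading. The two consecutive bare `+#` lines after the wildcard-policy sentence look like an accidental double spacer and could be collapsed to one. The hunk's context is top-level package declarations, so no enclosing sub is cut by it.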