Move section processing to the Rules module where it belongs

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-02-20 15:35:58 -08:00
parent c03caf7c2f
commit cf60752988
7 changed files with 163 additions and 114 deletions


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting ); our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4.17'; our $VERSION = '4.4.18';
# #
# Per-IP accounting tables. Each entry contains the associated network. # Per-IP accounting tables. Each entry contains the associated network.
@ -244,7 +244,7 @@ sub process_accounting_rule( ) {
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) { if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
expand_rule( expand_rule(
ensure_filter_chain( 'accountout' , 0 ) , ensure_rules_chain ( 'accountout' ) ,
OUTPUT_RESTRICT , OUTPUT_RESTRICT ,
$rule , $rule ,
$source , $source ,
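Review bot: `ensure_rules_chain ( 'accountout' )` drops the populate flag that the old call `ensure_filter_chain( 'accountout' , 0 )` set to 0, and the ensure_rules_chain defined in the Rules section has no such flag, so the accountout chain may now receive the `ESTABLISHED,RELATED -j ACCEPT` rule and SYN-flood jumps whenever `$section` is NEW, DONE or RELATED at the time setup_accounting runs. An ACCEPT inside an accounting chain would end filter-table traversal for those packets before the OUTPUT rules are reached, which does not look intended here. Since ensure_filter_chain still exists in the Chains module and now only marks the chain referenced, the accounting caller can keep `ensure_filter_chain( 'accountout' , 0 ) ,` (assuming its `$$` prototype is unchanged), or ensure_rules_chain can regain an optional populate argument. This section also shows no `use Shorewall::Rules;` being added, unlike the Tunnels section; if the import is not present elsewhere in the file the new call is unresolved. process_accounting_rule continues outside this hunk.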


@ -86,6 +86,8 @@ our %EXPORT_TAGS = (
no_comment no_comment
macro_comment macro_comment
clear_comment clear_comment
push_coment
pop_comment
incr_cmd_level incr_cmd_level
decr_cmd_level decr_cmd_level
forward_chain forward_chain
@ -119,7 +121,6 @@ our %EXPORT_TAGS = (
new_builtin_chain new_builtin_chain
new_nat_chain new_nat_chain
ensure_filter_chain ensure_filter_chain
finish_section
optimize_chain optimize_chain
check_optimization check_optimization
optimize_ruleset optimize_ruleset
@ -180,8 +181,6 @@ our %EXPORT_TAGS = (
preview_netfilter_load preview_netfilter_load
create_chainlist_reload create_chainlist_reload
create_stop_load create_stop_load
$section
%sections
%targets %targets
) ], ) ],
); );
@ -242,15 +241,8 @@ our $raw_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
#
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
# on Shorewall::Rules.
#
our %sections;
our $section;
our $comment; our $comment;
our @comments;
# #
# Target Types # Target Types
@ -406,22 +398,11 @@ sub initialize( $ ) {
$nat_table = $chain_table{nat}; $nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle}; $mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter}; $filter_table = $chain_table{filter};
#
# These are set to 1 as sections are encountered.
#
%sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
$section = '';
# #
# Contents of last COMMENT line. # Contents of last COMMENT line.
# #
$comment = ''; $comment = '';
@comments = ();
# #
# Used to sequence chain names. # Used to sequence chain names.
# #
@ -472,10 +453,30 @@ sub no_comment() {
} }
# #
# Clear the $comment variable # Clear the $comment variable and the comment stack
# #
sub clear_comment() { sub clear_comment() {
$comment = ''; $comment = '';
@comments = ();
}
#
# Push and Pop comment stack
#
sub push_comment( $ ) {
push @comments, $comment;
$comment = shift;
}
sub pop_comment() {
$comment = pop @comments;
}
#
# Set comment
#
sub set_comment( $ ) {
$comment = shift;
} }
# #
@ -1312,10 +1313,8 @@ sub dont_move( $ ) {
$chainref; $chainref;
} }
sub finish_chain_section( $$ );
# #
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. # Create a filter chain if necessary.
# #
# Return a reference to the chain's table entry. # Return a reference to the chain's table entry.
# #
@ -1325,17 +1324,7 @@ sub ensure_filter_chain( $$ )
my $chainref = ensure_chain 'filter', $chain; my $chainref = ensure_chain 'filter', $chain;
unless ( $chainref->{referenced} ) {
if ( $populate ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
}
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
}
$chainref; $chainref;
} }
@ -1554,60 +1543,6 @@ sub initialize_chain_table()
} }
} }
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
my $savecomment = $comment;
$comment = '';
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
} else {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
$comment = $savecomment;
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced};
}
}
}
# #
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT # Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
# #
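Review bot: The export-tag entry `push_coment` is misspelled; the sub defined in the comment hunk is `push_comment`, so as far as I can tell Exporter aliases a name with no body and the `push_comment('')` call in finish_chain_section in the Rules section fails at runtime with an undefined subroutine (`pop_comment` is spelled correctly and does resolve). Change the entry to `push_comment`. The new `set_comment` sub is defined in the same hunk but not added to the export list; if it is meant for other modules, add it beside `pop_comment`, otherwise prefix it with an underscore so it is clearly internal.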


@ -12,7 +12,7 @@
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty ofs
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
@ -1091,7 +1091,7 @@ sub generate_matrix() {
# #
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; add_jump ensure_rules_chain( rules_chain( $zone, $_ ) ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
if ( $simple ) { if ( $simple ) {
# #
@ -1102,7 +1102,7 @@ sub generate_matrix() {
my $ruleschainref = $filter_table->{$ruleschain}; my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
} }
} }
} }
@ -1110,14 +1110,14 @@ sub generate_matrix() {
if ( $zoneref->{options}{out}{blacklist} ) { if ( $zoneref->{options}{out}{blacklist} ) {
my $blackref = $filter_table->{blackout}; my $blackref = $filter_table->{blackout};
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1; add_jump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , $blackref , 0, $state, 0, -1;
for my $zone1 ( @zones, @vservers ) { for my $zone1 ( @zones, @vservers ) {
my $ruleschain = rules_chain( $zone1, $zone ); my $ruleschain = rules_chain( $zone1, $zone );
my $ruleschainref = $filter_table->{$ruleschain}; my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
} }
} }
} }
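Review bot: The license-header hunk turns `without even the implied warranty of` into `warranty ofs`; the trailing `s` looks like an accidental keystroke and should be reverted to `warranty of`. The four `ensure_rules_chain` calls in generate_matrix now depend on a symbol exported by the Rules module, yet unlike the Tunnels section this file shows no `use Shorewall::Rules;` being added — if that import does not already exist outside the shown hunks, the calls are unresolved at runtime. generate_matrix starts and ends outside these hunks.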


@ -20,9 +20,10 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# This module contains # This module handles policies and rules. It contains:
#
# validate_policy() and it's associated helpers. # validate_policy() and it's associated helpers.
# process_rule() and it's associated helpers for handling Actions and Macros. # process_rules() and it's associated helpers for handling Actions and Macros.
# #
# This module combines the former Policy, Rules and Actions modules. # This module combines the former Policy, Rules and Actions modules.
# #
@ -43,6 +44,7 @@ our @EXPORT = qw(
complete_standard_chain complete_standard_chain
setup_syn_flood_chains setup_syn_flood_chains
save_policies save_policies
ensure_rules_chain
optimize_policy_chains optimize_policy_chains
process_actions1 process_actions1
process_actions2 process_actions2
@ -50,9 +52,11 @@ our @EXPORT = qw(
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_17'; our $VERSION = '4.4_18';
# @policy_chains is a list of references to policy chains in the filter table our %sections;
our $section;
our @policy_chains; our @policy_chains;
@ -106,6 +110,17 @@ sub initialize( $ ) {
REJECT => 'none' , REJECT => 'none' ,
ACCEPT => 'none' , ACCEPT => 'none' ,
QUEUE => 'none' ); QUEUE => 'none' );
#
# These are set to 1 as sections are encountered.
#
%sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
$section = '';
%macros = (); %macros = ();
@actionstack = (); @actionstack = ();
%active = (); %active = ();
@ -120,6 +135,9 @@ sub initialize( $ ) {
} }
} }
###############################################################################
# Functions moved from the former Policy Module
###############################################################################
# #
# Split the passed target into the basic target and parameter # Split the passed target into the basic target and parameter
# #
@ -500,6 +518,8 @@ sub default_policy( $$$ ) {
} }
sub ensure_rules_chain( $ );
sub apply_policy_rules() { sub apply_policy_rules() {
progress_message2 'Applying Policies...'; progress_message2 'Applying Policies...';
@ -521,9 +541,9 @@ sub apply_policy_rules() {
# is a single jump. Generate_matrix() will just use the policy target when # is a single jump. Generate_matrix() will just use the policy target when
# needed. # needed.
# #
ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ); ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
} else { } else {
ensure_filter_chain $name, 1; ensure_rules_chain $name;
} }
} }
@ -546,6 +566,9 @@ sub apply_policy_rules() {
} }
} }
################################################################################
# Modules moved from the Chains module in 4.4.18
################################################################################
# #
# Complete a standard chain # Complete a standard chain
# #
@ -620,6 +643,87 @@ sub optimize_policy_chains() {
progress_message ''; progress_message '';
} }
sub finish_chain_section( $$ );
#
# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
#
# Return a reference to the chain's table entry.
#
sub ensure_rules_chain( $ )
{
my ($chain) = @_;
my $chainref = ensure_chain 'filter', $chain;
unless ( $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
}
$chainref->{referenced} = 1;
}
$chainref;
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
push_comment(''); #These rules should not have comments
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
} else {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
pop_comment;
}
#
# Do section-end processing
#
sub finish_section ( $ ) {
my $sections = $_[0];
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced};
}
}
}
################################################################################
# Functions moved from the Actions module in 4.4.16
################################################################################
# #
# Return ( action, level[:tag] ) from passed full action # Return ( action, level[:tag] ) from passed full action
# #
@ -1276,7 +1380,9 @@ sub process_actions2 () {
} }
} }
} }
################################################################################
# End of functions moved from the Actions module in 4.4.16
################################################################################
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
@ -1681,7 +1787,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
# #
# Mark the chain as referenced and add appropriate rules from earlier sections. # Mark the chain as referenced and add appropriate rules from earlier sections.
# #
$chainref = ensure_filter_chain $chain, 1; $chainref = ensure_rules_chain $chain;
# #
# Don't let the rules in this chain be moved elsewhere # Don't let the rules in this chain be moved elsewhere
# #
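Review bot: `$section`, `%sections` and `finish_section` are removed from the Chains export tags, but the Rules export hunk adds only `ensure_rules_chain`, so any module other than Rules that read `$section` or called `finish_section` through Chains now hits an undefined variable or subroutine; I cannot see those callers, so if all of them live in Rules.pm this is fine, otherwise add the names to `@EXPORT` next to `ensure_rules_chain`. The divider `# Modules moved from the Chains module in 4.4.18` introduces subroutines, not modules, and the other dividers in this file say `Functions moved`, so use `# Functions moved from the Chains module in 4.4.18`. The module header still reads `it's associated helpers` on two lines, which should be `its associated helpers`.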


@ -28,13 +28,14 @@ use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones; use Shorewall::Zones;
use Shorewall::IPAddrs; use Shorewall::IPAddrs;
use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Rules;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels ); our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( ); our @EXPORT_OK = ( );
our $VERSION = '4.4_14'; our $VERSION = '4.4_18';
# #
# Here starts the tunnel stuff -- we really should get rid of this crap... # Here starts the tunnel stuff -- we really should get rid of this crap...
@ -83,8 +84,8 @@ sub setup_tunnels() {
for my $zone ( split_list $gatewayzones, 'zone' ) { for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone ); my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT; fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
unless ( have_ipsec ) { unless ( have_ipsec ) {
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
@ -239,8 +240,8 @@ sub setup_tunnels() {
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT; fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
$gateway = ALLIP if $gateway eq '-'; $gateway = ALLIP if $gateway eq '-';


@ -4,6 +4,10 @@ Changes in Shorewall 4.4.18 Beta 4
2) Change default value of MODULE_PREFIX. 2) Change default value of MODULE_PREFIX.
3) Combine Policy and Rules Modules
4) Move section processing to the Rules modules.
Changes in Shorewall 4.4.18 Beta 3 Changes in Shorewall 4.4.18 Beta 3
1) Change default chain in FORWARD section of the accounting file. 1) Change default chain in FORWARD section of the accounting file.


@ -127,6 +127,9 @@ None.
Netfilter releases which disallow the owner match in rules Netfilter releases which disallow the owner match in rules
reachable from the INPUT and FORWARD hooks. reachable from the INPUT and FORWARD hooks.
3) Internals Change: The Policy.pm module has been merged into the
Rules.pm module.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------