From cfa3212b3031c86746c253b8cb96c37982e4ae8f Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 7 Dec 2008 19:51:52 +0000 Subject: [PATCH] Restructure chain table for IPv6 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 113 ++++++++++++++++++++--------- 1 file changed, 78 insertions(+), 35 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 65ce76d19..3fd7151ad 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -44,6 +44,9 @@ our @EXPORT = qw( log_rule_limit %chain_table + %xlatetable + %ipv4tables + %ipv6tables $nat_table $mangle_table $filter_table @@ -191,6 +194,16 @@ our %chain_table; our $nat_table; our $mangle_table; our $filter_table; +our %xlatetable = ( raw => 'raw' , + nat => 'nat' , + mangle => 'mangle' , + filter => 'filter' , + raw6 => 'raw' , + mangle6 => 'mangle' , + filter6 => 'filter' ); + +our @ipv4tables = qw( raw mangle nat filter ); +our @ipv6tables = qw( raw6 mangle6 filter6 ); # # It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file # and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent @@ -212,6 +225,7 @@ use constant { STANDARD => 1, #defined by Netfilter LOGRULE => 256, #'LOG' NFQ => 512, #'NFQUEUE' CHAIN => 1024, #Manual Chain + IPV4ONLY => 2048, #Not Available with IPV6 }; our %targets; @@ -247,6 +261,18 @@ use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptabl our $mode; +sub use_ipv4() { + $nat_table = $chain_table{nat}; + $mangle_table = $chain_table{mangle}; + $filter_table = $chain_table{filter}; +} + +sub use_ipv6() { + $nat_table = undef; + $mangle_table = $chain_table{mangle6}; + $filter_table = $chain_table{filter6}; +} + # # Initialize globals -- we take this novel approach to globals initialization to allow # the compiler to run multiple times in the same process. The @@ -257,15 +283,22 @@ our $mode; # sub initialize() { - %chain_table = ( raw => {} , - mangle => {}, - nat => {}, - filter => {} ); + %chain_table = ( raw => {} , + mangle => {} , + nat => {} , + filter => {} , + raw6 => {} , + filter6 => {} ); - $nat_table = $chain_table{nat}; - $mangle_table = $chain_table{mangle}; - $filter_table = $chain_table{filter}; + $chain_table{raw}{__NAME__} = 'raw'; + $chain_table{mangle}{__NAME__} = 'mangle'; + $chain_table{nat}{__NAME__} = 'nat'; + $chain_table{filter}{__NAME__} = 'filter'; + $chain_table{raw6}{__NAME__} = 'raw'; + $chain_table{mangle6}{__NAME__} = 'mangle'; + $chain_table{filter6}{__NAME__} = 'filter'; + use_ipv4; # # These get set to 1 as sections are encountered. # @@ -285,35 +318,35 @@ sub initialize() { # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table # %targets = ('ACCEPT' => STANDARD, - 'ACCEPT+' => STANDARD + NONAT, + 'ACCEPT+' => STANDARD + NONAT + IPV4ONLY, 'ACCEPT!' => STANDARD, - 'NONAT' => STANDARD + NONAT + NATONLY, + 'NONAT' => STANDARD + NONAT + NATONLY + IPV4ONLY, 'DROP' => STANDARD, 'DROP!' => STANDARD, 'REJECT' => STANDARD, 'REJECT!' => STANDARD, - 'DNAT' => NATRULE, - 'DNAT-' => NATRULE + NATONLY, - 'REDIRECT' => NATRULE + REDIRECT, - 'REDIRECT-' => NATRULE + REDIRECT + NATONLY, - 'LOG' => STANDARD + LOGRULE, + 'DNAT' => NATRULE + IPV4ONLY, + 'DNAT-' => NATRULE + NATONLY + IPV4ONLY, + 'REDIRECT' => NATRULE + REDIRECT + IPV4ONLY, + 'REDIRECT-' => NATRULE + REDIRECT + NATONLY + IPV4ONLY, + 'LOG' => STANDARD + LOGRULE, 'CONTINUE' => STANDARD, 'CONTINUE!' => STANDARD, 'QUEUE' => STANDARD, 'QUEUE!' => STANDARD, - 'NFQUEUE' => STANDARD + NFQ, - 'NFQUEUE!' => STANDARD + NFQ, - 'SAME' => NATRULE, - 'SAME-' => NATRULE + NATONLY, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, - 'dropNotSyn' => BUILTIN + ACTION, - 'rejNotSyn' => BUILTIN + ACTION, - 'dropInvalid' => BUILTIN + ACTION, - 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, + 'NFQUEUE' => STANDARD + NFQ, + 'NFQUEUE!' => STANDARD + NFQ, + 'SAME' => NATRULE + IPV4ONLY, + 'SAME-' => NATRULE + NATONLY + IPV4ONLY, + 'dropBcast' => BUILTIN + ACTION, + 'allowBcast' => BUILTIN + ACTION, + 'dropNotSyn' => BUILTIN + ACTION, + 'rejNotSyn' => BUILTIN + ACTION, + 'dropInvalid' => BUILTIN + ACTION, + 'allowInvalid' => BUILTIN + ACTION, + 'allowinUPnP' => BUILTIN + ACTION, + 'forwardUPnP' => BUILTIN + ACTION, + 'Limit' => BUILTIN + ACTION, ); # # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... @@ -336,6 +369,8 @@ sub initialize() { %interfacemacs = (); %interfacebcasts = (); %interfacegateways = (); + + @ipv4tables = ( qw/ filter / ); } INIT { @@ -813,7 +848,7 @@ sub ensure_filter_chain( $$ ) my $chainref = $filter_table->{$chain}; - $chainref = new_chain 'filter' , $chain unless $chainref; + $chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref; if ( $populate and ! $chainref->{referenced} ) { if ( $section eq 'NEW' or $section eq 'DONE' ) { @@ -840,7 +875,7 @@ sub ensure_accounting_chain( $ ) if ( $chainref ) { fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting}; } else { - $chainref = new_chain 'filter' , $chain unless $chainref; + $chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref; $chainref->{accounting} = 1; $chainref->{referenced} = 1; } @@ -851,7 +886,7 @@ sub ensure_accounting_chain( $ ) sub ensure_mangle_chain($) { my $chain = $_[0]; - my $chainref = ensure_chain 'mangle', $chain; + my $chainref = ensure_chain $mangle_table->{__NAME__}, $chain; $chainref->{referenced} = 1; @@ -882,7 +917,7 @@ sub new_builtin_chain($$$) } sub new_standard_chain($) { - my $chainref = new_chain 'filter' ,$_[0]; + my $chainref = new_chain $filter_table->{__NAME__} ,$_[0]; $chainref->{referenced} = 1; $chainref; } @@ -916,11 +951,13 @@ sub ensure_manual_chain($) { sub initialize_chain_table() { for my $chain qw(OUTPUT PREROUTING) { - new_builtin_chain 'raw', $chain, 'ACCEPT'; + new_builtin_chain 'raw' , $chain, 'ACCEPT'; + new_builtin_chain 'raw6', $chain, 'ACCEPT'; } for my $chain qw(INPUT OUTPUT FORWARD) { - new_builtin_chain 'filter', $chain, 'DROP'; + new_builtin_chain 'filter', $chain, 'DROP'; + new_builtin_chain 'filter6', $chain, 'DROP'; } for my $chain qw(PREROUTING POSTROUTING OUTPUT) { @@ -929,6 +966,7 @@ sub initialize_chain_table() for my $chain qw(PREROUTING INPUT OUTPUT ) { new_builtin_chain 'mangle', $chain, 'ACCEPT'; + new_builtin_chain 'mangle6', $chain, 'ACCEPT'; } if ( $capabilities{MANGLE_FORWARD} ) { @@ -936,6 +974,10 @@ sub initialize_chain_table() new_builtin_chain 'mangle', $chain, 'ACCEPT'; } } + + for my $chain qw( FORWARD POSTROUTING ) { + new_builtin_chain 'mangle6', $chain, 'ACCEPT'; + } } # @@ -986,7 +1028,7 @@ sub finish_section ( $ ) { for my $zone ( all_zones ) { for my $zone1 ( all_zones ) { - my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; + my $chainref = $filter_table->{"${zone}2${zone1}"}; if ( $chainref->{referenced} ) { finish_chain_section $chainref, $sections; } @@ -2402,7 +2444,7 @@ sub create_netfilter_load() { # # First create the chains in the current table # - for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { + for my $chain ( grep reftype $chain_table{$table}{$_} && $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { my $chainref = $chain_table{$table}{$chain}; unless ( $chainref->{builtin} ) { fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; @@ -2495,6 +2537,7 @@ sub create_chainlist_reload($) { push @{$chains{$table}}, $chain; } else { while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { + next unless reftype $chainref; push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; } }