Come cleanup of the Chains module

This commit is contained in:
Tom Eastep 2009-07-13 16:54:39 -07:00
parent 3c326841ce
commit d64b526319


@ -226,7 +226,7 @@ use constant { STANDARD => 1, #defined by Netfilter
REDIRECT => 32, #'REDIRECT' REDIRECT => 32, #'REDIRECT'
ACTION => 64, #An action (may be built-in) ACTION => 64, #An action (may be built-in)
MACRO => 128, #A Macro MACRO => 128, #A Macro
LOGRULE => 256, #'LOG' LOGRULE => 256, #'LOG','NFLOG'
NFQ => 512, #'NFQUEUE' NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain CHAIN => 1024, #Manual Chain
}; };
@ -249,15 +249,21 @@ our $idiotcount;
our $global_variables; our $global_variables;
#
# Determines the commands for which a particular interface-oriented shell variable needs to be set
#
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 }; use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
our %interfaceaddr; #
our %interfaceaddrs; # These hashes hold the shell code to set shell variables
our %interfacenets; #
our %interfacemacs; our %interfaceaddr; # First interface address
our %interfacebcasts; our %interfaceaddrs; # All interface addresses
our %interfaceacasts; our %interfacenets; # Networks routed out of the interface
our %interfacegateways; our %interfacemacs; # Interface MAC
our %interfacebcasts; # Broadcast addresses associated with the interface (IPv4)
our %interfaceacasts; # Anycast addresses associated with the interface (IPv6)
our %interfacegateways; # Gateway of default route out of the interface
# #
# Built-in Chains # Built-in Chains
@ -945,9 +951,7 @@ sub ensure_filter_chain( $$ )
{ {
my ($chain, $populate) = @_; my ($chain, $populate) = @_;
my $chainref = $filter_table->{$chain}; my $chainref = ensure_chain 'filter', $chain;
$chainref = new_chain 'filter' , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) { if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) { if ( $section eq 'NEW' or $section eq 'DONE' ) {
@ -1041,7 +1045,6 @@ sub new_manual_chain($) {
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain}; fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
$targets{$chain} = CHAIN; $targets{$chain} = CHAIN;
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1; ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
$chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -1734,7 +1737,7 @@ sub do_helper( $ ) {
} }
# #
# Create a "-m length" match for the passed TOS # Create a "-m length" match for the passed LENGTH
# #
sub do_length( $ ) { sub do_length( $ ) {
my $length = $_[0]; my $length = $_[0];
@ -1836,7 +1839,7 @@ sub match_source_net( $;$ ) {
} }
# #
# Match a Desgination. # Match a Destination.
# #
sub match_dest_net( $ ) { sub match_dest_net( $ ) {
my $net = $_[0]; my $net = $_[0];
@ -2818,7 +2821,7 @@ sub expand_rule( $$$$$$$$$$ )
# #
# We may have to generate part of the input at run-time. The rules array in each chain # We may have to generate part of the input at run-time. The rules array in each chain
# table entry may contain rules (begin with '-A') or shell source. We alternate between # table entry may contain rules (begin with '-A') or shell source. We alternate between
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore # writing the rules ('-A') into the temporary file to be passed to iptables-restore
# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE). # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
# #
# The following two functions are responsible for the mode transitions. # The following two functions are responsible for the mode transitions.
@ -2997,13 +3000,10 @@ sub create_chainlist_reload($) {
push_indent; push_indent;
if ( @chains ) { if ( @chains ) {
if ( @chains == 1 ) { my $word = @chains == 1 ? 'chain' : 'chains';
progress_message2 "Compiling iptables-restore input for chain @chains...";
save_progress_message "Preparing iptables-restore input for chain @chains..."; progress_message2 "Compiling iptables-restore input for $word @chains...";
} else { save_progress_message "Preparing iptables-restore input for $word @chains...";
progress_message2 "Compiling iptables-restore input for chains $chains...";
save_progress_message "Preparing iptables-restore input for chains $chains...";
}
emit ''; emit '';
@ -3014,7 +3014,7 @@ sub create_chainlist_reload($) {
for my $chain ( @chains ) { for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
$chains{$table} = [] unless $chains{$table}; $chains{$table} = [] unless $chains{$table};
@ -3033,7 +3033,7 @@ sub create_chainlist_reload($) {
enter_cat_mode; enter_cat_mode;
for $table qw(nat mangle filter) { for $table qw(raw nat mangle filter) {
next unless $chains{$table}; next unless $chains{$table};
emit_unindented "*$table"; emit_unindented "*$table";
@ -3068,23 +3068,28 @@ sub create_chainlist_reload($) {
enter_cmd_mode; enter_cmd_mode;
# #
# Now generate the actual iptables-restore command # Now generate the actual ip[6]tables-restore command
# #
emit( 'exec 3>&-', emit( 'exec 3>&-',
'',
'progress_message2 "Running iptables-restore..."',
'' ); '' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit ( 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux' ); emit ( 'progress_message2 "Running iptables-restore..."',
'',
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
'if [ $? != 0 ]; then',
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
);
} else { } else {
emit ( 'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux' ); emit ( 'progress_message2 "Running ip6tables-restore..."',
'',
'cat ${VARDIR}/.iptables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
'if [ $? != 0 ]; then',
' fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
);
} }
emit ( 'if [ $? != 0 ]; then',
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
);
} else { } else {
emit('true'); emit('true');
} }
@ -3173,7 +3178,7 @@ sub create_stop_load( $ ) {
# #
emit ('', emit ('',
'if [ $? != 0 ]; then', 'if [ $? != 0 ]; then',
' error_message "ERROR: \$command Failed."', ' error_message "ERROR: $command Failed."',
"fi\n" "fi\n"
); );
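Review bot: The widened table check `fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;` still anchors with `^`/`$`, so a value such as `"filter\n"` passes because `$` also matches before a trailing newline; since `$table` is split out of a chain spec that appears to come from create_chainlist_reload's argument and is then written verbatim into the restore input as `*$table`, the line should read `fatal_error "Invalid table ( $table )" unless $table =~ /\A(?:nat|mangle|filter|raw)\z/;`. The new `raw` entry is matched by `for $table qw(raw nat mangle filter)` in the following hunk, so the two lists stay consistent. In the restore hunk the IPv4 and IPv6 branches now emit identical seven-line blocks that differ only in the tool name and the shell variable; computing `my $tool = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';` (and the matching variable name) once and emitting a single block would keep the two failure messages from drifting. Dropping `$chainref->{referenced} = 1;` from new_manual_chain is only safe if ensure_chain (not shown) marks the chain referenced, because ensure_filter_chain is called there with populate 0 and the populate branch would not run; worth confirming so a manual chain is not silently left out of the generated ruleset. create_chainlist_reload and create_stop_load both start and end outside the hunks shown.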