Add chain information to the builtin_target table.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
5985a6e9b3
commit
11e61ec6e5
@ -108,6 +108,10 @@ our @EXPORT = ( qw(
|
||||
INLINERULE
|
||||
OPTIONS
|
||||
IPTABLES
|
||||
FILTER_TABLE
|
||||
NAT_TABLE
|
||||
MANGLE_TABLE
|
||||
RAW_TABLE
|
||||
|
||||
%chain_table
|
||||
%targets
|
||||
@ -419,6 +423,11 @@ use constant { STANDARD => 0x1, #defined by Netfilter
|
||||
INLINERULE => 0x40000, #INLINE
|
||||
OPTIONS => 0x80000, #Target Accepts Options
|
||||
IPTABLES => 0x100000, #IPTABLES or IP6TABLES
|
||||
|
||||
FILTER_TABLE => 0x1000000,
|
||||
MANGLE_TABLE => 0x2000000,
|
||||
RAW_TABLE => 0x4000000,
|
||||
NAT_TABLE => 0x8000000,
|
||||
};
|
||||
#
|
||||
# Valid Targets -- value is a combination of one or more of the above
|
||||
@ -525,59 +534,59 @@ our $family;
|
||||
#
|
||||
# These are the current builtin targets
|
||||
#
|
||||
our %builtin_target = ( ACCEPT => 1,
|
||||
ACCOUNT => 1,
|
||||
AUDIT => 1,
|
||||
CHAOS => 1,
|
||||
CHECKSUM => 1,
|
||||
CLASSIFY => 1,
|
||||
CLUSTERIP => 1,
|
||||
CONNMARK => 1,
|
||||
CONNSECMARK => 1,
|
||||
COUNT => 1,
|
||||
CT => 1,
|
||||
DELUDE => 1,
|
||||
DHCPMAC => 1,
|
||||
DNAT => 1,
|
||||
DNETMAP => 1,
|
||||
DROP => 1,
|
||||
DSCP => 1,
|
||||
ECHO => 1,
|
||||
ECN => 1,
|
||||
HL => 1,
|
||||
IDLETIMER => 1,
|
||||
IPMARK => 1,
|
||||
LOG => 1,
|
||||
LOGMARK => 1,
|
||||
MARK => 1,
|
||||
MASQUERADE => 1,
|
||||
MIRROR => 1,
|
||||
NETMAP => 1,
|
||||
NFLOG => 1,
|
||||
NFQUEUE => 1,
|
||||
NOTRACK => 1,
|
||||
QUEUE => 1,
|
||||
RATEEST => 1,
|
||||
RAWDNAT => 1,
|
||||
RAWSNAT => 1,
|
||||
REDIRECT => 1,
|
||||
REJECT => 1,
|
||||
RETURN => 1,
|
||||
SAME => 1,
|
||||
SECMARK => 1,
|
||||
SET => 1,
|
||||
SNAT => 1,
|
||||
STEAL => 1,
|
||||
SYSRQ => 1,
|
||||
TARPIT => 1,
|
||||
TCPMSS => 1,
|
||||
TCPOPTSTRIP => 1,
|
||||
TEE => 1,
|
||||
TOS => 1,
|
||||
TPROXY => 1,
|
||||
TRACE => 1,
|
||||
TTL => 1,
|
||||
ULOG => 1,
|
||||
our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
ACCOUNT => STANDARD + MANGLE_TABLE,
|
||||
AUDIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
CHAOS => STANDARD + FILTER_TABLE,
|
||||
CHECKSUM => STANDARD + MANGLE_TABLE,
|
||||
CLASSIFY => STANDARD + MANGLE_TABLE,
|
||||
CLUSTERIP => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||
CONNMARK => STANDARD + MANGLE_TABLE,
|
||||
CONNSECMARK => STANDARD + MANGLE_TABLE,
|
||||
COUNT => STANDARD + FILTER_TABLE,
|
||||
CT => STANDARD + RAW_TABLE,
|
||||
DELUDE => STANDARD + FILTER_TABLE,
|
||||
DHCPMAC => STANDARD + MANGLE_TABLE,
|
||||
DNAT => STANDARD + NAT_TABLE,
|
||||
DNETMAP => STANDARD + NAT_TABLE,
|
||||
DROP => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
DSCP => STANDARD + MANGLE_TABLE,
|
||||
ECHO => STANDARD + FILTER_TABLE,
|
||||
ECN => STANDARD + MANGLE_TABLE,
|
||||
HL => STANDARD + MANGLE_TABLE,
|
||||
IDLETIMER => STANDARD,
|
||||
IPMARK => STANDARD + MANGLE_TABLE,
|
||||
LOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
LOGMARK => STANDARD + MANGLE_TABLE,
|
||||
MARK => STANDARD + FILTER_TABLE + MANGLE_TABLE,
|
||||
MASQUERADE => STANDARD + NAT_TABLE,
|
||||
MIRROR => STANDARD + FILTER_TABLE,
|
||||
NETMAP => STANDARD + NAT_TABLE,,
|
||||
NFLOG => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||
NFQUEUE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
NOTRACK => STANDARD + RAW_TABLE,
|
||||
QUEUE => STANDARD + FILTER_TABLE,
|
||||
RATEEST => STANDARD + MANGLE_TABLE,
|
||||
RAWDNAT => STANDARD + RAW_TABLE,
|
||||
RAWSNAT => STANDARD + RAW_TABLE,
|
||||
REDIRECT => STANDARD + NAT_TABLE,
|
||||
REJECT => STANDARD + FILTER_TABLE,
|
||||
RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||
SAME => STANDARD,
|
||||
SECMARK => STANDARD + MANGLE_TABLE,
|
||||
SET => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||
SNAT => STANDARD + NAT_TABLE,
|
||||
STEAL => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
SYSRQ => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
TARPIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
TCPMSS => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
TCPOPTSTRIP => STANDARD + MANGLE_TABLE,
|
||||
TEE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
TOS => STANDARD + MANGLE_TABLE,
|
||||
TPROXY => STANDARD + MANGLE_TABLE,
|
||||
TRACE => STANDARD + RAW_TABLE,
|
||||
TTL => STANDARD + MANGLE_TABLE,
|
||||
ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||
);
|
||||
|
||||
our %ipset_exists;
|
||||
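Review bot: The `NETMAP => STANDARD + NAT_TABLE,,` entry carries a doubled comma; Perl silently accepts the empty list element, but it is an editing slip that should be `NETMAP => STANDARD + NAT_TABLE,`. The table combines flag bits with `+`, which is only correct while every constant is a distinct bit; `|` (as the new code in process_actions already uses) states the intent and cannot double-count if a name is ever repeated. IDLETIMER and SAME are the only entries with no *_TABLE bit, so the new `$target_type & $table` check in handle_inline will reject them in every table; if that is deliberate, a trailing comment such as `# no table bit: not usable via INLINE/IPTABLES` on those two lines would save the next reader from treating it as an omission.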
@ -8462,8 +8471,8 @@ sub get_target_param1( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub handle_inline( $$$$ ) {
|
||||
my ( $action, $basictarget, $param, $loglevel ) = @_;
|
||||
sub handle_inline( $$$$$$ ) {
|
||||
my ( $table, $tablename, $action, $basictarget, $param, $loglevel ) = @_;
|
||||
my $inline_matches = get_inline_matches(1);
|
||||
my $raw_matches = '';
|
||||
|
||||
@ -8471,7 +8480,9 @@ sub handle_inline( $$$$ ) {
|
||||
$raw_matches .= $1 if supplied $1;
|
||||
$action = $2;
|
||||
my ( $target ) = split ' ', $action;
|
||||
fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
|
||||
my $target_type = $builtin_target{$target};
|
||||
fatal_error "Unknown jump target ($action)" unless $target_type;
|
||||
fatal_error "The $target TARGET is not allowed in the $tablename table" unless $target_type & $table;
|
||||
fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
|
||||
} else {
|
||||
$raw_matches .= $inline_matches;
|
||||
|
@ -1735,6 +1735,10 @@ sub process_actions() {
|
||||
my $noinline = 0;
|
||||
my $nolog = ( $type == INLINE ) || 0;
|
||||
my $builtin = 0;
|
||||
my $raw = 0;
|
||||
my $mangle = 0;
|
||||
my $filter = 0;
|
||||
my $nat = 0;
|
||||
|
||||
if ( $action =~ /:/ ) {
|
||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||
@ -1753,6 +1757,14 @@ sub process_actions() {
|
||||
$nolog = 1;
|
||||
} elsif ( $_ eq 'builtin' ) {
|
||||
$builtin = 1;
|
||||
} elsif ( $_ eq 'mangle' ) {
|
||||
$mangle = 1;
|
||||
} elsif ( $_ eq 'raw' ) {
|
||||
$raw = 1;
|
||||
} elsif ( $_ eq 'filter' ) {
|
||||
$filter = 1;
|
||||
} elsif ( $_ eq 'nat' ) {
|
||||
$nat = 1;
|
||||
} else {
|
||||
fatal_error "Invalid option ($_)";
|
||||
}
|
||||
@ -1777,9 +1789,18 @@ sub process_actions() {
|
||||
}
|
||||
|
||||
if ( $builtin ) {
|
||||
$targets{$action} = USERBUILTIN + OPTIONS;
|
||||
$builtin_target{$action} = 1;
|
||||
my $actiontype = USERBUILTIN | OPTIONS;
|
||||
$actiontype |= MANGLE_TABLE if $mangle;
|
||||
$actiontype |= RAW_TABLE if $raw;
|
||||
$actiontype |= NAT_TABLE if $nat;
|
||||
#
|
||||
# For backward compatibility, we assume that user-defined builtins are valid in the filter table
|
||||
#
|
||||
$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
|
||||
$builtin_target{$action} = $actiontype;
|
||||
$targets{$action} = $actiontype;
|
||||
} else {
|
||||
fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
|
||||
new_action $action, $type, $noinline, $nolog;
|
||||
|
||||
my $actionfile = find_file( "action.$action" );
|
||||
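Review bot: The backward-compatibility comment above `$actiontype |= FILTER_TABLE ...` describes only half of the rule the condition encodes: a builtin with no table option is assumed valid in filter, but naming `mangle`, `raw` or `nat` drops that assumption unless `filter` is also listed. Suggest rewording it to `# For backward compatibility, a builtin with no table option is assumed valid in the filter table only; listing any other table removes that assumption unless 'filter' is also given`. Note also that `$targets{$action}` now carries the *_TABLE bits alongside USERBUILTIN and OPTIONS, so any existing code that compares `$targets{...}` for equality rather than masking with `&` would stop matching — I cannot see such a site in this hunk, so this is only something to confirm. The enclosing process_actions body continues outside the hunk.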
@ -2168,7 +2189,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$param = '' unless defined $param;
|
||||
|
||||
if ( $basictarget eq 'INLINE' ) {
|
||||
( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel );
|
||||
( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
|
||||
} elsif ( $config{INLINE_MATCHES} ) {
|
||||
$raw_matches = get_inline_matches(0);
|
||||
}
|
||||
@ -2326,7 +2347,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $param ) {
|
||||
fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
|
||||
my ( $tgt, $options ) = split / /, $param;
|
||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
$action = $param;
|
||||
} else {
|
||||
$action = '';
|
||||
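Review bot: The new error text `"The $tgt TARGET is now allowed in the filter table"` inverts its meaning — it is emitted when the target is *not* allowed; change it to `fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;`. The same typo appears in the IP6TABLES branch in the next hunk. Separately, the replaced check used to accept `$targets{$tgt} || $builtin_target{$tgt}` while the new one consults only `%builtin_target`, so a non-builtin action name that previously passed here would now fail as an unknown target; if that narrowing is intended it deserves a one-line comment. The enclosing process_rule body continues outside the hunk.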
@ -2337,7 +2360,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $param ) {
|
||||
fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
|
||||
my ( $tgt, $options ) = split / /, $param;
|
||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
$action = $param;
|
||||
} else {
|
||||
$action = '';
|
||||
|
@ -471,7 +471,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
function => sub () {
|
||||
fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
|
||||
my ( $tgt, $options ) = split( ' ', $params );
|
||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
|
||||
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless
|
||||
$target = $params;
|
||||
},
|
||||
},
|
||||
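Review bot: The line `fatal_error "The $tgt TARGET is not allowed in the mangle table" unless` immediately after the completed MANGLE_TABLE check looks like a stray fragment on the new side (the hunk header's +10 count only works out if it is). Because it lacks a terminating semicolon, Perl parses it together with the next statement as `fatal_error "..." unless $target = $params;`, so the assignment becomes the condition and a false `$params` (for example `'0'`) raises a misleading "not allowed" error instead of being assigned. Delete that line so the block ends with `fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;` followed by `$target = $params;`, matching the IP6TABLES branch in the next hunk. The enclosing process_mangle_rule1 body continues outside the hunk.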
@ -484,7 +487,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
function => sub () {
|
||||
fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
|
||||
my ( $tgt, $options ) = split( ' ', $params );
|
||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
|
||||
$target = $params;
|
||||
},
|
||||
},
|
||||
@ -681,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Invalid ACTION ($cmd)" unless $commandref;
|
||||
|
||||
if ( $cmd eq 'INLINE' ) {
|
||||
( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( $action, $cmd, $params, '' );
|
||||
( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
|
||||
} elsif ( $config{INLINE_MATCHES} ) {
|
||||
$raw_matches = get_inline_matches(0);
|
||||
}
|
||||
|