Add an argument to new_chain()

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7321 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-11 20:21:51 +00:00
parent 5c5f2b3a06
commit 12d19c8ec3
5 changed files with 28 additions and 21 deletions


@ -272,7 +272,7 @@ sub createlogactionchain( $$ ) {
$actionref = new_action $action unless $actionref; $actionref = new_action $action unless $actionref;
$logactionchains{"$action:$level"} = $chainref = new_chain 'filter', '%' . $chain . $actionref->{actchain}++; $logactionchains{"$action:$level"} = $chainref = new_chain 'filter', IPv4, '%' . $chain . $actionref->{actchain}++;
mark_referenced $chainref; # Just in case the action body is empty. mark_referenced $chainref; # Just in case the action body is empty.
@ -298,7 +298,7 @@ sub createlogactionchain( $$ ) {
sub createsimpleactionchain( $ ) { sub createsimpleactionchain( $ ) {
my $action = shift; my $action = shift;
my $chainref = new_chain 'filter', $action; my $chainref = new_chain 'filter', IPv4, $action;
$logactionchains{"$action:none"} = $chainref; $logactionchains{"$action:none"} = $chainref;
@ -768,7 +768,7 @@ sub process_actions3 () {
add_rule $chainref, "-m recent --name $set --set"; add_rule $chainref, "-m recent --name $set --set";
if ( $level ne '' ) { if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%"; my $xchainref = new_chain 'filter' , IPv4, "$chainref->{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
add_rule $xchainref, '-j DROP'; add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";


@ -51,6 +51,8 @@ our @EXPORT = qw( STANDARD
OUTPUT_RESTRICT OUTPUT_RESTRICT
POSTROUTE_RESTRICT POSTROUTE_RESTRICT
ALL_RESTRICT ALL_RESTRICT
IPv4
IPv6
process_comment process_comment
clear_comment clear_comment
@ -129,6 +131,11 @@ our @EXPORT = qw( STANDARD
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.04'; our $VERSION = '4.04';
#
# IP Versions
#
use constant { IPv4 => 4, IPv6 => 6 };
# #
# Chain Table # Chain Table
# #
@ -571,16 +578,16 @@ sub first_chains( $ ) #$1 = interface
# #
# Create a new chain and return a reference to it. # Create a new chain and return a reference to it.
# #
sub new_chain($$) sub new_chain($$$)
{ {
my ($table, $chain) = @_; my ($table, $ipv, $chain) = @_;
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain}; warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
$chain_table{$table}{4}{$chain} = { name => $chain, $chain_table{$table}{4}{$chain} = { name => $chain,
rules => [], rules => [],
table => $table, table => $table,
ipv => 4, ipv => $ipv,
loglevel => '', loglevel => '',
log => 1, log => 1,
cmdlevel => 0 }; cmdlevel => 0 };
@ -592,7 +599,7 @@ sub new_chain($$)
sub new_anon_chain( $ ) { sub new_anon_chain( $ ) {
my $chainref = $_[0]; my $chainref = $_[0];
my $seq = $chainseq++; my $seq = $chainseq++;
new_chain( $chainref->{table}, 'chain' . "$seq" ); new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
} }
# #
@ -607,7 +614,7 @@ sub ensure_chain($$)
return $ref if $ref; return $ref if $ref;
new_chain $table, $chain; new_chain $table, IPv4, $chain;
} }
sub finish_chain_section( $$ ); sub finish_chain_section( $$ );
@ -621,7 +628,7 @@ sub ensure_filter_chain( $$ )
my $chainref = $filter_table->{4}{$chain}; my $chainref = $filter_table->{4}{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref; $chainref = new_chain 'filter', IPv4, $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) { if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) { if ( $section eq 'NEW' or $section eq 'DONE' ) {
@ -653,14 +660,14 @@ sub new_builtin_chain($$$)
{ {
my ( $table, $chain, $policy ) = @_; my ( $table, $chain, $policy ) = @_;
my $chainref = new_chain $table, $chain; my $chainref = new_chain $table, IPv4, $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
$chainref->{builtin} = 1; $chainref->{builtin} = 1;
} }
sub new_standard_chain($) { sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0]; my $chainref = new_chain 'filter', IPv4, ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -1745,7 +1752,7 @@ sub expand_rule( $$$$$$$$$$ )
# #
# Create the Exclusion Chain # Create the Exclusion Chain
# #
my $echainref = new_chain $chainref->{table}, $echain; my $echainref = new_chain $chainref->{table}, IPv4, $echain;
# #
# Generate RETURNs for each exclusion # Generate RETURNs for each exclusion
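Review bot: new_chain now takes `$ipv`, but both the `warning_message` check and the assignment still index `$chain_table{$table}{4}{$chain}`, so the new argument is only recorded in the `ipv` field and a chain created with IPv6 would be stored in, and silently collide with, the IPv4 slot of the same name. Both lines should key on the parameter: `warning_message "Internal error in new_chain()" if $chain_table{$table}{$ipv}{$chain};` and `$chain_table{$table}{$ipv}{$chain} = { name => $chain,`; new_chain's body continues past the end of the hunk. The header comment above the sub should also name the new parameter, e.g. `# Create a new chain in $table for IP version $ipv (IPv4 or IPv6) and return a reference to it.` Separately, new_standard_chain now calls `new_chain 'filter', IPv4, ,$_[0];` with a doubled comma; Perl drops the empty list element so it still passes three arguments, but it reads like a lost argument and should be `my $chainref = new_chain 'filter', IPv4, $_[0];`.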


@ -78,7 +78,7 @@ sub new_policy_chain($$$$)
{ {
my ($source, $dest, $policy, $optional) = @_; my ($source, $dest, $policy, $optional) = @_;
my $chainref = new_chain( 'filter', "${source}2${dest}" ); my $chainref = new_chain( 'filter', IPv4, "${source}2${dest}" );
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional ); convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
@ -94,7 +94,7 @@ sub set_policy_chain($$$$$)
my $chainref1 = $filter_table->{4}{$chain1}; my $chainref1 = $filter_table->{4}{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1; $chainref1 = new_chain 'filter', IPv4, $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) { unless ( $chainref1->{policychain} ) {
if ( $config{EXPAND_POLICIES} ) { if ( $config{EXPAND_POLICIES} ) {
@ -465,7 +465,7 @@ sub setup_syn_flood_chains() {
my $limit = $chainref->{synparams}; my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) { if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref; my $synchainref = new_chain 'filter' , IPv4, syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , '' log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
if $level ne ''; if $level ne '';


@ -92,7 +92,7 @@ sub setup_route_marking() {
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark'; my $chainref = new_chain 'mangle', IPv4, 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) { while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";


@ -654,7 +654,7 @@ sub add_common_rules() {
new_standard_chain $chain; new_standard_chain $chain;
} }
mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) ); mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain"; add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
@ -667,7 +667,7 @@ sub add_common_rules() {
if ( @$list ) { if ( @$list ) {
progress_message2 '$doing UPnP'; progress_message2 '$doing UPnP';
mark_referenced( new_chain( 'nat', 'UPnP' ) ); mark_referenced( new_chain( 'nat', IPv4, 'UPnP' ) );
for $interface ( @$list ) { for $interface ( @$list ) {
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
@ -710,13 +710,13 @@ sub setup_mac_lists( $ ) {
if ( $phase == 1 ) { if ( $phase == 1 ) {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = new_chain $table , mac_chain $interface; my $chainref = new_chain $table , IPv4, mac_chain $interface;
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' ); if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
if ( $ttl ) { if ( $ttl ) {
my $chain1ref = new_chain $table, macrecent_target $interface; my $chain1ref = new_chain $table, IPv4, macrecent_target $interface;
my $chain = $chainref->{name}; my $chain = $chainref->{name};
@ -1902,7 +1902,7 @@ sub setup_mss( ) {
# #
# Since we will need multiple rules, we create a separate chain # Since we will need multiple rules, we create a separate chain
# #
$chainref = new_chain 'filter', 'settcpmss'; $chainref = new_chain 'filter', IPv4, 'settcpmss';
# #
# Send all forwarded SYN packets to the 'settcpmss' chain # Send all forwarded SYN packets to the 'settcpmss' chain
# #