Add an argument to new_chain()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7321 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5c5f2b3a06
commit
12d19c8ec3
@ -272,7 +272,7 @@ sub createlogactionchain( $$ ) {
|
|||||||
|
|
||||||
$actionref = new_action $action unless $actionref;
|
$actionref = new_action $action unless $actionref;
|
||||||
|
|
||||||
$logactionchains{"$action:$level"} = $chainref = new_chain 'filter', '%' . $chain . $actionref->{actchain}++;
|
$logactionchains{"$action:$level"} = $chainref = new_chain 'filter', IPv4, '%' . $chain . $actionref->{actchain}++;
|
||||||
|
|
||||||
mark_referenced $chainref; # Just in case the action body is empty.
|
mark_referenced $chainref; # Just in case the action body is empty.
|
||||||
|
|
||||||
@ -298,7 +298,7 @@ sub createlogactionchain( $$ ) {
|
|||||||
|
|
||||||
sub createsimpleactionchain( $ ) {
|
sub createsimpleactionchain( $ ) {
|
||||||
my $action = shift;
|
my $action = shift;
|
||||||
my $chainref = new_chain 'filter', $action;
|
my $chainref = new_chain 'filter', IPv4, $action;
|
||||||
|
|
||||||
$logactionchains{"$action:none"} = $chainref;
|
$logactionchains{"$action:none"} = $chainref;
|
||||||
|
|
||||||
@ -768,7 +768,7 @@ sub process_actions3 () {
|
|||||||
add_rule $chainref, "-m recent --name $set --set";
|
add_rule $chainref, "-m recent --name $set --set";
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , IPv4, "$chainref->{name}%";
|
||||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||||
add_rule $xchainref, '-j DROP';
|
add_rule $xchainref, '-j DROP';
|
||||||
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
||||||
|
@ -51,6 +51,8 @@ our @EXPORT = qw( STANDARD
|
|||||||
OUTPUT_RESTRICT
|
OUTPUT_RESTRICT
|
||||||
POSTROUTE_RESTRICT
|
POSTROUTE_RESTRICT
|
||||||
ALL_RESTRICT
|
ALL_RESTRICT
|
||||||
|
IPv4
|
||||||
|
IPv6
|
||||||
|
|
||||||
process_comment
|
process_comment
|
||||||
clear_comment
|
clear_comment
|
||||||
@ -129,6 +131,11 @@ our @EXPORT = qw( STANDARD
|
|||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.04';
|
our $VERSION = '4.04';
|
||||||
|
|
||||||
|
#
|
||||||
|
# IP Versions
|
||||||
|
#
|
||||||
|
use constant { IPv4 => 4, IPv6 => 6 };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Chain Table
|
# Chain Table
|
||||||
#
|
#
|
||||||
@ -571,16 +578,16 @@ sub first_chains( $ ) #$1 = interface
|
|||||||
#
|
#
|
||||||
# Create a new chain and return a reference to it.
|
# Create a new chain and return a reference to it.
|
||||||
#
|
#
|
||||||
sub new_chain($$)
|
sub new_chain($$$)
|
||||||
{
|
{
|
||||||
my ($table, $chain) = @_;
|
my ($table, $ipv, $chain) = @_;
|
||||||
|
|
||||||
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
|
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
|
||||||
|
|
||||||
$chain_table{$table}{4}{$chain} = { name => $chain,
|
$chain_table{$table}{4}{$chain} = { name => $chain,
|
||||||
rules => [],
|
rules => [],
|
||||||
table => $table,
|
table => $table,
|
||||||
ipv => 4,
|
ipv => $ipv,
|
||||||
loglevel => '',
|
loglevel => '',
|
||||||
log => 1,
|
log => 1,
|
||||||
cmdlevel => 0 };
|
cmdlevel => 0 };
|
||||||
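Review bot: The new `$ipv` argument is recorded in the chain record (`ipv => $ipv`), but the table slot it is filed under is still hard-coded: both the duplicate check and the store use `$chain_table{$table}{4}{$chain}`, so a chain created with IPv6 would land in the IPv4 slot and either collide with, or be reported as an "Internal error" against, an IPv4 chain of the same name. Both lines should key on the argument: `warning_message "Internal error in new_chain()" if $chain_table{$table}{$ipv}{$chain};` and `$chain_table{$table}{$ipv}{$chain} = { name => $chain,`. Nothing rejects a value other than 4 or 6, and the prototype change from `($$)` to `($$$)` only counts arguments, so a caller that passes the chain name in the second position would silently store a string as the version; a guard such as `... unless $ipv == IPv4 || $ipv == IPv6` using the module's fatal-error helper would catch that at compile time. Every caller in this commit passes IPv4 and every lookup still reads `->{4}`, so keying the store on `$ipv` changes nothing today. The rest of new_chain's body, including its return value, lies outside the hunk.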
@ -592,7 +599,7 @@ sub new_chain($$)
|
|||||||
sub new_anon_chain( $ ) {
|
sub new_anon_chain( $ ) {
|
||||||
my $chainref = $_[0];
|
my $chainref = $_[0];
|
||||||
my $seq = $chainseq++;
|
my $seq = $chainseq++;
|
||||||
new_chain( $chainref->{table}, 'chain' . "$seq" );
|
new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
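Review bot: new_anon_chain derives the table from the parent chain (`$chainref->{table}`) but hard-codes `IPv4` for the version, even though the parent record now carries an `ipv` field; the exclusion chain created in expand_rule (`new_chain $chainref->{table}, IPv4, $echain`, later in this commit) has the same mismatch. Taking the version from the parent keeps the two properties tied together: `new_chain( $chainref->{table}, $chainref->{ipv}, 'chain' . "$seq" );` here and `my $echainref = new_chain $chainref->{table}, $chainref->{ipv}, $echain;` in expand_rule. Every chain this commit creates is IPv4, so behaviour is identical today; the divergence only appears once an IPv6 chain exists, and it would then be silent because the anonymous chain would be registered under the wrong version. expand_rule's body starts and ends outside its hunk.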
@ -607,7 +614,7 @@ sub ensure_chain($$)
|
|||||||
|
|
||||||
return $ref if $ref;
|
return $ref if $ref;
|
||||||
|
|
||||||
new_chain $table, $chain;
|
new_chain $table, IPv4, $chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub finish_chain_section( $$ );
|
sub finish_chain_section( $$ );
|
||||||
@ -621,7 +628,7 @@ sub ensure_filter_chain( $$ )
|
|||||||
|
|
||||||
my $chainref = $filter_table->{4}{$chain};
|
my $chainref = $filter_table->{4}{$chain};
|
||||||
|
|
||||||
$chainref = new_chain 'filter' , $chain unless $chainref;
|
$chainref = new_chain 'filter', IPv4, $chain unless $chainref;
|
||||||
|
|
||||||
if ( $populate and ! $chainref->{referenced} ) {
|
if ( $populate and ! $chainref->{referenced} ) {
|
||||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||||
@ -653,14 +660,14 @@ sub new_builtin_chain($$$)
|
|||||||
{
|
{
|
||||||
my ( $table, $chain, $policy ) = @_;
|
my ( $table, $chain, $policy ) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain $table, $chain;
|
my $chainref = new_chain $table, IPv4, $chain;
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref->{policy} = $policy;
|
$chainref->{policy} = $policy;
|
||||||
$chainref->{builtin} = 1;
|
$chainref->{builtin} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub new_standard_chain($) {
|
sub new_standard_chain($) {
|
||||||
my $chainref = new_chain 'filter' ,$_[0];
|
my $chainref = new_chain 'filter', IPv4, ,$_[0];
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
@ -1745,7 +1752,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
# Create the Exclusion Chain
|
# Create the Exclusion Chain
|
||||||
#
|
#
|
||||||
my $echainref = new_chain $chainref->{table}, $echain;
|
my $echainref = new_chain $chainref->{table}, IPv4, $echain;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate RETURNs for each exclusion
|
# Generate RETURNs for each exclusion
|
||||||
|
@ -78,7 +78,7 @@ sub new_policy_chain($$$$)
|
|||||||
{
|
{
|
||||||
my ($source, $dest, $policy, $optional) = @_;
|
my ($source, $dest, $policy, $optional) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain( 'filter', "${source}2${dest}" );
|
my $chainref = new_chain( 'filter', IPv4, "${source}2${dest}" );
|
||||||
|
|
||||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
||||||
|
|
||||||
@ -94,7 +94,7 @@ sub set_policy_chain($$$$$)
|
|||||||
|
|
||||||
my $chainref1 = $filter_table->{4}{$chain1};
|
my $chainref1 = $filter_table->{4}{$chain1};
|
||||||
|
|
||||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
$chainref1 = new_chain 'filter', IPv4, $chain1 unless $chainref1;
|
||||||
|
|
||||||
unless ( $chainref1->{policychain} ) {
|
unless ( $chainref1->{policychain} ) {
|
||||||
if ( $config{EXPAND_POLICIES} ) {
|
if ( $config{EXPAND_POLICIES} ) {
|
||||||
@ -465,7 +465,7 @@ sub setup_syn_flood_chains() {
|
|||||||
my $limit = $chainref->{synparams};
|
my $limit = $chainref->{synparams};
|
||||||
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
|
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
|
||||||
my $level = $chainref->{loglevel};
|
my $level = $chainref->{loglevel};
|
||||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
my $synchainref = new_chain 'filter' , IPv4, syn_flood_chain $chainref;
|
||||||
add_rule $synchainref , "${limit}-j RETURN";
|
add_rule $synchainref , "${limit}-j RETURN";
|
||||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||||
if $level ne '';
|
if $level ne '';
|
||||||
|
@ -92,7 +92,7 @@ sub setup_route_marking() {
|
|||||||
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||||
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||||
|
|
||||||
my $chainref = new_chain 'mangle', 'routemark';
|
my $chainref = new_chain 'mangle', IPv4, 'routemark';
|
||||||
|
|
||||||
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
|
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
|
||||||
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||||
|
@ -654,7 +654,7 @@ sub add_common_rules() {
|
|||||||
new_standard_chain $chain;
|
new_standard_chain $chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) );
|
mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
|
||||||
|
|
||||||
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
|
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
|
||||||
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||||
@ -667,7 +667,7 @@ sub add_common_rules() {
|
|||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
progress_message2 '$doing UPnP';
|
progress_message2 '$doing UPnP';
|
||||||
|
|
||||||
mark_referenced( new_chain( 'nat', 'UPnP' ) );
|
mark_referenced( new_chain( 'nat', IPv4, 'UPnP' ) );
|
||||||
|
|
||||||
for $interface ( @$list ) {
|
for $interface ( @$list ) {
|
||||||
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||||
@ -710,13 +710,13 @@ sub setup_mac_lists( $ ) {
|
|||||||
if ( $phase == 1 ) {
|
if ( $phase == 1 ) {
|
||||||
|
|
||||||
for my $interface ( @maclist_interfaces ) {
|
for my $interface ( @maclist_interfaces ) {
|
||||||
my $chainref = new_chain $table , mac_chain $interface;
|
my $chainref = new_chain $table , IPv4, mac_chain $interface;
|
||||||
|
|
||||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||||
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
|
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
|
||||||
|
|
||||||
if ( $ttl ) {
|
if ( $ttl ) {
|
||||||
my $chain1ref = new_chain $table, macrecent_target $interface;
|
my $chain1ref = new_chain $table, IPv4, macrecent_target $interface;
|
||||||
|
|
||||||
my $chain = $chainref->{name};
|
my $chain = $chainref->{name};
|
||||||
|
|
||||||
@ -1902,7 +1902,7 @@ sub setup_mss( ) {
|
|||||||
#
|
#
|
||||||
# Since we will need multiple rules, we create a separate chain
|
# Since we will need multiple rules, we create a separate chain
|
||||||
#
|
#
|
||||||
$chainref = new_chain 'filter', 'settcpmss';
|
$chainref = new_chain 'filter', IPv4, 'settcpmss';
|
||||||
#
|
#
|
||||||
# Send all forwarded SYN packets to the 'settcpmss' chain
|
# Send all forwarded SYN packets to the 'settcpmss' chain
|
||||||
#
|
#
|
||||||
|