Add an argument to new_chain()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7321 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5c5f2b3a06
commit
12d19c8ec3
@ -272,7 +272,7 @@ sub createlogactionchain( $$ ) {
|
||||
|
||||
$actionref = new_action $action unless $actionref;
|
||||
|
||||
$logactionchains{"$action:$level"} = $chainref = new_chain 'filter', '%' . $chain . $actionref->{actchain}++;
|
||||
$logactionchains{"$action:$level"} = $chainref = new_chain 'filter', IPv4, '%' . $chain . $actionref->{actchain}++;
|
||||
|
||||
mark_referenced $chainref; # Just in case the action body is empty.
|
||||
|
||||
@ -298,7 +298,7 @@ sub createlogactionchain( $$ ) {
|
||||
|
||||
sub createsimpleactionchain( $ ) {
|
||||
my $action = shift;
|
||||
my $chainref = new_chain 'filter', $action;
|
||||
my $chainref = new_chain 'filter', IPv4, $action;
|
||||
|
||||
$logactionchains{"$action:none"} = $chainref;
|
||||
|
||||
@ -768,7 +768,7 @@ sub process_actions3 () {
|
||||
add_rule $chainref, "-m recent --name $set --set";
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||
my $xchainref = new_chain 'filter' , IPv4, "$chainref->{name}%";
|
||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||
add_rule $xchainref, '-j DROP';
|
||||
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
||||
|
@ -51,6 +51,8 @@ our @EXPORT = qw( STANDARD
|
||||
OUTPUT_RESTRICT
|
||||
POSTROUTE_RESTRICT
|
||||
ALL_RESTRICT
|
||||
IPv4
|
||||
IPv6
|
||||
|
||||
process_comment
|
||||
clear_comment
|
||||
@ -129,6 +131,11 @@ our @EXPORT = qw( STANDARD
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# IP Versions
|
||||
#
|
||||
use constant { IPv4 => 4, IPv6 => 6 };
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
#
|
||||
@ -571,16 +578,16 @@ sub first_chains( $ ) #$1 = interface
|
||||
#
|
||||
# Create a new chain and return a reference to it.
|
||||
#
|
||||
sub new_chain($$)
|
||||
sub new_chain($$$)
|
||||
{
|
||||
my ($table, $chain) = @_;
|
||||
my ($table, $ipv, $chain) = @_;
|
||||
|
||||
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
|
||||
|
||||
$chain_table{$table}{4}{$chain} = { name => $chain,
|
||||
rules => [],
|
||||
table => $table,
|
||||
ipv => 4,
|
||||
ipv => $ipv,
|
||||
loglevel => '',
|
||||
log => 1,
|
||||
cmdlevel => 0 };
|
||||
@ -592,7 +599,7 @@ sub new_chain($$)
|
||||
sub new_anon_chain( $ ) {
|
||||
my $chainref = $_[0];
|
||||
my $seq = $chainseq++;
|
||||
new_chain( $chainref->{table}, 'chain' . "$seq" );
|
||||
new_chain( $chainref->{table}, IPv4, 'chain' . "$seq" );
|
||||
}
|
||||
|
||||
#
|
||||
@ -607,7 +614,7 @@ sub ensure_chain($$)
|
||||
|
||||
return $ref if $ref;
|
||||
|
||||
new_chain $table, $chain;
|
||||
new_chain $table, IPv4, $chain;
|
||||
}
|
||||
|
||||
sub finish_chain_section( $$ );
|
||||
@ -621,7 +628,7 @@ sub ensure_filter_chain( $$ )
|
||||
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
|
||||
$chainref = new_chain 'filter' , $chain unless $chainref;
|
||||
$chainref = new_chain 'filter', IPv4, $chain unless $chainref;
|
||||
|
||||
if ( $populate and ! $chainref->{referenced} ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||
@ -653,14 +660,14 @@ sub new_builtin_chain($$$)
|
||||
{
|
||||
my ( $table, $chain, $policy ) = @_;
|
||||
|
||||
my $chainref = new_chain $table, $chain;
|
||||
my $chainref = new_chain $table, IPv4, $chain;
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{policy} = $policy;
|
||||
$chainref->{builtin} = 1;
|
||||
}
|
||||
|
||||
sub new_standard_chain($) {
|
||||
my $chainref = new_chain 'filter' ,$_[0];
|
||||
my $chainref = new_chain 'filter', IPv4, ,$_[0];
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref;
|
||||
}
|
||||
@ -1745,7 +1752,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
# Create the Exclusion Chain
|
||||
#
|
||||
my $echainref = new_chain $chainref->{table}, $echain;
|
||||
my $echainref = new_chain $chainref->{table}, IPv4, $echain;
|
||||
|
||||
#
|
||||
# Generate RETURNs for each exclusion
|
||||
|
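Review bot: In the new_chain() hunk the new `$ipv` argument is recorded in the chain (`ipv => $ipv`), but the table slot is still hard-coded: both the duplicate check and the assignment use `$chain_table{$table}{4}{$chain}`. Once any caller passes `IPv6`, that chain would be filed under the IPv4 key while claiming `ipv => 6`, so the collision warning and every `->{4}{...}` lookup would mix the two address families; in a firewall compiler that risks rules being emitted into the wrong ruleset. Indexing with the argument in both places, `$chain_table{$table}{$ipv}{$chain}`, keeps the key and the field in step, and a check that `$ipv` is `IPv4` or `IPv6` would catch a bad caller early; the header comment should also describe the new parameter. The body of new_chain() continues past the end of the hunk, so any later use of the key is not visible here. Separately, `new_chain 'filter', IPv4, ,$_[0];` in new_standard_chain() carries a stray comma that Perl tolerates but that should be dropped.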
@ -78,7 +78,7 @@ sub new_policy_chain($$$$)
|
||||
{
|
||||
my ($source, $dest, $policy, $optional) = @_;
|
||||
|
||||
my $chainref = new_chain( 'filter', "${source}2${dest}" );
|
||||
my $chainref = new_chain( 'filter', IPv4, "${source}2${dest}" );
|
||||
|
||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
||||
|
||||
@ -94,7 +94,7 @@ sub set_policy_chain($$$$$)
|
||||
|
||||
my $chainref1 = $filter_table->{4}{$chain1};
|
||||
|
||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
||||
$chainref1 = new_chain 'filter', IPv4, $chain1 unless $chainref1;
|
||||
|
||||
unless ( $chainref1->{policychain} ) {
|
||||
if ( $config{EXPAND_POLICIES} ) {
|
||||
@ -465,7 +465,7 @@ sub setup_syn_flood_chains() {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||
my $synchainref = new_chain 'filter' , IPv4, syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
if $level ne '';
|
||||
|
@ -92,7 +92,7 @@ sub setup_route_marking() {
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
|
||||
my $chainref = new_chain 'mangle', 'routemark';
|
||||
my $chainref = new_chain 'mangle', IPv4, 'routemark';
|
||||
|
||||
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
|
||||
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||
|
@ -654,7 +654,7 @@ sub add_common_rules() {
|
||||
new_standard_chain $chain;
|
||||
}
|
||||
|
||||
mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) );
|
||||
mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
|
||||
|
||||
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
|
||||
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||
@ -667,7 +667,7 @@ sub add_common_rules() {
|
||||
if ( @$list ) {
|
||||
progress_message2 '$doing UPnP';
|
||||
|
||||
mark_referenced( new_chain( 'nat', 'UPnP' ) );
|
||||
mark_referenced( new_chain( 'nat', IPv4, 'UPnP' ) );
|
||||
|
||||
for $interface ( @$list ) {
|
||||
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||
@ -710,13 +710,13 @@ sub setup_mac_lists( $ ) {
|
||||
if ( $phase == 1 ) {
|
||||
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = new_chain $table , mac_chain $interface;
|
||||
my $chainref = new_chain $table , IPv4, mac_chain $interface;
|
||||
|
||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
|
||||
|
||||
if ( $ttl ) {
|
||||
my $chain1ref = new_chain $table, macrecent_target $interface;
|
||||
my $chain1ref = new_chain $table, IPv4, macrecent_target $interface;
|
||||
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
@ -1902,7 +1902,7 @@ sub setup_mss( ) {
|
||||
#
|
||||
# Since we will need multiple rules, we create a separate chain
|
||||
#
|
||||
$chainref = new_chain 'filter', 'settcpmss';
|
||||
$chainref = new_chain 'filter', IPv4, 'settcpmss';
|
||||
#
|
||||
# Send all forwarded SYN packets to the 'settcpmss' chain
|
||||
#
|
||||
|
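Review bot: In the UPnP hunk of add_common_rules(), the context line `progress_message2 '$doing UPnP';` is single-quoted, so Perl emits the literal text `$doing` instead of a variable's value. If a Perl variable `$doing` is meant (its declaration is not visible in the hunk), the line needs double quotes: `progress_message2 "$doing UPnP";`. The commit does not touch this line, but it sits directly above the changed `new_chain( 'nat', IPv4, 'UPnP' )` call and is cheap to correct in the same pass.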