From 597c8fecc01869e418371c96c80745f6595f1f80 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 10 Sep 2007 23:30:55 +0000
Subject: [PATCH] Partition chain table for iptables/ip6tables
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7315 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Actions.pm | 2 +-
 Shorewall-perl/Shorewall/Chains.pm | 118 +++++++++++++++++-----------
 Shorewall-perl/Shorewall/Rules.pm | 6 +-
 Shorewall-perl/Shorewall/Zones.pm | 2 +-
 4 files changed, 78 insertions(+), 50 deletions(-)
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 55856beac..6fb10e804 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
 $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
- while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
+ while ( $chain_table->{'%' . $chain . $actionref->{actchain}} ) {
 $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
 }
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 8b2ed2af2..a9493be33 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -118,7 +118,8 @@ our @EXPORT = qw( STANDARD
 create_netfilter_load
 create_chainlist_reload
- %chain_table
+ $chain_table
+ $ipv
 $nat_table
 $mangle_table
 $filter_table
@@ -132,27 +133,28 @@ our $VERSION = '4.04';
 #
 # Chain Table
 #
-# %chain_table { => { => { name =>
-# table =>
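Review bot: The converted condition `while ( $chain_table->{'%' . $chain . $actionref->{actchain}} )` still indexes the chain table at its top level, where the keys are table names (the structure comment in Chains.pm and every other access in this patch use `$chain_table->{$table}{$chain}`), so the lookup can never find an existing chain and the name-shortening loop never executes. The mechanical `%chain_table` → `$chain_table->` rewrite carries that pre-existing bug over instead of fixing it, which matters because the loop is what keeps generated log-action chain names unique. The lookup should go through the table the chain is created in, e.g. `while ( $chain_table->{filter}{'%' . $chain . $actionref->{actchain}} ) {`, assuming `filter` is where these chains live; createlogactionchain starts and ends outside the hunk, so I cannot confirm the table from here.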
-# is_policy => 0|1
-# is_optional => 0|1
-# referenced => 0|1
-# log =>
-# policy =>
-# policychain => -- self-reference if this is a policy chain
-# policypair => [ , ] -- Used for reporting duplicated policies
-# loglevel =>
-# synparams =>
-# synchain =>
-# default =>
-# cmdlevel =>
-# rules => [
-#
-# ...
-# ]
-# } ,
-# => ...
-# }
+# %chains { <4|6> => {
=> { => { name =>
+# table =>
+# is_policy => 0|1
+# is_optional => 0|1
+# referenced => 0|1
+# log =>
+# policy =>
+# policychain => -- self-reference if this is a policy chain
+# policypair => [ , ] -- Used for reporting duplicated policies
+# loglevel =>
+# synparams =>
+# synchain =>
+# default =>
+# cmdlevel =>
+# rules => [
+#
+# ...
+# ]
+# } ,
+# => ...
+# }
+# }
 # }
 #
 # 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
@@ -162,7 +164,10 @@ our $VERSION = '4.04';
 #
 # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
 #
-our %chain_table;
+
+our %chains;
+our $ipv;
+our $chain_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -229,14 +234,13 @@ our $mode;
 #
 sub initialize() {
- %chain_table = ( raw => {} ,
- mangle => {},
- nat => {},
- filter => {} );
-
- $nat_table = $chain_table{nat};
- $mangle_table = $chain_table{mangle};
- $filter_table = $chain_table{filter};
+ %chains = ( 4 => { raw => {} ,
+ mangle => {} ,
+ nat => {} ,
+ filter => {} } ,
+ 6 => { raw => {} ,
+ mangle => {} ,
+ filter => {} } );
 #
 # These get set to 1 as sections are encountered.
@@ -308,8 +312,31 @@ sub initialize() {
 %interfacebcasts = ();
 }
+sub switch_to_ipv4() {
+ $ipv = 4;
+
+ $chain_table = $chains{4};
+
+ $nat_table = $chain_table->{nat};
+ $mangle_table = $chain_table->{mangle};
+ $filter_table = $chain_table->{filter};
+
+}
+sub switch_to_ipv6() {
+ $ipv = 6;
+
+ $chain_table = $chains{6};
+
+ $nat_table = undef;
+ $mangle_table = $chain_table->{mangle};
+ $filter_table = $chain_table->{filter};
+
+}
 INIT {
 initialize;
+ switch_to_ipv4;
 }
 #
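Review bot: `initialize()` now rebuilds `%chains` with fresh anonymous hashes but no longer assigns `$chain_table`, `$nat_table`, `$mangle_table` or `$filter_table`; those are set exactly once, by the `switch_to_ipv4` call added to the `INIT` block. If `initialize()` is ever called again after startup (its callers are not visible here), the four references keep pointing at the hashes from the previous `%chains`, so every later `new_chain`/`ensure_chain` writes into tables that `create_netfilter_load` will never read and the generated ruleset silently loses those chains. Re-select the table set at the end of `initialize()`, e.g. `( $ipv && $ipv == 6 ) ? switch_to_ipv6() : switch_to_ipv4();` (with parentheses, since both subs are defined below `initialize`). Separately, `$nat_table = undef;` in `switch_to_ipv6` deserves a comment such as `# ip6tables has no nat table; callers must test $ipv before dereferencing $nat_table`, because the first `$nat_table->{...}` store on an undef scalar autovivifies a detached hash rather than failing.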
@@ -574,14 +601,15 @@ sub new_chain($$) {
 my ($table, $chain) = @_;
- warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain};
+ warning_message "Internal error in new_chain()" if $chain_table->{$table}{$chain};
- $chain_table{$table}{$chain} = { name => $chain,
- rules => [],
- table => $table,
- loglevel => '',
- log => 1,
- cmdlevel => 0 };
+ $chain_table->{$table}{$chain} = { name => $chain,
+ rules => [],
+ table => $table,
+ ipv => $ipv,
+ loglevel => '',
+ log => 1,
+ cmdlevel => 0 };
 }
 #
@@ -601,7 +629,7 @@ sub ensure_chain($$) {
 my ($table, $chain) = @_;
- my $ref = $chain_table{$table}{$chain};
+ my $ref = $chain_table->{$table}{$chain};
 return $ref if $ref;
@@ -735,7 +763,7 @@ sub finish_section ( $ ) {
 for my $zone ( all_zones ) {
 for my $zone1 ( all_zones ) {
- my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
+ my $chainref = $chain_table->{'filter'}{"${zone}2${zone1}"};
 if ( $chainref->{referenced} ) {
 finish_chain_section $chainref, $sections;
 }
@@ -1964,7 +1992,7 @@ sub create_netfilter_load() {
 # iptables-restore seems to be quite picky about the order of the builtin chains
 #
 for my $chain ( @builtins ) {
- my $chainref = $chain_table{$table}{$chain};
+ my $chainref = $chain_table->{$table}{$chain};
 if ( $chainref ) {
 fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
 emit_unindented ":$chain $chainref->{policy} [0:0]";
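Review bot: `new_chain` stores into `$chain_table->{$table}{$chain}` without checking that `$table` exists for the selected protocol, and the `6 =>` entry of `%chains` in this patch deliberately has no `nat` key; a nat chain requested while `$ipv` is 6 therefore autovivifies `$chain_table->{nat}` and is recorded as if it were valid instead of being rejected at compile time. Since the result is a rule set that ip6tables cannot load, the failure would surface late and outside the compiler's error reporting, if at all. Reject it up front, before the existing `warning_message` line: `fatal_error "Table $table is not available for IPv$ipv" unless $chain_table->{$table};`. The `sub new_chain` header is the hunk's context line, so the sub begins just above the hunk; `ensure_chain` in the next hunk reads `$chain_table->{$table}{$chain}` the same way and would inherit the check if it delegates chain creation to `new_chain`.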
@@ -1974,8 +2002,8 @@ sub create_netfilter_load() {
 #
 # First create the chains in the current table
 #
- for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
- my $chainref = $chain_table{$table}{$chain};
+ for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) {
+ my $chainref = $chain_table->{$table}{$chain};
 unless ( $chainref->{builtin} ) {
 fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
 emit_unindented ":$chainref->{name} - [0:0]";
@@ -2058,7 +2086,7 @@ sub create_chainlist_reload($) {
 ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
- fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
+ fatal_error "No $table chain found with name $chain" unless $chain_table->{$table}{$chain};
 $chains{$table} = [] unless $chains{$table};
@@ -2070,7 +2098,7 @@ sub create_chainlist_reload($) {
 emit_unindented "*$table";
- my $tableref=$chain_table{$table};
+ my $tableref=$chain_table->{$table};
 @chains = sort @{$chains{$table}};
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index e606b32c6..8f5f2f4ca 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
 fatal_error "No hosts on $interface have the maclist option specified";
 }
- my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+ my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 $mac = '' unless $mac && ( $mac ne '-' );
 $addresses = '' unless $addresses && ( $addresses ne '-' );
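Review bot: The new file-scope `our %chains` in Chains.pm shares its name with the `%chains` that `create_chainlist_reload` fills via `$chains{$table} = []` and reads back with `@{$chains{$table}}` in these two hunks. The pre-patch file had no package-level `%chains`, so that sub presumably declares a lexical `my %chains` (the declaration is outside the hunk) which now shadows the package variable; nothing breaks today, but the same name now means "chain-name lists keyed by table" in one place and "per-protocol table containers keyed by 4|6" in another, which is an easy trap for the next edit to either sub. A more descriptive package name, e.g. `our %chains_by_ipv;` with the `$chains{4}`/`$chains{6}` reads in `switch_to_ipv4`/`switch_to_ipv6` updated to match, removes the ambiguity; at minimum the declaration should carry `# keyed by 4|6; selected via switch_to_ipv4/switch_to_ipv6`. Both `create_chainlist_reload` hunks are excerpts, so the sub's start and end are outside the view.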
@@ -802,7 +802,7 @@ sub setup_mac_lists( $ ) {
 }
 } else {
 for my $interface ( @maclist_interfaces ) {
- my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+ my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 my $chain = $chainref->{name};
 if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@@ -1867,7 +1867,7 @@ sub generate_matrix() {
 for my $chain ( @{$builtins{$table}} ) {
 log_rule_limit $config{LOGALLNEW} ,
- $chain_table{$table}{$chain} ,
+ $chain_table->{$table}{$chain} ,
 $table ,
 $chain ,
 '' ,
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 4d666f91f..098cc0b9a 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -129,7 +129,7 @@ our %reservedName = ( all => 1,
 # Zone Types
 #
 use constant { ZT_IPV4 => 1,
- ZT_IPV6 => 2
+ ZT_IPV6 => 2,
 ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6
 ZT_IPSEC => 4,
 ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC