Partition chain table for iptables/ip6tables

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7315 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-10 23:30:55 +00:00
parent a2c145418c
commit 597c8fecc0
4 changed files with 78 additions and 50 deletions


@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
$chain = substr $chain, 0, 28 if ( length $chain ) > 28; $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) { while ( $chain_table->{'%' . $chain . $actionref->{actchain}} ) {
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28; $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
} }
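Review bot: The `while` condition on the second line of the hunk looks up `'%' . $chain . $actionref->{actchain}` directly in `$chain_table`, whose first-level keys are table names (raw/mangle/nat/filter) according to the Chain Table comment updated in this same commit, not chain names; unless a table-level key is intended here, the test is always false and the loop never shortens `$chain`. This is pre-existing (the old `%chain_table{...}` form did the same), but since the commit rewrites the line it is the moment to index the chain hash of the relevant table, e.g. `$chain_table->{$table}{'%' . $chain . $actionref->{actchain}}` using whatever variable holds the action's table at this point. `createlogactionchain` begins before and continues after this hunk, so I cannot see where that table name is available.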


@ -118,7 +118,8 @@ our @EXPORT = qw( STANDARD
create_netfilter_load create_netfilter_load
create_chainlist_reload create_chainlist_reload
%chain_table $chain_table
$ipv
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@ -132,27 +133,28 @@ our $VERSION = '4.04';
# #
# Chain Table # Chain Table
# #
# %chain_table { <table> => { <chain1> => { name => <chain name> # %chains { <4|6> => { <table> => { <chain1> => { name => <chain name>
# table => <table name> # table => <table name>
# is_policy => 0|1 # is_policy => 0|1
# is_optional => 0|1 # is_optional => 0|1
# referenced => 0|1 # referenced => 0|1
# log => <logging rule number for use when LOGRULENUMBERS> # log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy> # policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain # policychain => <name of policy chain> -- self-reference if this is a policy chain
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies # policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
# loglevel => <level> # loglevel => <level>
# synparams => <burst/limit> # synparams => <burst/limit>
# synchain => <name of synparam chain> # synchain => <name of synparam chain>
# default => <default action> # default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands> # cmdlevel => <number of open loops or blocks in runtime commands>
# rules => [ <rule1> # rules => [ <rule1>
# <rule2> # <rule2>
# ... # ...
# ] # ]
# } , # } ,
# <chain2> => ... # <chain2> => ...
# } # }
# }
# } # }
# #
# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be # 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
@ -162,7 +164,10 @@ our $VERSION = '4.04';
# #
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
# #
our %chain_table;
our %chains;
our $ipv;
our $chain_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
@ -229,14 +234,13 @@ our $mode;
# #
sub initialize() { sub initialize() {
%chain_table = ( raw => {} , %chains = ( 4 => { raw => {} ,
mangle => {}, mangle => {} ,
nat => {}, nat => {} ,
filter => {} ); filter => {} } ,
6 => { raw => {} ,
$nat_table = $chain_table{nat}; mangle => {} ,
$mangle_table = $chain_table{mangle}; filter => {} } );
$filter_table = $chain_table{filter};
# #
# These get set to 1 as sections are encountered. # These get set to 1 as sections are encountered.
@ -308,8 +312,31 @@ sub initialize() {
%interfacebcasts = (); %interfacebcasts = ();
} }
sub switch_to_ipv4() {
$ipv = 4;
$chain_table = $chains{4};
$nat_table = $chain_table->{nat};
$mangle_table = $chain_table->{mangle};
$filter_table = $chain_table->{filter};
}
sub switch_to_ipv6() {
$ipv = 6;
$chain_table = $chains{6};
$nat_table = undef;
$mangle_table = $chain_table->{mangle};
$filter_table = $chain_table->{filter};
}
INIT { INIT {
initialize; initialize;
switch_to_ipv4;
} }
# #
@ -574,14 +601,15 @@ sub new_chain($$)
{ {
my ($table, $chain) = @_; my ($table, $chain) = @_;
warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain}; warning_message "Internal error in new_chain()" if $chain_table->{$table}{$chain};
$chain_table{$table}{$chain} = { name => $chain, $chain_table->{$table}{$chain} = { name => $chain,
rules => [], rules => [],
table => $table, table => $table,
loglevel => '', ipv => $ipv,
log => 1, loglevel => '',
cmdlevel => 0 }; log => 1,
cmdlevel => 0 };
} }
# #
@ -601,7 +629,7 @@ sub ensure_chain($$)
{ {
my ($table, $chain) = @_; my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain}; my $ref = $chain_table->{$table}{$chain};
return $ref if $ref; return $ref if $ref;
@ -735,7 +763,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; my $chainref = $chain_table->{'filter'}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections; finish_chain_section $chainref, $sections;
} }
@ -1964,7 +1992,7 @@ sub create_netfilter_load() {
# iptables-restore seems to be quite picky about the order of the builtin chains # iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table->{$table}{$chain};
if ( $chainref ) { if ( $chainref ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chain $chainref->{policy} [0:0]"; emit_unindented ":$chain $chainref->{policy} [0:0]";
@ -1974,8 +2002,8 @@ sub create_netfilter_load() {
# #
# First create the chains in the current table # First create the chains in the current table
# #
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table->{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chainref->{name} - [0:0]"; emit_unindented ":$chainref->{name} - [0:0]";
@ -2058,7 +2086,7 @@ sub create_chainlist_reload($) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; fatal_error "No $table chain found with name $chain" unless $chain_table->{$table}{$chain};
$chains{$table} = [] unless $chains{$table}; $chains{$table} = [] unless $chains{$table};
@ -2070,7 +2098,7 @@ sub create_chainlist_reload($) {
emit_unindented "*$table"; emit_unindented "*$table";
my $tableref=$chain_table{$table}; my $tableref=$chain_table->{$table};
@chains = sort @{$chains{$table}}; @chains = sort @{$chains{$table}};
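Review bot: `switch_to_ipv6` sets `$nat_table` to undef and `%chains{6}` has no `nat` entry, but `new_chain`, `ensure_chain` and `create_chainlist_reload` still accept `nat` as a table name (the latter explicitly via `/^(nat|mangle|filter)$/`), so a nat reference under IPv6 autovivifies an empty `$chain_table->{nat}` and silently creates chains in it instead of failing; consider `fatal_error "No nat table for IPv6" if $ipv == 6 && $table eq 'nat';` at the top of `new_chain` (and the table check in `create_chainlist_reload`). The new package-level `our %chains` shares its name with the `%chains`/`@chains` used in `create_chainlist_reload`; if that sub does not declare its own lexical `my %chains` earlier (outside the hunk), `$chains{$table} = []` now overwrites the per-family chain tables. `new_chain` now records `ipv => $ipv` on every chain, but the Chain Table comment block does not list the field; add `#                            ipv => <4|6>` beside the `table => <table name>` line. `switch_to_ipv4`/`switch_to_ipv6` are not added to `@EXPORT` alongside `$chain_table` and `$ipv`, which is fine only as long as `INIT` is their sole caller.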


@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
fatal_error "No hosts on $interface have the maclist option specified"; fatal_error "No hosts on $interface have the maclist option specified";
} }
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' ); $mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless $addresses && ( $addresses ne '-' ); $addresses = '' unless $addresses && ( $addresses ne '-' );
@ -802,7 +802,7 @@ sub setup_mac_lists( $ ) {
} }
} else { } else {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name}; my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@ -1867,7 +1867,7 @@ sub generate_matrix() {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit log_rule_limit
$config{LOGALLNEW} , $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table->{$table}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,


@ -129,7 +129,7 @@ our %reservedName = ( all => 1,
# Zone Types # Zone Types
# #
use constant { ZT_IPV4 => 1, use constant { ZT_IPV4 => 1,
ZT_IPV6 => 2 ZT_IPV6 => 2,
ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6 ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6
ZT_IPSEC => 4, ZT_IPSEC => 4,
ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC
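Review bot: `ZT_FIREWALL => 3` and `ZT_IPSEC4 => 5` encode sums of the other zone-type constants with the relation kept only in a trailing comment, so the invariant is maintained by hand and a renumbering would silently break it. Since a `use constant { ... }` block cannot reference constants declared in the same block, consider declaring `ZT_IPV4`, `ZT_IPV6` and `ZT_IPSEC` in a first `use constant` and the composites in a second, e.g. `use constant { ZT_FIREWALL => ZT_IPV4 | ZT_IPV6, ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC };`. The `use constant` block continues past the end of the hunk.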