Partition chain table for iptables/ip6tables
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7315 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a2c145418c
commit
597c8fecc0
@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
|
|||||||
|
|
||||||
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
||||||
|
|
||||||
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
|
while ( $chain_table->{'%' . $chain . $actionref->{actchain}} ) {
|
||||||
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
|
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
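Review bot: The converted lookup `while ( $chain_table->{'%' . $chain . $actionref->{actchain}} ) {` indexes `$chain_table` with a single key, whereas every other access converted in this commit is two-level (`$chain_table->{$table}{$chain}`). If `$chain_table` here is the table→chain map that the export-list hunk further down now exports as `$chain_table`, a one-level lookup can never find a chain, so the loop meant to pick an unused `%<chain><n>` name never iterates; the old `%chain_table{...}` form had the same shape, so this looks inherited rather than introduced, but the commit touches the line. Presumably `while ( $chain_table->{filter}{'%' . $chain . $actionref->{actchain}} ) {` was intended — worth confirming against the table in which `createlogactionchain` creates its chains. The body of `createlogactionchain` starts and ends outside the hunk.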
@ -118,7 +118,8 @@ our @EXPORT = qw( STANDARD
|
|||||||
create_netfilter_load
|
create_netfilter_load
|
||||||
create_chainlist_reload
|
create_chainlist_reload
|
||||||
|
|
||||||
%chain_table
|
$chain_table
|
||||||
|
$ipv
|
||||||
$nat_table
|
$nat_table
|
||||||
$mangle_table
|
$mangle_table
|
||||||
$filter_table
|
$filter_table
|
||||||
@ -132,27 +133,28 @@ our $VERSION = '4.04';
|
|||||||
#
|
#
|
||||||
# Chain Table
|
# Chain Table
|
||||||
#
|
#
|
||||||
# %chain_table { <table> => { <chain1> => { name => <chain name>
|
# %chains { <4|6> => { <table> => { <chain1> => { name => <chain name>
|
||||||
# table => <table name>
|
# table => <table name>
|
||||||
# is_policy => 0|1
|
# is_policy => 0|1
|
||||||
# is_optional => 0|1
|
# is_optional => 0|1
|
||||||
# referenced => 0|1
|
# referenced => 0|1
|
||||||
# log => <logging rule number for use when LOGRULENUMBERS>
|
# log => <logging rule number for use when LOGRULENUMBERS>
|
||||||
# policy => <policy>
|
# policy => <policy>
|
||||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||||
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
|
||||||
# loglevel => <level>
|
# loglevel => <level>
|
||||||
# synparams => <burst/limit>
|
# synparams => <burst/limit>
|
||||||
# synchain => <name of synparam chain>
|
# synchain => <name of synparam chain>
|
||||||
# default => <default action>
|
# default => <default action>
|
||||||
# cmdlevel => <number of open loops or blocks in runtime commands>
|
# cmdlevel => <number of open loops or blocks in runtime commands>
|
||||||
# rules => [ <rule1>
|
# rules => [ <rule1>
|
||||||
# <rule2>
|
# <rule2>
|
||||||
# ...
|
# ...
|
||||||
# ]
|
# ]
|
||||||
# } ,
|
# } ,
|
||||||
# <chain2> => ...
|
# <chain2> => ...
|
||||||
# }
|
# }
|
||||||
|
# }
|
||||||
# }
|
# }
|
||||||
#
|
#
|
||||||
# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
|
# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
|
||||||
@ -162,7 +164,10 @@ our $VERSION = '4.04';
|
|||||||
#
|
#
|
||||||
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
|
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
|
||||||
#
|
#
|
||||||
our %chain_table;
|
|
||||||
|
our %chains;
|
||||||
|
our $ipv;
|
||||||
|
our $chain_table;
|
||||||
our $nat_table;
|
our $nat_table;
|
||||||
our $mangle_table;
|
our $mangle_table;
|
||||||
our $filter_table;
|
our $filter_table;
|
||||||
@ -229,14 +234,13 @@ our $mode;
|
|||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
%chain_table = ( raw => {} ,
|
%chains = ( 4 => { raw => {} ,
|
||||||
mangle => {},
|
mangle => {} ,
|
||||||
nat => {},
|
nat => {} ,
|
||||||
filter => {} );
|
filter => {} } ,
|
||||||
|
6 => { raw => {} ,
|
||||||
$nat_table = $chain_table{nat};
|
mangle => {} ,
|
||||||
$mangle_table = $chain_table{mangle};
|
filter => {} } );
|
||||||
$filter_table = $chain_table{filter};
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# These get set to 1 as sections are encountered.
|
# These get set to 1 as sections are encountered.
|
||||||
@ -308,8 +312,31 @@ sub initialize() {
|
|||||||
%interfacebcasts = ();
|
%interfacebcasts = ();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub switch_to_ipv4() {
|
||||||
|
$ipv = 4;
|
||||||
|
|
||||||
|
$chain_table = $chains{4};
|
||||||
|
|
||||||
|
$nat_table = $chain_table->{nat};
|
||||||
|
$mangle_table = $chain_table->{mangle};
|
||||||
|
$filter_table = $chain_table->{filter};
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
sub switch_to_ipv6() {
|
||||||
|
$ipv = 6;
|
||||||
|
|
||||||
|
$chain_table = $chains{6};
|
||||||
|
|
||||||
|
$nat_table = undef;
|
||||||
|
$mangle_table = $chain_table->{mangle};
|
||||||
|
$filter_table = $chain_table->{filter};
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
INIT {
|
INIT {
|
||||||
initialize;
|
initialize;
|
||||||
|
switch_to_ipv4;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -574,14 +601,15 @@ sub new_chain($$)
|
|||||||
{
|
{
|
||||||
my ($table, $chain) = @_;
|
my ($table, $chain) = @_;
|
||||||
|
|
||||||
warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain};
|
warning_message "Internal error in new_chain()" if $chain_table->{$table}{$chain};
|
||||||
|
|
||||||
$chain_table{$table}{$chain} = { name => $chain,
|
$chain_table->{$table}{$chain} = { name => $chain,
|
||||||
rules => [],
|
rules => [],
|
||||||
table => $table,
|
table => $table,
|
||||||
loglevel => '',
|
ipv => $ipv,
|
||||||
log => 1,
|
loglevel => '',
|
||||||
cmdlevel => 0 };
|
log => 1,
|
||||||
|
cmdlevel => 0 };
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -601,7 +629,7 @@ sub ensure_chain($$)
|
|||||||
{
|
{
|
||||||
my ($table, $chain) = @_;
|
my ($table, $chain) = @_;
|
||||||
|
|
||||||
my $ref = $chain_table{$table}{$chain};
|
my $ref = $chain_table->{$table}{$chain};
|
||||||
|
|
||||||
return $ref if $ref;
|
return $ref if $ref;
|
||||||
|
|
||||||
@ -735,7 +763,7 @@ sub finish_section ( $ ) {
|
|||||||
|
|
||||||
for my $zone ( all_zones ) {
|
for my $zone ( all_zones ) {
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
|
my $chainref = $chain_table->{'filter'}{"${zone}2${zone1}"};
|
||||||
if ( $chainref->{referenced} ) {
|
if ( $chainref->{referenced} ) {
|
||||||
finish_chain_section $chainref, $sections;
|
finish_chain_section $chainref, $sections;
|
||||||
}
|
}
|
||||||
@ -1964,7 +1992,7 @@ sub create_netfilter_load() {
|
|||||||
# iptables-restore seems to be quite picky about the order of the builtin chains
|
# iptables-restore seems to be quite picky about the order of the builtin chains
|
||||||
#
|
#
|
||||||
for my $chain ( @builtins ) {
|
for my $chain ( @builtins ) {
|
||||||
my $chainref = $chain_table{$table}{$chain};
|
my $chainref = $chain_table->{$table}{$chain};
|
||||||
if ( $chainref ) {
|
if ( $chainref ) {
|
||||||
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
||||||
emit_unindented ":$chain $chainref->{policy} [0:0]";
|
emit_unindented ":$chain $chainref->{policy} [0:0]";
|
||||||
@ -1974,8 +2002,8 @@ sub create_netfilter_load() {
|
|||||||
#
|
#
|
||||||
# First create the chains in the current table
|
# First create the chains in the current table
|
||||||
#
|
#
|
||||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) {
|
||||||
my $chainref = $chain_table{$table}{$chain};
|
my $chainref = $chain_table->{$table}{$chain};
|
||||||
unless ( $chainref->{builtin} ) {
|
unless ( $chainref->{builtin} ) {
|
||||||
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
|
||||||
emit_unindented ":$chainref->{name} - [0:0]";
|
emit_unindented ":$chainref->{name} - [0:0]";
|
||||||
@ -2058,7 +2086,7 @@ sub create_chainlist_reload($) {
|
|||||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||||
|
|
||||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
|
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
|
||||||
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
|
fatal_error "No $table chain found with name $chain" unless $chain_table->{$table}{$chain};
|
||||||
|
|
||||||
$chains{$table} = [] unless $chains{$table};
|
$chains{$table} = [] unless $chains{$table};
|
||||||
|
|
||||||
@ -2070,7 +2098,7 @@ sub create_chainlist_reload($) {
|
|||||||
|
|
||||||
emit_unindented "*$table";
|
emit_unindented "*$table";
|
||||||
|
|
||||||
my $tableref=$chain_table{$table};
|
my $tableref=$chain_table->{$table};
|
||||||
|
|
||||||
@chains = sort @{$chains{$table}};
|
@chains = sort @{$chains{$table}};
|
||||||
|
|
||||||
|
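Review bot: The new file-scope `our %chains;` (the partition hash keyed by `4` and `6` in `initialize`) shares its name with the `%chains` that `create_chainlist_reload` indexes by table name at `$chains{$table} = [] unless $chains{$table};` and `@chains = sort @{$chains{$table}};`. Whether that sub declares its own `my %chains` lies outside the hunk; if it does not, the per-table array refs now land in the hash that `switch_to_ipv4`/`switch_to_ipv6` select from, and if it does, the shadowing still makes the two meanings easy to confuse, so a distinct name such as `our %chain_tables;` with `$chain_table = $chain_tables{4};` would remove the ambiguity. Separately, `switch_to_ipv6` sets `$nat_table = undef` and the IPv6 partition built in `initialize` has no `nat` entry, yet `new_chain` still assigns `$chain_table->{$table}{$chain}` for any table and `create_chainlist_reload` still accepts `nat` through `/^(nat|mangle|filter)$/`, so an IPv6 nat chain can be created silently; a guard in `new_chain` such as `fatal_error "Table $table is not available for IPv6" if $table eq 'nat' && $ipv == 6;` would surface that. The structure comment was updated for the `<4|6>` partition level but does not list the new `ipv => $ipv` key that `new_chain` now stores in every chain record; adding `#                          ipv        => 4|6` to that comment block would keep it complete.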
@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
fatal_error "No hosts on $interface have the maclist option specified";
|
fatal_error "No hosts on $interface have the maclist option specified";
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||||
|
|
||||||
$mac = '' unless $mac && ( $mac ne '-' );
|
$mac = '' unless $mac && ( $mac ne '-' );
|
||||||
$addresses = '' unless $addresses && ( $addresses ne '-' );
|
$addresses = '' unless $addresses && ( $addresses ne '-' );
|
||||||
@ -802,7 +802,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
for my $interface ( @maclist_interfaces ) {
|
for my $interface ( @maclist_interfaces ) {
|
||||||
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||||
my $chain = $chainref->{name};
|
my $chain = $chainref->{name};
|
||||||
|
|
||||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||||
@ -1867,7 +1867,7 @@ sub generate_matrix() {
|
|||||||
for my $chain ( @{$builtins{$table}} ) {
|
for my $chain ( @{$builtins{$table}} ) {
|
||||||
log_rule_limit
|
log_rule_limit
|
||||||
$config{LOGALLNEW} ,
|
$config{LOGALLNEW} ,
|
||||||
$chain_table{$table}{$chain} ,
|
$chain_table->{$table}{$chain} ,
|
||||||
$table ,
|
$table ,
|
||||||
$chain ,
|
$chain ,
|
||||||
'' ,
|
'' ,
|
||||||
|
@ -129,7 +129,7 @@ our %reservedName = ( all => 1,
|
|||||||
# Zone Types
|
# Zone Types
|
||||||
#
|
#
|
||||||
use constant { ZT_IPV4 => 1,
|
use constant { ZT_IPV4 => 1,
|
||||||
ZT_IPV6 => 2
|
ZT_IPV6 => 2,
|
||||||
ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6
|
ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6
|
||||||
ZT_IPSEC => 4,
|
ZT_IPSEC => 4,
|
||||||
ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC
|
ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC
|
||||||
|