Implement IP[6]TABLES in the rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-12-29 13:46:58 -08:00 · 2013-12-29 13:46:58 -08:00 · 5985a6e9b3
commit 5985a6e9b3
parent 4cc5ee6b73
2 changed files with 48 additions and 23 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -107,6 +107,7 @@ our @EXPORT = ( qw(
 		    USERBUILTIN
 		    INLINERULE
 		    OPTIONS
+                    IPTABLES

 		    %chain_table
 		    %targets
@ -397,26 +398,27 @@ our %nfobjects;
 #
 # Target Types
 #
-use constant { STANDARD     =>     0x1,       #defined by Netfilter
-	       NATRULE      =>     0x2,       #Involves NAT
-	       BUILTIN      =>     0x4,       #A built-in action
-	       NONAT        =>     0x8,       #'NONAT' or 'ACCEPT+'
-	       NATONLY      =>    0x10,       #'DNAT-' or 'REDIRECT-'
-	       REDIRECT     =>    0x20,       #'REDIRECT'
-	       ACTION       =>    0x40,       #An action (may be built-in)
-	       MACRO        =>    0x80,       #A Macro
-	       LOGRULE      =>   0x100,       #'LOG','NFLOG'
-	       NFQ          =>   0x200,       #'NFQUEUE'
-	       CHAIN        =>   0x400,       #Manual Chain
-	       SET          =>   0x800,       #SET
-	       AUDIT        =>  0x1000,       #A_ACCEPT, etc
-	       HELPER       =>  0x2000,       #CT:helper
-	       NFLOG        =>  0x4000,       #NFLOG or ULOG
-	       INLINE       =>  0x8000,       #Inline action
-	       STATEMATCH   => 0x10000,       #action.Invalid, action.Related, etc.
-	       USERBUILTIN  => 0x20000,       #Builtin action from user's actions file.
-	       INLINERULE   => 0x40000,       #INLINE
-	       OPTIONS      => 0x80000,       #Target Accepts Options
+use constant { STANDARD     =>      0x1,       #defined by Netfilter
+	       NATRULE      =>      0x2,       #Involves NAT
+	       BUILTIN      =>      0x4,       #A built-in action
+	       NONAT        =>      0x8,       #'NONAT' or 'ACCEPT+'
+	       NATONLY      =>     0x10,       #'DNAT-' or 'REDIRECT-'
+	       REDIRECT     =>     0x20,       #'REDIRECT'
+	       ACTION       =>     0x40,       #An action (may be built-in)
+	       MACRO        =>     0x80,       #A Macro
+	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       NFQ          =>    0x200,       #'NFQUEUE'
+	       CHAIN        =>    0x400,       #Manual Chain
+	       SET          =>    0x800,       #SET
+	       AUDIT        =>   0x1000,       #A_ACCEPT, etc
+	       HELPER       =>   0x2000,       #CT:helper
+	       NFLOG        =>   0x4000,       #NFLOG or ULOG
+	       INLINE       =>   0x8000,       #Inline action
+	       STATEMATCH   =>  0x10000,       #action.Invalid, action.Related, etc.
+	       USERBUILTIN  =>  0x20000,       #Builtin action from user's actions file.
+	       INLINERULE   =>  0x40000,       #INLINE
+	       OPTIONS      =>  0x80000,       #Target Accepts Options
+	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@ -2816,6 +2818,7 @@ sub initialize_chain_table($) {
 		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
+		    'IPTABLES'        => IPTABLES,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@ -2880,6 +2883,7 @@ sub initialize_chain_table($) {
 		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
+		    'IP6TABLES'       => IPTABLES,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2233,7 +2233,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@ -2243,7 +2243,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    
-    unless ( $actiontype & ( ACTION | INLINE) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
 	#
 	# Catch empty parameter list
 	#
@ -2321,6 +2321,28 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
+
+	      IPTABLES => sub {
+		  if ( $param ) {
+		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
+		      my ( $tgt, $options ) = split / /, $param;
+		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      $action = $param;
+		  } else {
+		      $action = '';
+		  }
+	      },
+
+	      IP6TABLES => sub {
+		  if ( $param ) {
+		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
+		      my ( $tgt, $options ) = split / /, $param;
+		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      $action = $param;
+		  } else {
+		      $action = '';
+		  }
+	      },
 	    );

 	my $function = $functions{ $bt };
@ -2744,7 +2766,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {

 	verify_audit( $action ) if $actiontype & AUDIT;

-	
 	expand_rule( $chainref ,
 		     $restriction ,
 		     '' ,