Implement IP[6]TABLES in the rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-12-29 13:46:58 -08:00 · 2013-12-29 13:46:58 -08:00 · 5985a6e9b3
commit 5985a6e9b3
parent 4cc5ee6b73
2 changed files with 48 additions and 23 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -107,6 +107,7 @@ our @EXPORT = ( qw(
 		    USERBUILTIN
 		    INLINERULE
 		    OPTIONS
+                    IPTABLES

 		    %chain_table
 		    %targets
@ -417,6 +418,7 @@ use constant { STANDARD     =>     0x1,       #defined by Netfilter
 	       USERBUILTIN  =>  0x20000,       #Builtin action from user's actions file.
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
+	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@ -2816,6 +2818,7 @@ sub initialize_chain_table($) {
 		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
+		    'IPTABLES'        => IPTABLES,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@ -2880,6 +2883,7 @@ sub initialize_chain_table($) {
 		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		    'INLINE'          => INLINERULE,
+		    'IP6TABLES'       => IPTABLES,
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2233,7 +2233,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	validate_level( $action );
 	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	$action   = 'LOG';
-    } elsif ( ! ( $actiontype & (ACTION | INLINE) ) ) {
+    } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
 	fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@ -2243,7 +2243,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    #
    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    
-    unless ( $actiontype & ( ACTION | INLINE) ) {
+    unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
 	#
 	# Catch empty parameter list
 	#
@ -2321,6 +2321,28 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section == NEW_SECTION;
 		  $action = ''; } ,
+
+	      IPTABLES => sub {
+		  if ( $param ) {
+		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
+		      my ( $tgt, $options ) = split / /, $param;
+		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      $action = $param;
+		  } else {
+		      $action = '';
+		  }
+	      },
+
+	      IP6TABLES => sub {
+		  if ( $param ) {
+		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
+		      my ( $tgt, $options ) = split / /, $param;
+		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      $action = $param;
+		  } else {
+		      $action = '';
+		  }
+	      },
 	    );

 	my $function = $functions{ $bt };
@ -2744,7 +2766,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {

 	verify_audit( $action ) if $actiontype & AUDIT;

-	
 	expand_rule( $chainref ,
 		     $restriction ,
 		     '' ,