Add IP version arg to more functions
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7324 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0075879b4c
commit
63f74768e2
@ -616,7 +616,7 @@ sub ensure_filter_chain( $$$ )
|
|||||||
{
|
{
|
||||||
my ($ipv, $chain, $populate) = @_;
|
my ($ipv, $chain, $populate) = @_;
|
||||||
|
|
||||||
my $chainref = $filter_table->{4}{$chain};
|
my $chainref = $filter_table->{$ipv}{$chain};
|
||||||
|
|
||||||
$chainref = new_chain 'filter', $ipv, $chain unless $chainref;
|
$chainref = new_chain 'filter', $ipv, $chain unless $chainref;
|
||||||
|
|
||||||
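Review bot: `$ipv` goes straight into `$filter_table->{$ipv}{$chain}` with no check, and that two-level lookup autovivifies `$filter_table->{$ipv}`, so a caller passing an unexpected version value would silently get a fresh empty table and a chain created in it rather than an error. If `$filter_table` is initialised with one entry per supported version, a guard before the lookup such as `die "ensure_filter_chain: unsupported IP version '$ipv'" unless exists $filter_table->{$ipv};` (or the module's usual fatal-error helper) would turn that into a loud failure at compile time. The other subs given an `$ipv` parameter in this commit (ensure_mangle_chain, new_builtin_chain, new_standard_chain) forward the value to `ensure_chain`/`new_chain`, so if those helpers do not already validate it, one check there would cover all of them. ensure_filter_chain's body continues past this hunk.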
@ -633,10 +633,10 @@ sub ensure_filter_chain( $$$ )
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub ensure_mangle_chain($) {
|
sub ensure_mangle_chain($$) {
|
||||||
my $chain = $_[0];
|
my ($ipv, $chain ) = @_;
|
||||||
|
|
||||||
my $chainref = ensure_chain 'mangle', IPv4, $chain;
|
my $chainref = ensure_chain 'mangle', $ipv, $chain;
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
|
|
||||||
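Review bot: ensure_mangle_chain has no header comment, while new_builtin_chain just below carries `# Add a builtin chain`; a one-liner above the `sub` such as `# Ensure that the named mangle chain exists for the given IP version and mark it referenced` would document the new two-argument contract, in particular that `$ipv` comes first. The body only shows the referenced flag being set; the exists-or-create behaviour is inferred from the name of `ensure_chain` and should be confirmed against that helper before the comment is worded that way. The sub continues past the end of this hunk.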
@ -646,18 +646,18 @@ sub ensure_mangle_chain($) {
|
|||||||
#
|
#
|
||||||
# Add a builtin chain
|
# Add a builtin chain
|
||||||
#
|
#
|
||||||
sub new_builtin_chain($$$)
|
sub new_builtin_chain($$$$)
|
||||||
{
|
{
|
||||||
my ( $table, $chain, $policy ) = @_;
|
my ( $table, $ipv, $chain, $policy ) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain $table, IPv4, $chain;
|
my $chainref = new_chain $table, $ipv, $chain;
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref->{policy} = $policy;
|
$chainref->{policy} = $policy;
|
||||||
$chainref->{builtin} = 1;
|
$chainref->{builtin} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub new_standard_chain($) {
|
sub new_standard_chain($$) {
|
||||||
my $chainref = new_chain 'filter', IPv4, ,$_[0];
|
my $chainref = new_chain 'filter', $_[0] ,$_[1];
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
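Review bot: new_standard_chain reads `$_[0]` and `$_[1]` positionally while the sibling ensure_mangle_chain changed in the same commit unpacks `my ($ipv, $chain ) = @_;`; unpacking here as well, `my ( $ipv, $chain ) = @_;` followed by `my $chainref = new_chain 'filter', $ipv, $chain;`, makes the new argument order readable and avoids the kind of positional slip the removed `, ,$_[0]` shows is easy to make. new_builtin_chain also ends on `$chainref->{builtin} = 1;`, so it returns 1 rather than the chain; none of the visible callers use the return value, but an explicit `return $chainref;` would match new_standard_chain and ensure_filter_chain, which both return the ref.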
@ -669,24 +669,24 @@ sub new_standard_chain($) {
|
|||||||
sub initialize_chain_table()
|
sub initialize_chain_table()
|
||||||
{
|
{
|
||||||
for my $chain qw(OUTPUT PREROUTING) {
|
for my $chain qw(OUTPUT PREROUTING) {
|
||||||
new_builtin_chain 'raw', $chain, 'ACCEPT';
|
new_builtin_chain 'raw', IPv4, $chain, 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $chain qw(INPUT OUTPUT FORWARD) {
|
for my $chain qw(INPUT OUTPUT FORWARD) {
|
||||||
new_builtin_chain 'filter', $chain, 'DROP';
|
new_builtin_chain 'filter', IPv4, $chain, 'DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
|
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
|
||||||
new_builtin_chain 'nat', $chain, 'ACCEPT';
|
new_builtin_chain 'nat', IPv4, $chain, 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $chain qw(PREROUTING INPUT OUTPUT ) {
|
for my $chain qw(PREROUTING INPUT OUTPUT ) {
|
||||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
new_builtin_chain 'mangle', IPv4, $chain, 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||||
for my $chain qw( FORWARD POSTROUTING ) {
|
for my $chain qw( FORWARD POSTROUTING ) {
|
||||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
new_builtin_chain 'mangle', IPv4, $chain, 'ACCEPT';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
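Review bot: initialize_chain_table takes no version argument and passes the `IPv4` literal at all five new_builtin_chain sites, so after this commit the builtin chains still exist for one version only even though the helper it calls is now version-aware. If the intent is a per-version table, threading an `$ipv` parameter through (callers passing IPv4 for now) or looping over the supported versions here would avoid a second sweep later; if IPv6 initialisation is deliberately deferred, a comment at the top of the sub such as `# Only the IPv4 builtin chains are created here; other versions are not yet initialised` would stop a reader from taking the table as complete. Which of the two is intended is not visible on this page.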
|
@ -217,15 +217,15 @@ sub add_rule_pair( $$$$ ) {
|
|||||||
sub setup_rfc1918_filteration( $ ) {
|
sub setup_rfc1918_filteration( $ ) {
|
||||||
|
|
||||||
my $listref = $_[0];
|
my $listref = $_[0];
|
||||||
my $norfc1918ref = new_standard_chain 'norfc1918';
|
my $norfc1918ref = new_standard_chain IPv4, 'norfc1918';
|
||||||
my $rfc1918ref = new_standard_chain 'rfc1918';
|
my $rfc1918ref = new_standard_chain IPv4, 'rfc1918';
|
||||||
my $chainref = $norfc1918ref;
|
my $chainref = $norfc1918ref;
|
||||||
|
|
||||||
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
|
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
|
||||||
|
|
||||||
add_rule $rfc1918ref , '-j DROP';
|
add_rule $rfc1918ref , '-j DROP';
|
||||||
|
|
||||||
$chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT};
|
$chainref = new_standard_chain IPv4, 'rfc1918d' if $config{RFC1918_STRICT};
|
||||||
|
|
||||||
my $fn = open_file 'rfc1918';
|
my $fn = open_file 'rfc1918';
|
||||||
|
|
||||||
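Review bot: The `IPv4` passed to new_standard_chain at the `norfc1918`, `rfc1918` and `rfc1918d` sites is intrinsic rather than transitional, since RFC 1918 defines private address space for IPv4 only, which makes these three calls easy to mis-generalise in a later sweep that replaces the remaining `IPv4` literals with a variable. A comment at the top of the sub, `# RFC 1918 private address space is IPv4-only; these chains belong to the IPv4 table by definition`, would record that distinction where the next editor will see it. The sub's body continues past this hunk.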
@ -279,10 +279,10 @@ sub setup_blacklist() {
|
|||||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||||
|
|
||||||
if ( @$hosts ) {
|
if ( @$hosts ) {
|
||||||
$chainref = new_standard_chain 'blacklst';
|
$chainref = new_standard_chain IPv4, 'blacklst';
|
||||||
|
|
||||||
if ( defined $level && $level ne '' ) {
|
if ( defined $level && $level ne '' ) {
|
||||||
my $logchainref = new_standard_chain 'blacklog';
|
my $logchainref = new_standard_chain IPv4, 'blacklog';
|
||||||
|
|
||||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
@ -508,23 +508,23 @@ sub add_common_rules() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $rejectref = new_standard_chain 'reject';
|
my $rejectref = new_standard_chain IPv4, 'reject';
|
||||||
|
|
||||||
$level = $config{BLACKLIST_LOGLEVEL};
|
$level = $config{BLACKLIST_LOGLEVEL};
|
||||||
|
|
||||||
add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
|
add_rule_pair new_standard_chain( IPv4, 'logdrop' ), ' ' , 'DROP' , $level ;
|
||||||
add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ;
|
add_rule_pair new_standard_chain( IPv4, 'logreject' ), ' ' , 'reject' , $level ;
|
||||||
|
|
||||||
new_standard_chain 'dynamic';
|
new_standard_chain IPv4, 'dynamic';
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||||
|
|
||||||
for $interface ( all_interfaces ) {
|
for $interface ( all_interfaces ) {
|
||||||
for $chain ( @{first_chains $interface} ) {
|
for $chain ( @{first_chains $interface} ) {
|
||||||
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
|
add_rule new_standard_chain( IPv4, $chain ) , "$state -j dynamic";
|
||||||
}
|
}
|
||||||
|
|
||||||
new_standard_chain output_chain( $interface );
|
new_standard_chain IPv4, output_chain( $interface );
|
||||||
}
|
}
|
||||||
|
|
||||||
run_user_exit1 'initdone';
|
run_user_exit1 'initdone';
|
||||||
@ -533,7 +533,7 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
$list = find_hosts_by_option 'nosmurfs';
|
$list = find_hosts_by_option 'nosmurfs';
|
||||||
|
|
||||||
$chainref = new_standard_chain 'smurfs';
|
$chainref = new_standard_chain IPv4, 'smurfs';
|
||||||
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
||||||
@ -608,10 +608,10 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
progress_message2 "$doing TCP Flags filtering...";
|
progress_message2 "$doing TCP Flags filtering...";
|
||||||
|
|
||||||
$chainref = new_standard_chain 'tcpflags';
|
$chainref = new_standard_chain IPv4, 'tcpflags';
|
||||||
|
|
||||||
if ( $config{TCP_FLAGS_LOG_LEVEL} ne '' ) {
|
if ( $config{TCP_FLAGS_LOG_LEVEL} ne '' ) {
|
||||||
my $logflagsref = new_standard_chain 'logflags';
|
my $logflagsref = new_standard_chain IPv4, 'logflags';
|
||||||
|
|
||||||
my $savelogparms = $globals{LOGPARMS};
|
my $savelogparms = $globals{LOGPARMS};
|
||||||
|
|
||||||
@ -651,7 +651,7 @@ sub add_common_rules() {
|
|||||||
if ( $config{DYNAMIC_ZONES} ) {
|
if ( $config{DYNAMIC_ZONES} ) {
|
||||||
for $interface ( all_interfaces ) {
|
for $interface ( all_interfaces ) {
|
||||||
for $chain ( @{dynamic_chains $interface} ) {
|
for $chain ( @{dynamic_chains $interface} ) {
|
||||||
new_standard_chain $chain;
|
new_standard_chain IPv4, $chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
|
mark_referenced( new_chain 'nat' , IPv4, $chain = dynamic_in($interface) );
|
||||||
@ -1436,7 +1436,7 @@ sub generate_matrix() {
|
|||||||
sub create_zone_dyn_chain( $$ ) {
|
sub create_zone_dyn_chain( $$ ) {
|
||||||
my ( $zone , $chainref ) = @_;
|
my ( $zone , $chainref ) = @_;
|
||||||
my $name = "${zone}_dyn";
|
my $name = "${zone}_dyn";
|
||||||
new_standard_chain $name;
|
new_standard_chain IPv4, $name;
|
||||||
add_rule $chainref, "-j $name";
|
add_rule $chainref, "-j $name";
|
||||||
}
|
}
|
||||||
|
|
||||||
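Review bot: create_zone_dyn_chain creates `${zone}_dyn` in the IPv4 table and then emits `add_rule $chainref, "-j $name"` into a caller-supplied chain whose table version is not checked, so the jump and its target are only guaranteed to be in the same table as long as every caller passes an IPv4 chain. If chain refs record the table or version they belong to, deriving the version from `$chainref` instead of the literal, or adding a third `$ipv` argument passed through to new_standard_chain, would keep the two tied together; this page does not show how chainrefs are structured, so that needs confirming. At minimum a comment such as `# $chainref must be an IPv4 chain: the _dyn target is created in the IPv4 table` would make the assumption explicit.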
@ -1507,13 +1507,13 @@ sub generate_matrix() {
|
|||||||
# Special processing for complex zones
|
# Special processing for complex zones
|
||||||
#
|
#
|
||||||
for my $zone ( complex_zones ) {
|
for my $zone ( complex_zones ) {
|
||||||
my $frwd_ref = new_standard_chain "${zone}_frwd";
|
my $frwd_ref = new_standard_chain IPv4, "${zone}_frwd";
|
||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
my $exclusions = $zoneref->{exclusions};
|
my $exclusions = $zoneref->{exclusions};
|
||||||
|
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
my $in_ref = new_standard_chain "${zone}_input";
|
my $in_ref = new_standard_chain IPv4, "${zone}_input";
|
||||||
my $out_ref = new_standard_chain "${zone}_output";
|
my $out_ref = new_standard_chain IPv4, "${zone}_output";
|
||||||
|
|
||||||
add_rule ensure_filter_chain( IPv4, "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
add_rule ensure_filter_chain( IPv4, "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
||||||
|
|
||||||
|
@ -556,12 +556,12 @@ sub setup_tc() {
|
|||||||
my $first_entry = 1;
|
my $first_entry = 1;
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||||
ensure_mangle_chain 'tcpre';
|
ensure_mangle_chain IPv4, 'tcpre';
|
||||||
ensure_mangle_chain 'tcout';
|
ensure_mangle_chain IPv4, 'tcout';
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||||
ensure_mangle_chain 'tcfor';
|
ensure_mangle_chain IPv4, 'tcfor';
|
||||||
ensure_mangle_chain 'tcpost';
|
ensure_mangle_chain IPv4, 'tcpost';
|
||||||
}
|
}
|
||||||
|
|
||||||
my $mark_part = '';
|
my $mark_part = '';
|
||||||
|