Restructure chain table for IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-07 19:51:52 +00:00
parent 038a4c0756
commit cfa3212b30


@ -44,6 +44,9 @@ our @EXPORT = qw(
log_rule_limit
%chain_table
%xlatetable
%ipv4tables
%ipv6tables
$nat_table
$mangle_table
$filter_table
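Review bot: The two new export entries use the wrong sigil: `%ipv4tables` and `%ipv6tables` are exported here, but the variables declared further down are arrays (`our @ipv4tables`, `our @ipv6tables`), so importers receive empty, never-assigned package hashes and the arrays themselves are not exported at all. Exporter does this silently (it uses symbolic refs), so nothing will complain until a caller finds the list empty. Change the entries to `@ipv4tables` and `@ipv6tables`. The @EXPORT list continues outside this hunk.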
@ -191,6 +194,16 @@ our %chain_table;
our $nat_table;
our $mangle_table;
our $filter_table;
our %xlatetable = ( raw => 'raw' ,
nat => 'nat' ,
mangle => 'mangle' ,
filter => 'filter' ,
raw6 => 'raw' ,
mangle6 => 'mangle' ,
filter6 => 'filter' );
our @ipv4tables = qw( raw mangle nat filter );
our @ipv6tables = qw( raw6 mangle6 filter6 );
#
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
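Review bot: `%xlatetable` and the `__NAME__` entries set in initialize() encode the same %chain_table-key to netfilter-table-name mapping twice, so adding a table means updating both places (plus `@ipv4tables`/`@ipv6tables`). Deriving one from the other keeps a single source of truth, e.g. `$chain_table{$_}{__NAME__} = $xlatetable{$_} for keys %xlatetable;` in initialize(). A one-line comment above `%xlatetable` saying it maps %chain_table keys to the table names handed to iptables/ip6tables would also help, since the `6` suffix is currently the only hint.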
@ -212,6 +225,7 @@ use constant { STANDARD => 1, #defined by Netfilter
LOGRULE => 256, #'LOG'
NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain
IPV4ONLY => 2048, #Not Available with IPV6
};
our %targets;
@ -247,6 +261,18 @@ use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptabl
our $mode;
sub use_ipv4() {
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
}
sub use_ipv6() {
$nat_table = undef;
$mangle_table = $chain_table{mangle6};
$filter_table = $chain_table{filter6};
}
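Review bot: Setting `$nat_table = undef` in use_ipv6 means any later `$nat_table->{...}` access autovivifies a detached anonymous hash instead of failing, so a NAT-path call that slips through in IPv6 mode would silently get an undefined `__NAME__` rather than a diagnostic. No such caller is visible in this diff, so this may be handled elsewhere, but a safer shape is a guard at the NAT entry points, e.g. `fatal_error "NAT is not available with IPv6" unless $nat_table;`, or pointing `$nat_table` at an empty table whose `__NAME__` is defined. A short comment on use_ipv6 stating that the nat table is deliberately absent for IPv6 would make the intent explicit.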
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
@ -257,15 +283,22 @@ our $mode;
#
sub initialize() {
%chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
%chain_table = ( raw => {} ,
mangle => {} ,
nat => {} ,
filter => {} ,
raw6 => {} ,
filter6 => {} );
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
$chain_table{raw}{__NAME__} = 'raw';
$chain_table{mangle}{__NAME__} = 'mangle';
$chain_table{nat}{__NAME__} = 'nat';
$chain_table{filter}{__NAME__} = 'filter';
$chain_table{raw6}{__NAME__} = 'raw';
$chain_table{mangle6}{__NAME__} = 'mangle';
$chain_table{filter6}{__NAME__} = 'filter';
use_ipv4;
#
# These get set to 1 as sections are encountered.
#
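Review bot: The `%chain_table` initializer lists `raw6` and `filter6` but not `mangle6`, so that table only comes into existence through autovivification at `$chain_table{mangle6}{__NAME__} = 'mangle';` a few lines later. It works, but the initializer no longer documents the full set of tables; add `mangle6 => {} ,` between `raw6` and `filter6`. The three `$nat_table`/`$mangle_table`/`$filter_table` assignments kept here are now duplicated by the `use_ipv4;` call that follows, so one of the two can go. initialize() continues outside this hunk.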
@ -285,35 +318,35 @@ sub initialize() {
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
#
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT+' => STANDARD + NONAT + IPV4ONLY,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
'NONAT' => STANDARD + NONAT + NATONLY + IPV4ONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'DNAT' => NATRULE,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE,
'DNAT' => NATRULE + IPV4ONLY,
'DNAT-' => NATRULE + NATONLY + IPV4ONLY,
'REDIRECT' => NATRULE + REDIRECT + IPV4ONLY,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY + IPV4ONLY,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE,
'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE + IPV4ONLY,
'SAME-' => NATRULE + NATONLY + IPV4ONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
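Review bot: The `IPV4ONLY` bit is added to the NAT-dependent targets here, but nothing in this diff reads it, so the rejection of these targets when compiling for IPv6 must happen elsewhere or is still to come; worth confirming the rules processor raises `fatal_error` when `$targets{$target} & IPV4ONLY` in IPv6 mode rather than letting e.g. `DNAT` fall through to the nat table that use_ipv6 leaves undefined. Whether builtin actions such as `dropBcast`/`allowBcast` or the UPnP actions are also IPv4-only cannot be judged from this hunk; a comment on the table noting which rows were deliberately left unflagged would help the next reader. The `%targets` initializer sits inside initialize(), which starts and ends outside this hunk.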
#
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
@ -336,6 +369,8 @@ sub initialize() {
%interfacemacs = ();
%interfacebcasts = ();
%interfacegateways = ();
@ipv4tables = ( qw/ filter / );
}
INIT {
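Review bot: `@ipv4tables = ( qw/ filter / );` in initialize() silently replaces the declared value `qw( raw mangle nat filter )` with a one-element list, and there is no matching reset of `@ipv6tables`, so a second compiler run in the same process (the case initialize() exists for) starts with the two arrays in different states than the first run. If the list is meant to grow as tables are used, the declaration should start with the same `filter`-only value and carry a comment saying so; if not, this line drops raw, mangle and nat. Either way `@ipv6tables` needs the same reset treatment. initialize() starts outside this hunk.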
@ -813,7 +848,7 @@ sub ensure_filter_chain( $$ )
my $chainref = $filter_table->{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref;
$chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
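Review bot: `new_chain $filter_table->{__NAME__}, $chain` passes the netfilter table name, which for `$chain_table{filter6}` is also `'filter'` (initialize() sets `__NAME__` to `'filter'` for both tables), whereas the builtin chains are created with the %chain_table key (`new_builtin_chain 'filter6', ...`). Unless new_chain was reworked outside this diff to resolve the table some other way, in IPv6 mode the chain is created under `$chain_table{filter}` while the lookup on the line above keeps reading `$filter_table` (filter6) and never finds it. Either record the key alongside the name and pass that, or let new_chain take the table hashref itself; the same pattern appears in ensure_accounting_chain, ensure_mangle_chain and new_standard_chain below. ensure_filter_chain continues outside this hunk.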
@ -840,7 +875,7 @@ sub ensure_accounting_chain( $ )
if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting};
} else {
$chainref = new_chain 'filter' , $chain unless $chainref;
$chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref;
$chainref->{accounting} = 1;
$chainref->{referenced} = 1;
}
@ -851,7 +886,7 @@ sub ensure_accounting_chain( $ )
sub ensure_mangle_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain;
my $chainref = ensure_chain $mangle_table->{__NAME__}, $chain;
$chainref->{referenced} = 1;
@ -882,7 +917,7 @@ sub new_builtin_chain($$$)
}
sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0];
my $chainref = new_chain $filter_table->{__NAME__} ,$_[0];
$chainref->{referenced} = 1;
$chainref;
}
@ -916,11 +951,13 @@ sub ensure_manual_chain($) {
sub initialize_chain_table()
{
for my $chain qw(OUTPUT PREROUTING) {
new_builtin_chain 'raw', $chain, 'ACCEPT';
new_builtin_chain 'raw' , $chain, 'ACCEPT';
new_builtin_chain 'raw6', $chain, 'ACCEPT';
}
for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP';
new_builtin_chain 'filter', $chain, 'DROP';
new_builtin_chain 'filter6', $chain, 'DROP';
}
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
@ -929,6 +966,7 @@ sub initialize_chain_table()
for my $chain qw(PREROUTING INPUT OUTPUT ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
}
if ( $capabilities{MANGLE_FORWARD} ) {
@ -936,6 +974,10 @@ sub initialize_chain_table()
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
}
for my $chain qw( FORWARD POSTROUTING ) {
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
}
}
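Review bot: The ip6 mangle FORWARD and POSTROUTING chains are created unconditionally, while the IPv4 ones directly above are gated on `$capabilities{MANGLE_FORWARD}`. If an IPv6 capability probe exists it should gate this loop the same way; if IPv6 is assumed to always provide these hooks, say so, e.g. `# ip6tables is assumed to always have mangle FORWARD/POSTROUTING; no capability check` so the asymmetry does not read as an oversight. initialize_chain_table starts outside this hunk.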
#
@ -986,7 +1028,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
my $chainref = $filter_table->{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections;
}
@ -2402,7 +2444,7 @@ sub create_netfilter_load() {
#
# First create the chains in the current table
#
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
for my $chain ( grep reftype $chain_table{$table}{$_} && $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
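Review bot: Storing the table name as `$chain_table{$table}{__NAME__}` puts a plain string in the same hash as the chain records, so every loop over `%{$chain_table{$table}}` now has to skip it; this diff patches two such loops with `reftype`, and any other iteration elsewhere in the file will now dereference a string. A key-based skip is more explicit about what is excluded and does not depend on `reftype` being imported from Scalar::Util (the import is not visible here): `grep $_ ne '__NAME__' && $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} )`. Keeping the metadata outside the chain namespace (a parallel hash keyed by table) would remove the problem entirely. create_netfilter_load continues outside this hunk.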
@ -2495,6 +2537,7 @@ sub create_chainlist_reload($) {
push @{$chains{$table}}, $chain;
} else {
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
next unless reftype $chainref;
push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin};
}
}