Restructure chain table for IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8938 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-07 19:51:52 +00:00
parent 038a4c0756
commit cfa3212b30


@ -44,6 +44,9 @@ our @EXPORT = qw(
log_rule_limit log_rule_limit
%chain_table %chain_table
%xlatetable
%ipv4tables
%ipv6tables
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@ -191,6 +194,16 @@ our %chain_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
our %xlatetable = ( raw => 'raw' ,
nat => 'nat' ,
mangle => 'mangle' ,
filter => 'filter' ,
raw6 => 'raw' ,
mangle6 => 'mangle' ,
filter6 => 'filter' );
our @ipv4tables = qw( raw mangle nat filter );
our @ipv6tables = qw( raw6 mangle6 filter6 );
# #
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file # It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent # and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
@ -212,6 +225,7 @@ use constant { STANDARD => 1, #defined by Netfilter
LOGRULE => 256, #'LOG' LOGRULE => 256, #'LOG'
NFQ => 512, #'NFQUEUE' NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain CHAIN => 1024, #Manual Chain
IPV4ONLY => 2048, #Not Available with IPV6
}; };
our %targets; our %targets;
@ -247,6 +261,18 @@ use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptabl
our $mode; our $mode;
sub use_ipv4() {
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
}
sub use_ipv6() {
$nat_table = undef;
$mangle_table = $chain_table{mangle6};
$filter_table = $chain_table{filter6};
}
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
@ -257,15 +283,22 @@ our $mode;
# #
sub initialize() { sub initialize() {
%chain_table = ( raw => {} , %chain_table = ( raw => {} ,
mangle => {}, mangle => {} ,
nat => {}, nat => {} ,
filter => {} ); filter => {} ,
raw6 => {} ,
filter6 => {} );
$nat_table = $chain_table{nat}; $chain_table{raw}{__NAME__} = 'raw';
$mangle_table = $chain_table{mangle}; $chain_table{mangle}{__NAME__} = 'mangle';
$filter_table = $chain_table{filter}; $chain_table{nat}{__NAME__} = 'nat';
$chain_table{filter}{__NAME__} = 'filter';
$chain_table{raw6}{__NAME__} = 'raw';
$chain_table{mangle6}{__NAME__} = 'mangle';
$chain_table{filter6}{__NAME__} = 'filter';
use_ipv4;
# #
# These get set to 1 as sections are encountered. # These get set to 1 as sections are encountered.
# #
@ -285,35 +318,35 @@ sub initialize() {
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
# #
%targets = ('ACCEPT' => STANDARD, %targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT, 'ACCEPT+' => STANDARD + NONAT + IPV4ONLY,
'ACCEPT!' => STANDARD, 'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY, 'NONAT' => STANDARD + NONAT + NATONLY + IPV4ONLY,
'DROP' => STANDARD, 'DROP' => STANDARD,
'DROP!' => STANDARD, 'DROP!' => STANDARD,
'REJECT' => STANDARD, 'REJECT' => STANDARD,
'REJECT!' => STANDARD, 'REJECT!' => STANDARD,
'DNAT' => NATRULE, 'DNAT' => NATRULE + IPV4ONLY,
'DNAT-' => NATRULE + NATONLY, 'DNAT-' => NATRULE + NATONLY + IPV4ONLY,
'REDIRECT' => NATRULE + REDIRECT, 'REDIRECT' => NATRULE + REDIRECT + IPV4ONLY,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY, 'REDIRECT-' => NATRULE + REDIRECT + NATONLY + IPV4ONLY,
'LOG' => STANDARD + LOGRULE, 'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD, 'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD, 'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD, 'QUEUE' => STANDARD,
'QUEUE!' => STANDARD, 'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ, 'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE, 'SAME' => NATRULE + IPV4ONLY,
'SAME-' => NATRULE + NATONLY, 'SAME-' => NATRULE + NATONLY + IPV4ONLY,
'dropBcast' => BUILTIN + ACTION, 'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION, 'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION, 'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION, 'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION, 'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION, 'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION, 'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION, 'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION, 'Limit' => BUILTIN + ACTION,
); );
# #
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
@ -336,6 +369,8 @@ sub initialize() {
%interfacemacs = (); %interfacemacs = ();
%interfacebcasts = (); %interfacebcasts = ();
%interfacegateways = (); %interfacegateways = ();
@ipv4tables = ( qw/ filter / );
} }
INIT { INIT {
@ -813,7 +848,7 @@ sub ensure_filter_chain( $$ )
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref; $chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) { if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) { if ( $section eq 'NEW' or $section eq 'DONE' ) {
@ -840,7 +875,7 @@ sub ensure_accounting_chain( $ )
if ( $chainref ) { if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting}; fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting};
} else { } else {
$chainref = new_chain 'filter' , $chain unless $chainref; $chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref;
$chainref->{accounting} = 1; $chainref->{accounting} = 1;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
} }
@ -851,7 +886,7 @@ sub ensure_accounting_chain( $ )
sub ensure_mangle_chain($) { sub ensure_mangle_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain; my $chainref = ensure_chain $mangle_table->{__NAME__}, $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -882,7 +917,7 @@ sub new_builtin_chain($$$)
} }
sub new_standard_chain($) { sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0]; my $chainref = new_chain $filter_table->{__NAME__} ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -916,11 +951,13 @@ sub ensure_manual_chain($) {
sub initialize_chain_table() sub initialize_chain_table()
{ {
for my $chain qw(OUTPUT PREROUTING) { for my $chain qw(OUTPUT PREROUTING) {
new_builtin_chain 'raw', $chain, 'ACCEPT'; new_builtin_chain 'raw' , $chain, 'ACCEPT';
new_builtin_chain 'raw6', $chain, 'ACCEPT';
} }
for my $chain qw(INPUT OUTPUT FORWARD) { for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
new_builtin_chain 'filter6', $chain, 'DROP';
} }
for my $chain qw(PREROUTING POSTROUTING OUTPUT) { for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
@ -929,6 +966,7 @@ sub initialize_chain_table()
for my $chain qw(PREROUTING INPUT OUTPUT ) { for my $chain qw(PREROUTING INPUT OUTPUT ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
} }
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
@ -936,6 +974,10 @@ sub initialize_chain_table()
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
} }
for my $chain qw( FORWARD POSTROUTING ) {
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
}
} }
# #
@ -986,7 +1028,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; my $chainref = $filter_table->{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections; finish_chain_section $chainref, $sections;
} }
@ -2402,7 +2444,7 @@ sub create_netfilter_load() {
# #
# First create the chains in the current table # First create the chains in the current table
# #
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep reftype $chain_table{$table}{$_} && $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
@ -2495,6 +2537,7 @@ sub create_chainlist_reload($) {
push @{$chains{$table}}, $chain; push @{$chains{$table}}, $chain;
} else { } else {
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
next unless reftype $chainref;
push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin};
} }
} }
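Review bot: The export list and the declarations disagree on the sigil — the @EXPORT hunk adds `%ipv4tables` and `%ipv6tables`, while the declarations hunk creates `our @ipv4tables` and `our @ipv6tables`, so Exporter will hand importers two empty package hashes and any module that references `@ipv4tables` under `use strict` will fail to compile; the entries should read `@ipv4tables` and `@ipv6tables`. Related, initialize() now ends with `@ipv4tables = ( qw/ filter / );`, which silently discards the `raw mangle nat` entries the declaration starts with — if that is intentional it deserves a comment such as `# tables other than filter are added as they are populated`, otherwise the line should go. Two smaller points: the new `%chain_table` initializer lists `raw6` and `filter6` but not `mangle6`, which only works because `$chain_table{mangle6}{__NAME__} = 'mangle';` autovivifies it, and the `reftype` guards added in create_netfilter_load and create_chainlist_reload presume Scalar::Util's reftype is already imported here, which the diff does not show. Storing the plain string `__NAME__` alongside the chain hashrefs also means every other loop over `keys`/`values` of a table that is not guarded by `reftype` will now treat the table name as a chain; those loops lie outside the hunks shown and are worth an audit before this lands.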