More IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8942 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-08 00:21:20 +00:00
parent 96af8e6a62
commit e8586bbdb9
7 changed files with 202 additions and 102 deletions


@ -28,6 +28,7 @@ require Exporter;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use strict;
@ -48,11 +49,11 @@ our @EXPORT = qw( merge_levels
merge_macro_source_dest
merge_macro_column
%usedactions
%default_actions
%actions
$usedactions
$default_actions
$actions
%macros
$macros
$macro_commands
);
our @EXPORT_OK = qw( initialize );
@ -61,11 +62,15 @@ our $VERSION = 4.1.1;
#
# Used Actions. Each action that is actually used has an entry with value 1.
#
our %usedactions;
our %usedactions4;
our %usedactions6;
our $usedactions;
#
# Default actions for each policy.
#
our %default_actions;
our %default_actions4;
our %default_actions6;
our $default_actions;
# Action Table
#
@ -75,19 +80,47 @@ our %default_actions;
# } ,
# actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
#
our %actions;
our %actions4;
our %actions6;
our $actions;
#
# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
#
our %logactionchains;
our %logactionchains4;
our %logactionchains6;
our $logactionchains;
our %macros;
our $action_prefix;
our %macros4;
our %macros6;
our $macros;
our $macro_prefix;
#
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
#
our $macro_commands = { COMMENT => 0, FORMAT => 2 };
sub use_ipv4_actions() {
$usedactions = \%usedactions4;
$default_actions = \%default_actions4;
$actions = \%actions4;
$macros = \%macros4;
$action_prefix = 'action4';
$macro_prefix = 'macro4';
}
sub use_ipv6_actions() {
$usedactions = \%usedactions6;
$default_actions = \%default_actions6;
$actions = \%actions6;
$macros = \%macros6;
$action_prefix = 'action6';
$macro_prefix = 'macro6';
}
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
@ -98,14 +131,24 @@ our $macro_commands = { COMMENT => 0, FORMAT => 2 };
#
sub initialize() {
%usedactions = ();
%default_actions = ( DROP => 'none' ,
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
%actions = ();
%logactionchains = ();
%macros = ();
%usedactions4 = ();
%usedactions6 = ();
%default_actions4 = ( DROP => 'none' ,
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
%default_actions6 = ( DROP => 'none' ,
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
%actions4 = ();
%actions6 = ();
%logactionchains4 = ();
%logactionchains6 = ();
%macros4 = ();
%macros6 = ();
use_ipv4_actions;
}
INIT {
@ -153,11 +196,13 @@ sub merge_levels ($$) {
sub find_macro( $ )
{
my $macro = $_[0];
my $macrofile = find_file "macro.$macro";
my $macrofile = find_file "${macro_prefix}.$macro";
$macrofile = find_file "macro.$macro" unless -f $macrofile;
if ( -f $macrofile ) {
$macros{$macro} = $macrofile;
$targets{$macro} = MACRO;
$macros->{$macro} = $macrofile;
$targets->{$macro} = MACRO;
} else {
0;
}
@ -252,7 +297,7 @@ sub new_action( $ ) {
my $action = $_[0];
$actions{$action} = { actchain => '', requires => {} };
$actions->{$action} = { actchain => '', requires => {} };
}
#
@ -260,7 +305,7 @@ sub new_action( $ ) {
#
sub add_requiredby ( $$ ) {
my ($requiredby , $requires ) = @_;
$actions{$requires}{requires}{$requiredby} = 1;
$actions->{$requires}{requires}{$requiredby} = 1;
}
#
@ -280,7 +325,7 @@ sub add_requiredby ( $$ ) {
sub createlogactionchain( $$ ) {
my ( $action, $level ) = @_;
my $chain = $action;
my $actionref = $actions{$action};
my $actionref = $actions->{$action};
my $chainref;
my ($lev, $tag) = split ':', $level;
@ -293,15 +338,15 @@ sub createlogactionchain( $$ ) {
CHECKDUP:
{
$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
$actionref->{actchain}++ while $filter_table->{'%' . $chain . $actionref->{actchain}};
$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
}
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
$logactionchains->{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
unless ( $targets{$action} & STANDARD ) {
unless ( $targets->{$action} & STANDARD ) {
my $file = find_file $chain;
@ -325,9 +370,9 @@ sub createsimpleactionchain( $ ) {
my $action = shift;
my $chainref = new_standard_chain $action;
$logactionchains{"$action:none"} = $chainref;
$logactionchains->{"$action:none"} = $chainref;
unless ( $targets{$action} & STANDARD ) {
unless ( $targets->{$action} & STANDARD ) {
my $file = find_file $action;
@ -374,7 +419,7 @@ sub find_logactionchain( $ ) {
$level = 'none' unless $level;
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
fatal_error "Fatal error in find_logactionchain" unless $logactionchains->{"$action:$level"};
}
#
@ -416,7 +461,7 @@ sub process_macro1 ( $$ ) {
$mtarget = (split '/' , $mtarget)[0];
my $targettype = $targets{$mtarget};
my $targettype = $targets->{$mtarget};
$targettype = 0 unless defined $targettype;
@ -436,7 +481,7 @@ sub process_action1 ( $$ ) {
$level = 'none' unless $level;
my $targettype = $targets{$target};
my $targettype = $targets->{$target};
if ( defined $targettype ) {
return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE | NFQ | CHAIN ) );
@ -454,7 +499,7 @@ sub process_action1 ( $$ ) {
return if $target eq 'NFQUEUE';
if ( defined $param ) {
my $paramtype = $targets{$param} || 0;
my $paramtype = $targets->{$param} || 0;
fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
}
@ -462,7 +507,7 @@ sub process_action1 ( $$ ) {
fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
if ( find_macro $target ) {
process_macro1( $action, $macros{$target} );
process_macro1( $action, $macros->{$target} );
} else {
fatal_error "Invalid TARGET ($target)";
}
@ -473,7 +518,7 @@ sub process_actions1() {
progress_message2 "Preprocessing Action Files...";
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
for my $act ( grep $targets->{$_} & ACTION , keys %{$targets} ) {
new_action $act;
}
@ -490,18 +535,20 @@ sub process_actions1() {
next unless $action;
if ( $targets{$action} ) {
warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
if ( $targets->{$action} ) {
warning_message "Duplicate Action Name ($action) Ignored" unless $targets->{$action} & ACTION;
next;
}
$targets{$action} = ACTION;
$targets->{$action} = ACTION;
fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
new_action $action;
my $actionfile = find_file "action.$action";
my $actionfile = find_file "${action_prefix}.$action";
$actionfile = find_file "action.$action" unless -f $actionfile;
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
@ -529,14 +576,14 @@ sub process_actions2 () {
while ( $changed ) {
$changed = 0;
for my $target (keys %usedactions) {
for my $target (keys %{$usedactions}) {
my ($action, $level) = split_action $target;
my $actionref = $actions{$action};
my $actionref = $actions->{$action};
fatal_error "Null Action Reference in process_actions2" unless $actionref;
for my $action1 ( keys %{$actionref->{requires}} ) {
my $action2 = merge_levels $target, $action1;
unless ( $usedactions{ $action2 } ) {
$usedactions{ $action2 } = 1;
unless ( $usedactions->{ $action2 } ) {
$usedactions->{ $action2 } = 1;
createactionchain $action2;
$changed = 1;
}
@ -588,7 +635,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
macro_comment $macro;
my $fn = $macros{$macro};
my $fn = $macros->{$macro};
progress_message "..Expanding Macro $fn...";
@ -673,7 +720,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
#
sub process_action3( $$$$$ ) {
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
my $actionfile = find_file "action.$action";
my $actionfile = find_file "${action_prefix}.$action";
$actionfile = find_file "action.$action" unless -f $actionfile;
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
@ -696,7 +745,7 @@ sub process_action3( $$$$$ ) {
( $action2 , my $param ) = get_target_param $action2;
my $action2type = $targets{$action2} || 0;
my $action2type = $targets->{$action2} || 0;
unless ( $action2type == STANDARD ) {
if ( $action2type & ACTION ) {
@ -851,14 +900,14 @@ sub process_actions3 () {
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit, );
for my $wholeaction ( keys %usedactions ) {
for my $wholeaction ( keys %{$usedactions} ) {
my $chainref = find_logactionchain $wholeaction;
my ( $action, $level, $tag ) = split /:/, $wholeaction;
$level = '' unless defined $level;
$tag = '' unless defined $tag;
if ( $targets{$action} & BUILTIN ) {
if ( $targets->{$action} & BUILTIN ) {
$level = '' if $level =~ /none!?/;
$builtinops{$action}->($chainref, $level, $tag);
} else {
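Review bot: Neither use_ipv4_actions nor use_ipv6_actions assigns $logactionchains, so the %logactionchains4 and %logactionchains6 hashes that initialize() now clears are never the ones the code reads; the first write through `$logactionchains->{"$action:$level"} = ...` in createlogactionchain autovivifies an anonymous hash that initialize() cannot reset, which works against the file's stated goal of running the compiler more than once in one process (unless the assignment happens in a part of the file outside these hunks). Add `$logactionchains = \%logactionchains4;` to use_ipv4_actions and `$logactionchains = \%logactionchains6;` to use_ipv6_actions. The two new subs and the $action_prefix/$macro_prefix globals also lack the `#` header comment the other globals in this file carry; a line such as `# Select the per-family action/macro tables and the file-name prefixes tried first by find_macro and process_actions; initialize() selects IPv4.` would make the switching contract visible.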


@ -50,6 +50,7 @@ our @EXPORT = qw(
$nat_table
$mangle_table
$filter_table
$targets
);
our %EXPORT_TAGS = (
@ -149,7 +150,7 @@ our %EXPORT_TAGS = (
create_chainlist_reload
$section
%sections
%targets
$targets
) ],
);
@ -231,7 +232,6 @@ use constant { STANDARD => 1, #defined by Netfilter
IPV4ONLY => 2048, #Not Available with IPV6
};
our %targets;
#
# expand_rule() restrictions
#
@ -264,16 +264,22 @@ use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptabl
our $mode;
our %targets4;
our %targets6;
our $targets;
sub use_ipv4_chains() {
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
$targets = \%targets4;
}
sub use_ipv6_chains() {
$nat_table = undef;
$mangle_table = $chain_table{mangle6};
$filter_table = $chain_table{filter6};
$targets = \%targets6;
}
#
@ -318,40 +324,6 @@ sub initialize() {
#
$comment = '';
#
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
#
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT + IPV4ONLY,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY + IPV4ONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'DNAT' => NATRULE + IPV4ONLY,
'DNAT-' => NATRULE + NATONLY + IPV4ONLY,
'REDIRECT' => NATRULE + REDIRECT + IPV4ONLY,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY + IPV4ONLY,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE + IPV4ONLY,
'SAME-' => NATRULE + NATONLY + IPV4ONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
#
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
#
$exclseq = 0;
@ -374,6 +346,63 @@ sub initialize() {
%interfacegateways = ();
@ipv4tables = ( qw/ filter / );
#
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
#
%targets4 = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
'DROP' => STANDARD,
'DROP!' => STANDARD,
'REJECT' => STANDARD,
'REJECT!' => STANDARD,
'DNAT' => NATRULE,
'DNAT-' => NATRULE + NATONLY,
'REDIRECT' => NATRULE + REDIRECT,
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'SAME' => NATRULE,
'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
%targets6 = ('ACCEPT' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
'DROP!' => STANDARD,
'LOG' => STANDARD + LOGRULE,
'CONTINUE' => STANDARD,
'CONTINUE!' => STANDARD,
'QUEUE' => STANDARD,
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
'rejNotSyn' => BUILTIN + ACTION,
'dropInvalid' => BUILTIN + ACTION,
'allowInvalid' => BUILTIN + ACTION,
'allowinUPnP' => BUILTIN + ACTION,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
}
INIT {
@ -557,7 +586,7 @@ sub add_jump( $$$;$ ) {
#
# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
#
$toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD;
$toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets->{$to} || 0 ) & STANDARD;
}
#
@ -933,8 +962,8 @@ sub new_nat_chain($) {
sub new_manual_chain($) {
my $chain = $_[0];
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
$targets{$chain} = CHAIN;
fatal_error "Duplicate Chain Name ($chain)" if $targets->{$chain} || $filter_table->{$chain};
$targets->{$chain} = CHAIN;
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
$chainref->{referenced} = 1;
$chainref;
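Review bot: %targets6 in initialize() has no entries for 'DROP', 'REJECT', 'REJECT!' or 'ACCEPT!', although 'DROP!' is present and %default_actions6 in Actions.pm is keyed on DROP and REJECT; since DROP and REJECT are plain filter-table targets, the omission looks like an oversight rather than an IPv6 limitation, and a rule naming them would presumably miss every `$targets->{...}` lookup (for example `( $targets->{$to} || 0 ) & STANDARD` in add_jump) and be treated as a user chain. If the omission is deliberate, a comment on %targets6 naming the withheld targets and the reason would stop it being "fixed" later. use_ipv6_chains also leaves $nat_table undef, so a write through `$nat_table->{...}` would autovivify a detached hash rather than fail; a comment such as `# No nat table for IPv6 -- callers must test $nat_table before dereferencing it` next to that assignment would record the contract. The visible tail of initialize() does not call use_ipv4_chains, so $targets and $filter_table stay undef until a caller selects a family; worth confirming that happens before the first lookup.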


@ -37,6 +37,7 @@ use Shorewall::Accounting;
use Shorewall::Rules;
use Shorewall::Proc;
use Shorewall::Proxyarp;
use Shorewall::IPAddrs;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
@ -49,6 +50,8 @@ our $test;
our $reused = 0;
our $family;
use constant { EXPORT => 0x01 ,
TIMESTAMP => 0x02 ,
DEBUG => 0x04 };
@ -68,6 +71,21 @@ sub reinitialize() {
Shorewall::Accounting::initialize;
Shorewall::Rules::initialize;
Shorewall::Proxyarp::initialize;
$family = 0;
}
sub use_ipv4() {
use_ipv4_addrs;
use_ipv4_interfaces;
use_ipv4_policies;
$family = F_INET;
}
sub use_ipv6() {
use_ipv6_addrs;
use_ipv6_interfaces;
use_ipv6_policies;
$family = F_INET;
}
#
@ -799,6 +817,7 @@ sub compiler {
#
# Process the interfaces file(s).
#
use_ipv4;
validate_interfaces_file ( 'interfaces', $export );
#
# Process the hosts file.
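Review bot: use_ipv6() ends with `$family = F_INET;`, the same value use_ipv4() sets, so Compiler.pm's own $family never records IPv6; use_ipv6_addrs in IPAddrs.pm sets F_INET6 for its family, and this line reads as a copy-paste slip — change it to `$family = F_INET6;`. Neither use_ipv4() nor use_ipv6() calls the use_ipv4_chains/use_ipv6_chains and use_ipv4_actions/use_ipv6_actions selectors this commit adds in Chains.pm and Actions.pm, so after use_ipv6 the $targets, $filter_table and $actions references would presumably still point at the IPv4 tables unless use_ipv6_policies (not shown) does that; worth confirming. compiler() calls use_ipv4 unconditionally before validate_interfaces_file, so the IPv6 path is not reachable from here yet; a one-line comment on use_ipv4/use_ipv6 stating that they must run after reinitialize(), which resets $family to 0, would help the next reader.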


@ -89,7 +89,7 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
sub use_ipv4() {
sub use_ipv4_addrs() {
$family = F_INET;
}
@ -97,7 +97,7 @@ sub using_ipv4() {
$family == F_INET;
}
sub use_ipv6() {
sub use_ipv6_addrs() {
$family = F_INET6;
}
@ -115,7 +115,7 @@ sub using_ipv6() {
#
sub initialize() {
use_ipv4;
use_ipv4_addrs;
}
INIT {


@ -194,7 +194,7 @@ sub validate_policy( $ )
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
my $action = $config{$option};
next if $action eq 'none';
my $actiontype = $targets{$action};
my $actiontype = $targets->{$action};
if ( defined $actiontype ) {
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
@ -202,12 +202,12 @@ sub validate_policy( $ )
fatal_error "Default Action $option=$action not found";
}
unless ( $usedactions{$action} ) {
$usedactions{$action} = 1;
unless ( $usedactions->{$action} ) {
$usedactions->{$action} = 1;
createactionchain $action;
}
$default_actions{$map{$option}} = $action;
$default_actions->{$map{$option}} = $action;
}
for $zone ( all_zones ) {
@ -255,11 +255,11 @@ sub validate_policy( $ )
if ( "\L$default" eq 'none' ) {
$default = 'none';
} else {
my $defaulttype = $targets{$default} || 0;
my $defaulttype = $targets->{$default} || 0;
if ( $defaulttype & ACTION ) {
unless ( $usedactions{$default} ) {
$usedactions{$default} = 1;
unless ( $usedactions->{$default} ) {
$usedactions->{$default} = 1;
createactionchain $default;
}
} else {
@ -267,7 +267,7 @@ sub validate_policy( $ )
}
}
} else {
$default = $default_actions{$policy} || '';
$default = $default_actions->{$policy} || '';
}
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};


@ -827,7 +827,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
macro_comment $macro;
my $macrofile = $macros{$macro};
my $macrofile = $macros->{$macro};
progress_message "..Expanding Macro $macrofile...";
@ -867,7 +867,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action;
my $actiontype = $targets{$action} || find_macro( $action );
my $actiontype = $targets->{$action} || find_macro( $action );
fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO );
@ -944,7 +944,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
# Determine the validity of the action
#
my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
my $actiontype = $targets->{$basictarget} || find_macro( $basictarget );
fatal_error "Unknown action ($action)" unless $actiontype;
@ -997,8 +997,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# Mark target as used
#
if ( $actiontype & ACTION ) {
unless ( $usedactions{$target} ) {
$usedactions{$target} = 1;
unless ( $usedactions->{$target} ) {
$usedactions->{$target} = 1;
createactionchain $target;
}
}


@ -37,6 +37,9 @@ our @EXPORT = qw( NOTHING
IPSECPROTO
IPSECMODE
use_ipv4_interfaces
use_ipv6_interfaces
determine_zones
zone_report
dump_zone_contents