Better modularization of Chains and Actions
parent
496a9449f1
commit
ec94ed638e
@ -413,8 +413,9 @@ sub process_macro1 ( $$ ) {
|
||||
#
|
||||
# The functions process_actions1-3() implement the three phases of action processing.
|
||||
#
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
|
||||
# and ${CONFDIR}/actions are scanned (in that order) and for each action:
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
|
||||
# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
|
||||
# ${CONFDIR}/actions are scanned (in that order). For each action:
|
||||
#
|
||||
# a) The related action definition file is located and scanned.
|
||||
# b) Forward and unresolved action references are trapped as errors.
|
||||
@ -476,9 +477,13 @@ sub process_action1 ( $$ ) {
|
||||
sub process_actions1() {
|
||||
|
||||
progress_message2 "Preprocessing Action Files...";
|
||||
|
||||
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
|
||||
new_action $act;
|
||||
#
|
||||
# Add built-in actions to the target table and create those actions
|
||||
#
|
||||
if ( $family == F_IPV4 ) {
|
||||
$targets{$_} = ACTION + BUILTIN, new_action $_ for qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
|
||||
} else {
|
||||
$targets{$_} = ACTION + BUILTIN, new_action $_ for qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
|
||||
}
|
||||
|
||||
for my $file ( qw/actions.std actions/ ) {
|
||||
|
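Review bot: The two new `$targets{$_} = ACTION + BUILTIN, new_action $_ for qw/.../;` statements in process_actions1 pack an assignment and a call into one comma expression under a postfix `for`, and they repeat the six family-independent names in both branches. A name added to one list and missed in the other would leave that built-in action unregistered for one address family, which would only surface when a rule names it. A single list with the three IPv4-only names appended, walked by a block loop, keeps the two steps visible and the names in one place. Built-in actions also now reach `%targets` only when process_actions1 runs, so any target lookup made after initialize_chain_table but before this call would no longer find them; whether such a lookup exists is not visible in these hunks. The body of process_actions1 continues past the end of the hunk.

```perl
progress_message2 "Preprocessing Action Files...";
#
# Add built-in actions to the target table and create those actions
#
my @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
push @builtins, qw/allowinUPnP forwardUPnP Limit/ if $family == F_IPV4;

for my $action ( @builtins ) {
    $targets{$action} = ACTION + BUILTIN;
    new_action $action;
}
# … unchanged: loop over actions.std and actions …
```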
@ -165,7 +165,7 @@ our %EXPORT_TAGS = (
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.4_1';
|
||||
our $VERSION = '4.4_2';
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
@ -916,7 +916,8 @@ sub ensure_filter_chain( $$ )
|
||||
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
|
||||
if ( $populate and ! $chainref->{referenced} ) {
|
||||
unless ( $chainref->{referenced} ) {
|
||||
if ( $populate ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
||||
} elsif ( $section eq 'RELATED' ) {
|
||||
@ -925,6 +926,7 @@ sub ensure_filter_chain( $$ )
|
||||
}
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
}
|
||||
|
||||
$chainref;
|
||||
}
|
||||
@ -1018,7 +1020,6 @@ sub ensure_manual_chain($) {
|
||||
# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
|
||||
# The function also initializes the target table with the pre-defined targets available for the specfied address family.
|
||||
#
|
||||
#
|
||||
sub initialize_chain_table()
|
||||
{
|
||||
if ( $family == F_IPV4 ) {
|
||||
@ -1045,15 +1046,6 @@ sub initialize_chain_table()
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFQUEUE' => STANDARD + NFQ,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'dropBcast' => BUILTIN + ACTION,
|
||||
'allowBcast' => BUILTIN + ACTION,
|
||||
'dropNotSyn' => BUILTIN + ACTION,
|
||||
'rejNotSyn' => BUILTIN + ACTION,
|
||||
'dropInvalid' => BUILTIN + ACTION,
|
||||
'allowInvalid' => BUILTIN + ACTION,
|
||||
'allowinUPnP' => BUILTIN + ACTION,
|
||||
'forwardUPnP' => BUILTIN + ACTION,
|
||||
'Limit' => BUILTIN + ACTION,
|
||||
);
|
||||
|
||||
for my $chain qw(OUTPUT PREROUTING) {
|
||||
@ -1095,12 +1087,6 @@ sub initialize_chain_table()
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFQUEUE' => STANDARD + NFQ,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'dropBcast' => BUILTIN + ACTION,
|
||||
'allowBcast' => BUILTIN + ACTION,
|
||||
'dropNotSyn' => BUILTIN + ACTION,
|
||||
'rejNotSyn' => BUILTIN + ACTION,
|
||||
'dropInvalid' => BUILTIN + ACTION,
|
||||
'allowInvalid' => BUILTIN + ACTION,
|
||||
);
|
||||
|
||||
for my $chain qw(OUTPUT PREROUTING) {
|
||||
|
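Review bot: In ensure_filter_chain the `$chainref->{referenced} = 1;` assignment now runs on the first call for a chain even when `$populate` is false; before this change such a call left the flag clear. A chain first requested without populate and later requested with it will therefore skip `finish_chain_section`, so its ESTABLISHED/RELATED handling would not be added; whether any caller uses that order is not visible here. Neither the commit title nor the changelog text describes this change, so if it is intended, say so above the block, e.g. `# Mark the chain referenced on first use; only a first use with $populate set adds the state rules`. The function's opening lines are outside the hunk.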
@ -1,10 +1,13 @@
|
||||
Changes in Shorewall 4.4.2
|
||||
|
||||
1) Correct detection of Persistent SNAT support
|
||||
1) BUGFIX: Correct detection of Persistent SNAT support
|
||||
|
||||
2) Fix chain table initialization
|
||||
2) BUGFIX: Fix chain table initialization
|
||||
|
||||
3) Validate routestopped file on 'check'
|
||||
3) BUGFIX: Validate routestopped file on 'check'
|
||||
|
||||
4) Let the Actions module add the builtin actions to
|
||||
%Shorewall::Chains::targets. Much better modularization that way.
|
||||
|
||||
Changes in Shorewall 4.4.1
|
||||
|
||||
|