holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add restriction argument to expand_rule()

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5568 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-18 18:50:34 +00:00
parent d97ef334ed
commit f27c33a46e
6 changed files with 43 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
New/Shorewall/Accounting.pm
View File

@ -83,6 +83,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
expand_rule expand_rule
$chainref , $chainref ,
NO_RESTRICT ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,
@ -95,6 +96,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
if ( $rule2 ) { if ( $rule2 ) {
expand_rule expand_rule
$jumpchainref , $jumpchainref ,
NO_RESTRICT ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,

1
New/Shorewall/Actions.pm
View File

@ -388,6 +388,7 @@ sub process_action3( $$$$$ ) {
my ( $action , $level ) = split_action $target; my ( $action , $level ) = split_action $target;
expand_rule ( $chainref , expand_rule ( $chainref ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
$source , $source ,
$dest , $dest ,

38
New/Shorewall/Chains.pm
View File

@ -41,6 +41,9 @@ our @EXPORT = qw( STANDARD
ACTION ACTION
MACRO MACRO
LOGRULE LOGRULE
NO_RESTRICT
PREROUTE_RESTRICT
POSTROUTE_RESTRICT
add_rule add_rule
insert_rule insert_rule
@ -198,6 +201,13 @@ our %targets = ('ACCEPT' => STANDARD,
'forwardUPnP' => BUILTIN + ACTION, 'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION, 'Limit' => BUILTIN + ACTION,
); );
#
# expand_rule() restrictions
#
use constant { NO_RESTRICT => 0,
PREROUTE_RESTRICT => 1,
POSTROUTE_RESTRICT => 2 };
# #
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
# #
@ -208,7 +218,9 @@ my $exclseq = 0;
my $ipsetmatch = 0; my $ipsetmatch = 0;
my $iprangematch = 0; my $iprangematch = 0;
# #
# Keep track of whether there are run-time commands in the chain rules
#
my $slowstart = 0;
# #
# Add a rule to a chain. Arguments are: # Add a rule to a chain. Arguments are:
# #
@ -228,6 +240,24 @@ sub add_rule($$)
$ipsetmatch = 0; $ipsetmatch = 0;
} }
#
# Add a run-time command to a chain. Arguments are:
#
# Chain reference , Command
#
sub add_command($$)
{
my ($chainref, $command) = @_;
$command =~ s/^/~/mg;
push @{$chainref->{rules}}, $command;
$chainref->{referenced} = 1;
$slowstart = 1;
}
# #
# Insert a rule into a chain. Arguments are: # Insert a rule into a chain. Arguments are:
# #
@ -904,9 +934,9 @@ sub log_rule( $$$$ ) {
# #
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). # This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
# #
sub expand_rule( $$$$$$$$$ ) sub expand_rule( $$$$$$$$$$ )
{ {
my ($chainref , $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_; my ($chainref , $restrictions, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_;
my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl ); my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl );
# #
@ -1146,7 +1176,7 @@ sub insertnatjump( $$$$ ) {
sub create_netfilter_load() { sub create_netfilter_load() {
emit 'setup_netfilter()'; emit 'setup_netfilter()';
emit '{'; emit '{';
emit ' iptables-restore << __EOF__'; emit( $slowstart ? ' iptables_slow_restore << __EOF__' : ' iptables-restore << __EOF__' );
for my $table qw/raw nat mangle filter/ { for my $table qw/raw nat mangle filter/ {
emit "*$table"; emit "*$table";

2
New/Shorewall/Nat.pm
View File

@ -209,7 +209,7 @@ sub setup_one_masq($$$$$$)
# #
# And Generate the Rule(s) # And Generate the Rule(s)
# #
expand_rule ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface), $rule, $networks, $destnets, '', $target, '', '' , ''; expand_rule ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface), POSTROUTE_RESTRICT , $rule, $networks, $destnets, '', $target, '', '' , '';
progress_message " Masq record \"$line\" $done"; progress_message " Masq record \"$line\" $done";

4
New/Shorewall/Rules.pm
View File

@ -193,6 +193,7 @@ sub setup_blacklist() {
expand_rule expand_rule
ensure_filter_chain( 'blacklst' , 0 ) , ensure_filter_chain( 'blacklst' , 0 ) ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
$networks , $networks ,
'' , '' ,
@ -906,6 +907,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
# #
expand_rule expand_rule
ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ) , ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ) ,
PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
$origdest , $origdest ,
@ -929,6 +931,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
expand_rule expand_rule
ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,
@ -950,6 +953,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
expand_rule expand_rule
ensure_chain ('filter', $chain ) , ensure_chain ('filter', $chain ) ,
NO_RESTRICT ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,

1
New/Shorewall/Tc.pm
View File

@ -199,6 +199,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
expand_rule expand_rule
ensure_chain( 'mangle' , $chain ) , ensure_chain( 'mangle' , $chain ) ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) , do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) ,
$source , $source ,
$dest , $dest ,