More framework

7 years ago · 8533148fa3
18 changed files with 124 additions and 49 deletions
--- a/etc/chains.conf
+++ b/etc/chains.conf
@ -1,42 +1,14 @@
 # Chain name mapping
 # Don't change these unless you know what your doing

-InCustomPreRules="In-CustomPreRules"
-
 InPreRules="In-PreRules"
-
-OutCustomPreRules="Out-CustomPreRules"
-
 OutPreRules="Out-PreRules"
-
 Trusted="In-Trusted"
-
 InEasyBlock="In-EasyBlock"
-
 OutEasyBlock="Out-EasyBlock"
-
-InCustomFilter="In-CustomFilter"
-
-OutCustomFilter="Out-CustomFilter"
-
-FwdCustomFilter="Fwd-CustomFilter"
-
 InFilter="In-Filter"
-
 OutFilter="Out-Filter"
-
-CustomPostRouting="CustomPostRouting"
-
 NAT="NAT"
-
-CustomPreRouting="Custom-PreRouting"
-
 PortForward="PortForward"
-
-InCustomPostRules="In-CustomPostRules"
-
 InPostRules="In-PostRules"
-
-OutCustomOstRules="Out-CustomPostRules"
-
 OutPostRules="Out-PostRules"
--- a/etc/ipv4/custom.conf
+++ b/etc/ipv4/custom.conf
@ -0,0 +1,14 @@
+# These are the custom files that can be used to inject rules during loading.  Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+
+$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
+
+$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
+$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
+$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
+$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
+$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
+$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
+$v4_Custom_Post="$V4CUSTPREFIX/postrun.sh"
--- a/etc/ipv4/custom/easyblock.sh
+++ b/etc/ipv4/custom/easyblock.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the easyblock in/out rules are setup
--- a/etc/ipv4/custom/filter.sh
+++ b/etc/ipv4/custom/filter.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main filter rules are set up
--- a/etc/ipv4/custom/nat.sh
+++ b/etc/ipv4/custom/nat.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main nat rules are set up
--- a/etc/ipv4/custom/portfw.sh
+++ b/etc/ipv4/custom/portfw.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main port forwardings are set up
--- a/etc/ipv4/custom/postrun.sh
+++ b/etc/ipv4/custom/postrun.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the final post rules are set up
--- a/etc/ipv4/custom/prerules.sh
+++ b/etc/ipv4/custom/prerules.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main chains are setup.
--- a/etc/ipv4/custom/trusted.sh
+++ b/etc/ipv4/custom/trusted.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the trusted chains are set up
--- a/etc/ipv6/custom.conf
+++ b/etc/ipv6/custom.conf
@ -0,0 +1,14 @@
+# These are the custom files that can be used to inject rules during loading.  Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+
+$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
+
+$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
+$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
+$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
+$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
+$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
+$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
+$v6_Custom_Post="$V6CUSTPREFIX/postrun.sh"
--- a/etc/ipv6/custom/easyblock.sh
+++ b/etc/ipv6/custom/easyblock.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the easyblock in/out rules are setup
--- a/etc/ipv6/custom/filter.sh
+++ b/etc/ipv6/custom/filter.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main filter rules are set up
--- a/etc/ipv6/custom/nat.sh
+++ b/etc/ipv6/custom/nat.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main nat rules are set up
--- a/etc/ipv6/custom/portfw.sh
+++ b/etc/ipv6/custom/portfw.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main port forwardings are set up
--- a/etc/ipv6/custom/postrun.sh
+++ b/etc/ipv6/custom/postrun.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the final post rules are set up
--- a/etc/ipv6/custom/prerules.sh
+++ b/etc/ipv6/custom/prerules.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main chains are setup.
--- a/etc/ipv6/custom/trusted.sh
+++ b/etc/ipv6/custom/trusted.sh
@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the trusted chains are set up
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@ -60,54 +60,45 @@ function iptables_policy_reset {
 function setup_iptables_chains {
 	IP_VERSION=$1
 	case $IP_VERSION in
-		ipv6) VER_IPTABLES=${IP6TABLES} ;;
-		ipv4|*) VER_IPTABLES=${IPTABLES} ;;
+		ipv6) VER_IPTABLES=${IP6TABLES};
+				IPVER="6" ;;
+		ipv4|*) VER_IPTABLES=${IPTABLES}
+				IPVER="4" ;;
 	esac
 	# Create the actual chains
 	${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
-	${VER_IPTABLES} -N ${InCustomPreRules}
 	${VER_IPTABLES} -N ${InPreRules}
-	${VER_IPTABLES} -N ${OutCustomPreRules}
 	${VER_IPTABLES} -N ${OutPreRules}
 	${VER_IPTABLES} -N ${Trusted}
 	${VER_IPTABLES} -N ${InEasyBlock}
 	${VER_IPTABLES} -N ${OutEasyBlock}
-	${VER_IPTABLES} -N ${InCustomFilter}
 	${VER_IPTABLES} -N ${InFilter}
-	${VER_IPTABLES} -N ${OutCustomFilter}
 	${VER_IPTABLES} -N ${OutFilter}
-	${VER_IPTABLES} -N ${FwdCustomFilter}
 	${VER_IPTABLES} -N ${FwdFilter}
-	${VER_IPTABLES} -N ${CustomPostRouting}
 	${VER_IPTABLES} -N ${NAT}
-	${VER_IPTABLES} -N ${CustomPreRouting}
 	${VER_IPTABLES} -N ${PortForward}
-	${VER_IPTABLES} -N ${InCustomPostRules}
 	${VER_IPTABLES} -N ${InPostRules}
-	${VER_IPTABLES} -N ${OutCustomPostRules}
 	${VER_IPTABLES} -N ${OutPostRules}
 	
 	# Set up rules - the order matters - we do it separately here
 	# for easy viewing of order
-	${VER_IPTABLES} -A INPUT -j ${InCustomPreRules}
+	if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
 	${VER_IPTABLES} -A INPUT -j ${InPreRules}
-	${VER_IPTABLES} -A OUTPUT -j ${OutCustomPreRules}
 	${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
+	if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
 	${VER_IPTABLES} -A INPUT -j ${Trusted}
+	if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
 	${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
 	${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
-	${VER_IPTABLES} -A INPUT -j ${InCustomFilter}
+	if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
 	${VER_IPTABLES} -A INPUT -j ${InFilter}
-	${VER_IPTABLES} -A OUTPUT -j ${OutCustomFilter}
 	${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
-	${VER_IPTABLES} -A FORWARD -j ${FwdCustomFilter}
 	${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
-	${VER_IPTABLES} -A POSTROUTING -j ${CustomPostRouting}
+	if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
 	${VER_IPTABLES} -A POSTROUTING -j ${NAT}
-	${VER_IPTABLES} -A PREROUTING -j ${CustomPreRouting}
+	if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
 	${VER_IPTABLES} -A PREROUTING -j ${PortForward}
-	${VER_IPTABLES} -A INPUT -j ${InCustomPostRules}
+	if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
 	${VER_IPTABLES} -A INPUT -j ${InPostRules}
-	${VER_IPTABLES} -A OUTPUT -j ${OutCustomPostRules}
-	${VER_IPTABLES} -A OUTPUT -j${OutPostRules}
+	${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
 }