Mangle - The PCXFireWall Mangle Table Module.
use PCXFireWall::Mangle;
my $obj = PCXFireWall::Mangle->new(configObj => $configObj,
interfaceObj => $interfaceObj);
Mangle is the Module for the PCXFireWall representing the Mangle Table.
scalar new(configObj, interfaceObj)
Creates a new instance of the PCXFireWall::Mangle
object. This is called by the generator script. configObj
allows us to be aware of the config changes the user makes in
regards to the installPath, comments, etc. interfaceObj allows
us to be aware of the network interfaces the user defines.
void policy(chain, policy, preComment, postComment)
Sets the default policy of chain to policy. Valid values are
INPUT, OUTPUT, PREROUTING, POSTROUTING and FORWARD for chain and
ACCEPT or DENY for policy.
void createChain(name, preComment, postComment)
Makes an entry in userChains for the specified chain and then makes
an entry in rules for the command to create the chain.
void flushChain(name, preComment, postComment)
name can be 'All' which will empty all user defined chains.
A rule will be added which would flush the specified chain.
void deleteChain(name, preComment, postComment)
name can be 'All' which will delete all user defined chains.
The chain(s) will be removed from userChains (if present) and then
a rule(s) will be added which would delete the chain. The chain(s)
will have rules created to flush them before we delete it so that
it will always work. Thus you don't need to call flushChain unless
you are not planning on deleting the chain.
Valid parameters for the "rules" methods. If string is empty, then that parameter is left out of the generated rule and iptables will use whatever default it deems fit. Items marked with a * are boolean values and take 1 or 0. If 0, then they are ignored (they default to being 0). Any parameters marked with a ** are required.
i = input interface (only valid in INPUT, PREROUTING, FORWARD)
o = output interface (only valid in OUTPUT, POSTROUTING, FORWARD)
s = source address (if value is inInterfaceIP then I will substitue
the IP address of i, else if value is
outInterfaceIP then I will substitue the IP
address of o, else we use the specified value.
If value is !inInterfaceIP or !outInterfaceIP,
then the resulting IP Address is prefixed with
a ! space.
inInterfaceBroadcast and outInterfaceBroadcast
will use the value of the shell variable
<interface>BROADCAST for the source address.)
d = destination address (same as s for inInterfaceIP/outInterfaceIP
and inInterfaceBroadcast/outInterfaceBroadcast)
f = fragment *
nf = ! fragment (nf and f can not both be 1) *
tcp-flags format is "!? flag,flag,flag flag,flag" (? = optional)
syn = --syn *
nsyn = ! --syn (syn and nsyn can not both be 1) *
mac = -m mac (only valid with chain = PREROUTING, FORWARD or INPUT) *
mac-source = !? MAC address to match (mac must = 1)
limit = -m limit *
limit-rate = --limit rate (limit must be 1)
limit-burst (limit must be 1)
multiport = -m multiport *
source-port (multiport must be 1)
destination-port (multiport must be 1)
port (multiport must be 1)
mark = -m mark *
mark-value = --mark value
state = -m state *
states = --state
unclean = -m unclean *
tos = -m tos *
tos-value = --tos tos
chain = name of chain to use (INPUT, OUTPUT, FORWARD or user defined)**
p = protocol (tcp, udp, icmp or "" = all)
dport = destination port
sport = source port
(dport and sport are only valid when p = tcp or udp)
int = interface ("" = all interfaces)
insert = insert the rule at the specified offset. *
append = append the rule to the chain. * (This is the default action)
rule-offset = Offset to insert the rule at. Defaults to 1.
(If append = 1 (by default) and insert = 1 then the insert and
rule-offset values will be used, else we append the rule.)
log (in all rules except log, generate a log rule before the action) *
log-level = syslog level (defaults to notice)
log-prefix = string to identify the log entry by.
log-tcp-sequence * (This is a security risk)
log-tcp-options *
log-ip-options *
(to use any of these options, log must be = 1 or in rule log)
log-limit = -m limit *
log-limit-rate = --limit rate (log-limit must be 1)
log-limit-burst (log-limit must be 1)
tcp-option (only valid with p = tcp)
icmp-type (only valid with p = icmp)
ttl = --ttl ttl
preComment - text before the rule. postComment - text after the rule.
ruleMode - (setup or normal) Allows you to specify which array the rule
should be placed in so that it gets output correctly.
See the man page for iptables for valid combinations.
NOTE: When using any of the following methods and you specify log => 1,
you must also specify log-limit, log-limit-rate, log-limit-burst
as seperate from limit, limit-rate and limit-burst if you want to
limit the log rule and the parent rule at different rates. If you
only specify limit, limit-rate and limit-burst then only the parent
rule will be limited, the log rule will not be limited. Thus if you
want to limit both the log and the parent rule you must specify both
limit, log-limit, limit-rate, and log-limit-rate, etc. This allows
you to limit the logging but not the rule itself, and vice a versa.
The parent rule will set log = 0 to make sure that any limiting you
wanted to be done will take place.
void log()
A rule will be created to log the specified packets based upon the
given parameters. If nothing is specified, then the rule will be
generated for all chains, all protocols, all interfaces.
void queue()
A rule will be created to QUEUE the packet to user space.
void jump(dchain)
A rule will be created to JUMP to the specified chain based upon
the given parameters. chain must be specified. dchain is the
destination chain to jump to and must also be specified. dchain can
only be a user defined chain.
void mark(markValue)
A rule will be created to MARK the packet with markValue.
void tos(tosValue)
A rule will be created to set the TOS of the packet to tosValue. If
not specified then tosValue defaults to 16.
void ttl(ttl-set, ttl-dec, ttl-inc)
A rule will be created to set, decrement or increment the ttl
of the specified packet. Only one of ttl-set, ttl-dec or ttl-inc
can be specified at a time.
Helper methods for /proc entries.
You must use the Proc modules methods.
Internally used methods.
void display(fh, mode)
This routine will write the rules to the file via fh. This is called
by the generator script. If mode = 'normal' then we display all rules
from the rules array, else if mode = 'setup' then we display all
rules from the setupRules array which contains chain creation,
flushing, etc. and any rules that are detected to relate to DNS.
void appendRule(rule, mode)
This routine will append the rule to the end of the rules array.
This is called internally by all the rule generating routines in this
module. If mode = 'normal' then the rule is appended to the rules
array else if mode = 'setup' then the rule is appened to the
setupRules array.
userChains - The chains that the user creates. Type is hash.
rules - All rules that will be generated are stored here.
Type is array.
setupRules - All setup and dns related rules will be stored here.
Type is array.
NOTE: All data fields are accessible by specifying the object
and pointing to the data member to be modified on the
left-hand side of the assignment.
Ex. $obj->variable($newValue); or $value = $obj->variable;
Xperience, Inc. (mailto:admin at pcxperience.com)
perl(1)