Get rid of minimum column requirement

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-10-01 09:56:25 -07:00
parent 5aa4534fbe
commit 072f4752fc
12 changed files with 127 additions and 137 deletions


@ -142,7 +142,9 @@ sub process_accounting_rule( ) {
$jumpchainref = 0;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
split_line1 1, 11, 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
split_line1 11, 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
fatal_error 'ACTION must be specified' if $action eq '-';
if ( $action eq 'COMMENT' ) {
process_comment;


@ -1338,8 +1338,8 @@ sub supplied( $ ) {
# ensure that it has an appropriate number of columns.
# supply '-' in omitted trailing columns.
#
sub split_line( $$$$ ) {
my ( $mincolumns, $maxcolumns, $description, $columnsref ) = @_;
sub split_line( $$$ ) {
my ( $maxcolumns, $description, $columnsref ) = @_;
my ( $columns, $pairs, $rest ) = split( ';', $currentline );
@ -1376,8 +1376,8 @@ sub split_line( $$$$ ) {
#
# Version of 'split_line' used on files with exceptions
#
sub split_line1( $$$$;$ ) {
my ( $mincolumns, $maxcolumns, $description, $columnsref, $nopad) = @_;
sub split_line1( $$$;$ ) {
my ( $maxcolumns, $description, $columnsref, $nopad) = @_;
my ( $columns, $pairs, $rest ) = split( ';', $currentline );
@ -1405,8 +1405,6 @@ sub split_line1( $$$$;$ ) {
$line-- while $line > 0 && $line[$line-1] eq '-';
fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns;
push @line, '-' while @line < $maxcolumns;
if ( supplied $pairs ) {
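Review bot: Removing the `too few columns` check in the hunk at 1405 moves responsibility for required columns to every caller of split_line and split_line1, yet the header comment in the hunk at 1338 still says the helper ensures an appropriate number of columns. I would reword it to `# ensure that it has no more than the maximum number of columns; callers must reject '-' in their required columns themselves.` so the next maintainer does not assume short lines are still rejected here. The hunk at 1338 shows only split_line's signature, so if its body still references $mincolumns it will not compile under strict; the unchanged offsets of the later hunks suggest it never did, but confirm. The bodies of both subs continue outside the hunks.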


@ -82,7 +82,7 @@ sub process_tos() {
while ( read_a_line ) {
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 6, 7, 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 7, 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
$first_entry = 0;
@ -159,8 +159,9 @@ sub setup_ecn()
while ( read_a_line ) {
my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry', { interface => 0, hosts => 1 };
my ($interface, $hosts ) = split_line 2, 'ecn file entry', { interface => 0, hosts => 1 };
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$interfaces{$interface} = 1;
@ -256,7 +257,7 @@ sub setup_blacklist() {
$first_entry = 0;
}
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
my ( $networks, $protocol, $ports, $options ) = split_line 4, 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
if ( $options eq '-' ) {
$options = 'src';
@ -359,10 +360,11 @@ sub process_routestopped() {
while ( read_a_line ) {
my ($interface, $hosts, $options , $proto, $ports, $sports ) =
split_line 1, 6, 'routestopped file', { interface => 1, hosts => 2, options => 3, proto => 4, dport => 5, sport => 6 };
split_line 6, 'routestopped file', { interface => 1, hosts => 2, options => 3, proto => 4, dport => 5, sport => 6 };
my $interfaceref;
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-';
@ -898,7 +900,7 @@ sub setup_mac_lists( $ ) {
while ( read_a_line ) {
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file', { origdisposition => 0, interface => 1, mac => 2, addresses => 3 };
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 4, 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
if ( $original_disposition eq 'COMMENT' ) {
process_comment;
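Review bot: The maclist hunk at 898 drops the old minimum of three columns but adds no check that INTERFACE and MAC are supplied, so a line carrying only a disposition now reaches the rest of the sub with `-` in both; the tos hunk at 82 (old minimum 6) and the blacklist hunk at 256 lose their minimum the same way. Unless the later validation of $interface and $mac already rejects `-` (not visible here), add `fatal_error 'INTERFACE must be specified' if $interface eq '-';` and `fatal_error 'MAC must be specified' if $mac eq '-';` after the COMMENT handling, as the ecn and routestopped hunks in this file do. The maclist hunk also renames the column key `origdisposition` to `disposition`, which changes the `;disposition=` syntax accepted from existing configurations and deserves a mention in the commit message or release notes. setup_mac_lists continues outside the hunk.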


@ -55,13 +55,15 @@ sub initialize() {
sub process_one_masq( )
{
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) =
split_line1 2, 8, 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
split_line1 8, 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
if ( $interfacelist eq 'COMMENT' ) {
process_comment;
return 1;
}
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
my $pre_nat;
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
my $destnets = '';
@ -375,7 +377,7 @@ sub setup_nat() {
while ( read_a_line ) {
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file', { external => 1, interface => 1, internal => 2, allints => 3, localnat => 4 };
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 5, 'nat file', { external => 1, interface => 1, internal => 2, allints => 3, localnat => 4 };
if ( $external eq 'COMMENT' ) {
process_comment;
@ -384,6 +386,9 @@ sub setup_nat() {
$digit = defined $digit ? ":$digit" : '';
fatal_error 'EXTERNAL must be specified' if $external eq '-';
fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
for my $interface ( split_list $interfacelist , 'interface' ) {
fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@ -408,7 +413,7 @@ sub setup_netmap() {
while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 4, dport => 5, sport => 6 };
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 8, 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 4, dport => 5, sport => 6 };
$net3 = ALLIP if $net3 eq '-';
@ -498,7 +503,8 @@ sub setup_netmap() {
@match );
}
} else {
fatal_error "Invalid type ($type)";
fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
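Review bot: In the setup_nat hunk at 384, the new `fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';` tests $interfacelist rather than $internal, so an omitted INTERNAL column passes through and an omitted INTERFACE is reported under the wrong column name. I would replace it with `fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';` and `fatal_error 'INTERNAL must be specified' if $internal eq '-';`, which restores the three required columns the old minimum of 3 enforced. The column map on the same call still has `external => 1` next to `interface => 1`; that predates this commit but looks like it should be `external => 0`. The netmap hunk at 408 likewise drops its old minimum of four columns and only TYPE is checked, so confirm that net1, interface and net2 are rejected when `-` further down setup_netmap, which continues outside the hunk.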


@ -268,14 +268,16 @@ sub start_provider( $$$ ) {
sub process_a_provider() {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) =
split_line 6, 8, 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
split_line 8, 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
fatal_error "Duplicate provider ($table)" if $providers{$table};
fatal_error 'NAME must be specified' if $table eq '-';
fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
my $num = numeric_value $number;
fatal_error 'NUMBER must be specified' if $number eq '-';
fatal_error "Invalid Provider number ($number)" unless defined $num;
$number = $num;
@ -284,6 +286,8 @@ sub process_a_provider() {
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
}
fatal_error 'INTERFACE must be specified' if $interface eq '-';
( $interface, my $address ) = split /:/, $interface;
my $shared = 0;
@ -730,7 +734,7 @@ sub add_a_provider( $$ ) {
}
sub add_an_rtrule( ) {
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 };
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 };
our $current_if;
@ -805,10 +809,12 @@ sub add_an_rtrule( ) {
}
sub add_a_route( ) {
my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
my ( $provider, $dest, $gateway, $device ) = split_line 4, 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
our $current_if;
fatal_error 'PROVIDER must be specified' if $provider eq '-';
unless ( $providers{$provider} ) {
my $found = 0;
@ -827,6 +833,7 @@ sub add_a_route( ) {
fatal_error "Unknown provider ($provider)" unless $found;
}
fatal_error 'DEST must be specified' if $dest eq '-';
validate_net ( $dest, 1 );
validate_address ( $gateway, 1 ) if $gateway ne '-';
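Review bot: The add_an_rtrule hunk at 730 drops the old requirement that all four route_rules columns be present but adds no replacement check, so a line with a missing PROVIDER or PRIORITY now reaches the rest of the sub as `-`. Unless add_an_rtrule rejects `-` later (its body continues outside the hunk), add checks in the style of add_a_route, e.g. `fatal_error 'PROVIDER must be specified' if $provider eq '-';` and `fatal_error 'PRIORITY must be specified' if $priority eq '-';`. In the process_a_provider hunk at 268 the GATEWAY column, previously required by the minimum of 6, is also unchecked, and the new NAME check sits below the `Duplicate provider` test; placing it first keeps the diagnostic for an omitted NAME accurate.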


@ -123,13 +123,14 @@ sub setup_proxy_arp() {
while ( read_a_line ) {
my ( $address, $interface, $external, $haveroute, $persistent ) =
split_line 3, 5, { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 }, $file_opt;
split_line 5, { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 }, $file_opt;
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
fatal_error 'EXTERNAL must be specified' if $external eq '-';
fatal_error "Unknown interface ($external)" unless known_interface $external;
fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
$reset{$external} = 1 unless $set{$external};
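Review bot: The split_line call in the hunk at 123 passes the column map as the second argument and $file_opt as the third, but the new signature is (maxcolumns, description, columnsref), so the column map lands in $description and $file_opt in $columnsref; every other caller in this commit passes a description string second. The ordering predates the commit, but since the call is being rewritten this is the moment to make it `split_line 5, 'proxyarp file', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };`, unless $file_opt is in fact intended as the column map (its definition is not visible here). The old minimum of 3 also required ADDRESS and INTERFACE and only EXTERNAL is now checked, so confirm those are rejected when `-` later in setup_proxy_arp, which continues outside the hunk.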


@ -84,7 +84,7 @@ sub setup_notrack() {
while ( read_a_line ) {
my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 6, 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'COMMENT' ) {
process_comment;
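Review bot: The hunk at 84 drops the old minimum of one column, which made SOURCE mandatory in the notrack file, and adds no replacement check, unlike the other files in this commit. If a `-` SOURCE is now meant to be accepted here, a short comment saying so would help; otherwise add `fatal_error 'SOURCE must be specified' if $source eq '-';` after the COMMENT handling. setup_notrack continues outside the hunk.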


@ -313,12 +313,16 @@ sub process_a_policy() {
our @zonelist;
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
split_line 3, 6, 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
split_line 6, 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $client eq '-';
fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@ -1370,7 +1374,7 @@ sub process_actions() {
open_file $file;
while ( read_a_line ) {
my ( $action ) = split_line 1, 1, 'action file' , { action => 0 };
my ( $action ) = split_line 1, 'action file' , { action => 0 };
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -1434,13 +1438,15 @@ sub process_action( $) {
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
if ( $format == 1 ) {
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands, {};
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 9, 'action file', $rule_commands, {};
$origdest = $connlimit = $time = $headers = $condition = '-';
} else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
= split_line1 1, 14, 'action file', \%rulecolumns, $action_commands;
= split_line1 14, 'action file', \%rulecolumns, $action_commands;
}
fatal_error 'TARGET must be specified' if $target eq '-';
if ( $target eq 'COMMENT' ) {
process_comment;
next;
@ -1524,12 +1530,14 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', \%rulecolumns, $rule_commands;
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 8, 'macro file', \%rulecolumns, $rule_commands;
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
} else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 1, 14, 'macro file', \%rulecolumns, $rule_commands;
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 14, 'macro file', \%rulecolumns, $rule_commands;
}
fatal_error 'TARGET must be specified' if $mtarget eq '-';
if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment;
next;
@ -2338,7 +2346,9 @@ sub build_zone_list( $$$\$\$ ) {
#
sub process_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
= split_line1 1, 14, 'rules file', \%rulecolumns, $rule_commands;
= split_line1 14, 'rules file', \%rulecolumns, $rule_commands;
fatal_error 'ACTION must be specified' if $target eq '-';
process_comment, return 1 if $target eq 'COMMENT';
process_section( $source ), return 1 if $target eq 'SECTION';
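Review bot: In the process_action hunk at 1434, the format-1 call `split_line1 9, 'action file', $rule_commands, {}` passes $rule_commands where split_line1 now expects the column map and `{}` as the nopad argument, while the format-2 call two lines below and the format-1 call in process_macro pass the column map third and the command set fourth. The ordering predates the commit, but the line is being rewritten here, so it is worth confirming whether `split_line1 9, 'action file', {}, $rule_commands` was intended. The process_actions hunk at 1370 also drops its old minimum of one column without a replacement check on $action. The bodies of all three subs continue outside the hunks.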


@ -192,10 +192,12 @@ sub initialize( $ ) {
sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) =
split_line1 2, 13, 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
split_line1 13, 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
our @tccmd;
fatal_error 'MARK must be specified' if $originalmark eq '-';
if ( $originalmark eq 'COMMENT' ) {
process_comment;
return;
@ -511,8 +513,9 @@ sub process_flow($) {
}
sub process_simple_device() {
my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces', { device => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
my ( $device , $type , $in_bandwidth , $out_part ) = split_line 4, 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@ -645,9 +648,10 @@ sub process_simple_device() {
}
sub validate_tc_device( ) {
my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices', { device => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
my ( $device, $inband, $outband , $options , $redirected ) = split_line 5, 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
fatal_error "Invalid tcdevices entry" if $outband eq '-';
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Invalid tcdevices entry" if $outband eq '-';
my $devnumber;
@ -809,7 +813,7 @@ sub dev_by_number( $ ) {
sub validate_tc_class( ) {
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
split_line 4, 6, 'tcclasses file', { device => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
split_line 6, 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
my $classnumber = 0;
my $devref;
my $device = $devclass;
@ -817,6 +821,9 @@ sub validate_tc_class( ) {
my $parentclass = 1;
my $parentref;
fatal_error 'INTERFACE must be specified' if $devclass eq '-';
fatal_error 'CEIL must be specified' if $ceil eq '-';
if ( $devclass =~ /:/ ) {
( $device, my ($number, $subnumber, $rest ) ) = split /:/, $device, 4;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@ -1030,7 +1037,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
#
sub process_tc_filter() {
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file', { device => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 8, 'tcfilters file', { interface => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
fatal_error 'CLASS must be specified' if $devclass eq '-';
my ($device, $class, $rest ) = split /:/, $devclass, 3;
@ -1330,7 +1339,9 @@ sub process_tcfilters() {
# Process a tcpri record
#
sub process_tc_priority() {
my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 6, 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
fatal_error 'BAND must be specified' if $band eq '-';
if ( $band eq 'COMMENT' ) {
process_comment;
@ -1669,7 +1680,9 @@ sub setup_traffic_shaping() {
#
sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
split_line1( 2, 9 , 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
split_line1( 9 , 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
fatal_error 'SECMARK must be specified' if $secmark eq '-';
if ( $secmark eq 'COMMENT' ) {
process_comment;
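Review bot: The tcinterfaces, tcdevices, tcclasses and tcfilters hunks (513, 645, 809 and 1030) rename the column key `device` to `interface`, which changes the `;device=...` syntax accepted from existing configurations, and neither the commit message nor a release note mentions it. If the old name should keep working, listing both keys with the same index, e.g. `{ interface => 0, device => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 }`, would be backward compatible, assuming split_line tolerates two names for one column. Separately, the old minimums required CHAIN in secmarks (2), SOURCE in tcfilters and tcrules (2) and MARK and RATE in tcclasses (4), but only the first column of each is now checked; confirm those columns are rejected when `-` later in the subs, which continue outside the hunks.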


@ -284,7 +284,10 @@ sub setup_tunnels() {
while ( read_a_line ) {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 };
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 4, 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 };
fatal_error 'TYPE must be specified' if $kind eq '-';
fatal_error 'ZONE must be specified' if $zone eq '-';
if ( $kind eq 'COMMENT' ) {
process_comment;


@ -403,7 +403,9 @@ sub process_zone( \$ ) {
my @parents;
my ($zone, $type, $options, $in_options, $out_options ) =
split_line 1, 5, 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
split_line 5, 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
fatal_error 'ZONE must be specified' if $zone eq '-';
if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1;
@ -872,7 +874,7 @@ sub process_interface( $$ ) {
my ( $nextinum, $export ) = @_;
my $netsref = '';
my $filterref = [];
my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
my ($zone, $originalinterface, $bcasts, $options ) = split_line 4, 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
my $zoneref;
my $bridge = '';
@ -885,6 +887,8 @@ sub process_interface( $$ ) {
fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
}
fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@ -1728,7 +1732,10 @@ sub compile_updown() {
#
sub process_host( ) {
my $ipsec = 0;
my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file', { zone => 0, hosts => 1, options => 2 };
my ($zone, $hosts, $options ) = split_line 3, 'hosts file', { zone => 0, hosts => 1, options => 2 };
fatal_error 'ZONE must be specified' if $zone eq '-';
fatal_error 'HOSTS must be specified' if $hosts eq '-';
my $zoneref = $zones{$zone};
my $type = $zoneref->{type};


@ -504,10 +504,8 @@ ACCEPT net:\
as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
pairs.</para>
<para>Each file has both required and optional columns. The columns up to
the last required column must be specified in the normal way. After that,
at any point, you can enter a semicolon (';') followed by one or more
specifications of the form:</para>
<para>At any point, you can enter a semicolon (';') followed by one or
more specifications of the form:</para>
<simplelist>
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
@ -524,225 +522,169 @@ ACCEPT net:\
</note>
<informaltable>
<tgroup cols="3">
<tgroup cols="2">
<tbody>
<row>
<entry><emphasis role="bold">File</emphasis></entry>
<entry><emphasis role="bold">Right-most required
Column</emphasis></entry>
<entry><emphasis role="bold">Remaining column
names</emphasis></entry>
<entry><emphasis role="bold">Column names</emphasis></entry>
</row>
<row>
<entry>accounting</entry>
<entry>ACTION</entry>
<entry>chain, source, dest, proto, dport, sport, user, mark,
ipsec, headers</entry>
<entry>action,chain, source, dest, proto, dport, sport, user,
mark, ipsec, headers</entry>
</row>
<row>
<entry>blacklist</entry>
<entry>ADDRESS/SUBNET</entry>
<entry>proto,port,options</entry>
<entry>networks,proto,port,options</entry>
</row>
<row>
<entry>ecn</entry>
<entry>INTERFACE</entry>
<entry>hosts</entry>
<entry>interface,hosts</entry>
</row>
<row>
<entry>hosts</entry>
<entry>ZONE</entry>
<entry>hosts,options</entry>
<entry>zone,hosts,options</entry>
</row>
<row>
<entry>interfaces</entry>
<entry>INTERFACE</entry>
<entry>broadcast,options</entry>
<entry>zone,interface,broadcast,options</entry>
</row>
<row>
<entry>maclist</entry>
<entry>MAC</entry>
<entry>addresses</entry>
<entry>disposition,interface,mac,addresses</entry>
</row>
<row>
<entry>masq</entry>
<entry>SOURCE</entry>
<entry>address,proto,port,ipsec,mark,user</entry>
<entry>interface,source,address,proto,port,ipsec,mark,user</entry>
</row>
<row>
<entry>nat</entry>
<entry>EXTERNAL</entry>
<entry>interface,internal,allints,localnat</entry>
<entry>external,interface,internal,allints,localnat</entry>
</row>
<row>
<entry>netmap</entry>
<entry>NET2</entry>
<entry>net3,proto,dport,sport</entry>
<entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
</row>
<row>
<entry>notrack</entry>
<entry>SOURCE</entry>
<entry>dest,proto,dport,sport,user</entry>
<entry>source,dest,proto,dport,sport,user</entry>
</row>
<row>
<entry>policy</entry>
<entry>POLICY</entry>
<entry>loglevel,limit,connlimit</entry>
<entry>source,dest,policy,loglevel,limit,connlimit</entry>
</row>
<row>
<entry>providers</entry>
<entry>GATEWAY</entry>
<entry>options,copy</entry>
<entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
</row>
<row>
<entry>proxyarp</entry>
<entry>EXTERNAL</entry>
<entry>haveroute,persistent</entry>
<entry>address,interface,external,haveroute,persistent</entry>
</row>
<row>
<entry>route_rules</entry>
<entry>PRIORITY</entry>
<entry>N/A</entry>
<entry>source,dest,provider,priority</entry>
</row>
<row>
<entry>routestopped</entry>
<entry>INTERFACE</entry>
<entry>hosts,options,proto,dport,sport</entry>
<entry>interface,hosts,options,proto,dport,sport</entry>
</row>
<row>
<entry>rules</entry>
<entry>ACTION</entry>
<entry>source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
<entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
</row>
<row>
<entry>secmarks</entry>
<entry>CHAIN</entry>
<entry>source,dest,proto,dport,sport,user,mark</entry>
<entry>secmark,source,dest,proto,dport,sport,user,mark</entry>
</row>
<row>
<entry>tcclasses</entry>
<entry>CEIL</entry>
<entry>prio,options</entry>
<entry>interface,mark,rate,ceil,prio,options</entry>
</row>
<row>
<entry>tcdevices</entry>
<entry>OUT_BANDWIDTH</entry>
<entry>options,redirect</entry>
<entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
</row>
<row>
<entry>tcfilters</entry>
<entry>SOURCE</entry>
<entry>dest,proto,dport,sport,tos,length</entry>
<entry>interface,source,dest,proto,dport,sport,tos,length</entry>
</row>
<row>
<entry>tcinterfaces</entry>
<entry>DEVICE</entry>
<entry>type,in_bandwidth,out_bandwidth</entry>
<entry>interface,type,in_bandwidth,out_bandwidth</entry>
</row>
<row>
<entry>tcpri</entry>
<entry>BAND</entry>
<entry>proto,port,address,interface,helper</entry>
<entry>band,proto,port,address,interface,helper</entry>
</row>
<row>
<entry>tcrules</entry>
<entry>SOURCE</entry>
<entry>dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
<entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
</row>
<row>
<entry>tos</entry>
<entry>TOS</entry>
<entry>mark</entry>
<entry>source,dest,proto,dport,sport,tos,mark</entry>
</row>
<row>
<entry>tunnels</entry>
<entry>ZONE</entry>
<entry>gateway,gateway_zone</entry>
<entry>type,zone,gateway,gateway_zone</entry>
</row>
<row>
<entry>zones</entry>
<entry>ZONE</entry>
<entry>type,options,in_options,out_options</entry>
<entry>zone,type,options,in_options,out_options</entry>
</row>
</tbody>
</tgroup>
@ -968,9 +910,9 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</
<caution>
<para>Prior to Shorewall 4.4.17, if you are using <ulink
url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not
advisable to use INCLUDE in the <filename>params</filename> file in an
export directory if you set EXPORTPARAMS=Yes in <ulink
url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not advisable
to use INCLUDE in the <filename>params</filename> file in an export
directory if you set EXPORTPARAMS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
that, you must ensure that the included file is also present on the
firewall system's <filename
@ -1235,11 +1177,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
</listitem>
<listitem>
<para>If you are using <ulink
url="Shorewall-Lite.html">Shorewall Lite</ulink> and if the
<filename>params</filename> script needs to set shell variables based
on the configuration of the firewall system, you can use this
trick:</para>
<para>If you are using <ulink url="Shorewall-Lite.html">Shorewall
Lite</ulink> and if the <filename>params</filename> script needs to
set shell variables based on the configuration of the firewall system,
you can use this trick:</para>
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>