Bring 4.0 changes to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8271 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-07 00:36:16 +00:00
parent 77be234a24
commit 1e7c0d0947
5 changed files with 26 additions and 9 deletions


@ -1036,12 +1036,13 @@ sub do_proto( $$$ )
PROTO: PROTO:
{ {
if ( $proto == TCP || $proto == UDP ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP ) {
my $multiport = 0; my $multiport = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
$ports = validate_port_list $pname , $ports; $ports = validate_port_list $pname , $ports;
$output .= "-m multiport --dports $ports "; $output .= "-m multiport --dports $ports ";
$multiport = 1; $multiport = 1;
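Review bot: The new SCTP rejection placed after the MULTIPORT capability check only executes inside `if ( $ports ne '' )`, so an SCTP rule with an empty DEST port column and a comma-separated SOURCE port list never reaches it; whether the source-port branch further down rejects that case is not visible here, since do_proto starts and ends outside this hunk. Hoisting the test above the destination-port block would cover both lists at once: `fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP && ( $ports =~ tr/,/,/ || $sports =~ tr/,/,/ );`. If the later source-port branch already carries an equivalent check, a one-line comment on the new line saying so would spare the next reader the search.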


@ -1212,7 +1212,12 @@ sub read_a_line() {
# $1 $2 $3 - $4 # $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3}; my $val = $ENV{$3};
$val = '' unless defined $val;
unless ( defined $val ) {
fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
$val = '';
}
$currentline = join( '', $1 , $val , $4 ); $currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100; fatal_error "Variable Expansion Loop" if ++$count > 100;
} }
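Review bot: The new `unless ( defined $val )` block treats a variable absent from %ENV as fatal but a variable that exists with an undef value as an empty expansion, and nothing in the hunk says why the two are distinguished; entries inherited from the process environment are always defined strings, so the second case can presumably only arise if this script assigns undef into %ENV itself. A comment such as `# unset in the environment is fatal; set-but-undef (only possible from our own %ENV writes) expands to ''` would keep a later maintainer from collapsing the `exists` test into the `defined` one, or prompt removing it if no such write exists. read_a_line starts and ends outside this hunk.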


@ -35,6 +35,7 @@ our @EXPORT = qw( ALLIPv4
TCP TCP
UDP UDP
ICMP ICMP
SCTP
validate_address validate_address
validate_net validate_net
@ -58,7 +59,7 @@ our $VERSION = 4.1.5;
# #
our @allipv4 = ( '0.0.0.0/0' ); our @allipv4 = ( '0.0.0.0/0' );
use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 }; use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 , SCTP => 132 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -1015,6 +1015,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
my $destref; my $destref;
if ( $source =~ /^(.+?):(.*)/ ) { if ( $source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
$sourcezone = $1; $sourcezone = $1;
$source = $2; $source = $2;
} else { } else {
@ -1023,6 +1024,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
} }
if ( $dest =~ /^(.*?):(.*)/ ) { if ( $dest =~ /^(.*?):(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
$destzone = $1; $destzone = $1;
$dest = $2; $dest = $2;
} else { } else {
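Review bot: The added `fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';` rejects an empty qualifier but not an empty zone: the DEST pattern `/^(.*?):(.*)/` still matches `:host` and assigns `$destzone = ''`, whereas the SOURCE pattern `/^(.+?):(.*)/` in the previous hunk requires at least one character before the colon, so the two new checks are not symmetric. If an empty destination zone is not meant to be accepted, either change the DEST pattern to `/^(.+?):(.*)/` to match SOURCE or add `fatal_error "Missing DEST Zone ($dest)" if $1 eq '';` beside the new line; if it is deliberate, a short comment explaining the asymmetry would help. process_rule1 begins before the first hunk and continues past this one, so how an empty `$destzone` is handled downstream is not visible here.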


@ -81,17 +81,20 @@ use constant { NOMARK => 0 ,
our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
target => 'CONNMARK --save-mark --mask' , target => 'CONNMARK --save-mark --mask' ,
mark => SMALLMARK , mark => SMALLMARK ,
mask => '0xFF' mask => '0xFF' ,
connmark => 1
} , } ,
{ match => sub ( $ ) { $_[0] eq 'RESTORE' }, { match => sub ( $ ) { $_[0] eq 'RESTORE' },
target => 'CONNMARK --restore-mark --mask' , target => 'CONNMARK --restore-mark --mask' ,
mark => SMALLMARK , mark => SMALLMARK ,
mask => '0xFF' mask => '0xFF' ,
connmark => 1
} , } ,
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' }, { match => sub ( $ ) { $_[0] eq 'CONTINUE' },
target => 'RETURN' , target => 'RETURN' ,
mark => NOMARK , mark => NOMARK ,
mask => '' mask => '' ,
connmark => 0
} , } ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} , { match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' , target => 'MARK --or-mark' ,
@ -100,7 +103,8 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' }, { match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark ' , target => 'MARK --and-mark ' ,
mark => HIGHMARK , mark => HIGHMARK ,
mask => '' mask => '' ,
connmark => 0
} }
); );
@ -204,6 +208,8 @@ sub process_tc_rule( $$$$$$$$$$ ) {
$target = $tcsref->{target} if $tcsref->{target}; $target = $tcsref->{target} if $tcsref->{target};
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark}; $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
} else { } else {
fatal_error "Invalid MARK ($original_mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; fatal_error "Invalid MARK ($original_mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
@ -228,6 +234,8 @@ sub process_tc_rule( $$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) { for my $tccmd ( @tccmd ) {
if ( $tccmd->{match}($cmd) ) { if ( $tccmd->{match}($cmd) ) {
fatal_error "$mark not valid with :C[FPT]" if $connmark; fatal_error "$mark not valid with :C[FPT]" if $connmark;
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
$target = "$tccmd->{target} "; $target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark}; my $marktype = $tccmd->{mark};
@ -327,9 +335,9 @@ sub validate_tc_device( $$$$$ ) {
} }
} }
my @redirected; my @redirected = ();
@redirected = split_list( $redirected , 'device' ) if defined $redirected; @redirected = split_list( $redirected , 'device' ) if defined $redirected && $redirected ne '-';;
for my $rdevice ( @redirected ) { for my $rdevice ( @redirected ) {
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/; fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;