Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

This commit is contained in:
Tom Eastep 2016-02-03 10:56:19 -08:00
commit 1fa2ecf6b9
17 changed files with 227 additions and 190 deletions

View File

@ -1,5 +1,5 @@
# #
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Accounting.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -623,9 +623,12 @@ our %ipset_exists;
# Omitted, if target is ''. # Omitted, if target is ''.
# target => Rule target, if jump is 'j' or 'g'. # target => Rule target, if jump is 'j' or 'g'.
# targetopts => Target options. Only included if non-empty # targetopts => Target options. Only included if non-empty
# matches => List of matches in the rule
# <option> => iptables/ip6tables -A options (e.g., i => eth0) # <option> => iptables/ip6tables -A options (e.g., i => eth0)
# <match> => iptables match. Value may be a scalar or array. # <match> => iptables match. Value may be a scalar or array.
# if an array, multiple "-m <match>"s will be generated # if an array, multiple "-m <match>"s will be generated
# <origin> => configuration file and line number that generated the rule
# May be empty.
# } # }
# #
# The following constants and hash are used to classify keys in a rule hash # The following constants and hash are used to classify keys in a rule hash
@ -919,7 +922,7 @@ sub set_rule_option( $$$ ) {
sub transform_rule( $;\$ ) { sub transform_rule( $;\$ ) {
my ( $input, $completeref ) = @_; my ( $input, $completeref ) = @_;
my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo1( '' ) }; my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo( '' ) };
my $simple = 1; my $simple = 1;
my $target = ''; my $target = '';
my $jump = ''; my $jump = '';
@ -1243,6 +1246,21 @@ sub add_commands ( $$;@ ) {
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE ); $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
} }
#
# Set the comment member of an irule
#
sub set_irule_comment( $$ ) {
my ( $chainref, $ruleref ) = @_;
our $rule_comments;
if ( $rule_comments ) {
$ruleref->{comment} = $ruleref->{origin} || $comment;
} else {
$ruleref->{comment} = $comment;
}
}
# #
# Transform the passed rule and add it to the end of the passed chain's rule list. # Transform the passed rule and add it to the end of the passed chain's rule list.
# #
@ -1254,7 +1272,8 @@ sub push_rule( $$ ) {
my $complete = 0; my $complete = 0;
my $ruleref = transform_rule( $_[1], $complete ); my $ruleref = transform_rule( $_[1], $complete );
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment; set_irule_comment( $chainref, $ruleref );
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel}; $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
@ -1475,7 +1494,7 @@ sub create_irule( $$$;@ ) {
( $target, my $targetopts ) = split ' ', $target, 2; ( $target, my $targetopts ) = split ' ', $target, 2;
my $ruleref = { matches => [] , origin => shortlineinfo1( '' ) }; my $ruleref = { matches => [] , origin => shortlineinfo( $chainref->{origin} ) };
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@ -1488,7 +1507,7 @@ sub create_irule( $$$;@ ) {
$ruleref->{target} = ''; $ruleref->{target} = '';
} }
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment; set_irule_comment( $chainref, $ruleref );
$iprangematch = 0; $iprangematch = 0;
@ -1644,7 +1663,7 @@ sub insert_rule1($$$)
my $ruleref = transform_rule( $rule ); my $ruleref = transform_rule( $rule );
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment; set_irule_comment( $chainref, $ruleref );
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} ); assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
$ruleref->{mode} = CAT_MODE; $ruleref->{mode} = CAT_MODE;
@ -1670,7 +1689,7 @@ sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_; my ( $chainref, $jump, $target, $number, @matches ) = @_;
my $rulesref = $chainref->{rules}; my $rulesref = $chainref->{rules};
my $ruleref = { origin => shortlineinfo1( '' ) }; my $ruleref = { origin => shortlineinfo( $chainref->{origin} ) };
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
@ -1686,8 +1705,7 @@ sub insert_irule( $$$$;@ ) {
$chainref->{optflags} |= push_matches( $ruleref, @matches ); $chainref->{optflags} |= push_matches( $ruleref, @matches );
} }
set_irule_comment( $chainref, $ruleref );
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
if ( $number >= @$rulesref ) { if ( $number >= @$rulesref ) {
# #
@ -2302,7 +2320,7 @@ sub new_chain($$)
references => {}, references => {},
filtered => 0, filtered => 0,
optflags => 0, optflags => 0,
origin => shortlineinfo1( '' ) || shortlineinfo( '' ), origin => shortlineinfo( '' ),
}; };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@ -2396,7 +2414,7 @@ sub add_ijump_internal( $$$$$;@ ) {
return $dummyrule if $fromref->{complete}; return $dummyrule if $fromref->{complete};
our $splitcount; our ( $splitcount, $file_comments, $rule_comments );
my $toref; my $toref;
my $ruleref; my $ruleref;
@ -2413,7 +2431,7 @@ sub add_ijump_internal( $$$$$;@ ) {
my ( $target ) = split ' ', $to; my ( $target ) = split ' ', $to;
$toref = $chain_table{$fromref->{table}}{$target}; $toref = $chain_table{$fromref->{table}}{$target};
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
$origin ||= $fromref->{origin} if $globals{TRACK_RULES}; $origin ||= $fromref->{origin} if $file_comments || $rule_comments;
} }
# #
@ -2423,7 +2441,7 @@ sub add_ijump_internal( $$$$$;@ ) {
$toref->{referenced} = 1; $toref->{referenced} = 1;
add_reference $fromref, $toref; add_reference $fromref, $toref;
$jump = 'j' unless have_capability 'GOTO_TARGET'; $jump = 'j' unless have_capability 'GOTO_TARGET';
$origin ||= $toref->{origin} if $globals{TRACK_RULES}; $origin ||= $toref->{origin} if $file_comments || $rule_comments;
$ruleref = create_irule ($fromref, $jump => $to, @matches ); $ruleref = create_irule ($fromref, $jump => $to, @matches );
} else { } else {
$ruleref = create_irule( $fromref, 'j' => $to, @matches ); $ruleref = create_irule( $fromref, 'j' => $to, @matches );
@ -2433,7 +2451,7 @@ sub add_ijump_internal( $$$$$;@ ) {
$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to}; $fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
} }
$ruleref->{origin} ||= $origin; $ruleref->{origin} = $origin if $origin;
$expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref ); $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
} }
@ -2739,7 +2757,7 @@ sub ensure_manual_chain($) {
$chainref; $chainref;
} }
sub log_irule_limit( $$$$$$$@ ); sub log_irule_limit( $$$$$$$$@ );
sub ensure_blacklog_chain( $$$$$ ) { sub ensure_blacklog_chain( $$$$$ ) {
my ( $target, $disposition, $level, $tag, $audit ) = @_; my ( $target, $disposition, $level, $tag, $audit ) = @_;
@ -2750,7 +2768,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
$target =~ s/A_//; $target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT'; $target = 'reject' if $target eq 'REJECT';
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target ); add_ijump( $logchainref, g => $target );
@ -2765,7 +2783,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
unless ( $filter_table->{A_blacklog} ) { unless ( $filter_table->{A_blacklog} ) {
my $logchainref = new_manual_chain 'A_blacklog'; my $logchainref = new_manual_chain 'A_blacklog';
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' ); log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
@ -2979,6 +2997,9 @@ sub initialize_chain_table($) {
$globals{iLOGLIMIT} = $globals{iLOGLIMIT} =
( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] : ( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] :
$ruleref->{limit} ? [ limit => $ruleref->{limit} ] : [] ); $ruleref->{limit} ? [ limit => $ruleref->{limit} ] : [] );
our $file_comments = $config{TRACK_RULES} eq 'File';
our $rule_comments = $config{TRACK_RULES} eq 'Yes';
} }
# #
@ -3706,7 +3727,7 @@ sub get_multi_sports( $ ) {
} }
# #
# Return an array of keys for the passed rule. 'dport' and 'comment' are omitted; # Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
# #
sub get_keys( $ ) { sub get_keys( $ ) {
my %skip = ( dport => 1, comment => 1, origin => 1 ); my %skip = ( dport => 1, comment => 1, origin => 1 );
@ -3984,10 +4005,12 @@ sub get_conntrack( $ ) {
} }
# #
# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted; # Return an array of keys for the passed rule. 'conntrack', 'comment' & origin are omitted;
# #
sub get_keys1( $ ) { sub get_keys1( $ ) {
sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment' && $_ ne 'origin', keys %{$_[0]}; my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
sort grep ! $skip{$_}, keys %{$_[0]};
} }
# #
@ -4273,7 +4296,8 @@ sub logchain( $$$$$$ ) {
$disposition , $disposition ,
[] , [] ,
$logtag, $logtag,
'add' ); 'add',
'' );
add_jump( $logchainref, $target, 0, $exceptionrule ); add_jump( $logchainref, $target, 0, $exceptionrule );
} }
@ -6232,8 +6256,8 @@ sub do_ipsec($$) {
# #
# Generate a log message # Generate a log message
# #
sub log_rule_limit( $$$$$$$$ ) { sub log_rule_limit( $$$$$$$$;$ ) {
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_; my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
my $prefix = ''; my $prefix = '';
my $chain = get_action_chain_name || $chn; my $chain = get_action_chain_name || $chn;
@ -6326,11 +6350,13 @@ sub log_rule_limit( $$$$$$$$ ) {
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
} }
$ruleref->{origin} = $origin ||= $chainref->{origin} if reftype $ruleref;
$ruleref; $ruleref;
} }
sub log_irule_limit( $$$$$$$@ ) { sub log_irule_limit( $$$$$$$$@ ) {
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_; my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_;
my $prefix = ''; my $prefix = '';
my %matches; my %matches;
@ -6418,7 +6444,7 @@ sub log_irule_limit( $$$$$$$@ ) {
} }
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches ); add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );
} else { } else {
insert_ijump ( $chainref, j => $prefix, 0 , @matches ); insert_ijump ( $chainref, j => $prefix, 0 , @matches );
} }
@ -6433,7 +6459,7 @@ sub log_rule( $$$$ ) {
sub log_irule( $$$;@ ) { sub log_irule( $$$;@ ) {
my ( $level, $chainref, $disposition, @matches ) = @_; my ( $level, $chainref, $disposition, @matches ) = @_;
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches; log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
} }
# #
@ -7443,7 +7469,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
[] , [] ,
$logtag , $logtag ,
'add' ) 'add' ,
'' )
if $loglevel; if $loglevel;
# #
# Generate Final Rule # Generate Final Rule
@ -7818,9 +7845,10 @@ sub add_interface_options( $ ) {
} else { } else {
for my $interface ( @input_interfaces ) { for my $interface ( @input_interfaces ) {
$chain1ref = $input_chains{$interface}; $chain1ref = $input_chains{$interface};
add_ijump ( $chainref , add_ijump_extended ( $chainref ,
j => $chain1ref->{name}, j => $chain1ref->{name},
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}}; interface_origin( $interface ) ,
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () );
} }
} }
} else { } else {
@ -7833,7 +7861,10 @@ sub add_interface_options( $ ) {
} else { } else {
for my $interface ( @forward_interfaces ) { for my $interface ( @forward_interfaces ) {
$chain1ref = $forward_chains{$interface}; $chain1ref = $forward_chains{$interface};
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}}; add_ijump_extended( $chainref ,
j => $chain1ref->{name},
interface_origin( $interface ) ,
@forward_interfaces > 1 ? imatch_source_dev( $interface ) : () );
} }
} }
} }
@ -7922,6 +7953,8 @@ sub enter_cmd_mode() {
sub emitr( $$ ) { sub emitr( $$ ) {
my ( $chainref, $ruleref ) = @_; my ( $chainref, $ruleref ) = @_;
our $file_comments;
assert( $chainref ); assert( $chainref );
if ( $ruleref ) { if ( $ruleref ) {
@ -7931,7 +7964,7 @@ sub emitr( $$ ) {
# #
enter_cat_mode unless $mode == CAT_MODE; enter_cat_mode unless $mode == CAT_MODE;
if ( my $origin = $ruleref->{origin} ) { if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
emit_unindented '# ' . $origin; emit_unindented '# ' . $origin;
} }
@ -7945,6 +7978,9 @@ sub emitr( $$ ) {
if ( exists $ruleref->{cmd} ) { if ( exists $ruleref->{cmd} ) {
emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} ); emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
} else { } else {
if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
emit join( '', ' ' x $ruleref->{cmdlevel} , '# ' , $origin );
}
# #
# Must preserve quotes in the rule # Must preserve quotes in the rule
# #

View File

@ -1,10 +1,10 @@
#! /usr/bin/perl -w #! /usr/bin/perl -w
# #
# The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5 # The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Config.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -52,8 +52,6 @@ our @EXPORT = qw(
assert assert
currentlineinfo currentlineinfo
shortlineinfo shortlineinfo
shortlineinfo1
shortlineinfo2
clear_currentfilename clear_currentfilename
validate_level validate_level
@ -738,7 +736,6 @@ sub initialize( $;$$) {
RPFILTER_LOG_TAG => '', RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '', INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '', UNTRACKED_LOG_TAG => '',
TRACK_RULES => '',
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -1211,23 +1208,25 @@ sub shortlineinfo2() {
} }
} }
sub shortlineinfo1( $ ) {
$globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : '';
}
sub shortlineinfo( $ ) { sub shortlineinfo( $ ) {
if ( $config{TRACK_RULES} ) { if ( my $track = $config{TRACK_RULES} ) {
if ( $currentfile ) { if ( $currentfile ) {
if ( $track eq 'Yes' ) {
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@'; my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255; $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
$comment = '@@@ Filename Too Long @@@' if length $comment > 255; $comment = '@@@ Filename Too Long @@@' if length $comment > 255;
$comment; $comment;
} else {
join( ':', $currentfilename, $currentlinenumber );
}
} else { } else {
# #
# Alternate lineinfo may have been passed # Alternate lineinfo may have been passed
# #
$_[0] || '' $_[0] || ''
} }
} else {
'';
} }
} }
@ -5839,17 +5838,21 @@ sub get_configuration( $$$$ ) {
if ( supplied ( $val = $config{TRACK_RULES} ) ) { if ( supplied ( $val = $config{TRACK_RULES} ) ) {
if ( lc( $val ) eq 'file' ) { if ( lc( $val ) eq 'file' ) {
$globals{TRACK_RULES} = 'Yes'; $config{TRACK_RULES} = 'File';
$config{TRACK_RULES} = '';
} else { } else {
default_yes_no 'TRACK_RULES' , ''; default_yes_no 'TRACK_RULES' , '';
$globals{TRACK_RULES} = '';
} }
} else { } else {
default_yes_no 'TRACK_RULES' , ''; $config{TRACK_RULES} = '';
} }
%origin = () unless $globals{TRACK_RULES}; %origin = () unless $config{TRACK_RULES} eq 'File';
#
# Ensure that all members of %origin have defined values
#
for ( keys %config ) {
$origin{$_} ||= '';
}
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/IPAddrs.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -107,13 +107,15 @@ sub setup_ecn()
fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$interfaces{$interface} ||= shortlineinfo1( '' ); my $lineinfo = shortlineinfo( '' );
$interfaces{$interface} ||= $lineinfo;
$hosts = ALLIP if $hosts eq '-'; $hosts = ALLIP if $hosts eq '-';
for my $host( split_list $hosts, 'address' ) { for my $host( split_list $hosts, 'address' ) {
validate_host( $host , 1 ); validate_host( $host , 1 );
push @hosts, [ $interface, shortlineinfo1( '' ), $host ]; push @hosts, [ $interface, $lineinfo, $host ];
} }
} }
@ -671,17 +673,15 @@ sub add_common_rules ( $ ) {
# #
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level,
$chainref, $chainref,
$chainref->{name}, $chainref->{name},
$policy, $policy,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ); '',
$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL}; $origin{SFILTER_LOG_LEVEL} ) if $level ne '';
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
@ -702,17 +702,15 @@ sub add_common_rules ( $ ) {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level,
$chainref, $chainref,
$chainref->{name}, $chainref->{name},
$policy, $policy,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ); '' ,
$ruleref->{origin} = $origin; $origin ) if $level ne '';
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
@ -789,17 +787,15 @@ sub add_common_rules ( $ ) {
# #
$chainref = ensure_mangle_chain 'rplog'; $chainref = ensure_mangle_chain 'rplog';
if ( $level ne '' ) { log_rule_limit( $level,
my $ruleref = log_rule_limit( $level,
$chainref, $chainref,
$chainref->{name}, $chainref->{name},
$policy, $policy,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ); '',
$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL}; $origin{RPFILTER_LOG_LEVEL} );
}
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
@ -858,15 +854,14 @@ sub add_common_rules ( $ ) {
if ( supplied $config{SMURF_LOG_LEVEL} ) { if ( supplied $config{SMURF_LOG_LEVEL} ) {
my $smurfref = new_chain( 'filter', 'smurflog' ); my $smurfref = new_chain( 'filter', 'smurflog' );
my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL}, log_irule_limit( $config{SMURF_LOG_LEVEL},
$smurfref, $smurfref,
'smurfs' , 'smurfs' ,
'DROP', 'DROP',
$globals{LOGILIMIT}, $globals{LOGILIMIT},
$globals{SMURF_LOG_TAG}, $globals{SMURF_LOG_TAG},
'add' ); 'add',
$origin{SMURF_LOG_LEVEL} );
$ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
@ -1013,16 +1008,15 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
my $ruleref = log_rule_limit( $level, log_rule_limit( $level,
$logflagsref, $logflagsref,
'logflags', 'logflags',
$disposition, $disposition,
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag, $tag,
'add', 'add',
'' ); '' ,
$origin{TCP_FLAGS_LOG_LEVEL} );
$ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
$globals{LOGPARMS} = $savelogparms; $globals{LOGPARMS} = $savelogparms;
@ -1299,7 +1293,7 @@ sub setup_mac_lists( $ ) {
run_user_exit2( 'maclog', $chainref ); run_user_exit2( 'maclog', $chainref );
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne ''; log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
add_ijump $chainref, j => $target; add_ijump $chainref, j => $target;
} }
} }
@ -2278,15 +2272,15 @@ sub generate_matrix() {
for my $table ( qw/mangle nat filter/ ) { for my $table ( qw/mangle nat filter/ ) {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
my $ruleref = log_rule_limit( $config{LOGALLNEW} , log_rule_limit( $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table{$table}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,
'' , '' ,
'insert' , 'insert' ,
state_match('NEW') ); state_match('NEW') ,
$ruleref->{origin} = $origin; $origin );
} }
} }
} }

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Nat.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proc.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Providers.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -144,20 +144,21 @@ sub setup_route_marking() {
my $interface = $providerref->{interface}; my $interface = $providerref->{interface};
my $physical = $providerref->{physical}; my $physical = $providerref->{physical};
my $mark = $providerref->{mark}; my $mark = $providerref->{mark};
my $origin = $providerref->{origin};
unless ( $marked_interfaces{$interface} ) { unless ( $marked_interfaces{$interface} ) {
add_ijump $mangle_table->{PREROUTING} , j => $chainref, i => $physical, mark => "--mark 0/$mask"; add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref, $origin, i => $physical, mark => "--mark 0/$mask";
add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark $mark/$mask"; add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark $mark/$mask";
add_ijump $mangle_table->{OUTPUT} , j => $chainref2, mark => "--mark $mark/$mask"; add_ijump_extended $mangle_table->{OUTPUT} , j => $chainref2, $origin, mark => "--mark $mark/$mask";
$marked_interfaces{$interface} = 1; $marked_interfaces{$interface} = 1;
} }
if ( $providerref->{shared} ) { if ( $providerref->{shared} ) {
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional}; decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
} else { } else {
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ); add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
} }
} }
@ -650,7 +651,7 @@ sub process_a_provider( $ ) {
$balance = $default_balance unless $balance; $balance = $default_balance unless $balance;
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
if ( $duplicate ne '-' ) { if ( $duplicate ne '-' ) {
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
@ -699,6 +700,7 @@ sub process_a_provider( $ ) {
persistent_routes => [], persistent_routes => [],
routedests => {} , routedests => {} ,
persistent => $persistent, persistent => $persistent,
origin => shortlineinfo( '' ),
}; };
$provider_interfaces{$interface} = $table unless $shared; $provider_interfaces{$interface} = $table unless $shared;

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proxyarp.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Raw.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Rules.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #
@ -975,7 +975,8 @@ sub setup_syn_flood_chains() {
'DROP', 'DROP',
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] , @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
'' , '' ,
'add' ) 'add',
'' )
if $level ne ''; if $level ne '';
add_ijump $synchainref, j => 'DROP'; add_ijump $synchainref, j => 'DROP';
} }
@ -1027,7 +1028,7 @@ sub finish_chain_section ($$$) {
for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) { for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) { if ( $state{$_} ) {
my ( $char, $level, $tag, $target ) = @{$statetable{$_}}; my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char; my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
if ( $twochains || $level || $target ne 'ACCEPT' ) { if ( $twochains || $level || $target ne 'ACCEPT' ) {
@ -1047,17 +1048,18 @@ sub finish_chain_section ($$$) {
$globals{LOGLIMIT}, $globals{LOGLIMIT},
$tag , $tag ,
'add' , 'add' ,
''); '',
$level_origin );
$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT; $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
add_ijump( $chain2ref, g => $target ) if $target; add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
$target = $chain2ref->{name} unless $twochains; $target = $chain2ref->{name} unless $twochains;
} }
if ( $twochains ) { if ( $twochains ) {
add_ijump $chainref, g => $target if $target; add_ijump_extended $chainref, g => $target , $origin if $target;
delete $state{$_}; delete $state{$_};
last; last;
} }
@ -1072,7 +1074,7 @@ sub finish_chain_section ($$$) {
delete $state{ESTABLISHED}; delete $state{ESTABLISHED};
} }
add_ijump( $chainref, j => $target, state_imatch $_ ); add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
} }
delete $state{$_}; delete $state{$_};
@ -1547,11 +1549,11 @@ sub dropBcast( $$$$ ) {
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
} else { } else {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ); log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
} }
} }
@ -1564,17 +1566,17 @@ sub dropBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne ''; log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1586,8 +1588,8 @@ sub allowBcast( $$$$ ) {
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ); log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
} }
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST'; add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
@ -1599,17 +1601,17 @@ sub allowBcast( $$$$ ) {
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
add_ijump $chainref, j => $target, d => '$address'; add_ijump $chainref, j => $target, d => '$address';
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
add_ijump $chainref, j => $target, d => '224.0.0.0/4'; add_ijump $chainref, j => $target, d => '224.0.0.0/4';
} else { } else {
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
add_ijump $chainref, j => $target, d => IPv6_MULTICAST; add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
} }
} }
@ -1619,7 +1621,7 @@ sub dropNotSyn ( $$$$ ) {
my $target = require_audit( 'DROP', $audit ); my $target = require_audit( 'DROP', $audit );
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1634,7 +1636,7 @@ sub rejNotSyn ( $$$$ ) {
$target = require_audit( 'REJECT' , $audit ); $target = require_audit( 'REJECT' , $audit );
} }
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
add_ijump $chainref , j => $target, p => '6 ! --syn'; add_ijump $chainref , j => $target, p => '6 ! --syn';
} }
@ -1650,8 +1652,8 @@ sub allowinUPnP ( $$$$ ) {
my $target = require_audit( 'ACCEPT', $audit ); my $target = require_audit( 'ACCEPT', $audit );
if ( $level ne '' ) { if ( $level ne '' ) {
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' ); log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' ); log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
} }
add_ijump $chainref, j => $target, p => '17 --dport 1900'; add_ijump $chainref, j => $target, p => '17 --dport 1900';
@ -1688,7 +1690,7 @@ sub Limit( $$$$ ) {
if ( $level ne '' ) { if ( $level ne '' ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%"; my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' ); log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
add_ijump $xchainref, j => 'DROP'; add_ijump $xchainref, j => 'DROP';
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count"; add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
} else { } else {
@ -3453,9 +3455,9 @@ sub process_rules() {
# Populate the state table # Populate the state table
# #
%statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] , %statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] ,
RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} ] , RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} , $origin{RELATED_DISPOSITION} , $origin{RELATED_LOG_LEVEL} ] ,
INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} ] , INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} , $origin{INVALID_DISPOSITION} , $origin{INVALID_LOG_LEVEL} ] ,
UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] , UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} , $origin{UNTRACKED_DISPOSITION} , $origin{UNTRACKED_LOG_LEVEL} ] ,
); );
%section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES}, %section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES},
ESTABLISHED_SECTION, 'ESTABLISHED', ESTABLISHED_SECTION, 'ESTABLISHED',

View File

@ -1,9 +1,9 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tc.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Traffic Control is from tc4shorewall Version 0.5 # Traffic Control is from tc4shorewall Version 0.5
# (c) 2005 Arne Bernin <arne@ucbering.de> # (c) 2005 Arne Bernin <arne@ucbering.de>

View File

@ -1,8 +1,8 @@
# #
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm # Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) # (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
# #
# Complete documentation is available at http://shorewall.net # Complete documentation is available at http://shorewall.net
# #

View File

@ -894,7 +894,7 @@ sub add_group_to_zone($$$$$$)
hosts => \@newnetworks, hosts => \@newnetworks,
ipsec => $type & IPSEC ? 'ipsec' : 'none' , ipsec => $type & IPSEC ? 'ipsec' : 'none' ,
exclusions => \@exclusions , exclusions => \@exclusions ,
origin => shortlineinfo1( '' ) , origin => shortlineinfo( '' ) ,
}; };
if ( $type != IPSEC ) { if ( $type != IPSEC ) {
@ -1397,7 +1397,7 @@ sub process_interface( $$ ) {
physical => $physical , physical => $physical ,
base => var_base( $physical ), base => var_base( $physical ),
zones => {}, zones => {},
origin => shortlineinfo1('') || shortlineinfo( '' ), origin => shortlineinfo( '' ),
wildcard => $wildcard, wildcard => $wildcard,
}; };

View File

@ -5,7 +5,7 @@
<!--/$Id$--> <!--/$Id$-->
<articleinfo> <articleinfo>
<title>Shorewall 4.4/4.5/4.6 Documentation</title> <title>Shorewall 4.4/4.5/4.6/5.0 Documentation</title>
<authorgroup> <authorgroup>
<author> <author>
@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2001-2014</year> <year>2001-2016</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -327,7 +327,7 @@
<entry><ulink url="PortKnocking.html">Port Knocking <entry><ulink url="PortKnocking.html">Port Knocking
(deprecated)</ulink></entry> (deprecated)</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -337,7 +337,7 @@
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
and Other Uses of the 'Recent Match'</ulink></entry> and Other Uses of the 'Recent Match'</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -345,7 +345,7 @@
<entry><ulink url="PPTP.htm">PPTP</ulink></entry> <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -354,7 +354,7 @@
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry> <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -364,7 +364,7 @@
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
Guides</ulink></entry> Guides</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -373,7 +373,7 @@
<entry><ulink url="NewRelease.html">Release Model</ulink></entry> <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -382,7 +382,7 @@
<entry><ulink <entry><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></entry> url="shorewall_prerequisites.htm">Requirements</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -391,7 +391,7 @@
<entry><ulink url="Shorewall_and_Routing.html">Routing and <entry><ulink url="Shorewall_and_Routing.html">Routing and
Shorewall</ulink></entry> Shorewall</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -400,7 +400,7 @@
<entry><ulink url="Multiple_Zones.html">Routing on One <entry><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></entry> Interface</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -408,7 +408,7 @@
<entry><ulink url="samba.htm">Samba</ulink></entry> <entry><ulink url="samba.htm">Samba</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -417,7 +417,7 @@
<entry><ulink url="Events.html">Shorewall Events</ulink></entry> <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -427,7 +427,7 @@
<entry><ulink url="Shorewall-init.html">Shorewall <entry><ulink url="Shorewall-init.html">Shorewall
Init</ulink></entry> Init</ulink></entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -437,7 +437,7 @@
<entry><ulink url="Shorewall-Lite.html">Shorewall <entry><ulink url="Shorewall-Lite.html">Shorewall
Lite</ulink></entry> Lite</ulink></entry>
<entry></entry> <entry/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>