mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code
This commit is contained in:
Tom Eastep
commit
1fa2ecf6b9
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Accounting.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -623,9 +623,12 @@ our %ipset_exists;
|
||||
# Omitted, if target is ''.
|
||||
# target => Rule target, if jump is 'j' or 'g'.
|
||||
# targetopts => Target options. Only included if non-empty
|
||||
# matches => List of matches in the rule
|
||||
# <option> => iptables/ip6tables -A options (e.g., i => eth0)
|
||||
# <match> => iptables match. Value may be a scalar or array.
|
||||
# if an array, multiple "-m <match>"s will be generated
|
||||
# <origin> => configuration file and line number that generated the rule
|
||||
# May be empty.
|
||||
# }
|
||||
#
|
||||
# The following constants and hash are used to classify keys in a rule hash
|
||||
@ -919,7 +922,7 @@ sub set_rule_option( $$$ ) {
|
||||
|
||||
sub transform_rule( $;\$ ) {
|
||||
my ( $input, $completeref ) = @_;
|
||||
my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo1( '' ) };
|
||||
my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo( '' ) };
|
||||
my $simple = 1;
|
||||
my $target = '';
|
||||
my $jump = '';
|
||||
@ -1243,6 +1246,21 @@ sub add_commands ( $$;@ ) {
|
||||
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
|
||||
}
|
||||
|
||||
#
|
||||
# Set the comment member of an irule
|
||||
#
|
||||
sub set_irule_comment( $$ ) {
|
||||
my ( $chainref, $ruleref ) = @_;
|
||||
|
||||
our $rule_comments;
|
||||
|
||||
if ( $rule_comments ) {
|
||||
$ruleref->{comment} = $ruleref->{origin} || $comment;
|
||||
} else {
|
||||
$ruleref->{comment} = $comment;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Transform the passed rule and add it to the end of the passed chain's rule list.
|
||||
#
|
||||
@ -1254,7 +1272,8 @@ sub push_rule( $$ ) {
|
||||
my $complete = 0;
|
||||
my $ruleref = transform_rule( $_[1], $complete );
|
||||
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
set_irule_comment( $chainref, $ruleref );
|
||||
|
||||
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
||||
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
@ -1475,7 +1494,7 @@ sub create_irule( $$$;@ ) {
|
||||
|
||||
( $target, my $targetopts ) = split ' ', $target, 2;
|
||||
|
||||
my $ruleref = { matches => [] , origin => shortlineinfo1( '' ) };
|
||||
my $ruleref = { matches => [] , origin => shortlineinfo( $chainref->{origin} ) };
|
||||
|
||||
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
|
||||
|
||||
@ -1488,7 +1507,7 @@ sub create_irule( $$$;@ ) {
|
||||
$ruleref->{target} = '';
|
||||
}
|
||||
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment;
|
||||
set_irule_comment( $chainref, $ruleref );
|
||||
|
||||
$iprangematch = 0;
|
||||
|
||||
@ -1644,7 +1663,7 @@ sub insert_rule1($$$)
|
||||
|
||||
my $ruleref = transform_rule( $rule );
|
||||
|
||||
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
|
||||
set_irule_comment( $chainref, $ruleref );
|
||||
|
||||
assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
|
||||
$ruleref->{mode} = CAT_MODE;
|
||||
@ -1670,7 +1689,7 @@ sub insert_irule( $$$$;@ ) {
|
||||
my ( $chainref, $jump, $target, $number, @matches ) = @_;
|
||||
|
||||
my $rulesref = $chainref->{rules};
|
||||
my $ruleref = { origin => shortlineinfo1( '' ) };
|
||||
my $ruleref = { origin => shortlineinfo( $chainref->{origin} ) };
|
||||
|
||||
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
|
||||
|
||||
@ -1686,8 +1705,7 @@ sub insert_irule( $$$$;@ ) {
|
||||
$chainref->{optflags} |= push_matches( $ruleref, @matches );
|
||||
}
|
||||
|
||||
|
||||
$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
|
||||
set_irule_comment( $chainref, $ruleref );
|
||||
|
||||
if ( $number >= @$rulesref ) {
|
||||
#
|
||||
@ -2302,7 +2320,7 @@ sub new_chain($$)
|
||||
references => {},
|
||||
filtered => 0,
|
||||
optflags => 0,
|
||||
origin => shortlineinfo1( '' ) || shortlineinfo( '' ),
|
||||
origin => shortlineinfo( '' ),
|
||||
};
|
||||
|
||||
trace( $chainref, 'N', undef, '' ) if $debug;
|
||||
@ -2396,7 +2414,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
||||
|
||||
return $dummyrule if $fromref->{complete};
|
||||
|
||||
our $splitcount;
|
||||
our ( $splitcount, $file_comments, $rule_comments );
|
||||
|
||||
my $toref;
|
||||
my $ruleref;
|
||||
@ -2413,7 +2431,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
||||
my ( $target ) = split ' ', $to;
|
||||
$toref = $chain_table{$fromref->{table}}{$target};
|
||||
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
|
||||
$origin ||= $fromref->{origin} if $globals{TRACK_RULES};
|
||||
$origin ||= $fromref->{origin} if $file_comments || $rule_comments;
|
||||
}
|
||||
|
||||
#
|
||||
@ -2423,7 +2441,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
||||
$toref->{referenced} = 1;
|
||||
add_reference $fromref, $toref;
|
||||
$jump = 'j' unless have_capability 'GOTO_TARGET';
|
||||
$origin ||= $toref->{origin} if $globals{TRACK_RULES};
|
||||
$origin ||= $toref->{origin} if $file_comments || $rule_comments;
|
||||
$ruleref = create_irule ($fromref, $jump => $to, @matches );
|
||||
} else {
|
||||
$ruleref = create_irule( $fromref, 'j' => $to, @matches );
|
||||
@ -2433,7 +2451,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
||||
$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
|
||||
}
|
||||
|
||||
$ruleref->{origin} ||= $origin;
|
||||
$ruleref->{origin} = $origin if $origin;
|
||||
|
||||
$expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref );
|
||||
}
|
||||
@ -2739,7 +2757,7 @@ sub ensure_manual_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub log_irule_limit( $$$$$$$@ );
|
||||
sub log_irule_limit( $$$$$$$$@ );
|
||||
|
||||
sub ensure_blacklog_chain( $$$$$ ) {
|
||||
my ( $target, $disposition, $level, $tag, $audit ) = @_;
|
||||
@ -2750,7 +2768,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' );
|
||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
@ -2765,7 +2783,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
|
||||
unless ( $filter_table->{A_blacklog} ) {
|
||||
my $logchainref = new_manual_chain 'A_blacklog';
|
||||
|
||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
|
||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
|
||||
|
||||
@ -2979,6 +2997,9 @@ sub initialize_chain_table($) {
|
||||
$globals{iLOGLIMIT} =
|
||||
( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] :
|
||||
$ruleref->{limit} ? [ limit => $ruleref->{limit} ] : [] );
|
||||
|
||||
our $file_comments = $config{TRACK_RULES} eq 'File';
|
||||
our $rule_comments = $config{TRACK_RULES} eq 'Yes';
|
||||
}
|
||||
|
||||
#
|
||||
@ -3706,7 +3727,7 @@ sub get_multi_sports( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Return an array of keys for the passed rule. 'dport' and 'comment' are omitted;
|
||||
# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
|
||||
#
|
||||
sub get_keys( $ ) {
|
||||
my %skip = ( dport => 1, comment => 1, origin => 1 );
|
||||
@ -3984,10 +4005,12 @@ sub get_conntrack( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted;
|
||||
# Return an array of keys for the passed rule. 'conntrack', 'comment' & origin are omitted;
|
||||
#
|
||||
sub get_keys1( $ ) {
|
||||
sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment' && $_ ne 'origin', keys %{$_[0]};
|
||||
my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
|
||||
|
||||
sort grep ! $skip{$_}, keys %{$_[0]};
|
||||
}
|
||||
|
||||
#
|
||||
@ -4273,7 +4296,8 @@ sub logchain( $$$$$$ ) {
|
||||
$disposition ,
|
||||
[] ,
|
||||
$logtag,
|
||||
'add' );
|
||||
'add',
|
||||
'' );
|
||||
add_jump( $logchainref, $target, 0, $exceptionrule );
|
||||
}
|
||||
|
||||
@ -6232,8 +6256,8 @@ sub do_ipsec($$) {
|
||||
#
|
||||
# Generate a log message
|
||||
#
|
||||
sub log_rule_limit( $$$$$$$$ ) {
|
||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_;
|
||||
sub log_rule_limit( $$$$$$$$;$ ) {
|
||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
|
||||
|
||||
my $prefix = '';
|
||||
my $chain = get_action_chain_name || $chn;
|
||||
@ -6326,11 +6350,13 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
|
||||
}
|
||||
|
||||
$ruleref->{origin} = $origin ||= $chainref->{origin} if reftype $ruleref;
|
||||
|
||||
$ruleref;
|
||||
}
|
||||
|
||||
sub log_irule_limit( $$$$$$$@ ) {
|
||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_;
|
||||
sub log_irule_limit( $$$$$$$$@ ) {
|
||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_;
|
||||
|
||||
my $prefix = '';
|
||||
my %matches;
|
||||
@ -6418,7 +6444,7 @@ sub log_irule_limit( $$$$$$$@ ) {
|
||||
}
|
||||
|
||||
if ( $command eq 'add' ) {
|
||||
add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches );
|
||||
add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );
|
||||
} else {
|
||||
insert_ijump ( $chainref, j => $prefix, 0 , @matches );
|
||||
}
|
||||
@ -6433,7 +6459,7 @@ sub log_rule( $$$$ ) {
|
||||
sub log_irule( $$$;@ ) {
|
||||
my ( $level, $chainref, $disposition, @matches ) = @_;
|
||||
|
||||
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
|
||||
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
|
||||
}
|
||||
|
||||
#
|
||||
@ -7443,7 +7469,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
[] ,
|
||||
$logtag ,
|
||||
'add' )
|
||||
'add' ,
|
||||
'' )
|
||||
if $loglevel;
|
||||
#
|
||||
# Generate Final Rule
|
||||
@ -7818,9 +7845,10 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @input_interfaces ) {
|
||||
$chain1ref = $input_chains{$interface};
|
||||
add_ijump ( $chainref ,
|
||||
add_ijump_extended ( $chainref ,
|
||||
j => $chain1ref->{name},
|
||||
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
interface_origin( $interface ) ,
|
||||
@input_interfaces > 1 ? imatch_source_dev( $interface ) : () );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -7833,7 +7861,10 @@ sub add_interface_options( $ ) {
|
||||
} else {
|
||||
for my $interface ( @forward_interfaces ) {
|
||||
$chain1ref = $forward_chains{$interface};
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}};
|
||||
add_ijump_extended( $chainref ,
|
||||
j => $chain1ref->{name},
|
||||
interface_origin( $interface ) ,
|
||||
@forward_interfaces > 1 ? imatch_source_dev( $interface ) : () );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -7922,6 +7953,8 @@ sub enter_cmd_mode() {
|
||||
sub emitr( $$ ) {
|
||||
my ( $chainref, $ruleref ) = @_;
|
||||
|
||||
our $file_comments;
|
||||
|
||||
assert( $chainref );
|
||||
|
||||
if ( $ruleref ) {
|
||||
@ -7931,7 +7964,7 @@ sub emitr( $$ ) {
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
|
||||
if ( my $origin = $ruleref->{origin} ) {
|
||||
if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
|
||||
emit_unindented '# ' . $origin;
|
||||
}
|
||||
|
||||
@ -7945,6 +7978,9 @@ sub emitr( $$ ) {
|
||||
if ( exists $ruleref->{cmd} ) {
|
||||
emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
|
||||
} else {
|
||||
if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
|
||||
emit join( '', ' ' x $ruleref->{cmdlevel} , '# ' , $origin );
|
||||
}
|
||||
#
|
||||
# Must preserve quotes in the rule
|
||||
#
|
||||
|
||||
@ -1,10 +1,10 @@
|
||||
#! /usr/bin/perl -w
|
||||
#
|
||||
# The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
|
||||
# The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Config.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -52,8 +52,6 @@ our @EXPORT = qw(
|
||||
assert
|
||||
currentlineinfo
|
||||
shortlineinfo
|
||||
shortlineinfo1
|
||||
shortlineinfo2
|
||||
clear_currentfilename
|
||||
validate_level
|
||||
|
||||
@ -738,7 +736,6 @@ sub initialize( $;$$) {
|
||||
RPFILTER_LOG_TAG => '',
|
||||
INVALID_LOG_TAG => '',
|
||||
UNTRACKED_LOG_TAG => '',
|
||||
TRACK_RULES => '',
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -1211,23 +1208,25 @@ sub shortlineinfo2() {
|
||||
}
|
||||
}
|
||||
|
||||
sub shortlineinfo1( $ ) {
|
||||
$globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : '';
|
||||
}
|
||||
|
||||
sub shortlineinfo( $ ) {
|
||||
if ( $config{TRACK_RULES} ) {
|
||||
if ( my $track = $config{TRACK_RULES} ) {
|
||||
if ( $currentfile ) {
|
||||
if ( $track eq 'Yes' ) {
|
||||
my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@';
|
||||
$comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255;
|
||||
$comment = '@@@ Filename Too Long @@@' if length $comment > 255;
|
||||
$comment;
|
||||
} else {
|
||||
join( ':', $currentfilename, $currentlinenumber );
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# Alternate lineinfo may have been passed
|
||||
#
|
||||
$_[0] || ''
|
||||
}
|
||||
} else {
|
||||
'';
|
||||
}
|
||||
}
|
||||
|
||||
@ -5839,17 +5838,21 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
if ( supplied ( $val = $config{TRACK_RULES} ) ) {
|
||||
if ( lc( $val ) eq 'file' ) {
|
||||
$globals{TRACK_RULES} = 'Yes';
|
||||
$config{TRACK_RULES} = '';
|
||||
$config{TRACK_RULES} = 'File';
|
||||
} else {
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
$globals{TRACK_RULES} = '';
|
||||
}
|
||||
} else {
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
$config{TRACK_RULES} = '';
|
||||
}
|
||||
|
||||
%origin = () unless $globals{TRACK_RULES};
|
||||
%origin = () unless $config{TRACK_RULES} eq 'File';
|
||||
#
|
||||
# Ensure that all members of %origin have defined values
|
||||
#
|
||||
for ( keys %config ) {
|
||||
$origin{$_} ||= '';
|
||||
}
|
||||
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
default_yes_no 'BASIC_FILTERS' , '';
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -107,13 +107,15 @@ sub setup_ecn()
|
||||
fatal_error 'INTERFACE must be specified' if $interface eq '-';
|
||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||
|
||||
$interfaces{$interface} ||= shortlineinfo1( '' );
|
||||
my $lineinfo = shortlineinfo( '' );
|
||||
|
||||
$interfaces{$interface} ||= $lineinfo;
|
||||
|
||||
$hosts = ALLIP if $hosts eq '-';
|
||||
|
||||
for my $host( split_list $hosts, 'address' ) {
|
||||
validate_host( $host , 1 );
|
||||
push @hosts, [ $interface, shortlineinfo1( '' ), $host ];
|
||||
push @hosts, [ $interface, $lineinfo, $host ];
|
||||
}
|
||||
}
|
||||
|
||||
@ -671,17 +673,15 @@ sub add_common_rules ( $ ) {
|
||||
#
|
||||
$chainref = new_standard_chain 'sfilter';
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $ruleref = log_rule_limit( $level,
|
||||
log_rule_limit( $level,
|
||||
$chainref,
|
||||
$chainref->{name},
|
||||
$policy,
|
||||
$globals{LOGLIMIT},
|
||||
$tag,
|
||||
'add',
|
||||
'' );
|
||||
$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
|
||||
}
|
||||
'',
|
||||
$origin{SFILTER_LOG_LEVEL} ) if $level ne '';
|
||||
|
||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
||||
|
||||
@ -702,17 +702,15 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $ruleref = log_rule_limit( $level,
|
||||
log_rule_limit( $level,
|
||||
$chainref,
|
||||
$chainref->{name},
|
||||
$policy,
|
||||
$globals{LOGLIMIT},
|
||||
$tag,
|
||||
'add',
|
||||
'' );
|
||||
$ruleref->{origin} = $origin;
|
||||
}
|
||||
'' ,
|
||||
$origin ) if $level ne '';
|
||||
|
||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
|
||||
|
||||
@ -789,17 +787,15 @@ sub add_common_rules ( $ ) {
|
||||
#
|
||||
$chainref = ensure_mangle_chain 'rplog';
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $ruleref = log_rule_limit( $level,
|
||||
log_rule_limit( $level,
|
||||
$chainref,
|
||||
$chainref->{name},
|
||||
$policy,
|
||||
$globals{LOGLIMIT},
|
||||
$tag,
|
||||
'add',
|
||||
'' );
|
||||
$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
|
||||
}
|
||||
'',
|
||||
$origin{RPFILTER_LOG_LEVEL} );
|
||||
|
||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
||||
|
||||
@ -858,15 +854,14 @@ sub add_common_rules ( $ ) {
|
||||
if ( supplied $config{SMURF_LOG_LEVEL} ) {
|
||||
my $smurfref = new_chain( 'filter', 'smurflog' );
|
||||
|
||||
my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
|
||||
log_irule_limit( $config{SMURF_LOG_LEVEL},
|
||||
$smurfref,
|
||||
'smurfs' ,
|
||||
'DROP',
|
||||
$globals{LOGILIMIT},
|
||||
$globals{SMURF_LOG_TAG},
|
||||
'add' );
|
||||
|
||||
$ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
|
||||
'add',
|
||||
$origin{SMURF_LOG_LEVEL} );
|
||||
|
||||
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
||||
|
||||
@ -1013,16 +1008,15 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
|
||||
|
||||
my $ruleref = log_rule_limit( $level,
|
||||
log_rule_limit( $level,
|
||||
$logflagsref,
|
||||
'logflags',
|
||||
$disposition,
|
||||
$globals{LOGLIMIT},
|
||||
$tag,
|
||||
'add',
|
||||
'' );
|
||||
|
||||
$ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
|
||||
'' ,
|
||||
$origin{TCP_FLAGS_LOG_LEVEL} );
|
||||
|
||||
$globals{LOGPARMS} = $savelogparms;
|
||||
|
||||
@ -1299,7 +1293,7 @@ sub setup_mac_lists( $ ) {
|
||||
|
||||
run_user_exit2( 'maclog', $chainref );
|
||||
|
||||
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne '';
|
||||
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
|
||||
add_ijump $chainref, j => $target;
|
||||
}
|
||||
}
|
||||
@ -2278,15 +2272,15 @@ sub generate_matrix() {
|
||||
|
||||
for my $table ( qw/mangle nat filter/ ) {
|
||||
for my $chain ( @{$builtins{$table}} ) {
|
||||
my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
|
||||
log_rule_limit( $config{LOGALLNEW} ,
|
||||
$chain_table{$table}{$chain} ,
|
||||
$table ,
|
||||
$chain ,
|
||||
'' ,
|
||||
'' ,
|
||||
'insert' ,
|
||||
state_match('NEW') );
|
||||
$ruleref->{origin} = $origin;
|
||||
state_match('NEW') ,
|
||||
$origin );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Nat.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proc.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Providers.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -144,20 +144,21 @@ sub setup_route_marking() {
|
||||
my $interface = $providerref->{interface};
|
||||
my $physical = $providerref->{physical};
|
||||
my $mark = $providerref->{mark};
|
||||
my $origin = $providerref->{origin};
|
||||
|
||||
unless ( $marked_interfaces{$interface} ) {
|
||||
add_ijump $mangle_table->{PREROUTING} , j => $chainref, i => $physical, mark => "--mark 0/$mask";
|
||||
add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark $mark/$mask";
|
||||
add_ijump $mangle_table->{OUTPUT} , j => $chainref2, mark => "--mark $mark/$mask";
|
||||
add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref, $origin, i => $physical, mark => "--mark 0/$mask";
|
||||
add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark $mark/$mask";
|
||||
add_ijump_extended $mangle_table->{OUTPUT} , j => $chainref2, $origin, mark => "--mark $mark/$mask";
|
||||
$marked_interfaces{$interface} = 1;
|
||||
}
|
||||
|
||||
if ( $providerref->{shared} ) {
|
||||
add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
||||
add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
|
||||
decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
|
||||
} else {
|
||||
add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
|
||||
add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
|
||||
}
|
||||
}
|
||||
|
||||
@ -650,7 +651,7 @@ sub process_a_provider( $ ) {
|
||||
|
||||
$balance = $default_balance unless $balance;
|
||||
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
@ -699,6 +700,7 @@ sub process_a_provider( $ ) {
|
||||
persistent_routes => [],
|
||||
routedests => {} ,
|
||||
persistent => $persistent,
|
||||
origin => shortlineinfo( '' ),
|
||||
};
|
||||
|
||||
$provider_interfaces{$interface} = $table unless $shared;
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Raw.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Rules.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
@ -975,7 +975,8 @@ sub setup_syn_flood_chains() {
|
||||
'DROP',
|
||||
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
|
||||
'' ,
|
||||
'add' )
|
||||
'add',
|
||||
'' )
|
||||
if $level ne '';
|
||||
add_ijump $synchainref, j => 'DROP';
|
||||
}
|
||||
@ -1027,7 +1028,7 @@ sub finish_chain_section ($$$) {
|
||||
|
||||
for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
|
||||
if ( $state{$_} ) {
|
||||
my ( $char, $level, $tag, $target ) = @{$statetable{$_}};
|
||||
my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
|
||||
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
|
||||
|
||||
if ( $twochains || $level || $target ne 'ACCEPT' ) {
|
||||
@ -1047,17 +1048,18 @@ sub finish_chain_section ($$$) {
|
||||
$globals{LOGLIMIT},
|
||||
$tag ,
|
||||
'add' ,
|
||||
'');
|
||||
'',
|
||||
$level_origin );
|
||||
|
||||
$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
|
||||
|
||||
add_ijump( $chain2ref, g => $target ) if $target;
|
||||
add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
|
||||
|
||||
$target = $chain2ref->{name} unless $twochains;
|
||||
}
|
||||
|
||||
if ( $twochains ) {
|
||||
add_ijump $chainref, g => $target if $target;
|
||||
add_ijump_extended $chainref, g => $target , $origin if $target;
|
||||
delete $state{$_};
|
||||
last;
|
||||
}
|
||||
@ -1072,7 +1074,7 @@ sub finish_chain_section ($$$) {
|
||||
delete $state{ESTABLISHED};
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $target, state_imatch $_ );
|
||||
add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
|
||||
}
|
||||
|
||||
delete $state{$_};
|
||||
@ -1547,11 +1549,11 @@ sub dropBcast( $$$$ ) {
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
|
||||
} else {
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
|
||||
}
|
||||
}
|
||||
|
||||
@ -1564,17 +1566,17 @@ sub dropBcast( $$$$ ) {
|
||||
}
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => '$address';
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
|
||||
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||
} else {
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||
}
|
||||
}
|
||||
@ -1586,8 +1588,8 @@ sub allowBcast( $$$$ ) {
|
||||
|
||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
|
||||
}
|
||||
|
||||
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||
@ -1599,17 +1601,17 @@ sub allowBcast( $$$$ ) {
|
||||
}
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => '$address';
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||
} else {
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
|
||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||
}
|
||||
}
|
||||
@ -1619,7 +1621,7 @@ sub dropNotSyn ( $$$$ ) {
|
||||
|
||||
my $target = require_audit( 'DROP', $audit );
|
||||
|
||||
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
|
||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||
}
|
||||
|
||||
@ -1634,7 +1636,7 @@ sub rejNotSyn ( $$$$ ) {
|
||||
$target = require_audit( 'REJECT' , $audit );
|
||||
}
|
||||
|
||||
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
||||
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
|
||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||
}
|
||||
|
||||
@ -1650,8 +1652,8 @@ sub allowinUPnP ( $$$$ ) {
|
||||
my $target = require_audit( 'ACCEPT', $audit );
|
||||
|
||||
if ( $level ne '' ) {
|
||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
|
||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
|
||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
|
||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
|
||||
}
|
||||
|
||||
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
||||
@ -1688,7 +1690,7 @@ sub Limit( $$$$ ) {
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
|
||||
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
|
||||
add_ijump $xchainref, j => 'DROP';
|
||||
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
||||
} else {
|
||||
@ -3453,9 +3455,9 @@ sub process_rules() {
|
||||
# Populate the state table
|
||||
#
|
||||
%statetable = ( ESTABLISHED => [ '^', '', '', 'ACCEPT' ] ,
|
||||
RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} ] ,
|
||||
INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} ] ,
|
||||
UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} ] ,
|
||||
RELATED => [ '+', $config{RELATED_LOG_LEVEL}, $globals{RELATED_LOG_TAG}, $globals{RELATED_TARGET} , $origin{RELATED_DISPOSITION} , $origin{RELATED_LOG_LEVEL} ] ,
|
||||
INVALID => [ '_', $config{INVALID_LOG_LEVEL}, $globals{INVALID_LOG_TAG}, $globals{INVALID_TARGET} , $origin{INVALID_DISPOSITION} , $origin{INVALID_LOG_LEVEL} ] ,
|
||||
UNTRACKED => [ '&', $config{UNTRACKED_LOG_LEVEL}, $globals{UNTRACKED_LOG_TAG}, $globals{UNTRACKED_TARGET} , $origin{UNTRACKED_DISPOSITION} , $origin{UNTRACKED_LOG_LEVEL} ] ,
|
||||
);
|
||||
%section_states = ( BLACKLIST_SECTION , $globals{BLACKLIST_STATES},
|
||||
ESTABLISHED_SECTION, 'ESTABLISHED',
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tc.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Traffic Control is from tc4shorewall Version 0.5
|
||||
# (c) 2005 Arne Bernin <arne@ucbering.de>
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
#
|
||||
# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
|
||||
# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
|
||||
@ -894,7 +894,7 @@ sub add_group_to_zone($$$$$$)
|
||||
hosts => \@newnetworks,
|
||||
ipsec => $type & IPSEC ? 'ipsec' : 'none' ,
|
||||
exclusions => \@exclusions ,
|
||||
origin => shortlineinfo1( '' ) ,
|
||||
origin => shortlineinfo( '' ) ,
|
||||
};
|
||||
|
||||
if ( $type != IPSEC ) {
|
||||
@ -1397,7 +1397,7 @@ sub process_interface( $$ ) {
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ),
|
||||
zones => {},
|
||||
origin => shortlineinfo1('') || shortlineinfo( '' ),
|
||||
origin => shortlineinfo( '' ),
|
||||
wildcard => $wildcard,
|
||||
};
|
||||
|
||||
|
||||
@ -5,7 +5,7 @@
|
||||
<!--/$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall 4.4/4.5/4.6 Documentation</title>
|
||||
<title>Shorewall 4.4/4.5/4.6/5.0 Documentation</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2014</year>
|
||||
<year>2001-2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -327,7 +327,7 @@
|
||||
<entry><ulink url="PortKnocking.html">Port Knocking
|
||||
(deprecated)</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -337,7 +337,7 @@
|
||||
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
|
||||
and Other Uses of the 'Recent Match'</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -345,7 +345,7 @@
|
||||
|
||||
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -354,7 +354,7 @@
|
||||
|
||||
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -364,7 +364,7 @@
|
||||
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -373,7 +373,7 @@
|
||||
|
||||
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -382,7 +382,7 @@
|
||||
<entry><ulink
|
||||
url="shorewall_prerequisites.htm">Requirements</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -391,7 +391,7 @@
|
||||
<entry><ulink url="Shorewall_and_Routing.html">Routing and
|
||||
Shorewall</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -400,7 +400,7 @@
|
||||
<entry><ulink url="Multiple_Zones.html">Routing on One
|
||||
Interface</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -408,7 +408,7 @@
|
||||
|
||||
<entry><ulink url="samba.htm">Samba</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -417,7 +417,7 @@
|
||||
|
||||
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -427,7 +427,7 @@
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -437,7 +437,7 @@
|
||||
<entry><ulink url="Shorewall-Lite.html">Shorewall
|
||||
Lite</ulink></entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user