mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-08 22:58:50 +01:00
Implement INLINE_MATCHES
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
2bc329aa1d
commit
33c5893bdb
@ -82,7 +82,8 @@ sub match_arp_net( $$$ ) {
|
||||
# Process a rule in the arprules file
|
||||
#
|
||||
sub process_arprule() {
|
||||
my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
|
||||
my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry',
|
||||
{action => 0, source => 1, dest => 2, opcode => 3 } );
|
||||
|
||||
my $chainref;
|
||||
my $iifaceref;
|
||||
|
||||
@ -424,7 +424,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
|
||||
sub process_accounting_rule( ) {
|
||||
|
||||
my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
|
||||
split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
|
||||
split_line1( 'Accounting File',
|
||||
{ action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 } );
|
||||
|
||||
my $nonempty = 0;
|
||||
|
||||
|
||||
@ -125,6 +125,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
split_list2
|
||||
split_line
|
||||
split_line1
|
||||
split_line2
|
||||
first_entry
|
||||
open_file
|
||||
close_file
|
||||
@ -226,7 +227,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.5.20-Beta1';
|
||||
our $VERSION = '4.6.0-Beta1';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@ -833,6 +834,7 @@ sub initialize( $;$$) {
|
||||
CHAIN_SCRIPTS => undef,
|
||||
TRACK_RULES => undef,
|
||||
REJECT_ACTION => undef,
|
||||
INLINE_MATCHES => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -2050,8 +2052,8 @@ sub supplied( $ ) {
|
||||
# Handles all of the supported forms of column/pair specification
|
||||
# Handles segragating raw iptables input in INLINE rules
|
||||
#
|
||||
sub split_line1( $$;$$ ) {
|
||||
my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;
|
||||
sub split_line2( $$;$$$ ) {
|
||||
my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_;
|
||||
|
||||
unless ( defined $maxcolumns ) {
|
||||
my @maxcolumns = ( keys %$columnsref );
|
||||
@ -2070,18 +2072,25 @@ sub split_line1( $$;$$ ) {
|
||||
#
|
||||
fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
|
||||
|
||||
if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) {
|
||||
$inline_matches = $pairs;
|
||||
if ( $inline ) {
|
||||
#
|
||||
# This file supports INLINE
|
||||
#
|
||||
if ( $config{INLINE_MATCHES} || $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) {
|
||||
$inline_matches = $pairs;
|
||||
|
||||
if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
|
||||
#
|
||||
# Pairs are enclosed in curly brackets.
|
||||
#
|
||||
$columns = $1;
|
||||
$pairs = $2;
|
||||
} else {
|
||||
$pairs = '';
|
||||
}
|
||||
if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
|
||||
#
|
||||
# Pairs are enclosed in curly brackets.
|
||||
#
|
||||
$columns = $1;
|
||||
$pairs = $2;
|
||||
} else {
|
||||
$pairs = '';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)"
|
||||
}
|
||||
} elsif ( $currentline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) {
|
||||
#
|
||||
@ -2140,6 +2149,10 @@ sub split_line1( $$;$$ ) {
|
||||
@line;
|
||||
}
|
||||
|
||||
sub split_line1( $$;$$ ) {
|
||||
&split_line2( @_, undef );
|
||||
}
|
||||
|
||||
sub split_line($$) {
|
||||
&split_line1( @_, {} );
|
||||
}
|
||||
@ -5522,6 +5535,7 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
||||
default_yes_no 'TRACK_RULES' , '';
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
|
||||
if ( $val = $config{REJECT_ACTION} ) {
|
||||
fatal_error "Invalid Reject Action Name ($val)" unless $val =~ /^[a-zA-Z][\w-]*$/;
|
||||
|
||||
@ -82,7 +82,9 @@ sub process_tos() {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
|
||||
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
|
||||
split_line( 'tos file entry',
|
||||
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
|
||||
|
||||
$first_entry = 0;
|
||||
|
||||
@ -153,7 +155,10 @@ sub setup_ecn()
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ($interface, $hosts ) = split_line1 'ecn file entry', { interface => 0, host => 1, hosts => 1 }, {}, 2;
|
||||
my ($interface, $hosts ) = split_line1( 'ecn file entry',
|
||||
{ interface => 0, host => 1, hosts => 1 },
|
||||
{},
|
||||
2 );
|
||||
|
||||
fatal_error 'INTERFACE must be specified' if $interface eq '-';
|
||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||
@ -240,7 +245,8 @@ sub setup_blacklist() {
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line( 'blacklist file',
|
||||
{ networks => 0, proto => 1, port => 2, options => 3 } );
|
||||
|
||||
if ( $options eq '-' ) {
|
||||
$options = 'src';
|
||||
@ -400,7 +406,9 @@ sub convert_blacklist() {
|
||||
first_entry "Converting $fn...";
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
|
||||
my ( $networks, $protocol, $ports, $options ) =
|
||||
split_line( 'blacklist file',
|
||||
{ networks => 0, proto => 1, port => 2, options => 3 } );
|
||||
|
||||
if ( $options eq '-' ) {
|
||||
$options = 'src';
|
||||
@ -560,7 +568,8 @@ sub process_routestopped() {
|
||||
while ( read_a_line ( NORMAL_READ ) ) {
|
||||
|
||||
my ($interface, $hosts, $options , $proto, $ports, $sports ) =
|
||||
split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
|
||||
split_line( 'routestopped file',
|
||||
{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
|
||||
|
||||
my $interfaceref;
|
||||
|
||||
@ -686,7 +695,8 @@ sub process_stoppedrules() {
|
||||
$result = 1;
|
||||
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports ) =
|
||||
split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
|
||||
split_line1( 'stoppedrules file',
|
||||
{ target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 } );
|
||||
|
||||
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
|
||||
|
||||
@ -1220,7 +1230,9 @@ sub setup_mac_lists( $ ) {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
|
||||
my ( $original_disposition, $interface, $mac, $addresses ) =
|
||||
split_line1( 'maclist file',
|
||||
{ disposition => 0, interface => 1, mac => 2, addresses => 3 } );
|
||||
|
||||
my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
|
||||
|
||||
|
||||
@ -78,7 +78,9 @@ sub process_one_masq1( $$$$$$$$$$ )
|
||||
if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
|
||||
$interfacelist = $1;
|
||||
$inlinematches = get_inline_matches;
|
||||
}
|
||||
} elsif ( $config{INLINE_MATCHES} ) {
|
||||
$inlinematches = get_inline_matches;
|
||||
}
|
||||
#
|
||||
# Parse the remaining part of the INTERFACE column
|
||||
#
|
||||
@ -374,7 +376,11 @@ sub process_one_masq1( $$$$$$$$$$ )
|
||||
sub process_one_masq( )
|
||||
{
|
||||
my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
|
||||
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
|
||||
split_line2( 'masq file',
|
||||
{ interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 },
|
||||
{}, #Nopad
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
|
||||
|
||||
@ -489,7 +495,9 @@ sub setup_nat() {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
|
||||
my ( $external, $interfacelist, $internal, $allints, $localnat ) =
|
||||
split_line1( 'nat file',
|
||||
{ external => 0, interface => 1, internal => 2, allints => 3, local => 4 } );
|
||||
|
||||
( $interfacelist, my $digit ) = split /:/, $interfacelist;
|
||||
|
||||
@ -519,7 +527,9 @@ sub setup_netmap() {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) =
|
||||
split_line( 'netmap file',
|
||||
{ type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 } );
|
||||
|
||||
$net3 = ALLIP if $net3 eq '-';
|
||||
|
||||
|
||||
@ -416,7 +416,8 @@ sub process_a_provider( $ ) {
|
||||
my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
|
||||
|
||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) =
|
||||
split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
|
||||
split_line('providers file',
|
||||
{ table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 } );
|
||||
|
||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||
|
||||
@ -1047,7 +1048,9 @@ CEOF
|
||||
}
|
||||
|
||||
sub add_an_rtrule( ) {
|
||||
my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
|
||||
my ( $source, $dest, $provider, $priority, $originalmark ) =
|
||||
split_line( 'rtrules file',
|
||||
{ source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } );
|
||||
|
||||
our $current_if;
|
||||
|
||||
@ -1137,7 +1140,9 @@ sub add_an_rtrule( ) {
|
||||
}
|
||||
|
||||
sub add_a_route( ) {
|
||||
my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
|
||||
my ( $provider, $dest, $gateway, $device ) =
|
||||
split_line( 'routes file',
|
||||
{ provider => 0, dest => 1, gateway => 2, device => 3 } );
|
||||
|
||||
our $current_if;
|
||||
|
||||
|
||||
@ -123,7 +123,9 @@ sub setup_proxy_arp() {
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $address, $interface, $external, $haveroute, $persistent ) =
|
||||
split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
|
||||
split_line( $file_opt .
|
||||
'file ',
|
||||
{ address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 } );
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
|
||||
@ -240,7 +240,9 @@ sub setup_conntrack() {
|
||||
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
|
||||
( $source, $dest, $protos, $ports, $sports, $user, $switch ) =
|
||||
split_line1( 'Conntrack File',
|
||||
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
|
||||
$action = 'NOTRACK';
|
||||
} else {
|
||||
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
|
||||
|
||||
@ -1675,11 +1675,16 @@ sub process_action($$) {
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
||||
split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
|
||||
split_line1(
|
||||
'action file',
|
||||
{ target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 },
|
||||
$rule_commands );
|
||||
$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
|
||||
} else {
|
||||
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line1 'action file', \%rulecolumns, $action_commands;
|
||||
= split_line1( 'action file',
|
||||
\%rulecolumns,
|
||||
$action_commands );
|
||||
}
|
||||
|
||||
fatal_error 'TARGET must be specified' if $target eq '-';
|
||||
@ -1746,7 +1751,11 @@ sub process_actions() {
|
||||
open_file( $file, 2 );
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
|
||||
my ( $action, $options ) = split_line2( 'action file',
|
||||
{ action => 0, options => 1 },
|
||||
{}, #Nopad
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION );
|
||||
my $noinline = 0;
|
||||
@ -1889,7 +1898,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) =
|
||||
split_line2( 'macro file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
|
||||
} else {
|
||||
( $mtarget,
|
||||
@ -1906,7 +1920,11 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) {
|
||||
$mtime,
|
||||
$mheaders,
|
||||
$mcondition,
|
||||
$mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
|
||||
$mhelper ) = split_line2( 'macro file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
}
|
||||
|
||||
fatal_error 'TARGET must be specified' if $mtarget eq '-';
|
||||
@ -2031,7 +2049,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) {
|
||||
$mtime,
|
||||
$mheaders,
|
||||
$mcondition,
|
||||
$mhelper ) = split_line1 'inline action file', \%rulecolumns, $rule_commands;
|
||||
$mhelper ) = split_line2( 'inline action file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
|
||||
fatal_error 'TARGET must be specified' if $mtarget eq '-';
|
||||
|
||||
@ -2190,6 +2213,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$param = '' unless defined $param;
|
||||
}
|
||||
}
|
||||
} elsif ( $config{INLINE_MATCHES} ) {
|
||||
$raw_matches = get_inline_matches;
|
||||
}
|
||||
#
|
||||
# Determine the validity of the action
|
||||
@ -3116,7 +3141,12 @@ sub build_zone_list( $$$\$\$ ) {
|
||||
#
|
||||
sub process_raw_rule ( ) {
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line1 'rules file', \%rulecolumns, $rule_commands;
|
||||
= split_line2( 'rules file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
|
||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||
|
||||
|
||||
@ -316,13 +316,14 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
fatal_error 'MARK must be specified' if $originalmark eq '-';
|
||||
|
||||
my $inline;
|
||||
my $raw = '';
|
||||
|
||||
if ( $inline = ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) ) {
|
||||
if ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) {
|
||||
$originalmark = $1;
|
||||
$originalmark .= $2 if $2;
|
||||
$raw = get_inline_matches;
|
||||
} elsif ( $config{INLINE_MATCHES} ) {
|
||||
$raw = get_inline_matches;
|
||||
}
|
||||
|
||||
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
|
||||
@ -828,11 +829,19 @@ sub process_tc_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
|
||||
if ( $family == F_IPV4 ) {
|
||||
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
|
||||
split_line2( 'tcrules file',
|
||||
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 },
|
||||
{},
|
||||
15,
|
||||
1 );
|
||||
$headers = '-';
|
||||
} else {
|
||||
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
|
||||
split_line2( 'tcrules file',
|
||||
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },
|
||||
{},
|
||||
16,
|
||||
1 );
|
||||
}
|
||||
|
||||
for my $proto (split_list( $protos, 'Protocol' ) ) {
|
||||
@ -959,7 +968,9 @@ sub process_flow($) {
|
||||
}
|
||||
|
||||
sub process_simple_device() {
|
||||
my ( $device , $type , $in_rate , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
|
||||
my ( $device , $type , $in_rate , $out_part ) =
|
||||
split_line( 'tcinterfaces',
|
||||
{ interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 } );
|
||||
|
||||
fatal_error 'INTERFACE must be specified' if $device eq '-';
|
||||
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
||||
@ -1088,7 +1099,9 @@ sub process_simple_device() {
|
||||
my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
|
||||
|
||||
sub validate_tc_device( ) {
|
||||
my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
|
||||
my ( $device, $inband, $outband , $options , $redirected ) =
|
||||
split_line( 'tcdevices',
|
||||
{ interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 } );
|
||||
|
||||
fatal_error 'INTERFACE must be specified' if $device eq '-';
|
||||
fatal_error "Invalid tcdevices entry" if $outband eq '-';
|
||||
@ -1299,7 +1312,8 @@ sub validate_filter_priority( $$ ) {
|
||||
|
||||
sub validate_tc_class( ) {
|
||||
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
|
||||
split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
|
||||
split_line( 'tcclasses file',
|
||||
{ interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 } );
|
||||
my $classnumber = 0;
|
||||
my $devref;
|
||||
my $device = $devclass;
|
||||
@ -1962,7 +1976,8 @@ sub process_tc_filter1( $$$$$$$$$ ) {
|
||||
sub process_tc_filter() {
|
||||
|
||||
my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
|
||||
= split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
|
||||
= split_line( 'tcfilters file',
|
||||
{ class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 } );
|
||||
|
||||
fatal_error 'CLASS must be specified' if $devclass eq '-';
|
||||
|
||||
@ -2061,7 +2076,9 @@ sub process_tc_priority1( $$$$$$ ) {
|
||||
}
|
||||
|
||||
sub process_tc_priority() {
|
||||
my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
|
||||
my ( $band, $protos, $ports , $address, $interface, $helper ) =
|
||||
split_line1( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
|
||||
|
||||
fatal_error 'BAND must be specified' if $band eq '-';
|
||||
|
||||
@ -2505,7 +2522,8 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
|
||||
#
|
||||
sub process_secmark_rule() {
|
||||
my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
|
||||
split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
|
||||
split_line1( 'Secmarks file' ,
|
||||
{ secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
|
||||
|
||||
fatal_error 'SECMARK must be specified' if $secmark eq '-';
|
||||
|
||||
|
||||
@ -291,7 +291,11 @@ sub setup_tunnels() {
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
|
||||
my ( $kind, $zone, $gateway, $gatewayzones ) =
|
||||
split_line1( 'tunnels file',
|
||||
{ type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 },
|
||||
{},
|
||||
4 );
|
||||
|
||||
fatal_error 'TYPE must be specified' if $kind eq '-';
|
||||
|
||||
|
||||
@ -503,7 +503,8 @@ sub process_zone( \$ ) {
|
||||
my @parents;
|
||||
|
||||
my ($zone, $type, $options, $in_options, $out_options ) =
|
||||
split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
|
||||
split_line( 'zones file',
|
||||
{ zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 } );
|
||||
|
||||
fatal_error 'ZONE must be specified' if $zone eq '-';
|
||||
|
||||
@ -1079,9 +1080,12 @@ sub process_interface( $$ ) {
|
||||
my $bridge = '';
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
|
||||
($zone, $originalinterface, $bcasts, $options ) =
|
||||
split_line1( 'interfaces file',
|
||||
{ zone => 0, interface => 1, broadcast => 2, options => 3 } );
|
||||
} else {
|
||||
($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
|
||||
($zone, $originalinterface, $options ) = split_line1( 'interfaces file',
|
||||
{ zone => 0, interface => 1, options => 2 } );
|
||||
$bcasts = '-';
|
||||
}
|
||||
|
||||
@ -1939,7 +1943,10 @@ sub verify_required_interfaces( $ ) {
|
||||
#
|
||||
sub process_host( ) {
|
||||
my $ipsec = 0;
|
||||
my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
|
||||
my ($zone, $hosts, $options ) = split_line1( 'hosts file',
|
||||
{ zone => 0, host => 1, hosts => 1, options => 2 },
|
||||
{},
|
||||
3 );
|
||||
|
||||
fatal_error 'ZONE must be specified' if $zone eq '-';
|
||||
fatal_error 'HOSTS must be specified' if $hosts eq '-';
|
||||
|
||||
@ -162,6 +162,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -173,6 +173,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
|
||||
@ -171,6 +171,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -174,6 +174,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -162,6 +162,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -142,7 +142,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term> (Formerly called SUBNET) -
|
||||
<term>(Formerly called SUBNET) -
|
||||
{<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
|
||||
|
||||
@ -677,6 +677,17 @@
|
||||
INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
|
||||
eth1 0.0.0.0/0 70.90.191.123
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>, then these
|
||||
rules may be specified as follows:</para>
|
||||
|
||||
<programlisting>/etc/shorewall/masq:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
|
||||
eth1 0.0.0.0/0 70.90.191.123
|
||||
</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -498,6 +498,12 @@ INLINE(2):P eth0 - ; -p tcp
|
||||
INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
|
||||
INLINE eth0 - ; -p tcp -j MARK --set-mark 2
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink> then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -1005,6 +1005,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||
url="shorewall6-rules.html">shorewall-rules(5)</ulink>, a semicolon
|
||||
separates column-oriented specifications on the left from <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||
specified, the specifications on the right are interpreted as if
|
||||
INLINE had been specified in the ACTION column. If not specified or
|
||||
if specified as the empty value, the value 'No' is assumed for
|
||||
backward compatibility.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||
|
||||
@ -151,6 +151,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
|
||||
@ -151,6 +151,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
|
||||
@ -151,6 +151,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -151,6 +151,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
@ -151,6 +151,8 @@ HELPERS=
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
|
||||
IPSET_WARNINGS=Yes
|
||||
|
||||
IP_FORWARDING=Off
|
||||
|
||||
@ -533,6 +533,17 @@
|
||||
INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
|
||||
sit1 0.0.0.0/0 2001:470:a:227::2
|
||||
</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall6.conf(5)</ulink>, then these
|
||||
rules may be specified as follows:</para>
|
||||
|
||||
<programlisting>/etc/shorewall/masq:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
sit1 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
|
||||
sit1 0.0.0.0/0 2001:470:a:227::2
|
||||
</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -527,6 +527,15 @@ INLINE(2):P eth0 - tcp 22
|
||||
INLINE(2):P eth0 - ; -p tcp
|
||||
INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
|
||||
INLINE eth0 - ; -p tcp -j MARK --set-mark 2</programlisting>
|
||||
|
||||
<para>If INLINE_MATCHES=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink> then the
|
||||
third rule above can be specified as follows:</para>
|
||||
|
||||
<programlisting>2:P eth0 - ; -p tcp</programlisting>
|
||||
|
||||
<para>In other words, when only matches are given after the ';',
|
||||
INLINE is unnecessary.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -876,6 +876,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INLINE_MATCHES=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.0. Traditionally in <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>, a semicolon
|
||||
separates column-oriented specifications on the left from <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#Pairs">alternative
|
||||
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
|
||||
specified, the specifications on the right are interpreted as if
|
||||
INLINE had been specified in the ACTION column. If not specified or
|
||||
if specified as the empty value, the value 'No' is assumed for
|
||||
backward compatibility.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user