diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index 71975fced..f0249245c 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -777,7 +777,7 @@ sub dropBcast( $$$ ) { log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; } else { log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
- }
+ } } add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 13117ee07..7e3871a77 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -211,7 +211,7 @@ our $VERSION = '4.4_11'; # } # # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
- # replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone
+ # replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone # ACCEPT policies. # # Only 'referenced' chains get written to the iptables-restore input.
@@ -629,7 +629,7 @@ sub insert_rule($$$) { # the target in the second argument. The third argument determines if a GOTO may be # used rather than a jump. The optional fourth argument specifies any matches to be # included in the rule and must end with a space character if it is non-null. The
- # optional 5th argument causes long port lists to be split. The optional 6th
+ # optional 5th argument causes long port lists to be split. The optional 6th # argument, if passed, gives the 0-relative index where the jump is to be inserted. # sub add_jump( $$$;$$$ ) {
@@ -648,7 +648,7 @@ sub add_jump( $$$;$$$ ) { # # Ensure that we have the chain unless it is a builtin like 'ACCEPT' #
- $toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin.
+ $toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin. } #
@@ -759,7 +759,7 @@ sub move_rules( $$ ) { my $name2 = $chain2->{name}; my $rules = $chain2->{rules}; my $count = @{$chain1->{rules}};
- my $tableref = $chain_table{$chain1->{table}};
+ my $tableref = $chain_table{$chain1->{table}}; # # We allow '+' in chain names and '+' is an RE meta-character. Escape it. #
@@ -767,7 +767,7 @@ sub move_rules( $$ ) { for ( @{$chain1->{rules}} ) { adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
- }
+ } if ( $debug ) { my $rule = @{$chain1->{rules}};
@@ -828,7 +828,7 @@ sub copy_rules( $$ ) { delete $chain1->{references}{$name2}; unless ( keys %{$chain1->{references}} ) { delete_chain $chain1;
- }
+ } } }
@@ -1411,8 +1411,8 @@ sub optimize_chain( $ ) { if ( $chainref->{referenced} ) { my $rules = $chainref->{rules}; my $count = 0;
-
- pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain
+
+ pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT(?:$|\s)/;
@@ -1439,7 +1439,7 @@ sub optimize_chain( $ ) { $count++; trace( $chainref, 'R', $rule, $_ ) if $debug; }
- }
+ } } progress_message " $count references to ACCEPT policy chain $chainref->{name} replaced";
@@ -1499,7 +1499,7 @@ sub replace_references( $$ ) { $count++; trace( $fromref, 'R', $rule, $_ ) if $debug; }
- }
+ } } }
@@ -1539,7 +1539,7 @@ sub replace_references1( $$$ ) { # # The caller has ensured that $matches does not contain /! -[piosd] / #
- my $hasp = $matches =~ / -p /;
+ my $hasp = $matches =~ / -p /; my $hasi = $matches =~ / -i /; my $haso = $matches =~ / -o /; my $hass = $matches =~ / -s /;
@@ -1606,7 +1606,7 @@ sub replace_references1( $$$ ) { } }
-
+ progress_message " $count references to chain $chainref->{name} replaced" if $count;
@@ -1614,7 +1614,7 @@ sub replace_references1( $$$ ) { } #
-# The passed builtin chain has a single rule. If the target is a user chain without 'dont"move', copy the rules from the
+# The passed builtin chain has a single rule. If the target is a user chain without 'dont"move', copy the rules from the # chain to the builtin and return true; otherwise, do nothing and return false. # sub conditionally_copy_rules( $$ ) {
@@ -1626,7 +1626,7 @@ sub conditionally_copy_rules( $$ ) { # my $basictarget = $1; my $targetref = $chain_table{$chainref->{table}}{$basictarget};
-
+ if ( $targetref && ! $targetref->{dont_move} ) { # # Move is safe -- start with an empty rule list
@@ -1689,10 +1689,10 @@ sub optimize_ruleset() { delete_chain $chainref; next; }
-
+ unless ( $chainref->{dont_optimize} ) { my $numrules = @{$chainref->{rules}};
-
+ if ( $numrules == 0 ) { # # No rules in this chain
@@ -1763,25 +1763,25 @@ sub optimize_ruleset() { } } }
-
+ # # In this loop, we look for chains that end in an unconditional jump. If the target of the jump # is subject to deletion (dont_delete = false), the jump is replaced by target's rules. # $progress = 1;
-
+ while ( $progress ) { $progress = 0; $passes++;
-
+ for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) { my $lastrule = $chainref->{rules}[-1];
-
+ if ( defined $lastrule && $lastrule =~ /^-A -[jg] (.*)$/ ) { # # Last rule is a simple branch my $targetref = $chain_table{$table}{$1};
-
+ if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) { copy_rules( $targetref, $chainref ); $progress = 1;
@@ -1806,11 +1806,11 @@ sub optimize_ruleset() { my $rules1 = $chainref1->{rules}; next if @$rules != @$rules1; next if $chainref1->{dont_delete};
-
+ for ( my $i = 0; $i <= $#$rules; $i++ ) { next CHAIN unless $rules->[$i] eq $rules1->[$i]; }
-
+ replace_references1 $chainref1, $chainref->{name}, ''; } }
@@ -1901,12 +1901,12 @@ sub logchain( $$$$$$ ) { $logtag, 'add', '' );
-
+ add_rule( $logchainref, $exceptionrule . $target ); } $logchainref;
-}
+} sub newnonatchain() { my $seq = $chainseq++;
@@ -2224,7 +2224,7 @@ sub do_ratelimit( $$ ) { } $limit .= "--hashlimit-htable-expire $expire ";
- }
+ } $limit; } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
@@ -3109,7 +3109,7 @@ sub expand_rule( $$$$$$$$$$;$ ) if ( $target =~ /-[jg]\s+([^\s]+)/ ) { my $targetref = $chain_table{$chainref->{table}}{$1}; if ( $targetref ) {
- $targetref->{referenced} = 1;
+ $targetref->{referenced} = 1; add_reference $chainref, $targetref; } }
@@ -3448,9 +3448,9 @@ sub expand_rule( $$$$$$$$$$;$ ) # Find/Create a chain that both logs and applies the target action # and jump to the log chain if all of the rule's conditions are met #
- add_jump( $chainref,
- logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
- $builtin_target{$disposition},
+ add_jump( $chainref,
+ logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
+ $builtin_target{$disposition}, $matches, 1 ); } else {
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 4e160a797..e90e936f8 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -87,22 +87,22 @@ sub generate_script_1( $ ) { emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#"; } else { my $date = localtime;
-
+ emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
+ if ( $family == F_IPV4 ) { copy $globals{SHAREDIRPL} . 'prog.header'; } else { copy $globals{SHAREDIRPL} . 'prog.header6'; }
-
+ copy2 $globals{SHAREDIR} . '/lib.common', 0; }
-
+ } my $lib = find_file 'lib.private';
-
+ copy2( $lib, $debug ) if -f $lib; emit <<'EOF';
@@ -256,7 +256,7 @@ sub generate_script_2() { push_indent; if ( $global_variables ) {
-
+ emit( 'case $COMMAND in' ); push_indent;
@@ -300,7 +300,7 @@ sub generate_script_2() { pop_indent; emit "\n}\n"; # End of detect_configuration()
-
+ } #
@@ -342,7 +342,7 @@ sub save_dynamic_chains() { pop_indent; emit ( 'else' ); push_indent;
-
+ emit ( 'rm -f ${VARDIR}/UPnP' ); emit ( 'rm -f ${VARDIR}/forwardUPnP' ); emit ( 'rm -f ${VARDIR}/dynamic' );
@@ -500,7 +500,7 @@ sub generate_script_3($) { emit "disable_ipv6\n" if $config{DISABLE_IPV6}; } else {
- emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+ emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '' ); save_dynamic_chains; mark_firewall_not_started;
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ad16be927..8621cbd43 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1181,7 +1181,7 @@ sub copy1( $ ) { print $script $here_documents if $here_documents; print $script "\n"; }
-
+ if ( $debug ) { print "GS-----> $here_documents" if $here_documents; print "GS----->\n";
@@ -1281,7 +1281,7 @@ EOF s/^(\s*)/$indent1$1$indent2/; s/ /\t/ if $indent2; }
-
+ if ( $script ) { print $script $_; print $script "\n";
@@ -1295,9 +1295,9 @@ EOF $lastlineblank = 0; } }
-
+ close IF;
-
+ unless ( $lastlineblank ) { print $script "\n" if $script; print "GS----->\n" if $trace;
@@ -1924,7 +1924,7 @@ sub numeric_option( $$$ ) { my $value = $config{$option}; my $val = $default;
-
+ if ( defined $value && $value ne '' ) { $val = numeric_value $value; fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
@@ -1937,7 +1937,7 @@ sub numeric_option( $$$ ) { sub make_mask( $ ) { 0xffffffff >> ( 32 - $_[0] );
-}
+} my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
@@ -2183,14 +2183,14 @@ sub Persistent_Snat() { $result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" ); qt1( "$iptables -t nat -F $sillyname" ); qt1( "$iptables -t nat -X $sillyname" );
-
+ } $result; } sub Mangle_Enabled() {
- if ( qt1( "$iptables -t mangle -L -n" ) ) {
+ if ( qt1( "$iptables -t mangle -L -n" ) ) { system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname"; } }
@@ -2484,7 +2484,7 @@ sub have_capability( $ ) { $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
- $capabilities{ $capability };
+ $capabilities{ $capability }; } #
@@ -2505,11 +2505,11 @@ sub determine_capabilities() { qt1( "$iptables -N $sillyname1" ); fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
- unless
+ unless qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") || qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
-
-
+
+ unless ( $config{ LOAD_HELPERS_ONLY } ) { # # Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -2518,7 +2518,7 @@ sub determine_capabilities() { $capabilities{NAT_ENABLED} = detect_capability( 'NAT_ENABLED' ); $capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' ); $capabilities{MANGLE_ENABLED} = detect_capability( 'MANGLE_ENABLED' );
-
+ if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) { $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' ); $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
@@ -2531,7 +2531,7 @@ sub determine_capabilities() { $capabilities{KLUDGEFREE} = Kludgefree1; }
- $capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' );
+ $capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' ); $capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' ); if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
@@ -2837,7 +2837,7 @@ sub get_configuration( $ ) { } check_trivalue ( 'IP_FORWARDING', 'on' );
-
+ my $val; if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
@@ -2856,7 +2856,7 @@ sub get_configuration( $ ) { } if ( $family == F_IPV6 ) {
- $val = $config{ROUTE_FILTER};
+ $val = $config{ROUTE_FILTER}; fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off'; }
@@ -2955,7 +2955,7 @@ sub get_configuration( $ ) { numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS}; numeric_option 'PROVIDER_BITS' , 8, 0; numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
-
+ if ( $config{PROVIDER_OFFSET} ) { $config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS}; fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index 5316b7c21..e39df4d49 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -501,7 +501,7 @@ sub valid_6address( $ ) { unless ( $address =~ /::$/ ) { return 0 if $address =~ /:$/; }
-
+ for my $a ( @address ) { return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 ); }
@@ -570,7 +570,7 @@ sub normalize_6addr( $ ) { 1 while $addr =~ s/::/:0:/; $addr =~ s/^0+:/0:/;
-
+ $addr; } }
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 1dc77b59c..c90b7a04e 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -286,7 +286,7 @@ sub save_policies() { } } }
-}
+} sub validate_policy() {
diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm
index 727fd6482..ab98a7bfd 100644
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -58,7 +58,7 @@ sub setup_arp_filtering() { for my $interface ( @$interfaces ) { my $value = get_interface_option $interface, 'arp_filter'; my $optional = interface_is_optional $interface;
-
+ $interface = get_physical $interface; my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
@@ -74,7 +74,7 @@ sub setup_arp_filtering() { for my $interface ( @$interfaces1 ) { my $value = get_interface_option $interface, 'arp_ignore'; my $optional = interface_is_optional $interface;
-
+ $interface = get_physical $interface; my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
@@ -118,7 +118,7 @@ sub setup_route_filtering() { for my $interface ( @$interfaces ) { my $value = get_interface_option $interface, 'routefilter'; my $optional = interface_is_optional $interface;
-
+ $interface = get_physical $interface; my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
@@ -169,7 +169,7 @@ sub setup_martian_logging() { for my $interface ( @$interfaces ) { my $value = get_interface_option $interface, 'logmartians'; my $optional = interface_is_optional $interface;
-
+ $interface = get_physical $interface; my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index be9d97060..d3d322ecb 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -158,7 +158,7 @@ sub copy_and_edit_table( $$$$ ) { my ( $duplicate, $number, $copy, $realm) = @_; # # Hack to work around problem in iproute
- #
+ # my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : ''; # # Map physical names in $copy to logical names
@@ -295,7 +295,7 @@ sub add_a_provider( ) { $gateway = ''; }
- my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $local ) =
+ my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $local ) = (0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 ); unless ( $options eq '-' ) {
@@ -340,7 +340,7 @@ sub add_a_provider( ) { } elsif ( $option eq 'local' ) { $local = 1; $track = 0 if $config{TRACK_PROVIDERS};
- $default_balance = 0 if$config{USE_DEFAULT_RT};
+ $default_balance = 0 if$config{USE_DEFAULT_RT}; } else { fatal_error "Invalid option ($option)"; }
@@ -546,7 +546,7 @@ sub start_new_if( $ ) { emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) ); push_indent; }
-
+ # # Complete any current 'if' statement in the output script #
@@ -846,7 +846,7 @@ sub handle_optional_interfaces( $ ) { my $returnvalue = verify_required_interfaces( shift ); # # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
- # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
+ # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that # wildcard are returned. # my $interfaces = find_interfaces_by_option1 'optional';
@@ -891,7 +891,7 @@ sub handle_optional_interfaces( $ ) { } if ( $config{REQUIRE_INTERFACE} ) {
- emit( '',
+ emit( '', 'if [ -z "$HAVE_INTERFACE" ]; then' , ' case "$COMMAND" in', ' start|restart|restore|refresh)'
@@ -902,7 +902,7 @@ sub handle_optional_interfaces( $ ) { } else { emit( ' if shorewall6_is_started; then' ); }
-
+ emit( ' fatal_error "No network interface available"', ' else', ' startup_error "No network interface available',
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 87ecb7fc3..8dd9f6de8 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -370,8 +370,8 @@ sub process_routestopped() { my $chainref = $filter_table->{FORWARD}; for my $host ( split /,/, $hosts ) {
- add_rule( $chainref ,
- match_source_dev( $interface ) .
+ add_rule( $chainref ,
+ match_source_dev( $interface ) . match_dest_dev( $interface ) . match_source_net( $host ) . match_dest_net( $host ) );
@@ -466,18 +466,18 @@ sub add_common_rules() { progress_message2 'Adding Anti-smurf Rules'; $chainref = new_standard_chain 'smurfs';
-
+ my $smurfdest; if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) { my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' );
-
+ log_rule_limit( $config{SMURF_LOG_LEVEL}, $smurfref, 'smurfs' , 'DROP', $globals{LOGLIMIT},
- '',
+ '', 'add', '' ); add_rule( $smurfref, '-j DROP' );
@@ -499,7 +499,7 @@ sub add_common_rules() { } else { add_commands $chainref, 'for address in $ALL_ACASTS; do'; }
-
+ incr_cmd_level $chainref; add_jump( $chainref, $smurfdest, 1, '-s $address ' ); decr_cmd_level $chainref;
@@ -582,7 +582,7 @@ sub add_common_rules() { add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; }
- add_rule( $filter_table->{forward_chain $interface} ,
+ add_rule( $filter_table->{forward_chain $interface} , "-p udp " . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT" )
@@ -1199,14 +1199,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # # Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice #
- $rule = join( '',
+ $rule = join( '', do_proto($proto, $ports, $sports), do_user( $user ) , do_test( $mark , $globals{TC_MASK} ) , do_connlimit( $connlimit ), do_time( $time ) ); } else {
- $rule = join( '',
+ $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) ,
@@ -1290,7 +1290,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $origdest = ALLIP; } }
- } else {
+ } else { if ( $server eq '' ) { fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport; } elsif ( $server =~ /^(.+)-(.+)$/ ) {
@@ -1652,7 +1652,7 @@ sub rules_target( $$ ) { my ( $zone, $zone1 ) = @_; my $chain = rules_chain( ${zone}, ${zone1} ); my $chainref = $filter_table->{$chain};
-
+ return $chain if $chainref && $chainref->{referenced}; return 'ACCEPT' if $zone eq $zone1;
@@ -2272,7 +2272,7 @@ EOF if [ -x $g_restorepath ]; then echo Restoring ${g_product:=Shorewall}...
-
+ g_recovering=Yes if run_it $g_restorepath restore; then
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 5570a195d..4db861f21 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -317,7 +317,7 @@ sub process_tc_rule( ) { require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's'); fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
+ $chain = 'tcpre'; $cmd =~ /TPROXY\((.+?)\)$/;
@@ -337,15 +337,15 @@ sub process_tc_rule( ) { } $target .= "--on-port $port";
-
+ if ( defined $ip && $ip ne '' ) { validate_address $ip, 1; $target .= " --on-ip $ip"; }
- $target .= ' --tproxy-mark';
+ $target .= ' --tproxy-mark'; }
-
+ if ( $rest ) { fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -471,13 +471,13 @@ sub process_simple_device() { emit ( "${dev}_exists=Yes", "qt \$TC qdisc del dev $physical root",
- "qt \$TC qdisc del dev $physical ingress\n"
+ "qt \$TC qdisc del dev $physical ingress\n" ); emit ( "run_tc qdisc add dev $physical handle ffff: ingress", "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n" ) if $bandwidth;
-
+ emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}"; for ( my $i = 1; $i <= 3; $i++ ) {
@@ -488,7 +488,7 @@ sub process_simple_device() { } save_progress_message_short qq(" TC Device $physical defined.");
-
+ pop_indent; emit 'else'; push_indent;
@@ -497,9 +497,9 @@ sub process_simple_device() { emit "${dev}_exists="; pop_indent; emit "fi\n";
-
+ progress_message " Simple tcdevice \"$currentline\" $done.";
-}
+} sub validate_tc_device( ) { my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -1094,14 +1094,14 @@ sub process_tc_priority() { 1 ); } else { my $postref = $mangle_table->{tcpost};
-
+ if ( $address ne '-' ) { fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-'; add_rule( $postref , join( '', match_source_net( $address) , $rule ) , 1 ); } else {
- add_rule( $postref ,
+ add_rule( $postref , join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) , 1 );
@@ -1113,7 +1113,7 @@ sub process_tc_priority() { $ipp2p = 1; }
- add_rule( $postref ,
+ add_rule( $postref , join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) , 1 ) unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
@@ -1139,8 +1139,8 @@ sub setup_simple_traffic_shaping() { my $fn1 = open_file 'tcpri'; if ( $fn1 ) {
- first_entry
- sub {
+ first_entry
+ sub { progress_message2 "$doing $fn1..."; warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces; };
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index d39cdfa85..813bc35f2 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -524,7 +524,7 @@ sub zone_report() my $grouplist = join ',', ( @$hosts ); my $exclusions = join ',', @{$groupref->{exclusions}}; $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-
+ if ( $family == F_IPV4 ) { progress_message_nocompress " $iref->{physical}:$grouplist"; } else {
@@ -734,7 +734,7 @@ sub firewall_zone() { # sub is_a_bridge( $ ) { which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
-}
+} # # Transform the passed interface name into a legal shell variable name.
@@ -960,7 +960,7 @@ sub process_interface( $$ ) { # No options specified -- auto-detect bridge # $hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
- }
+ } $physical{$physical} = $interfaces{$interface} = { name => $interface , bridge => $bridge ,
@@ -976,12 +976,12 @@ sub process_interface( $$ ) { if ( $zone ) { $netsref ||= [ allip ]; add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
- add_group_to_zone( $zone,
- $zoneref->{type},
- $interface,
- [ IPv4_MULTICAST ],
+ add_group_to_zone( $zone,
+ $zoneref->{type},
+ $interface,
+ [ IPv4_MULTICAST ], { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
- }
+ } progress_message " Interface \"$currentline\" Validated";
@@ -1034,13 +1034,13 @@ sub validate_interfaces_file( $ ) { sub map_physical( $$ ) { my ( $name, $interfaceref ) = @_; my $physical = $interfaceref->{physical};
-
+ return $physical if $name eq $interfaceref->{name}; $physical =~ s/\+$//; $physical . substr( $name, length $interfaceref->{root} );
-}
+} # # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
@@ -1061,9 +1061,9 @@ sub known_interface($) # # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root; #
- return $interfaces{$interface} = { options => $interfaceref->{options},
- bridge => $interfaceref->{bridge} ,
- name => $i ,
+ return $interfaces{$interface} = { options => $interfaceref->{options},
+ bridge => $interfaceref->{bridge} ,
+ name => $i , number => $interfaceref->{number} , physical => map_physical( $interface, $interfaceref ) };
@@ -1164,7 +1164,7 @@ sub find_interfaces_by_option( $ ) { for my $interface ( @interfaces ) { my $interfaceref = $interfaces{$interface};
-
+ next unless $interfaceref->{root}; my $optionsref = $interfaceref->{options};
@@ -1222,9 +1222,9 @@ sub set_interface_option( $$$ ) { sub verify_required_interfaces( $ ) { my $generate_case = shift;
-
+ my $returnvalue = 0;
-
+ my $interfaces = find_interfaces_by_option 'wait'; if ( @$interfaces ) {
@@ -1235,7 +1235,7 @@ sub verify_required_interfaces( $ ) { if ( $wait ) { my $physical = get_physical $interface;
-
+ if ( $physical =~ /\+$/ ) { my $base = uc chain_base $physical;
@@ -1309,7 +1309,7 @@ sub verify_required_interfaces( $ ) { emit qq(fi\n); } }
-
+ if ( $generate_case ) { emit( ';;' ); pop_indent;
@@ -1404,19 +1404,19 @@ sub compile_updown() { emit( ' detect_configuration', ' define_firewall' );
-
+ if ( $wildcard ) { emit( ' elif [ "$state" = started ]; then', ' COMMAND=restart', ' detect_configuration', ' define_firewall' ); } else {
- emit( ' else',
+ emit( ' else', ' COMMAND=stop', ' detect_configuration', ' stop_firewall' ); }
-
+ emit( ' fi', ' ;;' );
@@ -1454,11 +1454,11 @@ sub compile_updown() { ' detect_configuration', ' define_firewall', ' ;;',
- ' esac',
+ ' esac', ); pop_indent;
-
+ emit( 'esac' ); pop_indent;
@@ -1466,7 +1466,7 @@ sub compile_updown() { emit( '}', '', );
-}
+} # # Process a record in the hosts file