parent
6e7a7b7f39
commit
512008170d
@ -507,9 +507,7 @@ sub decr_cmd_level( $ ) {
|
|||||||
sub trace( $$$$ ) {
|
sub trace( $$$$ ) {
|
||||||
my ($chainref, $action, $rulenum, $message) = @_;
|
my ($chainref, $action, $rulenum, $message) = @_;
|
||||||
|
|
||||||
my $heading = $rulenum ?
|
my $heading = $rulenum ? sprintf "NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum : sprintf "NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};
|
||||||
sprintf "NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum :
|
|
||||||
sprintf "NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};
|
|
||||||
|
|
||||||
my $length = length $heading;
|
my $length = length $heading;
|
||||||
|
|
||||||
@ -1256,8 +1254,7 @@ sub add_jump( $$$;$$$ ) {
|
|||||||
#
|
#
|
||||||
# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
|
# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
|
||||||
#
|
#
|
||||||
$toref = ensure_chain( $fromref->{table} , $to )
|
$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin.
|
||||||
unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin.
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1389,13 +1386,11 @@ sub ensure_accounting_chain( $$$ )
|
|||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
if ( $chainref ) {
|
if ( $chainref ) {
|
||||||
fatal_error "Non-accounting chain ($chain) used in an accounting rule"
|
fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
|
||||||
unless $chainref->{accounting};
|
|
||||||
$chainref->{restriction} |= $restriction;
|
$chainref->{restriction} |= $restriction;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
||||||
fatal_error "Invalid Chain name ($chain)"
|
fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
|
||||||
unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
|
|
||||||
$chainref = new_chain 'filter' , $chain;
|
$chainref = new_chain 'filter' , $chain;
|
||||||
$chainref->{accounting} = 1;
|
$chainref->{accounting} = 1;
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
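Review bot: The chain-name check on the `fatal_error "Invalid Chain name ($chain)"` line anchors with `$`, which in Perl also matches before a trailing newline, so a name ending in "\n" would satisfy `^[-\w]+$` and reach `new_chain`; `\A` and `\z` pin the whole string: `unless $chain =~ /\A[-\w]+\z/ && ! ( $builtin_target{$chain} || $config_files{$chain} );`. The caller presumably whitespace-splits the config field before it gets here, so the practical exposure is likely nil, but the tighter anchors state the intent and cost nothing. The same `^…$` shape appears in the new_manual_chain hunk and in mac_match's address check. ensure_accounting_chain's body starts before this hunk and continues past it.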
@ -1486,8 +1481,7 @@ sub new_nat_chain($) {
|
|||||||
sub new_manual_chain($) {
|
sub new_manual_chain($) {
|
||||||
my $chain = $_[0];
|
my $chain = $_[0];
|
||||||
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
||||||
fatal_error "Invalid Chain name ($chain)"
|
fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
|
||||||
unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
|
|
||||||
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
|
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
|
||||||
$targets{$chain} = CHAIN;
|
$targets{$chain} = CHAIN;
|
||||||
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
|
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
|
||||||
@ -2242,23 +2236,17 @@ sub do_proto( $$$;$ )
|
|||||||
$output = "-p $proto --syn ";
|
$output = "-p $proto --syn ";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname"
|
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
|
||||||
if $invert && ($ports ne '' || $sports ne '');
|
|
||||||
|
|
||||||
PROTO:
|
PROTO:
|
||||||
{
|
{
|
||||||
if ( $proto == TCP ||
|
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||||
$proto == UDP ||
|
|
||||||
$proto == SCTP ||
|
|
||||||
$proto == DCCP ||
|
|
||||||
$proto == UDPLITE ) {
|
|
||||||
my $multiport = 0;
|
my $multiport = 0;
|
||||||
|
|
||||||
if ( $ports ne '' ) {
|
if ( $ports ne '' ) {
|
||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||||
fatal_error "Port lists require Multiport support in your kernel/iptables"
|
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||||
unless have_capability( 'MULTIPORT' );
|
|
||||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||||
|
|
||||||
if ( port_count ( $ports ) > 15 ) {
|
if ( port_count ( $ports ) > 15 ) {
|
||||||
@ -2303,8 +2291,7 @@ sub do_proto( $$$;$ )
|
|||||||
last PROTO; }
|
last PROTO; }
|
||||||
|
|
||||||
if ( $proto == ICMP ) {
|
if ( $proto == ICMP ) {
|
||||||
fatal_error "ICMP not permitted in an IPv6 configuration"
|
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
||||||
if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
|
||||||
if ( $ports ne '' ) {
|
if ( $ports ne '' ) {
|
||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
|
|
||||||
@ -2328,8 +2315,7 @@ sub do_proto( $$$;$ )
|
|||||||
last PROTO; }
|
last PROTO; }
|
||||||
|
|
||||||
if ( $proto == IPv6_ICMP ) {
|
if ( $proto == IPv6_ICMP ) {
|
||||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration"
|
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||||
if $family == F_IPV4;
|
|
||||||
if ( $ports ne '' ) {
|
if ( $ports ne '' ) {
|
||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
|
|
||||||
@ -2353,8 +2339,7 @@ sub do_proto( $$$;$ )
|
|||||||
last PROTO; }
|
last PROTO; }
|
||||||
|
|
||||||
|
|
||||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname"
|
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
|
||||||
if $ports ne '' || $sports ne '';
|
|
||||||
|
|
||||||
} # PROTO
|
} # PROTO
|
||||||
|
|
||||||
@ -2372,10 +2357,7 @@ sub do_proto( $$$;$ )
|
|||||||
$options .= " --$_" for split /,/, $ports;
|
$options .= " --$_" for split /,/, $ports;
|
||||||
}
|
}
|
||||||
|
|
||||||
$options = have_capability( 'OLD_IPP2P_MATCH' ) ?
|
$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||||
' --ipp2p' :
|
|
||||||
' --edk --kazaa --gnu --dc'
|
|
||||||
unless $options;
|
|
||||||
|
|
||||||
$output .= "${proto}-m ipp2p${options} ";
|
$output .= "${proto}-m ipp2p${options} ";
|
||||||
} else {
|
} else {
|
||||||
@ -2386,8 +2368,7 @@ sub do_proto( $$$;$ )
|
|||||||
#
|
#
|
||||||
# No protocol
|
# No protocol
|
||||||
#
|
#
|
||||||
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO"
|
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
|
||||||
if $ports ne '' || $sports ne '';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$output;
|
$output;
|
||||||
@ -2400,8 +2381,7 @@ sub mac_match( $ ) {
|
|||||||
my $invert = ( $1 ? '! ' : '');
|
my $invert = ( $1 ? '! ' : '');
|
||||||
$mac =~ tr/-/:/;
|
$mac =~ tr/-/:/;
|
||||||
|
|
||||||
fatal_error "Invalid MAC address ($mac)"
|
fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
|
||||||
unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
|
|
||||||
|
|
||||||
"--match mac ${invert}--mac-source $mac ";
|
"--match mac ${invert}--mac-source $mac ";
|
||||||
}
|
}
|
||||||
@ -2422,16 +2402,13 @@ sub verify_mark( $ ) {
|
|||||||
#
|
#
|
||||||
# Not a valid TC mark -- must be a provider mark or a user mark
|
# Not a valid TC mark -- must be a provider mark or a user mark
|
||||||
#
|
#
|
||||||
fatal_error "Invalid Mark or Mask value ($mark)"
|
fatal_error "Invalid Mark or Mask value ($mark)" unless ( $value & $globals{PROVIDER_MASK} ) == $value || ( $value & $globals{USER_MASK} ) == $value;
|
||||||
unless ( $value & $globals{PROVIDER_MASK} ) == $value ||
|
|
||||||
( $value & $globals{USER_MASK} ) == $value;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub verify_small_mark( $ ) {
|
sub verify_small_mark( $ ) {
|
||||||
verify_mark ( (my $mark) = $_[0] );
|
verify_mark ( (my $mark) = $_[0] );
|
||||||
fatal_error "Mark value ($mark) too large"
|
fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
|
||||||
if numeric_value( $mark ) > $globals{TC_MAX};
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sub validate_mark( $ ) {
|
sub validate_mark( $ ) {
|
||||||
@ -2462,9 +2439,7 @@ sub do_test ( $$ )
|
|||||||
$mask = '' unless defined $mask;
|
$mask = '' unless defined $mask;
|
||||||
|
|
||||||
my $invert = $testval =~ s/^!// ? '! ' : '';
|
my $invert = $testval =~ s/^!// ? '! ' : '';
|
||||||
my $match = $testval =~ s/:C$// ?
|
my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark";
|
||||||
"-m connmark ${invert}--mark" :
|
|
||||||
"-m mark ${invert}--mark";
|
|
||||||
|
|
||||||
fatal_error "Invalid MARK value ($originaltestval)" if $testval eq '/';
|
fatal_error "Invalid MARK value ($originaltestval)" if $testval eq '/';
|
||||||
|
|
||||||
@ -2578,16 +2553,13 @@ sub do_time( $ ) {
|
|||||||
} elsif ( $element =~ /^weekdays=(.*)$/ ) {
|
} elsif ( $element =~ /^weekdays=(.*)$/ ) {
|
||||||
my $days = $1;
|
my $days = $1;
|
||||||
for my $day ( split /,/, $days ) {
|
for my $day ( split /,/, $days ) {
|
||||||
fatal_error "Invalid weekday ($day)"
|
fatal_error "Invalid weekday ($day)" unless $day =~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ || ( $day =~ /^\d$/ && $day && $day <= 7);
|
||||||
unless $day =~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ ||
|
|
||||||
( $day =~ /^\d$/ && $day && $day <= 7);
|
|
||||||
}
|
}
|
||||||
$result .= "--weekday $days ";
|
$result .= "--weekday $days ";
|
||||||
} elsif ( $element =~ /^monthdays=(.*)$/ ) {
|
} elsif ( $element =~ /^monthdays=(.*)$/ ) {
|
||||||
my $days = $1;
|
my $days = $1;
|
||||||
for my $day ( split /,/, $days ) {
|
for my $day ( split /,/, $days ) {
|
||||||
fatal_error "Invalid day of the month ($day)"
|
fatal_error "Invalid day of the month ($day)" unless $day =~ /^\d{1,2}$/ && $day && $day <= 31;
|
||||||
unless $day =~ /^\d{1,2}$/ && $day && $day <= 31;
|
|
||||||
}
|
}
|
||||||
} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
|
} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
|
||||||
$result .= "--$1 $2 ";
|
$result .= "--$1 $2 ";
|
||||||
|