From 5dd41249c6c47a708c0cfa621514bb7538f7b728 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 20 Aug 2009 14:32:15 -0700
Subject: [PATCH] Remove trailing whitespace
---
Shorewall/Perl/Shorewall/Accounting.pm | 2 +-
Shorewall/Perl/Shorewall/Actions.pm | 12 ++--
Shorewall/Perl/Shorewall/Chains.pm | 76 +++++++++++++-------------
Shorewall/Perl/Shorewall/Compiler.pm | 26 ++++-----
Shorewall/Perl/Shorewall/Config.pm | 54 +++++++++---------
Shorewall/Perl/Shorewall/IPAddrs.pm | 24 ++++----
Shorewall/Perl/Shorewall/Policy.pm | 10 ++--
Shorewall/Perl/Shorewall/Providers.pm | 44 +++++++--------
Shorewall/Perl/Shorewall/Proxyarp.pm | 2 +-
Shorewall/Perl/Shorewall/Raw.pm | 2 +-
Shorewall/Perl/Shorewall/Rules.pm | 76 +++++++++++++-------------
Shorewall/Perl/Shorewall/Tc.pm | 54 +++++++++---------
Shorewall/Perl/Shorewall/Zones.pm | 36 ++++++------
Shorewall/Perl/compiler.pl | 8 +--
Shorewall/Perl/prog.footer | 4 +-
Shorewall/Perl/prog.footer6 | 6 +-
Shorewall/Perl/prog.header6 | 6 +-
17 files changed, 221 insertions(+), 221 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 0fa7fd639..e6648b33c 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -98,7 +98,7 @@ sub process_accounting_rule( ) { } elsif ( $cmd ne 'JUMP' ) { accounting_error; } - } + } $target = jump_to_chain $action; }
diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index dc2c10ce8..64432c002 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -91,7 +91,7 @@ our $family; our $macro_commands = { COMMENT => 0, FORMAT => 2 }; # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -228,7 +228,7 @@ sub merge_macro_column( $$ ) { # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action. # sub isolate_basic_target( $ ) { - my $target = ( split '[/:]', $_[0])[0]; + my $target = ( split '[/:]', $_[0])[0]; $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target; }
@@ -701,7 +701,7 @@ sub process_action3( $$$$$ ) { ( $action2 , my $param ) = get_target_param $action2; - my $action2type = $targets{$action2} || 0; + my $action2type = $targets{$action2} || 0; unless ( $action2type == STANDARD ) { if ( $action2type & ACTION ) {
@@ -871,10 +871,10 @@ sub process_actions3 () { 'allowBcast' => \&allowBcast, 'dropNotSyn' => \&dropNotSyn, 'rejNotSyn' => \&rejNotSyn, - 'dropInvalid' => \&dropInvalid, + 'dropInvalid' => \&dropInvalid, 'allowInvalid' => \&allowInvalid, - 'allowinUPnP' => \&allowinUPnP, - 'forwardUPnP' => \&forwardUPnP, + 'allowinUPnP' => \&allowinUPnP, + 'forwardUPnP' => \&forwardUPnP, 'Limit' => \&Limit, ); for my $wholeaction ( keys %usedactions ) {
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 688fe2203..e0b8102ca 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -50,7 +50,7 @@ our @EXPORT = qw( $filter_table ); -our %EXPORT_TAGS = ( +our %EXPORT_TAGS = ( internal => [ qw( STANDARD NATRULE BUILTIN
@@ -83,7 +83,7 @@ our %EXPORT_TAGS = ( clear_comment incr_cmd_level decr_cmd_level - chain_base + chain_base forward_chain zone_forward_chain use_forward_chain
@@ -298,7 +298,7 @@ our %builtin_target = ( ACCEPT => 1, sub initialize_chain_table(); # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -434,7 +434,7 @@ sub push_rule( $$ ) { add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3); } else { # - # We omit the chain name for now -- this makes it easier to move rules from one + # We omit the chain name for now -- this makes it easier to move rules from one # chain to another # push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
@@ -472,7 +472,7 @@ sub handle_sport_list( $$$$$ ) { last; } else { $newports .= $port; - } + } } else { $newports .= "${port}${separator}"; }
@@ -515,7 +515,7 @@ sub handle_dport_list( $$$$$ ) { last; } else { $newports .= $port; - } + } } else { $newports .= "${port}${separator}"; }
@@ -612,7 +612,7 @@ sub add_jump( $$$;$$ ) { } # -# Purge jumps previously added via add_jump. If the target chain is empty, reset its +# Purge jumps previously added via add_jump. If the target chain is empty, reset its # referenced flag # sub purge_jump ( $$ ) {
@@ -622,7 +622,7 @@ sub purge_jump ( $$ ) { for ( @{$fromref->{rules}} ) { $_ = undef if / -[gj] ${to}\b/; } - + $toref->{referenced} = 0 unless @{$toref->{rules}}; }
@@ -672,7 +672,7 @@ sub add_tunnel_rule( $$ ) { # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to # a zone-oriented chain, hence this function. # -# The source chain must not have any run-time code included in its rules. +# The source chain must not have any run-time code included in its rules. # sub move_rules( $$ ) { my ($chain1, $chain2 ) = @_;
@@ -785,12 +785,12 @@ sub use_input_chain($) { my $nets = $interfaceref->{nets}; # # We must use the interfaces's chain if: - # + # # - the interface is associated with multiple zone nets; or # - the interface has the 'upnpclient' option. # # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules(). - # + # return 1 if $nets > 1 || $interfaceref->{options}{upnpclient}; # # Don't need it if it isn't associated with any zone
@@ -817,7 +817,7 @@ sub use_input_chain($) { $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )}; ! ( $chainref->{referenced} || $chainref->{is_policy} ) -} +} # # Output Chain for an interface
@@ -843,7 +843,7 @@ sub use_output_chain($) { my $nets = $interfaceref->{nets}; # # We must use the interfaces's chain if the interface is associated with multiple zone nets - # + # return 1 if $nets > 1; # # Don't need it if it isn't associated with any zone
@@ -851,7 +851,7 @@ sub use_output_chain($) { return 0 unless $nets; # # Interface associated with a single zone -- use the zone's output chain if it has one - # + # my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; return 0 if $chainref;
@@ -902,7 +902,7 @@ sub dnat_chain( $ ) # # Notrack Chain from a zone # -sub notrack_chain( $ ) +sub notrack_chain( $ ) { $_[0] . '_notrk'; }
@@ -989,7 +989,7 @@ sub ensure_filter_chain( $$ ) } # -# Create an accounting chain if necessary. +# Create an accounting chain if necessary. # sub ensure_accounting_chain( $ ) {
@@ -1266,7 +1266,7 @@ sub set_mss( $$$ ) { } # -# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. +# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. # sub setup_zone_mss() { for my $zone ( all_zones ) {
@@ -1305,7 +1305,7 @@ sub newnonatchain() { # # Add a jump to the passed chain # -# Return the exclusion chain. The type of the returned value +# Return the exclusion chain. The type of the returned value # matches what was passed (reference # or name). #
@@ -1374,7 +1374,7 @@ sub do_proto( $$$;$ ) my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $protonum = resolve_proto $proto; - if ( defined $protonum ) { + if ( defined $protonum ) { # # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent #
@@ -1533,7 +1533,7 @@ sub verify_mark( $ ) { sub verify_small_mark( $ ) { verify_mark ( (my $mark) = $_[0] ); - fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF ); + fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF ); } sub validate_mark( $ ) {
@@ -1580,7 +1580,7 @@ sub do_ratelimit( $$ ) { fatal_error "Rate Limiting not available with $action" if $norate{$action}; # - # "-m hashlimit" match for the passed LIMIT/BURST + # "-m hashlimit" match for the passed LIMIT/BURST # if ( $rate =~ /^[sd]:{1,2}/ ) { require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
@@ -1616,7 +1616,7 @@ sub do_connlimit( $ ) { return '' unless $limit and $limit ne '-'; - require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's'; + require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's'; my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
@@ -1741,8 +1741,8 @@ sub do_connbytes( $ ) { my $invert = $1 || ''; $invert = '! ' if $invert; my $min = $2; $min = 0 unless defined $min; my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; - my $dir = $5 || 'B'; - my $mode = $6 || 'B'; + my $dir = $5 || 'B'; + my $mode = $6 || 'B'; $dir =~ s/://; $mode =~ s/://;
@@ -1858,7 +1858,7 @@ sub match_source_net( $;$ ) { validate_range $addr1, $addr2; iprange_match . "${invert}--src-range $net "; } elsif ( $net =~ /^!?~/ ) { - fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; + fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; mac_match $net; } elsif ( $net =~ /^(!?)\+/ ) { require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
@@ -1873,7 +1873,7 @@ sub match_source_net( $;$ ) { } # -# Match a Destination. +# Match a Destination. # sub match_dest_net( $ ) { my $net = $_[0];
@@ -1950,7 +1950,7 @@ sub match_ipsec_out( $$ ) { unless ( $optionsref->{super} ) { $match = '-m policy --dir out --pol '; - + if ( $zoneref->{type} eq 'ipsec' ) { $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; } elsif ( $capabilities{POLICY_MATCH} ) {
@@ -2145,7 +2145,7 @@ sub set_chain_variables() { } else { emit 'IP=ip'; } - + if ( $config{TC} ) { emit( qq(TC="$config{TC}") , '[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
@@ -2373,21 +2373,21 @@ sub have_global_variables() { # sub set_global_variables( $ ) { - + my $setall = shift; emit $_ for values %interfaceaddr; emit $_ for values %interfacegateways; emit $_ for values %interfacemacs; - - if ( $setall ) { + + if ( $setall ) { emit $_ for values %interfaceaddrs; emit $_ for values %interfacenets; unless ( $capabilities{ADDRTYPE} ) { if ( $family == F_IPV4 ) { - emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; + emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; emit $_ for values %interfacebcasts; } else { emit 'ALL_ACASTS="$(get_all_acasts)"';
@@ -2563,7 +2563,7 @@ sub expand_rule( $$$$$$$$$$;$ ) } $dest = ''; - } elsif ( $family == F_IPV4 ) { + } elsif ( $family == F_IPV4 ) { if ( $dest =~ /^(.+?):(.+)$/ ) { $diface = $1; $dnets = $2;
@@ -2604,7 +2604,7 @@ sub expand_rule( $$$$$$$$$$;$ ) push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' ); $rule .= '-d $dest '; } else { - + fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
@@ -2800,7 +2800,7 @@ sub expand_rule( $$$$$$$$$$;$ ) $source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE}; my $dest_match = match_dest_net( $dnet ); my $predicates = join( '', $rule, $source_match, $dest_match, $onet ); - + if ( $loglevel ne '' ) { if ( $disposition ne 'LOG' ) { unless ( $logname ) {
@@ -2815,7 +2815,7 @@ sub expand_rule( $$$$$$$$$$;$ ) # # Now add the log rule and target rule without predicates to the log chain. # - log_rule_limit( + log_rule_limit( $loglevel , $chainref = $logchainref , $chain ,
@@ -2827,7 +2827,7 @@ sub expand_rule( $$$$$$$$$$;$ ) add_rule( $chainref, $exceptionrule . $target ); } else { - log_rule_limit( + log_rule_limit( $loglevel , $chainref , $logname ,
@@ -3229,7 +3229,7 @@ sub create_stop_load( $ ) { # # Test result # - emit ('', + emit ('', 'if [ $? != 0 ]; then', ' error_message "ERROR: $command Failed."', "fi\n"
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 409e28952..fb6d68268 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -246,7 +246,7 @@ sub generate_script_2() { } else { emit( 'start|restart|refresh|restore)' ); } - + push_indent; set_global_variables(1);
@@ -254,10 +254,10 @@ sub generate_script_2() { handle_optional_interfaces; emit ';;'; - + if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) { pop_indent; - + emit 'restore)'; push_indent;
@@ -362,7 +362,7 @@ sub generate_script_3($) { emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; - emit ( '' , + emit ( '' , ' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' fi' );
@@ -381,7 +381,7 @@ sub generate_script_3($) { '' ); mark_firewall_not_started; - + emit ('', 'delete_proxyarp', ''
@@ -524,14 +524,14 @@ EOF # sub compiler { - my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = + my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = ( '', '', -1, '', 0, '', '', -1 ); $export = 0; $test = 0; sub validate_boolean( $ ) { - my $val = numeric_value( shift ); + my $val = numeric_value( shift ); defined($val) && ($val >= 0) && ($val < 2); }
@@ -639,7 +639,7 @@ sub compiler { setup_notrack; enable_object; - + if ( $objectfile ) { # # Place Header in the object
@@ -656,7 +656,7 @@ sub compiler { ); push_indent; - } + } # # Do all of the zone-independent stuff #
@@ -692,7 +692,7 @@ sub compiler { # (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # enable_object; - + if ( $objectfile ) { emit( "\n#", '# Setup routing and traffic shaping',
@@ -731,7 +731,7 @@ sub compiler { # # Setup Masquerading/SNAT # - setup_masq; + setup_masq; # # Setup Nat #
@@ -796,7 +796,7 @@ sub compiler { # for stopping the firewall # Shorewall::Chains::initialize( $family ); - compile_stop_firewall( $test ); + compile_stop_firewall( $test ); # # Copy the footer to the object #
@@ -807,7 +807,7 @@ sub compiler { copy $globals{SHAREDIRPL} . 'prog.footer6'; } } - + disable_object; # # Close, rename and secure the object
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c812389b1..0f7ffbf9e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -54,7 +54,7 @@ our @EXPORT = qw( our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); -our %EXPORT_TAGS = ( internal => [ qw( create_temp_object +our %EXPORT_TAGS = ( internal => [ qw( create_temp_object finalize_object enable_object disable_object
@@ -123,7 +123,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object MIN_VERBOSITY MAX_VERBOSITY - ) ] ); + ) ] ); Exporter::export_ok_tags('internal');
@@ -202,9 +202,9 @@ our %capdesc = ( NAT_ENABLED => 'NAT', MULTIPORT => 'Multi-port Match' , XMULTIPORT => 'Extended Multi-port Match', CONNTRACK_MATCH => 'Connection Tracking Match', - OLD_CONNTRACK_MATCH => + OLD_CONNTRACK_MATCH => 'Old conntrack match syntax', - NEW_CONNTRACK_MATCH => + NEW_CONNTRACK_MATCH => 'Extended Connection Tracking Match', USEPKTTYPE => 'Packet Type Match', POLICY_MATCH => 'Policy Match',
@@ -285,7 +285,7 @@ use constant { MIN_VERBOSITY => -1, our %validlevels; # Valid log levels. # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -301,7 +301,7 @@ sub initialize( $ ) { ( $product, $Product, $toolname, $toolNAME ) = qw( shorewall Shorewall iptables IPTABLES ); } else { ( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES ); - } + } ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
@@ -466,7 +466,7 @@ sub initialize( $ ) { LOGMARK => 'LOGMARK' ); } else { $globals{SHAREDIR} = '/usr/share/shorewall6'; - $globals{CONFDIR} = '/etc/shorewall6'; + $globals{CONFDIR} = '/etc/shorewall6'; $globals{PRODUCT} = 'shorewall6'; %config =
@@ -874,9 +874,9 @@ sub set_log ( $$ ) { $log_verbose = $value; } - if ( $l && $log_verbose >= 0 ) { + if ( $l && $log_verbose >= 0 ) { unless ( open $log , '>>' , $l ) { - $log = undef; + $log = undef; fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!"; } } else {
@@ -926,7 +926,7 @@ sub progress_message { if ( $log_verbose > 1 ) { our @localtime; - @localtime = localtime unless $havelocaltime; + @localtime = localtime unless $havelocaltime; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; print $log "${leading}${line}\n";
@@ -945,7 +945,7 @@ sub progress_message_nocompress { if ( $log_verbose > 1 ) { our @localtime; - @localtime = localtime unless $havelocaltime; + @localtime = localtime unless $havelocaltime; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; print $log "@_\n";
@@ -966,7 +966,7 @@ sub progress_message2 { if ( $log_verbose > 0 ) { our @localtime; - @localtime = localtime unless $havelocaltime; + @localtime = localtime unless $havelocaltime; printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; print $log "@_\n";
@@ -1036,7 +1036,7 @@ sub copy( $ ) { $lastlineblank = 1; } else { if ( $indent ) { - s/^(\s*)/$indent1$1$indent2/; + s/^(\s*)/$indent1$1$indent2/; s/ /\t/ if $indent2; }
@@ -1368,7 +1368,7 @@ sub pop_include() { } else { $currentfile = undef; } -} +} # # This function is normally called below in read_a_line() when EOF is reached. Clients of the
@@ -1425,18 +1425,18 @@ sub shorewall { } # -# We don't announce that we are checking/compiling a file until we determine that the file contains +# We don't announce that we are checking/compiling a file until we determine that the file contains # at least one non-blank, non-commentary line. # # The argument to this function may be either a scalar or a function reference. When the first -# non-blank/non-commentary line is reached: +# non-blank/non-commentary line is reached: # # - if a function reference was passed to first_entry(), that function is called # - otherwise, the argument to first_entry() is passed to progress_message2(). # # We do this processing in read_a_line() rather than in the higher-level routines because # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement -# until we get back to the caller of read_a_line(), we could issue error messages about parsing and +# until we get back to the caller of read_a_line(), we could issue error messages about parsing and # running scripts in the file before we'd even indicated that we are processing it. # sub first_entry( $ ) {
@@ -1445,7 +1445,7 @@ sub first_entry( $ ) { if ( $reftype ) { fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE'; } -} +} sub embedded_shell( $ ) { my $multiline = shift;
@@ -1485,7 +1485,7 @@ sub embedded_shell( $ ) { sub embedded_perl( $ ) { my $multiline = shift; - my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); + my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); if ( $multiline ) { #
@@ -1516,9 +1516,9 @@ sub embedded_perl( $ ) { } unless ( defined $return ) { - fatal_error "Perl Script failed: $!" if $!; + fatal_error "Perl Script failed: $!" if $!; fatal_error "Perl Script failed"; - } + } fatal_error "Perl Script Returned False"; }
@@ -2013,7 +2013,7 @@ sub determine_capabilities( $ ) { $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); $capabilities{IPMARK_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" ); - + qt1( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" );
@@ -2272,7 +2272,7 @@ sub get_configuration( $ ) { } check_trivalue ( 'IP_FORWARDING', 'on' ); - check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; + check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; if ( $family == F_IPV4 ) { check_trivalue ( 'LOG_MARTIANS', 'on' );
@@ -2517,7 +2517,7 @@ sub append_file( $;$ ) { } else { # # Include progress message -- Pretend progress_message call was in the file - # + # $result = 1; save_progress_message "Processing $user_exit ..."; copy1 $user_exit;
@@ -2544,9 +2544,9 @@ sub run_user_exit( $ ) { fatal_error "Couldn't parse $file: $@" if $@; unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; + fatal_error "Couldn't do $file: $!" if $!; fatal_error "Couldn't do $file"; - } + } fatal_error "$file returned a false value"; }
@@ -2662,7 +2662,7 @@ END { # unlink $tempfile if $tempfile; unlink $scriptfilename if $scriptfilename; - unlink $_ for @tempfiles; + unlink $_ for @tempfiles; } 1;
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index e171ca9a0..52f07b244 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -21,7 +21,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # This module provides interfaces for dealing with IPv4 addresses, protocol names, and -# port names. It also exports functions for validating protocol- and port- (service) +# port names. It also exports functions for validating protocol- and port- (service) # related constructs. # package Shorewall::IPAddrs;
@@ -98,8 +98,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' , IPv6_LINK_ALLRTRS => 'FF01::2' , IPv6_SITE_ALLNODES => 'FF02::1' , IPv6_SITE_ALLRTRS => 'FF02::2' , - ICMP => 1, - TCP => 6, + ICMP => 1, + TCP => 6, UDP => 17, DCCP => 33, IPv6_ICMP => 58,
@@ -200,7 +200,7 @@ sub validate_4net( $$ ) { ( decodeaddr( $net ) , $vlsm ); } else { "$net/$vlsm"; - } + } } }
@@ -437,7 +437,7 @@ sub expand_port_range( $$ ) { # Break the range into groups: # # - If the first port in the remaining range is odd, then the next group is ( , ffff ). - # - Otherwise, find the largest power of two P that divides the first address such that + # - Otherwise, find the largest power of two P that divides the first address such that # the remaining range has less than or equal to P ports. The next group is # ( , ~( P-1 ) ). #
@@ -463,8 +463,8 @@ sub expand_port_range( $$ ) { } else { ( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' ); - } -} + } +} sub valid_6address( $ ) { my $address = $_[0];
@@ -625,7 +625,7 @@ sub ALLIP() { sub allip() { @allip; -} +} sub valid_address ( $ ) { $valid_address->(@_);
@@ -639,16 +639,16 @@ sub validate_net ( $$ ) { $validate_net->(@_); } -sub validate_range ($$ ) { +sub validate_range ($$ ) { $validate_range->(@_); } -sub validate_host ($$ ) { +sub validate_host ($$ ) { $validate_host->(@_); } # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -676,7 +676,7 @@ sub initialize( $ ) { $validate_net = \&validate_6net; $validate_range = \&validate_6range; $validate_host = \&validate_6host; - } + } } 1;
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 8c1322d4f..100365c79 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -130,7 +130,7 @@ sub add_or_modify_policy_chain( $$ ) { } else { push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); } -} +} sub print_policy($$$$) { my ( $source, $dest, $policy , $chain ) = @_;
@@ -159,7 +159,7 @@ sub process_a_policy() { fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client ); my $serverwild = ( "\L$server" eq 'all' ); - + fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server ); my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@@ -193,7 +193,7 @@ sub process_a_policy() { if ( defined $queue ) { fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE'; - require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); + require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); my $queuenum = numeric_value( $queue ); fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535; $policy = "NFQUEUE --queue-num $queuenum";
@@ -234,7 +234,7 @@ sub process_a_policy() { $chainref = new_policy_chain $client, $server, $policy, 0; push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); } - + $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne ''; if ( $synparams ne '' || $connlimit ne '' ) {
@@ -267,7 +267,7 @@ sub process_a_policy() { set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; print_policy $client, $zone, $policy, $chain; } - + } else { print_policy $client, $server, $policy, $chain; }
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index a73687fb8..682f64e8f 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -62,7 +62,7 @@ our $family; use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 }; # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -117,7 +117,7 @@ sub setup_route_marking() { } else { add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); } - + incr_cmd_level( $chainref ); }
@@ -270,7 +270,7 @@ sub add_a_provider( ) { } fatal_error "Unknown Interface ($interface)" unless known_interface $interface; - + my $provider = chain_base $table; my $base = uc chain_base $interface; my $gatewaycase = '';
@@ -395,7 +395,7 @@ sub add_a_provider( ) { my $realm = ''; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; - + if ( $shared ) { my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); $realm = "realm $number";
@@ -408,7 +408,7 @@ sub add_a_provider( ) { } else { start_provider( $table, $number, "if interface_is_usable $interface; then" ); } - + $provider_interfaces{$interface} = $table; emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
@@ -537,7 +537,7 @@ sub add_an_rtrule( ) { fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; if ( $dest eq '-' ) { - $dest = 'to ' . ALLIP; + $dest = 'to ' . ALLIP; } else { validate_net( $dest, 0 ); $dest = "to $dest";
@@ -599,12 +599,12 @@ sub setup_null_routing() { for ( rfc1918_networks ) { emit( qq(run_ip route replace unreachable $_) ); emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) ); - } + } } sub start_providers() { require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); - + emit ( '#', '# Undo any changes made since the last time that we [re]started -- this will not restore the default route', '#',
@@ -616,7 +616,7 @@ sub start_providers() { '# Save current routing table database so that it can be restored later', '#', 'cp /etc/iproute2/rt_tables ${VARDIR}/' ); - + } emit ( '#',
@@ -627,9 +627,9 @@ sub start_providers() { '# Initialize the file that holds \'undo\' commands', '#', '> ${VARDIR}/undo_routing' ); - + save_progress_message 'Adding Providers...'; - + emit 'DEFAULT_ROUTE='; emit 'FALLBACK_ROUTE='; emit '';
@@ -660,7 +660,7 @@ sub finish_providers() { } else { emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); } - + emit( 'fi', '' ); } else {
@@ -724,7 +724,7 @@ sub setup_providers() { first_entry "$doing $fn..."; emit ''; - + add_an_rtrule while read_a_line; }
@@ -741,10 +741,10 @@ sub setup_providers() { emit "\nif [ -z \"\$NOROUTES\" ]; then"; push_indent; - + emit "\nundo_routing"; emit 'restore_default_route'; - + if ( $config{NULL_ROUTE_RFC1918} ) { emit ( '#', '# Initialize the file that holds \'undo\' commands',
@@ -838,18 +838,18 @@ sub handle_stickiness( $ ) { if ( $havesticky ) { fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers; - + for my $providerref ( @routemarked_providers ) { my $interface = $providerref->{interface}; my $base = uc chain_base $interface; my $mark = $providerref->{mark}; - + for ( grep /-j sticky/, @{$tcpreref->{rules}} ) { my $stickyref = ensure_mangle_chain 'sticky'; my ( $rule1, $rule2 ); my $list = sprintf "sticky%03d" , $sticky++; - + for my $chainref ( $stickyref, $setstickyref ) { add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
@@ -863,7 +863,7 @@ sub handle_stickiness( $ ) { $rule1 = $_; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; } - + $rule1 =~ s/-A //; add_rule $chainref, $rule1;
@@ -874,7 +874,7 @@ sub handle_stickiness( $ ) { } decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional}; - + } }
@@ -895,7 +895,7 @@ sub handle_stickiness( $ ) { $rule1 = $_; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; } - + $rule1 =~ s/-A //; add_rule $chainref, $rule1;
@@ -913,7 +913,7 @@ sub handle_stickiness( $ ) { if ( @routemarked_providers ) { purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}}; - purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}}; + purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}}; } } 1;
diff --git a/Shorewall/Perl/Shorewall/Proxyarp.pm b/Shorewall/Perl/Shorewall/Proxyarp.pm
index eb91e4444..6c9e6aeae 100644
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -42,7 +42,7 @@ our @proxyarp; our $family; # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 20c827a4d..7ee8baf33 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -47,7 +47,7 @@ sub process_notrack_rule( $$$$$$ ) { $ports = '' if $ports eq 'any' || $ports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all'; - ( my $zone, $source) = split /:/, $source, 2; + ( my $zone, $source) = split /:/, $source, 2; my $zoneref = find_zone $zone; my $chainref = ensure_raw_chain( notrack_chain $zone ); my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 4a3f67462..8956bc8e0 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -63,7 +63,7 @@ my %rules_commands = ( COMMENT => 0, SECTION => 2 ); # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't
@@ -525,7 +525,7 @@ sub add_common_rules() { add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; } else { add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable'; - add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited'; + add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited'; } } else { add_rule $rejectref , '-j REJECT';
@@ -628,7 +628,7 @@ sub add_common_rules() { my $variable = get_interface_gateway $interface; if ( interface_is_optional $interface ) { - add_commands( $chainref, + add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) , qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) , qq(fi) ); @@ -676,7 +676,7 @@ sub setup_mac_lists( $ ) { my $chainref = new_chain $table , mac_chain $interface; if ( $family == F_IPV4 ) { - add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' + add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' if $table eq 'mangle' && get_interface_option( $interface, 'dhcp'); } else { # @@ -805,7 +805,7 @@ sub setup_mac_lists( $ ) { } else { my $variable1 = get_interface_bcasts $bridge; - add_commands( $chainref, + add_commands( $chainref, " for address1 in $variable1; do" , " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", " done" ); @@ -888,7 +888,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) { if ( $msource eq '-' ) { $msource = $source || ''; } elsif ( $msource =~ s/^DEST:?// ) { - $msource = merge_macro_source_dest $msource, $dest; + $msource = merge_macro_source_dest $msource, $dest; } else { $msource =~ s/^SOURCE:?//; $msource = merge_macro_source_dest $msource, $source; @@ -910,17 +910,17 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) { $mdest = ''; } - process_rule1( - $mtarget, - $msource, - $mdest, - merge_macro_column( $mproto, $proto ) , + process_rule1( + $mtarget, + $msource, + $mdest, + merge_macro_column( $mproto, $proto ) , merge_macro_column( $mports, $ports ) , merge_macro_column( $msports, $sports ) , - merge_macro_column( $morigdest, $origdest ) , + merge_macro_column( $morigdest, $origdest ) , merge_macro_column( $mrate, $rate ) , merge_macro_column( $muser, $user ) , - $mark, + $mark, $connlimit, $time, $wildcard 
@@ -995,7 +995,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { return; } elsif ( $actiontype & NFQ ) { - require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); + require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); my $paramval = $param eq '' ? 0 : numeric_value( $param ); fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535; $action = "NFQUEUE --queue-num $paramval"; @@ -1074,7 +1074,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { if ( $actiontype & NATONLY ) { unless ( $destzone eq '-' || $destzone eq '' ) { $destref = defined_zone( $destzone ); - + if ( $destref ) { warning_message "Destination zone ($destzone) ignored"; } else { @@ -1161,14 +1161,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { require_capability( 'NAT_ENABLED' , "$basictarget rules", '' ); # - # Isolate server port + # Isolate server port # if ( $dest =~ /^(.*)(:(.+))$/ ) { # # Server IP and Port # $server = $1; # May be empty - $serverport = $3; # Not Empty due to RE + $serverport = $3; # Not Empty due to RE $origdstports = $ports; if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) { @@ -1297,7 +1297,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { my $nonat_chain; my $chn; - + if ( $sourceref->{type} == FIREWALL ) { $nonat_chain = $nat_table->{OUTPUT}; } else { @@ -1358,7 +1358,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) { # - # It was -- delete that rule + # It was -- delete that rule # pop @{$nonat_chain->{rules}}; # @@ -1413,7 +1413,7 @@ sub process_rule ( ) { process_comment; return 1; } - + if ( $target eq 'SECTION' ) { # # read_a_line has already verified that there are exactly two tokens on the line 
@@ -1422,7 +1422,7 @@ sub process_rule ( ) { fatal_error "Duplicate or out of order SECTION $source" if $sections{$source}; $sectioned = 1; $sections{$source} = 1; - + if ( $source eq 'RELATED' ) { $sections{ESTABLISHED} = 1; finish_section 'ESTABLISHED'; @@ -1430,7 +1430,7 @@ sub process_rule ( ) { @sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); } - + $section = $source; return 1; } @@ -1459,7 +1459,7 @@ sub process_rule ( ) { # # Handle Wildcards # - + if ( $source =~ /^all[-+]/ ) { if ( $source eq 'all+' ) { $source = 'all'; @@ -1506,7 +1506,7 @@ sub process_rule ( ) { } unshift @source, firewall_zone if $includesrcfw; - } + } if ( $dest eq 'all' ) { if ( $anydest ) { @@ -1516,7 +1516,7 @@ sub process_rule ( ) { } unshift @dest, firewall_zone if $includedstfw; - } + } fatal_error "Invalid or missing ACTION ($target)" unless defined $action; @@ -1806,7 +1806,7 @@ sub generate_matrix() { clearrule; - next if $hostref->{options}{destonly}; + next if $hostref->{options}{destonly}; my $source = match_source_net $net; @@ -1996,11 +1996,11 @@ sub generate_matrix() { $excl3ref , dest_exclusion( $host1ref->{exclusions}, $chain ), 0, - join( '', - $match_source_dev, - match_dest_dev($interface1), - match_source_net($net), - match_dest_net($net1), + join( '', + $match_source_dev, + match_dest_dev($interface1), + match_source_net($net), + match_dest_net($net1), $ipsec_out_match ) ); } 
@@ -2084,11 +2084,11 @@ sub setup_mss( ) { if ( $capabilities{POLICY_MATCH} ) { $in_match = '-m policy --pol none --dir in '; $out_match = '-m policy --pol none --dir out '; - } + } for ( @$interfaces ) { my $mss = get_interface_option( $_, 'mss' ); - my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; + my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "-o $_ -j RETURN" if $clampmss; add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; @@ -2222,7 +2222,7 @@ EOF ); my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/; - + add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains; if ( $family == F_IPV6 ) { @@ -2274,7 +2274,7 @@ EOF } else { for my $interface ( all_bridges ) { emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT"; - } + } if ( $config{IP_FORWARDING} eq 'on' ) { emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding', @@ -2291,7 +2291,7 @@ EOF emit ' run_stopped_exit'; - my @ipsets = all_ipsets; + my @ipsets = all_ipsets; if ( @ipsets ) { emit <<'EOF'; @@ -2306,8 +2306,8 @@ EOF fi EOF } - - emit ' + + emit ' set_state "Stopped" logger -p kern.info "$PRODUCT Stopped" diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 28f72a266..f822ad9d5 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -202,7 +202,7 @@ our %restrictions = ( tcpre => PREROUTE_RESTRICT , our $family; # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't 
@@ -340,7 +340,7 @@ sub process_tc_rule( ) { fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff; $mask2 = $m2; } - + if ( defined $s ) { $val = numeric_value ($s); fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128; @@ -349,7 +349,7 @@ sub process_tc_rule( ) { } else { fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK'; } - + $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift"; } @@ -385,12 +385,12 @@ sub process_tc_rule( ) { if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , $restrictions{$chain} , - do_proto( $proto, $ports, $sports) . - do_user( $user ) . - do_test( $testval, $mask ) . - do_length( $length ) . - do_tos( $tos ) . - do_connbytes( $connbytes ) . + do_proto( $proto, $ports, $sports) . + do_user( $user ) . + do_test( $testval, $mask ) . + do_length( $length ) . + do_tos( $tos ) . + do_connbytes( $connbytes ) . do_helper( $helper ), $source , $dest , @@ -506,7 +506,7 @@ sub validate_tc_device( ) { if ( @redirected ) { fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband; $classify = 1; - } + } for my $rdevice ( @redirected ) { fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/; @@ -557,7 +557,7 @@ sub convert_rate( $$$ ) { sub convert_delay( $ ) { my $delay = shift; - + return 0 unless $delay; return $1 if $delay =~ /^(\d+)(ms)?$/; fatal_error "Invalid Delay ($delay)"; @@ -615,7 +615,7 @@ sub validate_tc_class( ) { fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber; $parentclass = $classnumber; $classnumber = hex_value $subnumber; - } + } fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber; fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ]; 
@@ -667,13 +667,13 @@ sub validate_tc_class( ) { if ( $devref->{qdisc} eq 'hfsc' ) { ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4; - + fatal_error "Invalid RATE ($rate)" if defined $rest; $rate = convert_rate ( $full, $trate, 'RATE' ); $dmax = convert_delay( $dmax ); $umax = convert_size( $umax ); - fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; + fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; } else { $rate = convert_rate ( $full, $rate, 'RATE' ); } @@ -734,7 +734,7 @@ sub validate_tc_class( ) { fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1; fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber; fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}}; - warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-'; + warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-'; $tcref->{occurs} = $occurs; $devref->{occurs} = 1; @@ -746,7 +746,7 @@ sub validate_tc_class( ) { unless ( $devref->{classify} || $occurs > 1 ) { fatal_error "Missing MARK" if $mark eq '-'; - warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/; + warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/; } $tcref->{flow} = $devref->{flow} unless $tcref->{flow}; @@ -780,7 +780,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x # sub process_tc_filter( ) { my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file'; - + my ($device, $class, $rest ) = split /:/, $devclass, 3; fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class ); 
@@ -831,13 +831,13 @@ sub process_tc_filter( ) { $rule .= "\\\n match ip tos $tosval $mask"; } - + if ( $length ne '-' ) { my $len = numeric_value( $length ) || 0; my $mask = $validlengths{$len}; fatal_error "Invalid LENGTH ($length)" unless $mask; $rule .="\\\n match u16 0x0000 $mask at 2"; - } + } my $protonumber = 0; @@ -886,7 +886,7 @@ sub process_tc_filter( ) { $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0"; if ( $portlist eq '-' ) { - fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" + fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP; for my $sportrange ( split_list $sportlist , 'port list' ) { @@ -910,7 +910,7 @@ sub process_tc_filter( ) { } } } else { - fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" + fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP; for my $portrange ( split_list $portlist, 'port list' ) { @@ -931,7 +931,7 @@ sub process_tc_filter( ) { my ( $port, $mask ) = ( shift @portlist, shift @portlist ); my $rule1; - + if ( $protonumber == TCP ) { $rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" ); } elsif ( $protonumber == UDP ) { @@ -967,9 +967,9 @@ sub process_tc_filter( ) { " flowid $devref->{number}:$class" ); } } - } + } } - } + } } } } @@ -984,7 +984,7 @@ sub process_tc_filter( ) { emit ''; -} +} sub setup_traffic_shaping() { our $lastrule = ''; @@ -1116,7 +1116,7 @@ sub setup_traffic_shaping() { } emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" ); - + if ( $devref->{qdisc} eq 'htb' ) { emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" ); } else { 
@@ -1129,7 +1129,7 @@ sub setup_traffic_shaping() { emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" ); } } - + emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo}; # # add filters diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 0ce162c42..f7426a07c 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -164,7 +164,7 @@ use constant { SIMPLE_IF_OPTION => 1, OBSOLETE_IF_OPTION => 5, IPLIST_IF_OPTION => 6, MASK_IF_OPTION => 7, - + IF_OPTION_ZONEONLY => 8, IF_OPTION_HOST => 16, }; @@ -174,7 +174,7 @@ our %validinterfaceoptions; our %validhostoptions; # -# Rather than initializing globals in an INIT block or during declaration, +# Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # # 1. Proper initialization depends on the address family which isn't @@ -326,7 +326,7 @@ sub set_super( $ ); sub set_super( $ ) { my $zoneref = shift; - + unless ( $zoneref->{options}{super} ) { $zoneref->{options}{super} = 1; set_super( $zones{$_} ) for @{$zoneref->{parents}}; @@ -358,7 +358,7 @@ sub process_zone( \$ ) { fatal_error "Invalid zone name ($zone)" unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH}; fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; - + if ( $type =~ /ipv([46])?/i ) { fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; $type = IP; @@ -391,11 +391,11 @@ sub process_zone( \$ ) { } } } - + for ( $options, $in_options, $out_options ) { $_ = '' if $_ eq '-'; } - + $zones{$zone} = { type => $type, parents => \@parents, bridge => '', 
@@ -410,9 +410,9 @@ sub process_zone( \$ ) { children => [] , hosts => {} }; - + return $zone; - + } # # Parse the zones file. @@ -476,7 +476,7 @@ sub zone_report() if ( $family == F_IPV4 ) { @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); - } else { + } else { @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); } @@ -530,7 +530,7 @@ sub dump_zone_contents() if ( $family == F_IPV4 ) { @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); - } else { + } else { @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); } @@ -629,7 +629,7 @@ sub add_group_to_zone($$$$$) if ( substr( $host, 0, 1 ) eq '+' ) { fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/; - require_capability( 'IPSET_MATCH', 'Ipset names in host lists', ''); + require_capability( 'IPSET_MATCH', 'Ipset names in host lists', ''); } else { validate_host $host, 0; } @@ -767,7 +767,7 @@ sub process_interface( $ ) { unless ( $networks eq '' || $networks eq 'detect' ) { my @broadcasts = split_list $networks, 'address'; - + for my $address ( @broadcasts ) { fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; } @@ -788,7 +788,7 @@ sub process_interface( $ ) { if ( $options ) { my %hostoptions = ( dynamic => 0 ); - + for my $option (split_list1 $options, 'option' ) { next if $option eq '-'; @@ -846,13 +846,13 @@ sub process_interface( $ ) { # Add all IP to the front of a list if the list begins with '!' # $value = join ',' , ALLIP , $value if $value =~ /^!/; - + if ( $value eq 'dynamic' ) { require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); $value = "+${zone}_${interface}"; $hostoptions{dynamic} = 1; $ipsets{"${zone}_${interface}"} = 1; - } + } # # Convert into a Perl array reference # 
@@ -885,7 +885,7 @@ sub process_interface( $ ) { broadcasts => $broadcasts , options => \%options }; - $nets = [ allip ] unless $nets; + $nets = [ allip ] unless $nets; add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone; @@ -1150,9 +1150,9 @@ sub process_host( ) { $hosts = "+${zone}_${interface}"; $optionsref->{dynamic} = 1; $ipsets{"${zone}_${interface}"} = 1; - + } - + add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); progress_message " Host \"$currentline\" validated"; diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index f99dae63c..89bcceea6 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl @@ -105,11 +105,11 @@ my $result = GetOptions('h' => \$help, usage(1) unless $result && @ARGV < 2; usage(0) if $help; -compiler( object => defined $ARGV[0] ? $ARGV[0] : '', - directory => $shorewall_dir, - verbosity => $verbose, +compiler( object => defined $ARGV[0] ? $ARGV[0] : '', + directory => $shorewall_dir, + verbosity => $verbose, timestamp => $timestamp, - debug => $debug, + debug => $debug, export => $export, chains => $chains, log => $log, diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 20708fa11..3847ce97b 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -200,7 +200,7 @@ get_all_bcasts() debug_restore_input() { local first second rest table chain # - # Clear the ruleset + # Clear the ruleset # qt1 $IPTABLES -t mangle -F qt1 $IPTABLES -t mangle -X @@ -291,7 +291,7 @@ usage() { # # Start trace if first arg is "debug" or "trace" # -if [ $# -gt 1 ]; then +if [ $# -gt 1 ]; then if [ "x$1" = "xtrace" ]; then set -x shift diff --git a/Shorewall/Perl/prog.footer6 b/Shorewall/Perl/prog.footer6 index cb4d8febd..84153b65b 100644 --- a/Shorewall/Perl/prog.footer6 +++ b/Shorewall/Perl/prog.footer6 
@@ -168,7 +168,7 @@ restore_dynamic_rules() { debug_restore_input() { local first second rest table chain # - # Clear the ruleset + # Clear the ruleset # qt1 $IP6TABLES -t mangle -F qt1 $IP6TABLES -t mangle -X @@ -252,7 +252,7 @@ usage() { # # Start trace if first arg is "debug" or "trace" # -if [ $# -gt 1 ]; then +if [ $# -gt 1 ]; then if [ "x$1" = "xtrace" ]; then set -x shift @@ -319,7 +319,7 @@ kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' if [ $kernel -lt 20624 ]; then error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 -else +else case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 6155336bc..66b497c6a 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -578,7 +578,7 @@ convert_to_anycast() { local l while read address; do - case $address in + case $address in 2*|3*) vlsm=${address#*/} vlsm=${vlsm:=128} @@ -626,7 +626,7 @@ convert_to_anycast() { badress=$address fi # - # Note: at this point $address and $badress are the same except possibly for + # Note: at this point $address and $badress are the same except possibly for # the contents of the last half-word # list_count $(split $address) @@ -663,7 +663,7 @@ convert_to_anycast() { # # Generate a list of anycast addresses for a given interface -# +# get_interface_acasts() # $1 = interface {