Remove whitespace from blank lines

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-22 15:55:20 +00:00
parent 45c6c2ad1f
commit 5ff0ac8961
19 changed files with 233 additions and 245 deletions


@ -286,7 +286,7 @@ sub createlogactionchain( $$ ) {
my $chain = $action;
my $actionref = $actions{$action};
my $chainref;
my ($lev, $tag) = split ':', $level;
validate_level $lev;
@ -304,7 +304,7 @@ sub createlogactionchain( $$ ) {
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
unless ( $targets{$action} & STANDARD ) {
my $file = find_file $chain;
@ -752,7 +752,7 @@ sub process_actions3 () {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
}
if ( $family == F_IPV4 ) {
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
} else {


@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
OUTPUT_RESTRICT
POSTROUTE_RESTRICT
ALL_RESTRICT
add_command
add_commands
move_rules
@ -140,7 +140,6 @@ our %EXPORT_TAGS = (
match_ipsec_out
log_rule
expand_rule
addrawjump
addnatjump
get_interface_address
get_interface_addresses
@ -384,7 +383,7 @@ sub clear_comment() {
#
sub macro_comment( $ ) {
my $macro = $_[0];
$comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} );
}
@ -443,22 +442,22 @@ sub push_rule( $$ ) {
sub handle_sport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
# More than 15 ports specified
#
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
@ -471,7 +470,7 @@ sub handle_sport_list( $$$$$ ) {
$newports .= "${port}${separator}";
}
}
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
}
} else {
@ -486,22 +485,22 @@ sub handle_sport_list( $$$$$ ) {
sub handle_dport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
# More than 15 ports specified
#
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
@ -516,7 +515,7 @@ sub handle_dport_list( $$$$$ ) {
}
my $newrule = join( '', $first, $newports, $rest );
if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_sport_list( $chainref, $newrule, $1, $2, $3 );
} else {
@ -548,7 +547,7 @@ sub add_rule($$;$)
#
# By post-processing each rule generated by expand_rule(), we avoid all of that
# messiness and replace it with the following localized messiness.
if ( $expandports ) {
if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
#
@ -592,7 +591,7 @@ sub add_jump( $$$;$ ) {
#
$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
}
#
# If the destination is a chain, mark it referenced
#
@ -638,7 +637,7 @@ sub add_tunnel_rule( $$ ) {
insert_rule1( $chainref, $chainref->{new}++, $rule );
}
#
# Move the rules from one chain to another
#
@ -746,7 +745,7 @@ sub use_input_chain($) {
return 0 unless $nets;
my $zone = $interfaceref->{zone};
return 1 unless $zone;
#
# Interface associated with a single zone -- Must use the interface chain if
@ -1081,7 +1080,7 @@ sub initialize_chain_table()
for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP';
}
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
new_builtin_chain 'nat', $chain, 'ACCEPT';
}
@ -1128,7 +1127,7 @@ sub initialize_chain_table()
for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP';
}
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
new_builtin_chain 'nat', $chain, 'ACCEPT';
}
@ -1145,7 +1144,7 @@ sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
my $chain = $chainref->{name};
my $savecomment = $comment;
$comment = '';
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
@ -1169,7 +1168,7 @@ sub finish_chain_section ($$) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
@ -1269,27 +1268,27 @@ sub newexclusionchain() {
#
sub source_exclusion( $$ ) {
my ( $exclusions, $target ) = @_;
return $target unless @$exclusions;
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $target, 1 );
reftype $target ? $chainref : $chainref->{name};
}
sub dest_exclusion( $$ ) {
my ( $exclusions, $target ) = @_;
return $target unless @$exclusions;
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $target, 1 );
reftype $target ? $chainref : $chainref->{name};
}
@ -1318,7 +1317,7 @@ sub do_proto( $$$ )
$sports = '' if $sports eq '-';
if ( $proto ne '' ) {
my $synonly = ( $proto =~ s/:syn$//i );
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto;
@ -1360,7 +1359,7 @@ sub do_proto( $$$ )
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
}
if ( $sports ne '' ) {
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) {
@ -1372,9 +1371,9 @@ sub do_proto( $$$ )
$output .= "--sport ${invert}${sports} ";
}
}
last PROTO; }
if ( $proto == ICMP ) {
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
if ( $ports ne '' ) {
@ -1383,7 +1382,7 @@ sub do_proto( $$$ )
$ports = validate_icmp $ports;
$output .= "--icmp-type ${invert}${ports} ";
}
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
last PROTO; }
@ -1396,7 +1395,7 @@ sub do_proto( $$$ )
$ports = validate_icmp6 $ports;
$output .= "--icmpv6-type ${invert}${ports} ";
}
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
last PROTO; }
@ -1408,18 +1407,18 @@ sub do_proto( $$$ )
} else {
fatal_error '":syn" is only allowed with tcp' if $synonly;
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
my $p = $2 ? lc $3 : 'tcp';
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
$proto = '-p ' . proto_name($p) . ' ';
my $options = '';
if ( $ports ne 'ipp2p' ) {
$options .= " --$_" for split /,/, $ports;
}
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
$output .= "${proto}-m ipp2p${options} ";
@ -1552,7 +1551,7 @@ sub do_time( $ ) {
require_capability 'TIME_MATCH', 'A non-empty TIME', 's';
my $result = '-m time ';
for my $element (split /&/, $time ) {
fatal_error "Invalid time element list ($time)" unless defined $element && $element;
@ -1577,7 +1576,7 @@ sub do_time( $ ) {
fatal_error "Invalid time element ($element)";
}
}
$result;
}
@ -1657,7 +1656,7 @@ sub do_connbytes( $ ) {
my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max;
my $dir = $5 || 'B';
my $mode = $6 || 'B';
$dir =~ s/://;
$mode =~ s/://;
@ -1876,7 +1875,7 @@ sub log_rule_limit( $$$$$$$$ ) {
$level = validate_level $level; # Do this here again because this function can be called directly from user exits.
return 1 if $level eq '';
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
unless ( $predicates =~ /-m limit / ) {
@ -1905,7 +1904,7 @@ sub log_rule_limit( $$$$$$$$ ) {
}
$disposition =~ s/\s+.*//;
if ( $globals{LOGRULENUMBERS} ) {
$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
} else {
@ -2261,7 +2260,7 @@ sub expand_rule( $$$$$$$$$$$ )
push_command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done';
$rule .= '-s $source ';
} else {
fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT;
$rule .= match_source_dev( $iiface );
@ -2569,18 +2568,6 @@ sub expand_rule( $$$$$$$$$$$ )
#
# If the destination chain exists, then at the end of the source chain add a jump to the destination.
#
sub addrawjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my $destref = $raw_table->{$dest} || {};
if ( $destref->{referenced} ) {
add_rule $raw_table->{$source} , $predicates . "-j $dest";
} else {
clearrule;
}
}
sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
@ -2606,7 +2593,7 @@ sub emit_test() {
push_indent;
our $emitted_test = 1;
}
#
# Generate setting of global variables
#
@ -2849,12 +2836,12 @@ sub create_chainlist_reload($) {
emit '';
my $table = 'filter';
my %chains;
for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
$chains{$table} = [] unless $chains{$table};
@ -2873,7 +2860,7 @@ sub create_chainlist_reload($) {
emit 'exec 3>${VARDIR}/.iptables-restore-input';
enter_cat_mode;
for $table qw(nat mangle filter) {
next unless $chains{$table};
@ -2887,11 +2874,11 @@ sub create_chainlist_reload($) {
my $chainref = $tableref->{$chain};
emit_unindented ":$chainref->{name} - [0:0]";
}
for my $chain ( @chains ) {
my $chainref = $tableref->{$chain};
my @rules = @{$chainref->{rules}};
@rules = () unless @rules;
#
# Emit the chain rules
@ -2902,7 +2889,7 @@ sub create_chainlist_reload($) {
# Commit the changes to the table
#
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT';
}


@ -508,7 +508,7 @@ EOF
if ( @$interfaces ) {
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
for my $interface ( @$interfaces ) {
emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT";
emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
@ -631,7 +631,7 @@ sub generate_script_2($) {
'qt1 $IPTABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
'' );
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
@ -643,7 +643,7 @@ sub generate_script_2($) {
' done',
"fi\n" );
}
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
@ -663,7 +663,7 @@ sub generate_script_2($) {
}
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
@ -675,13 +675,13 @@ sub generate_script_2($) {
'qt1 $IP6TABLES -X foox1234',
'[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
'' );
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'',
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
''
);
}
emit qq(delete_tc1\n) if $config{CLEAR_TC};
@ -697,35 +697,35 @@ sub generate_script_2($) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
emit_unindented '__EOF__';
emit( '',
'if [ "$COMMAND" != refresh ]; then' );
push_indent;
emit 'cat > ${VARDIR}/zones << __EOF__';
dump_zone_contents;
emit_unindented '__EOF__';
pop_indent;
emit "fi\n";
emit '> ${VARDIR}/nat';
add_addresses;
emit( '',
'if [ $COMMAND = restore ]; then',
' iptables_save_file=${VARDIR}/$(basename $0)-iptables',
' if [ -f $iptables_save_file ]; then' );
if ( $family == F_IPV4 ) {
emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
} else {
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
}
emit<<'EOF';
else
fatal_error "$iptables_save_file does not exist"
@ -761,7 +761,7 @@ EOF
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
fi
date > ${VARDIR}/restarted
case $COMMAND in
@ -842,10 +842,10 @@ sub compiler {
if ( $ref->{edit} ) {
fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val);
}
${$ref->{store}} = $val;
}
reinitialize if $reused++ || $family == F_IPV6;
if ( $directory ne '' ) {
@ -869,7 +869,7 @@ sub compiler {
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
initialize_chain_table;
@ -945,7 +945,7 @@ sub compiler {
copy $globals{SHAREDIRPL} . 'prog.functions6';
}
}
emit( "\n#",
'# Setup Common Rules (/proc)',
'#',
@ -981,21 +981,21 @@ sub compiler {
pop_indent;
emit '}';
}
disable_object;
#
# R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
#
enable_object;
unless ( $command eq 'check' ) {
emit( "\n#",
'# Setup routing and traffic shaping',
'#',
'setup_routing_and_traffic_shaping() {'
);
push_indent;
}
#
@ -1006,12 +1006,12 @@ sub compiler {
# TCRules and Traffic Shaping
#
setup_tc;
unless ( $command eq 'check' ) {
pop_indent;
emit "}\n";
}
disable_object;
#
# N E T F I L T E R


@ -317,7 +317,7 @@ sub initialize( $ ) {
TC_SCRIPT => '',
EXPORT => 0,
UNTRACKED => 0,
VERSION => "4.2.6",
VERSION => "4.2.7",
CAPVERSION => 40205 ,
);
@ -676,7 +676,7 @@ sub fatal_error {
close $log;
$log = undef;
}
confess " ERROR: @_$currentlineinfo" if $debug;
die " ERROR: @_$currentlineinfo\n";
}
@ -697,7 +697,7 @@ sub fatal_error1 {
close $log;
$log = undef;
}
confess " ERROR: @_" if $debug;
die " ERROR: @_\n";
}
@ -747,7 +747,7 @@ sub in_hex8( $ ) {
#
sub emit {
fatal_error 'Internal Error in emit' unless $object_enabled;
if ( $object ) {
#
# 'compile' as opposed to 'check'
@ -1030,7 +1030,7 @@ sub copy1( $ ) {
s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2;
}
print $object $_;
print $object "\n";
$do_indent = ! ( $here_documents || /\\$/ );
@ -1159,7 +1159,7 @@ sub split_list( $$ ) {
my ($list, $type ) = @_;
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
split /,/, $list;
}
@ -1167,11 +1167,11 @@ sub split_list1( $$ ) {
my ($list, $type ) = @_;
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
my @list1 = split /,/, $list;
my @list2;
my $element = '';
for ( @list1 ) {
if ( /\(/ ) {
fatal_error "Invalid $type list ($list)" if $element;
@ -1295,7 +1295,7 @@ sub close_file() {
my $result = close $currentfile;
pop_include;
fatal_error "SHELL Script failed" unless $result;
$first_entry = 0;
@ -1367,7 +1367,7 @@ sub embedded_shell( $ ) {
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
if ( $multiline ) {
#
# Multi-line script
@ -1376,19 +1376,19 @@ sub embedded_shell( $ ) {
$command .= "\n";
my $last = 0;
while ( <$currentfile> ) {
$currentlinenumber++;
last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
$command .= $_;
}
fatal_error ( "Missing END SHELL" ) unless $last;
fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
}
$command .= q(');
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
@ -1399,7 +1399,7 @@ sub embedded_shell( $ ) {
sub embedded_perl( $ ) {
my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
if ( $multiline ) {
@ -1408,19 +1408,19 @@ sub embedded_perl( $ ) {
#
fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/;
$command .= "\n";
my $last = 0;
while ( <$currentfile> ) {
$currentlinenumber++;
last if $last = s/^\s*END(\s+PERL)?\s*;?//;
$command .= $_;
}
fatal_error ( "Missing END PERL" ) unless $last;
fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
}
unless (my $return = eval $command ) {
if ( $@ ) {
#
@ -1429,7 +1429,7 @@ sub embedded_perl( $ ) {
$@ =~ s/, <\$currentfile> line \d+//g;
fatal_error1 "$@";
}
unless ( defined $return ) {
fatal_error "Perl Script failed: $!" if $!;
fatal_error "Perl Script failed";
@ -1437,23 +1437,23 @@ sub embedded_perl( $ ) {
fatal_error "Perl Script Returned False";
}
if ( $scriptfile ) {
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
close $scriptfile or fatal_error "Internal Error in embedded_perl()";
$scriptfile = undef;
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
$scriptfilename = '';
$currentfilename = "PERL\@$currentfilename:$linenumber";
$currentline = '';
$currentlinenumber = 0;
@ -1525,19 +1525,19 @@ sub read_a_line() {
$currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100;
}
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
@ -1545,7 +1545,7 @@ sub read_a_line() {
} else {
$currentlinenumber = 0;
}
$currentline = '';
} else {
return 1;
@ -1646,7 +1646,7 @@ sub validate_level( $ ) {
$index++;
}
return $olevel;
}
@ -1817,11 +1817,11 @@ sub determine_capabilities( $ ) {
my $pid = $$;
my $sillyname = "fooX$pid";
my $sillyname1 = "foo1X$pid";
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
qt1( "$iptables -N $sillyname" );
qt1( "$iptables -N $sillyname1" );
@ -1835,7 +1835,7 @@ sub determine_capabilities( $ ) {
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
}
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
$capabilities{MULTIPORT} = 1;
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
@ -2092,7 +2092,7 @@ sub get_capabilities( $ ) {
#
sub unsupported_yes_no( $ ) {
my $option = shift;
default_yes_no $option, '';
fatal_error "$option=Yes is not supported by Shorewall-perl $globals{VERSION}" if $config{$option};
@ -2110,7 +2110,7 @@ sub get_configuration( $ ) {
$globals{EXPORT} = $export;
our ( $once, @originalinc );
@originalinc = @INC unless $once++;
ensure_config_path;
@ -2135,7 +2135,7 @@ sub get_configuration( $ ) {
if ( defined $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
}
if ( defined $config{LOGBURST} ) {
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
}
@ -2231,7 +2231,7 @@ sub get_configuration( $ ) {
default_yes_no 'NULL_ROUTE_RFC1918' , '';
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP';
@ -2402,12 +2402,12 @@ sub run_user_exit( $ ) {
unless (my $return = eval $command ) {
fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
}


@ -139,7 +139,7 @@ sub validate_4address( $$ ) {
my ( $addr, $allow_name ) = @_;
my @addrs = ( $addr );
unless ( valid_4address $addr ) {
fatal_error "Invalid IP Address ($addr)" unless $allow_name;
fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr);
@ -267,7 +267,7 @@ sub decompose_net( $ ) {
( $net, my $vlsm ) = validate_net( $net , 0 );
( in_hex8( $net ) , vlsm_to_mask( $vlsm ) );
}
sub allipv4() {
@ -281,7 +281,7 @@ sub allipv6() {
sub rfc1918_networks() {
@rfc1918_networks
}
#
# Protocol/port validation
#
@ -455,7 +455,7 @@ sub expand_port_range( $$ ) {
my $mask = 0xffff; #Mask for current ports in group.
my $y = 2; #Next power of two to test
my $z = 1; #Number of ports in current group (Previous value of $y).
while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
$mask <<= 1;
$z = $y;
@ -466,7 +466,7 @@ sub expand_port_range( $$ ) {
push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
$first += $z;
}
fatal_error "Invalid port range ($range)" unless @result; # first port > last port
@result;
@ -489,7 +489,7 @@ sub valid_6address( $ ) {
} else {
$max = 8;
}
return 0 if @address > $max;
return 0 unless ( @address == $max ) || $address =~ /::/;
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
@ -513,7 +513,7 @@ sub validate_6address( $$ ) {
my ( $addr, $allow_name ) = @_;
my @addrs = ( $addr );
unless ( valid_6address $addr ) {
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
require Socket6;


@ -151,13 +151,13 @@ sub setup_one_masq($$$$$$$)
#
$networks = ALLIPv4 if $networks eq '-';
$destnets = ALLIPv4 if $destnets eq '-';
#
# Handle IPSEC options, if any
#
if ( $ipsec ne '-' ) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
if ( $ipsec =~ /^yes$/i ) {
$baserule .= '-m policy --pol ipsec --dir out ';
} elsif ( $ipsec =~ /^no$/i ) {
@ -178,7 +178,7 @@ sub setup_one_masq($$$$$$$)
# Handle Mark
#
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
for my $fullinterface (split_list $interfacelist, 'interface' ) {
my $rule = '';
my $target = '-j MASQUERADE ';
@ -194,7 +194,7 @@ sub setup_one_masq($$$$$$$)
my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/;
fatal_error "$provider is not a shared-interface provider" unless $realm;
$rule .= "-m realm --realm $realm ";
}
@ -218,7 +218,7 @@ sub setup_one_masq($$$$$$$)
$randomize = '--random ';
} else {
$addresses =~ s/:random$// and $randomize = '--random ';
if ( $addresses =~ /^SAME:nodst:/ ) {
fatal_error "':random' is not supported by the SAME target" if $randomize;
$target = '-j SAME --nodst ';
@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$$)
} elsif ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
@ -283,12 +283,12 @@ sub setup_one_masq($$$$$$$)
'' ,
'' ,
$exceptionrule );
if ( $detectaddress ) {
decr_cmd_level( $chainref );
add_command( $chainref , 'fi' );
}
if ( $add_snat_aliases ) {
my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
@ -311,7 +311,7 @@ sub setup_one_masq($$$$$$$)
}
}
}
progress_message " Masq record \"$currentline\" $done";
}
@ -324,7 +324,7 @@ sub setup_masq()
my $fn = open_file 'masq';
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
while ( read_a_line ) {
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
@ -435,7 +435,7 @@ sub setup_nat() {
my $fn = open_file 'nat';
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
while ( read_a_line ) {
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
@ -474,13 +474,13 @@ sub setup_netmap() {
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
for my $interface ( split_list $interfacelist, 'interface' ) {
my $rulein = '';
my $ruleout = '';
my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";


@ -32,7 +32,7 @@ use Shorewall::Actions;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = 4.2.4;
@ -131,7 +131,7 @@ sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain};
if ( $chainref ) {
unless( $chainref->{is_policy} ) {
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
@ -355,9 +355,8 @@ sub policy_rules( $$$$$ ) {
add_rule $chainref, "-j $default" if $default && $default ne 'none';
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target;
$target = 'reject' if $target eq 'REJECT';
add_jump( $chainref , $target, 1 ) unless $target eq 'CONTINUE';
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
}
}
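Review bot: In the policy_rules hunk the new `add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 )` line is still preceded by `log_rule $loglevel , $chainref , $target , ''`, which consumes `$target` before the `fatal_error "Null target in policy_rules()" unless $target;` guard runs, so an empty target reaches log_rule first and is only rejected afterwards; moving that guard to the top of the hunk, ahead of the `add_rule` and `log_rule` lines, would fail fast instead. Because the REJECT-to-reject mapping is now inlined into the call rather than assigned back, `$target` keeps the value `REJECT` after this line — harmless if it is not read again, but worth confirming since the end of policy_rules may lie outside the hunk. Dropping the stray `sub` from `@EXPORT` in the first hunk is a correct fix, since Exporter would otherwise have tried to export a non-existent symbol named `sub`.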


@ -219,9 +219,9 @@ sub setup_forwarding( $ ) {
emit ' echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
emit ' progress_message2 IPv6 Forwarding Disabled!';
}
emit '';
my $interfaces = find_interfaces_by_option 'forward';
if ( @$interfaces ) {


@ -77,7 +77,7 @@ sub initialize( $ ) {
$fallback = 0;
$first_default_route = 1;
$first_fallback_route = 1;
%providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } ,
main => { number => MAIN_TABLE , mark => 0 , optional => 0 } ,
default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
@ -121,7 +121,7 @@ sub setup_route_marking() {
} else {
add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
}
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
}
@ -221,7 +221,7 @@ sub balance_fallback_route( $$$$ ) {
sub start_provider( $$$ ) {
my ($table, $number, $test ) = @_;
emit $test;
push_indent;
@ -364,7 +364,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $track ) {
fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
@ -436,7 +436,7 @@ sub add_a_provider( $$$$$$$$ ) {
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
} else {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" );
@ -675,9 +675,9 @@ sub setup_providers() {
'# local',
'#',
"EOF\n" );
emit "echocommand=\$(find_echo)\n";
for my $table ( @providers ) {
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
}
@ -692,7 +692,7 @@ sub setup_providers() {
if ( $fn ) {
first_entry "$doing $fn...";
emit '';
while ( read_a_line ) {
@ -723,7 +723,7 @@ sub setup_providers() {
'> ${VARDIR}/undo_routing' );
setup_null_routing;
emit "\nrun_ip route flush cache";
pop_indent;
emit "fi\n";
@ -746,7 +746,7 @@ sub lookup_provider( $ ) {
last;
}
}
fatal_error "Unknown provider ($provider)" unless $providerref;
}


@ -108,7 +108,7 @@ sub setup_proxy_arp() {
my $first_entry = 1;
save_progress_message "Setting up Proxy ARP...";
my ( %set, %reset );
while ( read_a_line ) {
@ -122,7 +122,7 @@ sub setup_proxy_arp() {
$set{$interface} = 1;
$reset{$external} = 1 unless $set{$external};
setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
}
@ -135,7 +135,7 @@ sub setup_proxy_arp() {
emit "fi\n";
}
}
for my $interface ( keys %set ) {
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
" echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
@ -143,7 +143,7 @@ sub setup_proxy_arp() {
" error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
emit "fi\n";
}
for my $interface ( @$interfaces ) {
my $value = get_interface_option $interface, 'proxyarp';
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,


@ -99,7 +99,7 @@ sub process_tos() {
if ( my $fn = open_file 'tos' ) {
my $first_entry = 1;
my ( $pretosref, $outtosref );
first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
@ -111,7 +111,7 @@ sub process_tos() {
$first_entry = 0;
fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
$tos = $tosval;
} else {
@ -307,7 +307,7 @@ sub setup_blacklist() {
if ( my $fn = open_file 'blacklist' ) {
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
@ -601,7 +601,7 @@ sub add_common_rules() {
decr_cmd_level $rejectref;
add_command $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
} else {
@ -622,7 +622,7 @@ sub add_common_rules() {
for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
}
@ -633,7 +633,7 @@ sub add_common_rules() {
if ( $capabilities{ENHANCED_REJECT} ) {
add_rule $rejectref , '-p 17 -j REJECT';
if ( $family == F_IPV4 ) {
add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable';
add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
@ -646,12 +646,12 @@ sub add_common_rules() {
}
$list = find_interfaces_by_option 'dhcp';
if ( @$list ) {
progress_message2 'Adding rules for DHCP';
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
for $interface ( @$list ) {
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
@ -659,7 +659,7 @@ sub add_common_rules() {
for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
}
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
}
}
@ -726,7 +726,7 @@ sub add_common_rules() {
progress_message2 "$doing UPnP";
new_nat_chain( 'UPnP' );
for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
}
@ -857,7 +857,7 @@ sub setup_mac_lists( $ ) {
if ( $table eq 'filter' ) {
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
for my $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
}
@ -873,7 +873,7 @@ sub setup_mac_lists( $ ) {
for my $interface ( @maclist_interfaces ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name};
if ( $family == F_IPV4 ) {
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
my $variable = get_interface_addresses source_port_to_bridge( $interface );
@ -887,10 +887,10 @@ sub setup_mac_lists( $ ) {
} else {
my $bridge = source_port_to_bridge( $interface );
my $bridgeref = find_interface( $bridge );
add_commands( $chainref,
"for address in $variable; do" );
if ( $bridgeref->{broadcasts} ) {
for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
add_commands( $chainref ,
@ -898,7 +898,7 @@ sub setup_mac_lists( $ ) {
}
} else {
my $variable1 = get_interface_bcasts $bridge;
add_commands( $chainref,
" for address1 in $variable1; do" ,
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
@ -911,7 +911,7 @@ sub setup_mac_lists( $ ) {
}
}
}
run_user_exit2( 'maclog', $chainref );
log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
@ -1187,7 +1187,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
# Take care of chain
#
unless ( $actiontype & NATONLY ) {
#
# Check for illegal bridge port rule
@ -1253,13 +1253,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$server = $1; # May be empty
$serverport = $3; # Not Empty due to RE
$origdstports = $ports;
if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
$origdstports = validate_port( $proto, $origdstports );
} else {
$origdstports = '';
}
if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
@ -1396,7 +1396,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$action ,
'' );
}
#
# Add filter table rule, unless this is a NATONLY rule type
#
@ -1680,7 +1680,7 @@ sub generate_matrix() {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref;
my $interfacematch = '';
if ( use_forward_chain( $interface ) ) {
$sourcechainref = $filter_table->{forward_chain $interface};
} else {
@ -1690,7 +1690,7 @@ sub generate_matrix() {
}
my $arrayref = $source_ref->{$interface};
for my $hostref ( @{$arrayref} ) {
my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
@ -1847,7 +1847,7 @@ sub generate_matrix() {
$inputchainref = $filter_table->{INPUT};
$interfacematch = match_source_dev $interface;
}
if ( $chain2 ) {
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;


@ -251,7 +251,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
$target = 'CLASSIFY --set-class';
}
}
my $mask = 0xffff;
my ($cmd, $rest) = split( '/', $mark, 2 );
@ -262,7 +262,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) {
if ( $tccmd->{match}($cmd) ) {
fatal_error "$mark not valid with :C[FPT]" if $connmark;
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
$target = "$tccmd->{target} ";
@ -365,10 +365,10 @@ sub process_flow($) {
for ( @flow ) {
fatal_error "Invalid flow key ($_)" unless $flow_keys{$_};
}
$flow;
}
sub validate_tc_device( $$$$$ ) {
my ( $device, $inband, $outband , $options , $redirected ) = @_;
@ -378,7 +378,7 @@ sub validate_tc_device( $$$$$ ) {
( my $number, $device, my $rest ) = split /:/, $device, 3;
fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
if ( defined $number ) {
$devnumber = numeric_value( $number );
fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
@ -390,7 +390,7 @@ sub validate_tc_device( $$$$$ ) {
} else {
$devnumber = ++$devnum;
}
$devnums[ $devnumber ] = $device;
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
@ -469,7 +469,7 @@ sub dev_by_number( $ ) {
my $dev = $_[0];
my $devnum = numeric_value( $dev );
my $devref;
if ( defined $devnum ) {
$dev = $devnums[ $devnum ];
fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev;
@ -481,7 +481,7 @@ sub dev_by_number( $ ) {
}
( $dev , $devref );
}
sub validate_tc_class( $$$$$$ ) {
@ -500,9 +500,9 @@ sub validate_tc_class( $$$$$$ ) {
if ( $devclass =~ /:/ ) {
( $device, my ($number, $rest ) ) = split /:/, $device, 3;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
( $device , $devref) = dev_by_number( $device );
if ( defined $number ) {
if ( $devref->{classify} ) {
$classnumber = numeric_value( $number );
@ -518,12 +518,12 @@ sub validate_tc_class( $$$$$$ ) {
($device, $devref ) = dev_by_number( $device );
fatal_error "Missing class NUMBER" if $devref->{classify};
}
my $full = rate_to_kbit $devref->{out_bandwidth};
$tcclasses{$device} = {} unless $tcclasses{$device};
my $tcref = $tcclasses{$device};
my $markval = 0;
if ( $mark ne '-' ) {
@ -600,15 +600,15 @@ sub process_tc_filter( $$$$$$ ) {
my ($device, $class, $rest ) = split /:/, $devclass, 3;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
( $device , my $devref ) = dev_by_number( $device );
my $devnum = $devref->{number};
my $tcref = $tcclasses{$device};
fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
$tcref = $tcref->{$class};
fatal_error "Unknown CLASS ($devclass)" unless $tcref;
@ -616,7 +616,7 @@ sub process_tc_filter( $$$$$$ ) {
my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32";
my ( $net , $mask ) = decompose_net( $source );
$rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000';
( $net , $mask ) = decompose_net( $dest );
@ -634,7 +634,7 @@ sub process_tc_filter( $$$$$$ ) {
$rule .= "\\\n match u8 $pnumber 0xff at 9";
}
}
if ( $portlist eq '-' && $sportlist eq '-' ) {
emit( "\nrun_tc $rule\\" ,
" flowid $devref->{number}:$class" ,
@ -693,12 +693,12 @@ sub process_tc_filter( $$$$$$ ) {
for my $portrange ( split_list $portlist, 'port list' ) {
if ( $protonumber == ICMP ) {
fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-';
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange );
$icmptype = in_hex2 numeric_value1 $icmptype;
$icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode;
my $rule1 = " match u8 $icmptype 0xff at nexthdr+0";
$rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode;
emit( "\nrun_tc ${rule}\\" ,
@ -706,12 +706,12 @@ sub process_tc_filter( $$$$$$ ) {
" flowid $devref->{number}:$class" );
} else {
my @portlist = expand_port_range $protonumber , $portrange;
while ( @portlist ) {
my ( $port, $mask ) = ( shift @portlist, shift @portlist );
my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0";
if ( $sportlist eq '-' ) {
emit( "\nrun_tc ${rule}\\" ,
" $rule1\\" ,
@ -719,10 +719,10 @@ sub process_tc_filter( $$$$$$ ) {
} else {
for my $sportrange ( split_list $sportlist , 'port list' ) {
my @sportlist = expand_port_range $protonumber , $sportrange;
while ( @sportlist ) {
my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
emit( "\nrun_tc ${rule}\\",
" $rule1\\" ,
" match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
@ -885,9 +885,9 @@ sub setup_traffic_shaping() {
if ( $fn ) {
first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
while ( read_a_line ) {
my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file';
process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport );
@ -956,9 +956,9 @@ sub setup_tc() {
} else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
}
}
clear_comment;
}
}


@ -475,7 +475,7 @@ sub dump_zone_contents()
sub single_interface( $ ) {
my $zone = $_[0];
my $zoneref = $zones{$zone};
fatal_error "Internal Error in single_zone()" unless $zoneref;
my @keys = keys( %{$zoneref->{interfaces}} );
@ -537,7 +537,7 @@ sub add_group_to_zone($$$$$)
$interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) );
$zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
push @{$interfaceref}, { options => $options,
hosts => \@newnetworks,
ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' ,
@ -800,7 +800,7 @@ sub validate_interfaces_file( $ )
root => $root ,
broadcasts => $broadcasts ,
options => $optionsref };
push @ifaces, $interface;
my @networks = allip;
@ -846,7 +846,7 @@ sub known_interface($)
{
my $interface = $_[0];
my $interfaceref = $interfaces{$interface};
return $interfaceref if $interfaceref;
for my $i ( @interfaces ) {
@ -891,7 +891,7 @@ sub all_bridges() {
sub find_interface( $ ) {
my $interface = $_[0];
my $interfaceref = $interfaces{ $interface };
fatal_error "Unknown Interface ($interface)" unless $interfaceref;
$interfaceref;


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.6
VERSION=4.2.7
usage() # $1 = exit status
{


@ -127,7 +127,7 @@ else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
@ -174,7 +174,7 @@ else
echo "$PRODUCT is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in


@ -54,7 +54,7 @@ fatal_error()
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
@ -80,7 +80,7 @@ startup_error() # $* = Error Message
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG
@ -209,14 +209,14 @@ debug_restore_input() {
for chain in PREROUTING OUTPUT; do
qt1 $IPTABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IPTABLES -t nat -P $chain ACCEPT
done
qt1 $IPTABLES -t filter -F
qt1 $IPTABLES -t filter -X


@ -30,7 +30,7 @@ fatal_error()
timestamp="$(date +'%_b %d %T') "
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
fi
stop_firewall
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
exit 2
@ -56,7 +56,7 @@ startup_error() # $* = Error Message
if [ $LOG_VERBOSE -gt 1 ]; then
timestamp="$(date +'%_b %d %T') "
case $COMMAND in
start)
echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG
@ -177,7 +177,7 @@ debug_restore_input() {
for chain in PREROUTING OUTPUT; do
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
qt1 $IP6TABLES -t filter -F
qt1 $IP6TABLES -t filter -X


@ -537,7 +537,7 @@ normalize_address() # $1 = valid IPv6 Address
list_count $(split $address)
j=$?
if [ $j -eq 7 ]; then
address=${address%::*}:0:${address#*::}
elif [ $j -eq 8 ]; then
@ -585,7 +585,7 @@ convert_to_anycast() {
# Defines a viable subnet -- first get the subnet-router anycast address
#
host=$((128 - $vlsm))
address=$(normalize_address ${address%/*})
while [ $host -ge 16 ]; do


@ -1,5 +1,5 @@
%define name shorewall-perl
%define version 4.2.6
%define version 4.2.7
%define release 0base
Summary: Shoreline Firewall Perl-based compiler.
@ -62,6 +62,8 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt
%changelog
* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.7-0base
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net