Last batch of IPv6 changes for the day

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8952 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-08 22:51:17 +00:00
parent 285225b87a
commit 65745cd6a2
5 changed files with 142 additions and 70 deletions


@ -1140,7 +1140,7 @@ sub do_proto( $$$ )
PROTO:
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP ) {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
my $multiport = 0;
if ( $ports ne '' ) {
@ -1172,6 +1172,7 @@ sub do_proto( $$$ )
last PROTO; }
if ( $proto == ICMP ) {
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
if ( $ports ne '' ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp $ports;
@ -1182,6 +1183,19 @@ sub do_proto( $$$ )
last PROTO; }
if ( $proto == IPv6_ICMP ) {
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
if ( $ports ne '' ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp6 $ports;
$output .= "--icmpv6-type $ports ";
}
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
last PROTO; }
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO
@ -1965,7 +1979,7 @@ sub expand_rule( $$$$$$$$$$$ )
if ( $source eq '-' ) {
$source = '';
} elsif ( $family == F_IPV4 ) {
if ( $source =~ /^([^:]+):([^:]+)$/ ) {
if ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /\+|~|\..*\./ ) {
@ -1973,7 +1987,7 @@ sub expand_rule( $$$$$$$$$$$ )
} else {
$iiface = $source;
}
} elsif ( $source =~ /^([^;]+);([^;]+)$/ ) {
} elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ ) {
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /\+|~|\..*\./ ) {
@ -2046,7 +2060,7 @@ sub expand_rule( $$$$$$$$$$$ )
$dest = '';
} elsif ( $family == F_IPV4 ) {
if ( $dest =~ /^([^:]+):([^:]+)$/ ) {
if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1;
$dnets = $2;
} elsif ( $dest =~ /\+|~|\..*\./ ) {
@ -2054,7 +2068,7 @@ sub expand_rule( $$$$$$$$$$$ )
} else {
$diface = $dest;
}
} elsif ( $dest =~ /^([^;]+);([^;]+)$/ ) {
} elsif ( $dest =~ /^(.+?):\[(.+)\]\s+$/ ) {
$diface = $1;
$dnets = $2;
} elsif ( $dest =~ /\+|~|\..*\./ ) {
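Review bot: The new IPv6 SOURCE and DEST patterns `/^(.+?):\[(.+)\]\s+$/` in both expand_rule hunks require at least one whitespace character after the closing bracket, so a column value such as `eth0:[2001:db8::/64]` (constructed example, no trailing blank) never matches and falls through to the later branches; unless the caller guarantees trailing whitespace, which is not visible here, `\s*$` (or `\z`) is what was meant. The same trailing-whitespace requirement appears in the process_tos hunk (`\s$`, exactly one character) and in the validate_hosts_file hunk (`\s+$`), and that last pattern also omits the `:` between the interface name and `\[`, so the three IPv6 `interface:[address]` forms in this commit are parsed inconsistently. The IPv4 patterns were loosened from `[^:]+` to `.+?`/`.+`, so a value with more than one colon is now split at the first one instead of being rejected; if that is intentional, a one-line comment saying why would help the next reader. expand_rule's body continues outside these hunks.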


@ -69,7 +69,7 @@ sub reinitialize() {
Shorewall::Tc::initialize;
Shorewall::Actions::initialize;
Shorewall::Accounting::initialize;
Shorewall::Rules::initialize;
Shorewall::Rules::initialize($family);
Shorewall::Proxyarp::initialize;
}


@ -39,6 +39,7 @@ our @EXPORT = qw( ALLIPv4
TCP
UDP
ICMP
DCCP
IPv6_ICMP
SCTP
@ -75,7 +76,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
ICMP => 1,
TCP => 6,
UDP => 17,
ICMPv6_ICMP => 58,
DCCP => 33,
IPv6_ICMP => 58,
SCTP => 132 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -55,6 +55,7 @@ our $sectioned;
our $macro_nest_level;
our $current_param;
our @param_stack;
our $family;
#
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
@ -72,7 +73,8 @@ my %rules_commands = ( COMMENT => 0,
# the second and subsequent calls to that function.
#
sub initialize() {
sub initialize( $ ) {
$family = shift;
$sectioned = 0;
$macro_nest_level = 0;
$current_param = '';
@ -80,7 +82,7 @@ sub initialize() {
}
INIT {
initialize;
initialize( F_IPV4 );
}
use constant { MAX_MACRO_NEST_LEVEL => 5 };
@ -121,9 +123,17 @@ sub process_tos() {
my $restriction = NO_RESTRICT;
my ( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
my ( $srczone , $source , $remainder );
fatal_error 'Invalid SOURCE' if defined $remainder;
if ( $family == F_IPV4 ) {
( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
fatal_error 'Invalid SOURCE' if defined $remainder;
} elsif ( $src =~ /^(.+?):\[(.*)]\s$/ ) {
$srczone = $1;
$source = $2;
} else {
$srczone = $src;
}
if ( $srczone eq firewall_zone ) {
$chainref = $outtosref;
@ -518,24 +528,26 @@ sub add_common_rules() {
setup_blacklist;
$list = find_hosts_by_option 'nosmurfs';
if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'nosmurfs';
$chainref = new_standard_chain 'smurfs';
$chainref = new_standard_chain 'smurfs';
if ( $capabilities{ADDRTYPE} ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
} else {
add_command $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref;
add_command $chainref, 'done';
if ( $capabilities{ADDRTYPE} ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
} else {
add_command $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' );
add_rule $chainref, '-s $address -j DROP';
decr_cmd_level $chainref;
add_command $chainref, 'done';
}
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
}
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
if ( $capabilities{ADDRTYPE} ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else {
@ -585,9 +597,10 @@ sub add_common_rules() {
}
}
$list = find_hosts_by_option 'norfc1918';
setup_rfc1918_filteration $list if @$list;
if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'norfc1918';
setup_rfc1918_filteration $list if @$list;
}
$list = find_hosts_by_option 'tcpflags';
@ -634,15 +647,17 @@ sub add_common_rules() {
}
}
$list = find_interfaces_by_option 'upnp';
if ( $family == F_IPV4 ) {
$list = find_interfaces_by_option 'upnp';
if ( @$list ) {
progress_message2 '$doing UPnP';
if ( @$list ) {
progress_message2 '$doing UPnP';
new_nat_chain( 'UPnP' );
for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
new_nat_chain( 'UPnP' );
for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
}
}
}
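Review bot: The `nosmurfs` handling in add_common_rules is now built only when `$family == F_IPV4`, yet the IPv6 `%validoptions` in the validate_hosts_file hunk still lists `nosmurfs => 1`, so an IPv6 hosts entry can carry the option and it is accepted without any rule being generated. Either drop `nosmurfs` from the IPv6 hosts options (the IPv6 interfaces options in validate_interfaces_file already omit it) or add an IPv6 branch here; until then a comment such as `# nosmurfs has no effect under IPv6 - the smurfs chain is IPv4-only` above the new `if` would at least record the gap. The same `$family == F_IPV4` guard is repeated for norfc1918 and upnp in this file, and those options are consistently absent from both IPv6 option tables, so only nosmurfs is out of step. add_common_rules's body continues outside these hunks.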


@ -593,25 +593,40 @@ sub validate_interfaces_file( $ )
IF_OPTION_ZONEONLY => 8 };
my %validoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
logmartians => BINARY_IF_OPTION,
norfc1918 => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
routefilter => BINARY_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
my %validoptions;
if ( $family == F_IPV4 ) {
%validoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
logmartians => BINARY_IF_OPTION,
norfc1918 => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
routefilter => BINARY_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
);
} else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
forward => NUMERIC_IF_OPTION,
);
}
my $fn = open_file 'interfaces';
@ -933,18 +948,33 @@ sub set_interface_option( $$$ ) {
#
sub validate_hosts_file()
{
my %validoptions = (
blacklist => 1,
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
routefilter => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
my %validoptions;
if ( $family == F_IPV4 ) {
%validoptions = (
blacklist => 1,
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
routefilter => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
} else {
%validoptions = (
blacklist => 1,
maclist => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
}
my $ipsec = 0;
my $first_entry = 1;
@ -968,13 +998,24 @@ sub validate_hosts_file()
my $interface;
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
if ( $family == F_IPV4 ) {
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
if ( $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]\s+$/ ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
}
if ( $type eq 'bport' ) {