mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 00:23:28 +01:00
Apply inversion changes to trunk
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9395 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ba14c45cf4
commit
6651c2d6ce
@ -1206,8 +1206,8 @@ sub do_proto( $$$ )
|
||||
|
||||
if ( $proto ne '' ) {
|
||||
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
|
||||
my $protonum = resolve_proto $proto;
|
||||
|
||||
if ( defined $protonum ) {
|
||||
@ -1219,41 +1219,44 @@ sub do_proto( $$$ )
|
||||
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
||||
#
|
||||
unless ( $synonly ) {
|
||||
$output = "-p $proto ";
|
||||
$output = "-p ${invert}${proto} ";
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP;
|
||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
|
||||
$output = "-p $proto --syn ";
|
||||
}
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
|
||||
|
||||
PROTO:
|
||||
{
|
||||
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
|
||||
my $multiport = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
$output .= "-m multiport --dports $ports ";
|
||||
$output .= "-m multiport --dports ${invert}${ports} ";
|
||||
$multiport = 1;
|
||||
} else {
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
$output .= "--dport $ports ";
|
||||
$output .= "--dport ${invert}${ports} ";
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
|
||||
$sports = validate_port_list $pname , $sports;
|
||||
$output .= "-m multiport --sports $sports ";
|
||||
$output .= "-m multiport --sports ${invert}${sports} ";
|
||||
} else {
|
||||
$sports = validate_portpair $pname , $sports;
|
||||
$output .= "--sport $sports ";
|
||||
$output .= "--sport ${invert}${sports} ";
|
||||
}
|
||||
}
|
||||
|
||||
@ -1262,9 +1265,10 @@ sub do_proto( $$$ )
|
||||
if ( $proto == ICMP ) {
|
||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$ports = validate_icmp $ports;
|
||||
$output .= "--icmp-type $ports ";
|
||||
$output .= "--icmp-type ${invert}${ports} ";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
@ -1274,9 +1278,10 @@ sub do_proto( $$$ )
|
||||
if ( $proto == IPv6_ICMP ) {
|
||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$ports = validate_icmp6 $ports;
|
||||
$output .= "--icmpv6-type $ports ";
|
||||
$output .= "--icmpv6-type ${invert}${ports} ";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||
@ -1929,10 +1934,12 @@ sub get_interface_gateway ( $ ) {
|
||||
|
||||
my $variable = interface_gateway( $interface );
|
||||
|
||||
my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway';
|
||||
|
||||
if ( interface_is_optional $interface ) {
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n);
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
|
||||
} else {
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
|
||||
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
|
||||
[ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface"
|
||||
);
|
||||
}
|
||||
@ -2581,7 +2588,8 @@ sub emitr( $$ ) {
|
||||
#
|
||||
# Generate the netfilter input
|
||||
#
|
||||
sub create_netfilter_load() {
|
||||
sub create_netfilter_load( $ ) {
|
||||
my $test = shift;
|
||||
|
||||
my @table_list;
|
||||
|
||||
@ -2613,6 +2621,14 @@ sub create_netfilter_load() {
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
my $date = localtime;
|
||||
|
||||
unless ( $test ) {
|
||||
emit_unindented '#';
|
||||
emit_unindented "# Generated by Shorewall-perl $globals{VERSION} - $date";
|
||||
emit_unindented '#';
|
||||
}
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
emit_unindented "*$table";
|
||||
|
||||
|
@ -697,7 +697,7 @@ sub generate_script_4($) {
|
||||
} else {
|
||||
progress_message2 "Creating ip6tables-restore input...";
|
||||
}
|
||||
create_netfilter_load;
|
||||
create_netfilter_load( $test );
|
||||
create_chainlist_reload( $_[0] );
|
||||
|
||||
emit "#\n# Start/Restart the Firewall\n#";
|
||||
|
Loading…
Reference in New Issue
Block a user