diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index ab4cce768..60c0d1032 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -1206,8 +1206,8 @@ sub do_proto( $$$ ) if ( $proto ne '' ) { - my $synonly = ( $proto =~ s/:syn$//i ); - + my $synonly = ( $proto =~ s/:syn$//i ); + my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $protonum = resolve_proto $proto; if ( defined $protonum ) { @@ -1219,41 +1219,44 @@ sub do_proto( $$$ ) # $proto now contains the protocol number and $pname contains the canonical name of the protocol # unless ( $synonly ) { - $output = "-p $proto "; + $output = "-p ${invert}${proto} "; } else { - fatal_error '":syn" is only allowed with tcp' unless $proto == TCP; + fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert; $output = "-p $proto --syn "; } + fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne ''); + PROTO: { - if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) { my $multiport = 0; if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! ' : ''; if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; $ports = validate_port_list $pname , $ports; - $output .= "-m multiport --dports $ports "; + $output .= "-m multiport --dports ${invert}${ports} "; $multiport = 1; } else { $ports = validate_portpair $pname , $ports; - $output .= "--dport $ports "; + $output .= "--dport ${invert}${ports} "; } } else { $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); } if ( $sports ne '' ) { + $invert = $sports =~ s/^!// ? '! ' : ''; if ( $multiport ) { fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15; $sports = validate_port_list $pname , $sports; - $output .= "-m multiport --sports $sports "; + $output .= "-m multiport --sports ${invert}${sports} "; } else { $sports = validate_portpair $pname , $sports; - $output .= "--sport $sports "; + $output .= "--sport ${invert}${sports} "; } } @@ -1262,9 +1265,10 @@ sub do_proto( $$$ ) if ( $proto == ICMP ) { fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! ' : ''; fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; $ports = validate_icmp $ports; - $output .= "--icmp-type $ports "; + $output .= "--icmp-type ${invert}${ports} "; } fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; @@ -1274,9 +1278,10 @@ sub do_proto( $$$ ) if ( $proto == IPv6_ICMP ) { fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4; if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! ' : ''; fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; $ports = validate_icmp6 $ports; - $output .= "--icmpv6-type $ports "; + $output .= "--icmpv6-type ${invert}${ports} "; } fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne ''; @@ -1929,10 +1934,12 @@ sub get_interface_gateway ( $ ) { my $variable = interface_gateway( $interface ); + my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway'; + if ( interface_is_optional $interface ) { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n); + $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n); } else { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface) + $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface) [ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface" ); } @@ -2581,7 +2588,8 @@ sub emitr( $$ ) { # # Generate the netfilter input # -sub create_netfilter_load() { +sub create_netfilter_load( $ ) { + my $test = shift; my @table_list; @@ -2613,6 +2621,14 @@ sub create_netfilter_load() { enter_cat_mode; + my $date = localtime; + + unless ( $test ) { + emit_unindented '#'; + emit_unindented "# Generated by Shorewall-perl $globals{VERSION} - $date"; + emit_unindented '#'; + } + for my $table ( @table_list ) { emit_unindented "*$table"; diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index adffb9909..bf9e13f68 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -697,7 +697,7 @@ sub generate_script_4($) { } else { progress_message2 "Creating ip6tables-restore input..."; } - create_netfilter_load; + create_netfilter_load( $test ); create_chainlist_reload( $_[0] ); emit "#\n# Start/Restart the Firewall\n#";