mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-29 17:09:32 +01:00
Permit "[<ipv6 address>]/vlsm" in addition to "[<ipv6 address>/vlsm]"
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
86c35339cd
commit
70c76f577c
@ -85,7 +85,7 @@ our @EXPORT = ( qw(
|
|||||||
$nat_table
|
$nat_table
|
||||||
$mangle_table
|
$mangle_table
|
||||||
$filter_table
|
$filter_table
|
||||||
),
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
our %EXPORT_TAGS = (
|
our %EXPORT_TAGS = (
|
||||||
@ -248,7 +248,7 @@ our %EXPORT_TAGS = (
|
|||||||
%targets
|
%targets
|
||||||
%dscpmap
|
%dscpmap
|
||||||
%nfobjects
|
%nfobjects
|
||||||
), ],
|
) ],
|
||||||
);
|
);
|
||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
@ -4930,7 +4930,7 @@ sub match_source_net( $;$\$ ) {
|
|||||||
return '! -s ' . record_runtime_address $1, $2;
|
return '! -s ' . record_runtime_address $1, $2;
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
return "! -s $net ";
|
return "! -s $net ";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4938,7 +4938,7 @@ sub match_source_net( $;$\$ ) {
|
|||||||
return '-s ' . record_runtime_address $1, $2;
|
return '-s ' . record_runtime_address $1, $2;
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-s $net ";
|
$net eq ALLIP ? '' : "-s $net ";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5003,7 +5003,7 @@ sub imatch_source_net( $;$\$ ) {
|
|||||||
return ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
|
return ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
return ( s => "! $net " );
|
return ( s => "! $net " );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5011,7 +5011,7 @@ sub imatch_source_net( $;$\$ ) {
|
|||||||
return ( s => record_runtime_address( $1, $2, 1 ) );
|
return ( s => record_runtime_address( $1, $2, 1 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
$net eq ALLIP ? () : ( s => $net );
|
$net eq ALLIP ? () : ( s => $net );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5072,7 +5072,7 @@ sub match_dest_net( $;$ ) {
|
|||||||
return '! -d ' . record_runtime_address $1, $2;
|
return '! -d ' . record_runtime_address $1, $2;
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
return "! -d $net ";
|
return "! -d $net ";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5080,7 +5080,7 @@ sub match_dest_net( $;$ ) {
|
|||||||
return '-d ' . record_runtime_address $1, $2;
|
return '-d ' . record_runtime_address $1, $2;
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-d $net ";
|
$net eq ALLIP ? '' : "-d $net ";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5139,7 +5139,7 @@ sub imatch_dest_net( $;$ ) {
|
|||||||
return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
|
return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
return ( d => "! $net " );
|
return ( d => "! $net " );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5147,7 +5147,7 @@ sub imatch_dest_net( $;$ ) {
|
|||||||
return ( d => record_runtime_address( $1, $2, 1 ) );
|
return ( d => record_runtime_address( $1, $2, 1 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
$net eq ALLIP ? () : ( d => $net );
|
$net eq ALLIP ? () : ( d => $net );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5164,7 +5164,7 @@ sub match_orig_dest ( $ ) {
|
|||||||
if ( $net =~ /^&(.+)/ ) {
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
$net = record_runtime_address '&', $1;
|
$net = record_runtime_address '&', $1;
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
||||||
@ -5172,7 +5172,7 @@ sub match_orig_dest ( $ ) {
|
|||||||
if ( $net =~ /^&(.+)/ ) {
|
if ( $net =~ /^&(.+)/ ) {
|
||||||
$net = record_runtime_address '&', $1;
|
$net = record_runtime_address '&', $1;
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
$net = validate_net $net, 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
||||||
@ -5903,7 +5903,11 @@ sub isolate_source_interface( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
$iiface = $source;
|
$iiface = $source;
|
||||||
}
|
}
|
||||||
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
|
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ ||
|
||||||
|
$source =~ /^(.+?):\[(.+)\]\s*$/ ||
|
||||||
|
$source =~ /^(.+?):(!?\+.+)$/ ||
|
||||||
|
$source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
|
||||||
|
) {
|
||||||
$iiface = $1;
|
$iiface = $1;
|
||||||
$inets = $2;
|
$inets = $2;
|
||||||
} elsif ( $source =~ /:/ ) {
|
} elsif ( $source =~ /:/ ) {
|
||||||
@ -6008,7 +6012,11 @@ sub isolate_dest_interface( $$$$ ) {
|
|||||||
} else {
|
} else {
|
||||||
$diface = $dest;
|
$diface = $dest;
|
||||||
}
|
}
|
||||||
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
|
} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ ||
|
||||||
|
$dest =~ /^(.+?):\[(.+)\]\s*$/ ||
|
||||||
|
$dest =~ /^(.+?):(!?\+.+)$/ ||
|
||||||
|
$dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
|
||||||
|
) {
|
||||||
$diface = $1;
|
$diface = $1;
|
||||||
$dnets = $2;
|
$dnets = $2;
|
||||||
} elsif ( $dest =~ /:/ ) {
|
} elsif ( $dest =~ /:/ ) {
|
||||||
|
|||||||
@ -32,7 +32,7 @@ use Socket;
|
|||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( ALLIPv4
|
our @EXPORT = ( qw( ALLIPv4
|
||||||
ALLIPv6
|
ALLIPv6
|
||||||
NILIPv4
|
NILIPv4
|
||||||
NILIPv6
|
NILIPv6
|
||||||
@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
|
|||||||
validate_port_list
|
validate_port_list
|
||||||
validate_icmp
|
validate_icmp
|
||||||
validate_icmp6
|
validate_icmp6
|
||||||
);
|
) );
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = 'MODULEVERSION';
|
our $VERSION = 'MODULEVERSION';
|
||||||
|
|
||||||
@ -178,7 +178,7 @@ sub encodeaddr( $ ) {
|
|||||||
$result;
|
$result;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub validate_4net( $$ ) {
|
sub validate_4net( $$; $ ) {
|
||||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
||||||
my $allow_name = $_[1];
|
my $allow_name = $_[1];
|
||||||
|
|
||||||
@ -207,11 +207,13 @@ sub validate_4net( $$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( defined wantarray ) {
|
if ( defined wantarray ) {
|
||||||
assert ( ! $allow_name );
|
|
||||||
if ( wantarray ) {
|
if ( wantarray ) {
|
||||||
|
assert( ! $allow_name );
|
||||||
( decodeaddr( $net ) , $vlsm );
|
( decodeaddr( $net ) , $vlsm );
|
||||||
|
} elsif ( valid_4address $net ) {
|
||||||
|
$vlsm == 32 ? $net : "$net/$vlsm";
|
||||||
} else {
|
} else {
|
||||||
"$net/$vlsm";
|
$net;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -606,9 +608,9 @@ sub validate_6address( $$ ) {
|
|||||||
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub validate_6net( $$ ) {
|
sub validate_6net( $$;$ ) {
|
||||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
||||||
my $allow_name = $_[1];
|
my $allow_name = $_[0];
|
||||||
|
|
||||||
if ( $net =~ /\+(\[?)/ ) {
|
if ( $net =~ /\+(\[?)/ ) {
|
||||||
if ( $1 ) {
|
if ( $1 ) {
|
||||||
@ -620,22 +622,28 @@ sub validate_6net( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid Network address ($_[0])" unless supplied $net;
|
||||||
|
|
||||||
|
$net = $1 if $net =~ /^\[(.*)\]$/;
|
||||||
|
|
||||||
if ( defined $vlsm ) {
|
if ( defined $vlsm ) {
|
||||||
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
|
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
|
||||||
fatal_error "Invalid Network address ($_[0])" if defined $rest;
|
fatal_error "Invalid Network address ($_[0])" if defined $rest;
|
||||||
fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net;
|
fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
|
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
|
||||||
validate_6address $net, $allow_name;
|
validate_6address $net, $allow_name;
|
||||||
$vlsm = 128;
|
$vlsm = 128;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( defined wantarray ) {
|
if ( defined wantarray ) {
|
||||||
assert ( ! $allow_name );
|
|
||||||
if ( wantarray ) {
|
if ( wantarray ) {
|
||||||
|
assert( ! $allow_name );
|
||||||
( $net , $vlsm );
|
( $net , $vlsm );
|
||||||
|
} elsif ( valid_6address ( $net ) ) {
|
||||||
|
$vlsm == 32 ? $net : "$net/$vlsm";
|
||||||
} else {
|
} else {
|
||||||
"$net/$vlsm";
|
$net;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -431,8 +431,8 @@ sub setup_netmap() {
|
|||||||
my @rulein;
|
my @rulein;
|
||||||
my @ruleout;
|
my @ruleout;
|
||||||
|
|
||||||
validate_net $net1, 0;
|
$net1 = validate_net $net1, 0;
|
||||||
validate_net $net2, 0;
|
$net2 = validate_net $net2, 0;
|
||||||
|
|
||||||
unless ( $interfaceref->{root} ) {
|
unless ( $interfaceref->{root} ) {
|
||||||
@rulein = imatch_source_dev( $interface );
|
@rulein = imatch_source_dev( $interface );
|
||||||
@ -466,7 +466,7 @@ sub setup_netmap() {
|
|||||||
|
|
||||||
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
|
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
|
||||||
|
|
||||||
validate_net $net2, 0;
|
$net2 = validate_net $net2, 0;
|
||||||
|
|
||||||
unless ( $interfaceref->{root} ) {
|
unless ( $interfaceref->{root} ) {
|
||||||
@match = imatch_dest_dev( $interface );
|
@match = imatch_dest_dev( $interface );
|
||||||
|
|||||||
@ -938,7 +938,7 @@ sub add_an_rtrule( ) {
|
|||||||
if ( $dest eq '-' ) {
|
if ( $dest eq '-' ) {
|
||||||
$dest = 'to ' . ALLIP;
|
$dest = 'to ' . ALLIP;
|
||||||
} else {
|
} else {
|
||||||
validate_net( $dest, 0 );
|
$dest = validate_net( $dest, 0 );
|
||||||
$dest = "to $dest";
|
$dest = "to $dest";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -950,22 +950,22 @@ sub add_an_rtrule( ) {
|
|||||||
if ( $source =~ /:/ ) {
|
if ( $source =~ /:/ ) {
|
||||||
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
|
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
|
||||||
fatal_error "Invalid SOURCE" if defined $remainder;
|
fatal_error "Invalid SOURCE" if defined $remainder;
|
||||||
validate_net ( $source, 0 );
|
$source = validate_net ( $source, 0 );
|
||||||
$interface = physical_name $interface;
|
$interface = physical_name $interface;
|
||||||
$source = "iif $interface from $source";
|
$source = "iif $interface from $source";
|
||||||
} elsif ( $source =~ /\..*\..*/ ) {
|
} elsif ( $source =~ /\..*\..*/ ) {
|
||||||
validate_net ( $source, 0 );
|
$source = validate_net ( $source, 0 );
|
||||||
$source = "from $source";
|
$source = "from $source";
|
||||||
} else {
|
} else {
|
||||||
$source = 'iif ' . physical_name $source;
|
$source = 'iif ' . physical_name $source;
|
||||||
}
|
}
|
||||||
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ ) {
|
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
|
||||||
my ($interface, $source ) = ($1, $2);
|
my ($interface, $source ) = ($1, $2);
|
||||||
validate_net ($source, 0);
|
$source = validate_net ($source, 0);
|
||||||
$interface = physical_name $interface;
|
$interface = physical_name $interface;
|
||||||
$source = "iif $interface from $source";
|
$source = "iif $interface from $source";
|
||||||
} elsif ( $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
|
} elsif ( $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
|
||||||
validate_net ( $source, 0 );
|
$source = validate_net ( $source, 0 );
|
||||||
$source = "from $source";
|
$source = "from $source";
|
||||||
} else {
|
} else {
|
||||||
$source = 'iif ' . physical_name $source;
|
$source = 'iif ' . physical_name $source;
|
||||||
@ -1020,7 +1020,7 @@ sub add_a_route( ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'DEST must be specified' if $dest eq '-';
|
fatal_error 'DEST must be specified' if $dest eq '-';
|
||||||
validate_net ( $dest, 1 );
|
$dest = validate_net ( $dest, 1 );
|
||||||
|
|
||||||
validate_address ( $gateway, 1 ) if $gateway ne '-';
|
validate_address ( $gateway, 1 ) if $gateway ne '-';
|
||||||
|
|
||||||
|
|||||||
@ -372,7 +372,11 @@ sub process_tc_rule( ) {
|
|||||||
|
|
||||||
if ( supplied $ip ) {
|
if ( supplied $ip ) {
|
||||||
if ( $family == F_IPV6 ) {
|
if ( $family == F_IPV6 ) {
|
||||||
$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
|
if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
|
||||||
|
$ip = $1;
|
||||||
|
} elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
|
||||||
|
$ip = join( $1, $2 );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_address $ip, 1;
|
validate_address $ip, 1;
|
||||||
|
|||||||
@ -1153,7 +1153,7 @@ sub process_interface( $$ ) {
|
|||||||
$hostoptions{broadcast} = 1;
|
$hostoptions{broadcast} = 1;
|
||||||
} elsif ( $option eq 'sfilter' ) {
|
} elsif ( $option eq 'sfilter' ) {
|
||||||
$filterref = [ split_list $value, 'address' ];
|
$filterref = [ split_list $value, 'address' ];
|
||||||
validate_net( $_, 1) for @{$filterref}
|
$_ = validate_net( $_, 1) for @{$filterref}
|
||||||
} else {
|
} else {
|
||||||
assert(0);
|
assert(0);
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user