Eliminate trailing whitespace

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-07-26 18:36:18 +00:00
parent a7786b5a2f
commit 767fea403a
21 changed files with 218 additions and 218 deletions


@ -1,2 +1,2 @@
This is the Shorewall-perl Stable 4.0 branch of SVN.


@ -43,7 +43,7 @@ our $VERSION = 4.00;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -59,7 +59,7 @@ INIT {
# Accounting
#
sub process_accounting_rule( $$$$$$$$$ ) {
our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
@ -163,7 +163,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
}
sub setup_accounting() {
my $first_entry = 1;
my $fn = open_file 'accounting';


@ -88,7 +88,7 @@ our %macros;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -276,7 +276,7 @@ sub createlogactionchain( $$ ) {
mark_referenced $chainref; # Just in case the action body is empty.
unless ( $targets{$action} & STANDARD ) {
my $file = find_file $chain;
if ( -f $file ) {
@ -298,13 +298,13 @@ sub createlogactionchain( $$ ) {
sub createsimpleactionchain( $ ) {
my $action = shift;
my $chainref = new_chain 'filter', $action;
$logactionchains{"$action:none"} = $chainref;
mark_referenced $chainref; # Just in case the action body is empty.
unless ( $targets{$action} & STANDARD ) {
my $file = find_file $action;
if ( -f $file ) {
@ -395,15 +395,15 @@ sub process_macro1 ( $$ ) {
fatal_error "Invalid target ($mtarget)"
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
}
progress_message " ..End Macro $macrofile";
pop_open;
}
sub process_action1 ( $$ ) {
my ( $action, $wholetarget ) = @_;
my ( $target, $level ) = split_action $wholetarget;
$level = 'none' unless $level;
@ -412,9 +412,9 @@ sub process_action1 ( $$ ) {
if ( defined $targettype ) {
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & LOGRULE );
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
fatal_error "An action may not invoke itself" if $target eq $action;
add_requiredby $wholetarget, $action if $targettype & ACTION;
@ -438,7 +438,7 @@ sub process_action1 ( $$ ) {
}
}
}
sub process_actions1() {
progress_message2 "Preprocessing Action Files...";
@ -548,7 +548,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
my $standard = ( $fn =~ /^($globals{SHAREDIR})/ );
while ( read_a_line ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 1, 8, 'macro file';
if ( $mtarget =~ /^PARAM:?/ ) {
@ -581,7 +581,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
} else {
$mdest = '';
}
$mdest = '' if $mdest eq '-';
$mproto = merge_macro_column $mproto, $proto;
@ -589,12 +589,12 @@ sub process_macro3( $$$$$$$$$$$ ) {
$msports = merge_macro_column $msports, $sports;
$mrate = merge_macro_column $mrate, $rate;
$muser = merge_macro_column $muser, $user;
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
}
pop_open;
progress_message '..End Macro'
}
@ -672,7 +672,7 @@ sub process_actions3 () {
add_command $chainref, 'done';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
}
}
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
}


@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This is the low-level iptables module. It provides the basic services
# This is the low-level iptables module. It provides the basic services
# of chain and rule creation. It is used by the higher level modules such
# as Rules to create iptables-restore input.
#
@ -228,7 +228,7 @@ our $emitted_comment;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -325,7 +325,7 @@ INIT {
#
#
# Process a COMMENT line (in $currentline)
# Process a COMMENT line (in $currentline)
#
sub process_comment() {
if ( $capabilities{COMMENTS} ) {
@ -357,7 +357,7 @@ sub add_command($$)
sub add_commands {
my $chainref = shift @_;
for my $command ( @_ ) {
push @{$chainref->{rules}}, join ('', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
}
@ -382,7 +382,7 @@ sub add_file( $$ ) {
if ( -f $file ) {
open EF , '<', $file or fatal_error "Unable to open $file: $!";
add_commands( $chainref,
add_commands( $chainref,
qq(progress_message "Processing $file..."),
'' );
@ -395,7 +395,7 @@ sub add_file( $$ ) {
close EF;
}
}
}
#
# Add a rule to a chain. Arguments are:
@ -778,7 +778,7 @@ sub setup_zone_mss() {
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss};
}
}
}
sub newexclusionchain() {
my $seq = $exclseq++;
@ -810,13 +810,13 @@ sub validate_portpair( $ ) {
for my $port ( @ports ) {
my $value = $services{$port};
unless ( defined $value ) {
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
}
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
$port = $value;
}
@ -938,7 +938,7 @@ sub do_proto( $$$ )
}
if ( $sports ne '' ) {
if ( $multiport ) {
if ( $multiport ) {
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
$sports = validate_port_list $sports;
$output .= "-m multiport --sports $sports ";
@ -1108,7 +1108,7 @@ sub match_source_dev( $ ) {
} else {
"-i $interface ";
}
}
}
#
# Match Dest device
@ -1121,7 +1121,7 @@ sub match_dest_dev( $ ) {
} else {
"-o $interface ";
}
}
}
#
# Avoid generating a second '-m iprange' in a single rule.
@ -1303,7 +1303,7 @@ sub log_rule_limit( $$$$$$$$ ) {
if ( $chainref->{loopcount} || $chainref->{cmdcount} ) {
#
# The rule will be converted to an "echo" shell command. We must insure that the
# The rule will be converted to an "echo" shell command. We must insure that the
# quotes are preserved in the iptables-input file.
#
if ( $level eq 'ULOG' ) {
@ -1423,7 +1423,7 @@ sub get_interface_addresses ( $ ) {
[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface"
);
}
"\$$variable";
}
@ -1461,15 +1461,15 @@ sub get_interface_nets ( $ ) {
#
sub expand_rule( $$$$$$$$$$ )
{
my ($chainref , # Chain
my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
$target, # Target ('-j' part of the rule)
$loglevel , # Log level (and tag)
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
$target, # Target ('-j' part of the rule)
$loglevel , # Log level (and tag)
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
$exceptionrule # Caller's matches used in exclusion case
) = @_;
@ -1666,7 +1666,7 @@ sub expand_rule( $$$$$$$$$$ )
#
if ( $inets ) {
fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
$inets = $1;
$iexcl = $2;
@ -1680,7 +1680,7 @@ sub expand_rule( $$$$$$$$$$ )
$rule .= match_source_net "!$iexcl";
$iexcl = '';
}
}
} else {
$iexcl = '';
@ -1691,7 +1691,7 @@ sub expand_rule( $$$$$$$$$$ )
#
if ( $dnets ) {
fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
$dnets = $1;
$dexcl = $2;
@ -1887,7 +1887,7 @@ sub set_global_variables() {
# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
# has (have) something to look at to determine the error
#
# We may have to generate part of the input at run-time. The rules array in each chain
# We may have to generate part of the input at run-time. The rules array in each chain
# table entry may contain rules (begin with '-A') or shell source. We alternate between
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
# (CAT_STATE) and and writing shell source into the generated script.
@ -1939,7 +1939,7 @@ sub create_netfilter_load() {
push @table_list, 'filter';
$state = NULL_STATE;
emit ( 'setup_netfilter()',
'{'
);
@ -1953,7 +1953,7 @@ sub create_netfilter_load() {
emit 'exec 3>${VARDIR}/.iptables-restore-input';
enter_cat_state;
for my $table ( @table_list ) {
emit_unindented "*$table";
@ -2019,7 +2019,7 @@ sub create_netfilter_load() {
sub create_blacklist_reload() {
$state = NULL_STATE;
emit( 'blacklist_reload()',
'{'
);
@ -2044,7 +2044,7 @@ sub create_blacklist_reload() {
# Commit the changes to the table
#
enter_cat_state unless $state == CAT_STATE;
emit_unindented 'COMMIT';
enter_cmd_state;


@ -296,7 +296,7 @@ EOF
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
EOF
}
@ -471,7 +471,7 @@ EOF
# Second Phase of Script Generation
#
# copies the 'prog.functions' file into the script, generates
# clear_routing_and_traffic_shaping() and the first part of
# clear_routing_and_traffic_shaping() and the first part of
# 'setup_routing_and_traffic_shaping()'
#
# The bulk of that function is produced by the various config file
@ -542,7 +542,7 @@ sub generate_script_2 () {
'delete_proxyarp',
''
);
if ( $capabilities{NAT_ENABLED} ) {
emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do',
@ -646,7 +646,7 @@ else
set_state "Started"
run_started_exit
fi
cp -f $(my_pathname) ${VARDIR}/.restore
fi


@ -22,10 +22,10 @@
#
# This module is responsible for lower level configuration file handling.
# It also exports functions for generating warning and error messages.
# The get_configuration function parses the shorewall.conf, capabilities and
# modules files during compiler startup. The module also provides the basic
# The get_configuration function parses the shorewall.conf, capabilities and
# modules files during compiler startup. The module also provides the basic
# output file services such as creation of temporary 'object' files, writing
# into those files (emitters) and finalizing those files (renaming
# into those files (emitters) and finalizing those files (renaming
# them to their final name and setting their mode appropriately).
#
package Shorewall::Config;
@ -176,7 +176,7 @@ our $debug; # If true, use Carp to report errors with stack tr
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
@ -461,21 +461,21 @@ sub save_progress_message_short( $ ) {
#
# Set $timestamp
#
#
sub set_timestamp( $ ) {
$timestamp = shift;
}
#
# Set $verbose
#
#
sub set_verbose( $ ) {
$verbose = shift;
}
#
# Print the current TOD to STDOUT.
#
#
sub timestamp() {
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
printf '%02d:%02d:%02d ', $hr, $min, $sec;
@ -739,7 +739,7 @@ sub split_line2( $$$ ) {
if ( defined $columns ) {
fatal_error "Invalid $first entry" if $columns && @line != $columns;
return @line
return @line
}
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
@ -843,7 +843,7 @@ sub read_a_line() {
#
# Remove Trailing Comments -- result might be a blank line
#
$currentline =~ s/#.*$//;
$currentline =~ s/#.*$//;
#
# Ignore ( concatenated ) Blank Lines
#
@ -935,14 +935,14 @@ sub default_yes_no ( $$ ) {
my %validlevels = ( debug => 7,
info => 6,
notice => 5,
warning => 4,
warn => 4,
notice => 5,
warning => 4,
warn => 4,
err => 3,
error => 3,
crit => 2,
alert => 1,
emerg => 0,
crit => 2,
alert => 1,
emerg => 0,
panic => 0,
none => '',
ULOG => 'ULOG' );
@ -1002,7 +1002,7 @@ sub check_trivalue( $$ ) {
$config{var} = $default
}
}
#
# Produce a report of the detected capabilities
#
@ -1180,7 +1180,7 @@ sub determine_capabilities() {
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
qt( "$iptables -F $sillyname" );
qt( "$iptables -X $sillyname" );
@ -1279,7 +1279,7 @@ sub process_shorewall_conf() {
sub get_capabilities( $ ) {
my $export = $_[0];
if ( ! $export && $> == 0 ) { # $> == $EUID
unless ( $config{IPTABLES} ) {
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
@ -1358,7 +1358,7 @@ sub get_configuration( $ ) {
check_trivalue ( 'IP_FORWARDING', 'on' );
check_trivalue ( 'ROUTE_FILTER', '' );
check_trivalue ( 'LOG_MARTIANS', '' );
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
default_yes_no 'ADD_SNAT_ALIASES' , '';
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
@ -1632,7 +1632,7 @@ sub run_user_exit2( $$ ) {
}
pop_open;
}
}


@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This module exports the %protocols and %services hashes built from
# This module exports the %protocols and %services hashes built from
# /etc/protocols and /etc/services respectively.
#
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007


@ -20,8 +20,8 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This module provides interfaces for dealing with IPv4 addresses.
#
# This module provides interfaces for dealing with IPv4 addresses.
#
package Shorewall::IPAddrs;
require Exporter;
use Shorewall::Config;
@ -121,7 +121,7 @@ sub validate_range( $$ ) {
my $last = decodeaddr $high;
fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
}
}
sub ip_range_explicit( $ ) {
my $range = $_[0];
@ -151,7 +151,7 @@ sub ip_range_explicit( $ ) {
sub validate_host( $ ) {
my $host = $_[0];
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
validate_range $1, $2;
} else {


@ -47,7 +47,7 @@ our %addresses_to_add;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -237,7 +237,7 @@ sub setup_one_masq($$$$$$$)
#
# And Generate the Rule(s)
#
expand_rule( $chainref ,
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
$rule ,
$networks ,


@ -208,10 +208,10 @@ sub validate_policy()
unless ( $clientwild || $serverwild ) {
if ( $zones{$server}{type} eq 'bport4' ) {
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
}
}
}
my $chain = "${client}2${server}";
my $chainref;
@ -238,12 +238,12 @@ sub validate_policy()
}
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
if ( $synparams ne '' ) {
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
$chainref->{synchain} = $chain
$chainref->{synchain} = $chain
}
$chainref->{default} = $default if $default;
if ( $clientwild ) {
@ -277,7 +277,7 @@ sub validate_policy()
#
sub policy_rules( $$$$ ) {
my ( $chainref , $target, $loglevel, $default ) = @_;
unless ( $target eq 'NONE' ) {
add_rule $chainref, "-j $default" if $default && $default ne 'none';
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
@ -392,7 +392,7 @@ sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel};
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''


@ -157,7 +157,7 @@ sub setup_martian_logging() {
" echo $value > $file" );
emit ( 'else' ,
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
emit "fi\n";
}


@ -59,7 +59,7 @@ our @providers;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -104,7 +104,7 @@ sub setup_route_marking() {
sub copy_table( $$ ) {
my ( $duplicate, $number ) = @_;
emit ( "ip route show table $duplicate | while read net route; do",
' case $net in',
' default|nexthop)',
@ -119,7 +119,7 @@ sub copy_table( $$ ) {
sub copy_and_edit_table( $$$ ) {
my ( $duplicate, $number, $copy ) = @_;
emit ( "ip route show table $duplicate | while read net route; do",
' case $net in',
' default|nexthop)',
@ -137,18 +137,18 @@ sub copy_and_edit_table( $$$ ) {
sub balance_default_route( $$$ ) {
my ( $weight, $gateway, $interface ) = @_;
$balance = 1;
emit '';
if ( $first_default_route ) {
if ( $gateway ) {
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
} else {
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
}
$first_default_route = 0;
} else {
if ( $gateway ) {
@ -164,21 +164,21 @@ sub add_a_provider( $$$$$$$$ ) {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
fatal_error "Duplicate provider ($table)" if $providers{$table};
for my $providerref ( values %providers ) {
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
}
emit "#\n# Add Provider $table ($number)\n#";
emit "if interface_is_usable $interface; then";
push_indent;
my $iface = chain_base $interface;
emit "${iface}_up=Yes";
emit "qt ip route flush table $number";
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
if ( $duplicate ne '-' ) {
if ( $copy eq '-' ) {
copy_table ( $duplicate, $number );
@ -218,17 +218,17 @@ sub add_a_provider( $$$$$$$$ ) {
my $val = 0;
if ( $mark ne '-' ) {
$val = numeric_value $mark;
verify_mark $mark;
if ( $val < 256) {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
} else {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
}
for my $providerref ( values %providers ) {
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
}
@ -244,9 +244,9 @@ sub add_a_provider( $$$$$$$$ ) {
$providers{$table} = {};
$providers{$table}{number} = $number;
$providers{$table}{mark} = $val;
my ( $loose, $optional ) = (0,0);
unless ( $options eq '-' ) {
for my $option ( split /,/, $options ) {
if ( $option eq 'track' ) {
@ -270,9 +270,9 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $loose ) {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do",
' qt ip rule del from $address',
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
@ -286,12 +286,12 @@ sub add_a_provider( $$$$$$$$ ) {
'done'
);
}
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
pop_indent;
emit 'else';
if ( $optional ) {
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
" ${iface}_up="
@ -299,19 +299,19 @@ sub add_a_provider( $$$$$$$$ ) {
} else {
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
}
emit "fi\n";
}
sub add_an_rtrule( $$$$ ) {
my ( $source, $dest, $provider, $priority ) = @_;
unless ( $providers{$provider} ) {
my $found = 0;
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
my $provider_number = numeric_value $provider;
for my $provider ( keys %providers ) {
if ( $providers{$provider}{number} == $provider_number ) {
$found = 1;
@ -319,14 +319,14 @@ sub add_an_rtrule( $$$$ ) {
}
}
}
fatal_error "Unknown provider ($provider)" unless $found;
}
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
$dest = $dest eq '-' ? '' : "to $dest";
if ( $source eq '-' ) {
$source = '';
} elsif ( $source =~ /:/ ) {
@ -338,21 +338,21 @@ sub add_an_rtrule( $$$$ ) {
} else {
$source = "iif $source";
}
fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
$priority = "priority $priority";
emit ( "qt ip rule del $source $dest $priority",
"run_ip rule add $source $dest $priority table $provider",
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"
);
progress_message " Routing rule \"$currentline\" $done";
}
sub setup_providers() {
my $providers = 0;
my $fn = open_file 'providers';
while ( read_a_line ) {


@ -45,7 +45,7 @@ our @proxyarp;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -145,7 +145,7 @@ sub setup_proxy_arp() {
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
" echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
emit ( 'else' ,
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
emit "fi\n";
}
}


@ -66,7 +66,7 @@ our @param_stack;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -111,12 +111,12 @@ sub process_tos() {
fatal_error "TOS field required" unless $tos ne '-';
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
$tos = $tosval;
} elsif ( numeric_value( $tos ) > 0x1e ) {
fatal_error "Invalid TOS value ($tos)";
}
my $chainref;
my $restriction = NO_RESTRICT;
@ -521,13 +521,13 @@ sub add_common_rules() {
}
run_user_exit1 'initdone';
setup_blacklist;
$list = find_hosts_by_option 'nosmurfs';
$chainref = new_standard_chain 'smurfs';
if ( $capabilities{ADDRTYPE} ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
@ -541,7 +541,7 @@ sub add_common_rules() {
}
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
if ( $capabilities{ADDRTYPE} ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else {
@ -652,7 +652,7 @@ sub add_common_rules() {
add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
}
$list = find_interfaces_by_option 'upnp';
@ -689,7 +689,7 @@ sub setup_mac_lists( $ ) {
my $level = $config{MACLIST_LOG_LEVEL};
my $disposition = $config{MACLIST_DISPOSITION};
my $ttl = $config{MACLIST_TTL};
progress_message2 "$doing MAC Filtration -- Phase $phase...";
for my $hostref ( @$maclist_hosts ) {
@ -761,7 +761,7 @@ sub setup_mac_lists( $ ) {
if ( $addresses ) {
for my $address ( split ',', $addresses ) {
my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if defined $level && $level ne '';
add_rule $chainref , "${mac}${source}-j $targetref->{target}";
}
@ -800,9 +800,9 @@ sub setup_mac_lists( $ ) {
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
if ( $capabilities{ADDRTYPE} ) {
add_commands( $chainref,
add_commands( $chainref,
"for address in $variable; do",
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
@ -810,7 +810,7 @@ sub setup_mac_lists( $ ) {
} else {
my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
add_commands( $chainref,
add_commands( $chainref,
"for address in $variable; do",
" for address1 in $variable1; do",
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
@ -915,12 +915,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
$param = '' unless defined $param;
#
# Determine the validity of the action
#
my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
fatal_error "Unknown action ($action)" unless $actiontype;
if ( $actiontype == MACRO ) {
@ -933,7 +933,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
push @param_stack, $current_param;
$current_param = $param;
}
process_macro( $macros{$basictarget},
$target ,
$current_param,
@ -949,7 +949,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$wildcard );
$macro_nest_level--;
$current_param = pop @param_stack if $param ne '';
return;
@ -988,7 +988,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
my $sourcezone;
my $destzone;
if ( $source =~ /^(.+?):(.*)/ ) {
$sourcezone = $1;
$source = $2;
@ -1004,7 +1004,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$destzone = $dest;
$dest = ALLIPv4;
}
fatal_error "Missing source zone" if $sourcezone eq '-';
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Missing destination zone" if $destzone eq '-';
@ -1069,7 +1069,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
unless ( $section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
$rule .= "-m state --state $section "
$rule .= "-m state --state $section "
}
#
@ -1211,7 +1211,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
#
# Process a Record in the rules file
# Process a Record in the rules file
#
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
#
@ -1264,7 +1264,7 @@ sub process_rule ( $$$$$$$$$$ ) {
} else {
fatal_error "Invalid DEST ($dest)" unless $dest eq 'all';
}
}
my $action = isolate_basic_target $target;
@ -1425,7 +1425,7 @@ sub generate_matrix() {
}
#
# Set a breakpoint in this function if you want to step through generate_matrix().
# Set a breakpoint in this function if you want to step through generate_matrix().
#
sub start_matrix() {
progress_message2 'Generating Rule Matrix...';
@ -1497,7 +1497,7 @@ sub generate_matrix() {
for my $hostref ( @{$arrayref} ) {
my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule(
add_rule(
$filter_table->{forward_chain $interface} ,
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
);
@ -1586,13 +1586,13 @@ sub generate_matrix() {
my $variable = get_interface_bcasts $interface;
my $chain = output_chain $interface;
my $chainref = $filter_table->{$chain};
add_commands( $chainref,
add_commands( $chainref,
"for address in $variable; do",
" echo \"-A $chain -d \$address -j $chain1\" >&3",
'done' );
}
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
}
}
@ -1847,7 +1847,7 @@ sub setup_mss( $ ) {
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
$option = "--set-mss $clampmss";
}
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option";
}


@ -158,7 +158,7 @@ our $prefix = '1';
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -231,7 +231,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) {
if ( $tccmd->{match}($cmd) ) {
fatal_error "$mark not valid with :C[FPT]" if $connmark;
$target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark};
@ -243,9 +243,9 @@ sub process_tc_rule( $$$$$$$$$$ ) {
if ( $rest ) {
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
$mark = $rest if $tccmd->{mask};
if ( $marktype == SMALLMARK ) {
verify_small_mark $mark;
} else {
@ -254,7 +254,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
} elsif ( $tccmd->{mask} ) {
$mark = $tccmd->{mask};
}
last MARK;
}
}
@ -339,7 +339,7 @@ sub convert_rate( $$ ) {
} else {
$rate = rate_to_kbit $rate
}
"${rate}kbit";
}
@ -588,7 +588,7 @@ sub setup_tc() {
} elsif ( $config{TC_ENABLED} eq 'Internal' ) {
setup_traffic_shaping;
}
if ( my $fn = open_file 'tcrules' ) {
while ( read_a_line ) {


@ -84,17 +84,17 @@ sub setup_tunnels() {
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
}
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options";


@ -1,5 +1,5 @@
#
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This module contains the code which deals with /etc/shorewall/zones,
# This module contains the code which deals with /etc/shorewall/zones,
# /etc/shorewall/interfaces and /etc/shorewall/hosts.
#
package Shorewall::Zones;
@ -54,7 +54,7 @@ our @EXPORT = qw( NOTHING
@zones
%zones
$firewall_zone
%interfaces
%interfaces
@interfaces
@bridges );
@ -134,7 +134,7 @@ our @bridges;
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
# the second and subsequent calls to that function.
#
sub initialize() {
@ -285,8 +285,8 @@ sub determine_zones()
}
$zones{$zone} = { type => $type,
parents => \@parents,
exclusions => [],
parents => \@parents,
exclusions => [],
bridge => '',
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) ,
@ -300,7 +300,7 @@ sub determine_zones()
}
fatal_error "No firewall zone defined" unless $firewall_zone;
my $pushed = 1;
my %ordered;
@ -435,7 +435,7 @@ sub single_interface( $ ) {
'';
}
}
}
}
sub add_group_to_zone($$$$$)
{
@ -491,7 +491,7 @@ sub add_group_to_zone($$$$$)
$zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions );
push @{$zoneref->{exclusions}}, @exclusions;
push @{$arrayref}, { options => $options,
hosts => \@newnetworks,
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
@ -533,9 +533,9 @@ sub validate_interfaces_file( $ )
use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2,
ENUM_IF_OPTION => 3,
ENUM_IF_OPTION => 3,
MASK_IF_OPTION => 3,
IF_OPTION_ZONEONLY => 4 };
my %validoptions = (arp_filter => BINARY_IF_OPTION,
@ -569,7 +569,7 @@ sub validate_interfaces_file( $ )
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ($zone, $interface, $networks, $options ) = split_line 2, 4, 'interfaces file';
my $zoneref;
my $bridge = '';
@ -588,7 +588,7 @@ sub validate_interfaces_file( $ )
( $interface, my ($port, $extra) ) = split /:/ , $interface, 3;
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
fatal_error "Invalid Interface Name ($interface)" if $interface eq '+';
@ -620,13 +620,13 @@ sub validate_interfaces_file( $ )
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
$interfaces{$interface}{bridge} = $interface;
}
my $wildcard = 0;
if ( $interface =~ /\+$/ ) {
$wildcard = 1;
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
} else {
} else {
$interfaces{$interface}{root} = $interface;
}
@ -642,7 +642,7 @@ sub validate_interfaces_file( $ )
my $optionsref = {};
my %options;
if ( $options ) {
for my $option (split ',', $options ) {
@ -653,7 +653,7 @@ sub validate_interfaces_file( $ )
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
$type &= MASK_IF_OPTION;
if ( $type == SIMPLE_IF_OPTION ) {
@ -672,7 +672,7 @@ sub validate_interfaces_file( $ )
$options{arp_ignore} = $value;
} else {
fatal_error "Invalid value ($value) for arp_ignore";
}
}
} else {
$options{arp_ignore} = 1;
}
@ -692,7 +692,7 @@ sub validate_interfaces_file( $ )
} elsif ( $port ) {
$options{port} = 1;
}
$interfaces{$interface}{options} = $optionsref = \%options;
push @ifaces, $interface;
@ -713,7 +713,7 @@ sub validate_interfaces_file( $ )
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$currentline\" Validated";
}
@ -723,7 +723,7 @@ sub validate_interfaces_file( $ )
#
for my $interface ( @ifaces ) {
my $interfaceref = $interfaces{$interface};
if ( $interfaceref->{options}{bridge} ) {
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
@ -735,7 +735,7 @@ sub validate_interfaces_file( $ )
}
push @interfaces, $interface unless $interfaceref->{options}{port};
}
}
}
#
@ -902,7 +902,7 @@ sub validate_hosts_file()
#
# Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions
#
$hosts =~ s/!/,!/g;
$hosts =~ s/!/,!/g;
#
# Take care of case where the hosts list begins with '!'
#


@ -31,18 +31,18 @@ use lib '/usr/share/shorewall-perl';
use Shorewall::Config qw( open_file
push_open
pop_open
read_a_line1
split_line
fatal_error
%globals
ensure_config_path
read_a_line1
split_line
fatal_error
%globals
ensure_config_path
set_shorewall_dir
set_config_path );
our $offset = "\t\t ";
our %service_hash;
sub print_it( $$ ) {
my ( $name, $number ) = @_;
my $tabs;
@ -61,7 +61,7 @@ sub print_it( $$ ) {
sub print_service( $$ ) {
my ( $service, $number ) = @_;
unless ( exists $service_hash{$service} ) {
print_it( $service, $number );
$service_hash{$service} = $number;
@ -107,7 +107,7 @@ print <<"EOF";
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# This module exports the %protocols and %services hashes built from
# This module exports the %protocols and %services hashes built from
# /etc/protocols and /etc/services respectively.
#
# Module generated using buildports.pl $globals{VERSION} - $date
@ -132,7 +132,7 @@ while ( read_a_line1 ) {
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
print_it( $proto1, $number );
for my $alias ( @aliases ) {
last if $alias eq '-';
print_it( $alias, $number );


@ -70,7 +70,7 @@
#
@@ -111,20 +90,6 @@
}
#
-# Undo the effect of 'separate_list()'
-#
@ -91,7 +91,7 @@
qt()
@@ -310,83 +275,6 @@
}
#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
@ -150,7 +150,7 @@
-
- if [ -z "$loaded" ]; then
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
-
-
- if [ -f $lib ]; then
- progress_message "Loading library $lib..."
- . $lib
@ -175,7 +175,7 @@
# the IP address is 128.0.0.0 or 128.0.0.1.
@@ -395,32 +283,6 @@
LEFTSHIFT='<<'
#
-# Validate an IP address
-#
@ -196,7 +196,7 @@
- ;;
- esac
- done
-
-
- IFS=$ifs
-
- return 0
@ -208,7 +208,7 @@
decodeaddr() {
@@ -456,88 +318,6 @@
}
#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
@ -297,7 +297,7 @@
ip_netmask() {
@@ -588,60 +368,6 @@
}
#
-# Netmask to VLSM
-#
@ -331,7 +331,7 @@
- case $c in
- @*)
- c=at_${c#@}
- ;;
- ;;
- *.*)
- c="${c%.*}_${c##*.}"
- ;;
@ -358,7 +358,7 @@
chain_exists() # $1 = chain name
@@ -879,21 +605,6 @@
}
#
-# Set default config path
-#
@ -380,7 +380,7 @@
find_file()
@@ -918,54 +629,6 @@
}
#
-# Get fully-qualified name of file
-#
@ -435,7 +435,7 @@
set_state () # $1 = state
@@ -974,200 +637,6 @@
}
#
-# Determine which optional facilities are supported by iptables/netfilter
-#
@ -626,7 +626,7 @@
- report_capability1 MANGLE_FORWARD
- report_capability1 COMMENTS
- report_capability1 ADDRTYPE
-
-
- echo CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
@ -637,7 +637,7 @@
@@ -1286,82 +755,6 @@
cut -b -${1}
}
-#
-# Add a logging rule.
-#
@ -718,8 +718,8 @@
{
clear_one_tc() {
@@ -1496,65 +889,6 @@
echo echo
echo echo
}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:


@ -168,6 +168,6 @@ get_device_mtu1() # $1 = device
#
get_all_bcasts()
{
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}


@ -267,7 +267,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
fi
elif [ $savemoduleinfo = Yes ]; then
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
> ${VARDIR}/.modulesdir
> ${VARDIR}/.modulesdir
> ${VARDIR}/.modules
fi
@ -585,9 +585,9 @@ get_interface_bcasts() # $1 = interface
{
local addresses=
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
# Internal version of 'which'
#
@ -887,7 +887,7 @@ find_echo() {
result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; }
echo echo
echo echo
}
################################################################################
# End of functions imported from /usr/share/shorewall/lib.base