Bring trunk up to date with branch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c27b3fb5b7
commit
8472d60c28
@ -42,6 +42,7 @@ loadmodule xt_limit
|
||||
loadmodule xt_mac
|
||||
loadmodule xt_mark
|
||||
loadmodule xt_MARK
|
||||
loadmodule xt_multiport
|
||||
loadmodule xt_NFLOG
|
||||
loadmodule xt_NFQUEUE
|
||||
loadmodule xt_physdev
|
||||
|
@ -213,13 +213,13 @@ our %interfacebcasts;
|
||||
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
|
||||
|
||||
#
|
||||
# State of the generator.
|
||||
# Mode of the generator.
|
||||
#
|
||||
use constant { NULL_STATE => 0 , # Generating neither shell commands nor iptables-restore input
|
||||
CAT_STATE => 1 , # Generating iptables-restore input
|
||||
CMD_STATE => 2 }; # Generating shell commands.
|
||||
use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptables-restore input
|
||||
CAT_MODE => 1 , # Generating iptables-restore input
|
||||
CMD_MODE => 2 }; # Generating shell commands.
|
||||
|
||||
our $state;
|
||||
our $mode;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
@ -1838,18 +1838,18 @@ sub insertnatjump( $$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub emit_comment( $ ) {
|
||||
sub emit_comment() {
|
||||
emit ( '#',
|
||||
'# Establish the values of shell variables used in the following function calls',
|
||||
'#' );
|
||||
${$_[0]} = 1;
|
||||
our $emitted_comment = 1;
|
||||
}
|
||||
|
||||
sub emit_test( $ ) {
|
||||
sub emit_test() {
|
||||
emit ( 'if [ "$COMMAND" != restore ]; then' ,
|
||||
'' );
|
||||
push_indent;
|
||||
${$_[0]} = 1;
|
||||
our $emitted_test = 1;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1857,28 +1857,28 @@ sub emit_test( $ ) {
|
||||
#
|
||||
sub set_global_variables() {
|
||||
|
||||
my ( $emitted_comment, $emitted_test ) = (0, 0);
|
||||
our ( $emitted_comment, $emitted_test ) = (0, 0);
|
||||
|
||||
for ( values %interfaceaddr ) {
|
||||
emit_comment( \$emitted_comment ) unless $emitted_comment;
|
||||
emit_comment unless $emitted_comment;
|
||||
emit $_;
|
||||
}
|
||||
|
||||
for ( values %interfaceaddrs ) {
|
||||
emit_comment( \$emitted_comment ) unless $emitted_comment;
|
||||
emit_test( \$emitted_test ) unless $emitted_test;
|
||||
emit_comment unless $emitted_comment;
|
||||
emit_test unless $emitted_test;
|
||||
emit $_;
|
||||
}
|
||||
|
||||
for ( values %interfacenets ) {
|
||||
emit_comment( \$emitted_comment ) unless $emitted_comment;
|
||||
emit_test( \$emitted_test ) unless $emitted_test;
|
||||
emit_comment unless $emitted_comment;
|
||||
emit_test unless $emitted_test;
|
||||
emit $_;
|
||||
}
|
||||
|
||||
unless ( $capabilities{ADDRTYPE} ) {
|
||||
emit_comment( \$emitted_comment ) unless $emitted_comment;
|
||||
emit_test( \$emitted_test ) unless $emitted_test;
|
||||
emit_comment unless $emitted_comment;
|
||||
emit_test unless $emitted_test;
|
||||
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
|
||||
|
||||
for ( values %interfacebcasts ) {
|
||||
@ -1900,19 +1900,19 @@ sub set_global_variables() {
|
||||
# We may have to generate part of the input at run-time. The rules array in each chain
|
||||
# table entry may contain rules (begin with '-A') or shell source. We alternate between
|
||||
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
|
||||
# (CAT_STATE) and and writing shell source into the generated script.
|
||||
# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
|
||||
#
|
||||
# The following two functions are responsible for the state transitions.
|
||||
# The following two functions are responsible for the mode transitions.
|
||||
#
|
||||
sub enter_cat_state() {
|
||||
sub enter_cat_mode() {
|
||||
emit '';
|
||||
emit 'cat >&3 << __EOF__';
|
||||
$state = CAT_STATE;
|
||||
$mode = CAT_MODE;
|
||||
}
|
||||
|
||||
sub enter_cmd_state() {
|
||||
emit_unindented "__EOF__\n" if $state == CAT_STATE;
|
||||
$state = CMD_STATE;
|
||||
sub enter_cmd_mode() {
|
||||
emit_unindented "__EOF__\n" if $mode == CAT_MODE;
|
||||
$mode = CMD_MODE;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1925,13 +1925,13 @@ sub emitr( $ ) {
|
||||
#
|
||||
# A rule
|
||||
#
|
||||
enter_cat_state unless $state == CAT_STATE;
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
emit_unindented $rule;
|
||||
} else {
|
||||
#
|
||||
# A command
|
||||
#
|
||||
enter_cmd_state unless $state == CMD_STATE;
|
||||
enter_cmd_mode unless $mode == CMD_MODE;
|
||||
emit $rule;
|
||||
}
|
||||
}
|
||||
@ -1948,7 +1948,7 @@ sub create_netfilter_load() {
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$state = NULL_STATE;
|
||||
$mode = NULL_MODE;
|
||||
|
||||
emit ( 'setup_netfilter()',
|
||||
'{'
|
||||
@ -1962,7 +1962,7 @@ sub create_netfilter_load() {
|
||||
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
|
||||
enter_cat_state;
|
||||
enter_cat_mode;
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
emit_unindented "*$table";
|
||||
@ -1991,22 +1991,19 @@ sub create_netfilter_load() {
|
||||
}
|
||||
}
|
||||
#
|
||||
# then emit the rules
|
||||
# Then emit the rules
|
||||
#
|
||||
for my $chainref ( @chains ) {
|
||||
my $name = $chainref->{name};
|
||||
for my $rule ( @{$chainref->{rules}} ) {
|
||||
emitr $rule;
|
||||
}
|
||||
emitr $_ for ( @{$chainref->{rules}} );
|
||||
}
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_state unless $state == CAT_STATE;
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
emit_unindented 'COMMIT';
|
||||
}
|
||||
|
||||
enter_cmd_state;
|
||||
enter_cmd_mode;
|
||||
#
|
||||
# Now generate the actual iptables-restore command
|
||||
#
|
||||
@ -2030,7 +2027,7 @@ sub create_netfilter_load() {
|
||||
#
|
||||
sub create_blacklist_reload() {
|
||||
|
||||
$state = NULL_STATE;
|
||||
$mode = NULL_MODE;
|
||||
|
||||
emit( 'blacklist_reload()',
|
||||
'{'
|
||||
@ -2044,22 +2041,22 @@ sub create_blacklist_reload() {
|
||||
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
|
||||
enter_cat_state;
|
||||
enter_cat_mode;
|
||||
|
||||
emit_unindented '*filter';
|
||||
emit_unindented ':blacklst - [0:0]';
|
||||
|
||||
for my $rule ( @{$filter_table->{blacklst}{rules}} ) {
|
||||
emitr $rule;
|
||||
}
|
||||
#
|
||||
# Emit the Blacklist rules
|
||||
#
|
||||
emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_state unless $state == CAT_STATE;
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
|
||||
emit_unindented 'COMMIT';
|
||||
|
||||
enter_cmd_state;
|
||||
enter_cmd_mode;
|
||||
#
|
||||
# Now generate the actual iptables-restore command
|
||||
#
|
||||
|
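Review bot: In the `@ -1838` hunk, `emit_comment` and `emit_test` now set package globals that are declared ad hoc with `our` inside three different subs, so their behaviour depends on `set_global_variables` having executed `our ( $emitted_comment, $emitted_test ) = (0, 0)` first in the same package, and nothing at any declaration site says so. I would declare them once with the other file-level globals, next to `our $mode;` in the `@ -213` hunk, as `our ( $emitted_comment, $emitted_test );  # reset by set_global_variables before each run` and drop the `our` from the assignments in the subs. `$mode` carries the same kind of dependency: `enter_cmd_mode` compares it numerically, and it is only meaningful after `create_netfilter_load`/`create_blacklist_reload` assign `NULL_MODE`, so a `# Must be set to NULL_MODE before any enter_*_mode call` on `our $mode;` would help the next reader. set_global_variables, create_netfilter_load and create_blacklist_reload all continue outside the hunks shown.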
@ -604,6 +604,11 @@ sub generate_script_3() {
|
||||
dump_proxy_arp;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
emit( '',
|
||||
'if [ "$COMMAND" != refresh ]; then' );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit 'cat > ${VARDIR}/chains << __EOF__';
|
||||
dump_rule_chains;
|
||||
emit_unindented '__EOF__';
|
||||
@ -612,6 +617,10 @@ sub generate_script_3() {
|
||||
dump_zone_contents;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
|
||||
emit '> ${VARDIR}/nat';
|
||||
|
||||
add_addresses;
|
||||
|
@ -587,11 +587,11 @@ sub create_temp_object( $ ) {
|
||||
|
||||
die if $@;
|
||||
|
||||
fatal_error "Directory $dir does not exist" unless -d $dir;
|
||||
fatal_error "Directory $dir is not writable" unless -w _;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $dir;
|
||||
fatal_error "$objectfile is a Directory" if -d $objectfile;
|
||||
fatal_error "$dir is a Symbolic Link" if -l $objectfile;
|
||||
fatal_error "Directory $dir does not exist" unless -d _;
|
||||
fatal_error "Directory $dir is not writable" unless -w _;
|
||||
fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
|
||||
fatal_error "$objectfile is a Directory" if -d _;
|
||||
fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
|
||||
|
||||
eval {
|
||||
@ -864,12 +864,13 @@ sub read_a_line() {
|
||||
|
||||
my @line = split ' ', $currentline;
|
||||
|
||||
fatal_error "Invalid INCLUDE command: $currentline" if @line != 2;
|
||||
fatal_error "INCLUDEs nested too deeply: $currentline" if @includestack >= 4;
|
||||
fatal_error "Invalid INCLUDE command" if @line != 2;
|
||||
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
|
||||
|
||||
my $filename = find_file $line[1];
|
||||
|
||||
fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
|
||||
fatal_error "INCLUDE file $filename not found" unless -f $filename;
|
||||
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
|
||||
|
||||
if ( -s _ ) {
|
||||
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
|
||||
|
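Review bot: In the read_a_line hunk the new `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;` is unreachable: it is only evaluated after `-f $filename` has succeeded, and a path that passes `-f` is a regular file, so an INCLUDE of a directory still dies with the misleading "not found" message. Test existence first and let the directory check reuse the cached stat: `fatal_error "INCLUDE file $filename not found" unless -e $filename;` / `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;` / `fatal_error "INCLUDE file $filename is not a regular file" unless -f _;`. The create_temp_object hunk gets the ordering right (`-l` first, then `-d _` on the same stat buffer), and its checks run before the `eval` that follows, so whatever that block does with `$objectfile` is presumably still separated from the checks by a check-then-use window worth noting in a comment. Both subs continue outside the hunks.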
@ -200,9 +200,9 @@ sub validate_policy()
|
||||
fatal_error "Invalid policy $policy" unless exists $validpolicies{$policy};
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
|
||||
fatal_error "NONE policy not allowed with \"all\""
|
||||
if $clientwild || $serverwild;
|
||||
fatal_error "$client, $server, $policy, $loglevel, $synparams: NONE policy not allowed to/from firewall zone"
|
||||
fatal_error "NONE policy not allowed to/from firewall zone"
|
||||
if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
|
||||
}
|
||||
|
||||
|
@ -294,7 +294,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
if ( $optional ) {
|
||||
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" );
|
||||
} else {
|
||||
emit( " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
|
||||
emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
|
||||
}
|
||||
|
||||
emit "fi\n";
|
||||
|
@ -1617,11 +1617,7 @@ sub generate_matrix() {
|
||||
next unless $chain;
|
||||
|
||||
if ( $zone eq $zone1 ) {
|
||||
#
|
||||
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
|
||||
#
|
||||
no warnings;
|
||||
next if ( %{ $zoneref->{interfaces} } < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||
next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||
}
|
||||
|
||||
if ( $zone1ref->{type} eq 'bport4' ) {
|
||||
@ -1675,12 +1671,7 @@ sub generate_matrix() {
|
||||
my $num_ifaces = 0;
|
||||
|
||||
if ( $zone eq $zone1 ) {
|
||||
#
|
||||
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
|
||||
#
|
||||
no warnings;
|
||||
next ZONE1 if ( $num_ifaces = %{$zoneref->{interfaces}} ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||
use warnings;
|
||||
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||
|
||||
if ( $chain3 ) {
|
||||
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
|
||||
|
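Review bot: In the second generate_matrix hunk the replacement line still buries an assignment inside the condition, `next ZONE1 if ( $num_ifaces = scalar( keys ( ... ) ) ) < 2 && ...`, which is easy to misread as a comparison now that the `no warnings` block that motivated the compact form is gone. I would hoist it: `$num_ifaces = keys %{ $zoneref->{interfaces} };` on its own line (keys in scalar context is already the count), followed by `next ZONE1 if $num_ifaces < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );`. The first hunk can use the same `keys %{ ... } < 2` spelling so the two tests read alike. generate_matrix begins and ends outside both hunks.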
@ -425,16 +425,12 @@ sub dump_zone_contents()
|
||||
sub single_interface( $ ) {
|
||||
my $zone = $_[0];
|
||||
my $zoneref = $zones{$zone};
|
||||
|
||||
fatal_error "Internal Error in single_zone()" unless $zoneref;
|
||||
|
||||
{
|
||||
no warnings;
|
||||
if ( %{$zoneref->{interfaces}} == 1 ) {
|
||||
( keys %{$zoneref->{interfaces}} )[0];
|
||||
} else {
|
||||
'';
|
||||
}
|
||||
}
|
||||
my @keys = keys( %{$zoneref->{interfaces}} );
|
||||
|
||||
@keys == 1 ? $keys[0] : '';
|
||||
}
|
||||
|
||||
sub add_group_to_zone($$$$$)
|
||||
|
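Review bot: The `fatal_error "Internal Error in single_zone()"` context line in single_interface names the wrong sub and the rewrite of this function leaves it in place; it should read `fatal_error "Internal Error in single_interface()" unless $zoneref;`. The new body also ends in a bare ternary as the implicit return value; `return @keys == 1 ? $keys[0] : '';` makes the intent explicit. A one-line comment such as `# The zone's only interface name, or '' when it has zero or several` would record the contract callers rely on.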
@ -1,4 +1,3 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Clear Proxy Arp
|
||||
#
|
||||
@ -145,24 +144,6 @@ restore_dynamic_rules() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# The following functions also appear in lib.base. They are duplicated here so that
|
||||
# restore scripts from prior versions continue to work.
|
||||
#
|
||||
get_device_mtu1() # $1 = device
|
||||
{
|
||||
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
|
||||
local mtu
|
||||
|
||||
if [ -n "$output" ]; then
|
||||
mtu=$(find_mtu $output)
|
||||
if [ -n "$mtu" ]; then
|
||||
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
|
||||
fi
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Get a list of all configured broadcast addresses on the system
|
||||
#
|
||||
@ -170,4 +151,3 @@ get_all_bcasts()
|
||||
{
|
||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
|
@ -1671,11 +1671,11 @@ add_a_rule() {
|
||||
|
||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||
for adr in $(separate_list $addr); do
|
||||
run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
|
||||
run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
|
||||
done
|
||||
addr=
|
||||
else
|
||||
run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
|
||||
run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain
|
||||
fi
|
||||
|
||||
cli=
|
||||
@ -1884,7 +1884,7 @@ __EOF__
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||
$user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
|
||||
$user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
|
||||
@ -1899,7 +1899,7 @@ __EOF__
|
||||
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
$state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
if [ -n "$nonat" ]; then
|
||||
@ -1922,7 +1922,7 @@ __EOF__
|
||||
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $sports $multiport $cli $dports)
|
||||
$state $(fix_bang $proto $multiport $sports $cli $dports)
|
||||
fi
|
||||
|
||||
[ -n "$nonat" ] && \
|
||||
|
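Review bot: Every changed line in the add_a_rule hunks (`@ -1671`, `@ -1884`, `@ -1899`, `@ -1922`) and in the add_an_action hunks that follow only swaps `$sports $multiport` to `$multiport $sports` inside the `fix_bang` argument list, presumably because the multiport module must be named before the port options it introduces, but nothing in the code records that ordering constraint, so a later edit can silently reintroduce the old order. I would add a comment at the first such call, e.g. `# $multiport must precede $sports/$dports in the iptables argument list`, and note that the `run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports` lines already use that order. The `[ -n "$addr" -a -n "$CONNTRACK_MATCH" ]` test at the top of the first hunk relies on the obsolescent `-a` binary of `test`; `[ -n "$addr" ] && [ -n "$CONNTRACK_MATCH" ]` is the portable form. add_a_rule continues outside the hunks.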
@ -80,7 +80,7 @@ add_an_action()
|
||||
{
|
||||
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
|
||||
|
||||
run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
|
||||
run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1
|
||||
|
||||
cli=
|
||||
proto=
|
||||
@ -219,7 +219,7 @@ add_an_action()
|
||||
for srv in $(firewall_ip_range $serv1); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dest_interface $dports)
|
||||
$(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports)
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
|
||||
@ -229,7 +229,7 @@ add_an_action()
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
||||
$(fix_bang $proto $multiport $sports $cli $dest_interface $dports)
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
|
||||
|
@ -175,7 +175,7 @@ setup_traffic_shaping()
|
||||
|
||||
dev=$(chain_base $device)
|
||||
|
||||
save_command "if interface_is_usable $device; then"
|
||||
save_command "if interface_is_up $device; then"
|
||||
indent="$INDENT"
|
||||
INDENT="$INDENT "
|
||||
save_command ${dev}_exists=Yes
|
||||
@ -201,7 +201,7 @@ setup_traffic_shaping()
|
||||
INDENT="$indent"
|
||||
save_command else
|
||||
INDENT="$INDENT "
|
||||
save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
|
||||
save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\""
|
||||
save_command "${dev}_exists="
|
||||
INDENT="$indent"
|
||||
save_command "fi"
|
||||
|
@ -1136,7 +1136,7 @@ DROP net fw udp 10619</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq17">
|
||||
<title>(FAQ 17) Why are these packets being Dropped/Rejected?/How do I
|
||||
<title>(FAQ 17) Why are these packets being Dropped/Rejected? How do I
|
||||
decode Shorewall log messages?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> Logging of
|
||||
|