Delete old Shorewall6 Code
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8854 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
8b5792052b
commit
8517734a60
@ -1,761 +0,0 @@
|
|||||||
#! /usr/bin/perl -w
|
|
||||||
#
|
|
||||||
# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.0
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at http://shorewall.net
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
|
|
||||||
package Shorewall::Compiler;
|
|
||||||
require Exporter;
|
|
||||||
use Shorewall::Config;
|
|
||||||
use Shorewall::Chains;
|
|
||||||
use Shorewall::Zones;
|
|
||||||
use Shorewall::Policy;
|
|
||||||
use Shorewall::Tc;
|
|
||||||
use Shorewall::Tunnels;
|
|
||||||
use Shorewall::Actions;
|
|
||||||
use Shorewall::Accounting;
|
|
||||||
use Shorewall::Rules;
|
|
||||||
use Shorewall::Proc;
|
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
|
||||||
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
|
|
||||||
our @EXPORT_OK = qw( $export );
|
|
||||||
our $VERSION = '4.04';
|
|
||||||
|
|
||||||
our $export;
|
|
||||||
|
|
||||||
our $reused = 0;
|
|
||||||
|
|
||||||
use constant { EXPORT => 0x01 ,
|
|
||||||
TIMESTAMP => 0x02 ,
|
|
||||||
DEBUG => 0x04 };
|
|
||||||
|
|
||||||
#
|
|
||||||
# Reinitilize the package-globals in the other modules
|
|
||||||
#
|
|
||||||
sub reinitialize() {
|
|
||||||
Shorewall::Config::initialize;
|
|
||||||
Shorewall::Chains::initialize;
|
|
||||||
Shorewall::Zones::initialize;
|
|
||||||
Shorewall::Policy::initialize;
|
|
||||||
Shorewall::Tc::initialize;
|
|
||||||
Shorewall::Actions::initialize;
|
|
||||||
Shorewall::Accounting::initialize;
|
|
||||||
Shorewall::Rules::initialize;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# First stage of script generation.
|
|
||||||
#
|
|
||||||
# Copy the prog.header to the generated script.
|
|
||||||
# Generate the various user-exit jacket functions.
|
|
||||||
# Generate the 'initialize()' function.
|
|
||||||
#
|
|
||||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
|
||||||
# than those related to writing to the object file.
|
|
||||||
|
|
||||||
sub generate_script_1() {
|
|
||||||
|
|
||||||
my $date = localtime;
|
|
||||||
|
|
||||||
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#";
|
|
||||||
|
|
||||||
copy $globals{SHAREDIRPL} . 'prog.header';
|
|
||||||
|
|
||||||
for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed/ {
|
|
||||||
emit "\nrun_${exit}_exit() {";
|
|
||||||
push_indent;
|
|
||||||
append_file $exit or emit 'true';
|
|
||||||
pop_indent;
|
|
||||||
emit '}';
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( '',
|
|
||||||
'#',
|
|
||||||
'# This function initializes the global variables used by the program',
|
|
||||||
'#',
|
|
||||||
'initialize()',
|
|
||||||
'{',
|
|
||||||
' #',
|
|
||||||
' # These variables are required by the library functions called in this script',
|
|
||||||
' #'
|
|
||||||
);
|
|
||||||
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
if ( $export ) {
|
|
||||||
emit ( 'SHAREDIR=/usr/share/shorewall-lite',
|
|
||||||
'CONFDIR=/etc/shorewall-lite',
|
|
||||||
'PRODUCT="Shorewall Lite"'
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
emit ( 'SHAREDIR=/usr/share/shorewall',
|
|
||||||
'CONFDIR=/etc/shorewall',
|
|
||||||
'PRODUCT=\'Shorewall\'',
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
|
|
||||||
|
|
||||||
if ( $export ) {
|
|
||||||
emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
|
|
||||||
'[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
|
|
||||||
} else {
|
|
||||||
emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
|
|
||||||
'[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit 'TEMPFILE=';
|
|
||||||
|
|
||||||
propagateconfig;
|
|
||||||
|
|
||||||
emit ( '[ -n "${COMMAND:=restart}" ]',
|
|
||||||
'[ -n "${VERBOSE:=0}" ]',
|
|
||||||
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
|
|
||||||
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
|
|
||||||
qq(VERSION="$globals{VERSION}") ,
|
|
||||||
qq(PATH="$config{PATH}") ,
|
|
||||||
'TERMINATOR=fatal_error' ,
|
|
||||||
''
|
|
||||||
);
|
|
||||||
|
|
||||||
if ( $config{IP6TABLES} ) {
|
|
||||||
emit( qq(IP6TABLES="$config{IP6TABLES}"),
|
|
||||||
'[ -x "$IP6TABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"',
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
emit( '[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich ip6tables) # /sbin/shorewall6 exports IP6TABLES',
|
|
||||||
'[ -n "$IP6TABLES" -a -x "$IP6TABLES" ] || startup_error "Can\'t find ip6tables executable"'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
|
|
||||||
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
|
|
||||||
|
|
||||||
append_file 'params' if $config{EXPORTPARAMS};
|
|
||||||
|
|
||||||
emit ( '',
|
|
||||||
"STOPPING=",
|
|
||||||
'',
|
|
||||||
'#',
|
|
||||||
'# The library requires that ${VARDIR} exist',
|
|
||||||
'#',
|
|
||||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
|
||||||
);
|
|
||||||
|
|
||||||
emit ( '',
|
|
||||||
'#',
|
|
||||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
|
||||||
'#',
|
|
||||||
'qt $IP6TABLES -N foox1234',
|
|
||||||
'qt $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
|
|
||||||
'result=$?',
|
|
||||||
'qt $IP6TABLES -F foox1234',
|
|
||||||
'qt $IP6TABLES -X foox1234',
|
|
||||||
'[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
|
|
||||||
'' );
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit "}\n"; # End of initialize()
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
sub compile_stop_firewall() {
|
|
||||||
|
|
||||||
emit <<'EOF';
|
|
||||||
#
|
|
||||||
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
|
||||||
#
|
|
||||||
stop_firewall() {
|
|
||||||
|
|
||||||
deletechain() {
|
|
||||||
qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1
|
|
||||||
}
|
|
||||||
|
|
||||||
deleteallchains() {
|
|
||||||
$IP6TABLES -F
|
|
||||||
$IP6TABLES -X
|
|
||||||
}
|
|
||||||
|
|
||||||
setcontinue() {
|
|
||||||
$IP6TABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
}
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
stop|clear|restore)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
set +x
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT start failed"
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT restart failed"
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
logger -p kern.err "ERROR:$PRODUCT restore failed"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ "$RESTOREFILE" = NONE ]; then
|
|
||||||
COMMAND=clear
|
|
||||||
clear_firewall
|
|
||||||
echo "$PRODUCT Cleared"
|
|
||||||
|
|
||||||
kill $$
|
|
||||||
exit 2
|
|
||||||
else
|
|
||||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
|
||||||
|
|
||||||
if [ -x $RESTOREPATH ]; then
|
|
||||||
echo Restoring ${PRODUCT:=Shorewall6}...
|
|
||||||
|
|
||||||
if $RESTOREPATH restore; then
|
|
||||||
echo "$PRODUCT restored from $RESTOREPATH"
|
|
||||||
set_state "Started"
|
|
||||||
else
|
|
||||||
set_state "Unknown"
|
|
||||||
fi
|
|
||||||
|
|
||||||
kill $$
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
set_state "Stopping"
|
|
||||||
|
|
||||||
STOPPING="Yes"
|
|
||||||
|
|
||||||
TERMINATOR=
|
|
||||||
|
|
||||||
deletechain shorewall
|
|
||||||
|
|
||||||
run_stop_exit;
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
|
||||||
emit <<'EOF';
|
|
||||||
run_iptables -t mangle -F
|
|
||||||
run_iptables -t mangle -X
|
|
||||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
|
||||||
qt $IP6TABLES -t mangle -P $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $capabilities{RAW_TABLE} ) {
|
|
||||||
emit <<'EOF';
|
|
||||||
run_ip6tables -t raw -F
|
|
||||||
run_ip6tables -t raw -X
|
|
||||||
for chain in PREROUTING OUTPUT; do
|
|
||||||
qt $IP6TABLES -t raw -P $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
emit 'delete_tc1' if $config{CLEAR_TC};
|
|
||||||
|
|
||||||
my $criticalhosts = process_criticalhosts;
|
|
||||||
|
|
||||||
if ( @$criticalhosts ) {
|
|
||||||
if ( $config{ADMINISABSENTMINDED} ) {
|
|
||||||
emit ( 'for chain in INPUT OUTPUT; do',
|
|
||||||
' setpolicy $chain ACCEPT',
|
|
||||||
'done',
|
|
||||||
'',
|
|
||||||
'setpolicy FORWARD DROP',
|
|
||||||
'',
|
|
||||||
'deleteallchains',
|
|
||||||
''
|
|
||||||
);
|
|
||||||
|
|
||||||
for my $hosts ( @$criticalhosts ) {
|
|
||||||
my ( $interface, $host ) = ( split /:/, $hosts );
|
|
||||||
my $source = match_source_net $host;
|
|
||||||
my $dest = match_dest_net $host;
|
|
||||||
|
|
||||||
emit( "\$IP6TABLES -A INPUT -i $interface $source -j ACCEPT",
|
|
||||||
"\$IP6TABLES -A OUTPUT -o $interface $dest -j ACCEPT"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
emit( '',
|
|
||||||
'for chain in INPUT OUTPUT; do',
|
|
||||||
' setpolicy $chain DROP',
|
|
||||||
"done\n"
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
emit( '',
|
|
||||||
'for chain in INPUT OUTPUT; do',
|
|
||||||
' setpolicy \$chain ACCEPT',
|
|
||||||
'done',
|
|
||||||
'',
|
|
||||||
'setpolicy FORWARD DROP',
|
|
||||||
'',
|
|
||||||
"deleteallchains\n"
|
|
||||||
);
|
|
||||||
|
|
||||||
for my $hosts ( @$criticalhosts ) {
|
|
||||||
my ( $interface, $host ) = ( split /:/, $hosts );
|
|
||||||
my $source = match_source_net $host;
|
|
||||||
my $dest = match_dest_net $host;
|
|
||||||
|
|
||||||
emit( "\$IP6TABLES -A INPUT -i $interface $source -j ACCEPT",
|
|
||||||
"\$IP6TABLES -A OUTPUT -o $interface $dest -j ACCEPT"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
emit( "\nsetpolicy INPUT DROP",
|
|
||||||
'',
|
|
||||||
'for chain in INPUT FORWARD; do',
|
|
||||||
' setcontinue $chain',
|
|
||||||
"done\n"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
} elsif ( $config{ADMINISABSENTMINDED} ) {
|
|
||||||
emit( 'for chain in INPUT FORWARD; do',
|
|
||||||
' setpolicy $chain DROP',
|
|
||||||
'done',
|
|
||||||
'',
|
|
||||||
'setpolicy OUTPUT ACCEPT',
|
|
||||||
'',
|
|
||||||
'deleteallchains',
|
|
||||||
'',
|
|
||||||
'for chain in INPUT FORWARD; do',
|
|
||||||
' setcontinue $chain',
|
|
||||||
"done\n",
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
emit( 'for chain in INPUT OUTPUT FORWARD; do',
|
|
||||||
' setpolicy $chain DROP',
|
|
||||||
'done',
|
|
||||||
'',
|
|
||||||
"deleteallchains\n"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
process_routestopped;
|
|
||||||
|
|
||||||
emit( '$IP6TABLES -A INPUT -i lo -j ACCEPT',
|
|
||||||
'$IP6TABLES -A OUTPUT -o lo -j ACCEPT'
|
|
||||||
);
|
|
||||||
|
|
||||||
emit '$IP6TABLES -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
|
|
||||||
|
|
||||||
my $interfaces = find_interfaces_by_option 'dhcp';
|
|
||||||
|
|
||||||
for my $interface ( @$interfaces ) {
|
|
||||||
emit "\$IP6TABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
|
|
||||||
emit "\$IP6TABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
|
||||||
#
|
|
||||||
# This might be a bridge
|
|
||||||
#
|
|
||||||
emit "\$IP6TABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
|
|
||||||
}
|
|
||||||
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
|
||||||
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
|
||||||
'progress_message2 IP Forwarding Enabled' );
|
|
||||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
|
||||||
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
|
|
||||||
'progress_message2 IP Forwarding Disabled!'
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
emit 'run_stopped_exit';
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit '
|
|
||||||
set_state "Stopped"
|
|
||||||
|
|
||||||
logger -p kern.info "$PRODUCT Stopped"
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
stop|clear)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
#
|
|
||||||
# The firewall is being stopped when we were trying to do something
|
|
||||||
# else. Kill the shell in case we\'re running in a subshell
|
|
||||||
#
|
|
||||||
kill $$
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
';
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Second Phase of Script Generation
|
|
||||||
#
|
|
||||||
# copies the 'prog.functions' file into the script, generates
|
|
||||||
# clear_routing_and_traffic_shaping() and the first part of
|
|
||||||
# 'setup_routing_and_traffic_shaping()'
|
|
||||||
#
|
|
||||||
# The bulk of that function is produced by the various config file
|
|
||||||
# parsing routines that are called directly out of 'compiler()'.
|
|
||||||
#
|
|
||||||
# We create two separate functions rather than one so that the
|
|
||||||
# define_firewall() shell can set global IP configuration variables
|
|
||||||
# after the old config has been cleared and before we start instantiating
|
|
||||||
# the new config. That way, the variables reflect the way that the
|
|
||||||
# distribution's tools have configured IP without any Shorewall
|
|
||||||
# modifications.
|
|
||||||
#
|
|
||||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
|
||||||
# than those related to writing to the object file.
|
|
||||||
#
|
|
||||||
sub generate_script_2 () {
|
|
||||||
|
|
||||||
copy $globals{SHAREDIRPL} . 'prog.functions';
|
|
||||||
|
|
||||||
emit( '',
|
|
||||||
'#',
|
|
||||||
'# Clear Routing and Traffic Shaping',
|
|
||||||
'#',
|
|
||||||
'clear_routing_and_traffic_shaping() {'
|
|
||||||
);
|
|
||||||
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
save_progress_message 'Initializing...';
|
|
||||||
|
|
||||||
if ( $export ) {
|
|
||||||
my $fn = find_file 'modules';
|
|
||||||
|
|
||||||
if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
|
|
||||||
emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
|
|
||||||
emit 'cat > ${VARDIR}/.modules << EOF';
|
|
||||||
open_file $fn;
|
|
||||||
while ( read_a_line ) {
|
|
||||||
emit_unindented $currentline;
|
|
||||||
}
|
|
||||||
emit_unindented 'EOF';
|
|
||||||
emit 'reload_kernel_modules < ${VARDIR}/.modules';
|
|
||||||
} else {
|
|
||||||
emit 'load_kernel_modules Yes';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
emit 'load_kernel_modules Yes';
|
|
||||||
}
|
|
||||||
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
|
||||||
'',
|
|
||||||
);
|
|
||||||
|
|
||||||
emit "delete_tc1\n" if $config{CLEAR_TC};
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit "}\n";
|
|
||||||
|
|
||||||
emit( '#',
|
|
||||||
'# Setup Routing and Traffic Shaping',
|
|
||||||
'#',
|
|
||||||
'setup_routing_and_traffic_shaping() {'
|
|
||||||
);
|
|
||||||
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Third (final) stage of script generation.
|
|
||||||
#
|
|
||||||
# Generate the end of 'setup_routing_and_traffic_shaping()':
|
|
||||||
# Generate code for loading the various files in /var/lib/shorewall6[-lite]
|
|
||||||
#
|
|
||||||
# Generate the 'setup_netfilter()' function that runs ip6tables-restore.
|
|
||||||
# Generate the 'define_firewall()' function.
|
|
||||||
#
|
|
||||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
|
||||||
# than those related to writing to the object file.
|
|
||||||
#
|
|
||||||
sub generate_script_3($) {
|
|
||||||
|
|
||||||
emit( '',
|
|
||||||
'if [ "$COMMAND" != refresh ]; then' );
|
|
||||||
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
emit 'cat > ${VARDIR}/chains << __EOF__';
|
|
||||||
dump_rule_chains;
|
|
||||||
emit_unindented '__EOF__';
|
|
||||||
|
|
||||||
emit 'cat > ${VARDIR}/zones << __EOF__';
|
|
||||||
dump_zone_contents;
|
|
||||||
emit_unindented '__EOF__';
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit "fi\n";
|
|
||||||
|
|
||||||
add_addresses;
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit "}\n";
|
|
||||||
|
|
||||||
progress_message2 "Creating ip6tables-restore input...";
|
|
||||||
create_netfilter_load;
|
|
||||||
create_chainlist_reload( $_[0] );
|
|
||||||
|
|
||||||
emit "#\n# Start/Restart the Firewall\n#";
|
|
||||||
emit 'define_firewall() {';
|
|
||||||
push_indent;
|
|
||||||
|
|
||||||
emit "\nclear_routing_and_traffic_shaping";
|
|
||||||
|
|
||||||
set_global_variables;
|
|
||||||
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
emit<<'EOF';
|
|
||||||
setup_routing_and_traffic_shaping
|
|
||||||
|
|
||||||
if [ $COMMAND = restore ]; then
|
|
||||||
ip6tables_save_file=${VARDIR}/$(basename $0)-ip6tables
|
|
||||||
if [ -f $ip6tables_save_file ]; then
|
|
||||||
cat $ip6tables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux
|
|
||||||
else
|
|
||||||
fatal_error "$ip6tables_save_file does not exist"
|
|
||||||
fi
|
|
||||||
set_state "Started"
|
|
||||||
else
|
|
||||||
if [ $COMMAND = refresh ]; then
|
|
||||||
chainlist_reload
|
|
||||||
run_refreshed_exit
|
|
||||||
$IP6TABLES -N shorewall
|
|
||||||
set_state "Started"
|
|
||||||
else
|
|
||||||
setup_netfilter
|
|
||||||
restore_dynamic_rules
|
|
||||||
run_start_exit
|
|
||||||
$IP6TABLES -N shorewall
|
|
||||||
set_state "Started"
|
|
||||||
run_started_exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
cp -f $(my_pathname) ${VARDIR}/.restore
|
|
||||||
fi
|
|
||||||
|
|
||||||
date > ${VARDIR}/restarted
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
logger -p kern.info "$PRODUCT started"
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
logger -p kern.info "$PRODUCT restarted"
|
|
||||||
;;
|
|
||||||
refresh)
|
|
||||||
logger -p kern.info "$PRODUCT refreshed"
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
logger -p kern.info "$PRODUCT restored"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
EOF
|
|
||||||
|
|
||||||
pop_indent;
|
|
||||||
|
|
||||||
emit "}\n";
|
|
||||||
|
|
||||||
copy $globals{SHAREDIRPL} . 'prog.footer';
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# The Compiler.
|
|
||||||
#
|
|
||||||
# If the first argument is non-null, it names the script file to generate.
|
|
||||||
# Otherwise, this is a 'check' command and no script is produced.
|
|
||||||
#
|
|
||||||
sub compiler( $$$$$ ) {
|
|
||||||
|
|
||||||
my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_;
|
|
||||||
|
|
||||||
$export = 0;
|
|
||||||
|
|
||||||
reinitialize if $reused++;
|
|
||||||
|
|
||||||
if ( $directory ne '' ) {
|
|
||||||
fatal_error "$directory is not an existing directory" unless -d $directory;
|
|
||||||
set_shorewall_dir( $directory );
|
|
||||||
}
|
|
||||||
|
|
||||||
set_verbose( $verbosity ) unless $verbosity eq '';
|
|
||||||
$export = 1 if $options & EXPORT;
|
|
||||||
set_timestamp( 1 ) if $options & TIMESTAMP;
|
|
||||||
set_debug( 1 ) if $options & DEBUG;
|
|
||||||
#
|
|
||||||
# Get shorewall.conf and capabilities.
|
|
||||||
#
|
|
||||||
get_configuration( $export );
|
|
||||||
|
|
||||||
report_capabilities;
|
|
||||||
|
|
||||||
require_capability( 'MULTIPORT' , "Shorewall6 $globals{VERSION}" , 's' );
|
|
||||||
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
|
|
||||||
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
|
|
||||||
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
|
|
||||||
|
|
||||||
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
|
|
||||||
|
|
||||||
initialize_chain_table;
|
|
||||||
|
|
||||||
unless ( $command eq 'check' ) {
|
|
||||||
create_temp_object( $objectfile );
|
|
||||||
generate_script_1;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Process the zones file.
|
|
||||||
#
|
|
||||||
determine_zones;
|
|
||||||
#
|
|
||||||
# Process the interfaces file.
|
|
||||||
#
|
|
||||||
validate_interfaces_file ( $export );
|
|
||||||
#
|
|
||||||
# Process the hosts file.
|
|
||||||
#
|
|
||||||
validate_hosts_file;
|
|
||||||
#
|
|
||||||
# Report zone contents
|
|
||||||
#
|
|
||||||
zone_report;
|
|
||||||
#
|
|
||||||
# Do action pre-processing.
|
|
||||||
#
|
|
||||||
process_actions1;
|
|
||||||
#
|
|
||||||
# Process the Policy File.
|
|
||||||
#
|
|
||||||
validate_policy;
|
|
||||||
#
|
|
||||||
# Compile the 'stop_firewall()' function
|
|
||||||
#
|
|
||||||
compile_stop_firewall;
|
|
||||||
#
|
|
||||||
# Start Second Part of script
|
|
||||||
#
|
|
||||||
generate_script_2 unless $command eq 'check';
|
|
||||||
#
|
|
||||||
# Set up MSS rules
|
|
||||||
#
|
|
||||||
setup_mss;
|
|
||||||
#
|
|
||||||
# Do all of the zone-independent stuff
|
|
||||||
#
|
|
||||||
add_common_rules;
|
|
||||||
#
|
|
||||||
# /proc stuff
|
|
||||||
#
|
|
||||||
setup_arp_filtering;
|
|
||||||
setup_route_filtering;
|
|
||||||
setup_martian_logging;
|
|
||||||
setup_source_routing;
|
|
||||||
setup_forwarding;
|
|
||||||
#
|
|
||||||
# Handle MSS setings in the zones file
|
|
||||||
#
|
|
||||||
setup_zone_mss;
|
|
||||||
#
|
|
||||||
# TOS
|
|
||||||
#
|
|
||||||
process_tos;
|
|
||||||
#
|
|
||||||
# ECN
|
|
||||||
#
|
|
||||||
setup_ecn;
|
|
||||||
#
|
|
||||||
# MACLIST Filtration
|
|
||||||
#
|
|
||||||
setup_mac_lists 1;
|
|
||||||
#
|
|
||||||
# Process the rules file.
|
|
||||||
#
|
|
||||||
process_rules;
|
|
||||||
#
|
|
||||||
# Add Tunnel rules.
|
|
||||||
#
|
|
||||||
setup_tunnels;
|
|
||||||
#
|
|
||||||
# Post-rules action processing.
|
|
||||||
#
|
|
||||||
process_actions2;
|
|
||||||
process_actions3;
|
|
||||||
#
|
|
||||||
# MACLIST Filtration again
|
|
||||||
#
|
|
||||||
setup_mac_lists 2;
|
|
||||||
#
|
|
||||||
# Apply Policies
|
|
||||||
#
|
|
||||||
apply_policy_rules;
|
|
||||||
#
|
|
||||||
# TCRules and Traffic Shaping
|
|
||||||
#
|
|
||||||
setup_tc;
|
|
||||||
#
|
|
||||||
# Accounting.
|
|
||||||
#
|
|
||||||
setup_accounting;
|
|
||||||
#
|
|
||||||
# We generate the matrix even though we don't write out the rules. That way, we insure that
|
|
||||||
# a compile of the script won't blow up during that step.
|
|
||||||
#
|
|
||||||
generate_matrix;
|
|
||||||
|
|
||||||
if ( $command eq 'check' ) {
|
|
||||||
progress_message3 "Shorewall configuration verified";
|
|
||||||
} else {
|
|
||||||
#
|
|
||||||
# Finish the script.
|
|
||||||
#
|
|
||||||
generate_script_3( $chains );
|
|
||||||
finalize_object ( $export );
|
|
||||||
#
|
|
||||||
# And generate the auxilary config file
|
|
||||||
#
|
|
||||||
generate_aux_config if $export;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
@ -1,518 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at http://shorewall.net
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
# This module exports the %protocols and %services hashes built from
|
|
||||||
# /etc/protocols and /etc/services respectively.
|
|
||||||
#
|
|
||||||
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
|
|
||||||
#
|
|
||||||
package Shorewall::Ports;
|
|
||||||
|
|
||||||
use strict;
|
|
||||||
use warnings;
|
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
|
||||||
our @EXPORT = qw( %protocols %services );
|
|
||||||
our @EXPORT_OK = qw();
|
|
||||||
our $VERSION = '4.00';
|
|
||||||
|
|
||||||
our %protocols = (
|
|
||||||
ip => 0,
|
|
||||||
IP => 0,
|
|
||||||
icmp => 1,
|
|
||||||
ICMP => 1,
|
|
||||||
igmp => 2,
|
|
||||||
IGMP => 2,
|
|
||||||
ggp => 3,
|
|
||||||
GGP => 3,
|
|
||||||
ipencap => 4,
|
|
||||||
'IP-ENCAP' => 4,
|
|
||||||
st => 5,
|
|
||||||
ST => 5,
|
|
||||||
tcp => 6,
|
|
||||||
TCP => 6,
|
|
||||||
egp => 8,
|
|
||||||
EGP => 8,
|
|
||||||
igp => 9,
|
|
||||||
IGP => 9,
|
|
||||||
pup => 12,
|
|
||||||
PUP => 12,
|
|
||||||
udp => 17,
|
|
||||||
UDP => 17,
|
|
||||||
hmp => 20,
|
|
||||||
HMP => 20,
|
|
||||||
'xns-idp' => 22,
|
|
||||||
'XNS-IDP' => 22,
|
|
||||||
rdp => 27,
|
|
||||||
RDP => 27,
|
|
||||||
'iso-tp4' => 29,
|
|
||||||
'ISO-TP4' => 29,
|
|
||||||
xtp => 36,
|
|
||||||
XTP => 36,
|
|
||||||
ddp => 37,
|
|
||||||
DDP => 37,
|
|
||||||
'idpr-cmtp' => 38,
|
|
||||||
'IDPR-CMTP' => 38,
|
|
||||||
ipv6 => 41,
|
|
||||||
IPv6 => 41,
|
|
||||||
'ipv6-route' => 43,
|
|
||||||
'IPv6-Route' => 43,
|
|
||||||
'ipv6-frag' => 44,
|
|
||||||
'IPv6-Frag' => 44,
|
|
||||||
idrp => 45,
|
|
||||||
IDRP => 45,
|
|
||||||
rsvp => 46,
|
|
||||||
RSVP => 46,
|
|
||||||
gre => 47,
|
|
||||||
GRE => 47,
|
|
||||||
esp => 50,
|
|
||||||
'IPSEC-ESP' => 50,
|
|
||||||
ah => 51,
|
|
||||||
'IPSEC-AH' => 51,
|
|
||||||
skip => 57,
|
|
||||||
SKIP => 57,
|
|
||||||
'ipv6-icmp' => 58,
|
|
||||||
'IPv6-ICMP' => 58,
|
|
||||||
'ipv6-nonxt' => 59,
|
|
||||||
'IPv6-NoNxt' => 59,
|
|
||||||
'ipv6-opts' => 60,
|
|
||||||
'IPv6-Opts' => 60,
|
|
||||||
rspf => 73,
|
|
||||||
RSPF => 73,
|
|
||||||
CPHB => 73,
|
|
||||||
vmtp => 81,
|
|
||||||
VMTP => 81,
|
|
||||||
eigrp => 88,
|
|
||||||
EIGRP => 88,
|
|
||||||
ospf => 89,
|
|
||||||
OSPFIGP => 89,
|
|
||||||
'ax.25' => 93,
|
|
||||||
'AX.25' => 93,
|
|
||||||
ipip => 94,
|
|
||||||
IPIP => 94,
|
|
||||||
etherip => 97,
|
|
||||||
ETHERIP => 97,
|
|
||||||
encap => 98,
|
|
||||||
ENCAP => 98,
|
|
||||||
pim => 103,
|
|
||||||
PIM => 103,
|
|
||||||
ipcomp => 108,
|
|
||||||
IPCOMP => 108,
|
|
||||||
vrrp => 112,
|
|
||||||
VRRP => 112,
|
|
||||||
l2tp => 115,
|
|
||||||
L2TP => 115,
|
|
||||||
isis => 124,
|
|
||||||
ISIS => 124,
|
|
||||||
sctp => 132,
|
|
||||||
SCTP => 132,
|
|
||||||
fc => 133,
|
|
||||||
FC => 133,
|
|
||||||
);
|
|
||||||
|
|
||||||
our %services = (
|
|
||||||
tcpmux => 1,
|
|
||||||
echo => 7,
|
|
||||||
discard => 9,
|
|
||||||
sink => 9,
|
|
||||||
null => 9,
|
|
||||||
systat => 11,
|
|
||||||
users => 11,
|
|
||||||
daytime => 13,
|
|
||||||
netstat => 15,
|
|
||||||
qotd => 17,
|
|
||||||
quote => 17,
|
|
||||||
msp => 18,
|
|
||||||
chargen => 19,
|
|
||||||
ttytst => 19,
|
|
||||||
source => 19,
|
|
||||||
'ftp-data' => 20,
|
|
||||||
ftp => 21,
|
|
||||||
fsp => 21,
|
|
||||||
fspd => 21,
|
|
||||||
ssh => 22,
|
|
||||||
telnet => 23,
|
|
||||||
smtp => 25,
|
|
||||||
mail => 25,
|
|
||||||
time => 37,
|
|
||||||
timserver => 37,
|
|
||||||
rlp => 39,
|
|
||||||
resource => 39,
|
|
||||||
nameserver => 42,
|
|
||||||
name => 42,
|
|
||||||
whois => 43,
|
|
||||||
nicname => 43,
|
|
||||||
tacacs => 49,
|
|
||||||
're-mail-ck' => 50,
|
|
||||||
domain => 53,
|
|
||||||
mtp => 57,
|
|
||||||
'tacacs-ds' => 65,
|
|
||||||
bootps => 67,
|
|
||||||
bootpc => 68,
|
|
||||||
tftp => 69,
|
|
||||||
gopher => 70,
|
|
||||||
rje => 77,
|
|
||||||
netrjs => 77,
|
|
||||||
finger => 79,
|
|
||||||
www => 80,
|
|
||||||
http => 80,
|
|
||||||
link => 87,
|
|
||||||
ttylink => 87,
|
|
||||||
kerberos => 88,
|
|
||||||
kerberos5 => 88,
|
|
||||||
krb5 => 88,
|
|
||||||
'kerberos-sec' => 88,
|
|
||||||
supdup => 95,
|
|
||||||
hostnames => 101,
|
|
||||||
hostname => 101,
|
|
||||||
'iso-tsap' => 102,
|
|
||||||
tsap => 102,
|
|
||||||
'acr-nema' => 104,
|
|
||||||
dicom => 104,
|
|
||||||
'csnet-ns' => 105,
|
|
||||||
'cso-ns' => 105,
|
|
||||||
rtelnet => 107,
|
|
||||||
pop2 => 109,
|
|
||||||
postoffice => 109,
|
|
||||||
'pop-2' => 109,
|
|
||||||
pop3 => 110,
|
|
||||||
'pop-3' => 110,
|
|
||||||
sunrpc => 111,
|
|
||||||
portmapper => 111,
|
|
||||||
auth => 113,
|
|
||||||
authentication => 113,
|
|
||||||
tap => 113,
|
|
||||||
ident => 113,
|
|
||||||
sftp => 115,
|
|
||||||
'uucp-path' => 117,
|
|
||||||
nntp => 119,
|
|
||||||
readnews => 119,
|
|
||||||
untp => 119,
|
|
||||||
ntp => 123,
|
|
||||||
pwdgen => 129,
|
|
||||||
'loc-srv' => 135,
|
|
||||||
epmap => 135,
|
|
||||||
'netbios-ns' => 137,
|
|
||||||
'netbios-dgm' => 138,
|
|
||||||
'netbios-ssn' => 139,
|
|
||||||
imap2 => 143,
|
|
||||||
imap => 143,
|
|
||||||
snmp => 161,
|
|
||||||
'snmp-trap' => 162,
|
|
||||||
snmptrap => 162,
|
|
||||||
'cmip-man' => 163,
|
|
||||||
'cmip-agent' => 164,
|
|
||||||
mailq => 174,
|
|
||||||
xdmcp => 177,
|
|
||||||
nextstep => 178,
|
|
||||||
NeXTStep => 178,
|
|
||||||
NextStep => 178,
|
|
||||||
bgp => 179,
|
|
||||||
prospero => 191,
|
|
||||||
irc => 194,
|
|
||||||
smux => 199,
|
|
||||||
'at-rtmp' => 201,
|
|
||||||
'at-nbp' => 202,
|
|
||||||
'at-echo' => 204,
|
|
||||||
'at-zis' => 206,
|
|
||||||
qmtp => 209,
|
|
||||||
z3950 => 210,
|
|
||||||
wais => 210,
|
|
||||||
ipx => 213,
|
|
||||||
imap3 => 220,
|
|
||||||
pawserv => 345,
|
|
||||||
zserv => 346,
|
|
||||||
fatserv => 347,
|
|
||||||
rpc2portmap => 369,
|
|
||||||
codaauth2 => 370,
|
|
||||||
clearcase => 371,
|
|
||||||
Clearcase => 371,
|
|
||||||
ulistserv => 372,
|
|
||||||
ldap => 389,
|
|
||||||
imsp => 406,
|
|
||||||
https => 443,
|
|
||||||
snpp => 444,
|
|
||||||
'microsoft-ds' => 445,
|
|
||||||
kpasswd => 464,
|
|
||||||
saft => 487,
|
|
||||||
isakmp => 500,
|
|
||||||
rtsp => 554,
|
|
||||||
nqs => 607,
|
|
||||||
'npmp-local' => 610,
|
|
||||||
dqs313_qmaster => 610,
|
|
||||||
'npmp-gui' => 611,
|
|
||||||
dqs313_execd => 611,
|
|
||||||
'hmmp-ind' => 612,
|
|
||||||
dqs313_intercell => 612,
|
|
||||||
ipp => 631,
|
|
||||||
exec => 512,
|
|
||||||
biff => 512,
|
|
||||||
comsat => 512,
|
|
||||||
login => 513,
|
|
||||||
who => 513,
|
|
||||||
whod => 513,
|
|
||||||
shell => 514,
|
|
||||||
cmd => 514,
|
|
||||||
syslog => 514,
|
|
||||||
printer => 515,
|
|
||||||
spooler => 515,
|
|
||||||
talk => 517,
|
|
||||||
ntalk => 518,
|
|
||||||
route => 520,
|
|
||||||
router => 520,
|
|
||||||
routed => 520,
|
|
||||||
timed => 525,
|
|
||||||
timeserver => 525,
|
|
||||||
tempo => 526,
|
|
||||||
newdate => 526,
|
|
||||||
courier => 530,
|
|
||||||
rpc => 530,
|
|
||||||
conference => 531,
|
|
||||||
chat => 531,
|
|
||||||
netnews => 532,
|
|
||||||
netwall => 533,
|
|
||||||
gdomap => 538,
|
|
||||||
uucp => 540,
|
|
||||||
uucpd => 540,
|
|
||||||
klogin => 543,
|
|
||||||
kshell => 544,
|
|
||||||
krcmd => 544,
|
|
||||||
afpovertcp => 548,
|
|
||||||
remotefs => 556,
|
|
||||||
rfs_server => 556,
|
|
||||||
rfs => 556,
|
|
||||||
nntps => 563,
|
|
||||||
snntp => 563,
|
|
||||||
submission => 587,
|
|
||||||
ldaps => 636,
|
|
||||||
tinc => 655,
|
|
||||||
silc => 706,
|
|
||||||
'kerberos-adm' => 749,
|
|
||||||
webster => 765,
|
|
||||||
rsync => 873,
|
|
||||||
'ftps-data' => 989,
|
|
||||||
ftps => 990,
|
|
||||||
telnets => 992,
|
|
||||||
imaps => 993,
|
|
||||||
ircs => 994,
|
|
||||||
pop3s => 995,
|
|
||||||
socks => 1080,
|
|
||||||
proofd => 1093,
|
|
||||||
rootd => 1094,
|
|
||||||
openvpn => 1194,
|
|
||||||
rmiregistry => 1099,
|
|
||||||
kazaa => 1214,
|
|
||||||
nessus => 1241,
|
|
||||||
lotusnote => 1352,
|
|
||||||
lotusnotes => 1352,
|
|
||||||
'ms-sql-s' => 1433,
|
|
||||||
'ms-sql-m' => 1434,
|
|
||||||
ingreslock => 1524,
|
|
||||||
'prospero-np' => 1525,
|
|
||||||
datametrics => 1645,
|
|
||||||
'old-radius' => 1645,
|
|
||||||
'sa-msg-port' => 1646,
|
|
||||||
'old-radacct' => 1646,
|
|
||||||
kermit => 1649,
|
|
||||||
l2f => 1701,
|
|
||||||
l2tp => 1701,
|
|
||||||
radius => 1812,
|
|
||||||
'radius-acct' => 1813,
|
|
||||||
radacct => 1813,
|
|
||||||
msnp => 1863,
|
|
||||||
'unix-status' => 1957,
|
|
||||||
'log-server' => 1958,
|
|
||||||
remoteping => 1959,
|
|
||||||
nfs => 2049,
|
|
||||||
'rtcm-sc104' => 2101,
|
|
||||||
cvspserver => 2401,
|
|
||||||
venus => 2430,
|
|
||||||
'venus-se' => 2431,
|
|
||||||
codasrv => 2432,
|
|
||||||
'codasrv-se' => 2433,
|
|
||||||
mon => 2583,
|
|
||||||
dict => 2628,
|
|
||||||
gpsd => 2947,
|
|
||||||
gds_db => 3050,
|
|
||||||
icpv2 => 3130,
|
|
||||||
icp => 3130,
|
|
||||||
mysql => 3306,
|
|
||||||
nut => 3493,
|
|
||||||
distcc => 3632,
|
|
||||||
daap => 3689,
|
|
||||||
svn => 3690,
|
|
||||||
subversion => 3690,
|
|
||||||
iax => 4569,
|
|
||||||
'radmin-port' => 4899,
|
|
||||||
rfe => 5002,
|
|
||||||
mmcc => 5050,
|
|
||||||
sip => 5060,
|
|
||||||
'sip-tls' => 5061,
|
|
||||||
aol => 5190,
|
|
||||||
'xmpp-client' => 5222,
|
|
||||||
'jabber-client' => 5222,
|
|
||||||
'xmpp-server' => 5269,
|
|
||||||
'jabber-server' => 5269,
|
|
||||||
cfengine => 5308,
|
|
||||||
postgresql => 5432,
|
|
||||||
postgres => 5432,
|
|
||||||
x11 => 6000,
|
|
||||||
'x11-0' => 6000,
|
|
||||||
'x11-1' => 6001,
|
|
||||||
'x11-2' => 6002,
|
|
||||||
'x11-3' => 6003,
|
|
||||||
'x11-4' => 6004,
|
|
||||||
'x11-5' => 6005,
|
|
||||||
'x11-6' => 6006,
|
|
||||||
'x11-7' => 6007,
|
|
||||||
'gnutella-svc' => 6346,
|
|
||||||
'gnutella-rtr' => 6347,
|
|
||||||
'afs3-fileserver' => 7000,
|
|
||||||
bbs => 7000,
|
|
||||||
'afs3-callback' => 7001,
|
|
||||||
'afs3-prserver' => 7002,
|
|
||||||
'afs3-vlserver' => 7003,
|
|
||||||
'afs3-kaserver' => 7004,
|
|
||||||
'afs3-volser' => 7005,
|
|
||||||
'afs3-errors' => 7006,
|
|
||||||
'afs3-bos' => 7007,
|
|
||||||
'afs3-update' => 7008,
|
|
||||||
'afs3-rmtsys' => 7009,
|
|
||||||
'font-service' => 7100,
|
|
||||||
xfs => 7100,
|
|
||||||
'bacula-dir' => 9101,
|
|
||||||
'bacula-fd' => 9102,
|
|
||||||
'bacula-sd' => 9103,
|
|
||||||
amanda => 10080,
|
|
||||||
hkp => 11371,
|
|
||||||
bprd => 13720,
|
|
||||||
bpdbm => 13721,
|
|
||||||
'bpjava-msvc' => 13722,
|
|
||||||
vnetd => 13724,
|
|
||||||
bpcd => 13782,
|
|
||||||
vopied => 13783,
|
|
||||||
wnn6 => 22273,
|
|
||||||
kerberos4 => 750,
|
|
||||||
'kerberos-iv' => 750,
|
|
||||||
kdc => 750,
|
|
||||||
kerberos_master => 751,
|
|
||||||
passwd_server => 752,
|
|
||||||
krb_prop => 754,
|
|
||||||
krb5_prop => 754,
|
|
||||||
hprop => 754,
|
|
||||||
krbupdate => 760,
|
|
||||||
kreg => 760,
|
|
||||||
swat => 901,
|
|
||||||
kpop => 1109,
|
|
||||||
knetd => 2053,
|
|
||||||
'zephyr-srv' => 2102,
|
|
||||||
'zephyr-clt' => 2103,
|
|
||||||
'zephyr-hm' => 2104,
|
|
||||||
eklogin => 2105,
|
|
||||||
kx => 2111,
|
|
||||||
iprop => 2121,
|
|
||||||
supfilesrv => 871,
|
|
||||||
supfiledbg => 1127,
|
|
||||||
linuxconf => 98,
|
|
||||||
poppassd => 106,
|
|
||||||
ssmtp => 465,
|
|
||||||
smtps => 465,
|
|
||||||
moira_db => 775,
|
|
||||||
moira_update => 777,
|
|
||||||
moira_ureg => 779,
|
|
||||||
spamd => 783,
|
|
||||||
omirr => 808,
|
|
||||||
omirrd => 808,
|
|
||||||
customs => 1001,
|
|
||||||
skkserv => 1178,
|
|
||||||
predict => 1210,
|
|
||||||
rmtcfg => 1236,
|
|
||||||
wipld => 1300,
|
|
||||||
xtel => 1313,
|
|
||||||
xtelw => 1314,
|
|
||||||
support => 1529,
|
|
||||||
sieve => 2000,
|
|
||||||
cfinger => 2003,
|
|
||||||
ndtp => 2010,
|
|
||||||
frox => 2121,
|
|
||||||
ninstall => 2150,
|
|
||||||
zebrasrv => 2600,
|
|
||||||
zebra => 2601,
|
|
||||||
ripd => 2602,
|
|
||||||
ripngd => 2603,
|
|
||||||
ospfd => 2604,
|
|
||||||
bgpd => 2605,
|
|
||||||
ospf6d => 2606,
|
|
||||||
ospfapi => 2607,
|
|
||||||
isisd => 2608,
|
|
||||||
afbackup => 2988,
|
|
||||||
afmbackup => 2989,
|
|
||||||
xtell => 4224,
|
|
||||||
fax => 4557,
|
|
||||||
hylafax => 4559,
|
|
||||||
distmp3 => 4600,
|
|
||||||
munin => 4949,
|
|
||||||
lrrd => 4949,
|
|
||||||
'enbd-cstatd' => 5051,
|
|
||||||
'enbd-sstatd' => 5052,
|
|
||||||
pcrd => 5151,
|
|
||||||
noclog => 5354,
|
|
||||||
hostmon => 5355,
|
|
||||||
rplay => 5555,
|
|
||||||
rptp => 5556,
|
|
||||||
nsca => 5667,
|
|
||||||
mrtd => 5674,
|
|
||||||
bgpsim => 5675,
|
|
||||||
canna => 5680,
|
|
||||||
'sane-port' => 6566,
|
|
||||||
sane => 6566,
|
|
||||||
saned => 6566,
|
|
||||||
ircd => 6667,
|
|
||||||
'zope-ftp' => 8021,
|
|
||||||
webcache => 8080,
|
|
||||||
tproxy => 8081,
|
|
||||||
omniorb => 8088,
|
|
||||||
'clc-build-daemon' => 8990,
|
|
||||||
xinetd => 9098,
|
|
||||||
mandelspawn => 9359,
|
|
||||||
mandelbrot => 9359,
|
|
||||||
zope => 9673,
|
|
||||||
kamanda => 10081,
|
|
||||||
amandaidx => 10082,
|
|
||||||
amidxtape => 10083,
|
|
||||||
smsqp => 11201,
|
|
||||||
xpilot => 15345,
|
|
||||||
'sgi-cmsd' => 17001,
|
|
||||||
'sgi-crsd' => 17002,
|
|
||||||
'sgi-gcd' => 17003,
|
|
||||||
'sgi-cad' => 17004,
|
|
||||||
isdnlog => 20011,
|
|
||||||
vboxd => 20012,
|
|
||||||
binkp => 24554,
|
|
||||||
asp => 27374,
|
|
||||||
csync2 => 30865,
|
|
||||||
dircproxy => 57000,
|
|
||||||
tfido => 60177,
|
|
||||||
fido => 60179,
|
|
||||||
);
|
|
||||||
|
|
||||||
1;
|
|
@ -1,102 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall-6 4.1 -- /usr/share/shorewall6/Shorewall6/IPAddrs.pm
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at http://shorewall.net
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
# This module provides interfaces for dealing with IPv6 addresses.
|
|
||||||
#
|
|
||||||
package Shorewall::IPAddrs;
|
|
||||||
require Exporter;
|
|
||||||
use Shorewall::Config;
|
|
||||||
|
|
||||||
use strict;
|
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
|
||||||
our @EXPORT = qw( ALLIPv6
|
|
||||||
|
|
||||||
validate_address
|
|
||||||
validate_net
|
|
||||||
validate_host
|
|
||||||
validate_range
|
|
||||||
ip_range_explicit
|
|
||||||
allipv6
|
|
||||||
);
|
|
||||||
our @EXPORT_OK = qw( );
|
|
||||||
our $VERSION = '4.03';
|
|
||||||
|
|
||||||
#
|
|
||||||
# Some IPv6 useful stuff
|
|
||||||
#
|
|
||||||
our @allipv6 = ( '::/0' );
|
|
||||||
|
|
||||||
sub allipv6() {
|
|
||||||
@allipv6
|
|
||||||
}
|
|
||||||
|
|
||||||
use constant { ALLIPv6 => '::/0' };
|
|
||||||
|
|
||||||
sub valid_address( $ ) {
|
|
||||||
my $address = $_[0];
|
|
||||||
|
|
||||||
my @address = split /:/, $address;
|
|
||||||
|
|
||||||
return 0 if @address > 8;
|
|
||||||
return 0 if @address < 8 && ! $address =~ /::/;
|
|
||||||
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
|
|
||||||
|
|
||||||
if ( $address =~ /^:/ ) {
|
|
||||||
unless ( $address eq '::' ) {
|
|
||||||
return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
|
|
||||||
}
|
|
||||||
} elsif ( $address =~ /:$/ ) {
|
|
||||||
return 0 if $address =~ /::.*:$/;
|
|
||||||
}
|
|
||||||
|
|
||||||
for my $a ( @address ) {
|
|
||||||
return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
}
|
|
||||||
|
|
||||||
sub validate_address( $ ) {
|
|
||||||
my $addr = $_[0];
|
|
||||||
|
|
||||||
unless ( valid_address $addr ) {
|
|
||||||
fatal_error "Unknown Host ($addr)" unless defined gethostbyname $addr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub validate_net( $ ) {
|
|
||||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
|
||||||
|
|
||||||
fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
|
|
||||||
|
|
||||||
if ( defined $vlsm ) {
|
|
||||||
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 64;
|
|
||||||
fatal_error "Invalid Network address ($_[0])" if defined $rest;
|
|
||||||
fatal_error "Invalid IPv6 address ($net)" unless valid_address $net;
|
|
||||||
} else {
|
|
||||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
|
|
||||||
validate_address $net;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|