mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
Merge branch 'master' into 4.4.23
This commit is contained in:
commit
95d6e454ba
@ -151,6 +151,7 @@ our %EXPORT_TAGS = (
|
||||
clearrule
|
||||
port_count
|
||||
do_proto
|
||||
do_iproto
|
||||
do_mac
|
||||
do_imac
|
||||
verify_mark
|
||||
@ -3125,6 +3126,181 @@ sub do_mac( $ ) {
|
||||
"-m mac ${invert}--mac-source $mac ";
|
||||
}
|
||||
|
||||
sub do_iproto( $$$ )
|
||||
{
|
||||
my ($proto, $ports, $sports ) = @_;
|
||||
|
||||
my @output = ();
|
||||
|
||||
my $restricted = 1;
|
||||
|
||||
$proto = '' if $proto eq '-';
|
||||
$ports = '' if $ports eq '-';
|
||||
$sports = '' if $sports eq '-';
|
||||
|
||||
if ( $proto ne '' ) {
|
||||
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
|
||||
my $protonum = resolve_proto $proto;
|
||||
|
||||
if ( defined $protonum ) {
|
||||
#
|
||||
# Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent
|
||||
#
|
||||
fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum;
|
||||
|
||||
my $pname = proto_name( $proto = $protonum );
|
||||
#
|
||||
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
||||
#
|
||||
unless ( $synonly ) {
|
||||
@output = ( p => "${invert}${proto}" );
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
|
||||
@output = ( p => "$proto --syn" );
|
||||
}
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
|
||||
|
||||
PROTO:
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
|
||||
if ( port_count ( $ports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
push @output, multiport => "${invert}--dports ${ports}";
|
||||
$multiport = 1;
|
||||
} else {
|
||||
fatal_error "Missing DEST PORT" unless supplied $ports;
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
push @output, dport => "${invert}${ports}";
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
|
||||
if ( port_count( $sports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$sports = validate_port_list $pname , $sports;
|
||||
push @output, multiport => "${invert}--sports ${sports}";
|
||||
} else {
|
||||
fatal_error "Missing SOURCE PORT" unless supplied $sports;
|
||||
$sports = validate_portpair $pname , $sports;
|
||||
push @output, sport => "${invert}${sports}";
|
||||
}
|
||||
}
|
||||
|
||||
last PROTO; }
|
||||
|
||||
if ( $proto == ICMP ) {
|
||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
$types = '';
|
||||
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp $ports;
|
||||
}
|
||||
|
||||
push @output, 'icmp-type' => "${invert}${types}";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
|
||||
if ( $proto == IPv6_ICMP ) {
|
||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
$types = '';
|
||||
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp6 $ports;
|
||||
}
|
||||
|
||||
push @output, 'icmpv6-type' => "${invert}${types}";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
|
||||
|
||||
} # PROTO
|
||||
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' if $synonly;
|
||||
|
||||
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
|
||||
my $p = $2 ? lc $3 : 'tcp';
|
||||
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
||||
$proto = '-p ' . proto_name($p) . ' ';
|
||||
|
||||
my $options = '';
|
||||
|
||||
if ( $ports ne 'ipp2p' ) {
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
}
|
||||
|
||||
$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
|
||||
push @output, ipp2p => "${proto}${options}";
|
||||
} else {
|
||||
fatal_error "Invalid/Unknown protocol ($proto)"
|
||||
}
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# No protocol
|
||||
#
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
|
||||
}
|
||||
|
||||
@output;
|
||||
}
|
||||
|
||||
sub do_imac( $ ) {
|
||||
my $mac = $_[0];
|
||||
|
||||
|
@ -407,7 +407,7 @@ sub setup_netmap() {
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
|
||||
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file';
|
||||
|
||||
validate_net $net1, 0;
|
||||
validate_net $net2, 0;
|
||||
@ -420,6 +420,8 @@ sub setup_netmap() {
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
my @rule = do_iproto( $proto, $sport, $dport );
|
||||
|
||||
unless ( $type =~ /:/ ) {
|
||||
my @rulein;
|
||||
my @ruleout;
|
||||
@ -465,6 +467,7 @@ sub setup_netmap() {
|
||||
targetopts => "--to-dest $net2",
|
||||
imatch_source_net( $net3 ) ,
|
||||
imatch_dest_net( $net1 ) ,
|
||||
@rule ,
|
||||
@match );
|
||||
} else {
|
||||
add_ijump( ensure_chain( $table, $chain ) ,
|
||||
@ -472,6 +475,7 @@ sub setup_netmap() {
|
||||
targetopts => "--to-source $net2",
|
||||
imatch_dest_net( $net3 ) ,
|
||||
imatch_source_net( $net1 ) ,
|
||||
@rule ,
|
||||
@match );
|
||||
}
|
||||
} else {
|
||||
|
@ -20,7 +20,13 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
#
|
||||
# Parameters:
|
||||
#
|
||||
# $1 = Path name of params file
|
||||
# $2 = $CONFIG_PATH
|
||||
# $3 = Address family (4 o4 6)
|
||||
#
|
||||
if [ "$3" = 6 ]; then
|
||||
. /usr/share/shorewall6/lib.base
|
||||
. /usr/share/shorewall6/lib.cli
|
||||
|
@ -6,5 +6,6 @@
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3
|
||||
##############################################################################################
|
||||
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
|
@ -118,6 +118,60 @@
|
||||
network for SNAT rules.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO (Optional - Added in Shorewall
|
||||
4.4.14)</emphasis> -
|
||||
<emphasis>protocol-number-or-name</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Only packets specifying this protocol will have their IP
|
||||
header modified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.14)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||
assumed.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||
any of the following field is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.14)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user