extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 16:54:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into 4.4.23

Browse Source
This commit is contained in:
Tom Eastep 2011-09-12 16:49:30 -07:00
commit 95d6e454ba
5 changed files with 245 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -151,6 +151,7 @@ our %EXPORT_TAGS = (
clearrule
port_count
do_proto
do_iproto
do_mac
do_imac
verify_mark
@ -3125,6 +3126,181 @@ sub do_mac( $ ) {
"-m mac ${invert}--mac-source $mac ";
}
sub do_iproto( $$$ )
{
my ($proto, $ports, $sports ) = @_;
my @output = ();
my $restricted = 1;
$proto = '' if $proto eq '-';
$ports = '' if $ports eq '-';
$sports = '' if $sports eq '-';
if ( $proto ne '' ) {
my $synonly = ( $proto =~ s/:syn$//i );
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto;
if ( defined $protonum ) {
#
# Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent
#
fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum;
my $pname = proto_name( $proto = $protonum );
#
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
#
unless ( $synonly ) {
@output = ( p => "${invert}${proto}" );
} else {
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
@output = ( p => "$proto --syn" );
}
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
PROTO:
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
if ( port_count ( $ports ) > 15 ) {
if ( $restricted ) {
fatal_error "A port list in this file may only have up to 15 ports";
} elsif ( $invert ) {
fatal_error "An inverted port list may only have up to 15 ports";
}
}
$ports = validate_port_list $pname , $ports;
push @output, multiport => "${invert}--dports ${ports}";
$multiport = 1;
} else {
fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports;
push @output, dport => "${invert}${ports}";
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
}
if ( $sports ne '' ) {
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
fatal_error "A port list in this file may only have up to 15 ports";
} elsif ( $invert ) {
fatal_error "An inverted port list may only have up to 15 ports";
}
}
$sports = validate_port_list $pname , $sports;
push @output, multiport => "${invert}--sports ${sports}";
} else {
fatal_error "Missing SOURCE PORT" unless supplied $sports;
$sports = validate_portpair $pname , $sports;
push @output, sport => "${invert}${sports}";
}
}
last PROTO; }
if ( $proto == ICMP ) {
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
my $types;
if ( $ports =~ /,/ ) {
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
$types = '';
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
}
} else {
$types = validate_icmp $ports;
}
push @output, 'icmp-type' => "${invert}${types}";
}
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
last PROTO; }
if ( $proto == IPv6_ICMP ) {
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
my $types;
if ( $ports =~ /,/ ) {
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
$types = '';
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
}
} else {
$types = validate_icmp6 $ports;
}
push @output, 'icmpv6-type' => "${invert}${types}";
}
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
last PROTO; }
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO
} else {
fatal_error '":syn" is only allowed with tcp' if $synonly;
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
my $p = $2 ? lc $3 : 'tcp';
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
$proto = '-p ' . proto_name($p) . ' ';
my $options = '';
if ( $ports ne 'ipp2p' ) {
$options .= " --$_" for split /,/, $ports;
}
$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
push @output, ipp2p => "${proto}${options}";
} else {
fatal_error "Invalid/Unknown protocol ($proto)"
}
}
} else {
#
# No protocol
#
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
}
@output;
}
sub do_imac( $ ) {
my $mac = $_[0];

6
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -407,7 +407,7 @@ sub setup_netmap() {
while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file';
validate_net $net1, 0;
validate_net $net2, 0;
@ -420,6 +420,8 @@ sub setup_netmap() {
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
my @rule = do_iproto( $proto, $sport, $dport );
unless ( $type =~ /:/ ) {
my @rulein;
my @ruleout;
@ -465,6 +467,7 @@ sub setup_netmap() {
targetopts => "--to-dest $net2",
imatch_source_net( $net3 ) ,
imatch_dest_net( $net1 ) ,
@rule ,
@match );
} else {
add_ijump( ensure_chain( $table, $chain ) ,
@ -472,6 +475,7 @@ sub setup_netmap() {
targetopts => "--to-source $net2",
imatch_dest_net( $net3 ) ,
imatch_source_net( $net1 ) ,
@rule ,
@match );
}
} else {

8
Shorewall/Perl/getparams
View File

@ -20,7 +20,13 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Parameters:
#
# $1 = Path name of params file
# $2 = $CONFIG_PATH
# $3 = Address family (4 o4 6)
#
if [ "$3" = 6 ]; then
. /usr/share/shorewall6/lib.base
. /usr/share/shorewall6/lib.cli

5
Shorewall/configfiles/netmap
View File

@ -6,5 +6,6 @@
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
###############################################################################
#TYPE NET1 INTERFACE NET2 NET3
##############################################################################################
#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE
# PORT(S) PORT(S)

54
manpages/shorewall-netmap.xml
View File

@ -118,6 +118,60 @@
network for SNAT rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO (Optional - Added in Shorewall
4.4.14)</emphasis> -
<emphasis>protocol-number-or-name</emphasis></term>
<listitem>
<para>Only packets specifying this protocol will have their IP
header modified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.14)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
<para>Destination Ports. A comma-separated list of Port names (from
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.14)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
<para>Source port(s). If omitted, any source port is acceptable.
Specified as a comma-separated list of port names, port numbers or
port ranges.</para>
<para>An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>