mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-09 23:28:13 +01:00
Resolve RFC 1918 Mess
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8372 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ab1b25a2a6
commit
a141478319
@ -16,7 +16,7 @@ Changes in 4.1.7
|
|||||||
|
|
||||||
8) Fix ":" parsing errors.
|
8) Fix ":" parsing errors.
|
||||||
|
|
||||||
9) Add macros for RFC 1918 filtering.
|
9) Add ORIGINAL DEST column to macros.
|
||||||
|
|
||||||
Changes in 4.1.6
|
Changes in 4.1.6
|
||||||
|
|
||||||
|
14
Shorewall-common/macro.Rfc1918
Normal file
14
Shorewall-common/macro.Rfc1918
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 4 - Macro Template
|
||||||
|
#
|
||||||
|
# /usr/share/shorewall/macro.Rfc1918
|
||||||
|
#
|
||||||
|
# This macro handles pkts with a SOURCE or ORIGINAL DEST address reserved by RFC 1918
|
||||||
|
#############################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
|
FORMAT 2
|
||||||
|
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
|
||||||
|
DEST - - - - - -
|
||||||
|
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -264,6 +264,10 @@
|
|||||||
# Otherwise, a separate rule will be generated for each
|
# Otherwise, a separate rule will be generated for each
|
||||||
# port.
|
# port.
|
||||||
#
|
#
|
||||||
|
# ORIGINAL Original destination IP address. Must be omitted (
|
||||||
|
# DEST or '-') if the macro is to be used from within
|
||||||
|
# an action. See 'man shorewall-rules'.
|
||||||
|
#
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
# this colume:
|
# this colume:
|
||||||
#
|
#
|
||||||
@ -304,8 +308,8 @@
|
|||||||
#
|
#
|
||||||
# /etc/shorewall/macro.FwdFTP:
|
# /etc/shorewall/macro.FwdFTP:
|
||||||
#
|
#
|
||||||
# #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
# # PORT(S) PORT(S) LIMIT GROUP
|
# # PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
# DNAT - - tcp 21
|
# DNAT - - tcp 21
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rules:
|
# /etc/shorewall/rules:
|
||||||
@ -345,7 +349,6 @@
|
|||||||
# the rules file is appended with a ":"
|
# the rules file is appended with a ":"
|
||||||
# separator.
|
# separator.
|
||||||
#
|
#
|
||||||
#
|
|
||||||
# Example: ###############################################
|
# Example: ###############################################
|
||||||
# #ACTION SOURCE DEST PROTO DEST
|
# #ACTION SOURCE DEST PROTO DEST
|
||||||
# # PORT(S)
|
# # PORT(S)
|
||||||
@ -356,8 +359,10 @@
|
|||||||
# Remaining Any value in the rules file REPLACES the value
|
# Remaining Any value in the rules file REPLACES the value
|
||||||
# columns given in the macro file.
|
# columns given in the macro file.
|
||||||
#
|
#
|
||||||
#
|
#######################################################################################################
|
||||||
###############################################################################
|
# DO NOT REMOVE THE FOLLOWING LINE
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
FORMAT 2
|
||||||
# PORT(S) PORT(S) LIMIT GROUP
|
#######################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
|
||||||
|
# PORT(S) PORT(S) DEST LIMIT GROUP DEST
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -71,6 +71,10 @@ Migration Issues.
|
|||||||
5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
|
5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
|
||||||
been changed from Yes to No.
|
been changed from Yes to No.
|
||||||
|
|
||||||
|
6) The 'norfc1918' option is deprecated. Use explicit rules instead.
|
||||||
|
Note that there is a new 'Rfc1918' option that acts on addresses
|
||||||
|
reserved by RFC 1918.
|
||||||
|
|
||||||
Problems corrected in Shorewall-perl 4.1.7.
|
Problems corrected in Shorewall-perl 4.1.7.
|
||||||
|
|
||||||
1) Perl run-time errors occurred if an unknown service was named in
|
1) Perl run-time errors occurred if an unknown service was named in
|
||||||
@ -188,22 +192,29 @@ New Features in 4.1.7.
|
|||||||
This allows for another application running on your firewall to
|
This allows for another application running on your firewall to
|
||||||
take over the mangle table and use it for it's own purposes.
|
take over the mangle table and use it for it's own purposes.
|
||||||
|
|
||||||
4) Shorewall-perl implements four new built-in actions that deal with
|
4) Shorewall-perl now supports an ORIGINAL DEST column in macro files.
|
||||||
RFC 1918 addresses. These actions should be used in place of
|
The column must be left empty if the macro is to be used in the
|
||||||
|
body of an action.
|
||||||
|
|
||||||
|
Note that the position of the ORIGINAL DEST column is different
|
||||||
|
from its position in the /etc/shorewall/rules file. Beware!
|
||||||
|
|
||||||
|
5) Shorewall-perl implements a new Rfc1918 macro that deals with
|
||||||
|
RFC 1918 addresses. This macro should be used in place of
|
||||||
the 'norfc1918' interface option which is deprecated.
|
the 'norfc1918' interface option which is deprecated.
|
||||||
|
|
||||||
drop1918src - Drops packets with an RFC 1918 source address.
|
The macro body is:
|
||||||
drop1918dst - Drops packets with an RFC 1918 original
|
|
||||||
destination IP address.
|
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ ORIGINAL
|
||||||
rej1918dst - Rejects packets with an RFC 1918 source address.
|
# PORT(S) PORT(S) LIMIT GROUP DEST
|
||||||
rej1918dst - Rejectss packets with an RFC 1918 original
|
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
|
||||||
destination IP address.
|
DEST - - - - - -
|
||||||
|
PARAM SOURCE DEST - - - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
||||||
|
|
||||||
The 'norfc1918' option on the interface associated with zone 'z'
|
The 'norfc1918' option on the interface associated with zone 'z'
|
||||||
and with RFC1018_STRICT=Yes is equivalent to:
|
and with RFC1018_STRICT=Yes is equivalent to:
|
||||||
|
|
||||||
drop1918src z all
|
Rfc1918(DROP) z all
|
||||||
drop1918dst z all
|
|
||||||
|
|
||||||
New Features in Shorewall 4.1.
|
New Features in Shorewall 4.1.
|
||||||
|
|
||||||
|
@ -183,6 +183,8 @@ AUTO_COMMENT=Yes
|
|||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
NEW_MACRO_LAYOUT=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -53,6 +53,7 @@ our @EXPORT = qw( merge_levels
|
|||||||
%actions
|
%actions
|
||||||
|
|
||||||
%macros
|
%macros
|
||||||
|
%macro_commands
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = 4.1.1;
|
our $VERSION = 4.1.1;
|
||||||
@ -82,6 +83,11 @@ our %logactionchains;
|
|||||||
|
|
||||||
our %macros;
|
our %macros;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
|
||||||
|
#
|
||||||
|
our %macro_commands = ( COMMENT => 0, FORMAT => 2 );
|
||||||
|
|
||||||
#
|
#
|
||||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||||
# the compiler to run multiple times in the same process. The
|
# the compiler to run multiple times in the same process. The
|
||||||
@ -401,9 +407,9 @@ sub process_macro1 ( $$ ) {
|
|||||||
push_open( $macrofile );
|
push_open( $macrofile );
|
||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
|
||||||
|
|
||||||
next if $mtarget eq 'COMMENT';
|
next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
|
||||||
|
|
||||||
$mtarget =~ s/:.*$//;
|
$mtarget =~ s/:.*$//;
|
||||||
|
|
||||||
@ -576,6 +582,8 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
my $nocomment = no_comment;
|
my $nocomment = no_comment;
|
||||||
|
|
||||||
|
my $format = 1;
|
||||||
|
|
||||||
macro_comment $macro;
|
macro_comment $macro;
|
||||||
|
|
||||||
my $fn = $macros{$macro};
|
my $fn = $macros{$macro};
|
||||||
@ -586,18 +594,34 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
|
||||||
|
|
||||||
|
if ( $format == 1 ) {
|
||||||
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', \%macro_commands;
|
||||||
|
} else {
|
||||||
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
|
||||||
|
}
|
||||||
|
|
||||||
if ( $mtarget eq 'COMMENT' ) {
|
if ( $mtarget eq 'COMMENT' ) {
|
||||||
process_comment unless $nocomment;
|
process_comment unless $nocomment;
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $mtarget eq 'FORMAT' ) {
|
||||||
|
fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
|
||||||
|
$format = $msource;
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||||
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
||||||
$mtarget = substitute_param $param, $mtarget;
|
$mtarget = substitute_param $param, $mtarget;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
|
||||||
|
|
||||||
if ( $msource ) {
|
if ( $msource ) {
|
||||||
if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
|
if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
|
||||||
$msource = $source || '';
|
$msource = $source || '';
|
||||||
@ -815,62 +839,6 @@ sub process_actions3 () {
|
|||||||
add_rule $chainref, '-j ACCEPT';
|
add_rule $chainref, '-j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub drop1918src( $$$ ) {
|
|
||||||
my ($chainref, $level, $tag) = @_;
|
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
|
||||||
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 10.0.0.0/8 ';
|
|
||||||
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 172.16.0.0/12 ';
|
|
||||||
log_rule_limit $level, $chainref, 'dropRFC1918src', 'DROP', '', $tag, 'add', '-s 192.168.0.0/16 ';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, '-s 10.0.0.0/8 -j DROP';
|
|
||||||
add_rule $chainref, '-s 172.16.0.0/12 -j DROP';
|
|
||||||
add_rule $chainref, '-s 192.168.0.0/16 -j DROP';
|
|
||||||
}
|
|
||||||
|
|
||||||
sub drop1918dst( $$$ ) {
|
|
||||||
my ($chainref, $level, $tag) = @_;
|
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
|
||||||
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
|
|
||||||
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
|
|
||||||
log_rule_limit $level, $chainref, 'drop1918src', 'DROP', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j DROP';
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j DROP';
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j DROP';
|
|
||||||
}
|
|
||||||
|
|
||||||
sub rej1918src( $$$ ) {
|
|
||||||
my ($chainref, $level, $tag) = @_;
|
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 10.0.0.0/8 ';
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 172.16.0.0/12 ';
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-s 192.168.0.0/16 ';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, '-s 10.0.0.0/8 -j reject';
|
|
||||||
add_rule $chainref, '-s 172.16.0.0/12 -j reject';
|
|
||||||
add_rule $chainref, '-s 192.168.0.0/16 -j reject';
|
|
||||||
}
|
|
||||||
|
|
||||||
sub rej1918dst( $$$ ) {
|
|
||||||
my ($chainref, $level, $tag) = @_;
|
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 10.0.0.0/8 ';
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 172.16.0.0/12 ';
|
|
||||||
log_rule_limit $level, $chainref, 'rej1918src', 'REJECT', '', $tag, 'add', '-m conntrack --ctorigdst 192.168.0.0/16 ';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 10.0.0.0/8 -j reject';
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 172.16.0.0/12 -j reject';
|
|
||||||
add_rule $chainref, '-m conntrack --ctorigdst 192.168.0.0/16 -j reject';
|
|
||||||
}
|
|
||||||
|
|
||||||
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||||
'allowBcast' => \&allowBcast,
|
'allowBcast' => \&allowBcast,
|
||||||
'dropNotSyn' => \&dropNotSyn,
|
'dropNotSyn' => \&dropNotSyn,
|
||||||
@ -879,10 +847,6 @@ sub process_actions3 () {
|
|||||||
'allowInvalid' => \&allowInvalid,
|
'allowInvalid' => \&allowInvalid,
|
||||||
'allowinUPnP' => \&allowinUPnP,
|
'allowinUPnP' => \&allowinUPnP,
|
||||||
'forwardUPnP' => \&forwardUPnP,
|
'forwardUPnP' => \&forwardUPnP,
|
||||||
'drop1918src' => \&drop1918src,
|
|
||||||
'drop1918dst' => \&drop1918dst,
|
|
||||||
'rej1918src' => \&drop1918src,
|
|
||||||
'rej1918dst' => \&drop1918dst,
|
|
||||||
'Limit' => \&Limit, );
|
'Limit' => \&Limit, );
|
||||||
|
|
||||||
for my $wholeaction ( keys %usedactions ) {
|
for my $wholeaction ( keys %usedactions ) {
|
||||||
|
@ -309,10 +309,6 @@ sub initialize() {
|
|||||||
'allowInvalid' => BUILTIN + ACTION,
|
'allowInvalid' => BUILTIN + ACTION,
|
||||||
'allowinUPnP' => BUILTIN + ACTION,
|
'allowinUPnP' => BUILTIN + ACTION,
|
||||||
'forwardUPnP' => BUILTIN + ACTION,
|
'forwardUPnP' => BUILTIN + ACTION,
|
||||||
'drop1918src' => BUILTIN + ACTION,
|
|
||||||
'drop1918dst' => BUILTIN + ACTION,
|
|
||||||
'rej1918src' => BUILTIN + ACTION,
|
|
||||||
'rej1918dst' => BUILTIN + ACTION,
|
|
||||||
'Limit' => BUILTIN + ACTION,
|
'Limit' => BUILTIN + ACTION,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
|
@ -80,7 +80,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
|
|||||||
split_list
|
split_list
|
||||||
split_line
|
split_line
|
||||||
split_line1
|
split_line1
|
||||||
split_line2
|
|
||||||
first_entry
|
first_entry
|
||||||
open_file
|
open_file
|
||||||
close_file
|
close_file
|
||||||
@ -920,52 +919,19 @@ sub split_line( $$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Version of 'split_line' that handles COMMENT lines
|
# Version of 'split_line' used on files with exceptions
|
||||||
#
|
#
|
||||||
sub split_line1( $$$ ) {
|
sub split_line1( $$$;$ ) {
|
||||||
my ( $mincolumns, $maxcolumns, $description ) = @_;
|
my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
|
||||||
|
|
||||||
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
|
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
|
||||||
|
|
||||||
my @line = split( ' ', $currentline );
|
my @line = split( ' ', $currentline );
|
||||||
|
|
||||||
return @line if $line[0] eq 'COMMENT';
|
$nopad = { COMMENT => 0 } unless $nopad;
|
||||||
|
|
||||||
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
|
|
||||||
fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
|
|
||||||
|
|
||||||
my $line = @line;
|
|
||||||
|
|
||||||
fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
|
|
||||||
|
|
||||||
$line-- while $line > 0 && $line[$line-1] eq '-';
|
|
||||||
|
|
||||||
fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns;
|
|
||||||
|
|
||||||
push @line, '-' while @line < $maxcolumns;
|
|
||||||
|
|
||||||
@line;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
|
|
||||||
#
|
|
||||||
|
|
||||||
my %no_pad = ( COMMENT => 0,
|
|
||||||
SECTION => 2 );
|
|
||||||
|
|
||||||
#
|
|
||||||
# Version of 'split_line' used on rules file entries
|
|
||||||
#
|
|
||||||
sub split_line2( $$$ ) {
|
|
||||||
my ( $mincolumns, $maxcolumns, $description ) = @_;
|
|
||||||
|
|
||||||
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
|
|
||||||
|
|
||||||
my @line = split( ' ', $currentline );
|
|
||||||
|
|
||||||
my $first = $line[0];
|
my $first = $line[0];
|
||||||
my $columns = $no_pad{$first};
|
my $columns = $nopad->{$first};
|
||||||
|
|
||||||
if ( defined $columns ) {
|
if ( defined $columns ) {
|
||||||
if ( $columns ) {
|
if ( $columns ) {
|
||||||
|
@ -60,6 +60,14 @@ our $sectioned;
|
|||||||
our $macro_nest_level;
|
our $macro_nest_level;
|
||||||
our $current_param;
|
our $current_param;
|
||||||
our @param_stack;
|
our @param_stack;
|
||||||
|
|
||||||
|
#
|
||||||
|
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
|
||||||
|
#
|
||||||
|
|
||||||
|
my %rules_commands = ( COMMENT => 0,
|
||||||
|
SECTION => 2 );
|
||||||
|
|
||||||
#
|
#
|
||||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||||
# the compiler to run multiple times in the same process. The
|
# the compiler to run multiple times in the same process. The
|
||||||
@ -215,7 +223,7 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
my $rfc1918ref = new_standard_chain 'rfc1918';
|
my $rfc1918ref = new_standard_chain 'rfc1918';
|
||||||
my $chainref = $norfc1918ref;
|
my $chainref = $norfc1918ref;
|
||||||
|
|
||||||
warning_message q(The 'norfc1918' option is deprecated in favor of the RFC1918-oriented built-in actions);
|
warning_message q(The 'norfc1918' option is deprecated);
|
||||||
|
|
||||||
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
|
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
|
||||||
|
|
||||||
@ -834,6 +842,8 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
my $nocomment = no_comment;
|
my $nocomment = no_comment;
|
||||||
|
|
||||||
|
my $format = 1;
|
||||||
|
|
||||||
macro_comment $macro;
|
macro_comment $macro;
|
||||||
|
|
||||||
my $macrofile = $macros{$macro};
|
my $macrofile = $macros{$macro};
|
||||||
@ -844,13 +854,27 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
|
||||||
|
|
||||||
|
if ( $format == 1 ) {
|
||||||
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', \%macro_commands;
|
||||||
|
} else {
|
||||||
|
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', \%macro_commands;
|
||||||
|
}
|
||||||
|
|
||||||
if ( $mtarget eq 'COMMENT' ) {
|
if ( $mtarget eq 'COMMENT' ) {
|
||||||
process_comment unless $nocomment;
|
process_comment unless $nocomment;
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $mtarget eq 'FORMAT' ) {
|
||||||
|
fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
|
||||||
|
$format = $msource;
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
|
||||||
|
|
||||||
$mtarget = merge_levels $target, $mtarget;
|
$mtarget = merge_levels $target, $mtarget;
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
|
if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
|
||||||
@ -899,7 +923,7 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
|
|||||||
merge_macro_column( $mproto, $proto ) ,
|
merge_macro_column( $mproto, $proto ) ,
|
||||||
merge_macro_column( $mports, $ports ) ,
|
merge_macro_column( $mports, $ports ) ,
|
||||||
merge_macro_column( $msports, $sports ) ,
|
merge_macro_column( $msports, $sports ) ,
|
||||||
$origdest,
|
merge_macro_column( $morigdest, $origdest ) ,
|
||||||
merge_macro_column( $mrate, $rate ) ,
|
merge_macro_column( $mrate, $rate ) ,
|
||||||
merge_macro_column( $muser, $user ) ,
|
merge_macro_column( $muser, $user ) ,
|
||||||
$mark,
|
$mark,
|
||||||
@ -1397,7 +1421,7 @@ sub process_rules() {
|
|||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
|
||||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file';
|
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line1 1, 10, 'rules file', \%rules_commands;
|
||||||
|
|
||||||
if ( $target eq 'COMMENT' ) {
|
if ( $target eq 'COMMENT' ) {
|
||||||
process_comment;
|
process_comment;
|
||||||
|
Loading…
Reference in New Issue
Block a user