mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 14:48:51 +01:00
Reverse screwup
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8956 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b0827cd9ae
commit
a1ec27247d
@ -1,220 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Accounting.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module contains the code that handles the /etc/shorewall/accounting
|
||||
# file.
|
||||
#
|
||||
package Shorewall::Accounting;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_accounting );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.0.6;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
our $jumpchainref;
|
||||
$jumpchainref = undef;
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# Accounting
|
||||
#
|
||||
sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
|
||||
our $jumpchainref;
|
||||
|
||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
|
||||
|
||||
our $disposition = '';
|
||||
|
||||
sub check_chain( $ ) {
|
||||
my $chainref = shift;
|
||||
fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
|
||||
}
|
||||
|
||||
sub accounting_error() {
|
||||
fatal_error "Invalid Accounting rule";
|
||||
}
|
||||
|
||||
sub jump_to_chain( $ ) {
|
||||
my $jumpchain = $_[0];
|
||||
$jumpchainref = ensure_accounting_chain( $jumpchain );
|
||||
check_chain( $jumpchainref );
|
||||
$disposition = $jumpchain;
|
||||
"-j $jumpchain";
|
||||
}
|
||||
|
||||
my $target = '';
|
||||
|
||||
$proto = '' if $proto eq 'any';
|
||||
$ports = '' if $ports eq 'any' || $ports eq 'all';
|
||||
$sports = '' if $sports eq 'any' || $sports eq 'all';
|
||||
|
||||
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
|
||||
my $rule2 = 0;
|
||||
|
||||
unless ( $action eq 'COUNT' ) {
|
||||
if ( $action eq 'DONE' ) {
|
||||
$target = '-j RETURN';
|
||||
} else {
|
||||
( $action, my $cmd ) = split /:/, $action;
|
||||
if ( $cmd ) {
|
||||
if ( $cmd eq 'COUNT' ) {
|
||||
$rule2=1;
|
||||
} elsif ( $cmd ne 'JUMP' ) {
|
||||
accounting_error;
|
||||
}
|
||||
}
|
||||
|
||||
$target = jump_to_chain $action;
|
||||
}
|
||||
}
|
||||
|
||||
my $restriction = NO_RESTRICT;
|
||||
|
||||
$source = ALLIP if $source eq 'any' || $source eq 'all';
|
||||
|
||||
if ( have_bridges ) {
|
||||
my $fw = firewall_zone;
|
||||
|
||||
if ( $source =~ /^$fw:?(.*)$/ ) {
|
||||
$source = $1 ? $1 : ALLIP;
|
||||
$restriction = OUTPUT_RESTRICT;
|
||||
$chain = 'accountout' unless $chain and $chain ne '-';
|
||||
$dest = ALLIP if $dest eq 'any' || $dest eq 'all';
|
||||
} else {
|
||||
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
|
||||
expand_rule(
|
||||
ensure_filter_chain( 'accountout' , 0 ) ,
|
||||
OUTPUT_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
$dest = ALLIP ,
|
||||
'' ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$disposition ,
|
||||
'' );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||
$dest = ALLIP if $dest eq 'any' || $dest eq 'all';
|
||||
}
|
||||
|
||||
my $chainref = ensure_accounting_chain $chain;
|
||||
|
||||
expand_rule
|
||||
$chainref ,
|
||||
$restriction ,
|
||||
$rule ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$disposition ,
|
||||
'' ;
|
||||
|
||||
if ( $rule2 ) {
|
||||
expand_rule
|
||||
$jumpchainref ,
|
||||
$restriction ,
|
||||
$rule ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ;
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_accounting() {
|
||||
|
||||
my $fn = open_file 'accounting';
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
my $nonEmpty = 0;
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
|
||||
|
||||
if ( $action eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
$nonEmpty = 1;
|
||||
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
|
||||
|
||||
clear_comment;
|
||||
|
||||
if ( have_bridges ) {
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
}
|
||||
}
|
||||
|
||||
if ( $filter_table->{accountout} ) {
|
||||
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
|
||||
}
|
||||
} else {
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
@ -1,870 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Actions.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module contains the code for dealing with actions (built-in,
|
||||
# standard and user-defined) and Macros.
|
||||
#
|
||||
package Shorewall::Actions;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( merge_levels
|
||||
isolate_basic_target
|
||||
get_target_param
|
||||
add_requiredby
|
||||
createactionchain
|
||||
find_logactionchain
|
||||
process_actions1
|
||||
process_actions2
|
||||
process_actions3
|
||||
|
||||
find_macro
|
||||
split_action
|
||||
substitute_param
|
||||
merge_macro_source_dest
|
||||
merge_macro_column
|
||||
|
||||
%usedactions
|
||||
%default_actions
|
||||
%actions
|
||||
|
||||
%macros
|
||||
$macro_commands
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.1.1;
|
||||
|
||||
#
|
||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||
#
|
||||
our %usedactions;
|
||||
#
|
||||
# Default actions for each policy.
|
||||
#
|
||||
our %default_actions;
|
||||
|
||||
# Action Table
|
||||
#
|
||||
# %actions{ <action1> => { requires => { <requisite1> = 1,
|
||||
# <requisite2> = 1,
|
||||
# ...
|
||||
# } ,
|
||||
# actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
|
||||
#
|
||||
our %actions;
|
||||
#
|
||||
# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
|
||||
#
|
||||
our %logactionchains;
|
||||
|
||||
our %macros;
|
||||
|
||||
#
|
||||
# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
|
||||
#
|
||||
our $macro_commands = { COMMENT => 0, FORMAT => 2 };
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
%usedactions = ();
|
||||
%default_actions = ( DROP => 'none' ,
|
||||
REJECT => 'none' ,
|
||||
ACCEPT => 'none' ,
|
||||
QUEUE => 'none' );
|
||||
%actions = ();
|
||||
%logactionchains = ();
|
||||
%macros = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# This function determines the logging for a subordinate action or a rule within a superior action
|
||||
#
|
||||
sub merge_levels ($$) {
|
||||
my ( $superior, $subordinate ) = @_;
|
||||
|
||||
my @supparts = split /:/, $superior;
|
||||
my @subparts = split /:/, $subordinate;
|
||||
|
||||
my $subparts = @subparts;
|
||||
|
||||
my $target = $subparts[0];
|
||||
|
||||
push @subparts, '' while @subparts < 3; #Avoid undefined values
|
||||
|
||||
my $level = $supparts[1];
|
||||
my $tag = $supparts[2];
|
||||
|
||||
if ( @supparts == 3 ) {
|
||||
return "$target:none!:$tag" if $level eq 'none!';
|
||||
return "$target:$level:$tag" if $level =~ /!$/;
|
||||
return $subordinate if $subparts >= 2;
|
||||
return "$target:$level:$tag";
|
||||
}
|
||||
|
||||
if ( @supparts == 2 ) {
|
||||
return "$target:none!" if $level eq 'none!';
|
||||
return "$target:$level" if ($level =~ /!$/) || ($subparts < 2);
|
||||
}
|
||||
|
||||
$subordinate;
|
||||
}
|
||||
|
||||
#
|
||||
# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
|
||||
# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
|
||||
# name of the file is stored in the 'macro' table.
|
||||
#
|
||||
sub find_macro( $ )
|
||||
{
|
||||
my $macro = $_[0];
|
||||
my $macrofile = find_file "macro.$macro";
|
||||
|
||||
if ( -f $macrofile ) {
|
||||
$macros{$macro} = $macrofile;
|
||||
$targets{$macro} = MACRO;
|
||||
} else {
|
||||
0;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Return ( action, level[:tag] ) from passed full action
|
||||
#
|
||||
sub split_action ( $ ) {
|
||||
my $action = $_[0];
|
||||
my @a = split( /:/ , $action, 4 );
|
||||
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
|
||||
( shift @a, join ":", @a );
|
||||
}
|
||||
|
||||
#
|
||||
# This function substitutes the second argument for the first part of the first argument up to the first colon (":")
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# substitute_param DNAT PARAM:info:FTP
|
||||
#
|
||||
# produces "DNAT:info:FTP"
|
||||
#
|
||||
sub substitute_param( $$ ) {
|
||||
my ( $param, $action ) = @_;
|
||||
|
||||
if ( $action =~ /:/ ) {
|
||||
my $logpart = (split_action $action)[1];
|
||||
$logpart =~ s!/$!!;
|
||||
return "$param:$logpart";
|
||||
}
|
||||
|
||||
$param;
|
||||
}
|
||||
|
||||
#
|
||||
# Combine fields from a macro body with one from the macro invocation
|
||||
#
|
||||
sub merge_macro_source_dest( $$ ) {
|
||||
my ( $body, $invocation ) = @_;
|
||||
|
||||
if ( $invocation ) {
|
||||
if ( $body ) {
|
||||
return $body if $invocation eq '-';
|
||||
return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
|
||||
return "$invocation:$body";
|
||||
}
|
||||
|
||||
return $invocation;
|
||||
}
|
||||
|
||||
$body || '';
|
||||
}
|
||||
|
||||
sub merge_macro_column( $$ ) {
|
||||
my ( $body, $invocation ) = @_;
|
||||
|
||||
if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
|
||||
$invocation;
|
||||
} else {
|
||||
$body;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Get Macro Name -- strips away trailing /* and :* from the first column in a rule, macro or action.
|
||||
#
|
||||
sub isolate_basic_target( $ ) {
|
||||
my $target = ( split '[/:]', $_[0])[0];
|
||||
|
||||
$target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
|
||||
}
|
||||
|
||||
#
|
||||
# Split the passed target into the basic target and parameter
|
||||
#
|
||||
sub get_target_param( $ ) {
|
||||
my ( $target, $param ) = split '/', $_[0];
|
||||
|
||||
unless ( defined $param ) {
|
||||
( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
|
||||
}
|
||||
|
||||
( $target, $param );
|
||||
}
|
||||
|
||||
#
|
||||
# Define an Action
|
||||
#
|
||||
sub new_action( $ ) {
|
||||
|
||||
my $action = $_[0];
|
||||
|
||||
$actions{$action} = { actchain => '', requires => {} };
|
||||
}
|
||||
|
||||
#
|
||||
# Record a 'requires' relationship between a pair of actions.
|
||||
#
|
||||
sub add_requiredby ( $$ ) {
|
||||
my ($requiredby , $requires ) = @_;
|
||||
$actions{$requires}{requires}{$requiredby} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Create and record a log action chain -- Log action chains have names
|
||||
# that are formed from the action name by prepending a "%" and appending
|
||||
# a 1- or 2-digit sequence number. In the functions that follow,
|
||||
# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
|
||||
# exit. We call the exit corresponding to the name of the action but we
|
||||
# set CHAIN to the name of the iptables chain where rules are to be added.
|
||||
# Similarly, LEVEL and TAG contain the log level and log tag respectively.
|
||||
#
|
||||
# The maximum length of a chain name is 30 characters -- since the log
|
||||
# action chain name is 2-3 characters longer than the base chain name,
|
||||
# this function truncates the original chain name where necessary before
|
||||
# it adds the leading "%" and trailing sequence number.
|
||||
#
|
||||
sub createlogactionchain( $$ ) {
|
||||
my ( $action, $level ) = @_;
|
||||
my $chain = $action;
|
||||
my $actionref = $actions{$action};
|
||||
my $chainref;
|
||||
|
||||
my ($lev, $tag) = split ':', $level;
|
||||
|
||||
validate_level $lev;
|
||||
|
||||
$actionref = new_action $action unless $actionref;
|
||||
|
||||
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
||||
|
||||
CHECKDUP:
|
||||
{
|
||||
$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
|
||||
$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
|
||||
}
|
||||
|
||||
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
|
||||
|
||||
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
|
||||
|
||||
unless ( $targets{$action} & STANDARD ) {
|
||||
|
||||
my $file = find_file $chain;
|
||||
|
||||
if ( -f $file ) {
|
||||
progress_message "Processing $file...";
|
||||
|
||||
( $level, my $tag ) = split /:/, $level;
|
||||
|
||||
$tag = $tag || '';
|
||||
|
||||
unless ( my $return = eval `cat $file` ) {
|
||||
fatal_error "Couldn't parse $file: $@" if $@;
|
||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
||||
fatal_error "Couldn't run $file" unless $return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub createsimpleactionchain( $ ) {
|
||||
my $action = shift;
|
||||
my $chainref = new_standard_chain $action;
|
||||
|
||||
$logactionchains{"$action:none"} = $chainref;
|
||||
|
||||
unless ( $targets{$action} & STANDARD ) {
|
||||
|
||||
my $file = find_file $action;
|
||||
|
||||
if ( -f $file ) {
|
||||
progress_message "Processing $file...";
|
||||
|
||||
my ( $level, $tag ) = ( '', '' );
|
||||
|
||||
unless ( my $return = eval `cat $file` ) {
|
||||
fatal_error "Couldn't parse $file: $@" if $@;
|
||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
||||
fatal_error "Couldn't run $file" unless $return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Create an action chain and run it's associated user exit
|
||||
#
|
||||
sub createactionchain( $ ) {
|
||||
my ( $action , $level ) = split_action $_[0];
|
||||
|
||||
my $chainref;
|
||||
|
||||
if ( defined $level && $level ne '' ) {
|
||||
if ( $level eq 'none' ) {
|
||||
createsimpleactionchain $action;
|
||||
} else {
|
||||
createlogactionchain $action , $level;
|
||||
}
|
||||
} else {
|
||||
createsimpleactionchain $action;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Find the chain that handles the passed action. If the chain cannot be found,
|
||||
# a fatal error is generated and the function does not return.
|
||||
#
|
||||
sub find_logactionchain( $ ) {
|
||||
my $fullaction = $_[0];
|
||||
my ( $action, $level ) = split_action $fullaction;
|
||||
|
||||
$level = 'none' unless $level;
|
||||
|
||||
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
|
||||
}
|
||||
|
||||
#
|
||||
# The functions process_actions1-3() implement the three phases of action processing.
|
||||
#
|
||||
# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
|
||||
# and ${CONFDIR}/actions are scanned (in that order) and for each action:
|
||||
#
|
||||
# a) The related action definition file is located and scanned.
|
||||
# b) Forward and unresolved action references are trapped as errors.
|
||||
# c) A dependency graph is created using the 'requires' field in the 'actions' table.
|
||||
#
|
||||
# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
|
||||
# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
|
||||
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
|
||||
# length of the chain name does not exceed 30 characters.
|
||||
#
|
||||
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
|
||||
# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
|
||||
#
|
||||
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
|
||||
# by reading the action definition files and creating rules. Note that a given action definition file is
|
||||
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
|
||||
#
|
||||
|
||||
sub process_macro1 ( $$ ) {
|
||||
my ( $action, $macrofile ) = @_;
|
||||
|
||||
progress_message " ..Expanding Macro $macrofile...";
|
||||
|
||||
push_open( $macrofile );
|
||||
|
||||
while ( read_a_line ) {
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
|
||||
|
||||
next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
|
||||
|
||||
$mtarget =~ s/:.*$//;
|
||||
|
||||
$mtarget = (split '/' , $mtarget)[0];
|
||||
|
||||
my $targettype = $targets{$mtarget};
|
||||
|
||||
$targettype = 0 unless defined $targettype;
|
||||
|
||||
fatal_error "Invalid target ($mtarget)"
|
||||
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
|
||||
}
|
||||
|
||||
progress_message " ..End Macro $macrofile";
|
||||
|
||||
pop_open;
|
||||
}
|
||||
|
||||
sub process_action1 ( $$ ) {
|
||||
my ( $action, $wholetarget ) = @_;
|
||||
|
||||
my ( $target, $level ) = split_action $wholetarget;
|
||||
|
||||
$level = 'none' unless $level;
|
||||
|
||||
my $targettype = $targets{$target};
|
||||
|
||||
if ( defined $targettype ) {
|
||||
return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE | NFQ | CHAIN ) );
|
||||
|
||||
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
|
||||
|
||||
fatal_error "An action may not invoke itself" if $target eq $action;
|
||||
|
||||
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
||||
} elsif ( $target eq 'COMMENT' ) {
|
||||
fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
|
||||
} else {
|
||||
( $target, my $param ) = get_target_param $target;
|
||||
|
||||
return if $target eq 'NFQUEUE';
|
||||
|
||||
if ( defined $param ) {
|
||||
my $paramtype = $targets{$param} || 0;
|
||||
|
||||
fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
|
||||
}
|
||||
|
||||
fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
|
||||
|
||||
if ( find_macro $target ) {
|
||||
process_macro1( $action, $macros{$target} );
|
||||
} else {
|
||||
fatal_error "Invalid TARGET ($target)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub process_actions1() {
|
||||
|
||||
progress_message2 "Preprocessing Action Files...";
|
||||
|
||||
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
|
||||
new_action $act;
|
||||
}
|
||||
|
||||
for my $file ( qw/actions.std actions/ ) {
|
||||
open_file $file;
|
||||
|
||||
while ( read_a_line ) {
|
||||
my ( $action ) = split_line 1, 1, 'action file';
|
||||
|
||||
if ( $action =~ /:/ ) {
|
||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||
$action =~ s/:.*$//;
|
||||
}
|
||||
|
||||
next unless $action;
|
||||
|
||||
if ( $targets{$action} ) {
|
||||
warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
|
||||
next;
|
||||
}
|
||||
|
||||
$targets{$action} = ACTION;
|
||||
|
||||
fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
|
||||
|
||||
new_action $action;
|
||||
|
||||
my $actionfile = find_file "action.$action";
|
||||
|
||||
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
||||
|
||||
progress_message2 " Pre-processing $actionfile...";
|
||||
|
||||
push_open( $actionfile );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
|
||||
|
||||
process_action1( $action, $wholetarget );
|
||||
|
||||
}
|
||||
|
||||
pop_open;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub process_actions2 () {
|
||||
progress_message2 'Generating Transitive Closure of Used-action List...';
|
||||
|
||||
my $changed = 1;
|
||||
|
||||
while ( $changed ) {
|
||||
$changed = 0;
|
||||
for my $target (keys %usedactions) {
|
||||
my ($action, $level) = split_action $target;
|
||||
my $actionref = $actions{$action};
|
||||
fatal_error "Null Action Reference in process_actions2" unless $actionref;
|
||||
for my $action1 ( keys %{$actionref->{requires}} ) {
|
||||
my $action2 = merge_levels $target, $action1;
|
||||
unless ( $usedactions{ $action2 } ) {
|
||||
$usedactions{ $action2 } = 1;
|
||||
createactionchain $action2;
|
||||
$changed = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# This function is called to process each rule generated from an action file.
|
||||
#
|
||||
sub process_action( $$$$$$$$$$ ) {
|
||||
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
||||
|
||||
my ( $action , $level ) = split_action $target;
|
||||
|
||||
if ( $action eq 'REJECT' ) {
|
||||
$action = 'reject';
|
||||
} elsif ( $action eq 'CONTINUE' ) {
|
||||
$action = 'RETURN';
|
||||
} elsif ( $action =~ /^NFQUEUE/ ) {
|
||||
( $action, my $param ) = get_target_param $action;
|
||||
$param = 1 unless defined $param;
|
||||
$action = "NFQUEUE --queue-num $param";
|
||||
}
|
||||
|
||||
expand_rule ( $chainref ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'', #Original Dest
|
||||
'', #Original Dest port
|
||||
"-j $action" ,
|
||||
$level ,
|
||||
$action ,
|
||||
'' );
|
||||
}
|
||||
|
||||
#
|
||||
# Expand Macro in action files.
|
||||
#
|
||||
sub process_macro3( $$$$$$$$$$$ ) {
|
||||
my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
||||
|
||||
my $nocomment = no_comment;
|
||||
|
||||
my $format = 1;
|
||||
|
||||
macro_comment $macro;
|
||||
|
||||
my $fn = $macros{$macro};
|
||||
|
||||
progress_message "..Expanding Macro $fn...";
|
||||
|
||||
push_open $fn;
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
|
||||
|
||||
if ( $format == 1 ) {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
|
||||
} else {
|
||||
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
|
||||
}
|
||||
|
||||
if ( $mtarget eq 'COMMENT' ) {
|
||||
process_comment unless $nocomment;
|
||||
next;
|
||||
}
|
||||
|
||||
if ( $mtarget eq 'FORMAT' ) {
|
||||
fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
|
||||
$format = $msource;
|
||||
next;
|
||||
}
|
||||
|
||||
fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
|
||||
|
||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
||||
$mtarget = substitute_param $param, $mtarget;
|
||||
}
|
||||
|
||||
fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
|
||||
|
||||
if ( $msource ) {
|
||||
if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
|
||||
$msource = $source || '';
|
||||
} elsif ( $msource eq 'DEST' ) {
|
||||
$msource = $dest || '';
|
||||
} else {
|
||||
$msource = merge_macro_source_dest $msource, $source;
|
||||
}
|
||||
} else {
|
||||
$msource = '';
|
||||
}
|
||||
|
||||
$msource = '' if $msource eq '-';
|
||||
|
||||
if ( $mdest ) {
|
||||
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
||||
$mdest = $dest || '';
|
||||
} elsif ( $mdest eq 'SOURCE' ) {
|
||||
$mdest = $source || '';
|
||||
} else {
|
||||
$mdest = merge_macro_source_dest $mdest, $dest;
|
||||
}
|
||||
} else {
|
||||
$mdest = '';
|
||||
}
|
||||
|
||||
$mdest = '' if $mdest eq '-';
|
||||
|
||||
$mproto = merge_macro_column $mproto, $proto;
|
||||
$mports = merge_macro_column $mports, $ports;
|
||||
$msports = merge_macro_column $msports, $sports;
|
||||
$mrate = merge_macro_column $mrate, $rate;
|
||||
$muser = merge_macro_column $muser, $user;
|
||||
|
||||
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
|
||||
}
|
||||
|
||||
pop_open;
|
||||
|
||||
progress_message '..End Macro';
|
||||
|
||||
clear_comment unless $nocomment;
|
||||
}
|
||||
|
||||
#
|
||||
# Generate chain for non-builtin action invocation
|
||||
#
|
||||
sub process_action3( $$$$$ ) {
|
||||
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
|
||||
my $actionfile = find_file "action.$action";
|
||||
|
||||
fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
|
||||
|
||||
progress_message2 "Processing $actionfile for chain $chainref->{name}...";
|
||||
|
||||
open_file $actionfile;
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
|
||||
|
||||
if ( $target eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
next;
|
||||
}
|
||||
|
||||
my $target2 = merge_levels $wholeaction, $target;
|
||||
|
||||
my ( $action2 , $level2 ) = split_action $target2;
|
||||
|
||||
( $action2 , my $param ) = get_target_param $action2;
|
||||
|
||||
my $action2type = $targets{$action2} || 0;
|
||||
|
||||
unless ( $action2type == STANDARD ) {
|
||||
if ( $action2type & ACTION ) {
|
||||
$target2 = (find_logactionchain ( $target = $target2 ))->{name};
|
||||
} else {
|
||||
fatal_error "Internal Error" unless $action2type & ( MACRO | LOGRULE | NFQ | CHAIN );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $action2type == MACRO ) {
|
||||
process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
|
||||
} else {
|
||||
process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
|
||||
}
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
sub process_actions3 () {
|
||||
#
|
||||
# The following small functions generate rules for the builtin actions of the same name
|
||||
#
|
||||
sub dropBcast( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
||||
} else {
|
||||
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_rule $chainref, '-d $address -j DROP';
|
||||
decr_cmd_level $chainref;
|
||||
add_command $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
}
|
||||
|
||||
sub allowBcast( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
||||
} else {
|
||||
add_command $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_rule $chainref, '-d $address -j ACCEPT';
|
||||
decr_cmd_level $chainref;
|
||||
add_command $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
}
|
||||
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
||||
}
|
||||
|
||||
sub dropNotSyn ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
|
||||
add_rule $chainref , '-p tcp ! --syn -j DROP';
|
||||
}
|
||||
|
||||
sub rejNotSyn ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
|
||||
add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
|
||||
}
|
||||
|
||||
sub dropInvalid ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
||||
add_rule $chainref , '-m state --state INVALID -j DROP';
|
||||
}
|
||||
|
||||
sub allowInvalid ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
|
||||
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
||||
}
|
||||
|
||||
sub forwardUPnP ( $$$ ) {
|
||||
}
|
||||
|
||||
sub allowinUPnP ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
|
||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
|
||||
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
|
||||
}
|
||||
|
||||
sub Limit( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
my @tag = split /,/, $tag;
|
||||
|
||||
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
|
||||
|
||||
my $set = $tag[0];
|
||||
|
||||
for ( @tag[1,2] ) {
|
||||
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
||||
}
|
||||
|
||||
my $count = $tag[1] + 1;
|
||||
|
||||
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
|
||||
|
||||
add_rule $chainref, "-m recent --name $set --set";
|
||||
|
||||
if ( $level ne '' ) {
|
||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||
add_rule $xchainref, '-j DROP';
|
||||
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
||||
} else {
|
||||
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
||||
}
|
||||
|
||||
add_rule $chainref, '-j ACCEPT';
|
||||
}
|
||||
|
||||
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
'allowBcast' => \&allowBcast,
|
||||
'dropNotSyn' => \&dropNotSyn,
|
||||
'rejNotSyn' => \&rejNotSyn,
|
||||
'dropInvalid' => \&dropInvalid,
|
||||
'allowInvalid' => \&allowInvalid,
|
||||
'allowinUPnP' => \&allowinUPnP,
|
||||
'forwardUPnP' => \&forwardUPnP,
|
||||
'Limit' => \&Limit, );
|
||||
|
||||
for my $wholeaction ( keys %usedactions ) {
|
||||
my $chainref = find_logactionchain $wholeaction;
|
||||
my ( $action, $level, $tag ) = split /:/, $wholeaction;
|
||||
|
||||
$level = '' unless defined $level;
|
||||
$tag = '' unless defined $tag;
|
||||
|
||||
if ( $targets{$action} & BUILTIN ) {
|
||||
$level = '' if $level =~ /none!?/;
|
||||
$builtinops{$action}->($chainref, $level, $tag);
|
||||
} else {
|
||||
process_action3 $chainref, $wholeaction, $action, $level, $tag;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
File diff suppressed because it is too large
Load Diff
@ -1,947 +0,0 @@
|
||||
#! /usr/bin/perl -w
|
||||
#
|
||||
# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.2
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
package Shorewall::Compiler;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Policy;
|
||||
use Shorewall::Nat;
|
||||
use Shorewall::Providers;
|
||||
use Shorewall::Tc;
|
||||
use Shorewall::Tunnels;
|
||||
use Shorewall::Actions;
|
||||
use Shorewall::Accounting;
|
||||
use Shorewall::Rules;
|
||||
use Shorewall::Proc;
|
||||
use Shorewall::Proxyarp;
|
||||
use Shorewall::IPAddrs;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
|
||||
our @EXPORT_OK = qw( $export );
|
||||
our $VERSION = 4.1.4;
|
||||
|
||||
our $export;
|
||||
|
||||
our $test;
|
||||
|
||||
our $reused = 0;
|
||||
|
||||
our $family = F_IPV4;
|
||||
|
||||
use constant { EXPORT => 0x01 ,
|
||||
TIMESTAMP => 0x02 ,
|
||||
DEBUG => 0x04 };
|
||||
|
||||
#
|
||||
# Reinitilize the package-globals in the other modules
|
||||
#
|
||||
sub reinitialize() {
|
||||
Shorewall::Config::initialize($family);
|
||||
Shorewall::Chains::initialize ($family);
|
||||
Shorewall::Zones::initialize ($family);
|
||||
Shorewall::Policy::initialize;
|
||||
Shorewall::Nat::initialize;
|
||||
Shorewall::Providers::initialize;
|
||||
Shorewall::Tc::initialize;
|
||||
Shorewall::Actions::initialize;
|
||||
Shorewall::Accounting::initialize;
|
||||
Shorewall::Rules::initialize($family);
|
||||
Shorewall::Proxyarp::initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# First stage of script generation.
|
||||
#
|
||||
# Copy the prog.header to the generated script.
|
||||
# Generate the various user-exit jacket functions.
|
||||
# Generate the 'initialize()' function.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
# than those related to writing to the object file.
|
||||
|
||||
sub generate_script_1() {
|
||||
|
||||
my $date = localtime;
|
||||
|
||||
if ( $test ) {
|
||||
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
|
||||
} else {
|
||||
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#";
|
||||
if ( $family == F_IPV4 ) {
|
||||
copy $globals{SHAREDIRPL} . 'prog.header';
|
||||
} else {
|
||||
copy $globals{SHAREDIRPL} . 'prog.header6';
|
||||
}
|
||||
}
|
||||
|
||||
for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed/ {
|
||||
emit "\nrun_${exit}_exit() {";
|
||||
push_indent;
|
||||
append_file $exit or emit 'true';
|
||||
pop_indent;
|
||||
emit '}';
|
||||
}
|
||||
|
||||
emit ( '',
|
||||
'#',
|
||||
'# This function initializes the global variables used by the program',
|
||||
'#',
|
||||
'initialize()',
|
||||
'{',
|
||||
' #',
|
||||
' # These variables are required by the library functions called in this script',
|
||||
' #'
|
||||
);
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $export ) {
|
||||
emit ( 'SHAREDIR=/usr/share/shorewall-lite',
|
||||
'CONFDIR=/etc/shorewall-lite',
|
||||
'PRODUCT="Shorewall Lite"'
|
||||
);
|
||||
} else {
|
||||
emit ( 'SHAREDIR=/usr/share/shorewall',
|
||||
'CONFDIR=/etc/shorewall',
|
||||
'PRODUCT=\'Shorewall\'',
|
||||
);
|
||||
}
|
||||
|
||||
emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
|
||||
|
||||
if ( $export ) {
|
||||
emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
|
||||
'[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
|
||||
} else {
|
||||
emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
|
||||
'[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
|
||||
}
|
||||
|
||||
emit 'TEMPFILE=';
|
||||
|
||||
propagateconfig;
|
||||
|
||||
my @dont_load = split_list $config{DONT_LOAD}, 'module';
|
||||
|
||||
emit ( '[ -n "${COMMAND:=restart}" ]',
|
||||
'[ -n "${VERBOSE:=0}" ]',
|
||||
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
|
||||
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
|
||||
|
||||
emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
|
||||
|
||||
emit ( qq(PATH="$config{PATH}") ,
|
||||
'TERMINATOR=fatal_error' ,
|
||||
qq(DONT_LOAD="@dont_load") ,
|
||||
qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
|
||||
"LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
|
||||
''
|
||||
);
|
||||
|
||||
if ( $config{IPTABLES} ) {
|
||||
emit( qq(IPTABLES="$config{IPTABLES}"),
|
||||
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
|
||||
);
|
||||
} else {
|
||||
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
|
||||
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
|
||||
);
|
||||
}
|
||||
|
||||
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
|
||||
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
|
||||
|
||||
append_file 'params' if $config{EXPORTPARAMS};
|
||||
|
||||
emit ( '',
|
||||
"STOPPING=",
|
||||
'',
|
||||
'#',
|
||||
'# The library requires that ${VARDIR} exist',
|
||||
'#',
|
||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
||||
);
|
||||
|
||||
emit ( '',
|
||||
'#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
'#',
|
||||
'qt1 $IPTABLES -N foox1234',
|
||||
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
|
||||
'result=$?',
|
||||
'qt1 $IPTABLES -F foox1234',
|
||||
'qt1 $IPTABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
|
||||
'' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "}\n"; # End of initialize()
|
||||
|
||||
}
|
||||
|
||||
sub compile_stop_firewall() {
|
||||
|
||||
emit <<'EOF';
|
||||
#
|
||||
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
||||
#
|
||||
stop_firewall() {
|
||||
|
||||
deletechain() {
|
||||
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
|
||||
}
|
||||
|
||||
deleteallchains() {
|
||||
do_iptables -F
|
||||
do_iptables -X
|
||||
}
|
||||
|
||||
setcontinue() {
|
||||
do_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
}
|
||||
|
||||
delete_nat() {
|
||||
do_iptables -t nat -F
|
||||
do_iptables -t nat -X
|
||||
|
||||
if [ -f ${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
del_ip_addr $external $interface
|
||||
done < ${VARDIR}/nat
|
||||
|
||||
rm -f ${VARDIR}/nat
|
||||
fi
|
||||
}
|
||||
|
||||
case $COMMAND in
|
||||
stop|clear|restore)
|
||||
;;
|
||||
*)
|
||||
set +x
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
logger -p kern.err "ERROR:$PRODUCT start failed"
|
||||
;;
|
||||
restart)
|
||||
logger -p kern.err "ERROR:$PRODUCT restart failed"
|
||||
;;
|
||||
restore)
|
||||
logger -p kern.err "ERROR:$PRODUCT restore failed"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$RESTOREFILE" = NONE ]; then
|
||||
COMMAND=clear
|
||||
clear_firewall
|
||||
echo "$PRODUCT Cleared"
|
||||
|
||||
kill $$
|
||||
exit 2
|
||||
else
|
||||
RESTOREPATH=${VARDIR}/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
progress_message2 Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
for table in mangle nat filter; do
|
||||
do_iptables -t $table -F
|
||||
do_iptables -t $table -X
|
||||
done
|
||||
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring ${PRODUCT:=Shorewall}...
|
||||
|
||||
if $RESTOREPATH restore; then
|
||||
echo "$PRODUCT restored from $RESTOREPATH"
|
||||
set_state "Started"
|
||||
else
|
||||
set_state "Unknown"
|
||||
fi
|
||||
|
||||
kill $$
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
set_state "Stopping"
|
||||
|
||||
STOPPING="Yes"
|
||||
|
||||
TERMINATOR=
|
||||
|
||||
deletechain shorewall
|
||||
|
||||
run_stop_exit
|
||||
EOF
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
||||
emit <<'EOF';
|
||||
run_iptables -t mangle -F
|
||||
run_iptables -t mangle -X
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
EOF
|
||||
}
|
||||
|
||||
if ( $capabilities{RAW_TABLE} ) {
|
||||
emit <<'EOF';
|
||||
run_iptables -t raw -F
|
||||
run_iptables -t raw -X
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
EOF
|
||||
}
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
emit <<'EOF';
|
||||
delete_nat
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
EOF
|
||||
}
|
||||
|
||||
emit <<'EOF';
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
EOF
|
||||
|
||||
push_indent;
|
||||
|
||||
emit 'delete_tc1' if $config{CLEAR_TC};
|
||||
|
||||
emit( 'undo_routing',
|
||||
'restore_default_route'
|
||||
);
|
||||
|
||||
my $criticalhosts = process_criticalhosts;
|
||||
|
||||
if ( @$criticalhosts ) {
|
||||
if ( $config{ADMINISABSENTMINDED} ) {
|
||||
emit ( 'for chain in INPUT OUTPUT; do',
|
||||
' setpolicy $chain ACCEPT',
|
||||
'done',
|
||||
'',
|
||||
'setpolicy FORWARD DROP',
|
||||
'',
|
||||
'deleteallchains',
|
||||
''
|
||||
);
|
||||
|
||||
for my $hosts ( @$criticalhosts ) {
|
||||
my ( $interface, $host ) = ( split /:/, $hosts );
|
||||
my $source = match_source_net $host;
|
||||
my $dest = match_dest_net $host;
|
||||
|
||||
emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT",
|
||||
"do_iptables -A OUTPUT -o $interface $dest -j ACCEPT"
|
||||
);
|
||||
}
|
||||
|
||||
emit( '',
|
||||
'for chain in INPUT OUTPUT; do',
|
||||
' setpolicy $chain DROP',
|
||||
"done\n"
|
||||
);
|
||||
} else {
|
||||
emit( '',
|
||||
'for chain in INPUT OUTPUT; do',
|
||||
' setpolicy $chain ACCEPT',
|
||||
'done',
|
||||
'',
|
||||
'setpolicy FORWARD DROP',
|
||||
'',
|
||||
"deleteallchains\n"
|
||||
);
|
||||
|
||||
for my $hosts ( @$criticalhosts ) {
|
||||
my ( $interface, $host ) = ( split /:/, $hosts );
|
||||
my $source = match_source_net $host;
|
||||
my $dest = match_dest_net $host;
|
||||
|
||||
emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT",
|
||||
"do_iptables -A OUTPUT -o $interface $dest -j ACCEPT"
|
||||
);
|
||||
}
|
||||
|
||||
emit( "\nsetpolicy INPUT DROP",
|
||||
'',
|
||||
'for chain in INPUT FORWARD; do',
|
||||
' setcontinue $chain',
|
||||
"done\n"
|
||||
);
|
||||
}
|
||||
} elsif ( $config{ADMINISABSENTMINDED} ) {
|
||||
emit( 'for chain in INPUT FORWARD; do',
|
||||
' setpolicy $chain DROP',
|
||||
'done',
|
||||
'',
|
||||
'setpolicy OUTPUT ACCEPT',
|
||||
'',
|
||||
'deleteallchains',
|
||||
'',
|
||||
'for chain in INPUT FORWARD; do',
|
||||
' setcontinue $chain',
|
||||
"done\n",
|
||||
);
|
||||
} else {
|
||||
emit( 'for chain in INPUT OUTPUT FORWARD; do',
|
||||
' setpolicy $chain DROP',
|
||||
'done',
|
||||
'',
|
||||
"deleteallchains\n"
|
||||
);
|
||||
}
|
||||
|
||||
process_routestopped;
|
||||
|
||||
emit( 'do_iptables -A INPUT -i lo -j ACCEPT',
|
||||
'do_iptables -A OUTPUT -o lo -j ACCEPT'
|
||||
);
|
||||
|
||||
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'dhcp';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
|
||||
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Enabled' );
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Disabled!'
|
||||
);
|
||||
}
|
||||
|
||||
emit 'run_stopped_exit';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '
|
||||
set_state "Stopped"
|
||||
|
||||
logger -p kern.info "$PRODUCT Stopped"
|
||||
|
||||
case $COMMAND in
|
||||
stop|clear)
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# The firewall is being stopped when we were trying to do something
|
||||
# else. Kill the shell in case we\'re running in a subshell
|
||||
#
|
||||
kill $$
|
||||
;;
|
||||
esac
|
||||
}
|
||||
';
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Second Phase of Script Generation
|
||||
#
|
||||
# copies the 'prog.functions' file into the script, generates
|
||||
# clear_routing_and_traffic_shaping() and the first part of
|
||||
# 'setup_routing_and_traffic_shaping()'
|
||||
#
|
||||
# The bulk of that function is produced by the various config file
|
||||
# parsing routines that are called directly out of 'compiler()'.
|
||||
#
|
||||
# We create two separate functions rather than one so that the
|
||||
# define_firewall() shell function can set global IP configuration variables
|
||||
# after the old config has been cleared and before we start instantiating
|
||||
# the new config. That way, the variables reflect the way that the
|
||||
# distribution's tools have configured IP without any Shorewall
|
||||
# modifications and the firewall configuration is the same after
|
||||
# 'restart' as it is after 'start'.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
# than those related to writing to the object file.
|
||||
#
|
||||
sub generate_script_2 () {
|
||||
|
||||
unless ( $test ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
copy $globals{SHAREDIRPL} . 'prog.functions';
|
||||
} else {
|
||||
copy $globals{SHAREDIRPL} . 'prog.functions6';
|
||||
}
|
||||
}
|
||||
|
||||
emit( '',
|
||||
'#',
|
||||
'# Clear Routing and Traffic Shaping',
|
||||
'#',
|
||||
'clear_routing_and_traffic_shaping() {'
|
||||
);
|
||||
|
||||
push_indent;
|
||||
|
||||
save_progress_message 'Initializing...';
|
||||
|
||||
if ( $export ) {
|
||||
my $fn = find_file 'modules';
|
||||
|
||||
if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
|
||||
emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
|
||||
emit 'cat > ${VARDIR}/.modules << EOF';
|
||||
open_file $fn;
|
||||
while ( read_a_line ) {
|
||||
emit_unindented $currentline;
|
||||
}
|
||||
emit_unindented 'EOF';
|
||||
emit 'reload_kernel_modules < ${VARDIR}/.modules';
|
||||
} else {
|
||||
emit 'load_kernel_modules Yes';
|
||||
}
|
||||
} else {
|
||||
emit 'load_kernel_modules Yes';
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
'if [ -n "$addr" ]; then',
|
||||
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
||||
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
||||
' if in_network $addr $network; then',
|
||||
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
|
||||
' fi',
|
||||
' done',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
|
||||
'',
|
||||
'delete_proxyarp',
|
||||
''
|
||||
);
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||
' while read external interface; do',
|
||||
' del_ip_addr $external $interface',
|
||||
' done < ${VARDIR}/nat',
|
||||
'',
|
||||
' rm -f ${VARDIR}/nat',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit "delete_tc1\n" if $config{CLEAR_TC};
|
||||
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "}\n";
|
||||
|
||||
emit( '#',
|
||||
'# Setup Routing and Traffic Shaping',
|
||||
'#',
|
||||
'setup_routing_and_traffic_shaping() {'
|
||||
);
|
||||
|
||||
push_indent;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Third (final) stage of script generation.
|
||||
#
|
||||
# Generate the end of 'setup_routing_and_traffic_shaping()':
|
||||
# Generate code for loading the various files in /var/lib/shorewall[-lite]
|
||||
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
|
||||
#
|
||||
# Generate the 'setup_netfilter()' function that runs iptables-restore.
|
||||
# Generate the 'define_firewall()' function.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
# than those related to writing to the object file.
|
||||
#
|
||||
sub generate_script_3($) {
|
||||
|
||||
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
|
||||
dump_proxy_arp;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
emit( '',
|
||||
'if [ "$COMMAND" != refresh ]; then' );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit 'cat > ${VARDIR}/zones << __EOF__';
|
||||
dump_zone_contents;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
|
||||
emit '> ${VARDIR}/nat';
|
||||
|
||||
add_addresses;
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "}\n";
|
||||
|
||||
progress_message2 "Creating iptables-restore input...";
|
||||
create_netfilter_load;
|
||||
create_chainlist_reload( $_[0] );
|
||||
|
||||
emit "#\n# Start/Restart the Firewall\n#";
|
||||
emit 'define_firewall() {';
|
||||
push_indent;
|
||||
|
||||
emit "\nclear_routing_and_traffic_shaping";
|
||||
|
||||
set_global_variables;
|
||||
|
||||
emit '';
|
||||
|
||||
emit<<'EOF';
|
||||
setup_routing_and_traffic_shaping
|
||||
|
||||
if [ $COMMAND = restore ]; then
|
||||
iptables_save_file=${VARDIR}/$(basename $0)-iptables
|
||||
if [ -f $iptables_save_file ]; then
|
||||
cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux
|
||||
else
|
||||
fatal_error "$iptables_save_file does not exist"
|
||||
fi
|
||||
EOF
|
||||
pop_indent;
|
||||
setup_forwarding;
|
||||
push_indent;
|
||||
emit<<'EOF';
|
||||
set_state "Started"
|
||||
else
|
||||
if [ $COMMAND = refresh ]; then
|
||||
chainlist_reload
|
||||
EOF
|
||||
setup_forwarding;
|
||||
emit<<'EOF';
|
||||
run_refreshed_exit
|
||||
do_iptables -N shorewall
|
||||
set_state "Started"
|
||||
else
|
||||
setup_netfilter
|
||||
restore_dynamic_rules
|
||||
conditionally_flush_conntrack
|
||||
EOF
|
||||
setup_forwarding;
|
||||
emit<<'EOF';
|
||||
run_start_exit
|
||||
do_iptables -N shorewall
|
||||
set_state "Started"
|
||||
run_started_exit
|
||||
fi
|
||||
|
||||
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
|
||||
fi
|
||||
|
||||
date > ${VARDIR}/restarted
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
logger -p kern.info "$PRODUCT started"
|
||||
;;
|
||||
restart)
|
||||
logger -p kern.info "$PRODUCT restarted"
|
||||
;;
|
||||
refresh)
|
||||
logger -p kern.info "$PRODUCT refreshed"
|
||||
;;
|
||||
restore)
|
||||
logger -p kern.info "$PRODUCT restored"
|
||||
;;
|
||||
esac
|
||||
EOF
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "}\n";
|
||||
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
||||
}
|
||||
|
||||
#
|
||||
# The Compiler.
|
||||
#
|
||||
# Arguments are named -- see %parms below.
|
||||
#
|
||||
sub compiler {
|
||||
|
||||
my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
|
||||
( '', '', -1, '', 0, '', '', -1 );
|
||||
|
||||
$export = 0;
|
||||
$test = 0;
|
||||
|
||||
sub edit_boolean( $ ) {
|
||||
my $val = numeric_value( shift );
|
||||
defined($val) && ($val >= 0) && ($val < 2);
|
||||
}
|
||||
|
||||
sub edit_verbosity( $ ) {
|
||||
my $val = numeric_value( shift );
|
||||
defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
|
||||
}
|
||||
|
||||
sub edit_family( $ ) {
|
||||
my $val = numeric_value( shift );
|
||||
defined($val) && ($val == F_IPV4 || $val == F_IPV6);
|
||||
}
|
||||
|
||||
my %parms = ( object => { store => \$objectfile },
|
||||
directory => { store => \$directory },
|
||||
family => { store => \$family , edit => \&edit_family } ,
|
||||
verbosity => { store => \$verbosity , edit => \&edit_verbosity } ,
|
||||
timestamp => { store => \$timestamp, edit => \&edit_boolean } ,
|
||||
debug => { store => \$debug, edit => \&edit_boolean } ,
|
||||
export => { store => \$export , edit => \&edit_boolean } ,
|
||||
chains => { store => \$chains },
|
||||
log => { store => \$log },
|
||||
log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } ,
|
||||
test => { store => \$test },
|
||||
);
|
||||
|
||||
while ( defined ( my $name = shift ) ) {
|
||||
fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name};
|
||||
fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ;
|
||||
if ( $ref->{edit} ) {
|
||||
fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val);
|
||||
}
|
||||
|
||||
${$ref->{store}} = $val;
|
||||
}
|
||||
|
||||
reinitialize if ++$reused || $family == F_IPV6;
|
||||
|
||||
if ( $directory ne '' ) {
|
||||
fatal_error "$directory is not an existing directory" unless -d $directory;
|
||||
set_shorewall_dir( $directory );
|
||||
}
|
||||
|
||||
set_verbose( $verbosity );
|
||||
set_log($log, $log_verbosity) if $log;
|
||||
set_timestamp( $timestamp );
|
||||
set_debug( $debug );
|
||||
#
|
||||
# Get shorewall.conf and capabilities.
|
||||
#
|
||||
get_configuration( $export );
|
||||
|
||||
report_capabilities;
|
||||
|
||||
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' );
|
||||
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
|
||||
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
|
||||
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
|
||||
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
|
||||
|
||||
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
|
||||
|
||||
initialize_chain_table;
|
||||
|
||||
unless ( $command eq 'check' ) {
|
||||
create_temp_object( $objectfile );
|
||||
generate_script_1;
|
||||
}
|
||||
|
||||
#
|
||||
# Allow user to load Perl modules
|
||||
#
|
||||
run_user_exit1 'compile';
|
||||
#
|
||||
# Process the zones file.
|
||||
#
|
||||
determine_zones;
|
||||
#
|
||||
# Process the interfaces file.
|
||||
#
|
||||
validate_interfaces_file ( $export );
|
||||
#
|
||||
# Process the hosts file.
|
||||
#
|
||||
validate_hosts_file;
|
||||
#
|
||||
# Report zone contents
|
||||
#
|
||||
zone_report;
|
||||
#
|
||||
# Do action pre-processing.
|
||||
#
|
||||
process_actions1;
|
||||
#
|
||||
# Process the Policy File.
|
||||
#
|
||||
validate_policy;
|
||||
#
|
||||
# Compile the 'stop_firewall()' function
|
||||
#
|
||||
compile_stop_firewall;
|
||||
#
|
||||
# Start Second Part of script
|
||||
#
|
||||
generate_script_2 unless $command eq 'check';
|
||||
#
|
||||
# Do all of the zone-independent stuff
|
||||
#
|
||||
add_common_rules;
|
||||
#
|
||||
# /proc stuff
|
||||
#
|
||||
setup_arp_filtering;
|
||||
setup_route_filtering;
|
||||
setup_martian_logging;
|
||||
setup_source_routing;
|
||||
#
|
||||
# Proxy Arp
|
||||
#
|
||||
setup_proxy_arp;
|
||||
#
|
||||
# Handle MSS setings in the zones file
|
||||
#
|
||||
setup_zone_mss;
|
||||
#
|
||||
# [Re-]establish Routing
|
||||
#
|
||||
setup_providers;
|
||||
#
|
||||
# TOS
|
||||
#
|
||||
process_tos;
|
||||
#
|
||||
# ECN
|
||||
#
|
||||
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
#
|
||||
# Setup Masquerading/SNAT
|
||||
#
|
||||
setup_masq;
|
||||
#
|
||||
# MACLIST Filtration
|
||||
#
|
||||
setup_mac_lists 1;
|
||||
#
|
||||
# Process the rules file.
|
||||
#
|
||||
process_rules;
|
||||
#
|
||||
# Add Tunnel rules.
|
||||
#
|
||||
setup_tunnels;
|
||||
#
|
||||
# Post-rules action processing.
|
||||
#
|
||||
process_actions2;
|
||||
process_actions3;
|
||||
#
|
||||
# MACLIST Filtration again
|
||||
#
|
||||
setup_mac_lists 2;
|
||||
#
|
||||
# Apply Policies
|
||||
#
|
||||
apply_policy_rules;
|
||||
#
|
||||
# TCRules and Traffic Shaping
|
||||
#
|
||||
setup_tc;
|
||||
#
|
||||
# Setup Nat
|
||||
#
|
||||
setup_nat;
|
||||
#
|
||||
# Setup NETMAP
|
||||
#
|
||||
setup_netmap;
|
||||
#
|
||||
# Accounting.
|
||||
#
|
||||
setup_accounting;
|
||||
#
|
||||
# We generate the matrix even though we don't write out the rules. That way, we insure that
|
||||
# a compile of the script won't blow up during that step.
|
||||
#
|
||||
generate_matrix;
|
||||
|
||||
if ( $command eq 'check' ) {
|
||||
progress_message3 "Shorewall configuration verified";
|
||||
} else {
|
||||
#
|
||||
# Finish the script.
|
||||
#
|
||||
generate_script_3( $chains );
|
||||
finalize_object ( $export );
|
||||
#
|
||||
# And generate the auxilary config file
|
||||
#
|
||||
generate_aux_config if $export;
|
||||
}
|
||||
|
||||
close_log if $log;
|
||||
|
||||
1;
|
||||
}
|
||||
|
||||
1;
|
File diff suppressed because it is too large
Load Diff
@ -1,634 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/IPAddrs.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module provides interfaces for dealing with IPv4 addresses, protocol names, and
|
||||
# port names. It also exports functions for validating protocol- and port- (service)
|
||||
# related constructs.
|
||||
#
|
||||
package Shorewall::IPAddrs;
|
||||
require Exporter;
|
||||
use Socket6;
|
||||
use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( ALLIPv4
|
||||
ALLIPv6
|
||||
IPv6_MULTICAST
|
||||
IPv6_LINKLOCAL
|
||||
IPv6_SITELOCAL
|
||||
IPv6_LINKLOCAL
|
||||
IPv6_LOOPBACK
|
||||
IPv6_LINK_ALLNODES
|
||||
IPv6_LINK_ALLRTRS
|
||||
IPv6_SITE_ALLNODES
|
||||
IPv6_SITE_ALLRTRS
|
||||
ALLIP
|
||||
ALL
|
||||
TCP
|
||||
UDP
|
||||
ICMP
|
||||
DCCP
|
||||
IPv6_ICMP
|
||||
SCTP
|
||||
|
||||
validate_address
|
||||
validate_net
|
||||
decompose_net
|
||||
validate_host
|
||||
validate_range
|
||||
ip_range_explicit
|
||||
expand_port_range
|
||||
allipv4
|
||||
allipv6
|
||||
allip
|
||||
rfc1918_networks
|
||||
resolve_proto
|
||||
proto_name
|
||||
validate_port
|
||||
validate_portpair
|
||||
validate_port_list
|
||||
validate_icmp
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.3.0;
|
||||
|
||||
#
|
||||
# Some IPv4/6 useful stuff
|
||||
#
|
||||
our @allipv4 = ( '0.0.0.0/0' );
|
||||
our @allipv6 = ( '::/0' );
|
||||
our $family;
|
||||
|
||||
use constant { ALLIPv4 => '0.0.0.0/0' ,
|
||||
ALLIPv6 => '::/0' ,
|
||||
IPv6_MULTICAST => 'FF00::/10' ,
|
||||
IPv6_LINKLOCAL => 'FF80::/10' ,
|
||||
IPv6_SITELOCAL => 'FFC0::/10' ,
|
||||
IPv6_LINKLOCAL => 'FF80::/10' ,
|
||||
IPv6_LOOPBACK => '::1' ,
|
||||
IPv6_LINK_ALLNODES => 'FF01::1' ,
|
||||
IPv6_LINK_ALLRTRS => 'FF01::2' ,
|
||||
IPv6_SITE_ALLNODES => 'FF02::1' ,
|
||||
IPv6_SITE_ALLRTRS => 'FF02::2' ,
|
||||
ICMP => 1,
|
||||
TCP => 6,
|
||||
UDP => 17,
|
||||
DCCP => 33,
|
||||
IPv6_ICMP => 58,
|
||||
SCTP => 132 };
|
||||
|
||||
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize( F_IPV4 );
|
||||
}
|
||||
|
||||
sub vlsm_to_mask( $ ) {
|
||||
my $vlsm = $_[0];
|
||||
|
||||
in_hex8 ( ( 0xFFFFFFFF << ( 32 - $vlsm ) ) && 0xFFFFFFFF );
|
||||
}
|
||||
|
||||
sub valid_4address( $ ) {
|
||||
my $address = $_[0];
|
||||
|
||||
my @address = split /\./, $address;
|
||||
return 0 unless @address == 4;
|
||||
for my $a ( @address ) {
|
||||
return 0 unless $a =~ /^\d+$/ && $a < 256;
|
||||
}
|
||||
|
||||
1;
|
||||
}
|
||||
|
||||
sub validate_4address( $$ ) {
|
||||
my ( $addr, $allow_name ) = @_;
|
||||
|
||||
my @addrs = ( $addr );
|
||||
|
||||
unless ( valid_4address $addr ) {
|
||||
fatal_error "Invalid IP Address ($addr)" unless $allow_name;
|
||||
fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr);
|
||||
|
||||
if ( defined wantarray ) {
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = inet_htoa $_;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
||||
}
|
||||
|
||||
sub decodeaddr( $ ) {
|
||||
my $address = $_[0];
|
||||
|
||||
my @address = split /\./, $address;
|
||||
|
||||
my $result = shift @address;
|
||||
|
||||
for my $a ( @address ) {
|
||||
$result = ( $result << 8 ) | $a;
|
||||
}
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
sub encodeaddr( $ ) {
|
||||
my $addr = $_[0];
|
||||
my $result = $addr & 0xff;
|
||||
|
||||
for my $i ( 1..3 ) {
|
||||
my $a = ($addr = $addr >> 8) & 0xff;
|
||||
$result = "$a.$result";
|
||||
}
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
sub validate_4net( $$ ) {
|
||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
||||
my $allow_name = $_[1];
|
||||
|
||||
$net = '' unless defined $net;
|
||||
|
||||
fatal_error "Missing address" if $net eq '';
|
||||
fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
|
||||
|
||||
if ( defined $vlsm ) {
|
||||
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
|
||||
fatal_error "Invalid Network address ($_[0])" if defined $rest;
|
||||
fatal_error "Invalid IP address ($net)" unless valid_4address $net;
|
||||
} else {
|
||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
|
||||
validate_4address $net, $_[1];
|
||||
$vlsm = 32;
|
||||
}
|
||||
|
||||
if ( defined wantarray ) {
|
||||
fatal_error "Internal Error in validate_net()" if $allow_name;
|
||||
if ( wantarray ) {
|
||||
( decodeaddr( $net ) , $vlsm );
|
||||
} else {
|
||||
"$net/$vlsm";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_4range( $$ ) {
|
||||
my ( $low, $high ) = @_;
|
||||
|
||||
validate_4address $low, 0;
|
||||
validate_4address $high, 0;
|
||||
|
||||
my $first = decodeaddr $low;
|
||||
my $last = decodeaddr $high;
|
||||
|
||||
fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
|
||||
}
|
||||
|
||||
sub validate_4host( $$ ) {
|
||||
my ( $host, $allow_name ) = $_[0];
|
||||
|
||||
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
|
||||
validate_4ange $1, $2;
|
||||
} else {
|
||||
validate_4net( $host, $allow_name );
|
||||
}
|
||||
}
|
||||
|
||||
sub ip_range_explicit( $ ) {
|
||||
my $range = $_[0];
|
||||
my @result;
|
||||
|
||||
my ( $low, $high ) = split /-/, $range;
|
||||
|
||||
validate_address $low, 0;
|
||||
|
||||
push @result, $low;
|
||||
|
||||
if ( defined $high ) {
|
||||
validate_faddress $high, 0;
|
||||
|
||||
my $first = decodeaddr $low;
|
||||
my $last = decodeaddr $high;
|
||||
my $diff = $last - $first;
|
||||
|
||||
fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256;
|
||||
|
||||
while ( ++$first <= $last ) {
|
||||
push @result, encodeaddr( $first );
|
||||
}
|
||||
}
|
||||
|
||||
@result;
|
||||
}
|
||||
|
||||
sub decompose_net( $ ) {
|
||||
my $net = $_[0];
|
||||
|
||||
return ( qw/0x00000000 0x00000000/ ) if $net eq '-';
|
||||
|
||||
( $net, my $vlsm ) = validate_net( $net , 0 );
|
||||
|
||||
( in_hex8( $net ) , vlsm_to_mask( $vlsm ) );
|
||||
|
||||
}
|
||||
|
||||
sub allipv4() {
|
||||
@allipv4;
|
||||
}
|
||||
|
||||
sub allipv6() {
|
||||
@allipv6;
|
||||
}
|
||||
|
||||
sub rfc1918_networks() {
|
||||
@rfc1918_networks
|
||||
}
|
||||
|
||||
#
|
||||
# Protocol/port validation
|
||||
#
|
||||
|
||||
our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 );
|
||||
our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' );
|
||||
|
||||
#
|
||||
# Returns the protocol number if the passed argument is a valid protocol number or name. Returns undef otherwise
|
||||
#
|
||||
sub resolve_proto( $ ) {
|
||||
my $proto = $_[0];
|
||||
my $number;
|
||||
|
||||
$proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
|
||||
}
|
||||
|
||||
sub proto_name( $ ) {
|
||||
my $proto = $_[0];
|
||||
|
||||
$proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
|
||||
}
|
||||
|
||||
sub validate_port( $$ ) {
|
||||
my ($proto, $port) = @_;
|
||||
|
||||
my $value;
|
||||
|
||||
if ( $port =~ /^(\d+)$/ ) {
|
||||
return $port if $port <= 65535;
|
||||
} else {
|
||||
$proto = proto_name $proto if $proto =~ /^(\d+)$/;
|
||||
$value = getservbyname( $port, $proto );
|
||||
}
|
||||
|
||||
fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
|
||||
|
||||
$value;
|
||||
}
|
||||
|
||||
sub validate_portpair( $$ ) {
|
||||
my ($proto, $portpair) = @_;
|
||||
|
||||
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
|
||||
|
||||
$portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
|
||||
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
|
||||
|
||||
my @ports = split /:/, $portpair, 2;
|
||||
|
||||
$_ = validate_port( $proto, $_) for ( @ports );
|
||||
|
||||
if ( @ports == 2 ) {
|
||||
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
|
||||
}
|
||||
|
||||
join ':', @ports;
|
||||
|
||||
}
|
||||
|
||||
sub validate_port_list( $$ ) {
|
||||
my $result = '';
|
||||
my ( $proto, $list ) = @_;
|
||||
my @list = split_list( $list, 'port' );
|
||||
|
||||
if ( @list > 1 && $list =~ /:/ ) {
|
||||
require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
|
||||
}
|
||||
|
||||
$proto = proto_name $proto;
|
||||
|
||||
for ( @list ) {
|
||||
my $value = validate_portpair( $proto , $_ );
|
||||
$result = $result ? join ',', $result, $value : $value;
|
||||
}
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
my %icmp_types = ( any => 'any',
|
||||
'echo-reply' => 0,
|
||||
'destination-unreachable' => 3,
|
||||
'network-unreachable' => '3/0',
|
||||
'host-unreachable' => '3/1',
|
||||
'protocol-unreachable' => '3/2',
|
||||
'port-unreachable' => '3/3',
|
||||
'fragmentation-needed' => '3/4',
|
||||
'source-route-failed' => '3/5',
|
||||
'network-unknown' => '3/6',
|
||||
'host-unknown' => '3/7',
|
||||
'network-prohibited' => '3/9',
|
||||
'host-prohibited' => '3/10',
|
||||
'TOS-network-unreachable' => '3/11',
|
||||
'TOS-host-unreachable' => '3/12',
|
||||
'communication-prohibited' => '3/13',
|
||||
'host-precedence-violation' => '3/14',
|
||||
'precedence-cutoff' => '3/15',
|
||||
'source-quench' => 4,
|
||||
'redirect' => 5,
|
||||
'network-redirect' => '5/0',
|
||||
'host-redirect' => '5/1',
|
||||
'TOS-network-redirect' => '5/2',
|
||||
'TOS-host-redirect' => '5/3',
|
||||
'echo-request' => '8',
|
||||
'router-advertisement' => 9,
|
||||
'router-solicitation' => 10,
|
||||
'time-exceeded' => 11,
|
||||
'ttl-zero-during-transit' => '11/0',
|
||||
'ttl-zero-during-reassembly' => '11/1',
|
||||
'parameter-problem' => 12,
|
||||
'ip-header-bad' => '12/0',
|
||||
'required-option-missing' => '12/1',
|
||||
'timestamp-request' => 13,
|
||||
'timestamp-reply' => 14,
|
||||
'address-mask-request' => 17,
|
||||
'address-mask-reply' => 18 );
|
||||
|
||||
sub validate_icmp( $ ) {
|
||||
fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
|
||||
|
||||
my $type = $_[0];
|
||||
|
||||
my $value = $icmp_types{$type};
|
||||
|
||||
return $value if defined $value;
|
||||
|
||||
if ( $type =~ /^(\d+)(\/(\d+))?$/ ) {
|
||||
return $type if $1 < 256 && ( ! $2 || $3 < 256 );
|
||||
}
|
||||
|
||||
fatal_error "Invalid ICMP Type ($type)"
|
||||
}
|
||||
|
||||
#
|
||||
# Expands a port range into a minimal list of ( port, mask ) pairs.
|
||||
# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
|
||||
# 006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
|
||||
#
|
||||
sub expand_port_range( $$ ) {
|
||||
my ( $proto, $range ) = @_;
|
||||
|
||||
if ( $range =~ /^(.*):(.*)$/ ) {
|
||||
my ( $first, $last ) = ( $1, $2);
|
||||
my @result;
|
||||
|
||||
fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
|
||||
#
|
||||
# Supply missing first/last port number
|
||||
#
|
||||
$first = 0 if $first eq '';
|
||||
$last = 65535 if $last eq '';
|
||||
#
|
||||
# Validate the ports
|
||||
#
|
||||
( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
|
||||
|
||||
$last++; #Increment last address for limit testing.
|
||||
#
|
||||
# Break the range into groups:
|
||||
#
|
||||
# - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
|
||||
# - Otherwise, find the largest power of two P that divides the first address such that
|
||||
# the remaining range has less than or equal to P ports. The next group is
|
||||
# ( <first> , ~( P-1 ) ).
|
||||
#
|
||||
while ( ( my $ports = ( $last - $first ) ) > 0 ) {
|
||||
my $mask = 0xffff; #Mask for current ports in group.
|
||||
my $y = 2; #Next power of two to test
|
||||
my $z = 1; #Number of ports in current group (Previous value of $y).
|
||||
|
||||
while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
|
||||
$mask <<= 1;
|
||||
$z = $y;
|
||||
$y <<= 1;
|
||||
}
|
||||
#
|
||||
#
|
||||
push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
|
||||
$first += $z;
|
||||
}
|
||||
|
||||
fatal_error "Invalid port range ($range)" unless @result; # first port > last port
|
||||
|
||||
@result;
|
||||
|
||||
} else {
|
||||
( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
|
||||
}
|
||||
}
|
||||
|
||||
sub valid_6address( $ ) {
|
||||
my $address = $_[0];
|
||||
|
||||
my @address = split /:/, $address;
|
||||
|
||||
return 0 if @address > 8;
|
||||
return 0 if @address < 8 && ! $address =~ /::/;
|
||||
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
|
||||
|
||||
if ( $address =~ /^:/ ) {
|
||||
unless ( $address eq '::' ) {
|
||||
return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
|
||||
}
|
||||
} elsif ( $address =~ /:$/ ) {
|
||||
return 0 if $address =~ /::.*:$/;
|
||||
}
|
||||
|
||||
for my $a ( @address ) {
|
||||
return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
|
||||
}
|
||||
|
||||
1;
|
||||
}
|
||||
|
||||
sub validate_6address( $$ ) {
|
||||
my ( $addr, $allow_name ) = @_;
|
||||
|
||||
my @addrs = ( $addr );
|
||||
|
||||
unless ( valid_6address $addr ) {
|
||||
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
|
||||
fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname2 $addr, AF_INET6);
|
||||
|
||||
if ( defined wantarray ) {
|
||||
shift @addrs for (1..4);
|
||||
for ( @addrs ) {
|
||||
$_ = inet_ntop AF_INET6, $_;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
|
||||
}
|
||||
|
||||
sub validate_6net( $$ ) {
|
||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
||||
my $allow_name = $_[1];
|
||||
|
||||
fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
|
||||
|
||||
if ( defined $vlsm ) {
|
||||
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 64;
|
||||
fatal_error "Invalid Network address ($_[0])" if defined $rest;
|
||||
fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net;
|
||||
} else {
|
||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
|
||||
validate_6address $net, $allow_name;
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_6range( $$ ) {
|
||||
my ( $low, $high ) = @_;
|
||||
|
||||
validate_6address $low, 0;
|
||||
validate_6address $high, 0;
|
||||
|
||||
my @low = split ":", $low;
|
||||
my @high = split ":", $high;
|
||||
|
||||
if ( @low == @high ) {
|
||||
my ( $l, $h) = ( pop @low, pop @high );
|
||||
|
||||
return 1 if hex "0x$l" <= hex "0x$h" && join( ":", @low ) eq join( ":", @high );
|
||||
}
|
||||
|
||||
fatal_error "Invalid IPv6 Range ($low-$high)";
|
||||
}
|
||||
|
||||
sub validate_6host( $$ ) {
|
||||
my ( $host, $allow_name ) = $_[0];
|
||||
|
||||
if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
|
||||
validate_6range $1, $2;
|
||||
} else {
|
||||
validate_6net( $host, $allow_name );
|
||||
}
|
||||
}
|
||||
|
||||
my %ipv6_icmp_types = ( any => 'any',
|
||||
'destination-unreachable' => 1,
|
||||
'no-route' => '1/0',
|
||||
'communication-prohibited' => '1/1',
|
||||
'address-unreachable' => '1/2',
|
||||
'port-unreachable' => '1/3',
|
||||
'packet-too-big' => 2,
|
||||
'time-exceeded' => 3,
|
||||
'ttl-exceeded' => 3,
|
||||
'ttl-zero-during-transit' => '3/0',
|
||||
'ttl-zero-during-reassembly' => '3/1',
|
||||
'parameter-problem' => 4,
|
||||
'bad-header' => '4/0',
|
||||
'unknown-header-type' => '4/1',
|
||||
'unknown-option' => '4/2',
|
||||
'echo-request' => 128,
|
||||
'echo-reply' => 129,
|
||||
'router-solicitation' => 133,
|
||||
'router-advertisement' => 134,
|
||||
'neighbour-solicitation' => 135,
|
||||
'neighbour-advertisement' => 136,
|
||||
redirect => 137 );
|
||||
|
||||
|
||||
sub validate_icmp6( $ ) {
|
||||
fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
|
||||
my $type = $_[0];
|
||||
|
||||
my $value = $ipv6_icmp_types{$type};
|
||||
|
||||
return $value if defined $value;
|
||||
|
||||
if ( $type =~ /^(\d+)(\/(\d+))?$/ ) {
|
||||
return $type if $1 < 256 && ( ! $2 || $3 < 256 );
|
||||
}
|
||||
|
||||
fatal_error "Invalid IPv6 ICMP Type ($type)"
|
||||
}
|
||||
|
||||
sub ALLIP() {
|
||||
$family == F_IPV4 ? ALLIPv4 : ALLIPv6;
|
||||
}
|
||||
|
||||
sub allip() {
|
||||
$family == F_IPV4 ? ALLIPv4 : ALLIPv6;
|
||||
}
|
||||
|
||||
sub valid_address ( $ ) {
|
||||
$family == F_IPV4 ? valid_4address( $_[0] ) : valid_6address( $_[0] );
|
||||
}
|
||||
|
||||
sub validate_address ( $$ ) {
|
||||
$family == F_IPV4 ? validate_4address( $_[0], $_[1] ) : validate_6address( $_[0], $_[1] );
|
||||
}
|
||||
|
||||
sub validate_net ( $$ ) {
|
||||
$family == F_IPV4 ? validate_4net( $_[0], $_[1] ) : validate_6net( $_[0], $_[1] );
|
||||
}
|
||||
|
||||
sub validate_range ($$ ) {
|
||||
$family == F_IPV4 ? validate_4range( $_[0], $_[1] ) : validate_6range( $_[0], $_[1] );
|
||||
}
|
||||
|
||||
sub validate_host ($$ ) {
|
||||
$family == F_IPV4 ? validate_4host( $_[0], $_[1] ) : validate_6host( $_[0], $_[1] );
|
||||
}
|
||||
|
||||
1;
|
@ -1,518 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Nat.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module contains code for dealing with the /etc/shorewall/masq,
|
||||
# /etc/shorewall/nat and /etc/shorewall/netmap files.
|
||||
#
|
||||
package Shorewall::Nat;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Providers qw( lookup_provider );
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
|
||||
our @EXPORT_OK = ();
|
||||
our $VERSION = 4.1.5;
|
||||
|
||||
our @addresses_to_add;
|
||||
our %addresses_to_add;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@addresses_to_add = ();
|
||||
%addresses_to_add = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# Handle IPSEC Options in a masq record
|
||||
#
|
||||
sub do_ipsec_options($)
|
||||
{
|
||||
my %validoptions = ( strict => NOTHING,
|
||||
next => NOTHING,
|
||||
reqid => NUMERIC,
|
||||
spi => NUMERIC,
|
||||
proto => IPSECPROTO,
|
||||
mode => IPSECMODE,
|
||||
"tunnel-src" => NETWORK,
|
||||
"tunnel-dst" => NETWORK,
|
||||
);
|
||||
my $list=$_[0];
|
||||
my $options = '-m policy --pol ipsec --dir out ';
|
||||
my $fmt;
|
||||
|
||||
for my $e ( split_list $list, 'option' ) {
|
||||
my $val = undef;
|
||||
my $invert = '';
|
||||
|
||||
if ( $e =~ /([\w-]+)!=(.+)/ ) {
|
||||
$val = $2;
|
||||
$e = $1;
|
||||
$invert = '! ';
|
||||
} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
|
||||
$val = $2;
|
||||
$e = $1;
|
||||
}
|
||||
|
||||
$fmt = $validoptions{$e};
|
||||
|
||||
fatal_error "Invalid Option ($e)" unless $fmt;
|
||||
|
||||
if ( $fmt eq NOTHING ) {
|
||||
fatal_error "Option \"$e\" does not take a value" if defined $val;
|
||||
} else {
|
||||
fatal_error "Missing value for option \"$e\"" unless defined $val;
|
||||
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
|
||||
}
|
||||
|
||||
$options .= $invert;
|
||||
$options .= "--$e ";
|
||||
$options .= "$val " if defined $val;
|
||||
}
|
||||
|
||||
$options;
|
||||
}
|
||||
|
||||
#
|
||||
# Process a single rule from the the masq file
|
||||
#
|
||||
sub setup_one_masq($$$$$$$)
|
||||
{
|
||||
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark) = @_;
|
||||
|
||||
my $pre_nat;
|
||||
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
|
||||
my $destnets = '';
|
||||
my $baserule = '';
|
||||
|
||||
#
|
||||
# Leading '+'
|
||||
#
|
||||
$pre_nat = 1 if $interfacelist =~ s/^\+//;
|
||||
#
|
||||
# Parse the remaining part of the INTERFACE column
|
||||
#
|
||||
if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
|
||||
$add_snat_aliases = 0;
|
||||
$destnets = $2;
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
|
||||
$destnets = $2;
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
|
||||
$add_snat_aliases = 0;
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
|
||||
my ( $one, $two ) = ( $1, $2 );
|
||||
if ( $2 =~ /\./ ) {
|
||||
$interfacelist = $one;
|
||||
$destnets = $two;
|
||||
}
|
||||
}
|
||||
#
|
||||
# If there is no source or destination then allow all addresses
|
||||
#
|
||||
$networks = ALLIPv4 if $networks eq '-';
|
||||
$destnets = ALLIPv4 if $destnets eq '-';
|
||||
|
||||
#
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
if ( $ipsec ne '-' ) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
|
||||
|
||||
if ( $ipsec =~ /^yes$/i ) {
|
||||
$baserule .= '-m policy --pol ipsec --dir out ';
|
||||
} elsif ( $ipsec =~ /^no$/i ) {
|
||||
$baserule .= '-m policy --pol none --dir out ';
|
||||
} else {
|
||||
$baserule .= do_ipsec_options $ipsec;
|
||||
}
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
$baserule .= '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
#
|
||||
# Handle Protocol and Ports
|
||||
#
|
||||
$baserule .= do_proto $proto, $ports, '';
|
||||
|
||||
#
|
||||
# Handle Mark
|
||||
#
|
||||
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
|
||||
|
||||
for my $fullinterface (split_list $interfacelist, 'interface' ) {
|
||||
my $rule = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
#
|
||||
# Isolate and verify the interface part
|
||||
#
|
||||
( my $interface = $fullinterface ) =~ s/:.*//;
|
||||
|
||||
if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
|
||||
$interface = $1;
|
||||
my $provider = $2;
|
||||
$fullinterface =~ s/[(]\w*[)]//;
|
||||
my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/;
|
||||
|
||||
fatal_error "$provider is not a shared-interface provider" unless $realm;
|
||||
|
||||
$rule .= "-m realm --realm $realm ";
|
||||
}
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rule .= "-o $interface ";
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
|
||||
my $detectaddress = 0;
|
||||
my $exceptionrule = '';
|
||||
my $randomize = '';
|
||||
#
|
||||
# Parse the ADDRESSES column
|
||||
#
|
||||
if ( $addresses ne '-' ) {
|
||||
if ( $addresses eq 'random' ) {
|
||||
$randomize = '--random ';
|
||||
} else {
|
||||
$addresses =~ s/:random$// and $randomize = '--random ';
|
||||
|
||||
if ( $addresses =~ /^SAME:nodst:/ ) {
|
||||
fatal_error "':random' is not supported by the SAME target" if $randomize;
|
||||
$target = '-j SAME --nodst ';
|
||||
$addresses =~ s/.*://;
|
||||
for my $addr ( split_list $addresses, 'address' ) {
|
||||
$target .= "--to $addr ";
|
||||
}
|
||||
} elsif ( $addresses =~ /^SAME:/ ) {
|
||||
fatal_error "':random' is not supported by the SAME target" if $randomize;
|
||||
$target = '-j SAME ';
|
||||
$addresses =~ s/.*://;
|
||||
for my $addr ( split_list $addresses, 'address' ) {
|
||||
$target .= "--to $addr ";
|
||||
}
|
||||
} elsif ( $addresses eq 'detect' ) {
|
||||
my $variable = get_interface_address $interface;
|
||||
$target = "-j SNAT --to-source $variable";
|
||||
|
||||
if ( interface_is_optional $interface ) {
|
||||
add_commands( $chainref,
|
||||
'',
|
||||
"if [ \"$variable\" != 0.0.0.0 ]; then" );
|
||||
incr_cmd_level( $chainref );
|
||||
$detectaddress = 1;
|
||||
}
|
||||
} elsif ( $addresses eq 'NONAT' ) {
|
||||
$target = '-j RETURN';
|
||||
$add_snat_aliases = 0;
|
||||
} else {
|
||||
my $addrlist = '';
|
||||
for my $addr ( split_list $addresses , 'address' ) {
|
||||
if ( $addr =~ /^.*\..*\..*\./ ) {
|
||||
$target = '-j SNAT ';
|
||||
$addrlist .= "--to-source $addr ";
|
||||
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
|
||||
} else {
|
||||
$addr =~ s/^://;
|
||||
$addrlist .= "--to-ports $addr ";
|
||||
$exceptionrule = do_proto( $proto, '', '' );
|
||||
}
|
||||
}
|
||||
|
||||
$target .= $addrlist;
|
||||
}
|
||||
}
|
||||
|
||||
$target .= $randomize;
|
||||
} else {
|
||||
$add_snat_aliases = 0;
|
||||
}
|
||||
#
|
||||
# And Generate the Rule(s)
|
||||
#
|
||||
expand_rule( $chainref ,
|
||||
POSTROUTE_RESTRICT ,
|
||||
$baserule . $rule ,
|
||||
$networks ,
|
||||
$destnets ,
|
||||
'' ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
'' ,
|
||||
$exceptionrule );
|
||||
|
||||
if ( $detectaddress ) {
|
||||
decr_cmd_level( $chainref );
|
||||
add_command( $chainref , 'fi' );
|
||||
}
|
||||
|
||||
if ( $add_snat_aliases ) {
|
||||
my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
|
||||
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
|
||||
for my $address ( split_list $addresses, 'address' ) {
|
||||
my ( $addrs, $port ) = split /:/, $address;
|
||||
next unless $addrs;
|
||||
next if $addrs eq 'detect';
|
||||
for my $addr ( ip_range_explicit $addrs ) {
|
||||
unless ( $addresses_to_add{$addr} ) {
|
||||
emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
|
||||
$addresses_to_add{$addr} = 1;
|
||||
if ( defined $alias ) {
|
||||
push @addresses_to_add, $addr, "$interface:$alias";
|
||||
$alias++;
|
||||
} else {
|
||||
push @addresses_to_add, $addr, $interface;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " Masq record \"$currentline\" $done";
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Process the masq file
|
||||
#
|
||||
sub setup_masq()
|
||||
{
|
||||
my $fn = open_file 'masq';
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
|
||||
|
||||
if ( $fullinterface eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark;
|
||||
}
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the ALL INTERFACES or LOCAL column in the NAT file
|
||||
#
|
||||
sub validate_nat_column( $$ ) {
|
||||
my $ref = $_[1];
|
||||
my $val = $$ref;
|
||||
|
||||
if ( defined $val ) {
|
||||
unless ( ( $val = "\L$val" ) eq 'yes' ) {
|
||||
if ( ( $val eq 'no' ) || ( $val eq '-' ) ) {
|
||||
$$ref = '';
|
||||
} else {
|
||||
fatal_error "Invalid value ($val) for $_[0]";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$$ref = '';
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from the NAT file
|
||||
#
|
||||
sub do_one_nat( $$$$$ )
|
||||
{
|
||||
my ( $external, $fullinterface, $internal, $allints, $localnat ) = @_;
|
||||
|
||||
my ( $interface, $alias, $remainder ) = split( /:/, $fullinterface, 3 );
|
||||
|
||||
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
|
||||
|
||||
sub add_nat_rule( $$ ) {
|
||||
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
|
||||
}
|
||||
|
||||
my $add_ip_aliases = $config{ADD_IP_ALIASES};
|
||||
|
||||
my $policyin = '';
|
||||
my $policyout = '';
|
||||
my $rulein = '';
|
||||
my $ruleout = '';
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = "-i $interface ";
|
||||
$ruleout = "-o $interface ";
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( $capabilities{POLICY_MATCH} ) {
|
||||
$policyin = ' -m policy --pol none --dir in';
|
||||
$policyout = '-m policy --pol none --dir out';
|
||||
}
|
||||
|
||||
fatal_error "Invalid nat file entry" unless defined $interface && defined $internal;
|
||||
|
||||
if ( $add_ip_aliases ) {
|
||||
if ( defined( $alias ) && $alias eq '' ) {
|
||||
$add_ip_aliases = '';
|
||||
} else {
|
||||
emit "del_ip_addr $external $interface" unless $config{RETAIN_ALIASES};
|
||||
}
|
||||
}
|
||||
|
||||
validate_nat_column 'ALL INTERFACES', \$allints;
|
||||
validate_nat_column 'LOCAL' , \$localnat;
|
||||
|
||||
if ( $allints ) {
|
||||
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
|
||||
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
|
||||
} else {
|
||||
add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
|
||||
add_nat_rule output_chain( $interface ) , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
|
||||
}
|
||||
|
||||
add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat;
|
||||
|
||||
if ( $add_ip_aliases ) {
|
||||
unless ( $addresses_to_add{$external} ) {
|
||||
$addresses_to_add{$external} = 1;
|
||||
push @addresses_to_add, ( $external , $fullinterface );
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Process NAT file
|
||||
#
|
||||
sub setup_nat() {
|
||||
|
||||
my $fn = open_file 'nat';
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
|
||||
|
||||
if ( $external eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
( $interfacelist, my $digit ) = split /:/, $interfacelist;
|
||||
|
||||
$digit = defined $digit ? ":$digit" : '';
|
||||
|
||||
for my $interface ( split_list $interfacelist , 'interface' ) {
|
||||
fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
|
||||
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
|
||||
}
|
||||
|
||||
progress_message " NAT entry \"$currentline\" $done";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Network Mapping
|
||||
#
|
||||
sub setup_netmap() {
|
||||
|
||||
my $fn = open_file 'netmap';
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
|
||||
|
||||
for my $interface ( split_list $interfacelist, 'interface' ) {
|
||||
|
||||
my $rulein = '';
|
||||
my $ruleout = '';
|
||||
my $iface = $interface;
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = "-i $interface ";
|
||||
$ruleout = "-o $interface ";
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
|
||||
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
sub add_addresses () {
|
||||
if ( @addresses_to_add ) {
|
||||
my $arg = '';
|
||||
|
||||
while ( @addresses_to_add ) {
|
||||
my $addr = shift @addresses_to_add;
|
||||
my $interface = shift @addresses_to_add;
|
||||
$arg = "$arg $addr $interface";
|
||||
}
|
||||
|
||||
emit "add_ip_aliases $arg";
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
@ -1,481 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Policy.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module deals with the /etc/shorewall/policy file.
|
||||
#
|
||||
package Shorewall::Policy;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw( :DEFAULT :internal) ;
|
||||
use Shorewall::Actions;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.3.0;
|
||||
|
||||
# @policy_chains is a list of references to policy chains in the filter table
|
||||
|
||||
our @policy_chains;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@policy_chains = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# Convert a chain into a policy chain.
|
||||
#
|
||||
sub convert_to_policy_chain($$$$$)
|
||||
{
|
||||
my ($chainref, $source, $dest, $policy, $optional ) = @_;
|
||||
|
||||
$chainref->{is_policy} = 1;
|
||||
$chainref->{policy} = $policy;
|
||||
$chainref->{is_optional} = $optional;
|
||||
$chainref->{policychain} = $chainref->{name};
|
||||
$chainref->{policypair} = [ $source, $dest ];
|
||||
}
|
||||
|
||||
#
|
||||
# Create a new policy chain and return a reference to it.
|
||||
#
|
||||
sub new_policy_chain($$$$)
|
||||
{
|
||||
my ($source, $dest, $policy, $optional) = @_;
|
||||
|
||||
my $chainref = new_chain( 'filter', "${source}2${dest}" );
|
||||
|
||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Set the passed chain's policychain and policy to the passed values.
|
||||
#
|
||||
sub set_policy_chain($$$$$)
|
||||
{
|
||||
my ($source, $dest, $chain1, $chainref, $policy ) = @_;
|
||||
|
||||
my $chainref1 = $filter_table->{$chain1};
|
||||
|
||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
||||
|
||||
unless ( $chainref1->{policychain} ) {
|
||||
if ( $config{EXPAND_POLICIES} ) {
|
||||
#
|
||||
# We convert the canonical chain into a policy chain, using the settings of the
|
||||
# passed policy chain.
|
||||
#
|
||||
$chainref1->{policychain} = $chain1;
|
||||
$chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
|
||||
|
||||
if ( defined $chainref->{synparams} ) {
|
||||
$chainref1->{synparams} = $chainref->{synparams};
|
||||
$chainref1->{synchain} = $chainref->{synchain};
|
||||
}
|
||||
|
||||
$chainref1->{default} = $chainref->{default} if defined $chainref->{default};
|
||||
$chainref1->{is_policy} = 1;
|
||||
push @policy_chains, $chainref1;
|
||||
} else {
|
||||
$chainref1->{policychain} = $chainref->{name};
|
||||
}
|
||||
|
||||
$chainref1->{policy} = $policy;
|
||||
$chainref1->{policypair} = [ $source, $dest ];
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Process the policy file
|
||||
#
|
||||
use constant { OPTIONAL => 1 };
|
||||
|
||||
sub add_or_modify_policy_chain( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = "${zone}2${zone1}";
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
if ( $chainref ) {
|
||||
unless( $chainref->{is_policy} ) {
|
||||
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
push @policy_chains, $chainref;
|
||||
}
|
||||
} else {
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
}
|
||||
}
|
||||
|
||||
sub print_policy($$$$) {
|
||||
my ( $source, $dest, $policy , $chain ) = @_;
|
||||
unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
|
||||
if ( $policy eq 'CONTINUE' ) {
|
||||
my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
|
||||
warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
|
||||
}
|
||||
progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_policy()
|
||||
{
|
||||
my %validpolicies = (
|
||||
ACCEPT => undef,
|
||||
REJECT => undef,
|
||||
DROP => undef,
|
||||
CONTINUE => undef,
|
||||
QUEUE => undef,
|
||||
NFQUEUE => undef,
|
||||
NONE => undef
|
||||
);
|
||||
|
||||
my %map = ( DROP_DEFAULT => 'DROP' ,
|
||||
REJECT_DEFAULT => 'REJECT' ,
|
||||
ACCEPT_DEFAULT => 'ACCEPT' ,
|
||||
QUEUE_DEFAULT => 'QUEUE' ,
|
||||
NFQUEUE_DEFAULT => 'NFQUEUE' );
|
||||
|
||||
my $zone;
|
||||
my @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
|
||||
|
||||
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
|
||||
my $action = $config{$option};
|
||||
next if $action eq 'none';
|
||||
my $actiontype = $targets{$action};
|
||||
|
||||
if ( defined $actiontype ) {
|
||||
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
|
||||
} else {
|
||||
fatal_error "Default Action $option=$action not found";
|
||||
}
|
||||
|
||||
unless ( $usedactions{$action} ) {
|
||||
$usedactions{$action} = 1;
|
||||
createactionchain $action;
|
||||
}
|
||||
|
||||
$default_actions{$map{$option}} = $action;
|
||||
}
|
||||
|
||||
for $zone ( all_zones ) {
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
|
||||
|
||||
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
unless( $zone eq $zone1 ) {
|
||||
add_or_modify_policy_chain( $zone, $zone1 );
|
||||
add_or_modify_policy_chain( $zone1, $zone );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my $fn = open_file 'policy';
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
|
||||
|
||||
$loglevel = '' if $loglevel eq '-';
|
||||
$synparams = '' if $synparams eq '-';
|
||||
$connlimit = '' if $connlimit eq '-';
|
||||
|
||||
my $clientwild = ( "\L$client" eq 'all' );
|
||||
|
||||
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
|
||||
|
||||
my $serverwild = ( "\L$server" eq 'all' );
|
||||
|
||||
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
|
||||
|
||||
my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
|
||||
|
||||
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
|
||||
|
||||
fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
|
||||
|
||||
( $policy , my $queue ) = get_target_param $policy;
|
||||
|
||||
if ( $default ) {
|
||||
if ( "\L$default" eq 'none' ) {
|
||||
$default = 'none';
|
||||
} else {
|
||||
my $defaulttype = $targets{$default} || 0;
|
||||
|
||||
if ( $defaulttype & ACTION ) {
|
||||
unless ( $usedactions{$default} ) {
|
||||
$usedactions{$default} = 1;
|
||||
createactionchain $default;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Unknown Default Action ($default)";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$default = $default_actions{$policy} || '';
|
||||
}
|
||||
|
||||
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
|
||||
|
||||
if ( defined $queue ) {
|
||||
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
|
||||
require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
|
||||
my $queuenum = numeric_value( $queue );
|
||||
fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
|
||||
$policy = "NFQUEUE --queue-num $queuenum";
|
||||
} elsif ( $policy eq 'NONE' ) {
|
||||
fatal_error "NONE policy not allowed with \"all\""
|
||||
if $clientwild || $serverwild;
|
||||
fatal_error "NONE policy not allowed to/from firewall zone"
|
||||
if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' );
|
||||
}
|
||||
|
||||
unless ( $clientwild || $serverwild ) {
|
||||
if ( zone_type( $server ) eq 'bport' ) {
|
||||
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
||||
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
|
||||
}
|
||||
}
|
||||
|
||||
my $chain = "${client}2${server}";
|
||||
my $chainref;
|
||||
|
||||
if ( defined $filter_table->{$chain} ) {
|
||||
$chainref = $filter_table->{$chain};
|
||||
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{is_optional} ) {
|
||||
$chainref->{is_optional} = 0;
|
||||
$chainref->{policy} = $policy;
|
||||
} else {
|
||||
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
|
||||
}
|
||||
} elsif ( $chainref->{policy} ) {
|
||||
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
|
||||
} else {
|
||||
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
|
||||
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||
}
|
||||
} else {
|
||||
$chainref = new_policy_chain $client, $server, $policy, 0;
|
||||
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
|
||||
}
|
||||
|
||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||
|
||||
if ( $synparams ne '' || $connlimit ne '' ) {
|
||||
my $value = '';
|
||||
fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
|
||||
$value = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
|
||||
$value .= do_connlimit $connlimit if $connlimit ne '';
|
||||
$chainref->{synparams} = $value;
|
||||
$chainref->{synchain} = $chain
|
||||
}
|
||||
|
||||
$chainref->{default} = $default if $default;
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
for my $zone1 ( @zonelist ) {
|
||||
set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
|
||||
print_policy $zone, $zone1, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $zone ( all_zones ) {
|
||||
set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
|
||||
print_policy $zone, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} elsif ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
|
||||
print_policy $client, $zone, $policy, $chain;
|
||||
}
|
||||
|
||||
} else {
|
||||
print_policy $client, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
|
||||
for $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub policy_rules( $$$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||
|
||||
unless ( $target eq 'NONE' ) {
|
||||
add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
|
||||
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||
fatal_error "Null target in policy_rules()" unless $target;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
add_jump( $chainref , $target, 1 ) unless $target eq 'CONTINUE';
|
||||
}
|
||||
}
|
||||
|
||||
sub report_syn_flood_protection() {
|
||||
progress_message ' Enabled SYN flood protection';
|
||||
}
|
||||
|
||||
sub default_policy( $$$ ) {
|
||||
my $chainref = $_[0];
|
||||
my $policyref = $filter_table->{$chainref->{policychain}};
|
||||
my $synparams = $policyref->{synparams};
|
||||
my $default = $policyref->{default};
|
||||
my $policy = $policyref->{policy};
|
||||
my $loglevel = $policyref->{loglevel};
|
||||
|
||||
fatal_error "Internal error in default_policy()" unless $policyref;
|
||||
|
||||
if ( $chainref eq $policyref ) {
|
||||
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
|
||||
if ( $synparams ) {
|
||||
report_syn_flood_protection;
|
||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
add_jump $chainref, $policyref, 1;
|
||||
$chainref = $policyref;
|
||||
}
|
||||
} elsif ( $policy eq 'CONTINUE' ) {
|
||||
report_syn_flood_protection if $synparams;
|
||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
report_syn_flood_protection if $synparams;
|
||||
add_jump $chainref , $policyref, 1;
|
||||
$chainref = $policyref;
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
|
||||
|
||||
}
|
||||
|
||||
sub apply_policy_rules() {
|
||||
progress_message2 'Applying Policies...';
|
||||
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $policy = $chainref->{policy};
|
||||
my $loglevel = $chainref->{loglevel};
|
||||
my $optional = $chainref->{is_optional};
|
||||
my $default = $chainref->{default};
|
||||
my $name = $chainref->{name};
|
||||
|
||||
if ( $policy ne 'NONE' ) {
|
||||
if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) {
|
||||
ensure_filter_chain $name, 1;
|
||||
}
|
||||
|
||||
if ( $name =~ /^all2|2all$/ ) {
|
||||
run_user_exit $chainref;
|
||||
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $filter_table->{"${zone}2${zone1}"};
|
||||
|
||||
if ( $chainref->{referenced} ) {
|
||||
run_user_exit $chainref;
|
||||
default_policy $chainref, $zone, $zone1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Complete a standard chain
|
||||
#
|
||||
# - run any supplied user exit
|
||||
# - search the policy file for an applicable policy and add rules as
|
||||
# appropriate
|
||||
# - If no applicable policy is found, add rules for an assummed
|
||||
# policy of DROP INFO
|
||||
#
|
||||
sub complete_standard_chain ( $$$$ ) {
|
||||
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||
|
||||
add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
|
||||
|
||||
run_user_exit $stdchainref;
|
||||
|
||||
my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
|
||||
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||
my $policychainref;
|
||||
|
||||
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
|
||||
|
||||
( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||
|
||||
policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
|
||||
}
|
||||
|
||||
#
|
||||
# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
|
||||
#
|
||||
sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
if $level ne '';
|
||||
add_rule $synchainref, '-j DROP';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
@ -1,212 +0,0 @@
|
||||
#
|
||||
# Shorewall 4.2 -- /usr/share/shorewall-perl/Shorewall/Proc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module contains the code that deals with entries in /proc.
|
||||
#
|
||||
# Note: The /proc/sys/net/ipv4/conf/x/proxy_arp flag is handled
|
||||
# in the Proxyarp module.
|
||||
#
|
||||
package Shorewall::Proc;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
setup_arp_filtering
|
||||
setup_route_filtering
|
||||
setup_martian_logging
|
||||
setup_source_routing
|
||||
setup_forwarding
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.0.6;
|
||||
|
||||
#
|
||||
# ARP Filtering
|
||||
#
|
||||
sub setup_arp_filtering() {
|
||||
save_progress_message "Setting up ARP filtering...";
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'arp_filter';
|
||||
my $interfaces1 = find_interfaces_by_option 'arp_ignore';
|
||||
|
||||
if ( @$interfaces || @$interfaces1 ) {
|
||||
progress_message2 "$doing ARP Filtering...";
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
|
||||
my $value = get_interface_option $interface, 'arp_filter';
|
||||
|
||||
emit ( '',
|
||||
"if [ -f $file ]; then",
|
||||
" echo $value > $file");
|
||||
emit ( 'else',
|
||||
" error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
for my $interface ( @$interfaces1 ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
|
||||
my $value = get_interface_option $interface, 'arp_ignore';
|
||||
|
||||
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
|
||||
|
||||
emit ( "if [ -f $file ]; then",
|
||||
" echo $value > $file");
|
||||
emit ( 'else',
|
||||
" error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
sub setup_route_filtering() {
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'routefilter';
|
||||
|
||||
if ( @$interfaces || $config{ROUTE_FILTER} ) {
|
||||
|
||||
progress_message2 "$doing Kernel Route Filtering...";
|
||||
|
||||
save_progress_message "Setting up Route Filtering...";
|
||||
|
||||
|
||||
if ( $config{ROUTE_FILTER} ) {
|
||||
my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
|
||||
|
||||
emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
|
||||
" [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
|
||||
'done' );
|
||||
}
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
|
||||
my $value = get_interface_option $interface, 'routefilter';
|
||||
|
||||
emit ( "if [ -f $file ]; then" ,
|
||||
" echo $value > $file" );
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
|
||||
|
||||
if ( $config{ROUTE_FILTER} eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
} elsif ( $config{ROUTE_FILTER} eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
}
|
||||
|
||||
emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Martian Logging
|
||||
#
|
||||
|
||||
sub setup_martian_logging() {
|
||||
my $interfaces = find_interfaces_by_option 'logmartians';
|
||||
|
||||
if ( @$interfaces || $config{LOG_MARTIANS} ) {
|
||||
|
||||
progress_message2 "$doing Martian Logging...";
|
||||
|
||||
save_progress_message "Setting up Martian Logging...";
|
||||
|
||||
if ( $config{LOG_MARTIANS} ) {
|
||||
my $val = $config{LOG_MARTIANS} eq 'on' ? 1 : 0;
|
||||
|
||||
emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
|
||||
" [ -f \$file/log_martians ] && echo $val > \$file/log_martians",
|
||||
'done' );
|
||||
}
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
|
||||
my $value = get_interface_option $interface, 'logmartians';
|
||||
|
||||
emit ( "if [ -f $file ]; then" ,
|
||||
" echo $value > $file" );
|
||||
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
if ( $config{LOG_MARTIANS} eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
|
||||
} elsif ( $config{LOG_MARTIANS} eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Source Routing
|
||||
#
|
||||
sub setup_source_routing() {
|
||||
|
||||
save_progress_message 'Setting up Accept Source Routing...';
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'sourceroute';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
progress_message2 "$doing Accept Source Routing...";
|
||||
|
||||
save_progress_message 'Setting up Source Routing...';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
|
||||
my $value = get_interface_option $interface, 'sourceroute';
|
||||
|
||||
emit ( "if [ -f $file ]; then" ,
|
||||
" echo $value > $file" );
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_forwarding() {
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Enabled';
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Disabled!';
|
||||
}
|
||||
|
||||
emit '';
|
||||
}
|
||||
|
||||
1;
|
@ -1,658 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Providers.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module deals with the /etc/shorewall/providers and
|
||||
# /etc/shorewall/route_rules files.
|
||||
#
|
||||
package Shorewall::Providers;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_providers @routemarked_interfaces);
|
||||
our @EXPORT_OK = qw( initialize lookup_provider );
|
||||
our $VERSION = 4.1.5;
|
||||
|
||||
use constant { LOCAL_TABLE => 255,
|
||||
MAIN_TABLE => 254,
|
||||
DEFAULT_TABLE => 253,
|
||||
UNSPEC_TABLE => 0
|
||||
};
|
||||
|
||||
our @routemarked_providers;
|
||||
our %routemarked_interfaces;
|
||||
our @routemarked_interfaces;
|
||||
|
||||
our $balance;
|
||||
our $first_default_route;
|
||||
|
||||
our %providers;
|
||||
|
||||
our @providers;
|
||||
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@routemarked_providers = ();
|
||||
%routemarked_interfaces = ();
|
||||
@routemarked_interfaces = ();
|
||||
$balance = 0;
|
||||
$first_default_route = 1;
|
||||
|
||||
%providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } ,
|
||||
main => { number => MAIN_TABLE , mark => 0 , optional => 0 } ,
|
||||
default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
|
||||
unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 } );
|
||||
@providers = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# Set up marking for 'tracked' interfaces.
|
||||
#
|
||||
sub setup_route_marking() {
|
||||
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
|
||||
|
||||
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
|
||||
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
|
||||
|
||||
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
add_rule $mangle_table->{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
|
||||
|
||||
my $chainref = new_chain 'mangle', 'routemark';
|
||||
|
||||
my %marked_interfaces;
|
||||
|
||||
for my $providerref ( @routemarked_providers ) {
|
||||
my $interface = $providerref->{interface};
|
||||
my $base = uc chain_base $interface;
|
||||
|
||||
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||
|
||||
unless ( $marked_interfaces{$interface} ) {
|
||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||
$marked_interfaces{$interface} = 1;
|
||||
}
|
||||
|
||||
if ( $providerref->{shared} ) {
|
||||
add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
|
||||
} else {
|
||||
add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
|
||||
}
|
||||
|
||||
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||
}
|
||||
|
||||
add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
|
||||
}
|
||||
|
||||
sub copy_table( $$$ ) {
|
||||
my ( $duplicate, $number, $realm ) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip -4 route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip -4 route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
' default|nexthop)',
|
||||
' ;;',
|
||||
' *)',
|
||||
" run_ip route add table $number \$net \$route $realm",
|
||||
' ;;',
|
||||
' esac',
|
||||
"done\n"
|
||||
);
|
||||
}
|
||||
|
||||
sub copy_and_edit_table( $$$$ ) {
|
||||
my ( $duplicate, $number, $copy, $realm) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
' default|nexthop)',
|
||||
' ;;',
|
||||
' *)',
|
||||
' case $(find_device $route) in',
|
||||
" $copy)",
|
||||
" run_ip route add table $number \$net \$route $realm",
|
||||
' ;;',
|
||||
' esac',
|
||||
' ;;',
|
||||
' esac',
|
||||
"done\n" );
|
||||
}
|
||||
|
||||
sub balance_default_route( $$$$ ) {
|
||||
my ( $weight, $gateway, $interface, $realm ) = @_;
|
||||
|
||||
$balance = 1;
|
||||
|
||||
emit '';
|
||||
|
||||
if ( $first_default_route ) {
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
|
||||
}
|
||||
|
||||
$first_default_route = 0;
|
||||
} else {
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
||||
|
||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||
|
||||
my $num = numeric_value $number;
|
||||
|
||||
fatal_error "Invalid Provider number ($number)" unless defined $num;
|
||||
|
||||
$number = $num;
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
|
||||
}
|
||||
|
||||
( $interface, my $address ) = split /:/, $interface;
|
||||
|
||||
my $shared = 0;
|
||||
|
||||
if ( defined $address ) {
|
||||
validate_address $address, 0;
|
||||
$shared = 1;
|
||||
require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
|
||||
}
|
||||
|
||||
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
|
||||
|
||||
my $provider = chain_base $table;
|
||||
my $base = uc chain_base $interface;
|
||||
|
||||
emit "#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
emit "if interface_is_usable $interface; then";
|
||||
push_indent;
|
||||
|
||||
emit "qt ip route flush table $number";
|
||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
|
||||
if ( $gateway eq 'detect' ) {
|
||||
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
||||
$gateway = get_interface_gateway $interface;
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
validate_address $gateway, 0;
|
||||
} else {
|
||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||
$gateway = '';
|
||||
emit "run_ip route add default dev $interface table $number";
|
||||
}
|
||||
|
||||
my $val = 0;
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
|
||||
$val = numeric_value $mark;
|
||||
|
||||
fatal_error "Invalid Mark Value ($mark)" unless defined $val;
|
||||
|
||||
verify_mark $mark;
|
||||
|
||||
if ( $val < 256) {
|
||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
||||
} else {
|
||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
||||
}
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
|
||||
}
|
||||
|
||||
my $pref = 10000 + $number - 1;
|
||||
|
||||
emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
||||
"echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
);
|
||||
}
|
||||
|
||||
my ( $loose, $track, $balance , $default_balance, $optional, $mtu ) = (0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split_list $options, 'option' ) {
|
||||
if ( $option eq 'track' ) {
|
||||
$track = 1;
|
||||
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
||||
$balance = $1;
|
||||
} elsif ( $option eq 'balance' ) {
|
||||
$balance = 1;
|
||||
} elsif ( $option eq 'loose' ) {
|
||||
$loose = 1;
|
||||
$default_balance = 0;
|
||||
} elsif ( $option eq 'optional' ) {
|
||||
set_interface_option $interface, 'optional', 1;
|
||||
$optional = 1;
|
||||
} elsif ( $option =~ /^src=(.*)$/ ) {
|
||||
fatal_error "OPTION 'src' not allowed on shared interface" if $shared;
|
||||
$address = validate_address( $1 , 1 );
|
||||
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
|
||||
$mtu = "mtu $1 ";
|
||||
} else {
|
||||
fatal_error "Invalid option ($option)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$balance = $default_balance unless $balance;
|
||||
|
||||
$providers{$table} = { provider => $table,
|
||||
number => $number ,
|
||||
mark => $val ,
|
||||
interface => $interface ,
|
||||
optional => $optional ,
|
||||
gateway => $gateway ,
|
||||
shared => $shared };
|
||||
|
||||
if ( $track ) {
|
||||
fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
|
||||
|
||||
if ( $routemarked_interfaces{$interface} ) {
|
||||
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
|
||||
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
|
||||
} else {
|
||||
$routemarked_interfaces{$interface} = $shared ? 1 : 2;
|
||||
push @routemarked_interfaces, $interface;
|
||||
}
|
||||
|
||||
push @routemarked_providers, $providers{$table};
|
||||
}
|
||||
|
||||
my $realm = '';
|
||||
|
||||
if ( $shared ) {
|
||||
$providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
|
||||
$realm = "realm $number";
|
||||
}
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
if ( $copy eq '-' ) {
|
||||
copy_table ( $duplicate, $number, $realm );
|
||||
} else {
|
||||
if ( $copy eq 'none' ) {
|
||||
$copy = $interface;
|
||||
} else {
|
||||
$copy =~ tr/,/|/;
|
||||
$copy = "$interface|$copy";
|
||||
}
|
||||
|
||||
copy_and_edit_table( $duplicate, $number ,$copy , $realm);
|
||||
}
|
||||
} elsif ( $copy ne '-' ) {
|
||||
fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
|
||||
}
|
||||
|
||||
if ( $gateway ) {
|
||||
$address = get_interface_address $interface unless $address;
|
||||
emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
|
||||
emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
|
||||
}
|
||||
|
||||
balance_default_route $balance , $gateway, $interface, $realm if $balance;
|
||||
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} elsif ( $shared ) {
|
||||
emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||
emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
}
|
||||
|
||||
emit qq(\nprogress_message " Provider $table ($number) Added"\n);
|
||||
|
||||
emit ( "${base}_IS_UP=Yes" ) if $optional;
|
||||
|
||||
pop_indent;
|
||||
emit 'else';
|
||||
|
||||
if ( $optional ) {
|
||||
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
|
||||
" ${base}_IS_UP=" );
|
||||
} else {
|
||||
emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
|
||||
}
|
||||
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
sub add_an_rtrule( $$$$ ) {
|
||||
my ( $source, $dest, $provider, $priority ) = @_;
|
||||
|
||||
unless ( $providers{$provider} ) {
|
||||
my $found = 0;
|
||||
|
||||
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
||||
my $provider_number = numeric_value $provider;
|
||||
|
||||
for ( keys %providers ) {
|
||||
if ( $providers{$_}{number} == $provider_number ) {
|
||||
$provider = $_;
|
||||
$found = 1;
|
||||
last;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Unknown provider ($provider)" unless $found;
|
||||
}
|
||||
|
||||
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
||||
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = 'to ' . ALLIP;
|
||||
} else {
|
||||
validate_net( $dest, 0 );
|
||||
$dest = "to $dest";
|
||||
}
|
||||
|
||||
if ( $source eq '-' ) {
|
||||
$source = 'from ' . ALLIP;
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
|
||||
fatal_error "Invalid SOURCE" if defined $remainder;
|
||||
validate_net ( $source, 0 );
|
||||
$source = "iif $interface from $source";
|
||||
} elsif ( $source =~ /\..*\..*/ ) {
|
||||
validate_net ( $source, 0 );
|
||||
$source = "from $source";
|
||||
} else {
|
||||
$source = "iif $source";
|
||||
}
|
||||
|
||||
fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
if ( $optional ) {
|
||||
my $base = uc chain_base( $providers{$provider}{interface} );
|
||||
emit ( '', "if [ -n \$${base}_IS_UP ]; then" );
|
||||
push_indent;
|
||||
}
|
||||
|
||||
emit ( "run_ip rule add $source $dest $priority table $number",
|
||||
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
|
||||
pop_indent, emit ( "fi\n" ) if $optional;
|
||||
|
||||
progress_message " Routing rule \"$currentline\" $done";
|
||||
}
|
||||
|
||||
#
|
||||
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
|
||||
# it makes sense to keep all of the routing code together
|
||||
#
|
||||
sub setup_null_routing() {
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( "run_ip route replace unreachable $_" );
|
||||
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
my $providers = 0;
|
||||
|
||||
my $fn = open_file 'providers';
|
||||
|
||||
while ( read_a_line ) {
|
||||
unless ( $providers ) {
|
||||
progress_message2 "$doing $fn ...";
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
|
||||
|
||||
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
|
||||
|
||||
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||
|
||||
push_indent;
|
||||
|
||||
emit ( '#',
|
||||
'# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
|
||||
'#',
|
||||
'undo_routing' );
|
||||
|
||||
unless ( $config{KEEP_RT_TABLES} ) {
|
||||
emit (
|
||||
'#',
|
||||
'# Save current routing table database so that it can be restored later',
|
||||
'#',
|
||||
'cp /etc/iproute2/rt_tables ${VARDIR}/' );
|
||||
|
||||
}
|
||||
|
||||
emit ( '#',
|
||||
'# Capture the default route(s) if we don\'t have it (them) already.',
|
||||
'#',
|
||||
'[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||
'#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
|
||||
save_progress_message 'Adding Providers...';
|
||||
|
||||
emit 'DEFAULT_ROUTE=';
|
||||
}
|
||||
|
||||
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
|
||||
|
||||
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
|
||||
|
||||
push @providers, $table;
|
||||
|
||||
$providers++;
|
||||
|
||||
progress_message " Provider \"$currentline\" $done";
|
||||
|
||||
}
|
||||
|
||||
if ( $providers ) {
|
||||
if ( $balance ) {
|
||||
my $table = MAIN_TABLE;
|
||||
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999',
|
||||
'ip rule del from all table ' . MAIN_TABLE . ' pref 32766',
|
||||
'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
'' );
|
||||
$table = DEFAULT_TABLE;
|
||||
}
|
||||
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
emit ( ' qt ip route del default table ' . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
|
||||
' restore_default_route',
|
||||
'fi',
|
||||
'' );
|
||||
} else {
|
||||
emit ( '#',
|
||||
'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
|
||||
'#',
|
||||
'restore_default_route' );
|
||||
}
|
||||
|
||||
unless ( $config{KEEP_RT_TABLES} ) {
|
||||
emit( 'if [ -w /etc/iproute2/rt_tables ]; then',
|
||||
' cat > /etc/iproute2/rt_tables <<EOF' );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit_unindented join( "\n",
|
||||
'#',
|
||||
'# reserved values',
|
||||
'#',
|
||||
LOCAL_TABLE . "\tlocal",
|
||||
MAIN_TABLE . "\tmain",
|
||||
DEFAULT_TABLE . "\tdefault",
|
||||
"0\tunspec",
|
||||
'#',
|
||||
'# local',
|
||||
'#',
|
||||
"EOF\n" );
|
||||
|
||||
emit "echocommand=\$(find_echo)\n";
|
||||
|
||||
for my $table ( @providers ) {
|
||||
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
my $fn = open_file 'route_rules';
|
||||
|
||||
if ( $fn ) {
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
emit '';
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
|
||||
|
||||
add_an_rtrule( $source, $dest, $provider , $priority );
|
||||
}
|
||||
}
|
||||
|
||||
setup_null_routing if $config{NULL_ROUTE_RFC1918};
|
||||
emit "\nrun_ip route flush cache";
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
|
||||
setup_route_marking if @routemarked_interfaces;
|
||||
} else {
|
||||
emit "\nundo_routing";
|
||||
emit 'restore_default_route';
|
||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||
|
||||
push_indent;
|
||||
|
||||
emit ( '#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
setup_null_routing;
|
||||
emit "\nrun_ip route flush cache";
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub lookup_provider( $ ) {
|
||||
my $provider = $_[0];
|
||||
my $providerref = $providers{ $provider };
|
||||
|
||||
unless ( $providerref ) {
|
||||
fatal_error "Unknown provider ($provider)" unless $provider =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/;
|
||||
|
||||
my $provider_number = numeric_value $provider;
|
||||
|
||||
for ( keys %providers ) {
|
||||
if ( $providers{$_}{number} == $provider_number ) {
|
||||
$providerref = $providers{$_};
|
||||
last;
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Unknown provider ($provider)" unless $providerref;
|
||||
}
|
||||
|
||||
|
||||
$providerref->{shared} ? $providerref->{number} : 0;
|
||||
}
|
||||
|
||||
1;
|
@ -1,160 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Proxyarp.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
#
|
||||
package Shorewall::Proxyarp;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
setup_proxy_arp
|
||||
dump_proxy_arp
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.0.6;
|
||||
|
||||
our @proxyarp;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@proxyarp = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
sub setup_one_proxy_arp( $$$$$ ) {
|
||||
my ( $address, $interface, $external, $haveroute, $persistent) = @_;
|
||||
|
||||
if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
|
||||
$haveroute = '';
|
||||
} elsif ( "\L$haveroute" eq 'yes' ) {
|
||||
$haveroute = 'yes';
|
||||
} else {
|
||||
fatal_error "Invalid value ($haveroute) for HAVEROUTE";
|
||||
}
|
||||
|
||||
if ( "\L$persistent" eq 'no' || $persistent eq '-' ) {
|
||||
$persistent = '';
|
||||
} elsif ( "\L$persistent" eq 'yes' ) {
|
||||
$persistent = 'yes';
|
||||
} else {
|
||||
fatal_error "Invalid value ($persistent) for PERSISTENT";
|
||||
}
|
||||
|
||||
unless ( $haveroute ) {
|
||||
emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
|
||||
$haveroute = 1 if $persistent;
|
||||
}
|
||||
|
||||
emit ( "if ! arp -i $external -Ds $address $external pub; then",
|
||||
" fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
|
||||
'fi' ,
|
||||
'',
|
||||
"progress_message \" Host $address connected to $interface added to ARP on $external\"\n" );
|
||||
|
||||
push @proxyarp, "$address $interface $external $haveroute";
|
||||
|
||||
progress_message " Host $address connected to $interface added to ARP on $external";
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Proxy ARP
|
||||
#
|
||||
sub setup_proxy_arp() {
|
||||
|
||||
my $interfaces= find_interfaces_by_option 'proxyarp';
|
||||
my $fn = open_file 'proxyarp';
|
||||
|
||||
if ( @$interfaces || $fn ) {
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
save_progress_message "Setting up Proxy ARP...";
|
||||
|
||||
my ( %set, %reset );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
$set{$interface} = 1;
|
||||
$reset{$external} = 1 unless $set{$external};
|
||||
|
||||
setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
for my $interface ( keys %reset ) {
|
||||
unless ( $set{interface} ) {
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
|
||||
" echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
|
||||
for my $interface ( keys %set ) {
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
|
||||
" echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||
emit ( 'else' ,
|
||||
" error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $value = get_interface_option $interface, 'proxyarp';
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
|
||||
" echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub dump_proxy_arp() {
|
||||
for ( @proxyarp ) {
|
||||
emit_unindented $_;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
File diff suppressed because it is too large
Load Diff
@ -1,915 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tc.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Traffic Control is from tc4shorewall Version 0.5
|
||||
# (c) 2005 Arne Bernin <arne@ucbering.de>
|
||||
# Modified by Tom Eastep for integration into the Shorewall distribution
|
||||
# published under GPL Version 2#
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module deals with Traffic Shaping and the tcrules file.
|
||||
#
|
||||
package Shorewall::Tc;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
use Shorewall::Providers;
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tc );
|
||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||
our $VERSION = 4.1.5;
|
||||
|
||||
our %tcs = ( T => { chain => 'tcpost',
|
||||
connmark => 0,
|
||||
fw => 1
|
||||
} ,
|
||||
CT => { chain => 'tcpost' ,
|
||||
target => 'CONNMARK --set-mark' ,
|
||||
connmark => 1 ,
|
||||
fw => 1
|
||||
} ,
|
||||
C => { target => 'CONNMARK --set-mark' ,
|
||||
connmark => 1 ,
|
||||
fw => 1
|
||||
} ,
|
||||
P => { chain => 'tcpre' ,
|
||||
connmark => 0 ,
|
||||
fw => 0
|
||||
} ,
|
||||
CP => { chain => 'tcpre' ,
|
||||
target => 'CONNMARK --set-mark' ,
|
||||
connmark => 1 ,
|
||||
fw => 0
|
||||
} ,
|
||||
F => { chain => 'tcfor' ,
|
||||
connmark => 0 ,
|
||||
fw => 0
|
||||
} ,
|
||||
CF => { chain => 'tcfor' ,
|
||||
connmark => 1 ,
|
||||
fw => 0 ,
|
||||
} ,
|
||||
);
|
||||
|
||||
use constant { NOMARK => 0 ,
|
||||
SMALLMARK => 1 ,
|
||||
HIGHMARK => 2
|
||||
};
|
||||
|
||||
our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
|
||||
target => 'CONNMARK --save-mark --mask' ,
|
||||
mark => SMALLMARK ,
|
||||
mask => '0xFF' ,
|
||||
connmark => 1
|
||||
} ,
|
||||
{ match => sub ( $ ) { $_[0] eq 'RESTORE' },
|
||||
target => 'CONNMARK --restore-mark --mask' ,
|
||||
mark => SMALLMARK ,
|
||||
mask => '0xFF' ,
|
||||
connmark => 1
|
||||
} ,
|
||||
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' },
|
||||
target => 'RETURN' ,
|
||||
mark => NOMARK ,
|
||||
mask => '' ,
|
||||
connmark => 0
|
||||
} ,
|
||||
{ match => sub ( $ ) { $_[0] =~ '\|.*'} ,
|
||||
target => 'MARK --or-mark' ,
|
||||
mark => HIGHMARK ,
|
||||
mask => '' } ,
|
||||
{ match => sub ( $ ) { $_[0] =~ '&.*' },
|
||||
target => 'MARK --and-mark ' ,
|
||||
mark => HIGHMARK ,
|
||||
mask => '' ,
|
||||
connmark => 0
|
||||
}
|
||||
);
|
||||
|
||||
our %classids;
|
||||
|
||||
our @deferred_rules;
|
||||
|
||||
#
|
||||
# Perl version of Arn Bernin's 'tc4shorewall'.
|
||||
#
|
||||
# TCDevices Table
|
||||
#
|
||||
# %tcdevices { <interface> -> {in_bandwidth => <value> ,
|
||||
# out_bandwidth => <value> ,
|
||||
# number => <number>,
|
||||
# classify => 0|1
|
||||
# tablenumber => <next u32 table to be allocated for this device>
|
||||
# default => <default class mark value>
|
||||
# redirected => [ <dev1>, <dev2>, ... ]
|
||||
# }
|
||||
#
|
||||
our @tcdevices;
|
||||
our %tcdevices;
|
||||
our @devnums;
|
||||
our $devnum;
|
||||
|
||||
|
||||
#
|
||||
# TCClasses Table
|
||||
#
|
||||
# %tcclasses { device => <device> ,
|
||||
# mark => <mark> ,
|
||||
# number => <number> ,
|
||||
# rate => <rate> ,
|
||||
# ceiling => <ceiling> ,
|
||||
# priority => <priority> ,
|
||||
# options => { tos => [ <value1> , <value2> , ... ];
|
||||
# tcp_ack => 1 ,
|
||||
# ...
|
||||
#
|
||||
|
||||
our @tcclasses;
|
||||
our %tcclasses;
|
||||
|
||||
our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
|
||||
tcpost => POSTROUTE_RESTRICT ,
|
||||
tcfor => NO_RESTRICT ,
|
||||
tcout => OUTPUT_RESTRICT );
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
%classids = ();
|
||||
@deferred_rules = ();
|
||||
@tcdevices = ();
|
||||
%tcdevices = ();
|
||||
@tcclasses = ();
|
||||
%tcclasses = ();
|
||||
@devnums = ();
|
||||
$devnum = 0;
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
sub process_tc_rule( $$$$$$$$$$$$ ) {
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_;
|
||||
|
||||
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
|
||||
|
||||
fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
|
||||
|
||||
my $chain = $globals{MARKING_CHAIN};
|
||||
my $target = 'MARK --set-mark';
|
||||
my $tcsref;
|
||||
my $connmark = 0;
|
||||
my $classid = 0;
|
||||
my $device = '';
|
||||
my $fw = firewall_zone;
|
||||
|
||||
if ( $source ) {
|
||||
if ( $source eq $fw ) {
|
||||
$chain = 'tcout';
|
||||
$source = '';
|
||||
} else {
|
||||
$chain = 'tcout' if $source =~ s/^($fw)://;
|
||||
}
|
||||
}
|
||||
|
||||
if ( $designator ) {
|
||||
$tcsref = $tcs{$designator};
|
||||
|
||||
if ( $tcsref ) {
|
||||
if ( $chain eq 'tcout' ) {
|
||||
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
|
||||
}
|
||||
|
||||
$chain = $tcsref->{chain} if $tcsref->{chain};
|
||||
$target = $tcsref->{target} if $tcsref->{target};
|
||||
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
|
||||
|
||||
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
|
||||
|
||||
} else {
|
||||
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
|
||||
|
||||
if ( $config{TC_ENABLED} eq 'Internal' ) {
|
||||
fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
|
||||
}
|
||||
|
||||
$chain = 'tcpost';
|
||||
$classid = 1;
|
||||
$mark = $originalmark;
|
||||
$target = 'CLASSIFY --set-class';
|
||||
}
|
||||
}
|
||||
|
||||
my $mask = 0xffff;
|
||||
|
||||
my ($cmd, $rest) = split( '/', $mark, 2 );
|
||||
|
||||
unless ( $classid ) {
|
||||
MARK:
|
||||
{
|
||||
for my $tccmd ( @tccmd ) {
|
||||
if ( $tccmd->{match}($cmd) ) {
|
||||
fatal_error "$mark not valid with :C[FPT]" if $connmark;
|
||||
|
||||
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
|
||||
|
||||
$target = "$tccmd->{target} ";
|
||||
my $marktype = $tccmd->{mark};
|
||||
|
||||
if ( $marktype == NOMARK ) {
|
||||
$mark = ''
|
||||
} else {
|
||||
$mark =~ s/^[|&]//;
|
||||
}
|
||||
|
||||
if ( $rest ) {
|
||||
fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
|
||||
|
||||
$mark = $rest if $tccmd->{mask};
|
||||
|
||||
if ( $marktype == SMALLMARK ) {
|
||||
verify_small_mark $mark;
|
||||
} else {
|
||||
validate_mark $mark;
|
||||
}
|
||||
} elsif ( $tccmd->{mask} ) {
|
||||
$mark = $tccmd->{mask};
|
||||
}
|
||||
|
||||
last MARK;
|
||||
}
|
||||
}
|
||||
|
||||
validate_mark $mark;
|
||||
|
||||
if ( $config{HIGH_ROUTE_MARKS} ) {
|
||||
my $val = numeric_value( $cmd );
|
||||
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
|
||||
fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
|
||||
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= 0xFF;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
||||
$restrictions{$chain} ,
|
||||
do_proto( $proto, $ports, $sports) .
|
||||
do_user( $user ) .
|
||||
do_test( $testval, $mask ) .
|
||||
do_length( $length ) .
|
||||
do_tos( $tos ) .
|
||||
do_connbytes( $connbytes ) .
|
||||
do_helper( $helper ),
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
'' ,
|
||||
"-j $target $mark" ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ) )
|
||||
&& $device ) {
|
||||
#
|
||||
# expand_rule() returns destination device if any
|
||||
#
|
||||
fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result;
|
||||
}
|
||||
|
||||
progress_message " TC Rule \"$currentline\" $done";
|
||||
|
||||
}
|
||||
|
||||
sub rate_to_kbit( $ ) {
|
||||
my $rate = $_[0];
|
||||
|
||||
return 0 if $rate eq '-';
|
||||
return $1 if $rate =~ /^(\d+)kbit$/i;
|
||||
return $1 * 1000 if $rate =~ /^(\d+)mbit$/i;
|
||||
return $1 * 8000 if $rate =~ /^(\d+)mbps$/i;
|
||||
return $1 * 8 if $rate =~ /^(\d+)kbps$/i;
|
||||
return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
|
||||
fatal_error "Invalid Rate ($rate)";
|
||||
}
|
||||
|
||||
sub calculate_r2q( $ ) {
|
||||
my $rate = rate_to_kbit $_[0];
|
||||
my $r2q= $rate / 200 ;
|
||||
$r2q <= 5 ? 5 : $r2q;
|
||||
}
|
||||
|
||||
sub calculate_quantum( $$ ) {
|
||||
my ( $rate, $r2q ) = @_;
|
||||
$rate = rate_to_kbit $rate;
|
||||
int( ( $rate * 125 ) / $r2q );
|
||||
}
|
||||
|
||||
sub validate_tc_device( $$$$$ ) {
|
||||
my ( $device, $inband, $outband , $options , $redirected ) = @_;
|
||||
|
||||
my $devnumber;
|
||||
|
||||
if ( $device =~ /:/ ) {
|
||||
( my $number, $device, my $rest ) = split /:/, $device, 3;
|
||||
|
||||
fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
|
||||
|
||||
if ( defined $number ) {
|
||||
$devnumber = numeric_value( $number );
|
||||
fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
|
||||
fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
|
||||
$devnum = $devnumber if $devnumber > $devnum;
|
||||
} else {
|
||||
fatal_error "Missing interface NUMBER";
|
||||
}
|
||||
} else {
|
||||
$devnumber = ++$devnum;
|
||||
}
|
||||
|
||||
$devnums[ $devnumber ] = $device;
|
||||
|
||||
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
||||
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
|
||||
|
||||
my $classify = 0;
|
||||
|
||||
if ( $options ne '-' ) {
|
||||
for my $option ( split_list $options, 'option' ) {
|
||||
if ( $option eq 'classify' ) {
|
||||
$classify = 1;
|
||||
} else {
|
||||
fatal_error "Unknown device option ($option)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my @redirected = ();
|
||||
|
||||
@redirected = split_list( $redirected , 'device' ) if defined $redirected && $redirected ne '-';
|
||||
|
||||
if ( @redirected ) {
|
||||
fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
|
||||
$classify = 1;
|
||||
}
|
||||
|
||||
for my $rdevice ( @redirected ) {
|
||||
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
|
||||
my $rdevref = $tcdevices{$rdevice};
|
||||
fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
|
||||
fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
|
||||
}
|
||||
|
||||
$tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' ,
|
||||
out_bandwidth => rate_to_kbit( $outband ) . 'kbit' ,
|
||||
number => $devnumber,
|
||||
classify => $classify ,
|
||||
tablenumber => 1 ,
|
||||
redirected => \@redirected ,
|
||||
} ,
|
||||
|
||||
push @tcdevices, $device;
|
||||
|
||||
progress_message " Tcdevice \"$currentline\" $done.";
|
||||
}
|
||||
|
||||
sub convert_rate( $$$ ) {
|
||||
my ($full, $rate, $column) = @_;
|
||||
|
||||
if ( $rate =~ /\bfull\b/ ) {
|
||||
$rate =~ s/\bfull\b/$full/g;
|
||||
progress_message " Compiling $column $_[1]";
|
||||
fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]};
|
||||
no warnings;
|
||||
$rate = eval "int( $rate )";
|
||||
use warnings;
|
||||
fatal_error "Invalid $column ($_[1])" unless defined $rate;
|
||||
} else {
|
||||
$rate = rate_to_kbit $rate
|
||||
}
|
||||
|
||||
fatal_error "$column may not be zero" unless $rate;
|
||||
fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
|
||||
|
||||
$rate;
|
||||
}
|
||||
|
||||
sub dev_by_number( $ ) {
|
||||
my $dev = $_[0];
|
||||
my $devnum = numeric_value( $dev );
|
||||
my $devref;
|
||||
|
||||
if ( defined $devnum ) {
|
||||
$dev = $devnums[ $devnum ];
|
||||
fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev;
|
||||
$devref = $tcdevices{$dev};
|
||||
fatal_error "Internal Error in dev_by_number()" unless $devref;
|
||||
} else {
|
||||
$devref = $tcdevices{$dev};
|
||||
fatal_error "Unknown INTERFACE ($dev)" unless $devref;
|
||||
}
|
||||
|
||||
( $dev , $devref );
|
||||
|
||||
}
|
||||
|
||||
sub validate_tc_class( $$$$$$ ) {
|
||||
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_;
|
||||
|
||||
my %tosoptions = ( 'tos-minimize-delay' => 'tos=0x10/0x10' ,
|
||||
'tos-maximize-throughput' => 'tos=0x08/0x08' ,
|
||||
'tos-maximize-reliability' => 'tos=0x04/0x04' ,
|
||||
'tos-minimize-cost' => 'tos=0x02/0x02' ,
|
||||
'tos-normal-service' => 'tos=0x00/0x1e' );
|
||||
|
||||
my $classnumber = 0;
|
||||
my $devref;
|
||||
my $device = $devclass;
|
||||
|
||||
if ( $devclass =~ /:/ ) {
|
||||
( $device, my ($number, $rest ) ) = split /:/, $device, 3;
|
||||
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
|
||||
|
||||
( $device , $devref) = dev_by_number( $device );
|
||||
|
||||
if ( defined $number ) {
|
||||
if ( $devref->{classify} ) {
|
||||
$classnumber = numeric_value( $number );
|
||||
fatal_error "Invalid interface NUMBER ($number)" unless defined $classnumber && $classnumber;
|
||||
fatal_error "Duplicate interface/class number ($number)" if defined $devnums[ $classnumber ];
|
||||
} else {
|
||||
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option";
|
||||
}
|
||||
} else {
|
||||
fatal_error "Missing interface NUMBER";
|
||||
}
|
||||
} else {
|
||||
($device, $devref ) = dev_by_number( $device );
|
||||
fatal_error "Missing class NUMBER" if $devref->{classify};
|
||||
}
|
||||
|
||||
my $full = rate_to_kbit $devref->{out_bandwidth};
|
||||
|
||||
$tcclasses{$device} = {} unless $tcclasses{$device};
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
my $markval = 0;
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
if ( $devref->{classify} ) {
|
||||
warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
|
||||
} else {
|
||||
fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
|
||||
|
||||
$markval = numeric_value( $mark );
|
||||
fatal_error "Invalid MARK ($markval)" unless defined $markval;
|
||||
fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
|
||||
$classnumber = $devnum . $mark;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Missing MARK" unless $devref->{classify};
|
||||
fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
|
||||
}
|
||||
|
||||
$tcref->{$classnumber} = { tos => [] ,
|
||||
rate => convert_rate( $full, $rate, 'RATE' ) ,
|
||||
ceiling => convert_rate( $full, $ceil, 'CEIL' ) ,
|
||||
priority => $prio eq '-' ? 1 : $prio ,
|
||||
mark => $markval
|
||||
};
|
||||
|
||||
$tcref = $tcref->{$classnumber};
|
||||
|
||||
fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split_list "\L$options", 'option' ) {
|
||||
my $optval = $tosoptions{$option};
|
||||
|
||||
$option = $optval if $optval;
|
||||
|
||||
if ( $option eq 'default' ) {
|
||||
fatal_error "Only one default class may be specified for device $device" if $devref->{default};
|
||||
$devref->{default} = $classnumber;
|
||||
} elsif ( $option eq 'tcp-ack' ) {
|
||||
$tcref->{tcp_ack} = 1;
|
||||
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
|
||||
( undef, $option ) = split /=/, $option;
|
||||
push @{$tcref->{tos}}, "$option/0xff";
|
||||
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
|
||||
( undef, $option ) = split /=/, $option;
|
||||
push @{$tcref->{tos}}, $option;
|
||||
} else {
|
||||
fatal_error "Unknown option ($option)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
push @tcclasses, "$device:$classnumber";
|
||||
progress_message " Tcclass \"$currentline\" $done.";
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from the tcfilters file
|
||||
#
|
||||
sub process_tc_filter( $$$$$$ ) {
|
||||
my ($devclass , $source, $dest , $proto, $portlist , $sportlist ) = @_;
|
||||
|
||||
my ($device, $class, $rest ) = split /:/, $devclass, 3;
|
||||
|
||||
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
|
||||
|
||||
( $device , my $devref ) = dev_by_number( $device );
|
||||
|
||||
my $devnum = $devref->{number};
|
||||
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
|
||||
|
||||
$tcref = $tcref->{$class};
|
||||
|
||||
fatal_error "Unknown CLASS ($devclass)" unless $tcref;
|
||||
|
||||
my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32";
|
||||
|
||||
my ( $net , $mask ) = decompose_net( $source );
|
||||
|
||||
$rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000';
|
||||
|
||||
( $net , $mask ) = decompose_net( $dest );
|
||||
|
||||
$rule .= "\\\n match u32 $net $mask at 16" unless $mask eq '0x00000000';
|
||||
|
||||
my $protonumber = 0;
|
||||
|
||||
unless ( $proto eq '-' ) {
|
||||
$protonumber = resolve_proto $proto;
|
||||
fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
|
||||
|
||||
if ( $protonumber ) {
|
||||
my $pnumber = in_hex2 $protonumber;
|
||||
$rule .= "\\\n match u8 $pnumber 0xff at 9";
|
||||
}
|
||||
}
|
||||
|
||||
if ( $portlist eq '-' && $sportlist eq '-' ) {
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" flowid $devref->{number}:$class" ,
|
||||
'' );
|
||||
} else {
|
||||
our $lastrule;
|
||||
our $lasttnum;
|
||||
#
|
||||
# In order to be able to access the protocol header, we must create another hash table and link to it.
|
||||
#
|
||||
# Create the Table.
|
||||
#
|
||||
my $tnum;
|
||||
|
||||
if ( $lastrule eq $rule ) {
|
||||
#
|
||||
# The source, dest and protocol are the same as the last rule that specified a port
|
||||
# Use the same table
|
||||
#
|
||||
$tnum = $lasttnum
|
||||
} else {
|
||||
$tnum = in_hex3 $devref->{tablenumber}++;
|
||||
$lasttnum = $tnum;
|
||||
$lastrule = $rule;
|
||||
|
||||
emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip pref 10 handle $tnum: u32 divisor 1" );
|
||||
}
|
||||
#
|
||||
# And link to it using the current contents of $rule
|
||||
#
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
||||
#
|
||||
# The rule to match the port(s) will be inserted into the new table
|
||||
#
|
||||
$rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32 ht $tnum:0";
|
||||
|
||||
if ( $portlist eq '-' ) {
|
||||
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
|
||||
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
|
||||
|
||||
for my $sportrange ( split_list $sportlist , 'port list' ) {
|
||||
my @sportlist = expand_port_range $protonumber , $sportrange;
|
||||
|
||||
while ( @sportlist ) {
|
||||
my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
|
||||
" flowid $devref->{number}:$class" );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
|
||||
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
|
||||
|
||||
for my $portrange ( split_list $portlist, 'port list' ) {
|
||||
if ( $protonumber == ICMP ) {
|
||||
fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-';
|
||||
|
||||
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange );
|
||||
|
||||
$icmptype = in_hex2 numeric_value1 $icmptype;
|
||||
$icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode;
|
||||
|
||||
my $rule1 = " match u8 $icmptype 0xff at nexthdr+0";
|
||||
$rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode;
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
"$rule1\\" ,
|
||||
" flowid $devref->{number}:$class" );
|
||||
} else {
|
||||
my @portlist = expand_port_range $protonumber , $portrange;
|
||||
|
||||
while ( @portlist ) {
|
||||
my ( $port, $mask ) = ( shift @portlist, shift @portlist );
|
||||
|
||||
my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0";
|
||||
|
||||
if ( $sportlist eq '-' ) {
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
" $rule1\\" ,
|
||||
" flowid $devref->{number}:$class" );
|
||||
} else {
|
||||
for my $sportrange ( split_list $sportlist , 'port list' ) {
|
||||
my @sportlist = expand_port_range $protonumber , $sportrange;
|
||||
|
||||
while ( @sportlist ) {
|
||||
my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
|
||||
|
||||
emit( "\nrun_tc ${rule}\\",
|
||||
" $rule1\\" ,
|
||||
" match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
|
||||
" flowid $devref->{number}:$class" );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
progress_message " TC Filter \"$currentline\" $done";
|
||||
|
||||
$currentline =~ s/\s+/ /g;
|
||||
|
||||
save_progress_message_short qq(" TC Filter \"$currentline\" defined.");
|
||||
|
||||
emit '';
|
||||
|
||||
}
|
||||
|
||||
sub setup_traffic_shaping() {
|
||||
our $lastrule = '';
|
||||
|
||||
save_progress_message "Setting up Traffic Control...";
|
||||
|
||||
my $fn = open_file 'tcdevices';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $device, $inband, $outband, $options , $redirected ) = split_line 3, 5, 'tcdevices';
|
||||
|
||||
fatal_error "Invalid tcdevices entry" if $outband eq '-';
|
||||
validate_tc_device( $device, $inband, $outband , $options , $redirected );
|
||||
}
|
||||
}
|
||||
|
||||
$devnum = $devnum > 10 ? 10 : 1;
|
||||
|
||||
$fn = open_file 'tcclasses';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
|
||||
|
||||
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
||||
}
|
||||
}
|
||||
|
||||
for my $device ( @tcdevices ) {
|
||||
my $dev = chain_base( $device );
|
||||
my $devref = $tcdevices{$device};
|
||||
my $defmark = $devref->{default} || 0;
|
||||
my $devnum = $devref->{number};
|
||||
|
||||
emit "if interface_is_up $device; then";
|
||||
|
||||
push_indent;
|
||||
|
||||
emit ( "${dev}_exists=Yes",
|
||||
"qt tc qdisc del dev $device root",
|
||||
"qt tc qdisc del dev $device ingress",
|
||||
"run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
|
||||
"${dev}_mtu=\$(get_device_mtu $device)",
|
||||
"${dev}_mtu1=\$(get_device_mtu1 $device)",
|
||||
"run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1"
|
||||
);
|
||||
|
||||
my $inband = rate_to_kbit $devref->{in_bandwidth};
|
||||
|
||||
if ( $inband ) {
|
||||
emit ( "run_tc qdisc add dev $device handle ffff: ingress",
|
||||
"run_tc filter add dev $device parent ffff: protocol ip pref 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
|
||||
);
|
||||
}
|
||||
|
||||
for my $rdev ( @{$devref->{redirected}} ) {
|
||||
emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
|
||||
emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
|
||||
}
|
||||
|
||||
save_progress_message_short " TC Device $device defined.";
|
||||
|
||||
pop_indent;
|
||||
emit 'else';
|
||||
push_indent;
|
||||
|
||||
emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
|
||||
emit "${dev}_exists=";
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
my $lastdevice = '';
|
||||
|
||||
for my $class ( @tcclasses ) {
|
||||
my ( $device, $classnum ) = split /:/, $class;
|
||||
my $devref = $tcdevices{$device};
|
||||
my $tcref = $tcclasses{$device}{$classnum};
|
||||
my $mark = $tcref->{mark};
|
||||
my $devicenumber = $devref->{number};
|
||||
my $classid = join( '', $devicenumber, ':', $classnum);
|
||||
my $rate = "$tcref->{rate}kbit";
|
||||
my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
|
||||
my $dev = chain_base $device;
|
||||
|
||||
$classids{$classid}=$device;
|
||||
|
||||
if ( $lastdevice ne $device ) {
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
emit qq(if [ -n "\$${dev}_exists" ]; then);
|
||||
push_indent;
|
||||
$lastdevice = $device;
|
||||
}
|
||||
|
||||
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
|
||||
"run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum",
|
||||
"run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10"
|
||||
);
|
||||
#
|
||||
# add filters
|
||||
#
|
||||
emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify};
|
||||
#
|
||||
#options
|
||||
#
|
||||
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
|
||||
|
||||
for my $tospair ( @{$tcref->{tos}} ) {
|
||||
my ( $tos, $mask ) = split q(/), $tospair;
|
||||
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
|
||||
}
|
||||
|
||||
save_progress_message_short qq(" TC Class $class defined.");
|
||||
emit '';
|
||||
}
|
||||
|
||||
if ( $lastdevice ) {
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
$fn = open_file 'tcfilters';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file';
|
||||
|
||||
process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Process the tcrules file and setup traffic shaping
|
||||
#
|
||||
sub setup_tc() {
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
||||
ensure_mangle_chain 'tcpre';
|
||||
ensure_mangle_chain 'tcout';
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
ensure_mangle_chain 'tcfor';
|
||||
ensure_mangle_chain 'tcpost';
|
||||
}
|
||||
|
||||
my $mark_part = '';
|
||||
|
||||
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
||||
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
|
||||
|
||||
for my $interface ( @routemarked_interfaces ) {
|
||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
|
||||
add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcout";
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
add_rule $mangle_table->{FORWARD} , '-j tcfor';
|
||||
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
|
||||
}
|
||||
|
||||
if ( $config{HIGH_ROUTE_MARKS} ) {
|
||||
for my $chain qw(INPUT FORWARD POSTROUTING) {
|
||||
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( $globals{TC_SCRIPT} ) {
|
||||
save_progress_message 'Setting up Traffic Control...';
|
||||
append_file $globals{TC_SCRIPT};
|
||||
} elsif ( $config{TC_ENABLED} eq 'Internal' ) {
|
||||
setup_traffic_shaping;
|
||||
}
|
||||
|
||||
if ( $config{TC_ENABLED} ) {
|
||||
if ( my $fn = open_file 'tcrules' ) {
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
|
||||
|
||||
if ( $mark eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
}
|
||||
|
||||
for ( @deferred_rules ) {
|
||||
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
@ -1,299 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tunnels.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module handles the /etc/shorewall/tunnels file.
|
||||
#
|
||||
package Shorewall::Tunnels;
|
||||
require Exporter;
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tunnels );
|
||||
our @EXPORT_OK = ( );
|
||||
our $VERSION = 4.1.5;
|
||||
|
||||
#
|
||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||
#
|
||||
sub setup_tunnels() {
|
||||
|
||||
our $fw = firewall_zone;
|
||||
|
||||
sub setup_one_ipsec {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
|
||||
|
||||
( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
|
||||
|
||||
my $noah = 1;
|
||||
|
||||
fatal_error "Invalid IPSEC modifier ($qualifier:$remainder)" if defined $remainder;
|
||||
|
||||
if ( defined $qualifier ) {
|
||||
if ( $qualifier eq 'ah' ) {
|
||||
fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
|
||||
$noah = 0;
|
||||
} else {
|
||||
fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
|
||||
}
|
||||
}
|
||||
|
||||
my $options = '-m state --state NEW -j ACCEPT';
|
||||
|
||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
||||
unless ( $noah ) {
|
||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||
}
|
||||
|
||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||
|
||||
if ( $kind eq 'ipsec' ) {
|
||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||
} else {
|
||||
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
|
||||
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
|
||||
}
|
||||
|
||||
unless ( $gatewayzones eq '-' ) {
|
||||
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
||||
my $type = zone_type( $zone );
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport';
|
||||
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
||||
unless ( $noah ) {
|
||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||
}
|
||||
}
|
||||
|
||||
if ( $kind eq 'ipsec' ) {
|
||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||
} else {
|
||||
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
|
||||
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_one_other {
|
||||
my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
|
||||
|
||||
add_rule $inchainref , "-p $protocol $source -j ACCEPT";
|
||||
add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_pptp_client {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
||||
|
||||
add_rule $outchainref, "-p 47 $dest -j ACCEPT";
|
||||
add_rule $inchainref, "-p 47 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
||||
}
|
||||
|
||||
sub setup_pptp_server {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
||||
|
||||
add_rule $inchainref, "-p 47 $dest -j ACCEPT";
|
||||
add_rule $outchainref, "-p 47 $source -j ACCEPT";
|
||||
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
||||
}
|
||||
|
||||
sub setup_one_openvpn {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
my $protocol = 'udp';
|
||||
my $port = 1194;
|
||||
|
||||
( $kind, my ( $proto, $p, $remainder ) ) = split( /:/, $kind, 4 );
|
||||
|
||||
fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
|
||||
|
||||
if ( defined $p && $p ne '' ) {
|
||||
$port = $p;
|
||||
$protocol = $proto;
|
||||
} elsif ( defined $proto && $proto ne '' ) {
|
||||
if ( "\L$proto" =~ /udp|tcp/ ) {
|
||||
$protocol = $proto;
|
||||
} else {
|
||||
$port = $proto;
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
|
||||
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_one_openvpn_client {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
my $protocol = 'udp';
|
||||
my $port = 1194;
|
||||
|
||||
( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
|
||||
|
||||
fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
|
||||
|
||||
if ( defined $p && $p ne '' ) {
|
||||
$port = $p;
|
||||
$protocol = $proto;
|
||||
} elsif ( defined $proto && $proto ne '' ) {
|
||||
if ( "\L$proto" =~ /udp|tcp/ ) {
|
||||
$protocol = $proto;
|
||||
} else {
|
||||
$port = $proto;
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
|
||||
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_one_openvpn_server {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
my $protocol = 'udp';
|
||||
my $port = 1194;
|
||||
|
||||
( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
|
||||
|
||||
fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
|
||||
|
||||
if ( defined $p && $p ne '' ) {
|
||||
$port = $p;
|
||||
$protocol = $proto;
|
||||
} elsif ( defined $proto && $proto ne '' ) {
|
||||
if ( "\L$proto" =~ /udp|tcp/ ) {
|
||||
$protocol = $proto;
|
||||
} else {
|
||||
$port = $proto;
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
|
||||
add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_one_l2tp {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
|
||||
|
||||
add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
|
||||
add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_one_generic {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
my $protocol = 'udp';
|
||||
my $port = '--dport 5000';
|
||||
|
||||
if ( $kind =~ /.*:.*:.*/ ) {
|
||||
( $kind, $protocol, $port) = split /:/, $kind;
|
||||
$port = "--dport $port";
|
||||
} else {
|
||||
$port = '';
|
||||
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
|
||||
}
|
||||
|
||||
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
|
||||
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
|
||||
}
|
||||
|
||||
sub setup_one_tunnel($$$$) {
|
||||
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
||||
|
||||
my $zonetype = zone_type( $zone );
|
||||
|
||||
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport';
|
||||
|
||||
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
|
||||
$gateway = ALLIP if $gateway eq '-';
|
||||
|
||||
my $source = match_source_net $gateway;
|
||||
my $dest = match_dest_net $gateway;
|
||||
|
||||
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
||||
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
||||
'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
|
||||
'gre' => { function => \&setup_one_other, params => [ $source, $dest , 47 ] } ,
|
||||
'6to4' => { function => \&setup_one_other, params => [ $source, $dest , 41 ] } ,
|
||||
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, $source, $dest ] } ,
|
||||
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, $source, $dest ] } ,
|
||||
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, $source, $dest ] } ,
|
||||
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, $source, $dest ] } ,
|
||||
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, $source, $dest ] } ,
|
||||
'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, $source, $dest ] } ,
|
||||
'generic' => { function => \&setup_one_generic , params => [ $kind, $source, $dest ] } ,
|
||||
);
|
||||
|
||||
$kind = "\L$kind";
|
||||
|
||||
(my $type) = split /:/, $kind;
|
||||
|
||||
my $tunnelref = $tunneltypes{ $type };
|
||||
|
||||
fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
|
||||
|
||||
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
||||
|
||||
progress_message " Tunnel \"$currentline\" $done";
|
||||
}
|
||||
|
||||
#
|
||||
# Setup_Tunnels() Starts Here
|
||||
#
|
||||
my $fn = open_file 'tunnels';
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
|
||||
|
||||
if ( $kind eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
|
||||
}
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
1;
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user