Add ipset-friendly split function
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5652 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
199aa48ee3
commit
a64b9b86f4
@ -416,6 +416,31 @@ sub first_chains( $ ) #$1 = interface
|
|||||||
[ $c . '_fwd', $c . '_in' ];
|
[ $c . '_fwd', $c . '_in' ];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Split a source or destination list but keep [...] together.
|
||||||
|
#
|
||||||
|
sub mysplit( $ ) {
|
||||||
|
my @input = split /,/, $_[0];
|
||||||
|
my @result;
|
||||||
|
|
||||||
|
while ( @input ) {
|
||||||
|
my $element = shift @input;
|
||||||
|
|
||||||
|
if ( $element =~ /\[/ ) {
|
||||||
|
while ( ! ( $element =~ /\]/ ) ) {
|
||||||
|
last unless @input;
|
||||||
|
$element .= ( ',' . shift @input );
|
||||||
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid List $_[0]" unless substr( $element, -1, 1 ) eq ']';
|
||||||
|
}
|
||||||
|
|
||||||
|
push @result, $element;
|
||||||
|
}
|
||||||
|
|
||||||
|
@result;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create a new chain and return a reference to it.
|
# Create a new chain and return a reference to it.
|
||||||
#
|
#
|
||||||
@ -1135,7 +1160,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( ! $onets ) {
|
if ( ! $onets ) {
|
||||||
my @oexcl = split /,/, $oexcl;
|
my @oexcl = mysplit $oexcl;
|
||||||
if ( @oexcl == 1 ) {
|
if ( @oexcl == 1 ) {
|
||||||
$rule .= "-m conntrack --ctorigdst ! $oexcl ";
|
$rule .= "-m conntrack --ctorigdst ! $oexcl ";
|
||||||
$oexcl = '';
|
$oexcl = '';
|
||||||
@ -1158,7 +1183,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( ! $inets ) {
|
if ( ! $inets ) {
|
||||||
my @iexcl = split /,/, $iexcl;
|
my @iexcl = mysplit $iexcl;
|
||||||
if ( @iexcl == 1 ) {
|
if ( @iexcl == 1 ) {
|
||||||
$rule .= match_source_net "!$iexcl ";
|
$rule .= match_source_net "!$iexcl ";
|
||||||
$iexcl = '';
|
$iexcl = '';
|
||||||
@ -1180,7 +1205,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( ! $dnets ) {
|
if ( ! $dnets ) {
|
||||||
my @dexcl = split /,/, $dexcl;
|
my @dexcl = mysplit $dexcl;
|
||||||
if ( @dexcl == 1 ) {
|
if ( @dexcl == 1 ) {
|
||||||
$rule .= match_dest_net "!$dexcl ";
|
$rule .= match_dest_net "!$dexcl ";
|
||||||
$dexcl = '';
|
$dexcl = '';
|
||||||
@ -1203,11 +1228,11 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
# Use the current rule and sent all possible matches to the exclusion chain
|
# Use the current rule and sent all possible matches to the exclusion chain
|
||||||
#
|
#
|
||||||
for my $onet ( split /,/, $onets ) {
|
for my $onet ( mysplit $onets ) {
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
for my $inet ( split /,/, $inets ) {
|
for my $inet ( mysplit $inets ) {
|
||||||
$inet = match_source_net $inet;
|
$inet = match_source_net $inet;
|
||||||
for my $dnet ( split /,/, $dnets ) {
|
for my $dnet ( mysplit $dnets ) {
|
||||||
add_rule $chainref, $rule . $inet . ( match_dest_net $dnet ) . $onet . "-j $echain";
|
add_rule $chainref, $rule . $inet . ( match_dest_net $dnet ) . $onet . "-j $echain";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1227,15 +1252,15 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
# Generate RETURNs for each exclusion
|
# Generate RETURNs for each exclusion
|
||||||
#
|
#
|
||||||
for my $net ( split ',', $iexcl ) {
|
for my $net ( mysplit $iexcl ) {
|
||||||
add_rule $echainref, ( match_source_net $net ) . '-j RETURN';
|
add_rule $echainref, ( match_source_net $net ) . '-j RETURN';
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $net ( split ',', $dexcl ) {
|
for my $net ( mysplit $dexcl ) {
|
||||||
add_rule $echainref, ( match_dest_net $net ) . '-j RETURN';
|
add_rule $echainref, ( match_dest_net $net ) . '-j RETURN';
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $net ( split ',', $oexcl ) {
|
for my $net ( mysplit $oexcl ) {
|
||||||
add_rule $echainref, ( match_orig_dest $net ) . '-j RETURN';
|
add_rule $echainref, ( match_orig_dest $net ) . '-j RETURN';
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -1250,11 +1275,11 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
# No exclusions
|
# No exclusions
|
||||||
#
|
#
|
||||||
for my $onet ( split /,/, $onets ) {
|
for my $onet ( mysplit $onets ) {
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
for my $inet ( split /,/, $inets ) {
|
for my $inet ( mysplit $inets ) {
|
||||||
$inet = match_source_net $inet;
|
$inet = match_source_net $inet;
|
||||||
for my $dnet ( split /,/, $dnets ) {
|
for my $dnet ( mysplit $dnets ) {
|
||||||
log_rule_limit $loglevel , $chainref , $chain, $disposition , '' , $logtag , 'add' , $rule . $inet . match_dest_net( $dnet ) . $onet if $loglevel;
|
log_rule_limit $loglevel , $chainref , $chain, $disposition , '' , $logtag , 'add' , $rule . $inet . match_dest_net( $dnet ) . $onet if $loglevel;
|
||||||
add_rule $chainref, $rule . $inet . match_dest_net( $dnet ) . $onet . $target unless $disposition eq 'LOG';
|
add_rule $chainref, $rule . $inet . match_dest_net( $dnet ) . $onet . $target unless $disposition eq 'LOG';
|
||||||
}
|
}
|
||||||
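Review bot: The `]` check in `mysplit` in the first hunk tests only the last character of the assembled element, so a list whose bracketed element contains a second `[` (say `[a,[b],c]`) is accepted as `[a,[b]` followed by `c]`, and a lone `]` in an element that has no `[` is never checked at all. If nested brackets are not part of the list syntax, the inner loop could gather until the brackets balance, `while ( ( $element =~ tr/[// ) > ( $element =~ tr/]// ) ) {`, and the validation could move after the `if` so it runs for every element: `fatal_error "Invalid List $_[0]" if ( $element =~ tr/[// ) != ( $element =~ tr/]// ) || ( $element =~ /\]/ && substr( $element, -1, 1 ) ne ']' );`. Whether any existing list relies on a bare `]` being passed through is not visible here, so confirm against the documented list syntax before tightening. The header comment could also state the failure mode, e.g. `# Calls fatal_error if a bracketed element is not terminated by ']'.`. The remaining hunks only replace `split` with `mysplit` and raise nothing further.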
|