Delete trailing whitespace

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5860 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-04-08 14:42:26 +00:00
parent d19dac49d0
commit c35af63298
20 changed files with 219 additions and 219 deletions


@ -94,7 +94,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
'' ;
if ( $rule2 ) {
expand_rule
expand_rule
$jumpchainref ,
NO_RESTRICT ,
$rule ,
@ -119,10 +119,10 @@ sub setup_accounting() {
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 1, 8, 'Accounting File';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
$first_entry = 0;
}
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
}


@ -32,18 +32,18 @@ use Shorewall::Macros;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( merge_levels
our @EXPORT = qw( merge_levels
isolate_basic_target
add_requiredby
add_requiredby
createlogactionchain
createactionchain
createactionchain
find_logactionchain
process_actions1
process_actions2
process_actions3
%usedactions
%default_actions
%usedactions
%default_actions
%actions
);
our @EXPORT_OK = qw( );
@ -100,7 +100,7 @@ sub merge_levels ($$) {
return "$target:$level:$tag" if $level =~ /!$/;
return $subordinate if $subparts >= 2;
return "$target:$level";
}
}
if ( @supparts == 2 ) {
return "$target:none!" if $level eq 'none!';
@ -152,7 +152,7 @@ sub add_requiredby ( $$ ) {
# action chain name is 2-3 characters longer than the base chain name,
# this function truncates the original chain name where necessary before
# it adds the leading "%" and trailing sequence number.
#
#
sub createlogactionchain( $$ ) {
my ( $action, $level ) = @_;
my $chain = $action;
@ -243,7 +243,7 @@ sub process_actions1() {
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
new_action $act;
}
for my $file ( qw/actions.std actions/ ) {
open_file $file;
@ -311,7 +311,7 @@ sub process_actions1() {
$targettype = 0 unless defined $targettype;
fatal_error "Invalid target ($mtarget)"
fatal_error "Invalid target ($mtarget)"
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
}
@ -329,8 +329,8 @@ sub process_actions1() {
}
}
sub process_actions2 () {
progress_message2 'Generating Transitive Closure of Used-action List...';
sub process_actions2 () {
progress_message2 'Generating Transitive Closure of Used-action List...';
my $changed = 1;
@ -367,7 +367,7 @@ sub process_action3( $$$$$ ) {
expand_rule ( $chainref ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
$source ,
$dest ,
'', #Original Dest
@ -379,9 +379,9 @@ sub process_action3( $$$$$ ) {
my $actionfile = find_file "action.$action";
my $standard = ( $actionfile =~ /^$globals{SHAREDIR}/ );
fatal_error "Missing Action File: $actionfile" unless -f $actionfile;
progress_message2 "Processing $actionfile for chain $chainref->{name}...";
open_file $actionfile;
@ -474,7 +474,7 @@ sub process_action3( $$$$$ ) {
} else {
process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
}
}
}
$comment = '';
@ -511,28 +511,28 @@ sub process_actions3 () {
sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP';
}
sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT';
}
sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT';
}
sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
}
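Review bot: `dropInvalid` ends with `add_rule $chainref , '-m state --state INVALID -j REJECT';` although its name and the `'DROP'` disposition it passes to `log_rule_limit` on the preceding line both say DROP, so the action sends a reject packet to the peer while the log entry claims the packet was dropped; the sibling `dropNotSyn` is consistent and uses `-j DROP`. The mismatch is visible in the last hunk of this section and is not touched by the whitespace cleanup. Change the line to `add_rule $chainref , '-m state --state INVALID -j DROP';`, which also matches what `allowInvalid` does for its own disposition.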


@ -101,14 +101,14 @@ our @EXPORT = qw( STANDARD
get_interface_addresses
create_netfilter_load
@policy_chains
%chain_table
$nat_table
$mangle_table
@policy_chains
%chain_table
$nat_table
$mangle_table
$filter_table
$section
%sections
$comment
$comment
%targets
);
our @EXPORT_OK = ();
@ -123,7 +123,7 @@ our @VERSION = 1.00;
# table => <table name>
# is_policy => 0|1
# is_optionsl => 0|1
# referenced => 0|1
# referenced => 0|1
# policy => <policy>
# loglevel => <level>
# synparams => <burst/limit>
@ -143,10 +143,10 @@ our @VERSION = 1.00;
#
# Only 'referenced' chains get written to the iptables-restore output.
#
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
#
our @policy_chains;
our %chain_table = ( raw => {} ,
our %chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
@ -243,7 +243,7 @@ my $chainseq;
#
# Count of the number of unclosed loops in generated shell code. We insert shell code
# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
# emits that code inline for execution at run-time.
#
my $loopcount = 0;
@ -300,7 +300,7 @@ sub insert_rule($$$)
}
#
# Form the name of a chain.
# Form the name of a chain.
#
sub chain_base($) {
my $chain = $_[0];
@ -547,7 +547,7 @@ sub initialize_chain_table()
}
#
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
@ -562,7 +562,7 @@ sub finish_chain_section ($$) {
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
}
} else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
@ -579,7 +579,7 @@ sub finish_chain_section ($$) {
#
# Do section-end processing
#
#
sub finish_section ( $ ) {
my $sections = $_[0];
@ -620,7 +620,7 @@ sub do_proto( $$$ )
$output = "-p $proto ";
if ( $ports ) {
my @ports = split /,/, $ports;
my $count = @ports;
my $count = @ports;
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
@ -629,7 +629,7 @@ sub do_proto( $$$ )
if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
$count++;
}
}
}
fatal_error "Too many entries in port list: $ports" if $count > 15;
@ -642,7 +642,7 @@ sub do_proto( $$$ )
if ( $sports ) {
my @ports = split /,/, $sports;
my $count = @ports;
my $count = @ports;
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
@ -683,7 +683,7 @@ sub mac_match( $ ) {
my $mac = $_[0];
$mac =~ s/^(!?)~//;
$mac =~ s/^!// if my $invert = ( $1 ? '! ' : '');
$mac =~ s/^!// if my $invert = ( $1 ? '! ' : '');
$mac =~ s/-/:/g;
"--match mac --mac-source ${invert}$mac ";
@ -705,7 +705,7 @@ sub verify_mark( $ ) {
my $mark = $_[0];
my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF;
fatal_error "Invalid Mark or Mask value: $mark"
fatal_error "Invalid Mark or Mask value: $mark"
unless numeric_value( $mark ) <= $limit;
}
@ -837,7 +837,7 @@ sub get_set_flags( $$ ) {
#
sub match_source_net( $ ) {
my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
iprange_match . "${invert}--src-range $net ";
@ -883,7 +883,7 @@ sub match_orig_dest ( $ ) {
return '' if $net eq ALLIPv4;
return '' unless $capabilities{CONNTRACK_MATCH};
if ( $net =~ /^!/ ) {
$net =~ s/!//;
"-m conntrack --ctorigdst ! $net ";
@ -904,13 +904,13 @@ sub match_ipsec_in( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else {
'';
}
}
#
# Match Dest IPSEC
#
@ -922,7 +922,7 @@ sub match_ipsec_out( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else {
'';
@ -1023,11 +1023,11 @@ sub interface_address( $ ) {
}
#
# Record that the ruleset requires the first IP address on the passed interface
# Record that the ruleset requires the first IP address on the passed interface
#
sub get_interface_address ( $ ) {
my ( $interface ) = $_[0];
my $variable = interface_address( $interface );
$interfaceaddr{$interface} = "$variable=\$(find_first_interface_address $interface)";
@ -1043,11 +1043,11 @@ sub interface_addresses( $ ) {
}
#
# Record that the ruleset requires the IP addresses on the passed interface
# Record that the ruleset requires the IP addresses on the passed interface
#
sub get_interface_addresses ( $ ) {
my ( $interface ) = $_[0];
my $variable = interface_addresses( $interface );
$interfaceaddr{$interface} = qq($variable=\$(get_interface_addresses $interface)
@ -1065,7 +1065,7 @@ sub interface_nets( $ ) {
}
#
# Record that the ruleset requires the first IP address on the passed interface
# Record that the ruleset requires the first IP address on the passed interface
#
sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0];
@ -1077,12 +1077,12 @@ sub get_interface_nets ( $ ) {
);
"\$$variable";
}
#
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
#
#
sub expand_rule( $$$$$$$$$$ )
{
my ($chainref , $restriction, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_;
@ -1135,11 +1135,11 @@ sub expand_rule( $$$$$$$$$$ )
$rule .= '-s $source ';
#
# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
#
$loopcount++;
} else {
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
if $restriction & OUTPUT_RESTRICT;
$rule .= "-i $iiface ";
}
@ -1229,7 +1229,7 @@ sub expand_rule( $$$$$$$$$$ )
} else {
get_interface_address $interfaces[0];
$rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
}
}
$origdest = '';
} else {
@ -1324,7 +1324,7 @@ sub expand_rule( $$$$$$$$$$ )
}
#
# The final rule in the exclusion chain will not qualify the source or destination
# The final rule in the exclusion chain will not qualify the source or destination
#
$inets = ALLIPv4;
$dnets = ALLIPv4;
@ -1354,7 +1354,7 @@ sub expand_rule( $$$$$$$$$$ )
log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel;
#
# Generate Final Rule
#
#
add_rule $echainref, $exceptionrule . $target unless $disposition eq 'LOG';
} else {
#
@ -1366,20 +1366,20 @@ sub expand_rule( $$$$$$$$$$ )
$inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) {
if ( $loglevel ) {
log_rule_limit
$loglevel ,
$chainref ,
$chain,
$disposition ,
'' ,
$logtag ,
'add' ,
log_rule_limit
$loglevel ,
$chainref ,
$chain,
$disposition ,
'' ,
$logtag ,
'add' ,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet );
}
unless ( $disposition eq 'LOG' ) {
add_rule
$chainref,
add_rule
$chainref,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target );
}
}


@ -101,7 +101,7 @@ sub fatal_error
#
# Write the argument to the object file (if any) with the current indentation.
#
#
# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
#
sub emit ( $ ) {


@ -29,7 +29,7 @@ use Shorewall::Common;
our @ISA = qw(Exporter);
our @EXPORT = qw(
warning_message
warning_message
fatal_error
find_file
split_line
@ -65,7 +65,7 @@ our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
#
# From shorewall.conf file
#
our %config =
our %config =
( STARTUP_ENABLED => undef,
VERBOSITY => undef,
#
@ -159,7 +159,7 @@ my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
#
# From parsing the capabilities file
#
our %capabilities =
our %capabilities =
( NAT_ENABLED => undef,
MANGLE_ENABLED => undef,
MULTIPORT => undef,
@ -237,7 +237,7 @@ my $currentlinenumber = 0;
#
# Issue a Warning Message
#
sub warning_message
sub warning_message
{
my $lineinfo = $currentfile ? " : $currentfilename ( line $currentlinenumber )" : '';
@ -255,7 +255,7 @@ sub fatal_error {
#
# Search the CONFIG_PATH for the passed file
#
sub find_file($)
sub find_file($)
{
my $filename=$_[0];
@ -320,14 +320,14 @@ sub open_file( $ ) {
}
#
# This function is normally called below in read_a_line() when EOF is reached. Clients of the
# This function is normally called below in read_a_line() when EOF is reached. Clients of the
# module may also call the function to close the file before EOF
#
sub close_file() {
if ( $currentfile ) {
close $currentfile;
my $arrayref = pop @includestack;
if ( $arrayref ) {
@ -363,7 +363,7 @@ sub pop_open() {
} else {
$currentfile = undef;
}
}
}
#
# Read a line from the current include stack.
@ -397,7 +397,7 @@ sub read_a_line {
#
# Ignore ( concatenated ) Blank Lines
#
if ( $line =~ /^\s*$/ ) {
if ( $line =~ /^\s*$/ ) {
$line = '';
next;
}
@ -410,18 +410,18 @@ sub read_a_line {
#
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\${([a-zA-Z]\w*)}(.*)$/;
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/;
if ( $line =~ /^INCLUDE\s/ ) {
my @line = split /\s+/, $line;
fatal_error "Invalid INCLUDE command: $line" if @line != 2;
fatal_error "INCLUDEs nested too deeply: $line" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
@ -433,7 +433,7 @@ sub read_a_line {
return 1;
}
}
close_file;
}
}
@ -500,7 +500,7 @@ sub load_kernel_modules( ) {
if ( @moduledirectories && open_file 'modules' ) {
my %loadedmodules;
progress_message "Loading Modules...";
open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@ -509,7 +509,7 @@ sub load_kernel_modules( ) {
my $module = ( split( /\s+/, $line ) )[0];
$loadedmodules{$module} = 1 unless $module eq 'Module'
}
close LSMOD;
$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
@ -536,7 +536,7 @@ sub load_kernel_modules( ) {
}
}
}
}
}
}
#
@ -550,14 +550,14 @@ sub qt( $ ) {
# Determine which optional facilities are supported by iptables/netfilter
#
sub determine_capabilities() {
my $iptables = $config{IPTABLES};
$capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" );
$capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" );
qt( "$iptables -N fooX1234" );
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
$capabilities{MULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT" );
$capabilities{XMULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT" );
@ -578,7 +578,7 @@ sub determine_capabilities() {
$capabilities{CONNMARK_MATCH} = 1;
$capabilities{XCONNMARK_MATCH} = qt( "$iptables -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT" );
}
$capabilities{IPP2P_MATCH} = qt( "$iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT" );
$capabilities{LENGTH_MATCH} = qt( "$iptables -A fooX1234 -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt( "$iptables -A fooX1234 -j REJECT --reject-with icmp-host-prohibited" );
@ -624,7 +624,7 @@ sub determine_capabilities() {
qt( "$iptables -F fooX1234" );
qt( "$iptables -X fooX1234" );
}
}
sub require_capability( $$ ) {
my ( $capability, $description ) = @_;
@ -642,10 +642,10 @@ sub ensure_config_path( $ ) {
my $f = "$globals{SHAREDIR}/configpath";
$ENV{CONFDIR} = $export ? '/usr/share/shorewall/configfiles/' : '/etc/shorewall/';
unless ( $config{CONFIG_PATH} ) {
fatal_error "$f does not exist" unless -f $f;
open_file $f;
while ( read_a_line ) {
@ -656,7 +656,7 @@ sub ensure_config_path( $ ) {
fatal_error "Unrecognized entry";
}
}
fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
}
@ -722,7 +722,7 @@ sub get_configuration( $ ) {
}
load_kernel_modules;
unless ( open_file 'capabilities' ) {
determine_capabilities;
}
@ -759,7 +759,7 @@ sub get_configuration( $ ) {
}
if ( $config{IP_FORWARDING} ) {
fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING"
fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING"
unless $config{IP_FORWARDING} =~ /^(On|Off|Keep)$/i;
} else {
$config{IP_FORWARDING} = 'On';
@ -845,7 +845,7 @@ sub get_configuration( $ ) {
} else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
}
} else {
} else {
default 'MACLIST_TABLE' , 'filter';
}


@ -36,7 +36,7 @@ our @EXPORT_OK = ();
our @VERSION = 1.00;
#
# Validates the hosts file. Generates entries in %zone{..}{hosts}
# Validates the hosts file. Generates entries in %zone{..}{hosts}
#
sub validate_hosts_file()
{
@ -113,8 +113,8 @@ sub validate_hosts_file()
$capabilities{POLICY_MATCH} = '' unless $ipsec or $zones{ipsec};
}
#
# Returns a reference to a array of host entries. Each entry is a
# reference to an array containing ( interface , group type {ipsec|none} , network );
# Returns a reference to a array of host entries. Each entry is a
# reference to an array containing ( interface , group type {ipsec|none} , network );
#
sub find_hosts_by_option( $ ) {
my $option = $_[0];


@ -29,7 +29,7 @@ use Shorewall::Config;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw(
our @EXPORT = qw(
ip_range_explicit
);
our @EXPORT_OK = qw( );


@ -30,9 +30,9 @@ use Shorewall::Zones;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( add_group_to_zone
our @EXPORT = qw( add_group_to_zone
validate_interfaces_file
known_interface
known_interface
find_interfaces_by_option
get_interface_option
@ -113,7 +113,7 @@ sub add_group_to_zone($$$$$)
#
# Parse the interfaces file.
#
sub validate_interfaces_file()
{
my %validoptions = (arp_filter => 1,
@ -143,7 +143,7 @@ sub validate_interfaces_file()
my $zoneref;
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
$first_entry = 0;
}


@ -32,9 +32,9 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( find_macro
split_action
substitute_action
merge_macro_source_dest
split_action
substitute_action
merge_macro_source_dest
merge_macro_column
%macros );
@ -61,7 +61,7 @@ sub find_macro( $ )
}
#
# Return ( action, level[:tag] ) from passed full action
# Return ( action, level[:tag] ) from passed full action
#
sub split_action ( $ ) {
my $action = $_[0];


@ -42,7 +42,7 @@ my %addresses_to_add;
#
# Handle IPSEC Options in a masq record
#
sub do_ipsec_options($)
sub do_ipsec_options($)
{
my %validoptions = ( strict => NOTHING,
next => NOTHING,
@ -143,7 +143,7 @@ sub setup_one_masq($$$$$$)
$fullinterface = $one;
$destnets = $two;
}
}
}
#
# Isolate and verify the interface part
@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$)
#
# Process the masq file
#
sub setup_masq()
sub setup_masq()
{
my $first_entry = 1;
@ -247,7 +247,7 @@ sub setup_masq()
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 2, 6, 'masq file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
$first_entry = 0;
}
@ -361,7 +361,7 @@ sub setup_nat() {
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 3, 5, 'nat file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
$first_entry = 0;
}
@ -396,7 +396,7 @@ sub setup_netmap() {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
$first_entry = 0;
}


@ -44,7 +44,7 @@ sub new_policy_chain($$$)
{
my ($chain, $policy, $optional) = @_;
my $chainref = new_chain 'filter', $chain;
my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
@ -75,11 +75,11 @@ sub validate_policy()
sub print_policy($$$$)
{
my ( $source, $dest, $policy , $chain ) = @_;
progress_message " Policy for $source to $dest is $policy using chain $chain"
progress_message " Policy for $source to $dest is $policy using chain $chain"
unless ( $source eq $dest ) || ( $source eq 'all' ) || ( $dest eq 'all' );
}
my %validpolicies = (
my %validpolicies = (
ACCEPT => undef,
REJECT => undef,
DROP => undef,


@ -315,7 +315,7 @@ sub setup_providers() {
if ( $source eq '-' ) {
$source = '';
} elsif ( $source =~ /:/ ) {
} elsif ( $source =~ /:/ ) {
( my $interface, $source ) = split /:/, $source;
$source = "iif $interface from $source";
} elsif ( $source =~ /\..*\..*/ ) {
@ -364,12 +364,12 @@ sub setup_providers() {
'# Initialize the file that holds \'undo\' commands',
'#',
'> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE=';
}
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@ -434,7 +434,7 @@ sub setup_providers() {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority );
@ -444,7 +444,7 @@ sub setup_providers() {
emit "\nrun_ip route flush cache";
pop_indent;
emit "fi\n";
setup_route_marking if @routemarked_interfaces;
} else {
emit "\nundo_routing";


@ -30,7 +30,7 @@ use Shorewall::Interfaces;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw(
our @EXPORT = qw(
setup_proxy_arp
dump_proxy_arp
);
@ -99,7 +99,7 @@ sub setup_proxy_arp() {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
$set{$interface} = 1;
$reset{$external} = 1 unless $set{$external};


@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( process_tos
setup_ecn
add_common_rules
add_common_rules
setup_mac_lists
process_criticalhosts
process_routestopped
@ -68,7 +68,7 @@ sub process_tos() {
my $first_entry = 1;
my ( $pretosref, $outtosref );
while ( read_a_line ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 6, 'tos file';
@ -99,7 +99,7 @@ sub process_tos() {
$dst =~ s/^all:?//;
expand_rule
expand_rule
$chainref ,
$restriction ,
do_proto( $proto, $ports, $sports ) ,
@ -158,7 +158,7 @@ sub setup_ecn()
for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
} else {
@ -295,7 +295,7 @@ sub setup_blacklist() {
$first_entry = 0;
}
expand_rule(
expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
@ -306,7 +306,7 @@ sub setup_blacklist() {
'' ,
$disposition ,
'' );
progress_message " \"$line\" added to blacklist";
}
}
@ -319,11 +319,11 @@ sub setup_blacklist() {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
}
progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
@ -360,7 +360,7 @@ sub process_criticalhosts() {
for my $option (split /,/, $options ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) {
if ( $option eq 'critical' ) {
push @critical, @hosts;
push @critical, @hosts;
} else {
warning_message "Unknown routestopped option ( $option ) ignored";
}
@ -498,7 +498,7 @@ sub add_common_rules() {
if ( $capabilities{ADDRTYPE} ) {
$chainref = new_standard_chain 'smurfs';
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
add_rule_pair $chainref, '-m addrtype --src-type MULTICAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
@ -603,7 +603,7 @@ sub add_common_rules() {
}
}
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
@ -752,7 +752,7 @@ sub setup_mac_lists( $ ) {
add_command $chainref, " ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do";
add_command $chainref, ' address=${address%/*}';
add_command $chainref, ' if [ -n "$broadcast" ]; then';
add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3';
add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3';
add_command $chainref, ' fi';
add_command $chainref, '';
add_command $chainref, ' echo "-A $chain -s $address -d 255.255.255.255 -j RETURN" >&3';
@ -874,15 +874,15 @@ sub process_rule1 ( $$$$$$$$$ ) {
#
process_macro
$macros{$basictarget},
$target ,
$param ,
$source,
$dest,
$proto,
$ports,
$sports,
$origdest,
$ratelimit,
$target ,
$param ,
$source,
$dest,
$proto,
$ports,
$sports,
$origdest,
$ratelimit,
$user;
return;
}
@ -935,7 +935,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
$dest = ALLIPv4;
}
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
my $restriction = NO_RESTRICT;
@ -1031,7 +1031,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
'' ,
$target ,
$loglevel ,
$action ,
$action ,
$serverport ? do_proto( $proto, '', '' ) : '';
#
# After NAT:
@ -1180,12 +1180,12 @@ sub process_rule ( $$$$$$$$$ ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
}
}
}
}
} else {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
}
}
}
} elsif ( $dest eq 'all' ) {
for my $zone1 ( @zones ) {
@ -1258,7 +1258,7 @@ sub process_rules() {
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
#
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
#
#
sub generate_matrix() {
#
# Helper functions for generate_matrix()
@ -1377,7 +1377,7 @@ sub generate_matrix() {
my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule
find_chainref( 'filter' , forward_chain $interface ) ,
find_chainref( 'filter' , forward_chain $interface ) ,
match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" );
}
}
@ -1393,11 +1393,11 @@ sub generate_matrix() {
my $source_hosts_ref = $zoneref->{hosts};
my $chain1 = rules_target $firewall_zone , $zone;
my $chain2 = rules_target $zone, $firewall_zone;
my $complex = $zoneref->{options}{complex} || 0;
my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type};
my $exclusions = $zoneref->{exclusions};
my $need_broadcast = {}; ### Fixme ###
my $frwd_ref = 0;
my $frwd_ref = 0;
my $chain = 0;
if ( $complex ) {
@ -1421,7 +1421,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) {
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
my $source = match_source_net $net;
my $dest = match_dest_net $net;
@ -1568,7 +1568,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) {
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" );
}
@ -1588,11 +1588,11 @@ sub generate_matrix() {
for my $interface1 ( keys %$type1ref ) {
my $array1ref = $type1ref->{$interface1};
for my $host1ref ( @$array1ref ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
add_rule
$chain3ref ,
add_rule
$chain3ref ,
join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" );
}
}
@ -1654,8 +1654,8 @@ sub generate_matrix() {
if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ {
for my $chain ( @{$builtins{$table}} ) {
log_rule_limit
$config{LOGALLNEW} ,
log_rule_limit
$config{LOGALLNEW} ,
$chain_table{$table}{$chain} ,
$table ,
$chain ,
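Review bot: In the `@ -1377` hunk of `generate_matrix()` the rule text is built as `match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" )`, which as printed hands the whole joined string to `match_source_net` instead of only `$net`, and `"$frwd_ref->n{name}"` does not interpolate as a hash dereference in a double-quoted string (only `->{` and `->[` continue interpolation), so the generated rule would carry a stringified reference rather than the chain name. Both problems sit on a context line the whitespace cleanup leaves alone; if the printed text is faithful, the call should read `join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )`, matching how `match_dest_net($net)` is composed in the later hunks of this section. The enclosing function starts and ends outside the hunk.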


@ -53,7 +53,7 @@ my %tcs = ( t => { chain => 'tcpost',
} ,
c => { target => 'CONNMARK --set-mark' ,
connmark => 1 ,
fw => 1
fw => 1
} ,
p => { chain => 'tcpre' ,
connmark => 0 ,
@ -89,7 +89,7 @@ my %tcs = ( t => { chain => 'tcpost',
use constant { NOMARK => 0 ,
SMALLMARK => 1 ,
HIGHMARK => 2
HIGHMARK => 2
};
my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
@ -105,7 +105,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' },
target => 'RETURN' ,
mark => NOMARK ,
mask => ''
mask => ''
} ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' ,
@ -114,7 +114,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark ' ,
mark => HIGHMARK ,
mask => ''
mask => ''
}
);
@ -200,11 +200,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
validate_mark $mark;
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) < 0xFF && $config{HIGH_ROUTE_MARKS};
}
expand_rule
expand_rule
ensure_chain( 'mangle' , $chain ) ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
@ -227,7 +227,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
#
# %tcdevices { <interface> -> {in_bandwidth => <value> ,
# out_bandwidth => <value>
# number => <ordinal>
# number => <ordinal>
# default => <default class mark value> }
#
my @tcdevices;
@ -419,7 +419,7 @@ sub setup_traffic_shaping() {
);
}
$devref->{number} = $devnum++;
$devref->{number} = $devnum++;
save_progress_message_short " TC Device $device defined.";
@ -494,7 +494,7 @@ sub setup_traffic_shaping() {
#
sub setup_tc() {
my $first_entry = 1;
my $first_entry = 1;
if ( $capabilities{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
@ -508,15 +508,15 @@ sub setup_tc() {
if ( my $fn = open_file 'tcrules' ) {
while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 2, 10, 'tcrules file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
$first_entry = 0;
}
if ( $mark eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@ -527,7 +527,7 @@ sub setup_tc() {
} else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
}
}
$comment = '';


@ -51,12 +51,12 @@ sub setup_tunnels() {
my $options = '-m $state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
add_rule $outchainref, "-p udp $dest --dport 500 $options";
@ -240,7 +240,7 @@ sub setup_tunnels() {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 2, 4, 'tunnels file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
$first_entry = 0;
}


@ -39,9 +39,9 @@ our @EXPORT = qw( NOTHING
zone_report
dump_zone_contents
@zones
@zones
%zones
$firewall_zone
$firewall_zone
%interfaces );
our @EXPORT_OK = ();
@ -58,7 +58,7 @@ use constant { NOTHING => 'NOTHING',
};
#
# Zone Table.
# Zone Table.
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
#
@ -66,7 +66,7 @@ use constant { NOTHING => 'NOTHING',
# options => { complex => 0|1
# in_out => < policy match string >
# in => < policy match string >
# out => < policy match string >
# out => < policy match string >
# }
# parents => [ <parents> ] Parents, Children and interfaces are listed by name
# children => [ <children> ]
@ -86,7 +86,7 @@ use constant { NOTHING => 'NOTHING',
#
# $firewall_zone names the firewall zone.
#
our @zones;
our @zones;
our %zones;
our $firewall_zone;
@ -170,7 +170,7 @@ sub parse_zone_option_list($)
$h{ipsec} = $options ? "$options " : '';
\%h;
\%h;
}
#
@ -191,7 +191,7 @@ sub determine_zones()
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
progress_message2 "$doing $fn...";
$first_entry = 0;
}
@ -266,7 +266,7 @@ sub determine_zones()
}
$ordered{$zone} = 1;
push @zones, $zone;
$pushed = 1;
$pushed = 1;
}
}
}
@ -275,7 +275,7 @@ sub determine_zones()
#
# Report about zones.
#
sub zone_report()
sub zone_report()
{
for my $zone ( @zones )
{
@ -311,7 +311,7 @@ sub zone_report()
}
}
sub dump_zone_contents()
sub dump_zone_contents()
{
for my $zone ( @zones )
{


@ -101,7 +101,7 @@ sub generate_script_1() {
}
emit "TEMPFILE=\n";
for my $exit qw/init start tcclear started stop stopped/ {
emit "run_${exit}_exit() {";
push_indent;
@ -111,8 +111,8 @@ sub generate_script_1() {
emit "}\n";
}
emitj ( 'initialize()',
'{'
emitj ( 'initialize()',
'{'
);
push_indent;
@ -327,7 +327,7 @@ EOF
emit 'delete_tc1' if $config{CLEAR_TC};
emitj( 'undo_routing',
'restore_default_route'
'restore_default_route'
);
my $criticalhosts = process_criticalhosts;
@ -484,11 +484,11 @@ sub generate_script_2 () {
);
push_indent;
emit 'local restore_file=$1';
save_progress_message 'Initializing...';
if ( $export ) {
my $fn = find_file 'modules';
@ -529,7 +529,7 @@ sub generate_script_2 () {
'delete_proxyarp',
''
);
emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
setup_mss( $config{CLAMPMSS} ) if $config{CLAMPMSS};
@ -544,7 +544,7 @@ sub generate_script_2 () {
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
#
# Generate the 'setup_netfilter()' function that runs iptables-restore.
# Generate the 'define_firewall()' function.
# Generate the 'define_firewall()' function.
#
sub generate_script_3() {
@ -618,23 +618,23 @@ EOF
pop_indent;
emit "}\n";
copy $globals{SHAREDIRPL} . 'prog.footer';
}
#
# The Compiler.
#
# If the argument is non-null, it names the script file to generate.
# If the argument is non-null, it names the script file to generate.
# Otherwise, this is a 'check' command and no script is produced.
#
sub compiler( $ ) {
my $objectfile = $_[0];
report_capabilities if $verbose > 1;
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'ADDRTYPE' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
@ -657,7 +657,7 @@ sub compiler( $ ) {
#
# Process the interfaces file.
#
validate_interfaces_file;
validate_interfaces_file;
#
# Process the hosts file.
#
@ -665,12 +665,12 @@ sub compiler( $ ) {
#
# Report zone contents
#
progress_message2 "Determining Hosts in Zones...";
progress_message2 "Determining Hosts in Zones...";
zone_report;
#
# Do action pre-processing.
#
progress_message2 "Preprocessing Action Files...";
progress_message2 "Preprocessing Action Files...";
process_actions1;
#
# Process the Policy File.
@ -702,7 +702,7 @@ sub compiler( $ ) {
setup_proxy_arp;
#
# [Re-]establish Routing
#
#
setup_providers;
#
# TCRules and Traffic Shaping
@ -723,7 +723,7 @@ sub compiler( $ ) {
#
# MACLIST Filtration
#
progress_message2 "$doing MAC Filtration -- Phase 1...";
progress_message2 "$doing MAC Filtration -- Phase 1...";
setup_mac_lists 1;
#
# Process the rules file.
@ -741,13 +741,13 @@ sub compiler( $ ) {
#
# MACLIST Filtration again
#
progress_message2 "$doing MAC Filtration -- Phase 2...";
progress_message2 "$doing MAC Filtration -- Phase 2...";
setup_mac_lists 2;
#
# Apply Policies
#
progress_message2 'Applying Policies...';
apply_policy_rules;
progress_message2 'Applying Policies...';
apply_policy_rules;
#
# Setup Nat
#
@ -761,7 +761,7 @@ sub compiler( $ ) {
#
setup_accounting;
progress_message2 'Generating Rule Matrix...';
progress_message2 'Generating Rule Matrix...';
generate_matrix;
generate_script_3;


@ -79,7 +79,7 @@ startup_error() # $* = Error Message
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
kill $$
exit 2
}


@ -45,7 +45,7 @@ and the Bourne-shell one. Some of these will probably go away by first
official release but most will not.
a) The Perl-based compiler requires the following capabilities in your
kernel and iptables.
kernel and iptables.
- addrtype match (may be relaxed later)
- multiport match (will not be relaxed)
@ -60,10 +60,10 @@ b) Now that Netfilter has features to deal reasonably with port lists,
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
have extended multiport support.
have extended multiport support.
c) BRIDGING=Yes is not supported. The kernel code necessary to
support this option was removed in Linux kernel 2.6.20.
support this option was removed in Linux kernel 2.6.20.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
@ -133,10 +133,10 @@ i) Currently, support for ipsets is untested. That will change with
course) will normally be produced using the ipset -S
command.
The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you
The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below).
ii) Your ipsets may not be reloaded until Shorewall is stopped or
cleared.
@ -179,7 +179,7 @@ In addition to Shorewall-3.4.2 or later, you need:
----------------------------------------------------------------------------
I N S T A L L A T I O N
----------------------------------------------------------------------------
Either
Either
$ tar -jxf shorewall-perl-3.9.1.tar.bz2
$ cd shorewall-perl-3.9.1
@ -191,7 +191,7 @@ or
----------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
----------------------------------------------------------------------------
By default, the old Bourne-shell based compiler will be used.
By default, the old Bourne-shell based compiler will be used.
To use the new compiler, add this to shorewall.conf: