extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-13 17:18:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

A little cleanup

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1678 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-13 00:17:54 +00:00
parent 204b949836
commit d64c7fd3e6
2 changed files with 30 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall2/firewall
View File

@ -699,10 +699,10 @@ verify_interface()
# #
# Determine of communication to/from a host is encrypted using IPSEC # Determine of communication to/from a host is encrypted using IPSEC
# #
ipsec_host() # $1 = zone, $2 = host is_ipsec_host() # $1 = zone, $2 = host
{ {
eval local is_ipsec=\$${1}_is_ipsec eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_is_ipsec_hosts\"
test -n "$is_ipsec" || list_search $2 $hosts test -n "$is_ipsec" || list_search $2 $hosts
} }
@ -712,7 +712,7 @@ ipsec_host() # $1 = zone, $2 = host
# #
match_ipsec_in() # $1 = zone, $2 = host match_ipsec_in() # $1 = zone, $2 = host
{ {
if ipsec_host $1 $2 ; then if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
echo "-m policy --pol ipsec --dir in $options" echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
@ -725,7 +725,7 @@ match_ipsec_in() # $1 = zone, $2 = host
# #
match_ipsec_out() # $1 = zone, $2 = host match_ipsec_out() # $1 = zone, $2 = host
{ {
if ipsec_host $1 $2 ; then if is_ipsec_host $1 $2 ; then
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
echo "-m policy --pol ipsec --dir out $options" echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
@ -983,7 +983,7 @@ validate_hosts_file() {
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not support policy match: ipsec" startup_error "Your kernel and/or iptables does not support policy match: ipsec"
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" eval ${z}_is_ipsec_hosts=\"\$${z}_is_ipsec_hosts $interface:$host\"
eval ${z}_is_complex=Yes eval ${z}_is_complex=Yes
;; ;;
routeback) routeback)
@ -1273,7 +1273,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
fi fi
if [ ${#prefix} -gt 29 ]; then if [ ${#prefix} -gt 29 ]; then
prefix="$(echo $prefix | cut -b -29)" prefix="$(echo $prefix | truncate 29)"
error_message "Warning: Log Prefix shortened to \"$prefix\"" error_message "Warning: Log Prefix shortened to \"$prefix\""
fi fi
@ -3041,7 +3041,9 @@ process_action() # $1 = chain (Chain to add the rules to)
} }
# #
# Create and record a log action chain -- in the functions that follow, # Create and record a log action chain -- Log action chains have names
# that are formed from the action name by prepending a "%" and appending
# a 1- or 2-digit sequence number. In the functions that follow,
# the CHAIN, LEVEL and TAG variable serves as arguments to the user's # the CHAIN, LEVEL and TAG variable serves as arguments to the user's
# exit. We call the exit corresponding to the name of the action but we # exit. We call the exit corresponding to the name of the action but we
# set CHAIN to the name of the iptables chain where rules are to be added. # set CHAIN to the name of the iptables chain where rules are to be added.
@ -3052,6 +3054,10 @@ process_action() # $1 = chain (Chain to add the rules to)
# <action>_actchain - The action chain number. # <action>_actchain - The action chain number.
# <action>_chains - List of ( level[:tag] , chainname ) pairs # <action>_chains - List of ( level[:tag] , chainname ) pairs
# #
# The maximum length of a chain name is 30 characters -- since the log
# action chain name is 2-3 characters longer than the base chain name,
# this function truncates the original chain name where necessary before
# it adds the leading "%" and trailing sequence number.
createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
{ {
@ -3061,18 +3067,17 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
case ${#action} in case ${#action} in
29|30) 29|30)
CHAIN=$(echo $action | cut -b -28) CHAIN=$(echo $action | truncate 28) # %...n makes 30
;; ;;
*) *)
CHAIN=${action} CHAIN=${action}
;; ;;
esac esac
[ "$COMMAND" != check ] && \ [ "$COMMAND" != check ] && \
while havechain %${CHAIN}${actchain}; do while havechain %${CHAIN}${actchain}; do
actchain=$(($actchain + 1)) actchain=$(($actchain + 1))
[ $actchain -eq 10 -a ${#CHAIN} -eq 28 ] && CHAIN=$(echo $CHAIN | cut -b -27) [ $actchain -eq 10 -a ${#CHAIN} -eq 28 ] && CHAIN=$(echo $CHAIN | truncate 27) # %...nn makes 30
done done
CHAIN=%${CHAIN}${actchain} CHAIN=%${CHAIN}${actchain}
@ -6094,13 +6099,10 @@ activate_rules()
> ${STATEDIR}/chains > ${STATEDIR}/chains
> ${STATEDIR}/zones > ${STATEDIR}/zones
# #
# Create forwarding chains for complex zones and generate jumps for IPSEC hosts to that chain. # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
# #
for zone in $zones; do for zone in $zones; do
if eval test -n \$${zone}_is_complex ; then
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd frwd_chain=${zone}_frwd
createchain $frwd_chain No createchain $frwd_chain No
@ -6111,7 +6113,7 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
ipsec_host $zone $host && \ is_ipsec_host $zone $host && \
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
done done
fi fi
@ -6148,7 +6150,7 @@ activate_rules()
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
if [ -n "$complex" ] && ! ipsec_host $zone $host ; then if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
fi fi

16
Shorewall2/functions
View File

@ -2,6 +2,16 @@
# #
# Shorewall 2.1 -- /usr/share/shorewall/functions # Shorewall 2.1 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion.
#
truncate() # $1 = length
{
cut -b -${1}
}
# #
# Split a colon-separated list into a space-separated list # Split a colon-separated list into a space-separated list
# #
@ -724,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
case $1 in case $1 in
*+) *+)
# test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;; ;;
*) *)
test "x$1" = "x$2" test "x$1" = "x$2"