Search and destroy trailing whitespace

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-04-24 14:52:57 -07:00
parent f860cd037d
commit d904a2de86
67 changed files with 476 additions and 479 deletions


@ -56,7 +56,7 @@ getfileparams() {
esac esac
done done
return 0 return 0
} }
@ -70,7 +70,7 @@ for p in $@; do
pv=${p#*=} pv=${p#*=}
if [ -n "${pn}" ]; then if [ -n "${pn}" ]; then
case ${pn} in case ${pn} in
VENDOR) VENDOR)
pn=HOST pn=HOST
@ -85,7 +85,7 @@ for p in $@; do
pn=CONFDIR pn=CONFDIR
;; ;;
esac esac
params[${pn}]="${pv}" params[${pn}]="${pv}"
else else
echo "ERROR: Invalid option ($p)" >&2 echo "ERROR: Invalid option ($p)" >&2
@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
$params[HOST]=apple $params[HOST]=apple
rcfile=shorewallrc.apple rcfile=shorewallrc.apple
;; ;;
cygwin*) cygwin*)
$params[HOST]=cygwin $params[HOST]=cygwin
rcfile=shorewallrc.cygwin rcfile=shorewallrc.cygwin


@ -30,7 +30,7 @@ use strict;
# #
# Build updates this # Build updates this
# #
use constant { use constant {
VERSION => '4.5.2.1' VERSION => '4.5.2.1'
}; };
@ -131,7 +131,7 @@ for ( qw/ HOST
PERLLIBDIR PERLLIBDIR
CONFDIR CONFDIR
SBINDIR SBINDIR
MANDIR MANDIR
INITDIR INITDIR
INITSOURCE INITSOURCE
INITFILE INITFILE


@ -33,7 +33,7 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error() fatal_error()
{ {
echo " ERROR: $@" >&2 echo " ERROR: $@" >&2
exit 1 exit 1
@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2} run_install $T $OWNERSHIP -m $3 $1 ${2}
} }
require() require()
{ {
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set" eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
} }


@ -434,7 +434,7 @@ save_config() {
# order we all know and love # order we all know and love
# #
sort_routes() { sort_routes() {
local dest local dest
local rest local rest
local crvsn local crvsn
@ -472,7 +472,7 @@ find_tables() {
# #
show_routing() { show_routing() {
local rule local rule
local table local table
if [ -n "$(ip -$g_family rule list)" ]; then if [ -n "$(ip -$g_family rule list)" ]; then
heading "Routing Rules" heading "Routing Rules"
@ -1029,12 +1029,12 @@ perip_accounting() {
if [ -n "$hnames" ]; then if [ -n "$hnames" ]; then
for hname in $hnames; do for hname in $hnames; do
iptaccount -l $hname | egrep '^IP:|^Show' iptaccount -l $hname | egrep '^IP:|^Show'
echo echo
done done
else else
echo " No IP Accounting Tables Defined" echo " No IP Accounting Tables Defined"
echo echo
fi fi
else else
echo " iptaccount is not installed" echo " iptaccount is not installed"
@ -1259,7 +1259,7 @@ do_dump_command() {
netstat -${g_family}tunap netstat -${g_family}tunap
else else
netstat -tunap netstat -tunap
fi fi
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control" heading "Traffic Control"
@ -2036,11 +2036,11 @@ determine_capabilities() {
qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
else else
qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
fi fi
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
else else
@ -2129,7 +2129,7 @@ determine_capabilities() {
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi fi
@ -2223,10 +2223,10 @@ determine_capabilities() {
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//') KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
case "$KERNELVERSION" in case "$KERNELVERSION" in
*.*.*) *.*.*)
KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;; ;;
@ -2316,7 +2316,7 @@ report_capabilities() {
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
else else
@ -2536,7 +2536,7 @@ forget_command() {
ipcalc_command() { ipcalc_command() {
local address local address
local vlsm local vlsm
[ $g_family -eq 6 ] && usage 1 [ $g_family -eq 6 ] && usage 1
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
@ -2567,7 +2567,7 @@ iprange_command() {
[ $g_family -eq 6 ] && usage 1 [ $g_family -eq 6 ] && usage 1
range='' range=''
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
shift shift
@ -2629,7 +2629,7 @@ get_config() {
ensure_config_path ensure_config_path
config=$(find_file ${g_program}.conf) config=$(find_file ${g_program}.conf)
if [ -f $config ]; then if [ -f $config ]; then
if [ -r $config ]; then if [ -r $config ]; then
. $config . $config
@ -2676,7 +2676,7 @@ get_config() {
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2 exit 2
fi fi
else else
IPTABLES=$(mywhich iptables 2> /dev/null) IPTABLES=$(mywhich iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2 echo " ERROR: Can't find iptables executable" >&2
@ -2691,7 +2691,7 @@ get_config() {
echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2 echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
exit 2 exit 2
fi fi
else else
IP6TABLES=$(mywhich ip6tables 2> /dev/null) IP6TABLES=$(mywhich ip6tables 2> /dev/null)
if [ -z "$IP6TABLES" ] ; then if [ -z "$IP6TABLES" ] ; then
echo " ERROR: Can't find ip6tables executable" >&2 echo " ERROR: Can't find ip6tables executable" >&2
@ -2748,7 +2748,7 @@ verify_firewall_script() {
else else
echo " The file $g_firewall does not exist" >&2 echo " The file $g_firewall does not exist" >&2
fi fi
exit 2 exit 2
fi fi
} }
@ -3189,7 +3189,7 @@ shorewall_cli() {
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root" [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
get_config get_config
status_command status_command
;; ;;
dump) dump)
get_config Yes No Yes get_config Yes No Yes
@ -3299,6 +3299,6 @@ shorewall_cli() {
else else
usage 1 usage 1
fi fi
;; ;;
esac esac
} }


@ -593,7 +593,7 @@ find_first_interface_address() # $1 = interface
# #
[ -n "$addr" ] || startup_error "Can't determine the IP address of $1" [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
# #
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line # along with everything else on the line
# #
echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'


@ -16,5 +16,5 @@ INITSOURCE= #Unused on Cygwin
ANNOTATED= #Unused on Cygwin ANNOTATED= #Unused on Cygwin
SYSTEMD= #Unused on Cygwin SYSTEMD= #Unused on Cygwin
SYSCONFDIR= #Unused on Cygwin SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARDIR=/var/lib #Unused on Cygwin VARDIR=/var/lib #Unused on Cygwin


@ -23,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@ -35,9 +35,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done." echo "not done."
else else
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi


@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger $shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
rm -f $lockfile rm -f $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger $shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else # Failed to start, clean up lock file if present else # Failed to start, clean up lock file if present


@ -33,7 +33,7 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error() fatal_error()
{ {
echo " ERROR: $@" >&2 echo " ERROR: $@" >&2
exit 1 exit 1
@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2} run_install $T $OWNERSHIP -m $3 $1 ${2}
} }
require() require()
{ {
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set" eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
} }
@ -118,7 +118,7 @@ while [ $finished -eq 0 ] ; do
case "$1" in case "$1" in
-*) -*)
option=${option#-} option=${option#-}
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
h) h)
@ -268,7 +268,7 @@ if [ -n "$DESTDIR" ]; then
echo "Not setting file owner/group permissions, not running as root." echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP="" OWNERSHIP=""
fi fi
install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR} install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR} install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}


@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net) # Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net


@ -1,5 +1,5 @@
############################################################################### ###############################################################################
# /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following # /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
# variables to override the values in the shorewall.conf file used to # variables to override the values in the shorewall.conf file used to
# compile /var/lib/shorewall-lite/firewall. Those values may be found in # compile /var/lib/shorewall-lite/firewall. Those values may be found in
# /var/lib/shorewall-lite/firewall.conf. # /var/lib/shorewall-lite/firewall.conf.


@ -1,3 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<includepath />


@ -85,7 +85,7 @@ sub initialize() {
# The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
# the first non-commentary line in the accounting file isn't a section header # the first non-commentary line in the accounting file isn't a section header
# #
# This allows the section header processor to quickly check for correct order # This allows the section header processor to quickly check for correct order
# #
$asection = -1; $asection = -1;
# #
@ -194,7 +194,7 @@ sub process_accounting_rule( ) {
$ports = '' if $ports eq 'any' || $ports eq 'all'; $ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all';
fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $rule2 = 0; my $rule2 = 0;
@ -250,7 +250,7 @@ sub process_accounting_rule( ) {
if ( $source eq 'any' || $source eq 'all' ) { if ( $source eq 'any' || $source eq 'all' ) {
$source = ALLIP; $source = ALLIP;
} else { } else {
fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection ); fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
} }
@ -289,7 +289,7 @@ sub process_accounting_rule( ) {
if ( ! $chainref ) { if ( ! $chainref ) {
if ( reserved_chain_name( $chain ) ) { if ( reserved_chain_name( $chain ) ) {
fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain;
$chainref = ensure_accounting_chain $chain, 0 , $restriction; $chainref = ensure_accounting_chain $chain, 0 , $restriction;
} elsif ( $asection ) { } elsif ( $asection ) {
fatal_error "Unknown accounting chain ($chain)"; fatal_error "Unknown accounting chain ($chain)";
@ -312,7 +312,7 @@ sub process_accounting_rule( ) {
} }
} else { } else {
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting}; fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
if ( $ipsec ne '-' ) { if ( $ipsec ne '-' ) {
$dir = $chainref->{ipsec}; $dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir; fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@ -338,7 +338,7 @@ sub process_accounting_rule( ) {
} }
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting}; fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
$restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir; $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
expand_rule expand_rule


@ -364,7 +364,7 @@ use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
# #
# Optimization masks # Optimization masks
# #
use constant { use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains() OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset() OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
}; };
@ -500,7 +500,7 @@ my %ipset_exists;
# shell command, the text of the command is in # shell command, the text of the command is in
# the cmd # the cmd
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0 # cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
# cmdlevel => nesting level within loops and conditional blocks. # cmdlevel => nesting level within loops and conditional blocks.
# determines indentation # determines indentation
# simple => true|false. If true, there are no matches or options # simple => true|false. If true, there are no matches or options
# jump => 'j' or 'g' (determines whether '-j' or '-g' is included) # jump => 'j' or 'g' (determines whether '-j' or '-g' is included)
@ -510,7 +510,7 @@ my %ipset_exists;
# <option> => iptables/ip6tables -A options (e.g., i => eth0) # <option> => iptables/ip6tables -A options (e.g., i => eth0)
# <match> => iptables match. Value may be a scalar or array. # <match> => iptables match. Value may be a scalar or array.
# if an array, multiple "-m <match>"s will be generated # if an array, multiple "-m <match>"s will be generated
# } # }
# #
# The following constants and hash are used to classify keys in a rule hash # The following constants and hash are used to classify keys in a rule hash
# #
@ -524,7 +524,7 @@ my %opttype = ( rule => CONTROL,
cmd => CONTROL, cmd => CONTROL,
dhcp => UNIQUE, dhcp => UNIQUE,
mode => CONTROL, mode => CONTROL,
cmdlevel => CONTROL, cmdlevel => CONTROL,
simple => CONTROL, simple => CONTROL,
@ -538,12 +538,12 @@ my %opttype = ( rule => CONTROL,
sport => UNIQUE, sport => UNIQUE,
'icmp-type' => UNIQUE, 'icmp-type' => UNIQUE,
'icmpv6-type' => UNIQUE, 'icmpv6-type' => UNIQUE,
comment => CONTROL, comment => CONTROL,
policy => MATCH, policy => MATCH,
state => EXCLUSIVE, state => EXCLUSIVE,
jump => TARGET, jump => TARGET,
target => TARGET, target => TARGET,
targetopts => TARGET, targetopts => TARGET,
@ -563,7 +563,7 @@ my %aliases = ( protocol => 'p',
); );
my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ ); my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
@ -620,7 +620,7 @@ sub initialize( $$$ ) {
$hashlimitset = 0; $hashlimitset = 0;
$ipset_rules = 0 if $hard; $ipset_rules = 0 if $hard;
%ipset_exists = (); %ipset_exists = ();
%helpers = ( amanda => TCP, %helpers = ( amanda => TCP,
ftp => TCP, ftp => TCP,
@ -704,9 +704,9 @@ sub decr_cmd_level( $ ) {
} }
# #
# Transform the passed iptables rule into an internal-form hash reference. # Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively. # Most of the compiler has been converted to use the new form natively.
# A few parts, mostly those dealing with expand_rule(), still generate # A few parts, mostly those dealing with expand_rule(), still generate
# iptables command strings which are converted into the new form by # iptables command strings which are converted into the new form by
# transform_rule() # transform_rule()
# #
@ -718,7 +718,7 @@ sub set_rule_option( $$$ ) {
assert( defined $value && reftype $ruleref , $value, $ruleref ); assert( defined $value && reftype $ruleref , $value, $ruleref );
$ruleref->{simple} = 0; $ruleref->{simple} = 0;
my $opttype = $opttype{$option} || MATCH; my $opttype = $opttype{$option} || MATCH;
if ( exists $ruleref->{$option} ) { if ( exists $ruleref->{$option} ) {
@ -760,7 +760,7 @@ sub transform_rule( $ ) {
while ( $input ) { while ( $input ) {
my $option; my $option;
my $invert = ''; my $invert = '';
if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) { if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
# #
# Normal case of single-character # Normal case of single-character
@ -769,7 +769,7 @@ sub transform_rule( $ ) {
} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) { } elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
$invert = '!' if $1; $invert = '!' if $1;
my $opt = $option = $2; my $opt = $option = $2;
fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option}; fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
} else { } else {
fatal_error "Unrecognized iptables option string ($input)"; fatal_error "Unrecognized iptables option string ($input)";
} }
@ -795,7 +795,7 @@ sub transform_rule( $ ) {
last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' }; last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
$input =~ s/^([^\s]+)\s*//; $input =~ s/^([^\s]+)\s*//;
my $token = $1; my $token = $1;
$params = $params eq '' ? $token : join( ' ' , $params, $token); $params = $params eq '' ? $token : join( ' ' , $params, $token);
} }
if ( $input =~ /^(?:!\s+--([^\s]+)|!\s+[^-])/ ) { if ( $input =~ /^(?:!\s+--([^\s]+)|!\s+[^-])/ ) {
@ -861,20 +861,20 @@ sub format_option( $$ ) {
$rule; $rule;
} }
sub format_rule( $$;$ ) { sub format_rule( $$;$ ) {
my ( $chainref, $ruleref, $suppresshdr ) = @_; my ( $chainref, $ruleref, $suppresshdr ) = @_;
return $ruleref->{cmd} if exists $ruleref->{cmd}; return $ruleref->{cmd} if exists $ruleref->{cmd};
my $rule = $suppresshdr ? '' : "-A $chainref->{name}"; my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
for ( @unique_options ) { for ( @unique_options ) {
if ( exists $ruleref->{$_} ) { if ( exists $ruleref->{$_} ) {
my $value = $ruleref->{$_}; my $value = $ruleref->{$_};
$rule .= ' !' if $value =~ s/^! //; $rule .= ' !' if $value =~ s/^! //;
if ( length == 1 ) { if ( length == 1 ) {
$rule .= join( '' , ' -', $_, ' ', $value ); $rule .= join( '' , ' -', $_, ' ', $value );
} else { } else {
@ -883,8 +883,8 @@ sub format_rule( $$;$ ) {
} }
} }
$rule .= format_option( 'state', $ruleref->{state} ) if defined $ruleref->{state}; $rule .= format_option( 'state', $ruleref->{state} ) if defined $ruleref->{state};
$rule .= format_option( 'policy', $ruleref->{policy} ) if defined $ruleref->{policy}; $rule .= format_option( 'policy', $ruleref->{policy} ) if defined $ruleref->{policy};
$rule .= format_option( $_, $ruleref->{$_} ) for sort ( grep ! $opttype{$_}, keys %{$ruleref} ); $rule .= format_option( $_, $ruleref->{$_} ) for sort ( grep ! $opttype{$_}, keys %{$ruleref} );
@ -913,7 +913,7 @@ sub compatible( $$ ) {
# #
my @val1 = split ' ', $val1; my @val1 = split ' ', $val1;
my @val2 = split ' ', $val2; my @val2 = split ' ', $val2;
return 0 if @val1 > @val2; # $val1 is more specific than $val2 return 0 if @val1 > @val2; # $val1 is more specific than $val2
for ( my $i = 0; $i < @val1; $i++ ) { for ( my $i = 0; $i < @val1; $i++ ) {
@ -938,11 +938,11 @@ sub merge_rules( $$$ ) {
my ( $tableref, $toref, $fromref ) = @_; my ( $tableref, $toref, $fromref ) = @_;
my $target = $fromref->{target}; my $target = $fromref->{target};
for my $option ( @unique_options ) { for my $option ( @unique_options ) {
$toref->{$option} = $fromref->{$option} if exists $fromref->{$option}; $toref->{$option} = $fromref->{$option} if exists $fromref->{$option};
} }
for my $option ( grep ! $opttype{$_}, keys %$fromref ) { for my $option ( grep ! $opttype{$_}, keys %$fromref ) {
set_rule_option( $toref, $option, $fromref->{$option} ); set_rule_option( $toref, $option, $fromref->{$option} );
} }
@ -970,12 +970,12 @@ sub merge_rules( $$$ ) {
# #
# Trace a change to the chain table # Trace a change to the chain table
# #
sub trace( $$$$ ) { sub trace( $$$$ ) {
my ($chainref, $action, $rulenum, $message) = @_; my ($chainref, $action, $rulenum, $message) = @_;
my $heading = $rulenum ? my $heading = $rulenum ?
sprintf " NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum : sprintf " NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum :
sprintf " NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name}; sprintf " NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};
my $length = length $heading; my $length = length $heading;
@ -1176,7 +1176,7 @@ sub add_rule($$;$) {
# New add_rule implementation # New add_rule implementation
# #
sub push_matches { sub push_matches {
my $ruleref = shift; my $ruleref = shift;
my $dont_optimize = 0; my $dont_optimize = 0;
@ -1204,9 +1204,9 @@ sub push_irule( $$$;@ ) {
( $target, my $targetopts ) = split ' ', $target, 2; ( $target, my $targetopts ) = split ' ', $target, 2;
my $ruleref = {}; my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
if ( $jump ) { if ( $jump ) {
$ruleref->{jump} = $jump; $ruleref->{jump} = $jump;
$ruleref->{target} = $target; $ruleref->{target} = $target;
@ -1326,9 +1326,9 @@ sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_; my ( $chainref, $jump, $target, $number, @matches ) = @_;
my $ruleref = {}; my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
if ( $jump ) { if ( $jump ) {
$jump = 'j' if $jump eq 'g' && ! have_capability 'GOTO_TARGET'; $jump = 'j' if $jump eq 'g' && ! have_capability 'GOTO_TARGET';
( $target, my $targetopts ) = split ' ', $target, 2; ( $target, my $targetopts ) = split ' ', $target, 2;
@ -1393,7 +1393,7 @@ sub delete_chain_and_references( $ ) {
# We're going to delete this chain but first, we must delete all references to it. # We're going to delete this chain but first, we must delete all references to it.
# #
my $tableref = $chain_table{$chainref->{table}}; my $tableref = $chain_table{$chainref->{table}};
my $name1 = $chainref->{name}; my $name1 = $chainref->{name};
for ( @{$chainref->{rules}} ) { for ( @{$chainref->{rules}} ) {
decrement_reference_count( $tableref->{$_->{target}}, $name1 ) if $_->{target}; decrement_reference_count( $tableref->{$_->{target}}, $name1 ) if $_->{target};
} }
@ -1440,7 +1440,7 @@ sub decrement_reference_count( $$ ) {
delete $toref->{references}{$chain} unless --$toref->{references}{$chain}; delete $toref->{references}{$chain} unless --$toref->{references}{$chain};
delete_chain( $toref ) unless ( keys %{$toref->{references}} ); delete_chain( $toref ) unless ( keys %{$toref->{references}} );
} }
} }
# #
# Move the rules from one chain to another # Move the rules from one chain to another
@ -1474,11 +1474,11 @@ sub move_rules( $$ ) {
# We set aside the filtered rules for the time being # We set aside the filtered rules for the time being
# #
$filtered = $filtered1; $filtered = $filtered1;
push @filtered1 , shift @{$chain1->{rules}} while $filtered--; push @filtered1 , shift @{$chain1->{rules}} while $filtered--;
$chain1->{filtered} = 0; $chain1->{filtered} = 0;
$filtered = $filtered2; $filtered = $filtered2;
push @filtered2 , shift @{$chain2->{rules}} while $filtered--; push @filtered2 , shift @{$chain2->{rules}} while $filtered--;
@ -1507,25 +1507,25 @@ sub move_rules( $$ ) {
trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1; trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1;
} }
splice @{$rules}, 0, 0, @filtered1; splice @{$rules}, 0, 0, @filtered1;
} }
# #
# Restore the filters originally in chain2 but drop duplicates of those from $chain1 # Restore the filters originally in chain2 but drop duplicates of those from $chain1
# #
FILTER: FILTER:
while ( @filtered2 ) { while ( @filtered2 ) {
$filtered = pop @filtered2; $filtered = pop @filtered2;
for ( $rule = 0; $rule < $filtered1; $rule++ ) { for ( $rule = 0; $rule < $filtered1; $rule++ ) {
$filtered2--, next FILTER if ${$rules}[$rule] eq $filtered; $filtered2--, next FILTER if ${$rules}[$rule] eq $filtered;
} }
unshift @{$rules}, $filtered; unshift @{$rules}, $filtered;
} }
$chain2->{filtered} = $filtered1 + $filtered2; $chain2->{filtered} = $filtered1 + $filtered2;
delete_chain $chain1; delete_chain $chain1;
$count; $count;
@ -1736,21 +1736,21 @@ sub output_chain($)
# #
# Prerouting Chain for an interface # Prerouting Chain for an interface
# #
sub prerouting_chain($) sub prerouting_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
} }
# #
# Postouting Chain for an interface # Postouting Chain for an interface
# #
sub postrouting_chain($) sub postrouting_chain($)
{ {
my $interface = shift; my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
} }
# #
# Output Chain for a zone # Output Chain for a zone
# #
@ -2362,7 +2362,7 @@ sub ensure_audit_chain( $;$$ ) {
$tgt ||= $action; $tgt ||= $action;
add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action; add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
if ( $tgt eq 'REJECT' ) { if ( $tgt eq 'REJECT' ) {
add_ijump $ref , g => 'reject'; add_ijump $ref , g => 'reject';
} else { } else {
@ -2391,8 +2391,8 @@ sub require_audit($$;$) {
require_capability 'AUDIT_TARGET', 'audit', 's'; require_capability 'AUDIT_TARGET', 'audit', 's';
return ensure_audit_chain $target, $action, $tgt; return ensure_audit_chain $target, $action, $tgt;
} }
# #
# Returns the Level and Tag for the current action chain # Returns the Level and Tag for the current action chain
# #
@ -2400,7 +2400,7 @@ sub get_action_logging() {
my $chainref = get_action_chain; my $chainref = get_action_chain;
my $wholeaction = $chainref->{action}; my $wholeaction = $chainref->{action};
my ( undef, $level, $tag, undef ) = split ':', $wholeaction; my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
$level = '' if $level =~ /^none/; $level = '' if $level =~ /^none/;
( $level, $tag ); ( $level, $tag );
@ -2660,7 +2660,7 @@ sub replace_references1( $$ ) {
if ( $fromref->{referenced} ) { if ( $fromref->{referenced} ) {
for ( @{$fromref->{rules}} ) { for ( @{$fromref->{rules}} ) {
$rule++; $rule++;
if ( $_->{target} eq $name ) { if ( $_->{target} eq $name ) {
if ( compatible( $_ , $ruleref ) ) { if ( compatible( $_ , $ruleref ) ) {
# #
# The target is the passed chain -- merge the two rules into one # The target is the passed chain -- merge the two rules into one
@ -2738,8 +2738,8 @@ sub optimize_level0() {
next if $family == F_IPV6 && $table eq 'nat'; next if $family == F_IPV6 && $table eq 'nat';
my $tableref = $chain_table{$table}; my $tableref = $chain_table{$table};
my @chains = grep $_->{referenced}, values %$tableref; my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains; my $chains = @chains;
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
# #
# If the chain isn't branched to, then delete it # If the chain isn't branched to, then delete it
@ -2769,8 +2769,8 @@ sub optimize_level4( $$ ) {
$passes++; $passes++;
my @chains = grep $_->{referenced}, values %$tableref; my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains; my $chains = @chains;
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a..."; progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
@ -2868,8 +2868,8 @@ sub optimize_level4( $$ ) {
$passes++; $passes++;
my @chains = grep $_->{referenced}, values %$tableref; my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains; my $chains = @chains;
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b..."; progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
@ -2880,8 +2880,8 @@ sub optimize_level4( $$ ) {
# Last rule is a simple branch # Last rule is a simple branch
my $targetref = $tableref->{$lastrule->{target}}; my $targetref = $tableref->{$lastrule->{target}};
if ( $targetref && if ( $targetref &&
($targetref->{optflags} & DONT_MOVE) == 0 && ($targetref->{optflags} & DONT_MOVE) == 0 &&
( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) { ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
copy_rules( $targetref, $chainref ); copy_rules( $targetref, $chainref );
$progress = 1; $progress = 1;
@ -2942,7 +2942,7 @@ sub optimize_level8( $$$ ) {
unless ( $chainref->{name} =~ /^~/ ) { unless ( $chainref->{name} =~ /^~/ ) {
# #
# For simple use of the BLACKLIST section, we can end up with many identical # For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of # chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member. # these chains via the 'blacklistsection' member.
# #
@ -2962,14 +2962,14 @@ sub optimize_level8( $$$ ) {
# #
for my $oldname ( @rename ) { for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++; my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug; trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$tableref->{$newname} = $tableref->{$oldname}; $tableref->{$newname} = $tableref->{$oldname};
$tableref->{$oldname}{name} = $newname; $tableref->{$oldname}{name} = $newname;
progress_message " Chain $oldname renamed to $newname"; progress_message " Chain $oldname renamed to $newname";
} }
# #
# Next, map the combined names # Next, map the combined names
# #
while ( my ( $oldname, $combinedname ) = each %combined ) { while ( my ( $oldname, $combinedname ) = each %combined ) {
$renamed{$oldname} = $renamed{$combinedname} || $combinedname; $renamed{$oldname} = $renamed{$combinedname} || $combinedname;
@ -3082,7 +3082,7 @@ sub get_keys( $ ) {
# Adjacent rules are compatible if: # Adjacent rules are compatible if:
# #
# - They all specify destination ports # - They all specify destination ports
# - All of the rest of their members are identical with the possible exception of 'comment'. # - All of the rest of their members are identical with the possible exception of 'comment'.
# #
# Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped. # Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped.
# #
@ -3097,7 +3097,7 @@ sub combine_dports {
my $ruleref; my $ruleref;
my $ports1; my $ports1;
my $basenum = $rulenum; my $basenum = $rulenum;
if ( $ports1 = get_dports( $baseref ) ) { if ( $ports1 = get_dports( $baseref ) ) {
my $proto = $baseref->{p}; my $proto = $baseref->{p};
my @keys1 = get_keys( $baseref ); my @keys1 = get_keys( $baseref );
@ -3136,7 +3136,7 @@ sub combine_dports {
} }
next RULE if $ports1 eq $ports2; next RULE if $ports1 eq $ports2;
last if ( $ports += port_count( $ports2 ) ) > 15; last if ( $ports += port_count( $ports2 ) ) > 15;
if ( $comment2 ) { if ( $comment2 ) {
@ -3163,7 +3163,7 @@ sub combine_dports {
push @ports, split ',', $ports2; push @ports, split ',', $ports2;
trace( $chainref, 'D', $rulenum, $ruleref ) if $debug; trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
} else { } else {
last; last;
} }
@ -3182,7 +3182,7 @@ sub combine_dports {
trace ( $chainref, 'R', $basenum, $baseref ) if $debug; trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
} }
} }
push @rules, $baseref; push @rules, $baseref;
@ -3192,7 +3192,7 @@ sub combine_dports {
\@rules; \@rules;
} }
sub optimize_level16( $$$ ) { sub optimize_level16( $$$ ) {
my ( $table, $tableref , $passes ) = @_; my ( $table, $tableref , $passes ) = @_;
my @chains = ( grep $_->{referenced}, values %{$tableref} ); my @chains = ( grep $_->{referenced}, values %{$tableref} );
@ -3296,7 +3296,7 @@ sub setup_zone_mss() {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ), j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ; add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ), j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ), j => $target , @destdev, @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ; add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ), j => $target , @destdev, @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;
} }
} }
} }
@ -3402,9 +3402,9 @@ sub source_iexclusion( $$$$$;@ ) {
@exclusion = mysplit( $2 ); @exclusion = mysplit( $2 );
my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion; add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
if ( $targetopts ) { if ( $targetopts ) {
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts ); add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
} else { } else {
@ -3416,7 +3416,7 @@ sub source_iexclusion( $$$$$;@ ) {
add_ijump( $chainref, add_ijump( $chainref,
$jump => $target, $jump => $target,
targetopts => $targetopts, targetopts => $targetopts,
imatch_source_net( $source ), imatch_source_net( $source ),
@_ ); @_ );
} else { } else {
add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ ); add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
@ -3453,9 +3453,9 @@ sub dest_iexclusion( $$$$$;@ ) {
@exclusion = mysplit( $2 ); @exclusion = mysplit( $2 );
my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion; add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
if ( $targetopts ) { if ( $targetopts ) {
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ ); add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
} else { } else {
@ -4082,7 +4082,7 @@ sub resolve_id( $$ ) {
$id; $id;
} }
# #
# Create a "-m owner" match for the passed USER/GROUP # Create a "-m owner" match for the passed USER/GROUP
@ -4224,14 +4224,14 @@ sub validate_helper( $;$ ) {
my $helper_proto = $helpers{$helper_base}; my $helper_proto = $helpers{$helper_base};
if ( $helper_proto) { if ( $helper_proto) {
# #
# Recognized helper # Recognized helper
# #
if ( supplied $proto ) { if ( supplied $proto ) {
my $protonum = -1; my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) ); fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
unless ( $protonum == $helper_proto ) { unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto ); fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@ -4299,7 +4299,7 @@ my %headers = ( hop => 1,
route => 1, route => 1,
frag => 1, frag => 1,
auth => 1, auth => 1,
esp => 1, esp => 1,
none => 1, none => 1,
'hop-by-hop' => 1, 'hop-by-hop' => 1,
'ipv6-opts' => 1, 'ipv6-opts' => 1,
@ -4353,7 +4353,7 @@ sub do_probability( $ ) {
require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's'; require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
my $invert = $probability =~ s/^!// ? '! ' : ""; my $invert = $probability =~ s/^!// ? '! ' : "";
fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/; fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
"-m statistic --mode random --probability $probability "; "-m statistic --mode random --probability $probability ";
@ -4449,7 +4449,7 @@ sub match_dest_dev( $;$ ) {
} }
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface "; "-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else { } else {
@ -4475,7 +4475,7 @@ sub imatch_dest_dev( $;$ ) {
} }
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" ); ( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" );
} else { } else {
@ -4571,13 +4571,13 @@ sub record_runtime_address( $$;$ ) {
} }
$addr . ' '; $addr . ' ';
} }
# #
# If the passed address is a run-time address variable for an optional interface, then # If the passed address is a run-time address variable for an optional interface, then
# begin a conditional rule block that tests the address for nil. Returns 1 if a conditional # begin a conditional rule block that tests the address for nil. Returns 1 if a conditional
# block was opened. The caller stores the result, and if the result is true the caller # block was opened. The caller stores the result, and if the result is true the caller
# invokes conditional_rule_end() when the conditional block is complete. # invokes conditional_rule_end() when the conditional block is complete.
# #
sub conditional_rule( $$ ) { sub conditional_rule( $$ ) {
@ -4614,7 +4614,7 @@ sub conditional_rule_end( $ ) {
my $chainref = shift; my $chainref = shift;
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands( $chainref , "fi\n" ); add_commands( $chainref , "fi\n" );
} }
sub mysplit( $;$ ); sub mysplit( $;$ );
@ -4765,7 +4765,7 @@ sub match_dest_net( $ ) {
if ( $net =~ /^([&%])(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return '! -d ' . record_runtime_address $1, $2; return '! -d ' . record_runtime_address $1, $2;
} }
validate_net $net, 1; validate_net $net, 1;
return "! -d $net "; return "! -d $net ";
} }
@ -4812,7 +4812,7 @@ sub imatch_dest_net( $ ) {
if ( $net =~ /^([&%])(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return ( d => '! ' . record_runtime_address( $1, $2, 1 ) ); return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
} }
validate_net $net, 1; validate_net $net, 1;
return ( d => "! $net " ); return ( d => "! $net " );
} }
@ -5475,7 +5475,7 @@ sub split_network( $$$ ) {
} }
invalid_network_list( $srcdst, $list ) if @result > 2; invalid_network_list( $srcdst, $list ) if @result > 2;
@result; @result;
} }
@ -5487,7 +5487,7 @@ sub handle_network_list( $$ ) {
my $nets = ''; my $nets = '';
my $excl = ''; my $excl = '';
my @nets = mysplit $list; my @nets = mysplit $list;
for ( @nets ) { for ( @nets ) {
@ -5507,7 +5507,7 @@ sub handle_network_list( $$ ) {
$excl .= ",$_"; $excl .= ",$_";
} else { } else {
$nets = $nets ? join(',', $nets, $_ ) : $_; $nets = $nets ? join(',', $nets, $_ ) : $_;
} }
} }
( $nets, $excl ); ( $nets, $excl );
@ -5551,7 +5551,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else { } else {
$jump = $basictarget = ''; $jump = $basictarget = '';
} }
our @ends = (); our @ends = ();
# #
# In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used # In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used
@ -5659,7 +5659,7 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall"; fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall";
} }
} }
$chainref->{restricted} |= $restriction; $chainref->{restricted} |= $restriction;
$rule .= match_source_dev( $iiface ); $rule .= match_source_dev( $iiface );
} }
@ -5753,12 +5753,12 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain"; fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
} }
} }
if ( $iiface ) { if ( $iiface ) {
my $bridge = port_to_bridge( $diface ); my $bridge = port_to_bridge( $diface );
fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface ); fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface );
} }
$chainref->{restricted} |= $restriction; $chainref->{restricted} |= $restriction;
$rule .= match_dest_dev( $diface ); $rule .= match_dest_dev( $diface );
} }
@ -5923,7 +5923,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# Use the current rule and send all possible matches to the exclusion chain # Use the current rule and send all possible matches to the exclusion chain
# #
for my $onet ( mysplit $onets ) { for my $onet ( mysplit $onets ) {
my $cond = conditional_rule( $chainref, $onet ); my $cond = conditional_rule( $chainref, $onet );
$onet = match_orig_dest $onet; $onet = match_orig_dest $onet;
@ -5944,7 +5944,7 @@ sub expand_rule( $$$$$$$$$$;$ )
conditional_rule_end( $chainref ) if $cond; conditional_rule_end( $chainref ) if $cond;
} }
# #
# Generate RETURNs for each exclusion # Generate RETURNs for each exclusion
# #
@ -5998,12 +5998,12 @@ sub expand_rule( $$$$$$$$$$;$ )
my $cond = conditional_rule( $chainref, $onet ); my $cond = conditional_rule( $chainref, $onet );
$onet = match_orig_dest $onet; $onet = match_orig_dest $onet;
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
my $source_match; my $source_match;
my $cond = conditional_rule( $chainref, $inet ); my $cond = conditional_rule( $chainref, $inet );
$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
@ -6091,7 +6091,7 @@ sub copy_options( $ ) {
} }
# #
# This function is called after the blacklist rules have been added to the canonical chains. It # This function is called after the blacklist rules have been added to the canonical chains. It
# either copies the relevant interface option rules into each canonocal chain, or it inserts one # either copies the relevant interface option rules into each canonocal chain, or it inserts one
# or more jumps to the relevant option chains. The argument indicates whether blacklist rules are # or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
# present. # present.
@ -6123,7 +6123,7 @@ sub add_interface_options( $ ) {
$digest = format_rule( $chainref, $_, 1 ); $digest = format_rule( $chainref, $_, 1 );
} }
} }
$chainref->{digest} = sha1 $digest; $chainref->{digest} = sha1 $digest;
} }
# #
@ -6132,10 +6132,10 @@ sub add_interface_options( $ ) {
for my $zone1 ( off_firewall_zones ) { for my $zone1 ( off_firewall_zones ) {
my @input_interfaces = keys %{zone_interfaces( $zone1 )}; my @input_interfaces = keys %{zone_interfaces( $zone1 )};
my @forward_interfaces = @input_interfaces; my @forward_interfaces = @input_interfaces;
if ( @input_interfaces > 1 ) { if ( @input_interfaces > 1 ) {
# #
# This zone has multiple interfaces - discover if all of the interfaces have the same # This zone has multiple interfaces - discover if all of the interfaces have the same
# input and/or forward options # input and/or forward options
# #
my $digest; my $digest;
@ -6166,14 +6166,14 @@ sub add_interface_options( $ ) {
@forward_interfaces = ( $forward_interfaces[0] ); @forward_interfaces = ( $forward_interfaces[0] );
} }
} }
# #
# Now insert the jumps # Now insert the jumps
# #
for my $zone2 ( all_zones ) { for my $zone2 ( all_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my $chain1ref; my $chain1ref;
if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) { if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) { if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) {
$chain1ref = $input_chains{$input_interfaces[0]}; $chain1ref = $input_chains{$input_interfaces[0]};
@ -6232,7 +6232,7 @@ sub add_interface_options( $ ) {
my $chain1ref; my $chain1ref;
$chainref = $filter_table->{input_option_chain $interface}; $chainref = $filter_table->{input_option_chain $interface};
if( @{$chainref->{rules}} ) { if( @{$chainref->{rules}} ) {
move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface}; move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface};
set_interface_option( $interface, 'use_input_chain', 1 ); set_interface_option( $interface, 'use_input_chain', 1 );
@ -6265,7 +6265,7 @@ sub add_interface_options( $ ) {
# #
# We may have to generate part of the input at run-time. The rules array in each chain # We may have to generate part of the input at run-time. The rules array in each chain
# table entry may contain both rules or shell source, determined by the contents of the 'mode' # table entry may contain both rules or shell source, determined by the contents of the 'mode'
# member. We alternate between writing the rules into the temporary file to be passed to # member. We alternate between writing the rules into the temporary file to be passed to
# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE). # iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
# #
# The following two functions are responsible for the mode transitions. # The following two functions are responsible for the mode transitions.
@ -6301,7 +6301,7 @@ sub emitr( $$ ) {
# A command # A command
# #
enter_cmd_mode unless $mode == CMD_MODE; enter_cmd_mode unless $mode == CMD_MODE;
if ( exists $ruleref->{cmd} ) { if ( exists $ruleref->{cmd} ) {
emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} ); emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
} else { } else {
@ -6309,7 +6309,7 @@ sub emitr( $$ ) {
# Must preserve quotes in the rule # Must preserve quotes in the rule
# #
( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g; ( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
emit join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' ); emit join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
} }
} }
@ -6351,7 +6351,7 @@ sub emitr1( $$ ) {
emitstd $ruleref->{cmd}; emitstd $ruleref->{cmd};
} else { } else {
( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g; ( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
emitstd join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' ); emitstd join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
} }
} }
@ -6487,7 +6487,7 @@ sub load_ipsets() {
'esac' , 'esac' ,
'' , '' ,
'if [ "$COMMAND" = start ]; then' ); 'if [ "$COMMAND" = start ]; then' );
if ( $config{SAVE_IPSETS} ) { if ( $config{SAVE_IPSETS} ) {
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' , emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -F' , ' $IPSET -F' ,
@ -6557,7 +6557,7 @@ sub load_ipsets() {
' grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' ); ' fi' );
} }
if ( @ipsets ) { if ( @ipsets ) {
emit( 'elif [ "$COMMAND" = refresh ]; then' ); emit( 'elif [ "$COMMAND" = refresh ]; then' );
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
@ -6761,7 +6761,7 @@ sub create_chainlist_reload($) {
unless ( @chains ) { unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst}; @chains = qw( blacklst ) if $filter_table->{blacklst};
push @chains, 'blackout' if $filter_table->{blackout}; push @chains, 'blackout' if $filter_table->{blackout};
for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) { for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
push @chains, $_->{name} if $_->{blacklistsection}; push @chains, $_->{name} if $_->{blacklistsection};
} }
@ -6804,7 +6804,7 @@ sub create_chainlist_reload($) {
my $chainref; my $chainref;
fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain}; fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin}; fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
if ( $chainseq{$table} && @{$chainref->{rules}} ) { if ( $chainseq{$table} && @{$chainref->{rules}} ) {
$tables{$table} = 1; $tables{$table} = 1;
} else { } else {


@ -425,7 +425,7 @@ sub generate_script_3($) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__'; emit 'cat > ${VARDIR}/proxyarp << __EOF__';
} else { } else {
emit 'cat > ${VARDIR}/proxyndp << __EOF__'; emit 'cat > ${VARDIR}/proxyndp << __EOF__';
} }
dump_proxy_arp; dump_proxy_arp;
emit_unindented '__EOF__'; emit_unindented '__EOF__';
@ -493,7 +493,7 @@ EOF
" set_state Started $config_dir" , " set_state Started $config_dir" ,
' else' , ' else' ,
' setup_netfilter' ); ' setup_netfilter' );
setup_load_distribution; setup_load_distribution;
emit<<"EOF"; emit<<"EOF";
@ -578,7 +578,7 @@ sub compiler {
log => { store => \$log }, log => { store => \$log },
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } , log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
test => { store => \$test }, test => { store => \$test },
preview => { store => \$preview, validate=> \&validate_boolean } , preview => { store => \$preview, validate=> \&validate_boolean } ,
confess => { store => \$confess, validate=> \&validate_boolean } , confess => { store => \$confess, validate=> \&validate_boolean } ,
update => { store => \$update, validate=> \&validate_boolean } , update => { store => \$update, validate=> \&validate_boolean } ,
convert => { store => \$convert, validate=> \&validate_boolean } , convert => { store => \$convert, validate=> \&validate_boolean } ,


@ -47,18 +47,18 @@ our @EXPORT = qw(
warning_message warning_message
fatal_error fatal_error
assert assert
progress_message progress_message
progress_message_nocompress progress_message_nocompress
progress_message2 progress_message2
progress_message3 progress_message3
supplied supplied
get_action_params get_action_params
get_action_chain get_action_chain
set_action_param set_action_param
have_capability have_capability
require_capability require_capability
); );
@ -301,7 +301,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
IPTABLES_S => 'iptables -S', IPTABLES_S => 'iptables -S',
BASIC_FILTER => 'Basic Filter', BASIC_FILTER => 'Basic Filter',
CT_TARGET => 'CT Target', CT_TARGET => 'CT Target',
STATISTIC_MATCH => STATISTIC_MATCH =>
'Statistics Match', 'Statistics Match',
IMQ_TARGET => 'IMQ Target', IMQ_TARGET => 'IMQ Target',
DSCP_MATCH => 'DSCP Match', DSCP_MATCH => 'DSCP Match',
@ -395,7 +395,7 @@ my $first_entry; # Message to output or function to call on first no
my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
our $debug; # Global debugging flag our $debug; # Global debugging flag
my $confess; # If true, use Carp to report errors with stack trace. my $confess; # If true, use Carp to report errors with stack trace.
our $family; # Protocol family (4 or 6) our $family; # Protocol family (4 or 6)
our $toolname; # Name of the tool to use (iptables or iptables6) our $toolname; # Name of the tool to use (iptables or iptables6)
@ -456,7 +456,7 @@ use constant { PLAIN_READ => 0, # No read_a_line options
STRIP_COMMENTS => 4, # Remove comments STRIP_COMMENTS => 4, # Remove comments
SUPPRESS_WHITESPACE => 8, # Ignore blank lines SUPPRESS_WHITESPACE => 8, # Ignore blank lines
CHECK_GUNK => 16, # Look for unprintable characters CHECK_GUNK => 16, # Look for unprintable characters
CONFIG_CONTINUATION => 32, # Suppress leading whitespace if CONFIG_CONTINUATION => 32, # Suppress leading whitespace if
# continued line ends in ',' or ':' # continued line ends in ',' or ':'
DO_INCLUDE => 64, # Look for INCLUDE <filename> DO_INCLUDE => 64, # Look for INCLUDE <filename>
NORMAL_READ => -1 # All options NORMAL_READ => -1 # All options
@ -494,7 +494,7 @@ sub initialize( $;$ ) {
$indent = ''; # Current total indentation $indent = ''; # Current total indentation
( $dir, $file ) = ('',''); # Script's Directory and Filename ( $dir, $file ) = ('',''); # Script's Directory and Filename
$tempfile = ''; # Temporary File Name $tempfile = ''; # Temporary File Name
$sillyname = $sillyname =
$sillyname1 = ''; # Temporary ipchains $sillyname1 = ''; # Temporary ipchains
$omitting = 0; $omitting = 0;
$ifstack = 0; $ifstack = 0;
@ -770,7 +770,7 @@ sub initialize( $;$ ) {
$debug = 0; $debug = 0;
$confess = 0; $confess = 0;
%params = (); %params = ();
%compiler_params = (); %compiler_params = ();
@ -1496,7 +1496,7 @@ sub split_line1( $$;$ ) {
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/; fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
$line[$column] = $value; $line[$column] = $value;
} }
} }
@line; @line;
} }
@ -1609,8 +1609,8 @@ sub process_conditional( $$$ ) {
$cap =~ s/^__//; $cap =~ s/^__//;
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} : $omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
exists $params{$rest} ? $params{$rest} : exists $params{$rest} ? $params{$rest} :
exists $config{$rest} ? $config{$rest} : exists $config{$rest} ? $config{$rest} :
exists $capdesc{$cap} ? have_capability( $cap ) : 0 ); exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
} }
@ -1631,7 +1631,7 @@ sub process_conditional( $$$ ) {
} }
$omitting; $omitting;
} }
# #
# Functions for copying a file into the script # Functions for copying a file into the script
@ -1700,7 +1700,7 @@ sub copy1( $ ) {
my ( $do_indent, $here_documents ) = ( 1, ''); my ( $do_indent, $here_documents ) = ( 1, '');
open_file( $_[0] ); open_file( $_[0] );
while ( $currentfile ) { while ( $currentfile ) {
while ( <$currentfile> ) { while ( <$currentfile> ) {
$currentlinenumber++; $currentlinenumber++;
@ -1772,7 +1772,7 @@ sub copy1( $ ) {
next; next;
} }
if ( $indent ) { if ( $indent ) {
s/^(\s*)/$indent1$1$indent2/; s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2; s/ /\t/ if $indent2;
@ -2208,7 +2208,7 @@ sub read_a_line($) {
$omitting = process_conditional( $omitting, $currentline, $currentlinenumber ); $omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
$currentline=''; $currentline='';
next; next;
} }
if ( $omitting ) { if ( $omitting ) {
print "OMIT=> $currentline\n" if $debug; print "OMIT=> $currentline\n" if $debug;
@ -2549,7 +2549,7 @@ sub load_kernel_modules( ) {
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"; $modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
} }
my @moduledirectories; my @moduledirectories;
for ( split /:/, $modulesdir ) { for ( split /:/, $modulesdir ) {
push @moduledirectories, $_ if -d $_; push @moduledirectories, $_ if -d $_;
@ -2588,7 +2588,7 @@ sub load_kernel_modules( ) {
} else { } else {
system( "modprobe $module $arguments" ); system( "modprobe $module $arguments" );
} }
$loadedmodules{ $module } = 1; $loadedmodules{ $module } = 1;
} }
} }
@ -3343,7 +3343,7 @@ sub update_config_file( $ ) {
open $template, '<' , $fn or fatal_error "Unable to open $fn: $!"; open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
unless ( open $output, '>', "$configfile.updated" ) { unless ( open $output, '>', "$configfile.updated" ) {
close $template; close $template;
fatal_error "Unable to open $configfile.updated for output: $!"; fatal_error "Unable to open $configfile.updated for output: $!";
} }
@ -3414,7 +3414,7 @@ EOF
fatal_error "Can't rename $configfile to $configfile.bak: $!" unless rename $configfile, "$configfile.bak"; fatal_error "Can't rename $configfile to $configfile.bak: $!" unless rename $configfile, "$configfile.bak";
fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile; fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile;
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) { if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak"; progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
} else { } else {
@ -3457,7 +3457,7 @@ sub process_shorewall_conf( $$ ) {
warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var}; warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ); $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
warning_message "Option $var=$val is deprecated" warning_message "Option $var=$val is deprecated"
if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var}; if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
} else { } else {
@ -3613,7 +3613,7 @@ sub get_params() {
print "Params:\n"; print "Params:\n";
print $_ for @params; print $_ for @params;
} }
my ( $variable , $bug ); my ( $variable , $bug );
if ( $params[0] =~ /^declare/ ) { if ( $params[0] =~ /^declare/ ) {
@ -3642,7 +3642,7 @@ sub get_params() {
} else { } else {
warning_message "Param line ($_) ignored" unless $bug++; warning_message "Param line ($_) ignored" unless $bug++;
} }
} }
} }
} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) { } elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
# #
@ -3670,7 +3670,7 @@ sub get_params() {
} else { } else {
warning_message "Param line ($_) ignored" unless $bug++; warning_message "Param line ($_) ignored" unless $bug++;
} }
} }
} }
} else { } else {
# #
@ -3684,7 +3684,7 @@ sub get_params() {
for ( @params ) { for ( @params ) {
if ( /^export (.*?)='(.*'"'"')$/ ) { if ( /^export (.*?)='(.*'"'"')$/ ) {
$params{$variable=$1}="${2}\n"; $params{$variable=$1}="${2}\n";
} elsif ( /^export (.*?)='(.*)'$/ ) { } elsif ( /^export (.*?)='(.*)'$/ ) {
$params{$1} = $2 unless $1 eq '_'; $params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)='(.*)$/ ) { } elsif ( /^export (.*?)='(.*)$/ ) {
@ -3696,7 +3696,7 @@ sub get_params() {
$params{$variable} .= $_; $params{$variable} .= $_;
} else { } else {
warning_message "Param line ($_) ignored" unless $bug++; warning_message "Param line ($_) ignored" unless $bug++;
} }
} }
} }
} }
@ -3993,7 +3993,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'ACCOUNTING' , 'Yes'; default_yes_no 'ACCOUNTING' , 'Yes';
default_yes_no 'OPTIMIZE_ACCOUNTING' , ''; default_yes_no 'OPTIMIZE_ACCOUNTING' , '';
if ( supplied $config{ACCOUNTING_TABLE} ) { if ( supplied $config{ACCOUNTING_TABLE} ) {
my $value = $config{ACCOUNTING_TABLE}; my $value = $config{ACCOUNTING_TABLE};
fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle'; fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
@ -4030,7 +4030,7 @@ sub get_configuration( $$$ ) {
} }
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31; fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} ); $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET}; $globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
@ -4045,7 +4045,7 @@ sub get_configuration( $$$ ) {
} }
if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) { if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS}; $globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
} else { } else {
$globals{USER_MASK} = 0; $globals{USER_MASK} = 0;
@ -4085,7 +4085,7 @@ sub get_configuration( $$$ ) {
default_log_level 'LOGALLNEW', ''; default_log_level 'LOGALLNEW', '';
default_log_level 'SFILTER_LOG_LEVEL', 'info'; default_log_level 'SFILTER_LOG_LEVEL', 'info';
if ( $val = $config{SFILTER_DISPOSITION} ) { if ( $val = $config{SFILTER_DISPOSITION} ) {
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/; fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1; require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
@ -4272,7 +4272,7 @@ sub append_file( $;$$ ) {
my $user_exit = find_file $file; my $user_exit = find_file $file;
my $result = 0; my $result = 0;
my $save_indent = $indent; my $save_indent = $indent;
$indent = '' if $unindented; $indent = '' if $unindented;
unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) { unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
@ -4468,7 +4468,7 @@ sub dump_mark_layout() {
$globals{TC_MAX} + 1, $globals{TC_MAX} + 1,
$globals{USER_MASK}, $globals{USER_MASK},
$globals{USER_MASK} ); $globals{USER_MASK} );
dumpout( "Provider", dumpout( "Provider",
$config{PROVIDER_BITS}, $config{PROVIDER_BITS},
$globals{PROVIDER_MIN}, $globals{PROVIDER_MIN},
@ -4486,7 +4486,7 @@ sub dump_mark_layout() {
$globals{EXCLUSION_MASK}, $globals{EXCLUSION_MASK},
$globals{EXCLUSION_MASK}, $globals{EXCLUSION_MASK},
$globals{EXCLUSION_MASK} ); $globals{EXCLUSION_MASK} );
} }
END { END {
cleanup; cleanup;


@ -293,9 +293,9 @@ sub compare_nets( $$ ) {
@net1 = decompose_net( $_[0] ); @net1 = decompose_net( $_[0] );
@net2 = decompose_net( $_[1] ); @net2 = decompose_net( $_[1] );
$net1[0] eq $net2[0] && $net1[1] == $net2[1]; $net1[0] eq $net2[0] && $net1[1] == $net2[1];
} }
sub allipv4() { sub allipv4() {
@allipv4; @allipv4;
@ -392,7 +392,7 @@ sub validate_portpair( $$ ) {
$what = 'port'; $what = 'port';
} }
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP || defined $protonum && ( $protonum == TCP ||
$protonum == UDP || $protonum == UDP ||
$protonum == SCTP || $protonum == SCTP ||
@ -423,7 +423,7 @@ sub validate_portpair1( $$ ) {
$what = 'port'; $what = 'port';
} }
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP || defined $protonum && ( $protonum == TCP ||
$protonum == UDP || $protonum == UDP ||
$protonum == SCTP || $protonum == SCTP ||


@ -72,9 +72,9 @@ sub process_tos() {
my ( $pretosref, $outtosref ); my ( $pretosref, $outtosref );
first_entry( sub { progress_message2 "$doing $fn..."; first_entry( sub { progress_message2 "$doing $fn...";
warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules"; warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
$pretosref = ensure_chain 'mangle' , $chain; $pretosref = ensure_chain 'mangle' , $chain;
$outtosref = ensure_chain 'mangle' , 'outtos'; $outtosref = ensure_chain 'mangle' , 'outtos';
} }
); );
@ -202,7 +202,7 @@ sub setup_blacklist() {
my $audit = $disposition =~ /^A_/; my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target; my $orig_target = $target;
# #
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly. # for 'refresh' to work properly.
@ -216,7 +216,7 @@ sub setup_blacklist() {
} elsif ( $audit ) { } elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition ); $target = verify_audit( $disposition );
} }
} }
BLACKLIST: BLACKLIST:
@ -253,7 +253,7 @@ sub setup_blacklist() {
for ( @options ) { for ( @options ) {
$whitelist++ if $_ eq 'whitelist'; $whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit'; $auditone++ if $_ eq 'audit';
} }
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1; warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@ -268,7 +268,7 @@ sub setup_blacklist() {
} else { } else {
warning_message "Duplicate 'audit' option ignored" if $auditone > 1; warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
$tgt = verify_audit( 'A_' . $target, $orig_target, $target ); $tgt = verify_audit( 'A_' . $target, $orig_target, $target );
} }
@ -331,7 +331,7 @@ sub setup_blacklist() {
} }
# #
# Remove instances of 'blacklist' from the passed file. # Remove instances of 'blacklist' from the passed file.
# #
sub remove_blacklist( $ ) { sub remove_blacklist( $ ) {
my $file = shift; my $file = shift;
@ -343,7 +343,7 @@ sub remove_blacklist( $ ) {
my $oldfile = open_file $fn; my $oldfile = open_file $fn;
my $newfile; my $newfile;
my $changed; my $changed;
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!"; open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) { while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
@ -358,12 +358,12 @@ sub remove_blacklist( $ ) {
$currentline = join( '#', $rule, $comment ); $currentline = join( '#', $rule, $comment );
} else { } else {
$currentline =~ s/blacklist/ /g; $currentline =~ s/blacklist/ /g;
} }
} }
print $newfile "$currentline\n"; print $newfile "$currentline\n";
} }
close $newfile; close $newfile;
if ( $changed ) { if ( $changed ) {
@ -384,7 +384,7 @@ sub convert_blacklist() {
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target; my $orig_target = $target;
my @rules; my @rules;
if ( @$zones || @$zones1 ) { if ( @$zones || @$zones1 ) {
if ( supplied $level ) { if ( supplied $level ) {
$target = 'blacklog'; $target = 'blacklog';
@ -411,7 +411,7 @@ sub convert_blacklist() {
for ( @options ) { for ( @options ) {
$whitelist++ if $_ eq 'whitelist'; $whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit'; $auditone++ if $_ eq 'audit';
} }
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1; warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@ -481,7 +481,7 @@ sub convert_blacklist() {
EOF EOF
} }
print( $blrules print( $blrules
"#\n" , "#\n" ,
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" , "# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" ); "#\n" );
@ -509,10 +509,10 @@ EOF
$rule .= "all\t\t\t$zone\t\t\t"; $rule .= "all\t\t\t$zone\t\t\t";
} }
} }
$rule .= "\t$protocols" if $protocols ne '-'; $rule .= "\t$protocols" if $protocols ne '-';
$rule .= "\t$ports" if $ports ne '-'; $rule .= "\t$ports" if $ports ne '-';
print $blrules "$rule\n"; print $blrules "$rule\n";
} }
} }
@ -521,19 +521,19 @@ EOF
} else { } else {
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules; warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
} }
if ( -f $fn ) { if ( -f $fn ) {
rename $fn, "$fn.bak"; rename $fn, "$fn.bak";
progress_message2 "Blacklist file $fn saved in $fn.bak"; progress_message2 "Blacklist file $fn saved in $fn.bak";
} }
for my $file ( qw(zones interfaces hosts) ) { for my $file ( qw(zones interfaces hosts) ) {
remove_blacklist $file; remove_blacklist $file;
} }
progress_message2 "Blacklist successfully converted"; progress_message2 "Blacklist successfully converted";
return 1; return 1;
} else { } else {
my $fn = find_file 'blacklist'; my $fn = find_file 'blacklist';
if ( -f $fn ) { if ( -f $fn ) {
@ -697,7 +697,7 @@ sub add_common_rules ( $ ) {
if ( $config{FASTACCEPT} ) { if ( $config{FASTACCEPT} ) {
add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate ) add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
} }
my $policy = $config{SFILTER_DISPOSITION}; my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL}; $level = $config{SFILTER_LOG_LEVEL};
@ -711,11 +711,11 @@ sub add_common_rules ( $ ) {
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target = 'sfilter'; $target = 'sfilter';
} else { } else {
$target = $policy eq 'REJECT' ? 'reject' : $policy; $target = $policy eq 'REJECT' ? 'reject' : $policy;
@ -731,11 +731,11 @@ sub add_common_rules ( $ ) {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target1 = 'sfilter1'; $target1 = 'sfilter1';
} else { } else {
# #
@ -752,9 +752,9 @@ sub add_common_rules ( $ ) {
unless ( $interfaceref->{options}{ignore} ) { unless ( $interfaceref->{options}{ignore} ) {
my @filters = @{$interfaceref->{filter}}; my @filters = @{$interfaceref->{filter}};
$chainref = $filter_table->{forward_option_chain $interface}; $chainref = $filter_table->{forward_option_chain $interface};
if ( @filters ) { if ( @filters ) {
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
} elsif ( $interfaceref->{bridge} eq $interface ) { } elsif ( $interfaceref->{bridge} eq $interface ) {
@ -765,12 +765,12 @@ sub add_common_rules ( $ ) {
$interfaceref->{physical} eq '+' ); $interfaceref->{physical} eq '+' );
} }
if ( @filters ) { if ( @filters ) {
$chainref = $filter_table->{input_option_chain $interface}; $chainref = $filter_table->{input_option_chain $interface};
add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
} }
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref; add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT}; add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
@ -915,13 +915,13 @@ sub add_common_rules ( $ ) {
1 ) for input_option_chain( $interface ), output_option_chain( $interface ); 1 ) for input_option_chain( $interface ), output_option_chain( $interface );
add_ijump( $filter_table->{forward_option_chain $interface} , add_ijump( $filter_table->{forward_option_chain $interface} ,
j => 'ACCEPT', j => 'ACCEPT',
p => "udp --dport $ports" , p => "udp --dport $ports" ,
imatch_dest_dev( $interface ) ) imatch_dest_dev( $interface ) )
if get_interface_option( $interface, 'bridge' ); if get_interface_option( $interface, 'bridge' );
unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) { unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
add_ijump( $filter_table->{input_chain( $interface ) } , add_ijump( $filter_table->{input_chain( $interface ) } ,
j => 'ACCEPT' , j => 'ACCEPT' ,
p => "udp --dport $ports" , p => "udp --dport $ports" ,
s => NILIPv4 . '/32' ); s => NILIPv4 . '/32' );
@ -948,7 +948,7 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
$globals{LOGPARMS} = $savelogparms; $globals{LOGPARMS} = $savelogparms;
if ( $audit ) { if ( $audit ) {
@ -1128,7 +1128,7 @@ sub setup_mac_lists( $ ) {
my $source = match_source_net $address; my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if supplied $level; if supplied $level;
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" ); add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
} }
@ -1348,7 +1348,7 @@ sub handle_loopback_traffic() {
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref); my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
insert_ijump( $natout, insert_ijump( $natout,
j => $exclusion, j => $exclusion,
$rulenum++, $rulenum++,
imatch_source_net( $net , 0, ) ); imatch_source_net( $net , 0, ) );
@ -1383,7 +1383,7 @@ sub add_interface_jumps {
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) { if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface}; insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
@ -1410,7 +1410,7 @@ sub add_interface_jumps {
) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge}; ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_ijump( $filter_table->{forward_chain $bridge} , add_ijump( $filter_table->{forward_chain $bridge} ,
j => $forwardref , j => $forwardref ,
imatch_source_dev( $interface, 1 ) imatch_source_dev( $interface, 1 )
) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref; ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
@ -1449,7 +1449,7 @@ sub add_interface_jumps {
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
# #
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and # The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
# nat-table rules. # nat-table rules.
# #
sub generate_matrix() { sub generate_matrix() {
@ -1462,7 +1462,7 @@ sub generate_matrix() {
my $fw = firewall_zone; my $fw = firewall_zone;
my @zones = off_firewall_zones; my @zones = off_firewall_zones;
my @vservers = vserver_zones; my @vservers = vserver_zones;
my $notrackref = $raw_table->{notrack_chain $fw}; my $notrackref = $raw_table->{notrack_chain $fw};
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $interface_jumps_added = 0; my $interface_jumps_added = 0;
@ -1480,7 +1480,7 @@ sub generate_matrix() {
# #
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{complex}; next if @zones <= 2 && ! $zoneref->{complex};
# #
# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain # Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
@ -1689,14 +1689,14 @@ sub generate_matrix() {
imatch_source_dev( $interface), imatch_source_dev( $interface),
@source, @source,
@ipsec_in_match ); @ipsec_in_match );
if ( get_physical( $interface ) eq '+' ) { if ( get_physical( $interface ) eq '+' ) {
# #
# The jump from the PREROUTING chain to dnat may not have been added above # The jump from the PREROUTING chain to dnat may not have been added above
# #
addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING}; addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
} }
check_optimization( $dnatref ) if @source; check_optimization( $dnatref ) if @source;
} }
@ -1725,7 +1725,7 @@ sub generate_matrix() {
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) { if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
$inputchainref = $interfacechainref; $inputchainref = $interfacechainref;
if ( $isport ) { if ( $isport ) {
add_ijump( $filter_table->{ input_chain $bridge }, add_ijump( $filter_table->{ input_chain $bridge },
j => $inputchainref , j => $inputchainref ,
@ -1762,7 +1762,7 @@ sub generate_matrix() {
if ( use_forward_chain $interface, $forwardref ) { if ( use_forward_chain $interface, $forwardref ) {
add_ijump $forwardref , j => $ref, @source, @ipsec_in_match; add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
if ( $isport ) { if ( $isport ) {
add_ijump( $filter_table->{ forward_chain $bridge } , add_ijump( $filter_table->{ forward_chain $bridge } ,
j => $forwardref , j => $forwardref ,
@ -1903,7 +1903,7 @@ sub generate_matrix() {
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
# #
$chain3ref = $forwardchainref; $chain3ref = $forwardchainref;
if ( $interfaceref->{options}{port} ) { if ( $interfaceref->{options}{port} ) {
add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } , add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
j => $chain3ref, j => $chain3ref,


@ -54,7 +54,7 @@ sub initialize() {
# #
sub process_one_masq( ) sub process_one_masq( )
{ {
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 }; split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
if ( $interfacelist eq 'COMMENT' ) { if ( $interfacelist eq 'COMMENT' ) {
@ -208,7 +208,7 @@ sub process_one_masq( )
$addrlist .= "--to-source $addr "; $addrlist .= "--to-source $addr ";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/; $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else { } else {
my $ports = $addr; my $ports = $addr;
$ports =~ s/^://; $ports =~ s/^://;
validate_portpair1( $proto, $ports ); validate_portpair1( $proto, $ports );
$addrlist .= "--to-ports $ports "; $addrlist .= "--to-ports $ports ";
@ -426,7 +426,7 @@ sub setup_netmap() {
unless ( $type =~ /:/ ) { unless ( $type =~ /:/ ) {
my @rulein; my @rulein;
my @ruleout; my @ruleout;
validate_net $net1, 0; validate_net $net1, 0;
validate_net $net2, 0; validate_net $net2, 0;
@ -439,7 +439,7 @@ sub setup_netmap() {
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', ''; require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
j => 'NETMAP' , j => 'NETMAP' ,
"--to $net2", "--to $net2",
$net1 , $net1 ,
@ -465,10 +465,10 @@ sub setup_netmap() {
validate_net $net2, 0; validate_net $net2, 0;
unless ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface ); @match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
if ( $chain eq 'P' ) { if ( $chain eq 'P' ) {
$chain = prerouting_chain $interface; $chain = prerouting_chain $interface;
@match = imatch_source_dev( $iface ) unless $iface eq $interface; @match = imatch_source_dev( $iface ) unless $iface eq $interface;
@ -481,7 +481,7 @@ sub setup_netmap() {
my $chainref = ensure_chain( $table, $chain ); my $chainref = ensure_chain( $table, $chain );
if ( $target eq 'DNAT' ) { if ( $target eq 'DNAT' ) {
dest_iexclusion( $chainref , dest_iexclusion( $chainref ,
j => 'RAWDNAT' , j => 'RAWDNAT' ,
@ -504,7 +504,7 @@ sub setup_netmap() {
fatal_error 'TYPE must be specified' if $type eq '-'; fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)"; fatal_error "Invalid TYPE ($type)";
} }
progress_message " Network $net1 on $iface mapped to $net2 ($type)"; progress_message " Network $net1 on $iface mapped to $net2 ($type)";
} }
} }


@ -286,7 +286,7 @@ sub setup_interface_proc( $ ) {
if ( interface_has_option( $interface, 'arp_filter' , $value ) ) { if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter"; push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
} }
if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) { if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore"; push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
} }
@ -315,6 +315,6 @@ sub setup_interface_proc( $ ) {
emit "fi\n"; emit "fi\n";
} }
} }
1; 1;


@ -161,7 +161,7 @@ sub setup_route_marking() {
my $chainref2 = new_chain( 'mangle', load_chain( $physical ) ); my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ); set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
add_ijump ( $chainref1, add_ijump ( $chainref1,
j => $chainref2 , j => $chainref2 ,
mark => "--mark 0/$mask" ); mark => "--mark 0/$mask" );
@ -171,7 +171,7 @@ sub setup_route_marking() {
sub copy_table( $$$ ) { sub copy_table( $$$ ) {
my ( $duplicate, $number, $realm ) = @_; my ( $duplicate, $number, $realm ) = @_;
my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : ''; my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
emit ''; emit '';
@ -186,7 +186,7 @@ sub copy_table( $$$ ) {
' default)', ' default)',
' ;;', ' ;;',
' *)' ); ' *)' );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit ( ' case $net in', emit ( ' case $net in',
' 255.255.255.255*)', ' 255.255.255.255*)',
@ -218,7 +218,7 @@ sub copy_and_edit_table( $$$$ ) {
# Shell and iptables use a different wildcard character # Shell and iptables use a different wildcard character
# #
$copy =~ s/\+/*/g; $copy =~ s/\+/*/g;
emit ''; emit '';
if ( $realm ) { if ( $realm ) {
@ -244,7 +244,7 @@ sub copy_and_edit_table( $$$$ ) {
); );
} else { } else {
emit ( " run_ip route add table $number \$net \$route $realm" ); emit ( " run_ip route add table $number \$net \$route $realm" );
} }
emit ( ' ;;', emit ( ' ;;',
' esac', ' esac',
@ -557,9 +557,9 @@ sub process_a_provider() {
# Generate the start_provider_...() function for the passed provider # Generate the start_provider_...() function for the passed provider
# #
sub add_a_provider( $$ ) { sub add_a_provider( $$ ) {
my ( $providerref, $tcdevices ) = @_; my ( $providerref, $tcdevices ) = @_;
my $table = $providerref->{provider}; my $table = $providerref->{provider};
my $number = $providerref->{number}; my $number = $providerref->{number};
my $mark = $providerref->{rawmark}; my $mark = $providerref->{rawmark};
@ -610,9 +610,9 @@ sub add_a_provider( $$ ) {
emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load; emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
emit( '', emit( '',
"cat <<EOF >> \${VARDIR}/undo_${table}_routing" ); "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
emit_unindented 'case \$COMMAND in'; emit_unindented 'case \$COMMAND in';
emit_unindented ' enable|disable)'; emit_unindented ' enable|disable)';
emit_unindented ' ;;'; emit_unindented ' ;;';
@ -686,7 +686,7 @@ CEOF
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number); emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing); emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
} }
$fallback = 1; $fallback = 1;
} }
@ -724,19 +724,19 @@ CEOF
emit ''; emit '';
emit $_ for @{$providers{$table}->{rules}}; emit $_ for @{$providers{$table}->{rules}};
} }
if ( @{$providerref->{routes}} ) { if ( @{$providerref->{routes}} ) {
emit ''; emit '';
emit $_ for @{$providers{$table}->{routes}}; emit $_ for @{$providers{$table}->{routes}};
} }
emit( '' ); emit( '' );
my ( $tbl, $weight ); my ( $tbl, $weight );
emit( qq(echo 0 > \${VARDIR}/${physical}.status) ); emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
if ( $optional ) { if ( $optional ) {
emit( '', emit( '',
'if [ $COMMAND = enable ]; then' ); 'if [ $COMMAND = enable ]; then' );
@ -775,7 +775,7 @@ CEOF
emit ( qq(progress_message2 " Provider $table ($number) Started") ); emit ( qq(progress_message2 " Provider $table ($number) Started") );
pop_indent; pop_indent;
emit( 'else' ); emit( 'else' );
emit( qq( echo $weight > \${VARDIR}/${physical}_weight) , emit( qq( echo $weight > \${VARDIR}/${physical}_weight) ,
qq( progress_message " Provider $table ($number) Started"), qq( progress_message " Provider $table ($number) Started"),
@ -785,18 +785,18 @@ CEOF
emit( qq(echo 0 > \${VARDIR}/${physical}.status) ); emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
emit( qq(progress_message "Provider $table ($number) Started") ); emit( qq(progress_message "Provider $table ($number) Started") );
} }
pop_indent; pop_indent;
emit 'else'; emit 'else';
push_indent; push_indent;
emit( qq(echo 1 > \${VARDIR}/${physical}.status) ); emit( qq(echo 1 > \${VARDIR}/${physical}.status) );
if ( $optional ) { if ( $optional ) {
if ( $shared ) { if ( $shared ) {
emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" ); emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
} else { } else {
emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" ); emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
} }
@ -839,7 +839,7 @@ CEOF
if ( $gateway ) { if ( $gateway ) {
$via = "via $gateway dev $physical"; $via = "via $gateway dev $physical";
} else { } else {
$via = "dev $physical"; $via = "dev $physical";
} }
@ -856,7 +856,7 @@ CEOF
"distribute_load $maxload @load_interfaces" ) if $load; "distribute_load $maxload @load_interfaces" ) if $load;
unless ( $shared ) { unless ( $shared ) {
emit( '', emit( '',
"qt \$TC qdisc del dev $physical root", "qt \$TC qdisc del dev $physical root",
"qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface}; "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
} }
@ -1001,14 +1001,14 @@ sub add_a_route( ) {
my $routes = $providerref->{routes}; my $routes = $providerref->{routes};
fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE; fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
if ( $gateway ne '-' ) { if ( $gateway ne '-' ) {
if ( $device ne '-' ) { if ( $device ne '-' ) {
push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number); push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
} else { } else {
push @$routes, qq(run_ip route add $dest via $gateway table $number); push @$routes, qq(run_ip route add $dest via $gateway table $number);
emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
} }
} else { } else {
fatal_error "You must specify a device for this route" unless $physical; fatal_error "You must specify a device for this route" unless $physical;
@ -1055,7 +1055,7 @@ sub start_providers() {
emit 'DEFAULT_ROUTE='; emit 'DEFAULT_ROUTE=';
emit 'FALLBACK_ROUTE='; emit 'FALLBACK_ROUTE=';
emit ''; emit '';
for my $provider ( qw/main default/ ) { for my $provider ( qw/main default/ ) {
emit ''; emit '';
emit qq(> \${VARDIR}/undo_${provider}_routing ); emit qq(> \${VARDIR}/undo_${provider}_routing );
@ -1068,7 +1068,7 @@ sub start_providers() {
sub finish_providers() { sub finish_providers() {
my $table = MAIN_TABLE; my $table = MAIN_TABLE;
if ( $config{USE_DEFAULT_RT} ) { if ( $config{USE_DEFAULT_RT} ) {
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999', emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765', 'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
@ -1096,7 +1096,7 @@ sub finish_providers() {
'' ''
); );
} }
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else', 'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
@ -1163,7 +1163,7 @@ sub process_providers( $ ) {
$lastmark = 0; $lastmark = 0;
if ( my $fn = open_file 'providers' ) { if ( my $fn = open_file 'providers' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
process_a_provider, $providers++ while read_a_line( NORMAL_READ ); process_a_provider, $providers++ while read_a_line( NORMAL_READ );
} }
@ -1180,7 +1180,7 @@ sub process_providers( $ ) {
if ( $fn ) { if ( $fn ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
emit ''; emit '';
add_an_rtrule while read_a_line( NORMAL_READ ); add_an_rtrule while read_a_line( NORMAL_READ );
@ -1196,7 +1196,7 @@ sub process_providers( $ ) {
} }
add_a_provider( $providers{$_}, $tcdevices ) for @providers; add_a_provider( $providers{$_}, $tcdevices ) for @providers;
emit << 'EOF';; emit << 'EOF';;
# #
@ -1221,7 +1221,7 @@ EOF
emit( "$providerref->{physical}|$provider)" ); emit( "$providerref->{physical}|$provider)" );
} }
emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
" start_provider_$provider", " start_provider_$provider",
' else', ' else',
" startup_error \"Interface $providerref->{physical} is already enabled\"", " startup_error \"Interface $providerref->{physical} is already enabled\"",
@ -1257,7 +1257,7 @@ EOF
my $providerref = $providers{$provider}; my $providerref = $providers{$provider};
emit( "$providerref->{physical}|$provider)", emit( "$providerref->{physical}|$provider)",
" if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", " if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
" stop_provider_$provider", " stop_provider_$provider",
' else', ' else',
" startup_error \"Interface $providerref->{physical} is already disabled\"", " startup_error \"Interface $providerref->{physical} is already disabled\"",
@ -1284,11 +1284,11 @@ sub setup_providers() {
if ( $providers ) { if ( $providers ) {
emit "\nif [ -z \"\$g_noroutes\" ]; then"; emit "\nif [ -z \"\$g_noroutes\" ]; then";
push_indent; push_indent;
start_providers; start_providers;
emit ''; emit '';
emit "start_provider_$_" for @providers; emit "start_provider_$_" for @providers;
@ -1515,7 +1515,7 @@ sub handle_stickiness( $ ) {
$rule1 = clone_rule( $_ ); $rule1 = clone_rule( $_ );
clear_rule_target( $rule1 ); clear_rule_target( $rule1 );
set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" );
$rule2 = ''; $rule2 = '';
} }
@ -1549,7 +1549,7 @@ sub handle_stickiness( $ ) {
while ( my ( $key, $value ) = each %$_ ) { while ( my ( $key, $value ) = each %$_ ) {
$rule2->{$key} = $value; $rule2->{$key} = $value;
} }
clear_rule_target( $rule2 ); clear_rule_target( $rule2 );
set_rule_option ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" ); set_rule_option ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
} else { } else {
@ -1584,7 +1584,7 @@ sub handle_stickiness( $ ) {
sub setup_load_distribution() { sub setup_load_distribution() {
emit ( '', emit ( '',
" distribute_load $maxload @load_interfaces" , " distribute_load $maxload @load_interfaces" ,
'' ''
) if @load_interfaces; ) if @load_interfaces;
} }


@ -105,7 +105,7 @@ sub process_notrack_rule( $$$$$$$ ) {
'' , '' ,
$target , $target ,
$exception_rule ); $exception_rule );
progress_message " Notrack rule \"$currentline\" $done"; progress_message " Notrack rule \"$currentline\" $done";
$globals{UNTRACKED} = 1; $globals{UNTRACKED} = 1;
@ -130,36 +130,36 @@ sub setup_notrack() {
my $nonEmpty = 0; my $nonEmpty = 0;
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ( $source, $dest, $proto, $ports, $sports, $user ); my ( $source, $dest, $proto, $ports, $sports, $user );
if ( $format == 1 ) { if ( $format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 }; ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'FORMAT' ) { if ( $source eq 'FORMAT' ) {
$format = process_format( $dest ); $format = process_format( $dest );
next; next;
} }
if ( $source eq 'COMMENT' ) { if ( $source eq 'COMMENT' ) {
process_comment; process_comment;
next; next;
} }
} else { } else {
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 }; ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) { if ( $action eq 'FORMAT' ) {
$format = process_format( $source ); $format = process_format( $source );
$action = 'NOTRACK'; $action = 'NOTRACK';
next; next;
} }
if ( $action eq 'COMMENT' ) { if ( $action eq 'COMMENT' ) {
process_comment; process_comment;
next; next;
} }
} }
process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user; process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
} }


@ -341,7 +341,7 @@ sub process_a_policy() {
fatal_error "Invalid default action ($default:$remainder)" if defined $remainder; fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
( $policy , my $queue ) = get_target_param $policy; ( $policy , my $queue ) = get_target_param $policy;
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
if ( $audit ) { if ( $audit ) {
@ -492,7 +492,7 @@ sub process_policies()
for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) { for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $action = $config{$option}; my $action = $config{$option};
unless ( $action eq 'none' ) { unless ( $action eq 'none' ) {
my ( $act, $param ) = get_target_param( $action ); my ( $act, $param ) = get_target_param( $action );
@ -552,7 +552,7 @@ sub policy_rules( $$$$$ ) {
add_ijump $chainref, j => $default if $default && $default ne 'none'; add_ijump $chainref, j => $default if $default && $default ne 'none';
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
} }
@ -685,7 +685,7 @@ sub setup_syn_flood_chains() {
my $limit = $chainref->{synparams}; my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) { if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
my $synchainref = @zones > 1 ? my $synchainref = @zones > 1 ?
new_chain 'filter' , syn_flood_chain $chainref : new_chain 'filter' , syn_flood_chain $chainref :
new_chain( 'filter' , '@' . $chainref->{name} ); new_chain( 'filter' , '@' . $chainref->{name} );
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
@ -763,7 +763,7 @@ sub finish_chain_section ($$) {
my $chain = $chainref->{name}; my $chain = $chainref->{name};
my $related_level = $config{RELATED_LOG_LEVEL}; my $related_level = $config{RELATED_LOG_LEVEL};
my $related_target = $globals{RELATED_TARGET}; my $related_target = $globals{RELATED_TARGET};
push_comment(''); #These rules should not have comments push_comment(''); #These rules should not have comments
if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) { if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
@ -775,7 +775,7 @@ sub finish_chain_section ($$) {
$config{RELATED_DISPOSITION}, $config{RELATED_DISPOSITION},
'' ); '' );
add_ijump( $relatedref, g => $related_target ); add_ijump( $relatedref, g => $related_target );
$related_target = $relatedref->{name}; $related_target = $relatedref->{name};
} }
@ -863,9 +863,9 @@ sub split_action ( $ ) {
# #
# Create a normalized action name from the passed pieces. # Create a normalized action name from the passed pieces.
# #
# Internally, action invocations are uniquely identified by a 4-tuple that # Internally, action invocations are uniquely identified by a 4-tuple that
# includes the action name, log level, log tag and params. The pieces of the tuple # includes the action name, log level, log tag and params. The pieces of the tuple
# are separated by ":". # are separated by ":".
# #
sub normalize_action( $$$ ) { sub normalize_action( $$$ ) {
my $action = shift; my $action = shift;
@ -904,7 +904,7 @@ sub externalize( $ ) {
$target .= ":$tag" if $tag; $target .= ":$tag" if $tag;
$target; $target;
} }
# #
# Define an Action # Define an Action
# #
@ -988,7 +988,7 @@ sub createsimpleactionchain( $ ) {
my $normalized = normalize_action_name( $action ); my $normalized = normalize_action_name( $action );
return createlogactionchain( $normalized, $action, 'none', '', '' ) if $filter_table->{$action} || $nat_table->{$action}; return createlogactionchain( $normalized, $action, 'none', '', '' ) if $filter_table->{$action} || $nat_table->{$action};
my $chainref = new_standard_chain $action; my $chainref = new_standard_chain $action;
$usedactions{$normalized} = $chainref; $usedactions{$normalized} = $chainref;
@ -1205,7 +1205,7 @@ sub dropBcast( $$$$ ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' ); log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
} }
} }
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST'; add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -1482,8 +1482,8 @@ sub process_action( $) {
if ( $target eq 'DEFAULTS' ) { if ( $target eq 'DEFAULTS' ) {
default_action_params( $action, split_list $source, 'defaults' ), next if $format == 2; default_action_params( $action, split_list $source, 'defaults' ), next if $format == 2;
fatal_error 'DEFAULTS only allowed in FORMAT-2 actions'; fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
} }
process_rule1( $chainref, process_rule1( $chainref,
merge_levels( "$action:$level:$tag", $target ), merge_levels( "$action:$level:$tag", $target ),
@ -1520,7 +1520,7 @@ sub process_action( $) {
# #
sub use_policy_action( $ ) { sub use_policy_action( $ ) {
my $ref = use_action( $_[0] ); my $ref = use_action( $_[0] );
process_action( $ref ) if $ref; process_action( $ref ) if $ref;
} }
@ -1559,7 +1559,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
} }
fatal_error 'TARGET must be specified' if $mtarget eq '-'; fatal_error 'TARGET must be specified' if $mtarget eq '-';
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment; process_comment unless $nocomment;
next; next;
@ -1663,12 +1663,12 @@ sub verify_audit($;$$) {
# #
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
# #
sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
$target, $target,
$current_param, $current_param,
$source, $source,
$dest, $dest,
@ -1693,7 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my $normalized_target; my $normalized_target;
my $normalized_action; my $normalized_action;
my $blacklist = ( $section eq 'BLACKLIST' ); my $blacklist = ( $section eq 'BLACKLIST' );
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref; ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
$param = '' unless defined $param; $param = '' unless defined $param;
@ -1822,8 +1822,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
CONTINUE => sub { $action = 'RETURN'; } , CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub { WHITELIST => sub {
fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
$action = 'RETURN'; $action = 'RETURN';
} , } ,
@ -1838,7 +1838,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$function->(); $function->();
} elsif ( $actiontype & SET ) { } elsif ( $actiontype & SET ) {
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' ); my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
my ( $setname, $flags, $rest ) = split ':', $param, 3; my ( $setname, $flags, $rest ) = split ':', $param, 3;
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest; fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/; fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
@ -1864,7 +1864,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$sourcezone = $source; $sourcezone = $source;
$source = ALLIP; $source = ALLIP;
} }
if ( $dest =~ /^(.*?):(.*)/ ) { if ( $dest =~ /^(.*?):(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $2 eq ''; fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
$destzone = $1; $destzone = $1;
@ -1927,7 +1927,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# We are generating rules in an action chain -- the chain name is the name of that action chain # We are generating rules in an action chain -- the chain name is the name of that action chain
# #
$chain = $chainref->{name}; $chain = $chainref->{name};
} else { } else {
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
# #
# Check for illegal bridge port rule # Check for illegal bridge port rule
@ -1971,7 +1971,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
if ( $blacklist ) { if ( $blacklist ) {
my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} ); my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
my $blacklistref = $filter_table->{$blacklistchain}; my $blacklistref = $filter_table->{$blacklistchain};
unless ( $blacklistref ) { unless ( $blacklistref ) {
my @state; my @state;
$blacklistref = new_chain 'filter', $blacklistchain; $blacklistref = new_chain 'filter', $blacklistchain;
@ -1979,7 +1979,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY}; @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
add_ijump( $chainref, j => $blacklistref, @state ); add_ijump( $chainref, j => $blacklistref, @state );
} }
$chain = $blacklistchain; $chain = $blacklistchain;
$chainref = $blacklistref; $chainref = $blacklistref;
} }
@ -2017,7 +2017,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
unless ( $section eq 'NEW' || $inaction ) { unless ( $section eq 'NEW' || $inaction ) {
if ( $config{FASTACCEPT} ) { if ( $config{FASTACCEPT} ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
$section eq 'BLACKLIST' || $section eq 'BLACKLIST' ||
( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) ) ( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
} }
@ -2407,7 +2407,7 @@ sub process_rule ( ) {
progress_message "Rule \"$currentline\" ignored."; progress_message "Rule \"$currentline\" ignored.";
return 1; return 1;
} }
my $intrazone = 0; my $intrazone = 0;
my $wild = 0; my $wild = 0;
my $thisline = $currentline; #We must save $currentline because it is overwritten by macro expansion my $thisline = $currentline; #We must save $currentline because it is overwritten by macro expansion
@ -2473,11 +2473,11 @@ sub classic_blacklist() {
my @vservers = vserver_zones; my @vservers = vserver_zones;
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $result; my $result;
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex}; my $simple = @zones <= 2 && ! $zoneref->{complex};
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers; add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;


@ -200,7 +200,7 @@ sub process_tc_rule( ) {
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }; split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }; split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
} }
@ -220,13 +220,13 @@ sub process_tc_rule( ) {
my $chain = $globals{MARKING_CHAIN}; my $chain = $globals{MARKING_CHAIN};
my $classid = 0; my $classid = 0;
if ( $remainder ) { if ( $remainder ) {
if ( $originalmark =~ /^\w+\(?.*\)$/ ) { if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
$mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
} else { } else {
fatal_error "Invalid MARK ($originalmark)" fatal_error "Invalid MARK ($originalmark)"
unless ( $mark =~ /^([0-9a-fA-F]+)$/ && unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
$designator =~ /^([0-9a-fA-F]+)$/ && $designator =~ /^([0-9a-fA-F]+)$/ &&
( $chain = $designator{$remainder} ) ); ( $chain = $designator{$remainder} ) );
$mark = join( ':', $mark, $designator ); $mark = join( ':', $mark, $designator );
$classid = 1; $classid = 1;
@ -287,7 +287,7 @@ sub process_tc_rule( ) {
$val = numeric_value ($s); $val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128; fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
$shift = $s; $shift = $s;
} }
} else { } else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK'; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
} }
@ -379,7 +379,7 @@ sub process_tc_rule( ) {
}, },
DSCP => sub() { DSCP => sub() {
assert( $cmd =~ /^DSCP\((\w+)\)$/ ); assert( $cmd =~ /^DSCP\((\w+)\)$/ );
require_capability 'DSCP_TARGET', 'The DSCP action', 's'; require_capability 'DSCP_TARGET', 'The DSCP action', 's';
my $dscp = numeric_value( $1 ); my $dscp = numeric_value( $1 );
$dscp = $dscpmap{$1} unless defined $dscp; $dscp = $dscpmap{$1} unless defined $dscp;
fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 ); fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
@ -526,7 +526,7 @@ sub process_tc_rule( ) {
} }
} }
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) ); fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction, $restrictions{$chain} | $restriction,
@ -587,7 +587,7 @@ sub calculate_quantum( $$ ) {
# #
sub process_in_bandwidth( $ ) { sub process_in_bandwidth( $ ) {
my $in_rate = shift; my $in_rate = shift;
return 0 if $in_rate eq '-' or $in_rate eq '0'; return 0 if $in_rate eq '-' or $in_rate eq '0';
my $in_burst = '10kb'; my $in_burst = '10kb';
@ -605,7 +605,7 @@ sub process_in_bandwidth( $ ) {
fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay ); fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay );
fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/; fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/;
fatal_error "Invalid Decay ($in_decay)" unless $in_decay =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/; fatal_error "Invalid Decay ($in_decay)" unless $in_decay =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/;
if ( $in_decay =~ /ms/ ) { if ( $in_decay =~ /ms/ ) {
fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms'; fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms';
} else { } else {
@ -615,12 +615,12 @@ sub process_in_bandwidth( $ ) {
$decay =~ s/sec//; $decay =~ s/sec//;
fatal_error "Decay must be at least twice the interval" unless $decay > $interval; fatal_error "Decay must be at least twice the interval" unless $decay > $interval;
} }
} }
} }
$in_avrate = rate_to_kbit( $in_rate ); $in_avrate = rate_to_kbit( $in_rate );
$in_rate = 0; $in_rate = 0;
} else { } else {
if ( $in_band =~ /:/ ) { if ( $in_band =~ /:/ ) {
( $in_band, $burst ) = split /:/, $in_rate, 2; ( $in_band, $burst ) = split /:/, $in_rate, 2;
@ -629,7 +629,7 @@ sub process_in_bandwidth( $ ) {
} }
$in_rate = rate_to_kbit( $in_band ); $in_rate = rate_to_kbit( $in_band );
} }
[ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ]; [ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
@ -643,7 +643,7 @@ sub handle_in_bandwidth( $$ ) {
my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref; my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
emit ( "run_tc qdisc add dev $physical handle ffff: ingress" ); emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
if ( have_capability 'BASIC_FILTER' ) { if ( have_capability 'BASIC_FILTER' ) {
if ( $in_rate ) { if ( $in_rate ) {
emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\", emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
@ -663,7 +663,7 @@ sub handle_in_bandwidth( $$ ) {
" police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" ); " police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" );
} }
} }
sub process_flow($) { sub process_flow($) {
my $flow = shift; my $flow = shift;
@ -774,7 +774,7 @@ sub process_simple_device() {
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER'; emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit ''; emit '';
} }
emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" . emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
"\\\n match ip protocol 6 0xff" . "\\\n match ip protocol 6 0xff" .
"\\\n match u8 0x05 0x0f at 0" . "\\\n match u8 0x05 0x0f at 0" .
@ -1319,7 +1319,7 @@ sub process_tc_filter() {
} else { } else {
push @$filtersref, ( "\nrun_tc $rule\\" , push @$filtersref, ( "\nrun_tc $rule\\" ,
" link $tnum:0 offset plus 40 eat" ); " link $tnum:0 offset plus 40 eat" );
} }
# #
# The rule to match the port(s) will be inserted into the new table # The rule to match the port(s) will be inserted into the new table
# #
@ -1452,9 +1452,9 @@ sub process_tcfilters() {
if ( $fn ) { if ( $fn ) {
my @family = ( $family ); my @family = ( $family );
first_entry( "$doing $fn..." ); first_entry( "$doing $fn..." );
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
if ( $currentline =~ /^\s*IPV4\s*$/ ) { if ( $currentline =~ /^\s*IPV4\s*$/ ) {
Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4; Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
@ -1586,7 +1586,7 @@ sub process_tcpri() {
add_ijump( $mangle_table->{tcpost} , add_ijump( $mangle_table->{tcpost} ,
j => 'CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} ), j => 'CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} ),
mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
); );
} }
} }
@ -1711,7 +1711,7 @@ sub process_traffic_shaping() {
my $priority = $tcref->{priority} << 8; my $priority = $tcref->{priority} << 8;
my $parent = in_hexp $tcref->{parent}; my $parent = in_hexp $tcref->{parent};
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" ); emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
if ( $devref->{qdisc} eq 'htb' ) { if ( $devref->{qdisc} eq 'htb' ) {
@ -1758,7 +1758,7 @@ sub process_traffic_shaping() {
my ( $tos, $mask ) = split q(/), $tospair; my ( $tos, $mask ) = split q(/), $tospair;
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid"; emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
} }
save_progress_message_short qq(" TC Class $classid defined."); save_progress_message_short qq(" TC Class $classid defined.");
emit ''; emit '';
@ -1767,7 +1767,7 @@ sub process_traffic_shaping() {
emit ''; emit '';
emit "$_" for @{$devref->{filters}}; emit "$_" for @{$devref->{filters}};
save_progress_message_short qq(" TC Device $device defined."); save_progress_message_short qq(" TC Device $device defined.");
pop_indent; pop_indent;
@ -1819,7 +1819,7 @@ sub process_tc() {
# enabled. # enabled.
my %empty; my %empty;
$config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices; $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
} }


@ -279,7 +279,7 @@ sub setup_tunnels() {
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} ); $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
} }
progress_message " Tunnel \"$currentline\" $done"; progress_message " Tunnel \"$currentline\" $done";
} }


@ -711,7 +711,7 @@ sub add_group_to_zone($$$$$)
my $interfaceref; my $interfaceref;
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type}; my $zonetype = $zoneref->{type};
$zoneref->{interfaces}{$interface} = 1; $zoneref->{interfaces}{$interface} = 1;
@ -936,7 +936,7 @@ sub process_interface( $$ ) {
fatal_error "Invalid FORMAT ($1)"; fatal_error "Invalid FORMAT ($1)";
} }
if ( $zone eq '-' ) { if ( $zone eq '-' ) {
$zone = ''; $zone = '';
} else { } else {
@ -992,7 +992,7 @@ sub process_interface( $$ ) {
$root = substr( $interface, 0, -1 ); $root = substr( $interface, 0, -1 );
$roots{$root} = $interface; $roots{$root} = $interface;
my $len = length $root; my $len = length $root;
if ( $minroot ) { if ( $minroot ) {
$minroot = $len if $minroot > $len; $minroot = $len if $minroot > $len;
} else { } else {
@ -1090,7 +1090,7 @@ sub process_interface( $$ ) {
assert( 0 ); assert( 0 );
} }
} elsif ( $type == NUMERIC_IF_OPTION ) { } elsif ( $type == NUMERIC_IF_OPTION ) {
fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
$value = $defaultinterfaceoptions{$option} unless defined $value; $value = $defaultinterfaceoptions{$option} unless defined $value;
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
my $numval = numeric_value $value; my $numval = numeric_value $value;
@ -1208,7 +1208,7 @@ sub process_interface( $$ ) {
sub validate_interfaces_file( $ ) { sub validate_interfaces_file( $ ) {
my $export = shift; my $export = shift;
our $format = 1; our $format = 1;
my @ifaces; my @ifaces;
my $nextinum = 1; my $nextinum = 1;
@ -1297,7 +1297,7 @@ sub known_interface($)
if ( $minroot ) { if ( $minroot ) {
while ( length $iface > $minroot ) { while ( length $iface > $minroot ) {
chop $iface; chop $iface;
if ( my $i = $roots{$iface} ) { if ( my $i = $roots{$iface} ) {
$interfaceref = $interfaces{$i}; $interfaceref = $interfaces{$i};
@ -1373,7 +1373,7 @@ sub physical_name( $ ) {
$devref ? $devref->{physical} : $device; $devref ? $devref->{physical} : $device;
} }
# #
# Returns true if there are bridge port zones defined in the config # Returns true if there are bridge port zones defined in the config
# #
@ -1479,7 +1479,7 @@ sub get_interface_option( $$ ) {
assert( $ref = known_interface( $interface ) ); assert( $ref = known_interface( $interface ) );
$ref->{options}{$option}; $ref->{options}{$option};
} }
# #
@ -1742,7 +1742,7 @@ sub compile_updown() {
if ( @$optional ) { if ( @$optional ) {
my @interfaces = map $interfaces{$_}->{physical}, @$optional; my @interfaces = map $interfaces{$_}->{physical}, @$optional;
my $interfaces = join '|', @interfaces; my $interfaces = join '|', @interfaces;
if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) { if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
emit( "$interfaces)", emit( "$interfaces)",
@ -1838,7 +1838,7 @@ sub process_host( ) {
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root}; fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts" fatal_error "Invalid HOST(S) column contents: $hosts"
} }
if ( $hosts =~ /^!?\+/ ) { if ( $hosts =~ /^!?\+/ ) {


@ -38,7 +38,7 @@ checkkernelversion() {
if [ $g_family -eq 6 ]; then if [ $g_family -eq 6 ]; then
kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//') kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
case "$kernel" in case "$kernel" in
*.*.*) *.*.*)
kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;; ;;


@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be author's reputation will not be affected by problems that might be
introduced by others. introduced by others.
Finally, software patents pose a constant threat to the existence of Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a effectively restrict the users of a free program by obtaining a
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The "work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must former contains code derived from the library, whereas the latter must
be combined with the library in order to run. be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does. and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's 1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an you conspicuously and appropriately publish on each copy an
@ -158,7 +158,7 @@ Library.
You may charge a fee for the physical act of transferring a copy, You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a and you may at your option offer warranty protection in exchange for a
fee. fee.
2. You may modify your copy or copies of the Library or any portion 2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1 distribute such modifications or work under the terms of Section 1
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in that version instead if you wish.) Do not make any other change in
these notices. these notices.
Once this change is made in a given copy, it is irreversible for Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy. subsequent copies and derivative works made from that copy.
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
distribute the object code for the work under the terms of Section 6. distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6, Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself. whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or 6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work work containing portions of the Library, and distribute that work
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you use both them and the Library together in an executable that you
distribute. distribute.
7. You may place library facilities that are a work based on the 7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined facilities not covered by this License, and distribute such a combined
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein. restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with You are not responsible for enforcing compliance by third parties with
this License. this License.
11. If, as a consequence of a court judgment or allegation of patent 11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or conditions are imposed on you (whether by court order, agreement or
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by license version number, you may choose any version ever published by
the Free Software Foundation. the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free 14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these, programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is write to the author to ask for permission. For software which is
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. DAMAGES.
END OF TERMS AND CONDITIONS END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest If you develop a new library, and you want it to be of the greatest


@ -13,7 +13,7 @@
# #
# For information about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# The manpage is also online at # The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html # http://shorewall.net/manpages/shorewall.conf.html
# #
############################################################################### ###############################################################################


@ -14,7 +14,7 @@
# #
# For information about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# The manpage is also online at # The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html # http://shorewall.net/manpages/shorewall.conf.html
# #
############################################################################### ###############################################################################


@ -3,7 +3,7 @@
# Shorewall version 4.0 - Sample shorewall.conf for two-interface # Shorewall version 4.0 - Sample shorewall.conf for two-interface
# configuration. # configuration.
# Copyright (C) 2006,2007 by the Shorewall Team # Copyright (C) 2006,2007 by the Shorewall Team
# 2011 by Thomas M. Eastep # 2011 by Thomas M. Eastep
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public # modify it under the terms of the GNU Lesser General Public
@ -14,7 +14,7 @@
# #
# For information about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# The manpage is also online at # The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html # http://shorewall.net/manpages/shorewall.conf.html
# #
############################################################################### ###############################################################################


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Broadcast[([<action>|-[,{audit|-}])] # Broadcast[([<action>|-[,{audit|-}])]
# #
# Default action is DROP # Default action is DROP
# #
@ -51,7 +51,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
} }
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 '; add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';


@ -33,7 +33,7 @@
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
# #
# The following magic provides different defaults for $2 thru $5, when $1 is # The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'. # 'audit'.
# #
BEGIN PERL; BEGIN PERL;
@ -41,7 +41,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 ); my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) { if ( defined $p1 ) {
if ( $p1 eq 'audit' ) { if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2; set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3; set_action_param( 3, 'A_DROP') unless supplied $p3;


@ -41,15 +41,15 @@ if ( $level ne '-' || $audit ne '-' ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit'; fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's'; require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
add_ijump( $logchainref, j => 'AUDIT --type DROP' ); add_ijump( $logchainref, j => 'AUDIT --type DROP' );
} }
add_ijump( $logchainref, j => 'DROP' ); add_ijump( $logchainref, j => 'DROP' );
$target = $logchainref; $target = $logchainref;
} else { } else {
$target = 'DROP'; $target = 'DROP';
} }
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ; add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
} else { } else {
add_commands $chainref, 'for address in $ALL_ACASTS; do'; add_commands $chainref, 'for address in $ALL_ACASTS; do';
} }
incr_cmd_level $chainref; incr_cmd_level $chainref;
add_ijump( $chainref, g => $target, s => '$address' ); add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref; decr_cmd_level $chainref;
@ -80,6 +80,6 @@ if ( $family == F_IPV4 ) {
END PERL; END PERL;


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Invalid[([<action>|-[,{audit|-}])] # Invalid[([<action>|-[,{audit|-}])]
# #
# Default action is DROP # Default action is DROP
# #


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# NotSyn[([<action>|-[,{audit|-}])] # NotSyn[([<action>|-[,{audit|-}])]
# #
# Default action is DROP # Default action is DROP
# #


@ -29,7 +29,7 @@
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
# #
# The following magic provides different defaults for $2 thru $5, when $1 is # The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'. # 'audit'.
# #
BEGIN PERL; BEGIN PERL;
@ -37,7 +37,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 ); my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) { if ( defined $p1 ) {
if ( $p1 eq 'audit' ) { if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2; set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3; set_action_param( 3, 'A_REJECT') unless supplied $p3;


@ -24,7 +24,7 @@ my ( $disposition, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain; my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
if ( $level ne '-' || $audit ne '-' ) { if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0; my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@ -42,13 +42,13 @@ if ( $level ne '-' || $audit ne '-' ) {
fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit'; fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's'; require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition ); add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
} }
add_ijump( $logchainref, g => $disposition ); add_ijump( $logchainref, g => $disposition );
$disposition = $logchainref; $disposition = $logchainref;
} }
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH'; add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE'; add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST'; add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
@ -58,6 +58,6 @@ add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
END PERL; END PERL;


@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger $shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
rm -f $lockfile rm -f $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger $shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else # Failed to start, clean up lock file if present else # Failed to start, clean up lock file if present


@ -38,7 +38,7 @@ usage() # $1 = exit status
exit $1 exit $1
} }
fatal_error() fatal_error()
{ {
echo " ERROR: $@" >&2 echo " ERROR: $@" >&2
exit 1 exit 1
@ -95,7 +95,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2} run_install $T $OWNERSHIP -m $3 $1 ${2}
} }
require() require()
{ {
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set" eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
} }
@ -335,7 +335,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
if [ -n "$INITFILE" ]; then if [ -n "$INITFILE" ]; then
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544 install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
if [ -n "${AUXINITSOURCE}" ]; then if [ -n "${AUXINITSOURCE}" ]; then
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544 install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
fi fi
@ -439,7 +439,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PR
if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
run_install $OWNERSHIP -m 0644 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf run_install $OWNERSHIP -m 0644 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
if [ "$SHAREDIR" != /usr/share -o "$CONFDIR" != /etc ]; then if [ "$SHAREDIR" != /usr/share -o "$CONFDIR" != /etc ]; then
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall ]; then
perl -p -w -i -e "s|^CONFIG_PATH=.*|CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf perl -p -w -i -e "s|^CONFIG_PATH=.*|CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf


@ -34,7 +34,7 @@ get_config() {
ensure_config_path ensure_config_path
if [ "$1" = Yes ]; then if [ "$1" = Yes ]; then
params=$(find_file params) params=$(find_file params)
@ -90,7 +90,7 @@ get_config() {
exit 2 exit 2
fi fi
fi fi
g_tool=$IPTABLES g_tool=$IPTABLES
else else
if [ -n "$IP6TABLES" ]; then if [ -n "$IP6TABLES" ]; then
@ -507,7 +507,7 @@ start_command() {
c*) c*)
AUTOMAKE= AUTOMAKE=
option=${option#c} option=${option#c}
;; ;;
T*) T*)
g_confess=Yes g_confess=Yes
option=${option#T} option=${option#T}
@ -874,7 +874,7 @@ restart_command() {
c*) c*)
AUTOMAKE= AUTOMAKE=
option=${option#c} option=${option#c}
;; ;;
n*) n*)
g_noroutes=Yes g_noroutes=Yes
option=${option#n} option=${option#n}
@ -1418,7 +1418,7 @@ reload_command() # $* = original arguments less the command.
fi fi
. $directory/$g_program.conf . $directory/$g_program.conf
ensure_config_path ensure_config_path
fi fi
@ -1597,7 +1597,7 @@ usage() # $1 = exit status
echo " show dynamic <zone>" echo " show dynamic <zone>"
echo " show filters" echo " show filters"
echo " show ip" echo " show ip"
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
echo " show ipa" echo " show ipa"
fi fi


@ -203,7 +203,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local mask local mask
[ $g_family -eq 4 ] && mask=32 || mask=128 [ $g_family -eq 4 ] && mask=32 || mask=128
$IP -$g_family route show dev $1 2> /dev/null | $IP -$g_family route show dev $1 2> /dev/null |
while read address rest; do while read address rest; do
@ -385,7 +385,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
done < ${VARDIR}/default_route done < ${VARDIR}/default_route
replace_default_route $1 replace_default_route $1
if [ $result = 1 ]; then if [ $result = 1 ]; then
# #
# We didn't restore a default route with metric 0 # We didn't restore a default route with metric 0
@ -617,7 +617,7 @@ EOF
for interface in $@; do for interface in $@; do
qt $g_tool -t mangle -F ~$interface qt $g_tool -t mangle -F ~$interface
eval load=\$${interface}_load eval load=\$${interface}_load
if [ -n "$load" ]; then if [ -n "$load" ]; then
load=$(bc <<EOF load=$(bc <<EOF
scale=8 scale=8
@ -888,7 +888,7 @@ add_gateway() # $1 = Delta $2 = Table Number
local weight local weight
local delta local delta
local dev local dev
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'` route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
if [ -z "$route" ]; then if [ -z "$route" ]; then
@ -920,7 +920,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'` route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1 gateway=$1
if [ -n "$route" ]; then if [ -n "$route" ]; then
if echo $route | fgrep -q ' nexthop '; then if echo $route | fgrep -q ' nexthop '; then
gateway="nexthop $gateway" gateway="nexthop $gateway"
@ -1214,7 +1214,7 @@ add_gateway() # $1 = Delta $2 = Table Number
local weight local weight
local delta local delta
local dev local dev
run_ip route add default scope global table $2 $1 run_ip route add default scope global table $2 $1
} }
@ -1229,7 +1229,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'` route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1 gateway=$1
dev=$(find_device $route) dev=$(find_device $route)
[ "$dev" = "$3" ] && run_ip route delete default table $2 [ "$dev" = "$3" ] && run_ip route delete default table $2
} }


@ -1505,7 +1505,7 @@
SSH connection to the ipset S:</para> SSH connection to the ipset S:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST <programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
ADD(+S:dst,src,dst) net fw tcp 22</programlisting> ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -204,7 +204,7 @@
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para> protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST <programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT # PORT
IPV4 IPV4
@ -213,7 +213,7 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6 IPV6
1:10 ::/0 ::/0 icmp6 echo-request 1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting> 1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem> </listitem>


@ -57,7 +57,7 @@
<programlisting> <emphasis role="bold">6to4</emphasis> or <emphasis <programlisting> <emphasis role="bold">6to4</emphasis> or <emphasis
role="bold">6in4</emphasis> - 6to4 or 6in4 tunnel. The <emphasis role="bold">6in4</emphasis> - 6to4 or 6in4 tunnel. The <emphasis
role="bold">6in4</emphasis> synonym was added in 4.4.24. role="bold">6in4</emphasis> synonym was added in 4.4.24.
<emphasis role="bold">ipsec</emphasis> - IPv4 IPSEC <emphasis role="bold">ipsec</emphasis> - IPv4 IPSEC
<emphasis role="bold">ipsecnat</emphasis> - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation) <emphasis role="bold">ipsecnat</emphasis> - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
<emphasis role="bold">ipip</emphasis> - IPv4 encapsulated in IPv4 (Protocol 4) <emphasis role="bold">ipip</emphasis> - IPv4 encapsulated in IPv4 (Protocol 4)


@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net) # Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net


@ -24,7 +24,7 @@ export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@ -36,9 +36,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done." echo "not done."
else else
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi


@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger $shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
rm -f $lockfile rm -f $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger $shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else # Failed to start, clean up lock file if present else # Failed to start, clean up lock file if present


@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 - # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 -
# Tom Eastep (teastep@shorewall.net) # Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net


@ -1,5 +1,5 @@
############################################################################### ###############################################################################
# /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following # /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following
# variables to override the values in the shorewall.conf file used to # variables to override the values in the shorewall.conf file used to
# compile /var/lib/shorewall-lite/firewall. Those values may be found in # compile /var/lib/shorewall-lite/firewall. Those values may be found in
# /var/lib/shorewall-lite/firewall.conf. # /var/lib/shorewall-lite/firewall.conf.


@ -23,10 +23,10 @@
# to the name of the remote firewall corresponding to the directory. # to the name of the remote firewall corresponding to the directory.
# #
# To make the 'firewall' script, type "make". # To make the 'firewall' script, type "make".
# #
# Once the script is compiling correctly, you can install it by # Once the script is compiling correctly, you can install it by
# typing "make install". # typing "make install".
# #
################################################################################ ################################################################################
# V A R I A B L E S # V A R I A B L E S
# #
@ -55,7 +55,7 @@ all: firewall
# #
# Only generate the capabilities file if it doesn't already exist # Only generate the capabilities file if it doesn't already exist
# #
capabilities: capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities" ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities . scp root@$(HOST):$(LITEDIR)/capabilities .
# #
@ -78,5 +78,5 @@ save:
# #
# Remove generated files # Remove generated files
# #
clean: clean:
rm -f capabilities firewall firewall.conf reload rm -f capabilities firewall firewall.conf reload


@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be author's reputation will not be affected by problems that might be
introduced by others. introduced by others.
Finally, software patents pose a constant threat to the existence of Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a effectively restrict the users of a free program by obtaining a
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The "work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must former contains code derived from the library, whereas the latter must
be combined with the library in order to run. be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does. and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's 1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an you conspicuously and appropriately publish on each copy an
@ -158,7 +158,7 @@ Library.
You may charge a fee for the physical act of transferring a copy, You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a and you may at your option offer warranty protection in exchange for a
fee. fee.
2. You may modify your copy or copies of the Library or any portion 2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1 distribute such modifications or work under the terms of Section 1
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in that version instead if you wish.) Do not make any other change in
these notices. these notices.
Once this change is made in a given copy, it is irreversible for Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy. subsequent copies and derivative works made from that copy.
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
distribute the object code for the work under the terms of Section 6. distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6, Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself. whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or 6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work work containing portions of the Library, and distribute that work
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you use both them and the Library together in an executable that you
distribute. distribute.
7. You may place library facilities that are a work based on the 7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined facilities not covered by this License, and distribute such a combined
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein. restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with You are not responsible for enforcing compliance by third parties with
this License. this License.
11. If, as a consequence of a court judgment or allegation of patent 11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or conditions are imposed on you (whether by court order, agreement or
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by license version number, you may choose any version ever published by
the Free Software Foundation. the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free 14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these, programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is write to the author to ask for permission. For software which is
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. DAMAGES.
END OF TERMS AND CONDITIONS END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest If you develop a new library, and you want it to be of the greatest


@ -7,7 +7,7 @@
# #
############################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST #TARGET SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
COMMENT Needed ICMP types (RFC4890) COMMENT Needed ICMP types (RFC4890)
A_ACCEPT - - ipv6-icmp destination-unreachable A_ACCEPT - - ipv6-icmp destination-unreachable


@ -7,7 +7,7 @@
# #
############################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST #TARGET SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
FORMAT 2 FORMAT 2
DEFAULTS ACCEPT DEFAULTS ACCEPT


@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# Broadcast[([<action>|-[,{audit|-}])] # Broadcast[([<action>|-[,{audit|-}])]
# #
# Default action is DROP # Default action is DROP
# #
@ -49,7 +49,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
} }
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
} }
log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne ''; log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne '';
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' ); add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );


@ -33,7 +33,7 @@
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
# #
# The following magic provides different defaults for $2 thru $5, when $1 is # The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'. # 'audit'.
# #
BEGIN PERL; BEGIN PERL;
@ -41,7 +41,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 ); my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) { if ( defined $p1 ) {
if ( $p1 eq 'audit' ) { if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2; set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3; set_action_param( 3, 'A_DROP') unless supplied $p3;


@ -29,7 +29,7 @@
############################################################################### ###############################################################################
FORMAT 2 FORMAT 2
# #
# The following magic provides different defaults for $2 thru $5, when $1 is # The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'. # 'audit'.
# #
BEGIN PERL; BEGIN PERL;
@ -37,7 +37,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 ); my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) { if ( defined $p1 ) {
if ( $p1 eq 'audit' ) { if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2; set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3; set_action_param( 3, 'A_REJECT') unless supplied $p3;


@ -8,7 +8,7 @@
# #
# Builtin Actions are: # Builtin Actions are:
# #
# allowBcasts # Accept multicast and anycast packets # allowBcasts # Accept multicast and anycast packets
# dropBcasts # Silently Drop multicast and anycast packets # dropBcasts # Silently Drop multicast and anycast packets
# dropNotSyn # Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets


@ -4,7 +4,7 @@
# /etc/shorewall6/restored # /etc/shorewall6/restored
# #
# Add commands below that you want to be executed after shorewall6 has # Add commands below that you want to be executed after shorewall6 has
# completed a 'restore' command. # completed a 'restore' command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.


@ -4,7 +4,7 @@
# /etc/shorewall/scfilter # /etc/shorewall/scfilter
# #
# Replace the 'cat' command below to filter the output of # Replace the 'cat' command below to filter the output of
# 'show connections. # 'show connections.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.


@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall6-init.log}
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@ -32,9 +32,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done." echo "not done."
else else
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
@ -76,7 +76,7 @@ fi
export SHOREWALL_INIT_SCRIPT export SHOREWALL_INIT_SCRIPT
# wait for an unconfigured interface # wait for an unconfigured interface
wait_for_pppd () { wait_for_pppd () {
if [ "$wait_interface" != "" ] if [ "$wait_interface" != "" ]
then then


@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger $shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
rm -f $lockfile rm -f $lockfile
success success
else else
failure failure
fi fi
echo echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger $shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
touch $lockfile touch $lockfile
success success
else # Failed to start, clean up lock file if present else # Failed to start, clean up lock file if present


@ -6,7 +6,7 @@
# This script only affect the IPv6 rules and configuration located # This script only affect the IPv6 rules and configuration located
# in /etc/shorewall6 # in /etc/shorewall6
# #
# http://rafb.net/p/1gsyye11.html # http://rafb.net/p/1gsyye11.html
OPTIONS="" OPTIONS=""


@ -59,7 +59,7 @@ SIT="sit1"
ADDRESS4=206.124.146.180 ADDRESS4=206.124.146.180
# #
# Internal interfaces of the firewall -- space separated # Internal interfaces of the firewall -- space separated
# #
INTERFACES="eth0" INTERFACES="eth0"
# #
# Bits 48-63 of the first internal interface address. Will be incremented # Bits 48-63 of the first internal interface address. Will be incremented


@ -200,7 +200,7 @@
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para> protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST <programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT # PORT
IPV4 IPV4
@ -209,7 +209,7 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6 IPV6
1:10 ::/0 ::/0 icmp6 echo-request 1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting> 1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem> </listitem>


@ -15,9 +15,9 @@
############################################################################### ###############################################################################
loadmodule nfnetlink loadmodule nfnetlink
loadmodule x_tables loadmodule x_tables
loadmodule ip6_tables loadmodule ip6_tables
loadmodule ip6table_filter loadmodule ip6table_filter
loadmodule ip6table_mangle loadmodule ip6table_mangle
loadmodule ip6table_raw loadmodule ip6table_raw
loadmodule xt_conntrack loadmodule xt_conntrack
loadmodule nf_conntrack_ipv6 loadmodule nf_conntrack_ipv6


@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
# #
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net) # Tom Eastep (teastep@shorewall.net)
# #
# Shorewall documentation is available at http://www.shorewall.net # Shorewall documentation is available at http://www.shorewall.net