From d99aff5e09ffb55fa4ccdb1c49f5f657ea83a5b6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 16 Jul 2010 10:06:29 -0700 Subject: [PATCH] Use Perl Constants rather literals for IPv6 Networks Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Actions.pm | 11 ++++++----- Shorewall/Perl/Shorewall/Chains.pm | 4 ++-- Shorewall/Perl/Shorewall/IPAddrs.pm | 16 ++++++++-------- Shorewall/Perl/Shorewall/Rules.pm | 22 +++++++++++----------- 4 files changed, 27 insertions(+), 26 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm index 770e9e435..bd1019cd8 100644 --- a/Shorewall/Perl/Shorewall/Actions.pm +++ b/Shorewall/Perl/Shorewall/Actions.pm @@ -28,6 +28,7 @@ require Exporter; use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; use Shorewall::Chains qw(:DEFAULT :internal); +use Shorewall::IPAddrs; use strict; @@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels $macro_commands ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_10'; +our $VERSION = '4.4_12'; # # Used Actions. Each action that is actually used has an entry with value 1. @@ -776,7 +777,7 @@ sub dropBcast( $$$ ) { if ( $family == F_IPV4 ) { log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; } else { - log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/8 -j DROP '; + log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' ); } } @@ -801,7 +802,7 @@ sub dropBcast( $$$ ) { if ( $family == F_IPV4 ) { add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; } else { - add_rule $chainref, '-d ff00::/8 -j DROP'; + add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' ); } } 
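Review bot: In the IPv6 branch of the first dropBcast hunk (@@ -776,7), the predicate passed to `log_rule_limit` still ends in `-j DROP`, while the IPv4 branch just above it passes only the match ` -d 224.0.0.0/4 `. The `join` reproduces the old literal faithfully, so this predates the commit, but if `log_rule_limit` appends its own log target (its definition is not visible here) the IPv6 rule would either carry two targets or drop the packet without logging it. Assuming that, pass the match alone: `log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ';`. dropBcast's body starts and ends outside the hunk.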
@@ -833,8 +834,8 @@ sub allowBcast( $$$ ) { log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT'; } else { - log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/8 ' if $level ne ''; - add_rule $chainref, '-d ff00::/8 -j ACCEPT'; + log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne ''; + add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' ); } } } diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index b9c10e868..3b902c11f 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -175,7 +175,7 @@ our %EXPORT_TAGS = ( Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_11'; +our $VERSION = '4.4_12'; # # Chain Table @@ -2877,7 +2877,7 @@ sub get_interface_acasts ( $ ) { my $variable = interface_acasts( $interface ); - $interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/8"); + $interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST; "\$$variable"; } diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index fa3e83697..c31d587c6 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4 validate_icmp6 ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_7'; +our $VERSION = '4.4_12'; # # Some IPv4/6 useful stuff 
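Review bot: The rewritten assignment in get_interface_acasts (Chains.pm, @@ -2877,7) loses the closing double quote of the generated shell assignment: the old `qq(...)` ended in `ff00::/8")`, the new expression ends in `) . IPv6_MULTICAST;`, so the emitted text has the form `VAR="$(get_interface_acasts IFACE) ff00::/8` (VAR and IFACE are stand-ins) with the quote left open. An unterminated quote would make the generated firewall script fail to parse, or pull the following lines into the value. Append the quote: `$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST . '"';`. No `use Shorewall::IPAddrs` is visible in the Chains.pm hunks, so confirm the constant is already imported there, since under `use strict` a missing import would stop compilation. The sub's body starts outside the hunk.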
@@ -91,14 +91,14 @@ our $validate_host; use constant { ALLIPv4 => '0.0.0.0/0' , ALLIPv6 => '::/0' , IPv4_MULTICAST => '224.0.0.0/4' , - IPv6_MULTICAST => 'FF00::/8' , - IPv6_LINKLOCAL => 'FE80::/10' , - IPv6_SITELOCAL => 'FEC0::/10' , + IPv6_MULTICAST => 'ff00::/8' , + IPv6_LINKLOCAL => 'fe80::/10' , + IPv6_SITELOCAL => 'feC0::/10' , IPv6_LOOPBACK => '::1' , - IPv6_LINK_ALLNODES => 'FF01::1' , - IPv6_LINK_ALLRTRS => 'FF01::2' , - IPv6_SITE_ALLNODES => 'FF02::1' , - IPv6_SITE_ALLRTRS => 'FF02::2' , + IPv6_LINK_ALLNODES => 'ff01::1' , + IPv6_LINK_ALLRTRS => 'ff01::2' , + IPv6_SITE_ALLNODES => 'ff02::1' , + IPv6_SITE_ALLRTRS => 'ff02::2' , ICMP => 1, TCP => 6, UDP => 17, diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 06314018b..4bb2e57d0 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos compile_stop_firewall ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = '4.4_11'; +our $VERSION = '4.4_12'; # # Set to one if we find a SECTION @@ -509,7 +509,7 @@ sub add_common_rules() { if ( $family == F_IPV4 ) { add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' ); } else { - add_jump( $chainref, $smurfdest, 1, '-s ff00::/8 ' ); + add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' ); } my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID'; @@ -547,7 +547,7 @@ sub add_common_rules() { if ( $family == F_IPV4 ) { add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; } else { - add_rule $rejectref , '-s ff00::/8 -j DROP'; + add_rule $rejectref , '-s ' . IPv6_MULTICAST . ' -j DROP'; } add_rule $rejectref , '-p 2 -j DROP'; @@ -729,7 +729,7 @@ sub setup_mac_lists( $ ) { # # Accept Multicast # - add_rule $chainref , '-d ff00::/8 -j RETURN'; + add_rule $chainref , '-d ' . IPv6_MULTICAST . ' -j RETURN'; } if ( $ttl ) { 
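Review bot: `IPv6_SITELOCAL => 'feC0::/10'` is left in mixed case while every other constant in this block is lowercased. The same commit switches the callers in Rules.pm to `lc $net eq IPv6_LINKLOCAL`, so a comparison written the same way against IPv6_SITELOCAL would never match; write `IPv6_SITELOCAL => 'fec0::/10' ,`. Separately, ff01::/16 is interface-local scope and ff02::/16 is link-local scope, so the LINK_ and SITE_ prefixes on the four all-nodes/all-routers constants do not match the scopes of their values, and a comment stating which scope each is meant to cover would prevent a wrong rule later. The `use constant` block continues past the hunk.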
@@ -1983,7 +1983,7 @@ sub generate_matrix() { add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; $use_output = 1; - unless ( uc $net eq IPv6_LINKLOCAL ) { + unless ( lc $net eq IPv6_LINKLOCAL ) { for my $vzone ( vserver_zones ) { generate_source_rules ( $outputref, $vzone, $zone, $dest ); } @@ -2044,7 +2044,7 @@ sub generate_matrix() { add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; $use_input = 1; - unless ( uc $net eq IPv6_LINKLOCAL ) { + unless ( lc $net eq IPv6_LINKLOCAL ) { for my $vzone ( @vservers ) { my $target = rules_target( $zone, $vzone ); generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target; @@ -2456,13 +2456,13 @@ EOF add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains; if ( $family == F_IPV6 ) { - add_rule $input, '-s ff80::/10 -j ACCEPT'; - add_rule $input, '-d ff80::/10 -j ACCEPT'; - add_rule $input, '-d ff00::/8 -j ACCEPT'; + add_rule $input, '-s ' . IPv6_LINKLOCAL . ' -j ACCEPT'; + add_rule $input, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT'; + add_rule $input, '-d ' . IPv6_MULTICAST . ' -j ACCEPT'; unless ( $config{ADMINISABSENTMINDED} ) { - add_rule $output, '-d ff80::/10 -j ACCEPT'; - add_rule $output, '-d ff00::/8 -j ACCEPT'; + add_rule $output, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT'; + add_rule $output, '-d ' . IPv6_MULTICAST . ' -j ACCEPT'; } }
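Review bot: `lc $net eq IPv6_LINKLOCAL` in generate_matrix (this hunk and the identical line at @@ -2044,7) compares the textual form of the network, so an equivalent spelling such as `fe80:0::/10` or a zero-padded form would not be recognised as link-local and the vserver rules would be generated for it. Whether `$net` is normalised before it reaches this test is not visible in the hunk. If it is not, normalise it where the network is validated, or at least add a comment such as `# $net must be in compressed lower-case form to match IPv6_LINKLOCAL`. The function body starts and ends outside both hunks.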
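Review bot: Replacing `ff80::/10` with IPv6_LINKLOCAL in the last hunk (@@ -2456,13) changes the generated rules, which the commit subject does not say. The old literal lies inside the multicast range ff00::/8, whereas the constant is `fe80::/10`, so INPUT now accepts any packet with a link-local source or destination, and OUTPUT any link-local destination when ADMINISABSENTMINDED is not set. This looks like the intended correction of a typo, and the option name suggests these are the rules used while the firewall is stopped, but it widens what is accepted from on-link hosts. It deserves a line in the commit message and a comment above the three INPUT rules stating why link-local and multicast traffic is accepted unconditionally. The enclosing function starts outside the hunk.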