Use Perl Constants rather literals for IPv6 Networks

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-16 10:06:29 -07:00
parent 27937f32e3
commit d99aff5e09
4 changed files with 27 additions and 26 deletions

View File

@ -28,6 +28,7 @@ require Exporter;
use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones; use Shorewall::Zones;
use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use strict; use strict;
@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels
$macro_commands $macro_commands
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_10'; our $VERSION = '4.4_12';
# #
# Used Actions. Each action that is actually used has an entry with value 1. # Used Actions. Each action that is actually used has an entry with value 1.
@ -776,7 +777,7 @@ sub dropBcast( $$$ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else { } else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/8 -j DROP '; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
} }
} }
@ -801,7 +802,7 @@ sub dropBcast( $$$ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
} else { } else {
add_rule $chainref, '-d ff00::/8 -j DROP'; add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
} }
} }
@ -833,8 +834,8 @@ sub allowBcast( $$$ ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT'; add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} else { } else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/8 ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
add_rule $chainref, '-d ff00::/8 -j ACCEPT'; add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
} }
} }
} }

View File

@ -175,7 +175,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_11'; our $VERSION = '4.4_12';
# #
# Chain Table # Chain Table
@ -2877,7 +2877,7 @@ sub get_interface_acasts ( $ ) {
my $variable = interface_acasts( $interface ); my $variable = interface_acasts( $interface );
$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/8"); $interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST;
"\$$variable"; "\$$variable";
} }

View File

@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
validate_icmp6 validate_icmp6
); );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_7'; our $VERSION = '4.4_12';
# #
# Some IPv4/6 useful stuff # Some IPv4/6 useful stuff
@ -91,14 +91,14 @@ our $validate_host;
use constant { ALLIPv4 => '0.0.0.0/0' , use constant { ALLIPv4 => '0.0.0.0/0' ,
ALLIPv6 => '::/0' , ALLIPv6 => '::/0' ,
IPv4_MULTICAST => '224.0.0.0/4' , IPv4_MULTICAST => '224.0.0.0/4' ,
IPv6_MULTICAST => 'FF00::/8' , IPv6_MULTICAST => 'ff00::/8' ,
IPv6_LINKLOCAL => 'FE80::/10' , IPv6_LINKLOCAL => 'fe80::/10' ,
IPv6_SITELOCAL => 'FEC0::/10' , IPv6_SITELOCAL => 'feC0::/10' ,
IPv6_LOOPBACK => '::1' , IPv6_LOOPBACK => '::1' ,
IPv6_LINK_ALLNODES => 'FF01::1' , IPv6_LINK_ALLNODES => 'ff01::1' ,
IPv6_LINK_ALLRTRS => 'FF01::2' , IPv6_LINK_ALLRTRS => 'ff01::2' ,
IPv6_SITE_ALLNODES => 'FF02::1' , IPv6_SITE_ALLNODES => 'ff02::1' ,
IPv6_SITE_ALLRTRS => 'FF02::2' , IPv6_SITE_ALLRTRS => 'ff02::2' ,
ICMP => 1, ICMP => 1,
TCP => 6, TCP => 6,
UDP => 17, UDP => 17,

View File

@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
compile_stop_firewall compile_stop_firewall
); );
our @EXPORT_OK = qw( process_rule process_rule1 initialize ); our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = '4.4_11'; our $VERSION = '4.4_12';
# #
# Set to one if we find a SECTION # Set to one if we find a SECTION
@ -509,7 +509,7 @@ sub add_common_rules() {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' ); add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
} else { } else {
add_jump( $chainref, $smurfdest, 1, '-s ff00::/8 ' ); add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' );
} }
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID'; my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
@ -547,7 +547,7 @@ sub add_common_rules() {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
} else { } else {
add_rule $rejectref , '-s ff00::/8 -j DROP'; add_rule $rejectref , '-s ' . IPv6_MULTICAST . ' -j DROP';
} }
add_rule $rejectref , '-p 2 -j DROP'; add_rule $rejectref , '-p 2 -j DROP';
@ -729,7 +729,7 @@ sub setup_mac_lists( $ ) {
# #
# Accept Multicast # Accept Multicast
# #
add_rule $chainref , '-d ff00::/8 -j RETURN'; add_rule $chainref , '-d ' . IPv6_MULTICAST . ' -j RETURN';
} }
if ( $ttl ) { if ( $ttl ) {
@ -1983,7 +1983,7 @@ sub generate_matrix() {
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1; $use_output = 1;
unless ( uc $net eq IPv6_LINKLOCAL ) { unless ( lc $net eq IPv6_LINKLOCAL ) {
for my $vzone ( vserver_zones ) { for my $vzone ( vserver_zones ) {
generate_source_rules ( $outputref, $vzone, $zone, $dest ); generate_source_rules ( $outputref, $vzone, $zone, $dest );
} }
@ -2044,7 +2044,7 @@ sub generate_matrix() {
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
$use_input = 1; $use_input = 1;
unless ( uc $net eq IPv6_LINKLOCAL ) { unless ( lc $net eq IPv6_LINKLOCAL ) {
for my $vzone ( @vservers ) { for my $vzone ( @vservers ) {
my $target = rules_target( $zone, $vzone ); my $target = rules_target( $zone, $vzone );
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target; generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
@ -2456,13 +2456,13 @@ EOF
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains; add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
if ( $family == F_IPV6 ) { if ( $family == F_IPV6 ) {
add_rule $input, '-s ff80::/10 -j ACCEPT'; add_rule $input, '-s ' . IPv6_LINKLOCAL . ' -j ACCEPT';
add_rule $input, '-d ff80::/10 -j ACCEPT'; add_rule $input, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
add_rule $input, '-d ff00::/8 -j ACCEPT'; add_rule $input, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
unless ( $config{ADMINISABSENTMINDED} ) { unless ( $config{ADMINISABSENTMINDED} ) {
add_rule $output, '-d ff80::/10 -j ACCEPT'; add_rule $output, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
add_rule $output, '-d ff00::/8 -j ACCEPT'; add_rule $output, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
} }
} }