Use Perl Constants rather than literals for IPv6 Networks
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
27937f32e3
commit
d99aff5e09
@ -28,6 +28,7 @@ require Exporter;
|
|||||||
use Shorewall::Config qw(:DEFAULT :internal);
|
use Shorewall::Config qw(:DEFAULT :internal);
|
||||||
use Shorewall::Zones;
|
use Shorewall::Zones;
|
||||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||||
|
use Shorewall::IPAddrs;
|
||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels
|
|||||||
$macro_commands
|
$macro_commands
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_10';
|
our $VERSION = '4.4_12';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||||
@ -776,7 +777,7 @@ sub dropBcast( $$$ ) {
|
|||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/8 -j DROP ';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -801,7 +802,7 @@ sub dropBcast( $$$ ) {
|
|||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||||
} else {
|
} else {
|
||||||
add_rule $chainref, '-d ff00::/8 -j DROP';
|
add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -833,8 +834,8 @@ sub allowBcast( $$$ ) {
|
|||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||||
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/8 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
|
||||||
add_rule $chainref, '-d ff00::/8 -j ACCEPT';
|
add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
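Review bot: In the first dropBcast hunk the IPv6 branch still passes `-j DROP` inside the match string handed to `log_rule_limit`, while the IPv4 branch just above it and both branches of allowBcast pass only the `-d` match. The old literal was carried into the `join` unchanged, so this looks like a leftover rather than intent; if so, the argument should read `' -d ' . IPv6_MULTICAST . ' '`, as in allowBcast. The changed calls also build the same kind of string three ways (`join(`, `join (` and `.` concatenation), and settling on one form would make the generated rules easier to grep and audit. dropBcast and allowBcast both start and end outside the hunks shown.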
@ -175,7 +175,7 @@ our %EXPORT_TAGS = (
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = '4.4_11';
|
our $VERSION = '4.4_12';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Chain Table
|
# Chain Table
|
||||||
@ -2877,7 +2877,7 @@ sub get_interface_acasts ( $ ) {
|
|||||||
|
|
||||||
my $variable = interface_acasts( $interface );
|
my $variable = interface_acasts( $interface );
|
||||||
|
|
||||||
$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/8");
|
$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST;
|
||||||
|
|
||||||
"\$$variable";
|
"\$$variable";
|
||||||
}
|
}
|
||||||
|
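Review bot: The new assignment to `$interfaceacasts{$interface}` loses the closing double quote of the shell assignment: the `qq(...)` now ends right after `$(get_interface_acasts $interface) ` and only the constant is appended, so the emitted text is `VAR="$(...) ff00::/8` with the quote left open. The removed line had the `"` after the network. Put it back after the constant: `$interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST . '"';`. get_interface_acasts begins above the hunk, so only this statement is reviewed.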
@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
|
|||||||
validate_icmp6
|
validate_icmp6
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = '4.4_7';
|
our $VERSION = '4.4_12';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Some IPv4/6 useful stuff
|
# Some IPv4/6 useful stuff
|
||||||
@ -91,14 +91,14 @@ our $validate_host;
|
|||||||
use constant { ALLIPv4 => '0.0.0.0/0' ,
|
use constant { ALLIPv4 => '0.0.0.0/0' ,
|
||||||
ALLIPv6 => '::/0' ,
|
ALLIPv6 => '::/0' ,
|
||||||
IPv4_MULTICAST => '224.0.0.0/4' ,
|
IPv4_MULTICAST => '224.0.0.0/4' ,
|
||||||
IPv6_MULTICAST => 'FF00::/8' ,
|
IPv6_MULTICAST => 'ff00::/8' ,
|
||||||
IPv6_LINKLOCAL => 'FE80::/10' ,
|
IPv6_LINKLOCAL => 'fe80::/10' ,
|
||||||
IPv6_SITELOCAL => 'FEC0::/10' ,
|
IPv6_SITELOCAL => 'feC0::/10' ,
|
||||||
IPv6_LOOPBACK => '::1' ,
|
IPv6_LOOPBACK => '::1' ,
|
||||||
IPv6_LINK_ALLNODES => 'FF01::1' ,
|
IPv6_LINK_ALLNODES => 'ff01::1' ,
|
||||||
IPv6_LINK_ALLRTRS => 'FF01::2' ,
|
IPv6_LINK_ALLRTRS => 'ff01::2' ,
|
||||||
IPv6_SITE_ALLNODES => 'FF02::1' ,
|
IPv6_SITE_ALLNODES => 'ff02::1' ,
|
||||||
IPv6_SITE_ALLRTRS => 'FF02::2' ,
|
IPv6_SITE_ALLRTRS => 'ff02::2' ,
|
||||||
ICMP => 1,
|
ICMP => 1,
|
||||||
TCP => 6,
|
TCP => 6,
|
||||||
UDP => 17,
|
UDP => 17,
|
||||||
|
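Review bot: `IPv6_SITELOCAL` is set to `'feC0::/10'` with a capital C, while every other constant in this hunk was lowercased; callers in this commit compare with `lc $net eq IPv6_LINKLOCAL`, so the same kind of comparison against IPv6_SITELOCAL could never match. It should read `IPv6_SITELOCAL => 'fec0::/10' ,`. Separately, and not introduced by this commit, the names look one scope off: in RFC 4291 ff01::/16 is interface-local and ff02::/16 is link-local, so `IPv6_LINK_*` holding ff01 and `IPv6_SITE_*` holding ff02 deserve a comment or a rename before they are used in rules. The `use constant` block continues past the end of the hunk.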
@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
|
|||||||
compile_stop_firewall
|
compile_stop_firewall
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||||
our $VERSION = '4.4_11';
|
our $VERSION = '4.4_12';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set to one if we find a SECTION
|
# Set to one if we find a SECTION
|
||||||
@ -509,7 +509,7 @@ sub add_common_rules() {
|
|||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
|
add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
|
||||||
} else {
|
} else {
|
||||||
add_jump( $chainref, $smurfdest, 1, '-s ff00::/8 ' );
|
add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' );
|
||||||
}
|
}
|
||||||
|
|
||||||
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
|
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
|
||||||
@ -547,7 +547,7 @@ sub add_common_rules() {
|
|||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
|
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
|
||||||
} else {
|
} else {
|
||||||
add_rule $rejectref , '-s ff00::/8 -j DROP';
|
add_rule $rejectref , '-s ' . IPv6_MULTICAST . ' -j DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $rejectref , '-p 2 -j DROP';
|
add_rule $rejectref , '-p 2 -j DROP';
|
||||||
@ -729,7 +729,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
#
|
#
|
||||||
# Accept Multicast
|
# Accept Multicast
|
||||||
#
|
#
|
||||||
add_rule $chainref , '-d ff00::/8 -j RETURN';
|
add_rule $chainref , '-d ' . IPv6_MULTICAST . ' -j RETURN';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $ttl ) {
|
if ( $ttl ) {
|
||||||
@ -1983,7 +1983,7 @@ sub generate_matrix() {
|
|||||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||||
$use_output = 1;
|
$use_output = 1;
|
||||||
|
|
||||||
unless ( uc $net eq IPv6_LINKLOCAL ) {
|
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||||
for my $vzone ( vserver_zones ) {
|
for my $vzone ( vserver_zones ) {
|
||||||
generate_source_rules ( $outputref, $vzone, $zone, $dest );
|
generate_source_rules ( $outputref, $vzone, $zone, $dest );
|
||||||
}
|
}
|
||||||
@ -2044,7 +2044,7 @@ sub generate_matrix() {
|
|||||||
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
||||||
$use_input = 1;
|
$use_input = 1;
|
||||||
|
|
||||||
unless ( uc $net eq IPv6_LINKLOCAL ) {
|
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||||
for my $vzone ( @vservers ) {
|
for my $vzone ( @vservers ) {
|
||||||
my $target = rules_target( $zone, $vzone );
|
my $target = rules_target( $zone, $vzone );
|
||||||
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
|
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
|
||||||
@ -2456,13 +2456,13 @@ EOF
|
|||||||
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
|
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
|
||||||
|
|
||||||
if ( $family == F_IPV6 ) {
|
if ( $family == F_IPV6 ) {
|
||||||
add_rule $input, '-s ff80::/10 -j ACCEPT';
|
add_rule $input, '-s ' . IPv6_LINKLOCAL . ' -j ACCEPT';
|
||||||
add_rule $input, '-d ff80::/10 -j ACCEPT';
|
add_rule $input, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
|
||||||
add_rule $input, '-d ff00::/8 -j ACCEPT';
|
add_rule $input, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
|
||||||
|
|
||||||
unless ( $config{ADMINISABSENTMINDED} ) {
|
unless ( $config{ADMINISABSENTMINDED} ) {
|
||||||
add_rule $output, '-d ff80::/10 -j ACCEPT';
|
add_rule $output, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
|
||||||
add_rule $output, '-d ff00::/8 -j ACCEPT';
|
add_rule $output, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
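Review bot: The last hunk is not a literal-for-constant swap: the removed lines matched `ff80::/10`, but `IPv6_LINKLOCAL` is `fe80::/10`, so the generated ACCEPT rules on `$input` and `$output` change. fe80::/10 is the link-local prefix, so the new value looks like the intended one, but a change in what the ruleset accepts should be stated in the commit message and in a comment above the block, for example `# Link-local (fe80::/10) and multicast traffic must pass for neighbor discovery`. In the two generate_matrix hunks, `lc $net eq IPv6_LINKLOCAL` is a textual comparison, so it depends on `$net` being written exactly like the constant; whether `$net` is normalised beforehand is not visible here. The enclosing functions start and end outside the hunks.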