Generate inversion that satisfies iptables 1.4.3.
Signed-off-by: Tom Eastep <teastep@shorewall.net> git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9796 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
07c579562e
commit
e2c5ad441a
@ -1350,7 +1350,7 @@ sub do_proto( $$$ )
|
|||||||
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
||||||
#
|
#
|
||||||
unless ( $synonly ) {
|
unless ( $synonly ) {
|
||||||
$output = "-p ${invert}${proto} ";
|
$output = "${invert}-p ${proto} ";
|
||||||
} else {
|
} else {
|
||||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
|
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
|
||||||
$output = "-p $proto --syn ";
|
$output = "-p $proto --syn ";
|
||||||
@ -1369,11 +1369,11 @@ sub do_proto( $$$ )
|
|||||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
|
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
|
||||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||||
$ports = validate_port_list $pname , $ports;
|
$ports = validate_port_list $pname , $ports;
|
||||||
$output .= "-m multiport --dports ${invert}${ports} ";
|
$output .= "-m multiport ${invert}--dports ${ports} ";
|
||||||
$multiport = 1;
|
$multiport = 1;
|
||||||
} else {
|
} else {
|
||||||
$ports = validate_portpair $pname , $ports;
|
$ports = validate_portpair $pname , $ports;
|
||||||
$output .= "--dport ${invert}${ports} ";
|
$output .= "${invert}--dport ${ports} ";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
|
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
|
||||||
@ -1384,10 +1384,10 @@ sub do_proto( $$$ )
|
|||||||
if ( $multiport ) {
|
if ( $multiport ) {
|
||||||
fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
|
fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
|
||||||
$sports = validate_port_list $pname , $sports;
|
$sports = validate_port_list $pname , $sports;
|
||||||
$output .= "-m multiport --sports ${invert}${sports} ";
|
$output .= "-m multiport ${invert}--sports ${sports} ";
|
||||||
} else {
|
} else {
|
||||||
$sports = validate_portpair $pname , $sports;
|
$sports = validate_portpair $pname , $sports;
|
||||||
$output .= "--sport ${invert}${sports} ";
|
$output .= "${invert}--sport ${sports} ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1412,7 +1412,7 @@ sub do_proto( $$$ )
|
|||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||||
$ports = validate_icmp6 $ports;
|
$ports = validate_icmp6 $ports;
|
||||||
$output .= "--icmpv6-type ${invert}${ports} ";
|
$output .= "${invert}--icmpv6-type ${ports} ";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||||
@ -1464,7 +1464,7 @@ sub mac_match( $ ) {
|
|||||||
|
|
||||||
fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
|
fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
|
||||||
|
|
||||||
"--match mac --mac-source ${invert}$mac ";
|
"--match mac ${invert}--mac-source $mac ";
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1679,7 +1679,7 @@ sub do_connbytes( $ ) {
|
|||||||
$dir =~ s/://;
|
$dir =~ s/://;
|
||||||
$mode =~ s/://;
|
$mode =~ s/://;
|
||||||
|
|
||||||
"${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} ";
|
"-m connbytes ${invert}--connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} ";
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1797,7 +1797,7 @@ sub match_source_net( $;$ ) {
|
|||||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||||
} elsif ( $net =~ s/^!// ) {
|
} elsif ( $net =~ s/^!// ) {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
"-s ! $net ";
|
"! -s $net ";
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-s $net ";
|
$net eq ALLIP ? '' : "-s $net ";
|
||||||
@ -1822,7 +1822,7 @@ sub match_dest_net( $ ) {
|
|||||||
} elsif ( $net =~ /^!/ ) {
|
} elsif ( $net =~ /^!/ ) {
|
||||||
$net =~ s/!//;
|
$net =~ s/!//;
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
"-d ! $net ";
|
"! -d $net ";
|
||||||
} else {
|
} else {
|
||||||
validate_net $net, 1;
|
validate_net $net, 1;
|
||||||
$net eq ALLIP ? '' : "-d $net ";
|
$net eq ALLIP ? '' : "-d $net ";
|
||||||
|