Follow some advice from 'Programming Perl'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5691 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-26 00:46:15 +00:00
parent 08d59ffc7e
commit e6e04fe478
3 changed files with 50 additions and 33 deletions


@ -250,7 +250,7 @@ sub add_command($$)
{ {
my ($chainref, $command) = @_; my ($chainref, $command) = @_;
push @{$chainref->{rules}}, '~' . ( ( ' ' x $loopcount ) . $command ); push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command );
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -845,7 +845,7 @@ sub match_source_net( $ ) {
( $net = $2 ) =~ s/-/:/g; ( $net = $2 ) =~ s/-/:/g;
"-m mac --mac-source $1 $net "; "-m mac --mac-source $1 $net ";
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src' join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-s ! $net "; "-s ! $net ";
@ -865,7 +865,7 @@ sub match_dest_net( $ ) {
iprange_match . "${invert}--dst-range $net "; iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst' join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-d ! $net "; "-d ! $net ";
@ -1112,14 +1112,14 @@ sub expand_rule( $$$$$$$$$$ )
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
get_interface_address $chainref, $interface; get_interface_address $chainref, $interface;
add_command $chainref , 'addresses="$addresses $' . interface_address( $interface ) . '"' ; add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
} }
add_command $chainref , 'for address in $addresses; do'; add_command $chainref , 'for address in $addresses; do';
$rule .= '-d $address '; $rule .= '-d $address ';
$loopcount++; $loopcount++;
} else { } else {
get_interface_address $chainref, $interfaces[0]; get_interface_address $chainref, $interfaces[0];
$rule .= '-d $' . interface_address( $interfaces[0] ) . ' '; $rule .= join ( '', '-d $', interface_address( $interfaces[0] ), ' ' );
} }
$dest = ''; $dest = '';
@ -1179,7 +1179,7 @@ sub expand_rule( $$$$$$$$$$ )
$loopcount++; $loopcount++;
} else { } else {
get_interface_address $chainref, $interfaces[0]; get_interface_address $chainref, $interfaces[0];
$rule .= '-m conntrack --ctorigdst $' . interface_address ( $interfaces[0] ) . ' '; $rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
} }
$origdest = ''; $origdest = '';
@ -1268,7 +1268,7 @@ sub expand_rule( $$$$$$$$$$ )
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
$inet = match_source_net $inet; $inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
add_rule $chainref, $rule . $inet . ( match_dest_net $dnet ) . $onet . "-j $echain"; add_rule $chainref, join( '', $rule, $inet, match_dest_net( $dnet ), $onet, "-j $echain" );
} }
} }
} }
@ -1315,8 +1315,23 @@ sub expand_rule( $$$$$$$$$$ )
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
$inet = match_source_net $inet; $inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
log_rule_limit $loglevel , $chainref , $chain, $disposition , '' , $logtag , 'add' , $rule . $inet . match_dest_net( $dnet ) . $onet if $loglevel; if ( $loglevel ) {
add_rule $chainref, $rule . $inet . match_dest_net( $dnet ) . $onet . $target unless $disposition eq 'LOG'; log_rule_limit
$loglevel ,
$chainref ,
$chain,
$disposition ,
'' ,
$logtag ,
'add' ,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet );
}
unless ( $disposition eq 'LOG' ) {
add_rule
$chainref,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target );
}
} }
} }
} }
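Review bot: The reformatted block at the end of this section builds the identical match string twice per inner-loop iteration — `join( '', $rule, $inet, match_dest_net( $dnet ), $onet )` appears in both the log_rule_limit call and the add_rule call — so match_dest_net( $dnet ) is evaluated twice for the same $dnet and the two call sites can drift apart if one is later edited. Hoist it once at the top of the `for my $dnet` body, `my $match = join( '', $rule, $inet, match_dest_net( $dnet ), $onet );`, then pass `$match` as the last argument to log_rule_limit and `$match . $target` to add_rule. This keeps the two rules guaranteed to share the same source/destination match, which is the property the LOG rule depends on. The enclosing sub expand_rule starts before this hunk, so the surrounding loop variables are assumed from the visible lines only.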


@ -166,7 +166,7 @@ sub setup_rfc1918_filteration( $ ) {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , '-m state --state NEW ' . match_source_net( $hostref->[2]) . "${policy}-j norfc1918"; add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
} }
} }
} }
@ -214,7 +214,7 @@ sub setup_blacklist() {
open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!"; open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
progress_message( " Processing " . find_file 'blacklist' . '...' ); progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) );
while ( $line = <BL> ) { while ( $line = <BL> ) {
@ -437,7 +437,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) { for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , '-m state --state NEW,INVALID ' . match_source_net( $hostref->[2]) . "${policy}-j smurfs"; add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
} }
} }
} }
@ -516,7 +516,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) { for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , '-p tcp ' . match_source_net( $hostref->[2]) . "${policy}-j tcpflags"; add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
} }
} }
} }
@ -827,7 +827,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
$dest = "$firewall_zone"; $dest = "$firewall_zone";
} else { } else {
$dest = "$firewall_zone" . '::' . "$dest"; $dest = join( '', $firewall_zone, '::', $dest );
} }
} elsif ( $action eq 'REJECT' ) { } elsif ( $action eq 'REJECT' ) {
$action = 'reject'; $action = 'reject';
@ -875,12 +875,12 @@ sub process_rule1 ( $$$$$$$$$ ) {
# Validate Policy # Validate Policy
# #
my $policy = $chainref->{policy}; my $policy = $chainref->{policy};
fatal_error "No policy defined from $sourcezone to zone $destzone" unless $policy; fatal_error "No policy defined from zone $sourcezone to zone $destzone" unless $policy;
fatal_error "Rules may not override a NONE policy: rule \"$line\"" if $policy eq 'NONE'; fatal_error "Rules may not override a NONE policy: rule \"$line\"" if $policy eq 'NONE';
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
# #
$rule = do_proto $proto, $ports, $sports . do_ratelimit( $ratelimit ) . ( do_user $user ); $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit ) , do_user( $user ) );
# #
# Generate NAT rule(s), if any # Generate NAT rule(s), if any
@ -956,7 +956,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
# After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table. # After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table.
# #
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
$rule = do_proto $proto, $ports, $sports . do_ratelimit( $ratelimit ) . do_user $user; $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
$loglevel = ''; $loglevel = '';
} }
} else { } else {
@ -1204,7 +1204,7 @@ sub generate_matrix() {
for my $host ( @{$exclusionsref} ) { for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host; my ( $interface, $net ) = split /:/, $host;
insert_rule $chainref , $num++, "-i $interface " . match_source_net( $host ) . '-j RETURN'; insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
} }
} }
@ -1216,7 +1216,7 @@ sub generate_matrix() {
for my $host ( @{$exclusionsref} ) { for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host; my ( $interface, $net ) = split /:/, $host;
add_rule $chainref , "-i $interface " . match_source_net( $host ) . '-j RETURN'; add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
} }
} }
# #
@ -1278,7 +1278,7 @@ sub generate_matrix() {
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule add_rule
find_chainref( 'filter' , forward_chain $interface ) , find_chainref( 'filter' , forward_chain $interface ) ,
match_source_net $net . $ipsec_match . "-j $frwd_ref->n{name}"; match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" );
} }
} }
} }
@ -1328,25 +1328,25 @@ sub generate_matrix() {
if ( $chain1 ) { if ( $chain1 ) {
if ( @$exclusions ) { if ( @$exclusions ) {
add_rule $filter_table->{output_chain $interface} , $dest . $ipsec_out_match . "-j ${zone}_output"; add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
add_rule $filter_table->{"${zone}_output"} , "-j $chain1"; add_rule $filter_table->{"${zone}_output"} , "-j $chain1";
} else { } else {
add_rule $filter_table->{output_chain $interface} , $dest . $ipsec_out_match . "-j $chain1"; add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
} }
} }
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, ( "-i $interface " . $source . $ipsec_in_match ); insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );
if ( $chain2 ) { if ( $chain2 ) {
if ( @$exclusions ) { if ( @$exclusions ) {
add_rule $filter_table->{input_chain $interface}, $source . $ipsec_in_match . "-j ${zone}_input"; add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
add_rule $filter_table->{"${zone}_input"} , "-j $chain2"; add_rule $filter_table->{"${zone}_input"} , "-j $chain2";
} else { } else {
add_rule $filter_table->{input_chain $interface}, $source . $ipsec_in_match . "-j $chain2"; add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
} }
} }
add_rule $filter_table->{forward_chain $interface} , $source . $ipsec_in_match . "-j $frwd_ref->{name}" add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
if $complex && $hostref->{ipsec} ne 'ipsec'; if $complex && $hostref->{ipsec} ne 'ipsec';
} }
} }
@ -1470,7 +1470,7 @@ sub generate_matrix() {
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule $frwd_ref, "-o $interface " . match_dest_net($net) . $ipsec_out_match . "-j $chain"; add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" );
} }
} }
} }
@ -1491,7 +1491,9 @@ sub generate_matrix() {
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
for my $net1 ( @{$host1ref->{hosts}} ) { for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
add_rule $chain3ref, "-o $interface1 " . $source_match . match_dest_net($net1) . $ipsec_out_match . "-j $chain"; add_rule
$chain3ref ,
join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" );
} }
} }
} }
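Review bot: The generate_matrix hunk at `@ -1278` keeps a defect the commit's own theme should have caught: `match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" )` hands the whole joined string — net, ipsec match and jump target — to match_source_net as its single argument, because match_source_net is declared with a `( $ )` prototype (visible in the first file section), exactly as the old `$net . $ipsec_match . "-j ..."` form did. The result is a rule whose source match is the concatenated junk rather than `$net`, so the forward-chain jump for that host is either malformed or matches the wrong traffic; the same line also interpolates `$frwd_ref->n{name}`, which is not a valid subscript and looks like a typo for `$frwd_ref->{name}` as written on the later `-j $frwd_ref->{name}` lines. Suggested replacement for that argument: `join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" );`. Whether this path is exercised depends on the ipsec/complex host configuration, which I cannot see from here; the enclosing sub generate_matrix extends well outside the hunk.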


@ -64,7 +64,7 @@ sub generate_script_1 {
my $date = localtime; my $date = localtime;
emit( "#\n# Compiled firewall script generated by Shorewall-pl " . $env{VERSION} . " - $date\n#" ); emit join ( '', "#\n# Compiled firewall script generated by Shorewall-pl ", $env{VERSION}, " - $date\n#" );
if ( $ENV{EXPORT} ) { if ( $ENV{EXPORT} ) {
emit 'SHAREDIR=/usr/share/shorewall-lite'; emit 'SHAREDIR=/usr/share/shorewall-lite';
@ -129,7 +129,7 @@ sub generate_script_1 {
emit '[ -n "${VERBOSE:=0}" ]'; emit '[ -n "${VERBOSE:=0}" ]';
emit '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]'; emit '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]';
emit '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"'; emit '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"';
emit( 'VERSION="' . $env{VERSION} . '"' ); emit join( '', 'VERSION="', $env{VERSION}, '"' );
emit "PATH=\"$config{PATH}\""; emit "PATH=\"$config{PATH}\"";
emit 'TERMINATOR=fatal_error'; emit 'TERMINATOR=fatal_error';
@ -593,11 +593,11 @@ sub compile_firewall( $ ) {
report_capabilities if $ENV{VERBOSE} > 1; report_capabilities if $ENV{VERBOSE} > 1;
fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Conntrack Match Support' ) fatal_error join( '', 'Shorewall-pl ', $env{VERSION}, ' requires Conntrack Match Support' )
unless $capabilities{CONNTRACK_MATCH}; unless $capabilities{CONNTRACK_MATCH};
fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Extended Multi-port Match Support' ) fatal_error join ( '', 'Shorewall-pl ', $env{VERSION}, ' requires Extended Multi-port Match Support' )
unless $capabilities{XMULTIPORT}; unless $capabilities{XMULTIPORT};
fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Address Type Match Support' ) fatal_error join( '', 'Shorewall-pl ', $env{VERSION}, ' requires Address Type Match Support' )
unless $capabilities{ADDRTYPE}; unless $capabilities{ADDRTYPE};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables' fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH}; if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
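Review bot: Spacing of the new join calls is inconsistent within this file — `join ( ''` on the generate_script_1 header line and the XMULTIPORT fatal_error, but `join( ''` on the VERSION line and the CONNTRACK_MATCH / ADDRTYPE fatal_errors — and `emit join ( … )` drops the parentheses the original `emit( … )` had. Pick one form, preferably `emit join( '', … )` and `fatal_error join( '', … )`, so the three capability checks read as a uniform block. Behaviour is unaffected either way; this is a readability point only.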