extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-18 12:20:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Re-arrange enforcement of restrictions on geoip.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-17 13:59:56 -07:00
parent d1519345c4
commit f5f80d2ccc
1 changed files with 26 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -3713,7 +3713,7 @@ sub set_mss( $$$ ) {
sub imatch_source_dev( $;$ ); sub imatch_source_dev( $;$ );
sub imatch_dest_dev( $;$ ); sub imatch_dest_dev( $;$ );
sub imatch_source_net( $;$\$ ); sub imatch_source_net( $;$\$ );
sub imatch_dest_net( $ ); sub imatch_dest_net( $;$ );
sub newmsschain( ) { sub newmsschain( ) {
my $seq = $chainseq{filter}++; my $seq = $chainseq{filter}++;
@ -5110,6 +5110,8 @@ sub match_source_net( $;$\$ ) {
} }
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) { if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
for ( split_list $2, 'cc' ) { for ( split_list $2, 'cc' ) {
@ -5174,6 +5176,8 @@ sub imatch_source_net( $;$\$ ) {
} }
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) { if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
for ( split_list $2, 'cc' ) { for ( split_list $2, 'cc' ) {
@ -5203,8 +5207,10 @@ sub imatch_source_net( $;$\$ ) {
# #
# Match a Destination. # Match a Destination.
# #
sub match_dest_net( $ ) { sub match_dest_net( $;$ ) {
my $net = $_[0]; my ( $net, $restriction ) = @_;
$restriction |= 0;
if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) || if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) { ( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
@ -5233,6 +5239,8 @@ sub match_dest_net( $ ) {
} }
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) { if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
for ( split_list $2, 'cc' ) { for ( split_list $2, 'cc' ) {
@ -5259,8 +5267,10 @@ sub match_dest_net( $ ) {
$net eq ALLIP ? '' : "-d $net "; $net eq ALLIP ? '' : "-d $net ";
} }
sub imatch_dest_net( $ ) { sub imatch_dest_net( $;$ ) {
my $net = $_[0]; my ( $net, $restriction ) = @_;
$restriction |= NO_RESTRICT;
if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) || if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) { ( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
@ -5290,6 +5300,8 @@ sub imatch_dest_net( $ ) {
} }
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) { if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
for ( split_list $2, 'cc' ) { for ( split_list $2, 'cc' ) {
@ -6097,8 +6109,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} elsif ( $source =~ /^(.+?):(.+)$/ ) { } elsif ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1; $iiface = $1;
$inets = $2; $inets = $2;
} elsif ( $source =~ /\+|&|~|\..*\./ || } elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?{/ ) {
( ! ( $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ) ) && $source =~ /^!?{/ ) ) {
$inets = $source; $inets = $source;
} else { } else {
$iiface = $source; $iiface = $source;
@ -6112,8 +6123,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else { } else {
$inets = $source; $inets = $source;
} }
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || } elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?{/ ) {
( ! ( $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ) ) && $source =~ /^!?{/ ) ) {
$inets = $source; $inets = $source;
} else { } else {
$iiface = $source; $iiface = $source;
@ -6198,8 +6208,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $dest =~ /^(.+?):(.+)$/ ) { if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1; $diface = $1;
$dnets = $2; $dnets = $2;
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || } elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?{/ ) {
( ! ( $restriction & ( PREROUTE_RESTRICT | INPUT_RESTRICT ) ) && $dest =~ /^!?{/ ) ) {
$dnets = $dest; $dnets = $dest;
} else { } else {
$diface = $dest; $diface = $dest;
@ -6213,8 +6222,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else { } else {
$dnets = $dest; $dnets = $dest;
} }
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || } elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?{/ ) {
( ! ( $restriction & ( PREROUTE_RESTRICT | INPUT_RESTRICT ) ) && $dest =~ /^!?{/ ) ) {
$dnets = $dest; $dnets = $dest;
} else { } else {
$diface = $dest; $diface = $dest;
@ -6347,7 +6355,7 @@ sub expand_rule( $$$$$$$$$$;$ )
unless ( $dnets || $dexcl =~ /^\+\[/ ) { unless ( $dnets || $dexcl =~ /^\+\[/ ) {
my @dexcl = mysplit $dexcl, 1; my @dexcl = mysplit $dexcl, 1;
if ( @dexcl == 1 ) { if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl"; $rule .= match_dest_net "!$dexcl", $restriction;
$dexcl = ''; $dexcl = '';
$trivialdexcl = 1; $trivialdexcl = 1;
} }
@ -6394,7 +6402,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for ( mysplit $dexcl ) { for ( mysplit $dexcl ) {
my $cond = conditional_rule( $chainref, $_ ); my $cond = conditional_rule( $chainref, $_ );
add_rule $chainref, ( match_dest_net $_ ) . $exclude; add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
conditional_rule_end( $chainref ) if $cond; conditional_rule_end( $chainref ) if $cond;
} }
@ -6431,7 +6439,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ) ); add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
} }
conditional_rule_end( $chainref ) if $cond; conditional_rule_end( $chainref ) if $cond;
@ -6451,7 +6459,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for ( mysplit $dexcl ) { for ( mysplit $dexcl ) {
my $cond = conditional_rule( $echainref, $_ ); my $cond = conditional_rule( $echainref, $_ );
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN'; add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
conditional_rule_end( $echainref ) if $cond; conditional_rule_end( $echainref ) if $cond;
} }
@ -6503,7 +6511,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet ); my $dest_match = match_dest_net( $dnet, $restriction );
my $matches = join( '', $rule, $source_match, $dest_match, $onet ); my $matches = join( '', $rule, $source_match, $dest_match, $onet );
my $cond = conditional_rule( $chainref, $dnet ); my $cond = conditional_rule( $chainref, $dnet );