Periodic elimination of trailing white space
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
f33912d5f7
commit
f7eb3c3d8c
@ -224,7 +224,7 @@ while : ; do
|
||||
# One of the interfaces changed state -- restart Shorewall
|
||||
#
|
||||
echo $if1_state > $VARDIR/${IF1}.status
|
||||
echo $if2_state > $VARDIR/${IF2}.status
|
||||
echo $if2_state > $VARDIR/${IF2}.status
|
||||
eval $COMMAND
|
||||
state_changed=
|
||||
fi
|
||||
|
@ -32,7 +32,7 @@
|
||||
### BEGIN INIT INFO
|
||||
# Provides: swping
|
||||
# Required-Start: shorewall
|
||||
# Should-Start:
|
||||
# Should-Start:
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 5
|
||||
# Default-Stop: 0 1 6
|
||||
@ -87,7 +87,7 @@ case "$command" in
|
||||
echo "swping is running"
|
||||
exit 0
|
||||
else
|
||||
echo "swping is stopped"
|
||||
echo "swping is stopped"
|
||||
exit 3
|
||||
fi
|
||||
;;
|
||||
|
@ -5,7 +5,7 @@
|
||||
#
|
||||
# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
|
||||
#
|
||||
# If you are running BitTorrent 3.2 or later, you should use the
|
||||
# If you are running BitTorrent 3.2 or later, you should use the
|
||||
# BitTorrent32 macro.
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
|
@ -15,7 +15,7 @@
|
||||
# Example for a two-interface firewall which acts as a print
|
||||
# server for loc:
|
||||
# IPPserver/ACCEPT loc $FW
|
||||
#
|
||||
#
|
||||
# NOTE: If you want both to serve requests for local printers and
|
||||
# listen to requests for remote printers (i.e. your CUPS server is
|
||||
# also a client), you need to apply the rule twice, e.g.
|
||||
|
@ -304,9 +304,9 @@
|
||||
# #removed from Netfilter in kernel
|
||||
# #version 2.6.14).
|
||||
#
|
||||
# MARK Specifies a MARK value to match. Must be empty or
|
||||
# MARK Specifies a MARK value to match. Must be empty or
|
||||
# '-' if the macro is to be used within an action.
|
||||
#
|
||||
#
|
||||
# [!]value[/mask][:C]
|
||||
#
|
||||
# Defines a test on the existing packet or connection
|
||||
@ -341,7 +341,7 @@
|
||||
# [!]limit[:mask]
|
||||
#
|
||||
# May be used to limit the number of simultaneous
|
||||
# connections from each individual host to limit
|
||||
# connections from each individual host to limit
|
||||
# connections. Requires connlimit match in your kernel
|
||||
# and iptables. While the limit is only checked on rules
|
||||
# specifying CONNLIMIT, the number of current connections
|
||||
|
@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
|
||||
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
|
||||
my $rule2 = 0;
|
||||
my $jump = 0;
|
||||
|
||||
|
||||
unless ( $action eq 'COUNT' ) {
|
||||
if ( $action eq 'DONE' ) {
|
||||
$target = 'RETURN';
|
||||
@ -166,7 +166,7 @@ sub process_accounting_rule( ) {
|
||||
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
|
||||
}
|
||||
} else {
|
||||
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
|
||||
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
|
||||
$chainref->{ipsec} = $dir;
|
||||
}
|
||||
} elsif ( $ipsec ne '-' ) {
|
||||
|
@ -195,7 +195,7 @@ sub split_action ( $ ) {
|
||||
$action = $2 ? $3 : '';
|
||||
$max = 2;
|
||||
}
|
||||
|
||||
|
||||
my @a = split( /:/ , $action, 4 );
|
||||
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
|
||||
$target = shift @a unless $target;
|
||||
|
@ -628,7 +628,7 @@ sub delete_reference( $$ ) {
|
||||
#
|
||||
# In the first function, the rule number is zero-relative. In the second function,
|
||||
# the rule number is one-relative. In the first function, if the rule number is < 0, then
|
||||
# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
|
||||
# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
|
||||
# inserted at the front of the chain and the chain's 'blacklist' member incremented.
|
||||
#
|
||||
sub insert_rule1($$$)
|
||||
@ -733,7 +733,7 @@ sub move_rules( $$ ) {
|
||||
for ( @{$chain1->{rules}} ) {
|
||||
adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
|
||||
}
|
||||
|
||||
|
||||
if ( $debug ) {
|
||||
my $rule = $blacklist;
|
||||
trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
|
||||
@ -754,7 +754,7 @@ sub move_rules( $$ ) {
|
||||
} else {
|
||||
shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
|
||||
}
|
||||
|
||||
|
||||
delete_chain $chain1;
|
||||
|
||||
$count;
|
||||
@ -789,7 +789,7 @@ sub copy_rules( $$ ) {
|
||||
# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
|
||||
#
|
||||
my $rule = shift @rules1;
|
||||
|
||||
|
||||
$rule =~ / -j ([^\s])/;
|
||||
|
||||
my $chainb = $1;
|
||||
@ -814,7 +814,7 @@ sub copy_rules( $$ ) {
|
||||
trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
|
||||
|
||||
unshift @$rules2, shift @rules1;
|
||||
|
||||
|
||||
$chain1->{blacklist} = 0;
|
||||
$chain2->{blacklist} = 1;
|
||||
}
|
||||
@ -823,7 +823,7 @@ sub copy_rules( $$ ) {
|
||||
my $rule = @$rules2;
|
||||
trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
|
||||
}
|
||||
|
||||
|
||||
push @$rules2, @rules1;
|
||||
|
||||
progress_message " $count rules from $chain1->{name} appended to $chain2->{name}";
|
||||
@ -1078,10 +1078,10 @@ sub find_chain($$) {
|
||||
my ($table, $chain) = @_;
|
||||
|
||||
assert( $table && $chain && $chain_table{$table} );
|
||||
|
||||
|
||||
$chain_table{$table}{$chain};
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Create a chain if it doesn't exist already
|
||||
#
|
||||
@ -2787,11 +2787,11 @@ sub do_ipsec($$) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
|
||||
|
||||
my @options = split_list $ipsec, 'IPSEC options';
|
||||
|
||||
|
||||
if ( @options == 1 ) {
|
||||
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
|
||||
return do_ipsec_options $dir, 'ipsec', '';
|
||||
}
|
||||
}
|
||||
|
||||
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
|
||||
return do_ipsec_options $dir, 'none', '';
|
||||
@ -2912,7 +2912,7 @@ sub mysplit( $ ) {
|
||||
fatal_error "Missing ']' ($element)" unless @input;
|
||||
$element .= ( ',' . shift @input );
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
|
||||
}
|
||||
|
||||
@ -3644,14 +3644,14 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Log rule
|
||||
#
|
||||
log_rule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain,
|
||||
log_rule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain,
|
||||
$disposition eq 'reject' ? 'REJECT' : $disposition ,
|
||||
'' ,
|
||||
$logtag ,
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
'' )
|
||||
'' )
|
||||
if $loglevel;
|
||||
#
|
||||
# Generate Final Rule
|
||||
@ -3764,14 +3764,14 @@ sub promote_blacklist_rules() {
|
||||
# Copy 'blacklst''s references since they will change in the following loop
|
||||
#
|
||||
my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
|
||||
|
||||
|
||||
for my $chain1ref ( @references ) {
|
||||
assert( $chain1ref->{blacklist} == 1 );
|
||||
|
||||
my $copied = 0;
|
||||
my $rule = $chain1ref->{rules}[0];
|
||||
my $chain1 = $chain1ref->{name};
|
||||
|
||||
|
||||
for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
|
||||
unless ( $chain2ref->{builtin} ) {
|
||||
#
|
||||
@ -3984,7 +3984,7 @@ sub load_ipsets() {
|
||||
' fi' ,
|
||||
' fi' ,
|
||||
);
|
||||
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit '';
|
||||
|
||||
|
@ -445,7 +445,7 @@ EOF
|
||||
my $config_dir = $globals{CONFIGDIR};
|
||||
|
||||
emit<<"EOF";
|
||||
set_state Started $config_dir
|
||||
set_state Started $config_dir
|
||||
run_restored_exit
|
||||
else
|
||||
if [ \$COMMAND = refresh ]; then
|
||||
|
@ -1841,7 +1841,7 @@ sub read_a_line(;$) {
|
||||
embedded_perl( $1 );
|
||||
next;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my $count = 0;
|
||||
#
|
||||
@ -2928,12 +2928,12 @@ sub get_configuration( $ ) {
|
||||
|
||||
if ( $units && $units ne 'sec' ) {
|
||||
my $expire = 60000; # 1 minute in milliseconds
|
||||
|
||||
|
||||
if ( $units ne 'min' ) {
|
||||
$expire *= 60; #At least an hour
|
||||
$expire *= 24 if $units eq 'day';
|
||||
}
|
||||
|
||||
|
||||
$limit .= "--hashlimit-htable-expire $expire ";
|
||||
}
|
||||
} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
|
||||
|
@ -189,7 +189,7 @@ sub validate_4net( $$ ) {
|
||||
if ( $1 ) {
|
||||
fatal_error "An ipset list ($net) is not allowed in this context";
|
||||
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
|
||||
fatal_error "An ipset name ($net) is not allowed in this context";
|
||||
fatal_error "An ipset name ($net) is not allowed in this context";
|
||||
} else {
|
||||
fatal_error "Invalid ipset name ($net)";
|
||||
}
|
||||
@ -306,7 +306,7 @@ sub resolve_proto( $ ) {
|
||||
# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
|
||||
#
|
||||
$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
|
||||
|
||||
|
||||
defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
|
||||
}
|
||||
}
|
||||
@ -553,7 +553,7 @@ sub validate_6net( $$ ) {
|
||||
if ( $1 ) {
|
||||
fatal_error "An ipset list ($net) is not allowed in this context";
|
||||
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
|
||||
fatal_error "An ipset name ($net) is not allowed in this context";
|
||||
fatal_error "An ipset name ($net) is not allowed in this context";
|
||||
} else {
|
||||
fatal_error "Invalid ipset name ($net)";
|
||||
}
|
||||
|
@ -341,7 +341,7 @@ sub validate_policy()
|
||||
add_or_modify_policy_chain( $zone, $zone1 );
|
||||
add_or_modify_policy_chain( $zone1, $zone );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -496,13 +496,13 @@ sub setup_syn_flood_chains() {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit( $level ,
|
||||
$synchainref ,
|
||||
$chainref->{name} ,
|
||||
'DROP',
|
||||
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
|
||||
'' ,
|
||||
'add' ,
|
||||
log_rule_limit( $level ,
|
||||
$synchainref ,
|
||||
$chainref->{name} ,
|
||||
'DROP',
|
||||
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
|
||||
'' ,
|
||||
'add' ,
|
||||
'' )
|
||||
if $level ne '';
|
||||
add_rule $synchainref, '-j DROP';
|
||||
|
@ -849,7 +849,7 @@ sub handle_optional_interfaces( $ ) {
|
||||
|
||||
if ( @$interfaces ) {
|
||||
my $require = $config{REQUIRE_INTERFACE};
|
||||
|
||||
|
||||
verify_required_interfaces( shift );
|
||||
|
||||
emit( 'HAVE_INTERFACE=', '' ) if $require;
|
||||
@ -860,9 +860,9 @@ sub handle_optional_interfaces( $ ) {
|
||||
|
||||
if ( $wildcards ) {
|
||||
#
|
||||
# We must consider all interfaces with an address in $family -- generate a list of such addresses.
|
||||
# We must consider all interfaces with an address in $family -- generate a list of such addresses.
|
||||
#
|
||||
emit( '',
|
||||
emit( '',
|
||||
'for interface in $(find_all_interfaces1); do',
|
||||
);
|
||||
|
||||
@ -904,10 +904,10 @@ sub handle_optional_interfaces( $ ) {
|
||||
if ( $wildcards ) {
|
||||
emit( "$case)" );
|
||||
push_indent;
|
||||
|
||||
|
||||
if ( $wild ) {
|
||||
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
push_indent;
|
||||
emit ( 'if interface_is_usable $interface; then' );
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
|
@ -1064,7 +1064,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$action = "NFQUEUE --queue-num $paramval";
|
||||
} elsif ( $actiontype & SET ) {
|
||||
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
|
||||
fatal_error "$action rules require a set name parameter" unless $param;
|
||||
fatal_error "$action rules require a set name parameter" unless $param;
|
||||
} else {
|
||||
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
|
||||
}
|
||||
@ -1531,7 +1531,7 @@ sub process_section ($) {
|
||||
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
|
||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||
}
|
||||
|
||||
|
||||
$section = $sect;
|
||||
}
|
||||
|
||||
@ -1698,13 +1698,13 @@ sub generate_dest_rules( $$$$ ) {
|
||||
|
||||
if ( $type2 == VSERVER ) {
|
||||
for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
|
||||
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
|
||||
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_jump( $chainref,
|
||||
add_jump( $chainref,
|
||||
$exclusion ,
|
||||
0,
|
||||
join('', $match, match_dest_net( $net ) ) )
|
||||
join('', $match, match_dest_net( $net ) ) )
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -1718,7 +1718,7 @@ sub generate_dest_rules( $$$$ ) {
|
||||
sub generate_source_rules( $$$$ ) {
|
||||
my ( $outchainref, $z1, $z2, $match ) = @_;
|
||||
my $chain = rules_target ( $z1, $z2 );
|
||||
|
||||
|
||||
if ( $chain ) {
|
||||
#
|
||||
# Not a CONTINUE policy with no rules
|
||||
@ -1726,16 +1726,16 @@ sub generate_source_rules( $$$$ ) {
|
||||
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
|
||||
my $ipsec_match = match_ipsec_in $z1 , $hostref;
|
||||
my $exclusion = source_exclusion( $hostref->{exclusions}, $chain);
|
||||
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
generate_dest_rules( $outchainref,
|
||||
$exclusion,
|
||||
$z2,
|
||||
$z2,
|
||||
join('', match_source_net( $net ), $match , $ipsec_match )
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -1780,11 +1780,11 @@ sub handle_loopback_traffic() {
|
||||
for my $typeref ( values %{$source_hosts_ref} ) {
|
||||
for my $hostref ( @{$typeref->{'%vserver%'}} ) {
|
||||
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
|
||||
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1873,7 +1873,7 @@ sub generate_matrix() {
|
||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blacklst};
|
||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||
|
||||
|
||||
if ( $simple ) {
|
||||
#
|
||||
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
|
||||
@ -1881,7 +1881,7 @@ sub generate_matrix() {
|
||||
for my $zone1 ( @zones ) {
|
||||
my $ruleschain = rules_chain( $zone, $zone1 );
|
||||
my $ruleschainref = $filter_table->{$ruleschain};
|
||||
|
||||
|
||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||
}
|
||||
@ -1899,12 +1899,12 @@ sub generate_matrix() {
|
||||
|
||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
next if $simple;
|
||||
|
||||
|
||||
#
|
||||
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
|
||||
#
|
||||
@ -2028,7 +2028,7 @@ sub generate_matrix() {
|
||||
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
my $exclusions = $hostref->{exclusions};
|
||||
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
my $dest = match_dest_net $net;
|
||||
|
||||
|
@ -297,7 +297,7 @@ sub process_tc_rule( ) {
|
||||
}
|
||||
|
||||
$restriction = DESTIFACE_DISALLOW;
|
||||
|
||||
|
||||
ensure_mangle_chain($target);
|
||||
|
||||
$sticky++;
|
||||
@ -1462,7 +1462,7 @@ sub process_secmark_rule() {
|
||||
O => 'tcout' , );
|
||||
|
||||
my %state = ( N => 'NEW' ,
|
||||
E => 'ESTABLISHED' ,
|
||||
E => 'ESTABLISHED' ,
|
||||
ER => 'ESTABLISHED,RELATED' );
|
||||
|
||||
my ( $chain , $state, $rest) = split ':', $chainin , 3;
|
||||
@ -1470,7 +1470,7 @@ sub process_secmark_rule() {
|
||||
fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
|
||||
|
||||
my $chain1= $chns{$chain};
|
||||
|
||||
|
||||
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
|
||||
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
|
||||
|
||||
@ -1488,22 +1488,22 @@ sub process_secmark_rule() {
|
||||
|
||||
$disposition =~ s/ .*//;
|
||||
|
||||
expand_rule( ensure_mangle_chain( $chain1 ) ,
|
||||
expand_rule( ensure_mangle_chain( $chain1 ) ,
|
||||
$restrictions{$chain1} ,
|
||||
$state .
|
||||
do_proto( $proto, $dport, $sport ) .
|
||||
do_user( $user ) .
|
||||
do_test( $mark, $globals{TC_MASK} ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
$disposition,
|
||||
'' );
|
||||
|
||||
progress_message "Secmarks rule \"$currentline\" $done";
|
||||
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -1622,7 +1622,7 @@ sub setup_tc() {
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
process_secmark_rule while read_a_line;
|
||||
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
|
@ -160,7 +160,7 @@ our %reservedName = ( all => 1,
|
||||
# }
|
||||
#
|
||||
# The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
|
||||
# the same order as the interfaces are encountered in the configuration files.
|
||||
# the same order as the interfaces are encountered in the configuration files.
|
||||
#
|
||||
our @interfaces;
|
||||
our %interfaces;
|
||||
@ -804,7 +804,7 @@ sub chain_base($) {
|
||||
#
|
||||
return $name if $name;
|
||||
#
|
||||
# Remember initial value
|
||||
# Remember initial value
|
||||
#
|
||||
my $key = $chain;
|
||||
#
|
||||
@ -882,7 +882,7 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
$zoneref->{bridge} = $interface;
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
|
||||
}
|
||||
|
||||
@ -950,7 +950,7 @@ sub process_interface( $$ ) {
|
||||
|
||||
if ( $zone ) {
|
||||
fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
|
||||
} else {
|
||||
} else {
|
||||
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
|
||||
}
|
||||
|
||||
@ -1178,7 +1178,7 @@ sub map_physical( $$ ) {
|
||||
#
|
||||
# Returns true if passed interface matches an entry in /etc/shorewall/interfaces
|
||||
#
|
||||
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
|
||||
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
|
||||
# %interfaces.
|
||||
#
|
||||
sub known_interface($;$)
|
||||
@ -1195,7 +1195,7 @@ sub known_interface($;$)
|
||||
my $root = $interfaceref->{root};
|
||||
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
|
||||
my $physical = map_physical( $interface, $interfaceref );
|
||||
|
||||
|
||||
my $copyref = { options => $interfaceref->{options},
|
||||
bridge => $interfaceref->{bridge} ,
|
||||
name => $i ,
|
||||
@ -1392,7 +1392,7 @@ sub verify_required_interfaces( $ ) {
|
||||
my $wait = $interfaces{$interface}{options}{wait};
|
||||
|
||||
emit q() unless $first-- > 0;
|
||||
|
||||
|
||||
if ( $wait ) {
|
||||
my $physical = get_physical $interface;
|
||||
|
||||
@ -1431,7 +1431,7 @@ sub verify_required_interfaces( $ ) {
|
||||
}
|
||||
|
||||
emit( ";;\n" );
|
||||
|
||||
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
|
||||
@ -1697,7 +1697,7 @@ sub process_host( ) {
|
||||
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
|
||||
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my $optionsref = { dynamic => 0 };
|
||||
|
||||
@ -1723,7 +1723,7 @@ sub process_host( ) {
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
|
||||
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
|
||||
|
||||
$optionsref = \%options;
|
||||
}
|
||||
|
@ -22,11 +22,11 @@ checkkernelversion() {
|
||||
local kernel
|
||||
|
||||
kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
||||
|
||||
|
||||
if [ $kernel -lt 20624 ]; then
|
||||
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
|
||||
return 1
|
||||
else
|
||||
else
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
@ -296,7 +296,7 @@ case "$COMMAND" in
|
||||
echo "$g_product is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
|
@ -509,7 +509,7 @@ undo_routing() {
|
||||
#
|
||||
restore_default_route() {
|
||||
local result
|
||||
|
||||
|
||||
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
|
||||
local default_route
|
||||
default_route=
|
||||
|
@ -497,7 +497,7 @@ undo_routing() {
|
||||
#
|
||||
restore_default_route() {
|
||||
local result
|
||||
|
||||
|
||||
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
|
||||
local default_route
|
||||
default_route=
|
||||
|
@ -3,11 +3,11 @@
|
||||
#
|
||||
# /etc/shorewall/findgw
|
||||
#
|
||||
# The code in this file is executed when Shorewall is trying to detect the
|
||||
# The code in this file is executed when Shorewall is trying to detect the
|
||||
# gateway through an interface in /etc/shorewall/providers that has GATEWAY
|
||||
# specified as 'detect'.
|
||||
#
|
||||
# The function should echo the IP address of the gateway if it knows what
|
||||
# The function should echo the IP address of the gateway if it knows what
|
||||
# it is; the name of the interface is in $1.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
|
@ -4,7 +4,7 @@
|
||||
# /etc/shorewall/restored
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# completed a 'restore' command.
|
||||
# completed a 'restore' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
@ -10,4 +10,4 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -562,7 +562,7 @@ show_command() {
|
||||
|
||||
if [ -z "$LOGFILE" ]; then
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
|
||||
if [ -n "$(syslog_circular_buffer)" ]; then
|
||||
g_logread="logread | tac"
|
||||
elif [ -r $LOGFILE ]; then
|
||||
|
@ -514,7 +514,7 @@ find_file()
|
||||
#
|
||||
# Set the Shorewall state
|
||||
#
|
||||
set_state () # $1 = state $2
|
||||
set_state () # $1 = state $2
|
||||
{
|
||||
if [ $# -gt 1 ]; then
|
||||
echo "$1 ($(date)) from $2" > ${VARDIR}/state
|
||||
|
@ -31,7 +31,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
...
|
||||
Shorewall configuration compiled to /var/lib/shorewall6/.start
|
||||
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
|
||||
/usr/share/shorewall6/lib.common: line 73:
|
||||
/usr/share/shorewall6/lib.common: line 73:
|
||||
[: -lt: unary operator expected
|
||||
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
|
||||
[root@localhost shorewall6]#
|
||||
@ -345,18 +345,18 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
defined as optional in the interfaces file.
|
||||
|
||||
o If there were no references matching the wildcard, then the
|
||||
'optional' option was effectively ignored.
|
||||
'optional' option was effectively ignored.
|
||||
|
||||
The new implementation:
|
||||
|
||||
- Insures valid shell variable names.
|
||||
|
||||
|
||||
- Insures that shell variable names are unique.
|
||||
|
||||
- Handles interface names appearing in the INTERFACE column of the
|
||||
providers file as a special case for 'optional'. If the name
|
||||
matches a wildcard entry in the interfaces file then the
|
||||
usability of the specific interface is tracked individually.
|
||||
usability of the specific interface is tracked individually.
|
||||
|
||||
- Handles the availabilty of other interfaces matching a wildcard
|
||||
as a group; if there is one useable interface in the group then
|
||||
@ -392,7 +392,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
state match rather than conntrack match for UNTRACKED state
|
||||
matching.
|
||||
|
||||
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
|
||||
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
|
||||
did not clear the raw table.
|
||||
|
||||
13) An error message was incorrectly generated if a port range of the
|
||||
@ -429,7 +429,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
The 'all' and 'any' keywords now support exclusion in the form of a
|
||||
comma-separated list of excluded zones.
|
||||
|
||||
Examples:
|
||||
Examples:
|
||||
|
||||
all!fw (same as all-).
|
||||
any+!dmz,loc (All zones except 'dmz' and 'loc' and
|
||||
@ -554,7 +554,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
fatal compilation error in REDIRECT rules.
|
||||
|
||||
4) A number of problems associated with Shorewall-init and Upstart
|
||||
have been corrected.
|
||||
have been corrected.
|
||||
|
||||
If you use Shorewall-init, then when upgrading to this version, be
|
||||
sure to recompile all firewall scripts before you take interfaces
|
||||
@ -564,7 +564,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
/usr/share/shorewall/configfiles/Makefile and rather issued the
|
||||
following message:
|
||||
|
||||
install-file: command not found
|
||||
install-file: command not found
|
||||
|
||||
This caused the Makefile to be omitted from RPMs as well.
|
||||
|
||||
@ -592,7 +592,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
|
||||
2) Per-ip log rate limiting has been added in the form of the LOGLIMIT
|
||||
option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
|
||||
LOGBURST are ignored.
|
||||
LOGBURST are ignored.
|
||||
|
||||
LOGRATE and LOGBURST are now deprecated.
|
||||
|
||||
@ -675,7 +675,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
Shorewall is running
|
||||
State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
|
||||
|
||||
gateway:/etc/shorewall#
|
||||
gateway:/etc/shorewall#
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
|
||||
@ -708,7 +708,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
shorewall.conf and shorewall6.conf. It has been added.
|
||||
|
||||
6) Under some versions of Perl, a Perl run-time diagnostic was produced
|
||||
when options were omitted from shorewall.conf or shorewall6.conf.
|
||||
when options were omitted from shorewall.conf or shorewall6.conf.
|
||||
|
||||
7) If the following options were specified in /etc/shorewall/interfaces
|
||||
for an interface with '-' in the ZONE column, then these options
|
||||
@ -729,7 +729,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
9) Previously, if nets= was specified under Shorewall6, this error
|
||||
would result:
|
||||
|
||||
ERROR: Invalid IPv6 address (224.0.0.0) :
|
||||
ERROR: Invalid IPv6 address (224.0.0.0) :
|
||||
/etc/shorewall6/interfaces (line 16)
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
@ -744,7 +744,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
See http://www.shorewall.net/Vserver.html for details.
|
||||
|
||||
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
|
||||
and shorewall6.conf.
|
||||
and shorewall6.conf.
|
||||
|
||||
Traditionally, Shorewall has cleared the packet mark in the first
|
||||
rule in the mangle FORWARD chain. This behavior is maintained with
|
||||
|