Periodic elimination of trailing white space

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-09-27 11:16:18 -07:00
parent f33912d5f7
commit f7eb3c3d8c
25 changed files with 113 additions and 113 deletions


@ -224,7 +224,7 @@ while : ; do
# One of the interfaces changed state -- restart Shorewall # One of the interfaces changed state -- restart Shorewall
# #
echo $if1_state > $VARDIR/${IF1}.status echo $if1_state > $VARDIR/${IF1}.status
echo $if2_state > $VARDIR/${IF2}.status echo $if2_state > $VARDIR/${IF2}.status
eval $COMMAND eval $COMMAND
state_changed= state_changed=
fi fi


@ -32,7 +32,7 @@
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: swping # Provides: swping
# Required-Start: shorewall # Required-Start: shorewall
# Should-Start: # Should-Start:
# Required-Stop: # Required-Stop:
# Default-Start: 2 3 5 # Default-Start: 2 3 5
# Default-Stop: 0 1 6 # Default-Stop: 0 1 6
@ -87,7 +87,7 @@ case "$command" in
echo "swping is running" echo "swping is running"
exit 0 exit 0
else else
echo "swping is stopped" echo "swping is stopped"
exit 3 exit 3
fi fi
;; ;;


@ -5,7 +5,7 @@
# #
# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier. # This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
# #
# If you are running BitTorrent 3.2 or later, you should use the # If you are running BitTorrent 3.2 or later, you should use the
# BitTorrent32 macro. # BitTorrent32 macro.
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/


@ -15,7 +15,7 @@
# Example for a two-interface firewall which acts as a print # Example for a two-interface firewall which acts as a print
# server for loc: # server for loc:
# IPPserver/ACCEPT loc $FW # IPPserver/ACCEPT loc $FW
# #
# NOTE: If you want both to serve requests for local printers and # NOTE: If you want both to serve requests for local printers and
# listen to requests for remote printers (i.e. your CUPS server is # listen to requests for remote printers (i.e. your CUPS server is
# also a client), you need to apply the rule twice, e.g. # also a client), you need to apply the rule twice, e.g.


@ -304,9 +304,9 @@
# #removed from Netfilter in kernel # #removed from Netfilter in kernel
# #version 2.6.14). # #version 2.6.14).
# #
# MARK Specifies a MARK value to match. Must be empty or # MARK Specifies a MARK value to match. Must be empty or
# '-' if the macro is to be used within an action. # '-' if the macro is to be used within an action.
# #
# [!]value[/mask][:C] # [!]value[/mask][:C]
# #
# Defines a test on the existing packet or connection # Defines a test on the existing packet or connection
@ -341,7 +341,7 @@
# [!]limit[:mask] # [!]limit[:mask]
# #
# May be used to limit the number of simultaneous # May be used to limit the number of simultaneous
# connections from each individual host to limit # connections from each individual host to limit
# connections. Requires connlimit match in your kernel # connections. Requires connlimit match in your kernel
# and iptables. While the limit is only checked on rules # and iptables. While the limit is only checked on rules
# specifying CONNLIMIT, the number of current connections # specifying CONNLIMIT, the number of current connections


@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule2 = 0; my $rule2 = 0;
my $jump = 0; my $jump = 0;
unless ( $action eq 'COUNT' ) { unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) { if ( $action eq 'DONE' ) {
$target = 'RETURN'; $target = 'RETURN';
@ -166,7 +166,7 @@ sub process_accounting_rule( ) {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed"; fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
} }
} else { } else {
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain ); warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir; $chainref->{ipsec} = $dir;
} }
} elsif ( $ipsec ne '-' ) { } elsif ( $ipsec ne '-' ) {


@ -195,7 +195,7 @@ sub split_action ( $ ) {
$action = $2 ? $3 : ''; $action = $2 ? $3 : '';
$max = 2; $max = 2;
} }
my @a = split( /:/ , $action, 4 ); my @a = split( /:/ , $action, 4 );
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max ); fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
$target = shift @a unless $target; $target = shift @a unless $target;


@ -628,7 +628,7 @@ sub delete_reference( $$ ) {
# #
# In the first function, the rule number is zero-relative. In the second function, # In the first function, the rule number is zero-relative. In the second function,
# the rule number is one-relative. In the first function, if the rule number is < 0, then # the rule number is one-relative. In the first function, if the rule number is < 0, then
# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be # the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
# inserted at the front of the chain and the chain's 'blacklist' member incremented. # inserted at the front of the chain and the chain's 'blacklist' member incremented.
# #
sub insert_rule1($$$) sub insert_rule1($$$)
@ -733,7 +733,7 @@ sub move_rules( $$ ) {
for ( @{$chain1->{rules}} ) { for ( @{$chain1->{rules}} ) {
adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/; adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
} }
if ( $debug ) { if ( $debug ) {
my $rule = $blacklist; my $rule = $blacklist;
trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}}; trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
@ -754,7 +754,7 @@ sub move_rules( $$ ) {
} else { } else {
shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1]; shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
} }
delete_chain $chain1; delete_chain $chain1;
$count; $count;
@ -789,7 +789,7 @@ sub copy_rules( $$ ) {
# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list # Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
# #
my $rule = shift @rules1; my $rule = shift @rules1;
$rule =~ / -j ([^\s])/; $rule =~ / -j ([^\s])/;
my $chainb = $1; my $chainb = $1;
@ -814,7 +814,7 @@ sub copy_rules( $$ ) {
trace( $chain2, 'A', 1 , $rules1[0]) if $debug; trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
unshift @$rules2, shift @rules1; unshift @$rules2, shift @rules1;
$chain1->{blacklist} = 0; $chain1->{blacklist} = 0;
$chain2->{blacklist} = 1; $chain2->{blacklist} = 1;
} }
@ -823,7 +823,7 @@ sub copy_rules( $$ ) {
my $rule = @$rules2; my $rule = @$rules2;
trace( $chain2, 'A', ++$rule, $_ ) for @rules1; trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
} }
push @$rules2, @rules1; push @$rules2, @rules1;
progress_message " $count rules from $chain1->{name} appended to $chain2->{name}"; progress_message " $count rules from $chain1->{name} appended to $chain2->{name}";
@ -1078,10 +1078,10 @@ sub find_chain($$) {
my ($table, $chain) = @_; my ($table, $chain) = @_;
assert( $table && $chain && $chain_table{$table} ); assert( $table && $chain && $chain_table{$table} );
$chain_table{$table}{$chain}; $chain_table{$table}{$chain};
} }
# #
# Create a chain if it doesn't exist already # Create a chain if it doesn't exist already
# #
@ -2787,11 +2787,11 @@ sub do_ipsec($$) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' ); fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
my @options = split_list $ipsec, 'IPSEC options'; my @options = split_list $ipsec, 'IPSEC options';
if ( @options == 1 ) { if ( @options == 1 ) {
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) { if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
return do_ipsec_options $dir, 'ipsec', ''; return do_ipsec_options $dir, 'ipsec', '';
} }
if ( lc( $options[0] ) =~ /^(no|none)$/ ) { if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', ''; return do_ipsec_options $dir, 'none', '';
@ -2912,7 +2912,7 @@ sub mysplit( $ ) {
fatal_error "Missing ']' ($element)" unless @input; fatal_error "Missing ']' ($element)" unless @input;
$element .= ( ',' . shift @input ); $element .= ( ',' . shift @input );
} }
fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/; fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
} }
@ -3644,14 +3644,14 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Log rule # Log rule
# #
log_rule_limit( $loglevel , log_rule_limit( $loglevel ,
$echainref , $echainref ,
$chain, $chain,
$disposition eq 'reject' ? 'REJECT' : $disposition , $disposition eq 'reject' ? 'REJECT' : $disposition ,
'' , '' ,
$logtag , $logtag ,
'add' , 'add' ,
'' ) '' )
if $loglevel; if $loglevel;
# #
# Generate Final Rule # Generate Final Rule
@ -3764,14 +3764,14 @@ sub promote_blacklist_rules() {
# Copy 'blacklst''s references since they will change in the following loop # Copy 'blacklst''s references since they will change in the following loop
# #
my @references = map $filter_table->{$_}, keys %{$chainbref->{references}}; my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
for my $chain1ref ( @references ) { for my $chain1ref ( @references ) {
assert( $chain1ref->{blacklist} == 1 ); assert( $chain1ref->{blacklist} == 1 );
my $copied = 0; my $copied = 0;
my $rule = $chain1ref->{rules}[0]; my $rule = $chain1ref->{rules}[0];
my $chain1 = $chain1ref->{name}; my $chain1 = $chain1ref->{name};
for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) { for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
unless ( $chain2ref->{builtin} ) { unless ( $chain2ref->{builtin} ) {
# #
@ -3984,7 +3984,7 @@ sub load_ipsets() {
' fi' , ' fi' ,
' fi' , ' fi' ,
); );
if ( @ipsets ) { if ( @ipsets ) {
emit ''; emit '';


@ -445,7 +445,7 @@ EOF
my $config_dir = $globals{CONFIGDIR}; my $config_dir = $globals{CONFIGDIR};
emit<<"EOF"; emit<<"EOF";
set_state Started $config_dir set_state Started $config_dir
run_restored_exit run_restored_exit
else else
if [ \$COMMAND = refresh ]; then if [ \$COMMAND = refresh ]; then


@ -1841,7 +1841,7 @@ sub read_a_line(;$) {
embedded_perl( $1 ); embedded_perl( $1 );
next; next;
} }
} }
my $count = 0; my $count = 0;
# #
@ -2928,12 +2928,12 @@ sub get_configuration( $ ) {
if ( $units && $units ne 'sec' ) { if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) { if ( $units ne 'min' ) {
$expire *= 60; #At least an hour $expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day'; $expire *= 24 if $units eq 'day';
} }
$limit .= "--hashlimit-htable-expire $expire "; $limit .= "--hashlimit-htable-expire $expire ";
} }
} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) { } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {


@ -189,7 +189,7 @@ sub validate_4net( $$ ) {
if ( $1 ) { if ( $1 ) {
fatal_error "An ipset list ($net) is not allowed in this context"; fatal_error "An ipset list ($net) is not allowed in this context";
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) { } elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
fatal_error "An ipset name ($net) is not allowed in this context"; fatal_error "An ipset name ($net) is not allowed in this context";
} else { } else {
fatal_error "Invalid ipset name ($net)"; fatal_error "Invalid ipset name ($net)";
} }
@ -306,7 +306,7 @@ sub resolve_proto( $ ) {
# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations # Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
# #
$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6; $proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto; defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
} }
} }
@ -553,7 +553,7 @@ sub validate_6net( $$ ) {
if ( $1 ) { if ( $1 ) {
fatal_error "An ipset list ($net) is not allowed in this context"; fatal_error "An ipset list ($net) is not allowed in this context";
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) { } elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
fatal_error "An ipset name ($net) is not allowed in this context"; fatal_error "An ipset name ($net) is not allowed in this context";
} else { } else {
fatal_error "Invalid ipset name ($net)"; fatal_error "Invalid ipset name ($net)";
} }


@ -341,7 +341,7 @@ sub validate_policy()
add_or_modify_policy_chain( $zone, $zone1 ); add_or_modify_policy_chain( $zone, $zone1 );
add_or_modify_policy_chain( $zone1, $zone ); add_or_modify_policy_chain( $zone1, $zone );
} }
} }
} }
} }
@ -496,13 +496,13 @@ sub setup_syn_flood_chains() {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref; my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit( $level , log_rule_limit( $level ,
$synchainref , $synchainref ,
$chainref->{name} , $chainref->{name} ,
'DROP', 'DROP',
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
'' , '' ,
'add' , 'add' ,
'' ) '' )
if $level ne ''; if $level ne '';
add_rule $synchainref, '-j DROP'; add_rule $synchainref, '-j DROP';


@ -849,7 +849,7 @@ sub handle_optional_interfaces( $ ) {
if ( @$interfaces ) { if ( @$interfaces ) {
my $require = $config{REQUIRE_INTERFACE}; my $require = $config{REQUIRE_INTERFACE};
verify_required_interfaces( shift ); verify_required_interfaces( shift );
emit( 'HAVE_INTERFACE=', '' ) if $require; emit( 'HAVE_INTERFACE=', '' ) if $require;
@ -860,9 +860,9 @@ sub handle_optional_interfaces( $ ) {
if ( $wildcards ) { if ( $wildcards ) {
# #
# We must consider all interfaces with an address in $family -- generate a list of such addresses. # We must consider all interfaces with an address in $family -- generate a list of such addresses.
# #
emit( '', emit( '',
'for interface in $(find_all_interfaces1); do', 'for interface in $(find_all_interfaces1); do',
); );
@ -904,10 +904,10 @@ sub handle_optional_interfaces( $ ) {
if ( $wildcards ) { if ( $wildcards ) {
emit( "$case)" ); emit( "$case)" );
push_indent; push_indent;
if ( $wild ) { if ( $wild ) {
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) ); emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
push_indent; push_indent;
emit ( 'if interface_is_usable $interface; then' ); emit ( 'if interface_is_usable $interface; then' );
} else { } else {
emit ( "if interface_is_usable $physical; then" ); emit ( "if interface_is_usable $physical; then" );


@ -1064,7 +1064,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$action = "NFQUEUE --queue-num $paramval"; $action = "NFQUEUE --queue-num $paramval";
} elsif ( $actiontype & SET ) { } elsif ( $actiontype & SET ) {
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' ); require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
fatal_error "$action rules require a set name parameter" unless $param; fatal_error "$action rules require a set name parameter" unless $param;
} else { } else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
} }
@ -1531,7 +1531,7 @@ sub process_section ($) {
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
} }
$section = $sect; $section = $sect;
} }
@ -1698,13 +1698,13 @@ sub generate_dest_rules( $$$$ ) {
if ( $type2 == VSERVER ) { if ( $type2 == VSERVER ) {
for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) { for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain); my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( $chainref, add_jump( $chainref,
$exclusion , $exclusion ,
0, 0,
join('', $match, match_dest_net( $net ) ) ) join('', $match, match_dest_net( $net ) ) )
} }
} }
} else { } else {
@ -1718,7 +1718,7 @@ sub generate_dest_rules( $$$$ ) {
sub generate_source_rules( $$$$ ) { sub generate_source_rules( $$$$ ) {
my ( $outchainref, $z1, $z2, $match ) = @_; my ( $outchainref, $z1, $z2, $match ) = @_;
my $chain = rules_target ( $z1, $z2 ); my $chain = rules_target ( $z1, $z2 );
if ( $chain ) { if ( $chain ) {
# #
# Not a CONTINUE policy with no rules # Not a CONTINUE policy with no rules
@ -1726,16 +1726,16 @@ sub generate_source_rules( $$$$ ) {
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) { for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
my $ipsec_match = match_ipsec_in $z1 , $hostref; my $ipsec_match = match_ipsec_in $z1 , $hostref;
my $exclusion = source_exclusion( $hostref->{exclusions}, $chain); my $exclusion = source_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
generate_dest_rules( $outchainref, generate_dest_rules( $outchainref,
$exclusion, $exclusion,
$z2, $z2,
join('', match_source_net( $net ), $match , $ipsec_match ) join('', match_source_net( $net ), $match , $ipsec_match )
); );
} }
} }
} }
} }
# #
@ -1780,11 +1780,11 @@ sub handle_loopback_traffic() {
for my $typeref ( values %{$source_hosts_ref} ) { for my $typeref ( values %{$source_hosts_ref} ) {
for my $hostref ( @{$typeref->{'%vserver%'}} ) { for my $hostref ( @{$typeref->{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref); my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ ); add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
} }
} }
} }
} }
} }
@ -1873,7 +1873,7 @@ sub generate_matrix() {
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
if ( $simple ) { if ( $simple ) {
# #
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
@ -1881,7 +1881,7 @@ sub generate_matrix() {
for my $zone1 ( @zones ) { for my $zone1 ( @zones ) {
my $ruleschain = rules_chain( $zone, $zone1 ); my $ruleschain = rules_chain( $zone, $zone1 );
my $ruleschainref = $filter_table->{$ruleschain}; my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
} }
@ -1899,12 +1899,12 @@ sub generate_matrix() {
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) { if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 ); add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
} }
} }
} }
next if $simple; next if $simple;
# #
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
# #
@ -2028,7 +2028,7 @@ sub generate_matrix() {
my $ipsec_in_match = match_ipsec_in $zone , $hostref; my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref; my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $exclusions = $hostref->{exclusions}; my $exclusions = $hostref->{exclusions};
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
my $dest = match_dest_net $net; my $dest = match_dest_net $net;


@ -297,7 +297,7 @@ sub process_tc_rule( ) {
} }
$restriction = DESTIFACE_DISALLOW; $restriction = DESTIFACE_DISALLOW;
ensure_mangle_chain($target); ensure_mangle_chain($target);
$sticky++; $sticky++;
@ -1462,7 +1462,7 @@ sub process_secmark_rule() {
O => 'tcout' , ); O => 'tcout' , );
my %state = ( N => 'NEW' , my %state = ( N => 'NEW' ,
E => 'ESTABLISHED' , E => 'ESTABLISHED' ,
ER => 'ESTABLISHED,RELATED' ); ER => 'ESTABLISHED,RELATED' );
my ( $chain , $state, $rest) = split ':', $chainin , 3; my ( $chain , $state, $rest) = split ':', $chainin , 3;
@ -1470,7 +1470,7 @@ sub process_secmark_rule() {
fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain; fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
my $chain1= $chns{$chain}; my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1; fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout'; fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
@ -1488,22 +1488,22 @@ sub process_secmark_rule() {
$disposition =~ s/ .*//; $disposition =~ s/ .*//;
expand_rule( ensure_mangle_chain( $chain1 ) , expand_rule( ensure_mangle_chain( $chain1 ) ,
$restrictions{$chain1} , $restrictions{$chain1} ,
$state . $state .
do_proto( $proto, $dport, $sport ) . do_proto( $proto, $dport, $sport ) .
do_user( $user ) . do_user( $user ) .
do_test( $mark, $globals{TC_MASK} ) , do_test( $mark, $globals{TC_MASK} ) ,
$source , $source ,
$dest , $dest ,
'' , '' ,
$target , $target ,
'' , '' ,
$disposition, $disposition,
'' ); '' );
progress_message "Secmarks rule \"$currentline\" $done"; progress_message "Secmarks rule \"$currentline\" $done";
} }
# #
@ -1622,7 +1622,7 @@ sub setup_tc() {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
process_secmark_rule while read_a_line; process_secmark_rule while read_a_line;
clear_comment; clear_comment;
} }


@ -160,7 +160,7 @@ our %reservedName = ( all => 1,
# } # }
# #
# The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in # The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
# the same order as the interfaces are encountered in the configuration files. # the same order as the interfaces are encountered in the configuration files.
# #
our @interfaces; our @interfaces;
our %interfaces; our %interfaces;
@ -804,7 +804,7 @@ sub chain_base($) {
# #
return $name if $name; return $name if $name;
# #
# Remember initial value # Remember initial value
# #
my $key = $chain; my $key = $chain;
# #
@ -882,7 +882,7 @@ sub process_interface( $$ ) {
} else { } else {
$zoneref->{bridge} = $interface; $zoneref->{bridge} = $interface;
} }
fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER; fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
} }
@ -950,7 +950,7 @@ sub process_interface( $$ ) {
if ( $zone ) { if ( $zone ) {
fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER ); fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
} else { } else {
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY; fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
} }
@ -1178,7 +1178,7 @@ sub map_physical( $$ ) {
# #
# Returns true if passed interface matches an entry in /etc/shorewall/interfaces # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
# #
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in # If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
# %interfaces. # %interfaces.
# #
sub known_interface($;$) sub known_interface($;$)
@ -1195,7 +1195,7 @@ sub known_interface($;$)
my $root = $interfaceref->{root}; my $root = $interfaceref->{root};
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) { if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
my $physical = map_physical( $interface, $interfaceref ); my $physical = map_physical( $interface, $interfaceref );
my $copyref = { options => $interfaceref->{options}, my $copyref = { options => $interfaceref->{options},
bridge => $interfaceref->{bridge} , bridge => $interfaceref->{bridge} ,
name => $i , name => $i ,
@ -1392,7 +1392,7 @@ sub verify_required_interfaces( $ ) {
my $wait = $interfaces{$interface}{options}{wait}; my $wait = $interfaces{$interface}{options}{wait};
emit q() unless $first-- > 0; emit q() unless $first-- > 0;
if ( $wait ) { if ( $wait ) {
my $physical = get_physical $interface; my $physical = get_physical $interface;
@ -1431,7 +1431,7 @@ sub verify_required_interfaces( $ ) {
} }
emit( ";;\n" ); emit( ";;\n" );
pop_indent; pop_indent;
pop_indent; pop_indent;
@ -1697,7 +1697,7 @@ sub process_host( ) {
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { } elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
} }
} }
my $optionsref = { dynamic => 0 }; my $optionsref = { dynamic => 0 };
@ -1723,7 +1723,7 @@ sub process_host( ) {
} }
} }
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
$optionsref = \%options; $optionsref = \%options;
} }


@ -22,11 +22,11 @@ checkkernelversion() {
local kernel local kernel
kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
if [ $kernel -lt 20624 ]; then if [ $kernel -lt 20624 ]; then
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later" error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
return 1 return 1
else else
return 0 return 0
fi fi
} }
@ -296,7 +296,7 @@ case "$COMMAND" in
echo "$g_product is stopped" echo "$g_product is stopped"
status=4 status=4
fi fi
if [ -f ${VARDIR}/state ]; then if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)" state="$(cat ${VARDIR}/state)"
case $state in case $state in


@ -509,7 +509,7 @@ undo_routing() {
# #
restore_default_route() { restore_default_route() {
local result local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=


@ -497,7 +497,7 @@ undo_routing() {
# #
restore_default_route() { restore_default_route() {
local result local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=


@ -3,11 +3,11 @@
# #
# /etc/shorewall/findgw # /etc/shorewall/findgw
# #
# The code in this file is executed when Shorewall is trying to detect the # The code in this file is executed when Shorewall is trying to detect the
# gateway through an interface in /etc/shorewall/providers that has GATEWAY # gateway through an interface in /etc/shorewall/providers that has GATEWAY
# specified as 'detect'. # specified as 'detect'.
# #
# The function should echo the IP address of the gateway if it knows what # The function should echo the IP address of the gateway if it knows what
# it is; the name of the interface is in $1. # it is; the name of the interface is in $1.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional


@ -4,7 +4,7 @@
# /etc/shorewall/restored # /etc/shorewall/restored
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# completed a 'restore' command. # completed a 'restore' command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.


@ -10,4 +10,4 @@


@ -562,7 +562,7 @@ show_command() {
if [ -z "$LOGFILE" ]; then if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac" g_logread="logread | tac"
elif [ -r $LOGFILE ]; then elif [ -r $LOGFILE ]; then


@ -514,7 +514,7 @@ find_file()
# #
# Set the Shorewall state # Set the Shorewall state
# #
set_state () # $1 = state $2 set_state () # $1 = state $2
{ {
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
echo "$1 ($(date)) from $2" > ${VARDIR}/state echo "$1 ($(date)) from $2" > ${VARDIR}/state


@ -31,7 +31,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
... ...
Shorewall configuration compiled to /var/lib/shorewall6/.start Shorewall configuration compiled to /var/lib/shorewall6/.start
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
/usr/share/shorewall6/lib.common: line 73: /usr/share/shorewall6/lib.common: line 73:
[: -lt: unary operator expected [: -lt: unary operator expected
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
[root@localhost shorewall6]# [root@localhost shorewall6]#
@ -345,18 +345,18 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
defined as optional in the interfaces file. defined as optional in the interfaces file.
o If there were no references matching the wildcard, then the o If there were no references matching the wildcard, then the
'optional' option was effectively ignored. 'optional' option was effectively ignored.
The new implementation: The new implementation:
- Insures valid shell variable names. - Insures valid shell variable names.
- Insures that shell variable names are unique. - Insures that shell variable names are unique.
- Handles interface names appearing in the INTERFACE column of the - Handles interface names appearing in the INTERFACE column of the
providers file as a special case for 'optional'. If the name providers file as a special case for 'optional'. If the name
matches a wildcard entry in the interfaces file then the matches a wildcard entry in the interfaces file then the
usability of the specific interface is tracked individually. usability of the specific interface is tracked individually.
- Handles the availabilty of other interfaces matching a wildcard - Handles the availabilty of other interfaces matching a wildcard
as a group; if there is one useable interface in the group then as a group; if there is one useable interface in the group then
@ -392,7 +392,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
state match rather than conntrack match for UNTRACKED state state match rather than conntrack match for UNTRACKED state
matching. matching.
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
did not clear the raw table. did not clear the raw table.
13) An error message was incorrectly generated if a port range of the 13) An error message was incorrectly generated if a port range of the
@ -429,7 +429,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
The 'all' and 'any' keywords now support exclusion in the form of a The 'all' and 'any' keywords now support exclusion in the form of a
comma-separated list of excluded zones. comma-separated list of excluded zones.
Examples: Examples:
all!fw (same as all-). all!fw (same as all-).
any+!dmz,loc (All zones except 'dmz' and 'loc' and any+!dmz,loc (All zones except 'dmz' and 'loc' and
@ -554,7 +554,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
fatal compilation error in REDIRECT rules. fatal compilation error in REDIRECT rules.
4) A number of problems associated with Shorewall-init and Upstart 4) A number of problems associated with Shorewall-init and Upstart
have been corrected. have been corrected.
If you use Shorewall-init, then when upgrading to this version, be If you use Shorewall-init, then when upgrading to this version, be
sure to recompile all firewall scripts before you take interfaces sure to recompile all firewall scripts before you take interfaces
@ -564,7 +564,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/usr/share/shorewall/configfiles/Makefile and rather issued the /usr/share/shorewall/configfiles/Makefile and rather issued the
following message: following message:
install-file: command not found install-file: command not found
This caused the Makefile to be omitted from RPMs as well. This caused the Makefile to be omitted from RPMs as well.
@ -592,7 +592,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
2) Per-ip log rate limiting has been added in the form of the LOGLIMIT 2) Per-ip log rate limiting has been added in the form of the LOGLIMIT
option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
LOGBURST are ignored. LOGBURST are ignored.
LOGRATE and LOGBURST are now deprecated. LOGRATE and LOGBURST are now deprecated.
@ -675,7 +675,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Shorewall is running Shorewall is running
State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/ State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
gateway:/etc/shorewall# gateway:/etc/shorewall#
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1 P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
@ -708,7 +708,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
shorewall.conf and shorewall6.conf. It has been added. shorewall.conf and shorewall6.conf. It has been added.
6) Under some versions of Perl, a Perl run-time diagnostic was produced 6) Under some versions of Perl, a Perl run-time diagnostic was produced
when options were omitted from shorewall.conf or shorewall6.conf. when options were omitted from shorewall.conf or shorewall6.conf.
7) If the following options were specified in /etc/shorewall/interfaces 7) If the following options were specified in /etc/shorewall/interfaces
for an interface with '-' in the ZONE column, then these options for an interface with '-' in the ZONE column, then these options
@ -729,7 +729,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
9) Previously, if nets= was specified under Shorewall6, this error 9) Previously, if nets= was specified under Shorewall6, this error
would result: would result:
ERROR: Invalid IPv6 address (224.0.0.0) : ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16) /etc/shorewall6/interfaces (line 16)
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -744,7 +744,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
See http://www.shorewall.net/Vserver.html for details. See http://www.shorewall.net/Vserver.html for details.
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf 2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
and shorewall6.conf. and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with rule in the mangle FORWARD chain. This behavior is maintained with