Rename 'mysplit' to 'split_host_list'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
896d874aab
commit
32c9e4274f
@ -227,7 +227,7 @@ our %EXPORT_TAGS = (
|
|||||||
handle_network_list
|
handle_network_list
|
||||||
expand_rule
|
expand_rule
|
||||||
addnatjump
|
addnatjump
|
||||||
mysplit
|
split_host_list
|
||||||
set_chain_variables
|
set_chain_variables
|
||||||
mark_firewall_not_started
|
mark_firewall_not_started
|
||||||
mark_firewall6_not_started
|
mark_firewall6_not_started
|
||||||
@ -3631,7 +3631,7 @@ sub source_iexclusion( $$$$$;@ ) {
|
|||||||
|
|
||||||
if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
|
if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
|
||||||
$source = $1;
|
$source = $1;
|
||||||
@exclusion = mysplit( $2 );
|
@exclusion = split_host_list( $2 );
|
||||||
|
|
||||||
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
@ -3682,7 +3682,7 @@ sub dest_iexclusion( $$$$$;@ ) {
|
|||||||
|
|
||||||
if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
|
if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
|
||||||
$dest = $1;
|
$dest = $1;
|
||||||
@exclusion = mysplit( $2 );
|
@exclusion = split_host_list( $2 );
|
||||||
|
|
||||||
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
@ -4876,7 +4876,7 @@ sub load_isocodes() {
|
|||||||
$isocodes{substr(basename($_),0,2)} = 1 for @codes;
|
$isocodes{substr(basename($_),0,2)} = 1 for @codes;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub mysplit( $;$ );
|
sub split_host_list( $;$ );
|
||||||
|
|
||||||
#
|
#
|
||||||
# Match a Source.
|
# Match a Source.
|
||||||
@ -4906,7 +4906,7 @@ sub match_source_net( $;$\$ ) {
|
|||||||
|
|
||||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||||
my $result = '';
|
my $result = '';
|
||||||
my @sets = mysplit $1, 1;
|
my @sets = split_host_list $1, 1;
|
||||||
|
|
||||||
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||||
|
|
||||||
@ -4979,7 +4979,7 @@ sub imatch_source_net( $;$\$ ) {
|
|||||||
|
|
||||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||||
my @result = ();
|
my @result = ();
|
||||||
my @sets = mysplit $1, 1;
|
my @sets = split_host_list $1, 1;
|
||||||
|
|
||||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||||
|
|
||||||
@ -5048,7 +5048,7 @@ sub match_dest_net( $;$ ) {
|
|||||||
|
|
||||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||||
my $result = '';
|
my $result = '';
|
||||||
my @sets = mysplit $1, 1;
|
my @sets = split_host_list $1, 1;
|
||||||
|
|
||||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||||
|
|
||||||
@ -5115,7 +5115,7 @@ sub imatch_dest_net( $;$ ) {
|
|||||||
|
|
||||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||||
my @result;
|
my @result;
|
||||||
my @sets = mysplit $1, 1;
|
my @sets = split_host_list $1, 1;
|
||||||
|
|
||||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||||
|
|
||||||
@ -5428,7 +5428,7 @@ sub addnatjump( $$;@ ) {
|
|||||||
# Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
|
# Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
|
||||||
# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
|
# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
|
||||||
#
|
#
|
||||||
sub mysplit( $;$ ) {
|
sub split_host_list( $;$ ) {
|
||||||
my ( $input, $loose ) = @_;
|
my ( $input, $loose ) = @_;
|
||||||
|
|
||||||
my @input = split_list $input, 'host';
|
my @input = split_list $input, 'host';
|
||||||
@ -5869,7 +5869,7 @@ sub handle_network_list( $$ ) {
|
|||||||
my $nets = '';
|
my $nets = '';
|
||||||
my $excl = '';
|
my $excl = '';
|
||||||
|
|
||||||
my @nets = mysplit $list;
|
my @nets = split_host_list $list;
|
||||||
|
|
||||||
for ( @nets ) {
|
for ( @nets ) {
|
||||||
if ( /!/ ) {
|
if ( /!/ ) {
|
||||||
@ -6139,7 +6139,7 @@ sub handle_original_dest( $$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
unless ( $onets ) {
|
unless ( $onets ) {
|
||||||
my @oexcl = mysplit $oexcl;
|
my @oexcl = split_host_list $oexcl;
|
||||||
if ( @oexcl == 1 ) {
|
if ( @oexcl == 1 ) {
|
||||||
$rule .= match_orig_dest( "!$oexcl" );
|
$rule .= match_orig_dest( "!$oexcl" );
|
||||||
$oexcl = '';
|
$oexcl = '';
|
||||||
@ -6190,19 +6190,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
||||||
|
|
||||||
for ( mysplit $iexcl ) {
|
for ( split_host_list $iexcl ) {
|
||||||
my $cond = conditional_rule( $chainref, $_ );
|
my $cond = conditional_rule( $chainref, $_ );
|
||||||
add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
|
add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
|
||||||
conditional_rule_end( $chainref ) if $cond;
|
conditional_rule_end( $chainref ) if $cond;
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( mysplit $dexcl ) {
|
for ( split_host_list $dexcl ) {
|
||||||
my $cond = conditional_rule( $chainref, $_ );
|
my $cond = conditional_rule( $chainref, $_ );
|
||||||
add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
|
add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
|
||||||
conditional_rule_end( $chainref ) if $cond;
|
conditional_rule_end( $chainref ) if $cond;
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( mysplit $oexcl ) {
|
for ( split_host_list $oexcl ) {
|
||||||
my $cond = conditional_rule( $chainref, $_ );
|
my $cond = conditional_rule( $chainref, $_ );
|
||||||
add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
|
add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
|
||||||
conditional_rule_end( $chainref ) if $cond;
|
conditional_rule_end( $chainref ) if $cond;
|
||||||
@ -6223,19 +6223,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Use the current rule and send all possible matches to the exclusion chain
|
# Use the current rule and send all possible matches to the exclusion chain
|
||||||
#
|
#
|
||||||
for my $onet ( mysplit $onets ) {
|
for my $onet ( split_host_list $onets ) {
|
||||||
|
|
||||||
my $cond = conditional_rule( $chainref, $onet );
|
my $cond = conditional_rule( $chainref, $onet );
|
||||||
|
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
|
|
||||||
for my $inet ( mysplit $inets ) {
|
for my $inet ( split_host_list $inets ) {
|
||||||
|
|
||||||
my $cond = conditional_rule( $chainref, $inet );
|
my $cond = conditional_rule( $chainref, $inet );
|
||||||
|
|
||||||
my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
|
my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
|
||||||
|
|
||||||
for my $dnet ( mysplit $dnets ) {
|
for my $dnet ( split_host_list $dnets ) {
|
||||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||||
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
|
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
|
||||||
}
|
}
|
||||||
@ -6248,19 +6248,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Generate RETURNs for each exclusion
|
# Generate RETURNs for each exclusion
|
||||||
#
|
#
|
||||||
for ( mysplit $iexcl ) {
|
for ( split_host_list $iexcl ) {
|
||||||
my $cond = conditional_rule( $echainref, $_ );
|
my $cond = conditional_rule( $echainref, $_ );
|
||||||
add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
|
add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
|
||||||
conditional_rule_end( $echainref ) if $cond;
|
conditional_rule_end( $echainref ) if $cond;
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( mysplit $dexcl ) {
|
for ( split_host_list $dexcl ) {
|
||||||
my $cond = conditional_rule( $echainref, $_ );
|
my $cond = conditional_rule( $echainref, $_ );
|
||||||
add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
|
add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
|
||||||
conditional_rule_end( $echainref ) if $cond;
|
conditional_rule_end( $echainref ) if $cond;
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( mysplit $oexcl ) {
|
for ( split_host_list $oexcl ) {
|
||||||
my $cond = conditional_rule( $echainref, $_ );
|
my $cond = conditional_rule( $echainref, $_ );
|
||||||
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
|
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
|
||||||
conditional_rule_end( $echainref ) if $cond;
|
conditional_rule_end( $echainref ) if $cond;
|
||||||
@ -6385,7 +6385,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
|
( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
|
||||||
|
|
||||||
unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
|
unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
|
||||||
my @iexcl = mysplit $iexcl, 1;
|
my @iexcl = split_host_list $iexcl, 1;
|
||||||
if ( @iexcl == 1 ) {
|
if ( @iexcl == 1 ) {
|
||||||
$rule .= match_source_net "!$iexcl" , $restriction;
|
$rule .= match_source_net "!$iexcl" , $restriction;
|
||||||
$iexcl = '';
|
$iexcl = '';
|
||||||
@ -6400,7 +6400,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
|
( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
|
||||||
|
|
||||||
unless ( $dnets || $dexcl =~ /^\+\[/ ) {
|
unless ( $dnets || $dexcl =~ /^\+\[/ ) {
|
||||||
my @dexcl = mysplit $dexcl, 1;
|
my @dexcl = split_host_list $dexcl, 1;
|
||||||
if ( @dexcl == 1 ) {
|
if ( @dexcl == 1 ) {
|
||||||
$rule .= match_dest_net "!$dexcl", $restriction;
|
$rule .= match_dest_net "!$dexcl", $restriction;
|
||||||
$dexcl = '';
|
$dexcl = '';
|
||||||
@ -6446,19 +6446,19 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
#
|
#
|
||||||
# No non-trivial exclusions or we're using marks to handle them
|
# No non-trivial exclusions or we're using marks to handle them
|
||||||
#
|
#
|
||||||
for my $onet ( mysplit $onets ) {
|
for my $onet ( split_host_list $onets ) {
|
||||||
my $cond1 = conditional_rule( $chainref, $onet );
|
my $cond1 = conditional_rule( $chainref, $onet );
|
||||||
|
|
||||||
$onet = match_orig_dest $onet;
|
$onet = match_orig_dest $onet;
|
||||||
|
|
||||||
for my $inet ( mysplit $inets ) {
|
for my $inet ( split_host_list $inets ) {
|
||||||
my $source_match;
|
my $source_match;
|
||||||
|
|
||||||
my $cond2 = conditional_rule( $chainref, $inet );
|
my $cond2 = conditional_rule( $chainref, $inet );
|
||||||
|
|
||||||
$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
|
$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
|
||||||
|
|
||||||
for my $dnet ( mysplit $dnets ) {
|
for my $dnet ( split_host_list $dnets ) {
|
||||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
|
||||||
my $dest_match = match_dest_net( $dnet, $restriction );
|
my $dest_match = match_dest_net( $dnet, $restriction );
|
||||||
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
||||||
|