forked from extern/shorewall_code
Replace curly brace enclosure with a preceding caret to avoid ambiguity.
- {...} is used to enclose a set of column/value pairs and it is certain
that the two will become confused.
This commit is contained in:
Tom Eastep
parent
e086067567
commit
55c88e8e81
@ -5109,7 +5109,7 @@ sub match_source_net( $;$\$ ) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
@ -5175,7 +5175,7 @@ sub imatch_source_net( $;$\$ ) {
|
||||
return \@result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
@ -5238,7 +5238,7 @@ sub match_dest_net( $;$ ) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
@ -5299,7 +5299,7 @@ sub imatch_dest_net( $;$ ) {
|
||||
return \@result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
||||
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||
|
||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||
@ -6109,7 +6109,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} elsif ( $source =~ /^(.+?):(.+)$/ ) {
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?{/ ) {
|
||||
} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@ -6123,7 +6123,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$inets = $source;
|
||||
}
|
||||
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?{/ ) {
|
||||
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?\^/ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@ -6208,7 +6208,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
||||
$diface = $1;
|
||||
$dnets = $2;
|
||||
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?{/ ) {
|
||||
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
@ -6222,7 +6222,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$dnets = $dest;
|
||||
}
|
||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?{/ ) {
|
||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?\^/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
|
||||
@ -563,7 +563,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a
|
||||
@ -642,8 +642,8 @@
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
country codes preceded by a caret ('^'). A list of country codes
|
||||
supported by Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
@ -736,7 +736,7 @@
|
||||
role="bold">+</emphasis>][<emphasis
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||
role="bold">random</emphasis>]]</term>
|
||||
|
||||
<listitem>
|
||||
@ -757,8 +757,8 @@
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
country codes preceded by a caret ('^'). A list of country codes
|
||||
supported by Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||
@ -1565,7 +1565,7 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:{A1,A2} fw tcp 22</programlisting>
|
||||
DROP net:^A1,A2 fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -422,7 +422,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a zone declared
|
||||
@ -493,8 +493,8 @@
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
country codes preceded by a caret ('^'). A list of country codes
|
||||
supported by Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
@ -596,7 +596,7 @@
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Location of Server. May be a zone declared in <ulink
|
||||
@ -625,8 +625,8 @@
|
||||
<para>Beginning with Shorewall 4.5.4, A
|
||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||
country codes enclosed in curly braces ('{...}'). A list of country
|
||||
codes supported by Shorewall may be found at <ulink
|
||||
country codes preceded by a caret ('^'). A list of country codes
|
||||
supported by Shorewall may be found at <ulink
|
||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||
@ -1245,7 +1245,7 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP net:{ZZ} fw tcp 22</programlisting>
|
||||
DROP net:^ZZ fw tcp 22</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -40,7 +40,7 @@
|
||||
<para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
|
||||
SOURCE and/or DEST IP addresses by their corresponding country. That is
|
||||
done by specifying a comma-separated list of ISO-3661 2-character Country
|
||||
Codes enclosed in curly braces ('{...}').</para>
|
||||
Codes prefixed by a caret ('^').</para>
|
||||
|
||||
<para>Example - Drop email from the Anonymous Proxy and Satellite Provider
|
||||
networks.</para>
|
||||
@ -49,7 +49,7 @@
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DROP:info net:{A1,A2} dmz tcp 25
|
||||
DROP:info net:^A1,A2 dmz tcp 25
|
||||
</programlisting>
|
||||
|
||||
<para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are
|
||||
|
||||
Loading…
Reference in New Issue
Block a user