Replace curly brace enclosure with a preceding caret to avoid ambiguity.
- {...} is used to enclose a set of column/value pairs and it is certain that the two will become confused.
parent
e086067567
commit
55c88e8e81
@ -5109,7 +5109,7 @@ sub match_source_net( $;$\$ ) {
|
|||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||||
|
|
||||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||||
@ -5175,7 +5175,7 @@ sub imatch_source_net( $;$\$ ) {
|
|||||||
return \@result;
|
return \@result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||||
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
|
||||||
|
|
||||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||||
@ -5238,7 +5238,7 @@ sub match_dest_net( $;$ ) {
|
|||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||||
|
|
||||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||||
@ -5299,7 +5299,7 @@ sub imatch_dest_net( $;$ ) {
|
|||||||
return \@result;
|
return \@result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $net =~ /^(!?){([A-Z,\d]+)}$/ ) {
|
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
|
||||||
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
|
||||||
|
|
||||||
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
require_capability 'GEOIP_MATCH', 'A country-code', '';
|
||||||
@ -6109,7 +6109,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
} elsif ( $source =~ /^(.+?):(.+)$/ ) {
|
} elsif ( $source =~ /^(.+?):(.+)$/ ) {
|
||||||
$iiface = $1;
|
$iiface = $1;
|
||||||
$inets = $2;
|
$inets = $2;
|
||||||
} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?{/ ) {
|
} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
} else {
|
} else {
|
||||||
$iiface = $source;
|
$iiface = $source;
|
||||||
@ -6123,7 +6123,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
} else {
|
} else {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
}
|
}
|
||||||
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?{/ ) {
|
} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ || $source =~ /^!?\^/ ) {
|
||||||
$inets = $source;
|
$inets = $source;
|
||||||
} else {
|
} else {
|
||||||
$iiface = $source;
|
$iiface = $source;
|
||||||
@ -6208,7 +6208,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
||||||
$diface = $1;
|
$diface = $1;
|
||||||
$dnets = $2;
|
$dnets = $2;
|
||||||
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?{/ ) {
|
} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
} else {
|
} else {
|
||||||
$diface = $dest;
|
$diface = $dest;
|
||||||
@ -6222,7 +6222,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
} else {
|
} else {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
}
|
}
|
||||||
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?{/ ) {
|
} elsif ( $dest =~ /(?:\+|&|\..*\.)/ || $dest =~ /^!?\^/ ) {
|
||||||
$dnets = $dest;
|
$dnets = $dest;
|
||||||
} else {
|
} else {
|
||||||
$diface = $dest;
|
$diface = $dest;
|
||||||
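Review bot: In expand_rule, a source or dest still written in the old `{A1,A2}` form no longer matches the country-list test and, having no `+`, `&`, `~` or two dots, falls into the `else` branch, where it is assigned to `$iiface`/`$diface` as an interface name. For an existing geo-blocking rule this means the compiler either reports an unrelated interface error or, depending on validation outside these hunks, builds something other than the intended match. I would reject the old form explicitly before the `if`/`elsif` chain, e.g. `fatal_error "Country-code lists are now written ^CC[,CC]... instead of {CC[,CC]...}" if $source =~ /^!?\{/;`, and do the same for `$dest` in the two dest hunks. Separately, `/^(!?)\^([A-Z,\d]+)$/` in the four match functions accepts strings such as `^,` or `^A`; if the codes are not checked individually further down (not visible here), the pattern should be tightened to comma-separated two-character items. expand_rule and the match functions continue outside the hunks.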
|
@ -563,7 +563,7 @@
|
|||||||
role="bold">-</emphasis>]}<emphasis
|
role="bold">-</emphasis>]}<emphasis
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source hosts to which the rule applies. May be a
|
<para>Source hosts to which the rule applies. May be a
|
||||||
@ -642,8 +642,8 @@
|
|||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||||
country codes enclosed in curly braces ('{...}'). A list of country
|
country codes preceded by a caret ('^'). A list of country codes
|
||||||
codes supported by Shorewall may be found at <ulink
|
supported by Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||||
@ -736,7 +736,7 @@
|
|||||||
role="bold">+</emphasis>][<emphasis
|
role="bold">+</emphasis>][<emphasis
|
||||||
role="bold">-</emphasis>]}<emphasis
|
role="bold">-</emphasis>]}<emphasis
|
||||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||||
role="bold">random</emphasis>]]</term>
|
role="bold">random</emphasis>]]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -757,8 +757,8 @@
|
|||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||||
country codes enclosed in curly braces ('{...}'). A list of country
|
country codes preceded by a caret ('^'). A list of country codes
|
||||||
codes supported by Shorewall may be found at <ulink
|
supported by Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
||||||
@ -1565,7 +1565,7 @@
|
|||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
DROP net:{A1,A2} fw tcp 22</programlisting>
|
DROP net:^A1,A2 fw tcp 22</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -422,7 +422,7 @@
|
|||||||
role="bold">-</emphasis>]}<emphasis
|
role="bold">-</emphasis>]}<emphasis
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>countrycode-list</replaceable>}</term>
|
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source hosts to which the rule applies. May be a zone declared
|
<para>Source hosts to which the rule applies. May be a zone declared
|
||||||
@ -493,8 +493,8 @@
|
|||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||||
country codes enclosed in curly braces ('{...}'). A list of country
|
country codes preceded by a caret ('^'). A list of country codes
|
||||||
codes supported by Shorewall may be found at <ulink
|
supported by Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||||
@ -596,7 +596,7 @@
|
|||||||
role="bold">-</emphasis>]}<emphasis
|
role="bold">-</emphasis>]}<emphasis
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone declared in <ulink
|
<para>Location of Server. May be a zone declared in <ulink
|
||||||
@ -625,8 +625,8 @@
|
|||||||
<para>Beginning with Shorewall 4.5.4, A
|
<para>Beginning with Shorewall 4.5.4, A
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<replaceable>countrycode-list</replaceable> may be specified. A
|
||||||
countrycode-list is a comma-separated list of two-character ISO-3661
|
countrycode-list is a comma-separated list of two-character ISO-3661
|
||||||
country codes enclosed in curly braces ('{...}'). A list of country
|
country codes preceded by a caret ('^'). A list of country codes
|
||||||
codes supported by Shorewall may be found at <ulink
|
supported by Shorewall may be found at <ulink
|
||||||
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
Specifying a <replaceable>countrycode-list</replaceable> requires
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
||||||
@ -1245,7 +1245,7 @@
|
|||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
DROP net:{ZZ} fw tcp 22</programlisting>
|
DROP net:^ZZ fw tcp 22</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -40,7 +40,7 @@
|
|||||||
<para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
|
<para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
|
||||||
SOURCE and/or DEST IP addresses by their corresponding country. That is
|
SOURCE and/or DEST IP addresses by their corresponding country. That is
|
||||||
done by specifying a comma-separated list of ISO-3661 2-character Country
|
done by specifying a comma-separated list of ISO-3661 2-character Country
|
||||||
Codes enclosed in curly braces ('{...}').</para>
|
Codes prefixed by a caret ('^').</para>
|
||||||
|
|
||||||
<para>Example - Drop email from the Anonymous Proxy and Satellite Provider
|
<para>Example - Drop email from the Anonymous Proxy and Satellite Provider
|
||||||
networks.</para>
|
networks.</para>
|
||||||
@ -49,7 +49,7 @@
|
|||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
DROP:info net:{A1,A2} dmz tcp 25
|
DROP:info net:^A1,A2 dmz tcp 25
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are
|
<para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are
|
||||||
|