holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Require the correct PROTO to use a port range in the ADDRESS column of masq

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-03-18 11:21:53 -07:00
parent 0415883628
commit 56f66bd966
2 changed files with 45 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Shorewall/Perl/Shorewall/IPAddrs.pm
View File

@ -76,6 +76,7 @@ our @EXPORT = qw( ALLIPv4
proto_name proto_name
validate_port validate_port
validate_portpair validate_portpair
validate_portpair1
validate_port_list validate_port_list
validate_icmp validate_icmp
validate_icmp6 validate_icmp6
@ -371,6 +372,7 @@ sub validate_port( $$ ) {
sub validate_portpair( $$ ) { sub validate_portpair( $$ ) {
my ($proto, $portpair) = @_; my ($proto, $portpair) = @_;
my $what;
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
@ -379,16 +381,57 @@ sub validate_portpair( $$ ) {
my @ports = split /:/, $portpair, 2; my @ports = split /:/, $portpair, 2;
$_ = validate_port( $proto, $_) for ( grep $_, @ports ); my $protonum = resolve_proto( $proto ) || 0;
$_ = validate_port( $protonum, $_) for grep $_, @ports;
if ( @ports == 2 ) { if ( @ports == 2 ) {
$what = 'port range';
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
} else {
$what = 'port';
} }
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP ||
$protonum == UDP ||
$protonum == SCTP ||
$protonum == DCCP );
join ':', @ports; join ':', @ports;
} }
sub validate_portpair1( $$ ) {
my ($proto, $portpair) = @_;
my $what;
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
$portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
my @ports = split /-/, $portpair, 2;
my $protonum = resolve_proto( $proto ) || 0;
$_ = validate_port( $protonum, $_) for grep $_, @ports;
if ( @ports == 2 ) {
$what = 'port range';
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
} else {
$what = 'port';
}
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP ||
$protonum == UDP ||
$protonum == SCTP ||
$protonum == DCCP );
join '-', @ports;
}
sub validate_port_list( $$ ) { sub validate_port_list( $$ ) {
my $result = ''; my $result = '';
my ( $proto, $list ) = @_; my ( $proto, $list ) = @_;

4
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -210,9 +210,7 @@ sub process_one_masq( )
} else { } else {
my $ports = $addr; my $ports = $addr;
$ports =~ s/^://; $ports =~ s/^://;
my $portrange = $ports; validate_portpair1( $proto, $ports );
$portrange =~ s/-/:/;
validate_portpair( $proto, $portrange );
$addrlist .= "--to-ports $ports "; $addrlist .= "--to-ports $ports ";
$exceptionrule = do_proto( $proto, '', '' ); $exceptionrule = do_proto( $proto, '', '' );
} }