Remove trailing whitespace

Tom Eastep 2009-08-20 14:32:15 -07:00
parent 8c16ac1d46
commit 5dd41249c6
17 changed files with 221 additions and 221 deletions


@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
} elsif ( $cmd ne 'JUMP' ) {
accounting_error;
}
}
}
$target = jump_to_chain $action;
}


@ -91,7 +91,7 @@ our $family;
our $macro_commands = { COMMENT => 0, FORMAT => 2 };
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -228,7 +228,7 @@ sub merge_macro_column( $$ ) {
# Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
#
sub isolate_basic_target( $ ) {
my $target = ( split '[/:]', $_[0])[0];
my $target = ( split '[/:]', $_[0])[0];
$target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
}
@ -701,7 +701,7 @@ sub process_action3( $$$$$ ) {
( $action2 , my $param ) = get_target_param $action2;
my $action2type = $targets{$action2} || 0;
my $action2type = $targets{$action2} || 0;
unless ( $action2type == STANDARD ) {
if ( $action2type & ACTION ) {
@ -871,10 +871,10 @@ sub process_actions3 () {
'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn,
'rejNotSyn' => \&rejNotSyn,
'dropInvalid' => \&dropInvalid,
'dropInvalid' => \&dropInvalid,
'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit, );
for my $wholeaction ( keys %usedactions ) {


@ -50,7 +50,7 @@ our @EXPORT = qw(
$filter_table
);
our %EXPORT_TAGS = (
our %EXPORT_TAGS = (
internal => [ qw( STANDARD
NATRULE
BUILTIN
@ -83,7 +83,7 @@ our %EXPORT_TAGS = (
clear_comment
incr_cmd_level
decr_cmd_level
chain_base
chain_base
forward_chain
zone_forward_chain
use_forward_chain
@ -298,7 +298,7 @@ our %builtin_target = ( ACCEPT => 1,
sub initialize_chain_table();
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -434,7 +434,7 @@ sub push_rule( $$ ) {
add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
} else {
#
# We omit the chain name for now -- this makes it easier to move rules from one
# We omit the chain name for now -- this makes it easier to move rules from one
# chain to another
#
push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
@ -472,7 +472,7 @@ sub handle_sport_list( $$$$$ ) {
last;
} else {
$newports .= $port;
}
}
} else {
$newports .= "${port}${separator}";
}
@ -515,7 +515,7 @@ sub handle_dport_list( $$$$$ ) {
last;
} else {
$newports .= $port;
}
}
} else {
$newports .= "${port}${separator}";
}
@ -612,7 +612,7 @@ sub add_jump( $$$;$$ ) {
}
#
# Purge jumps previously added via add_jump. If the target chain is empty, reset its
# Purge jumps previously added via add_jump. If the target chain is empty, reset its
# referenced flag
#
sub purge_jump ( $$ ) {
@ -622,7 +622,7 @@ sub purge_jump ( $$ ) {
for ( @{$fromref->{rules}} ) {
$_ = undef if / -[gj] ${to}\b/;
}
$toref->{referenced} = 0 unless @{$toref->{rules}};
}
@ -672,7 +672,7 @@ sub add_tunnel_rule( $$ ) {
# forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
# a zone-oriented chain, hence this function.
#
# The source chain must not have any run-time code included in its rules.
# The source chain must not have any run-time code included in its rules.
#
sub move_rules( $$ ) {
my ($chain1, $chain2 ) = @_;
@ -785,12 +785,12 @@ sub use_input_chain($) {
my $nets = $interfaceref->{nets};
#
# We must use the interfaces's chain if:
#
#
# - the interface is associated with multiple zone nets; or
# - the interface has the 'upnpclient' option.
#
# In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
#
#
return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
#
# Don't need it if it isn't associated with any zone
@ -817,7 +817,7 @@ sub use_input_chain($) {
$chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
}
}
#
# Output Chain for an interface
@ -843,7 +843,7 @@ sub use_output_chain($) {
my $nets = $interfaceref->{nets};
#
# We must use the interfaces's chain if the interface is associated with multiple zone nets
#
#
return 1 if $nets > 1;
#
# Don't need it if it isn't associated with any zone
@ -851,7 +851,7 @@ sub use_output_chain($) {
return 0 unless $nets;
#
# Interface associated with a single zone -- use the zone's output chain if it has one
#
#
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
return 0 if $chainref;
@ -902,7 +902,7 @@ sub dnat_chain( $ )
#
# Notrack Chain from a zone
#
sub notrack_chain( $ )
sub notrack_chain( $ )
{
$_[0] . '_notrk';
}
@ -989,7 +989,7 @@ sub ensure_filter_chain( $$ )
}
#
# Create an accounting chain if necessary.
# Create an accounting chain if necessary.
#
sub ensure_accounting_chain( $ )
{
@ -1266,7 +1266,7 @@ sub set_mss( $$$ ) {
}
#
# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
#
sub setup_zone_mss() {
for my $zone ( all_zones ) {
@ -1305,7 +1305,7 @@ sub newnonatchain() {
#
# Add a jump to the passed chain
#
# Return the exclusion chain. The type of the returned value
# Return the exclusion chain. The type of the returned value
# matches what was passed (reference
# or name).
#
@ -1374,7 +1374,7 @@ sub do_proto( $$$;$ )
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto;
if ( defined $protonum ) {
if ( defined $protonum ) {
#
# Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent
#
@ -1533,7 +1533,7 @@ sub verify_mark( $ ) {
sub verify_small_mark( $ ) {
verify_mark ( (my $mark) = $_[0] );
fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF );
fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF );
}
sub validate_mark( $ ) {
@ -1580,7 +1580,7 @@ sub do_ratelimit( $$ ) {
fatal_error "Rate Limiting not available with $action" if $norate{$action};
#
# "-m hashlimit" match for the passed LIMIT/BURST
# "-m hashlimit" match for the passed LIMIT/BURST
#
if ( $rate =~ /^[sd]:{1,2}/ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
@ -1616,7 +1616,7 @@ sub do_connlimit( $ ) {
return '' unless $limit and $limit ne '-';
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
@ -1741,8 +1741,8 @@ sub do_connbytes( $ ) {
my $invert = $1 || ''; $invert = '! ' if $invert;
my $min = $2; $min = 0 unless defined $min;
my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max;
my $dir = $5 || 'B';
my $mode = $6 || 'B';
my $dir = $5 || 'B';
my $mode = $6 || 'B';
$dir =~ s/://;
$mode =~ s/://;
@ -1858,7 +1858,7 @@ sub match_source_net( $;$ ) {
validate_range $addr1, $addr2;
iprange_match . "${invert}--src-range $net ";
} elsif ( $net =~ /^!?~/ ) {
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
mac_match $net;
} elsif ( $net =~ /^(!?)\+/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
@ -1873,7 +1873,7 @@ sub match_source_net( $;$ ) {
}
#
# Match a Destination.
# Match a Destination.
#
sub match_dest_net( $ ) {
my $net = $_[0];
@ -1950,7 +1950,7 @@ sub match_ipsec_out( $$ ) {
unless ( $optionsref->{super} ) {
$match = '-m policy --dir out --pol ';
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
@ -2145,7 +2145,7 @@ sub set_chain_variables() {
} else {
emit 'IP=ip';
}
if ( $config{TC} ) {
emit( qq(TC="$config{TC}") ,
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
@ -2373,21 +2373,21 @@ sub have_global_variables() {
#
sub set_global_variables( $ ) {
my $setall = shift;
emit $_ for values %interfaceaddr;
emit $_ for values %interfacegateways;
emit $_ for values %interfacemacs;
if ( $setall ) {
if ( $setall ) {
emit $_ for values %interfaceaddrs;
emit $_ for values %interfacenets;
unless ( $capabilities{ADDRTYPE} ) {
if ( $family == F_IPV4 ) {
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
emit $_ for values %interfacebcasts;
} else {
emit 'ALL_ACASTS="$(get_all_acasts)"';
@ -2563,7 +2563,7 @@ sub expand_rule( $$$$$$$$$$;$ )
}
$dest = '';
} elsif ( $family == F_IPV4 ) {
} elsif ( $family == F_IPV4 ) {
if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1;
$dnets = $2;
@ -2604,7 +2604,7 @@ sub expand_rule( $$$$$$$$$$;$ )
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
$rule .= '-d $dest ';
} else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
@ -2800,7 +2800,7 @@ sub expand_rule( $$$$$$$$$$;$ )
$source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet );
my $predicates = join( '', $rule, $source_match, $dest_match, $onet );
if ( $loglevel ne '' ) {
if ( $disposition ne 'LOG' ) {
unless ( $logname ) {
@ -2815,7 +2815,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Now add the log rule and target rule without predicates to the log chain.
#
log_rule_limit(
log_rule_limit(
$loglevel ,
$chainref = $logchainref ,
$chain ,
@ -2827,7 +2827,7 @@ sub expand_rule( $$$$$$$$$$;$ )
add_rule( $chainref, $exceptionrule . $target );
} else {
log_rule_limit(
log_rule_limit(
$loglevel ,
$chainref ,
$logname ,
@ -3229,7 +3229,7 @@ sub create_stop_load( $ ) {
#
# Test result
#
emit ('',
emit ('',
'if [ $? != 0 ]; then',
' error_message "ERROR: $command Failed."',
"fi\n"


@ -246,7 +246,7 @@ sub generate_script_2() {
} else {
emit( 'start|restart|refresh|restore)' );
}
push_indent;
set_global_variables(1);
@ -254,10 +254,10 @@ sub generate_script_2() {
handle_optional_interfaces;
emit ';;';
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
pop_indent;
emit 'restore)';
push_indent;
@ -362,7 +362,7 @@ sub generate_script_3($) {
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' ,
emit ( '' ,
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
@ -381,7 +381,7 @@ sub generate_script_3($) {
'' );
mark_firewall_not_started;
emit ('',
'delete_proxyarp',
''
@ -524,14 +524,14 @@ EOF
#
sub compiler {
my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
( '', '', -1, '', 0, '', '', -1 );
$export = 0;
$test = 0;
sub validate_boolean( $ ) {
my $val = numeric_value( shift );
my $val = numeric_value( shift );
defined($val) && ($val >= 0) && ($val < 2);
}
@ -639,7 +639,7 @@ sub compiler {
setup_notrack;
enable_object;
if ( $objectfile ) {
#
# Place Header in the object
@ -656,7 +656,7 @@ sub compiler {
);
push_indent;
}
}
#
# Do all of the zone-independent stuff
#
@ -692,7 +692,7 @@ sub compiler {
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
#
enable_object;
if ( $objectfile ) {
emit( "\n#",
'# Setup routing and traffic shaping',
@ -731,7 +731,7 @@ sub compiler {
#
# Setup Masquerading/SNAT
#
setup_masq;
setup_masq;
#
# Setup Nat
#
@ -796,7 +796,7 @@ sub compiler {
# for stopping the firewall
#
Shorewall::Chains::initialize( $family );
compile_stop_firewall( $test );
compile_stop_firewall( $test );
#
# Copy the footer to the object
#
@ -807,7 +807,7 @@ sub compiler {
copy $globals{SHAREDIRPL} . 'prog.footer6';
}
}
disable_object;
#
# Close, rename and secure the object


@ -54,7 +54,7 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
finalize_object
enable_object
disable_object
@ -123,7 +123,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
MIN_VERBOSITY
MAX_VERBOSITY
) ] );
) ] );
Exporter::export_ok_tags('internal');
@ -202,9 +202,9 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match',
OLD_CONNTRACK_MATCH =>
OLD_CONNTRACK_MATCH =>
'Old conntrack match syntax',
NEW_CONNTRACK_MATCH =>
NEW_CONNTRACK_MATCH =>
'Extended Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match',
@ -285,7 +285,7 @@ use constant { MIN_VERBOSITY => -1,
our %validlevels; # Valid log levels.
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -301,7 +301,7 @@ sub initialize( $ ) {
( $product, $Product, $toolname, $toolNAME ) = qw( shorewall Shorewall iptables IPTABLES );
} else {
( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
}
}
( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
@ -466,7 +466,7 @@ sub initialize( $ ) {
LOGMARK => 'LOGMARK' );
} else {
$globals{SHAREDIR} = '/usr/share/shorewall6';
$globals{CONFDIR} = '/etc/shorewall6';
$globals{CONFDIR} = '/etc/shorewall6';
$globals{PRODUCT} = 'shorewall6';
%config =
@ -874,9 +874,9 @@ sub set_log ( $$ ) {
$log_verbose = $value;
}
if ( $l && $log_verbose >= 0 ) {
if ( $l && $log_verbose >= 0 ) {
unless ( open $log , '>>' , $l ) {
$log = undef;
$log = undef;
fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
}
} else {
@ -926,7 +926,7 @@ sub progress_message {
if ( $log_verbose > 1 ) {
our @localtime;
@localtime = localtime unless $havelocaltime;
@localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "${leading}${line}\n";
@ -945,7 +945,7 @@ sub progress_message_nocompress {
if ( $log_verbose > 1 ) {
our @localtime;
@localtime = localtime unless $havelocaltime;
@localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n";
@ -966,7 +966,7 @@ sub progress_message2 {
if ( $log_verbose > 0 ) {
our @localtime;
@localtime = localtime unless $havelocaltime;
@localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n";
@ -1036,7 +1036,7 @@ sub copy( $ ) {
$lastlineblank = 1;
} else {
if ( $indent ) {
s/^(\s*)/$indent1$1$indent2/;
s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2;
}
@ -1368,7 +1368,7 @@ sub pop_include() {
} else {
$currentfile = undef;
}
}
}
#
# This function is normally called below in read_a_line() when EOF is reached. Clients of the
@ -1425,18 +1425,18 @@ sub shorewall {
}
#
# We don't announce that we are checking/compiling a file until we determine that the file contains
# We don't announce that we are checking/compiling a file until we determine that the file contains
# at least one non-blank, non-commentary line.
#
# The argument to this function may be either a scalar or a function reference. When the first
# non-blank/non-commentary line is reached:
# non-blank/non-commentary line is reached:
#
# - if a function reference was passed to first_entry(), that function is called
# - otherwise, the argument to first_entry() is passed to progress_message2().
#
# We do this processing in read_a_line() rather than in the higher-level routines because
# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
# until we get back to the caller of read_a_line(), we could issue error messages about parsing and
# until we get back to the caller of read_a_line(), we could issue error messages about parsing and
# running scripts in the file before we'd even indicated that we are processing it.
#
sub first_entry( $ ) {
@ -1445,7 +1445,7 @@ sub first_entry( $ ) {
if ( $reftype ) {
fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
}
}
}
sub embedded_shell( $ ) {
my $multiline = shift;
@ -1485,7 +1485,7 @@ sub embedded_shell( $ ) {
sub embedded_perl( $ ) {
my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
if ( $multiline ) {
#
@ -1516,9 +1516,9 @@ sub embedded_perl( $ ) {
}
unless ( defined $return ) {
fatal_error "Perl Script failed: $!" if $!;
fatal_error "Perl Script failed: $!" if $!;
fatal_error "Perl Script failed";
}
}
fatal_error "Perl Script Returned False";
}
@ -2013,7 +2013,7 @@ sub determine_capabilities( $ ) {
$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
$capabilities{IPMARK_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" );
@ -2272,7 +2272,7 @@ sub get_configuration( $ ) {
}
check_trivalue ( 'IP_FORWARDING', 'on' );
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
if ( $family == F_IPV4 ) {
check_trivalue ( 'LOG_MARTIANS', 'on' );
@ -2517,7 +2517,7 @@ sub append_file( $;$ ) {
} else {
#
# Include progress message -- Pretend progress_message call was in the file
#
#
$result = 1;
save_progress_message "Processing $user_exit ...";
copy1 $user_exit;
@ -2544,9 +2544,9 @@ sub run_user_exit( $ ) {
fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
}
fatal_error "$file returned a false value";
}
@ -2662,7 +2662,7 @@ END {
#
unlink $tempfile if $tempfile;
unlink $scriptfilename if $scriptfilename;
unlink $_ for @tempfiles;
unlink $_ for @tempfiles;
}
1;


@ -21,7 +21,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module provides interfaces for dealing with IPv4 addresses, protocol names, and
# port names. It also exports functions for validating protocol- and port- (service)
# port names. It also exports functions for validating protocol- and port- (service)
# related constructs.
#
package Shorewall::IPAddrs;
@ -98,8 +98,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_LINK_ALLRTRS => 'FF01::2' ,
IPv6_SITE_ALLNODES => 'FF02::1' ,
IPv6_SITE_ALLRTRS => 'FF02::2' ,
ICMP => 1,
TCP => 6,
ICMP => 1,
TCP => 6,
UDP => 17,
DCCP => 33,
IPv6_ICMP => 58,
@ -200,7 +200,7 @@ sub validate_4net( $$ ) {
( decodeaddr( $net ) , $vlsm );
} else {
"$net/$vlsm";
}
}
}
}
@ -437,7 +437,7 @@ sub expand_port_range( $$ ) {
# Break the range into groups:
#
# - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
# - Otherwise, find the largest power of two P that divides the first address such that
# - Otherwise, find the largest power of two P that divides the first address such that
# the remaining range has less than or equal to P ports. The next group is
# ( <first> , ~( P-1 ) ).
#
@ -463,8 +463,8 @@ sub expand_port_range( $$ ) {
} else {
( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
}
}
}
}
sub valid_6address( $ ) {
my $address = $_[0];
@ -625,7 +625,7 @@ sub ALLIP() {
sub allip() {
@allip;
}
}
sub valid_address ( $ ) {
$valid_address->(@_);
@ -639,16 +639,16 @@ sub validate_net ( $$ ) {
$validate_net->(@_);
}
sub validate_range ($$ ) {
sub validate_range ($$ ) {
$validate_range->(@_);
}
sub validate_host ($$ ) {
sub validate_host ($$ ) {
$validate_host->(@_);
}
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -676,7 +676,7 @@ sub initialize( $ ) {
$validate_net = \&validate_6net;
$validate_range = \&validate_6range;
$validate_host = \&validate_6host;
}
}
}
1;


@ -130,7 +130,7 @@ sub add_or_modify_policy_chain( $$ ) {
} else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
}
}
}
sub print_policy($$$$) {
my ( $source, $dest, $policy , $chain ) = @_;
@ -159,7 +159,7 @@ sub process_a_policy() {
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
my $serverwild = ( "\L$server" eq 'all' );
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@ -193,7 +193,7 @@ sub process_a_policy() {
if ( defined $queue ) {
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
my $queuenum = numeric_value( $queue );
fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
$policy = "NFQUEUE --queue-num $queuenum";
@ -234,7 +234,7 @@ sub process_a_policy() {
$chainref = new_policy_chain $client, $server, $policy, 0;
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
if ( $synparams ne '' || $connlimit ne '' ) {
@ -267,7 +267,7 @@ sub process_a_policy() {
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain;
}
} else {
print_policy $client, $server, $policy, $chain;
}


@ -62,7 +62,7 @@ our $family;
use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -117,7 +117,7 @@ sub setup_route_marking() {
} else {
add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
}
incr_cmd_level( $chainref );
}
@ -270,7 +270,7 @@ sub add_a_provider( ) {
}
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
my $provider = chain_base $table;
my $base = uc chain_base $interface;
my $gatewaycase = '';
@ -395,7 +395,7 @@ sub add_a_provider( ) {
my $realm = '';
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
if ( $shared ) {
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number";
@ -408,7 +408,7 @@ sub add_a_provider( ) {
} else {
start_provider( $table, $number, "if interface_is_usable $interface; then" );
}
$provider_interfaces{$interface} = $table;
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
@ -537,7 +537,7 @@ sub add_an_rtrule( ) {
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
if ( $dest eq '-' ) {
$dest = 'to ' . ALLIP;
$dest = 'to ' . ALLIP;
} else {
validate_net( $dest, 0 );
$dest = "to $dest";
@ -599,12 +599,12 @@ sub setup_null_routing() {
for ( rfc1918_networks ) {
emit( qq(run_ip route replace unreachable $_) );
emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
}
}
}
sub start_providers() {
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
emit ( '#',
'# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
'#',
@ -616,7 +616,7 @@ sub start_providers() {
'# Save current routing table database so that it can be restored later',
'#',
'cp /etc/iproute2/rt_tables ${VARDIR}/' );
}
emit ( '#',
@ -627,9 +627,9 @@ sub start_providers() {
'# Initialize the file that holds \'undo\' commands',
'#',
'> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE=';
emit 'FALLBACK_ROUTE=';
emit '';
@ -660,7 +660,7 @@ sub finish_providers() {
} else {
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
}
emit( 'fi',
'' );
} else {
@ -724,7 +724,7 @@ sub setup_providers() {
first_entry "$doing $fn...";
emit '';
add_an_rtrule while read_a_line;
}
@ -741,10 +741,10 @@ sub setup_providers() {
emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent;
emit "\nundo_routing";
emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) {
emit ( '#',
'# Initialize the file that holds \'undo\' commands',
@ -838,18 +838,18 @@ sub handle_stickiness( $ ) {
if ( $havesticky ) {
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
for my $providerref ( @routemarked_providers ) {
my $interface = $providerref->{interface};
my $base = uc chain_base $interface;
my $mark = $providerref->{mark};
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
my $stickyref = ensure_mangle_chain 'sticky';
my ( $rule1, $rule2 );
my $list = sprintf "sticky%03d" , $sticky++;
for my $chainref ( $stickyref, $setstickyref ) {
add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
@ -863,7 +863,7 @@ sub handle_stickiness( $ ) {
$rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
}
$rule1 =~ s/-A //;
add_rule $chainref, $rule1;
@ -874,7 +874,7 @@ sub handle_stickiness( $ ) {
}
decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
}
}
@ -895,7 +895,7 @@ sub handle_stickiness( $ ) {
$rule1 = $_;
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
}
$rule1 =~ s/-A //;
add_rule $chainref, $rule1;
@ -913,7 +913,7 @@ sub handle_stickiness( $ ) {
if ( @routemarked_providers ) {
purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}};
purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}};
}
}
1;


@ -42,7 +42,7 @@ our @proxyarp;
our $family;
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't


@ -47,7 +47,7 @@ sub process_notrack_rule( $$$$$$ ) {
$ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all';
( my $zone, $source) = split /:/, $source, 2;
( my $zone, $source) = split /:/, $source, 2;
my $zoneref = find_zone $zone;
my $chainref = ensure_raw_chain( notrack_chain $zone );
my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;


@ -63,7 +63,7 @@ my %rules_commands = ( COMMENT => 0,
SECTION => 2 );
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -525,7 +525,7 @@ sub add_common_rules() {
add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
} else {
add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable';
add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited';
add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited';
}
} else {
add_rule $rejectref , '-j REJECT';
@ -628,7 +628,7 @@ sub add_common_rules() {
my $variable = get_interface_gateway $interface;
if ( interface_is_optional $interface ) {
add_commands( $chainref,
add_commands( $chainref,
qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
qq(fi) );
@ -676,7 +676,7 @@ sub setup_mac_lists( $ ) {
my $chainref = new_chain $table , mac_chain $interface;
if ( $family == F_IPV4 ) {
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if $table eq 'mangle' && get_interface_option( $interface, 'dhcp');
} else {
#
@ -805,7 +805,7 @@ sub setup_mac_lists( $ ) {
} else {
my $variable1 = get_interface_bcasts $bridge;
add_commands( $chainref,
add_commands( $chainref,
" for address1 in $variable1; do" ,
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
" done" );
@ -888,7 +888,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
if ( $msource eq '-' ) {
$msource = $source || '';
} elsif ( $msource =~ s/^DEST:?// ) {
$msource = merge_macro_source_dest $msource, $dest;
$msource = merge_macro_source_dest $msource, $dest;
} else {
$msource =~ s/^SOURCE:?//;
$msource = merge_macro_source_dest $msource, $source;
@ -910,17 +910,17 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
$mdest = '';
}
process_rule1(
$mtarget,
$msource,
$mdest,
merge_macro_column( $mproto, $proto ) ,
process_rule1(
$mtarget,
$msource,
$mdest,
merge_macro_column( $mproto, $proto ) ,
merge_macro_column( $mports, $ports ) ,
merge_macro_column( $msports, $sports ) ,
merge_macro_column( $morigdest, $origdest ) ,
merge_macro_column( $morigdest, $origdest ) ,
merge_macro_column( $mrate, $rate ) ,
merge_macro_column( $muser, $user ) ,
$mark,
$mark,
$connlimit,
$time,
$wildcard
@ -995,7 +995,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
return;
} elsif ( $actiontype & NFQ ) {
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
my $paramval = $param eq '' ? 0 : numeric_value( $param );
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
$action = "NFQUEUE --queue-num $paramval";
@ -1074,7 +1074,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $actiontype & NATONLY ) {
unless ( $destzone eq '-' || $destzone eq '' ) {
$destref = defined_zone( $destzone );
if ( $destref ) {
warning_message "Destination zone ($destzone) ignored";
} else {
@ -1161,14 +1161,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
#
# Isolate server port
# Isolate server port
#
if ( $dest =~ /^(.*)(:(.+))$/ ) {
#
# Server IP and Port
#
$server = $1; # May be empty
$serverport = $3; # Not Empty due to RE
$serverport = $3; # Not Empty due to RE
$origdstports = $ports;
if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
@ -1297,7 +1297,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $nonat_chain;
my $chn;
if ( $sourceref->{type} == FIREWALL ) {
$nonat_chain = $nat_table->{OUTPUT};
} else {
@ -1358,7 +1358,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
#
# It was -- delete that rule
# It was -- delete that rule
#
pop @{$nonat_chain->{rules}};
#
@ -1413,7 +1413,7 @@ sub process_rule ( ) {
process_comment;
return 1;
}
if ( $target eq 'SECTION' ) {
#
# read_a_line has already verified that there are exactly two tokens on the line
@ -1422,7 +1422,7 @@ sub process_rule ( ) {
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
$sectioned = 1;
$sections{$source} = 1;
if ( $source eq 'RELATED' ) {
$sections{ESTABLISHED} = 1;
finish_section 'ESTABLISHED';
@ -1430,7 +1430,7 @@ sub process_rule ( ) {
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
}
$section = $source;
return 1;
}
@ -1459,7 +1459,7 @@ sub process_rule ( ) {
#
# Handle Wildcards
#
if ( $source =~ /^all[-+]/ ) {
if ( $source eq 'all+' ) {
$source = 'all';
@ -1506,7 +1506,7 @@ sub process_rule ( ) {
}
unshift @source, firewall_zone if $includesrcfw;
}
}
if ( $dest eq 'all' ) {
if ( $anydest ) {
@ -1516,7 +1516,7 @@ sub process_rule ( ) {
}
unshift @dest, firewall_zone if $includedstfw;
}
}
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
@ -1806,7 +1806,7 @@ sub generate_matrix() {
clearrule;
next if $hostref->{options}{destonly};
next if $hostref->{options}{destonly};
my $source = match_source_net $net;
@ -1996,11 +1996,11 @@ sub generate_matrix() {
$excl3ref ,
dest_exclusion( $host1ref->{exclusions}, $chain ),
0,
join( '',
$match_source_dev,
match_dest_dev($interface1),
match_source_net($net),
match_dest_net($net1),
join( '',
$match_source_dev,
match_dest_dev($interface1),
match_source_net($net),
match_dest_net($net1),
$ipsec_out_match )
);
}
@ -2084,11 +2084,11 @@ sub setup_mss( ) {
if ( $capabilities{POLICY_MATCH} ) {
$in_match = '-m policy --pol none --dir in ';
$out_match = '-m policy --pol none --dir out ';
}
}
for ( @$interfaces ) {
my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
@ -2222,7 +2222,7 @@ EOF
);
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
if ( $family == F_IPV6 ) {
@ -2274,7 +2274,7 @@ EOF
} else {
for my $interface ( all_bridges ) {
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
}
}
if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
@ -2291,7 +2291,7 @@ EOF
emit '
run_stopped_exit';
my @ipsets = all_ipsets;
my @ipsets = all_ipsets;
if ( @ipsets ) {
emit <<'EOF';
@ -2306,8 +2306,8 @@ EOF
fi
EOF
}
emit '
emit '
set_state "Stopped"
logger -p kern.info "$PRODUCT Stopped"


@ -202,7 +202,7 @@ our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
our $family;
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -340,7 +340,7 @@ sub process_tc_rule( ) {
fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
$mask2 = $m2;
}
if ( defined $s ) {
$val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
@ -349,7 +349,7 @@ sub process_tc_rule( ) {
} else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
}
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
}
@ -385,12 +385,12 @@ sub process_tc_rule( ) {
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} ,
do_proto( $proto, $ports, $sports) .
do_user( $user ) .
do_test( $testval, $mask ) .
do_length( $length ) .
do_tos( $tos ) .
do_connbytes( $connbytes ) .
do_proto( $proto, $ports, $sports) .
do_user( $user ) .
do_test( $testval, $mask ) .
do_length( $length ) .
do_tos( $tos ) .
do_connbytes( $connbytes ) .
do_helper( $helper ),
$source ,
$dest ,
@ -506,7 +506,7 @@ sub validate_tc_device( ) {
if ( @redirected ) {
fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
$classify = 1;
}
}
for my $rdevice ( @redirected ) {
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@ -557,7 +557,7 @@ sub convert_rate( $$$ ) {
sub convert_delay( $ ) {
my $delay = shift;
return 0 unless $delay;
return $1 if $delay =~ /^(\d+)(ms)?$/;
fatal_error "Invalid Delay ($delay)";
@ -615,7 +615,7 @@ sub validate_tc_class( ) {
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
$parentclass = $classnumber;
$classnumber = hex_value $subnumber;
}
}
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ];
@ -667,13 +667,13 @@ sub validate_tc_class( ) {
if ( $devref->{qdisc} eq 'hfsc' ) {
( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
fatal_error "Invalid RATE ($rate)" if defined $rest;
$rate = convert_rate ( $full, $trate, 'RATE' );
$dmax = convert_delay( $dmax );
$umax = convert_size( $umax );
fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
} else {
$rate = convert_rate ( $full, $rate, 'RATE' );
}
@ -734,7 +734,7 @@ sub validate_tc_class( ) {
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber;
fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}};
warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
$tcref->{occurs} = $occurs;
$devref->{occurs} = 1;
@ -746,7 +746,7 @@ sub validate_tc_class( ) {
unless ( $devref->{classify} || $occurs > 1 ) {
fatal_error "Missing MARK" if $mark eq '-';
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/;
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/;
}
$tcref->{flow} = $devref->{flow} unless $tcref->{flow};
@ -780,7 +780,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
#
sub process_tc_filter( ) {
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
my ($device, $class, $rest ) = split /:/, $devclass, 3;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
@ -831,13 +831,13 @@ sub process_tc_filter( ) {
$rule .= "\\\n match ip tos $tosval $mask";
}
if ( $length ne '-' ) {
my $len = numeric_value( $length ) || 0;
my $mask = $validlengths{$len};
fatal_error "Invalid LENGTH ($length)" unless $mask;
$rule .="\\\n match u16 0x0000 $mask at 2";
}
}
my $protonumber = 0;
@ -886,7 +886,7 @@ sub process_tc_filter( ) {
$rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
if ( $portlist eq '-' ) {
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
for my $sportrange ( split_list $sportlist , 'port list' ) {
@ -910,7 +910,7 @@ sub process_tc_filter( ) {
}
}
} else {
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
for my $portrange ( split_list $portlist, 'port list' ) {
@ -931,7 +931,7 @@ sub process_tc_filter( ) {
my ( $port, $mask ) = ( shift @portlist, shift @portlist );
my $rule1;
if ( $protonumber == TCP ) {
$rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" );
} elsif ( $protonumber == UDP ) {
@ -967,9 +967,9 @@ sub process_tc_filter( ) {
" flowid $devref->{number}:$class" );
}
}
}
}
}
}
}
}
}
}
@ -984,7 +984,7 @@ sub process_tc_filter( ) {
emit '';
}
}
sub setup_traffic_shaping() {
our $lastrule = '';
@ -1116,7 +1116,7 @@ sub setup_traffic_shaping() {
}
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
if ( $devref->{qdisc} eq 'htb' ) {
emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
} else {
@ -1129,7 +1129,7 @@ sub setup_traffic_shaping() {
emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
}
}
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
#
# add filters


@ -164,7 +164,7 @@ use constant { SIMPLE_IF_OPTION => 1,
OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16,
};
@ -174,7 +174,7 @@ our %validinterfaceoptions;
our %validhostoptions;
#
# Rather than initializing globals in an INIT block or during declaration,
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
@ -326,7 +326,7 @@ sub set_super( $ );
sub set_super( $ ) {
my $zoneref = shift;
unless ( $zoneref->{options}{super} ) {
$zoneref->{options}{super} = 1;
set_super( $zones{$_} ) for @{$zoneref->{parents}};
@ -358,7 +358,7 @@ sub process_zone( \$ ) {
fatal_error "Invalid zone name ($zone)" unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
if ( $type =~ /ipv([46])?/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
$type = IP;
@ -391,11 +391,11 @@ sub process_zone( \$ ) {
}
}
}
for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-';
}
$zones{$zone} = { type => $type,
parents => \@parents,
bridge => '',
@ -410,9 +410,9 @@ sub process_zone( \$ ) {
children => [] ,
hosts => {}
};
return $zone;
}
#
# Parse the zones file.
@ -476,7 +476,7 @@ sub zone_report()
if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else {
} else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
}
@ -530,7 +530,7 @@ sub dump_zone_contents()
if ( $family == F_IPV4 ) {
@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else {
} else {
@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
}
@ -629,7 +629,7 @@ sub add_group_to_zone($$$$$)
if ( substr( $host, 0, 1 ) eq '+' ) {
fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
} else {
validate_host $host, 0;
}
@ -767,7 +767,7 @@ sub process_interface( $ ) {
unless ( $networks eq '' || $networks eq 'detect' ) {
my @broadcasts = split_list $networks, 'address';
for my $address ( @broadcasts ) {
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
}
@ -788,7 +788,7 @@ sub process_interface( $ ) {
if ( $options ) {
my %hostoptions = ( dynamic => 0 );
for my $option (split_list1 $options, 'option' ) {
next if $option eq '-';
@ -846,13 +846,13 @@ sub process_interface( $ ) {
# Add all IP to the front of a list if the list begins with '!'
#
$value = join ',' , ALLIP , $value if $value =~ /^!/;
if ( $value eq 'dynamic' ) {
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$value = "+${zone}_${interface}";
$hostoptions{dynamic} = 1;
$ipsets{"${zone}_${interface}"} = 1;
}
}
#
# Convert into a Perl array reference
#
@ -885,7 +885,7 @@ sub process_interface( $ ) {
broadcasts => $broadcasts ,
options => \%options };
$nets = [ allip ] unless $nets;
$nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
@ -1150,9 +1150,9 @@ sub process_host( ) {
$hosts = "+${zone}_${interface}";
$optionsref->{dynamic} = 1;
$ipsets{"${zone}_${interface}"} = 1;
}
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
progress_message " Host \"$currentline\" validated";


@ -105,11 +105,11 @@ my $result = GetOptions('h' => \$help,
usage(1) unless $result && @ARGV < 2;
usage(0) if $help;
compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
directory => $shorewall_dir,
verbosity => $verbose,
compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
directory => $shorewall_dir,
verbosity => $verbose,
timestamp => $timestamp,
debug => $debug,
debug => $debug,
export => $export,
chains => $chains,
log => $log,


@ -200,7 +200,7 @@ get_all_bcasts()
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
# Clear the ruleset
#
qt1 $IPTABLES -t mangle -F
qt1 $IPTABLES -t mangle -X
@ -291,7 +291,7 @@ usage() {
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ]; then
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift


@ -168,7 +168,7 @@ restore_dynamic_rules() {
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
# Clear the ruleset
#
qt1 $IP6TABLES -t mangle -F
qt1 $IP6TABLES -t mangle -X
@ -252,7 +252,7 @@ usage() {
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ]; then
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift
@ -319,7 +319,7 @@ kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//'
if [ $kernel -lt 20624 ]; then
error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
status=2
else
else
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2


@ -578,7 +578,7 @@ convert_to_anycast() {
local l
while read address; do
case $address in
case $address in
2*|3*)
vlsm=${address#*/}
vlsm=${vlsm:=128}
@ -626,7 +626,7 @@ convert_to_anycast() {
badress=$address
fi
#
# Note: at this point $address and $badress are the same except possibly for
# Note: at this point $address and $badress are the same except possibly for
# the contents of the last half-word
#
list_count $(split $address)
@ -663,7 +663,7 @@ convert_to_anycast() {
#
# Generate a list of anycast addresses for a given interface
#
#
get_interface_acasts() # $1 = interface
{