Remove trailing whitespace

Tom Eastep 2009-08-20 14:32:15 -07:00
parent 8c16ac1d46
commit 5dd41249c6
17 changed files with 221 additions and 221 deletions


@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
} elsif ( $cmd ne 'JUMP' ) { } elsif ( $cmd ne 'JUMP' ) {
accounting_error; accounting_error;
} }
} }
$target = jump_to_chain $action; $target = jump_to_chain $action;
} }


@ -91,7 +91,7 @@ our $family;
our $macro_commands = { COMMENT => 0, FORMAT => 2 }; our $macro_commands = { COMMENT => 0, FORMAT => 2 };
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -228,7 +228,7 @@ sub merge_macro_column( $$ ) {
# Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action. # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
# #
sub isolate_basic_target( $ ) { sub isolate_basic_target( $ ) {
my $target = ( split '[/:]', $_[0])[0]; my $target = ( split '[/:]', $_[0])[0];
$target =~ /^(\w+)[(].*[)]$/ ? $1 : $target; $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
} }
@ -701,7 +701,7 @@ sub process_action3( $$$$$ ) {
( $action2 , my $param ) = get_target_param $action2; ( $action2 , my $param ) = get_target_param $action2;
my $action2type = $targets{$action2} || 0; my $action2type = $targets{$action2} || 0;
unless ( $action2type == STANDARD ) { unless ( $action2type == STANDARD ) {
if ( $action2type & ACTION ) { if ( $action2type & ACTION ) {
@ -871,10 +871,10 @@ sub process_actions3 () {
'allowBcast' => \&allowBcast, 'allowBcast' => \&allowBcast,
'dropNotSyn' => \&dropNotSyn, 'dropNotSyn' => \&dropNotSyn,
'rejNotSyn' => \&rejNotSyn, 'rejNotSyn' => \&rejNotSyn,
'dropInvalid' => \&dropInvalid, 'dropInvalid' => \&dropInvalid,
'allowInvalid' => \&allowInvalid, 'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP, 'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP, 'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit, ); 'Limit' => \&Limit, );
for my $wholeaction ( keys %usedactions ) { for my $wholeaction ( keys %usedactions ) {


@ -50,7 +50,7 @@ our @EXPORT = qw(
$filter_table $filter_table
); );
our %EXPORT_TAGS = ( our %EXPORT_TAGS = (
internal => [ qw( STANDARD internal => [ qw( STANDARD
NATRULE NATRULE
BUILTIN BUILTIN
@ -83,7 +83,7 @@ our %EXPORT_TAGS = (
clear_comment clear_comment
incr_cmd_level incr_cmd_level
decr_cmd_level decr_cmd_level
chain_base chain_base
forward_chain forward_chain
zone_forward_chain zone_forward_chain
use_forward_chain use_forward_chain
@ -298,7 +298,7 @@ our %builtin_target = ( ACCEPT => 1,
sub initialize_chain_table(); sub initialize_chain_table();
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -434,7 +434,7 @@ sub push_rule( $$ ) {
add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3); add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
} else { } else {
# #
# We omit the chain name for now -- this makes it easier to move rules from one # We omit the chain name for now -- this makes it easier to move rules from one
# chain to another # chain to another
# #
push @{$chainref->{rules}}, join( ' ', '-A' , $rule ); push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
@ -472,7 +472,7 @@ sub handle_sport_list( $$$$$ ) {
last; last;
} else { } else {
$newports .= $port; $newports .= $port;
} }
} else { } else {
$newports .= "${port}${separator}"; $newports .= "${port}${separator}";
} }
@ -515,7 +515,7 @@ sub handle_dport_list( $$$$$ ) {
last; last;
} else { } else {
$newports .= $port; $newports .= $port;
} }
} else { } else {
$newports .= "${port}${separator}"; $newports .= "${port}${separator}";
} }
@ -612,7 +612,7 @@ sub add_jump( $$$;$$ ) {
} }
# #
# Purge jumps previously added via add_jump. If the target chain is empty, reset its # Purge jumps previously added via add_jump. If the target chain is empty, reset its
# referenced flag # referenced flag
# #
sub purge_jump ( $$ ) { sub purge_jump ( $$ ) {
@ -622,7 +622,7 @@ sub purge_jump ( $$ ) {
for ( @{$fromref->{rules}} ) { for ( @{$fromref->{rules}} ) {
$_ = undef if / -[gj] ${to}\b/; $_ = undef if / -[gj] ${to}\b/;
} }
$toref->{referenced} = 0 unless @{$toref->{rules}}; $toref->{referenced} = 0 unless @{$toref->{rules}};
} }
@ -672,7 +672,7 @@ sub add_tunnel_rule( $$ ) {
# forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
# a zone-oriented chain, hence this function. # a zone-oriented chain, hence this function.
# #
# The source chain must not have any run-time code included in its rules. # The source chain must not have any run-time code included in its rules.
# #
sub move_rules( $$ ) { sub move_rules( $$ ) {
my ($chain1, $chain2 ) = @_; my ($chain1, $chain2 ) = @_;
@ -785,12 +785,12 @@ sub use_input_chain($) {
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
# #
# We must use the interfaces's chain if: # We must use the interfaces's chain if:
# #
# - the interface is associated with multiple zone nets; or # - the interface is associated with multiple zone nets; or
# - the interface has the 'upnpclient' option. # - the interface has the 'upnpclient' option.
# #
# In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules(). # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
# #
return 1 if $nets > 1 || $interfaceref->{options}{upnpclient}; return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
# #
# Don't need it if it isn't associated with any zone # Don't need it if it isn't associated with any zone
@ -817,7 +817,7 @@ sub use_input_chain($) {
$chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )}; $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
# #
# Output Chain for an interface # Output Chain for an interface
@ -843,7 +843,7 @@ sub use_output_chain($) {
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
# #
# We must use the interfaces's chain if the interface is associated with multiple zone nets # We must use the interfaces's chain if the interface is associated with multiple zone nets
# #
return 1 if $nets > 1; return 1 if $nets > 1;
# #
# Don't need it if it isn't associated with any zone # Don't need it if it isn't associated with any zone
@ -851,7 +851,7 @@ sub use_output_chain($) {
return 0 unless $nets; return 0 unless $nets;
# #
# Interface associated with a single zone -- use the zone's output chain if it has one # Interface associated with a single zone -- use the zone's output chain if it has one
# #
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
return 0 if $chainref; return 0 if $chainref;
@ -902,7 +902,7 @@ sub dnat_chain( $ )
# #
# Notrack Chain from a zone # Notrack Chain from a zone
# #
sub notrack_chain( $ ) sub notrack_chain( $ )
{ {
$_[0] . '_notrk'; $_[0] . '_notrk';
} }
@ -989,7 +989,7 @@ sub ensure_filter_chain( $$ )
} }
# #
# Create an accounting chain if necessary. # Create an accounting chain if necessary.
# #
sub ensure_accounting_chain( $ ) sub ensure_accounting_chain( $ )
{ {
@ -1266,7 +1266,7 @@ sub set_mss( $$$ ) {
} }
# #
# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. # Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
# #
sub setup_zone_mss() { sub setup_zone_mss() {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
@ -1305,7 +1305,7 @@ sub newnonatchain() {
# #
# Add a jump to the passed chain # Add a jump to the passed chain
# #
# Return the exclusion chain. The type of the returned value # Return the exclusion chain. The type of the returned value
# matches what was passed (reference # matches what was passed (reference
# or name). # or name).
# #
@ -1374,7 +1374,7 @@ sub do_proto( $$$;$ )
my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $invert = ( $proto =~ s/^!// ? '! ' : '' );
my $protonum = resolve_proto $proto; my $protonum = resolve_proto $proto;
if ( defined $protonum ) { if ( defined $protonum ) {
# #
# Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent
# #
@ -1533,7 +1533,7 @@ sub verify_mark( $ ) {
sub verify_small_mark( $ ) { sub verify_small_mark( $ ) {
verify_mark ( (my $mark) = $_[0] ); verify_mark ( (my $mark) = $_[0] );
fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF ); fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF );
} }
sub validate_mark( $ ) { sub validate_mark( $ ) {
@ -1580,7 +1580,7 @@ sub do_ratelimit( $$ ) {
fatal_error "Rate Limiting not available with $action" if $norate{$action}; fatal_error "Rate Limiting not available with $action" if $norate{$action};
# #
# "-m hashlimit" match for the passed LIMIT/BURST # "-m hashlimit" match for the passed LIMIT/BURST
# #
if ( $rate =~ /^[sd]:{1,2}/ ) { if ( $rate =~ /^[sd]:{1,2}/ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's'; require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
@ -1616,7 +1616,7 @@ sub do_connlimit( $ ) {
return '' unless $limit and $limit ne '-'; return '' unless $limit and $limit ne '-';
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's'; require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below' my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
@ -1741,8 +1741,8 @@ sub do_connbytes( $ ) {
my $invert = $1 || ''; $invert = '! ' if $invert; my $invert = $1 || ''; $invert = '! ' if $invert;
my $min = $2; $min = 0 unless defined $min; my $min = $2; $min = 0 unless defined $min;
my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max;
my $dir = $5 || 'B'; my $dir = $5 || 'B';
my $mode = $6 || 'B'; my $mode = $6 || 'B';
$dir =~ s/://; $dir =~ s/://;
$mode =~ s/://; $mode =~ s/://;
@ -1858,7 +1858,7 @@ sub match_source_net( $;$ ) {
validate_range $addr1, $addr2; validate_range $addr1, $addr2;
iprange_match . "${invert}--src-range $net "; iprange_match . "${invert}--src-range $net ";
} elsif ( $net =~ /^!?~/ ) { } elsif ( $net =~ /^!?~/ ) {
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
mac_match $net; mac_match $net;
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' ); require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
@ -1873,7 +1873,7 @@ sub match_source_net( $;$ ) {
} }
# #
# Match a Destination. # Match a Destination.
# #
sub match_dest_net( $ ) { sub match_dest_net( $ ) {
my $net = $_[0]; my $net = $_[0];
@ -1950,7 +1950,7 @@ sub match_ipsec_out( $$ ) {
unless ( $optionsref->{super} ) { unless ( $optionsref->{super} ) {
$match = '-m policy --dir out --pol '; $match = '-m policy --dir out --pol ';
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
@ -2145,7 +2145,7 @@ sub set_chain_variables() {
} else { } else {
emit 'IP=ip'; emit 'IP=ip';
} }
if ( $config{TC} ) { if ( $config{TC} ) {
emit( qq(TC="$config{TC}") , emit( qq(TC="$config{TC}") ,
'[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"' '[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
@ -2373,21 +2373,21 @@ sub have_global_variables() {
# #
sub set_global_variables( $ ) { sub set_global_variables( $ ) {
my $setall = shift; my $setall = shift;
emit $_ for values %interfaceaddr; emit $_ for values %interfaceaddr;
emit $_ for values %interfacegateways; emit $_ for values %interfacegateways;
emit $_ for values %interfacemacs; emit $_ for values %interfacemacs;
if ( $setall ) { if ( $setall ) {
emit $_ for values %interfaceaddrs; emit $_ for values %interfaceaddrs;
emit $_ for values %interfacenets; emit $_ for values %interfacenets;
unless ( $capabilities{ADDRTYPE} ) { unless ( $capabilities{ADDRTYPE} ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
emit $_ for values %interfacebcasts; emit $_ for values %interfacebcasts;
} else { } else {
emit 'ALL_ACASTS="$(get_all_acasts)"'; emit 'ALL_ACASTS="$(get_all_acasts)"';
@ -2563,7 +2563,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} }
$dest = ''; $dest = '';
} elsif ( $family == F_IPV4 ) { } elsif ( $family == F_IPV4 ) {
if ( $dest =~ /^(.+?):(.+)$/ ) { if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1; $diface = $1;
$dnets = $2; $dnets = $2;
@ -2604,7 +2604,7 @@ sub expand_rule( $$$$$$$$$$;$ )
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' ); push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
$rule .= '-d $dest '; $rule .= '-d $dest ';
} else { } else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
@ -2800,7 +2800,7 @@ sub expand_rule( $$$$$$$$$$;$ )
$source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet ); my $dest_match = match_dest_net( $dnet );
my $predicates = join( '', $rule, $source_match, $dest_match, $onet ); my $predicates = join( '', $rule, $source_match, $dest_match, $onet );
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
if ( $disposition ne 'LOG' ) { if ( $disposition ne 'LOG' ) {
unless ( $logname ) { unless ( $logname ) {
@ -2815,7 +2815,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Now add the log rule and target rule without predicates to the log chain. # Now add the log rule and target rule without predicates to the log chain.
# #
log_rule_limit( log_rule_limit(
$loglevel , $loglevel ,
$chainref = $logchainref , $chainref = $logchainref ,
$chain , $chain ,
@ -2827,7 +2827,7 @@ sub expand_rule( $$$$$$$$$$;$ )
add_rule( $chainref, $exceptionrule . $target ); add_rule( $chainref, $exceptionrule . $target );
} else { } else {
log_rule_limit( log_rule_limit(
$loglevel , $loglevel ,
$chainref , $chainref ,
$logname , $logname ,
@ -3229,7 +3229,7 @@ sub create_stop_load( $ ) {
# #
# Test result # Test result
# #
emit ('', emit ('',
'if [ $? != 0 ]; then', 'if [ $? != 0 ]; then',
' error_message "ERROR: $command Failed."', ' error_message "ERROR: $command Failed."',
"fi\n" "fi\n"


@ -246,7 +246,7 @@ sub generate_script_2() {
} else { } else {
emit( 'start|restart|refresh|restore)' ); emit( 'start|restart|refresh|restore)' );
} }
push_indent; push_indent;
set_global_variables(1); set_global_variables(1);
@ -254,10 +254,10 @@ sub generate_script_2() {
handle_optional_interfaces; handle_optional_interfaces;
emit ';;'; emit ';;';
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) { if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
pop_indent; pop_indent;
emit 'restore)'; emit 'restore)';
push_indent; push_indent;
@ -362,7 +362,7 @@ sub generate_script_3($) {
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' , emit ( '' ,
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' , ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' ); ' fi' );
@ -381,7 +381,7 @@ sub generate_script_3($) {
'' ); '' );
mark_firewall_not_started; mark_firewall_not_started;
emit ('', emit ('',
'delete_proxyarp', 'delete_proxyarp',
'' ''
@ -524,14 +524,14 @@ EOF
# #
sub compiler { sub compiler {
my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
( '', '', -1, '', 0, '', '', -1 ); ( '', '', -1, '', 0, '', '', -1 );
$export = 0; $export = 0;
$test = 0; $test = 0;
sub validate_boolean( $ ) { sub validate_boolean( $ ) {
my $val = numeric_value( shift ); my $val = numeric_value( shift );
defined($val) && ($val >= 0) && ($val < 2); defined($val) && ($val >= 0) && ($val < 2);
} }
@ -639,7 +639,7 @@ sub compiler {
setup_notrack; setup_notrack;
enable_object; enable_object;
if ( $objectfile ) { if ( $objectfile ) {
# #
# Place Header in the object # Place Header in the object
@ -656,7 +656,7 @@ sub compiler {
); );
push_indent; push_indent;
} }
# #
# Do all of the zone-independent stuff # Do all of the zone-independent stuff
# #
@ -692,7 +692,7 @@ sub compiler {
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
# #
enable_object; enable_object;
if ( $objectfile ) { if ( $objectfile ) {
emit( "\n#", emit( "\n#",
'# Setup routing and traffic shaping', '# Setup routing and traffic shaping',
@ -731,7 +731,7 @@ sub compiler {
# #
# Setup Masquerading/SNAT # Setup Masquerading/SNAT
# #
setup_masq; setup_masq;
# #
# Setup Nat # Setup Nat
# #
@ -796,7 +796,7 @@ sub compiler {
# for stopping the firewall # for stopping the firewall
# #
Shorewall::Chains::initialize( $family ); Shorewall::Chains::initialize( $family );
compile_stop_firewall( $test ); compile_stop_firewall( $test );
# #
# Copy the footer to the object # Copy the footer to the object
# #
@ -807,7 +807,7 @@ sub compiler {
copy $globals{SHAREDIRPL} . 'prog.footer6'; copy $globals{SHAREDIRPL} . 'prog.footer6';
} }
} }
disable_object; disable_object;
# #
# Close, rename and secure the object # Close, rename and secure the object


@ -54,7 +54,7 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
finalize_object finalize_object
enable_object enable_object
disable_object disable_object
@ -123,7 +123,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
MIN_VERBOSITY MIN_VERBOSITY
MAX_VERBOSITY MAX_VERBOSITY
) ] ); ) ] );
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
@ -202,9 +202,9 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
MULTIPORT => 'Multi-port Match' , MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match', XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match', CONNTRACK_MATCH => 'Connection Tracking Match',
OLD_CONNTRACK_MATCH => OLD_CONNTRACK_MATCH =>
'Old conntrack match syntax', 'Old conntrack match syntax',
NEW_CONNTRACK_MATCH => NEW_CONNTRACK_MATCH =>
'Extended Connection Tracking Match', 'Extended Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match', USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match', POLICY_MATCH => 'Policy Match',
@ -285,7 +285,7 @@ use constant { MIN_VERBOSITY => -1,
our %validlevels; # Valid log levels. our %validlevels; # Valid log levels.
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -301,7 +301,7 @@ sub initialize( $ ) {
( $product, $Product, $toolname, $toolNAME ) = qw( shorewall Shorewall iptables IPTABLES ); ( $product, $Product, $toolname, $toolNAME ) = qw( shorewall Shorewall iptables IPTABLES );
} else { } else {
( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES ); ( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
} }
( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion. ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
@ -466,7 +466,7 @@ sub initialize( $ ) {
LOGMARK => 'LOGMARK' ); LOGMARK => 'LOGMARK' );
} else { } else {
$globals{SHAREDIR} = '/usr/share/shorewall6'; $globals{SHAREDIR} = '/usr/share/shorewall6';
$globals{CONFDIR} = '/etc/shorewall6'; $globals{CONFDIR} = '/etc/shorewall6';
$globals{PRODUCT} = 'shorewall6'; $globals{PRODUCT} = 'shorewall6';
%config = %config =
@ -874,9 +874,9 @@ sub set_log ( $$ ) {
$log_verbose = $value; $log_verbose = $value;
} }
if ( $l && $log_verbose >= 0 ) { if ( $l && $log_verbose >= 0 ) {
unless ( open $log , '>>' , $l ) { unless ( open $log , '>>' , $l ) {
$log = undef; $log = undef;
fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!"; fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
} }
} else { } else {
@ -926,7 +926,7 @@ sub progress_message {
if ( $log_verbose > 1 ) { if ( $log_verbose > 1 ) {
our @localtime; our @localtime;
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "${leading}${line}\n"; print $log "${leading}${line}\n";
@ -945,7 +945,7 @@ sub progress_message_nocompress {
if ( $log_verbose > 1 ) { if ( $log_verbose > 1 ) {
our @localtime; our @localtime;
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
@ -966,7 +966,7 @@ sub progress_message2 {
if ( $log_verbose > 0 ) { if ( $log_verbose > 0 ) {
our @localtime; our @localtime;
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
@ -1036,7 +1036,7 @@ sub copy( $ ) {
$lastlineblank = 1; $lastlineblank = 1;
} else { } else {
if ( $indent ) { if ( $indent ) {
s/^(\s*)/$indent1$1$indent2/; s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2; s/ /\t/ if $indent2;
} }
@ -1368,7 +1368,7 @@ sub pop_include() {
} else { } else {
$currentfile = undef; $currentfile = undef;
} }
} }
# #
# This function is normally called below in read_a_line() when EOF is reached. Clients of the # This function is normally called below in read_a_line() when EOF is reached. Clients of the
@ -1425,18 +1425,18 @@ sub shorewall {
} }
# #
# We don't announce that we are checking/compiling a file until we determine that the file contains # We don't announce that we are checking/compiling a file until we determine that the file contains
# at least one non-blank, non-commentary line. # at least one non-blank, non-commentary line.
# #
# The argument to this function may be either a scalar or a function reference. When the first # The argument to this function may be either a scalar or a function reference. When the first
# non-blank/non-commentary line is reached: # non-blank/non-commentary line is reached:
# #
# - if a function reference was passed to first_entry(), that function is called # - if a function reference was passed to first_entry(), that function is called
# - otherwise, the argument to first_entry() is passed to progress_message2(). # - otherwise, the argument to first_entry() is passed to progress_message2().
# #
# We do this processing in read_a_line() rather than in the higher-level routines because # We do this processing in read_a_line() rather than in the higher-level routines because
# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
# until we get back to the caller of read_a_line(), we could issue error messages about parsing and # until we get back to the caller of read_a_line(), we could issue error messages about parsing and
# running scripts in the file before we'd even indicated that we are processing it. # running scripts in the file before we'd even indicated that we are processing it.
# #
sub first_entry( $ ) { sub first_entry( $ ) {
@ -1445,7 +1445,7 @@ sub first_entry( $ ) {
if ( $reftype ) { if ( $reftype ) {
fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE'; fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
} }
} }
sub embedded_shell( $ ) { sub embedded_shell( $ ) {
my $multiline = shift; my $multiline = shift;
@ -1485,7 +1485,7 @@ sub embedded_shell( $ ) {
sub embedded_perl( $ ) { sub embedded_perl( $ ) {
my $multiline = shift; my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
if ( $multiline ) { if ( $multiline ) {
# #
@ -1516,9 +1516,9 @@ sub embedded_perl( $ ) {
} }
unless ( defined $return ) { unless ( defined $return ) {
fatal_error "Perl Script failed: $!" if $!; fatal_error "Perl Script failed: $!" if $!;
fatal_error "Perl Script failed"; fatal_error "Perl Script failed";
} }
fatal_error "Perl Script Returned False"; fatal_error "Perl Script Returned False";
} }
@ -2013,7 +2013,7 @@ sub determine_capabilities( $ ) {
$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
$capabilities{IPMARK_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" ); $capabilities{IPMARK_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
qt1( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" );
@ -2272,7 +2272,7 @@ sub get_configuration( $ ) {
} }
check_trivalue ( 'IP_FORWARDING', 'on' ); check_trivalue ( 'IP_FORWARDING', 'on' );
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
check_trivalue ( 'LOG_MARTIANS', 'on' ); check_trivalue ( 'LOG_MARTIANS', 'on' );
@ -2517,7 +2517,7 @@ sub append_file( $;$ ) {
} else { } else {
# #
# Include progress message -- Pretend progress_message call was in the file # Include progress message -- Pretend progress_message call was in the file
# #
$result = 1; $result = 1;
save_progress_message "Processing $user_exit ..."; save_progress_message "Processing $user_exit ...";
copy1 $user_exit; copy1 $user_exit;
@ -2544,9 +2544,9 @@ sub run_user_exit( $ ) {
fatal_error "Couldn't parse $file: $@" if $@; fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) { unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!; fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file"; fatal_error "Couldn't do $file";
} }
fatal_error "$file returned a false value"; fatal_error "$file returned a false value";
} }
@ -2662,7 +2662,7 @@ END {
# #
unlink $tempfile if $tempfile; unlink $tempfile if $tempfile;
unlink $scriptfilename if $scriptfilename; unlink $scriptfilename if $scriptfilename;
unlink $_ for @tempfiles; unlink $_ for @tempfiles;
} }
1; 1;


@ -21,7 +21,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# This module provides interfaces for dealing with IPv4 addresses, protocol names, and # This module provides interfaces for dealing with IPv4 addresses, protocol names, and
# port names. It also exports functions for validating protocol- and port- (service) # port names. It also exports functions for validating protocol- and port- (service)
# related constructs. # related constructs.
# #
package Shorewall::IPAddrs; package Shorewall::IPAddrs;
@ -98,8 +98,8 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_LINK_ALLRTRS => 'FF01::2' , IPv6_LINK_ALLRTRS => 'FF01::2' ,
IPv6_SITE_ALLNODES => 'FF02::1' , IPv6_SITE_ALLNODES => 'FF02::1' ,
IPv6_SITE_ALLRTRS => 'FF02::2' , IPv6_SITE_ALLRTRS => 'FF02::2' ,
ICMP => 1, ICMP => 1,
TCP => 6, TCP => 6,
UDP => 17, UDP => 17,
DCCP => 33, DCCP => 33,
IPv6_ICMP => 58, IPv6_ICMP => 58,
@ -200,7 +200,7 @@ sub validate_4net( $$ ) {
( decodeaddr( $net ) , $vlsm ); ( decodeaddr( $net ) , $vlsm );
} else { } else {
"$net/$vlsm"; "$net/$vlsm";
} }
} }
} }
@ -437,7 +437,7 @@ sub expand_port_range( $$ ) {
# Break the range into groups: # Break the range into groups:
# #
# - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ). # - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
# - Otherwise, find the largest power of two P that divides the first address such that # - Otherwise, find the largest power of two P that divides the first address such that
# the remaining range has less than or equal to P ports. The next group is # the remaining range has less than or equal to P ports. The next group is
# ( <first> , ~( P-1 ) ). # ( <first> , ~( P-1 ) ).
# #
@ -463,8 +463,8 @@ sub expand_port_range( $$ ) {
} else { } else {
( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' ); ( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
} }
} }
sub valid_6address( $ ) { sub valid_6address( $ ) {
my $address = $_[0]; my $address = $_[0];
@ -625,7 +625,7 @@ sub ALLIP() {
sub allip() { sub allip() {
@allip; @allip;
} }
sub valid_address ( $ ) { sub valid_address ( $ ) {
$valid_address->(@_); $valid_address->(@_);
@ -639,16 +639,16 @@ sub validate_net ( $$ ) {
$validate_net->(@_); $validate_net->(@_);
} }
sub validate_range ($$ ) { sub validate_range ($$ ) {
$validate_range->(@_); $validate_range->(@_);
} }
sub validate_host ($$ ) { sub validate_host ($$ ) {
$validate_host->(@_); $validate_host->(@_);
} }
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -676,7 +676,7 @@ sub initialize( $ ) {
$validate_net = \&validate_6net; $validate_net = \&validate_6net;
$validate_range = \&validate_6range; $validate_range = \&validate_6range;
$validate_host = \&validate_6host; $validate_host = \&validate_6host;
} }
} }
1; 1;


@ -130,7 +130,7 @@ sub add_or_modify_policy_chain( $$ ) {
} else { } else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
} }
} }
sub print_policy($$$$) { sub print_policy($$$$) {
my ( $source, $dest, $policy , $chain ) = @_; my ( $source, $dest, $policy , $chain ) = @_;
@ -159,7 +159,7 @@ sub process_a_policy() {
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client ); fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
my $serverwild = ( "\L$server" eq 'all' ); my $serverwild = ( "\L$server" eq 'all' );
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server ); fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 ); my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@ -193,7 +193,7 @@ sub process_a_policy() {
if ( defined $queue ) { if ( defined $queue ) {
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE'; fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
my $queuenum = numeric_value( $queue ); my $queuenum = numeric_value( $queue );
fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535; fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
$policy = "NFQUEUE --queue-num $queuenum"; $policy = "NFQUEUE --queue-num $queuenum";
@ -234,7 +234,7 @@ sub process_a_policy() {
$chainref = new_policy_chain $client, $server, $policy, 0; $chainref = new_policy_chain $client, $server, $policy, 0;
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} }
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne ''; $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
if ( $synparams ne '' || $connlimit ne '' ) { if ( $synparams ne '' || $connlimit ne '' ) {
@ -267,7 +267,7 @@ sub process_a_policy() {
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain; print_policy $client, $zone, $policy, $chain;
} }
} else { } else {
print_policy $client, $server, $policy, $chain; print_policy $client, $server, $policy, $chain;
} }


@ -62,7 +62,7 @@ our $family;
use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 }; use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -117,7 +117,7 @@ sub setup_route_marking() {
} else { } else {
add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
} }
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
} }
@ -270,7 +270,7 @@ sub add_a_provider( ) {
} }
fatal_error "Unknown Interface ($interface)" unless known_interface $interface; fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
my $provider = chain_base $table; my $provider = chain_base $table;
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
my $gatewaycase = ''; my $gatewaycase = '';
@ -395,7 +395,7 @@ sub add_a_provider( ) {
my $realm = ''; my $realm = '';
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
if ( $shared ) { if ( $shared ) {
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number"; $realm = "realm $number";
@ -408,7 +408,7 @@ sub add_a_provider( ) {
} else { } else {
start_provider( $table, $number, "if interface_is_usable $interface; then" ); start_provider( $table, $number, "if interface_is_usable $interface; then" );
} }
$provider_interfaces{$interface} = $table; $provider_interfaces{$interface} = $table;
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none'; emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
@ -537,7 +537,7 @@ sub add_an_rtrule( ) {
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
$dest = 'to ' . ALLIP; $dest = 'to ' . ALLIP;
} else { } else {
validate_net( $dest, 0 ); validate_net( $dest, 0 );
$dest = "to $dest"; $dest = "to $dest";
@ -599,12 +599,12 @@ sub setup_null_routing() {
for ( rfc1918_networks ) { for ( rfc1918_networks ) {
emit( qq(run_ip route replace unreachable $_) ); emit( qq(run_ip route replace unreachable $_) );
emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) ); emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
} }
} }
sub start_providers() { sub start_providers() {
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
emit ( '#', emit ( '#',
'# Undo any changes made since the last time that we [re]started -- this will not restore the default route', '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
'#', '#',
@ -616,7 +616,7 @@ sub start_providers() {
'# Save current routing table database so that it can be restored later', '# Save current routing table database so that it can be restored later',
'#', '#',
'cp /etc/iproute2/rt_tables ${VARDIR}/' ); 'cp /etc/iproute2/rt_tables ${VARDIR}/' );
} }
emit ( '#', emit ( '#',
@ -627,9 +627,9 @@ sub start_providers() {
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
'> ${VARDIR}/undo_routing' ); '> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...'; save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE='; emit 'DEFAULT_ROUTE=';
emit 'FALLBACK_ROUTE='; emit 'FALLBACK_ROUTE=';
emit ''; emit '';
@ -660,7 +660,7 @@ sub finish_providers() {
} else { } else {
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
} }
emit( 'fi', emit( 'fi',
'' ); '' );
} else { } else {
@ -724,7 +724,7 @@ sub setup_providers() {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
emit ''; emit '';
add_an_rtrule while read_a_line; add_an_rtrule while read_a_line;
} }
@ -741,10 +741,10 @@ sub setup_providers() {
emit "\nif [ -z \"\$NOROUTES\" ]; then"; emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent; push_indent;
emit "\nundo_routing"; emit "\nundo_routing";
emit 'restore_default_route'; emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) { if ( $config{NULL_ROUTE_RFC1918} ) {
emit ( '#', emit ( '#',
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
@ -838,18 +838,18 @@ sub handle_stickiness( $ ) {
if ( $havesticky ) { if ( $havesticky ) {
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers; fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
for my $providerref ( @routemarked_providers ) { for my $providerref ( @routemarked_providers ) {
my $interface = $providerref->{interface}; my $interface = $providerref->{interface};
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
my $mark = $providerref->{mark}; my $mark = $providerref->{mark};
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) { for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
my $stickyref = ensure_mangle_chain 'sticky'; my $stickyref = ensure_mangle_chain 'sticky';
my ( $rule1, $rule2 ); my ( $rule1, $rule2 );
my $list = sprintf "sticky%03d" , $sticky++; my $list = sprintf "sticky%03d" , $sticky++;
for my $chainref ( $stickyref, $setstickyref ) { for my $chainref ( $stickyref, $setstickyref ) {
add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
@ -863,7 +863,7 @@ sub handle_stickiness( $ ) {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
@ -874,7 +874,7 @@ sub handle_stickiness( $ ) {
} }
decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional}; decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
} }
} }
@ -895,7 +895,7 @@ sub handle_stickiness( $ ) {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
@ -913,7 +913,7 @@ sub handle_stickiness( $ ) {
if ( @routemarked_providers ) { if ( @routemarked_providers ) {
purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}}; purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}}; purge_jump $mangle_table->{OUTPUT}, $setstickoref unless @{$setstickoref->{rules}};
} }
} }
1; 1;


@ -42,7 +42,7 @@ our @proxyarp;
our $family; our $family;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't


@ -47,7 +47,7 @@ sub process_notrack_rule( $$$$$$ ) {
$ports = '' if $ports eq 'any' || $ports eq 'all'; $ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all';
( my $zone, $source) = split /:/, $source, 2; ( my $zone, $source) = split /:/, $source, 2;
my $zoneref = find_zone $zone; my $zoneref = find_zone $zone;
my $chainref = ensure_raw_chain( notrack_chain $zone ); my $chainref = ensure_raw_chain( notrack_chain $zone );
my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT; my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;


@ -63,7 +63,7 @@ my %rules_commands = ( COMMENT => 0,
SECTION => 2 ); SECTION => 2 );
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -525,7 +525,7 @@ sub add_common_rules() {
add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
} else { } else {
add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable'; add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable';
add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited'; add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited';
} }
} else { } else {
add_rule $rejectref , '-j REJECT'; add_rule $rejectref , '-j REJECT';
@ -628,7 +628,7 @@ sub add_common_rules() {
my $variable = get_interface_gateway $interface; my $variable = get_interface_gateway $interface;
if ( interface_is_optional $interface ) { if ( interface_is_optional $interface ) {
add_commands( $chainref, add_commands( $chainref,
qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) , qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) , qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
qq(fi) ); qq(fi) );
@ -676,7 +676,7 @@ sub setup_mac_lists( $ ) {
my $chainref = new_chain $table , mac_chain $interface; my $chainref = new_chain $table , mac_chain $interface;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if $table eq 'mangle' && get_interface_option( $interface, 'dhcp'); if $table eq 'mangle' && get_interface_option( $interface, 'dhcp');
} else { } else {
# #
@ -805,7 +805,7 @@ sub setup_mac_lists( $ ) {
} else { } else {
my $variable1 = get_interface_bcasts $bridge; my $variable1 = get_interface_bcasts $bridge;
add_commands( $chainref, add_commands( $chainref,
" for address1 in $variable1; do" , " for address1 in $variable1; do" ,
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
" done" ); " done" );
@ -888,7 +888,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
if ( $msource eq '-' ) { if ( $msource eq '-' ) {
$msource = $source || ''; $msource = $source || '';
} elsif ( $msource =~ s/^DEST:?// ) { } elsif ( $msource =~ s/^DEST:?// ) {
$msource = merge_macro_source_dest $msource, $dest; $msource = merge_macro_source_dest $msource, $dest;
} else { } else {
$msource =~ s/^SOURCE:?//; $msource =~ s/^SOURCE:?//;
$msource = merge_macro_source_dest $msource, $source; $msource = merge_macro_source_dest $msource, $source;
@ -910,17 +910,17 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
$mdest = ''; $mdest = '';
} }
process_rule1( process_rule1(
$mtarget, $mtarget,
$msource, $msource,
$mdest, $mdest,
merge_macro_column( $mproto, $proto ) , merge_macro_column( $mproto, $proto ) ,
merge_macro_column( $mports, $ports ) , merge_macro_column( $mports, $ports ) ,
merge_macro_column( $msports, $sports ) , merge_macro_column( $msports, $sports ) ,
merge_macro_column( $morigdest, $origdest ) , merge_macro_column( $morigdest, $origdest ) ,
merge_macro_column( $mrate, $rate ) , merge_macro_column( $mrate, $rate ) ,
merge_macro_column( $muser, $user ) , merge_macro_column( $muser, $user ) ,
$mark, $mark,
$connlimit, $connlimit,
$time, $time,
$wildcard $wildcard
@ -995,7 +995,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
return; return;
} elsif ( $actiontype & NFQ ) { } elsif ( $actiontype & NFQ ) {
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
my $paramval = $param eq '' ? 0 : numeric_value( $param ); my $paramval = $param eq '' ? 0 : numeric_value( $param );
fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535; fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
$action = "NFQUEUE --queue-num $paramval"; $action = "NFQUEUE --queue-num $paramval";
@ -1074,7 +1074,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $actiontype & NATONLY ) { if ( $actiontype & NATONLY ) {
unless ( $destzone eq '-' || $destzone eq '' ) { unless ( $destzone eq '-' || $destzone eq '' ) {
$destref = defined_zone( $destzone ); $destref = defined_zone( $destzone );
if ( $destref ) { if ( $destref ) {
warning_message "Destination zone ($destzone) ignored"; warning_message "Destination zone ($destzone) ignored";
} else { } else {
@ -1161,14 +1161,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
require_capability( 'NAT_ENABLED' , "$basictarget rules", '' ); require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
# #
# Isolate server port # Isolate server port
# #
if ( $dest =~ /^(.*)(:(.+))$/ ) { if ( $dest =~ /^(.*)(:(.+))$/ ) {
# #
# Server IP and Port # Server IP and Port
# #
$server = $1; # May be empty $server = $1; # May be empty
$serverport = $3; # Not Empty due to RE $serverport = $3; # Not Empty due to RE
$origdstports = $ports; $origdstports = $ports;
if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) { if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
@ -1297,7 +1297,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $nonat_chain; my $nonat_chain;
my $chn; my $chn;
if ( $sourceref->{type} == FIREWALL ) { if ( $sourceref->{type} == FIREWALL ) {
$nonat_chain = $nat_table->{OUTPUT}; $nonat_chain = $nat_table->{OUTPUT};
} else { } else {
@ -1358,7 +1358,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) { if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
# #
# It was -- delete that rule # It was -- delete that rule
# #
pop @{$nonat_chain->{rules}}; pop @{$nonat_chain->{rules}};
# #
@ -1413,7 +1413,7 @@ sub process_rule ( ) {
process_comment; process_comment;
return 1; return 1;
} }
if ( $target eq 'SECTION' ) { if ( $target eq 'SECTION' ) {
# #
# read_a_line has already verified that there are exactly two tokens on the line # read_a_line has already verified that there are exactly two tokens on the line
@ -1422,7 +1422,7 @@ sub process_rule ( ) {
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source}; fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
$sectioned = 1; $sectioned = 1;
$sections{$source} = 1; $sections{$source} = 1;
if ( $source eq 'RELATED' ) { if ( $source eq 'RELATED' ) {
$sections{ESTABLISHED} = 1; $sections{ESTABLISHED} = 1;
finish_section 'ESTABLISHED'; finish_section 'ESTABLISHED';
@ -1430,7 +1430,7 @@ sub process_rule ( ) {
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
} }
$section = $source; $section = $source;
return 1; return 1;
} }
@ -1459,7 +1459,7 @@ sub process_rule ( ) {
# #
# Handle Wildcards # Handle Wildcards
# #
if ( $source =~ /^all[-+]/ ) { if ( $source =~ /^all[-+]/ ) {
if ( $source eq 'all+' ) { if ( $source eq 'all+' ) {
$source = 'all'; $source = 'all';
@ -1506,7 +1506,7 @@ sub process_rule ( ) {
} }
unshift @source, firewall_zone if $includesrcfw; unshift @source, firewall_zone if $includesrcfw;
} }
if ( $dest eq 'all' ) { if ( $dest eq 'all' ) {
if ( $anydest ) { if ( $anydest ) {
@ -1516,7 +1516,7 @@ sub process_rule ( ) {
} }
unshift @dest, firewall_zone if $includedstfw; unshift @dest, firewall_zone if $includedstfw;
} }
fatal_error "Invalid or missing ACTION ($target)" unless defined $action; fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
@ -1806,7 +1806,7 @@ sub generate_matrix() {
clearrule; clearrule;
next if $hostref->{options}{destonly}; next if $hostref->{options}{destonly};
my $source = match_source_net $net; my $source = match_source_net $net;
@ -1996,11 +1996,11 @@ sub generate_matrix() {
$excl3ref , $excl3ref ,
dest_exclusion( $host1ref->{exclusions}, $chain ), dest_exclusion( $host1ref->{exclusions}, $chain ),
0, 0,
join( '', join( '',
$match_source_dev, $match_source_dev,
match_dest_dev($interface1), match_dest_dev($interface1),
match_source_net($net), match_source_net($net),
match_dest_net($net1), match_dest_net($net1),
$ipsec_out_match ) $ipsec_out_match )
); );
} }
@ -2084,11 +2084,11 @@ sub setup_mss( ) {
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
$in_match = '-m policy --pol none --dir in '; $in_match = '-m policy --pol none --dir in ';
$out_match = '-m policy --pol none --dir out '; $out_match = '-m policy --pol none --dir out ';
} }
for ( @$interfaces ) { for ( @$interfaces ) {
my $mss = get_interface_option( $_, 'mss' ); my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
add_rule $chainref, "-o $_ -j RETURN" if $clampmss; add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
@ -2222,7 +2222,7 @@ EOF
); );
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/; my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains; add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
if ( $family == F_IPV6 ) { if ( $family == F_IPV6 ) {
@ -2274,7 +2274,7 @@ EOF
} else { } else {
for my $interface ( all_bridges ) { for my $interface ( all_bridges ) {
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT"; emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
} }
if ( $config{IP_FORWARDING} eq 'on' ) { if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding', emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
@ -2291,7 +2291,7 @@ EOF
emit ' emit '
run_stopped_exit'; run_stopped_exit';
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets ) {
emit <<'EOF'; emit <<'EOF';
@ -2306,8 +2306,8 @@ EOF
fi fi
EOF EOF
} }
emit ' emit '
set_state "Stopped" set_state "Stopped"
logger -p kern.info "$PRODUCT Stopped" logger -p kern.info "$PRODUCT Stopped"


@ -202,7 +202,7 @@ our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
our $family; our $family;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -340,7 +340,7 @@ sub process_tc_rule( ) {
fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff; fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
$mask2 = $m2; $mask2 = $m2;
} }
if ( defined $s ) { if ( defined $s ) {
$val = numeric_value ($s); $val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128; fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
@ -349,7 +349,7 @@ sub process_tc_rule( ) {
} else { } else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK'; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
} }
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift"; $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
} }
@ -385,12 +385,12 @@ sub process_tc_rule( ) {
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} , $restrictions{$chain} ,
do_proto( $proto, $ports, $sports) . do_proto( $proto, $ports, $sports) .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $mask ) . do_test( $testval, $mask ) .
do_length( $length ) . do_length( $length ) .
do_tos( $tos ) . do_tos( $tos ) .
do_connbytes( $connbytes ) . do_connbytes( $connbytes ) .
do_helper( $helper ), do_helper( $helper ),
$source , $source ,
$dest , $dest ,
@ -506,7 +506,7 @@ sub validate_tc_device( ) {
if ( @redirected ) { if ( @redirected ) {
fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband; fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
$classify = 1; $classify = 1;
} }
for my $rdevice ( @redirected ) { for my $rdevice ( @redirected ) {
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/; fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@ -557,7 +557,7 @@ sub convert_rate( $$$ ) {
sub convert_delay( $ ) { sub convert_delay( $ ) {
my $delay = shift; my $delay = shift;
return 0 unless $delay; return 0 unless $delay;
return $1 if $delay =~ /^(\d+)(ms)?$/; return $1 if $delay =~ /^(\d+)(ms)?$/;
fatal_error "Invalid Delay ($delay)"; fatal_error "Invalid Delay ($delay)";
@ -615,7 +615,7 @@ sub validate_tc_class( ) {
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber; fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
$parentclass = $classnumber; $parentclass = $classnumber;
$classnumber = hex_value $subnumber; $classnumber = hex_value $subnumber;
} }
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber; fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ]; fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ];
@ -667,13 +667,13 @@ sub validate_tc_class( ) {
if ( $devref->{qdisc} eq 'hfsc' ) { if ( $devref->{qdisc} eq 'hfsc' ) {
( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4; ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
fatal_error "Invalid RATE ($rate)" if defined $rest; fatal_error "Invalid RATE ($rate)" if defined $rest;
$rate = convert_rate ( $full, $trate, 'RATE' ); $rate = convert_rate ( $full, $trate, 'RATE' );
$dmax = convert_delay( $dmax ); $dmax = convert_delay( $dmax );
$umax = convert_size( $umax ); $umax = convert_size( $umax );
fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
} else { } else {
$rate = convert_rate ( $full, $rate, 'RATE' ); $rate = convert_rate ( $full, $rate, 'RATE' );
} }
@ -734,7 +734,7 @@ sub validate_tc_class( ) {
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1; fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber; fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber;
fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}}; fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}};
warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-'; warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
$tcref->{occurs} = $occurs; $tcref->{occurs} = $occurs;
$devref->{occurs} = 1; $devref->{occurs} = 1;
@ -746,7 +746,7 @@ sub validate_tc_class( ) {
unless ( $devref->{classify} || $occurs > 1 ) { unless ( $devref->{classify} || $occurs > 1 ) {
fatal_error "Missing MARK" if $mark eq '-'; fatal_error "Missing MARK" if $mark eq '-';
warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/; warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option" if $devclass =~ /:/;
} }
$tcref->{flow} = $devref->{flow} unless $tcref->{flow}; $tcref->{flow} = $devref->{flow} unless $tcref->{flow};
@ -780,7 +780,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
# #
sub process_tc_filter( ) { sub process_tc_filter( ) {
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file'; my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
my ($device, $class, $rest ) = split /:/, $devclass, 3; my ($device, $class, $rest ) = split /:/, $devclass, 3;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class ); fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
@ -831,13 +831,13 @@ sub process_tc_filter( ) {
$rule .= "\\\n match ip tos $tosval $mask"; $rule .= "\\\n match ip tos $tosval $mask";
} }
if ( $length ne '-' ) { if ( $length ne '-' ) {
my $len = numeric_value( $length ) || 0; my $len = numeric_value( $length ) || 0;
my $mask = $validlengths{$len}; my $mask = $validlengths{$len};
fatal_error "Invalid LENGTH ($length)" unless $mask; fatal_error "Invalid LENGTH ($length)" unless $mask;
$rule .="\\\n match u16 0x0000 $mask at 2"; $rule .="\\\n match u16 0x0000 $mask at 2";
} }
my $protonumber = 0; my $protonumber = 0;
@ -886,7 +886,7 @@ sub process_tc_filter( ) {
$rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0"; $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
if ( $portlist eq '-' ) { if ( $portlist eq '-' ) {
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP; unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
for my $sportrange ( split_list $sportlist , 'port list' ) { for my $sportrange ( split_list $sportlist , 'port list' ) {
@ -910,7 +910,7 @@ sub process_tc_filter( ) {
} }
} }
} else { } else {
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP; unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
for my $portrange ( split_list $portlist, 'port list' ) { for my $portrange ( split_list $portlist, 'port list' ) {
@ -931,7 +931,7 @@ sub process_tc_filter( ) {
my ( $port, $mask ) = ( shift @portlist, shift @portlist ); my ( $port, $mask ) = ( shift @portlist, shift @portlist );
my $rule1; my $rule1;
if ( $protonumber == TCP ) { if ( $protonumber == TCP ) {
$rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" ); $rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" );
} elsif ( $protonumber == UDP ) { } elsif ( $protonumber == UDP ) {
@ -967,9 +967,9 @@ sub process_tc_filter( ) {
" flowid $devref->{number}:$class" ); " flowid $devref->{number}:$class" );
} }
} }
} }
} }
} }
} }
} }
} }
@ -984,7 +984,7 @@ sub process_tc_filter( ) {
emit ''; emit '';
} }
sub setup_traffic_shaping() { sub setup_traffic_shaping() {
our $lastrule = ''; our $lastrule = '';
@ -1116,7 +1116,7 @@ sub setup_traffic_shaping() {
} }
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" ); emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
if ( $devref->{qdisc} eq 'htb' ) { if ( $devref->{qdisc} eq 'htb' ) {
emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" ); emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
} else { } else {
@ -1129,7 +1129,7 @@ sub setup_traffic_shaping() {
emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" ); emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
} }
} }
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo}; emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
# #
# add filters # add filters


@ -164,7 +164,7 @@ use constant { SIMPLE_IF_OPTION => 1,
OBSOLETE_IF_OPTION => 5, OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6, IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7, MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8, IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16, IF_OPTION_HOST => 16,
}; };
@ -174,7 +174,7 @@ our %validinterfaceoptions;
our %validhostoptions; our %validhostoptions;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
# 1. Proper initialization depends on the address family which isn't # 1. Proper initialization depends on the address family which isn't
@ -326,7 +326,7 @@ sub set_super( $ );
sub set_super( $ ) { sub set_super( $ ) {
my $zoneref = shift; my $zoneref = shift;
unless ( $zoneref->{options}{super} ) { unless ( $zoneref->{options}{super} ) {
$zoneref->{options}{super} = 1; $zoneref->{options}{super} = 1;
set_super( $zones{$_} ) for @{$zoneref->{parents}}; set_super( $zones{$_} ) for @{$zoneref->{parents}};
@ -358,7 +358,7 @@ sub process_zone( \$ ) {
fatal_error "Invalid zone name ($zone)" unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH}; fatal_error "Invalid zone name ($zone)" unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
if ( $type =~ /ipv([46])?/i ) { if ( $type =~ /ipv([46])?/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
$type = IP; $type = IP;
@ -391,11 +391,11 @@ sub process_zone( \$ ) {
} }
} }
} }
for ( $options, $in_options, $out_options ) { for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-'; $_ = '' if $_ eq '-';
} }
$zones{$zone} = { type => $type, $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
@ -410,9 +410,9 @@ sub process_zone( \$ ) {
children => [] , children => [] ,
hosts => {} hosts => {}
}; };
return $zone; return $zone;
} }
# #
# Parse the zones file. # Parse the zones file.
@ -476,7 +476,7 @@ sub zone_report()
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
@ -530,7 +530,7 @@ sub dump_zone_contents()
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
@ -629,7 +629,7 @@ sub add_group_to_zone($$$$$)
if ( substr( $host, 0, 1 ) eq '+' ) { if ( substr( $host, 0, 1 ) eq '+' ) {
fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/; fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
require_capability( 'IPSET_MATCH', 'Ipset names in host lists', ''); require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
} else { } else {
validate_host $host, 0; validate_host $host, 0;
} }
@ -767,7 +767,7 @@ sub process_interface( $ ) {
unless ( $networks eq '' || $networks eq 'detect' ) { unless ( $networks eq '' || $networks eq 'detect' ) {
my @broadcasts = split_list $networks, 'address'; my @broadcasts = split_list $networks, 'address';
for my $address ( @broadcasts ) { for my $address ( @broadcasts ) {
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
} }
@ -788,7 +788,7 @@ sub process_interface( $ ) {
if ( $options ) { if ( $options ) {
my %hostoptions = ( dynamic => 0 ); my %hostoptions = ( dynamic => 0 );
for my $option (split_list1 $options, 'option' ) { for my $option (split_list1 $options, 'option' ) {
next if $option eq '-'; next if $option eq '-';
@ -846,13 +846,13 @@ sub process_interface( $ ) {
# Add all IP to the front of a list if the list begins with '!' # Add all IP to the front of a list if the list begins with '!'
# #
$value = join ',' , ALLIP , $value if $value =~ /^!/; $value = join ',' , ALLIP , $value if $value =~ /^!/;
if ( $value eq 'dynamic' ) { if ( $value eq 'dynamic' ) {
require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$value = "+${zone}_${interface}"; $value = "+${zone}_${interface}";
$hostoptions{dynamic} = 1; $hostoptions{dynamic} = 1;
$ipsets{"${zone}_${interface}"} = 1; $ipsets{"${zone}_${interface}"} = 1;
} }
# #
# Convert into a Perl array reference # Convert into a Perl array reference
# #
@ -885,7 +885,7 @@ sub process_interface( $ ) {
broadcasts => $broadcasts , broadcasts => $broadcasts ,
options => \%options }; options => \%options };
$nets = [ allip ] unless $nets; $nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone; add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
@ -1150,9 +1150,9 @@ sub process_host( ) {
$hosts = "+${zone}_${interface}"; $hosts = "+${zone}_${interface}";
$optionsref->{dynamic} = 1; $optionsref->{dynamic} = 1;
$ipsets{"${zone}_${interface}"} = 1; $ipsets{"${zone}_${interface}"} = 1;
} }
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
progress_message " Host \"$currentline\" validated"; progress_message " Host \"$currentline\" validated";


@ -105,11 +105,11 @@ my $result = GetOptions('h' => \$help,
usage(1) unless $result && @ARGV < 2; usage(1) unless $result && @ARGV < 2;
usage(0) if $help; usage(0) if $help;
compiler( object => defined $ARGV[0] ? $ARGV[0] : '', compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
directory => $shorewall_dir, directory => $shorewall_dir,
verbosity => $verbose, verbosity => $verbose,
timestamp => $timestamp, timestamp => $timestamp,
debug => $debug, debug => $debug,
export => $export, export => $export,
chains => $chains, chains => $chains,
log => $log, log => $log,


@ -200,7 +200,7 @@ get_all_bcasts()
debug_restore_input() { debug_restore_input() {
local first second rest table chain local first second rest table chain
# #
# Clear the ruleset # Clear the ruleset
# #
qt1 $IPTABLES -t mangle -F qt1 $IPTABLES -t mangle -F
qt1 $IPTABLES -t mangle -X qt1 $IPTABLES -t mangle -X
@ -291,7 +291,7 @@ usage() {
# #
# Start trace if first arg is "debug" or "trace" # Start trace if first arg is "debug" or "trace"
# #
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then if [ "x$1" = "xtrace" ]; then
set -x set -x
shift shift


@ -168,7 +168,7 @@ restore_dynamic_rules() {
debug_restore_input() { debug_restore_input() {
local first second rest table chain local first second rest table chain
# #
# Clear the ruleset # Clear the ruleset
# #
qt1 $IP6TABLES -t mangle -F qt1 $IP6TABLES -t mangle -F
qt1 $IP6TABLES -t mangle -X qt1 $IP6TABLES -t mangle -X
@ -252,7 +252,7 @@ usage() {
# #
# Start trace if first arg is "debug" or "trace" # Start trace if first arg is "debug" or "trace"
# #
if [ $# -gt 1 ]; then if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then if [ "x$1" = "xtrace" ]; then
set -x set -x
shift shift
@ -319,7 +319,7 @@ kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//'
if [ $kernel -lt 20624 ]; then if [ $kernel -lt 20624 ]; then
error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
status=2 status=2
else else
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2


@ -578,7 +578,7 @@ convert_to_anycast() {
local l local l
while read address; do while read address; do
case $address in case $address in
2*|3*) 2*|3*)
vlsm=${address#*/} vlsm=${address#*/}
vlsm=${vlsm:=128} vlsm=${vlsm:=128}
@ -626,7 +626,7 @@ convert_to_anycast() {
badress=$address badress=$address
fi fi
# #
# Note: at this point $address and $badress are the same except possibly for # Note: at this point $address and $badress are the same except possibly for
# the contents of the last half-word # the contents of the last half-word
# #
list_count $(split $address) list_count $(split $address)
@ -663,7 +663,7 @@ convert_to_anycast() {
# #
# Generate a list of anycast addresses for a given interface # Generate a list of anycast addresses for a given interface
# #
get_interface_acasts() # $1 = interface get_interface_acasts() # $1 = interface
{ {