Finish ipset initial implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-24 15:59:17 +00:00
parent 6f40ceabf1
commit 5f5ece2a31
4 changed files with 83 additions and 41 deletions


@ -416,31 +416,6 @@ sub first_chains( $ ) #$1 = interface
[ $c . '_fwd', $c . '_in' ]; [ $c . '_fwd', $c . '_in' ];
} }
#
# Split a source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
my @result;
while ( @input ) {
my $element = shift @input;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@result;
}
# #
# Create a new chain and return a reference to it. # Create a new chain and return a reference to it.
# #
@ -832,6 +807,29 @@ sub iprange_match() {
$match; $match;
} }
#
# Get set flags (ipsets).
#
sub get_set_flags( $$ ) {
my ( $setname, $option ) = @_;
my $options = $option;
fatal_error "Your kernel and/or iptables does not include ipset match: $setname" unless $capabilities{IPSET_MATCH};
if ( $setname =~ /(.*)\[([1-6])\]$/ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /(.+)\[(.*)\]$/ ) {
$setname = $1;
$options = $2;
}
$setname =~ s/^\+//;
"--set $setname $options"
}
# #
# Match a Source. Currently only handles IP addresses and ranges # Match a Source. Currently only handles IP addresses and ranges
# #
@ -844,7 +842,9 @@ sub match_source_net( $ ) {
iprange_match . "${invert}--src-range $net "; iprange_match . "${invert}--src-range $net ";
} elsif ( $net =~ /^(!?)~(.*)$/ ) { } elsif ( $net =~ /^(!?)~(.*)$/ ) {
( $net = $2 ) =~ s/-/:/g; ( $net = $2 ) =~ s/-/:/g;
"-m mac --mac-source $1 $net " "-m mac --mac-source $1 $net ";
} elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src'
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-s ! $net "; "-s ! $net ";
@ -863,6 +863,8 @@ sub match_dest_net( $ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
iprange_match . "${invert}--dst-range $net "; iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst'
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-d ! $net "; "-d ! $net ";
@ -1159,7 +1161,7 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = ''; $oexcl = '';
} }
if ( ! $onets ) { unless ( $onets ) {
my @oexcl = mysplit $oexcl; my @oexcl = mysplit $oexcl;
if ( @oexcl == 1 ) { if ( @oexcl == 1 ) {
$rule .= "-m conntrack --ctorigdst ! $oexcl "; $rule .= "-m conntrack --ctorigdst ! $oexcl ";
@ -1182,7 +1184,7 @@ sub expand_rule( $$$$$$$$$$ )
$iexcl = ''; $iexcl = '';
} }
if ( ! $inets ) { unless ( $inets ) {
my @iexcl = mysplit $iexcl; my @iexcl = mysplit $iexcl;
if ( @iexcl == 1 ) { if ( @iexcl == 1 ) {
$rule .= match_source_net "!$iexcl "; $rule .= match_source_net "!$iexcl ";
@ -1204,7 +1206,7 @@ sub expand_rule( $$$$$$$$$$ )
$dexcl = ''; $dexcl = '';
} }
if ( ! $dnets ) { unless ( $dnets ) {
my @dexcl = mysplit $dexcl; my @dexcl = mysplit $dexcl;
if ( @dexcl == 1 ) { if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl "; $rule .= match_dest_net "!$dexcl ";
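Review bot: An inverted set reference such as `!+myset` reaches `get_set_flags` with its `!` intact, because the new `match_source_net`/`match_dest_net` branches pass `$net` unchanged and the `s/^\+//` near the end of `get_set_flags` does not match a string that starts with `!`, so the generated match becomes `-m set ! --set !+myset src`. Changing that line to `$setname =~ s/^!?\+//;` covers both callers (it runs after the bracket regexes, whose `(.*)`/`(.+)` captures keep the `!` in `$1`). The `[...]` branch also copies the bracket contents into `$options` unvalidated and they land verbatim in the generated iptables command line; a guard such as `fatal_error "Invalid ipset flags ($options)" unless $options =~ /^(?:src|dst)(?:,(?:src|dst))*$/;` before the final `"--set $setname $options"` would reject anything other than a src/dst flag list. If `$net` still carries the trailing space that `expand_rule` appends in `"!$iexcl "`, the `\]$` anchors in both bracket regexes will also fail to match — worth confirming against the caller. Finally, the callers rely on `$1` surviving until the concatenation is evaluated; capturing the invert into a named variable first, as `match_dest_net` already does with `$invert` for ranges, would be clearer and less fragile.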


@ -34,6 +34,7 @@ our @EXPORT = qw(ALLIPv4
warning_message warning_message
fatal_error fatal_error
mysplit
create_temp_object create_temp_object
finalize_object finalize_object
emit emit
@ -97,6 +98,34 @@ sub fatal_error
die; die;
} }
#
# Split a comma-separated source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
return @input unless $_[0] =~ /\[/;
my @result;
while ( @input ) {
my $element = shift @input;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@result;
}
sub create_temp_object( $ ) { sub create_temp_object( $ ) {
my $objectfile = $_[0]; my $objectfile = $_[0];
my $suffix; my $suffix;
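Review bot: `mysplit` returns its result two different ways — the new early exit uses `return @input` while the normal path falls off the end with a bare `@result;` — and the argument is read three times as `$_[0]`. Naming it once with `my $list = $_[0];` and closing with `return @result;` would make both paths read alike and keep the error text `Invalid Host List ($list)` independent of `@_`. The check `substr( $element, -1, 1 ) eq ']'` only inspects the last character, so an element with a stray `]` earlier, or a `]` with no preceding `[`, passes through unchanged; presumably that is acceptable for the intended `[...]` syntax, but a comment stating that only the closing bracket is verified would save the next reader the question.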


@ -601,8 +601,8 @@ sub compile_firewall( $ ) {
unless $capabilities{XMULTIPORT}; unless $capabilities{XMULTIPORT};
fatal_error( 'Shorewall ' . VERSION . ' requires Address Type Match Support' ) fatal_error( 'Shorewall ' . VERSION . ' requires Address Type Match Support' )
unless $capabilities{ADDRTYPE}; unless $capabilities{ADDRTYPE};
fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables' fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . 'Perl-based compiler';
if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH}; if $config{BRIDGING};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables' fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH}; if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
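Review bot: The new BRIDGING message is missing a space between `VERSION` and the following literal, so it renders as `... by the <version>Perl-based compiler` (placeholder for the actual version string); change the literal to `' Perl-based compiler'`. The sibling message two lines above, `'Shorewall ' . VERSION . ' requires Address Type Match Support'`, shows the intended spacing. `compile_firewall` starts and ends outside the hunk.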


@ -8,25 +8,36 @@ a) The compiler is small.
b) The compiler is very fast. b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore; c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast. so the script is very fast.
d) Use of the perl compiler is optional! The old slow clunky
Bourne-shell compiler is still there.
The bad news: The bad news:
There are a number of incompatibilities between 3.9.0 and earlier There are a number of incompatibilities between 3.9.0 using the
versions. Perl-based compiler and earlier versions.
a) This version requires the addrtype match capability in your kernel a) This version requires the following capabilities in your kernel
and iptables. This capability is in current distributions. and iptables.
b) The BROADCAST column in the interfaces file is essentailly unused; - addrtype match
- conntrack match
- extended multiport match
These capabilities are in current distributions.
b) BRIDGING=Yes is not supported. The kernel code necessary to
support this option was removed in Linux kernel 2.6.20.
c) The BROADCAST column in the interfaces file is essentailly unused;
if you enter anything in this column but '-' or 'detect', you will if you enter anything in this column but '-' or 'detect', you will
receive a warning. receive a warning.
c) Because the compiler is now written in Perl, your compile-time d) Because the compiler is now written in Perl, your compile-time
extension scripts for earlier version will no longer work. extension scripts for earlier version will no longer work.
d) The 'refresh' command is now synonamous with 'restart'. e) The 'refresh' command is now synonamous with 'restart'.
e) Some run-time extension scripts are no longer supported because they f) Some run-time extension scripts are no longer supported because they
make no sense (iptables-restore instantiates the new configuration make no sense (iptables-restore instantiates the new configuration
atomically). atomically).
@ -36,8 +47,8 @@ e) Some run-time extension scripts are no longer supported because they
refresh refresh
refreshed refreshed
f) Currently, 3.9.0 has no support for ipsets. That will change with g) Currently, support for ipsets is untested. That will change with
future releases but one thing is certain -- Shorewall is out of the future releases but one thing is certain -- Shorewall is now out of the
ipset load/reload business. If the Netfilter ruleset is never cleared, ipset load/reload business. If the Netfilter ruleset is never cleared,
then there is no opportunity for Shorewall to load/reload your then there is no opportunity for Shorewall to load/reload your
ipsets. ipsets.