Remove whitespace from blank lines
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
45c6c2ad1f
commit
5ff0ac8961
@ -286,7 +286,7 @@ sub createlogactionchain( $$ ) {
|
||||
my $chain = $action;
|
||||
my $actionref = $actions{$action};
|
||||
my $chainref;
|
||||
|
||||
|
||||
my ($lev, $tag) = split ':', $level;
|
||||
|
||||
validate_level $lev;
|
||||
@ -304,7 +304,7 @@ sub createlogactionchain( $$ ) {
|
||||
$logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
|
||||
|
||||
fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
|
||||
|
||||
|
||||
unless ( $targets{$action} & STANDARD ) {
|
||||
|
||||
my $file = find_file $chain;
|
||||
@ -752,7 +752,7 @@ sub process_actions3 () {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
}
|
||||
|
||||
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
} else {
|
||||
|
@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
|
||||
OUTPUT_RESTRICT
|
||||
POSTROUTE_RESTRICT
|
||||
ALL_RESTRICT
|
||||
|
||||
|
||||
add_command
|
||||
add_commands
|
||||
move_rules
|
||||
@ -140,7 +140,6 @@ our %EXPORT_TAGS = (
|
||||
match_ipsec_out
|
||||
log_rule
|
||||
expand_rule
|
||||
addrawjump
|
||||
addnatjump
|
||||
get_interface_address
|
||||
get_interface_addresses
|
||||
@ -384,7 +383,7 @@ sub clear_comment() {
|
||||
#
|
||||
sub macro_comment( $ ) {
|
||||
my $macro = $_[0];
|
||||
|
||||
|
||||
$comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} );
|
||||
}
|
||||
|
||||
@ -443,22 +442,22 @@ sub push_rule( $$ ) {
|
||||
|
||||
sub handle_sport_list( $$$$$ ) {
|
||||
my ($chainref, $rule, $first, $ports, $rest) = @_;
|
||||
|
||||
|
||||
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
|
||||
#
|
||||
# More than 15 ports specified
|
||||
#
|
||||
my @ports = split '([,:])', $ports;
|
||||
|
||||
|
||||
while ( @ports ) {
|
||||
my $count = 0;
|
||||
my $newports = '';
|
||||
|
||||
|
||||
while ( @ports && $count < 15 ) {
|
||||
my ($port, $separator) = ( shift @ports, shift @ports );
|
||||
|
||||
|
||||
$separator ||= '';
|
||||
|
||||
|
||||
if ( ++$count == 15 ) {
|
||||
if ( $separator eq ':' ) {
|
||||
unshift @ports, $port, ':';
|
||||
@ -471,7 +470,7 @@ sub handle_sport_list( $$$$$ ) {
|
||||
$newports .= "${port}${separator}";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
|
||||
}
|
||||
} else {
|
||||
@ -486,22 +485,22 @@ sub handle_sport_list( $$$$$ ) {
|
||||
|
||||
sub handle_dport_list( $$$$$ ) {
|
||||
my ($chainref, $rule, $first, $ports, $rest) = @_;
|
||||
|
||||
|
||||
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
|
||||
#
|
||||
# More than 15 ports specified
|
||||
#
|
||||
my @ports = split '([,:])', $ports;
|
||||
|
||||
|
||||
while ( @ports ) {
|
||||
my $count = 0;
|
||||
my $newports = '';
|
||||
|
||||
|
||||
while ( @ports && $count < 15 ) {
|
||||
my ($port, $separator) = ( shift @ports, shift @ports );
|
||||
|
||||
|
||||
$separator ||= '';
|
||||
|
||||
|
||||
if ( ++$count == 15 ) {
|
||||
if ( $separator eq ':' ) {
|
||||
unshift @ports, $port, ':';
|
||||
@ -516,7 +515,7 @@ sub handle_dport_list( $$$$$ ) {
|
||||
}
|
||||
|
||||
my $newrule = join( '', $first, $newports, $rest );
|
||||
|
||||
|
||||
if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
|
||||
handle_sport_list( $chainref, $newrule, $1, $2, $3 );
|
||||
} else {
|
||||
@ -548,7 +547,7 @@ sub add_rule($$;$)
|
||||
#
|
||||
# By post-processing each rule generated by expand_rule(), we avoid all of that
|
||||
# messiness and replace it with the following localized messiness.
|
||||
|
||||
|
||||
if ( $expandports ) {
|
||||
if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
|
||||
#
|
||||
@ -592,7 +591,7 @@ sub add_jump( $$$;$ ) {
|
||||
#
|
||||
$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# If the destination is a chain, mark it referenced
|
||||
#
|
||||
@ -638,7 +637,7 @@ sub add_tunnel_rule( $$ ) {
|
||||
|
||||
insert_rule1( $chainref, $chainref->{new}++, $rule );
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Move the rules from one chain to another
|
||||
#
|
||||
@ -746,7 +745,7 @@ sub use_input_chain($) {
|
||||
return 0 unless $nets;
|
||||
|
||||
my $zone = $interfaceref->{zone};
|
||||
|
||||
|
||||
return 1 unless $zone;
|
||||
#
|
||||
# Interface associated with a single zone -- Must use the interface chain if
|
||||
@ -1081,7 +1080,7 @@ sub initialize_chain_table()
|
||||
for my $chain qw(INPUT OUTPUT FORWARD) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
|
||||
|
||||
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
|
||||
new_builtin_chain 'nat', $chain, 'ACCEPT';
|
||||
}
|
||||
@ -1128,7 +1127,7 @@ sub initialize_chain_table()
|
||||
for my $chain qw(INPUT OUTPUT FORWARD) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
|
||||
|
||||
for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
|
||||
new_builtin_chain 'nat', $chain, 'ACCEPT';
|
||||
}
|
||||
@ -1145,7 +1144,7 @@ sub finish_chain_section ($$) {
|
||||
my ($chainref, $state ) = @_;
|
||||
my $chain = $chainref->{name};
|
||||
my $savecomment = $comment;
|
||||
|
||||
|
||||
$comment = '';
|
||||
|
||||
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
@ -1169,7 +1168,7 @@ sub finish_chain_section ($$) {
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$chainref->{new} = @{$chainref->{rules}};
|
||||
|
||||
}
|
||||
@ -1269,27 +1268,27 @@ sub newexclusionchain() {
|
||||
#
|
||||
sub source_exclusion( $$ ) {
|
||||
my ( $exclusions, $target ) = @_;
|
||||
|
||||
|
||||
return $target unless @$exclusions;
|
||||
|
||||
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
|
||||
|
||||
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||
add_jump( $chainref, $target, 1 );
|
||||
|
||||
|
||||
reftype $target ? $chainref : $chainref->{name};
|
||||
}
|
||||
|
||||
sub dest_exclusion( $$ ) {
|
||||
my ( $exclusions, $target ) = @_;
|
||||
|
||||
|
||||
return $target unless @$exclusions;
|
||||
|
||||
|
||||
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
|
||||
|
||||
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||
add_jump( $chainref, $target, 1 );
|
||||
|
||||
|
||||
reftype $target ? $chainref : $chainref->{name};
|
||||
}
|
||||
|
||||
@ -1318,7 +1317,7 @@ sub do_proto( $$$ )
|
||||
$sports = '' if $sports eq '-';
|
||||
|
||||
if ( $proto ne '' ) {
|
||||
|
||||
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
my $invert = ( $proto =~ s/^!// ? '! ' : '' );
|
||||
my $protonum = resolve_proto $proto;
|
||||
@ -1360,7 +1359,7 @@ sub do_proto( $$$ )
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
|
||||
}
|
||||
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
@ -1372,9 +1371,9 @@ sub do_proto( $$$ )
|
||||
$output .= "--sport ${invert}${sports} ";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
last PROTO; }
|
||||
|
||||
|
||||
if ( $proto == ICMP ) {
|
||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
|
||||
if ( $ports ne '' ) {
|
||||
@ -1383,7 +1382,7 @@ sub do_proto( $$$ )
|
||||
$ports = validate_icmp $ports;
|
||||
$output .= "--icmp-type ${invert}${ports} ";
|
||||
}
|
||||
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
@ -1396,7 +1395,7 @@ sub do_proto( $$$ )
|
||||
$ports = validate_icmp6 $ports;
|
||||
$output .= "--icmpv6-type ${invert}${ports} ";
|
||||
}
|
||||
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||
|
||||
last PROTO; }
|
||||
@ -1408,18 +1407,18 @@ sub do_proto( $$$ )
|
||||
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' if $synonly;
|
||||
|
||||
|
||||
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
|
||||
my $p = $2 ? lc $3 : 'tcp';
|
||||
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
||||
$proto = '-p ' . proto_name($p) . ' ';
|
||||
|
||||
my $options = '';
|
||||
|
||||
|
||||
if ( $ports ne 'ipp2p' ) {
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
}
|
||||
|
||||
|
||||
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
|
||||
$output .= "${proto}-m ipp2p${options} ";
|
||||
@ -1552,7 +1551,7 @@ sub do_time( $ ) {
|
||||
require_capability 'TIME_MATCH', 'A non-empty TIME', 's';
|
||||
|
||||
my $result = '-m time ';
|
||||
|
||||
|
||||
for my $element (split /&/, $time ) {
|
||||
fatal_error "Invalid time element list ($time)" unless defined $element && $element;
|
||||
|
||||
@ -1577,7 +1576,7 @@ sub do_time( $ ) {
|
||||
fatal_error "Invalid time element ($element)";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
@ -1657,7 +1656,7 @@ sub do_connbytes( $ ) {
|
||||
my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max;
|
||||
my $dir = $5 || 'B';
|
||||
my $mode = $6 || 'B';
|
||||
|
||||
|
||||
$dir =~ s/://;
|
||||
$mode =~ s/://;
|
||||
|
||||
@ -1876,7 +1875,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
$level = validate_level $level; # Do this here again because this function can be called directly from user exits.
|
||||
|
||||
return 1 if $level eq '';
|
||||
|
||||
|
||||
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
|
||||
|
||||
unless ( $predicates =~ /-m limit / ) {
|
||||
@ -1905,7 +1904,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
}
|
||||
|
||||
$disposition =~ s/\s+.*//;
|
||||
|
||||
|
||||
if ( $globals{LOGRULENUMBERS} ) {
|
||||
$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
|
||||
} else {
|
||||
@ -2261,7 +2260,7 @@ sub expand_rule( $$$$$$$$$$$ )
|
||||
push_command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done';
|
||||
|
||||
$rule .= '-s $source ';
|
||||
|
||||
|
||||
} else {
|
||||
fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT;
|
||||
$rule .= match_source_dev( $iiface );
|
||||
@ -2569,18 +2568,6 @@ sub expand_rule( $$$$$$$$$$$ )
|
||||
#
|
||||
# If the destination chain exists, then at the end of the source chain add a jump to the destination.
|
||||
#
|
||||
sub addrawjump( $$$ ) {
|
||||
my ( $source , $dest, $predicates ) = @_;
|
||||
|
||||
my $destref = $raw_table->{$dest} || {};
|
||||
|
||||
if ( $destref->{referenced} ) {
|
||||
add_rule $raw_table->{$source} , $predicates . "-j $dest";
|
||||
} else {
|
||||
clearrule;
|
||||
}
|
||||
}
|
||||
|
||||
sub addnatjump( $$$ ) {
|
||||
my ( $source , $dest, $predicates ) = @_;
|
||||
|
||||
@ -2606,7 +2593,7 @@ sub emit_test() {
|
||||
push_indent;
|
||||
our $emitted_test = 1;
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Generate setting of global variables
|
||||
#
|
||||
@ -2849,12 +2836,12 @@ sub create_chainlist_reload($) {
|
||||
emit '';
|
||||
|
||||
my $table = 'filter';
|
||||
|
||||
|
||||
my %chains;
|
||||
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||
|
||||
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
|
||||
|
||||
$chains{$table} = [] unless $chains{$table};
|
||||
@ -2873,7 +2860,7 @@ sub create_chainlist_reload($) {
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
|
||||
for $table qw(nat mangle filter) {
|
||||
next unless $chains{$table};
|
||||
|
||||
@ -2887,11 +2874,11 @@ sub create_chainlist_reload($) {
|
||||
my $chainref = $tableref->{$chain};
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
}
|
||||
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
my $chainref = $tableref->{$chain};
|
||||
my @rules = @{$chainref->{rules}};
|
||||
|
||||
|
||||
@rules = () unless @rules;
|
||||
#
|
||||
# Emit the chain rules
|
||||
@ -2902,7 +2889,7 @@ sub create_chainlist_reload($) {
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
|
||||
|
||||
emit_unindented 'COMMIT';
|
||||
}
|
||||
|
||||
|
@ -508,7 +508,7 @@ EOF
|
||||
|
||||
if ( @$interfaces ) {
|
||||
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT";
|
||||
emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
@ -631,7 +631,7 @@ sub generate_script_2($) {
|
||||
'qt1 $IPTABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
|
||||
'' );
|
||||
|
||||
|
||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
'if [ -n "$addr" ]; then',
|
||||
@ -643,7 +643,7 @@ sub generate_script_2($) {
|
||||
' done',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
|
||||
@ -663,7 +663,7 @@ sub generate_script_2($) {
|
||||
}
|
||||
|
||||
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
|
||||
|
||||
|
||||
} else {
|
||||
emit ( '#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
@ -675,13 +675,13 @@ sub generate_script_2($) {
|
||||
'qt1 $IP6TABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
|
||||
'' );
|
||||
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
|
||||
''
|
||||
);
|
||||
|
||||
|
||||
}
|
||||
|
||||
emit qq(delete_tc1\n) if $config{CLEAR_TC};
|
||||
@ -697,35 +697,35 @@ sub generate_script_2($) {
|
||||
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
|
||||
dump_proxy_arp;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
|
||||
emit( '',
|
||||
'if [ "$COMMAND" != refresh ]; then' );
|
||||
|
||||
|
||||
push_indent;
|
||||
|
||||
|
||||
emit 'cat > ${VARDIR}/zones << __EOF__';
|
||||
dump_zone_contents;
|
||||
emit_unindented '__EOF__';
|
||||
|
||||
|
||||
pop_indent;
|
||||
|
||||
|
||||
emit "fi\n";
|
||||
|
||||
|
||||
emit '> ${VARDIR}/nat';
|
||||
|
||||
|
||||
add_addresses;
|
||||
|
||||
emit( '',
|
||||
'if [ $COMMAND = restore ]; then',
|
||||
' iptables_save_file=${VARDIR}/$(basename $0)-iptables',
|
||||
' if [ -f $iptables_save_file ]; then' );
|
||||
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
|
||||
} else {
|
||||
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
|
||||
}
|
||||
|
||||
|
||||
emit<<'EOF';
|
||||
else
|
||||
fatal_error "$iptables_save_file does not exist"
|
||||
@ -761,7 +761,7 @@ EOF
|
||||
|
||||
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
|
||||
fi
|
||||
|
||||
|
||||
date > ${VARDIR}/restarted
|
||||
|
||||
case $COMMAND in
|
||||
@ -842,10 +842,10 @@ sub compiler {
|
||||
if ( $ref->{edit} ) {
|
||||
fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val);
|
||||
}
|
||||
|
||||
|
||||
${$ref->{store}} = $val;
|
||||
}
|
||||
|
||||
|
||||
reinitialize if $reused++ || $family == F_IPV6;
|
||||
|
||||
if ( $directory ne '' ) {
|
||||
@ -869,7 +869,7 @@ sub compiler {
|
||||
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
|
||||
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
|
||||
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
|
||||
|
||||
|
||||
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
|
||||
|
||||
initialize_chain_table;
|
||||
@ -945,7 +945,7 @@ sub compiler {
|
||||
copy $globals{SHAREDIRPL} . 'prog.functions6';
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
emit( "\n#",
|
||||
'# Setup Common Rules (/proc)',
|
||||
'#',
|
||||
@ -981,21 +981,21 @@ sub compiler {
|
||||
pop_indent;
|
||||
emit '}';
|
||||
}
|
||||
|
||||
|
||||
disable_object;
|
||||
#
|
||||
# R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
|
||||
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
|
||||
#
|
||||
enable_object;
|
||||
|
||||
|
||||
unless ( $command eq 'check' ) {
|
||||
emit( "\n#",
|
||||
'# Setup routing and traffic shaping',
|
||||
'#',
|
||||
'setup_routing_and_traffic_shaping() {'
|
||||
);
|
||||
|
||||
|
||||
push_indent;
|
||||
}
|
||||
#
|
||||
@ -1006,12 +1006,12 @@ sub compiler {
|
||||
# TCRules and Traffic Shaping
|
||||
#
|
||||
setup_tc;
|
||||
|
||||
|
||||
unless ( $command eq 'check' ) {
|
||||
pop_indent;
|
||||
emit "}\n";
|
||||
}
|
||||
|
||||
|
||||
disable_object;
|
||||
#
|
||||
# N E T F I L T E R
|
||||
|
@ -317,7 +317,7 @@ sub initialize( $ ) {
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.2.6",
|
||||
VERSION => "4.2.7",
|
||||
CAPVERSION => 40205 ,
|
||||
);
|
||||
|
||||
@ -676,7 +676,7 @@ sub fatal_error {
|
||||
close $log;
|
||||
$log = undef;
|
||||
}
|
||||
|
||||
|
||||
confess " ERROR: @_$currentlineinfo" if $debug;
|
||||
die " ERROR: @_$currentlineinfo\n";
|
||||
}
|
||||
@ -697,7 +697,7 @@ sub fatal_error1 {
|
||||
close $log;
|
||||
$log = undef;
|
||||
}
|
||||
|
||||
|
||||
confess " ERROR: @_" if $debug;
|
||||
die " ERROR: @_\n";
|
||||
}
|
||||
@ -747,7 +747,7 @@ sub in_hex8( $ ) {
|
||||
#
|
||||
sub emit {
|
||||
fatal_error 'Internal Error in emit' unless $object_enabled;
|
||||
|
||||
|
||||
if ( $object ) {
|
||||
#
|
||||
# 'compile' as opposed to 'check'
|
||||
@ -1030,7 +1030,7 @@ sub copy1( $ ) {
|
||||
s/^(\s*)/$indent1$1$indent2/;
|
||||
s/ /\t/ if $indent2;
|
||||
}
|
||||
|
||||
|
||||
print $object $_;
|
||||
print $object "\n";
|
||||
$do_indent = ! ( $here_documents || /\\$/ );
|
||||
@ -1159,7 +1159,7 @@ sub split_list( $$ ) {
|
||||
my ($list, $type ) = @_;
|
||||
|
||||
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
|
||||
|
||||
|
||||
split /,/, $list;
|
||||
}
|
||||
|
||||
@ -1167,11 +1167,11 @@ sub split_list1( $$ ) {
|
||||
my ($list, $type ) = @_;
|
||||
|
||||
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
|
||||
|
||||
|
||||
my @list1 = split /,/, $list;
|
||||
my @list2;
|
||||
my $element = '';
|
||||
|
||||
|
||||
for ( @list1 ) {
|
||||
if ( /\(/ ) {
|
||||
fatal_error "Invalid $type list ($list)" if $element;
|
||||
@ -1295,7 +1295,7 @@ sub close_file() {
|
||||
my $result = close $currentfile;
|
||||
|
||||
pop_include;
|
||||
|
||||
|
||||
fatal_error "SHELL Script failed" unless $result;
|
||||
|
||||
$first_entry = 0;
|
||||
@ -1367,7 +1367,7 @@ sub embedded_shell( $ ) {
|
||||
|
||||
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
|
||||
my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
|
||||
|
||||
|
||||
if ( $multiline ) {
|
||||
#
|
||||
# Multi-line script
|
||||
@ -1376,19 +1376,19 @@ sub embedded_shell( $ ) {
|
||||
$command .= "\n";
|
||||
|
||||
my $last = 0;
|
||||
|
||||
|
||||
while ( <$currentfile> ) {
|
||||
$currentlinenumber++;
|
||||
last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
|
||||
$command .= $_;
|
||||
}
|
||||
|
||||
|
||||
fatal_error ( "Missing END SHELL" ) unless $last;
|
||||
fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
|
||||
}
|
||||
|
||||
$command .= q(');
|
||||
|
||||
|
||||
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
|
||||
$currentfile = undef;
|
||||
open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
|
||||
@ -1399,7 +1399,7 @@ sub embedded_shell( $ ) {
|
||||
|
||||
sub embedded_perl( $ ) {
|
||||
my $multiline = shift;
|
||||
|
||||
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
|
||||
if ( $multiline ) {
|
||||
@ -1408,19 +1408,19 @@ sub embedded_perl( $ ) {
|
||||
#
|
||||
fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/;
|
||||
$command .= "\n";
|
||||
|
||||
|
||||
my $last = 0;
|
||||
|
||||
|
||||
while ( <$currentfile> ) {
|
||||
$currentlinenumber++;
|
||||
last if $last = s/^\s*END(\s+PERL)?\s*;?//;
|
||||
$command .= $_;
|
||||
}
|
||||
|
||||
|
||||
fatal_error ( "Missing END PERL" ) unless $last;
|
||||
fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
|
||||
}
|
||||
|
||||
|
||||
unless (my $return = eval $command ) {
|
||||
if ( $@ ) {
|
||||
#
|
||||
@ -1429,7 +1429,7 @@ sub embedded_perl( $ ) {
|
||||
$@ =~ s/, <\$currentfile> line \d+//g;
|
||||
fatal_error1 "$@";
|
||||
}
|
||||
|
||||
|
||||
unless ( defined $return ) {
|
||||
fatal_error "Perl Script failed: $!" if $!;
|
||||
fatal_error "Perl Script failed";
|
||||
@ -1437,23 +1437,23 @@ sub embedded_perl( $ ) {
|
||||
|
||||
fatal_error "Perl Script Returned False";
|
||||
}
|
||||
|
||||
|
||||
if ( $scriptfile ) {
|
||||
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
|
||||
|
||||
close $scriptfile or fatal_error "Internal Error in embedded_perl()";
|
||||
|
||||
|
||||
$scriptfile = undef;
|
||||
|
||||
|
||||
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
|
||||
$currentfile = undef;
|
||||
|
||||
|
||||
open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
|
||||
|
||||
push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
|
||||
|
||||
|
||||
$scriptfilename = '';
|
||||
|
||||
|
||||
$currentfilename = "PERL\@$currentfilename:$linenumber";
|
||||
$currentline = '';
|
||||
$currentlinenumber = 0;
|
||||
@ -1525,19 +1525,19 @@ sub read_a_line() {
|
||||
$currentline = join( '', $1 , $val , $4 );
|
||||
fatal_error "Variable Expansion Loop" if ++$count > 100;
|
||||
}
|
||||
|
||||
|
||||
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
|
||||
|
||||
|
||||
my @line = split ' ', $currentline;
|
||||
|
||||
|
||||
fatal_error "Invalid INCLUDE command" if @line != 2;
|
||||
fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
|
||||
|
||||
|
||||
my $filename = find_file $line[1];
|
||||
|
||||
|
||||
fatal_error "INCLUDE file $filename not found" unless -f $filename;
|
||||
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
|
||||
|
||||
|
||||
if ( -s _ ) {
|
||||
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
|
||||
$currentfile = undef;
|
||||
@ -1545,7 +1545,7 @@ sub read_a_line() {
|
||||
} else {
|
||||
$currentlinenumber = 0;
|
||||
}
|
||||
|
||||
|
||||
$currentline = '';
|
||||
} else {
|
||||
return 1;
|
||||
@ -1646,7 +1646,7 @@ sub validate_level( $ ) {
|
||||
|
||||
$index++;
|
||||
}
|
||||
|
||||
|
||||
return $olevel;
|
||||
}
|
||||
|
||||
@ -1817,11 +1817,11 @@ sub determine_capabilities( $ ) {
|
||||
my $pid = $$;
|
||||
my $sillyname = "fooX$pid";
|
||||
my $sillyname1 = "foo1X$pid";
|
||||
|
||||
|
||||
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
|
||||
|
||||
|
||||
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
|
||||
|
||||
|
||||
qt1( "$iptables -N $sillyname" );
|
||||
qt1( "$iptables -N $sillyname1" );
|
||||
|
||||
@ -1835,7 +1835,7 @@ sub determine_capabilities( $ ) {
|
||||
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
|
||||
$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
|
||||
}
|
||||
|
||||
|
||||
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
|
||||
$capabilities{MULTIPORT} = 1;
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
|
||||
@ -2092,7 +2092,7 @@ sub get_capabilities( $ ) {
|
||||
#
|
||||
sub unsupported_yes_no( $ ) {
|
||||
my $option = shift;
|
||||
|
||||
|
||||
default_yes_no $option, '';
|
||||
|
||||
fatal_error "$option=Yes is not supported by Shorewall-perl $globals{VERSION}" if $config{$option};
|
||||
@ -2110,7 +2110,7 @@ sub get_configuration( $ ) {
|
||||
$globals{EXPORT} = $export;
|
||||
|
||||
our ( $once, @originalinc );
|
||||
|
||||
|
||||
@originalinc = @INC unless $once++;
|
||||
|
||||
ensure_config_path;
|
||||
@ -2135,7 +2135,7 @@ sub get_configuration( $ ) {
|
||||
if ( defined $config{LOGRATE} ) {
|
||||
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
||||
}
|
||||
|
||||
|
||||
if ( defined $config{LOGBURST} ) {
|
||||
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
|
||||
}
|
||||
@ -2231,7 +2231,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'NULL_ROUTE_RFC1918' , '';
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
|
||||
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
||||
default 'BLACKLIST_DISPOSITION' , 'DROP';
|
||||
@ -2402,12 +2402,12 @@ sub run_user_exit( $ ) {
|
||||
|
||||
unless (my $return = eval $command ) {
|
||||
fatal_error "Couldn't parse $file: $@" if $@;
|
||||
|
||||
|
||||
unless ( defined $return ) {
|
||||
fatal_error "Couldn't do $file: $!" if $!;
|
||||
fatal_error "Couldn't do $file";
|
||||
}
|
||||
|
||||
|
||||
fatal_error "$file returned a false value";
|
||||
}
|
||||
}
|
||||
|
@ -139,7 +139,7 @@ sub validate_4address( $$ ) {
|
||||
my ( $addr, $allow_name ) = @_;
|
||||
|
||||
my @addrs = ( $addr );
|
||||
|
||||
|
||||
unless ( valid_4address $addr ) {
|
||||
fatal_error "Invalid IP Address ($addr)" unless $allow_name;
|
||||
fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr);
|
||||
@ -267,7 +267,7 @@ sub decompose_net( $ ) {
|
||||
( $net, my $vlsm ) = validate_net( $net , 0 );
|
||||
|
||||
( in_hex8( $net ) , vlsm_to_mask( $vlsm ) );
|
||||
|
||||
|
||||
}
|
||||
|
||||
sub allipv4() {
|
||||
@ -281,7 +281,7 @@ sub allipv6() {
|
||||
sub rfc1918_networks() {
|
||||
@rfc1918_networks
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Protocol/port validation
|
||||
#
|
||||
@ -455,7 +455,7 @@ sub expand_port_range( $$ ) {
|
||||
my $mask = 0xffff; #Mask for current ports in group.
|
||||
my $y = 2; #Next power of two to test
|
||||
my $z = 1; #Number of ports in current group (Previous value of $y).
|
||||
|
||||
|
||||
while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
|
||||
$mask <<= 1;
|
||||
$z = $y;
|
||||
@ -466,7 +466,7 @@ sub expand_port_range( $$ ) {
|
||||
push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
|
||||
$first += $z;
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Invalid port range ($range)" unless @result; # first port > last port
|
||||
|
||||
@result;
|
||||
@ -489,7 +489,7 @@ sub valid_6address( $ ) {
|
||||
} else {
|
||||
$max = 8;
|
||||
}
|
||||
|
||||
|
||||
return 0 if @address > $max;
|
||||
return 0 unless ( @address == $max ) || $address =~ /::/;
|
||||
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
|
||||
@ -513,7 +513,7 @@ sub validate_6address( $$ ) {
|
||||
my ( $addr, $allow_name ) = @_;
|
||||
|
||||
my @addrs = ( $addr );
|
||||
|
||||
|
||||
unless ( valid_6address $addr ) {
|
||||
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
|
||||
require Socket6;
|
||||
|
@ -151,13 +151,13 @@ sub setup_one_masq($$$$$$$)
|
||||
#
|
||||
$networks = ALLIPv4 if $networks eq '-';
|
||||
$destnets = ALLIPv4 if $destnets eq '-';
|
||||
|
||||
|
||||
#
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
if ( $ipsec ne '-' ) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
|
||||
|
||||
|
||||
if ( $ipsec =~ /^yes$/i ) {
|
||||
$baserule .= '-m policy --pol ipsec --dir out ';
|
||||
} elsif ( $ipsec =~ /^no$/i ) {
|
||||
@ -178,7 +178,7 @@ sub setup_one_masq($$$$$$$)
|
||||
# Handle Mark
|
||||
#
|
||||
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
|
||||
|
||||
|
||||
for my $fullinterface (split_list $interfacelist, 'interface' ) {
|
||||
my $rule = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
@ -194,7 +194,7 @@ sub setup_one_masq($$$$$$$)
|
||||
my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/;
|
||||
|
||||
fatal_error "$provider is not a shared-interface provider" unless $realm;
|
||||
|
||||
|
||||
$rule .= "-m realm --realm $realm ";
|
||||
}
|
||||
|
||||
@ -218,7 +218,7 @@ sub setup_one_masq($$$$$$$)
|
||||
$randomize = '--random ';
|
||||
} else {
|
||||
$addresses =~ s/:random$// and $randomize = '--random ';
|
||||
|
||||
|
||||
if ( $addresses =~ /^SAME:nodst:/ ) {
|
||||
fatal_error "':random' is not supported by the SAME target" if $randomize;
|
||||
$target = '-j SAME --nodst ';
|
||||
@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$$)
|
||||
} elsif ( $addresses eq 'detect' ) {
|
||||
my $variable = get_interface_address $interface;
|
||||
$target = "-j SNAT --to-source $variable";
|
||||
|
||||
|
||||
if ( interface_is_optional $interface ) {
|
||||
add_commands( $chainref,
|
||||
'',
|
||||
@ -283,12 +283,12 @@ sub setup_one_masq($$$$$$$)
|
||||
'' ,
|
||||
'' ,
|
||||
$exceptionrule );
|
||||
|
||||
|
||||
if ( $detectaddress ) {
|
||||
decr_cmd_level( $chainref );
|
||||
add_command( $chainref , 'fi' );
|
||||
}
|
||||
|
||||
|
||||
if ( $add_snat_aliases ) {
|
||||
my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
|
||||
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
|
||||
@ -311,7 +311,7 @@ sub setup_one_masq($$$$$$$)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
progress_message " Masq record \"$currentline\" $done";
|
||||
|
||||
}
|
||||
@ -324,7 +324,7 @@ sub setup_masq()
|
||||
my $fn = open_file 'masq';
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
|
||||
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
|
||||
@ -435,7 +435,7 @@ sub setup_nat() {
|
||||
my $fn = open_file 'nat';
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
|
||||
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
|
||||
@ -474,13 +474,13 @@ sub setup_netmap() {
|
||||
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
|
||||
|
||||
for my $interface ( split_list $interfacelist, 'interface' ) {
|
||||
|
||||
|
||||
my $rulein = '';
|
||||
my $ruleout = '';
|
||||
my $iface = $interface;
|
||||
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
|
||||
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = "-i $interface ";
|
||||
$ruleout = "-o $interface ";
|
||||
|
@ -32,7 +32,7 @@ use Shorewall::Actions;
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.2.4;
|
||||
|
||||
@ -131,7 +131,7 @@ sub add_or_modify_policy_chain( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = "${zone}2${zone1}";
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
|
||||
if ( $chainref ) {
|
||||
unless( $chainref->{is_policy} ) {
|
||||
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
@ -355,9 +355,8 @@ sub policy_rules( $$$$$ ) {
|
||||
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||
fatal_error "Null target in policy_rules()" unless $target;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
add_jump( $chainref , $target, 1 ) unless $target eq 'CONTINUE';
|
||||
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
|
||||
}
|
||||
}
|
||||
|
||||
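Review bot: The null-target check `fatal_error "Null target in policy_rules()" unless $target;` sits after `log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';`, so an empty target appears to reach log_rule before it is rejected; moving the fatal_error line above the log_rule call makes the failure report the intended message rather than whatever log_rule does with an empty target. The new `add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';` line would also benefit from a why-comment such as `# a REJECT policy jumps to the reject chain rather than the REJECT target`. policy_rules begins outside the hunk, so I cannot see whether $target is used after this point. Separately, the context line `our $VERSION = 4.2.4;` in the earlier hunk of this file is a bare v-string (two dots), which prints as control characters; `our $VERSION = '4.2.4';` is the conventional form unless the project deliberately relies on v-string comparison.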
|
@ -219,9 +219,9 @@ sub setup_forwarding( $ ) {
|
||||
emit ' echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
|
||||
emit ' progress_message2 IPv6 Forwarding Disabled!';
|
||||
}
|
||||
|
||||
|
||||
emit '';
|
||||
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'forward';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
|
@ -77,7 +77,7 @@ sub initialize( $ ) {
|
||||
$fallback = 0;
|
||||
$first_default_route = 1;
|
||||
$first_fallback_route = 1;
|
||||
|
||||
|
||||
%providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } ,
|
||||
main => { number => MAIN_TABLE , mark => 0 , optional => 0 } ,
|
||||
default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
|
||||
@ -121,7 +121,7 @@ sub setup_route_marking() {
|
||||
} else {
|
||||
add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
|
||||
}
|
||||
|
||||
|
||||
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||
}
|
||||
|
||||
@ -221,7 +221,7 @@ sub balance_fallback_route( $$$$ ) {
|
||||
|
||||
sub start_provider( $$$ ) {
|
||||
my ($table, $number, $test ) = @_;
|
||||
|
||||
|
||||
emit $test;
|
||||
push_indent;
|
||||
|
||||
@ -364,7 +364,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
if ( $track ) {
|
||||
fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
|
||||
|
||||
|
||||
if ( $routemarked_interfaces{$interface} ) {
|
||||
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
|
||||
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
|
||||
@ -436,7 +436,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||
@ -675,9 +675,9 @@ sub setup_providers() {
|
||||
'# local',
|
||||
'#',
|
||||
"EOF\n" );
|
||||
|
||||
|
||||
emit "echocommand=\$(find_echo)\n";
|
||||
|
||||
|
||||
for my $table ( @providers ) {
|
||||
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
|
||||
}
|
||||
@ -692,7 +692,7 @@ sub setup_providers() {
|
||||
if ( $fn ) {
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
|
||||
emit '';
|
||||
|
||||
while ( read_a_line ) {
|
||||
@ -723,7 +723,7 @@ sub setup_providers() {
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
setup_null_routing;
|
||||
emit "\nrun_ip route flush cache";
|
||||
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
@ -746,7 +746,7 @@ sub lookup_provider( $ ) {
|
||||
last;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Unknown provider ($provider)" unless $providerref;
|
||||
}
|
||||
|
||||
|
@ -108,7 +108,7 @@ sub setup_proxy_arp() {
|
||||
my $first_entry = 1;
|
||||
|
||||
save_progress_message "Setting up Proxy ARP...";
|
||||
|
||||
|
||||
my ( %set, %reset );
|
||||
|
||||
while ( read_a_line ) {
|
||||
@ -122,7 +122,7 @@ sub setup_proxy_arp() {
|
||||
|
||||
$set{$interface} = 1;
|
||||
$reset{$external} = 1 unless $set{$external};
|
||||
|
||||
|
||||
setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
|
||||
}
|
||||
|
||||
@ -135,7 +135,7 @@ sub setup_proxy_arp() {
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
for my $interface ( keys %set ) {
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
|
||||
" echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||
@ -143,7 +143,7 @@ sub setup_proxy_arp() {
|
||||
" error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $value = get_interface_option $interface, 'proxyarp';
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
|
||||
|
@ -99,7 +99,7 @@ sub process_tos() {
|
||||
|
||||
if ( my $fn = open_file 'tos' ) {
|
||||
my $first_entry = 1;
|
||||
|
||||
|
||||
my ( $pretosref, $outtosref );
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
|
||||
@ -111,7 +111,7 @@ sub process_tos() {
|
||||
$first_entry = 0;
|
||||
|
||||
fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
|
||||
|
||||
|
||||
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
|
||||
$tos = $tosval;
|
||||
} else {
|
||||
@ -307,7 +307,7 @@ sub setup_blacklist() {
|
||||
if ( my $fn = open_file 'blacklist' ) {
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
@ -601,7 +601,7 @@ sub add_common_rules() {
|
||||
decr_cmd_level $rejectref;
|
||||
add_command $rejectref, 'done';
|
||||
}
|
||||
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
|
||||
} else {
|
||||
@ -622,7 +622,7 @@ sub add_common_rules() {
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
|
||||
}
|
||||
|
||||
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
set_interface_option $interface, 'use_forward_chain', 1;
|
||||
}
|
||||
@ -633,7 +633,7 @@ sub add_common_rules() {
|
||||
|
||||
if ( $capabilities{ENHANCED_REJECT} ) {
|
||||
add_rule $rejectref , '-p 17 -j REJECT';
|
||||
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable';
|
||||
add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
|
||||
@ -646,12 +646,12 @@ sub add_common_rules() {
|
||||
}
|
||||
|
||||
$list = find_interfaces_by_option 'dhcp';
|
||||
|
||||
|
||||
if ( @$list ) {
|
||||
progress_message2 'Adding rules for DHCP';
|
||||
|
||||
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||
|
||||
|
||||
for $interface ( @$list ) {
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
set_interface_option $interface, 'use_forward_chain', 1;
|
||||
@ -659,7 +659,7 @@ sub add_common_rules() {
|
||||
for $chain ( input_chain $interface, output_chain $interface ) {
|
||||
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
||||
}
|
||||
|
||||
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||
}
|
||||
}
|
||||
@ -726,7 +726,7 @@ sub add_common_rules() {
|
||||
progress_message2 "$doing UPnP";
|
||||
|
||||
new_nat_chain( 'UPnP' );
|
||||
|
||||
|
||||
for $interface ( @$list ) {
|
||||
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||
}
|
||||
@ -857,7 +857,7 @@ sub setup_mac_lists( $ ) {
|
||||
|
||||
if ( $table eq 'filter' ) {
|
||||
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
|
||||
|
||||
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
|
||||
}
|
||||
@ -873,7 +873,7 @@ sub setup_mac_lists( $ ) {
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses source_port_to_bridge( $interface );
|
||||
@ -887,10 +887,10 @@ sub setup_mac_lists( $ ) {
|
||||
} else {
|
||||
my $bridge = source_port_to_bridge( $interface );
|
||||
my $bridgeref = find_interface( $bridge );
|
||||
|
||||
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do" );
|
||||
|
||||
|
||||
if ( $bridgeref->{broadcasts} ) {
|
||||
for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
|
||||
add_commands( $chainref ,
|
||||
@ -898,7 +898,7 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
} else {
|
||||
my $variable1 = get_interface_bcasts $bridge;
|
||||
|
||||
|
||||
add_commands( $chainref,
|
||||
" for address1 in $variable1; do" ,
|
||||
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
|
||||
@ -911,7 +911,7 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
run_user_exit2( 'maclog', $chainref );
|
||||
|
||||
log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
|
||||
@ -1187,7 +1187,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Take care of chain
|
||||
#
|
||||
|
||||
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
@ -1253,13 +1253,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$server = $1; # May be empty
|
||||
$serverport = $3; # Not Empty due to RE
|
||||
$origdstports = $ports;
|
||||
|
||||
|
||||
if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
|
||||
$origdstports = validate_port( $proto, $origdstports );
|
||||
} else {
|
||||
$origdstports = '';
|
||||
}
|
||||
|
||||
|
||||
if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
|
||||
#
|
||||
# Server Port Range
|
||||
@ -1396,7 +1396,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$action ,
|
||||
'' );
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Add filter table rule, unless this is a NATONLY rule type
|
||||
#
|
||||
@ -1680,7 +1680,7 @@ sub generate_matrix() {
|
||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
||||
my $sourcechainref;
|
||||
my $interfacematch = '';
|
||||
|
||||
|
||||
if ( use_forward_chain( $interface ) ) {
|
||||
$sourcechainref = $filter_table->{forward_chain $interface};
|
||||
} else {
|
||||
@ -1690,7 +1690,7 @@ sub generate_matrix() {
|
||||
}
|
||||
|
||||
my $arrayref = $source_ref->{$interface};
|
||||
|
||||
|
||||
for my $hostref ( @{$arrayref} ) {
|
||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
@ -1847,7 +1847,7 @@ sub generate_matrix() {
|
||||
$inputchainref = $filter_table->{INPUT};
|
||||
$interfacematch = match_source_dev $interface;
|
||||
}
|
||||
|
||||
|
||||
if ( $chain2 ) {
|
||||
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
|
||||
|
@ -251,7 +251,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
|
||||
$target = 'CLASSIFY --set-class';
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
my $mask = 0xffff;
|
||||
|
||||
my ($cmd, $rest) = split( '/', $mark, 2 );
|
||||
@ -262,7 +262,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
|
||||
for my $tccmd ( @tccmd ) {
|
||||
if ( $tccmd->{match}($cmd) ) {
|
||||
fatal_error "$mark not valid with :C[FPT]" if $connmark;
|
||||
|
||||
|
||||
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
|
||||
|
||||
$target = "$tccmd->{target} ";
|
||||
@ -365,10 +365,10 @@ sub process_flow($) {
|
||||
for ( @flow ) {
|
||||
fatal_error "Invalid flow key ($_)" unless $flow_keys{$_};
|
||||
}
|
||||
|
||||
|
||||
$flow;
|
||||
}
|
||||
|
||||
|
||||
sub validate_tc_device( $$$$$ ) {
|
||||
my ( $device, $inband, $outband , $options , $redirected ) = @_;
|
||||
|
||||
@ -378,7 +378,7 @@ sub validate_tc_device( $$$$$ ) {
|
||||
( my $number, $device, my $rest ) = split /:/, $device, 3;
|
||||
|
||||
fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
|
||||
|
||||
|
||||
if ( defined $number ) {
|
||||
$devnumber = numeric_value( $number );
|
||||
fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
|
||||
@ -390,7 +390,7 @@ sub validate_tc_device( $$$$$ ) {
|
||||
} else {
|
||||
$devnumber = ++$devnum;
|
||||
}
|
||||
|
||||
|
||||
$devnums[ $devnumber ] = $device;
|
||||
|
||||
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
||||
@ -469,7 +469,7 @@ sub dev_by_number( $ ) {
|
||||
my $dev = $_[0];
|
||||
my $devnum = numeric_value( $dev );
|
||||
my $devref;
|
||||
|
||||
|
||||
if ( defined $devnum ) {
|
||||
$dev = $devnums[ $devnum ];
|
||||
fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev;
|
||||
@ -481,7 +481,7 @@ sub dev_by_number( $ ) {
|
||||
}
|
||||
|
||||
( $dev , $devref );
|
||||
|
||||
|
||||
}
|
||||
|
||||
sub validate_tc_class( $$$$$$ ) {
|
||||
@ -500,9 +500,9 @@ sub validate_tc_class( $$$$$$ ) {
|
||||
if ( $devclass =~ /:/ ) {
|
||||
( $device, my ($number, $rest ) ) = split /:/, $device, 3;
|
||||
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
|
||||
|
||||
|
||||
( $device , $devref) = dev_by_number( $device );
|
||||
|
||||
|
||||
if ( defined $number ) {
|
||||
if ( $devref->{classify} ) {
|
||||
$classnumber = numeric_value( $number );
|
||||
@ -518,12 +518,12 @@ sub validate_tc_class( $$$$$$ ) {
|
||||
($device, $devref ) = dev_by_number( $device );
|
||||
fatal_error "Missing class NUMBER" if $devref->{classify};
|
||||
}
|
||||
|
||||
|
||||
my $full = rate_to_kbit $devref->{out_bandwidth};
|
||||
|
||||
$tcclasses{$device} = {} unless $tcclasses{$device};
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
|
||||
my $markval = 0;
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
@ -600,15 +600,15 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
my ($device, $class, $rest ) = split /:/, $devclass, 3;
|
||||
|
||||
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
|
||||
|
||||
|
||||
( $device , my $devref ) = dev_by_number( $device );
|
||||
|
||||
my $devnum = $devref->{number};
|
||||
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
|
||||
fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
|
||||
|
||||
|
||||
$tcref = $tcref->{$class};
|
||||
|
||||
fatal_error "Unknown CLASS ($devclass)" unless $tcref;
|
||||
@ -616,7 +616,7 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32";
|
||||
|
||||
my ( $net , $mask ) = decompose_net( $source );
|
||||
|
||||
|
||||
$rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000';
|
||||
|
||||
( $net , $mask ) = decompose_net( $dest );
|
||||
@ -634,7 +634,7 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
$rule .= "\\\n match u8 $pnumber 0xff at 9";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ( $portlist eq '-' && $sportlist eq '-' ) {
|
||||
emit( "\nrun_tc $rule\\" ,
|
||||
" flowid $devref->{number}:$class" ,
|
||||
@ -693,12 +693,12 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
for my $portrange ( split_list $portlist, 'port list' ) {
|
||||
if ( $protonumber == ICMP ) {
|
||||
fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-';
|
||||
|
||||
|
||||
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange );
|
||||
|
||||
|
||||
$icmptype = in_hex2 numeric_value1 $icmptype;
|
||||
$icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode;
|
||||
|
||||
|
||||
my $rule1 = " match u8 $icmptype 0xff at nexthdr+0";
|
||||
$rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode;
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
@ -706,12 +706,12 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
" flowid $devref->{number}:$class" );
|
||||
} else {
|
||||
my @portlist = expand_port_range $protonumber , $portrange;
|
||||
|
||||
|
||||
while ( @portlist ) {
|
||||
my ( $port, $mask ) = ( shift @portlist, shift @portlist );
|
||||
|
||||
|
||||
my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0";
|
||||
|
||||
|
||||
if ( $sportlist eq '-' ) {
|
||||
emit( "\nrun_tc ${rule}\\" ,
|
||||
" $rule1\\" ,
|
||||
@ -719,10 +719,10 @@ sub process_tc_filter( $$$$$$ ) {
|
||||
} else {
|
||||
for my $sportrange ( split_list $sportlist , 'port list' ) {
|
||||
my @sportlist = expand_port_range $protonumber , $sportrange;
|
||||
|
||||
|
||||
while ( @sportlist ) {
|
||||
my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
|
||||
|
||||
|
||||
emit( "\nrun_tc ${rule}\\",
|
||||
" $rule1\\" ,
|
||||
" match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
|
||||
@ -885,9 +885,9 @@ sub setup_traffic_shaping() {
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
|
||||
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
|
||||
my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file';
|
||||
|
||||
process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport );
|
||||
@ -956,9 +956,9 @@ sub setup_tc() {
|
||||
} else {
|
||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
}
|
||||
|
@ -475,7 +475,7 @@ sub dump_zone_contents()
|
||||
sub single_interface( $ ) {
|
||||
my $zone = $_[0];
|
||||
my $zoneref = $zones{$zone};
|
||||
|
||||
|
||||
fatal_error "Internal Error in single_zone()" unless $zoneref;
|
||||
|
||||
my @keys = keys( %{$zoneref->{interfaces}} );
|
||||
@ -537,7 +537,7 @@ sub add_group_to_zone($$$$$)
|
||||
$interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) );
|
||||
|
||||
$zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
|
||||
|
||||
|
||||
push @{$interfaceref}, { options => $options,
|
||||
hosts => \@newnetworks,
|
||||
ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' ,
|
||||
@ -800,7 +800,7 @@ sub validate_interfaces_file( $ )
|
||||
root => $root ,
|
||||
broadcasts => $broadcasts ,
|
||||
options => $optionsref };
|
||||
|
||||
|
||||
push @ifaces, $interface;
|
||||
|
||||
my @networks = allip;
|
||||
@ -846,7 +846,7 @@ sub known_interface($)
|
||||
{
|
||||
my $interface = $_[0];
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
|
||||
|
||||
return $interfaceref if $interfaceref;
|
||||
|
||||
for my $i ( @interfaces ) {
|
||||
@ -891,7 +891,7 @@ sub all_bridges() {
|
||||
sub find_interface( $ ) {
|
||||
my $interface = $_[0];
|
||||
my $interfaceref = $interfaces{ $interface };
|
||||
|
||||
|
||||
fatal_error "Unknown Interface ($interface)" unless $interfaceref;
|
||||
|
||||
$interfaceref;
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.6
|
||||
VERSION=4.2.7
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -127,7 +127,7 @@ else
|
||||
error_message "$PRODUCT is not running"
|
||||
progress_message3 "Starting $PRODUCT...."
|
||||
fi
|
||||
|
||||
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
@ -174,7 +174,7 @@ else
|
||||
echo "$PRODUCT is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
|
@ -54,7 +54,7 @@ fatal_error()
|
||||
timestamp="$(date +'%_b %d %T') "
|
||||
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
||||
fi
|
||||
|
||||
|
||||
stop_firewall
|
||||
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
|
||||
exit 2
|
||||
@ -80,7 +80,7 @@ startup_error() # $* = Error Message
|
||||
|
||||
if [ $LOG_VERBOSE -gt 1 ]; then
|
||||
timestamp="$(date +'%_b %d %T') "
|
||||
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG
|
||||
@ -209,14 +209,14 @@ debug_restore_input() {
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
|
||||
|
||||
qt1 $IPTABLES -t filter -F
|
||||
qt1 $IPTABLES -t filter -X
|
||||
|
||||
|
@ -30,7 +30,7 @@ fatal_error()
|
||||
timestamp="$(date +'%_b %d %T') "
|
||||
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
||||
fi
|
||||
|
||||
|
||||
stop_firewall
|
||||
[ -n "$TEMPFILE" ] && rm -f $TEMPFILE
|
||||
exit 2
|
||||
@ -56,7 +56,7 @@ startup_error() # $* = Error Message
|
||||
|
||||
if [ $LOG_VERBOSE -gt 1 ]; then
|
||||
timestamp="$(date +'%_b %d %T') "
|
||||
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG
|
||||
@ -177,7 +177,7 @@ debug_restore_input() {
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
|
||||
qt1 $IP6TABLES -t filter -F
|
||||
qt1 $IP6TABLES -t filter -X
|
||||
|
||||
|
@ -537,7 +537,7 @@ normalize_address() # $1 = valid IPv6 Address
|
||||
list_count $(split $address)
|
||||
|
||||
j=$?
|
||||
|
||||
|
||||
if [ $j -eq 7 ]; then
|
||||
address=${address%::*}:0:${address#*::}
|
||||
elif [ $j -eq 8 ]; then
|
||||
@ -585,7 +585,7 @@ convert_to_anycast() {
|
||||
# Defines a viable subnet -- first get the subnet-router anycast address
|
||||
#
|
||||
host=$((128 - $vlsm))
|
||||
|
||||
|
||||
address=$(normalize_address ${address%/*})
|
||||
|
||||
while [ $host -ge 16 ]; do
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-perl
|
||||
%define version 4.2.6
|
||||
%define version 4.2.7
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall Perl-based compiler.
|
||||
@ -62,6 +62,8 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%doc COPYING releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.7-0base
|
||||
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.6-0base
|
||||
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
|
||||
|