diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index 0ee94b0d9..306d8a456 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm @@ -286,7 +286,7 @@ sub createlogactionchain( $$ ) { my $chain = $action; my $actionref = $actions{$action}; my $chainref; - + my ($lev, $tag) = split ':', $level; validate_level $lev; @@ -304,7 +304,7 @@ sub createlogactionchain( $$ ) { $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++; fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99; - + unless ( $targets{$action} & STANDARD ) { my $file = find_file $chain; @@ -752,7 +752,7 @@ sub process_actions3 () { log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; } - + if ( $family == F_IPV4 ) { add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; } else { diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 6e793b8dc..4adc2db3c 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -68,7 +68,7 @@ our %EXPORT_TAGS = ( OUTPUT_RESTRICT POSTROUTE_RESTRICT ALL_RESTRICT - + add_command add_commands move_rules @@ -140,7 +140,6 @@ our %EXPORT_TAGS = ( match_ipsec_out log_rule expand_rule - addrawjump addnatjump get_interface_address get_interface_addresses @@ -384,7 +383,7 @@ sub clear_comment() { # sub macro_comment( $ ) { my $macro = $_[0]; - + $comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} ); } 
@@ -443,22 +442,22 @@ sub push_rule( $$ ) { sub handle_sport_list( $$$$$ ) { my ($chainref, $rule, $first, $ports, $rest) = @_; - + if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { # # More than 15 ports specified # my @ports = split '([,:])', $ports; - + while ( @ports ) { my $count = 0; my $newports = ''; - + while ( @ports && $count < 15 ) { my ($port, $separator) = ( shift @ports, shift @ports ); - + $separator ||= ''; - + if ( ++$count == 15 ) { if ( $separator eq ':' ) { unshift @ports, $port, ':'; @@ -471,7 +470,7 @@ sub handle_sport_list( $$$$$ ) { $newports .= "${port}${separator}"; } } - + push_rule ( $chainref, join( '', $first, $newports, $rest ) ); } } else { @@ -486,22 +485,22 @@ sub handle_sport_list( $$$$$ ) { sub handle_dport_list( $$$$$ ) { my ($chainref, $rule, $first, $ports, $rest) = @_; - + if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { # # More than 15 ports specified # my @ports = split '([,:])', $ports; - + while ( @ports ) { my $count = 0; my $newports = ''; - + while ( @ports && $count < 15 ) { my ($port, $separator) = ( shift @ports, shift @ports ); - + $separator ||= ''; - + if ( ++$count == 15 ) { if ( $separator eq ':' ) { unshift @ports, $port, ':'; @@ -516,7 +515,7 @@ sub handle_dport_list( $$$$$ ) { } my $newrule = join( '', $first, $newports, $rest ); - + if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) { handle_sport_list( $chainref, $newrule, $1, $2, $3 ); } else { @@ -548,7 +547,7 @@ sub add_rule($$;$) # # By post-processing each rule generated by expand_rule(), we avoid all of that # messiness and replace it with the following localized messiness. - + if ( $expandports ) { if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) { # @@ -592,7 +591,7 @@ sub add_jump( $$$;$ ) { # $toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to }; } - + # # If the destination is a chain, mark it referenced # 
@@ -638,7 +637,7 @@ sub add_tunnel_rule( $$ ) { insert_rule1( $chainref, $chainref->{new}++, $rule ); } - + # # Move the rules from one chain to another # @@ -746,7 +745,7 @@ sub use_input_chain($) { return 0 unless $nets; my $zone = $interfaceref->{zone}; - + return 1 unless $zone; # # Interface associated with a single zone -- Must use the interface chain if @@ -1081,7 +1080,7 @@ sub initialize_chain_table() for my $chain qw(INPUT OUTPUT FORWARD) { new_builtin_chain 'filter', $chain, 'DROP'; } - + for my $chain qw(PREROUTING POSTROUTING OUTPUT) { new_builtin_chain 'nat', $chain, 'ACCEPT'; } @@ -1128,7 +1127,7 @@ sub initialize_chain_table() for my $chain qw(INPUT OUTPUT FORWARD) { new_builtin_chain 'filter', $chain, 'DROP'; } - + for my $chain qw(PREROUTING POSTROUTING OUTPUT) { new_builtin_chain 'nat', $chain, 'ACCEPT'; } @@ -1145,7 +1144,7 @@ sub finish_chain_section ($$) { my ($chainref, $state ) = @_; my $chain = $chainref->{name}; my $savecomment = $comment; - + $comment = ''; add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; @@ -1169,7 +1168,7 @@ sub finish_chain_section ($$) { add_jump $chainref, $synchainref, 0, "-p tcp --syn "; } } - + $chainref->{new} = @{$chainref->{rules}}; } 
@@ -1269,27 +1268,27 @@ sub newexclusionchain() { # sub source_exclusion( $$ ) { my ( $exclusions, $target ) = @_; - + return $target unless @$exclusions; my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain ); add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions; add_jump( $chainref, $target, 1 ); - + reftype $target ? $chainref : $chainref->{name}; } sub dest_exclusion( $$ ) { my ( $exclusions, $target ) = @_; - + return $target unless @$exclusions; - + my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain ); add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions; add_jump( $chainref, $target, 1 ); - + reftype $target ? $chainref : $chainref->{name}; } @@ -1318,7 +1317,7 @@ sub do_proto( $$$ ) $sports = '' if $sports eq '-'; if ( $proto ne '' ) { - + my $synonly = ( $proto =~ s/:syn$//i ); my $invert = ( $proto =~ s/^!// ? '! ' : '' ); my $protonum = resolve_proto $proto; @@ -1360,7 +1359,7 @@ sub do_proto( $$$ ) } else { $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); } - + if ( $sports ne '' ) { $invert = $sports =~ s/^!// ? '! ' : ''; if ( $multiport ) { @@ -1372,9 +1371,9 @@ sub do_proto( $$$ ) $output .= "--sport ${invert}${sports} "; } } - + last PROTO; } - + if ( $proto == ICMP ) { fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; if ( $ports ne '' ) { @@ -1383,7 +1382,7 @@ sub do_proto( $$$ ) $ports = validate_icmp $ports; $output .= "--icmp-type ${invert}${ports} "; } - + fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; last PROTO; } @@ -1396,7 +1395,7 @@ sub do_proto( $$$ ) $ports = validate_icmp6 $ports; $output .= "--icmpv6-type ${invert}${ports} "; } - + fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne ''; last PROTO; } 
@@ -1408,18 +1407,18 @@ sub do_proto( $$$ ) } else { fatal_error '":syn" is only allowed with tcp' if $synonly; - + if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { my $p = $2 ? lc $3 : 'tcp'; require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); $proto = '-p ' . proto_name($p) . ' '; my $options = ''; - + if ( $ports ne 'ipp2p' ) { $options .= " --$_" for split /,/, $ports; } - + $options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options; $output .= "${proto}-m ipp2p${options} "; @@ -1552,7 +1551,7 @@ sub do_time( $ ) { require_capability 'TIME_MATCH', 'A non-empty TIME', 's'; my $result = '-m time '; - + for my $element (split /&/, $time ) { fatal_error "Invalid time element list ($time)" unless defined $element && $element; @@ -1577,7 +1576,7 @@ sub do_time( $ ) { fatal_error "Invalid time element ($element)"; } } - + $result; } @@ -1657,7 +1656,7 @@ sub do_connbytes( $ ) { my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; my $dir = $5 || 'B'; my $mode = $6 || 'B'; - + $dir =~ s/://; $mode =~ s/://; @@ -1876,7 +1875,7 @@ sub log_rule_limit( $$$$$$$$ ) { $level = validate_level $level; # Do this here again because this function can be called directly from user exits. return 1 if $level eq ''; - + $predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' '; unless ( $predicates =~ /-m limit / ) { @@ -1905,7 +1904,7 @@ sub log_rule_limit( $$$$$$$$ ) { } $disposition =~ s/\s+.*//; - + if ( $globals{LOGRULENUMBERS} ) { $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag; } else { 
@@ -2261,7 +2260,7 @@ sub expand_rule( $$$$$$$$$$$ ) push_command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done'; $rule .= '-s $source '; - + } else { fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT; $rule .= match_source_dev( $iiface ); @@ -2569,18 +2568,6 @@ sub expand_rule( $$$$$$$$$$$ ) # # If the destination chain exists, then at the end of the source chain add a jump to the destination. # -sub addrawjump( $$$ ) { - my ( $source , $dest, $predicates ) = @_; - - my $destref = $raw_table->{$dest} || {}; - - if ( $destref->{referenced} ) { - add_rule $raw_table->{$source} , $predicates . "-j $dest"; - } else { - clearrule; - } -} - sub addnatjump( $$$ ) { my ( $source , $dest, $predicates ) = @_; @@ -2606,7 +2593,7 @@ sub emit_test() { push_indent; our $emitted_test = 1; } - + # # Generate setting of global variables # @@ -2849,12 +2836,12 @@ sub create_chainlist_reload($) { emit ''; my $table = 'filter'; - + my %chains; - + for my $chain ( @chains ) { ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - + fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; $chains{$table} = [] unless $chains{$table}; @@ -2873,7 +2860,7 @@ sub create_chainlist_reload($) { emit 'exec 3>${VARDIR}/.iptables-restore-input'; enter_cat_mode; - + for $table qw(nat mangle filter) { next unless $chains{$table}; @@ -2887,11 +2874,11 @@ sub create_chainlist_reload($) { my $chainref = $tableref->{$chain}; emit_unindented ":$chainref->{name} - [0:0]"; } - + for my $chain ( @chains ) { my $chainref = $tableref->{$chain}; my @rules = @{$chainref->{rules}}; - + @rules = () unless @rules; # # Emit the chain rules @@ -2902,7 +2889,7 @@ sub create_chainlist_reload($) { # Commit the changes to the table # enter_cat_mode unless $mode == CAT_MODE; - + emit_unindented 'COMMIT'; } 
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index f25af4b24..1e32d2572 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -508,7 +508,7 @@ EOF if ( @$interfaces ) { my $ports = $family == F_IPV4 ? '67:68' : '546:547'; - + for my $interface ( @$interfaces ) { emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT"; emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED}; @@ -631,7 +631,7 @@ sub generate_script_2($) { 'qt1 $IPTABLES -X foox1234', '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', '' ); - + for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", 'if [ -n "$addr" ]; then', @@ -643,7 +643,7 @@ sub generate_script_2($) { ' done', "fi\n" ); } - + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '', 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', @@ -663,7 +663,7 @@ sub generate_script_2($) { } emit "disable_ipv6\n" if $config{DISABLE_IPV6}; - + } else { emit ( '#', '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', @@ -675,13 +675,13 @@ sub generate_script_2($) { 'qt1 $IP6TABLES -X foox1234', '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"', '' ); - + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '', 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', '' ); - + } emit qq(delete_tc1\n) if $config{CLEAR_TC}; 
@@ -697,35 +697,35 @@ sub generate_script_2($) { emit 'cat > ${VARDIR}/proxyarp << __EOF__'; dump_proxy_arp; emit_unindented '__EOF__'; - + emit( '', 'if [ "$COMMAND" != refresh ]; then' ); - + push_indent; - + emit 'cat > ${VARDIR}/zones << __EOF__'; dump_zone_contents; emit_unindented '__EOF__'; - + pop_indent; - + emit "fi\n"; - + emit '> ${VARDIR}/nat'; - + add_addresses; emit( '', 'if [ $COMMAND = restore ]; then', ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', ' if [ -f $iptables_save_file ]; then' ); - + if ( $family == F_IPV4 ) { emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' } else { emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' } - + emit<<'EOF'; else fatal_error "$iptables_save_file does not exist" @@ -761,7 +761,7 @@ EOF [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore fi - + date > ${VARDIR}/restarted case $COMMAND in @@ -842,10 +842,10 @@ sub compiler { if ( $ref->{edit} ) { fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val); } - + ${$ref->{store}} = $val; } - + reinitialize if $reused++ || $family == F_IPV6; if ( $directory ne '' ) { @@ -869,7 +869,7 @@ sub compiler { require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS}; require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT}; - + set_command( 'check', 'Checking', 'Checked' ) unless $objectfile; initialize_chain_table; @@ -945,7 +945,7 @@ sub compiler { copy $globals{SHAREDIRPL} . 'prog.functions6'; } } - + emit( "\n#", '# Setup Common Rules (/proc)', '#', 
@@ -981,21 +981,21 @@ sub compiler { pop_indent; emit '}'; } - + disable_object; # # R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G # (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # enable_object; - + unless ( $command eq 'check' ) { emit( "\n#", '# Setup routing and traffic shaping', '#', 'setup_routing_and_traffic_shaping() {' ); - + push_indent; } # @@ -1006,12 +1006,12 @@ sub compiler { # TCRules and Traffic Shaping # setup_tc; - + unless ( $command eq 'check' ) { pop_indent; emit "}\n"; } - + disable_object; # # N E T F I L T E R diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index b5c78e2d1..c5bef952d 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -317,7 +317,7 @@ sub initialize( $ ) { TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.2.6", + VERSION => "4.2.7", CAPVERSION => 40205 , ); @@ -676,7 +676,7 @@ sub fatal_error { close $log; $log = undef; } - + confess " ERROR: @_$currentlineinfo" if $debug; die " ERROR: @_$currentlineinfo\n"; } @@ -697,7 +697,7 @@ sub fatal_error1 { close $log; $log = undef; } - + confess " ERROR: @_" if $debug; die " ERROR: @_\n"; } @@ -747,7 +747,7 @@ sub in_hex8( $ ) { # sub emit { fatal_error 'Internal Error in emit' unless $object_enabled; - + if ( $object ) { # # 'compile' as opposed to 'check' @@ -1030,7 +1030,7 @@ sub copy1( $ ) { s/^(\s*)/$indent1$1$indent2/; s/ /\t/ if $indent2; } - + print $object $_; print $object "\n"; $do_indent = ! ( $here_documents || /\\$/ ); @@ -1159,7 +1159,7 @@ sub split_list( $$ ) { my ($list, $type ) = @_; fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/; - + split /,/, $list; } 
@@ -1167,11 +1167,11 @@ sub split_list1( $$ ) { my ($list, $type ) = @_; fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/; - + my @list1 = split /,/, $list; my @list2; my $element = ''; - + for ( @list1 ) { if ( /\(/ ) { fatal_error "Invalid $type list ($list)" if $element; @@ -1295,7 +1295,7 @@ sub close_file() { my $result = close $currentfile; pop_include; - + fatal_error "SHELL Script failed" unless $result; $first_entry = 0; @@ -1367,7 +1367,7 @@ sub embedded_shell( $ ) { fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber ); - + if ( $multiline ) { # # Multi-line script @@ -1376,19 +1376,19 @@ sub embedded_shell( $ ) { $command .= "\n"; my $last = 0; - + while ( <$currentfile> ) { $currentlinenumber++; last if $last = s/^\s*END(\s+SHELL)?\s*;?//; $command .= $_; } - + fatal_error ( "Missing END SHELL" ) unless $last; fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/; } $command .= q('); - + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; $currentfile = undef; open $currentfile , '-|', $command or fatal_error qq(Shell Command failed); @@ -1399,7 +1399,7 @@ sub embedded_shell( $ ) { sub embedded_perl( $ ) { my $multiline = shift; - + my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); if ( $multiline ) { @@ -1408,19 +1408,19 @@ sub embedded_perl( $ ) { # fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/; $command .= "\n"; - + my $last = 0; - + while ( <$currentfile> ) { $currentlinenumber++; last if $last = s/^\s*END(\s+PERL)?\s*;?//; $command .= $_; } - + fatal_error ( "Missing END PERL" ) unless $last; fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/; } - + unless (my $return = eval $command ) { if ( $@ ) { # 
@@ -1429,7 +1429,7 @@ sub embedded_perl( $ ) { $@ =~ s/, <\$currentfile> line \d+//g; fatal_error1 "$@"; } - + unless ( defined $return ) { fatal_error "Perl Script failed: $!" if $!; fatal_error "Perl Script failed"; @@ -1437,23 +1437,23 @@ sub embedded_perl( $ ) { fatal_error "Perl Script Returned False"; } - + if ( $scriptfile ) { fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; close $scriptfile or fatal_error "Internal Error in embedded_perl()"; - + $scriptfile = undef; - + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; $currentfile = undef; - + open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename"; push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin - + $scriptfilename = ''; - + $currentfilename = "PERL\@$currentfilename:$linenumber"; $currentline = ''; $currentlinenumber = 0; @@ -1525,19 +1525,19 @@ sub read_a_line() { $currentline = join( '', $1 , $val , $4 ); fatal_error "Variable Expansion Loop" if ++$count > 100; } - + if ( $currentline =~ /^\s*INCLUDE\s/ ) { - + my @line = split ' ', $currentline; - + fatal_error "Invalid INCLUDE command" if @line != 2; fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4; - + my $filename = find_file $line[1]; - + fatal_error "INCLUDE file $filename not found" unless -f $filename; fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; - + if ( -s _ ) { push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; $currentfile = undef; @@ -1545,7 +1545,7 @@ sub read_a_line() { } else { $currentlinenumber = 0; } - + $currentline = ''; } else { return 1; @@ -1646,7 +1646,7 @@ sub validate_level( $ ) { $index++; } - + return $olevel; } 
@@ -1817,11 +1817,11 @@ sub determine_capabilities( $ ) { my $pid = $$; my $sillyname = "fooX$pid"; my $sillyname1 = "foo1X$pid"; - + $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4; - + $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" ); - + qt1( "$iptables -N $sillyname" ); qt1( "$iptables -N $sillyname1" ); @@ -1835,7 +1835,7 @@ sub determine_capabilities( $ ) { $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); $capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); } - + if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { $capabilities{MULTIPORT} = 1; $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); @@ -2092,7 +2092,7 @@ sub get_capabilities( $ ) { # sub unsupported_yes_no( $ ) { my $option = shift; - + default_yes_no $option, ''; fatal_error "$option=Yes is not supported by Shorewall-perl $globals{VERSION}" if $config{$option}; @@ -2110,7 +2110,7 @@ sub get_configuration( $ ) { $globals{EXPORT} = $export; our ( $once, @originalinc ); - + @originalinc = @INC unless $once++; ensure_config_path; @@ -2135,7 +2135,7 @@ sub get_configuration( $ ) { if ( defined $config{LOGRATE} ) { fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; } - + if ( defined $config{LOGBURST} ) { fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/; } @@ -2231,7 +2231,7 @@ sub get_configuration( $ ) { default_yes_no 'NULL_ROUTE_RFC1918' , ''; default_yes_no 'USE_DEFAULT_RT' , ''; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; - + $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; default 'BLACKLIST_DISPOSITION' , 'DROP'; 
@@ -2402,12 +2402,12 @@ sub run_user_exit( $ ) { unless (my $return = eval $command ) { fatal_error "Couldn't parse $file: $@" if $@; - + unless ( defined $return ) { fatal_error "Couldn't do $file: $!" if $!; fatal_error "Couldn't do $file"; } - + fatal_error "$file returned a false value"; } } diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index cf8b5173c..52e2465ee 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -139,7 +139,7 @@ sub validate_4address( $$ ) { my ( $addr, $allow_name ) = @_; my @addrs = ( $addr ); - + unless ( valid_4address $addr ) { fatal_error "Invalid IP Address ($addr)" unless $allow_name; fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr); @@ -267,7 +267,7 @@ sub decompose_net( $ ) { ( $net, my $vlsm ) = validate_net( $net , 0 ); ( in_hex8( $net ) , vlsm_to_mask( $vlsm ) ); - + } sub allipv4() { @@ -281,7 +281,7 @@ sub allipv6() { sub rfc1918_networks() { @rfc1918_networks } - + # # Protocol/port validation # @@ -455,7 +455,7 @@ sub expand_port_range( $$ ) { my $mask = 0xffff; #Mask for current ports in group. my $y = 2; #Next power of two to test my $z = 1; #Number of ports in current group (Previous value of $y). - + while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) { $mask <<= 1; $z = $y; @@ -466,7 +466,7 @@ sub expand_port_range( $$ ) { push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff ); $first += $z; } - + fatal_error "Invalid port range ($range)" unless @result; # first port > last port @result; @@ -489,7 +489,7 @@ sub valid_6address( $ ) { } else { $max = 8; } - + return 0 if @address > $max; return 0 unless ( @address == $max ) || $address =~ /::/; return 0 if $address =~ /:::/ || $address =~ /::.*::/; 
@@ -513,7 +513,7 @@ sub validate_6address( $$ ) { my ( $addr, $allow_name ) = @_; my @addrs = ( $addr ); - + unless ( valid_6address $addr ) { fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; require Socket6; diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm index d3531b0d7..379cc3671 100644 --- a/Shorewall-perl/Shorewall/Nat.pm +++ b/Shorewall-perl/Shorewall/Nat.pm @@ -151,13 +151,13 @@ sub setup_one_masq($$$$$$$) # $networks = ALLIPv4 if $networks eq '-'; $destnets = ALLIPv4 if $destnets eq '-'; - + # # Handle IPSEC options, if any # if ( $ipsec ne '-' ) { fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH}; - + if ( $ipsec =~ /^yes$/i ) { $baserule .= '-m policy --pol ipsec --dir out '; } elsif ( $ipsec =~ /^no$/i ) { @@ -178,7 +178,7 @@ sub setup_one_masq($$$$$$$) # Handle Mark # $baserule .= do_test( $mark, 0xFF) if $mark ne '-'; - + for my $fullinterface (split_list $interfacelist, 'interface' ) { my $rule = ''; my $target = '-j MASQUERADE '; @@ -194,7 +194,7 @@ sub setup_one_masq($$$$$$$) my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/; fatal_error "$provider is not a shared-interface provider" unless $realm; - + $rule .= "-m realm --realm $realm "; } @@ -218,7 +218,7 @@ sub setup_one_masq($$$$$$$) $randomize = '--random '; } else { $addresses =~ s/:random$// and $randomize = '--random '; - + if ( $addresses =~ /^SAME:nodst:/ ) { fatal_error "':random' is not supported by the SAME target" if $randomize; $target = '-j SAME --nodst '; @@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$$) } elsif ( $addresses eq 'detect' ) { my $variable = get_interface_address $interface; $target = "-j SNAT --to-source $variable"; - + if ( interface_is_optional $interface ) { add_commands( $chainref, '', 
@@ -283,12 +283,12 @@ sub setup_one_masq($$$$$$$) '' , '' , $exceptionrule ); - + if ( $detectaddress ) { decr_cmd_level( $chainref ); add_command( $chainref , 'fi' ); } - + if ( $add_snat_aliases ) { my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 ); fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; @@ -311,7 +311,7 @@ sub setup_one_masq($$$$$$$) } } } - + progress_message " Masq record \"$currentline\" $done"; } @@ -324,7 +324,7 @@ sub setup_masq() my $fn = open_file 'masq'; first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); - + while ( read_a_line ) { my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file'; @@ -435,7 +435,7 @@ sub setup_nat() { my $fn = open_file 'nat'; first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); - + while ( read_a_line ) { my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; @@ -474,13 +474,13 @@ sub setup_netmap() { my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file'; for my $interface ( split_list $interfacelist, 'interface' ) { - + my $rulein = ''; my $ruleout = ''; my $iface = $interface; - + fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface ); - + unless ( $interfaceref->{root} ) { $rulein = "-i $interface "; $ruleout = "-o $interface "; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index ba6d21134..cb265362a 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm 
@@ -32,7 +32,7 @@ use Shorewall::Actions; use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); +our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains ); our @EXPORT_OK = qw( ); our $VERSION = 4.2.4; @@ -131,7 +131,7 @@ sub add_or_modify_policy_chain( $$ ) { my ( $zone, $zone1 ) = @_; my $chain = "${zone}2${zone1}"; my $chainref = $filter_table->{$chain}; - + if ( $chainref ) { unless( $chainref->{is_policy} ) { convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); @@ -355,9 +355,8 @@ sub policy_rules( $$$$$ ) { add_rule $chainref, "-j $default" if $default && $default ne 'none'; log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; fatal_error "Null target in policy_rules()" unless $target; - $target = 'reject' if $target eq 'REJECT'; - add_jump( $chainref , $target, 1 ) unless $target eq 'CONTINUE'; + add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE'; } } diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 5e7f23ca2..5feb095ff 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -219,9 +219,9 @@ sub setup_forwarding( $ ) { emit ' echo 0 > /proc/sys/net/ipv6/conf/all/forwarding'; emit ' progress_message2 IPv6 Forwarding Disabled!'; } - + emit ''; - + my $interfaces = find_interfaces_by_option 'forward'; if ( @$interfaces ) { diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index a8242932b..d9dbfd349 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm 
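Review bot: The `fatal_error "Null target in policy_rules()" unless $target;` guard sits below `log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';`, so when a log level is configured log_rule is already handed an empty disposition before the guard can fire; reorder the two lines so the check comes first: `fatal_error "Null target in policy_rules()" unless $target;` followed by `log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';`. The new ternary in the add_jump call is behaviorally equivalent to the removed assignment, but the lowercase `'reject'` it substitutes reads as a typo next to `'REJECT'`; a comment such as `# REJECT policies jump to Shorewall's own 'reject' chain rather than the netfilter REJECT target` would make the intent explicit (that chain appears to be the one populated in Rules.pm's add_common_rules, though that is not visible here). policy_rules begins before this hunk, so where `$target` and `$default` are derived is outside the view.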
@@ -77,7 +77,7 @@ sub initialize( $ ) { $fallback = 0; $first_default_route = 1; $first_fallback_route = 1; - + %providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } , main => { number => MAIN_TABLE , mark => 0 , optional => 0 } , default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } , @@ -121,7 +121,7 @@ sub setup_route_marking() { } else { add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}"; } - + decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional}; } @@ -221,7 +221,7 @@ sub balance_fallback_route( $$$$ ) { sub start_provider( $$$ ) { my ($table, $number, $test ) = @_; - + emit $test; push_indent; @@ -364,7 +364,7 @@ sub add_a_provider( $$$$$$$$ ) { if ( $track ) { fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-'; - + if ( $routemarked_interfaces{$interface} ) { fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1; fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared; @@ -436,7 +436,7 @@ sub add_a_provider( $$$$$$$$ ) { "echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); } else { my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); - + emit "\nrulenum=0\n"; emit ( "find_interface_addresses $interface | while read address; do" ); @@ -675,9 +675,9 @@ sub setup_providers() { '# local', '#', "EOF\n" ); - + emit "echocommand=\$(find_echo)\n"; - + for my $table ( @providers ) { emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables"; } @@ -692,7 +692,7 @@ sub setup_providers() { if ( $fn ) { first_entry "$doing $fn..."; - + emit ''; while ( read_a_line ) { @@ -723,7 +723,7 @@ sub setup_providers() { '> ${VARDIR}/undo_routing' ); setup_null_routing; emit "\nrun_ip route flush cache"; - + pop_indent; emit "fi\n"; 
@@ -746,7 +746,7 @@ sub lookup_provider( $ ) { last; } } - + fatal_error "Unknown provider ($provider)" unless $providerref; } diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index 85059a27f..8732600ab 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -108,7 +108,7 @@ sub setup_proxy_arp() { my $first_entry = 1; save_progress_message "Setting up Proxy ARP..."; - + my ( %set, %reset ); while ( read_a_line ) { @@ -122,7 +122,7 @@ sub setup_proxy_arp() { $set{$interface} = 1; $reset{$external} = 1 unless $set{$external}; - + setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent ); } @@ -135,7 +135,7 @@ sub setup_proxy_arp() { emit "fi\n"; } } - + for my $interface ( keys %set ) { emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); @@ -143,7 +143,7 @@ sub setup_proxy_arp() { " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface ); emit "fi\n"; } - + for my $interface ( @$interfaces ) { my $value = get_interface_option $interface, 'proxyarp'; emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" , diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 402df9267..bef7870c3 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -99,7 +99,7 @@ sub process_tos() { if ( my $fn = open_file 'tos' ) { my $first_entry = 1; - + my ( $pretosref, $outtosref ); first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } ); @@ -111,7 +111,7 @@ sub process_tos() { $first_entry = 0; fatal_error 'A value must be supplied in the TOS column' if $tos eq '-'; - + if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) { $tos = $tosval; } else { 
@@ -307,7 +307,7 @@ sub setup_blacklist() { if ( my $fn = open_file 'blacklist' ) { my $first_entry = 1; - + first_entry "$doing $fn..."; while ( read_a_line ) { @@ -601,7 +601,7 @@ sub add_common_rules() { decr_cmd_level $rejectref; add_command $rejectref, 'done'; } - + if ( $family == F_IPV4 ) { add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; } else { @@ -622,7 +622,7 @@ sub add_common_rules() { for $chain ( first_chains $interface ) { add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy ); } - + set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; } @@ -633,7 +633,7 @@ sub add_common_rules() { if ( $capabilities{ENHANCED_REJECT} ) { add_rule $rejectref , '-p 17 -j REJECT'; - + if ( $family == F_IPV4 ) { add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable'; add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; @@ -646,12 +646,12 @@ sub add_common_rules() { } $list = find_interfaces_by_option 'dhcp'; - + if ( @$list ) { progress_message2 'Adding rules for DHCP'; my $ports = $family == F_IPV4 ? '67:68' : '546:547'; - + for $interface ( @$list ) { set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; @@ -659,7 +659,7 @@ sub add_common_rules() { for $chain ( input_chain $interface, output_chain $interface ) { add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; } - + add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' ); } } @@ -726,7 +726,7 @@ sub add_common_rules() { progress_message2 "$doing UPnP"; new_nat_chain( 'UPnP' ); - + for $interface ( @$list ) { add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; } 
@@ -857,7 +857,7 @@ sub setup_mac_lists( $ ) { if ( $table eq 'filter' ) { my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} ); - + for my $chain ( first_chains $interface ) { add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}"; } @@ -873,7 +873,7 @@ sub setup_mac_lists( $ ) { for my $interface ( @maclist_interfaces ) { my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chain = $chainref->{name}; - + if ( $family == F_IPV4 ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) { my $variable = get_interface_addresses source_port_to_bridge( $interface ); @@ -887,10 +887,10 @@ sub setup_mac_lists( $ ) { } else { my $bridge = source_port_to_bridge( $interface ); my $bridgeref = find_interface( $bridge ); - + add_commands( $chainref, "for address in $variable; do" ); - + if ( $bridgeref->{broadcasts} ) { for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { add_commands( $chainref , @@ -898,7 +898,7 @@ sub setup_mac_lists( $ ) { } } else { my $variable1 = get_interface_bcasts $bridge; - + add_commands( $chainref, " for address1 in $variable1; do" , " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", @@ -911,7 +911,7 @@ sub setup_mac_lists( $ ) { } } } - + run_user_exit2( 'maclog', $chainref ); log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne ''; @@ -1187,7 +1187,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # # Take care of chain # - + unless ( $actiontype & NATONLY ) { # # Check for illegal bridge port rule 
@@ -1253,13 +1253,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $server = $1; # May be empty $serverport = $3; # Not Empty due to RE $origdstports = $ports; - + if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) { $origdstports = validate_port( $proto, $origdstports ); } else { $origdstports = ''; } - + if ( $serverport =~ /^(\d+)-(\d+)$/ ) { # # Server Port Range @@ -1396,7 +1396,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $action , '' ); } - + # # Add filter table rule, unless this is a NATONLY rule type # @@ -1680,7 +1680,7 @@ sub generate_matrix() { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { my $sourcechainref; my $interfacematch = ''; - + if ( use_forward_chain( $interface ) ) { $sourcechainref = $filter_table->{forward_chain $interface}; } else { @@ -1690,7 +1690,7 @@ sub generate_matrix() { } my $arrayref = $source_ref->{$interface}; - + for my $hostref ( @{$arrayref} ) { my $ipsec_match = match_ipsec_in $zone , $hostref; for my $net ( @{$hostref->{hosts}} ) { @@ -1847,7 +1847,7 @@ sub generate_matrix() { $inputchainref = $filter_table->{INPUT}; $interfacematch = match_source_dev $interface; } - + if ( $chain2 ) { add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index 37dd3047a..09a1492f8 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -251,7 +251,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) { $target = 'CLASSIFY --set-class'; } } - + my $mask = 0xffff; my ($cmd, $rest) = split( '/', $mark, 2 ); 
@@ -262,7 +262,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) { for my $tccmd ( @tccmd ) { if ( $tccmd->{match}($cmd) ) { fatal_error "$mark not valid with :C[FPT]" if $connmark; - + require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark}; $target = "$tccmd->{target} "; @@ -365,10 +365,10 @@ sub process_flow($) { for ( @flow ) { fatal_error "Invalid flow key ($_)" unless $flow_keys{$_}; } - + $flow; } - + sub validate_tc_device( $$$$$ ) { my ( $device, $inband, $outband , $options , $redirected ) = @_; @@ -378,7 +378,7 @@ sub validate_tc_device( $$$$$ ) { ( my $number, $device, my $rest ) = split /:/, $device, 3; fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest; - + if ( defined $number ) { $devnumber = numeric_value( $number ); fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber; @@ -390,7 +390,7 @@ sub validate_tc_device( $$$$$ ) { } else { $devnumber = ++$devnum; } - + $devnums[ $devnumber ] = $device; fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; @@ -469,7 +469,7 @@ sub dev_by_number( $ ) { my $dev = $_[0]; my $devnum = numeric_value( $dev ); my $devref; - + if ( defined $devnum ) { $dev = $devnums[ $devnum ]; fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev; @@ -481,7 +481,7 @@ sub dev_by_number( $ ) { } ( $dev , $devref ); - + } sub validate_tc_class( $$$$$$ ) { @@ -500,9 +500,9 @@ sub validate_tc_class( $$$$$$ ) { if ( $devclass =~ /:/ ) { ( $device, my ($number, $rest ) ) = split /:/, $device, 3; fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest; - + ( $device , $devref) = dev_by_number( $device ); - + if ( defined $number ) { if ( $devref->{classify} ) { $classnumber = numeric_value( $number ); 
@@ -518,12 +518,12 @@ sub validate_tc_class( $$$$$$ ) { ($device, $devref ) = dev_by_number( $device ); fatal_error "Missing class NUMBER" if $devref->{classify}; } - + my $full = rate_to_kbit $devref->{out_bandwidth}; $tcclasses{$device} = {} unless $tcclasses{$device}; my $tcref = $tcclasses{$device}; - + my $markval = 0; if ( $mark ne '-' ) { @@ -600,15 +600,15 @@ sub process_tc_filter( $$$$$$ ) { my ($device, $class, $rest ) = split /:/, $devclass, 3; fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class ); - + ( $device , my $devref ) = dev_by_number( $device ); my $devnum = $devref->{number}; my $tcref = $tcclasses{$device}; - + fatal_error "No Classes were defined for INTERFACE $device" unless $tcref; - + $tcref = $tcref->{$class}; fatal_error "Unknown CLASS ($devclass)" unless $tcref; @@ -616,7 +616,7 @@ sub process_tc_filter( $$$$$$ ) { my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32"; my ( $net , $mask ) = decompose_net( $source ); - + $rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000'; ( $net , $mask ) = decompose_net( $dest ); @@ -634,7 +634,7 @@ sub process_tc_filter( $$$$$$ ) { $rule .= "\\\n match u8 $pnumber 0xff at 9"; } } - + if ( $portlist eq '-' && $sportlist eq '-' ) { emit( "\nrun_tc $rule\\" , " flowid $devref->{number}:$class" , @@ -693,12 +693,12 @@ sub process_tc_filter( $$$$$$ ) { for my $portrange ( split_list $portlist, 'port list' ) { if ( $protonumber == ICMP ) { fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-'; - + my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange ); - + $icmptype = in_hex2 numeric_value1 $icmptype; $icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode; - + my $rule1 = " match u8 $icmptype 0xff at nexthdr+0"; $rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode; emit( "\nrun_tc ${rule}\\" , 
@@ -706,12 +706,12 @@ sub process_tc_filter( $$$$$$ ) { " flowid $devref->{number}:$class" ); } else { my @portlist = expand_port_range $protonumber , $portrange; - + while ( @portlist ) { my ( $port, $mask ) = ( shift @portlist, shift @portlist ); - + my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0"; - + if ( $sportlist eq '-' ) { emit( "\nrun_tc ${rule}\\" , " $rule1\\" , @@ -719,10 +719,10 @@ sub process_tc_filter( $$$$$$ ) { } else { for my $sportrange ( split_list $sportlist , 'port list' ) { my @sportlist = expand_port_range $protonumber , $sportrange; - + while ( @sportlist ) { my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist ); - + emit( "\nrun_tc ${rule}\\", " $rule1\\" , " match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" , @@ -885,9 +885,9 @@ sub setup_traffic_shaping() { if ( $fn ) { first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } ); - + while ( read_a_line ) { - + my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file'; process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport ); @@ -956,9 +956,9 @@ sub setup_tc() { } else { process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper; } - + } - + clear_comment; } } diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 9babae63a..b2c77cbf1 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -475,7 +475,7 @@ sub dump_zone_contents() sub single_interface( $ ) { my $zone = $_[0]; my $zoneref = $zones{$zone}; - + fatal_error "Internal Error in single_zone()" unless $zoneref; my @keys = keys( %{$zoneref->{interfaces}} ); 
@@ -537,7 +537,7 @@ sub add_group_to_zone($$$$$) $interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) ); $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ); - + push @{$interfaceref}, { options => $options, hosts => \@newnetworks, ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' , @@ -800,7 +800,7 @@ sub validate_interfaces_file( $ ) root => $root , broadcasts => $broadcasts , options => $optionsref }; - + push @ifaces, $interface; my @networks = allip; @@ -846,7 +846,7 @@ sub known_interface($) { my $interface = $_[0]; my $interfaceref = $interfaces{$interface}; - + return $interfaceref if $interfaceref; for my $i ( @interfaces ) { @@ -891,7 +891,7 @@ sub all_bridges() { sub find_interface( $ ) { my $interface = $_[0]; my $interfaceref = $interfaces{ $interface }; - + fatal_error "Unknown Interface ($interface)" unless $interfaceref; $interfaceref; diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index 754e9faee..ff3c8b9c6 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.2.6 +VERSION=4.2.7 usage() # $1 = exit status { diff --git a/Shorewall-perl/prog.footer6 b/Shorewall-perl/prog.footer6 index 4060c0431..4fa6d61a9 100644 --- a/Shorewall-perl/prog.footer6 +++ b/Shorewall-perl/prog.footer6 @@ -127,7 +127,7 @@ else error_message "$PRODUCT is not running" progress_message3 "Starting $PRODUCT...." fi - + define_firewall status=$? if [ -n "$SUBSYSLOCK" ]; then @@ -174,7 +174,7 @@ else echo "$PRODUCT is stopped" status=4 fi - + if [ -f ${VARDIR}/state ]; then state="$(cat ${VARDIR}/state)" case $state in diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions index a94977027..5ef27ecf7 100644 --- a/Shorewall-perl/prog.functions +++ b/Shorewall-perl/prog.functions 
@@ -54,7 +54,7 @@ fatal_error() timestamp="$(date +'%_b %d %T') " echo "${timestamp} ERROR: $@" >> $STARTUP_LOG fi - + stop_firewall [ -n "$TEMPFILE" ] && rm -f $TEMPFILE exit 2 @@ -80,7 +80,7 @@ startup_error() # $* = Error Message if [ $LOG_VERBOSE -gt 1 ]; then timestamp="$(date +'%_b %d %T') " - + case $COMMAND in start) echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG @@ -209,14 +209,14 @@ debug_restore_input() { for chain in PREROUTING OUTPUT; do qt1 $IPTABLES -t raw -P $chain ACCEPT done - + run_iptables -t nat -F run_iptables -t nat -X for chain in PREROUTING POSTROUTING OUTPUT; do qt1 $IPTABLES -t nat -P $chain ACCEPT done - + qt1 $IPTABLES -t filter -F qt1 $IPTABLES -t filter -X diff --git a/Shorewall-perl/prog.functions6 b/Shorewall-perl/prog.functions6 index 0625701bb..0c4d41f2a 100644 --- a/Shorewall-perl/prog.functions6 +++ b/Shorewall-perl/prog.functions6 @@ -30,7 +30,7 @@ fatal_error() timestamp="$(date +'%_b %d %T') " echo "${timestamp} ERROR: $@" >> $STARTUP_LOG fi - + stop_firewall [ -n "$TEMPFILE" ] && rm -f $TEMPFILE exit 2 @@ -56,7 +56,7 @@ startup_error() # $* = Error Message if [ $LOG_VERBOSE -gt 1 ]; then timestamp="$(date +'%_b %d %T') " - + case $COMMAND in start) echo "${timestamp} ERROR:$PRODUCT start failed" >> $STARTUP_LOG @@ -177,7 +177,7 @@ debug_restore_input() { for chain in PREROUTING OUTPUT; do qt1 $IP6TABLES -t raw -P $chain ACCEPT done - + qt1 $IP6TABLES -t filter -F qt1 $IP6TABLES -t filter -X diff --git a/Shorewall-perl/prog.header6 b/Shorewall-perl/prog.header6 index d9e02c760..cf947efc1 100644 --- a/Shorewall-perl/prog.header6 +++ b/Shorewall-perl/prog.header6 @@ -537,7 +537,7 @@ normalize_address() # $1 = valid IPv6 Address list_count $(split $address) j=$? - + if [ $j -eq 7 ]; then address=${address%::*}:0:${address#*::} elif [ $j -eq 8 ]; then 
@@ -585,7 +585,7 @@ convert_to_anycast() { # Defines a viable subnet -- first get the subnet-router anycast address # host=$((128 - $vlsm)) - + address=$(normalize_address ${address%/*}) while [ $host -ge 16 ]; do diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index 8b6217969..833d0ad9b 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.2.6 +%define version 4.2.7 %define release 0base Summary: Shoreline Firewall Perl-based compiler. @@ -62,6 +62,8 @@ rm -rf $RPM_BUILD_ROOT %doc COPYING releasenotes.txt %changelog +* Sat Feb 21 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.7-0base * Wed Feb 04 2009 Tom Eastep tom@shorewall.net - Updated to 4.2.6-0base * Thu Jan 29 2009 Tom Eastep tom@shorewall.net