Fix syntax errors

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8855 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-11-02 20:00:29 +00:00
parent 8517734a60
commit 618d8a440a
3 changed files with 76 additions and 268 deletions


@ -1144,18 +1144,19 @@ sub clearrule() {
$iprangematch = 0; $iprangematch = 0;
} }
#
# Return the number of ports represented by the passed list
#
sub port_count( $ ) {
( $_[0] =~ tr/,:/,:/ ) + 1;
}
# #
# Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string. # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
# #
sub do_proto( $$$ ) sub do_proto( $$$ )
{ {
my ($proto, $ports, $sports ) = @_; my ($proto, $ports, $sports ) = @_;
#
# Return the number of ports represented by the passed list
#
sub port_count( $ ) {
( $_[0] =~ tr/,:/,:/ ) + 1;
}
my $output = ''; my $output = '';
@ -1262,10 +1263,6 @@ sub do_proto6( $$$ )
# #
# Return the number of ports represented by the passed list # Return the number of ports represented by the passed list
# #
sub port_count( $ ) {
( $_[0] =~ tr/,:/,:/ ) + 1;
}
my $output = ''; my $output = '';
$proto = '' if $proto eq '-'; $proto = '' if $proto eq '-';
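Review bot: The header comment above port_count on the new side says it returns the number of ports, but `tr/,:/,:/` counts separator characters, so a range such as `1024:2048` yields 2 and an empty string yields 1; the value is the number of list entries with a range counted twice, which is presumably what a multiport-style limit check wants, but the comment should say so: `# Count entries in a port list: each comma adds one, a range a:b counts as two, and '' yields 1`. The body also relies on an implicit last-expression return; `return ( $_[0] =~ tr/,:/,:/ ) + 1;` states the intent and matches the explicit-return style elsewhere. do_proto's body continues past the end of this section, as does do_proto6 in the second hunk.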


@ -485,10 +485,10 @@ sub validate_6address( $$ ) {
defined wantarray ? wantarray ? @addrs : $addrs[0] : undef; defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
} }
}
sub validate_6net( $ ) { sub validate_6net( $$ ) {
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 ); my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
my $allow_name = $_[1];
fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+'; fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
@ -498,7 +498,7 @@ sub validate_6net( $ ) {
fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net; fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net;
} else { } else {
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net; fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
validate_6address $net; validate_6address $net, $allow_name;
} }
} }
@ -531,7 +531,7 @@ my %ipv6_icmp_types = ( any => 'any',
'ttl-exceeded' => 3, 'ttl-exceeded' => 3,
'ttl-zero-during-transit' => '3/0', 'ttl-zero-during-transit' => '3/0',
'ttl-zero-during-reassembly' => '3/1', 'ttl-zero-during-reassembly' => '3/1',
'parameter-problem' => 4 'parameter-problem' => 4,
'bad-header' => '4/0', 'bad-header' => '4/0',
'unknown-header-type' => '4/1', 'unknown-header-type' => '4/1',
'unknown-option' => '4/2', 'unknown-option' => '4/2',
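Review bot: validate_6net now carries a `( $$ )` prototype, so every call site must pass two arguments or compilation fails with "Not enough arguments"; the callers are not in this section, so they should be checked for the added argument. If some callers are meant to keep passing one argument, `sub validate_6net( $;$ ) {` makes the second optional, and `my $allow_name = $_[1];` then yields undef, i.e. names not allowed, which preserves the previous behaviour. The new `$allow_name` is forwarded only in the bare-address branch (`validate_6address $net, $allow_name;`), which looks deliberate since an address with a prefix length must be a literal; a comment such as `# A name is never valid with a prefix length, so $allow_name applies only to bare addresses` would make that explicit.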


@ -1778,8 +1778,8 @@ sub process_6macro ( $$$$$$$$$$$$$$ ) {
# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# #
sub process_rule1 ( $$$$$$$$$$$$$ ) { sub process_6rule1 ( $$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_; my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
my ( $action, $loglevel) = split_action $target; my ( $action, $loglevel) = split_action $target;
my ( $basictarget, $param ) = get_target_param $action; my ( $basictarget, $param ) = get_target_param $action;
my $rule = ''; my $rule = '';
@ -1810,7 +1810,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$current_param = $param; $current_param = $param;
} }
process_macro( $basictarget, process_6macro( $basictarget,
$target , $target ,
$current_param, $current_param,
$source, $source,
@ -1818,7 +1818,6 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$proto, $proto,
$ports, $ports,
$sports, $sports,
$origdest,
$ratelimit, $ratelimit,
$user, $user,
$mark, $mark,
@ -1856,14 +1855,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# Take care of irregular syntax and targets # Take care of irregular syntax and targets
# #
if ( $actiontype & REDIRECT ) { if ( $action eq 'REJECT' ) {
my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) {
$dest = join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
} else {
$dest = join( '', $z, '::', $dest ) unless $dest =~ /:/;
}
} elsif ( $action eq 'REJECT' ) {
$action = 'reject'; $action = 'reject';
} elsif ( $action eq 'CONTINUE' ) { } elsif ( $action eq 'CONTINUE' ) {
$action = 'RETURN'; $action = 'RETURN';
@ -1879,33 +1871,28 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $destref; my $destref;
my $origdstports; my $origdstports;
if ( $source =~ /^(.+?):(.*)/ ) { if ( $source =~ /^(.+?);(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq ''; fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
$sourcezone = $1; $sourcezone = $1;
$source = $2; $source = $2;
} else { } else {
$sourcezone = $source; $sourcezone = $source;
$source = ALLIPv4; $source = ALLIPv6;
} }
if ( $dest =~ /^(.*?):(.*)/ ) { if ( $dest =~ /^(.*?);(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $2 eq ''; fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
$destzone = $1; $destzone = $1;
$dest = $2; $dest = $2;
} else { } else {
$destzone = $dest; $destzone = $dest;
$dest = ALLIPv4; $dest = ALLIPv6;
} }
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
if ( $actiontype & NATONLY ) { fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
warning_message "Destination zone ($destzone) ignored" unless $destzone eq '-' || $destzone eq '';
} else {
fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
}
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
@ -1916,51 +1903,41 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} }
my ( $chain, $chainref, $policy ); my ( $chain, $chainref, $policy );
#
# For compatibility with older Shorewall versions
#
$origdest = ALLIPv4 if $origdest eq 'all';
# #
# Take care of chain # Check for illegal bridge port rule
# #
if ( $destref->{type} eq 'bport4' ) {
unless ( $actiontype & NATONLY ) { unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
#
# Check for illegal bridge port rule
#
if ( $destref->{type} eq 'bport4' ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
}
}
$chain = "${sourcezone}2${destzone}";
$chainref = ensure_chain 'filter', $chain;
$policy = $chainref->{policy};
if ( $policy eq 'NONE' ) {
return 1 if $wildcard; return 1 if $wildcard;
fatal_error "Rules may not override a NONE policy"; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
} }
#
# Handle Optimization
#
if ( $optimize > 0 ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}";
} else {
return 1 if $basictarget eq $policy;
}
}
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
$chainref = ensure_filter_chain $chain, 1;
} }
$chain = "${sourcezone}2${destzone}";
$chainref = ensure_chain 'filter', $chain;
$policy = $chainref->{policy};
if ( $policy eq 'NONE' ) {
return 1 if $wildcard;
fatal_error "Rules may not override a NONE policy";
}
#
# Handle Optimization
#
if ( $optimize > 0 ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}";
} else {
return 1 if $basictarget eq $policy;
}
}
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
$chainref = ensure_filter_chain $chain, 1;
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
# #
@ -1973,188 +1950,22 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} }
# #
# Generate NAT rule(s), if any # Add filter table rule
# #
if ( $actiontype & NATRULE ) { if ( $actiontype & ACTION ) {
my ( $server, $serverport ); $action = (find_logactionchain $target)->{name};
my $randomize = $dest =~ s/:random$// ? '--random ' : ''; $loglevel = '';
require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
#
# Isolate server port
#
if ( $dest =~ /^(.*)(:(.+))$/ ) {
#
# Server IP and Port
#
$server = $1; # May be empty
$serverport = $3; # Not Empty due to RE
$origdstports = $ports;
if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
#
fatal_error "Invalid port range ($serverport)" unless $1 < $2;
my @ports = ( $1, $2 );
$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
( $ports = $serverport ) =~ tr/-/:/;
} else {
$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
}
} elsif ( $dest eq ':' ) {
#
# Rule with no server IP or port ( zone:: )
#
$server = $serverport = '';
} else {
#
# Simple server IP address (may be empty or "-")
#
$server = $dest;
$serverport = '';
}
#
# Generate the target
#
my $target = '';
if ( $actiontype & REDIRECT ) {
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
$target = '-j REDIRECT ';
$target .= "--to-port $serverport " if $serverport;
if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4;
} elsif ( $origdest eq 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
} else {
$origdest = ALLIPv4;
}
}
} else {
fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
if ( $server =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 );
} else {
$server = validate_address $server, 1;
}
if ( $action eq 'SAME' ) {
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
fatal_error "':random' is not supported by the SAME target" if $randomize;
warning_message 'Netfilter support for SAME is being dropped in early 2008';
$target = '-j SAME ';
for my $serv ( split /,/, $server ) {
$target .= "--to $serv ";
}
} elsif ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
$target .= "--to-destination ${serv}${serverport} ";
}
}
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
} else {
$origdest = ALLIPv4;
}
}
}
$target .= $randomize;
#
# And generate the nat table rule(s)
#
expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
PREROUTE_RESTRICT ,
$rule ,
$source ,
$origdest ,
'' ,
'' ,
$target ,
$loglevel ,
$action ,
$serverport ? do_proto( $proto, '', '' ) : '' );
#
# After NAT:
# - the destination port will be the server port ($ports) -- we did that above
# - the destination IP will be the server IP ($dest)
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
# - the target will be ACCEPT.
#
unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
}
} elsif ( $actiontype & NONAT ) {
#
# NONAT or ACCEPT+ -- May not specify a destination interface
#
fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
$origdest = '' unless $origdest and $origdest ne '-';
if ( $origdest eq 'detect' ) {
my $interfacesref = $sourceref->{interfaces};
my $interfaces = "@$interfacesref";
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
}
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
PREROUTE_RESTRICT ,
$rule ,
$source ,
$dest ,
$origdest ,
'',
'-j RETURN ' ,
$loglevel ,
$action ,
'' );
}
#
# Add filter table rule, unless this is a NATONLY rule type
#
unless ( $actiontype & NATONLY ) {
if ( $actiontype & ACTION ) {
$action = (find_logactionchain $target)->{name};
$loglevel = '';
}
unless ( $origdest eq '-' ) {
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in a non-NAT rule', 's' ) unless $actiontype & NATRULE;
} else {
$origdest = '';
}
expand_rule( ensure_chain( 'filter', $chain ) ,
$restriction ,
$rule ,
$source ,
$dest ,
$origdest ,
$origdstports ,
"-j $action " ,
$loglevel ,
$action ,
'' );
} }
expand_6rule( ensure_chain( 'filter', $chain ) ,
$restriction ,
$rule ,
$source ,
$dest ,
"-j $action " ,
$loglevel ,
$action ,
'' );
} }
# #
@ -2162,8 +1973,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column). # Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
# #
sub process_rule ( $$$$$$$$$$$$ ) { sub process_6rule ( $$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit , $time ) = @_; my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit , $time ) = @_;
my $intrazone = 0; my $intrazone = 0;
my $includesrcfw = 1; my $includesrcfw = 1;
my $includedstfw = 1; my $includedstfw = 1;
@ -2219,13 +2030,13 @@ sub process_rule ( $$$$$$$$$$$$ ) {
fatal_error "Invalid or missing ACTION ($target)" unless defined $action; fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
if ( $source eq 'all' ) { if ( $source eq 'all' ) {
for my $zone ( all_zones ) { for my $zone ( all_6zones ) {
if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) { if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
if ( $dest eq 'all' ) { if ( $dest eq 'all' ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_6zones ) {
if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) { if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
if ( $intrazone || ( $zone ne $zone1 ) ) { if ( $intrazone || ( $zone ne $zone1 ) ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; process_6rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} }
@ -2233,20 +2044,20 @@ sub process_rule ( $$$$$$$$$$$$ ) {
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
if ( $intrazone || ( $zone ne $destzone ) ) { if ( $intrazone || ( $zone ne $destzone ) ) {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; process_6rule1 $target, $zone, $dest , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} }
} }
} elsif ( $dest eq 'all' ) { } elsif ( $dest eq 'all' ) {
for my $zone ( all_zones ) { for my $zone ( all_6zones ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0]; my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; process_6rule1 $target, $source, $zone , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} else { } else {
process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0; process_6rule1 $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 0;
} }
progress_message " Rule \"$thisline\" $done"; progress_message " Rule \"$thisline\" $done";
@ -2255,15 +2066,15 @@ sub process_rule ( $$$$$$$$$$$$ ) {
# #
# Process the Rules File # Process the Rules File
# #
sub process_rules() { sub process_6rules() {
my $fn = open_file 'rules'; my $fn = open_file '6rules';
first_entry "$doing $fn..."; first_entry "$doing $fn...";
while ( read_a_line ) { while ( read_a_line ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands; my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 11, '6rules file', \%rules_commands;
if ( $target eq 'COMMENT' ) { if ( $target eq 'COMMENT' ) {
process_comment; process_comment;
@ -2289,7 +2100,7 @@ sub process_rules() {
if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) { if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) {
progress_message "Rule \"$currentline\" ignored." progress_message "Rule \"$currentline\" ignored."
} else { } else {
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time; process_6rule $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time;
} }
} }
} }
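Review bot: process_6rule still splits zone qualifiers on `:` at `my $destzone = (split( /:/, $dest, 2 ) )[0];` and `my $sourcezone = ( split( /:/, $source, 2 ) )[0];`, and process_6rules tests `/^none(:.*)?$/`, while process_6rule1 on the new side now separates zone and qualifier with `;` (`/^(.+?);(.*)/` and `/^(.*?);(.*)/`), evidently because IPv6 addresses contain colons. With a qualified DEST such as `net;2001:db8::1` the split yields `net;2001`, defined_zone fails and the firewall zone is silently substituted, so the intrazone and firewall-zone checks on the `all` paths run against the wrong zone; the three places should use `;` as well (`split( /;/, $dest, 2 )`, `split( /;/, $source, 2 )`, `/^none(;.*)?$/`). The trailing comment on the destzone line still refers to process_rule1 and 'REDIRECT all', which the IPv6 variant no longer handles, and `my $origdstports;` in process_6rule1 is now never written or read since the NAT block was dropped. The `$sourcezone =~ /^:/` test in the "Missing source zone" check is a leftover of the old delimiter for the same reason, and process_6rules's closing brace is not visible in this section.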