Apply inversion changes to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9395 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2009-02-02 20:42:19 +00:00 · 2009-02-02 20:42:19 +00:00 · 6651c2d6ce
commit 6651c2d6ce
parent ba14c45cf4
2 changed files with 31 additions and 15 deletions
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -1206,8 +1206,8 @@ sub do_proto( $$$ )

    if ( $proto ne '' ) {
 	
-	my $synonly = ( $proto =~ s/:syn$//i );
-
+	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;

 	if ( defined $protonum ) {	    
@ -1219,41 +1219,44 @@ sub do_proto( $$$ )
 	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
 	    #
 	    unless ( $synonly ) {
-		$output  = "-p $proto ";
+		$output  = "-p ${invert}${proto} ";
 	    } else {
-		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP;
+		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
 		$output = "-p $proto --syn ";
 	    }

+	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
+
 	  PROTO:
 	    {
-
 		if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
 		    my $multiport = 0;

 		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
 			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
 			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
 			    fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
 			    $ports = validate_port_list $pname , $ports;
-			    $output .= "-m multiport --dports $ports ";
+			    $output .= "-m multiport --dports ${invert}${ports} ";
 			    $multiport = 1;
 			}  else {
 			    $ports   = validate_portpair $pname , $ports;
-			    $output .= "--dport $ports ";
+			    $output .= "--dport ${invert}${ports} ";
 			}
 		    } else {
 			$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
 		    }
 		    
 		    if ( $sports ne '' ) {
+			$invert = $sports =~ s/^!// ? '! ' : '';
 			if ( $multiport ) {
 			    fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
 			    $sports = validate_port_list $pname , $sports;
-			    $output .= "-m multiport --sports $sports ";
+			    $output .= "-m multiport --sports ${invert}${sports} ";
 			}  else {
 			    $sports  = validate_portpair $pname , $sports;
-			    $output .= "--sport $sports ";
+			    $output .= "--sport ${invert}${sports} ";
 			}
 		    }
 		    
@ -1262,9 +1265,10 @@ sub do_proto( $$$ )
 		if ( $proto == ICMP ) {
 		    fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6;
 		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
 			fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
 			$ports = validate_icmp $ports;
-			$output .= "--icmp-type $ports ";
+			$output .= "--icmp-type ${invert}${ports} ";
 		    }
 		
 		    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
@ -1274,9 +1278,10 @@ sub do_proto( $$$ )
 		if ( $proto == IPv6_ICMP ) {
 		    fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
 		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
 			fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
 			$ports = validate_icmp6 $ports;
-			$output .= "--icmpv6-type $ports ";
+			$output .= "--icmpv6-type ${invert}${ports} ";
 		    }
 		
 		    fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
@ -1929,10 +1934,12 @@ sub get_interface_gateway ( $ ) {

    my $variable = interface_gateway( $interface );

+    my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway';
+
    if ( interface_is_optional $interface ) {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n);
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
-	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
 [ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface"
 );
    }
@ -2581,7 +2588,8 @@ sub emitr( $$ ) {
 #
 # Generate the netfilter input
 #
-sub create_netfilter_load() {
+sub create_netfilter_load( $ ) {
+    my $test = shift;

    my @table_list;

@ -2613,6 +2621,14 @@ sub create_netfilter_load() {

    enter_cat_mode;

+    my $date = localtime;
+
+    unless ( $test ) {
+	emit_unindented '#';
+	emit_unindented "# Generated by Shorewall-perl $globals{VERSION} - $date";
+	emit_unindented '#';
+    }
+
    for my $table ( @table_list ) {
 	emit_unindented "*$table";

--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@ -697,7 +697,7 @@ sub generate_script_4($) {
    } else {
 	progress_message2 "Creating ip6tables-restore input...";
    }
-    create_netfilter_load;
+    create_netfilter_load( $test );
    create_chainlist_reload( $_[0] );

    emit "#\n# Start/Restart the Firewall\n#";