Eliminate trailing whitespace
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a7786b5a2f
commit
767fea403a
@ -1,2 +1,2 @@
|
||||
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
||||
|
||||
|
||||
|
@ -43,7 +43,7 @@ our $VERSION = 4.00;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -59,7 +59,7 @@ INIT {
|
||||
# Accounting
|
||||
#
|
||||
sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
|
||||
|
||||
our $jumpchainref;
|
||||
|
||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
|
||||
@ -163,7 +163,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
sub setup_accounting() {
|
||||
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
my $fn = open_file 'accounting';
|
||||
|
@ -88,7 +88,7 @@ our %macros;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -276,7 +276,7 @@ sub createlogactionchain( $$ ) {
|
||||
mark_referenced $chainref; # Just in case the action body is empty.
|
||||
|
||||
unless ( $targets{$action} & STANDARD ) {
|
||||
|
||||
|
||||
my $file = find_file $chain;
|
||||
|
||||
if ( -f $file ) {
|
||||
@ -298,13 +298,13 @@ sub createlogactionchain( $$ ) {
|
||||
sub createsimpleactionchain( $ ) {
|
||||
my $action = shift;
|
||||
my $chainref = new_chain 'filter', $action;
|
||||
|
||||
|
||||
$logactionchains{"$action:none"} = $chainref;
|
||||
|
||||
|
||||
mark_referenced $chainref; # Just in case the action body is empty.
|
||||
|
||||
unless ( $targets{$action} & STANDARD ) {
|
||||
|
||||
|
||||
my $file = find_file $action;
|
||||
|
||||
if ( -f $file ) {
|
||||
@ -395,15 +395,15 @@ sub process_macro1 ( $$ ) {
|
||||
fatal_error "Invalid target ($mtarget)"
|
||||
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
|
||||
}
|
||||
|
||||
|
||||
progress_message " ..End Macro $macrofile";
|
||||
|
||||
|
||||
pop_open;
|
||||
}
|
||||
|
||||
sub process_action1 ( $$ ) {
|
||||
my ( $action, $wholetarget ) = @_;
|
||||
|
||||
|
||||
my ( $target, $level ) = split_action $wholetarget;
|
||||
|
||||
$level = 'none' unless $level;
|
||||
@ -412,9 +412,9 @@ sub process_action1 ( $$ ) {
|
||||
|
||||
if ( defined $targettype ) {
|
||||
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & LOGRULE );
|
||||
|
||||
|
||||
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
|
||||
|
||||
|
||||
fatal_error "An action may not invoke itself" if $target eq $action;
|
||||
|
||||
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
||||
@ -438,7 +438,7 @@ sub process_action1 ( $$ ) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
sub process_actions1() {
|
||||
|
||||
progress_message2 "Preprocessing Action Files...";
|
||||
@ -548,7 +548,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
||||
my $standard = ( $fn =~ /^($globals{SHAREDIR})/ );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
|
||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 1, 8, 'macro file';
|
||||
|
||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||
@ -581,7 +581,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
||||
} else {
|
||||
$mdest = '';
|
||||
}
|
||||
|
||||
|
||||
$mdest = '' if $mdest eq '-';
|
||||
|
||||
$mproto = merge_macro_column $mproto, $proto;
|
||||
@ -589,12 +589,12 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
||||
$msports = merge_macro_column $msports, $sports;
|
||||
$mrate = merge_macro_column $mrate, $rate;
|
||||
$muser = merge_macro_column $muser, $user;
|
||||
|
||||
|
||||
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
|
||||
}
|
||||
|
||||
pop_open;
|
||||
|
||||
|
||||
progress_message '..End Macro'
|
||||
}
|
||||
|
||||
@ -672,7 +672,7 @@ sub process_actions3 () {
|
||||
add_command $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
}
|
||||
|
@ -20,7 +20,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# This is the low-level iptables module. It provides the basic services
|
||||
# This is the low-level iptables module. It provides the basic services
|
||||
# of chain and rule creation. It is used by the higher level modules such
|
||||
# as Rules to create iptables-restore input.
|
||||
#
|
||||
@ -228,7 +228,7 @@ our $emitted_comment;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -325,7 +325,7 @@ INIT {
|
||||
#
|
||||
|
||||
#
|
||||
# Process a COMMENT line (in $currentline)
|
||||
# Process a COMMENT line (in $currentline)
|
||||
#
|
||||
sub process_comment() {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
@ -357,7 +357,7 @@ sub add_command($$)
|
||||
|
||||
sub add_commands {
|
||||
my $chainref = shift @_;
|
||||
|
||||
|
||||
for my $command ( @_ ) {
|
||||
push @{$chainref->{rules}}, join ('', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
|
||||
}
|
||||
@ -382,7 +382,7 @@ sub add_file( $$ ) {
|
||||
if ( -f $file ) {
|
||||
open EF , '<', $file or fatal_error "Unable to open $file: $!";
|
||||
|
||||
add_commands( $chainref,
|
||||
add_commands( $chainref,
|
||||
qq(progress_message "Processing $file..."),
|
||||
'' );
|
||||
|
||||
@ -395,7 +395,7 @@ sub add_file( $$ ) {
|
||||
|
||||
close EF;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add a rule to a chain. Arguments are:
|
||||
@ -778,7 +778,7 @@ sub setup_zone_mss() {
|
||||
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
|
||||
set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub newexclusionchain() {
|
||||
my $seq = $exclseq++;
|
||||
@ -810,13 +810,13 @@ sub validate_portpair( $ ) {
|
||||
|
||||
for my $port ( @ports ) {
|
||||
my $value = $services{$port};
|
||||
|
||||
|
||||
unless ( defined $value ) {
|
||||
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
||||
|
||||
|
||||
$port = $value;
|
||||
}
|
||||
|
||||
@ -938,7 +938,7 @@ sub do_proto( $$$ )
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
if ( $multiport ) {
|
||||
if ( $multiport ) {
|
||||
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
|
||||
$sports = validate_port_list $sports;
|
||||
$output .= "-m multiport --sports $sports ";
|
||||
@ -1108,7 +1108,7 @@ sub match_source_dev( $ ) {
|
||||
} else {
|
||||
"-i $interface ";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Match Dest device
|
||||
@ -1121,7 +1121,7 @@ sub match_dest_dev( $ ) {
|
||||
} else {
|
||||
"-o $interface ";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Avoid generating a second '-m iprange' in a single rule.
|
||||
@ -1303,7 +1303,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
|
||||
if ( $chainref->{loopcount} || $chainref->{cmdcount} ) {
|
||||
#
|
||||
# The rule will be converted to an "echo" shell command. We must insure that the
|
||||
# The rule will be converted to an "echo" shell command. We must insure that the
|
||||
# quotes are preserved in the iptables-input file.
|
||||
#
|
||||
if ( $level eq 'ULOG' ) {
|
||||
@ -1423,7 +1423,7 @@ sub get_interface_addresses ( $ ) {
|
||||
[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface"
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
"\$$variable";
|
||||
}
|
||||
|
||||
@ -1461,15 +1461,15 @@ sub get_interface_nets ( $ ) {
|
||||
#
|
||||
sub expand_rule( $$$$$$$$$$ )
|
||||
{
|
||||
my ($chainref , # Chain
|
||||
my ($chainref , # Chain
|
||||
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
||||
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||
$source, # SOURCE
|
||||
$dest, # DEST
|
||||
$origdest, # ORIGINAL DEST
|
||||
$target, # Target ('-j' part of the rule)
|
||||
$loglevel , # Log level (and tag)
|
||||
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
|
||||
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||
$source, # SOURCE
|
||||
$dest, # DEST
|
||||
$origdest, # ORIGINAL DEST
|
||||
$target, # Target ('-j' part of the rule)
|
||||
$loglevel , # Log level (and tag)
|
||||
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
|
||||
$exceptionrule # Caller's matches used in exclusion case
|
||||
) = @_;
|
||||
|
||||
@ -1666,7 +1666,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
if ( $inets ) {
|
||||
fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
|
||||
|
||||
|
||||
if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
|
||||
$inets = $1;
|
||||
$iexcl = $2;
|
||||
@ -1680,7 +1680,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
$rule .= match_source_net "!$iexcl";
|
||||
$iexcl = '';
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
} else {
|
||||
$iexcl = '';
|
||||
@ -1691,7 +1691,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
if ( $dnets ) {
|
||||
fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
|
||||
|
||||
|
||||
if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
|
||||
$dnets = $1;
|
||||
$dexcl = $2;
|
||||
@ -1887,7 +1887,7 @@ sub set_global_variables() {
|
||||
# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
|
||||
# has (have) something to look at to determine the error
|
||||
#
|
||||
# We may have to generate part of the input at run-time. The rules array in each chain
|
||||
# We may have to generate part of the input at run-time. The rules array in each chain
|
||||
# table entry may contain rules (begin with '-A') or shell source. We alternate between
|
||||
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
|
||||
# (CAT_STATE) and and writing shell source into the generated script.
|
||||
@ -1939,7 +1939,7 @@ sub create_netfilter_load() {
|
||||
push @table_list, 'filter';
|
||||
|
||||
$state = NULL_STATE;
|
||||
|
||||
|
||||
emit ( 'setup_netfilter()',
|
||||
'{'
|
||||
);
|
||||
@ -1953,7 +1953,7 @@ sub create_netfilter_load() {
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
|
||||
enter_cat_state;
|
||||
|
||||
|
||||
for my $table ( @table_list ) {
|
||||
emit_unindented "*$table";
|
||||
|
||||
@ -2019,7 +2019,7 @@ sub create_netfilter_load() {
|
||||
sub create_blacklist_reload() {
|
||||
|
||||
$state = NULL_STATE;
|
||||
|
||||
|
||||
emit( 'blacklist_reload()',
|
||||
'{'
|
||||
);
|
||||
@ -2044,7 +2044,7 @@ sub create_blacklist_reload() {
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_state unless $state == CAT_STATE;
|
||||
|
||||
|
||||
emit_unindented 'COMMIT';
|
||||
|
||||
enter_cmd_state;
|
||||
|
@ -296,7 +296,7 @@ EOF
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -471,7 +471,7 @@ EOF
|
||||
# Second Phase of Script Generation
|
||||
#
|
||||
# copies the 'prog.functions' file into the script, generates
|
||||
# clear_routing_and_traffic_shaping() and the first part of
|
||||
# clear_routing_and_traffic_shaping() and the first part of
|
||||
# 'setup_routing_and_traffic_shaping()'
|
||||
#
|
||||
# The bulk of that function is produced by the various config file
|
||||
@ -542,7 +542,7 @@ sub generate_script_2 () {
|
||||
'delete_proxyarp',
|
||||
''
|
||||
);
|
||||
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||
' while read external interface; do',
|
||||
@ -646,7 +646,7 @@ else
|
||||
set_state "Started"
|
||||
run_started_exit
|
||||
fi
|
||||
|
||||
|
||||
cp -f $(my_pathname) ${VARDIR}/.restore
|
||||
fi
|
||||
|
||||
|
@ -22,10 +22,10 @@
|
||||
#
|
||||
# This module is responsible for lower level configuration file handling.
|
||||
# It also exports functions for generating warning and error messages.
|
||||
# The get_configuration function parses the shorewall.conf, capabilities and
|
||||
# modules files during compiler startup. The module also provides the basic
|
||||
# The get_configuration function parses the shorewall.conf, capabilities and
|
||||
# modules files during compiler startup. The module also provides the basic
|
||||
# output file services such as creation of temporary 'object' files, writing
|
||||
# into those files (emitters) and finalizing those files (renaming
|
||||
# into those files (emitters) and finalizing those files (renaming
|
||||
# them to their final name and setting their mode appropriately).
|
||||
#
|
||||
package Shorewall::Config;
|
||||
@ -176,7 +176,7 @@ our $debug; # If true, use Carp to report errors with stack tr
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
sub initialize() {
|
||||
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
|
||||
@ -461,21 +461,21 @@ sub save_progress_message_short( $ ) {
|
||||
|
||||
#
|
||||
# Set $timestamp
|
||||
#
|
||||
#
|
||||
sub set_timestamp( $ ) {
|
||||
$timestamp = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Set $verbose
|
||||
#
|
||||
#
|
||||
sub set_verbose( $ ) {
|
||||
$verbose = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Print the current TOD to STDOUT.
|
||||
#
|
||||
#
|
||||
sub timestamp() {
|
||||
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
|
||||
printf '%02d:%02d:%02d ', $hr, $min, $sec;
|
||||
@ -739,7 +739,7 @@ sub split_line2( $$$ ) {
|
||||
|
||||
if ( defined $columns ) {
|
||||
fatal_error "Invalid $first entry" if $columns && @line != $columns;
|
||||
return @line
|
||||
return @line
|
||||
}
|
||||
|
||||
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
|
||||
@ -843,7 +843,7 @@ sub read_a_line() {
|
||||
#
|
||||
# Remove Trailing Comments -- result might be a blank line
|
||||
#
|
||||
$currentline =~ s/#.*$//;
|
||||
$currentline =~ s/#.*$//;
|
||||
#
|
||||
# Ignore ( concatenated ) Blank Lines
|
||||
#
|
||||
@ -935,14 +935,14 @@ sub default_yes_no ( $$ ) {
|
||||
|
||||
my %validlevels = ( debug => 7,
|
||||
info => 6,
|
||||
notice => 5,
|
||||
warning => 4,
|
||||
warn => 4,
|
||||
notice => 5,
|
||||
warning => 4,
|
||||
warn => 4,
|
||||
err => 3,
|
||||
error => 3,
|
||||
crit => 2,
|
||||
alert => 1,
|
||||
emerg => 0,
|
||||
crit => 2,
|
||||
alert => 1,
|
||||
emerg => 0,
|
||||
panic => 0,
|
||||
none => '',
|
||||
ULOG => 'ULOG' );
|
||||
@ -1002,7 +1002,7 @@ sub check_trivalue( $$ ) {
|
||||
$config{var} = $default
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Produce a report of the detected capabilities
|
||||
#
|
||||
@ -1180,7 +1180,7 @@ sub determine_capabilities() {
|
||||
|
||||
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||
|
||||
qt( "$iptables -F $sillyname" );
|
||||
qt( "$iptables -X $sillyname" );
|
||||
@ -1279,7 +1279,7 @@ sub process_shorewall_conf() {
|
||||
|
||||
sub get_capabilities( $ ) {
|
||||
my $export = $_[0];
|
||||
|
||||
|
||||
if ( ! $export && $> == 0 ) { # $> == $EUID
|
||||
unless ( $config{IPTABLES} ) {
|
||||
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
|
||||
@ -1358,7 +1358,7 @@ sub get_configuration( $ ) {
|
||||
check_trivalue ( 'IP_FORWARDING', 'on' );
|
||||
check_trivalue ( 'ROUTE_FILTER', '' );
|
||||
check_trivalue ( 'LOG_MARTIANS', '' );
|
||||
|
||||
|
||||
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
|
||||
default_yes_no 'ADD_SNAT_ALIASES' , '';
|
||||
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
|
||||
@ -1632,7 +1632,7 @@ sub run_user_exit2( $$ ) {
|
||||
}
|
||||
|
||||
pop_open;
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -20,7 +20,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# /etc/protocols and /etc/services respectively.
|
||||
#
|
||||
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
|
||||
|
@ -20,8 +20,8 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# This module provides interfaces for dealing with IPv4 addresses.
|
||||
#
|
||||
# This module provides interfaces for dealing with IPv4 addresses.
|
||||
#
|
||||
package Shorewall::IPAddrs;
|
||||
require Exporter;
|
||||
use Shorewall::Config;
|
||||
@ -121,7 +121,7 @@ sub validate_range( $$ ) {
|
||||
my $last = decodeaddr $high;
|
||||
|
||||
fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
|
||||
}
|
||||
}
|
||||
|
||||
sub ip_range_explicit( $ ) {
|
||||
my $range = $_[0];
|
||||
@ -151,7 +151,7 @@ sub ip_range_explicit( $ ) {
|
||||
|
||||
sub validate_host( $ ) {
|
||||
my $host = $_[0];
|
||||
|
||||
|
||||
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
|
||||
validate_range $1, $2;
|
||||
} else {
|
||||
|
@ -47,7 +47,7 @@ our %addresses_to_add;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -237,7 +237,7 @@ sub setup_one_masq($$$$$$$)
|
||||
#
|
||||
# And Generate the Rule(s)
|
||||
#
|
||||
expand_rule( $chainref ,
|
||||
expand_rule( $chainref ,
|
||||
POSTROUTE_RESTRICT ,
|
||||
$rule ,
|
||||
$networks ,
|
||||
|
@ -208,10 +208,10 @@ sub validate_policy()
|
||||
|
||||
unless ( $clientwild || $serverwild ) {
|
||||
if ( $zones{$server}{type} eq 'bport4' ) {
|
||||
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
||||
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
||||
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my $chain = "${client}2${server}";
|
||||
my $chainref;
|
||||
@ -238,12 +238,12 @@ sub validate_policy()
|
||||
}
|
||||
|
||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||
|
||||
|
||||
if ( $synparams ne '' ) {
|
||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
|
||||
$chainref->{synchain} = $chain
|
||||
$chainref->{synchain} = $chain
|
||||
}
|
||||
|
||||
|
||||
$chainref->{default} = $default if $default;
|
||||
|
||||
if ( $clientwild ) {
|
||||
@ -277,7 +277,7 @@ sub validate_policy()
|
||||
#
|
||||
sub policy_rules( $$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default ) = @_;
|
||||
|
||||
|
||||
unless ( $target eq 'NONE' ) {
|
||||
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||
@ -392,7 +392,7 @@ sub setup_syn_flood_chains() {
|
||||
for my $chainref ( @policy_chains ) {
|
||||
my $limit = $chainref->{synparams};
|
||||
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
||||
my $level = $chainref->{loglevel};
|
||||
my $level = $chainref->{loglevel};
|
||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||
add_rule $synchainref , "${limit}-j RETURN";
|
||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||
|
@ -157,7 +157,7 @@ sub setup_martian_logging() {
|
||||
" echo $value > $file" );
|
||||
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
||||
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
|
@ -59,7 +59,7 @@ our @providers;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -104,7 +104,7 @@ sub setup_route_marking() {
|
||||
|
||||
sub copy_table( $$ ) {
|
||||
my ( $duplicate, $number ) = @_;
|
||||
|
||||
|
||||
emit ( "ip route show table $duplicate | while read net route; do",
|
||||
' case $net in',
|
||||
' default|nexthop)',
|
||||
@ -119,7 +119,7 @@ sub copy_table( $$ ) {
|
||||
|
||||
sub copy_and_edit_table( $$$ ) {
|
||||
my ( $duplicate, $number, $copy ) = @_;
|
||||
|
||||
|
||||
emit ( "ip route show table $duplicate | while read net route; do",
|
||||
' case $net in',
|
||||
' default|nexthop)',
|
||||
@ -137,18 +137,18 @@ sub copy_and_edit_table( $$$ ) {
|
||||
|
||||
sub balance_default_route( $$$ ) {
|
||||
my ( $weight, $gateway, $interface ) = @_;
|
||||
|
||||
|
||||
$balance = 1;
|
||||
|
||||
|
||||
emit '';
|
||||
|
||||
|
||||
if ( $first_default_route ) {
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
|
||||
}
|
||||
|
||||
|
||||
$first_default_route = 0;
|
||||
} else {
|
||||
if ( $gateway ) {
|
||||
@ -164,21 +164,21 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
||||
|
||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
|
||||
}
|
||||
|
||||
|
||||
emit "#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
|
||||
emit "if interface_is_usable $interface; then";
|
||||
push_indent;
|
||||
my $iface = chain_base $interface;
|
||||
|
||||
|
||||
emit "${iface}_up=Yes";
|
||||
emit "qt ip route flush table $number";
|
||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
if ( $copy eq '-' ) {
|
||||
copy_table ( $duplicate, $number );
|
||||
@ -218,17 +218,17 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
my $val = 0;
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
|
||||
|
||||
$val = numeric_value $mark;
|
||||
|
||||
|
||||
verify_mark $mark;
|
||||
|
||||
|
||||
if ( $val < 256) {
|
||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
||||
} else {
|
||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
||||
}
|
||||
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
|
||||
}
|
||||
@ -244,9 +244,9 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
$providers{$table} = {};
|
||||
$providers{$table}{number} = $number;
|
||||
$providers{$table}{mark} = $val;
|
||||
|
||||
|
||||
my ( $loose, $optional ) = (0,0);
|
||||
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split /,/, $options ) {
|
||||
if ( $option eq 'track' ) {
|
||||
@ -270,9 +270,9 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
if ( $loose ) {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
@ -286,12 +286,12 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
'done'
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
||||
|
||||
|
||||
pop_indent;
|
||||
emit 'else';
|
||||
|
||||
|
||||
if ( $optional ) {
|
||||
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
|
||||
" ${iface}_up="
|
||||
@ -299,19 +299,19 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
} else {
|
||||
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
|
||||
}
|
||||
|
||||
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
sub add_an_rtrule( $$$$ ) {
|
||||
my ( $source, $dest, $provider, $priority ) = @_;
|
||||
|
||||
|
||||
unless ( $providers{$provider} ) {
|
||||
my $found = 0;
|
||||
|
||||
|
||||
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
||||
my $provider_number = numeric_value $provider;
|
||||
|
||||
|
||||
for my $provider ( keys %providers ) {
|
||||
if ( $providers{$provider}{number} == $provider_number ) {
|
||||
$found = 1;
|
||||
@ -319,14 +319,14 @@ sub add_an_rtrule( $$$$ ) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Unknown provider ($provider)" unless $found;
|
||||
}
|
||||
|
||||
|
||||
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
||||
|
||||
|
||||
$dest = $dest eq '-' ? '' : "to $dest";
|
||||
|
||||
|
||||
if ( $source eq '-' ) {
|
||||
$source = '';
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
@ -338,21 +338,21 @@ sub add_an_rtrule( $$$$ ) {
|
||||
} else {
|
||||
$source = "iif $source";
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
|
||||
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
|
||||
emit ( "qt ip rule del $source $dest $priority",
|
||||
"run_ip rule add $source $dest $priority table $provider",
|
||||
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"
|
||||
);
|
||||
progress_message " Routing rule \"$currentline\" $done";
|
||||
}
|
||||
|
||||
|
||||
sub setup_providers() {
|
||||
my $providers = 0;
|
||||
|
||||
|
||||
my $fn = open_file 'providers';
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
@ -45,7 +45,7 @@ our @proxyarp;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -145,7 +145,7 @@ sub setup_proxy_arp() {
|
||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
|
||||
" echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
|
||||
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ our @param_stack;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -111,12 +111,12 @@ sub process_tos() {
|
||||
|
||||
fatal_error "TOS field required" unless $tos ne '-';
|
||||
|
||||
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
|
||||
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
|
||||
$tos = $tosval;
|
||||
} elsif ( numeric_value( $tos ) > 0x1e ) {
|
||||
fatal_error "Invalid TOS value ($tos)";
|
||||
}
|
||||
|
||||
|
||||
my $chainref;
|
||||
|
||||
my $restriction = NO_RESTRICT;
|
||||
@ -521,13 +521,13 @@ sub add_common_rules() {
|
||||
}
|
||||
|
||||
run_user_exit1 'initdone';
|
||||
|
||||
|
||||
setup_blacklist;
|
||||
|
||||
$list = find_hosts_by_option 'nosmurfs';
|
||||
|
||||
$chainref = new_standard_chain 'smurfs';
|
||||
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
||||
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||
@ -541,7 +541,7 @@ sub add_common_rules() {
|
||||
}
|
||||
|
||||
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
||||
} else {
|
||||
@ -652,7 +652,7 @@ sub add_common_rules() {
|
||||
add_rule $filter_table->{input_chain $interface}, "-j $chain";
|
||||
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$list = find_interfaces_by_option 'upnp';
|
||||
@ -689,7 +689,7 @@ sub setup_mac_lists( $ ) {
|
||||
my $level = $config{MACLIST_LOG_LEVEL};
|
||||
my $disposition = $config{MACLIST_DISPOSITION};
|
||||
my $ttl = $config{MACLIST_TTL};
|
||||
|
||||
|
||||
progress_message2 "$doing MAC Filtration -- Phase $phase...";
|
||||
|
||||
for my $hostref ( @$maclist_hosts ) {
|
||||
@ -761,7 +761,7 @@ sub setup_mac_lists( $ ) {
|
||||
if ( $addresses ) {
|
||||
for my $address ( split ',', $addresses ) {
|
||||
my $source = match_source_net $address;
|
||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
||||
if defined $level && $level ne '';
|
||||
add_rule $chainref , "${mac}${source}-j $targetref->{target}";
|
||||
}
|
||||
@ -800,9 +800,9 @@ sub setup_mac_lists( $ ) {
|
||||
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
|
||||
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_commands( $chainref,
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
||||
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
||||
@ -810,7 +810,7 @@ sub setup_mac_lists( $ ) {
|
||||
} else {
|
||||
my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
|
||||
|
||||
add_commands( $chainref,
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" for address1 in $variable1; do",
|
||||
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
|
||||
@ -915,12 +915,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
|
||||
|
||||
$param = '' unless defined $param;
|
||||
|
||||
|
||||
#
|
||||
# Determine the validity of the action
|
||||
#
|
||||
my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
|
||||
|
||||
|
||||
fatal_error "Unknown action ($action)" unless $actiontype;
|
||||
|
||||
if ( $actiontype == MACRO ) {
|
||||
@ -933,7 +933,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
push @param_stack, $current_param;
|
||||
$current_param = $param;
|
||||
}
|
||||
|
||||
|
||||
process_macro( $macros{$basictarget},
|
||||
$target ,
|
||||
$current_param,
|
||||
@ -949,7 +949,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$wildcard );
|
||||
|
||||
$macro_nest_level--;
|
||||
|
||||
|
||||
$current_param = pop @param_stack if $param ne '';
|
||||
|
||||
return;
|
||||
@ -988,7 +988,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
my $sourcezone;
|
||||
my $destzone;
|
||||
|
||||
|
||||
if ( $source =~ /^(.+?):(.*)/ ) {
|
||||
$sourcezone = $1;
|
||||
$source = $2;
|
||||
@ -1004,7 +1004,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$destzone = $dest;
|
||||
$dest = ALLIPv4;
|
||||
}
|
||||
|
||||
|
||||
fatal_error "Missing source zone" if $sourcezone eq '-';
|
||||
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
|
||||
fatal_error "Missing destination zone" if $destzone eq '-';
|
||||
@ -1069,7 +1069,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
unless ( $section eq 'NEW' ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
|
||||
$rule .= "-m state --state $section "
|
||||
$rule .= "-m state --state $section "
|
||||
}
|
||||
|
||||
#
|
||||
@ -1211,7 +1211,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Process a Record in the rules file
|
||||
# Process a Record in the rules file
|
||||
#
|
||||
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
|
||||
#
|
||||
@ -1264,7 +1264,7 @@ sub process_rule ( $$$$$$$$$$ ) {
|
||||
} else {
|
||||
fatal_error "Invalid DEST ($dest)" unless $dest eq 'all';
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
my $action = isolate_basic_target $target;
|
||||
@ -1425,7 +1425,7 @@ sub generate_matrix() {
|
||||
}
|
||||
|
||||
#
|
||||
# Set a breakpoint in this function if you want to step through generate_matrix().
|
||||
# Set a breakpoint in this function if you want to step through generate_matrix().
|
||||
#
|
||||
sub start_matrix() {
|
||||
progress_message2 'Generating Rule Matrix...';
|
||||
@ -1497,7 +1497,7 @@ sub generate_matrix() {
|
||||
for my $hostref ( @{$arrayref} ) {
|
||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_rule(
|
||||
add_rule(
|
||||
$filter_table->{forward_chain $interface} ,
|
||||
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
|
||||
);
|
||||
@ -1586,13 +1586,13 @@ sub generate_matrix() {
|
||||
my $variable = get_interface_bcasts $interface;
|
||||
my $chain = output_chain $interface;
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
add_commands( $chainref,
|
||||
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" echo \"-A $chain -d \$address -j $chain1\" >&3",
|
||||
'done' );
|
||||
}
|
||||
|
||||
|
||||
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
||||
}
|
||||
}
|
||||
@ -1847,7 +1847,7 @@ sub setup_mss( $ ) {
|
||||
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
|
||||
$option = "--set-mss $clampmss";
|
||||
}
|
||||
|
||||
|
||||
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option";
|
||||
}
|
||||
|
||||
|
@ -158,7 +158,7 @@ our $prefix = '1';
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -231,7 +231,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
for my $tccmd ( @tccmd ) {
|
||||
if ( $tccmd->{match}($cmd) ) {
|
||||
fatal_error "$mark not valid with :C[FPT]" if $connmark;
|
||||
|
||||
|
||||
$target = "$tccmd->{target} ";
|
||||
my $marktype = $tccmd->{mark};
|
||||
|
||||
@ -243,9 +243,9 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
|
||||
if ( $rest ) {
|
||||
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
|
||||
|
||||
|
||||
$mark = $rest if $tccmd->{mask};
|
||||
|
||||
|
||||
if ( $marktype == SMALLMARK ) {
|
||||
verify_small_mark $mark;
|
||||
} else {
|
||||
@ -254,7 +254,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
} elsif ( $tccmd->{mask} ) {
|
||||
$mark = $tccmd->{mask};
|
||||
}
|
||||
|
||||
|
||||
last MARK;
|
||||
}
|
||||
}
|
||||
@ -339,7 +339,7 @@ sub convert_rate( $$ ) {
|
||||
} else {
|
||||
$rate = rate_to_kbit $rate
|
||||
}
|
||||
|
||||
|
||||
"${rate}kbit";
|
||||
}
|
||||
|
||||
@ -588,7 +588,7 @@ sub setup_tc() {
|
||||
} elsif ( $config{TC_ENABLED} eq 'Internal' ) {
|
||||
setup_traffic_shaping;
|
||||
}
|
||||
|
||||
|
||||
if ( my $fn = open_file 'tcrules' ) {
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
@ -84,17 +84,17 @@ sub setup_tunnels() {
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
|
||||
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
||||
|
||||
unless ( $noah ) {
|
||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ( $kind eq 'ipsec' ) {
|
||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
|
||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -20,7 +20,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# This module contains the code which deals with /etc/shorewall/zones,
|
||||
# This module contains the code which deals with /etc/shorewall/zones,
|
||||
# /etc/shorewall/interfaces and /etc/shorewall/hosts.
|
||||
#
|
||||
package Shorewall::Zones;
|
||||
@ -54,7 +54,7 @@ our @EXPORT = qw( NOTHING
|
||||
@zones
|
||||
%zones
|
||||
$firewall_zone
|
||||
%interfaces
|
||||
%interfaces
|
||||
@interfaces
|
||||
@bridges );
|
||||
|
||||
@ -134,7 +134,7 @@ our @bridges;
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@ -285,8 +285,8 @@ sub determine_zones()
|
||||
}
|
||||
|
||||
$zones{$zone} = { type => $type,
|
||||
parents => \@parents,
|
||||
exclusions => [],
|
||||
parents => \@parents,
|
||||
exclusions => [],
|
||||
bridge => '',
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
@ -300,7 +300,7 @@ sub determine_zones()
|
||||
}
|
||||
|
||||
fatal_error "No firewall zone defined" unless $firewall_zone;
|
||||
|
||||
|
||||
my $pushed = 1;
|
||||
my %ordered;
|
||||
|
||||
@ -435,7 +435,7 @@ sub single_interface( $ ) {
|
||||
'';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub add_group_to_zone($$$$$)
|
||||
{
|
||||
@ -491,7 +491,7 @@ sub add_group_to_zone($$$$$)
|
||||
$zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions );
|
||||
|
||||
push @{$zoneref->{exclusions}}, @exclusions;
|
||||
|
||||
|
||||
push @{$arrayref}, { options => $options,
|
||||
hosts => \@newnetworks,
|
||||
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
|
||||
@ -533,9 +533,9 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
use constant { SIMPLE_IF_OPTION => 1,
|
||||
BINARY_IF_OPTION => 2,
|
||||
ENUM_IF_OPTION => 3,
|
||||
ENUM_IF_OPTION => 3,
|
||||
MASK_IF_OPTION => 3,
|
||||
|
||||
|
||||
IF_OPTION_ZONEONLY => 4 };
|
||||
|
||||
my %validoptions = (arp_filter => BINARY_IF_OPTION,
|
||||
@ -569,7 +569,7 @@ sub validate_interfaces_file( $ )
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
|
||||
my ($zone, $interface, $networks, $options ) = split_line 2, 4, 'interfaces file';
|
||||
my $zoneref;
|
||||
my $bridge = '';
|
||||
@ -588,7 +588,7 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
( $interface, my ($port, $extra) ) = split /:/ , $interface, 3;
|
||||
|
||||
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
|
||||
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
|
||||
|
||||
fatal_error "Invalid Interface Name ($interface)" if $interface eq '+';
|
||||
|
||||
@ -620,13 +620,13 @@ sub validate_interfaces_file( $ )
|
||||
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
||||
$interfaces{$interface}{bridge} = $interface;
|
||||
}
|
||||
|
||||
|
||||
my $wildcard = 0;
|
||||
|
||||
if ( $interface =~ /\+$/ ) {
|
||||
$wildcard = 1;
|
||||
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
|
||||
} else {
|
||||
} else {
|
||||
$interfaces{$interface}{root} = $interface;
|
||||
}
|
||||
|
||||
@ -642,7 +642,7 @@ sub validate_interfaces_file( $ )
|
||||
my $optionsref = {};
|
||||
|
||||
my %options;
|
||||
|
||||
|
||||
if ( $options ) {
|
||||
|
||||
for my $option (split ',', $options ) {
|
||||
@ -653,7 +653,7 @@ sub validate_interfaces_file( $ )
|
||||
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
|
||||
|
||||
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
||||
|
||||
|
||||
$type &= MASK_IF_OPTION;
|
||||
|
||||
if ( $type == SIMPLE_IF_OPTION ) {
|
||||
@ -672,7 +672,7 @@ sub validate_interfaces_file( $ )
|
||||
$options{arp_ignore} = $value;
|
||||
} else {
|
||||
fatal_error "Invalid value ($value) for arp_ignore";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$options{arp_ignore} = 1;
|
||||
}
|
||||
@ -692,7 +692,7 @@ sub validate_interfaces_file( $ )
|
||||
} elsif ( $port ) {
|
||||
$options{port} = 1;
|
||||
}
|
||||
|
||||
|
||||
$interfaces{$interface}{options} = $optionsref = \%options;
|
||||
|
||||
push @ifaces, $interface;
|
||||
@ -713,7 +713,7 @@ sub validate_interfaces_file( $ )
|
||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
||||
|
||||
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
||||
|
||||
|
||||
progress_message " Interface \"$currentline\" Validated";
|
||||
|
||||
}
|
||||
@ -723,7 +723,7 @@ sub validate_interfaces_file( $ )
|
||||
#
|
||||
for my $interface ( @ifaces ) {
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
|
||||
|
||||
if ( $interfaceref->{options}{bridge} ) {
|
||||
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
|
||||
|
||||
@ -735,7 +735,7 @@ sub validate_interfaces_file( $ )
|
||||
}
|
||||
|
||||
push @interfaces, $interface unless $interfaceref->{options}{port};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -902,7 +902,7 @@ sub validate_hosts_file()
|
||||
#
|
||||
# Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions
|
||||
#
|
||||
$hosts =~ s/!/,!/g;
|
||||
$hosts =~ s/!/,!/g;
|
||||
#
|
||||
# Take care of case where the hosts list begins with '!'
|
||||
#
|
||||
|
@ -31,18 +31,18 @@ use lib '/usr/share/shorewall-perl';
|
||||
use Shorewall::Config qw( open_file
|
||||
push_open
|
||||
pop_open
|
||||
read_a_line1
|
||||
split_line
|
||||
fatal_error
|
||||
%globals
|
||||
ensure_config_path
|
||||
read_a_line1
|
||||
split_line
|
||||
fatal_error
|
||||
%globals
|
||||
ensure_config_path
|
||||
set_shorewall_dir
|
||||
set_config_path );
|
||||
|
||||
our $offset = "\t\t ";
|
||||
|
||||
our %service_hash;
|
||||
|
||||
|
||||
sub print_it( $$ ) {
|
||||
my ( $name, $number ) = @_;
|
||||
my $tabs;
|
||||
@ -61,7 +61,7 @@ sub print_it( $$ ) {
|
||||
|
||||
sub print_service( $$ ) {
|
||||
my ( $service, $number ) = @_;
|
||||
|
||||
|
||||
unless ( exists $service_hash{$service} ) {
|
||||
print_it( $service, $number );
|
||||
$service_hash{$service} = $number;
|
||||
@ -107,7 +107,7 @@ print <<"EOF";
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# /etc/protocols and /etc/services respectively.
|
||||
#
|
||||
# Module generated using buildports.pl $globals{VERSION} - $date
|
||||
@ -132,7 +132,7 @@ while ( read_a_line1 ) {
|
||||
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
|
||||
|
||||
print_it( $proto1, $number );
|
||||
|
||||
|
||||
for my $alias ( @aliases ) {
|
||||
last if $alias eq '-';
|
||||
print_it( $alias, $number );
|
||||
|
@ -70,7 +70,7 @@
|
||||
#
|
||||
@@ -111,20 +90,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Undo the effect of 'separate_list()'
|
||||
-#
|
||||
@ -91,7 +91,7 @@
|
||||
qt()
|
||||
@@ -310,83 +275,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
||||
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
||||
@ -150,7 +150,7 @@
|
||||
-
|
||||
- if [ -z "$loaded" ]; then
|
||||
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
|
||||
-
|
||||
-
|
||||
- if [ -f $lib ]; then
|
||||
- progress_message "Loading library $lib..."
|
||||
- . $lib
|
||||
@ -175,7 +175,7 @@
|
||||
# the IP address is 128.0.0.0 or 128.0.0.1.
|
||||
@@ -395,32 +283,6 @@
|
||||
LEFTSHIFT='<<'
|
||||
|
||||
|
||||
#
|
||||
-# Validate an IP address
|
||||
-#
|
||||
@ -196,7 +196,7 @@
|
||||
- ;;
|
||||
- esac
|
||||
- done
|
||||
-
|
||||
-
|
||||
- IFS=$ifs
|
||||
-
|
||||
- return 0
|
||||
@ -208,7 +208,7 @@
|
||||
decodeaddr() {
|
||||
@@ -456,88 +318,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Enumerate the members of an IP range -- When using a shell supporting only
|
||||
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
||||
@ -297,7 +297,7 @@
|
||||
ip_netmask() {
|
||||
@@ -588,60 +368,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Netmask to VLSM
|
||||
-#
|
||||
@ -331,7 +331,7 @@
|
||||
- case $c in
|
||||
- @*)
|
||||
- c=at_${c#@}
|
||||
- ;;
|
||||
- ;;
|
||||
- *.*)
|
||||
- c="${c%.*}_${c##*.}"
|
||||
- ;;
|
||||
@ -358,7 +358,7 @@
|
||||
chain_exists() # $1 = chain name
|
||||
@@ -879,21 +605,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Set default config path
|
||||
-#
|
||||
@ -380,7 +380,7 @@
|
||||
find_file()
|
||||
@@ -918,54 +629,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Get fully-qualified name of file
|
||||
-#
|
||||
@ -435,7 +435,7 @@
|
||||
set_state () # $1 = state
|
||||
@@ -974,200 +637,6 @@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
-# Determine which optional facilities are supported by iptables/netfilter
|
||||
-#
|
||||
@ -626,7 +626,7 @@
|
||||
- report_capability1 MANGLE_FORWARD
|
||||
- report_capability1 COMMENTS
|
||||
- report_capability1 ADDRTYPE
|
||||
-
|
||||
-
|
||||
- echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
-}
|
||||
-
|
||||
@ -637,7 +637,7 @@
|
||||
@@ -1286,82 +755,6 @@
|
||||
cut -b -${1}
|
||||
}
|
||||
|
||||
|
||||
-#
|
||||
-# Add a logging rule.
|
||||
-#
|
||||
@ -718,8 +718,8 @@
|
||||
{
|
||||
clear_one_tc() {
|
||||
@@ -1496,65 +889,6 @@
|
||||
|
||||
echo echo
|
||||
|
||||
echo echo
|
||||
}
|
||||
-
|
||||
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
|
||||
|
@ -168,6 +168,6 @@ get_device_mtu1() # $1 = device
|
||||
#
|
||||
get_all_bcasts()
|
||||
{
|
||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
|
||||
|
@ -267,7 +267,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
fi
|
||||
elif [ $savemoduleinfo = Yes ]; then
|
||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
> ${VARDIR}/.modulesdir
|
||||
> ${VARDIR}/.modulesdir
|
||||
> ${VARDIR}/.modules
|
||||
fi
|
||||
|
||||
@ -585,9 +585,9 @@ get_interface_bcasts() # $1 = interface
|
||||
{
|
||||
local addresses=
|
||||
|
||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Internal version of 'which'
|
||||
#
|
||||
@ -887,7 +887,7 @@ find_echo() {
|
||||
result=$(which echo)
|
||||
[ -n "$result" ] && { echo "$result -e"; return; }
|
||||
|
||||
echo echo
|
||||
echo echo
|
||||
}
|
||||
################################################################################
|
||||
# End of functions imported from /usr/share/shorewall/lib.base
|
||||
|