Eliminate trailing whitespace
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a7786b5a2f
commit
767fea403a
@ -1,2 +1,2 @@
|
|||||||
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
||||||
|
|
||||||
|
@ -43,7 +43,7 @@ our $VERSION = 4.00;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -59,7 +59,7 @@ INIT {
|
|||||||
# Accounting
|
# Accounting
|
||||||
#
|
#
|
||||||
sub process_accounting_rule( $$$$$$$$$ ) {
|
sub process_accounting_rule( $$$$$$$$$ ) {
|
||||||
|
|
||||||
our $jumpchainref;
|
our $jumpchainref;
|
||||||
|
|
||||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
|
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
|
||||||
@ -163,7 +163,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub setup_accounting() {
|
sub setup_accounting() {
|
||||||
|
|
||||||
my $first_entry = 1;
|
my $first_entry = 1;
|
||||||
|
|
||||||
my $fn = open_file 'accounting';
|
my $fn = open_file 'accounting';
|
||||||
|
@ -88,7 +88,7 @@ our %macros;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -276,7 +276,7 @@ sub createlogactionchain( $$ ) {
|
|||||||
mark_referenced $chainref; # Just in case the action body is empty.
|
mark_referenced $chainref; # Just in case the action body is empty.
|
||||||
|
|
||||||
unless ( $targets{$action} & STANDARD ) {
|
unless ( $targets{$action} & STANDARD ) {
|
||||||
|
|
||||||
my $file = find_file $chain;
|
my $file = find_file $chain;
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
@ -298,13 +298,13 @@ sub createlogactionchain( $$ ) {
|
|||||||
sub createsimpleactionchain( $ ) {
|
sub createsimpleactionchain( $ ) {
|
||||||
my $action = shift;
|
my $action = shift;
|
||||||
my $chainref = new_chain 'filter', $action;
|
my $chainref = new_chain 'filter', $action;
|
||||||
|
|
||||||
$logactionchains{"$action:none"} = $chainref;
|
$logactionchains{"$action:none"} = $chainref;
|
||||||
|
|
||||||
mark_referenced $chainref; # Just in case the action body is empty.
|
mark_referenced $chainref; # Just in case the action body is empty.
|
||||||
|
|
||||||
unless ( $targets{$action} & STANDARD ) {
|
unless ( $targets{$action} & STANDARD ) {
|
||||||
|
|
||||||
my $file = find_file $action;
|
my $file = find_file $action;
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
@ -395,15 +395,15 @@ sub process_macro1 ( $$ ) {
|
|||||||
fatal_error "Invalid target ($mtarget)"
|
fatal_error "Invalid target ($mtarget)"
|
||||||
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
|
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
|
||||||
}
|
}
|
||||||
|
|
||||||
progress_message " ..End Macro $macrofile";
|
progress_message " ..End Macro $macrofile";
|
||||||
|
|
||||||
pop_open;
|
pop_open;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_action1 ( $$ ) {
|
sub process_action1 ( $$ ) {
|
||||||
my ( $action, $wholetarget ) = @_;
|
my ( $action, $wholetarget ) = @_;
|
||||||
|
|
||||||
my ( $target, $level ) = split_action $wholetarget;
|
my ( $target, $level ) = split_action $wholetarget;
|
||||||
|
|
||||||
$level = 'none' unless $level;
|
$level = 'none' unless $level;
|
||||||
@ -412,9 +412,9 @@ sub process_action1 ( $$ ) {
|
|||||||
|
|
||||||
if ( defined $targettype ) {
|
if ( defined $targettype ) {
|
||||||
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & LOGRULE );
|
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & LOGRULE );
|
||||||
|
|
||||||
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
|
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
|
||||||
|
|
||||||
fatal_error "An action may not invoke itself" if $target eq $action;
|
fatal_error "An action may not invoke itself" if $target eq $action;
|
||||||
|
|
||||||
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
||||||
@ -438,7 +438,7 @@ sub process_action1 ( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_actions1() {
|
sub process_actions1() {
|
||||||
|
|
||||||
progress_message2 "Preprocessing Action Files...";
|
progress_message2 "Preprocessing Action Files...";
|
||||||
@ -548,7 +548,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
|||||||
my $standard = ( $fn =~ /^($globals{SHAREDIR})/ );
|
my $standard = ( $fn =~ /^($globals{SHAREDIR})/ );
|
||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 1, 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 1, 8, 'macro file';
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||||
@ -581,7 +581,7 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
|||||||
} else {
|
} else {
|
||||||
$mdest = '';
|
$mdest = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$mdest = '' if $mdest eq '-';
|
$mdest = '' if $mdest eq '-';
|
||||||
|
|
||||||
$mproto = merge_macro_column $mproto, $proto;
|
$mproto = merge_macro_column $mproto, $proto;
|
||||||
@ -589,12 +589,12 @@ sub process_macro3( $$$$$$$$$$$ ) {
|
|||||||
$msports = merge_macro_column $msports, $sports;
|
$msports = merge_macro_column $msports, $sports;
|
||||||
$mrate = merge_macro_column $mrate, $rate;
|
$mrate = merge_macro_column $mrate, $rate;
|
||||||
$muser = merge_macro_column $muser, $user;
|
$muser = merge_macro_column $muser, $user;
|
||||||
|
|
||||||
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
|
process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
|
||||||
}
|
}
|
||||||
|
|
||||||
pop_open;
|
pop_open;
|
||||||
|
|
||||||
progress_message '..End Macro'
|
progress_message '..End Macro'
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -672,7 +672,7 @@ sub process_actions3 () {
|
|||||||
add_command $chainref, 'done';
|
add_command $chainref, 'done';
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||||
}
|
}
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# This is the low-level iptables module. It provides the basic services
|
# This is the low-level iptables module. It provides the basic services
|
||||||
# of chain and rule creation. It is used by the higher level modules such
|
# of chain and rule creation. It is used by the higher level modules such
|
||||||
# as Rules to create iptables-restore input.
|
# as Rules to create iptables-restore input.
|
||||||
#
|
#
|
||||||
@ -228,7 +228,7 @@ our $emitted_comment;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -325,7 +325,7 @@ INIT {
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# Process a COMMENT line (in $currentline)
|
# Process a COMMENT line (in $currentline)
|
||||||
#
|
#
|
||||||
sub process_comment() {
|
sub process_comment() {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -357,7 +357,7 @@ sub add_command($$)
|
|||||||
|
|
||||||
sub add_commands {
|
sub add_commands {
|
||||||
my $chainref = shift @_;
|
my $chainref = shift @_;
|
||||||
|
|
||||||
for my $command ( @_ ) {
|
for my $command ( @_ ) {
|
||||||
push @{$chainref->{rules}}, join ('', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
|
push @{$chainref->{rules}}, join ('', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
|
||||||
}
|
}
|
||||||
@ -382,7 +382,7 @@ sub add_file( $$ ) {
|
|||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
open EF , '<', $file or fatal_error "Unable to open $file: $!";
|
open EF , '<', $file or fatal_error "Unable to open $file: $!";
|
||||||
|
|
||||||
add_commands( $chainref,
|
add_commands( $chainref,
|
||||||
qq(progress_message "Processing $file..."),
|
qq(progress_message "Processing $file..."),
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
@ -395,7 +395,7 @@ sub add_file( $$ ) {
|
|||||||
|
|
||||||
close EF;
|
close EF;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add a rule to a chain. Arguments are:
|
# Add a rule to a chain. Arguments are:
|
||||||
@ -778,7 +778,7 @@ sub setup_zone_mss() {
|
|||||||
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
|
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
|
||||||
set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss};
|
set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub newexclusionchain() {
|
sub newexclusionchain() {
|
||||||
my $seq = $exclseq++;
|
my $seq = $exclseq++;
|
||||||
@ -810,13 +810,13 @@ sub validate_portpair( $ ) {
|
|||||||
|
|
||||||
for my $port ( @ports ) {
|
for my $port ( @ports ) {
|
||||||
my $value = $services{$port};
|
my $value = $services{$port};
|
||||||
|
|
||||||
unless ( defined $value ) {
|
unless ( defined $value ) {
|
||||||
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
||||||
|
|
||||||
$port = $value;
|
$port = $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -938,7 +938,7 @@ sub do_proto( $$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $sports ne '' ) {
|
if ( $sports ne '' ) {
|
||||||
if ( $multiport ) {
|
if ( $multiport ) {
|
||||||
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
|
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
|
||||||
$sports = validate_port_list $sports;
|
$sports = validate_port_list $sports;
|
||||||
$output .= "-m multiport --sports $sports ";
|
$output .= "-m multiport --sports $sports ";
|
||||||
@ -1108,7 +1108,7 @@ sub match_source_dev( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
"-i $interface ";
|
"-i $interface ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Match Dest device
|
# Match Dest device
|
||||||
@ -1121,7 +1121,7 @@ sub match_dest_dev( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
"-o $interface ";
|
"-o $interface ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Avoid generating a second '-m iprange' in a single rule.
|
# Avoid generating a second '-m iprange' in a single rule.
|
||||||
@ -1303,7 +1303,7 @@ sub log_rule_limit( $$$$$$$$ ) {
|
|||||||
|
|
||||||
if ( $chainref->{loopcount} || $chainref->{cmdcount} ) {
|
if ( $chainref->{loopcount} || $chainref->{cmdcount} ) {
|
||||||
#
|
#
|
||||||
# The rule will be converted to an "echo" shell command. We must insure that the
|
# The rule will be converted to an "echo" shell command. We must insure that the
|
||||||
# quotes are preserved in the iptables-input file.
|
# quotes are preserved in the iptables-input file.
|
||||||
#
|
#
|
||||||
if ( $level eq 'ULOG' ) {
|
if ( $level eq 'ULOG' ) {
|
||||||
@ -1423,7 +1423,7 @@ sub get_interface_addresses ( $ ) {
|
|||||||
[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface"
|
[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
"\$$variable";
|
"\$$variable";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1461,15 +1461,15 @@ sub get_interface_nets ( $ ) {
|
|||||||
#
|
#
|
||||||
sub expand_rule( $$$$$$$$$$ )
|
sub expand_rule( $$$$$$$$$$ )
|
||||||
{
|
{
|
||||||
my ($chainref , # Chain
|
my ($chainref , # Chain
|
||||||
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
||||||
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||||
$source, # SOURCE
|
$source, # SOURCE
|
||||||
$dest, # DEST
|
$dest, # DEST
|
||||||
$origdest, # ORIGINAL DEST
|
$origdest, # ORIGINAL DEST
|
||||||
$target, # Target ('-j' part of the rule)
|
$target, # Target ('-j' part of the rule)
|
||||||
$loglevel , # Log level (and tag)
|
$loglevel , # Log level (and tag)
|
||||||
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
|
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
|
||||||
$exceptionrule # Caller's matches used in exclusion case
|
$exceptionrule # Caller's matches used in exclusion case
|
||||||
) = @_;
|
) = @_;
|
||||||
|
|
||||||
@ -1666,7 +1666,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
if ( $inets ) {
|
if ( $inets ) {
|
||||||
fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
|
fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
|
||||||
|
|
||||||
if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
|
if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
|
||||||
$inets = $1;
|
$inets = $1;
|
||||||
$iexcl = $2;
|
$iexcl = $2;
|
||||||
@ -1680,7 +1680,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
$rule .= match_source_net "!$iexcl";
|
$rule .= match_source_net "!$iexcl";
|
||||||
$iexcl = '';
|
$iexcl = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$iexcl = '';
|
$iexcl = '';
|
||||||
@ -1691,7 +1691,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
if ( $dnets ) {
|
if ( $dnets ) {
|
||||||
fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
|
fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
|
||||||
|
|
||||||
if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
|
if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
|
||||||
$dnets = $1;
|
$dnets = $1;
|
||||||
$dexcl = $2;
|
$dexcl = $2;
|
||||||
@ -1887,7 +1887,7 @@ sub set_global_variables() {
|
|||||||
# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
|
# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
|
||||||
# has (have) something to look at to determine the error
|
# has (have) something to look at to determine the error
|
||||||
#
|
#
|
||||||
# We may have to generate part of the input at run-time. The rules array in each chain
|
# We may have to generate part of the input at run-time. The rules array in each chain
|
||||||
# table entry may contain rules (begin with '-A') or shell source. We alternate between
|
# table entry may contain rules (begin with '-A') or shell source. We alternate between
|
||||||
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
|
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
|
||||||
# (CAT_STATE) and and writing shell source into the generated script.
|
# (CAT_STATE) and and writing shell source into the generated script.
|
||||||
@ -1939,7 +1939,7 @@ sub create_netfilter_load() {
|
|||||||
push @table_list, 'filter';
|
push @table_list, 'filter';
|
||||||
|
|
||||||
$state = NULL_STATE;
|
$state = NULL_STATE;
|
||||||
|
|
||||||
emit ( 'setup_netfilter()',
|
emit ( 'setup_netfilter()',
|
||||||
'{'
|
'{'
|
||||||
);
|
);
|
||||||
@ -1953,7 +1953,7 @@ sub create_netfilter_load() {
|
|||||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||||
|
|
||||||
enter_cat_state;
|
enter_cat_state;
|
||||||
|
|
||||||
for my $table ( @table_list ) {
|
for my $table ( @table_list ) {
|
||||||
emit_unindented "*$table";
|
emit_unindented "*$table";
|
||||||
|
|
||||||
@ -2019,7 +2019,7 @@ sub create_netfilter_load() {
|
|||||||
sub create_blacklist_reload() {
|
sub create_blacklist_reload() {
|
||||||
|
|
||||||
$state = NULL_STATE;
|
$state = NULL_STATE;
|
||||||
|
|
||||||
emit( 'blacklist_reload()',
|
emit( 'blacklist_reload()',
|
||||||
'{'
|
'{'
|
||||||
);
|
);
|
||||||
@ -2044,7 +2044,7 @@ sub create_blacklist_reload() {
|
|||||||
# Commit the changes to the table
|
# Commit the changes to the table
|
||||||
#
|
#
|
||||||
enter_cat_state unless $state == CAT_STATE;
|
enter_cat_state unless $state == CAT_STATE;
|
||||||
|
|
||||||
emit_unindented 'COMMIT';
|
emit_unindented 'COMMIT';
|
||||||
|
|
||||||
enter_cmd_state;
|
enter_cmd_state;
|
||||||
|
@ -296,7 +296,7 @@ EOF
|
|||||||
for chain in PREROUTING OUTPUT; do
|
for chain in PREROUTING OUTPUT; do
|
||||||
qt $IPTABLES -t raw -P $chain ACCEPT
|
qt $IPTABLES -t raw -P $chain ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -471,7 +471,7 @@ EOF
|
|||||||
# Second Phase of Script Generation
|
# Second Phase of Script Generation
|
||||||
#
|
#
|
||||||
# copies the 'prog.functions' file into the script, generates
|
# copies the 'prog.functions' file into the script, generates
|
||||||
# clear_routing_and_traffic_shaping() and the first part of
|
# clear_routing_and_traffic_shaping() and the first part of
|
||||||
# 'setup_routing_and_traffic_shaping()'
|
# 'setup_routing_and_traffic_shaping()'
|
||||||
#
|
#
|
||||||
# The bulk of that function is produced by the various config file
|
# The bulk of that function is produced by the various config file
|
||||||
@ -542,7 +542,7 @@ sub generate_script_2 () {
|
|||||||
'delete_proxyarp',
|
'delete_proxyarp',
|
||||||
''
|
''
|
||||||
);
|
);
|
||||||
|
|
||||||
if ( $capabilities{NAT_ENABLED} ) {
|
if ( $capabilities{NAT_ENABLED} ) {
|
||||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||||
' while read external interface; do',
|
' while read external interface; do',
|
||||||
@ -646,7 +646,7 @@ else
|
|||||||
set_state "Started"
|
set_state "Started"
|
||||||
run_started_exit
|
run_started_exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cp -f $(my_pathname) ${VARDIR}/.restore
|
cp -f $(my_pathname) ${VARDIR}/.restore
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -22,10 +22,10 @@
|
|||||||
#
|
#
|
||||||
# This module is responsible for lower level configuration file handling.
|
# This module is responsible for lower level configuration file handling.
|
||||||
# It also exports functions for generating warning and error messages.
|
# It also exports functions for generating warning and error messages.
|
||||||
# The get_configuration function parses the shorewall.conf, capabilities and
|
# The get_configuration function parses the shorewall.conf, capabilities and
|
||||||
# modules files during compiler startup. The module also provides the basic
|
# modules files during compiler startup. The module also provides the basic
|
||||||
# output file services such as creation of temporary 'object' files, writing
|
# output file services such as creation of temporary 'object' files, writing
|
||||||
# into those files (emitters) and finalizing those files (renaming
|
# into those files (emitters) and finalizing those files (renaming
|
||||||
# them to their final name and setting their mode appropriately).
|
# them to their final name and setting their mode appropriately).
|
||||||
#
|
#
|
||||||
package Shorewall::Config;
|
package Shorewall::Config;
|
||||||
@ -176,7 +176,7 @@ our $debug; # If true, use Carp to report errors with stack tr
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
|
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
|
||||||
@ -461,21 +461,21 @@ sub save_progress_message_short( $ ) {
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Set $timestamp
|
# Set $timestamp
|
||||||
#
|
#
|
||||||
sub set_timestamp( $ ) {
|
sub set_timestamp( $ ) {
|
||||||
$timestamp = shift;
|
$timestamp = shift;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set $verbose
|
# Set $verbose
|
||||||
#
|
#
|
||||||
sub set_verbose( $ ) {
|
sub set_verbose( $ ) {
|
||||||
$verbose = shift;
|
$verbose = shift;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Print the current TOD to STDOUT.
|
# Print the current TOD to STDOUT.
|
||||||
#
|
#
|
||||||
sub timestamp() {
|
sub timestamp() {
|
||||||
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
|
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
|
||||||
printf '%02d:%02d:%02d ', $hr, $min, $sec;
|
printf '%02d:%02d:%02d ', $hr, $min, $sec;
|
||||||
@ -739,7 +739,7 @@ sub split_line2( $$$ ) {
|
|||||||
|
|
||||||
if ( defined $columns ) {
|
if ( defined $columns ) {
|
||||||
fatal_error "Invalid $first entry" if $columns && @line != $columns;
|
fatal_error "Invalid $first entry" if $columns && @line != $columns;
|
||||||
return @line
|
return @line
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
|
fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/;
|
||||||
@ -843,7 +843,7 @@ sub read_a_line() {
|
|||||||
#
|
#
|
||||||
# Remove Trailing Comments -- result might be a blank line
|
# Remove Trailing Comments -- result might be a blank line
|
||||||
#
|
#
|
||||||
$currentline =~ s/#.*$//;
|
$currentline =~ s/#.*$//;
|
||||||
#
|
#
|
||||||
# Ignore ( concatenated ) Blank Lines
|
# Ignore ( concatenated ) Blank Lines
|
||||||
#
|
#
|
||||||
@ -935,14 +935,14 @@ sub default_yes_no ( $$ ) {
|
|||||||
|
|
||||||
my %validlevels = ( debug => 7,
|
my %validlevels = ( debug => 7,
|
||||||
info => 6,
|
info => 6,
|
||||||
notice => 5,
|
notice => 5,
|
||||||
warning => 4,
|
warning => 4,
|
||||||
warn => 4,
|
warn => 4,
|
||||||
err => 3,
|
err => 3,
|
||||||
error => 3,
|
error => 3,
|
||||||
crit => 2,
|
crit => 2,
|
||||||
alert => 1,
|
alert => 1,
|
||||||
emerg => 0,
|
emerg => 0,
|
||||||
panic => 0,
|
panic => 0,
|
||||||
none => '',
|
none => '',
|
||||||
ULOG => 'ULOG' );
|
ULOG => 'ULOG' );
|
||||||
@ -1002,7 +1002,7 @@ sub check_trivalue( $$ ) {
|
|||||||
$config{var} = $default
|
$config{var} = $default
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Produce a report of the detected capabilities
|
# Produce a report of the detected capabilities
|
||||||
#
|
#
|
||||||
@ -1180,7 +1180,7 @@ sub determine_capabilities() {
|
|||||||
|
|
||||||
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||||
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||||
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||||
|
|
||||||
qt( "$iptables -F $sillyname" );
|
qt( "$iptables -F $sillyname" );
|
||||||
qt( "$iptables -X $sillyname" );
|
qt( "$iptables -X $sillyname" );
|
||||||
@ -1279,7 +1279,7 @@ sub process_shorewall_conf() {
|
|||||||
|
|
||||||
sub get_capabilities( $ ) {
|
sub get_capabilities( $ ) {
|
||||||
my $export = $_[0];
|
my $export = $_[0];
|
||||||
|
|
||||||
if ( ! $export && $> == 0 ) { # $> == $EUID
|
if ( ! $export && $> == 0 ) { # $> == $EUID
|
||||||
unless ( $config{IPTABLES} ) {
|
unless ( $config{IPTABLES} ) {
|
||||||
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
|
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
|
||||||
@ -1358,7 +1358,7 @@ sub get_configuration( $ ) {
|
|||||||
check_trivalue ( 'IP_FORWARDING', 'on' );
|
check_trivalue ( 'IP_FORWARDING', 'on' );
|
||||||
check_trivalue ( 'ROUTE_FILTER', '' );
|
check_trivalue ( 'ROUTE_FILTER', '' );
|
||||||
check_trivalue ( 'LOG_MARTIANS', '' );
|
check_trivalue ( 'LOG_MARTIANS', '' );
|
||||||
|
|
||||||
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
|
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
|
||||||
default_yes_no 'ADD_SNAT_ALIASES' , '';
|
default_yes_no 'ADD_SNAT_ALIASES' , '';
|
||||||
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
|
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
|
||||||
@ -1632,7 +1632,7 @@ sub run_user_exit2( $$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pop_open;
|
pop_open;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# This module exports the %protocols and %services hashes built from
|
# This module exports the %protocols and %services hashes built from
|
||||||
# /etc/protocols and /etc/services respectively.
|
# /etc/protocols and /etc/services respectively.
|
||||||
#
|
#
|
||||||
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
|
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
|
||||||
|
@ -20,8 +20,8 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# This module provides interfaces for dealing with IPv4 addresses.
|
# This module provides interfaces for dealing with IPv4 addresses.
|
||||||
#
|
#
|
||||||
package Shorewall::IPAddrs;
|
package Shorewall::IPAddrs;
|
||||||
require Exporter;
|
require Exporter;
|
||||||
use Shorewall::Config;
|
use Shorewall::Config;
|
||||||
@ -121,7 +121,7 @@ sub validate_range( $$ ) {
|
|||||||
my $last = decodeaddr $high;
|
my $last = decodeaddr $high;
|
||||||
|
|
||||||
fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
|
fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub ip_range_explicit( $ ) {
|
sub ip_range_explicit( $ ) {
|
||||||
my $range = $_[0];
|
my $range = $_[0];
|
||||||
@ -151,7 +151,7 @@ sub ip_range_explicit( $ ) {
|
|||||||
|
|
||||||
sub validate_host( $ ) {
|
sub validate_host( $ ) {
|
||||||
my $host = $_[0];
|
my $host = $_[0];
|
||||||
|
|
||||||
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
|
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
|
||||||
validate_range $1, $2;
|
validate_range $1, $2;
|
||||||
} else {
|
} else {
|
||||||
|
@ -47,7 +47,7 @@ our %addresses_to_add;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -237,7 +237,7 @@ sub setup_one_masq($$$$$$$)
|
|||||||
#
|
#
|
||||||
# And Generate the Rule(s)
|
# And Generate the Rule(s)
|
||||||
#
|
#
|
||||||
expand_rule( $chainref ,
|
expand_rule( $chainref ,
|
||||||
POSTROUTE_RESTRICT ,
|
POSTROUTE_RESTRICT ,
|
||||||
$rule ,
|
$rule ,
|
||||||
$networks ,
|
$networks ,
|
||||||
|
@ -208,10 +208,10 @@ sub validate_policy()
|
|||||||
|
|
||||||
unless ( $clientwild || $serverwild ) {
|
unless ( $clientwild || $serverwild ) {
|
||||||
if ( $zones{$server}{type} eq 'bport4' ) {
|
if ( $zones{$server}{type} eq 'bport4' ) {
|
||||||
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
||||||
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
|
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chain = "${client}2${server}";
|
my $chain = "${client}2${server}";
|
||||||
my $chainref;
|
my $chainref;
|
||||||
@ -238,12 +238,12 @@ sub validate_policy()
|
|||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
$chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
|
||||||
|
|
||||||
if ( $synparams ne '' ) {
|
if ( $synparams ne '' ) {
|
||||||
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
|
$chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
|
||||||
$chainref->{synchain} = $chain
|
$chainref->{synchain} = $chain
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{default} = $default if $default;
|
$chainref->{default} = $default if $default;
|
||||||
|
|
||||||
if ( $clientwild ) {
|
if ( $clientwild ) {
|
||||||
@ -277,7 +277,7 @@ sub validate_policy()
|
|||||||
#
|
#
|
||||||
sub policy_rules( $$$$ ) {
|
sub policy_rules( $$$$ ) {
|
||||||
my ( $chainref , $target, $loglevel, $default ) = @_;
|
my ( $chainref , $target, $loglevel, $default ) = @_;
|
||||||
|
|
||||||
unless ( $target eq 'NONE' ) {
|
unless ( $target eq 'NONE' ) {
|
||||||
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
||||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||||
@ -392,7 +392,7 @@ sub setup_syn_flood_chains() {
|
|||||||
for my $chainref ( @policy_chains ) {
|
for my $chainref ( @policy_chains ) {
|
||||||
my $limit = $chainref->{synparams};
|
my $limit = $chainref->{synparams};
|
||||||
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
|
||||||
my $level = $chainref->{loglevel};
|
my $level = $chainref->{loglevel};
|
||||||
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
|
||||||
add_rule $synchainref , "${limit}-j RETURN";
|
add_rule $synchainref , "${limit}-j RETURN";
|
||||||
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
|
||||||
|
@ -157,7 +157,7 @@ sub setup_martian_logging() {
|
|||||||
" echo $value > $file" );
|
" echo $value > $file" );
|
||||||
|
|
||||||
emit ( 'else' ,
|
emit ( 'else' ,
|
||||||
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -59,7 +59,7 @@ our @providers;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -104,7 +104,7 @@ sub setup_route_marking() {
|
|||||||
|
|
||||||
sub copy_table( $$ ) {
|
sub copy_table( $$ ) {
|
||||||
my ( $duplicate, $number ) = @_;
|
my ( $duplicate, $number ) = @_;
|
||||||
|
|
||||||
emit ( "ip route show table $duplicate | while read net route; do",
|
emit ( "ip route show table $duplicate | while read net route; do",
|
||||||
' case $net in',
|
' case $net in',
|
||||||
' default|nexthop)',
|
' default|nexthop)',
|
||||||
@ -119,7 +119,7 @@ sub copy_table( $$ ) {
|
|||||||
|
|
||||||
sub copy_and_edit_table( $$$ ) {
|
sub copy_and_edit_table( $$$ ) {
|
||||||
my ( $duplicate, $number, $copy ) = @_;
|
my ( $duplicate, $number, $copy ) = @_;
|
||||||
|
|
||||||
emit ( "ip route show table $duplicate | while read net route; do",
|
emit ( "ip route show table $duplicate | while read net route; do",
|
||||||
' case $net in',
|
' case $net in',
|
||||||
' default|nexthop)',
|
' default|nexthop)',
|
||||||
@ -137,18 +137,18 @@ sub copy_and_edit_table( $$$ ) {
|
|||||||
|
|
||||||
sub balance_default_route( $$$ ) {
|
sub balance_default_route( $$$ ) {
|
||||||
my ( $weight, $gateway, $interface ) = @_;
|
my ( $weight, $gateway, $interface ) = @_;
|
||||||
|
|
||||||
$balance = 1;
|
$balance = 1;
|
||||||
|
|
||||||
emit '';
|
emit '';
|
||||||
|
|
||||||
if ( $first_default_route ) {
|
if ( $first_default_route ) {
|
||||||
if ( $gateway ) {
|
if ( $gateway ) {
|
||||||
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
|
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
|
||||||
} else {
|
} else {
|
||||||
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
|
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
$first_default_route = 0;
|
$first_default_route = 0;
|
||||||
} else {
|
} else {
|
||||||
if ( $gateway ) {
|
if ( $gateway ) {
|
||||||
@ -164,21 +164,21 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
||||||
|
|
||||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||||
|
|
||||||
for my $providerref ( values %providers ) {
|
for my $providerref ( values %providers ) {
|
||||||
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
|
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "#\n# Add Provider $table ($number)\n#";
|
emit "#\n# Add Provider $table ($number)\n#";
|
||||||
|
|
||||||
emit "if interface_is_usable $interface; then";
|
emit "if interface_is_usable $interface; then";
|
||||||
push_indent;
|
push_indent;
|
||||||
my $iface = chain_base $interface;
|
my $iface = chain_base $interface;
|
||||||
|
|
||||||
emit "${iface}_up=Yes";
|
emit "${iface}_up=Yes";
|
||||||
emit "qt ip route flush table $number";
|
emit "qt ip route flush table $number";
|
||||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||||
|
|
||||||
if ( $duplicate ne '-' ) {
|
if ( $duplicate ne '-' ) {
|
||||||
if ( $copy eq '-' ) {
|
if ( $copy eq '-' ) {
|
||||||
copy_table ( $duplicate, $number );
|
copy_table ( $duplicate, $number );
|
||||||
@ -218,17 +218,17 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
my $val = 0;
|
my $val = 0;
|
||||||
|
|
||||||
if ( $mark ne '-' ) {
|
if ( $mark ne '-' ) {
|
||||||
|
|
||||||
$val = numeric_value $mark;
|
$val = numeric_value $mark;
|
||||||
|
|
||||||
verify_mark $mark;
|
verify_mark $mark;
|
||||||
|
|
||||||
if ( $val < 256) {
|
if ( $val < 256) {
|
||||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $providerref ( values %providers ) {
|
for my $providerref ( values %providers ) {
|
||||||
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
|
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
|
||||||
}
|
}
|
||||||
@ -244,9 +244,9 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
$providers{$table} = {};
|
$providers{$table} = {};
|
||||||
$providers{$table}{number} = $number;
|
$providers{$table}{number} = $number;
|
||||||
$providers{$table}{mark} = $val;
|
$providers{$table}{mark} = $val;
|
||||||
|
|
||||||
my ( $loose, $optional ) = (0,0);
|
my ( $loose, $optional ) = (0,0);
|
||||||
|
|
||||||
unless ( $options eq '-' ) {
|
unless ( $options eq '-' ) {
|
||||||
for my $option ( split /,/, $options ) {
|
for my $option ( split /,/, $options ) {
|
||||||
if ( $option eq 'track' ) {
|
if ( $option eq 'track' ) {
|
||||||
@ -270,9 +270,9 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
|
|
||||||
if ( $loose ) {
|
if ( $loose ) {
|
||||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||||
|
|
||||||
emit "\nrulenum=0\n";
|
emit "\nrulenum=0\n";
|
||||||
|
|
||||||
emit ( "find_interface_addresses $interface | while read address; do",
|
emit ( "find_interface_addresses $interface | while read address; do",
|
||||||
' qt ip rule del from $address',
|
' qt ip rule del from $address',
|
||||||
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||||
@ -286,12 +286,12 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
'done'
|
'done'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit 'else';
|
emit 'else';
|
||||||
|
|
||||||
if ( $optional ) {
|
if ( $optional ) {
|
||||||
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
|
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
|
||||||
" ${iface}_up="
|
" ${iface}_up="
|
||||||
@ -299,19 +299,19 @@ sub add_a_provider( $$$$$$$$ ) {
|
|||||||
} else {
|
} else {
|
||||||
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
|
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_an_rtrule( $$$$ ) {
|
sub add_an_rtrule( $$$$ ) {
|
||||||
my ( $source, $dest, $provider, $priority ) = @_;
|
my ( $source, $dest, $provider, $priority ) = @_;
|
||||||
|
|
||||||
unless ( $providers{$provider} ) {
|
unless ( $providers{$provider} ) {
|
||||||
my $found = 0;
|
my $found = 0;
|
||||||
|
|
||||||
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
||||||
my $provider_number = numeric_value $provider;
|
my $provider_number = numeric_value $provider;
|
||||||
|
|
||||||
for my $provider ( keys %providers ) {
|
for my $provider ( keys %providers ) {
|
||||||
if ( $providers{$provider}{number} == $provider_number ) {
|
if ( $providers{$provider}{number} == $provider_number ) {
|
||||||
$found = 1;
|
$found = 1;
|
||||||
@ -319,14 +319,14 @@ sub add_an_rtrule( $$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Unknown provider ($provider)" unless $found;
|
fatal_error "Unknown provider ($provider)" unless $found;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
||||||
|
|
||||||
$dest = $dest eq '-' ? '' : "to $dest";
|
$dest = $dest eq '-' ? '' : "to $dest";
|
||||||
|
|
||||||
if ( $source eq '-' ) {
|
if ( $source eq '-' ) {
|
||||||
$source = '';
|
$source = '';
|
||||||
} elsif ( $source =~ /:/ ) {
|
} elsif ( $source =~ /:/ ) {
|
||||||
@ -338,21 +338,21 @@ sub add_an_rtrule( $$$$ ) {
|
|||||||
} else {
|
} else {
|
||||||
$source = "iif $source";
|
$source = "iif $source";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
|
fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
|
||||||
|
|
||||||
$priority = "priority $priority";
|
$priority = "priority $priority";
|
||||||
|
|
||||||
emit ( "qt ip rule del $source $dest $priority",
|
emit ( "qt ip rule del $source $dest $priority",
|
||||||
"run_ip rule add $source $dest $priority table $provider",
|
"run_ip rule add $source $dest $priority table $provider",
|
||||||
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"
|
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"
|
||||||
);
|
);
|
||||||
progress_message " Routing rule \"$currentline\" $done";
|
progress_message " Routing rule \"$currentline\" $done";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_providers() {
|
sub setup_providers() {
|
||||||
my $providers = 0;
|
my $providers = 0;
|
||||||
|
|
||||||
my $fn = open_file 'providers';
|
my $fn = open_file 'providers';
|
||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
@ -45,7 +45,7 @@ our @proxyarp;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -145,7 +145,7 @@ sub setup_proxy_arp() {
|
|||||||
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
|
emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
|
||||||
" echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
" echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
|
||||||
emit ( 'else' ,
|
emit ( 'else' ,
|
||||||
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
|
" error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,7 @@ our @param_stack;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -111,12 +111,12 @@ sub process_tos() {
|
|||||||
|
|
||||||
fatal_error "TOS field required" unless $tos ne '-';
|
fatal_error "TOS field required" unless $tos ne '-';
|
||||||
|
|
||||||
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
|
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
|
||||||
$tos = $tosval;
|
$tos = $tosval;
|
||||||
} elsif ( numeric_value( $tos ) > 0x1e ) {
|
} elsif ( numeric_value( $tos ) > 0x1e ) {
|
||||||
fatal_error "Invalid TOS value ($tos)";
|
fatal_error "Invalid TOS value ($tos)";
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chainref;
|
my $chainref;
|
||||||
|
|
||||||
my $restriction = NO_RESTRICT;
|
my $restriction = NO_RESTRICT;
|
||||||
@ -521,13 +521,13 @@ sub add_common_rules() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
run_user_exit1 'initdone';
|
run_user_exit1 'initdone';
|
||||||
|
|
||||||
setup_blacklist;
|
setup_blacklist;
|
||||||
|
|
||||||
$list = find_hosts_by_option 'nosmurfs';
|
$list = find_hosts_by_option 'nosmurfs';
|
||||||
|
|
||||||
$chainref = new_standard_chain 'smurfs';
|
$chainref = new_standard_chain 'smurfs';
|
||||||
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
||||||
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||||
@ -541,7 +541,7 @@ sub add_common_rules() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||||
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
||||||
} else {
|
} else {
|
||||||
@ -652,7 +652,7 @@ sub add_common_rules() {
|
|||||||
add_rule $filter_table->{input_chain $interface}, "-j $chain";
|
add_rule $filter_table->{input_chain $interface}, "-j $chain";
|
||||||
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||||
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$list = find_interfaces_by_option 'upnp';
|
$list = find_interfaces_by_option 'upnp';
|
||||||
@ -689,7 +689,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
my $level = $config{MACLIST_LOG_LEVEL};
|
my $level = $config{MACLIST_LOG_LEVEL};
|
||||||
my $disposition = $config{MACLIST_DISPOSITION};
|
my $disposition = $config{MACLIST_DISPOSITION};
|
||||||
my $ttl = $config{MACLIST_TTL};
|
my $ttl = $config{MACLIST_TTL};
|
||||||
|
|
||||||
progress_message2 "$doing MAC Filtration -- Phase $phase...";
|
progress_message2 "$doing MAC Filtration -- Phase $phase...";
|
||||||
|
|
||||||
for my $hostref ( @$maclist_hosts ) {
|
for my $hostref ( @$maclist_hosts ) {
|
||||||
@ -761,7 +761,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
if ( $addresses ) {
|
if ( $addresses ) {
|
||||||
for my $address ( split ',', $addresses ) {
|
for my $address ( split ',', $addresses ) {
|
||||||
my $source = match_source_net $address;
|
my $source = match_source_net $address;
|
||||||
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
|
||||||
if defined $level && $level ne '';
|
if defined $level && $level ne '';
|
||||||
add_rule $chainref , "${mac}${source}-j $targetref->{target}";
|
add_rule $chainref , "${mac}${source}-j $targetref->{target}";
|
||||||
}
|
}
|
||||||
@ -800,9 +800,9 @@ sub setup_mac_lists( $ ) {
|
|||||||
|
|
||||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||||
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
|
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
|
||||||
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
add_commands( $chainref,
|
add_commands( $chainref,
|
||||||
"for address in $variable; do",
|
"for address in $variable; do",
|
||||||
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
||||||
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
||||||
@ -810,7 +810,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
} else {
|
} else {
|
||||||
my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
|
my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
|
||||||
|
|
||||||
add_commands( $chainref,
|
add_commands( $chainref,
|
||||||
"for address in $variable; do",
|
"for address in $variable; do",
|
||||||
" for address1 in $variable1; do",
|
" for address1 in $variable1; do",
|
||||||
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
|
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
|
||||||
@ -915,12 +915,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
|
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
|
||||||
|
|
||||||
$param = '' unless defined $param;
|
$param = '' unless defined $param;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Determine the validity of the action
|
# Determine the validity of the action
|
||||||
#
|
#
|
||||||
my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
|
my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
|
||||||
|
|
||||||
fatal_error "Unknown action ($action)" unless $actiontype;
|
fatal_error "Unknown action ($action)" unless $actiontype;
|
||||||
|
|
||||||
if ( $actiontype == MACRO ) {
|
if ( $actiontype == MACRO ) {
|
||||||
@ -933,7 +933,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
push @param_stack, $current_param;
|
push @param_stack, $current_param;
|
||||||
$current_param = $param;
|
$current_param = $param;
|
||||||
}
|
}
|
||||||
|
|
||||||
process_macro( $macros{$basictarget},
|
process_macro( $macros{$basictarget},
|
||||||
$target ,
|
$target ,
|
||||||
$current_param,
|
$current_param,
|
||||||
@ -949,7 +949,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
$wildcard );
|
$wildcard );
|
||||||
|
|
||||||
$macro_nest_level--;
|
$macro_nest_level--;
|
||||||
|
|
||||||
$current_param = pop @param_stack if $param ne '';
|
$current_param = pop @param_stack if $param ne '';
|
||||||
|
|
||||||
return;
|
return;
|
||||||
@ -988,7 +988,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
my $sourcezone;
|
my $sourcezone;
|
||||||
my $destzone;
|
my $destzone;
|
||||||
|
|
||||||
if ( $source =~ /^(.+?):(.*)/ ) {
|
if ( $source =~ /^(.+?):(.*)/ ) {
|
||||||
$sourcezone = $1;
|
$sourcezone = $1;
|
||||||
$source = $2;
|
$source = $2;
|
||||||
@ -1004,7 +1004,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
$destzone = $dest;
|
$destzone = $dest;
|
||||||
$dest = ALLIPv4;
|
$dest = ALLIPv4;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Missing source zone" if $sourcezone eq '-';
|
fatal_error "Missing source zone" if $sourcezone eq '-';
|
||||||
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
|
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
|
||||||
fatal_error "Missing destination zone" if $destzone eq '-';
|
fatal_error "Missing destination zone" if $destzone eq '-';
|
||||||
@ -1069,7 +1069,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
unless ( $section eq 'NEW' ) {
|
unless ( $section eq 'NEW' ) {
|
||||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
|
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
|
||||||
$rule .= "-m state --state $section "
|
$rule .= "-m state --state $section "
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1211,7 +1211,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Process a Record in the rules file
|
# Process a Record in the rules file
|
||||||
#
|
#
|
||||||
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
|
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
|
||||||
#
|
#
|
||||||
@ -1264,7 +1264,7 @@ sub process_rule ( $$$$$$$$$$ ) {
|
|||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid DEST ($dest)" unless $dest eq 'all';
|
fatal_error "Invalid DEST ($dest)" unless $dest eq 'all';
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
my $action = isolate_basic_target $target;
|
my $action = isolate_basic_target $target;
|
||||||
@ -1425,7 +1425,7 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set a breakpoint in this function if you want to step through generate_matrix().
|
# Set a breakpoint in this function if you want to step through generate_matrix().
|
||||||
#
|
#
|
||||||
sub start_matrix() {
|
sub start_matrix() {
|
||||||
progress_message2 'Generating Rule Matrix...';
|
progress_message2 'Generating Rule Matrix...';
|
||||||
@ -1497,7 +1497,7 @@ sub generate_matrix() {
|
|||||||
for my $hostref ( @{$arrayref} ) {
|
for my $hostref ( @{$arrayref} ) {
|
||||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_rule(
|
add_rule(
|
||||||
$filter_table->{forward_chain $interface} ,
|
$filter_table->{forward_chain $interface} ,
|
||||||
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
|
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
|
||||||
);
|
);
|
||||||
@ -1586,13 +1586,13 @@ sub generate_matrix() {
|
|||||||
my $variable = get_interface_bcasts $interface;
|
my $variable = get_interface_bcasts $interface;
|
||||||
my $chain = output_chain $interface;
|
my $chain = output_chain $interface;
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
add_commands( $chainref,
|
add_commands( $chainref,
|
||||||
"for address in $variable; do",
|
"for address in $variable; do",
|
||||||
" echo \"-A $chain -d \$address -j $chain1\" >&3",
|
" echo \"-A $chain -d \$address -j $chain1\" >&3",
|
||||||
'done' );
|
'done' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1847,7 +1847,7 @@ sub setup_mss( $ ) {
|
|||||||
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
|
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
|
||||||
$option = "--set-mss $clampmss";
|
$option = "--set-mss $clampmss";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option";
|
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -158,7 +158,7 @@ our $prefix = '1';
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -231,7 +231,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
for my $tccmd ( @tccmd ) {
|
for my $tccmd ( @tccmd ) {
|
||||||
if ( $tccmd->{match}($cmd) ) {
|
if ( $tccmd->{match}($cmd) ) {
|
||||||
fatal_error "$mark not valid with :C[FPT]" if $connmark;
|
fatal_error "$mark not valid with :C[FPT]" if $connmark;
|
||||||
|
|
||||||
$target = "$tccmd->{target} ";
|
$target = "$tccmd->{target} ";
|
||||||
my $marktype = $tccmd->{mark};
|
my $marktype = $tccmd->{mark};
|
||||||
|
|
||||||
@ -243,9 +243,9 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
|
|
||||||
if ( $rest ) {
|
if ( $rest ) {
|
||||||
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
|
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
|
||||||
|
|
||||||
$mark = $rest if $tccmd->{mask};
|
$mark = $rest if $tccmd->{mask};
|
||||||
|
|
||||||
if ( $marktype == SMALLMARK ) {
|
if ( $marktype == SMALLMARK ) {
|
||||||
verify_small_mark $mark;
|
verify_small_mark $mark;
|
||||||
} else {
|
} else {
|
||||||
@ -254,7 +254,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
} elsif ( $tccmd->{mask} ) {
|
} elsif ( $tccmd->{mask} ) {
|
||||||
$mark = $tccmd->{mask};
|
$mark = $tccmd->{mask};
|
||||||
}
|
}
|
||||||
|
|
||||||
last MARK;
|
last MARK;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -339,7 +339,7 @@ sub convert_rate( $$ ) {
|
|||||||
} else {
|
} else {
|
||||||
$rate = rate_to_kbit $rate
|
$rate = rate_to_kbit $rate
|
||||||
}
|
}
|
||||||
|
|
||||||
"${rate}kbit";
|
"${rate}kbit";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -588,7 +588,7 @@ sub setup_tc() {
|
|||||||
} elsif ( $config{TC_ENABLED} eq 'Internal' ) {
|
} elsif ( $config{TC_ENABLED} eq 'Internal' ) {
|
||||||
setup_traffic_shaping;
|
setup_traffic_shaping;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( my $fn = open_file 'tcrules' ) {
|
if ( my $fn = open_file 'tcrules' ) {
|
||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
@ -84,17 +84,17 @@ sub setup_tunnels() {
|
|||||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
|
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
|
||||||
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||||
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||||
|
|
||||||
unless ( $capabilities{POLICY_MATCH} ) {
|
unless ( $capabilities{POLICY_MATCH} ) {
|
||||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||||
|
|
||||||
unless ( $noah ) {
|
unless ( $noah ) {
|
||||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $kind eq 'ipsec' ) {
|
if ( $kind eq 'ipsec' ) {
|
||||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
|
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
@ -20,7 +20,7 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# This module contains the code which deals with /etc/shorewall/zones,
|
# This module contains the code which deals with /etc/shorewall/zones,
|
||||||
# /etc/shorewall/interfaces and /etc/shorewall/hosts.
|
# /etc/shorewall/interfaces and /etc/shorewall/hosts.
|
||||||
#
|
#
|
||||||
package Shorewall::Zones;
|
package Shorewall::Zones;
|
||||||
@ -54,7 +54,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
@zones
|
@zones
|
||||||
%zones
|
%zones
|
||||||
$firewall_zone
|
$firewall_zone
|
||||||
%interfaces
|
%interfaces
|
||||||
@interfaces
|
@interfaces
|
||||||
@bridges );
|
@bridges );
|
||||||
|
|
||||||
@ -134,7 +134,7 @@ our @bridges;
|
|||||||
# initialize() function does globals initialization for this
|
# initialize() function does globals initialization for this
|
||||||
# module and is called from an INIT block below. The function is
|
# module and is called from an INIT block below. The function is
|
||||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||||
# the second and subsequent calls to that function.
|
# the second and subsequent calls to that function.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub initialize() {
|
sub initialize() {
|
||||||
@ -285,8 +285,8 @@ sub determine_zones()
|
|||||||
}
|
}
|
||||||
|
|
||||||
$zones{$zone} = { type => $type,
|
$zones{$zone} = { type => $type,
|
||||||
parents => \@parents,
|
parents => \@parents,
|
||||||
exclusions => [],
|
exclusions => [],
|
||||||
bridge => '',
|
bridge => '',
|
||||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||||
@ -300,7 +300,7 @@ sub determine_zones()
|
|||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "No firewall zone defined" unless $firewall_zone;
|
fatal_error "No firewall zone defined" unless $firewall_zone;
|
||||||
|
|
||||||
my $pushed = 1;
|
my $pushed = 1;
|
||||||
my %ordered;
|
my %ordered;
|
||||||
|
|
||||||
@ -435,7 +435,7 @@ sub single_interface( $ ) {
|
|||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_group_to_zone($$$$$)
|
sub add_group_to_zone($$$$$)
|
||||||
{
|
{
|
||||||
@ -491,7 +491,7 @@ sub add_group_to_zone($$$$$)
|
|||||||
$zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions );
|
$zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions );
|
||||||
|
|
||||||
push @{$zoneref->{exclusions}}, @exclusions;
|
push @{$zoneref->{exclusions}}, @exclusions;
|
||||||
|
|
||||||
push @{$arrayref}, { options => $options,
|
push @{$arrayref}, { options => $options,
|
||||||
hosts => \@newnetworks,
|
hosts => \@newnetworks,
|
||||||
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
|
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
|
||||||
@ -533,9 +533,9 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
use constant { SIMPLE_IF_OPTION => 1,
|
use constant { SIMPLE_IF_OPTION => 1,
|
||||||
BINARY_IF_OPTION => 2,
|
BINARY_IF_OPTION => 2,
|
||||||
ENUM_IF_OPTION => 3,
|
ENUM_IF_OPTION => 3,
|
||||||
MASK_IF_OPTION => 3,
|
MASK_IF_OPTION => 3,
|
||||||
|
|
||||||
IF_OPTION_ZONEONLY => 4 };
|
IF_OPTION_ZONEONLY => 4 };
|
||||||
|
|
||||||
my %validoptions = (arp_filter => BINARY_IF_OPTION,
|
my %validoptions = (arp_filter => BINARY_IF_OPTION,
|
||||||
@ -569,7 +569,7 @@ sub validate_interfaces_file( $ )
|
|||||||
progress_message2 "$doing $fn...";
|
progress_message2 "$doing $fn...";
|
||||||
$first_entry = 0;
|
$first_entry = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
my ($zone, $interface, $networks, $options ) = split_line 2, 4, 'interfaces file';
|
my ($zone, $interface, $networks, $options ) = split_line 2, 4, 'interfaces file';
|
||||||
my $zoneref;
|
my $zoneref;
|
||||||
my $bridge = '';
|
my $bridge = '';
|
||||||
@ -588,7 +588,7 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
( $interface, my ($port, $extra) ) = split /:/ , $interface, 3;
|
( $interface, my ($port, $extra) ) = split /:/ , $interface, 3;
|
||||||
|
|
||||||
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
|
fatal_error "Invalid INTERFACE" if defined $extra || ! $interface;
|
||||||
|
|
||||||
fatal_error "Invalid Interface Name ($interface)" if $interface eq '+';
|
fatal_error "Invalid Interface Name ($interface)" if $interface eq '+';
|
||||||
|
|
||||||
@ -620,13 +620,13 @@ sub validate_interfaces_file( $ )
|
|||||||
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
||||||
$interfaces{$interface}{bridge} = $interface;
|
$interfaces{$interface}{bridge} = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $wildcard = 0;
|
my $wildcard = 0;
|
||||||
|
|
||||||
if ( $interface =~ /\+$/ ) {
|
if ( $interface =~ /\+$/ ) {
|
||||||
$wildcard = 1;
|
$wildcard = 1;
|
||||||
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
|
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
|
||||||
} else {
|
} else {
|
||||||
$interfaces{$interface}{root} = $interface;
|
$interfaces{$interface}{root} = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -642,7 +642,7 @@ sub validate_interfaces_file( $ )
|
|||||||
my $optionsref = {};
|
my $optionsref = {};
|
||||||
|
|
||||||
my %options;
|
my %options;
|
||||||
|
|
||||||
if ( $options ) {
|
if ( $options ) {
|
||||||
|
|
||||||
for my $option (split ',', $options ) {
|
for my $option (split ',', $options ) {
|
||||||
@ -653,7 +653,7 @@ sub validate_interfaces_file( $ )
|
|||||||
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
|
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
|
||||||
|
|
||||||
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
||||||
|
|
||||||
$type &= MASK_IF_OPTION;
|
$type &= MASK_IF_OPTION;
|
||||||
|
|
||||||
if ( $type == SIMPLE_IF_OPTION ) {
|
if ( $type == SIMPLE_IF_OPTION ) {
|
||||||
@ -672,7 +672,7 @@ sub validate_interfaces_file( $ )
|
|||||||
$options{arp_ignore} = $value;
|
$options{arp_ignore} = $value;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid value ($value) for arp_ignore";
|
fatal_error "Invalid value ($value) for arp_ignore";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$options{arp_ignore} = 1;
|
$options{arp_ignore} = 1;
|
||||||
}
|
}
|
||||||
@ -692,7 +692,7 @@ sub validate_interfaces_file( $ )
|
|||||||
} elsif ( $port ) {
|
} elsif ( $port ) {
|
||||||
$options{port} = 1;
|
$options{port} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$interfaces{$interface}{options} = $optionsref = \%options;
|
$interfaces{$interface}{options} = $optionsref = \%options;
|
||||||
|
|
||||||
push @ifaces, $interface;
|
push @ifaces, $interface;
|
||||||
@ -713,7 +713,7 @@ sub validate_interfaces_file( $ )
|
|||||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
||||||
|
|
||||||
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
||||||
|
|
||||||
progress_message " Interface \"$currentline\" Validated";
|
progress_message " Interface \"$currentline\" Validated";
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -723,7 +723,7 @@ sub validate_interfaces_file( $ )
|
|||||||
#
|
#
|
||||||
for my $interface ( @ifaces ) {
|
for my $interface ( @ifaces ) {
|
||||||
my $interfaceref = $interfaces{$interface};
|
my $interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
if ( $interfaceref->{options}{bridge} ) {
|
if ( $interfaceref->{options}{bridge} ) {
|
||||||
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
|
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
|
||||||
|
|
||||||
@ -735,7 +735,7 @@ sub validate_interfaces_file( $ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
push @interfaces, $interface unless $interfaceref->{options}{port};
|
push @interfaces, $interface unless $interfaceref->{options}{port};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -902,7 +902,7 @@ sub validate_hosts_file()
|
|||||||
#
|
#
|
||||||
# Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions
|
# Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions
|
||||||
#
|
#
|
||||||
$hosts =~ s/!/,!/g;
|
$hosts =~ s/!/,!/g;
|
||||||
#
|
#
|
||||||
# Take care of case where the hosts list begins with '!'
|
# Take care of case where the hosts list begins with '!'
|
||||||
#
|
#
|
||||||
|
@ -31,18 +31,18 @@ use lib '/usr/share/shorewall-perl';
|
|||||||
use Shorewall::Config qw( open_file
|
use Shorewall::Config qw( open_file
|
||||||
push_open
|
push_open
|
||||||
pop_open
|
pop_open
|
||||||
read_a_line1
|
read_a_line1
|
||||||
split_line
|
split_line
|
||||||
fatal_error
|
fatal_error
|
||||||
%globals
|
%globals
|
||||||
ensure_config_path
|
ensure_config_path
|
||||||
set_shorewall_dir
|
set_shorewall_dir
|
||||||
set_config_path );
|
set_config_path );
|
||||||
|
|
||||||
our $offset = "\t\t ";
|
our $offset = "\t\t ";
|
||||||
|
|
||||||
our %service_hash;
|
our %service_hash;
|
||||||
|
|
||||||
sub print_it( $$ ) {
|
sub print_it( $$ ) {
|
||||||
my ( $name, $number ) = @_;
|
my ( $name, $number ) = @_;
|
||||||
my $tabs;
|
my $tabs;
|
||||||
@ -61,7 +61,7 @@ sub print_it( $$ ) {
|
|||||||
|
|
||||||
sub print_service( $$ ) {
|
sub print_service( $$ ) {
|
||||||
my ( $service, $number ) = @_;
|
my ( $service, $number ) = @_;
|
||||||
|
|
||||||
unless ( exists $service_hash{$service} ) {
|
unless ( exists $service_hash{$service} ) {
|
||||||
print_it( $service, $number );
|
print_it( $service, $number );
|
||||||
$service_hash{$service} = $number;
|
$service_hash{$service} = $number;
|
||||||
@ -107,7 +107,7 @@ print <<"EOF";
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# This module exports the %protocols and %services hashes built from
|
# This module exports the %protocols and %services hashes built from
|
||||||
# /etc/protocols and /etc/services respectively.
|
# /etc/protocols and /etc/services respectively.
|
||||||
#
|
#
|
||||||
# Module generated using buildports.pl $globals{VERSION} - $date
|
# Module generated using buildports.pl $globals{VERSION} - $date
|
||||||
@ -132,7 +132,7 @@ while ( read_a_line1 ) {
|
|||||||
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
|
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
|
||||||
|
|
||||||
print_it( $proto1, $number );
|
print_it( $proto1, $number );
|
||||||
|
|
||||||
for my $alias ( @aliases ) {
|
for my $alias ( @aliases ) {
|
||||||
last if $alias eq '-';
|
last if $alias eq '-';
|
||||||
print_it( $alias, $number );
|
print_it( $alias, $number );
|
||||||
|
@ -70,7 +70,7 @@
|
|||||||
#
|
#
|
||||||
@@ -111,20 +90,6 @@
|
@@ -111,20 +90,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Undo the effect of 'separate_list()'
|
-# Undo the effect of 'separate_list()'
|
||||||
-#
|
-#
|
||||||
@ -91,7 +91,7 @@
|
|||||||
qt()
|
qt()
|
||||||
@@ -310,83 +275,6 @@
|
@@ -310,83 +275,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
||||||
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
||||||
@ -150,7 +150,7 @@
|
|||||||
-
|
-
|
||||||
- if [ -z "$loaded" ]; then
|
- if [ -z "$loaded" ]; then
|
||||||
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
|
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
|
||||||
-
|
-
|
||||||
- if [ -f $lib ]; then
|
- if [ -f $lib ]; then
|
||||||
- progress_message "Loading library $lib..."
|
- progress_message "Loading library $lib..."
|
||||||
- . $lib
|
- . $lib
|
||||||
@ -175,7 +175,7 @@
|
|||||||
# the IP address is 128.0.0.0 or 128.0.0.1.
|
# the IP address is 128.0.0.0 or 128.0.0.1.
|
||||||
@@ -395,32 +283,6 @@
|
@@ -395,32 +283,6 @@
|
||||||
LEFTSHIFT='<<'
|
LEFTSHIFT='<<'
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Validate an IP address
|
-# Validate an IP address
|
||||||
-#
|
-#
|
||||||
@ -196,7 +196,7 @@
|
|||||||
- ;;
|
- ;;
|
||||||
- esac
|
- esac
|
||||||
- done
|
- done
|
||||||
-
|
-
|
||||||
- IFS=$ifs
|
- IFS=$ifs
|
||||||
-
|
-
|
||||||
- return 0
|
- return 0
|
||||||
@ -208,7 +208,7 @@
|
|||||||
decodeaddr() {
|
decodeaddr() {
|
||||||
@@ -456,88 +318,6 @@
|
@@ -456,88 +318,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Enumerate the members of an IP range -- When using a shell supporting only
|
-# Enumerate the members of an IP range -- When using a shell supporting only
|
||||||
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
||||||
@ -297,7 +297,7 @@
|
|||||||
ip_netmask() {
|
ip_netmask() {
|
||||||
@@ -588,60 +368,6 @@
|
@@ -588,60 +368,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Netmask to VLSM
|
-# Netmask to VLSM
|
||||||
-#
|
-#
|
||||||
@ -331,7 +331,7 @@
|
|||||||
- case $c in
|
- case $c in
|
||||||
- @*)
|
- @*)
|
||||||
- c=at_${c#@}
|
- c=at_${c#@}
|
||||||
- ;;
|
- ;;
|
||||||
- *.*)
|
- *.*)
|
||||||
- c="${c%.*}_${c##*.}"
|
- c="${c%.*}_${c##*.}"
|
||||||
- ;;
|
- ;;
|
||||||
@ -358,7 +358,7 @@
|
|||||||
chain_exists() # $1 = chain name
|
chain_exists() # $1 = chain name
|
||||||
@@ -879,21 +605,6 @@
|
@@ -879,21 +605,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Set default config path
|
-# Set default config path
|
||||||
-#
|
-#
|
||||||
@ -380,7 +380,7 @@
|
|||||||
find_file()
|
find_file()
|
||||||
@@ -918,54 +629,6 @@
|
@@ -918,54 +629,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Get fully-qualified name of file
|
-# Get fully-qualified name of file
|
||||||
-#
|
-#
|
||||||
@ -435,7 +435,7 @@
|
|||||||
set_state () # $1 = state
|
set_state () # $1 = state
|
||||||
@@ -974,200 +637,6 @@
|
@@ -974,200 +637,6 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
-# Determine which optional facilities are supported by iptables/netfilter
|
-# Determine which optional facilities are supported by iptables/netfilter
|
||||||
-#
|
-#
|
||||||
@ -626,7 +626,7 @@
|
|||||||
- report_capability1 MANGLE_FORWARD
|
- report_capability1 MANGLE_FORWARD
|
||||||
- report_capability1 COMMENTS
|
- report_capability1 COMMENTS
|
||||||
- report_capability1 ADDRTYPE
|
- report_capability1 ADDRTYPE
|
||||||
-
|
-
|
||||||
- echo CAPVERSION=$SHOREWALL_CAPVERSION
|
- echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
-}
|
-}
|
||||||
-
|
-
|
||||||
@ -637,7 +637,7 @@
|
|||||||
@@ -1286,82 +755,6 @@
|
@@ -1286,82 +755,6 @@
|
||||||
cut -b -${1}
|
cut -b -${1}
|
||||||
}
|
}
|
||||||
|
|
||||||
-#
|
-#
|
||||||
-# Add a logging rule.
|
-# Add a logging rule.
|
||||||
-#
|
-#
|
||||||
@ -718,8 +718,8 @@
|
|||||||
{
|
{
|
||||||
clear_one_tc() {
|
clear_one_tc() {
|
||||||
@@ -1496,65 +889,6 @@
|
@@ -1496,65 +889,6 @@
|
||||||
|
|
||||||
echo echo
|
echo echo
|
||||||
}
|
}
|
||||||
-
|
-
|
||||||
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
|
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
|
||||||
|
@ -168,6 +168,6 @@ get_device_mtu1() # $1 = device
|
|||||||
#
|
#
|
||||||
get_all_bcasts()
|
get_all_bcasts()
|
||||||
{
|
{
|
||||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -267,7 +267,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
|||||||
fi
|
fi
|
||||||
elif [ $savemoduleinfo = Yes ]; then
|
elif [ $savemoduleinfo = Yes ]; then
|
||||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||||
> ${VARDIR}/.modulesdir
|
> ${VARDIR}/.modulesdir
|
||||||
> ${VARDIR}/.modules
|
> ${VARDIR}/.modules
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -585,9 +585,9 @@ get_interface_bcasts() # $1 = interface
|
|||||||
{
|
{
|
||||||
local addresses=
|
local addresses=
|
||||||
|
|
||||||
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Internal version of 'which'
|
# Internal version of 'which'
|
||||||
#
|
#
|
||||||
@ -887,7 +887,7 @@ find_echo() {
|
|||||||
result=$(which echo)
|
result=$(which echo)
|
||||||
[ -n "$result" ] && { echo "$result -e"; return; }
|
[ -n "$result" ] && { echo "$result -e"; return; }
|
||||||
|
|
||||||
echo echo
|
echo echo
|
||||||
}
|
}
|
||||||
################################################################################
|
################################################################################
|
||||||
# End of functions imported from /usr/share/shorewall/lib.base
|
# End of functions imported from /usr/share/shorewall/lib.base
|
||||||
|