From 77ce1b5a43ae612040a26ed117b6f3865728fbb5 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 8 May 2007 18:25:16 +0000
Subject: [PATCH] Add edits for IP addresses and ranges

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6287 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Chains.pm | 20 +++++++++++++++-----
 Shorewall-perl/Shorewall/IPAddrs.pm | 24 ++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 5f6138a79..cf936ecd9 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -31,6 +31,7 @@ use Shorewall::Common;
 use Shorewall::Config;
 use Shorewall::Zones;
 use Shorewall::Interfaces;
+use Shorewall::IPAddrs;

 use strict;

@@ -1054,8 +1055,10 @@ sub get_set_flags( $$ ) {
 sub match_source_net( $ ) {
 my $net = $_[0];

- if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
+ if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
+ my ($addr1, $addr2) = ( $2, $3 );
 $net =~ s/!// if my $invert = $1 ? '! ' : '';
+ validate_range $addr1, $addr2;
 iprange_match . "${invert}--src-range $net ";
 } elsif ( $net =~ /^(!?)~(.*)$/ ) {
 ( $net = $2 ) =~ tr/-/:/;
@@ -1066,8 +1069,11 @@ sub match_source_net( $ ) {
 join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
 } elsif ( $net =~ /^!/ ) {
 $net =~ s/!//;
+ validate_net $net;
+ validate_net $net;
 "-s ! $net ";
 } else {
+ validate_net $net;
 $net eq ALLIPv4 ? '' : "-s $net ";
 }
 }
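Review bot: Only the range branch of match_source_net gains a check here; the `~` branch two lines below (MAC addresses, judging by the `tr/-/:/`) still copies `$2` into `$net` and, in the lines past this hunk, presumably interpolates it into the rule unchecked, so a malformed value from the configuration can still reach the generated iptables line unless a caller validates it first. If IPAddrs.pm has no MAC check, adding one in that branch alongside `validate_net`/`validate_range` would complete this edit. Copying `$2`/`$3` into `$addr1`/`$addr2` before the `s/!//` resets the captures is the right order and worth a one-line comment, e.g. `# save captures: the s/!// below clobbers $2/$3`. match_source_net continues past this hunk.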
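Review bot: `validate_net $net;` is issued twice in succession in the `^!` branch of match_source_net; the second call re-checks the same value and should be deleted, leaving a single `validate_net $net;` as in the mirrored branch of match_dest_net. With that, every address-bearing branch of this sub dies via fatal_error before the `-s` string is built, which is the intent of the patch. match_source_net begins before this hunk.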
@@ -1078,16 +1084,20 @@ sub match_source_net( $ ) {
 sub match_dest_net( $ ) {
 my $net = $_[0];

- if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
+ if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
+ my ($addr1, $addr2) = ( $2, $3 );
 $net =~ s/!// if my $invert = $1 ? '! ' : '';
+ validate_range $addr1, $addr2;
 iprange_match . "${invert}--dst-range $net ";
 } elsif ( $net =~ /^(!?)\+/ ) {
 require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
 } elsif ( $net =~ /^!/ ) {
 $net =~ s/!//;
+ validate_net $net;
 "-d ! $net ";
 } else {
+ validate_net $net;
 $net eq ALLIPv4 ? '' : "-d $net ";
 }
 }
@@ -1155,7 +1165,7 @@ sub log_rule_limit( $$$$$$$$ ) {

 unless ( $predicates =~ /-m limit / ) {
 $limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
- $predicates .= $limit;
+ $predicates .= $limit if $limit;
 }

 if ( $tag ) {
@@ -1504,7 +1514,7 @@ sub expand_rule( $$$$$$$$$$ )
 unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
 my @iexcl = mysplit $iexcl;
 if ( @iexcl == 1 ) {
- $rule .= match_source_net "!$iexcl ";
+ $rule .= match_source_net "!$iexcl";
 $iexcl = '';
 }

@@ -1529,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ )
 unless ( $dnets ) {
 my @dexcl = mysplit $dexcl;
 if ( @dexcl == 1 ) {
- $rule .= match_dest_net "!$dexcl ";
+ $rule .= match_dest_net "!$dexcl";
 $dexcl = '';
 }
 }
diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm
index 045edba27..457fb9c7c 100644
--- a/Shorewall-perl/Shorewall/IPAddrs.pm
+++ b/Shorewall-perl/Shorewall/IPAddrs.pm
@@ -31,6 +31,8 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+ validate_net
+ validate_range
 ip_range_explicit
 );
 our @EXPORT_OK = qw( );
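Review bot: match_dest_net now terminates via fatal_error on a malformed address, range or VLSM (through validate_range and validate_net), but nothing at the sub says so, and the `+` ipset branch returns without any such check. Add above `sub match_dest_net( $ )` (that line precedes this hunk): `# Return the iptables destination match for $net ('' for ALLIPv4); dies via fatal_error on a bad address, range or VLSM.`, and the equivalent on match_source_net. The sub is otherwise a line-for-line mirror of match_source_net apart from the `src`/`dst` and `-s`/`-d` literals, so a shared private helper would keep future validation changes from having to be made twice.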
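Review bot: The trailing space is dropped from `"!$iexcl"` (and from `"!$dexcl"` in the hunk at 1529) because the value now has to satisfy match_source_net's anchored range pattern and validate_net, which would presumably reject `1.2.3.4 `; match_source_net and match_dest_net emit their own trailing space. Any other caller that still pads its argument will now die with `Invalid IP address` while the configuration is compiled, so the remaining call sites of both subs are worth checking in the same commit. expand_rule begins and ends outside the hunk.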
@@ -48,6 +50,16 @@ sub valid_address( $ ) { 1; } +sub validate_net( $ ) { + my ($net, $vlsm) = split '/', $_[0]; + + if ( defined $vlsm ) { + fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32; + } + + fatal_error "Invalid IP address ($net)" unless valid_address $net; +} + sub decodeaddr( $ ) { my $address = $_[0]; @@ -74,6 +86,18 @@ sub encodeaddr( $ ) { $result; } +sub validate_range( $$ ) { + my ( $low, $high ) = @_; + + fatal_error "Invalid IP address ( $low )" unless valid_address $low; + fatal_error "Invalid IP address ( $high )" unless valid_address $high; + + my $first = decodeaddr $low; + my $last = decodeaddr $high; + + fatal_error "Invalid IP Range ( $low-$high )" unless $first <= $last; +} + sub ip_range_explicit( $ ) { my $range = $_[0]; my @result;
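Review bot: `my ($net, $vlsm) = split '/', $_[0];` has no field limit, so a value such as `a.b.c.d/24/junk` loses its third field silently and passes as `/24`; write `my ($net, $vlsm) = split '/', $_[0], 2;` so the surplus stays in `$vlsm` and fails the VLSM test. That test should anchor with `\z` rather than `$`, `unless $vlsm =~ /^\d+\z/ && $vlsm <= 32;`, since `$` tolerates a trailing newline on a value that is later interpolated into a rule string. The sub has no header comment; one line saying it dies via fatal_error on a bad address or VLSM instead of returning a status would document the contract for the callers added in Chains.pm.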
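Review bot: validate_range formats its messages differently from validate_net — `Invalid IP address ( $low )` with padded parentheses against `Invalid IP address ($net)` — so the same fault is reported in two styles depending on which validator caught it; use `fatal_error "Invalid IP address ($low)"`, `fatal_error "Invalid IP address ($high)"` and `fatal_error "Invalid IP Range ($low-$high)"`. A one-line header noting that equal endpoints are accepted (`$first <= $last`) and that the sub dies via fatal_error rather than returning a status would complete the contract. The ordering check relies on decodeaddr yielding a numeric value, which is not visible in this hunk and worth confirming.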