Add edits for IP addresses and ranges

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6287 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-08 18:25:16 +00:00
parent 6160e9c627
commit 77ce1b5a43
2 changed files with 39 additions and 5 deletions


@ -31,6 +31,7 @@ use Shorewall::Common;
use Shorewall::Config; use Shorewall::Config;
use Shorewall::Zones; use Shorewall::Zones;
use Shorewall::Interfaces; use Shorewall::Interfaces;
use Shorewall::IPAddrs;
use strict; use strict;
@ -1054,8 +1055,10 @@ sub get_set_flags( $$ ) {
sub match_source_net( $ ) { sub match_source_net( $ ) {
my $net = $_[0]; my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
my ($addr1, $addr2) = ( $2, $3 );
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
validate_range $addr1, $addr2;
iprange_match . "${invert}--src-range $net "; iprange_match . "${invert}--src-range $net ";
} elsif ( $net =~ /^(!?)~(.*)$/ ) { } elsif ( $net =~ /^(!?)~(.*)$/ ) {
( $net = $2 ) =~ tr/-/:/; ( $net = $2 ) =~ tr/-/:/;
@ -1066,8 +1069,11 @@ sub match_source_net( $ ) {
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
validate_net $net;
validate_net $net;
"-s ! $net "; "-s ! $net ";
} else { } else {
validate_net $net;
$net eq ALLIPv4 ? '' : "-s $net "; $net eq ALLIPv4 ? '' : "-s $net ";
} }
} }
@ -1078,16 +1084,20 @@ sub match_source_net( $ ) {
sub match_dest_net( $ ) { sub match_dest_net( $ ) {
my $net = $_[0]; my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
my ($addr1, $addr2) = ( $2, $3 );
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
validate_range $addr1, $addr2;
iprange_match . "${invert}--dst-range $net "; iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , ''); require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
validate_net $net;
"-d ! $net "; "-d ! $net ";
} else { } else {
validate_net $net;
$net eq ALLIPv4 ? '' : "-d $net "; $net eq ALLIPv4 ? '' : "-d $net ";
} }
} }
@ -1155,7 +1165,7 @@ sub log_rule_limit( $$$$$$$$ ) {
unless ( $predicates =~ /-m limit / ) { unless ( $predicates =~ /-m limit / ) {
$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-'; $limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
$predicates .= $limit; $predicates .= $limit if $limit;
} }
if ( $tag ) { if ( $tag ) {
@ -1504,7 +1514,7 @@ sub expand_rule( $$$$$$$$$$ )
unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
my @iexcl = mysplit $iexcl; my @iexcl = mysplit $iexcl;
if ( @iexcl == 1 ) { if ( @iexcl == 1 ) {
$rule .= match_source_net "!$iexcl "; $rule .= match_source_net "!$iexcl";
$iexcl = ''; $iexcl = '';
} }
@ -1529,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ )
unless ( $dnets ) { unless ( $dnets ) {
my @dexcl = mysplit $dexcl; my @dexcl = mysplit $dexcl;
if ( @dexcl == 1 ) { if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl "; $rule .= match_dest_net "!$dexcl";
$dexcl = ''; $dexcl = '';
} }
} }
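Review bot: In the second hunk of match_source_net the `!` branch ends up with `validate_net $net;` twice in a row (the hunk header's +3 count matches the three single-printed lines, so both copies look added rather than a rendering artefact); the match_dest_net counterpart has it once, so drop one of the two. The validation is also uneven across branches: the `~` MAC branch still matches with `(.*)` and passes whatever follows the tilde into the rule after `tr/-/:/`, so a MAC syntax check there would bring it in line with the IP and range branches; what follows that `tr` is outside the hunk. A smaller point is that the range patterns anchor with `$`, which also matches before a trailing newline — `\z` is the strict end-of-string anchor, e.g. `/^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\z/` — unless the caller is known to chomp the field first. Dropping the trailing space from `"!$iexcl"` and `"!$dexcl"` in expand_rule is required by the new validate_net call, so that change is consistent.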


@ -31,6 +31,8 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
validate_net
validate_range
ip_range_explicit ip_range_explicit
); );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
@ -48,6 +50,16 @@ sub valid_address( $ ) {
1; 1;
} }
sub validate_net( $ ) {
my ($net, $vlsm) = split '/', $_[0];
if ( defined $vlsm ) {
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
}
fatal_error "Invalid IP address ($net)" unless valid_address $net;
}
sub decodeaddr( $ ) { sub decodeaddr( $ ) {
my $address = $_[0]; my $address = $_[0];
@ -74,6 +86,18 @@ sub encodeaddr( $ ) {
$result; $result;
} }
sub validate_range( $$ ) {
my ( $low, $high ) = @_;
fatal_error "Invalid IP address ( $low )" unless valid_address $low;
fatal_error "Invalid IP address ( $high )" unless valid_address $high;
my $first = decodeaddr $low;
my $last = decodeaddr $high;
fatal_error "Invalid IP Range ( $low-$high )" unless $first <= $last;
}
sub ip_range_explicit( $ ) { sub ip_range_explicit( $ ) {
my $range = $_[0]; my $range = $_[0];
my @result; my @result;