Enhanced syntax for SOURCE and DEST columns in the rules file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
01306e1230
commit
799b17210c
@ -130,6 +130,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
split_list
|
||||
split_list1
|
||||
split_list2
|
||||
split_list3
|
||||
split_line
|
||||
split_line1
|
||||
split_line2
|
||||
|
@ -2748,6 +2748,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Unknown ACTION ($action)" unless $actiontype;
|
||||
|
||||
$usergenerated = $actiontype & IPTABLES;
|
||||
#
|
||||
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
|
||||
#
|
||||
$source =~ s/[()]//g;
|
||||
$dest =~ s/[()]//g;
|
||||
|
||||
if ( $actiontype == MACRO ) {
|
||||
#
|
||||
@ -3777,22 +3782,8 @@ sub build_zone_list( $$$\$\$ ) {
|
||||
#
|
||||
# Process a Record in the rules file
|
||||
#
|
||||
sub process_raw_rule ( ) {
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line2( 'rules file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
|
||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||
#
|
||||
# Section Names are optional so once we get to an actual rule, we need to be sure that
|
||||
# we close off any missing sections.
|
||||
#
|
||||
next_section if $section != $next_section;
|
||||
|
||||
sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
|
||||
if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
|
||||
progress_message "Rule \"$currentline\" ignored.";
|
||||
return 1;
|
||||
@ -3858,6 +3849,44 @@ sub process_raw_rule ( ) {
|
||||
progress_message qq( Rule "$thisline" $done);
|
||||
}
|
||||
|
||||
sub process_raw_rule ( ) {
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
|
||||
= split_line2( 'rules file',
|
||||
\%rulecolumns,
|
||||
$rule_commands,
|
||||
undef, #Columns
|
||||
1 ); #Allow inline matches
|
||||
|
||||
|
||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||
#
|
||||
# Section Names are optional so once we get to an actual rule, we need to be sure that
|
||||
# we close off any missing sections.
|
||||
#
|
||||
next_section if $section != $next_section;
|
||||
|
||||
my ( @source, @dest );
|
||||
|
||||
if ( $source =~ /:\(.+\)/ ) {
|
||||
@source = split_list3( $source, 'SOURCE' );
|
||||
} else {
|
||||
@source = ( $source );
|
||||
}
|
||||
|
||||
if ( $dest =~ /:\(.+\)/ ) {
|
||||
@dest = split_list3( $dest, 'DEST' );
|
||||
} else {
|
||||
@dest = ( $dest );
|
||||
}
|
||||
|
||||
for $source ( @source ) {
|
||||
for $dest ( @dest ) {
|
||||
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
sub intrazone_allowed( $$ ) {
|
||||
my ( $zone, $zoneref ) = @_;
|
||||
|
||||
|
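Review bot: In the new `process_raw_rule` (hunk `@ -3858,6 +3849,44 @@`) the decision to call `split_list3` rests solely on the regex `/:\(.+\)/`, so a comma-separated list of tuples whose address-lists are all single, unparenthesized addresses (e.g. `dmz:192.168.2.2,net:206.124.146.22`, a form the man-page text in this same commit appears to permit) is never split and reaches `process_raw_rule1` as one string. Either the detection should key on the presence of more than one `zone:` tuple rather than on a literal `:(`, or the man-page sentence "Where the address-list consists of more than a single address, the list must be enclosed in parentheses" should state that parentheses are required whenever more than one tuple is listed; I cannot see `split_list3` on this page, so how it treats such input is not verifiable here. A smaller point of style: `for $source ( @source )` and `for $dest ( @dest )` reuse the outer `my` variables as loop variables, which works because Perl localizes them for the loop, but `for my $src ( @source )` / `for my $dst ( @dest )` would make the aliasing explicit and avoid the impression that the outer values are mutated. The same `:(`-based assumption underlies the unconditional `s/[()]//g` added to `process_rule` in hunk `@ -2748,6 +2748,11 @@`, whose body starts outside that hunk.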
@ -907,8 +907,8 @@
|
||||
role="bold">+</emphasis>][<emphasis
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
role="bold">:</emphasis>[(]{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a
|
||||
@ -1093,6 +1093,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
||||
tupples can be listed, separated by commas. Where the
|
||||
<replaceable>address-list</replaceable> consists of more than a
|
||||
single address, the list must be enclosed in parentheses.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>dmz:(192.168.2.2,192.168.2.3),net:(206.124.146.22,155.186.235.0/24!155.186.235.16/28)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Hosts 192.168.2.2 and 192.168.2.3 in the dmz zone, host
|
||||
206.124.146.22 in the dmz zone and network 155.186.235.0/24 in
|
||||
the net zone excluding 155.186.235.16/28.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1103,7 +1123,7 @@
|
||||
role="bold">any</emphasis>}[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|[(]<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>][)]|[(]<emphasis>exclusion</emphasis>[)]|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
||||
role="bold">random</emphasis>]]</term>
|
||||
|
||||
@ -1270,6 +1290,13 @@
|
||||
the port number on the firewall that the request should be
|
||||
redirected to. That is equivalent to specifying
|
||||
<option>$FW</option>::<replaceable>port</replaceable>.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
||||
tupples can be listed, separated by commas. Where the
|
||||
<replaceable>address-list</replaceable> consists of more than a
|
||||
single address, the list must be enclosed in parentheses. See the
|
||||
example in the SOURCE section above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -866,9 +866,9 @@
|
||||
role="bold">{all|any}</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis
|
||||
role="bold">-</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][(][<emphasis
|
||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source hosts to which the rule applies. May be a zone declared
|
||||
@ -960,7 +960,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>dmz:2002:ce7c::92b4:1::2</term>
|
||||
<term>dmz:[2002:ce7c:2b4:1::2]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
|
||||
@ -976,7 +976,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>loc:<2002:cec792b4:1::2,2002:cec792b4:1::44></term>
|
||||
<term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
|
||||
@ -994,11 +994,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>
|
||||
<term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
|
||||
|
||||
<listitem>
|
||||
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
|
||||
2001:4d48:ad51:24:6:/80.</para>
|
||||
2001:4d48:ad51:24:6::/80.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1024,7 +1024,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44></term>
|
||||
<term>loc:eth1:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
|
||||
@ -1033,6 +1033,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
||||
tupples can be listed, separated by commas. Where the
|
||||
<replaceable>address-list</replaceable> consists of more than a
|
||||
single address, the list must be enclosed in parentheses.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>dmz:([2002:c37c:92b4:1::2],[2002:c37c:92b4:1::3]),loc:eth1:([2002:cec792b4:1::2],[2002:cec792b4:1::44])</term>
|
||||
|
||||
<listitem>
|
||||
<para>Hosts 2002:c37c:92b4:1::2 and 2002:c37c:92b4:1::3 in the
|
||||
dmz zone and hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44
|
||||
in the loc zone via interface eth1</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|