Much ado about nothing (extraneous whitespace removal)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-26 23:17:46 +00:00
parent a8231a26b8
commit 85ad25cb68
19 changed files with 392 additions and 391 deletions


@ -55,7 +55,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
}
$chain = 'accounting' unless $chain and $chain ne '-';
my $chainref = ensure_filter_chain $chain , 0;
my $target = '';
@ -118,7 +118,7 @@ sub setup_accounting() {
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
}
close ACC;
if ( $filter_table->{accounting} ) {


@ -41,7 +41,7 @@ our @EXPORT = qw( merge_levels
process_actions1
process_actions2
process_actions3
%usedactions
%default_actions
%actions
@ -160,7 +160,7 @@ sub createlogactionchain( $$ ) {
my $chainref;
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
}
@ -237,7 +237,7 @@ sub find_logactionchain( $ ) {
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
# by reading the action definition files and creating rules. Note that a given action definition file is
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
#
#
sub process_actions1() {
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
@ -246,10 +246,10 @@ sub process_actions1() {
for my $file qw/actions.std actions/ {
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
while ( $line = <F> ) {
my ( $action ) = split_line 1, 'action file';
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
$action =~ s/:.*$//;
@ -281,18 +281,18 @@ sub process_actions1() {
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/#.*$//;
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
my ( $target, $level ) = split_action $wholetarget;
$level = 'none' unless $level;
my $targettype = $targets{$target};
if ( defined $targettype ) {
next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' );
fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD;
add_requiredby $wholetarget, $action if $targettype & ACTION;
@ -303,14 +303,14 @@ sub process_actions1() {
my $macrofile = $macros{$target};
progress_message " ..Expanding Macro $macrofile...";
open M, $macrofile or fatal_error "Unable to open $macrofile: $!";
while ( $line = <M> ) {
next if $line =~ /^\s*#/;
$line =~ s/#.*$//;
next if $line =~ /^\s*$/;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
$mtarget =~ s/:.*$//;
@ -324,7 +324,6 @@ sub process_actions1() {
}
progress_message " ..End Macro";
close M;
} else {
fatal_error "Invalid TARGET ($target) in rule \"$line\"";
@ -359,10 +358,10 @@ sub process_actions2 () {
}
}
}
#
# Generate chain for non-builtin action invocation
#
#
sub process_action3( $$$$$ ) {
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
#
@ -370,9 +369,9 @@ sub process_action3( $$$$$ ) {
#
sub process_action( $$$$$$$$$$ ) {
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
my ( $action , $level ) = split_action $target;
expand_rule ( $chainref ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
@ -400,7 +399,7 @@ sub process_action3( $$$$$ ) {
next if $line =~ /^\s*$/;
$line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard;
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
my $target2 = merge_levels $wholeaction, $target;
@ -432,9 +431,9 @@ sub process_action3( $$$$$ ) {
progress_message "..Expanding Macro $fn...";
open M, $fn or fatal_error "Can't open $fn: $!";
my $standard = ( $fn =~ /^($env{SHAREDIR})/ );
while ( $line = <M> ) {
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
@ -442,7 +441,7 @@ sub process_action3( $$$$$ ) {
$line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
$mtarget = substitute_action $param, $mtarget;
@ -461,7 +460,7 @@ sub process_action3( $$$$$ ) {
}
$msource = '' if $msource eq '-';
if ( $mdest ) {
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
$mdest = $dest || '';
@ -486,7 +485,7 @@ sub process_action3( $$$$$ ) {
}
close M;
progress_message '..End Macro'
} else {
@ -495,7 +494,7 @@ sub process_action3( $$$$$ ) {
}
$comment = '';
}
}
sub process_actions3 () {
#
@ -503,83 +502,83 @@ sub process_actions3 () {
#
sub dropBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
}
sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
}
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
}
sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP';
}
sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT';
}
sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT';
}
sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
}
sub forwardUPnP ( $$$ ) {
}
sub allowinUPnP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
if ( $level ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
}
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
}
sub Limit( $$$ ) {
my ($chainref, $level, $tag) = @_;
my @tag = split /,/, $tag;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
my $set = $tag[0];
my $count = $tag[1] + 1;
add_rule $chainref, "-m recent --name $set --set";
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
@ -588,7 +587,7 @@ sub process_actions3 () {
} else {
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
}
add_rule $chainref, '-j ACCEPT';
}
@ -609,14 +608,14 @@ sub process_actions3 () {
$level = '' unless defined $level;
$tag = '' unless defined $tag;
if ( $targets{$action} & BUILTIN ) {
$level = '' if $level =~ /none!?/;
$builtinops{$action}->($chainref, $level, $tag);
} else {
process_action3 $chainref, $wholeaction, $action, $level, $tag;
}
}
}
}
1;


@ -47,7 +47,7 @@ our @EXPORT = qw( STANDARD
OUTPUT_RESTRICT
POSTROUTE_RESTRICT
ALL_RESTRICT
add_command
add_rule
insert_rule
@ -99,7 +99,7 @@ our @EXPORT = qw( STANDARD
addnatjump
insertnatjump
create_netfilter_load
@policy_chains
%chain_table
$nat_table
@ -249,7 +249,7 @@ my $loopcount = 0;
sub add_command($$)
{
my ($chainref, $command) = @_;
push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command );
$chainref->{referenced} = 1;
@ -265,7 +265,7 @@ sub add_command($$)
sub add_rule($$)
{
my ($chainref, $rule) = @_;
$rule .= " -m comment --comment \"$comment\"" if $comment;
if ( $loopcount ) {
@ -289,13 +289,13 @@ sub insert_rule($$$)
my ($chainref, $number, $rule) = @_;
fatal_error 'Internal Error in insert_rule()' if $loopcount;
$rule .= "-m comment --comment \"$comment\"" if $comment;
splice @{$chainref->{rules}}, $number - 1, 0, $rule;
$chainref->{referenced} = 1;
$iprangematch = 0;
}
@ -429,7 +429,7 @@ sub new_chain($$)
my ($table, $chain) = @_;
my %ch;
my @rules;
$ch{name} = $chain;
$ch{log} = 1 if $env{LOGRULENUMBERS};
$ch{rules} = \@rules;
@ -456,7 +456,7 @@ sub ensure_chain($$)
my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain};
return $ref if $ref;
new_chain $table, $chain;
@ -484,7 +484,7 @@ sub ensure_filter_chain( $$ )
}
$chainref->{referenced} = 1;
$chainref;
}
@ -492,7 +492,7 @@ sub ensure_mangle_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain;
$chainref->{referenced} = 1;
$chainref;
@ -504,7 +504,7 @@ sub ensure_mangle_chain($) {
sub new_builtin_chain($$$)
{
my ( $table, $chain, $policy ) = @_;
my $chainref = new_chain $table, $chain;
$chainref->{referenced} = 1;
$chainref->{policy} = $policy;
@ -515,7 +515,7 @@ sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0];
$chainref->{referenced} = 1;
$chainref;
}
}
#
# Add all builtin chains to the chain table
@ -538,7 +538,7 @@ sub initialize_chain_table()
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
if ( $capabilities{MANGLE_FORWARD} ) {
for my $chain qw/ FORWARD POSTROUTING / {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
@ -554,7 +554,7 @@ sub finish_chain_section ($$) {
my $chain = $chainref->{name};
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
@ -575,7 +575,7 @@ sub finish_chain_section ($$) {
}
}
}
}
}
#
# Do section-end processing
@ -610,7 +610,7 @@ sub do_proto( $$$ )
my ($proto, $ports, $sports ) = @_;
my $output = '';
$proto = '' if $proto eq '-';
$ports = '' if $ports eq '-';
$sports = '' if $sports eq '-';
@ -624,14 +624,14 @@ sub do_proto( $$$ )
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
for my $port ( @ports ) {
if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
$count++;
}
}
fatal_error "Too many entries in port list: $ports" if $count > 15;
$output .= "-m multiport --dports $ports ";
@ -639,21 +639,21 @@ sub do_proto( $$$ )
$output .= "--dport $ports ";
}
}
if ( $sports ) {
my @ports = split /,/, $sports;
my $count = @ports;
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
for my $port ( @ports ) {
if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT};
$count++;
}
}
fatal_error "Too many entries in port list: $sports" if $count > 15;
$output .= "-m multiport --sports $sports ";
@ -726,17 +726,17 @@ sub validate_mark( $ ) {
sub do_test ( $$ )
{
my ($testval, $mask) = @_;
return '' unless $testval and $testval ne '-';
my $invert = $testval =~ s/^!// ? '! ' : '';
my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark ';
$testval .= '/0xFF' unless ( $testval =~ '/' );
"${invert}$match $testval ";
}
#
# Create a "-m limit" match for the passed LIMIT/BURST
@ -745,7 +745,7 @@ sub do_ratelimit( $ ) {
my $rate = $_[0];
return '' unless $rate and $rate ne '-';
if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
"-m limit --limit $1 --limit-burst $2 ";
} else {
@ -769,7 +769,7 @@ sub do_user( $ ) {
$rule .= "--cmd-owner $2 " if $2;
$user = $1;
}
if ( $user =~ /^!(.*):(.*)$/ ) {
$rule .= "! --uid-owner $1 " if $1;
$rule .= "! --gid-owner $2 " if $2;
@ -790,10 +790,10 @@ sub do_user( $ ) {
#
sub do_tos( $ ) {
my $tos = $_[0];
$tos ne '-' ? "-m tos --tos $tos " : '';
}
}
#
# Avoid generating a second '-m iprange' in a single rule.
#
@ -825,7 +825,7 @@ sub get_set_flags( $$ ) {
$setname = $1;
$options = $2;
}
$setname =~ s/^\+//;
"--set $setname $options"
@ -836,7 +836,7 @@ sub get_set_flags( $$ ) {
#
sub match_source_net( $ ) {
my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
@ -859,7 +859,7 @@ sub match_source_net( $ ) {
#
sub match_dest_net( $ ) {
my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
@ -881,7 +881,7 @@ sub match_orig_dest ( $ ) {
my $net = $_[0];
return '' if $net eq ALLIPv4;
if ( $net =~ /^!/ ) {
$net =~ s/!//;
"-m conntrack --ctorigdst ! $net ";
@ -908,7 +908,7 @@ sub match_ipsec_in( $$ ) {
'';
}
}
#
# Match Dest IPSEC
#
@ -926,7 +926,7 @@ sub match_ipsec_out( $$ ) {
'';
}
}
#
# Generate a log message
#
@ -999,7 +999,7 @@ sub mysplit( $ ) {
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@ -1027,7 +1027,7 @@ sub get_interface_address ( $ ) {
$interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)";
}
#
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
#
@ -1043,7 +1043,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( $loglevel ) {
( $loglevel, $logtag ) = split /:/, $loglevel;
if ( $loglevel =~ /^none!?$/i ) {
return if $disposition eq 'LOG';
$loglevel = $logtag = '';
@ -1106,7 +1106,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( @interfaces > 1 ) {
add_command $chainref, 'addresses=';
for my $interface ( @interfaces ) {
get_interface_address $interface;
add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
@ -1152,11 +1152,11 @@ sub expand_rule( $$$$$$$$$$ )
if $restriction & INPUT_RESTRICT;
$rule .= "-o $diface ";
}
}
}
if ( $origdest ) {
if ( $origdest eq '-' ) {
$origdest = '';
$origdest = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
#
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -1256,7 +1256,7 @@ sub expand_rule( $$$$$$$$$$ )
# We have non-trivial exclusion -- need to create an exclusion chain
#
my $echain = newexclusionchain;
#
# Use the current rule and sent all possible matches to the exclusion chain
#
@ -1275,7 +1275,7 @@ sub expand_rule( $$$$$$$$$$ )
#
$inets = ALLIPv4;
$dnets = ALLIPv4;
#
# Create the Exclusion Chain
#
@ -1347,7 +1347,7 @@ sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) {
add_rule $nat_table->{$source} , $predicates . "-j $dest";
} else {
@ -1359,9 +1359,9 @@ sub addnatjump( $$$ ) {
#
sub insertnatjump( $$$$ ) {
my ( $source, $dest, $countref, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) {
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest";
} else {
@ -1406,7 +1406,7 @@ sub emitr( $ ) {
}
sub create_netfilter_load() {
emit 'setup_netfilter()';
emit '{';
push_indent;
@ -1430,9 +1430,9 @@ sub create_netfilter_load() {
for my $table qw/raw nat mangle filter/ {
emitr "*$table";
my @chains;
for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain};
if ( $chainref ) {
@ -1479,5 +1479,5 @@ sub create_netfilter_load() {
emit "}\n";
}
1;


@ -52,7 +52,7 @@ our @EXPORT = qw(ALLIPv4
copy1
create_temp_aux_config
finalize_aux_config
@allipv4
@rfc1918_networks
$line
@ -111,20 +111,20 @@ sub split_line( $$ ) {
my ( $columns, $description ) = @_;
chomp $line;
$line =~ s/\s+/ /g;
my @line = split /\s+/, $line;
return @line if $line[0] eq 'COMMENT';
fatal_error "Invalid $description entry: $line" if @line > $columns;
push @line, '-' while @line < $columns;
@line;
}
sub create_temp_object( $ ) {
my $objectfile = $_[0];
my $suffix;
@ -174,7 +174,7 @@ sub emit ( $ ) {
print $object "$line\n";
$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
} else {
print $object "\n" unless $lastlineblank;
print $object "\n" unless $lastlineblank;
$lastlineblank = 1;
}
}
@ -188,7 +188,7 @@ sub emitj {
for ( @_ ) { emit $_ };
}
}
#
# Write passed message to the object with no indentation.
@ -261,14 +261,14 @@ sub pop_indent() {
sub copy( $ ) {
if ( $object ) {
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
while ( my $line = <IF> ) {
$line =~ s/^/$indent/ if $indent;
print $object $line;
}
close IF;
}
}
@ -276,9 +276,9 @@ sub copy( $ ) {
sub copy1( $ ) {
if ( $object ) {
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
my $do_indent = 1;
while ( my $line = <IF> ) {
@ -287,12 +287,12 @@ sub copy1( $ ) {
$do_indent = 1;
next;
}
$line =~ s/^/$indent/ if $indent && $do_indent;
print $object $line;
$do_indent = ! ( $line =~ /\\$/ );
}
close IF;
}
}
@ -321,6 +321,6 @@ END {
}
system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR};
}
}
1;


@ -243,9 +243,9 @@ sub report_capabilities() {
print " $capdesc{$cap}: ";
print $capabilities{$cap} ? "Available\n" : "Not Available\n";
}
print "Shorewall has detected the following capabilities:\n";
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
report_capability $cap;
}
@ -373,7 +373,7 @@ sub get_configuration() {
default_yes_no 'BRIDGING' , '';
fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING};
default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , '';
default_yes_no 'LOGTAGONLY' , '';
@ -397,7 +397,7 @@ sub get_configuration() {
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP';
my $val;
$env{MACLIST_TARGET} = 'reject';
@ -415,7 +415,7 @@ sub get_configuration() {
} else {
$config{MACLIST_DISPOSITION} = 'REJECT';
}
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
@ -431,7 +431,7 @@ sub get_configuration() {
} else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP';
}
$env{TC_SCRIPT} = '';
if ( $val = "\L$config{TC_ENABLED}" ) {
@ -451,7 +451,7 @@ sub get_configuration() {
default 'ACCEPT_DEFAULT' , 'none';
default 'OPTIMIZE' , 0;
default 'IPSECFILE' , 'ipsec';
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
}
@ -477,7 +477,7 @@ sub get_configuration() {
};
fatal_error "Invalid LOGFORMAT ($val)" if $@;
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
if length $result > 29;
@ -514,7 +514,7 @@ sub propagateconfig() {
my $value = $config{$option} || '';
emit "$option=\"$value\"";
}
for my $option ( @Shorewall::Config::propagateenv ) {
my $value = $env{$option} || '';
emit "$option=\"$value\"";
@ -529,7 +529,7 @@ sub append_file( $ ) {
save_progress_message "Processing $user_exit ...";
copy1 $user_exit;
}
}
}
}
#
@ -570,7 +570,7 @@ sub generate_aux_config() {
create_temp_aux_config;
emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" );
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option;
}


@ -45,7 +45,7 @@ sub validate_hosts_file()
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
routeback => 1,
routefilter => 1,
tcpflags => 1,
);
@ -76,7 +76,7 @@ sub validate_hosts_file()
}
my $optionsref;
if ( $options ne '-' ) {
my @options = split ',', $options;
my %options;


@ -52,7 +52,7 @@ sub decodeaddr( $ ) {
my @address = split /\./, $address;
my $result = shift @address;
for my $a ( @address ) {
$result = ( $result << 8 ) | $a;
}
@ -84,10 +84,10 @@ sub ip_range_explicit( $ ) {
if ( defined $high ) {
fatal_error "Invalid IP address ( $high )" unless valid_address $high;
my $first = decodeaddr $low;
my $last = decodeaddr $high;
fatal_error "Invalid IP Range ( $range )" unless $first <= $last;
while ( ++$first <= $last ) {


@ -87,7 +87,7 @@ sub add_group_to_zone($$$$$)
$ifacezone = $zone if $host eq ALLIPv4;
}
}
push @$new, $switched ? "$interface:$host" : $host;
}
@ -111,7 +111,8 @@ sub add_group_to_zone($$$$$)
#
# Parse the interfaces file.
#
#
sub validate_interfaces_file()
{
my %validoptions = (arp_filter => 1,
@ -124,7 +125,7 @@ sub validate_interfaces_file()
norfc1918 => 1,
nosmurfs => 1,
proxyarp => 1,
routeback => 1,
routeback => 1,
routefilter => 1,
sourceroute => 1,
tcpflags => 1,
@ -188,13 +189,13 @@ sub validate_interfaces_file()
push @interfaces, $interface;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$line\" Validated";
}
}
close INTERFACES;
}


@ -59,7 +59,7 @@ sub find_macro( $ )
$macros{$macro} = $macrofile;
$targets{$macro} = MACRO;
}
}
}
#
# Macro and action files can have shell variables embedded. This function expands them from %ENV.
@ -67,7 +67,7 @@ sub find_macro( $ )
sub expand_shell_variables( $ ) {
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
}
#
# Return ( action, level[:tag] ) from passed full action
#
@ -112,7 +112,7 @@ sub merge_macro_source_dest( $$ ) {
return "$invocation:$body";
}
}
$body || '';
}


@ -142,7 +142,7 @@ sub setup_one_masq($$$$$$)
if ( $2 =~ /\./ ) {
$fullinterface = $one;
$destnets = $two;
}
}
}
#
@ -162,7 +162,7 @@ sub setup_one_masq($$$$$$)
# Handle Protocol and Ports
#
$rule .= do_proto $proto, $ports, '';
my $detectaddress = 0;
#
# Parse the ADDRESSES column
@ -232,7 +232,7 @@ sub setup_one_masq($$$$$$)
}
progress_message " Masq record \"$line\" $done";
}
#
@ -294,7 +294,7 @@ sub do_one_nat( $$$$$ )
sub add_nat_rule( $$ ) {
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
}
my $add_ip_aliases = $config{ADD_IP_ALIASES};
my $policyin = '';
@ -320,7 +320,7 @@ sub do_one_nat( $$$$$ )
validate_nat_column 'ALL INTERFACES', \$allints;
validate_nat_column 'LOCAL' , \$localnat;
if ( $allints ) {
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
@ -328,7 +328,7 @@ sub do_one_nat( $$$$$ )
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
}
add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat;
if ( $add_ip_aliases ) {
@ -345,7 +345,7 @@ sub do_one_nat( $$$$$ )
# Process NAT file
#
sub setup_nat() {
open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!";
while ( $line = <NAT> ) {
@ -362,7 +362,7 @@ sub setup_nat() {
} else {
do_one_nat $external, $interface, $internal, $allints, $localnat;
}
}
close NAT;
@ -374,7 +374,7 @@ sub setup_nat() {
# Setup Network Mapping
#
sub setup_netmap() {
open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!";
while ( $line = <NM> ) {


@ -45,7 +45,7 @@ sub new_policy_chain($$$)
my ($chain, $policy, $optional) = @_;
my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{is_optional} = $optional;
@ -87,12 +87,12 @@ sub validate_policy()
QUEUE => undef,
NONE => undef
);
my %map = ( DROP_DEFAULT => 'DROP' ,
REJECT_DEFAULT => 'REJECT' ,
ACCEPT_DEFAULT => 'ACCEPT' ,
QUEUE_DEFAULT => 'QUEUE' );
my $zone;
use constant { OPTIONAL => 1 };
@ -101,7 +101,7 @@ sub validate_policy()
my $action = $config{$option};
next if $action eq 'none';
my $actiontype = $targets{$action};
if ( defined $actiontype ) {
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
} else {
@ -115,7 +115,7 @@ sub validate_policy()
$default_actions{$map{$option}} = $action;
}
for $zone ( @zones ) {
push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL );
@ -138,7 +138,7 @@ sub validate_policy()
$synparams = '' unless defined $synparams;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
@ -153,7 +153,7 @@ sub validate_policy()
$default = 'none';
} elsif ( $default ) {
my $defaulttype = $targets{$default};
if ( $defaulttype & ACTION ) {
unless ( $usedactions{$default} ) {
$usedactions{$default} = 1;
@ -161,7 +161,7 @@ sub validate_policy()
}
} else {
fatal_error "Unknown Default Action ($default) in policy \"$line\"";
}
}
} else {
$default = $default_actions{$policy} || '';
}
@ -174,13 +174,13 @@ sub validate_policy()
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
}
my $chain = "${client}2${server}";
my $chainref;
if ( defined $filter_table->{$chain} ) {
$chainref = $filter_table->{$chain};
if ( $chainref->{is_policy} ) {
if ( $chainref->{is_optional} ) {
$chainref->{is_optional} = 0;
@ -221,13 +221,13 @@ sub validate_policy()
set_policy_chain "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain;
}
} else {
print_policy $client, $server, $policy, $chain;
}
}
close POLICY;
close POLICY;
}
#
@ -281,7 +281,7 @@ sub default_policy( $$$ ) {
}
progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
}
sub apply_policy_rules() {


@ -79,7 +79,7 @@ fi
for my $interface ( @$interfaces1 ) {
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
my $value = get_interface_option $interface, 'arp_ignore';
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
emit "if [ -f $file ]; then
@ -100,7 +100,7 @@ sub setup_route_filtering() {
my $interfaces = find_interfaces_by_option 'routefilter';
if ( @$interfaces || $config{ROUTE_FILTER} ) {
progress_message2 "$doing Kernel Route Filtering...";
save_progress_message "Setting up Route Filtering...";
@ -120,7 +120,7 @@ else
fi
";
}
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
if ( $config{ROUTE_FILTER} ) {
@ -140,7 +140,7 @@ sub setup_martian_logging() {
my $interfaces = find_interfaces_by_option 'logmartians';
if ( @$interfaces || $config{LOG_MARTIANS} ) {
progress_message2 "$doing Martian Logging...";
save_progress_message "Setting up Martian Logging...";
@ -160,7 +160,7 @@ else
fi
";
}
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
if ( $config{LOG_MARTIANS} ) {
@ -170,7 +170,7 @@ fi
}
}
#
# Source Routing
#


@ -61,10 +61,10 @@ my @providers;
sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
@ -95,11 +95,11 @@ sub setup_providers() {
sub copy_and_edit_table( $$$ ) {
my ( $duplicate, $number, $copy ) = @_;
my $match = $copy;
$match =~ s/ /\|/g;
emitj ( "ip route show table $duplicate | while read net route; do",
' case $net in',
' default|nexthop)',
@ -118,18 +118,18 @@ sub setup_providers() {
sub balance_default_route( $$$ ) {
my ( $weight, $gateway, $interface ) = @_;
$balance = 1;
emit '';
if ( $first_default_route ) {
if ( $gateway ) {
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
} else {
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
}
$first_default_route = 0;
} else {
if ( $gateway ) {
@ -139,15 +139,15 @@ sub setup_providers() {
}
}
}
sub add_a_provider( $$$$$$$$ ) {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
fatal_error "Duplicate provider ( $table )" if $providers{$table};
for my $provider ( keys %providers ) {
fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number;
}
@ -161,7 +161,7 @@ sub setup_providers() {
emit "${iface}_up=Yes";
emit "qt ip route flush table $number";
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
$duplicate = '-' unless $duplicate;
$copy = '-' unless $copy;
@ -173,7 +173,7 @@ sub setup_providers() {
my @c = ( split /,/, $copy );
$copy = "@c";
}
copy_and_edit_table( $duplicate, $number ,$copy );
} else {
copy_table ( $duplicate, $number );
@ -199,7 +199,7 @@ sub setup_providers() {
$gateway = '';
emit "run_ip route add default dev $interface table $number";
}
$mark = '-' unless $mark;
my $val = 0;
@ -207,15 +207,15 @@ sub setup_providers() {
if ( $mark ne '-' ) {
$val = numeric_value $mark;
verify_mark $mark;
if ( $val < 256) {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
} else {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
}
for my $provider ( keys %providers ) {
my $num = $providers{$provider}{mark};
fatal_error "Duplicate mark value ( $mark )" if $num == $val;
@ -254,48 +254,48 @@ sub setup_providers() {
}
}
}
if ( $loose ) {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n";
emitj ( "find_interface_addresses $interface | while read address; do",
' qt ip rule del from $address',
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))',
'done' );
} else {
} else {
emit "\nfind_interface_addresses $interface | while read address; do";
emit ' qt ip rule del from $address';
emit 'done';
}
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
pop_indent;
emit 'else';
if ( $optional ) {
emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"";
emit " ${iface}_up=";
} else {
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
}
emit "fi\n";
emit "fi\n";
}
sub add_an_rtrule( $$$$ ) {
my ( $source, $dest, $provider, $priority ) = @_;
unless ( $providers{$provider} ) {
unless ( $providers{$provider} ) {
my $found = 0;
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
my $provider_number = numeric_value $provider;
for my $provider ( keys %providers ) {
if ( $providers{$provider}{number} == $provider_number ) {
$found = 1;
@ -303,17 +303,17 @@ sub setup_providers() {
}
}
}
fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found;
}
$source = '-' unless $source;
$dest = '-' unless $dest;
fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-';
$dest = $dest eq '-' ? '' : "to $dest";
if ( $source eq '-' ) {
$source = '';
} elsif ( $source =~ /:/ ) {
@ -324,11 +324,11 @@ sub setup_providers() {
} else {
$source = "iif $source";
}
fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/;
$priority = "priority $priority";
emit "qt ip rule del $source $dest $priority";
emit "run_ip rule add $source $dest $priority table $provider";
emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing";
@ -358,15 +358,15 @@ sub setup_providers() {
'# Initialize the file that holds \'undo\' commands',
'#',
'> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE=';
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
while ( $line = <PV> ) {
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@ -392,8 +392,10 @@ sub setup_providers() {
'fi',
'' );
} else {
emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#";
emit 'restore_default_route';
emitj( '#',
'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
'#',
'restore_default_route' );
}
emit 'cat > /etc/iproute2/rt_tables <<EOF';
@ -412,7 +414,7 @@ sub setup_providers() {
emit 'echocommand=$(find_echo)';
emit '';
for my $table ( @providers ) {
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
}
@ -427,7 +429,7 @@ sub setup_providers() {
while ( $line = <RR> ) {
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority );
}
@ -439,7 +441,7 @@ sub setup_providers() {
emit 'run_ip route flush cache';
pop_indent;
emit "fi\n";
setup_route_marking if @routemarked_interfaces;
}


@ -69,7 +69,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
fi
progress_message \" Host $address connected to $interface added to ARP on $external\"\n";
push @proxyarp, "$address $interface $external $haveroute";
progress_message " Host $address connected to $interface added to ARP on $external";
@ -91,7 +91,7 @@ sub setup_proxy_arp() {
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
while ( $line = <PA> ) {
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
$set{$interface} = 1;


@ -71,9 +71,9 @@ sub process_tos() {
open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!";
while ( $line = <TOS> ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
fatal_error "TOS field required: $line" unless $tos ne '-';
my $chainref;
@ -81,7 +81,7 @@ sub process_tos() {
my $restriction = NO_RESTRICT;
my ( $srczone , $source ) = split /:/, $src;
if ( $srczone eq $firewall_zone ) {
$chainref = $outtosref;
$src = $source || '-';
@ -92,7 +92,7 @@ sub process_tos() {
}
$dst =~ s/^all:?//;
expand_rule
$chainref ,
$restriction ,
@ -133,11 +133,11 @@ sub setup_rfc1918_filteration( $ ) {
}
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
while ( $line = <RFC> ) {
my ( $networks, $target ) = split_line 2, 'rfc1918 file';
my $s_target;
if ( $target eq 'logdrop' ) {
@ -202,9 +202,9 @@ sub setup_blacklist() {
if ( $level ) {
my $chainref = new_standard_chain 'blacklog';
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
add_rule $chainref, "-j $target" ;
$target = 'blacklog';
@ -217,7 +217,7 @@ sub setup_blacklist() {
progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) );
while ( $line = <BL> ) {
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
expand_rule
@ -231,7 +231,7 @@ sub setup_blacklist() {
'' ,
$disposition ,
'';
progress_message " \"$line\" added to blacklist";
}
}
@ -239,14 +239,14 @@ sub setup_blacklist() {
close BL;
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for my $hostref ( @$hosts ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
}
@ -268,7 +268,7 @@ sub process_criticalhosts() {
while ( $line = <RS> ) {
my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -309,7 +309,7 @@ sub process_routestopped() {
while ( $line = <RS> ) {
my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -327,7 +327,7 @@ sub process_routestopped() {
warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\"";
} else {
$routeback = 1;
for my $host ( split /,/, $hosts ) {
my $source = match_source_net $host;
my $dest = match_dest_net $host;
@ -342,7 +342,7 @@ sub process_routestopped() {
} elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) {
$dest{"$interface:$host"} = 1;
}
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical';
}
@ -358,10 +358,10 @@ sub process_routestopped() {
my ( $interface, $h ) = split /:/, $host;
my $source = match_source_net $h;
my $dest = match_dest_net $h;
emit "\$IPTABLES INPUT -i $interface $source ACCEPT";
emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED};
my $matched = 0;
if ( $source{$host} ) {
@ -373,7 +373,7 @@ sub process_routestopped() {
emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT";
$matched = 1;
}
unless ( $matched ) {
for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) {
@ -405,7 +405,7 @@ sub add_common_rules() {
new_standard_chain 'dynamic';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for $interface ( @interfaces ) {
for $chain ( input_chain $interface , forward_chain $interface ) {
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
@ -429,7 +429,7 @@ sub add_common_rules() {
} elsif ( @$list ) {
fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables";
}
if ( @$list ) {
progress_message2 ' Adding Anti-smurf Rules';
for my $hostref ( @$list ) {
@ -441,9 +441,9 @@ sub add_common_rules() {
}
}
}
add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset';
if ( $capabilities{ENHANCED_REJECT} ) {
add_rule $rejectref , '-p udp -j REJECT';
add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable';
@ -480,20 +480,20 @@ sub add_common_rules() {
my $disposition;
progress_message2 " $doing TCP Flags filtering...";
$chainref = new_standard_chain 'tcpflags';
if ( $config{TCP_FLAGS_LOG_LEVEL} ) {
my $logflagsref = new_standard_chain 'logflags';
my $savelogparms = $env{LOGPARMS};
$env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG';
log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
$env{LOGPARMS} = $savelogparms;
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
add_rule $logflagsref , '-j REJECT --reject-with tcp-reset';
} else {
@ -527,13 +527,13 @@ sub add_common_rules() {
new_standard_chain $chain;
}
}
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
$list = find_interfaces_by_option 'upnp';
@ -570,16 +570,16 @@ sub setup_mac_lists( $ ) {
}
my @maclist_interfaces = ( sort keys %maclist_interfaces );
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
if ( $phase == 1 ) {
for my $interface ( @maclist_interfaces ) {
my $chainref = new_chain $table , mac_chain $interface;
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
if ( $config{MACLIST_TTL} ) {
my $chain1ref = new_chain $table, macrecent_target $interface;
@ -709,11 +709,11 @@ sub process_macro ( $$$$$$$$$$$ ) {
next if $line =~ /^\s*$/;
$line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
$mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
$mtarget = substitute_action $param, $mtarget;
@ -727,7 +727,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
createactionchain $mtarget;
$usedactions{$mtarget} = 1;
}
$mtarget = find_logactionchain $mtarget;
} else {
fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD;
@ -746,7 +746,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
}
$msource = '' if $msource eq '-';
if ( $mdest ) {
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
$mdest = $dest || '';
@ -766,7 +766,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
$msports = merge_macro_column $msports, $sports;
$mrate = merge_macro_column $mrate, $rate;
$muser = merge_macro_column $muser, $user;
process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user;
progress_message " Rule \"$line\" $done"; }
@ -794,9 +794,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
if ( $actiontype == MACRO ) {
process_macro
$macros{$basictarget},
target ,
process_macro
$macros{$basictarget},
$target ,
$param ,
$source,
$dest,
@ -848,7 +848,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
$sourcezone = $source;
$source = ALLIPv4;
}
if ( $dest =~ /^(.+?):(.*)/ ) {
$destzone = $1;
$dest = $2;
@ -966,7 +966,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
# NONAT or ACCEPT+ -- May not specify a destination interface
#
fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/;
$origdest = '' unless $origdest and $origdest ne '-';
if ( $origdest eq 'detect' ) {
@ -1146,7 +1146,7 @@ sub process_rules() {
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
}
close RULES;
$comment = '';
@ -1172,16 +1172,16 @@ sub generate_matrix() {
my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain};
return $chain if $chainref && $chainref->{referenced};
return 'ACCEPT' if $zone eq $zone1;
if ( $chainref->{policy} ne 'CONTINUE' ) {
my $policyref = $chainref->{policychain};
return $policyref->{name} if $policyref;
fatal_error "No policy defined for zone $zone to zone $zone1";
}
'';
}
@ -1200,9 +1200,9 @@ sub generate_matrix() {
#
sub insert_exclusions( $$ ) {
my ( $chainref, $exclusionsref ) = @_;
my $num = 1;
for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host;
insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
@ -1214,12 +1214,13 @@ sub generate_matrix() {
#
sub add_exclusions ( $$ ) {
my ( $chainref, $exclusionsref ) = @_;
for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host;
add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
}
}
}
#
# Generate_Matrix() Starts Here
#
@ -1241,7 +1242,7 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , '';
for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface ";
addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface ";
@ -1256,7 +1257,7 @@ sub generate_matrix() {
my $num = 1;
my $in_ref = new_standard_chain "${zone}_input";
my $out_ref = new_standard_chain "${zone}_output";
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT';
for my $host ( @$exclusions ) {
@ -1265,13 +1266,13 @@ sub generate_matrix() {
add_rule $in_ref , "-i $interface -s $net -j RETURN";
add_rule $out_ref , "-i $interface -s $net -j RETURN";
}
if ( $capabilities{POLICY_MATCH} ) {
my $type = $zoneref->{type};
my $source_ref = $zoneref->{hosts}{ipsec} || [];
create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' );
for my $interface ( keys %$source_ref ) {
my $arrayref = $source_ref->{$interface};
for my $hostref ( @{$arrayref} ) {
@ -1283,7 +1284,7 @@ sub generate_matrix() {
}
}
}
}
}
}
}
#
@ -1335,7 +1336,7 @@ sub generate_matrix() {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
}
}
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );
if ( $chain2 ) {
@ -1366,11 +1367,11 @@ sub generate_matrix() {
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
my $zone1ref = $zones{$zone1};
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE';
my $chain = rules_target $zone, $zone1;
next unless $chain;
if ( $zone eq $zone1 ) {
@ -1380,7 +1381,7 @@ sub generate_matrix() {
no warnings;
next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
}
if ( $chain =~ /2all$/ ) {
if ( $chain ne $last_chain ) {
$last_chain = $chain;
@ -1398,7 +1399,7 @@ sub generate_matrix() {
$last_chain = '';
}
}
if ( $last_chain && @temp_zones == 1 ) {
push @dest_zones, @temp_zones;
$last_chain = '';
@ -1424,9 +1425,9 @@ sub generate_matrix() {
next unless $chain;
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
my $num_ifaces = 0;
if ( $zone eq $zone1 ) {
#
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
@ -1437,9 +1438,9 @@ sub generate_matrix() {
my $chainref = $filter_table->{$chain};
my $exclusions1 = $zone1ref->{exclusions};
my $dest_hosts_ref = $zone1ref->{hosts};
if ( @$exclusions1 ) {
if ( $chain eq "all2$zone1" ) {
unless ( $chain_exclusions{$chain} ) {
@ -1448,7 +1449,7 @@ sub generate_matrix() {
}
} elsif ( $chain =~ /2all$/ ) {
my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
unless ( $chain ) {
$chain1 = newexclusionchain;
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
@ -1456,13 +1457,13 @@ sub generate_matrix() {
add_exclusions $chain1ref, $exclusions1;
add_rule $chain1ref, "-j $chain";
}
$chain = $chain1;
} else {
insert_exclusions $chainref , $exclusions1;
}
}
if ( $complex ) {
for my $typeref ( values %$dest_hosts_ref ) {
for my $interface ( keys %$typeref ) {
@ -1580,6 +1581,6 @@ sub dump_rule_chains() {
for my $arrayref ( @rule_chains ) {
emit_unindented "@$arrayref";
}
}
}
1;
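Review bot: The modifier on the `add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT'` line in the `@ -1256` hunk parses as `rules_target( $zone, ( $zone eq 'ACCEPT' ) )`, because `eq` binds tighter than the list operator's comma, so the helper is called with an empty second zone and its return value is never compared against `'ACCEPT'`; it should read `if rules_target( $zone, $zone ) eq 'ACCEPT';`. In the `@ -1448` hunk, `unless ( $chain ) {` guards the creation of a new exclusion chain, but `$chain` was just matched against `/2all$/` and cannot be false there, so the cached lookup on the line above looks like what was meant: `unless ( $chain1 ) {`. In the `@ -766` hunk of process_macro, `$mrate` and `$muser` are merged from the macro columns and then `process_rule1` is passed `$rate, $user` instead, which appears to drop the merged values silently and is worth confirming against the intended macro semantics. None of these are introduced by this commit, and each enclosing sub starts outside the hunk shown.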


@ -49,7 +49,7 @@ my %tcs = ( t => { chain => 'tcpost',
ct => { chain => 'tcpost' ,
target => 'CONNMARK --set-mark' ,
connmark => 1 ,
fw => 1
fw => 1
} ,
c => { target => 'CONNMARK --set-mark' ,
connmark => 1 ,
@ -91,7 +91,7 @@ use constant { NOMARK => 0 ,
SMALLMARK => 1 ,
HIGHMARK => 2
};
my @tccmd = ( { pattern => 'SAVE' ,
target => 'CONNMARK --save-mark --mask' ,
mark => SMALLMARK ,
@ -142,7 +142,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
if ( $designator ) {
$tcsref = $tcs{$designator};
if ( $tcsref ) {
if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw};
@ -151,7 +151,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
$chain = $tcsref->{chain} if $tcsref->{chain};
$target = $tcsref->{target} if $tcsref->{target};
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
} else {
fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
$chain = 'tcpost';
@ -173,12 +173,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) {
if ( $cmd =~ /^($tccmd->{pattern})$/ ) {
fatal_error "$mark not valid with :C[FP]" if $connmark;
$target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark};
$mark =~ s/^[!&]//;
if ( $rest ) {
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
@ -192,12 +192,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
} elsif ( $tccmd->{mask} ) {
$mark = $tccmd->{mask};
}
last MARK;
}
}
}
validate_mark $mark;
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
@ -215,11 +215,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
'' ,
'' ,
'';
progress_message " TC Rule \"$line\" $done";
}
#
# Perl version of Arn Bernin's 'tc4shorewall'.
#
@ -265,9 +265,8 @@ sub rate_to_kbit( $ ) {
sub calculate_quantum( $ ) {
my $rate = rate_to_kbit $_[0];
eval "int( ( $rate * 128 ) / $r2q )";
}
}
sub validate_tc_device( $$$ ) {
my ( $device, $inband, $outband ) = @_;
@ -303,7 +302,7 @@ sub validate_tc_class( $$$$$$ ) {
'tos-maximize-reliability' => 'tos=0x04/0x04' ,
'tos-minimize-cost' => 'tos=0x02/0x02' ,
'tos-normal-service' => 'tos=0x00/0x1e' );
my $devref = $tcdevices{$device};
fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref;
my $full = rate_to_kbit $devref->{out_bandwidth};
@ -326,9 +325,9 @@ sub validate_tc_class( $$$$$$ ) {
unless ( $options eq '-' ) {
for my $option ( split /,/, "\L$options" ) {
my $optval = $tosoptions{$option};
$option = $optval if $optval;
if ( $option eq 'default' ) {
fatal_error "Only one default class may be specified for device $device" if $devref->{default};
$devref->{default} = $markval;
@ -347,7 +346,7 @@ sub validate_tc_class( $$$$$$ ) {
}
push @tcclasses, "$device:$markval";
}
}
sub setup_traffic_shaping() {
if ( -s "$ENV{TMP_DIR}/tcdevices" ) {
@ -364,7 +363,6 @@ sub setup_traffic_shaping() {
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
validate_tc_device( $device, $inband, $outband );
}
}
close TD;
@ -378,10 +376,9 @@ sub setup_traffic_shaping() {
while ( $line = <TC> ) {
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
}
}
close TC;
@ -398,7 +395,7 @@ sub setup_traffic_shaping() {
fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark;
emit "if interface_is_usable $device; then";
push_indent;
emit "${dev}_exists=Yes";
@ -407,7 +404,7 @@ sub setup_traffic_shaping() {
emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}";
emit "${dev}_mtu=\$(get_device_mtu $device)";
emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu";
my $inband = rate_to_kbit $devref->{in_bandwidth};
if ( $inband ) {
@ -451,7 +448,7 @@ sub setup_traffic_shaping() {
push_indent;
$lastdevice = $device;
}
emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum";
emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum";
emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10";
@ -468,7 +465,7 @@ sub setup_traffic_shaping() {
#
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
for my $tospair ( @{$tcref->{tos}} ) {
my ( $tos, $mask ) = split q(/), $tospair;
emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
@ -477,7 +474,7 @@ sub setup_traffic_shaping() {
save_progress_message_short qq(" TC Class $class defined.");
emit '';
}
if ( $lastdevice ) {
pop_indent;
emit "fi\n";
@ -495,7 +492,7 @@ sub setup_tc() {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
}
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
while ( $line = <TC> ) {
@ -512,7 +509,7 @@ sub setup_tc() {
} else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
}
}
close TC;
@ -523,7 +520,7 @@ sub setup_tc() {
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
$mark_part = '-m mark --mark 0/0xFF00';
for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
}
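Review bot: `calculate_quantum` in the `@ -265` hunk computes its result with a string `eval "int( ( $rate * 128 ) / $r2q )"`, which interpolates the rate and r2q values into Perl source and then discards any error (a zero `$r2q` would yield undef from the eval rather than a diagnostic); plain arithmetic `return int( ( $rate * 128 ) / $r2q );` gives the same value with no code generation. The `open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error ...` line in the `@ -495` hunk (and the matching `tcdevices`/`tcclasses` opens earlier in the section) uses a two-argument open with a bareword handle, so a `TMP_DIR` with leading/trailing whitespace or a `|` would be reinterpreted as part of the mode; `open my $tc, '<', "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";` pins the mode. Both are pre-existing, and setup_tc and setup_traffic_shaping extend past the hunks shown.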


@ -46,43 +46,43 @@ sub setup_tunnels() {
( $kind, my $qualifier ) = split /:/, $kind;
fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' );
my $noah = $qualifier || ($kind ne 'ipsec' );
my $options = '-m $state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
add_rule $outchainref, "-p udp $dest --dport 500 $options";
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport $options";
} else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
}
for my $zone ( split /,/, $gatewayzones ) {
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
}
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options";
@ -92,76 +92,76 @@ sub setup_tunnels() {
}
}
}
sub setup_one_other {
my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_;
add_rule $inchainref , "-p $protocol $source -j ACCEPT";
add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
}
sub setup_pptp_client {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $outchainref, "-p 47 $dest -j ACCEPT";
add_rule $inchainref, "-p 47 $source -j ACCEPT";
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
}
sub setup_pptp_server {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $inchainref, "-p 47 $dest -j ACCEPT";
add_rule $outchainref, "-p 47 $source -j ACCEPT";
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
}
sub setup_one_openvpn {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp';
my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) {
$port = $p;
$protocol = $proto;
} elsif ( $proto ) {
$port = $proto;
}
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
}
sub setup_one_openvpn_client {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp';
my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) {
$port = $p;
$protocol = $proto;
} elsif ( $proto ) {
$port = $proto;
}
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
}
sub setup_one_openvpn_server {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp';
my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) {
$port = $p;
$protocol = $proto;
@ -175,10 +175,10 @@ sub setup_tunnels() {
sub setup_one_generic {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp';
my $port = '--dport 5000';
if ( $kind =~ /.*:.*:.*/ ) {
( $kind, $protocol, $port) = split /:/, $kind;
$port = "--dport $port";
@ -186,22 +186,22 @@ sub setup_tunnels() {
$port = '';
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
}
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
}
sub setup_one_tunnel($$$$) {
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
my $source = match_source_net $gateway;
my $dest = match_dest_net $gateway;
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
@ -218,13 +218,13 @@ sub setup_tunnels() {
$kind = "\L$kind";
(my $type) = split /:/, $kind;
my $tunnelref = $tunneltypes{ $type };
fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref;
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
progress_message " Tunnel \"$line\" $done";
}
#
@ -247,10 +247,10 @@ sub setup_tunnels() {
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
}
}
close TUNNELS;
$comment = '';
}
}
1;
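Review bot: In the `@ -46,43` hunk, `my $options = '-m $state --state NEW -j ACCEPT';` is single-quoted, so the literal text `$state` rather than the word `state` is written into every rule built from `$options`, and iptables will reject `-m $state` when the generated script runs; it should be `my $options = '-m state --state NEW -j ACCEPT';`. A few lines below, `add_rule $inchainref, "-p udp $source --dport $options";` lacks the port number that its `$outchainref` counterpart and the later zone-loop rule carry, so `--dport` would consume `-m` as its argument; it should read `add_rule $inchainref, "-p udp $source --dport 500 $options";`. Both lines are unchanged context in this whitespace-only section, and the enclosing sub (setup_one_ipsec, judging by the dispatch table further down) starts outside the hunk.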


@ -34,7 +34,7 @@ our @EXPORT = qw( NOTHING
NETWORK
IPSECPROTO
IPSECMODE
determine_zones
zone_report
dump_zone_contents
@ -147,17 +147,17 @@ sub parse_zone_option_list($)
$val = $2;
$e = $1;
}
$fmt = $validoptions{$e};
fatal_error "Invalid Option ($e)" unless $fmt;
if ( $fmt eq NOTHING ) {
fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val;
} else {
fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/;
}
if ( $key{$e} ) {
$h{$e} = $val;
} else {
@ -175,7 +175,7 @@ sub parse_zone_option_list($)
#
# Parse the zones file.
#
#
sub determine_zones()
{
my @z;
@ -183,11 +183,11 @@ sub determine_zones()
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
while ( $line = <ZONES> ) {
my @parents;
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1;
@parents = split ',', $2;
@ -281,11 +281,11 @@ sub zone_report()
progress_message " $zone ($type)";
my $printed = 0;
if ( $hostref ) {
for my $type ( sort keys %$hostref ) {
my $interfaceref = $hostref->{$type};
for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface};
for my $groupref ( @$arrayref ) {
@ -300,7 +300,7 @@ sub zone_report()
}
}
}
warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall';
}
}
@ -319,7 +319,7 @@ sub dump_zone_contents()
if ( $hostref ) {
for my $type ( sort keys %$hostref ) {
my $interfaceref = $hostref->{$type};
for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface};
for my $groupref ( @$arrayref ) {
@ -336,12 +336,12 @@ sub dump_zone_contents()
if ( @$exclusions ) {
$entry .= ' exclude';
for my $host ( @$exclusions ) {
$entry .= " $host";
}
}
}
emit_unindented $entry;
}
}


@ -58,11 +58,7 @@ use Shorewall::Accounting;
use Shorewall::Rules;
use Shorewall::Proc;
use Shorewall::Proxyarp;
#
# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode
# (it basically doesn't understand it at all and gets lost). So I use a number of rather
# awkward styles in place of 'here docs'.
#
sub generate_script_1 {
copy $env{SHAREDIRPL} . 'prog.header';
@ -75,9 +71,8 @@ sub generate_script_1 {
'CONFDIR=/etc/shorewall-lite',
'VARDIR=/var/lib/shorewall-lite',
'PRODUCT="Shorewall Lite"' );
copy "$env{SHAREDIR}/lib.base";
emitj ( '################################################################################',
'# End of /usr/share/shorewall/lib.base',
'################################################################################' );
@ -91,7 +86,7 @@ sub generate_script_1 {
emit 'TEMPFILE=';
emit '';
for my $exit qw/init start tcclear started stop stopped/ {
emit "run_${exit}_exit() {";
push_indent;
@ -100,12 +95,12 @@ sub generate_script_1 {
pop_indent;
emit "}\n";
}
emit 'initialize()';
emit '{';
push_indent;
if ( $ENV{EXPORT} ) {
emitj ( '#',
'# These variables are required by the library functions called in this script',
@ -128,7 +123,7 @@ sub generate_script_1 {
}
propagateconfig;
emitj ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${VERBOSE:=0}" ]',
'[ -n "${RESTOREFILE:=$RESTOREFILE}" ]',
@ -136,7 +131,7 @@ sub generate_script_1 {
qq(VERSION="$env{VERSION}") ,
qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error' );
if ( $config{IPTABLES} ) {
emit "IPTABLES=\"$config{IPTABLES}\"\n";
emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\"";
@ -155,16 +150,16 @@ sub generate_script_1 {
'# The library requires that ${VARDIR} exist',
'#',
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
pop_indent;
emit "}\n";
}
sub compile_stop_firewall() {
emit "
emit <<EOF;
#
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
#
@ -213,7 +208,7 @@ stop_firewall() {
logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
;;
esac
if [ \"\$RESTOREFILE\" = NONE ]; then
COMMAND=clear
clear_firewall
@ -302,20 +297,24 @@ stop_firewall() {
done
fi
rm -f \${VARDIR}/proxyarp\n";
rm -f \${VARDIR}/proxyarp
EOF
emit ' delete_tc1' if $config{CLEAR_TC};
emit ' undo_routing';
emit ' restore_default_route';
my $criticalhosts = process_criticalhosts;
if ( @$criticalhosts ) {
if ( $config{ADMINISABSENTMINDED} ) {
emitj ( ' for chain in INPUT OUTPUT; do',
' setpolicy $chain ACCEPT',
" done\n",
" setpolicy FORWARD DROP\n",
' done',
'',
' setpolicy FORWARD DROP',
'',
' deleteallchains',
'' );
@ -327,7 +326,7 @@ stop_firewall() {
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
}
emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain DROP
@ -412,12 +411,12 @@ stop_firewall() {
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Disabled!';
}
emit 'run_stopped_exit';
pop_indent;
emit "
emit <<EOF;
set_state \"Stopped\"
logger -p kern.info \"\$PRODUCT Stopped\"
@ -434,7 +433,9 @@ stop_firewall() {
kill \$\$
;;
esac
}\n";
}
EOF
}