From 85ad25cb68a0864cf7d9e3a749ad40b13878636c Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 26 Mar 2007 23:17:46 +0000
Subject: [PATCH] Much ado about nothing (extraneous whitespace removal)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 New/Shorewall/Accounting.pm | 4 +-
 New/Shorewall/Actions.pm | 85 +++++++++++----------
 New/Shorewall/Chains.pm | 100 ++++++++++++-------
 New/Shorewall/Common.pm | 28 +++----
 New/Shorewall/Config.pm | 22 +++---
 New/Shorewall/Hosts.pm | 4 +-
 New/Shorewall/IPAddrs.pm | 6 +-
 New/Shorewall/Interfaces.pm | 13 ++--
 New/Shorewall/Macros.pm | 6 +-
 New/Shorewall/Nat.pm | 18 ++---
 New/Shorewall/Policy.pm | 26 +++----
 New/Shorewall/Proc.pm | 12 +--
 New/Shorewall/Providers.pm | 94 +++++++++++------
 New/Shorewall/Proxyarp.pm | 4 +-
 New/Shorewall/Rules.pm | 145 ++++++++++++++++++------------------
 New/Shorewall/Tc.pm | 55 +++++++-------
 New/Shorewall/Tunnels.pm | 82 ++++++++++----------
 New/Shorewall/Zones.pm | 28 +++----
 New/compiler.pl | 51 ++++++-------
 19 files changed, 392 insertions(+), 391 deletions(-)
diff --git a/New/Shorewall/Accounting.pm b/New/Shorewall/Accounting.pm
index 4f79c5795..893e3b41a 100644
--- a/New/Shorewall/Accounting.pm
+++ b/New/Shorewall/Accounting.pm
@@ -55,7 +55,7 @@ sub process_accounting_rule( $$$$$$$$ ) { } $chain = 'accounting' unless $chain and $chain ne '-'; - + my $chainref = ensure_filter_chain $chain , 0; my $target = '';
@@ -118,7 +118,7 @@ sub setup_accounting() { process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user; } - + close ACC; if ( $filter_table->{accounting} ) {
diff --git a/New/Shorewall/Actions.pm b/New/Shorewall/Actions.pm
index 846a3cfe7..e6d82121f 100644
--- a/New/Shorewall/Actions.pm
+++ b/New/Shorewall/Actions.pm
@@ -41,7 +41,7 @@ our @EXPORT = qw( merge_levels process_actions1 process_actions2 process_actions3 - + %usedactions %default_actions %actions
@@ -160,7 +160,7 @@ sub createlogactionchain( $$ ) { my $chainref; $chain = substr $chain, 0, 28 if ( length $chain ) > 28; - + while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) { $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28; }
@@ -237,7 +237,7 @@ sub find_logactionchain( $ ) { # The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately # by reading the action definition files and creating rules. Note that a given action definition file is # processed once for each unique [:level[:tag]] applied to an invocation of the action. -# +# sub process_actions1() { for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
@@ -246,10 +246,10 @@ sub process_actions1() { for my $file qw/actions.std actions/ { open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!"; - + while ( $line = ) { my ( $action ) = split_line 1, 'action file'; - + if ( $action =~ /:/ ) { warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; $action =~ s/:.*$//;
@@ -281,18 +281,18 @@ sub process_actions1() { next if $line =~ /^\s*#/; next if $line =~ /^\s*$/; $line =~ s/#.*$//; - + my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file'; my ( $target, $level ) = split_action $wholetarget; - + $level = 'none' unless $level; my $targettype = $targets{$target}; if ( defined $targettype ) { next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' ); - + fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD; add_requiredby $wholetarget, $action if $targettype & ACTION;
@@ -303,14 +303,14 @@ sub process_actions1() { my $macrofile = $macros{$target}; progress_message " ..Expanding Macro $macrofile..."; - + open M, $macrofile or fatal_error "Unable to open $macrofile: $!"; while ( $line = ) { next if $line =~ /^\s*#/; $line =~ s/#.*$//; next if $line =~ /^\s*$/; - + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file'; $mtarget =~ s/:.*$//;
@@ -324,7 +324,6 @@ sub process_actions1() { } progress_message " ..End Macro"; - close M; } else { fatal_error "Invalid TARGET ($target) in rule \"$line\"";
@@ -359,10 +358,10 @@ sub process_actions2 () { } } } - + # # Generate chain for non-builtin action invocation -# +# sub process_action3( $$$$$ ) { my ( $chainref, $wholeaction, $action, $level, $tag ) = @_; #
@@ -370,9 +369,9 @@ sub process_action3( $$$$$ ) { # sub process_action( $$$$$$$$$$ ) { my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_; - + my ( $action , $level ) = split_action $target; - + expand_rule ( $chainref , NO_RESTRICT , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
@@ -400,7 +399,7 @@ sub process_action3( $$$$$ ) { next if $line =~ /^\s*$/; $line =~ s/#.*$//; $line = expand_shell_variables $line unless $standard; - + my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file'; my $target2 = merge_levels $wholeaction, $target;
@@ -432,9 +431,9 @@ sub process_action3( $$$$$ ) { progress_message "..Expanding Macro $fn..."; open M, $fn or fatal_error "Can't open $fn: $!"; - + my $standard = ( $fn =~ /^($env{SHAREDIR})/ ); - + while ( $line = ) { next if $line =~ /^\s*#/; next if $line =~ /^\s*$/;
@@ -442,7 +441,7 @@ sub process_action3( $$$$$ ) { $line = expand_shell_variables $line unless $standard; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; - + if ( $mtarget =~ /^PARAM:?/ ) { fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; $mtarget = substitute_action $param, $mtarget;
@@ -461,7 +460,7 @@ sub process_action3( $$$$$ ) { } $msource = '' if $msource eq '-'; - + if ( $mdest ) { if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) { $mdest = $dest || '';
@@ -486,7 +485,7 @@ sub process_action3( $$$$$ ) { } close M; - + progress_message '..End Macro' } else {
@@ -495,7 +494,7 @@ sub process_action3( $$$$$ ) { } $comment = ''; -} +} sub process_actions3 () { #
@@ -503,83 +502,83 @@ sub process_actions3 () { # sub dropBcast( $$$ ) { my ($chainref, $level, $tag) = @_; - + if ( $level ) { log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; } - + add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP'; add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP'; } - + sub allowBcast( $$$ ) { my ($chainref, $level, $tag) = @_; - + if ( $level ) { log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; } - + add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT'; add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT'; } - + sub dropNotSyn ( $$$ ) { my ($chainref, $level, $tag) = @_; - + log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level; add_rule $chainref , '-p tcp ! --syn -j DROP'; } - + sub rejNotSyn ( $$$ ) { my ($chainref, $level, $tag) = @_; log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level; add_rule $chainref , '-p tcp ! 
--syn -j REJECT'; } - + sub dropInvalid ( $$$ ) { my ($chainref, $level, $tag) = @_; - + log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level; add_rule $chainref , '-m state --state INVALID -j REJECT'; } sub allowInvalid ( $$$ ) { my ($chainref, $level, $tag) = @_; - + log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level; add_rule $chainref , '-m state --state INVALID -j ACCEPT'; } - + sub forwardUPnP ( $$$ ) { } sub allowinUPnP ( $$$ ) { my ($chainref, $level, $tag) = @_; - + if ( $level ) { log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 '; log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 '; } - + add_rule $chainref, '-p udp --dport 1900 -j ACCEPT'; add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT'; } - + sub Limit( $$$ ) { my ($chainref, $level, $tag) = @_; - + my @tag = split /,/, $tag; - + fatal_error 'Limit rules must include ,, as the log tag' unless @tag == 3; my $set = $tag[0]; my $count = $tag[1] + 1; add_rule $chainref, "-m recent --name $set --set"; - + if ( $level ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
@@ -588,7 +587,7 @@ sub process_actions3 () { } else { add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; } - + add_rule $chainref, '-j ACCEPT'; }
@@ -609,14 +608,14 @@ sub process_actions3 () { $level = '' unless defined $level; $tag = '' unless defined $tag; - + if ( $targets{$action} & BUILTIN ) { $level = '' if $level =~ /none!?/; $builtinops{$action}->($chainref, $level, $tag); } else { process_action3 $chainref, $wholeaction, $action, $level, $tag; } - } + } } 1;
diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm
index da202e5c4..e0d1d6e77 100644
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw( STANDARD OUTPUT_RESTRICT POSTROUTE_RESTRICT ALL_RESTRICT - + add_command add_rule insert_rule
@@ -99,7 +99,7 @@ our @EXPORT = qw( STANDARD addnatjump insertnatjump create_netfilter_load - + @policy_chains %chain_table $nat_table
@@ -249,7 +249,7 @@ my $loopcount = 0; sub add_command($$) { my ($chainref, $command) = @_; - + push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command ); $chainref->{referenced} = 1;
@@ -265,7 +265,7 @@ sub add_command($$) sub add_rule($$) { my ($chainref, $rule) = @_; - + $rule .= " -m comment --comment \"$comment\"" if $comment; if ( $loopcount ) {
@@ -289,13 +289,13 @@ sub insert_rule($$$) my ($chainref, $number, $rule) = @_; fatal_error 'Internal Error in insert_rule()' if $loopcount; - + $rule .= "-m comment --comment \"$comment\"" if $comment; splice @{$chainref->{rules}}, $number - 1, 0, $rule; $chainref->{referenced} = 1; - + $iprangematch = 0; }
@@ -429,7 +429,7 @@ sub new_chain($$) my ($table, $chain) = @_; my %ch; my @rules; - + $ch{name} = $chain; $ch{log} = 1 if $env{LOGRULENUMBERS}; $ch{rules} = \@rules;
@@ -456,7 +456,7 @@ sub ensure_chain($$) my ($table, $chain) = @_; my $ref = $chain_table{$table}{$chain}; - + return $ref if $ref; new_chain $table, $chain;
@@ -484,7 +484,7 @@ sub ensure_filter_chain( $$ ) } $chainref->{referenced} = 1; - + $chainref; }
@@ -492,7 +492,7 @@ sub ensure_mangle_chain($) { my $chain = $_[0]; my $chainref = ensure_chain 'mangle', $chain; - + $chainref->{referenced} = 1; $chainref;
@@ -504,7 +504,7 @@ sub ensure_mangle_chain($) { sub new_builtin_chain($$$) { my ( $table, $chain, $policy ) = @_; - + my $chainref = new_chain $table, $chain; $chainref->{referenced} = 1; $chainref->{policy} = $policy;
@@ -515,7 +515,7 @@ sub new_standard_chain($) { my $chainref = new_chain 'filter' ,$_[0]; $chainref->{referenced} = 1; $chainref; -} +} # # Add all builtin chains to the chain table
@@ -538,7 +538,7 @@ sub initialize_chain_table() for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ { new_builtin_chain 'mangle', $chain, 'ACCEPT'; } - + if ( $capabilities{MANGLE_FORWARD} ) { for my $chain qw/ FORWARD POSTROUTING / { new_builtin_chain 'mangle', $chain, 'ACCEPT';
@@ -554,7 +554,7 @@ sub finish_chain_section ($$) { my $chain = $chainref->{name}; add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; - + if ($sections{RELATED} ) { if ( $chainref->{is_policy} ) { if ( $chainref->{synparams} ) {
@@ -575,7 +575,7 @@ sub finish_chain_section ($$) { } } } -} +} # # Do section-end processing
@@ -610,7 +610,7 @@ sub do_proto( $$$ ) my ($proto, $ports, $sports ) = @_; my $output = ''; - + $proto = '' if $proto eq '-'; $ports = '' if $ports eq '-'; $sports = '' if $sports eq '-';
@@ -624,14 +624,14 @@ sub do_proto( $$$ ) if ( $count > 1 ) { fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT}; - + for my $port ( @ports ) { if ( $port =~ /:/ ) { fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT}; $count++; } } - + fatal_error "Too many entries in port list: $ports" if $count > 15; $output .= "-m multiport --dports $ports ";
@@ -639,21 +639,21 @@ sub do_proto( $$$ ) $output .= "--dport $ports "; } } - + if ( $sports ) { my @ports = split /,/, $sports; my $count = @ports; if ( $count > 1 ) { fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT}; - + for my $port ( @ports ) { if ( $port =~ /:/ ) { fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT}; $count++; } } - + fatal_error "Too many entries in port list: $sports" if $count > 15; $output .= "-m multiport --sports $sports ";
@@ -726,17 +726,17 @@ sub validate_mark( $ ) { sub do_test ( $$ ) { my ($testval, $mask) = @_; - + return '' unless $testval and $testval ne '-'; my $invert = $testval =~ s/^!// ? '! ' : ''; my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark '; - + $testval .= '/0xFF' unless ( $testval =~ '/' ); "${invert}$match $testval "; } - + # # Create a "-m limit" match for the passed LIMIT/BURST
@@ -745,7 +745,7 @@ sub do_ratelimit( $ ) { my $rate = $_[0]; return '' unless $rate and $rate ne '-'; - + if ( $rate =~ /^([^:]+):([^:]+)$/ ) { "-m limit --limit $1 --limit-burst $2 "; } else {
@@ -769,7 +769,7 @@ sub do_user( $ ) { $rule .= "--cmd-owner $2 " if $2; $user = $1; } - + if ( $user =~ /^!(.*):(.*)$/ ) { $rule .= "! --uid-owner $1 " if $1; $rule .= "! --gid-owner $2 " if $2;
@@ -790,10 +790,10 @@ sub do_user( $ ) { # sub do_tos( $ ) { my $tos = $_[0]; - + $tos ne '-' ? "-m tos --tos $tos " : ''; -} - +} + # # Avoid generating a second '-m iprange' in a single rule. #
@@ -825,7 +825,7 @@ sub get_set_flags( $$ ) { $setname = $1; $options = $2; } - + $setname =~ s/^\+//; "--set $setname $options"
@@ -836,7 +836,7 @@ sub get_set_flags( $$ ) { # sub match_source_net( $ ) { my $net = $_[0]; - + if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { $net =~ s/!// if my $invert = $1 ? '! ' : '';
@@ -859,7 +859,7 @@ sub match_source_net( $ ) { # sub match_dest_net( $ ) { my $net = $_[0]; - + if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { $net =~ s/!// if my $invert = $1 ? '! ' : '';
@@ -881,7 +881,7 @@ sub match_orig_dest ( $ ) { my $net = $_[0]; return '' if $net eq ALLIPv4; - + if ( $net =~ /^!/ ) { $net =~ s/!//; "-m conntrack --ctorigdst ! $net ";
@@ -908,7 +908,7 @@ sub match_ipsec_in( $$ ) { ''; } } - + # # Match Dest IPSEC #
@@ -926,7 +926,7 @@ sub match_ipsec_out( $$ ) { ''; } } - + # # Generate a log message #
@@ -999,7 +999,7 @@ sub mysplit( $ ) { fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; } - + push @result, $element; }
@@ -1027,7 +1027,7 @@ sub get_interface_address ( $ ) { $interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)"; } - + # # This function provides a uniform way to generate rules (something the original Shorewall sorely needed). #
@@ -1043,7 +1043,7 @@ sub expand_rule( $$$$$$$$$$ ) if ( $loglevel ) { ( $loglevel, $logtag ) = split /:/, $loglevel; - + if ( $loglevel =~ /^none!?$/i ) { return if $disposition eq 'LOG'; $loglevel = $logtag = '';
@@ -1106,7 +1106,7 @@ sub expand_rule( $$$$$$$$$$ ) if ( @interfaces > 1 ) { add_command $chainref, 'addresses='; - + for my $interface ( @interfaces ) { get_interface_address $interface; add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
@@ -1152,11 +1152,11 @@ sub expand_rule( $$$$$$$$$$ ) if $restriction & INPUT_RESTRICT; $rule .= "-o $diface "; } - } + } if ( $origdest ) { if ( $origdest eq '-' ) { - $origdest = ''; + $origdest = ''; } elsif ( $origdest =~ /^detect:(.*)$/ ) { # # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@@ -1256,7 +1256,7 @@ sub expand_rule( $$$$$$$$$$ ) # We have non-trivial exclusion -- need to create an exclusion chain # my $echain = newexclusionchain; - + # # Use the current rule and sent all possible matches to the exclusion chain #
@@ -1275,7 +1275,7 @@ sub expand_rule( $$$$$$$$$$ ) # $inets = ALLIPv4; $dnets = ALLIPv4; - + # # Create the Exclusion Chain #
@@ -1347,7 +1347,7 @@ sub addnatjump( $$$ ) { my ( $source , $dest, $predicates ) = @_; my $destref = $nat_table->{$dest} || {}; - + if ( $destref->{referenced} ) { add_rule $nat_table->{$source} , $predicates . "-j $dest"; } else {
@@ -1359,9 +1359,9 @@ sub addnatjump( $$$ ) { # sub insertnatjump( $$$$ ) { my ( $source, $dest, $countref, $predicates ) = @_; - + my $destref = $nat_table->{$dest} || {}; - + if ( $destref->{referenced} ) { insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest"; } else {
@@ -1406,7 +1406,7 @@ sub emitr( $ ) { } sub create_netfilter_load() { - + emit 'setup_netfilter()'; emit '{'; push_indent;
@@ -1430,9 +1430,9 @@ sub create_netfilter_load() { for my $table qw/raw nat mangle filter/ { emitr "*$table"; - + my @chains; - + for my $chain ( @builtins ) { my $chainref = $chain_table{$table}{$chain}; if ( $chainref ) {
@@ -1479,5 +1479,5 @@ sub create_netfilter_load() { emit "}\n"; } - + 1;
diff --git a/New/Shorewall/Common.pm b/New/Shorewall/Common.pm
index c34e5e64f..886b7bdcc 100644
--- a/New/Shorewall/Common.pm
+++ b/New/Shorewall/Common.pm
@@ -52,7 +52,7 @@ our @EXPORT = qw(ALLIPv4 copy1 create_temp_aux_config finalize_aux_config - + @allipv4 @rfc1918_networks $line
@@ -111,20 +111,20 @@ sub split_line( $$ ) { my ( $columns, $description ) = @_; chomp $line; - + $line =~ s/\s+/ /g; my @line = split /\s+/, $line; return @line if $line[0] eq 'COMMENT'; - + fatal_error "Invalid $description entry: $line" if @line > $columns; push @line, '-' while @line < $columns; @line; } - + sub create_temp_object( $ ) { my $objectfile = $_[0]; my $suffix;
@@ -174,7 +174,7 @@ sub emit ( $ ) { print $object "$line\n"; $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" ); } else { - print $object "\n" unless $lastlineblank; + print $object "\n" unless $lastlineblank; $lastlineblank = 1; } }
@@ -188,7 +188,7 @@ sub emitj { for ( @_ ) { emit $_ }; } } - + # # Write passed message to the object with no indentation.
@@ -261,14 +261,14 @@ sub pop_indent() { sub copy( $ ) { if ( $object ) { my $file = $_[0]; - + open IF , $file or fatal_error "Unable to open $file: $!"; - + while ( my $line = ) { $line =~ s/^/$indent/ if $indent; print $object $line; } - + close IF; } }
@@ -276,9 +276,9 @@ sub copy( $ ) { sub copy1( $ ) { if ( $object ) { my $file = $_[0]; - + open IF , $file or fatal_error "Unable to open $file: $!"; - + my $do_indent = 1; while ( my $line = ) {
@@ -287,12 +287,12 @@ sub copy1( $ ) { $do_indent = 1; next; } - + $line =~ s/^/$indent/ if $indent && $do_indent; print $object $line; $do_indent = ! ( $line =~ /\\$/ ); } - + close IF; } }
@@ -321,6 +321,6 @@ END { } system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR}; -} +} 1;
diff --git a/New/Shorewall/Config.pm b/New/Shorewall/Config.pm
index 83550fea5..a5156b8f6 100644
--- a/New/Shorewall/Config.pm
+++ b/New/Shorewall/Config.pm
@@ -243,9 +243,9 @@ sub report_capabilities() { print " $capdesc{$cap}: "; print $capabilities{$cap} ? "Available\n" : "Not Available\n"; } - + print "Shorewall has detected the following capabilities:\n"; - + for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { report_capability $cap; }
@@ -373,7 +373,7 @@ sub get_configuration() { default_yes_no 'BRIDGING' , ''; fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING}; - + default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'LOGTAGONLY' , '';
@@ -397,7 +397,7 @@ sub get_configuration() { $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; default 'BLACKLIST_DISPOSITION' , 'DROP'; - + my $val; $env{MACLIST_TARGET} = 'reject';
@@ -415,7 +415,7 @@ sub get_configuration() { } else { $config{MACLIST_DISPOSITION} = 'REJECT'; } - + if ( $val = $config{MACLIST_TABLE} ) { if ( $val eq 'mangle' ) { fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
@@ -431,7 +431,7 @@ sub get_configuration() { } else { $config{TCP_FLAGS_DISPOSITION} = 'DROP'; } - + $env{TC_SCRIPT} = ''; if ( $val = "\L$config{TC_ENABLED}" ) {
@@ -451,7 +451,7 @@ sub get_configuration() { default 'ACCEPT_DEFAULT' , 'none'; default 'OPTIMIZE' , 0; default 'IPSECFILE' , 'ipsec'; - + for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ { $config{$default} = 'none' if "\L$config{$default}" eq 'none'; }
@@ -477,7 +477,7 @@ sub get_configuration() { }; fatal_error "Invalid LOGFORMAT ($val)" if $@; - + fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\"" if length $result > 29;
@@ -514,7 +514,7 @@ sub propagateconfig() { my $value = $config{$option} || ''; emit "$option=\"$value\""; } - + for my $option ( @Shorewall::Config::propagateenv ) { my $value = $env{$option} || ''; emit "$option=\"$value\"";
@@ -529,7 +529,7 @@ sub append_file( $ ) { save_progress_message "Processing $user_exit ..."; copy1 $user_exit; } - } + } } #
@@ -570,7 +570,7 @@ sub generate_aux_config() { create_temp_aux_config; emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" ); - + for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) { conditionally_add_option $option; }
diff --git a/New/Shorewall/Hosts.pm b/New/Shorewall/Hosts.pm
index 108d8d220..48a13a34b 100644
--- a/New/Shorewall/Hosts.pm
+++ b/New/Shorewall/Hosts.pm
@@ -45,7 +45,7 @@ sub validate_hosts_file() maclist => 1, norfc1918 => 1, nosmurfs => 1, - routeback => 1, + routeback => 1, routefilter => 1, tcpflags => 1, );
@@ -76,7 +76,7 @@ sub validate_hosts_file() } my $optionsref; - + if ( $options ne '-' ) { my @options = split ',', $options; my %options;
diff --git a/New/Shorewall/IPAddrs.pm b/New/Shorewall/IPAddrs.pm
index dedc438e1..878ae90f2 100644
--- a/New/Shorewall/IPAddrs.pm
+++ b/New/Shorewall/IPAddrs.pm
@@ -52,7 +52,7 @@ sub decodeaddr( $ ) { my @address = split /\./, $address; my $result = shift @address; - + for my $a ( @address ) { $result = ( $result << 8 ) | $a; }
@@ -84,10 +84,10 @@ sub ip_range_explicit( $ ) { if ( defined $high ) { fatal_error "Invalid IP address ( $high )" unless valid_address $high; - + my $first = decodeaddr $low; my $last = decodeaddr $high; - + fatal_error "Invalid IP Range ( $range )" unless $first <= $last; while ( ++$first <= $last ) {
diff --git a/New/Shorewall/Interfaces.pm b/New/Shorewall/Interfaces.pm
index 56201326f..da60418c5 100644
--- a/New/Shorewall/Interfaces.pm
+++ b/New/Shorewall/Interfaces.pm
@@ -87,7 +87,7 @@ sub add_group_to_zone($$$$$) $ifacezone = $zone if $host eq ALLIPv4; } } - + push @$new, $switched ? "$interface:$host" : $host; }
@@ -111,7 +111,8 @@ sub add_group_to_zone($$$$$) # # Parse the interfaces file. -# +# + sub validate_interfaces_file() { my %validoptions = (arp_filter => 1,
@@ -124,7 +125,7 @@ sub validate_interfaces_file() norfc1918 => 1, nosmurfs => 1, proxyarp => 1, - routeback => 1, + routeback => 1, routefilter => 1, sourceroute => 1, tcpflags => 1,
@@ -188,13 +189,13 @@ sub validate_interfaces_file() push @interfaces, $interface; add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone; - + $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() progress_message " Interface \"$line\" Validated"; - } - + } + close INTERFACES; }
diff --git a/New/Shorewall/Macros.pm b/New/Shorewall/Macros.pm
index 0476442e1..a1b80a575 100644
--- a/New/Shorewall/Macros.pm
+++ b/New/Shorewall/Macros.pm
@@ -59,7 +59,7 @@ sub find_macro( $ ) $macros{$macro} = $macrofile; $targets{$macro} = MACRO; } -} +} # # Macro and action files can have shell variables embedded. This function expands them from %ENV.
@@ -67,7 +67,7 @@ sub find_macro( $ ) sub expand_shell_variables( $ ) { my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line; } - + # # Return ( action, level[:tag] ) from passed full action #
@@ -112,7 +112,7 @@ sub merge_macro_source_dest( $$ ) { return "$invocation:$body"; } } - + $body || ''; }
diff --git a/New/Shorewall/Nat.pm b/New/Shorewall/Nat.pm
index 3bbb7e996..a7ed2bbe7 100644
--- a/New/Shorewall/Nat.pm
+++ b/New/Shorewall/Nat.pm
@@ -142,7 +142,7 @@ sub setup_one_masq($$$$$$) if ( $2 =~ /\./ ) { $fullinterface = $one; $destnets = $two; - } + } } #
@@ -162,7 +162,7 @@ sub setup_one_masq($$$$$$) # Handle Protocol and Ports # $rule .= do_proto $proto, $ports, ''; - + my $detectaddress = 0; # # Parse the ADDRESSES column
@@ -232,7 +232,7 @@ sub setup_one_masq($$$$$$) } progress_message " Masq record \"$line\" $done"; - + } #
@@ -294,7 +294,7 @@ sub do_one_nat( $$$$$ ) sub add_nat_rule( $$ ) { add_rule ensure_chain( 'nat', $_[0] ) , $_[1]; } - + my $add_ip_aliases = $config{ADD_IP_ALIASES}; my $policyin = '';
@@ -320,7 +320,7 @@ sub do_one_nat( $$$$$ ) validate_nat_column 'ALL INTERFACES', \$allints; validate_nat_column 'LOCAL' , \$localnat; - + if ( $allints ) { add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
@@ -328,7 +328,7 @@ sub do_one_nat( $$$$$ ) add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external"; } - + add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat; if ( $add_ip_aliases ) {
@@ -345,7 +345,7 @@ sub do_one_nat( $$$$$ ) # Process NAT file # sub setup_nat() { - + open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!"; while ( $line = ) {
@@ -362,7 +362,7 @@ sub setup_nat() { } else { do_one_nat $external, $interface, $internal, $allints, $localnat; } - + } close NAT;
@@ -374,7 +374,7 @@ sub setup_nat() { # Setup Network Mapping # sub setup_netmap() { - + open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!"; while ( $line = ) {
diff --git a/New/Shorewall/Policy.pm b/New/Shorewall/Policy.pm
index e3115ca67..b860830d2 100644
--- a/New/Shorewall/Policy.pm
+++ b/New/Shorewall/Policy.pm
@@ -45,7 +45,7 @@ sub new_policy_chain($$$) my ($chain, $policy, $optional) = @_; my $chainref = new_chain 'filter', $chain; - + $chainref->{is_policy} = 1; $chainref->{policy} = $policy; $chainref->{is_optional} = $optional;
@@ -87,12 +87,12 @@ sub validate_policy() QUEUE => undef, NONE => undef ); - + my %map = ( DROP_DEFAULT => 'DROP' , REJECT_DEFAULT => 'REJECT' , ACCEPT_DEFAULT => 'ACCEPT' , QUEUE_DEFAULT => 'QUEUE' ); - + my $zone; use constant { OPTIONAL => 1 };
@@ -101,7 +101,7 @@ sub validate_policy() my $action = $config{$option}; next if $action eq 'none'; my $actiontype = $targets{$action}; - + if ( defined $actiontype ) { fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION; } else {
@@ -115,7 +115,7 @@ sub validate_policy() $default_actions{$map{$option}} = $action; } - + for $zone ( @zones ) { push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL );
@@ -138,7 +138,7 @@ sub validate_policy() $synparams = '' unless defined $synparams; $loglevel = '' if $loglevel eq '-'; $synparams = '' if $synparams eq '-'; - + my $clientwild = ( "\L$client" eq 'all' ); fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
@@ -153,7 +153,7 @@ sub validate_policy() $default = 'none'; } elsif ( $default ) { my $defaulttype = $targets{$default}; - + if ( $defaulttype & ACTION ) { unless ( $usedactions{$default} ) { $usedactions{$default} = 1;
@@ -161,7 +161,7 @@ sub validate_policy() } } else { fatal_error "Unknown Default Action ($default) in policy \"$line\""; - } + } } else { $default = $default_actions{$policy} || ''; }
@@ -174,13 +174,13 @@ sub validate_policy() fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" if $clientwild || $serverwild; } - + my $chain = "${client}2${server}"; my $chainref; if ( defined $filter_table->{$chain} ) { $chainref = $filter_table->{$chain}; - + if ( $chainref->{is_policy} ) { if ( $chainref->{is_optional} ) { $chainref->{is_optional} = 0;
@@ -221,13 +221,13 @@ sub validate_policy() set_policy_chain "${client}2${zone}", $chainref, $policy; print_policy $client, $zone, $policy, $chain; } - + } else { print_policy $client, $server, $policy, $chain; } } - close POLICY; + close POLICY; } #
@@ -281,7 +281,7 @@ sub default_policy( $$$ ) { } progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}"; - + } sub apply_policy_rules() {
diff --git a/New/Shorewall/Proc.pm b/New/Shorewall/Proc.pm
index f15a442f4..4beae4e09 100644
--- a/New/Shorewall/Proc.pm
+++ b/New/Shorewall/Proc.pm
@@ -79,7 +79,7 @@ fi for my $interface ( @$interfaces1 ) { my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore"; my $value = get_interface_option $interface, 'arp_ignore'; - + fatal_error "Internal Error in setup_arp_filtering()" unless defined $value; emit "if [ -f $file ]; then
@@ -100,7 +100,7 @@ sub setup_route_filtering() { my $interfaces = find_interfaces_by_option 'routefilter'; if ( @$interfaces || $config{ROUTE_FILTER} ) { - + progress_message2 "$doing Kernel Route Filtering..."; save_progress_message "Setting up Route Filtering...";
@@ -120,7 +120,7 @@ else fi "; } - + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; if ( $config{ROUTE_FILTER} ) {
@@ -140,7 +140,7 @@ sub setup_martian_logging() { my $interfaces = find_interfaces_by_option 'logmartians'; if ( @$interfaces || $config{LOG_MARTIANS} ) { - + progress_message2 "$doing Martian Logging..."; save_progress_message "Setting up Martian Logging...";
@@ -160,7 +160,7 @@ else fi "; } - + emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; if ( $config{LOG_MARTIANS} ) {
@@ -170,7 +170,7 @@ fi } } - + # # Source Routing #
diff --git a/New/Shorewall/Providers.pm b/New/Shorewall/Providers.pm
index 0cd7c8650..2f42a8bf0 100644
--- a/New/Shorewall/Providers.pm
+++ b/New/Shorewall/Providers.pm
@@ -61,10 +61,10 @@ my @providers; sub setup_route_marking() { my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF'; my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark'; - + add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; - + my $chainref = new_chain 'mangle', 'routemark'; while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
@@ -95,11 +95,11 @@ sub setup_providers() { sub copy_and_edit_table( $$$ ) { my ( $duplicate, $number, $copy ) = @_; - + my $match = $copy; - + $match =~ s/ /\|/g; - + emitj ( "ip route show table $duplicate | while read net route; do", ' case $net in', ' default|nexthop)',
@@ -118,18 +118,18 @@ sub setup_providers() { sub balance_default_route( $$$ ) { my ( $weight, $gateway, $interface ) = @_; - + $balance = 1; - + emit ''; - + if ( $first_default_route ) { if ( $gateway ) { emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\""; } else { emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\""; } - + $first_default_route = 0; } else { if ( $gateway ) {
@@ -139,15 +139,15 @@ sub setup_providers() { } } } - + sub add_a_provider( $$$$$$$$ ) { my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_; - + fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; - + fatal_error "Duplicate provider ( $table )" if $providers{$table}; - + for my $provider ( keys %providers ) { fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number; } @@ -161,7 +161,7 @@ sub setup_providers() { emit "${iface}_up=Yes"; emit "qt ip route flush table $number"; emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing"; - + $duplicate = '-' unless $duplicate; $copy = '-' unless $copy; @@ -173,7 +173,7 @@ sub setup_providers() { my @c = ( split /,/, $copy ); $copy = "@c"; } - + copy_and_edit_table( $duplicate, $number ,$copy ); } else { copy_table ( $duplicate, $number ); @@ -199,7 +199,7 @@ sub setup_providers() { $gateway = ''; emit "run_ip route add default dev $interface table $number"; } - + $mark = '-' unless $mark; my $val = 0; @@ -207,15 +207,15 @@ sub setup_providers() { if ( $mark ne '-' ) { $val = numeric_value $mark; - + verify_mark $mark; - + if ( $val < 256) { fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS}; } else { fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS}; } - + for my $provider ( keys %providers ) { my $num = $providers{$provider}{mark}; fatal_error "Duplicate mark value ( $mark )" if $num == $val; 
@@ -254,48 +254,48 @@ sub setup_providers() { } } } - + if ( $loose ) { my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); - + emit "\nrulenum=0\n"; - + emitj ( "find_interface_addresses $interface | while read address; do", ' qt ip rule del from $address', " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing", ' rulenum=$(($rulenum + 1))', 'done' ); - } else { + } else { emit "\nfind_interface_addresses $interface | while read address; do"; emit ' qt ip rule del from $address'; emit 'done'; } - + emit "\nprogress_message \" Provider $table ($number) Added\"\n"; pop_indent; emit 'else'; - + if ( $optional ) { emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""; emit " ${iface}_up="; } else { emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""; } - - emit "fi\n"; + + emit "fi\n"; } sub add_an_rtrule( $$$$ ) { my ( $source, $dest, $provider, $priority ) = @_; - - unless ( $providers{$provider} ) { + + unless ( $providers{$provider} ) { my $found = 0; - + if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) { my $provider_number = numeric_value $provider; - + for my $provider ( keys %providers ) { if ( $providers{$provider}{number} == $provider_number ) { $found = 1; @@ -303,17 +303,17 @@ sub setup_providers() { } } } - + fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found; } - + $source = '-' unless $source; $dest = '-' unless $dest; fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-'; - + $dest = $dest eq '-' ? '' : "to $dest"; - + if ( $source eq '-' ) { $source = ''; } elsif ( $source =~ /:/ ) { 
@@ -324,11 +324,11 @@ sub setup_providers() { } else { $source = "iif $source"; } - + fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/; - + $priority = "priority $priority"; - + emit "qt ip rule del $source $dest $priority"; emit "run_ip rule add $source $dest $priority table $provider"; emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"; @@ -358,15 +358,15 @@ sub setup_providers() { '# Initialize the file that holds \'undo\' commands', '#', '> ${VARDIR}/undo_routing' ); - + save_progress_message 'Adding Providers...'; - + emit 'DEFAULT_ROUTE='; open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!"; while ( $line = ) { - + my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file'; add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ); @@ -392,8 +392,10 @@ sub setup_providers() { 'fi', '' ); } else { - emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#"; - emit 'restore_default_route'; + emitj( '#', + '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved', + '#', + 'restore_default_route' ); } emit 'cat > /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables"; } @@ -427,7 +429,7 @@ sub setup_providers() { while ( $line = ) { my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file'; - + add_an_rtrule( $source, $dest, $provider , $priority ); } @@ -439,7 +441,7 @@ sub setup_providers() { emit 'run_ip route flush cache'; pop_indent; emit "fi\n"; - + setup_route_marking if @routemarked_interfaces; } diff --git a/New/Shorewall/Proxyarp.pm b/New/Shorewall/Proxyarp.pm index 8e91649ea..f68c57a86 100644 --- a/New/Shorewall/Proxyarp.pm +++ b/New/Shorewall/Proxyarp.pm 
@@ -69,7 +69,7 @@ sub setup_one_proxy_arp( $$$$$ ) { fi progress_message \" Host $address connected to $interface added to ARP on $external\"\n"; - + push @proxyarp, "$address $interface $external $haveroute"; progress_message " Host $address connected to $interface added to ARP on $external"; @@ -91,7 +91,7 @@ sub setup_proxy_arp() { open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!"; while ( $line = ) { - + my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file'; $set{$interface} = 1; diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index ad0d0f24d..1bd0776cf 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm @@ -71,9 +71,9 @@ sub process_tos() { open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!"; while ( $line = ) { - + my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file'; - + fatal_error "TOS field required: $line" unless $tos ne '-'; my $chainref; @@ -81,7 +81,7 @@ sub process_tos() { my $restriction = NO_RESTRICT; my ( $srczone , $source ) = split /:/, $src; - + if ( $srczone eq $firewall_zone ) { $chainref = $outtosref; $src = $source || '-'; @@ -92,7 +92,7 @@ sub process_tos() { } $dst =~ s/^all:?//; - + expand_rule $chainref , $restriction , @@ -133,11 +133,11 @@ sub setup_rfc1918_filteration( $ ) { } open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!"; - + while ( $line = ) { my ( $networks, $target ) = split_line 2, 'rfc1918 file'; - + my $s_target; if ( $target eq 'logdrop' ) { @@ -202,9 +202,9 @@ sub setup_blacklist() { if ( $level ) { my $chainref = new_standard_chain 'blacklog'; - + log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' ); - + add_rule $chainref, "-j $target" ; $target = 'blacklog'; 
@@ -217,7 +217,7 @@ sub setup_blacklist() { progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) ); while ( $line = ) { - + my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file'; expand_rule @@ -231,7 +231,7 @@ sub setup_blacklist() { '' , $disposition , ''; - + progress_message " \"$line\" added to blacklist"; } } @@ -239,14 +239,14 @@ sub setup_blacklist() { close BL; my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - + for my $hostref ( @$hosts ) { my $interface = $hostref->[0]; my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $network = $hostref->[2]; my $source = match_source_net $network; - + for my $chain ( @{first_chains $interface}) { add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; } @@ -268,7 +268,7 @@ sub process_criticalhosts() { while ( $line = ) { my $routeback = 0; - + my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; @@ -309,7 +309,7 @@ sub process_routestopped() { while ( $line = ) { my $routeback = 0; - + my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; @@ -327,7 +327,7 @@ sub process_routestopped() { warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\""; } else { $routeback = 1; - + for my $host ( split /,/, $hosts ) { my $source = match_source_net $host; my $dest = match_dest_net $host; @@ -342,7 +342,7 @@ sub process_routestopped() { } elsif ( $option eq 'dest' ) { for my $host ( split /,/, $hosts ) { $dest{"$interface:$host"} = 1; - } + } } else { warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical'; } 
@@ -358,10 +358,10 @@ sub process_routestopped() { my ( $interface, $h ) = split /:/, $host; my $source = match_source_net $h; my $dest = match_dest_net $h; - + emit "\$IPTABLES INPUT -i $interface $source ACCEPT"; emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED}; - + my $matched = 0; if ( $source{$host} ) { @@ -373,7 +373,7 @@ sub process_routestopped() { emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT"; $matched = 1; } - + unless ( $matched ) { for my $host1 ( @allhosts ) { unless ( $host eq $host1 ) { @@ -405,7 +405,7 @@ sub add_common_rules() { new_standard_chain 'dynamic'; my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - + for $interface ( @interfaces ) { for $chain ( input_chain $interface , forward_chain $interface ) { add_rule new_standard_chain( $chain ) , "$state -j dynamic"; @@ -429,7 +429,7 @@ sub add_common_rules() { } elsif ( @$list ) { fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables"; } - + if ( @$list ) { progress_message2 ' Adding Anti-smurf Rules'; for my $hostref ( @$list ) { @@ -441,9 +441,9 @@ sub add_common_rules() { } } } - + add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset'; - + if ( $capabilities{ENHANCED_REJECT} ) { add_rule $rejectref , '-p udp -j REJECT'; add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable'; 
@@ -480,20 +480,20 @@ sub add_common_rules() { my $disposition; progress_message2 " $doing TCP Flags filtering..."; - + $chainref = new_standard_chain 'tcpflags'; if ( $config{TCP_FLAGS_LOG_LEVEL} ) { my $logflagsref = new_standard_chain 'logflags'; - + my $savelogparms = $env{LOGPARMS}; $env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG'; - + log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; - + $env{LOGPARMS} = $savelogparms; - + if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { add_rule $logflagsref , '-j REJECT --reject-with tcp-reset'; } else { @@ -527,13 +527,13 @@ sub add_common_rules() { new_standard_chain $chain; } } - + (new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1; - + add_rule $filter_table->{input_chain $interface}, "-j $chain"; add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface; - } + } $list = find_interfaces_by_option 'upnp'; @@ -570,16 +570,16 @@ sub setup_mac_lists( $ ) { } my @maclist_interfaces = ( sort keys %maclist_interfaces ); - + progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..."; if ( $phase == 1 ) { for my $interface ( @maclist_interfaces ) { my $chainref = new_chain $table , mac_chain $interface; - + add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp}; - + if ( $config{MACLIST_TTL} ) { my $chain1ref = new_chain $table, macrecent_target $interface; 
@@ -709,11 +709,11 @@ sub process_macro ( $$$$$$$$$$$ ) { next if $line =~ /^\s*$/; $line =~ s/#.*$//; $line = expand_shell_variables $line unless $standard; - + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; - + $mtarget = merge_levels $target, $mtarget; - + if ( $mtarget =~ /^PARAM:?/ ) { fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; $mtarget = substitute_action $param, $mtarget; @@ -727,7 +727,7 @@ sub process_macro ( $$$$$$$$$$$ ) { createactionchain $mtarget; $usedactions{$mtarget} = 1; } - + $mtarget = find_logactionchain $mtarget; } else { fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD; @@ -746,7 +746,7 @@ sub process_macro ( $$$$$$$$$$$ ) { } $msource = '' if $msource eq '-'; - + if ( $mdest ) { if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) { $mdest = $dest || ''; @@ -766,7 +766,7 @@ sub process_macro ( $$$$$$$$$$$ ) { $msports = merge_macro_column $msports, $sports; $mrate = merge_macro_column $mrate, $rate; $muser = merge_macro_column $muser, $user; - + process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user; progress_message " Rule \"$line\" $done"; } @@ -794,9 +794,9 @@ sub process_rule1 ( $$$$$$$$$ ) { fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype; if ( $actiontype == MACRO ) { - process_macro - $macros{$basictarget}, - target , + process_macro + $macros{$basictarget}, + $target , $param , $source, $dest, @@ -848,7 +848,7 @@ sub process_rule1 ( $$$$$$$$$ ) { $sourcezone = $source; $source = ALLIPv4; } - + if ( $dest =~ /^(.+?):(.*)/ ) { $destzone = $1; $dest = $2; 
@@ -966,7 +966,7 @@ sub process_rule1 ( $$$$$$$$$ ) { # NONAT or ACCEPT+ -- May not specify a destination interface # fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/; - + $origdest = '' unless $origdest and $origdest ne '-'; if ( $origdest eq 'detect' ) { @@ -1146,7 +1146,7 @@ sub process_rules() { process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user; } } - + close RULES; $comment = ''; @@ -1172,16 +1172,16 @@ sub generate_matrix() { my ( $zone, $zone1 ) = @_; my $chain = "${zone}2${zone1}"; my $chainref = $filter_table->{$chain}; - + return $chain if $chainref && $chainref->{referenced}; return 'ACCEPT' if $zone eq $zone1; - + if ( $chainref->{policy} ne 'CONTINUE' ) { my $policyref = $chainref->{policychain}; return $policyref->{name} if $policyref; fatal_error "No policy defined for zone $zone to zone $zone1"; } - + ''; } @@ -1200,9 +1200,9 @@ sub generate_matrix() { # sub insert_exclusions( $$ ) { my ( $chainref, $exclusionsref ) = @_; - + my $num = 1; - + for my $host ( @{$exclusionsref} ) { my ( $interface, $net ) = split /:/, $host; insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); @@ -1214,12 +1214,13 @@ sub generate_matrix() { # sub add_exclusions ( $$ ) { my ( $chainref, $exclusionsref ) = @_; - + for my $host ( @{$exclusionsref} ) { my ( $interface, $net ) = split /:/, $host; add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); } - } + } + # # Generate_Matrix() Starts Here # @@ -1241,7 +1242,7 @@ sub generate_matrix() { addnatjump 'PREROUTING' , 'nat_in' , ''; addnatjump 'POSTROUTING' , 'nat_out' , ''; - + for my $interface ( @interfaces ) { addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface "; addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface "; 
@@ -1256,7 +1257,7 @@ sub generate_matrix() { my $num = 1; my $in_ref = new_standard_chain "${zone}_input"; my $out_ref = new_standard_chain "${zone}_output"; - + add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT'; for my $host ( @$exclusions ) { @@ -1265,13 +1266,13 @@ sub generate_matrix() { add_rule $in_ref , "-i $interface -s $net -j RETURN"; add_rule $out_ref , "-i $interface -s $net -j RETURN"; } - + if ( $capabilities{POLICY_MATCH} ) { my $type = $zoneref->{type}; my $source_ref = $zoneref->{hosts}{ipsec} || []; create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' ); - + for my $interface ( keys %$source_ref ) { my $arrayref = $source_ref->{$interface}; for my $hostref ( @{$arrayref} ) { @@ -1283,7 +1284,7 @@ sub generate_matrix() { } } } - } + } } } # @@ -1335,7 +1336,7 @@ sub generate_matrix() { add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" ); } } - + insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match ); if ( $chain2 ) { @@ -1366,11 +1367,11 @@ sub generate_matrix() { for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) { my $zone1ref = $zones{$zone1}; my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; - + next if $policy eq 'NONE'; - + my $chain = rules_target $zone, $zone1; - + next unless $chain; if ( $zone eq $zone1 ) { @@ -1380,7 +1381,7 @@ sub generate_matrix() { no warnings; next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); } - + if ( $chain =~ /2all$/ ) { if ( $chain ne $last_chain ) { $last_chain = $chain; @@ -1398,7 +1399,7 @@ sub generate_matrix() { $last_chain = ''; } } - + if ( $last_chain && @temp_zones == 1 ) { push @dest_zones, @temp_zones; $last_chain = ''; 
@@ -1424,9 +1425,9 @@ sub generate_matrix() { next unless $chain; push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES}; - + my $num_ifaces = 0; - + if ( $zone eq $zone1 ) { # # One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning. @@ -1437,9 +1438,9 @@ sub generate_matrix() { my $chainref = $filter_table->{$chain}; my $exclusions1 = $zone1ref->{exclusions}; - + my $dest_hosts_ref = $zone1ref->{hosts}; - + if ( @$exclusions1 ) { if ( $chain eq "all2$zone1" ) { unless ( $chain_exclusions{$chain} ) { @@ -1448,7 +1449,7 @@ sub generate_matrix() { } } elsif ( $chain =~ /2all$/ ) { my $chain1 = $policy_exclusions{"${chain}_${zone1}"}; - + unless ( $chain ) { $chain1 = newexclusionchain; $policy_exclusions{"${chain}_${zone1}"} = $chain1; @@ -1456,13 +1457,13 @@ sub generate_matrix() { add_exclusions $chain1ref, $exclusions1; add_rule $chain1ref, "-j $chain"; } - + $chain = $chain1; } else { insert_exclusions $chainref , $exclusions1; } } - + if ( $complex ) { for my $typeref ( values %$dest_hosts_ref ) { for my $interface ( keys %$typeref ) { @@ -1580,6 +1581,6 @@ sub dump_rule_chains() { for my $arrayref ( @rule_chains ) { emit_unindented "@$arrayref"; } -} +} 1; diff --git a/New/Shorewall/Tc.pm b/New/Shorewall/Tc.pm index b492fff6a..1f2fdf637 100644 --- a/New/Shorewall/Tc.pm +++ b/New/Shorewall/Tc.pm @@ -49,7 +49,7 @@ my %tcs = ( t => { chain => 'tcpost', ct => { chain => 'tcpost' , target => 'CONNMARK --set-mark' , connmark => 1 , - fw => 1 + fw => 1 } , c => { target => 'CONNMARK --set-mark' , connmark => 1 , @@ -91,7 +91,7 @@ use constant { NOMARK => 0 , SMALLMARK => 1 , HIGHMARK => 2 }; - + my @tccmd = ( { pattern => 'SAVE' , target => 'CONNMARK --save-mark --mask' , mark => SMALLMARK , 
@@ -142,7 +142,7 @@ sub process_tc_rule( $$$$$$$$$$ ) { if ( $designator ) { $tcsref = $tcs{$designator}; - + if ( $tcsref ) { if ( $chain eq 'tcout' ) { fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw}; @@ -151,7 +151,7 @@ sub process_tc_rule( $$$$$$$$$$ ) { $chain = $tcsref->{chain} if $tcsref->{chain}; $target = $tcsref->{target} if $tcsref->{target}; $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark}; - + } else { fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; $chain = 'tcpost'; @@ -173,12 +173,12 @@ sub process_tc_rule( $$$$$$$$$$ ) { for my $tccmd ( @tccmd ) { if ( $cmd =~ /^($tccmd->{pattern})$/ ) { fatal_error "$mark not valid with :C[FP]" if $connmark; - + $target = "$tccmd->{target} "; my $marktype = $tccmd->{mark}; - + $mark =~ s/^[!&]//; - + if ( $rest ) { fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK; @@ -192,12 +192,12 @@ sub process_tc_rule( $$$$$$$$$$ ) { } elsif ( $tccmd->{mask} ) { $mark = $tccmd->{mask}; } - + last MARK; } } } - + validate_mark $mark; fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes' @@ -215,11 +215,11 @@ sub process_tc_rule( $$$$$$$$$$ ) { '' , '' , ''; - + progress_message " TC Rule \"$line\" $done"; - + } - + # # Perl version of Arn Bernin's 'tc4shorewall'. # @@ -265,9 +265,8 @@ sub rate_to_kbit( $ ) { sub calculate_quantum( $ ) { my $rate = rate_to_kbit $_[0]; - eval "int( ( $rate * 128 ) / $r2q )"; -} +} sub validate_tc_device( $$$ ) { my ( $device, $inband, $outband ) = @_; 
@@ -303,7 +302,7 @@ sub validate_tc_class( $$$$$$ ) { 'tos-maximize-reliability' => 'tos=0x04/0x04' , 'tos-minimize-cost' => 'tos=0x02/0x02' , 'tos-normal-service' => 'tos=0x00/0x1e' ); - + my $devref = $tcdevices{$device}; fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref; my $full = rate_to_kbit $devref->{out_bandwidth}; @@ -326,9 +325,9 @@ sub validate_tc_class( $$$$$$ ) { unless ( $options eq '-' ) { for my $option ( split /,/, "\L$options" ) { my $optval = $tosoptions{$option}; - + $option = $optval if $optval; - + if ( $option eq 'default' ) { fatal_error "Only one default class may be specified for device $device" if $devref->{default}; $devref->{default} = $markval; @@ -347,7 +346,7 @@ sub validate_tc_class( $$$$$$ ) { } push @tcclasses, "$device:$markval"; -} +} sub setup_traffic_shaping() { if ( -s "$ENV{TMP_DIR}/tcdevices" ) { @@ -364,7 +363,6 @@ sub setup_traffic_shaping() { fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-'; validate_tc_device( $device, $inband, $outband ); } - } close TD; @@ -378,10 +376,9 @@ sub setup_traffic_shaping() { while ( $line = ) { my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file'; - + validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); } - } close TC; @@ -398,7 +395,7 @@ sub setup_traffic_shaping() { fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark; emit "if interface_is_usable $device; then"; - + push_indent; emit "${dev}_exists=Yes"; @@ -407,7 +404,7 @@ sub setup_traffic_shaping() { emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}"; emit "${dev}_mtu=\$(get_device_mtu $device)"; emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu"; - + my $inband = rate_to_kbit $devref->{in_bandwidth}; if ( $inband ) { 
@@ -451,7 +448,7 @@ sub setup_traffic_shaping() { push_indent; $lastdevice = $device; } - + emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum"; emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum"; emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10"; @@ -468,7 +465,7 @@ sub setup_traffic_shaping() { # emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; - + for my $tospair ( @{$tcref->{tos}} ) { my ( $tos, $mask ) = split q(/), $tospair; emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid"; @@ -477,7 +474,7 @@ sub setup_traffic_shaping() { save_progress_message_short qq(" TC Class $class defined."); emit ''; } - + if ( $lastdevice ) { pop_indent; emit "fi\n"; @@ -495,7 +492,7 @@ sub setup_tc() { ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcpost'; } - + open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!"; while ( $line = ) { @@ -512,7 +509,7 @@ sub setup_tc() { } else { process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos } - + } close TC; @@ -523,7 +520,7 @@ sub setup_tc() { if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) { $mark_part = '-m mark --mark 0/0xFF00'; - + for my $interface ( @routemarked_interfaces ) { add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; } diff --git a/New/Shorewall/Tunnels.pm b/New/Shorewall/Tunnels.pm index 8cd16042d..d4840c5a0 100644 --- a/New/Shorewall/Tunnels.pm +++ b/New/Shorewall/Tunnels.pm 
@@ -46,43 +46,43 @@ sub setup_tunnels() { ( $kind, my $qualifier ) = split /:/, $kind; fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' ); - + my $noah = $qualifier || ($kind ne 'ipsec' ); my $options = '-m $state --state NEW -j ACCEPT'; - + add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_rule $outchainref, "-p 50 $dest -j ACCEPT"; - + unless ( $noah ) { add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_rule $outchainref, "-p 51 $dest -j ACCEPT"; } - + add_rule $outchainref, "-p udp $dest --dport 500 $options"; - + if ( $kind eq 'ipsec' ) { add_rule $inchainref, "-p udp $source --dport $options"; } else { add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; } - + for my $zone ( split /,/, $gatewayzones ) { fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4'; $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; - + unless ( $capabilities{POLICY_MATCH} ) { add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_rule $outchainref, "-p 50 $dest -j ACCEPT"; - + unless ( $noah ) { add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_rule $outchainref, "-p 51 $dest -j ACCEPT"; } } - + if ( $kind eq 'ipsec' ) { add_rule $inchainref, "-p udp $source --dport 500 $options"; add_rule $outchainref, "-p udp $dest --dport 500 $options"; 
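Review bot: In the ipsec tunnel branch before the gateway-zone loop (the nested sub presumably named setup_one_ipsec, whose start lies before this hunk), `add_rule $inchainref, "-p udp $source --dport $options";` omits the port number that the sibling outbound rule carries, so the generated inbound IKE rule for a plain `ipsec` tunnel reads `--dport -m $state ...` and is malformed. The same inbound rule inside the gateway-zone loop later in the hunk is written as `--dport 500 $options`, which confirms the intent; the earlier line should become `add_rule $inchainref, "-p udp $source --dport 500 $options";`. The hunk itself only strips trailing whitespace, so this defect predates the commit but is worth fixing while the file is being touched.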
@@ -92,76 +92,76 @@ sub setup_tunnels() { } } } - + sub setup_one_other { my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_; - + add_rule $inchainref , "-p $protocol $source -j ACCEPT"; add_rule $outchainref , "-p $protocol $dest -j ACCEPT"; } - + sub setup_pptp_client { my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; - + add_rule $outchainref, "-p 47 $dest -j ACCEPT"; add_rule $inchainref, "-p 47 $source -j ACCEPT"; add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT" } - + sub setup_pptp_server { my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; - + add_rule $inchainref, "-p 47 $dest -j ACCEPT"; add_rule $outchainref, "-p 47 $source -j ACCEPT"; add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT" } - + sub setup_one_openvpn { my ($inchainref, $outchainref, $kind, $source, $dest) = @_; - + my $protocol = 'udp'; my $port = 1194; - + ( $kind, my ( $proto, $p ) ) = split /:/, $kind; - + if ( $p ) { $port = $p; $protocol = $proto; } elsif ( $proto ) { $port = $proto; } - + add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; } sub setup_one_openvpn_client { my ($inchainref, $outchainref, $kind, $source, $dest) = @_; - + my $protocol = 'udp'; my $port = 1194; - + ( $kind, my ( $proto, $p ) ) = split /:/, $kind; - + if ( $p ) { $port = $p; $protocol = $proto; } elsif ( $proto ) { $port = $proto; } - + add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; } sub setup_one_openvpn_server { my ($inchainref, $outchainref, $kind, $source, $dest) = @_; - + my $protocol = 'udp'; my $port = 1194; - + ( $kind, my ( $proto, $p ) ) = split /:/, $kind; - + if ( $p ) { $port = $p; $protocol = $proto; 
@@ -175,10 +175,10 @@ sub setup_tunnels() { sub setup_one_generic { my ($inchainref, $outchainref, $kind, $source, $dest) = @_; - + my $protocol = 'udp'; my $port = '--dport 5000'; - + if ( $kind =~ /.*:.*:.*/ ) { ( $kind, $protocol, $port) = split /:/, $kind; $port = "--dport $port"; @@ -186,22 +186,22 @@ sub setup_tunnels() { $port = ''; ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/; } - + add_rule $inchainref, "-p $protocol $source $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT"; } - + sub setup_one_tunnel($$$$) { my ( $kind , $zone, $gateway, $gatewayzones ) = @_; - + fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4'; - + my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; - + my $source = match_source_net $gateway; my $dest = match_dest_net $gateway; - + my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } , 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } , 'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } , @@ -218,13 +218,13 @@ sub setup_tunnels() { $kind = "\L$kind"; (my $type) = split /:/, $kind; - + my $tunnelref = $tunneltypes{ $type }; - + fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref; - + $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} ); - + progress_message " Tunnel \"$line\" $done"; } # @@ -247,10 +247,10 @@ sub setup_tunnels() { setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; } } - + close TUNNELS; $comment = ''; -} +} 1; diff --git a/New/Shorewall/Zones.pm b/New/Shorewall/Zones.pm index 0ea187a6b..ecad581a6 100644 --- a/New/Shorewall/Zones.pm +++ b/New/Shorewall/Zones.pm 
@@ -34,7 +34,7 @@ our @EXPORT = qw( NOTHING NETWORK IPSECPROTO IPSECMODE - + determine_zones zone_report dump_zone_contents @@ -147,17 +147,17 @@ sub parse_zone_option_list($) $val = $2; $e = $1; } - + $fmt = $validoptions{$e}; fatal_error "Invalid Option ($e)" unless $fmt; - + if ( $fmt eq NOTHING ) { fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val; } else { fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/; } - + if ( $key{$e} ) { $h{$e} = $val; } else { @@ -175,7 +175,7 @@ sub parse_zone_option_list($) # # Parse the zones file. -# +# sub determine_zones() { my @z; @@ -183,11 +183,11 @@ sub determine_zones() open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!"; while ( $line = ) { - + my @parents; my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file'; - + if ( $zone =~ /(\w+):([\w,]+)/ ) { $zone = $1; @parents = split ',', $2; @@ -281,11 +281,11 @@ sub zone_report() progress_message " $zone ($type)"; my $printed = 0; - + if ( $hostref ) { for my $type ( sort keys %$hostref ) { my $interfaceref = $hostref->{$type}; - + for my $interface ( sort keys %$interfaceref ) { my $arrayref = $interfaceref->{$interface}; for my $groupref ( @$arrayref ) { @@ -300,7 +300,7 @@ sub zone_report() } } } - + warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall'; } } @@ -319,7 +319,7 @@ sub dump_zone_contents() if ( $hostref ) { for my $type ( sort keys %$hostref ) { my $interfaceref = $hostref->{$type}; - + for my $interface ( sort keys %$interfaceref ) { my $arrayref = $interfaceref->{$interface}; for my $groupref ( @$arrayref ) { @@ -336,12 +336,12 @@ sub dump_zone_contents() if ( @$exclusions ) { $entry .= ' exclude'; - + for my $host ( @$exclusions ) { $entry .= " $host"; } - } - + } + emit_unindented $entry; } } diff --git a/New/compiler.pl b/New/compiler.pl index f91017269..3d48c9115 100755 
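Review bot: The context line `open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";` in the determine_zones() hunk is a two-argument open with an interpolated environment value, so the open mode is taken from the string itself rather than being fixed to read; this hunk only strips trailing whitespace and leaves it as is. The three-argument form pins the mode: `open ZONES, '<', "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";`. A lexical handle would be the idiomatic replacement for the bareword, but the bareword matches the rest of the module and its `close` presumably sits outside the hunk, so the mode argument is the minimal change. determine_zones()'s body continues outside the hunk, and the same two-argument pattern is likely used for the other stripped files this module set reads, which would be worth checking in one pass.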
--- a/New/compiler.pl +++ b/New/compiler.pl @@ -58,11 +58,7 @@ use Shorewall::Accounting; use Shorewall::Rules; use Shorewall::Proc; use Shorewall::Proxyarp; -# -# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode -# (it basically doesn't understand it at all and gets lost). So I use a number of rather -# awkward styles in place of 'here docs'. -# + sub generate_script_1 { copy $env{SHAREDIRPL} . 'prog.header'; @@ -75,9 +71,8 @@ sub generate_script_1 { 'CONFDIR=/etc/shorewall-lite', 'VARDIR=/var/lib/shorewall-lite', 'PRODUCT="Shorewall Lite"' ); - + copy "$env{SHAREDIR}/lib.base"; - emitj ( '################################################################################', '# End of /usr/share/shorewall/lib.base', '################################################################################' ); @@ -91,7 +86,7 @@ sub generate_script_1 { emit 'TEMPFILE='; emit ''; - + for my $exit qw/init start tcclear started stop stopped/ { emit "run_${exit}_exit() {"; push_indent; @@ -100,12 +95,12 @@ sub generate_script_1 { pop_indent; emit "}\n"; } - + emit 'initialize()'; emit '{'; push_indent; - + if ( $ENV{EXPORT} ) { emitj ( '#', '# These variables are required by the library functions called in this script', @@ -128,7 +123,7 @@ sub generate_script_1 { } propagateconfig; - + emitj ( '[ -n "${COMMAND:=restart}" ]', '[ -n "${VERBOSE:=0}" ]', '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]', @@ -136,7 +131,7 @@ sub generate_script_1 { qq(VERSION="$env{VERSION}") , qq(PATH="$config{PATH}") , 'TERMINATOR=fatal_error' ); - + if ( $config{IPTABLES} ) { emit "IPTABLES=\"$config{IPTABLES}\"\n"; emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\""; 
@@ -155,16 +150,16 @@ sub generate_script_1 { '# The library requires that ${VARDIR} exist', '#', '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' ); - + pop_indent; - + emit "}\n"; - + } sub compile_stop_firewall() { - emit " + emit < /proc/sys/net/ipv4/ip_forward'; emit 'progress_message2 IP Forwarding Disabled!'; } - + emit 'run_stopped_exit'; pop_indent; - emit " + emit <