Much ado about nothing (extraneous whitespace removal)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-26 23:17:46 +00:00
parent a8231a26b8
commit 85ad25cb68
19 changed files with 392 additions and 391 deletions


@ -55,7 +55,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
} }
$chain = 'accounting' unless $chain and $chain ne '-'; $chain = 'accounting' unless $chain and $chain ne '-';
my $chainref = ensure_filter_chain $chain , 0; my $chainref = ensure_filter_chain $chain , 0;
my $target = ''; my $target = '';
@ -118,7 +118,7 @@ sub setup_accounting() {
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user; process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
} }
close ACC; close ACC;
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {


@ -41,7 +41,7 @@ our @EXPORT = qw( merge_levels
process_actions1 process_actions1
process_actions2 process_actions2
process_actions3 process_actions3
%usedactions %usedactions
%default_actions %default_actions
%actions %actions
@ -160,7 +160,7 @@ sub createlogactionchain( $$ ) {
my $chainref; my $chainref;
$chain = substr $chain, 0, 28 if ( length $chain ) > 28; $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) { while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28; $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
} }
@ -237,7 +237,7 @@ sub find_logactionchain( $ ) {
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately # The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
# by reading the action definition files and creating rules. Note that a given action definition file is # by reading the action definition files and creating rules. Note that a given action definition file is
# processed once for each unique [:level[:tag]] applied to an invocation of the action. # processed once for each unique [:level[:tag]] applied to an invocation of the action.
# #
sub process_actions1() { sub process_actions1() {
for my $act ( grep $targets{$_} & ACTION , keys %targets ) { for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
@ -246,10 +246,10 @@ sub process_actions1() {
for my $file qw/actions.std actions/ { for my $file qw/actions.std actions/ {
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!"; open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
while ( $line = <F> ) { while ( $line = <F> ) {
my ( $action ) = split_line 1, 'action file'; my ( $action ) = split_line 1, 'action file';
if ( $action =~ /:/ ) { if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
$action =~ s/:.*$//; $action =~ s/:.*$//;
@ -281,18 +281,18 @@ sub process_actions1() {
next if $line =~ /^\s*#/; next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/; next if $line =~ /^\s*$/;
$line =~ s/#.*$//; $line =~ s/#.*$//;
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file'; my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
my ( $target, $level ) = split_action $wholetarget; my ( $target, $level ) = split_action $wholetarget;
$level = 'none' unless $level; $level = 'none' unless $level;
my $targettype = $targets{$target}; my $targettype = $targets{$target};
if ( defined $targettype ) { if ( defined $targettype ) {
next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' ); next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' );
fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD; fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD;
add_requiredby $wholetarget, $action if $targettype & ACTION; add_requiredby $wholetarget, $action if $targettype & ACTION;
@ -303,14 +303,14 @@ sub process_actions1() {
my $macrofile = $macros{$target}; my $macrofile = $macros{$target};
progress_message " ..Expanding Macro $macrofile..."; progress_message " ..Expanding Macro $macrofile...";
open M, $macrofile or fatal_error "Unable to open $macrofile: $!"; open M, $macrofile or fatal_error "Unable to open $macrofile: $!";
while ( $line = <M> ) { while ( $line = <M> ) {
next if $line =~ /^\s*#/; next if $line =~ /^\s*#/;
$line =~ s/#.*$//; $line =~ s/#.*$//;
next if $line =~ /^\s*$/; next if $line =~ /^\s*$/;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
$mtarget =~ s/:.*$//; $mtarget =~ s/:.*$//;
@ -324,7 +324,6 @@ sub process_actions1() {
} }
progress_message " ..End Macro"; progress_message " ..End Macro";
close M; close M;
} else { } else {
fatal_error "Invalid TARGET ($target) in rule \"$line\""; fatal_error "Invalid TARGET ($target) in rule \"$line\"";
@ -359,10 +358,10 @@ sub process_actions2 () {
} }
} }
} }
# #
# Generate chain for non-builtin action invocation # Generate chain for non-builtin action invocation
# #
sub process_action3( $$$$$ ) { sub process_action3( $$$$$ ) {
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_; my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
# #
@ -370,9 +369,9 @@ sub process_action3( $$$$$ ) {
# #
sub process_action( $$$$$$$$$$ ) { sub process_action( $$$$$$$$$$ ) {
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_; my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
my ( $action , $level ) = split_action $target; my ( $action , $level ) = split_action $target;
expand_rule ( $chainref , expand_rule ( $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
@ -400,7 +399,7 @@ sub process_action3( $$$$$ ) {
next if $line =~ /^\s*$/; next if $line =~ /^\s*$/;
$line =~ s/#.*$//; $line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard; $line = expand_shell_variables $line unless $standard;
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file'; my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
my $target2 = merge_levels $wholeaction, $target; my $target2 = merge_levels $wholeaction, $target;
@ -432,9 +431,9 @@ sub process_action3( $$$$$ ) {
progress_message "..Expanding Macro $fn..."; progress_message "..Expanding Macro $fn...";
open M, $fn or fatal_error "Can't open $fn: $!"; open M, $fn or fatal_error "Can't open $fn: $!";
my $standard = ( $fn =~ /^($env{SHAREDIR})/ ); my $standard = ( $fn =~ /^($env{SHAREDIR})/ );
while ( $line = <M> ) { while ( $line = <M> ) {
next if $line =~ /^\s*#/; next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/; next if $line =~ /^\s*$/;
@ -442,7 +441,7 @@ sub process_action3( $$$$$ ) {
$line = expand_shell_variables $line unless $standard; $line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
if ( $mtarget =~ /^PARAM:?/ ) { if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
$mtarget = substitute_action $param, $mtarget; $mtarget = substitute_action $param, $mtarget;
@ -461,7 +460,7 @@ sub process_action3( $$$$$ ) {
} }
$msource = '' if $msource eq '-'; $msource = '' if $msource eq '-';
if ( $mdest ) { if ( $mdest ) {
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) { if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
$mdest = $dest || ''; $mdest = $dest || '';
@ -486,7 +485,7 @@ sub process_action3( $$$$$ ) {
} }
close M; close M;
progress_message '..End Macro' progress_message '..End Macro'
} else { } else {
@ -495,7 +494,7 @@ sub process_action3( $$$$$ ) {
} }
$comment = ''; $comment = '';
} }
sub process_actions3 () { sub process_actions3 () {
# #
@ -503,83 +502,83 @@ sub process_actions3 () {
# #
sub dropBcast( $$$ ) { sub dropBcast( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $level ) { if ( $level ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
} }
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP'; add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP'; add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
} }
sub allowBcast( $$$ ) { sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $level ) { if ( $level ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
} }
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT'; add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT'; add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
} }
sub dropNotSyn ( $$$ ) { sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level; log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP'; add_rule $chainref , '-p tcp ! --syn -j DROP';
} }
sub rejNotSyn ( $$$ ) { sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level; log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT'; add_rule $chainref , '-p tcp ! --syn -j REJECT';
} }
sub dropInvalid ( $$$ ) { sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level; log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT'; add_rule $chainref , '-m state --state INVALID -j REJECT';
} }
sub allowInvalid ( $$$ ) { sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level; log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT'; add_rule $chainref , '-m state --state INVALID -j ACCEPT';
} }
sub forwardUPnP ( $$$ ) { sub forwardUPnP ( $$$ ) {
} }
sub allowinUPnP ( $$$ ) { sub allowinUPnP ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $level ) { if ( $level ) {
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 '; log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 '; log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
} }
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT'; add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT'; add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
} }
sub Limit( $$$ ) { sub Limit( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
my @tag = split /,/, $tag; my @tag = split /,/, $tag;
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3; fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
my $set = $tag[0]; my $set = $tag[0];
my $count = $tag[1] + 1; my $count = $tag[1] + 1;
add_rule $chainref, "-m recent --name $set --set"; add_rule $chainref, "-m recent --name $set --set";
if ( $level ) { if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref->{name}%"; my $xchainref = new_chain 'filter' , "$chainref->{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
@ -588,7 +587,7 @@ sub process_actions3 () {
} else { } else {
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
} }
add_rule $chainref, '-j ACCEPT'; add_rule $chainref, '-j ACCEPT';
} }
@ -609,14 +608,14 @@ sub process_actions3 () {
$level = '' unless defined $level; $level = '' unless defined $level;
$tag = '' unless defined $tag; $tag = '' unless defined $tag;
if ( $targets{$action} & BUILTIN ) { if ( $targets{$action} & BUILTIN ) {
$level = '' if $level =~ /none!?/; $level = '' if $level =~ /none!?/;
$builtinops{$action}->($chainref, $level, $tag); $builtinops{$action}->($chainref, $level, $tag);
} else { } else {
process_action3 $chainref, $wholeaction, $action, $level, $tag; process_action3 $chainref, $wholeaction, $action, $level, $tag;
} }
} }
} }
1; 1;


@ -47,7 +47,7 @@ our @EXPORT = qw( STANDARD
OUTPUT_RESTRICT OUTPUT_RESTRICT
POSTROUTE_RESTRICT POSTROUTE_RESTRICT
ALL_RESTRICT ALL_RESTRICT
add_command add_command
add_rule add_rule
insert_rule insert_rule
@ -99,7 +99,7 @@ our @EXPORT = qw( STANDARD
addnatjump addnatjump
insertnatjump insertnatjump
create_netfilter_load create_netfilter_load
@policy_chains @policy_chains
%chain_table %chain_table
$nat_table $nat_table
@ -249,7 +249,7 @@ my $loopcount = 0;
sub add_command($$) sub add_command($$)
{ {
my ($chainref, $command) = @_; my ($chainref, $command) = @_;
push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command ); push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command );
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -265,7 +265,7 @@ sub add_command($$)
sub add_rule($$) sub add_rule($$)
{ {
my ($chainref, $rule) = @_; my ($chainref, $rule) = @_;
$rule .= " -m comment --comment \"$comment\"" if $comment; $rule .= " -m comment --comment \"$comment\"" if $comment;
if ( $loopcount ) { if ( $loopcount ) {
@ -289,13 +289,13 @@ sub insert_rule($$$)
my ($chainref, $number, $rule) = @_; my ($chainref, $number, $rule) = @_;
fatal_error 'Internal Error in insert_rule()' if $loopcount; fatal_error 'Internal Error in insert_rule()' if $loopcount;
$rule .= "-m comment --comment \"$comment\"" if $comment; $rule .= "-m comment --comment \"$comment\"" if $comment;
splice @{$chainref->{rules}}, $number - 1, 0, $rule; splice @{$chainref->{rules}}, $number - 1, 0, $rule;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$iprangematch = 0; $iprangematch = 0;
} }
@ -429,7 +429,7 @@ sub new_chain($$)
my ($table, $chain) = @_; my ($table, $chain) = @_;
my %ch; my %ch;
my @rules; my @rules;
$ch{name} = $chain; $ch{name} = $chain;
$ch{log} = 1 if $env{LOGRULENUMBERS}; $ch{log} = 1 if $env{LOGRULENUMBERS};
$ch{rules} = \@rules; $ch{rules} = \@rules;
@ -456,7 +456,7 @@ sub ensure_chain($$)
my ($table, $chain) = @_; my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain}; my $ref = $chain_table{$table}{$chain};
return $ref if $ref; return $ref if $ref;
new_chain $table, $chain; new_chain $table, $chain;
@ -484,7 +484,7 @@ sub ensure_filter_chain( $$ )
} }
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -492,7 +492,7 @@ sub ensure_mangle_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain; my $chainref = ensure_chain 'mangle', $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
@ -504,7 +504,7 @@ sub ensure_mangle_chain($) {
sub new_builtin_chain($$$) sub new_builtin_chain($$$)
{ {
my ( $table, $chain, $policy ) = @_; my ( $table, $chain, $policy ) = @_;
my $chainref = new_chain $table, $chain; my $chainref = new_chain $table, $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
@ -515,7 +515,7 @@ sub new_standard_chain($) {
my $chainref = new_chain 'filter' ,$_[0]; my $chainref = new_chain 'filter' ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
# #
# Add all builtin chains to the chain table # Add all builtin chains to the chain table
@ -538,7 +538,7 @@ sub initialize_chain_table()
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ { for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
for my $chain qw/ FORWARD POSTROUTING / { for my $chain qw/ FORWARD POSTROUTING / {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
@ -554,7 +554,7 @@ sub finish_chain_section ($$) {
my $chain = $chainref->{name}; my $chain = $chainref->{name};
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
if ($sections{RELATED} ) { if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) { if ( $chainref->{synparams} ) {
@ -575,7 +575,7 @@ sub finish_chain_section ($$) {
} }
} }
} }
} }
# #
# Do section-end processing # Do section-end processing
@ -610,7 +610,7 @@ sub do_proto( $$$ )
my ($proto, $ports, $sports ) = @_; my ($proto, $ports, $sports ) = @_;
my $output = ''; my $output = '';
$proto = '' if $proto eq '-'; $proto = '' if $proto eq '-';
$ports = '' if $ports eq '-'; $ports = '' if $ports eq '-';
$sports = '' if $sports eq '-'; $sports = '' if $sports eq '-';
@ -624,14 +624,14 @@ sub do_proto( $$$ )
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
for my $port ( @ports ) { for my $port ( @ports ) {
if ( $port =~ /:/ ) { if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT}; fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
$count++; $count++;
} }
} }
fatal_error "Too many entries in port list: $ports" if $count > 15; fatal_error "Too many entries in port list: $ports" if $count > 15;
$output .= "-m multiport --dports $ports "; $output .= "-m multiport --dports $ports ";
@ -639,21 +639,21 @@ sub do_proto( $$$ )
$output .= "--dport $ports "; $output .= "--dport $ports ";
} }
} }
if ( $sports ) { if ( $sports ) {
my @ports = split /,/, $sports; my @ports = split /,/, $sports;
my $count = @ports; my $count = @ports;
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
for my $port ( @ports ) { for my $port ( @ports ) {
if ( $port =~ /:/ ) { if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT}; fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT};
$count++; $count++;
} }
} }
fatal_error "Too many entries in port list: $sports" if $count > 15; fatal_error "Too many entries in port list: $sports" if $count > 15;
$output .= "-m multiport --sports $sports "; $output .= "-m multiport --sports $sports ";
@ -726,17 +726,17 @@ sub validate_mark( $ ) {
sub do_test ( $$ ) sub do_test ( $$ )
{ {
my ($testval, $mask) = @_; my ($testval, $mask) = @_;
return '' unless $testval and $testval ne '-'; return '' unless $testval and $testval ne '-';
my $invert = $testval =~ s/^!// ? '! ' : ''; my $invert = $testval =~ s/^!// ? '! ' : '';
my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark '; my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark ';
$testval .= '/0xFF' unless ( $testval =~ '/' ); $testval .= '/0xFF' unless ( $testval =~ '/' );
"${invert}$match $testval "; "${invert}$match $testval ";
} }
# #
# Create a "-m limit" match for the passed LIMIT/BURST # Create a "-m limit" match for the passed LIMIT/BURST
@ -745,7 +745,7 @@ sub do_ratelimit( $ ) {
my $rate = $_[0]; my $rate = $_[0];
return '' unless $rate and $rate ne '-'; return '' unless $rate and $rate ne '-';
if ( $rate =~ /^([^:]+):([^:]+)$/ ) { if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
"-m limit --limit $1 --limit-burst $2 "; "-m limit --limit $1 --limit-burst $2 ";
} else { } else {
@ -769,7 +769,7 @@ sub do_user( $ ) {
$rule .= "--cmd-owner $2 " if $2; $rule .= "--cmd-owner $2 " if $2;
$user = $1; $user = $1;
} }
if ( $user =~ /^!(.*):(.*)$/ ) { if ( $user =~ /^!(.*):(.*)$/ ) {
$rule .= "! --uid-owner $1 " if $1; $rule .= "! --uid-owner $1 " if $1;
$rule .= "! --gid-owner $2 " if $2; $rule .= "! --gid-owner $2 " if $2;
@ -790,10 +790,10 @@ sub do_user( $ ) {
# #
sub do_tos( $ ) { sub do_tos( $ ) {
my $tos = $_[0]; my $tos = $_[0];
$tos ne '-' ? "-m tos --tos $tos " : ''; $tos ne '-' ? "-m tos --tos $tos " : '';
} }
# #
# Avoid generating a second '-m iprange' in a single rule. # Avoid generating a second '-m iprange' in a single rule.
# #
@ -825,7 +825,7 @@ sub get_set_flags( $$ ) {
$setname = $1; $setname = $1;
$options = $2; $options = $2;
} }
$setname =~ s/^\+//; $setname =~ s/^\+//;
"--set $setname $options" "--set $setname $options"
@ -836,7 +836,7 @@ sub get_set_flags( $$ ) {
# #
sub match_source_net( $ ) { sub match_source_net( $ ) {
my $net = $_[0]; my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
@ -859,7 +859,7 @@ sub match_source_net( $ ) {
# #
sub match_dest_net( $ ) { sub match_dest_net( $ ) {
my $net = $_[0]; my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
@ -881,7 +881,7 @@ sub match_orig_dest ( $ ) {
my $net = $_[0]; my $net = $_[0];
return '' if $net eq ALLIPv4; return '' if $net eq ALLIPv4;
if ( $net =~ /^!/ ) { if ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-m conntrack --ctorigdst ! $net "; "-m conntrack --ctorigdst ! $net ";
@ -908,7 +908,7 @@ sub match_ipsec_in( $$ ) {
''; '';
} }
} }
# #
# Match Dest IPSEC # Match Dest IPSEC
# #
@ -926,7 +926,7 @@ sub match_ipsec_out( $$ ) {
''; '';
} }
} }
# #
# Generate a log message # Generate a log message
# #
@ -999,7 +999,7 @@ sub mysplit( $ ) {
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
} }
push @result, $element; push @result, $element;
} }
@ -1027,7 +1027,7 @@ sub get_interface_address ( $ ) {
$interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)"; $interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)";
} }
# #
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). # This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
# #
@ -1043,7 +1043,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( $loglevel ) { if ( $loglevel ) {
( $loglevel, $logtag ) = split /:/, $loglevel; ( $loglevel, $logtag ) = split /:/, $loglevel;
if ( $loglevel =~ /^none!?$/i ) { if ( $loglevel =~ /^none!?$/i ) {
return if $disposition eq 'LOG'; return if $disposition eq 'LOG';
$loglevel = $logtag = ''; $loglevel = $logtag = '';
@ -1106,7 +1106,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( @interfaces > 1 ) { if ( @interfaces > 1 ) {
add_command $chainref, 'addresses='; add_command $chainref, 'addresses=';
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
get_interface_address $interface; get_interface_address $interface;
add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' ); add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
@ -1152,11 +1152,11 @@ sub expand_rule( $$$$$$$$$$ )
if $restriction & INPUT_RESTRICT; if $restriction & INPUT_RESTRICT;
$rule .= "-o $diface "; $rule .= "-o $diface ";
} }
} }
if ( $origdest ) { if ( $origdest ) {
if ( $origdest eq '-' ) { if ( $origdest eq '-' ) {
$origdest = ''; $origdest = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) { } elsif ( $origdest =~ /^detect:(.*)$/ ) {
# #
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -1256,7 +1256,7 @@ sub expand_rule( $$$$$$$$$$ )
# We have non-trivial exclusion -- need to create an exclusion chain # We have non-trivial exclusion -- need to create an exclusion chain
# #
my $echain = newexclusionchain; my $echain = newexclusionchain;
# #
# Use the current rule and sent all possible matches to the exclusion chain # Use the current rule and sent all possible matches to the exclusion chain
# #
@ -1275,7 +1275,7 @@ sub expand_rule( $$$$$$$$$$ )
# #
$inets = ALLIPv4; $inets = ALLIPv4;
$dnets = ALLIPv4; $dnets = ALLIPv4;
# #
# Create the Exclusion Chain # Create the Exclusion Chain
# #
@ -1347,7 +1347,7 @@ sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_; my ( $source , $dest, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {}; my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) { if ( $destref->{referenced} ) {
add_rule $nat_table->{$source} , $predicates . "-j $dest"; add_rule $nat_table->{$source} , $predicates . "-j $dest";
} else { } else {
@ -1359,9 +1359,9 @@ sub addnatjump( $$$ ) {
# #
sub insertnatjump( $$$$ ) { sub insertnatjump( $$$$ ) {
my ( $source, $dest, $countref, $predicates ) = @_; my ( $source, $dest, $countref, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {}; my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) { if ( $destref->{referenced} ) {
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest"; insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest";
} else { } else {
@ -1406,7 +1406,7 @@ sub emitr( $ ) {
} }
sub create_netfilter_load() { sub create_netfilter_load() {
emit 'setup_netfilter()'; emit 'setup_netfilter()';
emit '{'; emit '{';
push_indent; push_indent;
@ -1430,9 +1430,9 @@ sub create_netfilter_load() {
for my $table qw/raw nat mangle filter/ { for my $table qw/raw nat mangle filter/ {
emitr "*$table"; emitr "*$table";
my @chains; my @chains;
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
if ( $chainref ) { if ( $chainref ) {
@ -1479,5 +1479,5 @@ sub create_netfilter_load() {
emit "}\n"; emit "}\n";
} }
1; 1;


@ -52,7 +52,7 @@ our @EXPORT = qw(ALLIPv4
copy1 copy1
create_temp_aux_config create_temp_aux_config
finalize_aux_config finalize_aux_config
@allipv4 @allipv4
@rfc1918_networks @rfc1918_networks
$line $line
@ -111,20 +111,20 @@ sub split_line( $$ ) {
my ( $columns, $description ) = @_; my ( $columns, $description ) = @_;
chomp $line; chomp $line;
$line =~ s/\s+/ /g; $line =~ s/\s+/ /g;
my @line = split /\s+/, $line; my @line = split /\s+/, $line;
return @line if $line[0] eq 'COMMENT'; return @line if $line[0] eq 'COMMENT';
fatal_error "Invalid $description entry: $line" if @line > $columns; fatal_error "Invalid $description entry: $line" if @line > $columns;
push @line, '-' while @line < $columns; push @line, '-' while @line < $columns;
@line; @line;
} }
sub create_temp_object( $ ) { sub create_temp_object( $ ) {
my $objectfile = $_[0]; my $objectfile = $_[0];
my $suffix; my $suffix;
@ -174,7 +174,7 @@ sub emit ( $ ) {
print $object "$line\n"; print $object "$line\n";
$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" ); $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
} else { } else {
print $object "\n" unless $lastlineblank; print $object "\n" unless $lastlineblank;
$lastlineblank = 1; $lastlineblank = 1;
} }
} }
@ -188,7 +188,7 @@ sub emitj {
for ( @_ ) { emit $_ }; for ( @_ ) { emit $_ };
} }
} }
# #
# Write passed message to the object with no indentation. # Write passed message to the object with no indentation.
@ -261,14 +261,14 @@ sub pop_indent() {
sub copy( $ ) { sub copy( $ ) {
if ( $object ) { if ( $object ) {
my $file = $_[0]; my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!"; open IF , $file or fatal_error "Unable to open $file: $!";
while ( my $line = <IF> ) { while ( my $line = <IF> ) {
$line =~ s/^/$indent/ if $indent; $line =~ s/^/$indent/ if $indent;
print $object $line; print $object $line;
} }
close IF; close IF;
} }
} }
@ -276,9 +276,9 @@ sub copy( $ ) {
sub copy1( $ ) { sub copy1( $ ) {
if ( $object ) { if ( $object ) {
my $file = $_[0]; my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!"; open IF , $file or fatal_error "Unable to open $file: $!";
my $do_indent = 1; my $do_indent = 1;
while ( my $line = <IF> ) { while ( my $line = <IF> ) {
@ -287,12 +287,12 @@ sub copy1( $ ) {
$do_indent = 1; $do_indent = 1;
next; next;
} }
$line =~ s/^/$indent/ if $indent && $do_indent; $line =~ s/^/$indent/ if $indent && $do_indent;
print $object $line; print $object $line;
$do_indent = ! ( $line =~ /\\$/ ); $do_indent = ! ( $line =~ /\\$/ );
} }
close IF; close IF;
} }
} }
@ -321,6 +321,6 @@ END {
} }
system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR}; system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR};
} }
1; 1;


@ -243,9 +243,9 @@ sub report_capabilities() {
print " $capdesc{$cap}: "; print " $capdesc{$cap}: ";
print $capabilities{$cap} ? "Available\n" : "Not Available\n"; print $capabilities{$cap} ? "Available\n" : "Not Available\n";
} }
print "Shorewall has detected the following capabilities:\n"; print "Shorewall has detected the following capabilities:\n";
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
report_capability $cap; report_capability $cap;
} }
@ -373,7 +373,7 @@ sub get_configuration() {
default_yes_no 'BRIDGING' , ''; default_yes_no 'BRIDGING' , '';
fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING}; fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING};
default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'DELAYBLACKLISTLOAD' , '';
default_yes_no 'LOGTAGONLY' , ''; default_yes_no 'LOGTAGONLY' , '';
@ -397,7 +397,7 @@ sub get_configuration() {
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP'; default 'BLACKLIST_DISPOSITION' , 'DROP';
my $val; my $val;
$env{MACLIST_TARGET} = 'reject'; $env{MACLIST_TARGET} = 'reject';
@ -415,7 +415,7 @@ sub get_configuration() {
} else { } else {
$config{MACLIST_DISPOSITION} = 'REJECT'; $config{MACLIST_DISPOSITION} = 'REJECT';
} }
if ( $val = $config{MACLIST_TABLE} ) { if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) { if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT'; fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
@ -431,7 +431,7 @@ sub get_configuration() {
} else { } else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP'; $config{TCP_FLAGS_DISPOSITION} = 'DROP';
} }
$env{TC_SCRIPT} = ''; $env{TC_SCRIPT} = '';
if ( $val = "\L$config{TC_ENABLED}" ) { if ( $val = "\L$config{TC_ENABLED}" ) {
@ -451,7 +451,7 @@ sub get_configuration() {
default 'ACCEPT_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none';
default 'OPTIMIZE' , 0; default 'OPTIMIZE' , 0;
default 'IPSECFILE' , 'ipsec'; default 'IPSECFILE' , 'ipsec';
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ { for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
@ -477,7 +477,7 @@ sub get_configuration() {
}; };
fatal_error "Invalid LOGFORMAT ($val)" if $@; fatal_error "Invalid LOGFORMAT ($val)" if $@;
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\"" fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
if length $result > 29; if length $result > 29;
@ -514,7 +514,7 @@ sub propagateconfig() {
my $value = $config{$option} || ''; my $value = $config{$option} || '';
emit "$option=\"$value\""; emit "$option=\"$value\"";
} }
for my $option ( @Shorewall::Config::propagateenv ) { for my $option ( @Shorewall::Config::propagateenv ) {
my $value = $env{$option} || ''; my $value = $env{$option} || '';
emit "$option=\"$value\""; emit "$option=\"$value\"";
@ -529,7 +529,7 @@ sub append_file( $ ) {
save_progress_message "Processing $user_exit ..."; save_progress_message "Processing $user_exit ...";
copy1 $user_exit; copy1 $user_exit;
} }
} }
} }
# #
@ -570,7 +570,7 @@ sub generate_aux_config() {
create_temp_aux_config; create_temp_aux_config;
emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" ); emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" );
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) { for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option; conditionally_add_option $option;
} }


@ -45,7 +45,7 @@ sub validate_hosts_file()
maclist => 1, maclist => 1,
norfc1918 => 1, norfc1918 => 1,
nosmurfs => 1, nosmurfs => 1,
routeback => 1, routeback => 1,
routefilter => 1, routefilter => 1,
tcpflags => 1, tcpflags => 1,
); );
@ -76,7 +76,7 @@ sub validate_hosts_file()
} }
my $optionsref; my $optionsref;
if ( $options ne '-' ) { if ( $options ne '-' ) {
my @options = split ',', $options; my @options = split ',', $options;
my %options; my %options;


@ -52,7 +52,7 @@ sub decodeaddr( $ ) {
my @address = split /\./, $address; my @address = split /\./, $address;
my $result = shift @address; my $result = shift @address;
for my $a ( @address ) { for my $a ( @address ) {
$result = ( $result << 8 ) | $a; $result = ( $result << 8 ) | $a;
} }
@ -84,10 +84,10 @@ sub ip_range_explicit( $ ) {
if ( defined $high ) { if ( defined $high ) {
fatal_error "Invalid IP address ( $high )" unless valid_address $high; fatal_error "Invalid IP address ( $high )" unless valid_address $high;
my $first = decodeaddr $low; my $first = decodeaddr $low;
my $last = decodeaddr $high; my $last = decodeaddr $high;
fatal_error "Invalid IP Range ( $range )" unless $first <= $last; fatal_error "Invalid IP Range ( $range )" unless $first <= $last;
while ( ++$first <= $last ) { while ( ++$first <= $last ) {


@ -87,7 +87,7 @@ sub add_group_to_zone($$$$$)
$ifacezone = $zone if $host eq ALLIPv4; $ifacezone = $zone if $host eq ALLIPv4;
} }
} }
push @$new, $switched ? "$interface:$host" : $host; push @$new, $switched ? "$interface:$host" : $host;
} }
@ -111,7 +111,8 @@ sub add_group_to_zone($$$$$)
# #
# Parse the interfaces file. # Parse the interfaces file.
# #
sub validate_interfaces_file() sub validate_interfaces_file()
{ {
my %validoptions = (arp_filter => 1, my %validoptions = (arp_filter => 1,
@ -124,7 +125,7 @@ sub validate_interfaces_file()
norfc1918 => 1, norfc1918 => 1,
nosmurfs => 1, nosmurfs => 1,
proxyarp => 1, proxyarp => 1,
routeback => 1, routeback => 1,
routefilter => 1, routefilter => 1,
sourceroute => 1, sourceroute => 1,
tcpflags => 1, tcpflags => 1,
@ -188,13 +189,13 @@ sub validate_interfaces_file()
push @interfaces, $interface; push @interfaces, $interface;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone; add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$line\" Validated"; progress_message " Interface \"$line\" Validated";
} }
close INTERFACES; close INTERFACES;
} }


@ -59,7 +59,7 @@ sub find_macro( $ )
$macros{$macro} = $macrofile; $macros{$macro} = $macrofile;
$targets{$macro} = MACRO; $targets{$macro} = MACRO;
} }
} }
# #
# Macro and action files can have shell variables embedded. This function expands them from %ENV. # Macro and action files can have shell variables embedded. This function expands them from %ENV.
@ -67,7 +67,7 @@ sub find_macro( $ )
sub expand_shell_variables( $ ) { sub expand_shell_variables( $ ) {
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line; my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
} }
# #
# Return ( action, level[:tag] ) from passed full action # Return ( action, level[:tag] ) from passed full action
# #
@ -112,7 +112,7 @@ sub merge_macro_source_dest( $$ ) {
return "$invocation:$body"; return "$invocation:$body";
} }
} }
$body || ''; $body || '';
} }


@ -142,7 +142,7 @@ sub setup_one_masq($$$$$$)
if ( $2 =~ /\./ ) { if ( $2 =~ /\./ ) {
$fullinterface = $one; $fullinterface = $one;
$destnets = $two; $destnets = $two;
} }
} }
# #
@ -162,7 +162,7 @@ sub setup_one_masq($$$$$$)
# Handle Protocol and Ports # Handle Protocol and Ports
# #
$rule .= do_proto $proto, $ports, ''; $rule .= do_proto $proto, $ports, '';
my $detectaddress = 0; my $detectaddress = 0;
# #
# Parse the ADDRESSES column # Parse the ADDRESSES column
@ -232,7 +232,7 @@ sub setup_one_masq($$$$$$)
} }
progress_message " Masq record \"$line\" $done"; progress_message " Masq record \"$line\" $done";
} }
# #
@ -294,7 +294,7 @@ sub do_one_nat( $$$$$ )
sub add_nat_rule( $$ ) { sub add_nat_rule( $$ ) {
add_rule ensure_chain( 'nat', $_[0] ) , $_[1]; add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
} }
my $add_ip_aliases = $config{ADD_IP_ALIASES}; my $add_ip_aliases = $config{ADD_IP_ALIASES};
my $policyin = ''; my $policyin = '';
@ -320,7 +320,7 @@ sub do_one_nat( $$$$$ )
validate_nat_column 'ALL INTERFACES', \$allints; validate_nat_column 'ALL INTERFACES', \$allints;
validate_nat_column 'LOCAL' , \$localnat; validate_nat_column 'LOCAL' , \$localnat;
if ( $allints ) { if ( $allints ) {
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
@ -328,7 +328,7 @@ sub do_one_nat( $$$$$ )
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
} }
add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat; add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat;
if ( $add_ip_aliases ) { if ( $add_ip_aliases ) {
@ -345,7 +345,7 @@ sub do_one_nat( $$$$$ )
# Process NAT file # Process NAT file
# #
sub setup_nat() { sub setup_nat() {
open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!"; open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!";
while ( $line = <NAT> ) { while ( $line = <NAT> ) {
@ -362,7 +362,7 @@ sub setup_nat() {
} else { } else {
do_one_nat $external, $interface, $internal, $allints, $localnat; do_one_nat $external, $interface, $internal, $allints, $localnat;
} }
} }
close NAT; close NAT;
@ -374,7 +374,7 @@ sub setup_nat() {
# Setup Network Mapping # Setup Network Mapping
# #
sub setup_netmap() { sub setup_netmap() {
open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!"; open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!";
while ( $line = <NM> ) { while ( $line = <NM> ) {


@ -45,7 +45,7 @@ sub new_policy_chain($$$)
my ($chain, $policy, $optional) = @_; my ($chain, $policy, $optional) = @_;
my $chainref = new_chain 'filter', $chain; my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
$chainref->{is_optional} = $optional; $chainref->{is_optional} = $optional;
@ -87,12 +87,12 @@ sub validate_policy()
QUEUE => undef, QUEUE => undef,
NONE => undef NONE => undef
); );
my %map = ( DROP_DEFAULT => 'DROP' , my %map = ( DROP_DEFAULT => 'DROP' ,
REJECT_DEFAULT => 'REJECT' , REJECT_DEFAULT => 'REJECT' ,
ACCEPT_DEFAULT => 'ACCEPT' , ACCEPT_DEFAULT => 'ACCEPT' ,
QUEUE_DEFAULT => 'QUEUE' ); QUEUE_DEFAULT => 'QUEUE' );
my $zone; my $zone;
use constant { OPTIONAL => 1 }; use constant { OPTIONAL => 1 };
@ -101,7 +101,7 @@ sub validate_policy()
my $action = $config{$option}; my $action = $config{$option};
next if $action eq 'none'; next if $action eq 'none';
my $actiontype = $targets{$action}; my $actiontype = $targets{$action};
if ( defined $actiontype ) { if ( defined $actiontype ) {
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION; fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
} else { } else {
@ -115,7 +115,7 @@ sub validate_policy()
$default_actions{$map{$option}} = $action; $default_actions{$map{$option}} = $action;
} }
for $zone ( @zones ) { for $zone ( @zones ) {
push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL ); push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL );
@ -138,7 +138,7 @@ sub validate_policy()
$synparams = '' unless defined $synparams; $synparams = '' unless defined $synparams;
$loglevel = '' if $loglevel eq '-'; $loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-'; $synparams = '' if $synparams eq '-';
my $clientwild = ( "\L$client" eq 'all' ); my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client}; fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
@ -153,7 +153,7 @@ sub validate_policy()
$default = 'none'; $default = 'none';
} elsif ( $default ) { } elsif ( $default ) {
my $defaulttype = $targets{$default}; my $defaulttype = $targets{$default};
if ( $defaulttype & ACTION ) { if ( $defaulttype & ACTION ) {
unless ( $usedactions{$default} ) { unless ( $usedactions{$default} ) {
$usedactions{$default} = 1; $usedactions{$default} = 1;
@ -161,7 +161,7 @@ sub validate_policy()
} }
} else { } else {
fatal_error "Unknown Default Action ($default) in policy \"$line\""; fatal_error "Unknown Default Action ($default) in policy \"$line\"";
} }
} else { } else {
$default = $default_actions{$policy} || ''; $default = $default_actions{$policy} || '';
} }
@ -174,13 +174,13 @@ sub validate_policy()
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
if $clientwild || $serverwild; if $clientwild || $serverwild;
} }
my $chain = "${client}2${server}"; my $chain = "${client}2${server}";
my $chainref; my $chainref;
if ( defined $filter_table->{$chain} ) { if ( defined $filter_table->{$chain} ) {
$chainref = $filter_table->{$chain}; $chainref = $filter_table->{$chain};
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{is_optional} ) { if ( $chainref->{is_optional} ) {
$chainref->{is_optional} = 0; $chainref->{is_optional} = 0;
@ -221,13 +221,13 @@ sub validate_policy()
set_policy_chain "${client}2${zone}", $chainref, $policy; set_policy_chain "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain; print_policy $client, $zone, $policy, $chain;
} }
} else { } else {
print_policy $client, $server, $policy, $chain; print_policy $client, $server, $policy, $chain;
} }
} }
close POLICY; close POLICY;
} }
# #
@ -281,7 +281,7 @@ sub default_policy( $$$ ) {
} }
progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}"; progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
} }
sub apply_policy_rules() { sub apply_policy_rules() {


@ -79,7 +79,7 @@ fi
for my $interface ( @$interfaces1 ) { for my $interface ( @$interfaces1 ) {
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore"; my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
my $value = get_interface_option $interface, 'arp_ignore'; my $value = get_interface_option $interface, 'arp_ignore';
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value; fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
emit "if [ -f $file ]; then emit "if [ -f $file ]; then
@ -100,7 +100,7 @@ sub setup_route_filtering() {
my $interfaces = find_interfaces_by_option 'routefilter'; my $interfaces = find_interfaces_by_option 'routefilter';
if ( @$interfaces || $config{ROUTE_FILTER} ) { if ( @$interfaces || $config{ROUTE_FILTER} ) {
progress_message2 "$doing Kernel Route Filtering..."; progress_message2 "$doing Kernel Route Filtering...";
save_progress_message "Setting up Route Filtering..."; save_progress_message "Setting up Route Filtering...";
@ -120,7 +120,7 @@ else
fi fi
"; ";
} }
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
if ( $config{ROUTE_FILTER} ) { if ( $config{ROUTE_FILTER} ) {
@ -140,7 +140,7 @@ sub setup_martian_logging() {
my $interfaces = find_interfaces_by_option 'logmartians'; my $interfaces = find_interfaces_by_option 'logmartians';
if ( @$interfaces || $config{LOG_MARTIANS} ) { if ( @$interfaces || $config{LOG_MARTIANS} ) {
progress_message2 "$doing Martian Logging..."; progress_message2 "$doing Martian Logging...";
save_progress_message "Setting up Martian Logging..."; save_progress_message "Setting up Martian Logging...";
@ -160,7 +160,7 @@ else
fi fi
"; ";
} }
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
if ( $config{LOG_MARTIANS} ) { if ( $config{LOG_MARTIANS} ) {
@ -170,7 +170,7 @@ fi
} }
} }
# #
# Source Routing # Source Routing
# #


@ -61,10 +61,10 @@ my @providers;
sub setup_route_marking() { sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF'; my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark'; my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark'; my $chainref = new_chain 'mangle', 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) { while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
@ -95,11 +95,11 @@ sub setup_providers() {
sub copy_and_edit_table( $$$ ) { sub copy_and_edit_table( $$$ ) {
my ( $duplicate, $number, $copy ) = @_; my ( $duplicate, $number, $copy ) = @_;
my $match = $copy; my $match = $copy;
$match =~ s/ /\|/g; $match =~ s/ /\|/g;
emitj ( "ip route show table $duplicate | while read net route; do", emitj ( "ip route show table $duplicate | while read net route; do",
' case $net in', ' case $net in',
' default|nexthop)', ' default|nexthop)',
@ -118,18 +118,18 @@ sub setup_providers() {
sub balance_default_route( $$$ ) { sub balance_default_route( $$$ ) {
my ( $weight, $gateway, $interface ) = @_; my ( $weight, $gateway, $interface ) = @_;
$balance = 1; $balance = 1;
emit ''; emit '';
if ( $first_default_route ) { if ( $first_default_route ) {
if ( $gateway ) { if ( $gateway ) {
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\""; emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
} else { } else {
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\""; emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
} }
$first_default_route = 0; $first_default_route = 0;
} else { } else {
if ( $gateway ) { if ( $gateway ) {
@ -139,15 +139,15 @@ sub setup_providers() {
} }
} }
} }
sub add_a_provider( $$$$$$$$ ) { sub add_a_provider( $$$$$$$$ ) {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_; my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
fatal_error "Duplicate provider ( $table )" if $providers{$table}; fatal_error "Duplicate provider ( $table )" if $providers{$table};
for my $provider ( keys %providers ) { for my $provider ( keys %providers ) {
fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number; fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number;
} }
@ -161,7 +161,7 @@ sub setup_providers() {
emit "${iface}_up=Yes"; emit "${iface}_up=Yes";
emit "qt ip route flush table $number"; emit "qt ip route flush table $number";
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing"; emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
$duplicate = '-' unless $duplicate; $duplicate = '-' unless $duplicate;
$copy = '-' unless $copy; $copy = '-' unless $copy;
@ -173,7 +173,7 @@ sub setup_providers() {
my @c = ( split /,/, $copy ); my @c = ( split /,/, $copy );
$copy = "@c"; $copy = "@c";
} }
copy_and_edit_table( $duplicate, $number ,$copy ); copy_and_edit_table( $duplicate, $number ,$copy );
} else { } else {
copy_table ( $duplicate, $number ); copy_table ( $duplicate, $number );
@ -199,7 +199,7 @@ sub setup_providers() {
$gateway = ''; $gateway = '';
emit "run_ip route add default dev $interface table $number"; emit "run_ip route add default dev $interface table $number";
} }
$mark = '-' unless $mark; $mark = '-' unless $mark;
my $val = 0; my $val = 0;
@ -207,15 +207,15 @@ sub setup_providers() {
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
$val = numeric_value $mark; $val = numeric_value $mark;
verify_mark $mark; verify_mark $mark;
if ( $val < 256) { if ( $val < 256) {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS}; fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
} else { } else {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS}; fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
} }
for my $provider ( keys %providers ) { for my $provider ( keys %providers ) {
my $num = $providers{$provider}{mark}; my $num = $providers{$provider}{mark};
fatal_error "Duplicate mark value ( $mark )" if $num == $val; fatal_error "Duplicate mark value ( $mark )" if $num == $val;
@ -254,48 +254,48 @@ sub setup_providers() {
} }
} }
} }
if ( $loose ) { if ( $loose ) {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emitj ( "find_interface_addresses $interface | while read address; do", emitj ( "find_interface_addresses $interface | while read address; do",
' qt ip rule del from $address', ' qt ip rule del from $address',
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing", " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
'done' ); 'done' );
} else { } else {
emit "\nfind_interface_addresses $interface | while read address; do"; emit "\nfind_interface_addresses $interface | while read address; do";
emit ' qt ip rule del from $address'; emit ' qt ip rule del from $address';
emit 'done'; emit 'done';
} }
emit "\nprogress_message \" Provider $table ($number) Added\"\n"; emit "\nprogress_message \" Provider $table ($number) Added\"\n";
pop_indent; pop_indent;
emit 'else'; emit 'else';
if ( $optional ) { if ( $optional ) {
emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""; emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"";
emit " ${iface}_up="; emit " ${iface}_up=";
} else { } else {
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""; emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
} }
emit "fi\n"; emit "fi\n";
} }
sub add_an_rtrule( $$$$ ) { sub add_an_rtrule( $$$$ ) {
my ( $source, $dest, $provider, $priority ) = @_; my ( $source, $dest, $provider, $priority ) = @_;
unless ( $providers{$provider} ) { unless ( $providers{$provider} ) {
my $found = 0; my $found = 0;
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) { if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
my $provider_number = numeric_value $provider; my $provider_number = numeric_value $provider;
for my $provider ( keys %providers ) { for my $provider ( keys %providers ) {
if ( $providers{$provider}{number} == $provider_number ) { if ( $providers{$provider}{number} == $provider_number ) {
$found = 1; $found = 1;
@ -303,17 +303,17 @@ sub setup_providers() {
} }
} }
} }
fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found; fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found;
} }
$source = '-' unless $source; $source = '-' unless $source;
$dest = '-' unless $dest; $dest = '-' unless $dest;
fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-'; fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-';
$dest = $dest eq '-' ? '' : "to $dest"; $dest = $dest eq '-' ? '' : "to $dest";
if ( $source eq '-' ) { if ( $source eq '-' ) {
$source = ''; $source = '';
} elsif ( $source =~ /:/ ) { } elsif ( $source =~ /:/ ) {
@ -324,11 +324,11 @@ sub setup_providers() {
} else { } else {
$source = "iif $source"; $source = "iif $source";
} }
fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/; fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/;
$priority = "priority $priority"; $priority = "priority $priority";
emit "qt ip rule del $source $dest $priority"; emit "qt ip rule del $source $dest $priority";
emit "run_ip rule add $source $dest $priority table $provider"; emit "run_ip rule add $source $dest $priority table $provider";
emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing"; emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing";
@ -358,15 +358,15 @@ sub setup_providers() {
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
'> ${VARDIR}/undo_routing' ); '> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...'; save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE='; emit 'DEFAULT_ROUTE=';
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!"; open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
while ( $line = <PV> ) { while ( $line = <PV> ) {
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file'; my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ); add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@ -392,8 +392,10 @@ sub setup_providers() {
'fi', 'fi',
'' ); '' );
} else { } else {
emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#"; emitj( '#',
emit 'restore_default_route'; '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
'#',
'restore_default_route' );
} }
emit 'cat > /etc/iproute2/rt_tables <<EOF'; emit 'cat > /etc/iproute2/rt_tables <<EOF';
@ -412,7 +414,7 @@ sub setup_providers() {
emit 'echocommand=$(find_echo)'; emit 'echocommand=$(find_echo)';
emit ''; emit '';
for my $table ( @providers ) { for my $table ( @providers ) {
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables"; emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
} }
@ -427,7 +429,7 @@ sub setup_providers() {
while ( $line = <RR> ) { while ( $line = <RR> ) {
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file'; my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority ); add_an_rtrule( $source, $dest, $provider , $priority );
} }
@ -439,7 +441,7 @@ sub setup_providers() {
emit 'run_ip route flush cache'; emit 'run_ip route flush cache';
pop_indent; pop_indent;
emit "fi\n"; emit "fi\n";
setup_route_marking if @routemarked_interfaces; setup_route_marking if @routemarked_interfaces;
} }
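Review bot: The new emitj() call in the `-392,8 +392,10` hunk backslash-escapes every apostrophe in the comment text (`'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved'`), which is noticeably harder to read than the double-quoted form it replaced. The string interpolates nothing (no `$` or `@`), so `"# We don't have any 'balance' providers so we restore any default route that we've saved"` or `q{# We don't have any 'balance' providers so we restore any default route that we've saved}` keeps the text literal with no escapes. This is source-only wording; the emitted script presumably comes out the same either way. setup_providers() begins and ends outside the hunk.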


@ -69,7 +69,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
fi fi
progress_message \" Host $address connected to $interface added to ARP on $external\"\n"; progress_message \" Host $address connected to $interface added to ARP on $external\"\n";
push @proxyarp, "$address $interface $external $haveroute"; push @proxyarp, "$address $interface $external $haveroute";
progress_message " Host $address connected to $interface added to ARP on $external"; progress_message " Host $address connected to $interface added to ARP on $external";
@ -91,7 +91,7 @@ sub setup_proxy_arp() {
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!"; open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
while ( $line = <PA> ) { while ( $line = <PA> ) {
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file'; my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
$set{$interface} = 1; $set{$interface} = 1;


@ -71,9 +71,9 @@ sub process_tos() {
open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!"; open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!";
while ( $line = <TOS> ) { while ( $line = <TOS> ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file'; my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
fatal_error "TOS field required: $line" unless $tos ne '-'; fatal_error "TOS field required: $line" unless $tos ne '-';
my $chainref; my $chainref;
@ -81,7 +81,7 @@ sub process_tos() {
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
my ( $srczone , $source ) = split /:/, $src; my ( $srczone , $source ) = split /:/, $src;
if ( $srczone eq $firewall_zone ) { if ( $srczone eq $firewall_zone ) {
$chainref = $outtosref; $chainref = $outtosref;
$src = $source || '-'; $src = $source || '-';
@ -92,7 +92,7 @@ sub process_tos() {
} }
$dst =~ s/^all:?//; $dst =~ s/^all:?//;
expand_rule expand_rule
$chainref , $chainref ,
$restriction , $restriction ,
@ -133,11 +133,11 @@ sub setup_rfc1918_filteration( $ ) {
} }
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!"; open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
while ( $line = <RFC> ) { while ( $line = <RFC> ) {
my ( $networks, $target ) = split_line 2, 'rfc1918 file'; my ( $networks, $target ) = split_line 2, 'rfc1918 file';
my $s_target; my $s_target;
if ( $target eq 'logdrop' ) { if ( $target eq 'logdrop' ) {
@ -202,9 +202,9 @@ sub setup_blacklist() {
if ( $level ) { if ( $level ) {
my $chainref = new_standard_chain 'blacklog'; my $chainref = new_standard_chain 'blacklog';
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' ); log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
add_rule $chainref, "-j $target" ; add_rule $chainref, "-j $target" ;
$target = 'blacklog'; $target = 'blacklog';
@ -217,7 +217,7 @@ sub setup_blacklist() {
progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) ); progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) );
while ( $line = <BL> ) { while ( $line = <BL> ) {
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file'; my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
expand_rule expand_rule
@ -231,7 +231,7 @@ sub setup_blacklist() {
'' , '' ,
$disposition , $disposition ,
''; '';
progress_message " \"$line\" added to blacklist"; progress_message " \"$line\" added to blacklist";
} }
} }
@ -239,14 +239,14 @@ sub setup_blacklist() {
close BL; close BL;
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for my $hostref ( @$hosts ) { for my $hostref ( @$hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2]; my $network = $hostref->[2];
my $source = match_source_net $network; my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
} }
@ -268,7 +268,7 @@ sub process_criticalhosts() {
while ( $line = <RS> ) { while ( $line = <RS> ) {
my $routeback = 0; my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -309,7 +309,7 @@ sub process_routestopped() {
while ( $line = <RS> ) { while ( $line = <RS> ) {
my $routeback = 0; my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -327,7 +327,7 @@ sub process_routestopped() {
warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\""; warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\"";
} else { } else {
$routeback = 1; $routeback = 1;
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
my $source = match_source_net $host; my $source = match_source_net $host;
my $dest = match_dest_net $host; my $dest = match_dest_net $host;
@ -342,7 +342,7 @@ sub process_routestopped() {
} elsif ( $option eq 'dest' ) { } elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
$dest{"$interface:$host"} = 1; $dest{"$interface:$host"} = 1;
} }
} else { } else {
warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical'; warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical';
} }
@ -358,10 +358,10 @@ sub process_routestopped() {
my ( $interface, $h ) = split /:/, $host; my ( $interface, $h ) = split /:/, $host;
my $source = match_source_net $h; my $source = match_source_net $h;
my $dest = match_dest_net $h; my $dest = match_dest_net $h;
emit "\$IPTABLES INPUT -i $interface $source ACCEPT"; emit "\$IPTABLES INPUT -i $interface $source ACCEPT";
emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED}; emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED};
my $matched = 0; my $matched = 0;
if ( $source{$host} ) { if ( $source{$host} ) {
@ -373,7 +373,7 @@ sub process_routestopped() {
emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT"; emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT";
$matched = 1; $matched = 1;
} }
unless ( $matched ) { unless ( $matched ) {
for my $host1 ( @allhosts ) { for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) { unless ( $host eq $host1 ) {
@ -405,7 +405,7 @@ sub add_common_rules() {
new_standard_chain 'dynamic'; new_standard_chain 'dynamic';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for $interface ( @interfaces ) { for $interface ( @interfaces ) {
for $chain ( input_chain $interface , forward_chain $interface ) { for $chain ( input_chain $interface , forward_chain $interface ) {
add_rule new_standard_chain( $chain ) , "$state -j dynamic"; add_rule new_standard_chain( $chain ) , "$state -j dynamic";
@ -429,7 +429,7 @@ sub add_common_rules() {
} elsif ( @$list ) { } elsif ( @$list ) {
fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables"; fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables";
} }
if ( @$list ) { if ( @$list ) {
progress_message2 ' Adding Anti-smurf Rules'; progress_message2 ' Adding Anti-smurf Rules';
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
@ -441,9 +441,9 @@ sub add_common_rules() {
} }
} }
} }
add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset'; add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset';
if ( $capabilities{ENHANCED_REJECT} ) { if ( $capabilities{ENHANCED_REJECT} ) {
add_rule $rejectref , '-p udp -j REJECT'; add_rule $rejectref , '-p udp -j REJECT';
add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable'; add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable';
@ -480,20 +480,20 @@ sub add_common_rules() {
my $disposition; my $disposition;
progress_message2 " $doing TCP Flags filtering..."; progress_message2 " $doing TCP Flags filtering...";
$chainref = new_standard_chain 'tcpflags'; $chainref = new_standard_chain 'tcpflags';
if ( $config{TCP_FLAGS_LOG_LEVEL} ) { if ( $config{TCP_FLAGS_LOG_LEVEL} ) {
my $logflagsref = new_standard_chain 'logflags'; my $logflagsref = new_standard_chain 'logflags';
my $savelogparms = $env{LOGPARMS}; my $savelogparms = $env{LOGPARMS};
$env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG'; $env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG';
log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
$env{LOGPARMS} = $savelogparms; $env{LOGPARMS} = $savelogparms;
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
add_rule $logflagsref , '-j REJECT --reject-with tcp-reset'; add_rule $logflagsref , '-j REJECT --reject-with tcp-reset';
} else { } else {
@ -527,13 +527,13 @@ sub add_common_rules() {
new_standard_chain $chain; new_standard_chain $chain;
} }
} }
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1; (new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
add_rule $filter_table->{input_chain $interface}, "-j $chain"; add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface; add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
} }
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
@ -570,16 +570,16 @@ sub setup_mac_lists( $ ) {
} }
my @maclist_interfaces = ( sort keys %maclist_interfaces ); my @maclist_interfaces = ( sort keys %maclist_interfaces );
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..."; progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
if ( $phase == 1 ) { if ( $phase == 1 ) {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = new_chain $table , mac_chain $interface; my $chainref = new_chain $table , mac_chain $interface;
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp}; if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
if ( $config{MACLIST_TTL} ) { if ( $config{MACLIST_TTL} ) {
my $chain1ref = new_chain $table, macrecent_target $interface; my $chain1ref = new_chain $table, macrecent_target $interface;
@ -709,11 +709,11 @@ sub process_macro ( $$$$$$$$$$$ ) {
next if $line =~ /^\s*$/; next if $line =~ /^\s*$/;
$line =~ s/#.*$//; $line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard; $line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
$mtarget = merge_levels $target, $mtarget; $mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM:?/ ) { if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
$mtarget = substitute_action $param, $mtarget; $mtarget = substitute_action $param, $mtarget;
@ -727,7 +727,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
createactionchain $mtarget; createactionchain $mtarget;
$usedactions{$mtarget} = 1; $usedactions{$mtarget} = 1;
} }
$mtarget = find_logactionchain $mtarget; $mtarget = find_logactionchain $mtarget;
} else { } else {
fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD; fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD;
@ -746,7 +746,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
} }
$msource = '' if $msource eq '-'; $msource = '' if $msource eq '-';
if ( $mdest ) { if ( $mdest ) {
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) { if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
$mdest = $dest || ''; $mdest = $dest || '';
@ -766,7 +766,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
$msports = merge_macro_column $msports, $sports; $msports = merge_macro_column $msports, $sports;
$mrate = merge_macro_column $mrate, $rate; $mrate = merge_macro_column $mrate, $rate;
$muser = merge_macro_column $muser, $user; $muser = merge_macro_column $muser, $user;
process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user; process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user;
progress_message " Rule \"$line\" $done"; } progress_message " Rule \"$line\" $done"; }
@ -794,9 +794,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype; fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
process_macro process_macro
$macros{$basictarget}, $macros{$basictarget},
target , $target ,
$param , $param ,
$source, $source,
$dest, $dest,
@ -848,7 +848,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
$sourcezone = $source; $sourcezone = $source;
$source = ALLIPv4; $source = ALLIPv4;
} }
if ( $dest =~ /^(.+?):(.*)/ ) { if ( $dest =~ /^(.+?):(.*)/ ) {
$destzone = $1; $destzone = $1;
$dest = $2; $dest = $2;
@ -966,7 +966,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
# NONAT or ACCEPT+ -- May not specify a destination interface # NONAT or ACCEPT+ -- May not specify a destination interface
# #
fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/; fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/;
$origdest = '' unless $origdest and $origdest ne '-'; $origdest = '' unless $origdest and $origdest ne '-';
if ( $origdest eq 'detect' ) { if ( $origdest eq 'detect' ) {
@ -1146,7 +1146,7 @@ sub process_rules() {
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user; process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
} }
} }
close RULES; close RULES;
$comment = ''; $comment = '';
@ -1172,16 +1172,16 @@ sub generate_matrix() {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}"; my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
return $chain if $chainref && $chainref->{referenced}; return $chain if $chainref && $chainref->{referenced};
return 'ACCEPT' if $zone eq $zone1; return 'ACCEPT' if $zone eq $zone1;
if ( $chainref->{policy} ne 'CONTINUE' ) { if ( $chainref->{policy} ne 'CONTINUE' ) {
my $policyref = $chainref->{policychain}; my $policyref = $chainref->{policychain};
return $policyref->{name} if $policyref; return $policyref->{name} if $policyref;
fatal_error "No policy defined for zone $zone to zone $zone1"; fatal_error "No policy defined for zone $zone to zone $zone1";
} }
''; '';
} }
@ -1200,9 +1200,9 @@ sub generate_matrix() {
# #
sub insert_exclusions( $$ ) { sub insert_exclusions( $$ ) {
my ( $chainref, $exclusionsref ) = @_; my ( $chainref, $exclusionsref ) = @_;
my $num = 1; my $num = 1;
for my $host ( @{$exclusionsref} ) { for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host; my ( $interface, $net ) = split /:/, $host;
insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
@ -1214,12 +1214,13 @@ sub generate_matrix() {
# #
sub add_exclusions ( $$ ) { sub add_exclusions ( $$ ) {
my ( $chainref, $exclusionsref ) = @_; my ( $chainref, $exclusionsref ) = @_;
for my $host ( @{$exclusionsref} ) { for my $host ( @{$exclusionsref} ) {
my ( $interface, $net ) = split /:/, $host; my ( $interface, $net ) = split /:/, $host;
add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
} }
} }
# #
# Generate_Matrix() Starts Here # Generate_Matrix() Starts Here
# #
@ -1241,7 +1242,7 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , ''; addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , ''; addnatjump 'POSTROUTING' , 'nat_out' , '';
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface "; addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface ";
addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface "; addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface ";
@ -1256,7 +1257,7 @@ sub generate_matrix() {
my $num = 1; my $num = 1;
my $in_ref = new_standard_chain "${zone}_input"; my $in_ref = new_standard_chain "${zone}_input";
my $out_ref = new_standard_chain "${zone}_output"; my $out_ref = new_standard_chain "${zone}_output";
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT'; add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT';
for my $host ( @$exclusions ) { for my $host ( @$exclusions ) {
@ -1265,13 +1266,13 @@ sub generate_matrix() {
add_rule $in_ref , "-i $interface -s $net -j RETURN"; add_rule $in_ref , "-i $interface -s $net -j RETURN";
add_rule $out_ref , "-i $interface -s $net -j RETURN"; add_rule $out_ref , "-i $interface -s $net -j RETURN";
} }
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $source_ref = $zoneref->{hosts}{ipsec} || []; my $source_ref = $zoneref->{hosts}{ipsec} || [];
create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' ); create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' );
for my $interface ( keys %$source_ref ) { for my $interface ( keys %$source_ref ) {
my $arrayref = $source_ref->{$interface}; my $arrayref = $source_ref->{$interface};
for my $hostref ( @{$arrayref} ) { for my $hostref ( @{$arrayref} ) {
@ -1283,7 +1284,7 @@ sub generate_matrix() {
} }
} }
} }
} }
} }
} }
# #
@ -1335,7 +1336,7 @@ sub generate_matrix() {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" ); add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
} }
} }
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match ); insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );
if ( $chain2 ) { if ( $chain2 ) {
@ -1366,11 +1367,11 @@ sub generate_matrix() {
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) { for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
my $zone1ref = $zones{$zone1}; my $zone1ref = $zones{$zone1};
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE'; next if $policy eq 'NONE';
my $chain = rules_target $zone, $zone1; my $chain = rules_target $zone, $zone1;
next unless $chain; next unless $chain;
if ( $zone eq $zone1 ) { if ( $zone eq $zone1 ) {
@ -1380,7 +1381,7 @@ sub generate_matrix() {
no warnings; no warnings;
next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
} }
if ( $chain =~ /2all$/ ) { if ( $chain =~ /2all$/ ) {
if ( $chain ne $last_chain ) { if ( $chain ne $last_chain ) {
$last_chain = $chain; $last_chain = $chain;
@ -1398,7 +1399,7 @@ sub generate_matrix() {
$last_chain = ''; $last_chain = '';
} }
} }
if ( $last_chain && @temp_zones == 1 ) { if ( $last_chain && @temp_zones == 1 ) {
push @dest_zones, @temp_zones; push @dest_zones, @temp_zones;
$last_chain = ''; $last_chain = '';
@ -1424,9 +1425,9 @@ sub generate_matrix() {
next unless $chain; next unless $chain;
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES}; push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
my $num_ifaces = 0; my $num_ifaces = 0;
if ( $zone eq $zone1 ) { if ( $zone eq $zone1 ) {
# #
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning. # One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
@ -1437,9 +1438,9 @@ sub generate_matrix() {
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
my $exclusions1 = $zone1ref->{exclusions}; my $exclusions1 = $zone1ref->{exclusions};
my $dest_hosts_ref = $zone1ref->{hosts}; my $dest_hosts_ref = $zone1ref->{hosts};
if ( @$exclusions1 ) { if ( @$exclusions1 ) {
if ( $chain eq "all2$zone1" ) { if ( $chain eq "all2$zone1" ) {
unless ( $chain_exclusions{$chain} ) { unless ( $chain_exclusions{$chain} ) {
@ -1448,7 +1449,7 @@ sub generate_matrix() {
} }
} elsif ( $chain =~ /2all$/ ) { } elsif ( $chain =~ /2all$/ ) {
my $chain1 = $policy_exclusions{"${chain}_${zone1}"}; my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
unless ( $chain ) { unless ( $chain ) {
$chain1 = newexclusionchain; $chain1 = newexclusionchain;
$policy_exclusions{"${chain}_${zone1}"} = $chain1; $policy_exclusions{"${chain}_${zone1}"} = $chain1;
@ -1456,13 +1457,13 @@ sub generate_matrix() {
add_exclusions $chain1ref, $exclusions1; add_exclusions $chain1ref, $exclusions1;
add_rule $chain1ref, "-j $chain"; add_rule $chain1ref, "-j $chain";
} }
$chain = $chain1; $chain = $chain1;
} else { } else {
insert_exclusions $chainref , $exclusions1; insert_exclusions $chainref , $exclusions1;
} }
} }
if ( $complex ) { if ( $complex ) {
for my $typeref ( values %$dest_hosts_ref ) { for my $typeref ( values %$dest_hosts_ref ) {
for my $interface ( keys %$typeref ) { for my $interface ( keys %$typeref ) {
@ -1580,6 +1581,6 @@ sub dump_rule_chains() {
for my $arrayref ( @rule_chains ) { for my $arrayref ( @rule_chains ) {
emit_unindented "@$arrayref"; emit_unindented "@$arrayref";
} }
} }
1; 1;


@ -49,7 +49,7 @@ my %tcs = ( t => { chain => 'tcpost',
ct => { chain => 'tcpost' , ct => { chain => 'tcpost' ,
target => 'CONNMARK --set-mark' , target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
fw => 1 fw => 1
} , } ,
c => { target => 'CONNMARK --set-mark' , c => { target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
@ -91,7 +91,7 @@ use constant { NOMARK => 0 ,
SMALLMARK => 1 , SMALLMARK => 1 ,
HIGHMARK => 2 HIGHMARK => 2
}; };
my @tccmd = ( { pattern => 'SAVE' , my @tccmd = ( { pattern => 'SAVE' ,
target => 'CONNMARK --save-mark --mask' , target => 'CONNMARK --save-mark --mask' ,
mark => SMALLMARK , mark => SMALLMARK ,
@ -142,7 +142,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
if ( $designator ) { if ( $designator ) {
$tcsref = $tcs{$designator}; $tcsref = $tcs{$designator};
if ( $tcsref ) { if ( $tcsref ) {
if ( $chain eq 'tcout' ) { if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw}; fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw};
@ -151,7 +151,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
$chain = $tcsref->{chain} if $tcsref->{chain}; $chain = $tcsref->{chain} if $tcsref->{chain};
$target = $tcsref->{target} if $tcsref->{target}; $target = $tcsref->{target} if $tcsref->{target};
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark}; $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
} else { } else {
fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
$chain = 'tcpost'; $chain = 'tcpost';
@ -173,12 +173,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) { for my $tccmd ( @tccmd ) {
if ( $cmd =~ /^($tccmd->{pattern})$/ ) { if ( $cmd =~ /^($tccmd->{pattern})$/ ) {
fatal_error "$mark not valid with :C[FP]" if $connmark; fatal_error "$mark not valid with :C[FP]" if $connmark;
$target = "$tccmd->{target} "; $target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark}; my $marktype = $tccmd->{mark};
$mark =~ s/^[!&]//; $mark =~ s/^[!&]//;
if ( $rest ) { if ( $rest ) {
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK; fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
@ -192,12 +192,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
} elsif ( $tccmd->{mask} ) { } elsif ( $tccmd->{mask} ) {
$mark = $tccmd->{mask}; $mark = $tccmd->{mask};
} }
last MARK; last MARK;
} }
} }
} }
validate_mark $mark; validate_mark $mark;
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes' fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
@ -215,11 +215,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
'' , '' ,
'' , '' ,
''; '';
progress_message " TC Rule \"$line\" $done"; progress_message " TC Rule \"$line\" $done";
} }
# #
# Perl version of Arn Bernin's 'tc4shorewall'. # Perl version of Arn Bernin's 'tc4shorewall'.
# #
@ -265,9 +265,8 @@ sub rate_to_kbit( $ ) {
sub calculate_quantum( $ ) { sub calculate_quantum( $ ) {
my $rate = rate_to_kbit $_[0]; my $rate = rate_to_kbit $_[0];
eval "int( ( $rate * 128 ) / $r2q )"; eval "int( ( $rate * 128 ) / $r2q )";
} }
sub validate_tc_device( $$$ ) { sub validate_tc_device( $$$ ) {
my ( $device, $inband, $outband ) = @_; my ( $device, $inband, $outband ) = @_;
@ -303,7 +302,7 @@ sub validate_tc_class( $$$$$$ ) {
'tos-maximize-reliability' => 'tos=0x04/0x04' , 'tos-maximize-reliability' => 'tos=0x04/0x04' ,
'tos-minimize-cost' => 'tos=0x02/0x02' , 'tos-minimize-cost' => 'tos=0x02/0x02' ,
'tos-normal-service' => 'tos=0x00/0x1e' ); 'tos-normal-service' => 'tos=0x00/0x1e' );
my $devref = $tcdevices{$device}; my $devref = $tcdevices{$device};
fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref; fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref;
my $full = rate_to_kbit $devref->{out_bandwidth}; my $full = rate_to_kbit $devref->{out_bandwidth};
@ -326,9 +325,9 @@ sub validate_tc_class( $$$$$$ ) {
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split /,/, "\L$options" ) { for my $option ( split /,/, "\L$options" ) {
my $optval = $tosoptions{$option}; my $optval = $tosoptions{$option};
$option = $optval if $optval; $option = $optval if $optval;
if ( $option eq 'default' ) { if ( $option eq 'default' ) {
fatal_error "Only one default class may be specified for device $device" if $devref->{default}; fatal_error "Only one default class may be specified for device $device" if $devref->{default};
$devref->{default} = $markval; $devref->{default} = $markval;
@ -347,7 +346,7 @@ sub validate_tc_class( $$$$$$ ) {
} }
push @tcclasses, "$device:$markval"; push @tcclasses, "$device:$markval";
} }
sub setup_traffic_shaping() { sub setup_traffic_shaping() {
if ( -s "$ENV{TMP_DIR}/tcdevices" ) { if ( -s "$ENV{TMP_DIR}/tcdevices" ) {
@ -364,7 +363,6 @@ sub setup_traffic_shaping() {
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-'; fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
validate_tc_device( $device, $inband, $outband ); validate_tc_device( $device, $inband, $outband );
} }
} }
close TD; close TD;
@ -378,10 +376,9 @@ sub setup_traffic_shaping() {
while ( $line = <TC> ) { while ( $line = <TC> ) {
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file'; my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
} }
} }
close TC; close TC;
@ -398,7 +395,7 @@ sub setup_traffic_shaping() {
fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark; fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark;
emit "if interface_is_usable $device; then"; emit "if interface_is_usable $device; then";
push_indent; push_indent;
emit "${dev}_exists=Yes"; emit "${dev}_exists=Yes";
@ -407,7 +404,7 @@ sub setup_traffic_shaping() {
emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}"; emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}";
emit "${dev}_mtu=\$(get_device_mtu $device)"; emit "${dev}_mtu=\$(get_device_mtu $device)";
emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu"; emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu";
my $inband = rate_to_kbit $devref->{in_bandwidth}; my $inband = rate_to_kbit $devref->{in_bandwidth};
if ( $inband ) { if ( $inband ) {
@ -451,7 +448,7 @@ sub setup_traffic_shaping() {
push_indent; push_indent;
$lastdevice = $device; $lastdevice = $device;
} }
emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum"; emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum";
emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum"; emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum";
emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10"; emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10";
@ -468,7 +465,7 @@ sub setup_traffic_shaping() {
# #
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
for my $tospair ( @{$tcref->{tos}} ) { for my $tospair ( @{$tcref->{tos}} ) {
my ( $tos, $mask ) = split q(/), $tospair; my ( $tos, $mask ) = split q(/), $tospair;
emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid"; emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
@ -477,7 +474,7 @@ sub setup_traffic_shaping() {
save_progress_message_short qq(" TC Class $class defined."); save_progress_message_short qq(" TC Class $class defined.");
emit ''; emit '';
} }
if ( $lastdevice ) { if ( $lastdevice ) {
pop_indent; pop_indent;
emit "fi\n"; emit "fi\n";
@ -495,7 +492,7 @@ sub setup_tc() {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost'; ensure_mangle_chain 'tcpost';
} }
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!"; open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
while ( $line = <TC> ) { while ( $line = <TC> ) {
@ -512,7 +509,7 @@ sub setup_tc() {
} else { } else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
} }
} }
close TC; close TC;
@ -523,7 +520,7 @@ sub setup_tc() {
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) { if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
$mark_part = '-m mark --mark 0/0xFF00'; $mark_part = '-m mark --mark 0/0xFF00';
for my $interface ( @routemarked_interfaces ) { for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
} }


@ -46,43 +46,43 @@ sub setup_tunnels() {
( $kind, my $qualifier ) = split /:/, $kind; ( $kind, my $qualifier ) = split /:/, $kind;
fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' ); fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' );
my $noah = $qualifier || ($kind ne 'ipsec' ); my $noah = $qualifier || ($kind ne 'ipsec' );
my $options = '-m $state --state NEW -j ACCEPT'; my $options = '-m $state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) { unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT"; add_rule $outchainref, "-p 51 $dest -j ACCEPT";
} }
add_rule $outchainref, "-p udp $dest --dport 500 $options"; add_rule $outchainref, "-p udp $dest --dport 500 $options";
if ( $kind eq 'ipsec' ) { if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport $options"; add_rule $inchainref, "-p udp $source --dport $options";
} else { } else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
} }
for my $zone ( split /,/, $gatewayzones ) { for my $zone ( split /,/, $gatewayzones ) {
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4'; fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) { unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) { unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT"; add_rule $outchainref, "-p 51 $dest -j ACCEPT";
} }
} }
if ( $kind eq 'ipsec' ) { if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options"; add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options"; add_rule $outchainref, "-p udp $dest --dport 500 $options";
@ -92,76 +92,76 @@ sub setup_tunnels() {
} }
} }
} }
sub setup_one_other { sub setup_one_other {
my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_; my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_;
add_rule $inchainref , "-p $protocol $source -j ACCEPT"; add_rule $inchainref , "-p $protocol $source -j ACCEPT";
add_rule $outchainref , "-p $protocol $dest -j ACCEPT"; add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
} }
sub setup_pptp_client { sub setup_pptp_client {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $outchainref, "-p 47 $dest -j ACCEPT"; add_rule $outchainref, "-p 47 $dest -j ACCEPT";
add_rule $inchainref, "-p 47 $source -j ACCEPT"; add_rule $inchainref, "-p 47 $source -j ACCEPT";
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT" add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
} }
sub setup_pptp_server { sub setup_pptp_server {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $inchainref, "-p 47 $dest -j ACCEPT"; add_rule $inchainref, "-p 47 $dest -j ACCEPT";
add_rule $outchainref, "-p 47 $source -j ACCEPT"; add_rule $outchainref, "-p 47 $source -j ACCEPT";
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT" add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
} }
sub setup_one_openvpn { sub setup_one_openvpn {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_; my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp'; my $protocol = 'udp';
my $port = 1194; my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind; ( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) { if ( $p ) {
$port = $p; $port = $p;
$protocol = $proto; $protocol = $proto;
} elsif ( $proto ) { } elsif ( $proto ) {
$port = $proto; $port = $proto;
} }
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
} }
sub setup_one_openvpn_client { sub setup_one_openvpn_client {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_; my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp'; my $protocol = 'udp';
my $port = 1194; my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind; ( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) { if ( $p ) {
$port = $p; $port = $p;
$protocol = $proto; $protocol = $proto;
} elsif ( $proto ) { } elsif ( $proto ) {
$port = $proto; $port = $proto;
} }
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT"; add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
} }
sub setup_one_openvpn_server { sub setup_one_openvpn_server {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_; my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp'; my $protocol = 'udp';
my $port = 1194; my $port = 1194;
( $kind, my ( $proto, $p ) ) = split /:/, $kind; ( $kind, my ( $proto, $p ) ) = split /:/, $kind;
if ( $p ) { if ( $p ) {
$port = $p; $port = $p;
$protocol = $proto; $protocol = $proto;
@ -175,10 +175,10 @@ sub setup_tunnels() {
sub setup_one_generic { sub setup_one_generic {
my ($inchainref, $outchainref, $kind, $source, $dest) = @_; my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
my $protocol = 'udp'; my $protocol = 'udp';
my $port = '--dport 5000'; my $port = '--dport 5000';
if ( $kind =~ /.*:.*:.*/ ) { if ( $kind =~ /.*:.*:.*/ ) {
( $kind, $protocol, $port) = split /:/, $kind; ( $kind, $protocol, $port) = split /:/, $kind;
$port = "--dport $port"; $port = "--dport $port";
@ -186,22 +186,22 @@ sub setup_tunnels() {
$port = ''; $port = '';
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/; ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
} }
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT"; add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT"; add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
} }
sub setup_one_tunnel($$$$) { sub setup_one_tunnel($$$$) {
my ( $kind , $zone, $gateway, $gatewayzones ) = @_; my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4'; fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
my $source = match_source_net $gateway; my $source = match_source_net $gateway;
my $dest = match_dest_net $gateway; my $dest = match_dest_net $gateway;
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } , my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } , 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } , 'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
@ -218,13 +218,13 @@ sub setup_tunnels() {
$kind = "\L$kind"; $kind = "\L$kind";
(my $type) = split /:/, $kind; (my $type) = split /:/, $kind;
my $tunnelref = $tunneltypes{ $type }; my $tunnelref = $tunneltypes{ $type };
fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref; fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref;
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} ); $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
progress_message " Tunnel \"$line\" $done"; progress_message " Tunnel \"$line\" $done";
} }
# #
@ -247,10 +247,10 @@ sub setup_tunnels() {
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
} }
} }
close TUNNELS; close TUNNELS;
$comment = ''; $comment = '';
} }
1; 1;
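Review bot: The rule emitted for plain `ipsec` tunnels in the first (non-gateway) branch is missing the IKE port: `add_rule $inchainref, "-p udp $source --dport $options";` places `$options` (which begins with `-m`) directly after `--dport`, so the generated rule would read `--dport -m $state --state NEW -j ACCEPT` and iptables would presumably reject it when the script runs, while the parallel gateway-zone branch further down correctly emits `--dport 500 $options`. The line should read `add_rule $inchainref, "-p udp $source --dport 500 $options";`. This commit only strips whitespace, so the defect predates it, but a filter rule that fails to load is a firewall-start failure and is worth fixing separately. The enclosing function (presumably setup_one_ipsec, per the dispatch table) starts before the first hunk, so I cannot see whether anything earlier in its body compensates.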


@ -34,7 +34,7 @@ our @EXPORT = qw( NOTHING
NETWORK NETWORK
IPSECPROTO IPSECPROTO
IPSECMODE IPSECMODE
determine_zones determine_zones
zone_report zone_report
dump_zone_contents dump_zone_contents
@ -147,17 +147,17 @@ sub parse_zone_option_list($)
$val = $2; $val = $2;
$e = $1; $e = $1;
} }
$fmt = $validoptions{$e}; $fmt = $validoptions{$e};
fatal_error "Invalid Option ($e)" unless $fmt; fatal_error "Invalid Option ($e)" unless $fmt;
if ( $fmt eq NOTHING ) { if ( $fmt eq NOTHING ) {
fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val; fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val;
} else { } else {
fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/; fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/;
} }
if ( $key{$e} ) { if ( $key{$e} ) {
$h{$e} = $val; $h{$e} = $val;
} else { } else {
@ -175,7 +175,7 @@ sub parse_zone_option_list($)
# #
# Parse the zones file. # Parse the zones file.
# #
sub determine_zones() sub determine_zones()
{ {
my @z; my @z;
@ -183,11 +183,11 @@ sub determine_zones()
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!"; open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
while ( $line = <ZONES> ) { while ( $line = <ZONES> ) {
my @parents; my @parents;
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file'; my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
if ( $zone =~ /(\w+):([\w,]+)/ ) { if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1; $zone = $1;
@parents = split ',', $2; @parents = split ',', $2;
@ -281,11 +281,11 @@ sub zone_report()
progress_message " $zone ($type)"; progress_message " $zone ($type)";
my $printed = 0; my $printed = 0;
if ( $hostref ) { if ( $hostref ) {
for my $type ( sort keys %$hostref ) { for my $type ( sort keys %$hostref ) {
my $interfaceref = $hostref->{$type}; my $interfaceref = $hostref->{$type};
for my $interface ( sort keys %$interfaceref ) { for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface}; my $arrayref = $interfaceref->{$interface};
for my $groupref ( @$arrayref ) { for my $groupref ( @$arrayref ) {
@ -300,7 +300,7 @@ sub zone_report()
} }
} }
} }
warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall'; warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall';
} }
} }
@ -319,7 +319,7 @@ sub dump_zone_contents()
if ( $hostref ) { if ( $hostref ) {
for my $type ( sort keys %$hostref ) { for my $type ( sort keys %$hostref ) {
my $interfaceref = $hostref->{$type}; my $interfaceref = $hostref->{$type};
for my $interface ( sort keys %$interfaceref ) { for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface}; my $arrayref = $interfaceref->{$interface};
for my $groupref ( @$arrayref ) { for my $groupref ( @$arrayref ) {
@ -336,12 +336,12 @@ sub dump_zone_contents()
if ( @$exclusions ) { if ( @$exclusions ) {
$entry .= ' exclude'; $entry .= ' exclude';
for my $host ( @$exclusions ) { for my $host ( @$exclusions ) {
$entry .= " $host"; $entry .= " $host";
} }
} }
emit_unindented $entry; emit_unindented $entry;
} }
} }


@ -58,11 +58,7 @@ use Shorewall::Accounting;
use Shorewall::Rules; use Shorewall::Rules;
use Shorewall::Proc; use Shorewall::Proc;
use Shorewall::Proxyarp; use Shorewall::Proxyarp;
#
# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode
# (it basically doesn't understand it at all and gets lost). So I use a number of rather
# awkward styles in place of 'here docs'.
#
sub generate_script_1 { sub generate_script_1 {
copy $env{SHAREDIRPL} . 'prog.header'; copy $env{SHAREDIRPL} . 'prog.header';
@ -75,9 +71,8 @@ sub generate_script_1 {
'CONFDIR=/etc/shorewall-lite', 'CONFDIR=/etc/shorewall-lite',
'VARDIR=/var/lib/shorewall-lite', 'VARDIR=/var/lib/shorewall-lite',
'PRODUCT="Shorewall Lite"' ); 'PRODUCT="Shorewall Lite"' );
copy "$env{SHAREDIR}/lib.base"; copy "$env{SHAREDIR}/lib.base";
emitj ( '################################################################################', emitj ( '################################################################################',
'# End of /usr/share/shorewall/lib.base', '# End of /usr/share/shorewall/lib.base',
'################################################################################' ); '################################################################################' );
@ -91,7 +86,7 @@ sub generate_script_1 {
emit 'TEMPFILE='; emit 'TEMPFILE=';
emit ''; emit '';
for my $exit qw/init start tcclear started stop stopped/ { for my $exit qw/init start tcclear started stop stopped/ {
emit "run_${exit}_exit() {"; emit "run_${exit}_exit() {";
push_indent; push_indent;
@ -100,12 +95,12 @@ sub generate_script_1 {
pop_indent; pop_indent;
emit "}\n"; emit "}\n";
} }
emit 'initialize()'; emit 'initialize()';
emit '{'; emit '{';
push_indent; push_indent;
if ( $ENV{EXPORT} ) { if ( $ENV{EXPORT} ) {
emitj ( '#', emitj ( '#',
'# These variables are required by the library functions called in this script', '# These variables are required by the library functions called in this script',
@ -128,7 +123,7 @@ sub generate_script_1 {
} }
propagateconfig; propagateconfig;
emitj ( '[ -n "${COMMAND:=restart}" ]', emitj ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${VERBOSE:=0}" ]', '[ -n "${VERBOSE:=0}" ]',
'[ -n "${RESTOREFILE:=$RESTOREFILE}" ]', '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]',
@ -136,7 +131,7 @@ sub generate_script_1 {
qq(VERSION="$env{VERSION}") , qq(VERSION="$env{VERSION}") ,
qq(PATH="$config{PATH}") , qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error' ); 'TERMINATOR=fatal_error' );
if ( $config{IPTABLES} ) { if ( $config{IPTABLES} ) {
emit "IPTABLES=\"$config{IPTABLES}\"\n"; emit "IPTABLES=\"$config{IPTABLES}\"\n";
emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\""; emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\"";
@ -155,16 +150,16 @@ sub generate_script_1 {
'# The library requires that ${VARDIR} exist', '# The library requires that ${VARDIR} exist',
'#', '#',
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' ); '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
pop_indent; pop_indent;
emit "}\n"; emit "}\n";
} }
sub compile_stop_firewall() { sub compile_stop_firewall() {
emit " emit <<EOF;
# #
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
# #
@ -213,7 +208,7 @@ stop_firewall() {
logger -p kern.err \"ERROR:\$PRODUCT restore failed\" logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
;; ;;
esac esac
if [ \"\$RESTOREFILE\" = NONE ]; then if [ \"\$RESTOREFILE\" = NONE ]; then
COMMAND=clear COMMAND=clear
clear_firewall clear_firewall
@ -302,20 +297,24 @@ stop_firewall() {
done done
fi fi
rm -f \${VARDIR}/proxyarp\n"; rm -f \${VARDIR}/proxyarp
EOF
emit ' delete_tc1' if $config{CLEAR_TC}; emit ' delete_tc1' if $config{CLEAR_TC};
emit ' undo_routing'; emit ' undo_routing';
emit ' restore_default_route'; emit ' restore_default_route';
my $criticalhosts = process_criticalhosts; my $criticalhosts = process_criticalhosts;
if ( @$criticalhosts ) { if ( @$criticalhosts ) {
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
emitj ( ' for chain in INPUT OUTPUT; do', emitj ( ' for chain in INPUT OUTPUT; do',
' setpolicy $chain ACCEPT', ' setpolicy $chain ACCEPT',
" done\n", ' done',
" setpolicy FORWARD DROP\n", '',
' setpolicy FORWARD DROP',
'',
' deleteallchains', ' deleteallchains',
'' ); '' );
@ -327,7 +326,7 @@ stop_firewall() {
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT"; emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"; emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
} }
emit " emit "
for chain in INPUT OUTPUT; do for chain in INPUT OUTPUT; do
setpolicy \$chain DROP setpolicy \$chain DROP
@ -412,12 +411,12 @@ stop_firewall() {
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward'; emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Disabled!'; emit 'progress_message2 IP Forwarding Disabled!';
} }
emit 'run_stopped_exit'; emit 'run_stopped_exit';
pop_indent; pop_indent;
emit " emit <<EOF;
set_state \"Stopped\" set_state \"Stopped\"
logger -p kern.info \"\$PRODUCT Stopped\" logger -p kern.info \"\$PRODUCT Stopped\"
@ -434,7 +433,9 @@ stop_firewall() {
kill \$\$ kill \$\$
;; ;;
esac esac
}\n"; }
EOF
} }
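Review bot: The two new `emit <<EOF;` heredocs in compile_stop_firewall are interpolating, so every shell `$` in the emitted script still has to be backslash-escaped (`\$PRODUCT`, `\${VARDIR}`, `kill \$\$`), and a single forgotten backslash on `$$` would silently embed the compiler's own PID into the generated stop_firewall rather than failing under strict; the `\"` escapes carried over from the old double-quoted strings are meanwhile no longer needed and only obscure the shell text. For the portions visible here the bodies contain no Perl-side variables at all, so a non-interpolating heredoc, `emit <<'EOF';`, would let the shell be written verbatim (`logger -p kern.err "ERROR:$PRODUCT restore failed"`, `kill $$`) and remove the escaping hazard entirely — but both heredocs are cut by hunk boundaries, so confirm nothing in the hidden middle needs Perl interpolation before switching. If interpolation is required, at least add a comment above each heredoc such as `# Body is shell: every $ must be escaped, or Perl will interpolate it at compile time` so the next edit does not trip over it.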