Much ado about nothing (extraneous whitespace removal)
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a8231a26b8
commit
85ad25cb68
@ -55,7 +55,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$chain = 'accounting' unless $chain and $chain ne '-';
|
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||||
|
|
||||||
my $chainref = ensure_filter_chain $chain , 0;
|
my $chainref = ensure_filter_chain $chain , 0;
|
||||||
|
|
||||||
my $target = '';
|
my $target = '';
|
||||||
@ -118,7 +118,7 @@ sub setup_accounting() {
|
|||||||
|
|
||||||
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
|
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
close ACC;
|
close ACC;
|
||||||
|
|
||||||
if ( $filter_table->{accounting} ) {
|
if ( $filter_table->{accounting} ) {
|
||||||
|
@ -41,7 +41,7 @@ our @EXPORT = qw( merge_levels
|
|||||||
process_actions1
|
process_actions1
|
||||||
process_actions2
|
process_actions2
|
||||||
process_actions3
|
process_actions3
|
||||||
|
|
||||||
%usedactions
|
%usedactions
|
||||||
%default_actions
|
%default_actions
|
||||||
%actions
|
%actions
|
||||||
@ -160,7 +160,7 @@ sub createlogactionchain( $$ ) {
|
|||||||
my $chainref;
|
my $chainref;
|
||||||
|
|
||||||
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
|
||||||
|
|
||||||
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
|
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
|
||||||
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
|
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
|
||||||
}
|
}
|
||||||
@ -237,7 +237,7 @@ sub find_logactionchain( $ ) {
|
|||||||
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
|
# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately
|
||||||
# by reading the action definition files and creating rules. Note that a given action definition file is
|
# by reading the action definition files and creating rules. Note that a given action definition file is
|
||||||
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
|
# processed once for each unique [:level[:tag]] applied to an invocation of the action.
|
||||||
#
|
#
|
||||||
sub process_actions1() {
|
sub process_actions1() {
|
||||||
|
|
||||||
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
|
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
|
||||||
@ -246,10 +246,10 @@ sub process_actions1() {
|
|||||||
|
|
||||||
for my $file qw/actions.std actions/ {
|
for my $file qw/actions.std actions/ {
|
||||||
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
|
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
|
||||||
|
|
||||||
while ( $line = <F> ) {
|
while ( $line = <F> ) {
|
||||||
my ( $action ) = split_line 1, 'action file';
|
my ( $action ) = split_line 1, 'action file';
|
||||||
|
|
||||||
if ( $action =~ /:/ ) {
|
if ( $action =~ /:/ ) {
|
||||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||||
$action =~ s/:.*$//;
|
$action =~ s/:.*$//;
|
||||||
@ -281,18 +281,18 @@ sub process_actions1() {
|
|||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
|
|
||||||
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
|
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
|
||||||
|
|
||||||
my ( $target, $level ) = split_action $wholetarget;
|
my ( $target, $level ) = split_action $wholetarget;
|
||||||
|
|
||||||
$level = 'none' unless $level;
|
$level = 'none' unless $level;
|
||||||
|
|
||||||
my $targettype = $targets{$target};
|
my $targettype = $targets{$target};
|
||||||
|
|
||||||
if ( defined $targettype ) {
|
if ( defined $targettype ) {
|
||||||
next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' );
|
next if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $target eq 'LOG' );
|
||||||
|
|
||||||
fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD;
|
fatal_error "Invalid TARGET ($target) in action rule \"$line\"" if $targettype & STANDARD;
|
||||||
|
|
||||||
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
add_requiredby $wholetarget, $action if $targettype & ACTION;
|
||||||
@ -303,14 +303,14 @@ sub process_actions1() {
|
|||||||
my $macrofile = $macros{$target};
|
my $macrofile = $macros{$target};
|
||||||
|
|
||||||
progress_message " ..Expanding Macro $macrofile...";
|
progress_message " ..Expanding Macro $macrofile...";
|
||||||
|
|
||||||
open M, $macrofile or fatal_error "Unable to open $macrofile: $!";
|
open M, $macrofile or fatal_error "Unable to open $macrofile: $!";
|
||||||
|
|
||||||
while ( $line = <M> ) {
|
while ( $line = <M> ) {
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
$mtarget =~ s/:.*$//;
|
$mtarget =~ s/:.*$//;
|
||||||
@ -324,7 +324,6 @@ sub process_actions1() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
progress_message " ..End Macro";
|
progress_message " ..End Macro";
|
||||||
|
|
||||||
close M;
|
close M;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid TARGET ($target) in rule \"$line\"";
|
fatal_error "Invalid TARGET ($target) in rule \"$line\"";
|
||||||
@ -359,10 +358,10 @@ sub process_actions2 () {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate chain for non-builtin action invocation
|
# Generate chain for non-builtin action invocation
|
||||||
#
|
#
|
||||||
sub process_action3( $$$$$ ) {
|
sub process_action3( $$$$$ ) {
|
||||||
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
|
my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
|
||||||
#
|
#
|
||||||
@ -370,9 +369,9 @@ sub process_action3( $$$$$ ) {
|
|||||||
#
|
#
|
||||||
sub process_action( $$$$$$$$$$ ) {
|
sub process_action( $$$$$$$$$$ ) {
|
||||||
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
|
||||||
|
|
||||||
my ( $action , $level ) = split_action $target;
|
my ( $action , $level ) = split_action $target;
|
||||||
|
|
||||||
expand_rule ( $chainref ,
|
expand_rule ( $chainref ,
|
||||||
NO_RESTRICT ,
|
NO_RESTRICT ,
|
||||||
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
|
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
|
||||||
@ -400,7 +399,7 @@ sub process_action3( $$$$$ ) {
|
|||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
|
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
|
||||||
|
|
||||||
my $target2 = merge_levels $wholeaction, $target;
|
my $target2 = merge_levels $wholeaction, $target;
|
||||||
@ -432,9 +431,9 @@ sub process_action3( $$$$$ ) {
|
|||||||
progress_message "..Expanding Macro $fn...";
|
progress_message "..Expanding Macro $fn...";
|
||||||
|
|
||||||
open M, $fn or fatal_error "Can't open $fn: $!";
|
open M, $fn or fatal_error "Can't open $fn: $!";
|
||||||
|
|
||||||
my $standard = ( $fn =~ /^($env{SHAREDIR})/ );
|
my $standard = ( $fn =~ /^($env{SHAREDIR})/ );
|
||||||
|
|
||||||
while ( $line = <M> ) {
|
while ( $line = <M> ) {
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
@ -442,7 +441,7 @@ sub process_action3( $$$$$ ) {
|
|||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||||
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
||||||
$mtarget = substitute_action $param, $mtarget;
|
$mtarget = substitute_action $param, $mtarget;
|
||||||
@ -461,7 +460,7 @@ sub process_action3( $$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$msource = '' if $msource eq '-';
|
$msource = '' if $msource eq '-';
|
||||||
|
|
||||||
if ( $mdest ) {
|
if ( $mdest ) {
|
||||||
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
||||||
$mdest = $dest || '';
|
$mdest = $dest || '';
|
||||||
@ -486,7 +485,7 @@ sub process_action3( $$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
close M;
|
close M;
|
||||||
|
|
||||||
progress_message '..End Macro'
|
progress_message '..End Macro'
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
@ -495,7 +494,7 @@ sub process_action3( $$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$comment = '';
|
$comment = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_actions3 () {
|
sub process_actions3 () {
|
||||||
#
|
#
|
||||||
@ -503,83 +502,83 @@ sub process_actions3 () {
|
|||||||
#
|
#
|
||||||
sub dropBcast( $$$ ) {
|
sub dropBcast( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
|
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
|
||||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
|
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowBcast( $$$ ) {
|
sub allowBcast( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
|
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
|
||||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
|
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub dropNotSyn ( $$$ ) {
|
sub dropNotSyn ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
|
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
|
||||||
add_rule $chainref , '-p tcp ! --syn -j DROP';
|
add_rule $chainref , '-p tcp ! --syn -j DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub rejNotSyn ( $$$ ) {
|
sub rejNotSyn ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
|
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
|
||||||
add_rule $chainref , '-p tcp ! --syn -j REJECT';
|
add_rule $chainref , '-p tcp ! --syn -j REJECT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub dropInvalid ( $$$ ) {
|
sub dropInvalid ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
|
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
|
||||||
add_rule $chainref , '-m state --state INVALID -j REJECT';
|
add_rule $chainref , '-m state --state INVALID -j REJECT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowInvalid ( $$$ ) {
|
sub allowInvalid ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
|
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
|
||||||
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub forwardUPnP ( $$$ ) {
|
sub forwardUPnP ( $$$ ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowinUPnP ( $$$ ) {
|
sub allowinUPnP ( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
|
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
|
||||||
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
|
log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
|
add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
|
||||||
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
|
add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub Limit( $$$ ) {
|
sub Limit( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
my @tag = split /,/, $tag;
|
my @tag = split /,/, $tag;
|
||||||
|
|
||||||
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
|
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag' unless @tag == 3;
|
||||||
|
|
||||||
my $set = $tag[0];
|
my $set = $tag[0];
|
||||||
my $count = $tag[1] + 1;
|
my $count = $tag[1] + 1;
|
||||||
|
|
||||||
add_rule $chainref, "-m recent --name $set --set";
|
add_rule $chainref, "-m recent --name $set --set";
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||||
@ -588,7 +587,7 @@ sub process_actions3 () {
|
|||||||
} else {
|
} else {
|
||||||
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-j ACCEPT';
|
add_rule $chainref, '-j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -609,14 +608,14 @@ sub process_actions3 () {
|
|||||||
|
|
||||||
$level = '' unless defined $level;
|
$level = '' unless defined $level;
|
||||||
$tag = '' unless defined $tag;
|
$tag = '' unless defined $tag;
|
||||||
|
|
||||||
if ( $targets{$action} & BUILTIN ) {
|
if ( $targets{$action} & BUILTIN ) {
|
||||||
$level = '' if $level =~ /none!?/;
|
$level = '' if $level =~ /none!?/;
|
||||||
$builtinops{$action}->($chainref, $level, $tag);
|
$builtinops{$action}->($chainref, $level, $tag);
|
||||||
} else {
|
} else {
|
||||||
process_action3 $chainref, $wholeaction, $action, $level, $tag;
|
process_action3 $chainref, $wholeaction, $action, $level, $tag;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
@ -47,7 +47,7 @@ our @EXPORT = qw( STANDARD
|
|||||||
OUTPUT_RESTRICT
|
OUTPUT_RESTRICT
|
||||||
POSTROUTE_RESTRICT
|
POSTROUTE_RESTRICT
|
||||||
ALL_RESTRICT
|
ALL_RESTRICT
|
||||||
|
|
||||||
add_command
|
add_command
|
||||||
add_rule
|
add_rule
|
||||||
insert_rule
|
insert_rule
|
||||||
@ -99,7 +99,7 @@ our @EXPORT = qw( STANDARD
|
|||||||
addnatjump
|
addnatjump
|
||||||
insertnatjump
|
insertnatjump
|
||||||
create_netfilter_load
|
create_netfilter_load
|
||||||
|
|
||||||
@policy_chains
|
@policy_chains
|
||||||
%chain_table
|
%chain_table
|
||||||
$nat_table
|
$nat_table
|
||||||
@ -249,7 +249,7 @@ my $loopcount = 0;
|
|||||||
sub add_command($$)
|
sub add_command($$)
|
||||||
{
|
{
|
||||||
my ($chainref, $command) = @_;
|
my ($chainref, $command) = @_;
|
||||||
|
|
||||||
push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command );
|
push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command );
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
@ -265,7 +265,7 @@ sub add_command($$)
|
|||||||
sub add_rule($$)
|
sub add_rule($$)
|
||||||
{
|
{
|
||||||
my ($chainref, $rule) = @_;
|
my ($chainref, $rule) = @_;
|
||||||
|
|
||||||
$rule .= " -m comment --comment \"$comment\"" if $comment;
|
$rule .= " -m comment --comment \"$comment\"" if $comment;
|
||||||
|
|
||||||
if ( $loopcount ) {
|
if ( $loopcount ) {
|
||||||
@ -289,13 +289,13 @@ sub insert_rule($$$)
|
|||||||
my ($chainref, $number, $rule) = @_;
|
my ($chainref, $number, $rule) = @_;
|
||||||
|
|
||||||
fatal_error 'Internal Error in insert_rule()' if $loopcount;
|
fatal_error 'Internal Error in insert_rule()' if $loopcount;
|
||||||
|
|
||||||
$rule .= "-m comment --comment \"$comment\"" if $comment;
|
$rule .= "-m comment --comment \"$comment\"" if $comment;
|
||||||
|
|
||||||
splice @{$chainref->{rules}}, $number - 1, 0, $rule;
|
splice @{$chainref->{rules}}, $number - 1, 0, $rule;
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
|
|
||||||
$iprangematch = 0;
|
$iprangematch = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -429,7 +429,7 @@ sub new_chain($$)
|
|||||||
my ($table, $chain) = @_;
|
my ($table, $chain) = @_;
|
||||||
my %ch;
|
my %ch;
|
||||||
my @rules;
|
my @rules;
|
||||||
|
|
||||||
$ch{name} = $chain;
|
$ch{name} = $chain;
|
||||||
$ch{log} = 1 if $env{LOGRULENUMBERS};
|
$ch{log} = 1 if $env{LOGRULENUMBERS};
|
||||||
$ch{rules} = \@rules;
|
$ch{rules} = \@rules;
|
||||||
@ -456,7 +456,7 @@ sub ensure_chain($$)
|
|||||||
my ($table, $chain) = @_;
|
my ($table, $chain) = @_;
|
||||||
|
|
||||||
my $ref = $chain_table{$table}{$chain};
|
my $ref = $chain_table{$table}{$chain};
|
||||||
|
|
||||||
return $ref if $ref;
|
return $ref if $ref;
|
||||||
|
|
||||||
new_chain $table, $chain;
|
new_chain $table, $chain;
|
||||||
@ -484,7 +484,7 @@ sub ensure_filter_chain( $$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -492,7 +492,7 @@ sub ensure_mangle_chain($) {
|
|||||||
my $chain = $_[0];
|
my $chain = $_[0];
|
||||||
|
|
||||||
my $chainref = ensure_chain 'mangle', $chain;
|
my $chainref = ensure_chain 'mangle', $chain;
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
@ -504,7 +504,7 @@ sub ensure_mangle_chain($) {
|
|||||||
sub new_builtin_chain($$$)
|
sub new_builtin_chain($$$)
|
||||||
{
|
{
|
||||||
my ( $table, $chain, $policy ) = @_;
|
my ( $table, $chain, $policy ) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain $table, $chain;
|
my $chainref = new_chain $table, $chain;
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref->{policy} = $policy;
|
$chainref->{policy} = $policy;
|
||||||
@ -515,7 +515,7 @@ sub new_standard_chain($) {
|
|||||||
my $chainref = new_chain 'filter' ,$_[0];
|
my $chainref = new_chain 'filter' ,$_[0];
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add all builtin chains to the chain table
|
# Add all builtin chains to the chain table
|
||||||
@ -538,7 +538,7 @@ sub initialize_chain_table()
|
|||||||
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
|
for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
|
||||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||||
for my $chain qw/ FORWARD POSTROUTING / {
|
for my $chain qw/ FORWARD POSTROUTING / {
|
||||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
||||||
@ -554,7 +554,7 @@ sub finish_chain_section ($$) {
|
|||||||
my $chain = $chainref->{name};
|
my $chain = $chainref->{name};
|
||||||
|
|
||||||
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||||
|
|
||||||
if ($sections{RELATED} ) {
|
if ($sections{RELATED} ) {
|
||||||
if ( $chainref->{is_policy} ) {
|
if ( $chainref->{is_policy} ) {
|
||||||
if ( $chainref->{synparams} ) {
|
if ( $chainref->{synparams} ) {
|
||||||
@ -575,7 +575,7 @@ sub finish_chain_section ($$) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Do section-end processing
|
# Do section-end processing
|
||||||
@ -610,7 +610,7 @@ sub do_proto( $$$ )
|
|||||||
my ($proto, $ports, $sports ) = @_;
|
my ($proto, $ports, $sports ) = @_;
|
||||||
|
|
||||||
my $output = '';
|
my $output = '';
|
||||||
|
|
||||||
$proto = '' if $proto eq '-';
|
$proto = '' if $proto eq '-';
|
||||||
$ports = '' if $ports eq '-';
|
$ports = '' if $ports eq '-';
|
||||||
$sports = '' if $sports eq '-';
|
$sports = '' if $sports eq '-';
|
||||||
@ -624,14 +624,14 @@ sub do_proto( $$$ )
|
|||||||
|
|
||||||
if ( $count > 1 ) {
|
if ( $count > 1 ) {
|
||||||
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
|
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
|
||||||
|
|
||||||
for my $port ( @ports ) {
|
for my $port ( @ports ) {
|
||||||
if ( $port =~ /:/ ) {
|
if ( $port =~ /:/ ) {
|
||||||
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
|
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
|
||||||
$count++;
|
$count++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Too many entries in port list: $ports" if $count > 15;
|
fatal_error "Too many entries in port list: $ports" if $count > 15;
|
||||||
|
|
||||||
$output .= "-m multiport --dports $ports ";
|
$output .= "-m multiport --dports $ports ";
|
||||||
@ -639,21 +639,21 @@ sub do_proto( $$$ )
|
|||||||
$output .= "--dport $ports ";
|
$output .= "--dport $ports ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $sports ) {
|
if ( $sports ) {
|
||||||
my @ports = split /,/, $sports;
|
my @ports = split /,/, $sports;
|
||||||
my $count = @ports;
|
my $count = @ports;
|
||||||
|
|
||||||
if ( $count > 1 ) {
|
if ( $count > 1 ) {
|
||||||
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
|
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
|
||||||
|
|
||||||
for my $port ( @ports ) {
|
for my $port ( @ports ) {
|
||||||
if ( $port =~ /:/ ) {
|
if ( $port =~ /:/ ) {
|
||||||
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT};
|
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $sports" unless $capabilities{XMULTIPORT};
|
||||||
$count++;
|
$count++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Too many entries in port list: $sports" if $count > 15;
|
fatal_error "Too many entries in port list: $sports" if $count > 15;
|
||||||
|
|
||||||
$output .= "-m multiport --sports $sports ";
|
$output .= "-m multiport --sports $sports ";
|
||||||
@ -726,17 +726,17 @@ sub validate_mark( $ ) {
|
|||||||
sub do_test ( $$ )
|
sub do_test ( $$ )
|
||||||
{
|
{
|
||||||
my ($testval, $mask) = @_;
|
my ($testval, $mask) = @_;
|
||||||
|
|
||||||
return '' unless $testval and $testval ne '-';
|
return '' unless $testval and $testval ne '-';
|
||||||
|
|
||||||
my $invert = $testval =~ s/^!// ? '! ' : '';
|
my $invert = $testval =~ s/^!// ? '! ' : '';
|
||||||
my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark ';
|
my $match = $testval =~ s/:C$// ? '-m connmark ' : '-m mark ';
|
||||||
|
|
||||||
$testval .= '/0xFF' unless ( $testval =~ '/' );
|
$testval .= '/0xFF' unless ( $testval =~ '/' );
|
||||||
|
|
||||||
"${invert}$match $testval ";
|
"${invert}$match $testval ";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create a "-m limit" match for the passed LIMIT/BURST
|
# Create a "-m limit" match for the passed LIMIT/BURST
|
||||||
@ -745,7 +745,7 @@ sub do_ratelimit( $ ) {
|
|||||||
my $rate = $_[0];
|
my $rate = $_[0];
|
||||||
|
|
||||||
return '' unless $rate and $rate ne '-';
|
return '' unless $rate and $rate ne '-';
|
||||||
|
|
||||||
if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
|
if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
|
||||||
"-m limit --limit $1 --limit-burst $2 ";
|
"-m limit --limit $1 --limit-burst $2 ";
|
||||||
} else {
|
} else {
|
||||||
@ -769,7 +769,7 @@ sub do_user( $ ) {
|
|||||||
$rule .= "--cmd-owner $2 " if $2;
|
$rule .= "--cmd-owner $2 " if $2;
|
||||||
$user = $1;
|
$user = $1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $user =~ /^!(.*):(.*)$/ ) {
|
if ( $user =~ /^!(.*):(.*)$/ ) {
|
||||||
$rule .= "! --uid-owner $1 " if $1;
|
$rule .= "! --uid-owner $1 " if $1;
|
||||||
$rule .= "! --gid-owner $2 " if $2;
|
$rule .= "! --gid-owner $2 " if $2;
|
||||||
@ -790,10 +790,10 @@ sub do_user( $ ) {
|
|||||||
#
|
#
|
||||||
sub do_tos( $ ) {
|
sub do_tos( $ ) {
|
||||||
my $tos = $_[0];
|
my $tos = $_[0];
|
||||||
|
|
||||||
$tos ne '-' ? "-m tos --tos $tos " : '';
|
$tos ne '-' ? "-m tos --tos $tos " : '';
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Avoid generating a second '-m iprange' in a single rule.
|
# Avoid generating a second '-m iprange' in a single rule.
|
||||||
#
|
#
|
||||||
@ -825,7 +825,7 @@ sub get_set_flags( $$ ) {
|
|||||||
$setname = $1;
|
$setname = $1;
|
||||||
$options = $2;
|
$options = $2;
|
||||||
}
|
}
|
||||||
|
|
||||||
$setname =~ s/^\+//;
|
$setname =~ s/^\+//;
|
||||||
|
|
||||||
"--set $setname $options"
|
"--set $setname $options"
|
||||||
@ -836,7 +836,7 @@ sub get_set_flags( $$ ) {
|
|||||||
#
|
#
|
||||||
sub match_source_net( $ ) {
|
sub match_source_net( $ ) {
|
||||||
my $net = $_[0];
|
my $net = $_[0];
|
||||||
|
|
||||||
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
|
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
|
||||||
$net =~ s/!// if my $invert = $1 ? '! ' : '';
|
$net =~ s/!// if my $invert = $1 ? '! ' : '';
|
||||||
|
|
||||||
@ -859,7 +859,7 @@ sub match_source_net( $ ) {
|
|||||||
#
|
#
|
||||||
sub match_dest_net( $ ) {
|
sub match_dest_net( $ ) {
|
||||||
my $net = $_[0];
|
my $net = $_[0];
|
||||||
|
|
||||||
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
|
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
|
||||||
$net =~ s/!// if my $invert = $1 ? '! ' : '';
|
$net =~ s/!// if my $invert = $1 ? '! ' : '';
|
||||||
|
|
||||||
@ -881,7 +881,7 @@ sub match_orig_dest ( $ ) {
|
|||||||
my $net = $_[0];
|
my $net = $_[0];
|
||||||
|
|
||||||
return '' if $net eq ALLIPv4;
|
return '' if $net eq ALLIPv4;
|
||||||
|
|
||||||
if ( $net =~ /^!/ ) {
|
if ( $net =~ /^!/ ) {
|
||||||
$net =~ s/!//;
|
$net =~ s/!//;
|
||||||
"-m conntrack --ctorigdst ! $net ";
|
"-m conntrack --ctorigdst ! $net ";
|
||||||
@ -908,7 +908,7 @@ sub match_ipsec_in( $$ ) {
|
|||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Match Dest IPSEC
|
# Match Dest IPSEC
|
||||||
#
|
#
|
||||||
@ -926,7 +926,7 @@ sub match_ipsec_out( $$ ) {
|
|||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate a log message
|
# Generate a log message
|
||||||
#
|
#
|
||||||
@ -999,7 +999,7 @@ sub mysplit( $ ) {
|
|||||||
|
|
||||||
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
||||||
}
|
}
|
||||||
|
|
||||||
push @result, $element;
|
push @result, $element;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1027,7 +1027,7 @@ sub get_interface_address ( $ ) {
|
|||||||
|
|
||||||
$interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)";
|
$interfaceaddrs{$interface} = interface_address( $interface ) . "=\$(find_first_interface_address $interface)";
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
|
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
|
||||||
#
|
#
|
||||||
@ -1043,7 +1043,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
|
|
||||||
if ( $loglevel ) {
|
if ( $loglevel ) {
|
||||||
( $loglevel, $logtag ) = split /:/, $loglevel;
|
( $loglevel, $logtag ) = split /:/, $loglevel;
|
||||||
|
|
||||||
if ( $loglevel =~ /^none!?$/i ) {
|
if ( $loglevel =~ /^none!?$/i ) {
|
||||||
return if $disposition eq 'LOG';
|
return if $disposition eq 'LOG';
|
||||||
$loglevel = $logtag = '';
|
$loglevel = $logtag = '';
|
||||||
@ -1106,7 +1106,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( @interfaces > 1 ) {
if ( @interfaces > 1 ) {
add_command $chainref, 'addresses=';
add_command $chainref, 'addresses=';
for my $interface ( @interfaces ) {
for my $interface ( @interfaces ) {
get_interface_address $interface;
get_interface_address $interface;
add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' );
@ -1152,11 +1152,11 @@ sub expand_rule( $$$$$$$$$$ )
if $restriction & INPUT_RESTRICT;
if $restriction & INPUT_RESTRICT;
$rule .= "-o $diface ";
$rule .= "-o $diface ";
}
}
}
}
if ( $origdest ) {
if ( $origdest ) {
if ( $origdest eq '-' ) {
if ( $origdest eq '-' ) {
$origdest = '';
$origdest = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
#
#
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -1256,7 +1256,7 @@ sub expand_rule( $$$$$$$$$$ )
# We have non-trivial exclusion -- need to create an exclusion chain
# We have non-trivial exclusion -- need to create an exclusion chain
#
#
my $echain = newexclusionchain;
my $echain = newexclusionchain;
#
#
# Use the current rule and sent all possible matches to the exclusion chain
# Use the current rule and sent all possible matches to the exclusion chain
#
#
@ -1275,7 +1275,7 @@ sub expand_rule( $$$$$$$$$$ )
#
#
$inets = ALLIPv4;
$inets = ALLIPv4;
$dnets = ALLIPv4;
$dnets = ALLIPv4;
#
#
# Create the Exclusion Chain
# Create the Exclusion Chain
#
#
@ -1347,7 +1347,7 @@ sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my ( $source , $dest, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) {
if ( $destref->{referenced} ) {
add_rule $nat_table->{$source} , $predicates . "-j $dest";
add_rule $nat_table->{$source} , $predicates . "-j $dest";
} else {
} else {
@ -1359,9 +1359,9 @@ sub addnatjump( $$$ ) {
#
#
sub insertnatjump( $$$$ ) {
sub insertnatjump( $$$$ ) {
my ( $source, $dest, $countref, $predicates ) = @_;
my ( $source, $dest, $countref, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
my $destref = $nat_table->{$dest} || {};
if ( $destref->{referenced} ) {
if ( $destref->{referenced} ) {
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest";
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest";
} else {
} else {
@ -1406,7 +1406,7 @@ sub emitr( $ ) {
}
}
sub create_netfilter_load() {
sub create_netfilter_load() {
emit 'setup_netfilter()';
emit 'setup_netfilter()';
emit '{';
emit '{';
push_indent;
push_indent;
@ -1430,9 +1430,9 @@ sub create_netfilter_load() {
for my $table qw/raw nat mangle filter/ {
for my $table qw/raw nat mangle filter/ {
emitr "*$table";
emitr "*$table";
my @chains;
my @chains;
for my $chain ( @builtins ) {
for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain};
my $chainref = $chain_table{$table}{$chain};
if ( $chainref ) {
if ( $chainref ) {
@ -1479,5 +1479,5 @@ sub create_netfilter_load() {
emit "}\n";
emit "}\n";
}
}
1;
1;
@ -52,7 +52,7 @@ our @EXPORT = qw(ALLIPv4
copy1
copy1
create_temp_aux_config
create_temp_aux_config
finalize_aux_config
finalize_aux_config
@allipv4
@allipv4
@rfc1918_networks
@rfc1918_networks
$line
$line
@ -111,20 +111,20 @@ sub split_line( $$ ) {
my ( $columns, $description ) = @_;
my ( $columns, $description ) = @_;
chomp $line;
chomp $line;
$line =~ s/\s+/ /g;
$line =~ s/\s+/ /g;
my @line = split /\s+/, $line;
my @line = split /\s+/, $line;
return @line if $line[0] eq 'COMMENT';
return @line if $line[0] eq 'COMMENT';
fatal_error "Invalid $description entry: $line" if @line > $columns;
fatal_error "Invalid $description entry: $line" if @line > $columns;
push @line, '-' while @line < $columns;
push @line, '-' while @line < $columns;
@line;
@line;
}
}
sub create_temp_object( $ ) {
sub create_temp_object( $ ) {
my $objectfile = $_[0];
my $objectfile = $_[0];
my $suffix;
my $suffix;
@ -174,7 +174,7 @@ sub emit ( $ ) {
print $object "$line\n";
print $object "$line\n";
$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
} else {
} else {
print $object "\n" unless $lastlineblank;
print $object "\n" unless $lastlineblank;
$lastlineblank = 1;
$lastlineblank = 1;
}
}
}
}
@ -188,7 +188,7 @@ sub emitj {
for ( @_ ) { emit $_ };
for ( @_ ) { emit $_ };
}
}
}
}
#
#
# Write passed message to the object with no indentation.
# Write passed message to the object with no indentation.
@ -261,14 +261,14 @@ sub pop_indent() {
sub copy( $ ) {
sub copy( $ ) {
if ( $object ) {
if ( $object ) {
my $file = $_[0];
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
open IF , $file or fatal_error "Unable to open $file: $!";
while ( my $line = <IF> ) {
while ( my $line = <IF> ) {
$line =~ s/^/$indent/ if $indent;
$line =~ s/^/$indent/ if $indent;
print $object $line;
print $object $line;
}
}
close IF;
close IF;
}
}
}
}
@ -276,9 +276,9 @@ sub copy( $ ) {
sub copy1( $ ) {
sub copy1( $ ) {
if ( $object ) {
if ( $object ) {
my $file = $_[0];
my $file = $_[0];
open IF , $file or fatal_error "Unable to open $file: $!";
open IF , $file or fatal_error "Unable to open $file: $!";
my $do_indent = 1;
my $do_indent = 1;
while ( my $line = <IF> ) {
while ( my $line = <IF> ) {
@ -287,12 +287,12 @@ sub copy1( $ ) {
$do_indent = 1;
$do_indent = 1;
next;
next;
}
}
$line =~ s/^/$indent/ if $indent && $do_indent;
$line =~ s/^/$indent/ if $indent && $do_indent;
print $object $line;
print $object $line;
$do_indent = ! ( $line =~ /\\$/ );
$do_indent = ! ( $line =~ /\\$/ );
}
}
close IF;
close IF;
}
}
}
}
@ -321,6 +321,6 @@ END {
}
}
system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR};
system "rm -rf $ENV{TMP_DIR}" if $ENV{TMP_DIR};
}
}
1;
1;
@ -243,9 +243,9 @@ sub report_capabilities() {
print " $capdesc{$cap}: ";
print " $capdesc{$cap}: ";
print $capabilities{$cap} ? "Available\n" : "Not Available\n";
print $capabilities{$cap} ? "Available\n" : "Not Available\n";
}
}
print "Shorewall has detected the following capabilities:\n";
print "Shorewall has detected the following capabilities:\n";
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
report_capability $cap;
report_capability $cap;
}
}
@ -373,7 +373,7 @@ sub get_configuration() {
default_yes_no 'BRIDGING' , '';
default_yes_no 'BRIDGING' , '';
fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING};
fatal_error 'BRIDGING=Yes is not supported by Shorewall-pl' . $env{VERSION} if $config{BRIDGING};
default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , '';
default_yes_no 'DELAYBLACKLISTLOAD' , '';
default_yes_no 'LOGTAGONLY' , '';
default_yes_no 'LOGTAGONLY' , '';
@ -397,7 +397,7 @@ sub get_configuration() {
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP';
default 'BLACKLIST_DISPOSITION' , 'DROP';
my $val;
my $val;
$env{MACLIST_TARGET} = 'reject';
$env{MACLIST_TARGET} = 'reject';
@ -415,7 +415,7 @@ sub get_configuration() {
} else {
} else {
$config{MACLIST_DISPOSITION} = 'REJECT';
$config{MACLIST_DISPOSITION} = 'REJECT';
}
}
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) {
if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT';
@ -431,7 +431,7 @@ sub get_configuration() {
} else {
} else {
$config{TCP_FLAGS_DISPOSITION} = 'DROP';
$config{TCP_FLAGS_DISPOSITION} = 'DROP';
}
}
$env{TC_SCRIPT} = '';
$env{TC_SCRIPT} = '';
if ( $val = "\L$config{TC_ENABLED}" ) {
if ( $val = "\L$config{TC_ENABLED}" ) {
@ -451,7 +451,7 @@ sub get_configuration() {
default 'ACCEPT_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none';
default 'OPTIMIZE' , 0;
default 'OPTIMIZE' , 0;
default 'IPSECFILE' , 'ipsec';
default 'IPSECFILE' , 'ipsec';
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT ACCEPT_DEFAULT/ {
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
}
}
@ -477,7 +477,7 @@ sub get_configuration() {
};
};
fatal_error "Invalid LOGFORMAT ($val)" if $@;
fatal_error "Invalid LOGFORMAT ($val)" if $@;
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
if length $result > 29;
if length $result > 29;
@ -514,7 +514,7 @@ sub propagateconfig() {
my $value = $config{$option} || '';
my $value = $config{$option} || '';
emit "$option=\"$value\"";
emit "$option=\"$value\"";
}
}
for my $option ( @Shorewall::Config::propagateenv ) {
for my $option ( @Shorewall::Config::propagateenv ) {
my $value = $env{$option} || '';
my $value = $env{$option} || '';
emit "$option=\"$value\"";
emit "$option=\"$value\"";
@ -529,7 +529,7 @@ sub append_file( $ ) {
save_progress_message "Processing $user_exit ...";
save_progress_message "Processing $user_exit ...";
copy1 $user_exit;
copy1 $user_exit;
}
}
}
}
}
}
#
#
@ -570,7 +570,7 @@ sub generate_aux_config() {
create_temp_aux_config;
create_temp_aux_config;
emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" );
emit( "#\n# Shorewall auxiliary configuration file created by Shorewall-pl version " . $env{VERSION} . ' - ' . ( localtime ) . "\n#" );
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK RESTOREFILE SAVE_IPSETS) {
conditionally_add_option $option;
conditionally_add_option $option;
}
}
@ -45,7 +45,7 @@ sub validate_hosts_file()
maclist => 1,
maclist => 1,
norfc1918 => 1,
norfc1918 => 1,
nosmurfs => 1,
nosmurfs => 1,
routeback => 1,
routeback => 1,
routefilter => 1,
routefilter => 1,
tcpflags => 1,
tcpflags => 1,
);
);
@ -76,7 +76,7 @@ sub validate_hosts_file()
}
}
my $optionsref;
my $optionsref;
if ( $options ne '-' ) {
if ( $options ne '-' ) {
my @options = split ',', $options;
my @options = split ',', $options;
my %options;
my %options;
@ -52,7 +52,7 @@ sub decodeaddr( $ ) {
my @address = split /\./, $address;
my @address = split /\./, $address;
my $result = shift @address;
my $result = shift @address;
for my $a ( @address ) {
for my $a ( @address ) {
$result = ( $result << 8 ) | $a;
$result = ( $result << 8 ) | $a;
}
}
@ -84,10 +84,10 @@ sub ip_range_explicit( $ ) {
if ( defined $high ) {
if ( defined $high ) {
fatal_error "Invalid IP address ( $high )" unless valid_address $high;
fatal_error "Invalid IP address ( $high )" unless valid_address $high;
my $first = decodeaddr $low;
my $first = decodeaddr $low;
my $last = decodeaddr $high;
my $last = decodeaddr $high;
fatal_error "Invalid IP Range ( $range )" unless $first <= $last;
fatal_error "Invalid IP Range ( $range )" unless $first <= $last;
while ( ++$first <= $last ) {
while ( ++$first <= $last ) {
@ -87,7 +87,7 @@ sub add_group_to_zone($$$$$)
$ifacezone = $zone if $host eq ALLIPv4;
$ifacezone = $zone if $host eq ALLIPv4;
}
}
}
}
push @$new, $switched ? "$interface:$host" : $host;
push @$new, $switched ? "$interface:$host" : $host;
}
}
@ -111,7 +111,8 @@ sub add_group_to_zone($$$$$)
#
#
# Parse the interfaces file.
# Parse the interfaces file.
#
#
sub validate_interfaces_file()
sub validate_interfaces_file()
{
{
my %validoptions = (arp_filter => 1,
my %validoptions = (arp_filter => 1,
@ -124,7 +125,7 @@ sub validate_interfaces_file()
norfc1918 => 1,
norfc1918 => 1,
nosmurfs => 1,
nosmurfs => 1,
proxyarp => 1,
proxyarp => 1,
routeback => 1,
routeback => 1,
routefilter => 1,
routefilter => 1,
sourceroute => 1,
sourceroute => 1,
tcpflags => 1,
tcpflags => 1,
@ -188,13 +189,13 @@ sub validate_interfaces_file()
push @interfaces, $interface;
push @interfaces, $interface;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@allipv4, $optionsref ) if $zone;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$line\" Validated";
progress_message " Interface \"$line\" Validated";
}
}
close INTERFACES;
close INTERFACES;
}
}
@ -59,7 +59,7 @@ sub find_macro( $ )
$macros{$macro} = $macrofile;
$macros{$macro} = $macrofile;
$targets{$macro} = MACRO;
$targets{$macro} = MACRO;
}
}
}
}
#
#
# Macro and action files can have shell variables embedded. This function expands them from %ENV.
# Macro and action files can have shell variables embedded. This function expands them from %ENV.
@ -67,7 +67,7 @@ sub find_macro( $ )
sub expand_shell_variables( $ ) {
sub expand_shell_variables( $ ) {
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
}
}
#
#
# Return ( action, level[:tag] ) from passed full action
# Return ( action, level[:tag] ) from passed full action
#
#
@ -112,7 +112,7 @@ sub merge_macro_source_dest( $$ ) {
return "$invocation:$body";
return "$invocation:$body";
}
}
}
}
$body || '';
$body || '';
}
}
@ -142,7 +142,7 @@ sub setup_one_masq($$$$$$)
if ( $2 =~ /\./ ) {
if ( $2 =~ /\./ ) {
$fullinterface = $one;
$fullinterface = $one;
$destnets = $two;
$destnets = $two;
}
}
}
}
#
#
@ -162,7 +162,7 @@ sub setup_one_masq($$$$$$)
# Handle Protocol and Ports
# Handle Protocol and Ports
#
#
$rule .= do_proto $proto, $ports, '';
$rule .= do_proto $proto, $ports, '';
my $detectaddress = 0;
my $detectaddress = 0;
#
#
# Parse the ADDRESSES column
# Parse the ADDRESSES column
@ -232,7 +232,7 @@ sub setup_one_masq($$$$$$)
}
}
progress_message " Masq record \"$line\" $done";
progress_message " Masq record \"$line\" $done";
}
}
#
#
@ -294,7 +294,7 @@ sub do_one_nat( $$$$$ )
sub add_nat_rule( $$ ) {
sub add_nat_rule( $$ ) {
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
}
}
my $add_ip_aliases = $config{ADD_IP_ALIASES};
my $add_ip_aliases = $config{ADD_IP_ALIASES};
my $policyin = '';
my $policyin = '';
@ -320,7 +320,7 @@ sub do_one_nat( $$$$$ )
validate_nat_column 'ALL INTERFACES', \$allints;
validate_nat_column 'ALL INTERFACES', \$allints;
validate_nat_column 'LOCAL' , \$localnat;
validate_nat_column 'LOCAL' , \$localnat;
if ( $allints ) {
if ( $allints ) {
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
@ -328,7 +328,7 @@ sub do_one_nat( $$$$$ )
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
}
}
add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat;
add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat;
if ( $add_ip_aliases ) {
if ( $add_ip_aliases ) {
@ -345,7 +345,7 @@ sub do_one_nat( $$$$$ )
# Process NAT file
# Process NAT file
#
#
sub setup_nat() {
sub setup_nat() {
open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!";
open NAT, "$ENV{TMP_DIR}/nat" or fatal_error "Unable to open stripped nat file: $!";
while ( $line = <NAT> ) {
while ( $line = <NAT> ) {
@ -362,7 +362,7 @@ sub setup_nat() {
} else {
} else {
do_one_nat $external, $interface, $internal, $allints, $localnat;
do_one_nat $external, $interface, $internal, $allints, $localnat;
}
}
}
}
close NAT;
close NAT;
@ -374,7 +374,7 @@ sub setup_nat() {
# Setup Network Mapping
# Setup Network Mapping
#
#
sub setup_netmap() {
sub setup_netmap() {
open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!";
open NM, "$ENV{TMP_DIR}/netmap" or fatal_error "Unable to open stripped netmap file: $!";
while ( $line = <NM> ) {
while ( $line = <NM> ) {
@ -45,7 +45,7 @@ sub new_policy_chain($$$)
my ($chain, $policy, $optional) = @_;
my ($chain, $policy, $optional) = @_;
my $chainref = new_chain 'filter', $chain;
my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1;
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{policy} = $policy;
$chainref->{is_optional} = $optional;
$chainref->{is_optional} = $optional;
@ -87,12 +87,12 @@ sub validate_policy()
QUEUE => undef,
QUEUE => undef,
NONE => undef
NONE => undef
);
);
my %map = ( DROP_DEFAULT => 'DROP' ,
my %map = ( DROP_DEFAULT => 'DROP' ,
REJECT_DEFAULT => 'REJECT' ,
REJECT_DEFAULT => 'REJECT' ,
ACCEPT_DEFAULT => 'ACCEPT' ,
ACCEPT_DEFAULT => 'ACCEPT' ,
QUEUE_DEFAULT => 'QUEUE' );
QUEUE_DEFAULT => 'QUEUE' );
my $zone;
my $zone;
use constant { OPTIONAL => 1 };
use constant { OPTIONAL => 1 };
@ -101,7 +101,7 @@ sub validate_policy()
my $action = $config{$option};
my $action = $config{$option};
next if $action eq 'none';
next if $action eq 'none';
my $actiontype = $targets{$action};
my $actiontype = $targets{$action};
if ( defined $actiontype ) {
if ( defined $actiontype ) {
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
} else {
} else {
@ -115,7 +115,7 @@ sub validate_policy()
$default_actions{$map{$option}} = $action;
$default_actions{$map{$option}} = $action;
}
}
for $zone ( @zones ) {
for $zone ( @zones ) {
push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL );
push @policy_chains, ( new_policy_chain "${zone}2${zone}", 'ACCEPT', OPTIONAL );
@ -138,7 +138,7 @@ sub validate_policy()
$synparams = '' unless defined $synparams;
$synparams = '' unless defined $synparams;
$loglevel = '' if $loglevel eq '-';
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$synparams = '' if $synparams eq '-';
my $clientwild = ( "\L$client" eq 'all' );
my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
@ -153,7 +153,7 @@ sub validate_policy()
$default = 'none';
$default = 'none';
} elsif ( $default ) {
} elsif ( $default ) {
my $defaulttype = $targets{$default};
my $defaulttype = $targets{$default};
if ( $defaulttype & ACTION ) {
if ( $defaulttype & ACTION ) {
unless ( $usedactions{$default} ) {
unless ( $usedactions{$default} ) {
$usedactions{$default} = 1;
$usedactions{$default} = 1;
@ -161,7 +161,7 @@ sub validate_policy()
}
}
} else {
} else {
fatal_error "Unknown Default Action ($default) in policy \"$line\"";
fatal_error "Unknown Default Action ($default) in policy \"$line\"";
}
}
} else {
} else {
$default = $default_actions{$policy} || '';
$default = $default_actions{$policy} || '';
}
}
@ -174,13 +174,13 @@ sub validate_policy()
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
if $clientwild || $serverwild;
}
}
my $chain = "${client}2${server}";
my $chain = "${client}2${server}";
my $chainref;
my $chainref;
if ( defined $filter_table->{$chain} ) {
if ( defined $filter_table->{$chain} ) {
$chainref = $filter_table->{$chain};
$chainref = $filter_table->{$chain};
if ( $chainref->{is_policy} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{is_optional} ) {
if ( $chainref->{is_optional} ) {
$chainref->{is_optional} = 0;
$chainref->{is_optional} = 0;
@ -221,13 +221,13 @@ sub validate_policy()
set_policy_chain "${client}2${zone}", $chainref, $policy;
set_policy_chain "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain;
print_policy $client, $zone, $policy, $chain;
}
}
} else {
} else {
print_policy $client, $server, $policy, $chain;
print_policy $client, $server, $policy, $chain;
}
}
}
}
close POLICY;
close POLICY;
}
}
#
#
@ -281,7 +281,7 @@ sub default_policy( $$$ ) {
}
}
progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
}
}
sub apply_policy_rules() {
sub apply_policy_rules() {
@ -79,7 +79,7 @@ fi
for my $interface ( @$interfaces1 ) {
for my $interface ( @$interfaces1 ) {
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
my $value = get_interface_option $interface, 'arp_ignore';
my $value = get_interface_option $interface, 'arp_ignore';
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
emit "if [ -f $file ]; then
emit "if [ -f $file ]; then
@ -100,7 +100,7 @@ sub setup_route_filtering() {
my $interfaces = find_interfaces_by_option 'routefilter';
my $interfaces = find_interfaces_by_option 'routefilter';
if ( @$interfaces || $config{ROUTE_FILTER} ) {
if ( @$interfaces || $config{ROUTE_FILTER} ) {
progress_message2 "$doing Kernel Route Filtering...";
progress_message2 "$doing Kernel Route Filtering...";
save_progress_message "Setting up Route Filtering...";
save_progress_message "Setting up Route Filtering...";
@ -120,7 +120,7 @@ else
fi
fi
";
";
}
}
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
if ( $config{ROUTE_FILTER} ) {
if ( $config{ROUTE_FILTER} ) {
@ -140,7 +140,7 @@ sub setup_martian_logging() {
my $interfaces = find_interfaces_by_option 'logmartians';
my $interfaces = find_interfaces_by_option 'logmartians';
if ( @$interfaces || $config{LOG_MARTIANS} ) {
if ( @$interfaces || $config{LOG_MARTIANS} ) {
progress_message2 "$doing Martian Logging...";
progress_message2 "$doing Martian Logging...";
save_progress_message "Setting up Martian Logging...";
save_progress_message "Setting up Martian Logging...";
@ -160,7 +160,7 @@ else
fi
fi
";
";
}
}
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
if ( $config{LOG_MARTIANS} ) {
if ( $config{LOG_MARTIANS} ) {
@ -170,7 +170,7 @@ fi
}
}
}
}
#
#
# Source Routing
# Source Routing
#
#
@ -61,10 +61,10 @@ my @providers;
sub setup_route_marking() {
sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark';
my $chainref = new_chain 'mangle', 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
@ -95,11 +95,11 @@ sub setup_providers() {
sub copy_and_edit_table( $$$ ) {
sub copy_and_edit_table( $$$ ) {
my ( $duplicate, $number, $copy ) = @_;
my ( $duplicate, $number, $copy ) = @_;
my $match = $copy;
my $match = $copy;
$match =~ s/ /\|/g;
$match =~ s/ /\|/g;
emitj ( "ip route show table $duplicate | while read net route; do",
emitj ( "ip route show table $duplicate | while read net route; do",
' case $net in',
' case $net in',
' default|nexthop)',
' default|nexthop)',
@ -118,18 +118,18 @@ sub setup_providers() {
sub balance_default_route( $$$ ) {
sub balance_default_route( $$$ ) {
my ( $weight, $gateway, $interface ) = @_;
my ( $weight, $gateway, $interface ) = @_;
$balance = 1;
$balance = 1;
emit '';
emit '';
if ( $first_default_route ) {
if ( $first_default_route ) {
if ( $gateway ) {
if ( $gateway ) {
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight\"";
} else {
} else {
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight\"";
}
}
$first_default_route = 0;
$first_default_route = 0;
} else {
} else {
if ( $gateway ) {
if ( $gateway ) {
@ -139,15 +139,15 @@ sub setup_providers() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_a_provider( $$$$$$$$ ) {
|
sub add_a_provider( $$$$$$$$ ) {
|
||||||
|
|
||||||
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
|
||||||
|
|
||||||
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
|
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
|
||||||
|
|
||||||
fatal_error "Duplicate provider ( $table )" if $providers{$table};
|
fatal_error "Duplicate provider ( $table )" if $providers{$table};
|
||||||
|
|
||||||
for my $provider ( keys %providers ) {
|
for my $provider ( keys %providers ) {
|
||||||
fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number;
|
fatal_error "Duplicate provider number ( $number )" if $providers{$provider}{number} == $number;
|
||||||
}
|
}
|
||||||
@ -161,7 +161,7 @@ sub setup_providers() {
|
|||||||
emit "${iface}_up=Yes";
|
emit "${iface}_up=Yes";
|
||||||
emit "qt ip route flush table $number";
|
emit "qt ip route flush table $number";
|
||||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||||
|
|
||||||
$duplicate = '-' unless $duplicate;
|
$duplicate = '-' unless $duplicate;
|
||||||
$copy = '-' unless $copy;
|
$copy = '-' unless $copy;
|
||||||
|
|
||||||
@ -173,7 +173,7 @@ sub setup_providers() {
|
|||||||
my @c = ( split /,/, $copy );
|
my @c = ( split /,/, $copy );
|
||||||
$copy = "@c";
|
$copy = "@c";
|
||||||
}
|
}
|
||||||
|
|
||||||
copy_and_edit_table( $duplicate, $number ,$copy );
|
copy_and_edit_table( $duplicate, $number ,$copy );
|
||||||
} else {
|
} else {
|
||||||
copy_table ( $duplicate, $number );
|
copy_table ( $duplicate, $number );
|
||||||
@ -199,7 +199,7 @@ sub setup_providers() {
|
|||||||
$gateway = '';
|
$gateway = '';
|
||||||
emit "run_ip route add default dev $interface table $number";
|
emit "run_ip route add default dev $interface table $number";
|
||||||
}
|
}
|
||||||
|
|
||||||
$mark = '-' unless $mark;
|
$mark = '-' unless $mark;
|
||||||
|
|
||||||
my $val = 0;
|
my $val = 0;
|
||||||
@ -207,15 +207,15 @@ sub setup_providers() {
|
|||||||
if ( $mark ne '-' ) {
|
if ( $mark ne '-' ) {
|
||||||
|
|
||||||
$val = numeric_value $mark;
|
$val = numeric_value $mark;
|
||||||
|
|
||||||
verify_mark $mark;
|
verify_mark $mark;
|
||||||
|
|
||||||
if ( $val < 256) {
|
if ( $val < 256) {
|
||||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $provider ( keys %providers ) {
|
for my $provider ( keys %providers ) {
|
||||||
my $num = $providers{$provider}{mark};
|
my $num = $providers{$provider}{mark};
|
||||||
fatal_error "Duplicate mark value ( $mark )" if $num == $val;
|
fatal_error "Duplicate mark value ( $mark )" if $num == $val;
|
||||||
@ -254,48 +254,48 @@ sub setup_providers() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $loose ) {
|
if ( $loose ) {
|
||||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||||
|
|
||||||
emit "\nrulenum=0\n";
|
emit "\nrulenum=0\n";
|
||||||
|
|
||||||
emitj ( "find_interface_addresses $interface | while read address; do",
|
emitj ( "find_interface_addresses $interface | while read address; do",
|
||||||
' qt ip rule del from $address',
|
' qt ip rule del from $address',
|
||||||
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||||
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
|
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||||
' rulenum=$(($rulenum + 1))',
|
' rulenum=$(($rulenum + 1))',
|
||||||
'done' );
|
'done' );
|
||||||
} else {
|
} else {
|
||||||
emit "\nfind_interface_addresses $interface | while read address; do";
|
emit "\nfind_interface_addresses $interface | while read address; do";
|
||||||
emit ' qt ip rule del from $address';
|
emit ' qt ip rule del from $address';
|
||||||
emit 'done';
|
emit 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit 'else';
|
emit 'else';
|
||||||
|
|
||||||
if ( $optional ) {
|
if ( $optional ) {
|
||||||
emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"";
|
emit " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"";
|
||||||
emit " ${iface}_up=";
|
emit " ${iface}_up=";
|
||||||
} else {
|
} else {
|
||||||
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
|
emit " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_an_rtrule( $$$$ ) {
|
sub add_an_rtrule( $$$$ ) {
|
||||||
my ( $source, $dest, $provider, $priority ) = @_;
|
my ( $source, $dest, $provider, $priority ) = @_;
|
||||||
|
|
||||||
unless ( $providers{$provider} ) {
|
unless ( $providers{$provider} ) {
|
||||||
my $found = 0;
|
my $found = 0;
|
||||||
|
|
||||||
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
|
||||||
my $provider_number = numeric_value $provider;
|
my $provider_number = numeric_value $provider;
|
||||||
|
|
||||||
for my $provider ( keys %providers ) {
|
for my $provider ( keys %providers ) {
|
||||||
if ( $providers{$provider}{number} == $provider_number ) {
|
if ( $providers{$provider}{number} == $provider_number ) {
|
||||||
$found = 1;
|
$found = 1;
|
||||||
@ -303,17 +303,17 @@ sub setup_providers() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found;
|
fatal_error "Unknown provider $provider in route rule \"$line\"" unless $found;
|
||||||
}
|
}
|
||||||
|
|
||||||
$source = '-' unless $source;
|
$source = '-' unless $source;
|
||||||
$dest = '-' unless $dest;
|
$dest = '-' unless $dest;
|
||||||
|
|
||||||
fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-';
|
fatal_error "You must specify either the source or destination in an rt rule: \"$line\"" if $source eq '-' && $dest eq '-';
|
||||||
|
|
||||||
$dest = $dest eq '-' ? '' : "to $dest";
|
$dest = $dest eq '-' ? '' : "to $dest";
|
||||||
|
|
||||||
if ( $source eq '-' ) {
|
if ( $source eq '-' ) {
|
||||||
$source = '';
|
$source = '';
|
||||||
} elsif ( $source =~ /:/ ) {
|
} elsif ( $source =~ /:/ ) {
|
||||||
@ -324,11 +324,11 @@ sub setup_providers() {
|
|||||||
} else {
|
} else {
|
||||||
$source = "iif $source";
|
$source = "iif $source";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/;
|
fatal_error "Invalid priority ($priority) in rule \"$line\"" unless $priority && $priority =~ /^\d{1,5}$/;
|
||||||
|
|
||||||
$priority = "priority $priority";
|
$priority = "priority $priority";
|
||||||
|
|
||||||
emit "qt ip rule del $source $dest $priority";
|
emit "qt ip rule del $source $dest $priority";
|
||||||
emit "run_ip rule add $source $dest $priority table $provider";
|
emit "run_ip rule add $source $dest $priority table $provider";
|
||||||
emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing";
|
emit "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing";
|
||||||
@ -358,15 +358,15 @@ sub setup_providers() {
|
|||||||
'# Initialize the file that holds \'undo\' commands',
|
'# Initialize the file that holds \'undo\' commands',
|
||||||
'#',
|
'#',
|
||||||
'> ${VARDIR}/undo_routing' );
|
'> ${VARDIR}/undo_routing' );
|
||||||
|
|
||||||
save_progress_message 'Adding Providers...';
|
save_progress_message 'Adding Providers...';
|
||||||
|
|
||||||
emit 'DEFAULT_ROUTE=';
|
emit 'DEFAULT_ROUTE=';
|
||||||
|
|
||||||
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
|
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
|
||||||
|
|
||||||
while ( $line = <PV> ) {
|
while ( $line = <PV> ) {
|
||||||
|
|
||||||
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
|
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
|
||||||
|
|
||||||
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
|
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
|
||||||
@ -392,8 +392,10 @@ sub setup_providers() {
|
|||||||
'fi',
|
'fi',
|
||||||
'' );
|
'' );
|
||||||
} else {
|
} else {
|
||||||
emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#";
|
emitj( '#',
|
||||||
emit 'restore_default_route';
|
'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
|
||||||
|
'#',
|
||||||
|
'restore_default_route' );
|
||||||
}
|
}
|
||||||
|
|
||||||
emit 'cat > /etc/iproute2/rt_tables <<EOF';
|
emit 'cat > /etc/iproute2/rt_tables <<EOF';
|
||||||
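Review bot: The new comment string on the second `emitj` argument is hard to read because it escapes three single quotes inside a single-quoted literal; using a double-quoted string there keeps the emitted text identical and drops the backslashes, `"# We don't have any 'balance' providers so we restore any default route that we've saved",`. Behaviour appears unchanged relative to the old `emit "#\n#...\n#"` form, assuming `emitj` emits each element on its own line as the old embedded newlines did. The enclosing `if`/`else` and the `setup_providers` body start outside this hunk.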
@ -412,7 +414,7 @@ sub setup_providers() {
|
|||||||
|
|
||||||
emit 'echocommand=$(find_echo)';
|
emit 'echocommand=$(find_echo)';
|
||||||
emit '';
|
emit '';
|
||||||
|
|
||||||
for my $table ( @providers ) {
|
for my $table ( @providers ) {
|
||||||
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
|
emit "\$echocommand \"$providers{$table}{number}\\t$table\" >> /etc/iproute2/rt_tables";
|
||||||
}
|
}
|
||||||
@ -427,7 +429,7 @@ sub setup_providers() {
|
|||||||
|
|
||||||
while ( $line = <RR> ) {
|
while ( $line = <RR> ) {
|
||||||
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
|
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
|
||||||
|
|
||||||
add_an_rtrule( $source, $dest, $provider , $priority );
|
add_an_rtrule( $source, $dest, $provider , $priority );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -439,7 +441,7 @@ sub setup_providers() {
|
|||||||
emit 'run_ip route flush cache';
|
emit 'run_ip route flush cache';
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
|
|
||||||
setup_route_marking if @routemarked_interfaces;
|
setup_route_marking if @routemarked_interfaces;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -69,7 +69,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
progress_message \" Host $address connected to $interface added to ARP on $external\"\n";
|
progress_message \" Host $address connected to $interface added to ARP on $external\"\n";
|
||||||
|
|
||||||
push @proxyarp, "$address $interface $external $haveroute";
|
push @proxyarp, "$address $interface $external $haveroute";
|
||||||
|
|
||||||
progress_message " Host $address connected to $interface added to ARP on $external";
|
progress_message " Host $address connected to $interface added to ARP on $external";
|
||||||
@ -91,7 +91,7 @@ sub setup_proxy_arp() {
|
|||||||
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
|
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
|
||||||
|
|
||||||
while ( $line = <PA> ) {
|
while ( $line = <PA> ) {
|
||||||
|
|
||||||
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
|
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
|
||||||
|
|
||||||
$set{$interface} = 1;
|
$set{$interface} = 1;
|
||||||
|
@ -71,9 +71,9 @@ sub process_tos() {
|
|||||||
open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!";
|
open TOS, "$ENV{TMP_DIR}/tos" or fatal_error "Unable to open stripped tos file: $!";
|
||||||
|
|
||||||
while ( $line = <TOS> ) {
|
while ( $line = <TOS> ) {
|
||||||
|
|
||||||
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
|
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
|
||||||
|
|
||||||
fatal_error "TOS field required: $line" unless $tos ne '-';
|
fatal_error "TOS field required: $line" unless $tos ne '-';
|
||||||
|
|
||||||
my $chainref;
|
my $chainref;
|
||||||
@ -81,7 +81,7 @@ sub process_tos() {
|
|||||||
my $restriction = NO_RESTRICT;
|
my $restriction = NO_RESTRICT;
|
||||||
|
|
||||||
my ( $srczone , $source ) = split /:/, $src;
|
my ( $srczone , $source ) = split /:/, $src;
|
||||||
|
|
||||||
if ( $srczone eq $firewall_zone ) {
|
if ( $srczone eq $firewall_zone ) {
|
||||||
$chainref = $outtosref;
|
$chainref = $outtosref;
|
||||||
$src = $source || '-';
|
$src = $source || '-';
|
||||||
@ -92,7 +92,7 @@ sub process_tos() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$dst =~ s/^all:?//;
|
$dst =~ s/^all:?//;
|
||||||
|
|
||||||
expand_rule
|
expand_rule
|
||||||
$chainref ,
|
$chainref ,
|
||||||
$restriction ,
|
$restriction ,
|
||||||
@ -133,11 +133,11 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
||||||
|
|
||||||
while ( $line = <RFC> ) {
|
while ( $line = <RFC> ) {
|
||||||
|
|
||||||
my ( $networks, $target ) = split_line 2, 'rfc1918 file';
|
my ( $networks, $target ) = split_line 2, 'rfc1918 file';
|
||||||
|
|
||||||
my $s_target;
|
my $s_target;
|
||||||
|
|
||||||
if ( $target eq 'logdrop' ) {
|
if ( $target eq 'logdrop' ) {
|
||||||
@ -202,9 +202,9 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
my $chainref = new_standard_chain 'blacklog';
|
my $chainref = new_standard_chain 'blacklog';
|
||||||
|
|
||||||
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
|
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
add_rule $chainref, "-j $target" ;
|
add_rule $chainref, "-j $target" ;
|
||||||
|
|
||||||
$target = 'blacklog';
|
$target = 'blacklog';
|
||||||
@ -217,7 +217,7 @@ sub setup_blacklist() {
|
|||||||
progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) );
|
progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) );
|
||||||
|
|
||||||
while ( $line = <BL> ) {
|
while ( $line = <BL> ) {
|
||||||
|
|
||||||
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
|
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
|
||||||
|
|
||||||
expand_rule
|
expand_rule
|
||||||
@ -231,7 +231,7 @@ sub setup_blacklist() {
|
|||||||
'' ,
|
'' ,
|
||||||
$disposition ,
|
$disposition ,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
progress_message " \"$line\" added to blacklist";
|
progress_message " \"$line\" added to blacklist";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -239,14 +239,14 @@ sub setup_blacklist() {
|
|||||||
close BL;
|
close BL;
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||||
|
|
||||||
for my $hostref ( @$hosts ) {
|
for my $hostref ( @$hosts ) {
|
||||||
my $interface = $hostref->[0];
|
my $interface = $hostref->[0];
|
||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||||
my $network = $hostref->[2];
|
my $network = $hostref->[2];
|
||||||
my $source = match_source_net $network;
|
my $source = match_source_net $network;
|
||||||
|
|
||||||
for my $chain ( @{first_chains $interface}) {
|
for my $chain ( @{first_chains $interface}) {
|
||||||
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
|
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
|
||||||
}
|
}
|
||||||
@ -268,7 +268,7 @@ sub process_criticalhosts() {
|
|||||||
while ( $line = <RS> ) {
|
while ( $line = <RS> ) {
|
||||||
|
|
||||||
my $routeback = 0;
|
my $routeback = 0;
|
||||||
|
|
||||||
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
||||||
|
|
||||||
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
||||||
@ -309,7 +309,7 @@ sub process_routestopped() {
|
|||||||
while ( $line = <RS> ) {
|
while ( $line = <RS> ) {
|
||||||
|
|
||||||
my $routeback = 0;
|
my $routeback = 0;
|
||||||
|
|
||||||
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
||||||
|
|
||||||
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
||||||
@ -327,7 +327,7 @@ sub process_routestopped() {
|
|||||||
warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\"";
|
warning_message "Duplicate 'routeback' option ignored in routestopped entry \"$line\"";
|
||||||
} else {
|
} else {
|
||||||
$routeback = 1;
|
$routeback = 1;
|
||||||
|
|
||||||
for my $host ( split /,/, $hosts ) {
|
for my $host ( split /,/, $hosts ) {
|
||||||
my $source = match_source_net $host;
|
my $source = match_source_net $host;
|
||||||
my $dest = match_dest_net $host;
|
my $dest = match_dest_net $host;
|
||||||
@ -342,7 +342,7 @@ sub process_routestopped() {
|
|||||||
} elsif ( $option eq 'dest' ) {
|
} elsif ( $option eq 'dest' ) {
|
||||||
for my $host ( split /,/, $hosts ) {
|
for my $host ( split /,/, $hosts ) {
|
||||||
$dest{"$interface:$host"} = 1;
|
$dest{"$interface:$host"} = 1;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical';
|
warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical';
|
||||||
}
|
}
|
||||||
@ -358,10 +358,10 @@ sub process_routestopped() {
|
|||||||
my ( $interface, $h ) = split /:/, $host;
|
my ( $interface, $h ) = split /:/, $host;
|
||||||
my $source = match_source_net $h;
|
my $source = match_source_net $h;
|
||||||
my $dest = match_dest_net $h;
|
my $dest = match_dest_net $h;
|
||||||
|
|
||||||
emit "\$IPTABLES INPUT -i $interface $source ACCEPT";
|
emit "\$IPTABLES INPUT -i $interface $source ACCEPT";
|
||||||
emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED};
|
emit "\$IPTABLES OUTPUT -o $interface $dest ACCEPT" if $config{ADMINISABSENTMINDED};
|
||||||
|
|
||||||
my $matched = 0;
|
my $matched = 0;
|
||||||
|
|
||||||
if ( $source{$host} ) {
|
if ( $source{$host} ) {
|
||||||
@ -373,7 +373,7 @@ sub process_routestopped() {
|
|||||||
emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT";
|
emit "\$IPTABLES FORWARD -o $interface $dest ACCEPT";
|
||||||
$matched = 1;
|
$matched = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $matched ) {
|
unless ( $matched ) {
|
||||||
for my $host1 ( @allhosts ) {
|
for my $host1 ( @allhosts ) {
|
||||||
unless ( $host eq $host1 ) {
|
unless ( $host eq $host1 ) {
|
||||||
@ -405,7 +405,7 @@ sub add_common_rules() {
|
|||||||
new_standard_chain 'dynamic';
|
new_standard_chain 'dynamic';
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||||
|
|
||||||
for $interface ( @interfaces ) {
|
for $interface ( @interfaces ) {
|
||||||
for $chain ( input_chain $interface , forward_chain $interface ) {
|
for $chain ( input_chain $interface , forward_chain $interface ) {
|
||||||
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
|
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
|
||||||
@ -429,7 +429,7 @@ sub add_common_rules() {
|
|||||||
} elsif ( @$list ) {
|
} elsif ( @$list ) {
|
||||||
fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables";
|
fatal_error "The nosmurfs option requires Address Type Match in your kernel and iptables";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
progress_message2 ' Adding Anti-smurf Rules';
|
progress_message2 ' Adding Anti-smurf Rules';
|
||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
@ -441,9 +441,9 @@ sub add_common_rules() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset';
|
add_rule $rejectref , '-p tcp -j REJECT --reject-with tcp-reset';
|
||||||
|
|
||||||
if ( $capabilities{ENHANCED_REJECT} ) {
|
if ( $capabilities{ENHANCED_REJECT} ) {
|
||||||
add_rule $rejectref , '-p udp -j REJECT';
|
add_rule $rejectref , '-p udp -j REJECT';
|
||||||
add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable';
|
add_rule $rejectref, '-p icmp -j REJECT --reject-with icmp-host-unreachable';
|
||||||
@ -480,20 +480,20 @@ sub add_common_rules() {
|
|||||||
my $disposition;
|
my $disposition;
|
||||||
|
|
||||||
progress_message2 " $doing TCP Flags filtering...";
|
progress_message2 " $doing TCP Flags filtering...";
|
||||||
|
|
||||||
$chainref = new_standard_chain 'tcpflags';
|
$chainref = new_standard_chain 'tcpflags';
|
||||||
|
|
||||||
if ( $config{TCP_FLAGS_LOG_LEVEL} ) {
|
if ( $config{TCP_FLAGS_LOG_LEVEL} ) {
|
||||||
my $logflagsref = new_standard_chain 'logflags';
|
my $logflagsref = new_standard_chain 'logflags';
|
||||||
|
|
||||||
my $savelogparms = $env{LOGPARMS};
|
my $savelogparms = $env{LOGPARMS};
|
||||||
|
|
||||||
$env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG';
|
$env{LOGPARMS} = "$env{LOGPARMS} --log-ip-options" unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG';
|
||||||
|
|
||||||
log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
|
log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
|
||||||
|
|
||||||
$env{LOGPARMS} = $savelogparms;
|
$env{LOGPARMS} = $savelogparms;
|
||||||
|
|
||||||
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
|
if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) {
|
||||||
add_rule $logflagsref , '-j REJECT --reject-with tcp-reset';
|
add_rule $logflagsref , '-j REJECT --reject-with tcp-reset';
|
||||||
} else {
|
} else {
|
||||||
@ -527,13 +527,13 @@ sub add_common_rules() {
|
|||||||
new_standard_chain $chain;
|
new_standard_chain $chain;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
|
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
|
||||||
|
|
||||||
add_rule $filter_table->{input_chain $interface}, "-j $chain";
|
add_rule $filter_table->{input_chain $interface}, "-j $chain";
|
||||||
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||||
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
$list = find_interfaces_by_option 'upnp';
|
$list = find_interfaces_by_option 'upnp';
|
||||||
|
|
||||||
@ -570,16 +570,16 @@ sub setup_mac_lists( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
my @maclist_interfaces = ( sort keys %maclist_interfaces );
|
my @maclist_interfaces = ( sort keys %maclist_interfaces );
|
||||||
|
|
||||||
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
|
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
|
||||||
|
|
||||||
if ( $phase == 1 ) {
|
if ( $phase == 1 ) {
|
||||||
for my $interface ( @maclist_interfaces ) {
|
for my $interface ( @maclist_interfaces ) {
|
||||||
my $chainref = new_chain $table , mac_chain $interface;
|
my $chainref = new_chain $table , mac_chain $interface;
|
||||||
|
|
||||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||||
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
|
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
|
||||||
|
|
||||||
if ( $config{MACLIST_TTL} ) {
|
if ( $config{MACLIST_TTL} ) {
|
||||||
my $chain1ref = new_chain $table, macrecent_target $interface;
|
my $chain1ref = new_chain $table, macrecent_target $interface;
|
||||||
|
|
||||||
@ -709,11 +709,11 @@ sub process_macro ( $$$$$$$$$$$ ) {
|
|||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
$mtarget = merge_levels $target, $mtarget;
|
$mtarget = merge_levels $target, $mtarget;
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||||
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
||||||
$mtarget = substitute_action $param, $mtarget;
|
$mtarget = substitute_action $param, $mtarget;
|
||||||
@ -727,7 +727,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
|
|||||||
createactionchain $mtarget;
|
createactionchain $mtarget;
|
||||||
$usedactions{$mtarget} = 1;
|
$usedactions{$mtarget} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$mtarget = find_logactionchain $mtarget;
|
$mtarget = find_logactionchain $mtarget;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD;
|
fatal_error "Invalid Action ($mtarget) in rule \"$line\"" unless $actiontype & STANDARD;
|
||||||
@ -746,7 +746,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$msource = '' if $msource eq '-';
|
$msource = '' if $msource eq '-';
|
||||||
|
|
||||||
if ( $mdest ) {
|
if ( $mdest ) {
|
||||||
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
|
||||||
$mdest = $dest || '';
|
$mdest = $dest || '';
|
||||||
@ -766,7 +766,7 @@ sub process_macro ( $$$$$$$$$$$ ) {
|
|||||||
$msports = merge_macro_column $msports, $sports;
|
$msports = merge_macro_column $msports, $sports;
|
||||||
$mrate = merge_macro_column $mrate, $rate;
|
$mrate = merge_macro_column $mrate, $rate;
|
||||||
$muser = merge_macro_column $muser, $user;
|
$muser = merge_macro_column $muser, $user;
|
||||||
|
|
||||||
process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user;
|
process_rule1 $mtarget, $msource, $mdest, $mproto, $mports, $msports, $origdest, $rate, $user;
|
||||||
|
|
||||||
progress_message " Rule \"$line\" $done"; }
|
progress_message " Rule \"$line\" $done"; }
|
||||||
@ -794,9 +794,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
|
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
|
||||||
|
|
||||||
if ( $actiontype == MACRO ) {
|
if ( $actiontype == MACRO ) {
|
||||||
process_macro
|
process_macro
|
||||||
$macros{$basictarget},
|
$macros{$basictarget},
|
||||||
target ,
|
$target ,
|
||||||
$param ,
|
$param ,
|
||||||
$source,
|
$source,
|
||||||
$dest,
|
$dest,
|
||||||
@ -848,7 +848,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
$sourcezone = $source;
|
$sourcezone = $source;
|
||||||
$source = ALLIPv4;
|
$source = ALLIPv4;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $dest =~ /^(.+?):(.*)/ ) {
|
if ( $dest =~ /^(.+?):(.*)/ ) {
|
||||||
$destzone = $1;
|
$destzone = $1;
|
||||||
$dest = $2;
|
$dest = $2;
|
||||||
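Review bot: The change from `target ,` to `$target ,` in the `process_macro` argument list is a functional fix (a bareword replaced by the intended scalar), not whitespace removal, yet the commit message describes the commit as whitespace-only; it should be named in the message or split into its own commit so the fix is discoverable later. Under `use strict` the bareword form would presumably not have compiled, which suggests this path was not exercised before, worth confirming with a rule that invokes a macro. The `process_rule1` body and the multi-line `process_macro` call continue outside this hunk.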
@ -966,7 +966,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
# NONAT or ACCEPT+ -- May not specify a destination interface
|
# NONAT or ACCEPT+ -- May not specify a destination interface
|
||||||
#
|
#
|
||||||
fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/;
|
fatal_error "Invalid DEST ($dest) in $action rule \"$line\"" if $dest =~ /:/;
|
||||||
|
|
||||||
$origdest = '' unless $origdest and $origdest ne '-';
|
$origdest = '' unless $origdest and $origdest ne '-';
|
||||||
|
|
||||||
if ( $origdest eq 'detect' ) {
|
if ( $origdest eq 'detect' ) {
|
||||||
@ -1146,7 +1146,7 @@ sub process_rules() {
|
|||||||
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
|
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
close RULES;
|
close RULES;
|
||||||
|
|
||||||
$comment = '';
|
$comment = '';
|
||||||
@ -1172,16 +1172,16 @@ sub generate_matrix() {
|
|||||||
my ( $zone, $zone1 ) = @_;
|
my ( $zone, $zone1 ) = @_;
|
||||||
my $chain = "${zone}2${zone1}";
|
my $chain = "${zone}2${zone1}";
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
return $chain if $chainref && $chainref->{referenced};
|
return $chain if $chainref && $chainref->{referenced};
|
||||||
return 'ACCEPT' if $zone eq $zone1;
|
return 'ACCEPT' if $zone eq $zone1;
|
||||||
|
|
||||||
if ( $chainref->{policy} ne 'CONTINUE' ) {
|
if ( $chainref->{policy} ne 'CONTINUE' ) {
|
||||||
my $policyref = $chainref->{policychain};
|
my $policyref = $chainref->{policychain};
|
||||||
return $policyref->{name} if $policyref;
|
return $policyref->{name} if $policyref;
|
||||||
fatal_error "No policy defined for zone $zone to zone $zone1";
|
fatal_error "No policy defined for zone $zone to zone $zone1";
|
||||||
}
|
}
|
||||||
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1200,9 +1200,9 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
sub insert_exclusions( $$ ) {
|
sub insert_exclusions( $$ ) {
|
||||||
my ( $chainref, $exclusionsref ) = @_;
|
my ( $chainref, $exclusionsref ) = @_;
|
||||||
|
|
||||||
my $num = 1;
|
my $num = 1;
|
||||||
|
|
||||||
for my $host ( @{$exclusionsref} ) {
|
for my $host ( @{$exclusionsref} ) {
|
||||||
my ( $interface, $net ) = split /:/, $host;
|
my ( $interface, $net ) = split /:/, $host;
|
||||||
insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
|
insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
|
||||||
@ -1214,12 +1214,13 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
sub add_exclusions ( $$ ) {
|
sub add_exclusions ( $$ ) {
|
||||||
my ( $chainref, $exclusionsref ) = @_;
|
my ( $chainref, $exclusionsref ) = @_;
|
||||||
|
|
||||||
for my $host ( @{$exclusionsref} ) {
|
for my $host ( @{$exclusionsref} ) {
|
||||||
my ( $interface, $net ) = split /:/, $host;
|
my ( $interface, $net ) = split /:/, $host;
|
||||||
add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
|
add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate_Matrix() Starts Here
|
# Generate_Matrix() Starts Here
|
||||||
#
|
#
|
||||||
@ -1241,7 +1242,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
addnatjump 'PREROUTING' , 'nat_in' , '';
|
addnatjump 'PREROUTING' , 'nat_in' , '';
|
||||||
addnatjump 'POSTROUTING' , 'nat_out' , '';
|
addnatjump 'POSTROUTING' , 'nat_out' , '';
|
||||||
|
|
||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface ";
|
addnatjump 'PREROUTING' , input_chain( $interface ) , "-i $interface ";
|
||||||
addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface ";
|
addnatjump 'POSTROUTING' , output_chain( $interface ) , "-o $interface ";
|
||||||
@ -1256,7 +1257,7 @@ sub generate_matrix() {
|
|||||||
my $num = 1;
|
my $num = 1;
|
||||||
my $in_ref = new_standard_chain "${zone}_input";
|
my $in_ref = new_standard_chain "${zone}_input";
|
||||||
my $out_ref = new_standard_chain "${zone}_output";
|
my $out_ref = new_standard_chain "${zone}_output";
|
||||||
|
|
||||||
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT';
|
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target $zone, $zone eq 'ACCEPT';
|
||||||
|
|
||||||
for my $host ( @$exclusions ) {
|
for my $host ( @$exclusions ) {
|
||||||
@ -1265,13 +1266,13 @@ sub generate_matrix() {
|
|||||||
add_rule $in_ref , "-i $interface -s $net -j RETURN";
|
add_rule $in_ref , "-i $interface -s $net -j RETURN";
|
||||||
add_rule $out_ref , "-i $interface -s $net -j RETURN";
|
add_rule $out_ref , "-i $interface -s $net -j RETURN";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $capabilities{POLICY_MATCH} ) {
|
if ( $capabilities{POLICY_MATCH} ) {
|
||||||
my $type = $zoneref->{type};
|
my $type = $zoneref->{type};
|
||||||
my $source_ref = $zoneref->{hosts}{ipsec} || [];
|
my $source_ref = $zoneref->{hosts}{ipsec} || [];
|
||||||
|
|
||||||
create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' );
|
create_zone_dyn_chain $zone, $frwd_ref && $config{DYNAMIC_ZONES} && (@$source_ref || $type ne 'ipsec4' );
|
||||||
|
|
||||||
for my $interface ( keys %$source_ref ) {
|
for my $interface ( keys %$source_ref ) {
|
||||||
my $arrayref = $source_ref->{$interface};
|
my $arrayref = $source_ref->{$interface};
|
||||||
for my $hostref ( @{$arrayref} ) {
|
for my $hostref ( @{$arrayref} ) {
|
||||||
@ -1283,7 +1284,7 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -1335,7 +1336,7 @@ sub generate_matrix() {
|
|||||||
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );
|
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );
|
||||||
|
|
||||||
if ( $chain2 ) {
|
if ( $chain2 ) {
|
||||||
@ -1366,11 +1367,11 @@ sub generate_matrix() {
|
|||||||
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
|
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
|
||||||
my $zone1ref = $zones{$zone1};
|
my $zone1ref = $zones{$zone1};
|
||||||
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
|
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
|
||||||
|
|
||||||
next if $policy eq 'NONE';
|
next if $policy eq 'NONE';
|
||||||
|
|
||||||
my $chain = rules_target $zone, $zone1;
|
my $chain = rules_target $zone, $zone1;
|
||||||
|
|
||||||
next unless $chain;
|
next unless $chain;
|
||||||
|
|
||||||
if ( $zone eq $zone1 ) {
|
if ( $zone eq $zone1 ) {
|
||||||
@ -1380,7 +1381,7 @@ sub generate_matrix() {
|
|||||||
no warnings;
|
no warnings;
|
||||||
next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
next if ( %{ $zoneref->{interfaces}} < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $chain =~ /2all$/ ) {
|
if ( $chain =~ /2all$/ ) {
|
||||||
if ( $chain ne $last_chain ) {
|
if ( $chain ne $last_chain ) {
|
||||||
$last_chain = $chain;
|
$last_chain = $chain;
|
||||||
@ -1398,7 +1399,7 @@ sub generate_matrix() {
|
|||||||
$last_chain = '';
|
$last_chain = '';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $last_chain && @temp_zones == 1 ) {
|
if ( $last_chain && @temp_zones == 1 ) {
|
||||||
push @dest_zones, @temp_zones;
|
push @dest_zones, @temp_zones;
|
||||||
$last_chain = '';
|
$last_chain = '';
|
||||||
@ -1424,9 +1425,9 @@ sub generate_matrix() {
|
|||||||
next unless $chain;
|
next unless $chain;
|
||||||
|
|
||||||
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
|
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
|
||||||
|
|
||||||
my $num_ifaces = 0;
|
my $num_ifaces = 0;
|
||||||
|
|
||||||
if ( $zone eq $zone1 ) {
|
if ( $zone eq $zone1 ) {
|
||||||
#
|
#
|
||||||
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
|
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
|
||||||
@ -1437,9 +1438,9 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
my $exclusions1 = $zone1ref->{exclusions};
|
my $exclusions1 = $zone1ref->{exclusions};
|
||||||
|
|
||||||
my $dest_hosts_ref = $zone1ref->{hosts};
|
my $dest_hosts_ref = $zone1ref->{hosts};
|
||||||
|
|
||||||
if ( @$exclusions1 ) {
|
if ( @$exclusions1 ) {
|
||||||
if ( $chain eq "all2$zone1" ) {
|
if ( $chain eq "all2$zone1" ) {
|
||||||
unless ( $chain_exclusions{$chain} ) {
|
unless ( $chain_exclusions{$chain} ) {
|
||||||
@ -1448,7 +1449,7 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
} elsif ( $chain =~ /2all$/ ) {
|
} elsif ( $chain =~ /2all$/ ) {
|
||||||
my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
|
my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
|
||||||
|
|
||||||
unless ( $chain ) {
|
unless ( $chain ) {
|
||||||
$chain1 = newexclusionchain;
|
$chain1 = newexclusionchain;
|
||||||
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
||||||
@ -1456,13 +1457,13 @@ sub generate_matrix() {
|
|||||||
add_exclusions $chain1ref, $exclusions1;
|
add_exclusions $chain1ref, $exclusions1;
|
||||||
add_rule $chain1ref, "-j $chain";
|
add_rule $chain1ref, "-j $chain";
|
||||||
}
|
}
|
||||||
|
|
||||||
$chain = $chain1;
|
$chain = $chain1;
|
||||||
} else {
|
} else {
|
||||||
insert_exclusions $chainref , $exclusions1;
|
insert_exclusions $chainref , $exclusions1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $complex ) {
|
if ( $complex ) {
|
||||||
for my $typeref ( values %$dest_hosts_ref ) {
|
for my $typeref ( values %$dest_hosts_ref ) {
|
||||||
for my $interface ( keys %$typeref ) {
|
for my $interface ( keys %$typeref ) {
|
||||||
@ -1580,6 +1581,6 @@ sub dump_rule_chains() {
|
|||||||
for my $arrayref ( @rule_chains ) {
|
for my $arrayref ( @rule_chains ) {
|
||||||
emit_unindented "@$arrayref";
|
emit_unindented "@$arrayref";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
@ -49,7 +49,7 @@ my %tcs = ( t => { chain => 'tcpost',
|
|||||||
ct => { chain => 'tcpost' ,
|
ct => { chain => 'tcpost' ,
|
||||||
target => 'CONNMARK --set-mark' ,
|
target => 'CONNMARK --set-mark' ,
|
||||||
connmark => 1 ,
|
connmark => 1 ,
|
||||||
fw => 1
|
fw => 1
|
||||||
} ,
|
} ,
|
||||||
c => { target => 'CONNMARK --set-mark' ,
|
c => { target => 'CONNMARK --set-mark' ,
|
||||||
connmark => 1 ,
|
connmark => 1 ,
|
||||||
@ -91,7 +91,7 @@ use constant { NOMARK => 0 ,
|
|||||||
SMALLMARK => 1 ,
|
SMALLMARK => 1 ,
|
||||||
HIGHMARK => 2
|
HIGHMARK => 2
|
||||||
};
|
};
|
||||||
|
|
||||||
my @tccmd = ( { pattern => 'SAVE' ,
|
my @tccmd = ( { pattern => 'SAVE' ,
|
||||||
target => 'CONNMARK --save-mark --mask' ,
|
target => 'CONNMARK --save-mark --mask' ,
|
||||||
mark => SMALLMARK ,
|
mark => SMALLMARK ,
|
||||||
@ -142,7 +142,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
|
|
||||||
if ( $designator ) {
|
if ( $designator ) {
|
||||||
$tcsref = $tcs{$designator};
|
$tcsref = $tcs{$designator};
|
||||||
|
|
||||||
if ( $tcsref ) {
|
if ( $tcsref ) {
|
||||||
if ( $chain eq 'tcout' ) {
|
if ( $chain eq 'tcout' ) {
|
||||||
fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw};
|
fatal_error "Invalid chain designator for source $firewall_zone; rule \"$line\"" unless $tcsref->{fw};
|
||||||
@ -151,7 +151,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
$chain = $tcsref->{chain} if $tcsref->{chain};
|
$chain = $tcsref->{chain} if $tcsref->{chain};
|
||||||
$target = $tcsref->{target} if $tcsref->{target};
|
$target = $tcsref->{target} if $tcsref->{target};
|
||||||
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
|
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
|
fatal_error "Invalid MARK ($original_mark) in rule \"$line\"" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
|
||||||
$chain = 'tcpost';
|
$chain = 'tcpost';
|
||||||
@ -173,12 +173,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
for my $tccmd ( @tccmd ) {
|
for my $tccmd ( @tccmd ) {
|
||||||
if ( $cmd =~ /^($tccmd->{pattern})$/ ) {
|
if ( $cmd =~ /^($tccmd->{pattern})$/ ) {
|
||||||
fatal_error "$mark not valid with :C[FP]" if $connmark;
|
fatal_error "$mark not valid with :C[FP]" if $connmark;
|
||||||
|
|
||||||
$target = "$tccmd->{target} ";
|
$target = "$tccmd->{target} ";
|
||||||
my $marktype = $tccmd->{mark};
|
my $marktype = $tccmd->{mark};
|
||||||
|
|
||||||
$mark =~ s/^[!&]//;
|
$mark =~ s/^[!&]//;
|
||||||
|
|
||||||
if ( $rest ) {
|
if ( $rest ) {
|
||||||
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
|
fatal_error "Invalid MARK ($original_mark)" if $marktype == NOMARK;
|
||||||
|
|
||||||
@ -192,12 +192,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
} elsif ( $tccmd->{mask} ) {
|
} elsif ( $tccmd->{mask} ) {
|
||||||
$mark = $tccmd->{mask};
|
$mark = $tccmd->{mask};
|
||||||
}
|
}
|
||||||
|
|
||||||
last MARK;
|
last MARK;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
validate_mark $mark;
|
validate_mark $mark;
|
||||||
|
|
||||||
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
|
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
|
||||||
@ -215,11 +215,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
|||||||
'' ,
|
'' ,
|
||||||
'' ,
|
'' ,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
progress_message " TC Rule \"$line\" $done";
|
progress_message " TC Rule \"$line\" $done";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Perl version of Arn Bernin's 'tc4shorewall'.
|
# Perl version of Arn Bernin's 'tc4shorewall'.
|
||||||
#
|
#
|
||||||
@ -265,9 +265,8 @@ sub rate_to_kbit( $ ) {
|
|||||||
|
|
||||||
sub calculate_quantum( $ ) {
|
sub calculate_quantum( $ ) {
|
||||||
my $rate = rate_to_kbit $_[0];
|
my $rate = rate_to_kbit $_[0];
|
||||||
|
|
||||||
eval "int( ( $rate * 128 ) / $r2q )";
|
eval "int( ( $rate * 128 ) / $r2q )";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub validate_tc_device( $$$ ) {
|
sub validate_tc_device( $$$ ) {
|
||||||
my ( $device, $inband, $outband ) = @_;
|
my ( $device, $inband, $outband ) = @_;
|
||||||
@ -303,7 +302,7 @@ sub validate_tc_class( $$$$$$ ) {
|
|||||||
'tos-maximize-reliability' => 'tos=0x04/0x04' ,
|
'tos-maximize-reliability' => 'tos=0x04/0x04' ,
|
||||||
'tos-minimize-cost' => 'tos=0x02/0x02' ,
|
'tos-minimize-cost' => 'tos=0x02/0x02' ,
|
||||||
'tos-normal-service' => 'tos=0x00/0x1e' );
|
'tos-normal-service' => 'tos=0x00/0x1e' );
|
||||||
|
|
||||||
my $devref = $tcdevices{$device};
|
my $devref = $tcdevices{$device};
|
||||||
fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref;
|
fatal_error "Unknown Device ( $device ) in tcclass \"$line\"" unless $devref;
|
||||||
my $full = rate_to_kbit $devref->{out_bandwidth};
|
my $full = rate_to_kbit $devref->{out_bandwidth};
|
||||||
@ -326,9 +325,9 @@ sub validate_tc_class( $$$$$$ ) {
|
|||||||
unless ( $options eq '-' ) {
|
unless ( $options eq '-' ) {
|
||||||
for my $option ( split /,/, "\L$options" ) {
|
for my $option ( split /,/, "\L$options" ) {
|
||||||
my $optval = $tosoptions{$option};
|
my $optval = $tosoptions{$option};
|
||||||
|
|
||||||
$option = $optval if $optval;
|
$option = $optval if $optval;
|
||||||
|
|
||||||
if ( $option eq 'default' ) {
|
if ( $option eq 'default' ) {
|
||||||
fatal_error "Only one default class may be specified for device $device" if $devref->{default};
|
fatal_error "Only one default class may be specified for device $device" if $devref->{default};
|
||||||
$devref->{default} = $markval;
|
$devref->{default} = $markval;
|
||||||
@ -347,7 +346,7 @@ sub validate_tc_class( $$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
push @tcclasses, "$device:$markval";
|
push @tcclasses, "$device:$markval";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_traffic_shaping() {
|
sub setup_traffic_shaping() {
|
||||||
if ( -s "$ENV{TMP_DIR}/tcdevices" ) {
|
if ( -s "$ENV{TMP_DIR}/tcdevices" ) {
|
||||||
@ -364,7 +363,6 @@ sub setup_traffic_shaping() {
|
|||||||
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
|
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
|
||||||
validate_tc_device( $device, $inband, $outband );
|
validate_tc_device( $device, $inband, $outband );
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
close TD;
|
close TD;
|
||||||
@ -378,10 +376,9 @@ sub setup_traffic_shaping() {
|
|||||||
while ( $line = <TC> ) {
|
while ( $line = <TC> ) {
|
||||||
|
|
||||||
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
|
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
|
||||||
|
|
||||||
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
close TC;
|
close TC;
|
||||||
@ -398,7 +395,7 @@ sub setup_traffic_shaping() {
|
|||||||
fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark;
|
fatal_error "Option default is not defined for any class in tcclasses for interface $device" unless $defmark;
|
||||||
|
|
||||||
emit "if interface_is_usable $device; then";
|
emit "if interface_is_usable $device; then";
|
||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
emit "${dev}_exists=Yes";
|
emit "${dev}_exists=Yes";
|
||||||
@ -407,7 +404,7 @@ sub setup_traffic_shaping() {
|
|||||||
emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}";
|
emit "run_tc qdisc add dev $device root handle $devnum: htb default ${prefix}${defmark}";
|
||||||
emit "${dev}_mtu=\$(get_device_mtu $device)";
|
emit "${dev}_mtu=\$(get_device_mtu $device)";
|
||||||
emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu";
|
emit "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} mtu \$${dev}_mtu";
|
||||||
|
|
||||||
my $inband = rate_to_kbit $devref->{in_bandwidth};
|
my $inband = rate_to_kbit $devref->{in_bandwidth};
|
||||||
|
|
||||||
if ( $inband ) {
|
if ( $inband ) {
|
||||||
@ -451,7 +448,7 @@ sub setup_traffic_shaping() {
|
|||||||
push_indent;
|
push_indent;
|
||||||
$lastdevice = $device;
|
$lastdevice = $device;
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum";
|
emit "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum";
|
||||||
emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum";
|
emit "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling} prio $tcref->{priority} mtu \$${dev}_mtu quantum \$quantum";
|
||||||
emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10";
|
emit "run_tc qdisc add dev $device parent $classid handle ${prefix}${mark}: sfq perturb 10";
|
||||||
@ -468,7 +465,7 @@ sub setup_traffic_shaping() {
|
|||||||
#
|
#
|
||||||
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
|
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
|
||||||
|
|
||||||
|
|
||||||
for my $tospair ( @{$tcref->{tos}} ) {
|
for my $tospair ( @{$tcref->{tos}} ) {
|
||||||
my ( $tos, $mask ) = split q(/), $tospair;
|
my ( $tos, $mask ) = split q(/), $tospair;
|
||||||
emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
|
emit "run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
|
||||||
@ -477,7 +474,7 @@ sub setup_traffic_shaping() {
|
|||||||
save_progress_message_short qq(" TC Class $class defined.");
|
save_progress_message_short qq(" TC Class $class defined.");
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $lastdevice ) {
|
if ( $lastdevice ) {
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
@ -495,7 +492,7 @@ sub setup_tc() {
|
|||||||
ensure_mangle_chain 'tcfor';
|
ensure_mangle_chain 'tcfor';
|
||||||
ensure_mangle_chain 'tcpost';
|
ensure_mangle_chain 'tcpost';
|
||||||
}
|
}
|
||||||
|
|
||||||
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
|
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
|
||||||
|
|
||||||
while ( $line = <TC> ) {
|
while ( $line = <TC> ) {
|
||||||
@ -512,7 +509,7 @@ sub setup_tc() {
|
|||||||
} else {
|
} else {
|
||||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
close TC;
|
close TC;
|
||||||
@ -523,7 +520,7 @@ sub setup_tc() {
|
|||||||
|
|
||||||
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
||||||
$mark_part = '-m mark --mark 0/0xFF00';
|
$mark_part = '-m mark --mark 0/0xFF00';
|
||||||
|
|
||||||
for my $interface ( @routemarked_interfaces ) {
|
for my $interface ( @routemarked_interfaces ) {
|
||||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
||||||
}
|
}
|
||||||
|
@ -46,43 +46,43 @@ sub setup_tunnels() {
|
|||||||
( $kind, my $qualifier ) = split /:/, $kind;
|
( $kind, my $qualifier ) = split /:/, $kind;
|
||||||
|
|
||||||
fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' );
|
fatal_error "Invalid IPSEC modifier ($qualifier) in tunnel \"$line\"" if $qualifier && ( $qualifier ne 'noah' );
|
||||||
|
|
||||||
my $noah = $qualifier || ($kind ne 'ipsec' );
|
my $noah = $qualifier || ($kind ne 'ipsec' );
|
||||||
|
|
||||||
my $options = '-m $state --state NEW -j ACCEPT';
|
my $options = '-m $state --state NEW -j ACCEPT';
|
||||||
|
|
||||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||||
|
|
||||||
unless ( $noah ) {
|
unless ( $noah ) {
|
||||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||||
|
|
||||||
if ( $kind eq 'ipsec' ) {
|
if ( $kind eq 'ipsec' ) {
|
||||||
add_rule $inchainref, "-p udp $source --dport $options";
|
add_rule $inchainref, "-p udp $source --dport $options";
|
||||||
} else {
|
} else {
|
||||||
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
|
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
|
||||||
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
|
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $zone ( split /,/, $gatewayzones ) {
|
for my $zone ( split /,/, $gatewayzones ) {
|
||||||
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
|
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
|
||||||
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||||
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||||
|
|
||||||
unless ( $capabilities{POLICY_MATCH} ) {
|
unless ( $capabilities{POLICY_MATCH} ) {
|
||||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||||
|
|
||||||
unless ( $noah ) {
|
unless ( $noah ) {
|
||||||
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
add_rule $inchainref, "-p 51 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $kind eq 'ipsec' ) {
|
if ( $kind eq 'ipsec' ) {
|
||||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||||
@ -92,76 +92,76 @@ sub setup_tunnels() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_other {
|
sub setup_one_other {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest , $protocol) = @_;
|
||||||
|
|
||||||
add_rule $inchainref , "-p $protocol $source -j ACCEPT";
|
add_rule $inchainref , "-p $protocol $source -j ACCEPT";
|
||||||
add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
|
add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_pptp_client {
|
sub setup_pptp_client {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
||||||
|
|
||||||
add_rule $outchainref, "-p 47 $dest -j ACCEPT";
|
add_rule $outchainref, "-p 47 $dest -j ACCEPT";
|
||||||
add_rule $inchainref, "-p 47 $source -j ACCEPT";
|
add_rule $inchainref, "-p 47 $source -j ACCEPT";
|
||||||
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_pptp_server {
|
sub setup_pptp_server {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
||||||
|
|
||||||
add_rule $inchainref, "-p 47 $dest -j ACCEPT";
|
add_rule $inchainref, "-p 47 $dest -j ACCEPT";
|
||||||
add_rule $outchainref, "-p 47 $source -j ACCEPT";
|
add_rule $outchainref, "-p 47 $source -j ACCEPT";
|
||||||
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_openvpn {
|
sub setup_one_openvpn {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||||
|
|
||||||
my $protocol = 'udp';
|
my $protocol = 'udp';
|
||||||
my $port = 1194;
|
my $port = 1194;
|
||||||
|
|
||||||
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
||||||
|
|
||||||
if ( $p ) {
|
if ( $p ) {
|
||||||
$port = $p;
|
$port = $p;
|
||||||
$protocol = $proto;
|
$protocol = $proto;
|
||||||
} elsif ( $proto ) {
|
} elsif ( $proto ) {
|
||||||
$port = $proto;
|
$port = $proto;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
|
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
|
||||||
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_openvpn_client {
|
sub setup_one_openvpn_client {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||||
|
|
||||||
my $protocol = 'udp';
|
my $protocol = 'udp';
|
||||||
my $port = 1194;
|
my $port = 1194;
|
||||||
|
|
||||||
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
||||||
|
|
||||||
if ( $p ) {
|
if ( $p ) {
|
||||||
$port = $p;
|
$port = $p;
|
||||||
$protocol = $proto;
|
$protocol = $proto;
|
||||||
} elsif ( $proto ) {
|
} elsif ( $proto ) {
|
||||||
$port = $proto;
|
$port = $proto;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
|
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
|
||||||
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_openvpn_server {
|
sub setup_one_openvpn_server {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||||
|
|
||||||
my $protocol = 'udp';
|
my $protocol = 'udp';
|
||||||
my $port = 1194;
|
my $port = 1194;
|
||||||
|
|
||||||
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
( $kind, my ( $proto, $p ) ) = split /:/, $kind;
|
||||||
|
|
||||||
if ( $p ) {
|
if ( $p ) {
|
||||||
$port = $p;
|
$port = $p;
|
||||||
$protocol = $proto;
|
$protocol = $proto;
|
||||||
@ -175,10 +175,10 @@ sub setup_tunnels() {
|
|||||||
|
|
||||||
sub setup_one_generic {
|
sub setup_one_generic {
|
||||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||||
|
|
||||||
my $protocol = 'udp';
|
my $protocol = 'udp';
|
||||||
my $port = '--dport 5000';
|
my $port = '--dport 5000';
|
||||||
|
|
||||||
if ( $kind =~ /.*:.*:.*/ ) {
|
if ( $kind =~ /.*:.*:.*/ ) {
|
||||||
( $kind, $protocol, $port) = split /:/, $kind;
|
( $kind, $protocol, $port) = split /:/, $kind;
|
||||||
$port = "--dport $port";
|
$port = "--dport $port";
|
||||||
@ -186,22 +186,22 @@ sub setup_tunnels() {
|
|||||||
$port = '';
|
$port = '';
|
||||||
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
|
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
|
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
|
||||||
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
|
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_tunnel($$$$) {
|
sub setup_one_tunnel($$$$) {
|
||||||
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
||||||
|
|
||||||
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
|
fatal_error "Invalid zone ($zone) in tunnel \"$line\"" unless $zones{$zone}{type} eq 'ipv4';
|
||||||
|
|
||||||
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||||
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||||
|
|
||||||
my $source = match_source_net $gateway;
|
my $source = match_source_net $gateway;
|
||||||
my $dest = match_dest_net $gateway;
|
my $dest = match_dest_net $gateway;
|
||||||
|
|
||||||
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
||||||
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
|
||||||
'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
|
'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
|
||||||
@ -218,13 +218,13 @@ sub setup_tunnels() {
|
|||||||
$kind = "\L$kind";
|
$kind = "\L$kind";
|
||||||
|
|
||||||
(my $type) = split /:/, $kind;
|
(my $type) = split /:/, $kind;
|
||||||
|
|
||||||
my $tunnelref = $tunneltypes{ $type };
|
my $tunnelref = $tunneltypes{ $type };
|
||||||
|
|
||||||
fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref;
|
fatal_error "Tunnels of type $type are not supported: Tunnel \"$line\"" unless $tunnelref;
|
||||||
|
|
||||||
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
||||||
|
|
||||||
progress_message " Tunnel \"$line\" $done";
|
progress_message " Tunnel \"$line\" $done";
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -247,10 +247,10 @@ sub setup_tunnels() {
|
|||||||
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
|
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
close TUNNELS;
|
close TUNNELS;
|
||||||
|
|
||||||
$comment = '';
|
$comment = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
@ -34,7 +34,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
NETWORK
|
NETWORK
|
||||||
IPSECPROTO
|
IPSECPROTO
|
||||||
IPSECMODE
|
IPSECMODE
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
zone_report
|
zone_report
|
||||||
dump_zone_contents
|
dump_zone_contents
|
||||||
@ -147,17 +147,17 @@ sub parse_zone_option_list($)
|
|||||||
$val = $2;
|
$val = $2;
|
||||||
$e = $1;
|
$e = $1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$fmt = $validoptions{$e};
|
$fmt = $validoptions{$e};
|
||||||
|
|
||||||
fatal_error "Invalid Option ($e)" unless $fmt;
|
fatal_error "Invalid Option ($e)" unless $fmt;
|
||||||
|
|
||||||
if ( $fmt eq NOTHING ) {
|
if ( $fmt eq NOTHING ) {
|
||||||
fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val;
|
fatal_error "Option $e does not take a value: Zone \"$line\"" if defined $val;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/;
|
fatal_error "Invalid value ($val) for option \"$e\" in Zone \"$line\"" unless $val =~ /^($fmt)$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $key{$e} ) {
|
if ( $key{$e} ) {
|
||||||
$h{$e} = $val;
|
$h{$e} = $val;
|
||||||
} else {
|
} else {
|
||||||
@ -175,7 +175,7 @@ sub parse_zone_option_list($)
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Parse the zones file.
|
# Parse the zones file.
|
||||||
#
|
#
|
||||||
sub determine_zones()
|
sub determine_zones()
|
||||||
{
|
{
|
||||||
my @z;
|
my @z;
|
||||||
@ -183,11 +183,11 @@ sub determine_zones()
|
|||||||
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
|
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
|
||||||
|
|
||||||
while ( $line = <ZONES> ) {
|
while ( $line = <ZONES> ) {
|
||||||
|
|
||||||
my @parents;
|
my @parents;
|
||||||
|
|
||||||
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
|
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
|
||||||
|
|
||||||
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
||||||
$zone = $1;
|
$zone = $1;
|
||||||
@parents = split ',', $2;
|
@parents = split ',', $2;
|
||||||
@ -281,11 +281,11 @@ sub zone_report()
|
|||||||
progress_message " $zone ($type)";
|
progress_message " $zone ($type)";
|
||||||
|
|
||||||
my $printed = 0;
|
my $printed = 0;
|
||||||
|
|
||||||
if ( $hostref ) {
|
if ( $hostref ) {
|
||||||
for my $type ( sort keys %$hostref ) {
|
for my $type ( sort keys %$hostref ) {
|
||||||
my $interfaceref = $hostref->{$type};
|
my $interfaceref = $hostref->{$type};
|
||||||
|
|
||||||
for my $interface ( sort keys %$interfaceref ) {
|
for my $interface ( sort keys %$interfaceref ) {
|
||||||
my $arrayref = $interfaceref->{$interface};
|
my $arrayref = $interfaceref->{$interface};
|
||||||
for my $groupref ( @$arrayref ) {
|
for my $groupref ( @$arrayref ) {
|
||||||
@ -300,7 +300,7 @@ sub zone_report()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall';
|
warning_message "*** $zone is an EMPTY ZONE ***" unless $printed || $type eq 'firewall';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -319,7 +319,7 @@ sub dump_zone_contents()
|
|||||||
if ( $hostref ) {
|
if ( $hostref ) {
|
||||||
for my $type ( sort keys %$hostref ) {
|
for my $type ( sort keys %$hostref ) {
|
||||||
my $interfaceref = $hostref->{$type};
|
my $interfaceref = $hostref->{$type};
|
||||||
|
|
||||||
for my $interface ( sort keys %$interfaceref ) {
|
for my $interface ( sort keys %$interfaceref ) {
|
||||||
my $arrayref = $interfaceref->{$interface};
|
my $arrayref = $interfaceref->{$interface};
|
||||||
for my $groupref ( @$arrayref ) {
|
for my $groupref ( @$arrayref ) {
|
||||||
@ -336,12 +336,12 @@ sub dump_zone_contents()
|
|||||||
|
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
$entry .= ' exclude';
|
$entry .= ' exclude';
|
||||||
|
|
||||||
for my $host ( @$exclusions ) {
|
for my $host ( @$exclusions ) {
|
||||||
$entry .= " $host";
|
$entry .= " $host";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
emit_unindented $entry;
|
emit_unindented $entry;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -58,11 +58,7 @@ use Shorewall::Accounting;
|
|||||||
use Shorewall::Rules;
|
use Shorewall::Rules;
|
||||||
use Shorewall::Proc;
|
use Shorewall::Proc;
|
||||||
use Shorewall::Proxyarp;
|
use Shorewall::Proxyarp;
|
||||||
#
|
|
||||||
# Emacs doesn't handle 'here documents' in Perl Mode nearly as well as it does in Shell mode
|
|
||||||
# (it basically doesn't understand it at all and gets lost). So I use a number of rather
|
|
||||||
# awkward styles in place of 'here docs'.
|
|
||||||
#
|
|
||||||
sub generate_script_1 {
|
sub generate_script_1 {
|
||||||
copy $env{SHAREDIRPL} . 'prog.header';
|
copy $env{SHAREDIRPL} . 'prog.header';
|
||||||
|
|
||||||
@ -75,9 +71,8 @@ sub generate_script_1 {
|
|||||||
'CONFDIR=/etc/shorewall-lite',
|
'CONFDIR=/etc/shorewall-lite',
|
||||||
'VARDIR=/var/lib/shorewall-lite',
|
'VARDIR=/var/lib/shorewall-lite',
|
||||||
'PRODUCT="Shorewall Lite"' );
|
'PRODUCT="Shorewall Lite"' );
|
||||||
|
|
||||||
copy "$env{SHAREDIR}/lib.base";
|
copy "$env{SHAREDIR}/lib.base";
|
||||||
|
|
||||||
emitj ( '################################################################################',
|
emitj ( '################################################################################',
|
||||||
'# End of /usr/share/shorewall/lib.base',
|
'# End of /usr/share/shorewall/lib.base',
|
||||||
'################################################################################' );
|
'################################################################################' );
|
||||||
@ -91,7 +86,7 @@ sub generate_script_1 {
|
|||||||
|
|
||||||
emit 'TEMPFILE=';
|
emit 'TEMPFILE=';
|
||||||
emit '';
|
emit '';
|
||||||
|
|
||||||
for my $exit qw/init start tcclear started stop stopped/ {
|
for my $exit qw/init start tcclear started stop stopped/ {
|
||||||
emit "run_${exit}_exit() {";
|
emit "run_${exit}_exit() {";
|
||||||
push_indent;
|
push_indent;
|
||||||
@ -100,12 +95,12 @@ sub generate_script_1 {
|
|||||||
pop_indent;
|
pop_indent;
|
||||||
emit "}\n";
|
emit "}\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
emit 'initialize()';
|
emit 'initialize()';
|
||||||
emit '{';
|
emit '{';
|
||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
if ( $ENV{EXPORT} ) {
|
if ( $ENV{EXPORT} ) {
|
||||||
emitj ( '#',
|
emitj ( '#',
|
||||||
'# These variables are required by the library functions called in this script',
|
'# These variables are required by the library functions called in this script',
|
||||||
@ -128,7 +123,7 @@ sub generate_script_1 {
|
|||||||
}
|
}
|
||||||
|
|
||||||
propagateconfig;
|
propagateconfig;
|
||||||
|
|
||||||
emitj ( '[ -n "${COMMAND:=restart}" ]',
|
emitj ( '[ -n "${COMMAND:=restart}" ]',
|
||||||
'[ -n "${VERBOSE:=0}" ]',
|
'[ -n "${VERBOSE:=0}" ]',
|
||||||
'[ -n "${RESTOREFILE:=$RESTOREFILE}" ]',
|
'[ -n "${RESTOREFILE:=$RESTOREFILE}" ]',
|
||||||
@ -136,7 +131,7 @@ sub generate_script_1 {
|
|||||||
qq(VERSION="$env{VERSION}") ,
|
qq(VERSION="$env{VERSION}") ,
|
||||||
qq(PATH="$config{PATH}") ,
|
qq(PATH="$config{PATH}") ,
|
||||||
'TERMINATOR=fatal_error' );
|
'TERMINATOR=fatal_error' );
|
||||||
|
|
||||||
if ( $config{IPTABLES} ) {
|
if ( $config{IPTABLES} ) {
|
||||||
emit "IPTABLES=\"$config{IPTABLES}\"\n";
|
emit "IPTABLES=\"$config{IPTABLES}\"\n";
|
||||||
emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\"";
|
emit "[ -x \"$config{IPTABLES}\" ] || startup_error \"IPTABLES=$config{IPTABLES} does not exist or is not executable\"";
|
||||||
@ -155,16 +150,16 @@ sub generate_script_1 {
|
|||||||
'# The library requires that ${VARDIR} exist',
|
'# The library requires that ${VARDIR} exist',
|
||||||
'#',
|
'#',
|
||||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
|
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|
||||||
emit "}\n";
|
emit "}\n";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sub compile_stop_firewall() {
|
sub compile_stop_firewall() {
|
||||||
|
|
||||||
emit "
|
emit <<EOF;
|
||||||
#
|
#
|
||||||
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
||||||
#
|
#
|
||||||
@ -213,7 +208,7 @@ stop_firewall() {
|
|||||||
logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
|
logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ \"\$RESTOREFILE\" = NONE ]; then
|
if [ \"\$RESTOREFILE\" = NONE ]; then
|
||||||
COMMAND=clear
|
COMMAND=clear
|
||||||
clear_firewall
|
clear_firewall
|
||||||
@ -302,20 +297,24 @@ stop_firewall() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f \${VARDIR}/proxyarp\n";
|
rm -f \${VARDIR}/proxyarp
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
emit ' delete_tc1' if $config{CLEAR_TC};
|
emit ' delete_tc1' if $config{CLEAR_TC};
|
||||||
emit ' undo_routing';
|
emit ' undo_routing';
|
||||||
emit ' restore_default_route';
|
emit ' restore_default_route';
|
||||||
|
|
||||||
my $criticalhosts = process_criticalhosts;
|
my $criticalhosts = process_criticalhosts;
|
||||||
|
|
||||||
if ( @$criticalhosts ) {
|
if ( @$criticalhosts ) {
|
||||||
if ( $config{ADMINISABSENTMINDED} ) {
|
if ( $config{ADMINISABSENTMINDED} ) {
|
||||||
emitj ( ' for chain in INPUT OUTPUT; do',
|
emitj ( ' for chain in INPUT OUTPUT; do',
|
||||||
' setpolicy $chain ACCEPT',
|
' setpolicy $chain ACCEPT',
|
||||||
" done\n",
|
' done',
|
||||||
" setpolicy FORWARD DROP\n",
|
'',
|
||||||
|
' setpolicy FORWARD DROP',
|
||||||
|
'',
|
||||||
' deleteallchains',
|
' deleteallchains',
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
@ -327,7 +326,7 @@ stop_firewall() {
|
|||||||
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
emit " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
|
||||||
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
emit " \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
emit "
|
emit "
|
||||||
for chain in INPUT OUTPUT; do
|
for chain in INPUT OUTPUT; do
|
||||||
setpolicy \$chain DROP
|
setpolicy \$chain DROP
|
||||||
@ -412,12 +411,12 @@ stop_firewall() {
|
|||||||
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
|
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||||
emit 'progress_message2 IP Forwarding Disabled!';
|
emit 'progress_message2 IP Forwarding Disabled!';
|
||||||
}
|
}
|
||||||
|
|
||||||
emit 'run_stopped_exit';
|
emit 'run_stopped_exit';
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|
||||||
emit "
|
emit <<EOF;
|
||||||
set_state \"Stopped\"
|
set_state \"Stopped\"
|
||||||
|
|
||||||
logger -p kern.info \"\$PRODUCT Stopped\"
|
logger -p kern.info \"\$PRODUCT Stopped\"
|
||||||
@ -434,7 +433,9 @@ stop_firewall() {
|
|||||||
kill \$\$
|
kill \$\$
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}\n";
|
}
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|