From a9593da1121991ba90000434dbe2871e1ab98e29 Mon Sep 17 00:00:00 2001 
From: teastep Date: Tue, 16 Dec 2008 18:34:00 +0000 Subject: [PATCH] Delete aborted IPv6 attempts git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9077 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common-IPv6-Aborted/COPYING | 340 -- Shorewall-common-IPv6-Aborted/INSTALL | 24 - Shorewall-common-IPv6-Aborted/Makefile | 17 - Shorewall-common-IPv6-Aborted/Makefile-lite | 82 - Shorewall-common-IPv6-Aborted/README.txt | 1 - Shorewall-common-IPv6-Aborted/accounting | 12 - Shorewall-common-IPv6-Aborted/action.Drop | 53 - Shorewall-common-IPv6-Aborted/action.Reject | 51 - Shorewall-common-IPv6-Aborted/action.template | 200 - Shorewall-common-IPv6-Aborted/actions | 13 - Shorewall-common-IPv6-Aborted/actions.std | 35 - Shorewall-common-IPv6-Aborted/blacklist | 11 - Shorewall-common-IPv6-Aborted/changelog.txt | 19 - Shorewall-common-IPv6-Aborted/configpath | 13 - Shorewall-common-IPv6-Aborted/continue | 14 - Shorewall-common-IPv6-Aborted/default.debian | 24 - Shorewall-common-IPv6-Aborted/ecn | 11 - Shorewall-common-IPv6-Aborted/fallback.sh | 104 - Shorewall-common-IPv6-Aborted/firewall | 653 --- Shorewall-common-IPv6-Aborted/hosts | 11 - Shorewall-common-IPv6-Aborted/init | 13 - .../init.archlinux.sh | 58 - Shorewall-common-IPv6-Aborted/init.debian.sh | 129 - Shorewall-common-IPv6-Aborted/init.sh | 90 - Shorewall-common-IPv6-Aborted/initdone | 14 - Shorewall-common-IPv6-Aborted/install.sh | 776 ---- Shorewall-common-IPv6-Aborted/interfaces | 11 - Shorewall-common-IPv6-Aborted/ipsec | 7 - Shorewall-common-IPv6-Aborted/ipsecvpn | 296 -- Shorewall-common-IPv6-Aborted/lib.base | 1723 -------- Shorewall-common-IPv6-Aborted/lib.cli | 1146 ----- Shorewall-common-IPv6-Aborted/lib.config | 2296 ---------- .../lib.dynamiczones | 427 -- Shorewall-common-IPv6-Aborted/maclist | 10 - .../macro.AllowICMPs | 16 - Shorewall-common-IPv6-Aborted/macro.Amanda | 21 - Shorewall-common-IPv6-Aborted/macro.Auth | 12 - .../macro.BitTorrent | 23 - 
Shorewall-common-IPv6-Aborted/macro.CVS | 12 - Shorewall-common-IPv6-Aborted/macro.DAAP | 14 - Shorewall-common-IPv6-Aborted/macro.DCC | 13 - Shorewall-common-IPv6-Aborted/macro.DNS | 13 - Shorewall-common-IPv6-Aborted/macro.Distcc | 12 - Shorewall-common-IPv6-Aborted/macro.Drop | 53 - .../macro.DropDNSrep | 15 - Shorewall-common-IPv6-Aborted/macro.DropUPnP | 15 - Shorewall-common-IPv6-Aborted/macro.Edonkey | 35 - Shorewall-common-IPv6-Aborted/macro.FTP | 12 - Shorewall-common-IPv6-Aborted/macro.Finger | 13 - Shorewall-common-IPv6-Aborted/macro.GNUnet | 15 - Shorewall-common-IPv6-Aborted/macro.GRE | 14 - Shorewall-common-IPv6-Aborted/macro.Gnutella | 13 - Shorewall-common-IPv6-Aborted/macro.HTTP | 12 - Shorewall-common-IPv6-Aborted/macro.HTTPS | 12 - Shorewall-common-IPv6-Aborted/macro.ICQ | 12 - Shorewall-common-IPv6-Aborted/macro.IMAP | 13 - Shorewall-common-IPv6-Aborted/macro.IMAPS | 13 - Shorewall-common-IPv6-Aborted/macro.IPIP | 13 - Shorewall-common-IPv6-Aborted/macro.IPP | 12 - Shorewall-common-IPv6-Aborted/macro.IPPserver | 30 - Shorewall-common-IPv6-Aborted/macro.IPsec | 15 - Shorewall-common-IPv6-Aborted/macro.IPsecah | 16 - Shorewall-common-IPv6-Aborted/macro.IPsecnat | 17 - Shorewall-common-IPv6-Aborted/macro.JAP | 18 - .../macro.JabberPlain | 12 - .../macro.JabberSecure | 12 - Shorewall-common-IPv6-Aborted/macro.Jabberd | 12 - Shorewall-common-IPv6-Aborted/macro.Jetdirect | 12 - Shorewall-common-IPv6-Aborted/macro.L2TP | 14 - Shorewall-common-IPv6-Aborted/macro.LDAP | 17 - Shorewall-common-IPv6-Aborted/macro.LDAPS | 17 - Shorewall-common-IPv6-Aborted/macro.Mail | 19 - Shorewall-common-IPv6-Aborted/macro.MySQL | 12 - Shorewall-common-IPv6-Aborted/macro.NNTP | 13 - Shorewall-common-IPv6-Aborted/macro.NNTPS | 13 - Shorewall-common-IPv6-Aborted/macro.NTP | 13 - Shorewall-common-IPv6-Aborted/macro.NTPbrd | 18 - Shorewall-common-IPv6-Aborted/macro.OpenVPN | 12 - Shorewall-common-IPv6-Aborted/macro.PCA | 13 - Shorewall-common-IPv6-Aborted/macro.POP3 | 13 - 
Shorewall-common-IPv6-Aborted/macro.POP3S | 13 - Shorewall-common-IPv6-Aborted/macro.PPtP | 14 - Shorewall-common-IPv6-Aborted/macro.Ping | 12 - .../macro.PostgreSQL | 12 - Shorewall-common-IPv6-Aborted/macro.Printer | 12 - Shorewall-common-IPv6-Aborted/macro.RDP | 12 - Shorewall-common-IPv6-Aborted/macro.RNDC | 12 - Shorewall-common-IPv6-Aborted/macro.Rdate | 16 - Shorewall-common-IPv6-Aborted/macro.Reject | 54 - Shorewall-common-IPv6-Aborted/macro.Rfc1918 | 14 - Shorewall-common-IPv6-Aborted/macro.Rsync | 12 - Shorewall-common-IPv6-Aborted/macro.SANE | 23 - Shorewall-common-IPv6-Aborted/macro.SMB | 19 - Shorewall-common-IPv6-Aborted/macro.SMBBI | 23 - Shorewall-common-IPv6-Aborted/macro.SMBswat | 13 - Shorewall-common-IPv6-Aborted/macro.SMTP | 20 - Shorewall-common-IPv6-Aborted/macro.SMTPS | 17 - Shorewall-common-IPv6-Aborted/macro.SNMP | 13 - Shorewall-common-IPv6-Aborted/macro.SPAMD | 12 - Shorewall-common-IPv6-Aborted/macro.SSH | 12 - Shorewall-common-IPv6-Aborted/macro.SVN | 13 - Shorewall-common-IPv6-Aborted/macro.SixXS | 25 - .../macro.Submission | 12 - Shorewall-common-IPv6-Aborted/macro.Syslog | 12 - Shorewall-common-IPv6-Aborted/macro.TFTP | 14 - Shorewall-common-IPv6-Aborted/macro.Telnet | 13 - Shorewall-common-IPv6-Aborted/macro.Telnets | 13 - Shorewall-common-IPv6-Aborted/macro.Time | 14 - Shorewall-common-IPv6-Aborted/macro.Trcrt | 13 - Shorewall-common-IPv6-Aborted/macro.VNC | 12 - Shorewall-common-IPv6-Aborted/macro.VNCL | 13 - Shorewall-common-IPv6-Aborted/macro.Web | 15 - Shorewall-common-IPv6-Aborted/macro.Webmin | 12 - Shorewall-common-IPv6-Aborted/macro.Whois | 12 - Shorewall-common-IPv6-Aborted/macro.template | 368 -- Shorewall-common-IPv6-Aborted/masq | 11 - Shorewall-common-IPv6-Aborted/modules | 161 - Shorewall-common-IPv6-Aborted/nat | 11 - Shorewall-common-IPv6-Aborted/netmap | 11 - Shorewall-common-IPv6-Aborted/params | 27 - Shorewall-common-IPv6-Aborted/policy | 12 - Shorewall-common-IPv6-Aborted/providers | 10 - 
Shorewall-common-IPv6-Aborted/proxyarp | 10 - .../releasenotes.txt | 1045 ----- Shorewall-common-IPv6-Aborted/rfc1918 | 9 - Shorewall-common-IPv6-Aborted/route_rules | 9 - Shorewall-common-IPv6-Aborted/routestopped | 14 - Shorewall-common-IPv6-Aborted/rules | 15 - Shorewall-common-IPv6-Aborted/shorewall | 2014 --------- .../shorewall-common.spec | 306 -- Shorewall-common-IPv6-Aborted/shorewall.conf | 199 - Shorewall-common-IPv6-Aborted/start | 13 - Shorewall-common-IPv6-Aborted/started | 21 - Shorewall-common-IPv6-Aborted/stop | 13 - Shorewall-common-IPv6-Aborted/stopped | 13 - Shorewall-common-IPv6-Aborted/strip | 110 - Shorewall-common-IPv6-Aborted/tcclasses | 10 - Shorewall-common-IPv6-Aborted/tcdevices | 11 - Shorewall-common-IPv6-Aborted/tcfilters | 11 - Shorewall-common-IPv6-Aborted/tcrules | 15 - Shorewall-common-IPv6-Aborted/tos | 9 - Shorewall-common-IPv6-Aborted/tunnel | 166 - Shorewall-common-IPv6-Aborted/tunnels | 12 - Shorewall-common-IPv6-Aborted/uninstall.sh | 114 - Shorewall-common-IPv6-Aborted/wait4ifup | 60 - Shorewall-common-IPv6-Aborted/zones | 13 - Shorewall-perl-IPv6-Aborted/COPYING | 340 -- Shorewall-perl-IPv6-Aborted/README.txt | 2 - .../Shorewall/Accounting.pm | 220 - .../Shorewall/Actions.pm | 904 ---- .../Shorewall/Chains.pm | 3747 ----------------- .../Shorewall/Compiler.pm | 935 ---- .../Shorewall/Config.pm | 2248 ---------- .../Shorewall/IPAddrs.pm | 562 --- Shorewall-perl-IPv6-Aborted/Shorewall/Nat.pm | 518 --- .../Shorewall/Policy.pm | 855 ---- Shorewall-perl-IPv6-Aborted/Shorewall/Proc.pm | 212 - .../Shorewall/Providers.pm | 658 --- .../Shorewall/Proxyarp.pm | 160 - .../Shorewall/Rules.pm | 3094 -------------- Shorewall-perl-IPv6-Aborted/Shorewall/Tc.pm | 915 ---- .../Shorewall/Tunnels.pm | 299 -- .../Shorewall/Zones.pm | 1595 ------- Shorewall-perl-IPv6-Aborted/compiler.pl | 109 - Shorewall-perl-IPv6-Aborted/install.sh | 198 - Shorewall-perl-IPv6-Aborted/prog.footer | 180 - Shorewall-perl-IPv6-Aborted/prog.functions | 273 -- 
Shorewall-perl-IPv6-Aborted/prog.header | 1023 ----- .../shorewall-perl.spec | 161 - Shorewall-perl-maybe/COPYING | 340 -- Shorewall-perl-maybe/README.txt | 2 - Shorewall-perl-maybe/Shorewall/Accounting.pm | 220 - Shorewall-perl-maybe/Shorewall/Actions.pm | 919 ---- Shorewall-perl-maybe/Shorewall/Chains.pm | 2648 ------------ Shorewall-perl-maybe/Shorewall/Compiler.pm | 962 ----- Shorewall-perl-maybe/Shorewall/Config.pm | 2266 ---------- Shorewall-perl-maybe/Shorewall/IPAddrs.pm | 639 --- Shorewall-perl-maybe/Shorewall/Nat.pm | 518 --- Shorewall-perl-maybe/Shorewall/Policy.pm | 497 --- Shorewall-perl-maybe/Shorewall/Proc.pm | 212 - Shorewall-perl-maybe/Shorewall/Providers.pm | 658 --- Shorewall-perl-maybe/Shorewall/Proxyarp.pm | 160 - Shorewall-perl-maybe/Shorewall/Rules.pm | 2074 --------- Shorewall-perl-maybe/Shorewall/Tc.pm | 915 ---- Shorewall-perl-maybe/Shorewall/Tunnels.pm | 299 -- Shorewall-perl-maybe/Shorewall/Zones.pm | 1120 ----- Shorewall-perl-maybe/compiler.pl | 109 - Shorewall-perl-maybe/install.sh | 198 - Shorewall-perl-maybe/prog.footer | 201 - Shorewall-perl-maybe/prog.functions | 273 -- Shorewall-perl-maybe/prog.header | 1023 ----- Shorewall-perl-maybe/shorewall-perl.spec | 165 - 192 files changed, 50387 deletions(-) delete mode 100644 Shorewall-common-IPv6-Aborted/COPYING delete mode 100644 Shorewall-common-IPv6-Aborted/INSTALL delete mode 100644 Shorewall-common-IPv6-Aborted/Makefile delete mode 100644 Shorewall-common-IPv6-Aborted/Makefile-lite delete mode 100644 Shorewall-common-IPv6-Aborted/README.txt delete mode 100644 Shorewall-common-IPv6-Aborted/accounting delete mode 100644 Shorewall-common-IPv6-Aborted/action.Drop delete mode 100644 Shorewall-common-IPv6-Aborted/action.Reject delete mode 100644 Shorewall-common-IPv6-Aborted/action.template delete mode 100644 Shorewall-common-IPv6-Aborted/actions delete mode 100644 Shorewall-common-IPv6-Aborted/actions.std delete mode 100755 Shorewall-common-IPv6-Aborted/blacklist delete mode 100644 
Shorewall-common-IPv6-Aborted/changelog.txt delete mode 100644 Shorewall-common-IPv6-Aborted/configpath delete mode 100644 Shorewall-common-IPv6-Aborted/continue delete mode 100644 Shorewall-common-IPv6-Aborted/default.debian delete mode 100644 Shorewall-common-IPv6-Aborted/ecn delete mode 100755 Shorewall-common-IPv6-Aborted/fallback.sh delete mode 100755 Shorewall-common-IPv6-Aborted/firewall delete mode 100644 Shorewall-common-IPv6-Aborted/hosts delete mode 100644 Shorewall-common-IPv6-Aborted/init delete mode 100755 Shorewall-common-IPv6-Aborted/init.archlinux.sh delete mode 100755 Shorewall-common-IPv6-Aborted/init.debian.sh delete mode 100755 Shorewall-common-IPv6-Aborted/init.sh delete mode 100755 Shorewall-common-IPv6-Aborted/initdone delete mode 100755 Shorewall-common-IPv6-Aborted/install.sh delete mode 100644 Shorewall-common-IPv6-Aborted/interfaces delete mode 100644 Shorewall-common-IPv6-Aborted/ipsec delete mode 100644 Shorewall-common-IPv6-Aborted/ipsecvpn delete mode 100644 Shorewall-common-IPv6-Aborted/lib.base delete mode 100644 Shorewall-common-IPv6-Aborted/lib.cli delete mode 100644 Shorewall-common-IPv6-Aborted/lib.config delete mode 100644 Shorewall-common-IPv6-Aborted/lib.dynamiczones delete mode 100644 Shorewall-common-IPv6-Aborted/maclist delete mode 100644 Shorewall-common-IPv6-Aborted/macro.AllowICMPs delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Amanda delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Auth delete mode 100644 Shorewall-common-IPv6-Aborted/macro.BitTorrent delete mode 100644 Shorewall-common-IPv6-Aborted/macro.CVS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.DAAP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.DCC delete mode 100644 Shorewall-common-IPv6-Aborted/macro.DNS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Distcc delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Drop delete mode 100644 Shorewall-common-IPv6-Aborted/macro.DropDNSrep delete mode 100644 
Shorewall-common-IPv6-Aborted/macro.DropUPnP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Edonkey delete mode 100644 Shorewall-common-IPv6-Aborted/macro.FTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Finger delete mode 100644 Shorewall-common-IPv6-Aborted/macro.GNUnet delete mode 100644 Shorewall-common-IPv6-Aborted/macro.GRE delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Gnutella delete mode 100644 Shorewall-common-IPv6-Aborted/macro.HTTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.HTTPS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.ICQ delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IMAP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IMAPS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPIP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPPserver delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPsec delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPsecah delete mode 100644 Shorewall-common-IPv6-Aborted/macro.IPsecnat delete mode 100644 Shorewall-common-IPv6-Aborted/macro.JAP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.JabberPlain delete mode 100644 Shorewall-common-IPv6-Aborted/macro.JabberSecure delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Jabberd delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Jetdirect delete mode 100644 Shorewall-common-IPv6-Aborted/macro.L2TP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.LDAP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.LDAPS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Mail delete mode 100644 Shorewall-common-IPv6-Aborted/macro.MySQL delete mode 100644 Shorewall-common-IPv6-Aborted/macro.NNTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.NNTPS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.NTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.NTPbrd delete mode 100644 
Shorewall-common-IPv6-Aborted/macro.OpenVPN delete mode 100644 Shorewall-common-IPv6-Aborted/macro.PCA delete mode 100644 Shorewall-common-IPv6-Aborted/macro.POP3 delete mode 100644 Shorewall-common-IPv6-Aborted/macro.POP3S delete mode 100644 Shorewall-common-IPv6-Aborted/macro.PPtP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Ping delete mode 100644 Shorewall-common-IPv6-Aborted/macro.PostgreSQL delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Printer delete mode 100644 Shorewall-common-IPv6-Aborted/macro.RDP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.RNDC delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Rdate delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Reject delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Rfc1918 delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Rsync delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SANE delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SMB delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SMBBI delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SMBswat delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SMTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SMTPS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SNMP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SPAMD delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SSH delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SVN delete mode 100644 Shorewall-common-IPv6-Aborted/macro.SixXS delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Submission delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Syslog delete mode 100644 Shorewall-common-IPv6-Aborted/macro.TFTP delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Telnet delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Telnets delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Time delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Trcrt delete mode 100644 Shorewall-common-IPv6-Aborted/macro.VNC 
delete mode 100644 Shorewall-common-IPv6-Aborted/macro.VNCL delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Web delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Webmin delete mode 100644 Shorewall-common-IPv6-Aborted/macro.Whois delete mode 100644 Shorewall-common-IPv6-Aborted/macro.template delete mode 100644 Shorewall-common-IPv6-Aborted/masq delete mode 100644 Shorewall-common-IPv6-Aborted/modules delete mode 100644 Shorewall-common-IPv6-Aborted/nat delete mode 100644 Shorewall-common-IPv6-Aborted/netmap delete mode 100644 Shorewall-common-IPv6-Aborted/params delete mode 100644 Shorewall-common-IPv6-Aborted/policy delete mode 100644 Shorewall-common-IPv6-Aborted/providers delete mode 100644 Shorewall-common-IPv6-Aborted/proxyarp delete mode 100644 Shorewall-common-IPv6-Aborted/releasenotes.txt delete mode 100644 Shorewall-common-IPv6-Aborted/rfc1918 delete mode 100644 Shorewall-common-IPv6-Aborted/route_rules delete mode 100644 Shorewall-common-IPv6-Aborted/routestopped delete mode 100644 Shorewall-common-IPv6-Aborted/rules delete mode 100755 Shorewall-common-IPv6-Aborted/shorewall delete mode 100644 Shorewall-common-IPv6-Aborted/shorewall-common.spec delete mode 100644 Shorewall-common-IPv6-Aborted/shorewall.conf delete mode 100644 Shorewall-common-IPv6-Aborted/start delete mode 100644 Shorewall-common-IPv6-Aborted/started delete mode 100644 Shorewall-common-IPv6-Aborted/stop delete mode 100644 Shorewall-common-IPv6-Aborted/stopped delete mode 100755 Shorewall-common-IPv6-Aborted/strip delete mode 100644 Shorewall-common-IPv6-Aborted/tcclasses delete mode 100644 Shorewall-common-IPv6-Aborted/tcdevices delete mode 100644 Shorewall-common-IPv6-Aborted/tcfilters delete mode 100644 Shorewall-common-IPv6-Aborted/tcrules delete mode 100644 Shorewall-common-IPv6-Aborted/tos delete mode 100755 Shorewall-common-IPv6-Aborted/tunnel delete mode 100644 Shorewall-common-IPv6-Aborted/tunnels delete mode 100755 Shorewall-common-IPv6-Aborted/uninstall.sh delete 
mode 100755 Shorewall-common-IPv6-Aborted/wait4ifup delete mode 100644 Shorewall-common-IPv6-Aborted/zones delete mode 100644 Shorewall-perl-IPv6-Aborted/COPYING delete mode 100644 Shorewall-perl-IPv6-Aborted/README.txt delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Accounting.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Actions.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Chains.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Compiler.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Config.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/IPAddrs.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Nat.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Policy.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Proc.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Providers.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Proxyarp.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Rules.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Tc.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Tunnels.pm delete mode 100644 Shorewall-perl-IPv6-Aborted/Shorewall/Zones.pm delete mode 100755 Shorewall-perl-IPv6-Aborted/compiler.pl delete mode 100755 Shorewall-perl-IPv6-Aborted/install.sh delete mode 100644 Shorewall-perl-IPv6-Aborted/prog.footer delete mode 100644 Shorewall-perl-IPv6-Aborted/prog.functions delete mode 100644 Shorewall-perl-IPv6-Aborted/prog.header delete mode 100644 Shorewall-perl-IPv6-Aborted/shorewall-perl.spec delete mode 100644 Shorewall-perl-maybe/COPYING delete mode 100644 Shorewall-perl-maybe/README.txt delete mode 100644 Shorewall-perl-maybe/Shorewall/Accounting.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Actions.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Chains.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Compiler.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Config.pm 
delete mode 100644 Shorewall-perl-maybe/Shorewall/IPAddrs.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Nat.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Policy.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Proc.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Providers.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Proxyarp.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Rules.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Tc.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Tunnels.pm delete mode 100644 Shorewall-perl-maybe/Shorewall/Zones.pm delete mode 100755 Shorewall-perl-maybe/compiler.pl delete mode 100755 Shorewall-perl-maybe/install.sh delete mode 100644 Shorewall-perl-maybe/prog.footer delete mode 100644 Shorewall-perl-maybe/prog.functions delete mode 100644 Shorewall-perl-maybe/prog.header delete mode 100644 Shorewall-perl-maybe/shorewall-perl.spec diff --git a/Shorewall-common-IPv6-Aborted/COPYING b/Shorewall-common-IPv6-Aborted/COPYING deleted file mode 100644 index 2ba72d57f..000000000 --- a/Shorewall-common-IPv6-Aborted/COPYING +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-
- Copyright (C) 19yy
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) 19yy name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- , 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/Shorewall-common-IPv6-Aborted/INSTALL b/Shorewall-common-IPv6-Aborted/INSTALL
deleted file mode 100644
index 195ba27c2..000000000
--- a/Shorewall-common-IPv6-Aborted/INSTALL
+++ /dev/null
@@ -1,24 +0,0 @@
-Shoreline Firewall (Shorewall) Version 4
------ ---- - ------------------------------------------------------------------------------
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of Version 2 of the GNU General Public License
- as published by the Free Software Foundation.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
---------------------------------------------------------------------------
-
-Please see http://www.shorewall.net/Install.htm for installation
-instructions.
-
-
diff --git a/Shorewall-common-IPv6-Aborted/Makefile b/Shorewall-common-IPv6-Aborted/Makefile
deleted file mode 100644
index 1ee948e2e..000000000
--- a/Shorewall-common-IPv6-Aborted/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Shorewall Makefile to restart if config-files are newer than last restart
-VARDIR=$(shell /sbin/shorewall show vardir)
-CONFDIR=/etc/shorewall
-RESTOREFILE?=.restore
-all: $(VARDIR)/${RESTOREFILE}
-
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
- @/sbin/shorewall -q save >/dev/null; \
- if \
- /sbin/shorewall -q restart >/dev/null 2>&1; \
- then \
- /sbin/shorewall -q save >/dev/null; \
- else \
- /sbin/shorewall -q restart 2>&1 | tail >&2; \
- fi
-
-# EOF
diff --git a/Shorewall-common-IPv6-Aborted/Makefile-lite b/Shorewall-common-IPv6-Aborted/Makefile-lite
deleted file mode 100644
index 74a09aedc..000000000
--- a/Shorewall-common-IPv6-Aborted/Makefile-lite
+++ /dev/null
@@ -1,82 +0,0 @@
-# Shorewall Packet Filtering Firewall Export Directory Makefile - V4.2
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2006 - Tom Eastep (teastep@shorewall.net)
-#
-# Shorewall documentation is available at http://www.shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-################################################################################
-# Place this file in each export directory. Modify each copy to set HOST
-# to the name of the remote firewall corresponding to the directory.
-#
-# To make the 'firewall' script, type "make".
-#
-# Once the script is compiling correctly, you can install it by
-# typing "make install".
-#
-################################################################################
-# V A R I A B L E S
-#
-# Files in the export directory on which the firewall script does not depend
-#
-IGNOREFILES = firewall% Makefile% trace% %~
-#
-# Remote Firewall system
-#
-HOST = gateway
-#
-# Save some typing
-#
-LITEDIR = /var/lib/shorewall-lite
-#
-# Set this if the remote system has a non-standard modules directory
-#
-MODULESDIR=
-#
-# Default target is the firewall script
-#
-################################################################################
-# T A R G E T S
-#
-all: firewall
-#
-# Only generate the capabilities file if it doesn't already exist
-#
-capabilities:
- ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
- scp root@$(HOST):$(LITEDIR)/capabilities .
-#
-# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
-# 'filter-out' will be presented with the list of files in this directory rather than "*"
-#
-firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
- shorewall compile -e . firewall
-#
-# Only reload on demand.
-#
-install: firewall
- scp firewall firewall.conf root@$(HOST):$(LITEDIR)
- ssh root@$(HOST) "/sbin/shorewall-lite restart"
-#
-# Save running configuration
-#
-save:
- ssh root@$(HOST) "/sbin/shorewall-lite save"
-#
-# Remove generated files
-#
-clean:
- rm -f capabilities firewall firewall.conf reload
diff --git a/Shorewall-common-IPv6-Aborted/README.txt b/Shorewall-common-IPv6-Aborted/README.txt
deleted file mode 100644
index 189c4ab93..000000000
--- a/Shorewall-common-IPv6-Aborted/README.txt
+++ /dev/null
@@ -1 +0,0 @@
-This is the Shorewall-common Development 4.2 branch of SVN.
diff --git a/Shorewall-common-IPv6-Aborted/accounting b/Shorewall-common-IPv6-Aborted/accounting
deleted file mode 100644
index 57c434bff..000000000
--- a/Shorewall-common-IPv6-Aborted/accounting
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Accounting File
-#
-# For information about entries in this file, type "man shorewall-accounting"
-#
-# Please see http://shorewall.net/Accounting.html for examples and
-# additional information about how to use this file.
-#
-#####################################################################################
-#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
-# PORT(S) PORT(S) GROUP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/action.Drop b/Shorewall-common-IPv6-Aborted/action.Drop
deleted file mode 100644
index 770d0cedf..000000000
--- a/Shorewall-common-IPv6-Aborted/action.Drop
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Shorewall version 4 - Drop Action
-#
-# /usr/share/shorewall/action.Drop
-#
-# The default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is
-# DROP. Otherwise, you may experience problems establishing
-# connections with servers that use auth.
-# c) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DPORT SPORT
-#
-# Reject 'auth'
-#
-Auth/REJECT
-#
-# Don't log broadcasts
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB/DROP
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/action.Reject b/Shorewall-common-IPv6-Aborted/action.Reject
deleted file mode 100644
index 9d0b0029c..000000000
--- a/Shorewall-common-IPv6-Aborted/action.Reject
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# Shorewall version 4 - Reject Action
-#
-# /usr/share/shorewall/action.Reject
-#
-# The default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose
-# of the action is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth/REJECT
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB/REJECT
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/action.template b/Shorewall-common-IPv6-Aborted/action.template
deleted file mode 100644
index 03fdec63e..000000000
--- a/Shorewall-common-IPv6-Aborted/action.template
+++ /dev/null
@@ -1,200 +0,0 @@
-#
-# Shorewall version 4 - Action Template
-#
-# /etc/shorewall/action.template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action. where is an
-# ACTION defined in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.
-# 3. Add the desired rules to that file.
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Columns are:
-#
-#
-# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a
-# or a previously-defined
-#
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as p2pwall.
-# CONTINUE -- Stop processing this action and
-# return to the point where the
-# action was invoked.
-# -- An defined in
-# /etc/shorewall/actions.
-# The must appear in that
-# file BEFORE the one being defined
-# in this file.
-# -- The name of a macro defined in a
-# file named macro.. If
-# the macro accepts an action
-# parameter (Look at the macro
-# source to see if it has PARAM in
-# the TARGET column) then the macro
-# name is followed by "/" and the
-# action (ACCEPT, DROP, REJECT, ...)
-# to be substituted for the
-# parameter. Example: FTP/ACCEPT.
-#
-# The TARGET may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# ACCEPT:debugging). This causes the packet to be
-# logged at the specified level.
-#
-# The special log level 'none' does not result in logging
-# but rather exempts the rule from being overridden by a
-# non-forcing log level when the action is invoked.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies.
-# A comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# 192.168.2.2 Host 192.168.2.2
-#
-# 155.186.235.0/24 Subnet 155.186.235.0/24
-#
-# 10.0.0.4-10.0.0.9 Range of IP addresses; your
-# kernel and iptables must have
-# iprange match support.
-#
-# +remote The name of an ipset prefaced
-# by "+". Your kernel and
-# iptables must have set match
-# support
-#
-# +remote[4] The name of the ipset may
-# followed by a number of
-# levels of ipset bindings
-# enclosed in square brackets.
-#
-# 192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2.
-# ~00-A0-C9-15-39-78 Host with
-# MAC address 00:A0:C9:15:39:78.
-#
-# Alternatively, clients may be specified by interface
-# name. For example, eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., eth1:192.168.1.5).
-#
-# DEST Location of destination host. Same as above with
-# the exception that MAC addresses are not allowed and
-# that you cannot specify an ipset name in both the
-# SOURCE and DEST columns.
-#
-# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
-# "ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
-# "ipp2p*" requires ipp2p match support in your kernel
-# and iptables.
-#
-# "tcp:syn" implies "tcp" plus the SYN flag must be
-# set and the RST, ACK and FIN flags must be reset.
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following fields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this column:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:][+]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-# +upnpd #program named upnpd (This feature was
-# #removed from Netfilter in kernel
-# #version 2.6.14).
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/actions b/Shorewall-common-IPv6-Aborted/actions
deleted file mode 100644
index 370a1a703..000000000
--- a/Shorewall-common-IPv6-Aborted/actions
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Actions File
-#
-# /etc/shorewall/actions
-#
-# For information about entries in this file, type "man shorewall-actions"
-#
-# Please see http://shorewall.net/Actions.html for additional information.
-#
-###############################################################################
-#ACTION COMMENT (place '# ' below the 'C' in comment followed by
-# v a comment describing the action)
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/actions.std b/Shorewall-common-IPv6-Aborted/actions.std
deleted file mode 100644
index 8cc596c21..000000000
--- a/Shorewall-common-IPv6-Aborted/actions.std
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# Shorewall version 4 - Actions.std File
-#
-# /usr/share/shorewall/actions.std
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Builtin Actions are:
-#
-# allowBcast # Silently Allow Broadcast/multicast
-# dropBcast # Silently Drop Broadcast/multicast
-# dropNotSyn # Silently Drop Non-syn TCP packets
-# rejNotSyn # Silently Reject Non-syn TCP packets
-# dropInvalid # Silently Drop packets that are in the INVALID
-# # conntrack state.
-# allowInvalid # Accept packets that are in the INVALID
-# # conntrack state.
-# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
-# # work with kernel 2.6.14 and later).
-# allowinUPnP # Allow UPnP inbound (to firewall) traffic
-# forwardUPnP # Allow traffic that upnpd has redirected from
-# # 'upnp' interfaces.
-# drop1918src # Drop packets with an RFC 1918 source address
-# drop1918dst # Drop packets with an RFC 1918 original dest address
-# rej1918src # Reject packets with an RFC 1918 source address
-# rej1918dst # Reject packets with an RFC 1918 original dest address
-# Limit # Limit the rate of connections from each individual
-# # IP address
-#
-###############################################################################
-#ACTION
-Drop # Default Action for DROP policy
-Reject # Default Action for REJECT policy
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/blacklist b/Shorewall-common-IPv6-Aborted/blacklist
deleted file mode 100755
index f8f6229df..000000000
--- a/Shorewall-common-IPv6-Aborted/blacklist
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/changelog.txt b/Shorewall-common-IPv6-Aborted/changelog.txt
deleted file mode 100644
index aec9bb5ff..000000000
--- a/Shorewall-common-IPv6-Aborted/changelog.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Changes in Shorewall 4.2.1
-
-1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
-
-2) Fixed minor CONNBYTES editing issue.
-
-3) Add CONNLIMIT to policy and rules.
-
-4) Allow use of iptables-1.4.1.
-
-5) Add time match support.
-
-6) Applied Lennart Sorensen's patch for length match.
-
-7) Take advantage --ctorigdstport
-
-8) Fix syntax error in 'export'
-
-Initial release of Shorewall 4.2.0.
diff --git a/Shorewall-common-IPv6-Aborted/configpath b/Shorewall-common-IPv6-Aborted/configpath
deleted file mode 100644
index 9c442bbbc..000000000
--- a/Shorewall-common-IPv6-Aborted/configpath
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Default Config Path
-#
-# /usr/share/shorewall/configpath
-#
-# Note to maintainers.
-#
-# The CONFDIR variable is normally set to /etc/shorewall but when
-# the command is "compile -e" then CONFDIR is set to
-# /usr/share/shorewall/configfiles/. This prevents 'compile -e'
-# from trying to use configuration information from /etc/shorewall.
-
-CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
diff --git a/Shorewall-common-IPv6-Aborted/continue b/Shorewall-common-IPv6-Aborted/continue
deleted file mode 100644
index 4591f7662..000000000
--- a/Shorewall-common-IPv6-Aborted/continue
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Continue File
-#
-# /etc/shorewall/continue
-#
-# Add commands below that you want to be executed after shorewall has
-# cleared any existing Netfilter rules and has enabled existing
-# connections.
-#
-# For additional information, see
-# http://shorewall.net/shorewall_extension_scripts.htm
-#
-###############################################################################
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/default.debian b/Shorewall-common-IPv6-Aborted/default.debian
deleted file mode 100644
index 26b99e8f8..000000000
--- a/Shorewall-common-IPv6-Aborted/default.debian
+++ /dev/null
@@ -1,24 +0,0 @@
-# prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall to start
-
-startup=0
-
-# if your Shorewall configuration requires detection of the ip address of a ppp
-# interface, you must list such interfaces in "wait_interface" to get Shorewall to
-# wait until the interface is configured. Otherwise the script will fail because
-# it won't be able to detect the IP address.
-#
-# Example:
-# wait_interface="ppp0"
-# or
-# wait_interface="ppp0 ppp1"
-# or, if you have defined in /etc/shorewall/params
-# wait_interface=
-
-#
-# Startup options
-#
-
-OPTIONS=""
-
-# EOF
diff --git a/Shorewall-common-IPv6-Aborted/ecn b/Shorewall-common-IPv6-Aborted/ecn
deleted file mode 100644
index c01683c68..000000000
--- a/Shorewall-common-IPv6-Aborted/ecn
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Ecn File
-#
-# For information about entries in this file, type "man shorewall-ecn"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-ecn.html
-#
-###############################################################################
-#INTERFACE HOST(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/fallback.sh b/Shorewall-common-IPv6-Aborted/fallback.sh
deleted file mode 100755
index 2fdfa2e00..000000000
--- a/Shorewall-common-IPv6-Aborted/fallback.sh
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# Script to back out the installation of Shoreline Firewall and to restore the previous version of
-# the program
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-#
-# Shorewall documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Usage:
-#
-# You may only use this script to back out the installation of the version
-# shown below. Simply run this script to revert to your prior version of
-# Shoreline Firewall.
-
-VERSION=4.2.1
-
-usage() # $1 = exit status
-{
- echo "usage: $(basename $0)"
- exit $1
-}
-
-restore_directory() # $1 = directory to restore
-{
- if [ -d ${1}-${VERSION}.bkout ]; then
- if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
- echo
- echo "$1 restored"
- rm -rf ${1}-${VERSION}
- else
- echo "ERROR: Could not restore $1"
- exit 1
- fi
- fi
-}
-
-restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
-{
- if [ -n "$2" ]; then
- local file
- file=$(basename $1)
-
- if [ -f $2/$file ]; then
- if mv -f $2/$file $1 ; then
- echo
- echo "$1 restored"
- return
- fi
-
- echo "ERROR: Could not restore $1"
- exit 1
- fi
- fi
-
- if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
- if (mv -f ${1}-${VERSION}.bkout $1); then
- echo
- echo "$1 restored"
- else
- echo "ERROR: Could not restore $1"
- exit 1
- fi
- fi
-}
-
-if [ ! -f /usr/share/shorewall-${VERSION}.bkout/version ]; then
- echo "Shorewall Version $VERSION is not installed"
- exit 1
-fi
-
-echo "Backing Out Installation of Shorewall $VERSION"
-
-if [ -L /usr/share/shorewall/init ]; then
- FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
- restore_file $FIREWALL /usr/share/shorewall-${VERSION}.bkout
-else
- restore_file /etc/init.d/shorewall /usr/share/shorewall-${VERSION}.bkout
-fi
-
-restore_file /sbin/shorewall /var/lib/shorewall-${VERSION}.bkout
-
-restore_directory /etc/shorewall
-restore_directory /usr/share/shorewall
-restore_directory /var/lib/shorewall
-
-echo "Shorewall Restored to Version $(cat /usr/share/shorewall/version)"
-
-
diff --git a/Shorewall-common-IPv6-Aborted/firewall b/Shorewall-common-IPv6-Aborted/firewall
deleted file mode 100755
index ec38d0f9c..000000000
--- a/Shorewall-common-IPv6-Aborted/firewall
+++ /dev/null
@@ -1,653 +0,0 @@
-#!/bin/sh
-#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-#
-# Commands are:
-#
-# firewall stop Stops the firewall
-# firewall reset Resets iptables packet and
-# byte counts
-# firewall clear Remove all Shorewall chains
-# and rules/policies.
-# firewall add [:] zone Adds a host or subnet to a zone -# firewall delete [:] zone Deletes a host or subnet from a zone -# -# -# Fatal error -- stops the firewall after issuing the error message -# -fatal_error() # $* = Error Message -{ - echo " ERROR: $@" >&2 - stop_firewall - exit 2 -} - -# -# Fatal error during startup -- generate an error message and abend without -# altering the state of the firewall -# -startup_error() # $* = Error Message -{ - echo " ERROR: $@" >&2 - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - kill $$ - exit 2 -} - -# -# Send a message to STDOUT and the System Log -# -report () { # $* = message - progress_message3 "$@" - logger -p kern.info "$@" -} - -# -# Run iptables and if an error occurs, stop the firewall and quit -# -run_iptables() { - if [ -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - - if ! $IPTABLES $@ ; then - if [ -z "$STOPPING" ]; then - error_message "ERROR: Command \"$IPTABLES $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Version of 'run_iptables' that inserts white space after "!" in the arg list -# -run_iptables2() { - - case "$@" in - *!*) - run_iptables $(fix_bang $@) - ;; - *) - run_iptables $@ - ;; - esac - -} - -# -# Quietly run iptables -# -qt_iptables() { - if [ -z "$KLUDGEFREE" ]; then - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - - qt $IPTABLES $@ -} - -# -# Run ip and if an error occurs, stop the firewall and quit -# -run_ip() { - if ! 
ip $@ ; then - if [ -z "$STOPPING" ]; then - error_message "ERROR: Command \"ip $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Run tc and if an error occurs, stop the firewall and quit -# -run_tc() { - if ! tc $@ ; then - if [ -z "$STOPPING" ]; then - error_message "ERROR: Command \"tc $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 -} - -# -# Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface -# the function returns nothing for that interface -# -find_broadcasts() { - for interface in $ALL_INTERFACES; do - eval bcast=\$$(chain_base $interface)_broadcast - if [ "x$bcast" = "xdetect" ]; then - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u - elif [ "x${bcast}" != "x-" ]; then - echo $(separate_list $bcast) - fi - done -} - -# -# For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to -# enable traffic to/from those hosts. -# -enable_critical_hosts() -{ - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done -} - -# -# For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that -# enable traffic to/from those hosts. 
-# -disable_critical_hosts() -{ - for host in $CRITICALHOSTS; do - interface=${host%:*} - networks=${host#*:} - $IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - $IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - done -} - -# -# Undo changes to routing -# -undo_routing() { - - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the rest of the routing table - # - if [ -f ${VARDIR}/undo_routing ]; then - . ${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing - fi - -} - -restore_default_route() { - if [ -f ${VARDIR}/default_route ]; then - local default_route - default_route= - local route - - while read route ; do - case $route in - default*) - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a route with a metric -- we only replace the one with metric == 0 - # - qt ip route delete default metric 0 && \ - progress_message "Default Route with metric 0 deleted" - ;; - *) - qt ip route replace $default_route && \ - progress_message "Default Route (${default_route# }) restored" - ;; - esac - - break - fi - - default_route="$default_route $route" - ;; - *) - default_route="$default_route $route" - ;; - esac - done < ${VARDIR}/default_route - - rm -f ${VARDIR}/default_route - fi -} - -# -# Stop the Firewall -# -stop_firewall() { - # - # Turn off trace unless we were tracing "stop" or "clear" - # - - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - - case $COMMAND in - stop|clear) - ;; - *) - set +x - - [ -n "${RESTOREFILE:=restore}" ] - - RESTOREPATH=${VARDIR}/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - - if [ -x ${RESTOREPATH}-ipsets ]; then - progress_message2 
Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - for table in mangle nat filter; do - iptables -t $table -F - iptables -t $table -X - done - - ${RESTOREPATH}-ipsets - fi - - echo Restoring Shorewall... - - if $RESTOREPATH restore; then - echo "Shorewall restored from $RESTOREPATH" - set_state "Started" - else - set_state "Unknown" - fi - - kill $$ - exit 2 - fi - ;; - esac - - set_state "Stopping" - - STOPPING="Yes" - - TERMINATOR= - - deletechain shorewall - - run_user_exit stop - - if [ -n "$MANGLE_ENABLED" ]; then - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt $IPTABLES -t mangle -P $chain ACCEPT - done - fi - - if [ -n "$RAW_TABLE" ]; then - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt $IPTABLES -t raw -P $chain ACCEPT - done - fi - - if [ -n "$NAT_ENABLED" ]; then - delete_nat - for chain in PREROUTING POSTROUTING OUTPUT; do - qt $IPTABLES -t nat -P $chain ACCEPT - done - fi - - delete_proxy_arp - [ -n "$CLEAR_TC" ] && delete_tc1 - - undo_routing - restore_default_route - - [ -n "$DISABLE_IPV6" ] && disable_ipv6 - - undo_routing - restore_default_route - - process_criticalhosts - - if [ -n "$CRITICALHOSTS" ]; then - if [ -z "$ADMINISABSENTMINDED" ]; then - for chain in INPUT OUTPUT; do - setpolicy $chain ACCEPT - done - - setpolicy FORWARD DROP - - deleteallchains - - enable_critical_hosts - - for chain in INPUT OUTPUT; do - setpolicy $chain DROP - done - else - for chain in INPUT OUTPUT; do - setpolicy $chain ACCEPT - done - - setpolicy FORWARD DROP - - deleteallchains - - enable_critical_hosts - - setpolicy INPUT DROP - - for chain in INPUT FORWARD; do - setcontinue $chain - done - fi - elif [ -z "$ADMINISABSENTMINDED" ]; then - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain DROP - done - - deleteallchains - else - for chain in INPUT FORWARD; do - setpolicy $chain DROP - 
done - - setpolicy OUTPUT ACCEPT - - deleteallchains - - for chain in INPUT FORWARD; do - setcontinue $chain - done - fi - - process_routestopped -A - - $IPTABLES -A INPUT -i lo -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - $IPTABLES -A OUTPUT -o lo -j ACCEPT - - for interface in $(find_interfaces_by_option dhcp); do - $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT - # - # This might be a bridge - # - $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT - done - - case "$IP_FORWARDING" in - On|on|ON|Yes|yes|YES) - echo 1 > /proc/sys/net/ipv4/ip_forward - progress_message2 "IP Forwarding Enabled" - ;; - Off|off|OFF|No|no|NO) - echo 0 > /proc/sys/net/ipv4/ip_forward - progress_message2 "IP Forwarding Disabled!" - ;; - esac - - run_user_exit stopped - - set_state "Stopped" - - logger -p kern.info "Shorewall Stopped" - - rm -rf $TMP_DIR - - case $COMMAND in - stop|clear) - ;; - *) - # - # The firewall is being stopped when we were trying to do something - # else. 
Remove the lock file and Kill the shell in case we're in a - # subshell - # - kill $$ - ;; - esac -} - -# -# Remove all rules and remove all user-defined chains -# -clear_firewall() { - stop_firewall - - setpolicy INPUT ACCEPT - setpolicy FORWARD ACCEPT - setpolicy OUTPUT ACCEPT - - run_iptables -F - - echo 1 > /proc/sys/net/ipv4/ip_forward - - if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then - ip6tables -P INPUT ACCEPT 2> /dev/null - ip6tables -P OUTPUT ACCEPT 2> /dev/null - ip6tables -P FORWARD ACCEPT 2> /dev/null - fi - - run_user_exit clear - - set_state "Cleared" - - logger -p kern.info "Shorewall Cleared" -} - -# -# Delete existing Proxy ARP -# -delete_proxy_arp() { - if [ -f ${VARDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface - f=/proc/sys/net/ipv4/conf/$interface/proxy_arp - [ -f $f ] && echo 0 > $f - done < ${VARDIR}/proxyarp - fi - - rm -f ${VARDIR}/proxyarp -} - -# -# Delete existing Static NAT -# -delete_nat() { - run_iptables -t nat -F - run_iptables -t nat -X - - if [ -f ${VARDIR}/nat ]; then - while read external interface; do - qt ip addr del $external dev $interface - done < ${VARDIR}/nat - - rm -f ${VARDIR}/nat - fi - - [ -d ${VARDIR} ] && touch ${VARDIR}/nat -} - -# -# Check for disabled startup -# -check_disabled_startup() { - if [ -z "$STARTUP_ENABLED" ]; then - echo " Shorewall Startup is disabled -- to enable startup" - echo " after you have completed Shorewall configuration," - echo " change the setting of STARTUP_ENABLED to Yes in" - echo " ${CONFDIR}/shorewall.conf" - - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - exit 2 - fi -} - -# -# Give Usage Information -# -usage() { - echo "Usage: $0 [debug] {start|stop|reset|restart|clear}" - exit 1 -} - -# -# E X E C U T I O N B E G I N S H E R E -# -# -# Start trace if first arg is "debug" or "trace" -# -[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = 
xtrace ] && { set -x ; shift ; } - -NOLOCK= - -[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } - -SHAREDIR=/usr/share/shorewall -CONFDIR=/etc/shorewall - -[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] - -[ -n "${VARDIR:=/var/lib/shorewall}" ] - -for library in lib.base lib.config; do - FUNCTIONS=${SHAREDIR}/${library} - - if [ -f $FUNCTIONS ]; then - [ $VERBOSE -ge 2 ] && echo "Loading $FUNCTIONS..." - . $FUNCTIONS - else - fatal_error "Installation error: $FUNCTIONS does not exist!" - fi -done - -PROGRAM=firewall - -COMMAND="$1" - -case "$COMMAND" in - stop) - [ $# -ne 1 ] && usage - do_initialize - # - # Don't want to do a 'stop' when startup is disabled - # - check_disabled_startup - progress_message3 "Stopping Shorewall..." - stop_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." - ;; - - reset) - [ $# -ne 1 ] && usage - do_initialize - if ! shorewall_is_started ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - exit 2; - fi - $IPTABLES -Z - $IPTABLES -t nat -Z - $IPTABLES -t mangle -Z - report "Shorewall Counters Reset" - date > ${VARDIR}/restarted - ;; - - clear) - [ $# -ne 1 ] && usage - do_initialize - progress_message3 "Clearing Shorewall..." - clear_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." - ;; - - add) - [ $# -lt 3 ] && usage - do_initialize - lib_load dynamiczones "The add command" - if ! shorewall_is_started ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - exit 2; - fi - shift - add_to_zone $@ - ;; - - delete) - [ $# -lt 3 ] && usage - lib_load dynamiczones "The delete command" - do_initialize - if ! shorewall_is_started ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - exit 2; - fi - shift - delete_from_zone $@ - ;; - - call) - # - # Undocumented way to call functions in ${SHAREDIR}/firewall directly - # - shift - do_initialize - EMPTY= - $@ - ;; - - *) - usage - ;; - -esac 
diff --git a/Shorewall-common-IPv6-Aborted/hosts b/Shorewall-common-IPv6-Aborted/hosts
deleted file mode 100644
index d68a030cf..000000000
--- a/Shorewall-common-IPv6-Aborted/hosts
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Hosts file
-#
-# For information about entries in this file, type "man shorewall-hosts"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-hosts.html
-#
-###############################################################################
-#ZONE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/init b/Shorewall-common-IPv6-Aborted/init
deleted file mode 100644
index ce1dc70ba..000000000
--- a/Shorewall-common-IPv6-Aborted/init
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Init File
-#
-# /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
-#
-# For additional information, see
-# http://shorewall.net/shorewall_extension_scripts.htm
-#
-###############################################################################
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/init.archlinux.sh b/Shorewall-common-IPv6-Aborted/init.archlinux.sh
deleted file mode 100755
index 91040787c..000000000
--- a/Shorewall-common-IPv6-Aborted/init.archlinux.sh
+++ /dev/null
@@ -1,58 +0,0 @@ -#!/bin/bash - -OPTIONS="-f" - -if [ -f /etc/sysconfig/shorewall ] ; then - . /etc/sysconfig/shorewall -elif [ -f /etc/default/shorewall ] ; then - . /etc/default/shorewall -fi - -# if you want to override options, do so in /etc/sysconfig/shorewall or -# in /etc/default/shorewall -- -# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist. - -. /etc/rc.conf -. /etc/rc.d/functions - -DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon. - -case "$1" in - start) - stat_busy "Starting $DAEMON_NAME" - /sbin/shorewall $OPTIONS start &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - add_daemon $DAEMON_NAME - stat_done - fi - ;; - - - stop) - stat_busy "Stopping $DAEMON_NAME" - /sbin/shorewall stop &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - rm_daemon $DAEMON_NAME - stat_done - fi - ;; - - restart|reload) - stat_busy "Restarting $DAEMON_NAME" - /sbin/shorewall restart &>/dev/null - if [ $? -gt 0 ]; then - stat_fail - else - stat_done - fi - ;; - - *) - echo "usage: $0 {start|stop|restart}" -esac -exit 0 - diff --git a/Shorewall-common-IPv6-Aborted/init.debian.sh b/Shorewall-common-IPv6-Aborted/init.debian.sh deleted file mode 100755 index 7f5667c85..000000000 --- a/Shorewall-common-IPv6-Aborted/init.debian.sh +++ /dev/null 
@@ -1,129 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: shorewall -# Required-Start: $network -# Required-Stop: $network -# Default-Start: S -# Default-Stop: 0 6 -# Short-Description: Configure the firewall at boot time -# Description: Configure the firewall according to the rules specified in -# /etc/shorewall -### END INIT INFO - - - -SRWL=/sbin/shorewall -SRWL_OPTS="-tvv" -WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup -# Note, set INITLOG to /dev/null if you do not want to -# keep logs of the firewall (not recommended) -INITLOG=/var/log/shorewall-init.log - -test -x $SRWL || exit 0 -test -x $WAIT_FOR_IFUP || exit 0 -test -n $INITLOG || { - echo "INITLOG cannot be empty, please configure $0" ; - exit 1; -} - -if [ "$(id -u)" != "0" ] -then - echo "You must be root to start, stop or restart \"Shorewall firewall\"." - exit 1 -fi - -echo_notdone () { - - if [ "$INITLOG" = "/dev/null" ] ; then - echo "not done." - else - echo "not done (check $INITLOG)." - fi - -} - -not_configured () { - echo "#### WARNING ####" - echo "The firewall won't be started/stopped unless it is configured" - if [ "$1" != "stop" ] - then - echo "" - echo "Please read about Debian specific customization in" - echo "/usr/share/doc/shorewall-common/README.Debian.gz." - fi - echo "#################" - exit 0 -} - -# check if shorewall is configured or not -if [ -f "/etc/default/shorewall" ] -then - . /etc/default/shorewall - SRWL_OPTS="$SRWL_OPTS $OPTIONS" - if [ "$startup" != "1" ] - then - not_configured - fi -else - not_configured -fi - -# wait for an unconfigured interface -wait_for_pppd () { - if [ "$wait_interface" != "" ] - then - for i in $wait_interface - do - $WAIT_FOR_IFUP $i 90 - done - fi -} - -# start the firewall -shorewall_start () { - echo -n "Starting \"Shorewall firewall\": " - wait_for_pppd - $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." 
|| echo_notdone - return 0 -} - -# stop the firewall -shorewall_stop () { - echo -n "Stopping \"Shorewall firewall\": " - $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone - return 0 -} - -# restart the firewall -shorewall_restart () { - echo -n "Restarting \"Shorewall firewall\": " - $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone - return 0 -} - -# refresh the firewall -shorewall_refresh () { - echo -n "Refreshing \"Shorewall firewall\": " - $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone - return 0 -} - -case "$1" in - start) - shorewall_start - ;; - stop) - shorewall_stop - ;; - refresh) - shorewall_refresh - ;; - force-reload|restart) - shorewall_restart - ;; - *) - echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}" - exit 1 -esac - -exit 0 diff --git a/Shorewall-common-IPv6-Aborted/init.sh b/Shorewall-common-IPv6-Aborted/init.sh deleted file mode 100755 index c3956d2d2..000000000 --- a/Shorewall-common-IPv6-Aborted/init.sh +++ /dev/null 
@@ -1,90 +0,0 @@
-#!/bin/sh
-RCDLINKS="2,S41 3,S41 6,K41"
-#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-#
-# On most distributions, this file should be called /etc/init.d/shorewall.
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-# -# Commands are: -# -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall reload Reload the firewall -# (same as restart) -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# - -# chkconfig: 2345 25 90 -# description: Packet filtering firewall - -### BEGIN INIT INFO -# Provides: shorewall -# Required-Start: $local_fs $remote_fs $syslog -# Should-Start: VMware $time $named -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Description: starts and stops the shorewall firewall -### END INIT INFO - -################################################################################ -# Give Usage Information # -################################################################################ -usage() { - echo "Usage: $0 start|stop|reload|restart|status" - exit 1 -} - -################################################################################ -# Get startup options (override default) -################################################################################ -OPTIONS="-v0" -if [ -f /etc/sysconfig/shorewall ]; then - . /etc/sysconfig/shorewall -elif [ -f /etc/default/shorewall ] ; then - . /etc/default/shorewall -fi - -################################################################################ -# E X E C U T I O N B E G I N S H E R E # -################################################################################ -command="$1" - -case "$command" in - start|restart|stop) - exec /sbin/shorewall $OPTIONS $@ - ;; - stop|restart|status) - exec /sbin/shorewall $@ - ;; - reload) - shift - exec /sbin/shorewall $OPTIONS restart $@ - ;; - *) - usage - ;; -esac diff --git a/Shorewall-common-IPv6-Aborted/initdone b/Shorewall-common-IPv6-Aborted/initdone deleted file mode 100755 index ed5764491..000000000 --- a/Shorewall-common-IPv6-Aborted/initdone +++ /dev/null 
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Initdone File
-#
-# /etc/shorewall/initdone
-#
-# Add commands below that you want to be executed during
-# "shorewall start" or "shorewall restart" commands at the point where
-# Shorewall has not yet added any perminent rules to the builtin chains.
-#
-# For additional information, see
-# http://shorewall.net/shorewall_extension_scripts.htm
-#
-###############################################################################
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/install.sh b/Shorewall-common-IPv6-Aborted/install.sh
deleted file mode 100755
index 453a1dfd8..000000000
--- a/Shorewall-common-IPv6-Aborted/install.sh
+++ /dev/null
@@ -1,776 +0,0 @@ -#!/bin/sh -# -# Script to install Shoreline Firewall -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -VERSION=4.2.1 - -usage() # $1 = exit status -{ - ME=$(basename $0) - echo "usage: $ME" - echo " $ME -v" - echo " $ME -h" - echo " $ME -n" - exit $1 -} - -split() { - local ifs - ifs=$IFS - IFS=: - set -- $1 - echo $* - IFS=$ifs -} - -qt() -{ - "$@" >/dev/null 2>&1 -} - -mywhich() { - local dir - - for dir in $(split $PATH); do - if [ -x $dir/$1 ]; then - echo $dir/$1 - return 0 - fi - done - - return 2 -} - -run_install() -{ - if ! install $*; then - echo - echo "ERROR: Failed to install $*" >&2 - exit 1 - fi -} - -cant_autostart() -{ - echo - echo "WARNING: Unable to configure shorewall to start automatically at boot" >&2 -} - -backup_directory() # $1 = directory to backup -{ - if [ -d $1 ]; then - if cp -a $1 ${1}-${VERSION}.bkout ; then - echo - echo "$1 saved to ${1}-${VERSION}.bkout" - else - exit 1 - fi - fi -} - -backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup -{ - if [ -z "${PREFIX}{NOBACKUP}" ]; then - if [ -f $1 -a ! 
-f ${1}-${VERSION}.bkout ]; then - if [ -n "$2" ]; then - if [ -d $2 ]; then - if cp -f $1 $2 ; then - echo - echo "$1 saved to $2/$(basename $1)" - else - exit 1 - fi - fi - elif cp $1 ${1}-${VERSION}.bkout; then - echo - echo "$1 saved to ${1}-${VERSION}.bkout" - else - exit 1 - fi - fi - fi -} - -delete_file() # $1 = file to delete -{ - rm -f $1 -} - -install_file() # $1 = source $2 = target $3 = mode -{ - run_install $OWNERSHIP -m $3 $1 ${2} -} - -install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) backup directory -{ - backup_file $2 $4 - run_install $OWNERSHIP -m $3 $1 ${2} -} - -# -# Parse the run line -# -# DEST is the SysVInit script directory -# INIT is the name of the script in the $DEST directory -# RUNLEVELS is the chkconfig parmeters for firewall -# ARGS is "yes" if we've already parsed an argument -# -ARGS="" - -if [ -z "$DEST" ] ; then - DEST="/etc/init.d" -fi - -if [ -z "$INIT" ] ; then - INIT="shorewall" -fi - -if [ -z "$RUNLEVELS" ] ; then - RUNLEVELS="" -fi - -DEBIAN= -CYGWIN= - -case $(uname) in - CYGWIN*) - DEST= - INIT= - OWNER=$(id -un) - GROUP=$(id -gn) - CYGWIN=Yes - ;; - *) - [ -z "$OWNER" ] && OWNER=root - [ -z "$GROUP" ] && GROUP=root - ;; -esac - -OWNERSHIP="-o $OWNER -g $GROUP" - -NOBACKUP= - -while [ $# -gt 0 ] ; do - case "$1" in - -h|help|?) - usage 0 - ;; - -v) - echo "Shorewall Firewall Installer Version $VERSION" - exit 0 - ;; - -n) - NOBACKUP=Yes - ;; - *) - usage 1 - ;; - esac - shift - ARGS="yes" -done - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -# -# Determine where to install the firewall script -# - -if [ -n "$PREFIX" ]; then - if [ -z "$CYGWIN" ]; then - if [ `id -u` != 0 ] ; then - echo "Not setting file owner/group permissions, not running as root." 
- OWNERSHIP="" - fi - - install -d $OWNERSHIP -m 755 ${PREFIX}/sbin - install -d $OWNERSHIP -m 755 ${PREFIX}${DEST} - fi -else - [ -x /usr/share/shorewall-shell/compiler -o -x /usr/share/shorewall-perl/compiler.pl ] || \ - { echo " ERROR: No Shorewall compiler is installed" >&2; exit 1; } - if [ -z "$CYGWIN" ]; then - if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then - DEBIAN=yes - elif [ -f /etc/slackware-version ] ; then - DEST="/etc/rc.d" - INIT="rc.firewall" - elif [ -f /etc/arch-release ] ; then - DEST="/etc/rc.d" - INIT="shorewall" - ARCHLINUX=yes - fi - fi -fi - -# -# Change to the directory containing this script -# -cd "$(dirname $0)" - -echo "Installing Shorewall-common Version $VERSION" - -# -# Check for /etc/shorewall -# -if [ -d ${PREFIX}/etc/shorewall ]; then - first_install="" - if [ -z "$NOBACKUP" ]; then - backup_directory ${PREFIX}/etc/shorewall - backup_directory ${PREFIX}/usr/share/shorewall - backup_directory ${PREFIX}/var/lib/shorewall - fi -else - first_install="Yes" -fi - -if [ -z "$CYGWIN" ]; then - install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout - echo "shorewall control program installed in ${PREFIX}/sbin/shorewall" -else - install_file_with_backup shorewall ${PREFIX}/bin/shorewall 0755 ${PREFIX}/var/lib/shorewall-${VERSION}.bkout - echo "shorewall control program installed in ${PREFIX}/bin/shorewall" -fi - - -# -# Install the Firewall Script -# -if [ -n "$DEBIAN" ]; then - install_file_with_backup init.debian.sh /etc/init.d/shorewall 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout -elif [ -n "$ARCHLINUX" ]; then - install_file_with_backup init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout -elif [ -n "$INIT" ]; then - install_file_with_backup init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-${VERSION}.bkout -fi - -[ -n "$CYGWIN" ] || echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT" - -# -# Create 
/etc/shorewall, /usr/share/shorewall and /var/shorewall if needed -# -mkdir -p ${PREFIX}/etc/shorewall -mkdir -p ${PREFIX}/usr/share/shorewall -mkdir -p ${PREFIX}/usr/share/shorewall/configfiles -mkdir -p ${PREFIX}/var/lib/shorewall - -chmod 755 ${PREFIX}/etc/shorewall -chmod 755 ${PREFIX}/usr/share/shorewall -chmod 755 ${PREFIX}/usr/share/shorewall/configfiles -# -# Install the config file -# -run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf - -qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf - -if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then - run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf - echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" -fi - - -if [ -n "$ARCHLINUX" ] ; then - sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf -fi -# -# Install the zones file -# -run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall/configfiles/zones - -if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/zones ]; then - run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones - echo "Zones file installed as ${PREFIX}/etc/shorewall/zones" -fi - -delete_file ${PREFIX}/usr/share/shorewall/compiler -delete_file ${PREFIX}/usr/share/shorewall/lib.accounting -delete_file ${PREFIX}/usr/share/shorewall/lib.actions -delete_file ${PREFIX}/usr/share/shorewall/lib.dynamiczones -delete_file ${PREFIX}/usr/share/shorewall/lib.maclist -delete_file ${PREFIX}/usr/share/shorewall/lib.nat -delete_file ${PREFIX}/usr/share/shorewall/lib.providers -delete_file ${PREFIX}/usr/share/shorewall/lib.proxyarp -delete_file ${PREFIX}/usr/share/shorewall/lib.tc -delete_file ${PREFIX}/usr/share/shorewall/lib.tcrules -delete_file ${PREFIX}/usr/share/shorewall/lib.tunnels -delete_file ${PREFIX}/usr/share/shorewall/prog.header -delete_file ${PREFIX}/usr/share/shorewall/prog.footer - -# -# Install wait4ifup -# - -install_file wait4ifup ${PREFIX}/usr/share/shorewall/wait4ifup 0755 - -echo -echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall/wait4ifup" - -# -# Install the policy file -# -run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall/configfiles/policy - -if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then - run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy - echo "Policy file installed as ${PREFIX}/etc/shorewall/policy" -fi -# -# Install the interfaces file -# -run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces - -if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then - run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces - echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces" -fi -# -# Install the ipsec file -# -run_install $OWNERSHIP -m 0644 ipsec ${PREFIX}/usr/share/shorewall/configfiles/ipsec - -if [ -z "$CYGWIN" -a ! 
-f ${PREFIX}/etc/shorewall/ipsec ]; then
- run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
- echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec"
-fi
-
-#
-# Install the hosts file
-#
-run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
- run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
- echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
-fi
-#
-# Install the rules file
-#
-run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall/configfiles/rules
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
- run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
- echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
-fi
-#
-# Install the NAT file
-#
-run_install $OWNERSHIP -m 0644 nat ${PREFIX}/usr/share/shorewall/configfiles/nat
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
- run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
- echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
-fi
-#
-# Install the NETMAP file
-#
-run_install $OWNERSHIP -m 0644 netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
- run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
- echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
-fi
-#
-# Install the Parameters file
-#
-run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params
-
-if [ -f ${PREFIX}/etc/shorewall/params ]; then
- chmod 0644 ${PREFIX}/etc/shorewall/params
-else
- run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params
- echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
-fi
-#
-# Install the proxy ARP file
-#
-run_install $OWNERSHIP -m 0644 proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/proxyarp ]; then
- run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
- echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
-fi
-#
-# Install the Stopped Routing file
-#
-run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
- run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
- echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
-fi
-#
-# Install the Mac List file
-#
-run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
- run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
- echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
-fi
-#
-# Install the Masq file
-#
-run_install $OWNERSHIP -m 0644 masq ${PREFIX}/usr/share/shorewall/configfiles/masq
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
- run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
- echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
-fi
-#
-# Install the Modules file
-#
-run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
-echo "Modules file installed as ${PREFIX}/usr/share/shorewall/modules"
-
-#
-# Install the TC Rules file
-#
-run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
- run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
- echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
-fi
-
-#
-# Install the TOS file
-#
-run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall/configfiles/tos
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/tos ]; then
- run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
- echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
-fi
-#
-# Install the Tunnels file
-#
-run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
- run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
- echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
-fi
-#
-# Install the blacklist file
-#
-run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
- run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
- echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
-fi
-#
-# Delete the Routes file
-#
-delete_file ${PREFIX}/etc/shorewall/routes
-#
-# Delete the tcstart file
-#
-
-delete_file ${PREFIX}/usr/share/shorewall/tcstart
-
-#
-# Delete the Limits Files
-#
-delete_file ${PREFIX}/usr/share/shorewall/action.Limit
-delete_file ${PREFIX}/usr/share/shorewall/Limit
-#
-# Delete the xmodules file
-#
-delete_file ${PREFIX}/usr/share/shorewall/xmodules
-#
-# Install the Providers file
-#
-run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall/configfiles/providers
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
- run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
- echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
-fi
-
-#
-# Install the Route Rules file
-#
-run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/route_rules ]; then
- run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules
- echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules"
-fi
-
-#
-# Install the tcclasses file
-#
-run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
- run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses
- echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
-fi
-
-#
-# Install the tcdevices file
-#
-run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
- run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices
- echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
-fi
-
-#
-# Install the tcfilters file
-#
-run_install $OWNERSHIP -m 0644 tcfilters ${PREFIX}/usr/share/shorewall/configfiles/tcfilters
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
- run_install $OWNERSHIP -m 0600 tcfilters ${PREFIX}/etc/shorewall/tcfilters
- echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters"
-fi
-
-#
-# Install the rfc1918 file
-#
-install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0644
-echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
-#
-# Install the default config path file
-#
-install_file configpath ${PREFIX}/usr/share/shorewall/configpath 0644
-echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
-#
-# Install the init file
-#
-run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall/configfiles/init
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/init ]; then
- run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
- echo "Init file installed as ${PREFIX}/etc/shorewall/init"
-fi
-#
-# Install the initdone file
-#
-run_install $OWNERSHIP -m 0644 initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
- run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
- echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
-fi
-#
-# Install the start file
-#
-run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall/configfiles/start
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
- run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
- echo "Start file installed as ${PREFIX}/etc/shorewall/start"
-fi
-#
-# Install the stop file
-#
-run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall/configfiles/stop
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
- run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
- echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
-fi
-#
-# Install the stopped file
-#
-run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
- run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
- echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
-fi
-#
-# Install the ECN file
-#
-run_install $OWNERSHIP -m 0644 ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
- run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
- echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
-fi
-#
-# Install the Accounting file
-#
-run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/accounting ]; then
- run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
- echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
-fi
-#
-# Install the Continue file
-#
-run_install $OWNERSHIP -m 0644 continue ${PREFIX}/usr/share/shorewall/configfiles/continue
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/continue ]; then
- run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
- echo "Continue file installed as ${PREFIX}/etc/shorewall/continue"
-fi
-#
-# Install the Started file
-#
-run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall/configfiles/started
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
- run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
- echo "Started file installed as ${PREFIX}/etc/shorewall/started"
-fi
-#
-# Install the Standard Actions file
-#
-install_file actions.std ${PREFIX}/usr/share/shorewall/actions.std 0644
-echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall/actions.std"
-
-#
-# Install the Actions file
-#
-run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall/configfiles/actions
-
-if [ -z "$CYGWIN" -a !
-f ${PREFIX}/etc/shorewall/actions ]; then
- run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions
- echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
-fi
-
-#
-# Install the Makefiles
-#
-run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall/configfiles/Makefile
-
-if [ -z "$CYGWIN" ]; then
- run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
- echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
-fi
-#
-# Install the Action files
-#
-for f in action.* ; do
- install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
- echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
-done
-
-# Install the Macro files
-#
-for f in macro.* ; do
- install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
- echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
-done
-#
-# Install the libraries
-#
-for f in lib.* ; do
- if [ -f $f ]; then
- install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
- echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
- fi
-done
-#
-# Symbolically link 'functions' to lib.base
-#
-ln -sf lib.base ${PREFIX}/usr/share/shorewall/functions
-#
-# Create the version file
-#
-echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
-chmod 644 ${PREFIX}/usr/share/shorewall/version
-#
-# Remove and create the symbolic link to the init script
-#
-
-if [ -z "$PREFIX" ]; then
- rm -f /usr/share/shorewall/init
- ln -s ${DEST}/${INIT} /usr/share/shorewall/init
-fi
-
-#
-# Install the Man Pages
-#
-
-cd manpages
-
-for f in *.5; do
- gzip -c $f > $f.gz
- run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
- echo "Man page $f.gz installed to /usr/share/man/man5/$f.gz"
-done
-
-for f in *.8; do
- gzip -c $f > $f.gz
- run_install -D -m 0644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
- echo "Man page $f.gz installed to /usr/share/man/man8/$f.gz"
-done
-
-cd ..
-
-echo "Man Pages Installed"
-
-#
-# Install the firewall script
-#
-install_file firewall ${PREFIX}/usr/share/shorewall/firewall 0755
-
-if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
- if [ -n "$DEBIAN" ]; then
- run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
- ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
- echo "shorewall will start automatically at boot"
- echo "Set startup=1 in /etc/default/shorewall to enable"
- touch /var/log/shorewall-init.log
- qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
- else
- if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
- if insserv /etc/init.d/shorewall ; then
- echo "shorewall will start automatically at boot"
- echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
- else
- cant_autostart
- fi
- elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
- if chkconfig --add shorewall ; then
- echo "shorewall will start automatically in run levels as follows:"
- echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
- chkconfig --list shorewall
- else
- cant_autostart
- fi
- elif [ -x /sbin/rc-update ]; then
- if rc-update add shorewall default; then
- echo "shorewall will start automatically at boot"
- echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
- else
- cant_autostart
- fi
- elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
- cant_autostart
- fi
- fi
-fi
-
-#
-# Report Success
-#
-echo "shorewall-common Version $VERSION Installed"
diff --git a/Shorewall-common-IPv6-Aborted/interfaces b/Shorewall-common-IPv6-Aborted/interfaces
deleted file mode 100644
index a63e06d8f..000000000
--- a/Shorewall-common-IPv6-Aborted/interfaces
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE|6ZONE INTERFACE BROADCAST OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/ipsec b/Shorewall-common-IPv6-Aborted/ipsec
deleted file mode 100644
index 9537ea736..000000000
--- a/Shorewall-common-IPv6-Aborted/ipsec
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# The /etc/shorewall/ipsec file is obsolete -- the information
-# previously contained in this file is now placed in the
-# /etc/shorewall/zones file.
-#
-# See the IPSECFILE option in shorewall.conf for further information.
-#
diff --git a/Shorewall-common-IPv6-Aborted/ipsecvpn b/Shorewall-common-IPv6-Aborted/ipsecvpn
deleted file mode 100644
index 07f13a663..000000000
--- a/Shorewall-common-IPv6-Aborted/ipsecvpn
+++ /dev/null
@@ -1,296 +0,0 @@
-#!/bin/sh
-
-################################################################################
-#
-# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
-# IPSEC connection
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-RCDLINKS="2,S42 3,S42 6,K42"
-
-#### BEGIN INIT INFO
-# Provides: ipsecvpn
-# Required-Start: $shorewall
-# Required-Stop:
-# Default-Start: 2 3 5
-# Default-Stop: 0 1 6
-# Description: starts and stops a tunnel-mode VPN connection
-### END INIT INFO
-
-# chkconfig: 2345 26 89
-# description: IPSEC tunnel-mode connection
-#
-################################################################################
-#
-# External Interface
-#
-INTERFACE=eth0
-#
-# Remote IPSEC Gateway
-#
-GATEWAY=1.2.3.4
-#
-# Networks behind the remote gateway (space-separated list)
-#
-NETWORKS="192.168.1.0/24"
-#
-# Directory where X.509 certificates are stored.
-#
-CERTS=/etc/certs
-#
-# Certificate to be used for this connection.
The cert
-# directory must contain:
-#
-# ${CERT}.pem - the certificate
-# ${CERT}_key.pem - the certificates's key
-#
-CERT=roadwarrior
-#
-# The setkey binary
-#
-SETKEY=/usr/sbin/setkey
-#
-# The racoon binary
-#
-RACOON=/usr/sbin/racoon
-
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
- echo " $@" >&2
-}
-
-#
-# Fatal error -- stops the firewall after issuing the error message
-#
-fatal_error() # $* = Error Message
-{
- echo " Error: $@" >&2
- exit 2
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
- #
- # If there wasn't one, bail out now
- #
- [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# Create a Racoon configuration file using the variables above
-#
-make_racoon_conf() {
- echo "path certificate \"$CERTS\";"
- echo
- echo "listen"
- echo "{"
- echo " isakmp $IPADDR;"
- echo "}"
- echo
- echo "remote $GATEWAY"
- echo "{"
- echo " exchange_mode main;"
- echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
- echo " verify_cert on;"
- echo " my_identifier asn1dn ;"
- echo " peers_identifier asn1dn ;"
- echo " verify_identifier on ;"
- echo " lifetime time 24 hour ;"
- echo " proposal {"
- echo " encryption_algorithm blowfish;"
- echo " hash_algorithm sha1;"
- echo " authentication_method rsasig ;"
- echo " dh_group 2 ;"
- echo " }"
- echo "}"
- echo
-
- for network in $NETWORKS; do
- echo "sainfo address $IPADDR/32 any address $network any"
- echo "{"
- echo " pfs_group 2;"
- echo " lifetime time 12 hour ;"
- echo " encryption_algorithm blowfish ;"
- echo " authentication_algorithm
hmac_sha1, hmac_md5 ;"
- echo " compression_algorithm deflate ;"
- echo "}"
- echo
- echo "sainfo address $network any address $IPADDR/32 any"
- echo "{"
- echo " pfs_group 2;"
- echo " lifetime time 12 hour ;"
- echo " encryption_algorithm blowfish ;"
- echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
- echo " compression_algorithm deflate ;"
- echo "}"
-
- done
-
- echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
- echo "{"
- echo " pfs_group 2;"
- echo " lifetime time 12 hour ;"
- echo " encryption_algorithm blowfish ;"
- echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
- echo " compression_algorithm deflate ;"
- echo "}"
- echo
- echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
- echo "{"
- echo " pfs_group 2;"
- echo " lifetime time 12 hour ;"
- echo " encryption_algorithm blowfish ;"
- echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
- echo " compression_algorithm deflate ;"
- echo "}"
-}
-
-#
-# Make a setkey configuration file using the variables above
-#
-make_setkey_conf()
-{
- echo "flush;"
- echo "spdflush;"
-
- echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
- echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
-
- for network in $NETWORKS; do
- echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
- echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
- done
-}
-
-#
-# Start the Tunnel
-#
-start()
-{
- #
- # Get the first IP address configured on the device in INTERFACE
- #
- IPADDR=$(find_first_interface_address $INTERFACE)
- #
- # Create the name of the setkey temporary file
- #
- TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
- [ $?
-eq 0 ] || fatal_error "Can't create temporary file name"
- #
- # Create the file
- #
- make_setkey_conf > $TEMPFILE
- #
- # Create the SPD
- #
- $SETKEY -f $TEMPFILE
- #
- # We can now remove the file
- #
- rm -f $TEMPFILE
- #
- # Create another name -- make this distict to aid debugging
- # (just comment out the 'rm' commands)
- #
- TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
- [ $? -eq 0 ] || fatal_error "Can't create temporary file name"
- #
- # Create the file
- #
- make_racoon_conf > $TEMPFILE
- #
- # Start Racoon Daemon
- #
- $RACOON -4 -f $TEMPFILE
- #
- # Once the Daemon is running, we can remove the file
- #
- rm -f $TEMPFILE
-}
-#
-# Stop the Tunnel
-#
-stop()
-{
- #
- # Kill any racoon daemons
- #
- killall racoon
- #
- # Purge the SAD and SPD
- #
- setkey -F -FP
-}
-
-#
-# Display command syntax and abend
-#
-usage()
-{
- error_message "usage: $(basename $0) [start|stop|restart]"
- exit 1
-}
-################################################################################
-# C O D E S T A R T S H E R E
-################################################################################
-[ $# -eq 1 ] || usage
-
-
-case $1 in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- sleep 2
- start
- ;;
- *)
- usage
- ;;
-esac
-
-
-
-
-
-
-
-
-
diff --git a/Shorewall-common-IPv6-Aborted/lib.base b/Shorewall-common-IPv6-Aborted/lib.base
deleted file mode 100644
index 9969635c6..000000000
--- a/Shorewall-common-IPv6-Aborted/lib.base
+++ /dev/null
@@ -1,1723 +0,0 @@
-#!/bin/sh
-#
-# Shorewall 4.2 -- /usr/share/shorewall/lib.base
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This library contains the code common to all Shorewall components.
-#
-# - It is copied into the compiled script with the -e compiler flag is specified to
-# shorewall-shell.
-# - It is loaded by /sbin/shorewall.
-# - It is loaded by /usr/share/shorewall/firewall.
-# - It is loaded by /usr/share/shorewall-shell/compiler.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-# and /usr/share/shorewall-lite/shorecap.
-# - It is released as part of Shorewall Perl where it is copied into the compiled script
-# by the compiler.
-#
-
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40202
-
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
-SHELLSHAREDIR=/usr/share/shorewall-shell
-PERLSHAREDIR=/usr/share/shorewall-perl
-
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
- echo " $@" >&2
-}
-
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSE -gt 1 ]; then
- [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-}
-
-progress_message2() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSE -gt 0 ]; then
- [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-}
-
-progress_message3() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSE -ge 0 ]; then
- [ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-}
-
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
- local ifs
- ifs=$IFS
- IFS=:
- echo $*
- IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
- local e
- e=$1
-
- while [ $# -gt 1 ]; do
- shift
- [ "x$e" = "x$1" ] && return 0
- done
-
- return 1
-}
-
-#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
- local f
- local o
- o=
-
- for f in $* ; do
- o="${o:+$o,}$f"
- done
-
- echo $o
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
- "$@" >/dev/null 2>&1
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
- qt $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
- cd $(dirname $0)
- echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
- local user_exit
- user_exit=$(find_file $1)
-
- if [ -f $user_exit ];
then
- progress_message "Processing $user_exit ..."
- . $user_exit
- fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
- run_iptables -P $1 $2
-}
-
-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the NAT table chains
-#
-flushnat() # $1 = name of chain
-{
- run_iptables -t nat -F $1
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
- run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
- run_iptables -F
- run_iptables -X
-}
-
-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-# a space-separated list of directories to search for
-# the module and that 'moduleloader' contains the
-# module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
- local modulename
- modulename=$1
- local modulefile
- local suffix
-
- if ! list_search $modulename $MODULES $DONT_LOAD ; then
- shift
-
- for suffix in $MODULE_SUFFIX ; do
- for directory in $moduledirectories; do
- modulefile=$directory/${modulename}.${suffix}
-
- if [ -f $modulefile ]; then
- case $moduleloader in
- insmod)
- insmod $modulefile $*
- ;;
- *)
- modprobe $modulename $*
- ;;
- esac
- break 2
- fi
- done
- done
- fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
- local save_modules_dir
- save_modules_dir=$MODULESDIR
- local directory
- local moduledirectories
- moduledirectories=
- local moduleloader
- moduleloader=modprobe
-
- if !
qt mywhich modprobe; then
- moduleloader=insmod
- fi
-
- [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
- [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
- MODULES=$(lsmod | cut -d ' ' -f1)
-
- for directory in $(split $MODULESDIR); do
- [ -d $directory ] && moduledirectories="$moduledirectories $directory"
- done
-
- [ -n "$moduledirectories" ] && while read command; do
- eval $command
- done
-
- MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
- local save_modules_dir
- save_modules_dir=$MODULESDIR
- local directory
- local moduledirectories
- moduledirectories=
- local moduleloader
- moduleloader=modprobe
- local savemoduleinfo
- savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-
- if ! qt mywhich modprobe; then
- moduleloader=insmod
- fi
-
- [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
- [ -z "$MODULESDIR" ] && \
- MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
-
- for directory in $(split $MODULESDIR); do
- [ -d $directory ] && moduledirectories="$moduledirectories $directory"
- done
-
- modules=$(find_file modules)
-
- if [ -f $modules -a -n "$moduledirectories" ]; then
- MODULES=$(lsmod | cut -d ' ' -f1)
- progress_message "Loading Modules..."
- . $modules
- if [ $savemoduleinfo = Yes ]; then
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
- echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
- cp -f $modules ${VARDIR}/.modules
- fi
- elif [ $savemoduleinfo = Yes ]; then
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
- > ${VARDIR}/.modulesdir
- > ${VARDIR}/.modules
- fi
-
- MODULESDIR=$save_modules_dir
-}
-
-#
-# Call this function to assert mutual exclusion with Shorewall.
If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
- local try
- try=0
- local lockf
- lockf=${LOCKFILE:=${VARDIR}/lock}
-
- MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
- if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
- if qt mywhich lockfile; then
- lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
- else
- while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
- sleep 1
- try=$((${try} + 1))
- done
-
- if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
- # Create the lockfile
- echo $$ > ${lockf}
- else
- echo "Giving up on lock file ${lockf}" >&2
- fi
- fi
- fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
- rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
-#
-# Load an optional library
-#
-lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
-{
- local lib
- lib=${SHAREDIR}/lib.$1
- local loaded
-
- eval loaded=\$LIB_${1}_LOADED
-
- if [ -z "$loaded" ]; then
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
-
- if [ -f $lib ]; then
- progress_message "Loading library $lib..."
- . $lib
- eval LIB_${1}_LOADED=Yes
- else
- startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
- fi
- fi
-}
-
-#
-# Determine if an optional library is available
-#
-lib_avail() # $1 = Name of the Library
-{
- [ -f ${SHAREDIR}/lib.$1 ]
-}
-
-#
-# Note: The following set of IP address manipulation functions have anomalous
-# behavior when the shell only supports 32-bit signed arithmetic and
-# the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Validate an IP address
-#
-valid_address() {
- local x
- local y
- local ifs
- ifs=$IFS
-
- IFS=.
-
- for x in $1; do
- case $x in
- [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
- [ $x -lt 256 ] || { IFS=$ifs; return 2; }
- ;;
- *)
- IFS=$ifs
- return 2
- ;;
- esac
- done
-
- IFS=$ifs
-
- return 0
-}
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
- local x
- local temp
- temp=0
- local ifs
- ifs=$IFS
-
- IFS=.
-
- for x in $1; do
- temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
- done
-
- echo $temp
-
- IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
- addr=$1
- local x
- local y
- y=$(($addr & 255))
-
- for x in 1 2 3 ; do
- addr=$(($addr >> 8))
- y=$(($addr & 255)).$y
- done
-
- echo $y
-}
-
-#
-# Miserable Hack to work around broken BusyBox ash in OpenWRT
-#
-addr_comp() {
- test $(bc < $2
-EOF
-) -eq 1
-
-}
-
-#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-# the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
- local first
- local last
- local l
- local x
- local y
- local z
- local vlsm
-
- case $1 in
- !*)
- #
- # Let iptables complain if it's a range
- #
- echo $1
- return
- ;;
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(decodeaddr ${1%-*})
- last=$(decodeaddr ${1#*-})
-
- if addr_comp $first $last; then
- fatal_error "Invalid IP address range: $1"
- fi
-
- l=$(( $last + 1 ))
-
- while addr_comp $l $first; do
- vlsm=
- x=31
- y=2
- z=1
-
- while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do
- vlsm=/$x
- x=$(( $x - 1 ))
- z=$y
- y=$(( $y * 2 ))
- done
-
- echo $(encodeaddr $first)$vlsm
- first=$(($first + $z))
- done
-}
-
-ip_range_explicit() {
- local first
- local last
-
- case $1 in
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(decodeaddr ${1%-*})
- last=$(decodeaddr ${1#*-})
-
- if addr_comp $first $last; then
- fatal_error "Invalid IP address range: $1"
- fi
-
- while ! addr_comp $first $last; do
- echo $(encodeaddr $first)
- first=$(($first + 1))
- done
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
- local vlsm
- vlsm=${1#*/}
-
- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
- local decodedaddr
- decodedaddr=$(decodeaddr ${1%/*})
- local netmask
- netmask=$(ip_netmask $1)
-
- echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
- local x
- x=$(( 32 - ${1#*/} ))
-
- [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
- local decodedaddr
- decodedaddr=$(decodeaddr ${1%/*})
- local netmask
- netmask=$(ip_netmask $1)
- local broadcast
- broadcast=$(ip_broadcast $1)
-
- echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
- local netmask
- netmask=$(ip_netmask $2)
- #
- # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
- #
- test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Netmask to VLSM
-#
-ip_vlsm() {
- local mask
- mask=$(decodeaddr $1)
- local vlsm
- vlsm=0
- local x
- x=$(( 128 << 24 )) # 0x80000000
-
- while [ $(( $x & $mask )) -ne 0 ]; do
- [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
- vlsm=$(($vlsm + 1))
- done
-
- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
- echo "Invalid net mask: $1" >&2
- else
- echo $vlsm
- fi
-}
-
-
-#
-# Chain name base for an interface -- replace all periods with underscores in the passed name.
-# The result is echoed (less trailing "+").
-#
-chain_base() #$1 = interface
-{
- local c
- c=${1%%+}
-
- while true; do
- case $c in
- @*)
- c=at_${c#@}
- ;;
- *.*)
- c="${c%.*}_${c##*.}"
- ;;
- *-*)
- c="${c%-*}_${c##*-}"
- ;;
- *%*)
- c="${c%\%*}_${c##*%}"
- ;;
- *@*)
- c="${c%@*}_${c##*@}"
- ;;
- *)
- echo ${c:=common}
- return
- ;;
- esac
- done
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
- qt $IPTABLES -L $1 -n
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xdev ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xvia ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xmtu ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xpeer ] && echo ${2%/*} && return
- shift
- done
-}
-
-#
-# Find the interfaces that have a route to the passed address - the default
-# route is not used.
-#
-
-find_rt_interface() {
- ip route list | while read addr rest; do
- case $addr in
- */*)
- in_network ${1%/*} $addr && echo $(find_device $rest)
- ;;
- default)
- ;;
- *)
- if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
- echo $(find_device $rest)
- fi
- ;;
- esac
- done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
- echo $(find_gateway `ip route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
- ip route list | while read first rest; do
- [ "$first" = default ] && echo $(find_device $rest) && return
- done
-}
-
-#
-# Echo the name of the interface(s) that will be used to send to the
-# passed address
-#
-
-find_interface_by_address() {
- local dev
- dev="$(find_rt_interface $1)"
- local first
- local rest
-
- [ -z "$dev" ] && dev=$(find_default_interface)
-
- [ -n "$dev" ] && echo $dev
-}
-
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
- local mac
- mac=$1
- local first
- local second
- local rest
- local dev
-
- ip link list | while read first second rest; do
- case $first in
- *:)
- dev=$second
- ;;
- *)
- if [ "$second" = $mac ]; then
- echo ${dev%:}
- return
- fi
- esac
- done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
- [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
- #
- # If there wasn't one, bail out now
- #
- [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- echo $addr | sed 's/\s*inet
//;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
- interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
- ip -f inet addr show $1 2> /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
- local address
- local rest
-
- ip route show dev $1 2> /dev/null |
- while read address rest; do
- case "$address" in
- default)
- if [ $# -gt 1 ]; then
- shift
- fatal_error "$@"
- else
- echo "WARNING: default route ignored on interface $1" >&2
- fi
- ;;
- multicast|broadcast|prohibit|nat|throw|nexthop)
- ;;
- *)
- [ "$address" = "${address%/*}" ] && address="${address}/32"
- echo $address
- ;;
- esac
- done
-}
-
-get_interface_bcasts() # $1 = interface
-{
- ip -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Internal version of 'which'
-#
-mywhich() {
- local dir
-
- for dir in $(split $PATH); do
- if [ -x $dir/$1 ]; then
- echo $dir/$1
- return 0
- fi
- done
-
- return 2
-}
-
-#
-# Set default config path
-#
-ensure_config_path() {
- local F
- F=${SHAREDIR}/configpath
- if [ -z "$CONFIG_PATH" ]; then
- [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
- .
$F
- fi
-
- if [ -n "$SHOREWALL_DIR" ]; then
- [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
- fi
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
- local saveifs
- saveifs=
- local directory
-
- case $1 in
- /*)
- echo $1
- ;;
- *)
- for directory in $(split $CONFIG_PATH); do
- if [ -f $directory/$1 ]; then
- echo $directory/$1
- return
- fi
- done
-
- echo ${CONFDIR}/$1
- ;;
- esac
-}
-
-#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
- local pwd
- pwd=$PWD
-
- case $1 in
- /*)
- echo $1
- ;;
- .)
- echo $pwd
- ;;
- ./*)
- echo ${pwd}${1#.}
- ;;
- ..)
- cd ..
- echo $PWD
- cd $pwd
- ;;
- ../*)
- cd ..
- resolve_file ${1#../}
- cd $pwd
- ;;
- *)
- echo $pwd/$1
- ;;
- esac
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
- eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
- .
$(find_file $(expand $@))
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
- echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
- CONNTRACK_MATCH=
- NEW_CONNTRACK_MATCH=
- OLD_CONNTRACK_MATCH=
- MULTIPORT=
- XMULTIPORT=
- POLICY_MATCH=
- PHYSDEV_MATCH=
- PHYSDEV_BRIDGE=
- IPRANGE_MATCH=
- RECENT_MATCH=
- OWNER_MATCH=
- IPSET_MATCH=
- CONNMARK=
- XCONNMARK=
- CONNMARK_MATCH=
- XCONNMARK_MATCH=
- RAW_TABLE=
- IPP2P_MATCH=
- LENGTH_MATCH=
- CLASSIFY_TARGET=
- ENHANCED_REJECT=
- USEPKTTYPE=
- KLUDGEFREE=
- MARK=
- XMARK=
- MANGLE_FORWARD=
- COMMENTS=
- ADDRTYPE=
- TCPMSS_MATCH=
- HASHLIMIT_MATCH=
- NFQUEUE_TARGET=
- REALM_MATCH=
- HELPER_MATCH=
- CONNLIMIT_MATCH=
- TIME_MATCH=
-
- chain=fooX$$
-
- [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
- if [ -z "$IPTABLES" ]; then
- echo " ERROR: No executable iptables binary can be found on your PATH" >&2
- exit 1
- fi
-
- qt $IPTABLES -F $chain
- qt $IPTABLES -X $chain
- if ! $IPTABLES -N $chain; then
- echo " ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
- exit 1
- fi
-
- if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
- echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
- exit 1
- fi
-
- qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
-
- if [ -n "$CONNTRACK_MATCH" ]; then
- qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
- qt $IPTABLES -A $chain -m conntrack !
--ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
- fi
-
- if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
- MULTIPORT=Yes
- qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
- fi
-
- qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
- qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
- if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
- PHYSDEV_MATCH=Yes
- qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
- if [ -z "${KLUDGEFREE}" ]; then
- qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
- fi
- fi
-
- if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
- IPRANGE_MATCH=Yes
- if [ -z "${KLUDGEFREE}" ]; then
- qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
- fi
- fi
-
- qt $IPTABLES -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes
- qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
- if qt $IPTABLES -A $chain -m connmark --mark 2 -j ACCEPT; then
- CONNMARK_MATCH=Yes
- qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
- fi
-
- qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
- qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
- qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
- qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
- if [ -n "$MANGLE_ENABLED" ]; then
- qt $IPTABLES -t mangle -N $chain
-
- if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
- MARK=Yes
- qt $IPTABLES -t mangle -A
$chain -j MARK --and-mark 0xFF && XMARK=Yes
- fi
-
- if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
- CONNMARK=Yes
- qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
- fi
-
- qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
- qt $IPTABLES -t mangle -F $chain
- qt $IPTABLES -t mangle -X $chain
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
- fi
-
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
-
- if qt mywhich ipset; then
- qt ipset -X $chain # Just in case something went wrong the last time
-
- if qt ipset -N $chain iphash ; then
- if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
- qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
- IPSET_MATCH=Yes
- fi
- qt ipset -X $chain
- fi
- fi
-
- qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
- qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
- qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
- qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
- qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
- qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
- qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
- qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
- qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
-
- qt $IPTABLES -F $chain
- qt $IPTABLES -X $chain
-
- CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-report_capabilities() {
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
- {
- local setting
- setting=
-
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
- echo " " $1: $setting
- }
-
- if [ $VERBOSE -gt 1 ]; then
-
echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability "NAT" $NAT_ENABLED
- report_capability "Packet Mangling" $MANGLE_ENABLED
- report_capability "Multi-port Match" $MULTIPORT
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- if [ -n "$CONNTRACK_MATCH" ]; then
- report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
- report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
- fi
- report_capability "Packet Type Match" $USEPKTTYPE
- report_capability "Policy Match" $POLICY_MATCH
- report_capability "Physdev Match" $PHYSDEV_MATCH
- report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
- report_capability "Packet length Match" $LENGTH_MATCH
- report_capability "IP range Match" $IPRANGE_MATCH
- report_capability "Recent Match" $RECENT_MATCH
- report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
- report_capability "CONNMARK Target" $CONNMARK
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
- report_capability "Connmark Match" $CONNMARK_MATCH
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
- report_capability "Raw Table" $RAW_TABLE
- report_capability "IPP2P Match" $IPP2P_MATCH
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
- report_capability "Extended REJECT" $ENHANCED_REJECT
- report_capability "Repeat match" $KLUDGEFREE
- report_capability "MARK Target" $MARK
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
- report_capability "Comments" $COMMENTS
- report_capability "Address Type Match" $ADDRTYPE
- report_capability "TCPMSS Match" $TCPMSS_MATCH
- report_capability "Hashlimit Match" $HASHLIMIT_MATCH
- report_capability "NFQUEUE Target" $NFQUEUE_TARGET
- report_capability
"Realm Match" $REALM_MATCH
- report_capability "Helper Match" $HELPER_MATCH
- report_capability "Connlimit Match" $CONNLIMIT_MATCH
- report_capability "Time Match" $TIME_MATCH
- fi
-
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
- report_capability1() # $1 = Capability
- {
- eval echo $1=\$$1
- }
-
- echo "#"
- echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
- echo "#"
- report_capability1 NAT_ENABLED
- report_capability1 MANGLE_ENABLED
- report_capability1 MULTIPORT
- report_capability1 XMULTIPORT
- report_capability1 CONNTRACK_MATCH
- report_capability1 NEW_CONNTRACK_MATCH
- report_capability1 OLD_CONNTRACK_MATCH
- report_capability1 USEPKTTYPE
- report_capability1 POLICY_MATCH
- report_capability1 PHYSDEV_MATCH
- report_capability1 PHYSDEV_BRIDGE
- report_capability1 LENGTH_MATCH
- report_capability1 IPRANGE_MATCH
- report_capability1 RECENT_MATCH
- report_capability1 OWNER_MATCH
- report_capability1 IPSET_MATCH
- report_capability1 CONNMARK
- report_capability1 XCONNMARK
- report_capability1 CONNMARK_MATCH
- report_capability1 XCONNMARK_MATCH
- report_capability1 RAW_TABLE
- report_capability1 IPP2P_MATCH
- report_capability1 CLASSIFY_TARGET
- report_capability1 ENHANCED_REJECT
- report_capability1 KLUDGEFREE
- report_capability1 MARK
- report_capability1 XMARK
- report_capability1 MANGLE_FORWARD
- report_capability1 COMMENTS
- report_capability1 ADDRTYPE
- report_capability1 TCPMSS_MATCH
- report_capability1 HASHLIMIT_MATCH
- report_capability1 NFQUEUE_TARGET
- report_capability1 REALM_MATCH
- report_capability1 HELPER_MATCH
- report_capability1 CONNLIMIT_MATCH
- report_capability1 TIME_MATCH
-
- echo CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-#
-# Delete IP address
-#
-del_ip_addr() # $1 = address, $2 = interface
-{
- [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
-}
-
-# Add IP Aliases
-#
-add_ip_aliases() # $* = List of addresses
-{
- local addresses
- local
external
- local interface
- local inet
- local cidr
- local rest
- local val1
- local arping
- arping=$(mywhich arping)
-
- address_details()
- {
- #
- # Folks feel uneasy if they don't see all of the same
- # decoration on these IP addresses that they see when their
- # distro's net config tool adds them. In an attempt to reduce
- # the anxiety level, we have the following code which sets
- # the VLSM and BRD from an existing address in the same networks
- #
- # Get all of the lines that contain inet addresses with broadcast
- #
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
- case $cidr in
- */*)
- if in_network $external $cidr; then
- echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
- break
- fi
- ;;
- esac
- done
- }
-
- do_one()
- {
- val=$(address_details)
-
- ip addr add ${external}${val} dev $interface $label
- [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
- echo "$external $interface" >> $VARDIR/nat
- [ -n "$label" ] && label="with $label"
- progress_message " IP Address $external added to interface $interface $label"
- }
-
- progress_message "Adding IP Addresses..."
-
- while [ $# -gt 0 ]; do
- external=$1
- interface=$2
- label=
-
- if [ "$interface" != "${interface%:*}" ]; then
- label="${interface#*:}"
- interface="${interface%:*}"
- label="label $interface:$label"
- fi
-
- shift 2
-
- list_search $external $(find_interface_addresses $interface) || do_one
- done
-}
-
-detect_gateway() # $1 = interface
-{
- local interface
- interface=$1
- #
- # First assume that this is some sort of point-to-point interface
- #
- gateway=$( find_peer $(ip addr list $interface ) )
- #
- # Maybe there's a default route through this gateway already
- #
- [ -n "$gateway" ] || gateway=$(find_gateway $(ip route list dev $interface))
- #
- # Last hope -- is there a load-balancing route through the interface?
-
- #
- [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
- #
- # Be sure we found one
- #
- [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local foo
- foo="$(ip -f inet6 addr list 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt mywhich ip6tables; then
- ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP
- ip6tables -F
- ip6tables -X
- ip6tables -A OUTPUT -o lo -j ACCEPT
- ip6tables -A INPUT -i lo -j ACCEPT
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-# Function to truncate a string -- It uses 'cut -b -'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
- cut -b -${1}
-}
-
-#
-# Add a logging rule.
-#
-do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
-{
- local level
- level=$1
- local chain
- chain=$2
- local displayChain
- displayChain=$3
- local disposition
- disposition=$4
- local rulenum
- rulenum=
- local limit
- limit=
- local tag
- tag=
- local command
- command=
- local prefix
- local base
- base=$(chain_base $displayChain)
- local pf
-
- limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
- tag=${6:+$6 }
- command=${7:--A}
-
- shift 7
-
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
- displayChain=$tag
- tag=
- fi
-
- if [ -n "$LOGRULENUMBERS" ]; then
- #
- # Hack for broken printf on some lightweight shells
- #
- [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf)
-
- eval rulenum=\$${base}_logrules
-
- rulenum=${rulenum:-1}
-
- prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
-
- rulenum=$(($rulenum + 1))
- eval ${base}_logrules=$rulenum
- else
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
- fi
-
- if [ ${#prefix} -gt 29 ]; then
- prefix="`echo "$prefix" | truncate 28` "
- error_message "WARNING: Log Prefix shortened to \"$prefix\""
- fi
-
- case $level in
- ULOG)
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
- ;;
- *)
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
- ;;
- esac
-
- if [ $? -ne 0 ] ; then
- [ -z "$STOPPING" ] && { stop_firewall; exit 2; }
- fi
-}
-
-do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
-{
- local level
- level=$1
- local chain
- chain=$2
- local disposition
- disposition=$3
-
- shift 3
-
- do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
-}
-
-delete_tc1()
-{
- clear_one_tc() {
- tc qdisc del dev $1 root 2> /dev/null
- tc qdisc del dev $1 ingress 2> /dev/null
-
- }
-
- run_user_exit tcclear
-
- run_ip link list | \
- while read inx interface details; do
- case $inx in
- [0-9]*)
- clear_one_tc ${interface%:}
- ;;
- *)
- ;;
- esac
- done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
- local output
- output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
- if [ -n "$output" ]; then
- echo $(find_mtu $output)
- else
- echo 1500
- fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu ' otherwise, where is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
- local output
- output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
- local mtu
-
- if [ -n "$output" ]; then
- mtu=$(find_mtu $output)
- if [ -n "$mtu" ]; then
- [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
- fi
- fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-
- if [ -z "$NOROUTES" ]; then
- #
- # Restore rt_tables database
- #
- if [ -f ${VARDIR}/rt_tables ]; then
- [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
- rm -f ${VARDIR}/rt_tables
- fi
- #
- # Restore the rest of the routing table
- #
- if [ -f ${VARDIR}/undo_routing ]; then
- . ${VARDIR}/undo_routing
- progress_message "Shorewall-generated routing tables and routing rules removed"
- rm -f ${VARDIR}/undo_routing
- fi
- fi
-
-}
-
-restore_default_route() {
- if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
- local default_route
- default_route=
- local route
-
- while read route ; do
- case $route in
- default*)
- if [ -n "$default_route" ]; then
- case "$default_route" in
- *metric*)
- #
- # Don't restore a route with a metric -- we only replace the one with metric == 0
- #
- qt ip route delete default metric 0 && \
- progress_message "Default Route with metric 0 deleted"
- ;;
- *)
- qt ip route replace $default_route && \
- progress_message "Default Route (${default_route# }) restored"
- ;;
- esac
-
- break
- fi
-
- default_route="$default_route $route"
- ;;
- *)
- default_route="$default_route $route"
- ;;
- esac
- done < ${VARDIR}/default_route
-
- rm -f ${VARDIR}/default_route
- fi
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
- local result
-
- result=$(echo "a\tb")
- [ ${#result} -eq 3 ] && { echo echo; return; }
-
- result=$(echo -e "a\tb")
- [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
- result=$(which echo)
- [
-n "$result" ] && { echo "$result -e"; return; }
-
- echo echo
-}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-# None - No mktemp
-# BSD - BSD mktemp (Mandrake)
-# STD - mktemp.org mktemp
-#
-find_mktemp() {
- local mktemp
- mktemp=`mywhich mktemp 2> /dev/null`
-
- if [ -n "$mktemp" ]; then
- if qt mktemp -V ; then
- MKTEMP=STD
- else
- MKTEMP=BSD
- fi
- else
- MKTEMP=None
- fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
- [ -z "$MKTEMP" ] && find_mktemp
-
- if [ $# -gt 0 ]; then
- case "$MKTEMP" in
- BSD)
- mktemp $1/shorewall.XXXXXX
- ;;
- STD)
- mktemp -p $1 shorewall.XXXXXX
- ;;
- None)
- > $1/shorewall-$$ && echo $1/shorewall-$$
- ;;
- *)
- error_message "ERROR:Internal error in mktempfile"
- ;;
- esac
- else
- case "$MKTEMP" in
- BSD)
- mktemp /tmp/shorewall.XXXXXX
- ;;
- STD)
- mktemp -t shorewall.XXXXXX
- ;;
- None)
- rm -f /tmp/shorewall-$$
- > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
- ;;
- *)
- error_message "ERROR:Internal error in mktempfile"
- ;;
- esac
- fi
-}
diff --git a/Shorewall-common-IPv6-Aborted/lib.cli b/Shorewall-common-IPv6-Aborted/lib.cli
deleted file mode 100644
index d26b3cc38..000000000
--- a/Shorewall-common-IPv6-Aborted/lib.cli
+++ /dev/null
@@ -1,1146 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.cli. -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the command processing code common to /sbin/shorewall and -# /sbin/shorewall-lite. -# - -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " $@" >&2 - exit 2 -} - -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules). 
-# - -iptablesbug() -{ - if qt mywhich awk ; then - awk 'BEGIN { sline=""; };\ - /^-j/ { print sline $0; next };\ - /-m policy.*-j/ { print $0; next };\ - /-m policy/ { sline=$0; next };\ - /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\ - { print ; sline="" }' - else - echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 - cat - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE" - exit 2 - ;; - .safe|.try) - ;; - .*|NONE) - error_message "ERROR: Reserved File Name: $RESTOREFILE" - exit 2 - ;; - esac -} - -# -# Clear descriptor 1 if it is a terminal -# -clear_term() { - [ -t 1 ] && clear -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? -eq 2 && sleep $timeout -} - -# -# Determine if 'syslog -C' is running -# -syslog_circular_buffer() { - local pid - local tty - local flags - local cputime - local path - local args - local arg - - ps ax 2> /dev/null | while read pid tty flags cputime path args; do - case $path in - syslogd|*/syslogd) - for arg in $args; do - if [ x$arg = x-C ]; then - echo Yes - return - fi - done - ;; - esac - done -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - local options - - if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then - $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ - else - $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ - fi -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device - device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device 
$device: - tc -s -d qdisc show dev $device - echo - tc -s -d class show dev $device - echo - fi - } - - ip -o link list | while read inx interface details; do - show_one_tc ${interface%:} - done - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device - device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip -o link list | while read inx interface details; do - show_one_classifier ${interface%:} - done - -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt mywhich awk && haveawk=Yes || haveawk= - - while true; do - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log ($LOGFILE)" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Save currently running configuration -# -save_config() { - - local result - result=1 - - iptables_save=${IPTABLES}-save - - [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 - - if shorewall_is_started ; then - [ -d ${VARDIR} ] || mkdir -p ${VARDIR} - - if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2 - else - case $RESTOREFILE in - capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones) - echo " ERROR: Reserved file name: $RESTOREFILE" >&2 - ;; - *) - validate_restorefile RESTOREFILE - - if $IPTABLES -L dynamic -n > ${VARDIR}/save; then - echo " Dynamic Rules Saved" - if [ -f ${VARDIR}/.restore ]; then - if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then - cp -f ${VARDIR}/.restore $RESTOREPATH - mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables - chmod +x $RESTOREPATH - echo " Currently-running Configuration Saved to $RESTOREPATH" - - rm -f ${RESTOREPATH}-ipsets - - case ${SAVE_IPSETS:-No} in - [Yy][Ee][Ss]) - RESTOREPATH=${RESTOREPATH}-ipsets - - f=${VARDIR}/restore-$$ - - echo "#!/bin/sh" > $f - echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f - echo >> $f - echo ". ${SHAREDIR}/lib.base" >> $f - echo >> $f - cat ${VARDIR}/.modulesdir >> $f - echo >> $f - echo "reload_kernel_modules << __EOF__" >> $f - grep 'loadmodule ip_set' ${VARDIR}/.modules >> $f - echo "__EOF__" >> $f - echo >> $f - echo "ipset -U :all: :all:" >> $f - echo "ipset -U :all: :default:" >> $f - echo "ipset -F" >> $f - echo "ipset -X" >> $f - echo "ipset -R << __EOF__" >> $f - ipset -S >> $f - echo "__EOF__" >> $f - mv -f $f $RESTOREPATH - chmod +x $RESTOREPATH - echo " Current Ipset Contents Saved to $RESTOREPATH" - result=0 - ;; - [Nn][Oo]) - ;; - *) - echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. 
Ipset contents not saved" >&2 - ;; - esac - - run_user_exit save - else - rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" >&2 - fi - else - echo " ERROR: ${VARDIR}/.restore does not exist" >&2 - fi - else - echo "Error Saving the Dynamic Rules" >&2 - fi - ;; - esac - fi - else - echo "Shorewall isn't started" >&2 - fi - - return 0 - -} - -# -# Show routing configuration -# -show_routing() { - if [ -n "$(ip rule list)" ]; then - heading "Routing Rules" - ip rule list - ip rule list | while read rule; do - echo ${rule##* } - done | sort -u | while read table; do - heading "Table $table:" - ip route list table $table - done - else - heading "Routing Table" - ip route list - fi -} - -# -# Show Command Executor -# -show_command() { - local finished - finished=0 - local table - table=filter - local table_given - table_given= - - show_macro() { - foo=`grep 'This macro' $macro | sed 's/This macro //'` - if [ -n "$foo" ]; then - macro=${macro#*.} - foo=${foo%.*} - if [ ${#macro} -gt 10 ]; then - echo " $macro ${foo#\#}" - else - $ECHO_E " $macro \t${foo#\#}" - fi - fi - } - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - v*) - VERBOSE=$(($VERBOSE + 1 )) - option=${option#v} - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - m*) - SHOWMACS=Yes - option=${option#m} - ;; - f*) - FILEMODE=Yes - option=${option#f} - ;; - t) - [ $# -eq 1 ] && usage 1 - - case $2 in - mangle|nat|filter|raw) - table=$2 - table_given=Yes - ;; - *) - fatal_error "Invalid table name ($s)" - ;; - esac - - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ -n "$debugging" ] && set -x - case "$1" in - connections) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" - echo - [ -f /proc/net/ip_conntrack ] && cat 
/proc/net/ip_conntrack || cat /proc/net/nf_conntrack - ;; - nat) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers|filters) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 1 ] && usage 1 - if [ -f ${VARDIR}/zones ]; then - echo "$PRODUCT $version Zones at $HOSTNAME - $(date)" - echo - while read zone type hosts; do - echo "$zone ($type)" - for host in $hosts; do - case $host in - exclude) - echo " exclude:" - ;; - *) - echo " $host" - ;; - esac - done - done < ${VARDIR}/zones - echo - else - echo " ERROR: ${VARDIR}/zones does not exist" >&2 - exit 1 - fi - ;; - capabilities) - [ $# -gt 1 ] && usage 1 - determine_capabilities - VERBOSE=2 - if [ -n "$FILEMODE" ]; then - report_capabilities1 - else - report_capabilities - fi - ;; - ip) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version IP at $HOSTNAME - $(date)" - echo - ip -4 addr list - ;; - routing) - [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Routing at $HOSTNAME - $(date)" - echo - show_routing - ;; - config) - . 
${SHAREDIR}/configpath - echo "Default CONFIG_PATH is $CONFIG_PATH" - [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" - ;; - chain) - shift - echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -t $table -L $chain $IPT_OPTIONS - done - else - $IPTABLES -t $table -L $IPT_OPTIONS - fi - ;; - vardir) - echo $VARDIR; - ;; - *) - if [ "$PRODUCT" = Shorewall ]; then - case $1 in - actions) - [ $# -gt 1 ] && usage 1 - echo "allowBcast # Silently Allow Broadcast/multicast" - echo "allowInvalid # Accept packets that are in the INVALID conntrack state." - echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic" - echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)" - echo "dropBcast # Silently Drop Broadcast/multicast" - echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state" - echo "dropNotSyn # Silently Drop Non-syn TCP packets" - echo "drop1918src # Drop packets with an RFC 1918 source address (Shorewall-perl only)" - echo "drop1918dst # Drop packets with an RFC 1918 original dest address (Shorewall-perl only)" - echo "forwardUPnP # Allow traffic that upnpd has redirected from" - echo "rejNotSyn # Silently Reject Non-syn TCP packets" - echo "rej1918src # Reject packets with an RFC 1918 source address (Shorewall-perl only)" - echo "rej1918dst # Reject packets with an RFC 1918 original dest address (Shorewall-perl only)" - - if [ -f ${CONFDIR}/actions ]; then - cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$' - else - grep -Ev '^\#|^$' ${SHAREDIR}/actions.std - fi - - return - ;; - macros) - [ $# -gt 1 ] && usage 1 - - for directory in $(split $CONFIG_PATH); do - temp= - for macro in ${directory}/macro.*; do - case $macro in - *\*) - ;; - *) - if [ -z "$temp" ]; then - echo - echo "Macros in $directory:" - echo - 
temp=Yes - fi - show_macro - ;; - esac - done - done - return - ;; - esac - fi - - if [ $# -gt 0 ]; then - [ -n "$table_given" ] || for chain in $*; do - if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then - echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2 - exit 1 - fi - done - - echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)" - echo - show_reset - for chain in $*; do - $IPTABLES -t $table -L $chain $IPT_OPTIONS - done - else - echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t $table -L $IPT_OPTIONS - fi - ;; - esac -} - -# -# Dump Command Executor -# -dump_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - m*) - SHOWMACS=Yes - option=${option#m} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $VERBOSE -lt 2 ] && VERBOSE=2 - - [ -n "$debugging" ] && set -x - [ $# -eq 0 ] || usage 1 - clear_term - echo "$PRODUCT $version Dump at $HOSTNAME - $(date)" - echo - if [ -f /usr/share/shorewall-shell/version ]; then - echo " Shorewall-shell $(cat /usr/share/shorewall-shell/version)" - if [ -f /usr/share/shorewall-perl/version ]; then - echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" - fi - echo - elif [ -f /usr/share/shorewall-perl/version ]; then - echo " Shorewall-perl $(cat /usr/share/shorewall-perl/version)" - echo - fi - - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - $IPTABLES -L $IPT_OPTIONS - - heading "Log ($LOGFILE)" - packet_log 20 - - heading "NAT Table" - $IPTABLES -t nat -L $IPT_OPTIONS - - heading 
"Mangle Table" - $IPTABLES -t mangle -L $IPT_OPTIONS - - heading "Conntrack Table" - [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack - - heading "IP Configuration" - ip -4 addr list - - heading "IP Stats" - ip -stat link list - - if qt mywhich brctl; then - heading "Bridges" - brctl show - fi - - if qt mywhich setkey; then - heading "PFKEY SPD" - setkey -DP - heading "PFKEY SAD" - setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys - fi - - heading "/proc" - show_proc /proc/version - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do - show_proc $directory/$file - done - done - - show_routing - - heading "ARP" - arp -na - - if qt mywhich lsmod; then - heading "Modules" - lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort - fi - - determine_capabilities - echo - report_capabilities - - if [ -n "$TC_ENABLED" ]; then - heading "Traffic Control" - show_tc - heading "TC Filters" - show_classifiers - fi -} - -# -# Restore Comand Executor -# -restore_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - RESTOREFILE="$1" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - if [ -z "$STARTUP_ENABLED" ]; then - error_message "ERROR: Startup is disabled" - exit 2 - fi - - RESTOREPATH=${VARDIR}/$RESTOREFILE - - export NOROUTES - - [ -n "$nolock" ] || mutex_on - - if [ -x $RESTOREPATH ]; then - if [ -x ${RESTOREPATH}-ipsets ] ; then - echo Restoring Ipsets... 
- iptables -F - iptables -X - $SHOREWALL_SHELL ${RESTOREPATH}-ipsets - fi - - progress_message3 "Restoring Shorewall..." - - $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE" - - [ -n "$nolock" ] || mutex_off - else - echo "File $RESTOREPATH: file not found" - [ -n "$nolock" ] || mutex_off - exit 2 - fi -} - -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f ${VARDIR}/restarted ] && \ - echo "Counters reset $(cat ${VARDIR}/restarted)" && \ - echo -} - -# -# Display's the passed file name followed by "=" and the file's contents. -# -show_proc() # $1 = name of a file -{ - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -read_yesno_with_timeout() { - read -t 60 yn 2> /dev/null - if [ $? -eq 2 ] - then - # read doesn't support timeout - test -x /bin/bash || return 2 # bash is not installed so the feature is not available - /bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read - return $? - else - # read supports timeout - case "$yn" in - y|Y) - return 0 - ;; - *) - return 1 - ;; - esac - fi -} - -# -# Print a heading with leading and trailing black lines -# -heading() { - echo - echo "$@" - echo -} - -# -# Create the appropriate -q option to pass onward -# -make_verbose() { - local v - v=$VERBOSE_OFFSET - local option - option=- - - if [ -n "$USE_VERBOSITY" ]; then - echo "-v$USE_VERBOSITY" - elif [ $VERBOSE_OFFSET -gt 0 ]; then - while [ $v -gt 0 ]; do - option="${option}v" - v=$(($v - 1)) - done - - echo $option - elif [ $VERBOSE_OFFSET -lt 0 ]; then - while [ $v -lt 0 ]; do - option="${option}q" - v=$(($v + 1)) - done - - echo $option - fi -} - -# -# Executor for drop,reject,... 
commands -# -block() # $1 = command, $2 = Finished, $3 - $n addresses -{ - local chain - chain=$1 - local finished - finished=$2 - - shift 3 - - while [ $# -gt 0 ]; do - case $1 in - *-*) - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop - $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 - ;; - *) - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - qt $IPTABLES -D dynamic -s $1 -j logreject - qt $IPTABLES -D dynamic -s $1 -j logdrop - $IPTABLES -A dynamic -s $1 -j $chain || break 1 - ;; - esac - - echo "$1 $finished" - shift - done -} - -# -# 'hits' commmand executor -# -hits_command() { - local finished - finished=0 - local today - today= - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - t*) - today=$(date +'^%b %_d.*') - option=${option#t} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $# -eq 0 ] || usage 1 - - clear_term - echo "$PRODUCT $version Hits at $HOSTNAME - $(date)" - echo - - timeout=30 - - if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then - echo " HITS IP DATE" - echo " ---- --------------- ------" - $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | while read count address month day; do - printf '%7d %-15s %3s %2d\n' $count $address $month $day - done - - echo "" - - echo " HITS IP PORT" - echo " ---- --------------- -----" - $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ - t - s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do - printf '%7d 
%-15s %d\n' $count $address $port - done - - echo "" - - echo " HITS DATE" - echo " ---- ------" - $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do - printf '%7d %3s %2d\n' $count $month $day - done - - echo "" - - echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" - $LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do - # List all services defined for the given port - srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u) - srv=$(echo $srv | sed 's/ /,/g') - - if [ -n "$srv" ] ; then - printf '%7d %5d %s\n' $count $port $srv - else - printf '%7d %5d\n' $count $port - fi - done - fi -} - -# -# 'allow' command executor -# -allow_command() { - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then - [ -n "$nolock" ] || mutex_on - while [ $# -gt 1 ]; do - shift - case $1 in - *-*) - if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ - qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject - then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - ;; - *) - if qt $IPTABLES -D dynamic -s $1 -j reject ||\ - qt $IPTABLES -D dynamic -s $1 -j DROP ||\ - qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ - qt $IPTABLES -D dynamic -s $1 -j logreject - then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - ;; - esac - done - [ -n "$nolock" ] || mutex_off - else - error_message "ERROR: $PRODUCT is not started" - exit 2 - fi -} - -# -# 'logwatch' command executor -# -logwatch_command() { - shift - - finished=0 - - while [ $finished -eq 0 -a $# -ne 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ 
-n "$option" ]; do - case $option in - v*) - VERBOSE=$(($VERBOSE + 1 )) - option=${option#v} - ;; - q*) - VERBOSE=$(($VERBOSE - 1 )) - option=${option#q} - ;; - m*) - SHOWMACS=Yes - option=${option#m} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ -n "$debugging" ] && set -x - - if [ $# -eq 1 ]; then - logwatch $1 - elif [ $# -eq 0 ]; then - logwatch 30 - else - usage 1 - fi -} diff --git a/Shorewall-common-IPv6-Aborted/lib.config b/Shorewall-common-IPv6-Aborted/lib.config deleted file mode 100644 index 27608981e..000000000 --- a/Shorewall-common-IPv6-Aborted/lib.config +++ /dev/null 
@@ -1,2296 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.config -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library contains the configuration file parsing code common to -# /usr/share/shorewall/compiler and /usr/share/shorewall/firewall -# - -SHOREWALL_CONFIGVERSION=40000 - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - list="$@" - local part - local newlist - local firstpart - local lastpart - local enclosure - - case "$list" in - *,|,*|*,,*|*[[:space:]]*) - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'TERMINATOR' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - [ -n "$TERMINATOR" ] && \ - $TERMINATOR "Invalid comma-separated list \"$@\"" - echo "WARNING -- invalid comma-separated list \"$@\"" >&2 - ;; - *\[*\]*) - # - # Where we need to embed comma-separated lists within lists, we enclose them - # within square brackets. 
- # - firstpart=${list%%\[*} - lastpart=${list#*\[} - enclosure=${lastpart%%\]*} - lastpart=${lastpart#*\]} - case $lastpart in - \,*) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" - ;; - esac - ;; - *) - case $firstpart in - *\,) - echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" - ;; - *) - echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)" - ;; - esac - ;; - esac - return - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Return a space separated list of values matching -# -list_walk() # $1 = element to search for, $2-$n = list -{ - local e - e=$1 - local result - result= - - while [ $# -gt 1 ]; do - shift - case $1 in - $e*) - result="$result ${1##$e}" - ;; - esac - done - echo $result -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Filter that expands variables -# -expand_line() { - local line - - while read line; do - echo $(expand $line) - done -} - -# -# Add whitespace after leading "!" -# -fix_bang() -{ - local result - result= - - while [ $# -gt 0 ]; do - case $1 in - !*) - result="$result ! 
${1#!}" - ;; - *) - result="$result $1" - ;; - esac - shift - done - - echo $result -} - -# -# Read the zones file and find the firewall zone -# -get_firewall_zone() { - local zone - local type - local rest - local comment - comment='#*' - local f - f=$(find_file zones) - - [ -f $f ] || startup_error "Unable to find zones file" - - while read zone type rest; do - case $zone in - $comment) - ;; - *) - if [ "x$type" = xfirewall ]; then - FW=$zone - return - fi - ;; - esac - done < $f - - startup_error "No firewall zone defined in $f" -} - -# -# This function assumes that the TMP_DIR variable is set and that -# its value names an existing directory. -# -determine_zones() -{ - local zone - local parent - local parents - local rest - local new_zone_file - new_zone_file= - local r - - merge_zone() - { - local z - local zones - zones="$ZONES" - local merged - merged= - - if [ -n "$parents" ]; then - ZONES= - for z in $zones; do - if [ -z "$merged" ] && list_search $z $parents; then - ZONES="$ZONES $zone" - merged=Yes - fi - ZONES="$ZONES $z" - done - else - ZONES="$ZONES $zone" - fi - } - - ZONES= - IPV4_ZONES= - IPSEC_ZONES= - - [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" - - while read zone type rest; do - case $zone in - *:*) - parents=${zone#*:} - zone=${zone%:*} - [ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents" - parents=$(separate_list $parents) - eval ${zone}_parents=\"$parents\" - ;; - *) - parents= - eval ${zone}_parents= - ;; - esac - - for parent in $parents; do - [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" - list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" - done - - [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone" - - case "$zone" in - [0-9*]) - startup_error "Illegal zone name \"$zone\" in zones file" - ;; - all|none|SOURCE|DEST) - startup_error "Reserved zone name 
\"$zone\" in zones file" - ;; - esac - - if [ -n "$new_zone_file" ]; then - case ${type:=ipv4} in - ipv4|IPv4|IPV4|plain|-) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - IPV4_ZONES="$IPV4_ZONES $zone" - ;; - ipsec|IPSEC|ipsec4|IPSEC4) - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - merge_zone - IPSEC_ZONES="$IPSEC_ZONES $zone" - ;; - firewall) - [ -n "$FW" ] && startup_error "Only one firewall zone may be defined" - list_search $zone $ZONES && startup_error "Zone $zone is defined more than once" - [ -n "$parents" ] && startup_error "The firewall zone may not be nested" - for r in $rest; do - [ "x$r" = x- ] || startup_error "OPTIONS not allowed on the firewall zone" - done - FW=$zone - ;; - bport|bport4) - [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type" - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - merge_zone - BRIDGING=Yes - ;; - *) - startup_error "Invalid Zone Type: $type" - ;; - esac - - eval ${zone}_type=$type - else - list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once" - ZONES="$ZONES $zone" - IPV4_ZONES="$IPV4_ZONES $zone" - eval ${zone}_type=ipv4 - fi - done < $TMP_DIR/zones - - [ -z "$ZONES" ] && startup_error "No ipv4 or ipsec Zones Defined" - - [ -z "$FW" ] && startup_error "No Firewall Zone Defined" -} - -# -# Validate the zone names and options in the interfaces file -# -validate_interfaces_file() { - local wildcard - local found_obsolete_option - found_obsolete_option= - local z - local interface - local networks - local options - local r - local iface - local option - - while read z interface networks options; do - r="$z $interface $networks $options" - - [ "x$z" = "x-" ] && z= - - if [ -n "$z" ]; then 
- validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - fi - - list_search $interface $ALL_INTERFACES && \ - startup_error "Duplicate Interface $interface" - - wildcard= - - case $interface in - *:*) - if [ "$PROGRAM" != compiler ]; then - # - # Assume that this is 4.0 syntax for a bridge - # - local bridge - bridge=${interface%:*} - list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge" - interface=${interface#*:} - else - startup_error "Invalid Interface Name: $interface" - fi - ;; - +) - startup_error "Invalid Interface Name: +" - ;; - *+) - wildcard=Yes - ;; - esac - - ALL_INTERFACES="$ALL_INTERFACES $interface" - options=$(separate_list $options) - iface=$(chain_base $interface) - - eval ${iface}_broadcast="$networks" - eval ${iface}_zone="$z" - eval ${iface}_options=\"$options\" - - for option in $options; do - case $option in - -) - ;; - dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|nosmurfs|upnp|-) - ;; - proxyarp) - [ "$PROGRAM" = compiler ] && lib_load proxyarp "The 'proxyarp' option on interface $interface" - ;; - maclist) - [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option" - ;; - norfc1918) - if [ "$PROGRAM" != compiler ]; then - addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1) - if [ -n "$addr" ]; then - addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//') - for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do - if in_network $addr $network; then - startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. 
Interface:$interface" - fi - done - fi - fi - ;; - arp_ignore=*) - eval ${iface}_arp_ignore=${option#*=} - ;; - arp_ignore) - eval ${iface}_arp_ignore=1 - ;; - detectnets) - [ -n "$wildcard" ] && \ - startup_error "The \"detectnets\" option may not be used with a wild-card interface" - [ -n "$EXPORT" ] && \ - startup_error "'detectnets' not permitted with the -e run-line option" - ;; - routeback) - [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" - ;; - *) - [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done < $TMP_DIR/interfaces - - [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" -} - -# -# Process the ipsec information in the zones file -# -setup_ipsec() { - local zone - local using_ipsec - using_ipsec= - # - # Add a --set-mss rule to the passed chain - # - set_mss1() # $1 = chain, $2 = MSS - { - local policy - eval policy=\$${1}_policy - - if [ "$policy" != NONE ]; then - ensurechain $1 - local match - match= - [ "$TCPMSS_MATCH" ] && match="-m tcpmss --mss $2: " - run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $2 - fi - } - # - # Set up rules to set MSS to and/or from zone "$zone" - # - set_mss() # $1 = MSS value, $2 = _in, _out or "" - { - for z in $ZONES $FW; do - case $2 in - _in) - set_mss1 ${zone}2${z} $1 - ;; - _out) - set_mss1 ${z}2${zone} $1 - ;; - *) - set_mss1 ${z}2${zone} $1 - set_mss1 ${zone}2${z} $1 - ;; - esac - done - } - - do_options() # $1 = _in, _out or "" - $2 = option list - { - local option - local newoptions - newoptions= - local val - - [ x${2} = x- ] && return - - for option in $(separate_list $2); do - val=${option#*=} - - case $option in - mss=[0-9]*) [ "$PROGRAM" = compiler ] && set_mss $val $1 ;; - strict) newoptions="$newoptions --strict" ;; - next) newoptions="$newoptions --next" ;; - reqid=*) newoptions="$newoptions --reqid $val" ;; - spi=*) newoptions="$newoptions 
--spi $val" ;; - proto=*) newoptions="$newoptions --proto $val" ;; - mode=*) newoptions="$newoptions --mode $val" ;; - tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; - tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; - reqid!=*) newoptions="$newoptions ! --reqid $val" ;; - spi!=*) newoptions="$newoptions ! --spi $val" ;; - proto!=*) newoptions="$newoptions ! --proto $val" ;; - mode!=*) newoptions="$newoptions ! --mode $val" ;; - tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; - tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; - *) fatal_error "Invalid option \"$option\" for zone $zone" ;; - esac - done - - if [ -n "$newoptions" ]; then - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_complex=Yes - eval ${zone}_ipsec${1}_options=\"${newoptions# }\" - fi - } - - case $IPSECFILE in - zones) - f=zones - progress_message "$DOING IPSEC..." - [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." - ;; - ipsec) - using_ipsec=Yes - if [ -s ${TMP_DIR}/ipsec ]; then - progress_message "$DOING ipsec..." - [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." 
- f=ipsec - else - return - fi - ;; - esac - - while read zone type options in_options out_options mss; do - if [ -n "$using_ipsec" ]; then - validate_zone1 $zone || fatal_error "Unknown zone: $zone" - fi - - if [ -n "$type" ]; then - if [ -n "$using_ipsec" ]; then - case $type in - No|no) - ;; - Yes|yes) - [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" - eval ${zone}_is_ipsec=Yes - eval ${zone}_is_complex=Yes - eval ${zone}_type=ipsec4 - ;; - *) - fatal_error "Invalid IPSEC column contents" - ;; - esac - fi - - do_options "" $options - do_options "_in" $in_options - do_options "_out" $out_options - fi - - done < $TMP_DIR/$f -} - -# -# Validate the zone names and options in the hosts file -# -validate_hosts_file() { - local z - local hosts - local options - local r - local interface - local host - local option - local zports - local ipsec - ipsec= - - check_bridge_port() - { - list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" - list_search $1 $ALL_PORTS || ALL_PORTS="$ALL_PORTS $1" - } - - while read z hosts options; do - r="$z $hosts $options" - validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - - case $hosts in - *:*) - - interface=${hosts%%:*} - iface=$(chain_base $interface) - - list_search $interface $ALL_INTERFACES || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - - hosts=${hosts#*:} - ;; - *) - startup_error "Invalid HOST(S) column contents: $hosts" - ;; - esac - - eval zports=\$${z}_ports - - if [ -z "$BRIDGING" ]; then - case $hosts in - *!*!*) - startup_error "Invalid hosts file entry: \"$r\"" - ;; - !*) - hosts=0.0.0.0/0 - eval ${z}_is_complex=Yes - ;; - *!*) - hosts=${hosts%%!*} - eval ${z}_is_complex=Yes - ;; - esac - fi - - for host in $(separate_list $hosts); do - if [ -n "$BRIDGING" ]; then - case $host in - *:*) - known_interface ${host%:*} && \ - startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: 
$host"
- check_bridge_port ${host%%:*}
- ;;
- *.*.*)
- ;;
- *+|+*|*!*)
- eval ${z}_is_complex=Yes
- ;;
- *)
- known_interface $host && \
- startup_error "Bridged interfaces may not be defined in ${CONFDIR}/interfaces: $host"
- check_bridge_port $host
- ;;
- esac
- else
- case $host in
- *.*.*)
- ;;
- +*)
- eval ${z}_is_complex=Yes
- ;;
- *)
- startup_error "BRIDGING=Yes is needed for this zone definition: $r"
- ;;
- esac
- fi
-
- for option in $(separate_list $options) ; do
- case $option in
- norfc1918|blacklist|tcpflags|nosmurfs|-)
- ;;
- maclist)
- [ "$PROGRAM" = compiler ] && lib_load maclist "The 'maclist' option"
- ;;
- ipsec)
- [ -n "$POLICY_MATCH" ] || \
- startup_error "Your kernel and/or iptables does not support policy match: ipsec"
- eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
- eval ${z}_is_complex=Yes
- ipsec=Yes
- ;;
- routeback)
- eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
- ;;
- *)
- error_message "WARNING: Invalid option ($option) in record \"$r\""
- ;;
- esac
- done
- done
-
- [ -n "$zports" ] && eval ${z}_ports=\"$zports\"
-
- done < $TMP_DIR/hosts
-
- [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS"
-
- [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=
-}
-
-#
-# Find interfaces to a given zone
-#
-# Search the variables representing the contents of the interfaces file and
-# for each record matching the passed ZONE, echo the expanded contents of
-# the "INTERFACE" column
-#
-find_interfaces() # $1 = interface zone
-{
- local zne
- zne=$1
- local z
- local interface
-
- for interface in $ALL_INTERFACES; do
- eval z=\$$(chain_base $interface)_zone
- [ "x${z}" = x${zne} ] && echo $interface
- done
-}
-
-#
-# Forward Chain for an interface
-#
-forward_chain() # $1 = interface
-{
- echo $(chain_base $1)_fwd
-}
-
-#
-# Input Chain for an interface
-#
-input_chain() # $1 = interface
-{
- echo $(chain_base $1)_in
-}
-
-#
-# Output Chain for an interface
-#
-output_chain() # $1 = interface
-{
- 
echo $(chain_base $1)_out
-}
-
-#
-# Masquerade Chain for an interface
-#
-masq_chain() # $1 = interface
-{
- echo $(chain_base $1)_masq
-}
-
-#
-# MAC Verification Chain for an interface
-#
-mac_chain() # $1 = interface
-{
- echo $(chain_base $1)_mac
-}
-
-macrecent_target() # $1 - interface
-{
- [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
-}
-
-#
-# Functions for creating dynamic zone rules
-#
-dynamic_fwd() # $1 = interface
-{
- echo $(chain_base $1)_dynf
-}
-
-dynamic_in() # $1 = interface
-{
- echo $(chain_base $1)_dyni
-}
-
-dynamic_out() # $1 = interface
-{
- echo $(chain_base $1)_dyno
-}
-
-dynamic_chains() #$1 = interface
-{
- local c
- c=$(chain_base $1)
-
- echo ${c}_dyni ${c}_dynf ${c}_dyno
-}
-
-#
-# DNAT Chain from a zone
-#
-dnat_chain() # $1 = zone
-{
- echo ${1}_dnat
-}
-
-#
-# SNAT Chain to an interface
-#
-snat_chain() # $1 = interface
-{
- echo $(chain_base $1)_snat
-}
-
-#
-# ECN Chain to an interface
-#
-ecn_chain() # $1 = interface
-{
- echo $(chain_base $1)_ecn
-}
-
-#
-# First chains for an interface
-#
-first_chains() #$1 = interface
-{
- local c
- c=$(chain_base $1)
-
- echo ${c}_fwd ${c}_in
-}
-
-#
-# Out Chain to an interface
-#
-out_chain() # $1 = interface
-{
- echo $(chain_base $1)_out
-}
-
-#
-# Horrible hack to work around an iptables limitation
-#
-iprange_echo()
-{
- if [ -n "$KLUDGEFREE" ]; then
- echo "-m iprange $@"
- elif [ -f $TMP_DIR/iprange ]; then
- echo $@
- else
- echo "-m iprange $@"
- > $TMP_DIR/iprange
- fi
-}
-
-#
-# Get set flags (ipsets). 
-# -get_set_flags() # $1 = set name and optional [levels], $2 = src or dst -{ - local temp - local setname - setname=$1 - local options - options=$2 - - [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1" - - case $1 in - *\[[1-6]\]) - temp=${1#*\[} - temp=${temp%\]} - setname=${1%\[*} - while [ $temp -gt 1 ]; do - options="$options,$2" - temp=$(($temp - 1)) - done - ;; - *\[*\]) - options=${1#*\[} - options=${options%\]} - setname=${1%\[*} - ;; - *) - ;; - esac - - echo "--set ${setname#+} $options" -} - -# -# Horrible hack to work around an iptables limitation -# -physdev_echo() -{ - if [ -n "$KLUDGEFREE" ]; then - echo -m physdev $@ - elif [ -f $TMP_DIR/physdev ]; then - echo $@ - else - echo -m physdev $@ - > $TMP_DIR/physdev - fi -} - -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --src-range ${1#!}" - ;; - *) - iprange_echo "--src-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} src)" - ;; - +*) - echo "-m set $(get_set_flags $1 src)" - ;; - *) - echo "-s $1" - ;; - esac -} - -# -# Destination IP range -# -dest_ip_range() # $1 = Address or Address Range -{ - [ $# -gt 0 ] && case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --dst-range ${1#!}" - ;; - *) - iprange_echo "--dst-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} dst)" - ;; - +*) - echo "-m set $(get_set_flags $1 dst)" - ;; - *) - echo "-d $1" - ;; - esac -} - -both_ip_ranges() # $1 = Source address or range, $2 = dest address or range -{ - local rangeprefix - rangeprefix= - local setprefix - setprefix= - local rangematch - rangematch= - local setmatch - setmatch= - - case $1 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="--src-range $1" - ;; - !+*) - setprefix="-m set" - setmatch="! 
$(get_set_flags ${1#!} src)" - ;; - +*) - setprefix="-m set" - setmatch="$(get_set_flags $1 src)" - ;; - *) - rangematch="-s $1" - ;; - esac - - case $2 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="$rangematch --dst-range $2" - ;; - !+*) - setprefix="-m set" - match="$setmatch ! $(get_set_flags ${2#!} dst)" - ;; - +*) - setprefix="-m set" - setmatch="$setmatch $(get_set_flags $2 dst)" - ;; - *) - rangematch="$rangematch -d $2" - ;; - esac - - echo "$rangeprefix $rangematch $setprefix $setmatch" -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern - pattern=${1%+} - - case $1 in - *+) - test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# We allow hosts to be specified by IP address or by physdev. These two functions -# are used to produce the proper match in a netfilter rule. -# -match_source_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(source_ip_range $1) - ;; - *) - physdev_echo "--physdev-in $1" - ;; - esac - else - echo $(source_ip_range $1) - fi -} - -match_dest_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" - ;; - *.*.*.*|+*|!+*) - echo $(dest_ip_range $1) - ;; - *) - physdev_echo "--physdev-out $1" - ;; - esac - else - echo $(dest_ip_range $1) - fi -} -# -# Matches for either or :
-#
-match_source()
-{
- case "$1" in
- *:*)
- echo "-i ${1%%:*} $(match_source_hosts ${1#*:})"
- ;;
- *)
- echo $(dest_ip_range $1)
- ;;
- esac
-}
-
-match_dest()
-{
- case "$1" in
- *:*)
- echo "-o ${1%%:*} $(match_dest_hosts ${1#*:})"
- ;;
- *)
- echo $(dest_ip_range $1)
- ;;
- esac
-}
-
-#
-# Similarly, the source or destination in a rule can be qualified by a device name. If
-# the device is defined in ${CONFDIR}/interfaces then a normal interface match is
-# generated (-i or -o); otherwise, a physdev match is generated.
-#-------------------------------------------------------------------------------------
-#
-# loosely match the passed interface with those in ${CONFDIR}/interfaces.
-#
-known_interface() # $1 = interface name
-{
- local iface
-
- for iface in $ALL_INTERFACES ; do
- if if_match $iface $1 ; then
- return 0
- fi
- done
-
- return 1
-}
-
-known_port() # $1 = port name
-{
- local port
-
- for port in $ALL_PORTS ; do
- if if_match $port $1 ; then
- return 0
- fi
- done
-
- return 1
-}
-
-match_source_dev()
-{
- if [ -n "$BRIDGING" ]; then
- known_port $1 && physdev_echo "--physdev-in $1" || echo -i $1
- elif known_interface $1; then
- echo -i $1
- elif [ -n "$PHYSDEV_MATCH" ]; then
- physdev_echo "--physdev-in $1"
- else
- echo -i $1
- fi
-}
-
-match_dest_dev()
-{
- if [ -n "$BRIDGING" ]; then
- known_port $1 && physdev_echo "--physdev-out $1" || echo -o $1
- elif known_interface $1; then
- echo -o $1
- elif [ -n "$PHYSDEV_MATCH" ]; then
- physdev_echo "--physdev-out $1"
- else
- echo -o $1
- fi
-}
-
-verify_interface()
-{
- known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; }
-}
-
-#
-# Determine if communication to/from a host is encrypted using IPSEC
-#
-is_ipsec_host() # $1 = zone, $2 = host
-{
- local is_ipsec
- eval is_ipsec=\$${1}_is_ipsec
- local hosts
- eval hosts=\"\$${1}_ipsec_hosts\"
-
- test -n "$is_ipsec" || list_search $2 $hosts
-}
-
-#
-# Generate a match for decrypted packets
-#
-match_ipsec_in() # $1 = zone, $2 = host
-{ 
- if is_ipsec_host $1 $2 ; then
- local options
- eval options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
- echo "-m policy --pol ipsec --dir in $options"
- elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir in"
- fi
-}
-
-#
-# Generate a match for packets that will be encrypted
-#
-match_ipsec_out() # $1 = zone, $2 = host
-{
- if is_ipsec_host $1 $2 ; then
- local options
- eval options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
- echo "-m policy --pol ipsec --dir out $options"
- elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir out"
- fi
-}
-
-#
-# Jacket for ip_range() that takes care of iprange match
-#
-
-firewall_ip_range() # $1 = IP address or range
-{
- [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
-}
-
-#
-#
-# Find hosts in a given zone
-#
-# Read hosts file and for each record matching the passed ZONE,
-# echo the expanded contents of the "HOST(S)" column
-#
-find_hosts() # $1 = host zone
-{
- local hosts
- local interface
- local address
- local addresses
-
- while read z hosts options; do
- if [ "x$(expand $z)" = "x$1" ]; then
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- case $addresses in
- !*)
- echo $interface:0.0.0.0/0
- ;;
- *)
- for address in $(separate_list ${addresses%%!*}); do
- echo $interface:$address
- done
- ;;
- esac
- fi
- done < $TMP_DIR/hosts
-}
-
-#
-#
-# Find exclusions in a given zone
-#
-# Read hosts file and for each record matching the passed ZONE,
-# echo any exclusions
-#
-find_exclusions() # $1 = host zone
-{
- local hosts
- local interface
- local address
- local addresses
-
- while read z hosts options; do
- if [ "x$z" = "x$1" ]; then
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- case $addresses in
- *!*)
- for address in $(separate_list ${addresses#*!}); do
- echo $interface:$address
- done
- ;;
- esac
- fi
- done < $TMP_DIR/hosts
-}
-
-#
-# Determine the interfaces on the firewall
-#
-# For each zone, create a variable called ${zone}_interfaces. 
This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $ZONES; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Determine the defined hosts in each zone -# -determine_hosts() { - for zone in $ZONES; do - hosts=$(find_hosts $zone) - hosts=$(echo $hosts) # Remove extra trash - exclusions=$(find_exclusions $zone) - exclusions=$(echo $exclusions) # Remove extra trash - - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if interface_has_option $interface detectnets; then - networks=$(get_routed_networks $interface "detectnets not allowed on interface with default route - $interface" ) - else - networks=0.0.0.0/0 - fi - - for network in $networks; do - if [ -z "$hosts" ]; then - hosts=$interface:$network - else - hosts="$hosts $interface:$network" - fi - - if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" - fi - done - done - - interfaces= - - for host in $hosts; do - interface=${host%:*} - if list_search $interface $interfaces; then - list_search $interface:0.0.0.0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - list_search $interface:0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - eval ${zone}_is_complex=Yes - else - if [ -z "$interfaces" ]; then - interfaces=$interface - else - interfaces="$interfaces $interface" - fi - fi - done - - eval ${zone}_exclusions="\$exclusions" - eval ${zone}_interfaces="\$interfaces" - eval ${zone}_hosts="\$hosts" - - if [ -n "$hosts" ]; then - if [ $VERBOSE -ge 1 ]; then - [ -n "$exclusions" ] && display_list "$zone Zone:" 
$hosts minus "($exclusions)" || display_list "$zone Zone:" $hosts
- fi
- else
- error_message "WARNING: Zone $zone is empty"
- fi
- done
-}
-
-#
-# Ensure that the passed zone is defined in the zones file or is the firewall
-#
-validate_zone() # $1 = zone
-{
- list_search $1 $ZONES $FW
-}
-#
-# Ensure that the passed zone is defined in the zones file.
-#
-validate_zone1() # $1 = zone
-{
- list_search $1 $ZONES
-}
-
-#
-# Format a match by the passed MAC address
-# The passed address begins with "~" and uses "-" as a separator between bytes
-# Example: ~01-02-03-04-05-06
-#
-mac_match() # $1 = MAC address formated as described above
-{
- echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
-}
-
-#
-# Find interfaces that have the passed option specified
-#
-find_interfaces_by_option() # $1 = option
-{
- for interface in $ALL_INTERFACES; do
- eval options=\$$(chain_base $interface)_options
- list_search $1 $options && echo $interface
- done
-}
-
-#
-# This slightly slower version is used to find both the option and option followed
-# by equal sign ("=") and a value
-#
-find_interfaces_by_option1() # $1 = option
-{
- local options
- local option
-
- for interface in $ALL_INTERFACES; do
- eval options=\$$(chain_base $interface)_options
- for option in $options; do
- if [ "${option%=*}" = "$1" ]; then
- echo $interface
- break
- fi
- done
- done
-}
-
-#
-# Find hosts with the passed option
-#
-find_hosts_by_option() # $1 = option
-{
- local ignore
- local hosts
- local interface
- local address
- local addresses
- local options
- local ipsec
- ipsec=
- local list
-
- while read ignore hosts options; do
- list=$(separate_list $options)
- if list_search $1 $list; then
- list_search ipsec $list && ipsec=ipsec || ipsec=none
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- for address in $(separate_list $addresses); do
- echo ${ipsec}^$interface:$address
- done
- fi
- done < $TMP_DIR/hosts
-
- for interface in $ALL_INTERFACES; do
- interface_has_option 
$interface $1 && \
- echo none^${interface}:0.0.0.0/0
- done
-}
-
-#
-# Process the routestopped file either adding or deleting rules
-#
-process_routestopped() # $1 = command
-{
- local hosts
- hosts=
- local interface
- local host
- local host1
- local options
- local networks
- local source
- source=
- local dest
- dest=
- local matched
-
- while read interface host options; do
- [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
- for h in $(separate_list $host); do
- hosts="$hosts $interface:$h"
- done
-
- routeback=
-
- if [ -n "$options" ]; then
- for option in $(separate_list $options); do
- case $option in
- routeback)
- if [ -n "$routeback" ]; then
- error_message "WARNING: Duplicate routestopped option ignored: routeback"
- else
- routeback=Yes
- for h in $(separate_list $host); do
- run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
- done
- fi
- ;;
- source)
- for h in $(separate_list $host); do
- source="$source $interface:$h"
- done
- ;;
- dest)
- for h in $(separate_list $host); do
- dest="$dest $interface:$h"
- done
- ;;
- critical)
- ;;
- *)
- error_message "WARNING: Unknown routestopped option ignored: $option"
- ;;
- esac
- done
- fi
-
- done < $TMP_DIR/routestopped
-
-
- for host in $hosts; do
- interface=${host%:*}
- networks=${host#*:}
- source_range=$(source_ip_range $networks)
- dest_range=$(dest_ip_range $networks)
- run_iptables $1 INPUT -i $interface $source_range -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- run_iptables $1 OUTPUT -o $interface $dest_range -j ACCEPT
-
- matched=
-
- if list_search $host $source ; then
- run_iptables $1 FORWARD -i $interface $source_range -j ACCEPT
- matched=Yes
- fi
-
- if list_search $host $dest ; then
- run_iptables $1 FORWARD -o $interface $dest_range -j ACCEPT
- matched=Yes
- fi
-
- if [ -z "$matched" ]; then
- for host1 in $hosts; do
- [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j 
ACCEPT - done - fi - done -} - -process_criticalhosts() -{ - local hosts - hosts= - local interface - local host - local h - local options - local networks - local criticalhosts - criticalhosts= - - while read interface host options; do - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback|source|dest) - ;; - critical) - for h in $host; do - criticalhosts="$criticalhosts $interface:$h" - done - ;; - *) - error_message "WARNING: Unknown routestopped option ignored: $option" - ;; - esac - done - fi - done < $TMP_DIR/routestopped - - if [ -n "$criticalhosts" ]; then - CRITICALHOSTS=$criticalhosts - progress_message "Critical Hosts are:$CRITICALHOSTS" - fi - -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - qt rm -rf /tmp/shorewall-$$ - mkdir -p /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - error_message "ERROR:Internal error in mktempdir" - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first - local rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$TERMINATOR" ] && $TERMINATOR "No such file: $1" - echo "WARNING -- No such file: $1" - fi -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - if [ ! 
-f $TMP_DIR/$1 ]; then - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi - fi -} - -# -# Strip the passed file. -# -# Return success if -# a) the stripped file is non-empty and the library was successfully loaded; or -# b) the stripped file is empty but the library had been loaded previously -# -strip_file_and_lib_load() # $1 = logical file name, $2 = library to load if the stripped file is non-empty -{ - local f - f=$(find_file $1) - - strip_file $1 $f - - if [ -s $TMP_DIR/$1 ]; then - lib_load $2 "A non-empty $1 file ($f)" - return 0 - fi - - eval test -n \"\$LIB_${2}_LOADED\" -} - -# -# Check that a mark value or mask is less that 256 or that it is less than 65536 and -# that it's lower 8 bits are zero. -# -verify_mark() # $1 = value to test -{ - verify_mark2() - { - case $1 in - 0*) - [ $(($1)) -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $(($1)) -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - [1-9]*) - [ $1 -lt 256 ] && return 0 - [ -n "$HIGH_ROUTE_MARKS" ] || return 1 - [ $1 -gt 65535 ] && return 1 - return $(($1 & 0xFF)) - ;; - *) - return 2 - ;; - esac - } - - verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val - val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value 
($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - # Make sure umask is sane - umask 077 - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - TERMINATOR=fatal_error - # - # Clear all configuration variables (shorewall.conf) - # - STARTUP_ENABLED= - # - #VERBOSE is inherited -- VERBOSITY is only used in the CIs - # - # - # Logging - # - LOGFILE= - LOGFORMAT= - LOGTAGONLY= - LOGRATE= - LOGBURST= - LOGALLNEW= - BLACKLIST_LOGLEVEL= - MACLIST_LOG_LEVEL= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - SMURF_LOG_LEVEL= - LOG_MARTIANS= - # - # Location of files - # - IPTABLES= - #PATH is inherited - SHOREWALL_SHELL= - SUBSYSLOCK= - MODULESDIR= - #CONFIG_PATH is inherited - RESTOREFILE= - IPSECFILE= - LOCKFILE= - # - # Default Actions/Macros - # - DROP_DEFAULT= - REJECT_DEFAULT= - ACCEPT_DEFAULT= - QUEUE_DEFAULT= - # - # Firewall Options - # - IP_FORWARDING= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - RETAIN_ALIASES= - TC_ENABLED= - TC_EXPERT= - CLEAR_TC= - MARK_IN_FORWARD_CHAIN= - CLAMPMSS= - ROUTE_FILTER= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - DELAYBLACKLISTLOAD= - MODULE_SUFFIX= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - RFC1918_STRICT= - MACLIST_TABLE= - MACLIST_TTL= - SAVE_IPSETS= - MAPOLDACTIONS= - FASTACCEPT= - IMPLICIT_CONTINUE= - HIGH_ROUTE_MARKS= - USE_ACTIONS= - OPTIMIZE= - EXPORTPARAMS= - KEEP_TC_RULES= - DELETE_THEN_ADD= - DONT_LOAD= - # - # Packet Disposition - # - MACLIST_DISPOSITION= - TCP_FLAGS_DISPOSITION= - BLACKLIST_DISPOSITION= - # - # Other Globals - # - VERSION= - FW= - USEPKTYPE= - LOGLIMIT= - LOGPARMS= - OUTPUT= - ALL_INTERFACES= - ROUTEMARK_INTERFACES= - PROVIDERS= - CRITICALHOSTS= - EXCLUSION_SEQ=1 - STOPPING= - HAVE_MUTEX= - ALIASES_TO_ADD= - SECTION=ESTABLISHED - 
SECTIONS= - ALL_PORTS= - ACTIONS= - USEDACTIONS= - DEFAULT_MACROS= - COMMENT= - VERSION_FILE= - LOGRULENUMBERS= - ORIGINAL_POLICY_MATCH= - ORIGINAL_MANGLE_ENABLED= - - ensure_config_path - - VERSION_FILE=$SHAREDIR/version - - [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) - - [ -d /usr/share/shorewall-perl ] && set -a; - - run_user_exit params - - set +a - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config - else - startup_error "Cannot read $config (Hint: Are you root?)" - fi - else - startup_error "$config does not exist!" - fi - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - startup_error "Can't create a temporary directory" - - case $PROGRAM in - compiler) - trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - firewall) - trap "[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 - ;; - esac - - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to accurately determine - # capabilities when module autoloading isn't enabled. - # - PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) - [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )" - - [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - - if [ -z "$EXPORT" -a $(id -u) -eq 0 ]; then - - load_kernel_modules Yes - - if [ -z "$IPTABLES" ]; then - IPTABLES=$(mywhich iptables 2> /dev/null) - [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" - else - [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" - fi - - f=$(find_file capabilities) - - [ -f $f ] && . $f || determine_capabilities - else - f=$(find_file capabilities) - [ -f $f ] && . 
$f || startup_error "The -e flag requires a capabilities file" - fi - - if [ -n "$CAPVERSION" ]; then - [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION" - else - error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION" - fi - - ORIGINAL_POLICY_MATCH=$POLICY_MATCH - ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED - - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$ROUTE_FILTER" ]; then - case "$ROUTE_FILTER" in - Yes|yes|YES) - ROUTE_FILTER=yes - ;; - No|no|NO) - ROUTE_FILTER=no - ;; - Keep|keep|KEEP) - ROUTE_FILTER= - ;; - *) - startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER" - ;; - esac - else - ROUTE_FILTER= - fi - - if [ -n "$LOG_MARTIANS" ]; then - case "$LOG_MARTIANS" in - Yes|yes|YES) - LOG_MARTIANS=yes - ;; - No|no|NO) - LOG_MARTIANS=no - ;; - Keep|keep|KEEP) - LOG_MARTIANS= - ;; - *) - startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS" - ;; - esac - else - LOG_MARTIANS=yes - fi - - [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] - - case "$CLAMPMSS" in - [0-9]*) - ;; - *) - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ;; - esac - - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - - MACLIST_TARGET=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case 
$MACLIST_DISPOSITION in - REJECT) - ;; - DROP) - MACLIST_TARGET=DROP - ;; - ACCEPT) - MACLIST_TARGET=RETURN - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -n "${RFC1918_LOG_LEVEL:=info}" ] - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null) - if [ $? 
-ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" - - MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) )) - MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*} - else - LOGFORMAT="Shorewall:%s:%s:" - MAXZONENAMELENGTH=5 - fi - - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - if [ -n "$DYNAMIC_ZONES" ]; then - [ -n "$EXPORT" ] && startup_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" - lib_avail dynamiczones || error_message "WARNING: DYNAMIC_ZONES=Yes requires the Shorewall dynamiczones library (${SHAREDIR}/lib.dynamiczones) which is not installed" - fi - - STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) - RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) - [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= - DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) - LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) - MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) - FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) - - [ -n "$FASTACCEPT" -a -z "$BLACKLISTNEWONLY" ] && error_message "WARNING: BLACKLISTNEWONLY=No does not work with FASTACCEPT=Yes" - - IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) - HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) - TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) - 
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) - EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS) - KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) - DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) - - if [ -n "$MANGLE_ENABLED" ] ; then - case $MANGLE_ENABLED in - Yes|yes) - ;; - No|no) - MANGLE_ENABLED= - ;; - *) - startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; - ;; - esac - fi - - [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - - [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= - [ -n "$XMARK" ] || XCONNMARK= - - [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" - - case ${MACLIST_TABLE:=filter} in - filter) - ;; - mangle) - [ $MACLIST_DISPOSITION = reject ] && startup_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" - ;; *) - startup_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" - ;; - esac - - TC_SCRIPT= - - if [ -n "$TC_ENABLED" ] ; then - case "$TC_ENABLED" in - [Yy][Ee][Ss]) - TC_ENABLED=Yes - TC_SCRIPT=$(find_file tcstart) - [ -f $TC_SCRIPT ] || startup_error "Unable to find tcstart file" - ;; - [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) - TC_ENABLED=Internal - ;; - [Nn][Oo]) - TC_ENABLED= - ;; - esac - else - TC_ENABLED=Yes - fi - - if [ -n "$TC_ENABLED" ];then - [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" - [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf" - fi - - [ "x${SHOREWALL_DIR}" = "x." 
] && SHOREWALL_DIR="$PWD" - [ -n "${RESTOREFILE:=restore}" ] - - case "${DROP_DEFAULT:=Drop}" in - None) - DROP_DEFAULT=none - ;; - esac - - case "${REJECT_DEFAULT:=Reject}" in - None) - REJECT_DEFAULT=none - ;; - esac - - case "${QUEUE_DEFAULT:=none}" in - None) - QUEUE_DEFAULT=none - ;; - esac - - case "${ACCEPT_DEFAULT:=none}" in - None) - ACCEPT_DEFAULT=none - ;; - esac - - case "${OPTIMIZE:=0}" in - 0|1) - ;; - *) - startup_error "Invalid OPTIMIZE value ($OPTIMIZE)" - ;; - esac - - if [ -n "$LOCKFILE" ]; then - [ -d $(dirname $LOCKFILE) ] || startup_error "LOCKFILE=$LOCKFILE: Directory $(dirname $LOCKFILE) does not exist" - fi - # - # Check out the user's shell - # - [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - if [ -z "$KLUDGEFREE" ]; then - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange - fi - - qt mywhich awk && HAVEAWK=Yes || HAVEAWK= - # - # Pre-process all of the standard files - # - # Because 'strip_file()' does shell variable expansion, we must first determine the - # setting of $FW - # - case ${IPSECFILE:=ipsec} in - ipsec) - [ -n "${FW:=fw}" ] - strip_file ipsec - ;; - zones) - get_firewall_zone - ;; - *) - startup_error "Invalid value ($IPSECFILE) for IPSECFILE option" - ;; - esac - - strip_file zones - strip_file routestopped - strip_file interfaces - strip_file hosts - - if [ $PROGRAM = compiler ]; then - strip_file_and_lib_load accounting accounting - - if [ -n "$USE_ACTIONS" ]; then - strip_file actions - strip_file actions.std ${SHAREDIR}/actions.std - fi - - strip_file blacklist - strip_file ecn - strip_file maclist - strip_file_and_lib_load masq nat - strip_file_and_lib_load nat nat - strip_file_and_lib_load netmap nat - strip_file policy - strip_file_and_lib_load providers providers && strip_file route_rules - strip_file_and_lib_load proxyarp proxyarp - strip_file rfc1918 
- strip_file routestopped - strip_file rules - - if [ "$TC_ENABLED" = Internal ]; then - strip_file_and_lib_load tcdevices tc - strip_file_and_lib_load tcclasses tc - fi - - strip_file_and_lib_load tcrules tcrules - strip_file tos - strip_file_and_lib_load tunnels tunnels - fi - - [ "$IPSECFILE" = zones ] && FW= -} diff --git a/Shorewall-common-IPv6-Aborted/lib.dynamiczones b/Shorewall-common-IPv6-Aborted/lib.dynamiczones deleted file mode 100644 index 826da53de..000000000 --- a/Shorewall-common-IPv6-Aborted/lib.dynamiczones +++ /dev/null 
@@ -1,427 +0,0 @@ -#!/bin/sh -# -# Shorewall 4.2 -- /usr/share/shorewall/lib.dynamiczones -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This library is loaded by /usr/share/shorewall/firewall when processing -# the 'add' and 'delete' commands. -# - -# -# Add a host or networks to a zone -# -add_to_zone() # $1...${n-1} = [:] $n = zone -{ - local interface host zone z h z1 z2 chain - local dhcp_interfaces blacklist_interfaces maclist_interfaces - local tcpflags_interfaces newhostlist= - local rulenum source_chain dest_hosts iface hosts hostlist= - - nat_chain_exists() # $1 = chain name - { - qt $IPTABLES -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! 
$IPTABLES $@ ; then - error_message "ERROR: Can't add $newhost to zone $zone" - fi - } - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file $IPSECFILE) - - [ -f $f ] && setup_ipsec $f - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Check for duplicates and create a new zone state file - # - > ${VARDIR}/zones_$$ - - while read z type hosts; do - if [ "$z" = "$zone" ]; then - case $type in - bport4:*) - rm -f ${VARDIR}/zones_$$ - startup_error "Bridge Port zones may not be dynamically modified" - ;; - esac - - case "$hosts" in - *exclude*) - rm -f ${VARDIR}/zones_$$ - startup_error "Modifying a zone that has an exclude list is not supported" - ;; - *) - for h in $hostlist; do - if ! list_search +$h $hosts; then - if ! 
list_search $h $hosts; then - newhostlist="$newhostlist +$h" - else - error_message "$h is already in zone $zone" - fi - else - error_message "$h is already in zone $zone" - fi - done - - [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" - ;; - esac - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $type $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - # - # Create a new Zone state file - # - for newhost in $newhostlist; do - newhost=${newhost#+} - # - # Isolate interface and host parts - # - interface=${newhost%%:*} - host=${newhost#*:} - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - [ "$z1" = "$z2" ] && op="-I" || op="-A" - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $newhost ; then - do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain 
for the interface - # - do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$newhost added to zone $zone" - - done - - rm -rf $TMP_DIR -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - local interface host zone z h z1 z2 chain delhost - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts hostlist= - - DOING=Processing - DONE=Processed - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file ipsec) - - [ -f $f ] && setup_ipsec $f - - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - [ "$host" = "$1" ] && host= - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! 
chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" - [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" - # - # Delete the passed hosts from the zone state file - # - > ${VARDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for host in $hostlist; do - found= - for h in $temp; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - - if [ "$h" = "$host" ]; then - found=No - break - fi - done - - [ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone" - [ "$found" = No ] && startup_error "$host is a permanent member of zone $zone" - done - - for h in $temp; do - found= - for host in $hostlist; do - if [ "$h" = "+$host" ]; then - found=Yes - break - fi - done - - [ -n "$found" ] || hosts="$hosts $h" - done - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${VARDIR}/zones_$$ - done < ${VARDIR}/zones - - mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones - - TERMINATOR=fatal_error - - for delhost in $hostlist; do - interface=${delhost%%:*} - host=${delhost#*:} - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" 
]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $delhost ; then - qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" - - for h in $dest_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - [ "$h" = exclude ] && break - iface=${h%%:*} - iface=${iface#+} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - fi - fi - done - fi - fi - done < ${VARDIR}/chains - - progress_message "$delhost removed from zone $zone" - - done - - rm -rf $TMP_DIR -} diff --git a/Shorewall-common-IPv6-Aborted/maclist b/Shorewall-common-IPv6-Aborted/maclist deleted file mode 100644 index 39270ff38..000000000 --- a/Shorewall-common-IPv6-Aborted/maclist +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall version 4 - Maclist file -# -# For information about entries in this file, type "man shorewall-maclist" -# -# For additional information, see http://shorewall.net/MAC_Validation.html -# -############################################################################### -#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional) -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.AllowICMPs b/Shorewall-common-IPv6-Aborted/macro.AllowICMPs deleted file mode 100644 index 81a9729dd..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.AllowICMPs +++ /dev/null @@ -1,16 +0,0 @@ -# -# Shorewall version 4 - AllowICMPs Macro -# -# /usr/share/shorewall/macro.AllowICMPs -# -# This macro ACCEPTs needed ICMP types -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP - -COMMENT Needed ICMP types - -ACCEPT - - icmp fragmentation-needed -ACCEPT - - icmp time-exceeded -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Amanda b/Shorewall-common-IPv6-Aborted/macro.Amanda deleted file mode 100644 index 8a79c6067..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Amanda +++ /dev/null 
@@ -1,21 +0,0 @@ -# -# Shorewall version 4 - Amanda Macro -# -# /usr/share/shorewall/macro.Amanda -# -# This macro handles connections required by the AMANDA backup system -# to back up remote nodes. It does not provide the ability to restore -# files from those nodes. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - udp 10080 -# -# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6, -# it should not be necessary to use this. The ip_conntrack_amanda -# kernel module should be loaded (via /etc/shorewall/modules) on all -# systems which need to pass AMANDA traffic through netfilter. -#PARAM - - tcp 50000:50100 -# -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Auth b/Shorewall-common-IPv6-Aborted/macro.Auth deleted file mode 100644 index b633d63c0..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Auth +++ /dev/null @@ -1,12 +0,0 @@ -# -# Shorewall version 4 - Auth Macro -# -# /usr/share/shorewall/macro.Auth -# -# This macro handles Auth (identd) traffic. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 113 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.BitTorrent b/Shorewall-common-IPv6-Aborted/macro.BitTorrent deleted file mode 100644 index 96147dfaa..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.BitTorrent +++ /dev/null 
@@ -1,23 +0,0 @@ -# -# Shorewall version 4 - BitTorrent Macro -# -# /usr/share/shorewall/macro.BitTorrent -# -# This macro handles BitTorrent traffic. -# -# If you are running a more modern BitTorrent client, then you may need -# to tweak the open port range. This can be done by copying the below -# rules into /etc/shorewall and making the necessary edits there: -# -# Replace 6881:6889 with 6881:6899 -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 6881:6889 -# -# It may also be necessary to allow UDP traffic: -# -PARAM - - udp 6881 -# -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.CVS b/Shorewall-common-IPv6-Aborted/macro.CVS deleted file mode 100644 index 386c8c39b..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.CVS +++ /dev/null @@ -1,12 +0,0 @@ -# -# Shorewall version 4 - CVS Macro -# -# /usr/share/shorewall/macro.CVS -# -# This macro handles connections to the CVS pserver. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 2401 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.DAAP b/Shorewall-common-IPv6-Aborted/macro.DAAP deleted file mode 100644 index cafb8fab1..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.DAAP +++ /dev/null 
@@ -1,14 +0,0 @@ -# -# Shorewall version 4 - DAAP Macro -# -# /usr/share/shorewall/macro.DAAP -# -# This macro handles DAAP (Digital Audio Access Protocol) traffic. -# The protocol is used by iTunes, Rythmbox and other similar daemons. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 3689 -PARAM - - udp 3689 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.DCC b/Shorewall-common-IPv6-Aborted/macro.DCC deleted file mode 100644 index dc4027d18..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.DCC +++ /dev/null @@ -1,13 +0,0 @@ -# -# Shorewall version 4 - DCC Macro -# -# /usr/share/shorewall/macro.DCC -# -# This macro handles DCC (Distributed Checksum Clearinghouse) traffic. -# DCC is a distributed spam filtering mechanism. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 6277 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.DNS b/Shorewall-common-IPv6-Aborted/macro.DNS deleted file mode 100644 index 584481e84..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.DNS +++ /dev/null @@ -1,13 +0,0 @@ -# -# Shorewall version 4 - DNS Macro -# -# /usr/share/shorewall/macro.DNS -# -# This macro handles DNS traffic. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - udp 53 -PARAM - - tcp 53 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Distcc b/Shorewall-common-IPv6-Aborted/macro.Distcc deleted file mode 100644 index 95ac70615..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Distcc +++ /dev/null 
@@ -1,12 +0,0 @@ -# -# Shorewall version 4 - Distcc Macro -# -# /usr/share/shorewall/macro.Distcc -# -# This macro handles connections to the Distributed Compiler service. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 3632 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Drop b/Shorewall-common-IPv6-Aborted/macro.Drop deleted file mode 100644 index 8a6520ef9..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Drop +++ /dev/null @@ -1,53 +0,0 @@ -# -# Shorewall version 4 - Drop Macro -# -# /usr/share/shorewall/macro.Drop -# -# This macro generates the same rules as the Drop default action -# It is used in place of action.Drop when USE_ACTIONS=No. -# -# Example: -# -# Drop net all -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -# -# Don't log 'auth' REJECT -# -REJECT - - tcp 113 -# -# Drop Broadcasts so they don't clutter up the log -# (broadcasts must *not* be rejected). -# -dropBcast -# -# ACCEPT critical ICMP types -# -ACCEPT - - icmp fragmentation-needed -ACCEPT - - icmp time-exceeded -# -# Drop packets that are in the INVALID state -- these are usually ICMP packets -# and just confuse people when they appear in the log (these ICMPs cannot be -# rejected). -# -dropInvalid -# -# Drop Microsoft noise so that it doesn't clutter up the log. -# -DROP - - udp 135,445 -DROP - - udp 137:139 -DROP - - udp 1024: 137 -DROP - - tcp 135,139,445 -DROP - - udp 1900 -# -# Drop 'newnotsyn' traffic so that it doesn't get logged. -# -dropNotSyn -# -# Drop late-arriving DNS replies. These are just a nuisance and clutter up -# the log. -# -DROP - - udp - 53 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall-common-IPv6-Aborted/macro.DropDNSrep b/Shorewall-common-IPv6-Aborted/macro.DropDNSrep deleted file mode 100644 index 2828ec307..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.DropDNSrep +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall version 4 - DropDNSrep Macro -# -# /usr/share/shorewall/macro.DropDNSrep -# -# This macro silently drops DNS UDP replies -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP - -COMMENT Late DNS Replies - -DROP - - udp - 53 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.DropUPnP b/Shorewall-common-IPv6-Aborted/macro.DropUPnP deleted file mode 100644 index 9ad8a04a9..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.DropUPnP +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall version 4 - DropUPnP Macro -# -# /usr/share/shorewall/macro.DropUPnP -# -# This macro silently drops UPnP probes on UDP port 1900 -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP - -COMMENT UPnP - -DROP - - udp 1900 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Edonkey b/Shorewall-common-IPv6-Aborted/macro.Edonkey deleted file mode 100644 index 9d7264f57..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Edonkey +++ /dev/null 
@@ -1,35 +0,0 @@ -# -# Shorewall version 4 - Edonkey Macro -# -# /usr/share/shorewall/macro.Edonkey -# -# This macro handles Edonkey traffic. -# -# -# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm -# says to use udp 5737 rather than 4665. -# -# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: -# -# 4661 TCP (outgoing) Port, on which a server listens for connection -# (defined by server). -# -# 4665 UDP (outgoing) used for global server searches and global source -# queries. This is always Server TCP port (in this case 4661) + 4. -# -# 4662 TCP (outgoing and incoming) Client to client transfers. -# -# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue -# Rating, File Reask Ping -# -# 4711 TCP WebServer listening port. -# -# 4712 TCP External Connection port. Used to communicate aMule with other -# applications such as aMule WebServer or aMuleCMD. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 4662 -PARAM - - udp 4665 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.FTP b/Shorewall-common-IPv6-Aborted/macro.FTP deleted file mode 100644 index 997b78615..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.FTP +++ /dev/null @@ -1,12 +0,0 @@ -# -# Shorewall version 4 - FTP Macro -# -# /usr/share/shorewall/macro.FTP -# -# This macro handles FTP traffic. -# -############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 21 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/macro.Finger b/Shorewall-common-IPv6-Aborted/macro.Finger deleted file mode 100644 index f180ecfb2..000000000 --- a/Shorewall-common-IPv6-Aborted/macro.Finger +++ /dev/null 
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Finger Macro
-#
-# /usr/share/shorewall/macro.Finger
-#
-# This macro handles Finger protocol. You should not generally open
-# your finger information to internet.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 79
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.GNUnet b/Shorewall-common-IPv6-Aborted/macro.GNUnet
deleted file mode 100644
index 1a2615b64..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.GNUnet
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - GNUnet Macro
-#
-# /usr/share/shorewall/macro.GNUnet
-#
-# This macro handles GNUnet (secure peer-to-peer networking) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 2086
-PARAM - - udp 2086
-PARAM - - tcp 1080
-PARAM - - udp 1080
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.GRE b/Shorewall-common-IPv6-Aborted/macro.GRE
deleted file mode 100644
index 3f0f6b2f6..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.GRE
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - GRE Macro
-#
-# /usr/share/shorewall/macro.GRE
-#
-# This macro (bi-directional) handles Generic Routing Encapsulation
-# traffic (RFC 1701)
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - 47 # GRE
-PARAM DEST SOURCE 47 # GRE
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Gnutella b/Shorewall-common-IPv6-Aborted/macro.Gnutella
deleted file mode 100644
index 4ec5718af..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Gnutella
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Gnutella Macro
-#
-# /usr/share/shorewall/macro.Gnutella
-#
-# This macro handles Gnutella traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 6346
-PARAM - - udp 6346
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.HTTP b/Shorewall-common-IPv6-Aborted/macro.HTTP
deleted file mode 100644
index 798b6bc94..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.HTTP
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - HTTP Macro
-#
-# /usr/share/shorewall/macro.HTTP
-#
-# This macro handles plaintext HTTP (WWW) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 80
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.HTTPS b/Shorewall-common-IPv6-Aborted/macro.HTTPS
deleted file mode 100644
index af75c782f..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.HTTPS
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - HTTPS Macro
-#
-# /usr/share/shorewall/macro.HTTPS
-#
-# This macro handles HTTPS (WWW over SSL) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 443
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.ICQ b/Shorewall-common-IPv6-Aborted/macro.ICQ
deleted file mode 100644
index 65d69748e..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.ICQ
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - ICQ Macro
-#
-# /usr/share/shorewall/macro.ICQ
-#
-# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5190
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IMAP b/Shorewall-common-IPv6-Aborted/macro.IMAP
deleted file mode 100644
index f9da86963..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IMAP
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - IMAP Macro
-#
-# /usr/share/shorewall/macro.IMAP
-#
-# This macro handles plaintext IMAP traffic. For encrypted IMAP,
-# see macro.IMAPS.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 143
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IMAPS b/Shorewall-common-IPv6-Aborted/macro.IMAPS
deleted file mode 100644
index f3f1f14eb..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IMAPS
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - IMAPS Macro
-#
-# /usr/share/shorewall/macro.IMAPS
-#
-# This macro handles encrypted IMAP traffic. For plaintext IMAP
-# (not recommended), see macro.IMAP.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 993
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPIP b/Shorewall-common-IPv6-Aborted/macro.IPIP
deleted file mode 100644
index 3f1caf089..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPIP
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - IPIP Macro
-#
-# /usr/share/shorewall/macro.IPIP
-#
-# This macro (bidirectional) handles IPIP capsulation traffic
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - 94 # IPIP
-PARAM DEST SOURCE 94 # IPIP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPP b/Shorewall-common-IPv6-Aborted/macro.IPP
deleted file mode 100644
index 9486ac824..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPP
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.2 - IPP Macro
-#
-# /usr/share/shorewall/macro.IPP
-#
-# This macro handles Internet Printing Protocol (IPP).
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 631
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPPserver b/Shorewall-common-IPv6-Aborted/macro.IPPserver
deleted file mode 100644
index cd91202c9..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPPserver
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Shorewall version 3.2 - IPPserver Macro
-#
-# /usr/share/shorewall/macro.IPPserver
-#
-# This macro handles Internet Printing Protocol (IPP), indicating
-# that DEST is a printing server for SOURCE. The macro allows
-# print queue broadcasts from the server to the client, and
-# printing connections from the client to the server.
-#
-# Example usage on a single-interface firewall which is a print
-# client:
-# IPPserver/ACCEPT $FW net
-#
-# Example for a two-interface firewall which acts as a print
-# server for loc:
-# IPPserver/ACCEPT loc $FW
-#
-# NOTE: If you want both to serve requests for local printers and
-# listen to requests for remote printers (i.e. your CUPS server is
-# also a client), you need to apply the rule twice, e.g.
-# IPPserver/ACCEPT loc $FW
-# IPPserver/ACCEPT $FW loc
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM SOURCE DEST tcp 631
-PARAM DEST SOURCE udp 631
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPsec b/Shorewall-common-IPv6-Aborted/macro.IPsec
deleted file mode 100644
index 2819d7e74..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPsec
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - IPsec Macro
-#
-# /usr/share/shorewall/macro.IPsec
-#
-# This macro (bidirectional) handles IPsec traffic
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 500 500 # IKE
-PARAM - - 50 # ESP
-PARAM DEST SOURCE udp 500 500 # IKE
-PARAM DEST SOURCE 50 # ESP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPsecah b/Shorewall-common-IPv6-Aborted/macro.IPsecah
deleted file mode 100644
index a6ca61523..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPsecah
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - IPsecah Macro
-#
-# /usr/share/shorewall/macro.IPsecah
-#
-# This macro (bidirectional) handles IPsec authentication (AH) traffic.
-# This is insecure. You should use ESP with encryption for security.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 500 500 # IKE
-PARAM - - 51 # AH
-PARAM DEST SOURCE udp 500 500 # IKE
-PARAM DEST SOURCE 51 # AH
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.IPsecnat b/Shorewall-common-IPv6-Aborted/macro.IPsecnat
deleted file mode 100644
index 9212d97c5..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.IPsecnat
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - IPsecnat Macro
-#
-# /usr/share/shorewall/macro.IPsecnat
-#
-# This macro (bidirectional) handles IPsec traffic and Nat-Traversal
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 500 # IKE
-PARAM - - udp 4500 # NAT-T
-PARAM - - 50 # ESP
-PARAM DEST SOURCE udp 500 # IKE
-PARAM DEST SOURCE udp 4500 # NAT-T
-PARAM DEST SOURCE 50 # ESP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.JAP b/Shorewall-common-IPv6-Aborted/macro.JAP
deleted file mode 100644
index 793c8c4ba..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.JAP
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Shorewall version 4 - JAP Macro
-#
-# /usr/share/shorewall/macro.JAP
-#
-# This macro handles JAP Anon Proxy traffic. This macro is for
-# administrators running a Mix server. It is NOT for people trying
-# to browse anonymously!
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 8080 # HTTP port
-PARAM - - tcp 6544 # HTTP port
-PARAM - - tcp 6543 # InfoService port
-HTTPS/PARAM
-SSH/PARAM
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.JabberPlain b/Shorewall-common-IPv6-Aborted/macro.JabberPlain
deleted file mode 100644
index c7a5ce5d7..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.JabberPlain
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.4 - JabberPlain Macro
-#
-# /usr/share/shorewall/macro.JabberPlain
-#
-# This macro accepts Jabber traffic (plaintext).
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5222
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.JabberSecure b/Shorewall-common-IPv6-Aborted/macro.JabberSecure
deleted file mode 100644
index 7e10c0abf..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.JabberSecure
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.4 - JabberSecure (ssl) Macro
-#
-# /usr/share/shorewall/macro.JabberSecure
-#
-# This macro accepts Jabber traffic (ssl).
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5223
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Jabberd b/Shorewall-common-IPv6-Aborted/macro.Jabberd
deleted file mode 100644
index 0be954292..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Jabberd
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.4 - Jabberd (server intercommunication)
-#
-# /usr/share/shorewall/macro.Jabberd
-#
-# This macro accepts Jabberd intercommunication traffic
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5269
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Jetdirect b/Shorewall-common-IPv6-Aborted/macro.Jetdirect
deleted file mode 100644
index c505b262f..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Jetdirect
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.2 - Jetdirect Macro
-#
-# /usr/share/shorewall/macro.Jetdirect
-#
-# This macro handles HP Jetdirect printing.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 9100
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.L2TP b/Shorewall-common-IPv6-Aborted/macro.L2TP
deleted file mode 100644
index 64afee142..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.L2TP
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - L2TP Macro
-#
-# /usr/share/shorewall/macro.L2TP
-#
-# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic
-# (RFC 2661)
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 1701 # L2TP
-PARAM DEST SOURCE udp 1701 # L2TP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.LDAP b/Shorewall-common-IPv6-Aborted/macro.LDAP
deleted file mode 100644
index ba5710172..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.LDAP
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - LDAP Macro
-#
-# /usr/share/shorewall/macro.LDAP
-#
-# This macro handles plaintext LDAP traffic. For encrypted LDAP
-# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is
-# required by some directory services) if you want to do user
-# authentication over LDAP. Note that some LDAP implementations
-# support initiating TLS connections via the plaintext LDAP port.
-# Consult your LDAP server documentation for details.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 389
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.LDAPS b/Shorewall-common-IPv6-Aborted/macro.LDAPS
deleted file mode 100644
index bcaf2de91..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.LDAPS
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - LDAPS Macro
-#
-# /usr/share/shorewall/macro.LDAPS
-#
-# This macro handles encrypted LDAP traffic. For plaintext LDAP
-# traffic, see macro.LDAP. Use of LDAPS is recommended (and is
-# required by some directory services) if you want to do user
-# authentication over LDAP. Note that some LDAP implementations
-# support initiating TLS connections via the plaintext LDAP port.
-# Consult your LDAP server documentation for details.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 636
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Mail b/Shorewall-common-IPv6-Aborted/macro.Mail
deleted file mode 100644
index 46d6cabdc..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Mail
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Shorewall version 4 - Mail Macro
-#
-# /usr/share/shorewall/macro.Mail
-#
-# This macro handles SMTP (email secure and insecure) traffic.
-# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission.
-#
-# Note: This macro handles traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the POP3 or IMAP macros.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 25
-PARAM - - tcp 465
-PARAM - - tcp 587
diff --git a/Shorewall-common-IPv6-Aborted/macro.MySQL b/Shorewall-common-IPv6-Aborted/macro.MySQL
deleted file mode 100644
index 1e438d97c..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.MySQL
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - MySQL Macro
-#
-# /usr/share/shorewall/macro.MySQL
-#
-# This macro handles connections to the MySQL server.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 3306
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.NNTP b/Shorewall-common-IPv6-Aborted/macro.NNTP
deleted file mode 100644
index 3bfc76283..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.NNTP
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 NNTP Macro
-#
-# /usr/share/shorewall/macro.NNTP
-#
-# This macro handles plaintext NNTP traffic (Usenet). For
-# encrypted NNTP, see macro.NNTPS.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 119
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.NNTPS b/Shorewall-common-IPv6-Aborted/macro.NNTPS
deleted file mode 100644
index 25fef49d8..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.NNTPS
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 NNTPS Macro
-#
-# /usr/share/shorewall/macro.NNTPS
-#
-# This macro handles encrypted NNTP traffic (Usenet). For
-# plaintext NNTP, see macro.NNTP.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 563
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.NTP b/Shorewall-common-IPv6-Aborted/macro.NTP
deleted file mode 100644
index 6ff0a350e..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.NTP
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - NTP Macro
-#
-# /usr/share/shorewall/macro.NTP
-#
-# This macro handles NTP traffic (ntpd).
-# For broadcast NTP traffic, use NTPbrd Macro.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 123
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.NTPbrd b/Shorewall-common-IPv6-Aborted/macro.NTPbrd
deleted file mode 100644
index 63b110add..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.NTPbrd
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Shorewall version 4 - NTPbrd Macro
-#
-# /usr/share/shorewall/macro.NTPbrd
-#
-# This macro handles NTP traffic (ntpd) including replies to Broadcast
-# NTP traffic.
-#
-# It is recommended only to use this where the source host is trusted -
-# otherwise it opens up a large hole in your firewall because
-# Netfilter doesn't track connections for broadcast traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 123
-PARAM - - udp 1024: 123
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.OpenVPN b/Shorewall-common-IPv6-Aborted/macro.OpenVPN
deleted file mode 100644
index 6a827603f..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.OpenVPN
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - OpenVPN Macro
-#
-# /usr/share/shorewall/macro.OpenVPN Macro
-#
-# This macro handles OpenVPN traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 1194
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.PCA b/Shorewall-common-IPv6-Aborted/macro.PCA
deleted file mode 100644
index 1518af059..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.PCA
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - PCA Macro
-#
-# /usr/share/shorewall/macro.PCA
-#
-# This macro handles PCAnywere (tm)
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 5632
-PARAM - - tcp 5631
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.POP3 b/Shorewall-common-IPv6-Aborted/macro.POP3
deleted file mode 100644
index b0acab21d..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.POP3
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - POP3 Macro
-#
-# /usr/share/shorewall/macro.POP3
-#
-# This macro handles plaintext POP3 traffic. For encrypted POP3,
-# see macro.POP3S.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 110
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.POP3S b/Shorewall-common-IPv6-Aborted/macro.POP3S
deleted file mode 100644
index fd9c26097..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.POP3S
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - POP3S Macro
-#
-# /usr/share/shorewall/macro.POP3S
-#
-# This macro handles encrypted POP3 traffic. For plaintext POP3,
-# see macro.POP3.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 995 # Secure POP3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.PPtP b/Shorewall-common-IPv6-Aborted/macro.PPtP
deleted file mode 100644
index ac3823e56..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.PPtP
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - PPTP Macro
-#
-# /usr/share/shorewall/macro.PPtP Macro
-#
-# This macro handles PPTP traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - 47
-PARAM DEST SOURCE 47
-PARAM - - tcp 1723
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Ping b/Shorewall-common-IPv6-Aborted/macro.Ping
deleted file mode 100644
index dad8b3a9a..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Ping
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Ping Macro
-#
-# /usr/share/shorewall/macro.Ping
-#
-# This macro handles 'ping' requests.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.PostgreSQL b/Shorewall-common-IPv6-Aborted/macro.PostgreSQL
deleted file mode 100644
index 2c4a4cab1..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.PostgreSQL
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - PostgreSQL Macro
-#
-# /usr/share/shorewall/macro.PostgreSQL
-#
-# This macro handles connections to the PostgreSQL server.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5432
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Printer b/Shorewall-common-IPv6-Aborted/macro.Printer
deleted file mode 100644
index 8c28ed8df..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Printer
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.2 - Printer Macro
-#
-# /usr/share/shorewall/macro.Printer
-#
-# This macro handles Line Printer protocol printing.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 515
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.RDP b/Shorewall-common-IPv6-Aborted/macro.RDP
deleted file mode 100644
index fbbd8254e..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.RDP
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 3.2 - RDP Macro
-#
-# /usr/share/shorewall/macro.RDP
-#
-# This macro handles Microsoft RDP (Remote Desktop) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 3389
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.RNDC b/Shorewall-common-IPv6-Aborted/macro.RNDC
deleted file mode 100644
index 63ccc5afc..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.RNDC
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - RNDC Macro
-#
-# /usr/share/shorewall/macro.RNDC
-#
-# This macro handles RNDC (BIND remote management protocol) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 953
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Rdate b/Shorewall-common-IPv6-Aborted/macro.Rdate
deleted file mode 100644
index 500873ed0..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Rdate
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Rdate Macro
-#
-# /usr/share/shorewall/macro.Rdate
-#
-# This macro handles remote time retrieval (rdate).
-# Unless you are supporting extremely old hardware or software,
-# you shouldn't be using this. NTP is a superior alternative.
-# And even if you need to use rfc 868 Time protocol you should
-# use Time macro instead.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 37
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Reject b/Shorewall-common-IPv6-Aborted/macro.Reject
deleted file mode 100644
index f44ed506b..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Reject
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Shorewall version 4 - Reject Macro
-#
-# /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-# Reject loc fw
-#
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-#
-# Don't log 'auth' REJECT
-#
-REJECT - - tcp 113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT - - icmp fragmentation-needed
-ACCEPT - - icmp time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT - - udp 135,445
-REJECT - - udp 137:139
-REJECT - - udp 1024: 137
-REJECT - - tcp 135,139,445
-DROP - - udp 1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP - - udp - 53
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Rfc1918 b/Shorewall-common-IPv6-Aborted/macro.Rfc1918
deleted file mode 100644
index 5cb8992f8..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Rfc1918
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Macro Template
-#
-# /usr/share/shorewall/macro.Rfc1918
-#
-# This macro handles pkts with a SOURCE or ORIGINAL DEST address reserved by RFC 1918
-#############################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
-FORMAT 2
-PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
- DEST - - - - - -
-PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Rsync b/Shorewall-common-IPv6-Aborted/macro.Rsync
deleted file mode 100644
index 530358b96..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Rsync
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Rsync Macro
-#
-# /usr/share/shorewall/macro.Rsync
-#
-# This macro handles connections to the rsync server.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 873
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SANE b/Shorewall-common-IPv6-Aborted/macro.SANE
deleted file mode 100644
index 19312256e..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SANE
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Shorewall version 4 - SANE Macro
-#
-# /usr/share/shorewall/macro.SANE
-#
-# This macro handles SANE network scanning.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 6566
-#
-# Kernels 2.6.23+ has nf_conntrack_sane module which will handle
-# sane data connection.
-#
-# If you don't have sane conntracking support you need to open whole dynamic
-# port range.
-#
-# This is for normal linux 2.4+
-#PARAM - - tcp 32768:61000
-# This is generic rule for any os running saned.
-#PARAM - - tcp 1024:
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SMB b/Shorewall-common-IPv6-Aborted/macro.SMB
deleted file mode 100644
index e4166c351..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SMB
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Shorewall version 4 - SMB Macro
-#
-# /usr/share/shorewall/macro.SMB
-#
-# This macro handles Microsoft SMB traffic. You need to invoke
-# this macro in both directions. Beware! This rule opens a lot
-# of ports, and could possibly be used to compromise your firewall
-# if not used with care. You should only allow SMB traffic
-# between hosts you fully trust.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 135,445
-PARAM - - udp 137:139
-PARAM - - udp 1024: 137
-PARAM - - tcp 135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SMBBI b/Shorewall-common-IPv6-Aborted/macro.SMBBI
deleted file mode 100644
index 04e91e7c9..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SMBBI
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Shorewall version 4 - SMB Bi-directional Macro
-#
-# /usr/share/shorewall/macro.SMBBI
-#
-# This macro (bidirectional) handles Microsoft SMB traffic.
-#
-# Beware! This macro opens a lot of ports, and could possibly be used
-# to compromise your firewall if not used with care. You should only
-# allow SMB traffic between hosts you fully trust.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 135,445
-PARAM - - udp 137:139
-PARAM - - udp 1024: 137
-PARAM - - tcp 135,139,445
-PARAM DEST SOURCE udp 135,445
-PARAM DEST SOURCE udp 137:139
-PARAM DEST SOURCE udp 1024: 137
-PARAM DEST SOURCE tcp 135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SMBswat b/Shorewall-common-IPv6-Aborted/macro.SMBswat
deleted file mode 100644
index d63805518..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SMBswat
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - SMBswat Macro
-#
-# /usr/share/shorewall/macro.SMBswat
-#
-# This macro handles connections to the Samba Web Administration Tool
-# (SWAT).
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 901
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SMTP b/Shorewall-common-IPv6-Aborted/macro.SMTP
deleted file mode 100644
index b8782315d..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SMTP
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Shorewall version 4 - SMTP Macro
-#
-# /usr/share/shorewall/macro.SMTP
-#
-# This macro handles plaintext SMTP (email) traffic. For SMTP
-# encrypted over SSL, use macro.SMTPS. Note that STARTTLS can be
-# used over the standard STMP port, so the use of this macro
-# doesn't necessarily imply the use of an insecure connection.
-#
-# Note: This macro handles traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the POP3 or IMAP macros.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 25
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SMTPS b/Shorewall-common-IPv6-Aborted/macro.SMTPS
deleted file mode 100644
index e2f188243..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SMTPS
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - SMTPS Macro
-#
-# /usr/share/shorewall/macro.SMTPS
-#
-# This macro handles encrypted SMTPS (email) traffic.
-#
-# Note: This macro handles traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the POP3(S) or IMAP(S) macros.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 465
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SNMP b/Shorewall-common-IPv6-Aborted/macro.SNMP
deleted file mode 100644
index 0959e4fbb..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SNMP
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - SNMP Macro
-#
-# /usr/share/shorewall/macro.SNMP
-#
-# This macro handles SNMP traffic (including traps).
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 161:162
-PARAM - - tcp 161
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SPAMD b/Shorewall-common-IPv6-Aborted/macro.SPAMD
deleted file mode 100644
index 258c6d14c..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SPAMD
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - SPAMD Macro
-#
-# /usr/share/shorewall/macro.SPAMD
-#
-# This macro handles Spam Assassin SPAMD traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 783
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SSH b/Shorewall-common-IPv6-Aborted/macro.SSH
deleted file mode 100644
index 2bde98249..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SSH
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - SSH Macro
-#
-# /usr/share/shorewall/macro.SSH
-#
-# This macro handles secure shell (SSH) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 22
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SVN b/Shorewall-common-IPv6-Aborted/macro.SVN
deleted file mode 100644
index aa5e52a00..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SVN
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - SVN Macro
-#
-# /usr/share/shorewall/macro.SVN
-#
-# This macro handles connections to the Subversion server (svnserve).
-#
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 3690
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.SixXS b/Shorewall-common-IPv6-Aborted/macro.SixXS
deleted file mode 100644
index 657e75f43..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.SixXS
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Shorewall version 4 - SIXXS Macro
-#
-# /usr/share/shorewall/macro.SixXS
-#
-# This macro handles SixXS -- An IPv6 Deployment and Tunnel Broker
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-#
-# Used for retrieving the tunnel information (eg by AICCU)
-PARAM - - tcp 3874
-#
-# Used for signaling where the current IPv4 endpoint
-# of the tunnel is and that it is alive
-PARAM - - udp 3740
-#
-# Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels)
-PARAM - - 41
-#
-# Used for tunneling IPv6 over IPv4 (AYIYA
-# tunnels)(5072 is official port, 8374 is used in the beta)
-PARAM - - udp 5072,8374
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Submission b/Shorewall-common-IPv6-Aborted/macro.Submission
deleted file mode 100644
index 4f9e1e2ce..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Submission
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Submission Macro
-#
-# /usr/share/shorewall/macro.Submission
-#
-# This macro handles mail message submission traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 587
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Syslog b/Shorewall-common-IPv6-Aborted/macro.Syslog
deleted file mode 100644
index 9efc6443e..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Syslog
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Syslog Macro
-#
-# /usr/share/shorewall/macro.Syslog
-#
-# This macro handles syslog UDP traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 514
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.TFTP b/Shorewall-common-IPv6-Aborted/macro.TFTP
deleted file mode 100644
index 70f2c0980..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.TFTP
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 3.2 - TFTP Macro
-#
-# /usr/share/shorewall/macro.TFTP
-#
-# This macro handles Trivial File Transfer Protocol (TFTP)
-# Because TFTP lacks all security you should not enable it over
-# Internet.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 69
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Telnet b/Shorewall-common-IPv6-Aborted/macro.Telnet
deleted file mode 100644
index da87b2001..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Telnet
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Telnet Macro
-#
-# /usr/share/shorewall/macro.Telnet
-#
-# This macro handles Telnet traffic. For traffic over the
-# internet, telnet is inappropriate; use SSH instead
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 23
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Telnets b/Shorewall-common-IPv6-Aborted/macro.Telnets
deleted file mode 100644
index 158e9b280..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Telnets
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Telnet Macro
-#
-# /usr/share/shorewall/macro.Telnets
-#
-# This macro handles Telnets (Telnet over SSL) traffic.
-# For traffic over the internet, SSH might be more practical.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 992
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Time b/Shorewall-common-IPv6-Aborted/macro.Time
deleted file mode 100644
index 4bc33d184..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Time
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Time Macro
-#
-# /usr/share/shorewall/macro.Time
-#
-# This macro handles rfc 868 Time protocol.
-# Unless you are supporting extremely old hardware or software,
-# you shouldn't be using this. NTP is a superior alternative.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 37
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Trcrt b/Shorewall-common-IPv6-Aborted/macro.Trcrt
deleted file mode 100644
index 2d84d1eed..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Trcrt
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 -Trcrt Macro
-#
-# /usr/share/shorewall/macro.Trcrt
-#
-# This macro handles Traceroute (for up to 30 hops).
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - udp 33434:33524 # UDP Traceroute
-PARAM - - icmp 8 # ICMP Traceroute
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.VNC b/Shorewall-common-IPv6-Aborted/macro.VNC
deleted file mode 100644
index 92102db5c..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.VNC
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - VNC Macro
-#
-# /usr/share/shorewall/macro.VNC
-#
-# This macro handles VNC traffic for VNC display's 0 - 9.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5900:5909
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.VNCL b/Shorewall-common-IPv6-Aborted/macro.VNCL
deleted file mode 100644
index 52b1ffa21..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.VNCL
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 -VNCL Macro
-#
-# /usr/share/shorewall/macro.VNCL
-#
-# This macro handles VNC traffic from Vncservers to Vncviewers in listen
-# mode.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 5500
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Web b/Shorewall-common-IPv6-Aborted/macro.Web
deleted file mode 100644
index 3d54f800f..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Web
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Web Macro
-#
-# /usr/share/shorewall/macro.Web
-#
-# This macro handles WWW traffic (secure and insecure). This
-# macro is deprecated - use of macro.HTTP and macro.HTTPS instead
-# is recommended.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 80 # HTTP (plaintext)
-PARAM - - tcp 443 # HTTPS (over SSL)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Webmin b/Shorewall-common-IPv6-Aborted/macro.Webmin
deleted file mode 100644
index 8ac6d213a..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Webmin
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Webmin Macro
-#
-# /usr/share/shorewall/macro.Webmin
-#
-# This macro handles Webmin traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 10000
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.Whois b/Shorewall-common-IPv6-Aborted/macro.Whois
deleted file mode 100644
index 5bc2a0509..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.Whois
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Whois Macro
-#
-# /usr/share/shorewall/macro.Whois
-#
-# This macro handles whois (nicname) traffic.
-#
-###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
-PARAM - - tcp 43
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/macro.template b/Shorewall-common-IPv6-Aborted/macro.template
deleted file mode 100644
index ae357d1bd..000000000
--- a/Shorewall-common-IPv6-Aborted/macro.template
+++ /dev/null
@@ -1,368 +0,0 @@ -# -# Shorewall version 4 - Macro Template -# -# /usr/share/shorewall/macro.template -# -# Macro files are similar to action files with the following exceptions: -# -# - A macro file is not processed unless the marcro that it defines is -# referenced in the /etc/shorewall/rules file or in an action -# definition file. -# -# - Macros are translated directly into one or more rules whereas -# actions become their own chain. -# -# - All entries in a macro undergo substitution when the macro is -# invoked in the rules file. -# -# - Macros used in action bodies may not invoke other macros. -# -# The columns in the file are the same as those in the action.template file but -# have different restrictions: -# -# Columns are: -# -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, -# LOG, QUEUE, PARAM or an name. -# -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the -# connection from any subsequent -# DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any -# subsequent DNAT[-] or REDIRECT[-] -# rules but doesn't generate a rule -# to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# SAME -- Similar to DNAT except that the -# port may not be remapped and when -# multiple server addresses are -# listed, all requests from a given -# remote system go to the same -# server. -# SAME- -- Advanced users only. -# Like SAME but only generates the -# NAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# REDIRECT- -# -- Advanced users only. 
-# Like REDIRET but only generates the -# REDIRECT iptables rule and not -# the companion ACCEPT rule. -# -# CONTINUE -- (For experts only). Do not process -# any of the following rules for this -# (source zone,destination zone). If -# The source and/or destination IP -# address falls into a zone defined -# later in /etc/shorewall/zones, this -# connection request will be passed -# to the rules defined for that -# (those) zone(s). -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as ftwall -# (http://p2pwall.sf.net). -# PARAM -- If you code PARAM as the action in -# a macro then when you invoke the -# macro, you can include the name of -# the macro followed by a slash ("/") -# and an ACTION (either builtin or -# user-defined. All instances of -# PARAM in the body of the macro will -# be replaced with the ACTION. -# -- The name of an action defined in -# /usr/share/shorewall/actions.std or -# in /etc/shorewall/actions. -# -# The ACTION may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# DNAT:debug). This causes the packet to be -# logged at the specified level. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. 
May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, "all", "all+" or "none" If the ACTION -# is DNAT or REDIRECT, sub-zones of the specified zone -# may be excluded from the rule by following the zone -# name with "!' and a comma-separated list of sub-zone -# names. -# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+" is -# used, intra-zone traffic is affected. -# -# Except when "all[+]" is specified, clients may be -# further restricted to a list of subnets and/or hosts by -# appending ":" and a comma-separated list of subnets -# and/or hosts. Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# Hosts may be specified as an IP address range using the -# syntax -. This requires that -# your kernel and iptables contain iprange match support. -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of source bindings to be -# matched. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. -# -# net:192.0.2.11-192.0.2.17 -# Hosts 192.0.2.11-192.0.2.17 in -# the net zone. -# -# Alternatively, clients may be specified by interface -# by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a -# client that communicates with the firewall system -# through eth1. 
This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones, $FW to indicate the firewall -# itself, "all". "all+" or "none". -# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+" is -# used, intra-zone traffic is affected. -# -# Except when "all[+]" is specified, the server may be -# further restricted to a particular subnet, host or -# interface by appending ":" and the subnet, host or -# interface. See above. -# -# Restrictions: -# -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3. You may not specify both an interface and -# an address. -# -# Like in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. When the ACTION is DNAT or DNAT-, -# the connections will be assigned to addresses in the -# range in a round-robin fashion. -# -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of destination bindings -# to be matched. Only one of the SOURCE and DEST columns -# may specify an ipset name. -# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. A destination port may only be -# included if the ACTION is DNAT or REDIRECT. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. 
The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the ACTION is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp", -# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all". -# "ipp2p*" requires ipp2p match support in your kernel -# and iptables. -# -# "tcp:syn" implies "tcp" plus the SYN flag must be -# set and the RST,ACK and FIN flags must be reset. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p*, this column is interpreted -# as an ipp2p option without the leading "--" (example -# "bit" for bit-torrent). If no port is given, "ipp2p" is -# assumed. -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then -# place "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. 
There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL Original destination IP address. Must be omitted ( -# DEST or '-') if the macro is to be used from within -# an action. See 'man shorewall-rules'. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:][+] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# +upnpd #program named upnpd (This feature was -# #removed from Netfilter in kernel -# #version 2.6.14). -# -# A few examples should help show how Macros work. 
-# -# /etc/shorewall/macro.FwdFTP: -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT(S) PORT(S) DEST LIMIT GROUP -# DNAT - - tcp 21 -# -# /etc/shorewall/rules: -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT(S) PORT(S) DEST LIMIT GROUP -# FwdFTP net loc:192.168.1.5 -# -# The result is equivalent to: -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT(S) PORT(S) DEST LIMIT GROUP -# DNAT net loc:192.168.1.5 tcp 21 -# -# The substitution rules are as follows: -# -# ACTION column If in the invocation of the macro, the macro -# name is followed by slash ("/") and a second -# name, the second name is substituted for each -# entry in the macro whose ACTION is PARAM -# -# For example, if macro FOO is invoked as -# FOO/ACCEPT then when expanding macro.FOO, -# Shorewall will substitute ACCEPT in each -# entry in macro.FOO whose ACTION column -# contains PARAM. PARAM may be optionally -# followed by a colon and a log level. -# -# You may also follow the -# -# Any logging specified when the macro is -# invoked is applied to each entry in the macros. -# -# SOURCE and DEST If the column in the macro is empty then the -# columns value in the rules file is used. If the column -# in the macro is non-empty then any value in -# the rules file is appended with a ":" -# separator. -# -# Example: ############################################### -# #ACTION SOURCE DEST PROTO DEST -# # PORT(S) -# macro.FTP File PARAM net loc tcp 21 -# rules File FTP/DNAT - 192.168.1.5 -# Result DNAT net loc:192.168.1.5 tcp 21 -# -# Remaining Any value in the rules file REPLACES the value -# columns given in the macro file. 
-#
-#######################################################################################################
-# DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-#######################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
-# PORT(S) PORT(S) DEST LIMIT GROUP DEST
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/masq b/Shorewall-common-IPv6-Aborted/masq
deleted file mode 100644
index 9b4f38dd1..000000000
--- a/Shorewall-common-IPv6-Aborted/masq
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Masq file
-#
-# For information about entries in this file, type "man shorewall-masq"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-masq.html
-#
-###############################################################################
-#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/modules b/Shorewall-common-IPv6-Aborted/modules
deleted file mode 100644
index 5532a96af..000000000
--- a/Shorewall-common-IPv6-Aborted/modules
+++ /dev/null
@@ -1,161 +0,0 @@
-#
-# Shorewall version 4 - Modules File
-#
-# /usr/share/shorewall/modules
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip_tables
-loadmodule iptable_filter
-loadmodule iptable_mangle
-loadmodule ip_conntrack
-loadmodule nf_conntrack
-loadmodule nf_conntrack_ipv4
-loadmodule iptable_nat
-loadmodule xt_state
-loadmodule xt_tcpudp
-#
-# Other xtables modules
-#
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_NFLOG
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_tcpmss
-#
-# Helpers
-#
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_macipmap
-loadmodule ip_set_portmap
-#
-# 2.6.20+ helpers
-#
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane
-loadmodule nf_nat_amanda
-loadmodule nf_nat_ftp
-loadmodule nf_nat_h323
-loadmodule nf_nat_irc
-loadmodule nf_nat
-loadmodule nf_nat_pptp
-loadmodule nf_nat_proto_gre
-loadmodule nf_nat_sip
-loadmodule nf_nat_snmp_basic
-loadmodule nf_nat_tftp
-#
-# Traffic Shaping
-#
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_htb
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule act_police
-#
-# Extensions
-#
-loadmodule ipt_addrtype
-loadmodule ipt_ah
-loadmodule ipt_CLASSIFY
-loadmodule ipt_CLUSTERIP
-loadmodule ipt_comment
-loadmodule ipt_connmark
-loadmodule ipt_CONNMARK
-loadmodule ipt_conntrack
-loadmodule ipt_dscp
-loadmodule ipt_DSCP
-loadmodule ipt_ecn
-loadmodule ipt_ECN
-loadmodule ipt_esp
-loadmodule ipt_hashlimit
-loadmodule ipt_helper
-loadmodule ipt_ipp2p
-loadmodule ipt_iprange
-loadmodule ipt_length
-loadmodule ipt_limit
-loadmodule ipt_LOG
-loadmodule ipt_mac
-loadmodule ipt_mark
-loadmodule ipt_MARK
-loadmodule ipt_MASQUERADE
-loadmodule ipt_multiport
-loadmodule ipt_NETMAP
-loadmodule ipt_NOTRACK
-loadmodule ipt_owner
-loadmodule ipt_physdev
-loadmodule ipt_pkttype
-loadmodule ipt_policy
-loadmodule ipt_realm
-loadmodule ipt_recent
-loadmodule ipt_REDIRECT
-loadmodule ipt_REJECT
-loadmodule ipt_SAME
-loadmodule ipt_sctp
-loadmodule ipt_set
-loadmodule ipt_state
-loadmodule ipt_tcpmss
-loadmodule ipt_TCPMSS
-loadmodule ipt_tos
-loadmodule ipt_TOS
-loadmodule ipt_ttl
-loadmodule ipt_TTL
-loadmodule ipt_ULOG
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/nat b/Shorewall-common-IPv6-Aborted/nat
deleted file mode 100644
index 5c8874c8e..000000000
--- a/Shorewall-common-IPv6-Aborted/nat
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Nat File
-#
-# For information about entries in this file, type "man shorewall-nat"
-#
-# For additional information, see http://shorewall.net/NAT.htm
-#
-###############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
-# INTERFACES
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/netmap b/Shorewall-common-IPv6-Aborted/netmap
deleted file mode 100644
index 6290bcfb4..000000000
--- a/Shorewall-common-IPv6-Aborted/netmap
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Netmap File
-#
-# For information about entries in this file, type "man shorewall-netmap"
-#
-# See http://shorewall.net/netmap.html for an example and usage
-# information.
-#
-###############################################################################
-#TYPE NET1 INTERFACE NET2
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/params b/Shorewall-common-IPv6-Aborted/params
deleted file mode 100644
index 84983dc13..000000000
--- a/Shorewall-common-IPv6-Aborted/params
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# Shorewall version 4 - Params File
-#
-# /etc/shorewall/params
-#
-# Assign any variables that you need here.
-#
-# It is suggested that variable names begin with an upper case letter
-# to distinguish them from variables used internally within the
-# Shorewall programs
-#
-# Example:
-#
-# NET_IF=eth0
-# NET_BCAST=130.252.100.255
-# NET_OPTIONS=routefilter,norfc1918
-#
-# Example (/etc/shorewall/interfaces record):
-#
-# net $NET_IF $NET_BCAST $NET_OPTIONS
-#
-# The result will be the same as if the record had been written
-#
-# net eth0 130.252.100.255 routefilter,norfc1918
-#
-###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/policy b/Shorewall-common-IPv6-Aborted/policy
deleted file mode 100644
index 338f13fec..000000000
--- a/Shorewall-common-IPv6-Aborted/policy
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
-# LEVEL BURST MASK
-#LAST LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/providers b/Shorewall-common-IPv6-Aborted/providers
deleted file mode 100644
index 63dc6c064..000000000
--- a/Shorewall-common-IPv6-Aborted/providers
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall version 4 - Providers File
-#
-# For information about entries in this file, type "man shorewall-providers"
-#
-# For additional information, see http://shorewall.net/MultiISP.html
-#
-############################################################################################
-#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/proxyarp b/Shorewall-common-IPv6-Aborted/proxyarp
deleted file mode 100644
index 4bc86f21b..000000000
--- a/Shorewall-common-IPv6-Aborted/proxyarp
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall version 4 - Proxyarp File
-#
-# For information about entries in this file, type "man shorewall-proxyarp"
-#
-# See http://shorewall.net/ProxyARP.htm for additional information.
-#
-###############################################################################
-#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/releasenotes.txt b/Shorewall-common-IPv6-Aborted/releasenotes.txt
deleted file mode 100644
index 44d7f30b9..000000000
--- a/Shorewall-common-IPv6-Aborted/releasenotes.txt
+++ /dev/null
@@ -1,1045 +0,0 @@ -Shorewall 4.2.1 - ----------------------------------------------------------------------------- - R E L E A S E 4 . 2 H I G H L I G H T S ----------------------------------------------------------------------------- -1) Support is included for multiple internet providers through the same - ethernet interface. - -2) Support for NFLOG has been added. - -3) Enhanced operational logging. - -4) The tarball installers now work under Cygwin. - -5) Shorewall-perl now supports IFB devices which allow traffic shaping of - incoming traffic. - -6) Shorewall-perl supports definition of u32 traffic classification - filters. - -Migration Issues. - -1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero - mark values < 256 to be assigned in the OUTPUT chain. This has been - changed so that only high mark values may be assigned - there. Packet marking rules for traffic shaping of packets - originating on the firewall must be coded in the POSTROUTING table. - -2) Previously, Shorewall did not range-check the value of the - VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2: - - a) A VERBOSITY setting outside the range -1 through 2 is rejected. - b) After the -v and -q options are applied, the resulting value is - adjusted to fall within the range -1 through 2. - -3) Specifying a destination zone in a NAT-only rule now generates a - warning and the destination zone is ignored. NAT-only rules are: - - NONAT - REDIRECT- - DNAT- - -4) The default value for LOG_MARTIANS has been changed. Previously, - the defaults were: - - Shorewall-perl - 'Off' - Shorewall-shell - 'No' - - The new default values are: - - Shorewall-perl - 'On' - Shorewall-shell - 'Yes'. - - Shorewall-perl users may: - - a) Accept the new default -- martians will be logged from all - interfaces with route filtering except those with log_martians=0 - in /etc/shorewall/interfaces. 
- - b) Explicitly set LOG_MARTIANS=Off to maintain compatibility with - prior versions of Shorewall. - - Shorewall-shell users may: - - a) Accept the new default -- martians will be logged from all - interfaces with the route filtering enabled. - - b) Explicitly set LOG_MARTIONS=No to maintain compatibility with - prior versions of Shorewall. - -5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has - been changed from Yes to No. - -6) The 'norfc1918' option is deprecated. Use explicit rules instead. - Note that there is a new 'Rfc1918' macro that acts on addresses - reserved by RFC 1918. - -7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use - ipset-based zones instead. - -Problems corrected in Shorewall 4.2.1 - -1) A description of the CONNBYTES column has been added to - shorewall-tcrules(5). - -2) Previously, Shorewall-perl would accept zero as the value in - the CONNBYTES column of tcrules even when the field was - non-zero. A value of zero for was equivalent to omitting - . - -3) iptables 1.4.1 discontinued support of syntax generated by - shorewall in some cases. Shorewall now detects when the new syntax - is required and uses it instead. - -4) The Shorewall-perl implementation of the LENGTH column in - /etc/shorewall/tcrules was incomplete with the result that - all LENGTH rules matched. Thanks to Lennart Sorensen for the patch. - -5) The 'export' command no longer fails with the error: - - /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi") - -Other changes in Shorewall 4.2.1 - -1) With the recent renewed interest in DOS attacks, it seems - appropriate to have connection limiting support in Shorewall. To - that end, a CONNLIMIT column has been added to both the policy and - rules files. - - The content of these columns is of the format - - [!] [:] - - where - - is the limit on simultaneous TCP connections. 
- - specifies the size of the network to which - the limit applies and is specified as a - CIDR mask length. The default value for - is 32 which means that each remote - IP address can have TCP connections - active at once. - - ! Not allowed in the policy file. In the rules file, it - causes connections to match when the number of - current connections exceeds . - - When specified in the policy file, the limit is enforced on all - connections that are subject to the given policy (just like - LIMIT:BURST). The limit is checked on new connections before the - connection is passed through the rules in the NEW section of the - rules file. - - It is important to note that while the limit is only checked for - those destinations specified in the DEST column, the number of - current connections is calculated over all destinations and not - just the destination specified in the DEST column. - - Use of this feature requires the connlimit match capability in your - kernel and iptables. If you use a capabilities file when compiling - your Shorewall configuration(s), then you need to regenerate the - file using Shorewall or Shorewall-lite 4.2.1. - -2) Shorewall now supports time/date restrictions on entries in the - rules file via a new TIME column. - - The contents of this column is a series of one or more "time - elements" separated by apersands ("&"). Possible time elements are: - - utc Times are expressed in Greenwich Mean Time. - localtz Times are expressed in local civil time (default) - timestart=hh:mm[:ss] - timestop=hh:mm[:ss] Start and stop time of day for rule - weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or - Sun - monthdays=dd[,dd]... where dd is an ordinal day of the month. 
- datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] - datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] - where yyyy = Year - first mm = Month - dd = Day - hh = Hour - 2nd mm = Minute - ss = Second - - Examples: - - 1) utc×tart=10:00×top=12:00 - - Between 10am and 12 noon each day, GMT - - 2) datestart=2008-11-01T12:00 - - Beginning November 1, 2008 at noon LCT. - - Use of this feature requires the time match capability in your - kernel and iptables. If you use a capabilities file when compiling - your Shorewall configuration(s), then you need to regenerate the - file using Shorewall or Shorewall-lite 4.2.1. - -3) If your kernel and iptables support "-m conntrack --ctorigdstport" - then Shorewall will utilize that capability to ensure that when you - do port mapping (change the destination port but not the - destination IP address), the final destination port is not opened - as a side effect. - - Example: - - DNAT net loc:206.124.146.177:22 tcp 2222 - 206.124.146.177 - - That rule maps port 2222 -> 22 but without this new feature, it - also opens port 22 directly. - - To use this feature, you must be running Shorewall-perl and the - output of 'shorewall show capabilities' must show: - - Extended Connection Tracking Match Support: Available - -New Features in Shorewall 4.2. - -1) Shorewall 4.2 contains support for multiple Internet providers - through a single ethernet interface. Configuring two providers - through a single interface differs from two providers through two - interfaces in several ways. - - a) Only ethernet (or ethernet-like) interfaces can be used. For - inbound traffic, the MAC addresses of the gateway routers is used - to determine which provider a packet was received through. Note - that only routed traffic can be categorized using this technique. - - b) You must specify the address on the interface that corresponds to - a particular provider in the INTERFACE column by following the - interface name with a colon (":") and the address. 
- - c) Entries in /etc/shorewall/masq must be qualified by the provider - name (or number). - - d) This feature requires Realm Match support in your kernel and - iptables. If you use a capabilities file, you need to regenerate - the file with Shorewall 4.2 or Shorewall-lite 4.2. - - e) You must add route_rules entries for networks that are accessed - through a particular provider. - - f) If you have additional IP addresses through either provider, - you must add route_rules to direct traffic FROM each of those - addresses through the appropriate provider. - - g) You must add MARK rules for any traffic that you know originates - from a particular provider. - - Example: - - Providers Blarg (1) and Avvanta (2) are both connected to - eth0. The firewall's IP address with Blarg is 206.124.146.176/24 - (gateway 206.124.146.254) and the IP address from Avvanta is - 130.252.144.8/24 (gateway 130.252.144.254). We have a second IP - address (206.124.146.177) from Blarg. - - /etc/shorewall/providers: - - #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY - Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ... - Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ... - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - eth0(Blarg) 130.252.144.8 206.124.146.176 - eth0(Avvanta) 206.124.146.176 130.252.144.8 - eth0(Blarg) eth1 206.124.146.176 - eth0(Avvanta) eth1 130.252.144.8 - - /etc/shorewall/route_rules: - - #SOURCE DEST PROVIDER PRIORITY - - 206.124.146.0/24 Blarg 1000 - - 130.252.144.0/24 Avvanta 1000 - 206.124.146.177 - Blarg 26000 - - /etc/shorewall/tcrules - - #MARK/CLASSIFY SOURCE DEST - 1 eth0:206.124.146.0/24 0.0.0.0/0 - 2 eth0:130.242.144.0/24 0.0.0.0/0 - -2) You may now include the name of a table (nat, mangle or filter) in - a 'shorewall refresh' command by following the table name with a - colon (e.g., mangle:). This causes all non-builtin chains in the - table to be reloaded. 
- - Example: - - shorewall refresh nat: - -3) When no chain name is given to the 'shorewall refresh' command, the - mangle table is refreshed along with the blacklist chain (if - any). This allows you to modify /etc/shorewall/tcrules and install - the changes using 'shorewall refresh'. - -4) Support for the NFLOG log target has been added. NFLOG is a - successor to ULOG. In addition, both ULOG and NFLOG may be followed - by a list of up to three numbers in parentheses. - - The first number specifies the netlink group (1-32). If omitted - (e.g., NFLOG(,0,10)) then a value of 1 is assumed. - - The second number specifies the maximum number of bytes to copy. If - omitted, 0 (no limit) is assumed. - - The third number specifies the number of log messages that should - be buffered in the kernel before they are sent to user space. The - default is 1. - - Examples: - - /etc/shorewall/shorewall.conf: - - MACLIST_LOG_LEVEL=NFLOG(1,0,1) - - /etc/shorewall/rules: - - ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 - -5) Shorewall-perl 4.2 implements an alternative syntax for macro - parameters and for the NFQUEUE queue number. Rather than following - the macro name (or NFQUEUE) with a slash ("/") and the parameter, - the parameter may be enclosed in parentheses. - - Examples -- each pair shown below are equivalent: - - DNS/ACCEPT DNS(ACCEPT) - NFQUEUE/3 NFQUEUE(3) - - The old syntax will still be accepted but will cease to be documented - in some future Shorewall release. - -6) Shorewall 4.2 contains enhanced operational logging capabilities - through a set of related enhancements to Shorewall-common and - Shorewall-perl. The enhancements are not supported by - Shorewall-shell nor are they supported by Shorewall-lite except - when the script is compiled using Shorewall-perl. - - a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives - the name of the Shorewall operational log. The log will be - created if it does not exist. 
- - b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives - the verbosity at which logging will occur. It uses the same - value range as VERBOSITY: - - -1 Do not log - 0 Almost quiet - 1 Only major steps - 2 Verbose - - c) An absolute VERBOSITY may be specified on the command line - using the -v option followed by -1,0,1 or 2. - - Example: - - shorewall -v2 check - - d) The /etc/init.d/shorewall script supplied with the - shorewall.net packages sets '-v0' as the default. This may be - overridden with the OPTIONS setting in /etc/defaults/shorewall or - /etc/sysconfig/shorewall. - - Logging occurs on both Shorewall-perl and the generated script when - the following commands are issued: - - start - restart - refresh - - Messages in the log are always timestamped. - - This change implemented two new options to the Shorewall-perl - compiler (/usr/share/shorewall-perl/compiler.pl). - - --log= - --log_verbosity={-1|0-2} - - The --log option is ignored when --log_verbosity is not supplied or - is supplied with value -1. - - To avoid a proliferation of parameters to - Shorewall::Compiler::compile(), that function has been changed to - use named parameters. Parameter names are: - - object Object file. If omitted or '', the - configuration is syntax checked. - directory Directory. If omitted or '', configuration - files are located using - CONFIG_PATH. Otherwise, the directory named by - this parameter is searched first. - verbosity Verbosity; range -1 to 2 - timestamp 0|1 -- timestamp messages. - debug 0|1 -- include stack trace in warning/error - messages. - export 0|1 -- compile for export. - chains List of chains to be reloaded by 'refresh'. - log File to log compiler messages to. - log_verbosity Log Verbosity; range -1 to 2. - - Those parameters that are supplied must have defined values. 
- - Defaults are: - - object '' ('check' command) - directory '' - verbosity 1 - timestamp 0 - debug 0 - export 0 - chains '' - log '' - log_verbosity -1 - - - Example: - - use lib '/usr/share/shorewall-perl/'; - use Shorewall::Compiler; - - compiler( object => '/root/firewall', - log => '/root/compile.log', - log_verbosity => 2 ); - -7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero - mark values < 256 to be assigned in the OUTPUT chain. This has been - changed so that only high mark values may be assigned - there. Packet marking rules for traffic shaping of packets - originating on the firewall must be coded in the POSTROUTING chain. - -8) Previously, Shorewall did not range-check the value of the - VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2: - - a) A VERBOSITY setting outside the range -1 through 2 is rejected. - b) After the -v and -q options are applied, the resulting value is - adjusted to fall within the range -1 through 2. - -9) The tcdevices file has been extended to include an OPTIONS - column. Currently only a single option is defined. - - classify When specified, you must use explicit CLASSIFY tcrules - to classify traffic by class. Shorewall will not create - any CLASSIFY rules to classify traffic by mark value. - - See http://www.shorewall.net/traffic_shaping.htm for further - information. - -10) COMMENT lines are now supported in macro bodies by Shorewall-perl - and are ignored by the Shorewall-shell compiler. - - COMMENT lines in macros work slightly differently from COMMENT - lines in other files. COMMENT lines in macros are ignored if - COMMENT support is not available or if there was a COMMENT in use - when the top-level macro was invoked. 
This allows the - following: - - /etc/shorewall/macro.SSH: - - #ACTION SOURCE PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - COMMENT My SSH Macro - PARAM - - tcp 22 - - /etc/shorewall/rules: - - COMMENT Allow SSH from home - SSH/ALLOW net:$MYIP $FW - COMMENT - - The comment line in macro.SSH will not override the - COMMENT line in the rules file and the generated rule will show - - /* Allow SSH from home */ - - when displayed through the Shorewall show and dump commands. - - If a macro is invoked and there is no current comment, then the - name of the macro automatically becomes the current comment. This - makes macros self-commenting. - -11) If the program named in SHOREWALL_SHELL doesn't exist or is not - executable, Shorewall and Shorewall-lite now both fall back to - /bin/sh after issuing a warning message. Previously, both - terminated with a fatal error. - -12) Shorewall-perl now generates fatal error conditions if there are - no IPv4 zones defined or there are no interfaces defined. - -13) Shorewall now unconditionally uses tc filter rules to classify - traffic by MARK value. Previously, Shorewall used the CLASSIFY - target in the POSTROUTING chain if it was available. - -14) The Shorewall installers (install.sh) now work on Windows - under Cygwin. By default, they install under the user id and group - of the person doing the install. This can be overridden by - specifying OWNER and GROUP explicitly. - - Example: - - OWNER=foo GROUP=bar ./install.sh - - To install Shorewall-perl under Cygwin: - - $ tar -zxf shorewall-perl-4.x.y.tar.bz2 - $ tar -zxf shorewall-common-4.x.y.tar.bz2 - $ cd shorewall-perl-4.x.y - $ ./install.sh - $ cd ../shorewall-common-4.x.y - $ ./install.sh - - The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/). - -15) When installing on Cygwin, /etc/shorewall is no longer fully - populated. Rather, only the shorewall.conf and params files are - installed. 
As always, the full configuration file set is installed - in /usr/share/shorewall/configfiles. - -16) Specifying a destination zone in a NAT-only rule now generates a - warning and the destination zone is ignored. NAT-only rules are: - - NONAT - REDIRECT- - DNAT- - -17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a - comma-separated list of interface names where before only a single - interface name could be listed (Shorewall-perl only). - - This feature is not for beginners. It iterates over the - list of interfaces, substituting each interface in place of the - list and processing the resulting entry according to the semantics - of earlier Shorewall versions. If you don't know where to use this, - don't try. - - Example 1: - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - eth0,eth1 eth2 1.2.3.4 - - equivalent to: - - #INTERFACE SOURCE ADDRESS - eth0 eth2 1.2.3.4 - eth1 eth2 1.2.3.4 - - Example 2: - - /etc/shorewall/masq: - - #INTERFACE SOURCE ADDRESS - eth0,eth1::192.168.1.0/24 eth2 1.2.3.4 - - equivalent to: - - #INTERFACE SOURCE ADDRESS - eth0::192.168.1.0/24 eth2 1.2.3.4 - eth1::192.168.1.0/24 eth2 1.2.3.4 - - Example 3: - - /etc/shorewall/nat: - - #EXTERNAL INTERFACE INTERNAL - 206.124.146.178 eth0,wlan0 192.168.1.3 - - equivalent to: - - #EXTERNAL INTERFACE INTERNAL - 206.124.146.178 eth0 192.168.1.3 - 206.124.146.178 wlan0 192.168.1.3 - -18) Previously, the INTERFACE name used in the masq, nat and netmap - files had to exactly match the name of an interface from the - interfaces file. Beginning with Shorewall-perl 4.1.4, the - interface may loosely match a wildcard entry in the interfaces - file. - - Example: - - /etc/shorewall/interfaces: - - vpn tun+ - - /etc/shorewall/masq: - - tun1 192.168.4.0/24 - -19) Previously, Shorewall classified non-firewall zones as either - 'simple' or 'complex'. 
Attributes of a zone which made it 'complex' - included: - - - The zone was of type 'ipsec' or 'ipsec4' or it had a hosts - entry with the 'ipsec' options. - - The zone had OPTIONS, IN OPTIONS or OUT OPTIONS - - The zone had more than one network on a given interface - - The zone had a hosts file entry with an exclusion. - - The zone had a hosts file entry specifying an ipset. - - The handling of 'simple' and 'complex' zones was different. - - - complex zones had their own 'forward' chain (named - '_frwd'). - - complex zones with exclusions had their own 'input' and - 'output' chains. - - Beginning with Shorewall-perl 4.2, all non-firewall zones will be - treated as 'complex'. This will have the effect of one additional - filter chain per zone but in most cases, the average number of - filter rules traversed by a connection request will be reduced. - -20) The need for interface-specific chains (such as eth0_in, eth4_fwd, - etc.) in the filter table has been drastically reduced. This has - the effect of reducing the average number of rules that each packet - must traverse. - -21) The default value for LOG_MARTIANS is now 'Yes' ('On' in - Shorewall-perl). Previously, the default value was 'No' ('Off' in - Shorewall-perl). The shorewall.conf file has also been - updated to specify a value of 'Yes' (which is interpreted as 'On' - by Shorewall-perl). - -22) Shorewall-perl now generates an error when a MAC address appears in - a traffic shaping rule in the OUTPUT or POSTROUTING chains. - -23) Macros are now self-commenting under control of a new AUTO_COMMENT - option in shorewall.conf. When this option is set, if there is not - a current comment when a macro is invoked, the behavior under - Shorewall-perl is as if the first line of the macro file was - "COMMENT ". - - So, if you have this rule: - - SSH/ACCEPT loc fw - - then the generated netfilter rule will include "/* SSH */" when - viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall - dump'. 
- - The AUTO_COMMENT option has a default value of 'Yes' and is only - available under Shorewall-perl. The option is ignored by - Shorewall-shell. - -24) The default value for the IMPLICIT_CONTINUE option has been changed - to 'No'. - -25) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP - port 1701 in both directions and assumes that the source port will - also be 1701. Some implementations (particularly OS X) use a - different source port. In that case, you should use - 'generic:udp:1701' rather than 'l2tp'. - -26) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files - have undergone some changes, especially when the 'classify' option - has been specified. - - Normally Shorewall assigns interface numbers sequentially to - devices listed in /etc/shorewall/tcdevices. Beginning with - Shorewall 4.1.6, you can explicitly specify inteface numbers by - prefixing the interface name with the interface number and a colon: - - Example: - - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS - 1:eth0 1300kbit 384kbit classify - 2:eth1 5600kbit 1000kbit - - In /etc/shorewall/tcclasses: - - a) You can specify the INTERFACE using either the interface name - or interface number. - - b) classes associated with devices which have the 'classify' - option _must_ specify a class number by following the interface - name/number with a colon (":") and the class number. The same - class number may be used for classes defined on different - interfaces but a class number may not be the same as any - interface number. - - A class number may be specified when 'classify' has not been - specified for the associated device. When a class number has not - been given, the default class number remains the mark value - prefixed by "1". - -27) Shorewall now supports Intermediate Functional Block (IFB) devices. - These devices allow shaping of incoming traffic. - - The 'ifb' module is available in the kernels included with today's - distributions. 
You must load the module manually: - - If your distribution has modprobe: - - modprobe ifb [ numifbs= ] - - Otherwise: - - insmod /ifb.ko [ numifbs= ] - - By default, the module automatically creates two IFB devices (ifb0 - and ifb1). To create only one, specify 'numifbs=1'. - - Example: - - ursa:~ # modprobe ifb numifbs=1 - ursa:~ # ip link ls - 1: lo: mtu 16436 qdisc noqueue - link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 - 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 - link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff - 3: wlan0: mtu 1500 qdisc pfifo_fast qlen 1000 - link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff - 4: ifb0: mtu 1500 qdisc noop qlen 32 - link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff - ursa:~ # - - After you have created the IFB(s), you must bring it(them) up: - - ip link set dev ifb0 up - - You can place all of this in /etc/shorewall/init as follows: - - modprobe ifb numifbs=1 - ip link set dev ifb0 up - - The /etc/shorewall/tcdevices file has been extended to include an - additional REDIRECTED DEVICES column. To convert your configuration - to use an IFB: - - a) Look at your current /etc/shorewall/tcdevices file. Suppose you - have: - - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS - eth0 1300kbit 384kbit - - - Change it as follows: - - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED - # DEVICES - eth0 - 384kkbit - - ifb0 - 1300kbit - eth0 - - Note that the old IN-BANDWIDTH for eth0 has become the - OUT-BANDWIDTH for ifb0 and that neither device has an - IN-BANDWIDTH in the new configuration. - - Finally note that eth0 has been specified as a REDIRECTED device - for the IFB. - - b) There are no Netfilter hooks between the real device (eth0) and - the IFB (ifb0). So tcrules cannot be used to specify shaping of - traffic leaving the IFB. To allow that traffic to be classified, - a new /etc/shorewall/tcfilters file has been added. - - /etc/shorewall/tcfilters can be used for classifying traffic on - any interface. 
When using entries in that file, it is important - to realize that those entries act on packets as they appear 'on - the wire'. That means that on output, SNAT/MASQUERADE has been - applied and on input (output to an IFB), DNAT has not yet been - applied. - - Columns in the file are: - - INTERFACE:CLASS - - The interface name or number followed by a colon (":") - and the class number. - - SOURCE - Source IP address. May be a host or network address. - Specify "-" if any SOURCE address should match. - - DEST - Destination IP address. May be a host or network - address. Specify "-" if any DEST address should match. - - PROTO - Protocol Name/Number. Specify "-" if any PROTO should - match. - - DEST PORT(S) - A comma-separated list of destination ports. May only - be given if the PROTO is tcp, udp, icmp or - sctp. Port ranges may be used, except when the PROTO is - icmp. Specify "-" if any PORT should match. - - SOURCE PORT(S) - A comma-separated list of source port. May only be - given if the PROTO is tcp, udp or sctp. Port ranges - may be used unless the protocol is icmp. Specify "-" if - any PORT should match. - - Entries in /etc/shorewall/tcfilters generate U32 tc filters which - may be displayed using the "shorewall show filters" ("shorewall-lite - show filters") command. Note: The 'show filters' command is an - alias for the existing 'show classifiers' command. - - Note that /etc/shorewall/tcfilters provides a usable alternative to - HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers - and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules) - for traffic shaping. - -28) If an interface fails when using balanced multi-ISP routing, the - default route is lost. If there are remaining working interfaces - with dynamic gateway addresses, Shorewall will be unable to - determine those gateways. 
- - Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script - may participate in gateway detection by setting variables with - pre-determined names as follows: - - _GATEWAY - - where is the interface name: - - - in upper case - - with any characters not allowed in shell variable names - replaced by '_'. - - Example (from OpenWRT): - - Interface: eth0.1 - Variable: ETH0_1_GATEWAY - /etc/shorewall/init: - - ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway) - -29) A new CONNBYTES column has been added to the tcrules file. The - column defines a byte or packet range that the connection must fall - within in order for the rule to match. The contents are: - - [!]:[[:{O|R|B}[:{B|P|A}]]] - - ! matches if the the packet/byte count is not within the range - defined by and . - - is an integer which defines the beginning of the byte/packet - range. - - is an integer which defines the end of the byte/packet range. - If omitted, only the beginning of the range is checked. - - The first letter gives the direction which the range refers to: - - O - The original direction of the connection. - R - The opposite direction from the original connection. - B - The total of both directions. - - If omitted, 'B' is assumed. - - The second letter determins what the range refers to. - - B - Bytes - P - Packets - A - Average packet size. - - If omitted, 'B' is assumed. - - Examples: - - 1000000: - Connection has transferred a total of - at least 1,000,000 bytes. - - 1000000::R - Connection has transferred at least - 1,000,000 bytes in the direction opposite - of the original direction (typical of a - large download). - - 1000000::O:P - Connection has sent at least 1,000,000 - packets in the direction of the original - connection. - -30) A new MANGLE_ENABLED option is added to shorewall.conf. The default - setting is 'Yes' which causes Shorewall to assume responsibility for - the Netfilter mangle table. 
- - When MANGLE_ENABLED is set to 'No', Shorewall assumes no - responsibility for that table. In this setting: - - a) Shorewall doesn't alter the mangle table. - b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be - set to 'No'. - c) The tcrules file is ignored. - d) The providers file must be empty. - e) All entries in tcdevices must specify the 'classify' option and - traffic classification may only occur using the tcfilters file. - - This allows for another application running on your firewall to - take over the mangle table and use it for it's own purposes. - -31) Shorewall-perl now supports an ORIGINAL DEST column in macro files. - The column must be left empty if the macro is to be used in the - body of an action. - - The new column is placed between the SOURCE PORT(S) and RATE LIMIT - columns. So that Shorewall-perl can determine which column layout - each macro has, a new FORMAT directive is added: - - FORMAT {1|2} - - The default is FORMAT 1 which is the old format. FORMAT 2 specifies - that the macro is in the new format. - -32) Shorewall-perl implements a new Rfc1918 macro that deals with - RFC 1918 addresses. This macro should be used in place of - the 'norfc1918' interface option which is deprecated. - - The macro body is: - - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ - # PORT(S) PORT(S) DEST LIMIT GROUP - FORMAT 2 - PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ - DEST - - - - - - - PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - The 'norfc1918' option on the interface associated with zone 'z' - and with RFC1018_STRICT=Yes is equivalent to: - - Rfc1918(DROP) z all - -33) A better way to perform RFC 1918 filtration is to null-route the - address ranges reserved by RFC 1918. You can do that by setting the - new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf. 
- - It is highly recommended that you also set ROUTE_FILTER=Yes to get - Martian messages. These will help diagnose problems where you need - to be able to access hosts with RFC 1918 addresses that are outside - of your local networks. Sometimes, these can be subtle such as the - case where your ISP is using RFC 1918 addresses on their DHCP - servers. - - NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by - Shorewall-perl; Shorewall-shell ignores the option. - -34) There is now a macro.SANE which supports network-attached - scanners. Shorewall now automatically loads the sane connection - tracking helper module. - - Thanks for this feature go to Tuomo Soini. - -35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall - would enable ip forwarding before instantiating the rules. This - could lead to incorrect connection tracking entries being created - between the time that forwarding was enabled and when the nat table - rules were instantiated. - - Beginning with Shorewall 4.0.11 and 4.1.7, enabling of forwarding - is deferred until after the rules are in place. - -36) When using Shorewall-perl, the CEIL and RATE columns must now - contain arithmetic expressions consisting of: - - a) Numeric digits (Hex numbers not allowed). - b) Parentheses. - c) The arithmetic operators +-* and /. - d) The word 'full'. - -37) The installers (install.sh) now auto-detect a Cygwin environment - and install under the current user's ID if OWNER and GROUP are not - given. - -38) The 'start' and 'restart' commands now support a '-p' (purge) - option which cause all entries to be removed from the Netfilter - conntrack table. In order to use this option, the 'conntrack' - utility must be installed on your system. Although it is generally - not installed by default, Most distributions have this utility in - their repositories. - -39) A 'save' extension script is added. The script is run after - iptables-save has completed successfully. 
- - The 'load' and 'reload' commands copy the save script (if any) to - /etc/shorewall-lite/ on the remove firewall system. The 'export' - command copies the file to the same directory as the 'firewall' and - 'firewall.conf' scripts. - - I have the following commands in my 'save' script: - - [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup - ipset -S > /root/ipsets.save - - These commands complement my 'init' script: - - qt modprobe ifb numifbs=1 - qt ip link set dev ifb0 up - - if [ "$COMMAND" = start ]; then - ipset -U :all: :all: - ipset -U :all: :default: - ipset -F - ipset -X - ipset -R < /root/ipsets.save - fi - - Those two scripts allow me to save and restore the contents of my - ipsets automatically under Shorewall-perl/Shorewall-lite (my - routestopped file does not use ipsets). - -40) A HELPER column is included in the tcrules file. The value in this - column names one of the Netfilter protocol 'helper' module sets - (ftp, sip, amanda, etc). - - See http://www.shorewall.net/traffic_shaping.htm for an example. - -41) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. - -42) Farkas Levante has contributed a macro.Mail macro that covers SMTP, - SMTPS and submission. - -43) Beginning with Shorewall 4.0.0, the -f option was no longer the - default for '/etc/init.d/shorewall start'. Beginning with 4.0.13 - and 4.2.0-Beta3, this is also true for Shoreawall-lite. - -44) A new USE_DEFAULT_RT option has been added to shorewall.conf. When - set to 'Yes', it causes the Shorewall multi-ISP feature to create - a different set of routing rules which are resilient to changes in - the main routing table. Such changes can occur for a number of - reasons, VPNs going up and down being an example. - - The idea is to send packets through the main table prior to - applying any of the Shorewall-generated routing rules. So changes - to the main table will affect the routing of packets by default. 
- - When USE_DEFAULT_RT=Yes: - - a) Both the DUPLICATE and the COPY columns in the providers file - must remain empty (or contain "-"). - - b) The default route is added to the the 'default' table rather - than to the main table. - - c) 'balance' is assumed unless 'loose' is specified. - - d) Packets are sent through the main routing table by a rule with - priority 999. In /etc/shorewall/routing_rules, the range 1-998 - may be used for inserting rules that bypass the main table. - - e) All provider gateways must be specified explicitly in the - GATEWAY column. 'detect' may not be specified. - - f) You should disable all default route management outside of - Shorewall. If a default route is added to the main table while - Shorewall is started, then all policy routing will stop working - (except for those routing rules in the priority range 1-998). - -45) The 'shorewall restart' command now supports an -f option. When - this option is specified, no compilation occurs; rather, the script - which last started or restarted Shorewall is used. - -46) A macro supporting RNDC (BIND remote management protocol) traffic - has been added. It can be used as any other macro (e.g., RNDC/ACCEPT) - in the rules file. - -47) If 'NONAT' is specified in the ADDRESS column of an entry in - /etc/shorewall/masq, then traffic matching that entry is not - passed to the entries that follow. - diff --git a/Shorewall-common-IPv6-Aborted/rfc1918 b/Shorewall-common-IPv6-Aborted/rfc1918 deleted file mode 100644 index abdfc2825..000000000 --- a/Shorewall-common-IPv6-Aborted/rfc1918 +++ /dev/null @@ -1,9 +0,0 @@ -# -# Shorewall version 4 - Rfc1918 File -# -############################################################################### -#SUBNETS TARGET -172.16.0.0/12 logdrop # RFC 1918 -192.168.0.0/16 logdrop # RFC 1918 -10.0.0.0/8 logdrop # RFC 1918 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Shorewall-common-IPv6-Aborted/route_rules b/Shorewall-common-IPv6-Aborted/route_rules
deleted file mode 100644
index 53ae2c76b..000000000
--- a/Shorewall-common-IPv6-Aborted/route_rules
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - route_rules File
-#
-# For information about entries in this file, type "man shorewall-route_rules"
-#
-# For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE DEST PROVIDER PRIORITY
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/routestopped b/Shorewall-common-IPv6-Aborted/routestopped
deleted file mode 100644
index 91fb28c9c..000000000
--- a/Shorewall-common-IPv6-Aborted/routestopped
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Routestopped File
-#
-# For information about entries in this file, type "man shorewall-routestopped"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-routestopped.html
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-###############################################################################
-#INTERFACE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/rules b/Shorewall-common-IPv6-Aborted/rules
deleted file mode 100644
index dbfe994cc..000000000
--- a/Shorewall-common-IPv6-Aborted/rules
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
-# PORT PORT(S) DEST LIMIT GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/shorewall b/Shorewall-common-IPv6-Aborted/shorewall
deleted file mode 100755
index 1d93b47ab..000000000
--- a/Shorewall-common-IPv6-Aborted/shorewall
+++ /dev/null
@@ -1,2014 +0,0 @@ -#!/bin/sh -# -# Shorewall Packet Filtering Firewall Control Program - V4.2 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall. -# -# Shorewall documentation is available at http://www.shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# The firewall uses configuration files in /etc/shorewall/ - skeleton -# files are included with the firewall. 
-# -# Commands are: -# -# shorewall add [:] zone Adds a host or subnet to a zone -# shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall dump Dumps all Shorewall-related information -# for problem analysis -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and -# byte counts -# shorewall clear Open the floodgates by -# removing all iptables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall refresh Rebuild the common chain to -# compensate for a change of -# broadcast address on any "detect" -# interface. -# shorewall [re]load [ ] -# Compile a script and install it on a -# remote Shorewall Lite system. -# shorewall show [ ... ] Display the rules in each listed -# shorewall show actions Displays the available actions -# shorewall show log Print the last 20 log messages -# shorewall show connections Show the kernel's connection -# tracking table -# shorewall show nat Display the rules in the nat table -# shorewall show {mangle|tos} Display the rules in the mangle table -# shorewall show tc Display traffic control info -# shorewall show classifiers Display classifiers -# shorewall show capabilities Display iptables/kernel capabilities -# shorewall show vardir Display the VARDIR setting. -# shorewall version Display the installed version id -# shorewall check [ -e ] [ ] Dry-run compilation. -# shorewall try [ ] Try a new configuration and if -# it doesn't work, revert to the -# standard one. If a timeout is supplied -# the command reverts back to the -# standard configuration after that many -# seconds have elapsed after successfully -# starting the new configuration. -# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall drop
... Temporarily drop all packets from the -# listed address(es) -# shorewall reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall -# restore' can be used. -# -# shorewall forget [ ] Discard the data saved by 'shorewall save' -# -# shorewall restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall ipaddr {
/ |
} -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# shorewall ipdecimal {
| } -# -# Displays the decimal equivalent of an IP -# address and vice versa. -# -# shorewall safe-start [ ] Starts the firewall and promtp for a c -# confirmation to accept or reject the new -# configuration -# -# shorewall safe-restart [ ] Restarts the firewall and prompt for a -# confirmation to accept or reject the new -# configuration -# -# shorewall compile [ -e ] [ ] -# Compile a firewall program file. - -# -# Set the configuration variables from shorewall.conf -# -# $1 = Yes: read the params file -# $2 = Yes: check for STARTUP_ENABLED -# $3 = Yes: Check for LOGFILE -# -# -get_config() { - - ensure_config_path - - if [ "$1" = Yes ]; then - params=$(find_file params) - - if [ -f $params ]; then - . $params - fi - fi - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi - else - echo "$config does not exist!" >&2 - exit 2 - fi - - ensure_config_path - - if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then - # - # This block is avoided for compile for export and when the user isn't root - # - export CONFIG_PATH - - if [ "$3" = Yes ]; then - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if [ -n "$(syslog_circular_buffer)" ]; then - LOGREAD="logread | tac" - elif [ -f $LOGFILE ]; then - LOGREAD="tac $LOGFILE" - else - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - fi - - if [ -n "$IPTABLES" ]; then - if [ ! 
-x "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IPTABLES=$(mywhich iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 - fi - fi - - export IPTABLES - - # - # Compile by non-root needs no restore file - # - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - export RESTOREFILE - - if [ "$2" = Yes ]; then - case $STARTUP_ENABLED in - No|no|NO) - echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2 - exit 2 - ;; - Yes|yes|YES) - ;; - *) - if [ -n "$STARTUP_ENABLED" ]; then - echo " ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2 - exit 2 - fi - ;; - esac - fi - - case ${TC_ENABLED:=Internal} in - No|NO|no) - TC_ENABLED= - ;; - esac - - [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - - [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" - - export LOGFORMAT - - if [ -n "$STARTUP_LOG" ]; then - if [ -n "$LOG_VERBOSITY" ]; then - case $LOG_VERBOSITY in - -1) - ;; - 0|1|2) - ;; - *) - echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2 - exit 2; - ;; - esac - else - LOG_VERBOSITY=2; - fi - else - LOG_VERBOSITY=-1; - fi - - else - STARTUP_LOG= - LOG_VERBOSITY=-1 - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! 
-x "$SHOREWALL_SHELL" ]; then - echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 - SHOREWALL_SHELL=/bin/sh - fi - fi - - case $VERBOSITY in - -1|0|1|2) - ;; - *) - if [ -n "$VERBOSITY" ]; then - echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2 - exit 2 - else - VERBOSITY=2 - fi - ;; - esac - - [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY)) - - if [ $VERBOSE -lt -1 ]; then - VERBOSE=-1 - elif [ $VERBOSE -gt 2 ]; then - VERBOSE=2 - fi - - export VERBOSE - - [ -n "${HOSTNAME:=$(hostname)}" ] - - [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}' - [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' - - case $MANGLE_ENABLED in - Yes|yes) - ;; - No|no) - MANGLE_ENABLED= - ;; - *) - if [ -n "$MANGLE_ENABLED" ]; then - echo " ERROR: Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" >&2 - exit 2 - fi - ;; - esac -} - -# -# Run the appropriate compiler -# -compiler() { - local sc - sc=${SHELLSHAREDIR}/compiler - local pc - pc=${PERLSHAREDIR}/compiler.pl - - startup_error() { - echo " ERROR: $@" >&2 - exit 1 - } - - local command - command=$1 - - shift - - if [ $(id -u) -ne 0 ]; then - if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then - startup_error "Ordinary users may not compile the /etc/shorewall configuration" - fi - fi - # - # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH - # - ensure_config_path - - compiler= - haveparams= - - if [ -n "$SHOREWALL_COMPILER" ]; then - compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line - elif [ -x $sc ]; then - if [ ! -x $pc ]; then - compiler=shell - fi - elif [ -x $pc ]; then - compiler=perl - else - fatal_error "No shorewall compiler installed" - fi - - if [ -z "$compiler" ]; then - # - # Both compilers installed. 
Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER - # - if [ -n "$SHOREWALL_DIR" ]; then - shell=$SHOREWALL_SHELL - - [ -x $pc ] && set -a - run_user_exit params - set +a - haveparams=Yes - - get_config No No No - - SHOREWALL_SHELL=$shell - fi - # - # And initiate the appropriate compiler - # - if [ -n "$SHOREWALL_COMPILER" ]; then - compiler="$SHOREWALL_COMPILER" - elif [ -x $sc ]; then - compiler=shell - else - compiler=perl - fi - fi - - case $COMMAND in - *start|try|refresh) - ;; - *) - STARTUP_LOG= - LOG_VERBOSITY=-1 - ;; - esac - - [ $command = exec ] || command= - - case "$compiler" in - perl) - debugflags="-w" - [ -n "$DEBUG" ] && debugflags='-wd' - [ -n "$PROFILE" ] && debugflags='-wd:DProf' - - # Perl compiler only takes the output file as a argument - - [ "$1" = debug -o "$1" = trace ] && shift; - [ "$1" = nolock ] && shift; - shift - - options="--verbose=$VERBOSE" - [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" - [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; - [ -n "$EXPORT" ] && options="$options --export" - [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR" - [ -n "$TIMESTAMP" ] && options="$options --timestamp" - [ -n "$TEST" ] && options="$options --test" - [ "$debugging" = trace ] && options="$options --debug" - [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS" - [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" - # - # Run the appropriate params file - # - if [ -z "$haveparams" ]; then - set -a; - run_user_exit params - set +a - fi - - $command perl $debugflags $pc $options $@ - ;; - shell) - [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed" - [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains" - $command $SHOREWALL_SHELL $sc $@ - ;; - *) - 
startup_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" - ;; - esac -} - -# -# Start Command Executor -# -start_command() { - local finished - finished=0 - - do_it() { - local rc - rc=0 - - progress_message3 "Compiling..." - - if compiler run $debugging $nolock compile ${VARDIR}/.start; then - [ -n "$nolock" ] || mutex_on - ${VARDIR}/.start $debugging start - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - logger -p kern.err "ERROR:Shorewall start failed" - fi - - exit $rc - } - - if shorewall_is_started; then - error_message "Shorewall is already running" - exit 0 - fi - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - d*) - DEBUG=Yes - option=${option#d} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - PURGE=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - export NOROUTES - export PURGE - - if [ -n "$FAST" ]; then - if qt mywhich make; then - # - # RESTOREFILE is exported by get_config() - # - make -qf ${CONFDIR}/Makefile || FAST= - fi - - if [ -n "$FAST" ]; then - - RESTOREPATH=${VARDIR}/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - if [ -x ${RESTOREPATH}-ipsets ]; then - echo Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - iptables -F - iptables -X - $SHOREWALL_SHELL ${RESTOREPATH}-ipsets - fi - - echo Restoring Shorewall... - $SHOREWALL_SHELL $RESTOREPATH restore - date > ${VARDIR}/restarted - progress_message3 Shorewall restored from $RESTOREPATH - else - do_it - fi - else - do_it - fi - else - do_it - fi -} - -# -# Compile Command Executor -# -compile_command() { - local finished - finished=0 - - while [ $finished -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -*) - shift - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - e*) - EXPORT=Yes - option=${option#e} - ;; - p*) - PROFILE=Yes - option=${option#p} - ;; - C) - [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$1 - option= - shift - ;; - t*) - TEST=Yes - option=${option#t} - ;; - d*) - DEBUG=Yes; - option=${option#d} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - ;; - *) - finished=1 - ;; - esac - done - - file= - - case $# in - 1) - file=$1 - [ -d $file ] && echo " ERROR: $file is a directory" >&2 && exit 2; - ;; - 2) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - export SHOREWALL_DIR - file=$2 - ;; - *) - usage 1 - ;; - esac - - export EXPORT - - progress_message3 "Compiling..." - - compiler exec $debugging compile $file -} - -# -# Check Command Executor -# -check_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - e*) - EXPORT=Yes - option=${option#e} - ;; - p*) - PROFILE=Yes - option=${option#p} - ;; - d*) - DEBUG=Yes; - option=${option#d} - ;; - C) - [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - export EXPORT - - progress_message3 "Checking..." 
- - compiler exec $debugging $nolock check -} - -# -# Restart Command Executor -# -restart_command() { - local finished - finished=0 - local rc - rc=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - d*) - DEBUG=Yes - option=${option#d} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - p*) - [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" - PURGE=Yes - option=${option%p} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! -d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - [ -n "$FAST" ] && fatal_error "Directory may not be specified with the -f option" - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - export NOROUTES - export PURGE - - if [ -z "$FAST" ]; then - progress_message3 "Compiling..." - - if compiler run $debugging $nolock compile ${VARDIR}/.restart; then - [ -n "$nolock" ] || mutex_on - $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - logger -p kern.err "ERROR:Shorewall restart failed" - fi - else - [ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found" - [ -n "$nolock" ] || mutex_on - $SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart - rc=$? 
- [ -n "$nolock" ] || mutex_off - fi - - return $rc -} - -# -# Refresh Command Executor -# -refresh_command() { - local finished - finished=0 - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - if [ $# -gt 0 ]; then - REFRESHCHAINS=$1 - shift - - while [ $# -gt 0 ]; do - REFRESHCHAINS="$REFRESHCHAINS,$1" - shift - done - fi - - shorewall_is_started || fatal_error "Shorewall is not running" - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - export NOROUTES - - progress_message3 "Compiling..." - - if compiler run $debugging $nolock compile ${VARDIR}/.refresh; then - [ -n "$nolock" ] || mutex_on - $SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh - rc=$? - [ -n "$nolock" ] || mutex_off - else - rc=$? - fi - - return $rc -} - -# -# Safe-start/safe-restart Command Executor -# -safe_commands() { - local finished - finished=0 - - # test is the shell supports timed read - read -t 0 junk 2> /dev/null - if [ $? -eq 2 -a ! -x /bin/bash ];then - echo "Your shell does not support a feature required to execute this command". - exit 2 - fi - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - ;; - 1) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - if shorewall_is_started; then - running=Yes - else - running= - fi - - if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then - # the command is safe-start but the firewall is already running - error_message "Shorewall is already started" - exit 0 - fi - - if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then - # the command is safe-start or shorewall is not started yet - command="start" - else - # the command is safe-restart and the firewall is already running - command="restart" - fi - - progress_message3 "Compiling..." - - if ! compiler run $debugging nolock compile ${VARDIR}/.$command; then - status=$? - exit $status - fi - - case $command in - start) - export RESTOREFILE=NONE - progress_message3 "Starting..." - ;; - restart) - export RESTOREFILE=.safe - RESTOREPATH=${VARDIR}/.safe - save_config - progress_message3 "Restarting..." - ;; - esac - - [ -n "$nolock" ] || mutex_on - - if ${VARDIR}/.$command $command; then - - echo -n "Do you want to accept the new firewall configuration? [y/n] " - - if read_yesno_with_timeout; then - echo "New configuration has been accepted" - else - if [ "$command" = "restart" ]; then - ${VARDIR}/.safe restore - else - ${VARDIR}/.$command clear - fi - - [ -n "$nolock" ] || mutex_off - - echo "New configuration has been rejected and the old one restored" - exit 2 - fi - - fi - - [ -n "$nolock" ] || mutex_off -} - -# -# 'try' Command Executor -# -try_command() { - local finished - finished=0 - local timeout - timeout= - - handle_directory() { - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $1 ]; then - if [ -e $1 ]; then - echo "$1 is not a directory" >&2 && exit 2 - else - echo "Directory $1 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $1) - export SHOREWALL_DIR - } - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - SHOREWALL_COMPILER=$2 - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 0) - usage 1 - ;; - 1) - handle_directory $1 - ;; - 2) - handle_directory $1 - timeout=$2 - case $timeout in - *[!0-9]*) - echo " ERROR: Invalid timeout ($timeout)" >&2; - exit 1 - ;; - esac - ;; - *) - usage 1 - ;; - esac - - [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - - if shorewall_is_started; then - running=Yes - else - running= - fi - - if [ -z "$running" ]; then - # shorewall is not started yet - command="start" - else - # the firewall is already running - command="restart" - fi - - progress_message3 "Compiling..." - - if ! compiler run $debugging $nolock compile ${VARDIR}/.$command; then - status=$? - exit $status - fi - - case $command in - start) - export RESTOREFILE=NONE - progress_message3 "Starting..." - ;; - restart) - export RESTOREFILE=.try - RESTOREPATH=${VARDIR}/.try - save_config - progress_message3 "Restarting..." 
- ;; - esac - - [ -n "$nolock" ] || mutex_on - - if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then - sleep $timeout - - if [ "$command" = "restart" ]; then - ${VARDIR}/.try restore - else - ${VARDIR}/.$command clear - fi - fi - - [ -n "$nolock" ] || mutex_off - - return 0 -} - -rsh_command() { - command="$*" - - eval $RSH_COMMAND -} - -rcp_command() { - files="$1" - destination=$2 - - eval $RCP_COMMAND -} - -# -# [Re]load command executor -# -reload_command() # $* = original arguments less the command. -{ - local verbose - verbose=$(make_verbose) - local file - file= - local capabilities - capabilities= - local finished - finished=0 - local saveit - saveit= - local result - local directory - local system - local getcaps - getcaps= - local root - root=root - local compiler - compiler= - - LITEDIR=/var/lib/shorewall-lite - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - s*) - saveit=Yes - option=${option#s} - ;; - c*) - getcaps=Yes - option=${option#c} - ;; - r) - [ $# -gt 1 ] || fatal_error "Missing Root User name" - root=$2 - option= - shift - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - compiler="-C $2" - option= - shift - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 1) - directory="." - system=$1 - ;; - 2) - directory=$1 - system=$2 - ;; - *) - usage 1 - ;; - esac - - litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') - - [ -n "$litedir" ] && LITEDIR=$litedir - - if [ -z "$getcaps" ]; then - SHOREWALL_DIR=$(resolve_file $directory) - ensure_config_path - capabilities=$(find_file capabilities) - [ -f $capabilities ] || getcaps=Yes - fi - - if [ -n "$getcaps" ]; then - if [ -f $directory/shorewall.conf ]; then - . 
$directory/shorewall.conf - ensure_config_path - fi - - progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then - fatal_error "ERROR: Capturing capabilities on system $system failed" - fi - fi - - file=$(resolve_file $directory/firewall) - - [ -n "$TIMESTAMP" ] && timestamp='-t' || timestamp= - - if shorewall $debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \ - progress_message3 "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \ - rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR} - then - save=$(find_file save); - - [ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/shorewall-lite/" && rcp_command $save /etc/shorewall-lite/ - - progress_message3 "Copy complete" - if [ $COMMAND = reload ]; then - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp restart" && \ - progress_message3 "System $system reloaded" || saveit= - else - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp start" && \ - progress_message3 "System $system loaded" || saveit= - fi - - if [ -n "$saveit" ]; then - rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp save" && \ - progress_message3 "Configuration on system $system saved" - fi - fi -} - -# -# Export command executor -# -export_command() # $* = original arguments less the command. 
-{ - local verbose - verbose=$(make_verbose) - local file - file= - local finished - finished=0 - local directory - local target - local compiler - compiler= - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - C) - [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" - compiler="-C $2" - option= - shift - ;; - *) - fatal_error "Unrecognized option \"$option\"" - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - case $# in - 1) - directory="." - target=$1 - ;; - 2) - directory=$1 - target=$2 - ;; - *) - fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)" - ;; - esac - - case $target in - *:*) - ;; - *) - target=$target: - ;; - esac - - file=$(resolve_file $directory/firewall) - - if shorewall $debugging $verbose compile -e $compiler $directory $directory/firewall && \ - echo "Copying $file and ${file}.conf to ${target#*@}..." && \ - scp $directory/firewall $directory/firewall.conf $target - then - save=$(find_file save); - - [ -f $save ] && progress_message3 "Copying $save to ${target#*}..." && rcp_command $save $target - - progress_message3 "Copy complete" - fi -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " - echo "where is one of:" - echo " add [:] ... " - echo " allow
..." - echo " check [ -e ] [ -C {shell|perl} ] [ ]" - echo " clear [ -f ]" - echo " compile [ -e ] [ -C {shell|perl} ] [ ] " - echo " delete [:] ... " - echo " drop
..." - echo " dump [ -x ]" - echo " export [ -C {shell|perl} ] [ ] [@][:]" - echo " forget [ ]" - echo " help" - echo " hits [ -t ]" - echo " ipcalc {
/ |
}" - echo " ipdecimal {
| }" - echo " iprange
-
" - echo " load [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " - echo " logdrop
..." - echo " logreject
..." - echo " logwatch []" - echo " refresh [ -C {shell|perl} ] [ ... ]" - echo " reject
..." - echo " reload [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " - echo " reset" - echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ ]" - echo " restore [ -n ] [ ]" - echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" - echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ ]" - echo " stop [ -f ]" - echo " status" - echo " try [ -C {shell|perl} ] [ ]" - echo " version [ -a ]" - echo " safe-start [ -C {shell|perl} ] [ ]" - echo " safe-restart [ -C {shell|perl} ] [ ]" - echo - exit $1 -} - -# -# Execution begins here -# -debugging= - -if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - debugging=$1 - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -SHOREWALL_DIR= -IPT_OPTIONS="-nv" -FAST= -VERBOSE_OFFSET=0 -USE_VERBOSITY= -NOROUTES= -PURGE= -EXPORT= -export TIMESTAMP= -noroutes= - -finished=0 - -while [ $finished -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -) - finished=1 - ;; - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - c) - [ $# -eq 1 ] && usage 1 - - if [ ! 
-d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$(resolve_file $2) - option= - shift - ;; - e*) - EXPORT=Yes - option=${option#e} - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - q*) - VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 )) - option=${option#q} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - v*) - option=${option#v} - case $option in - -1*) - USE_VERBOSITY=-1 - option=${option#-1} - ;; - 0*) - USE_VERBOSITY=0 - option=${option#0} - ;; - 1*) - USE_VERBOSITY=1 - option=${option#1} - ;; - 2*) - USE_VERBOSITY=2 - option=${option#2} - ;; - *) - VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 )) - USE_VERBOSITY= - ;; - esac - ;; - n*) - NOROUTES=Yes - option=${option#n} - ;; - t*) - TIMESTAMP=Yes - option=${option#t} - ;; - -) - finished=1 - option= - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac -done - -version_command() { - local finished - finished=0 - local all - all= - - while [ $finished -eq 0 -a $# -gt 0 ]; do - option=$1 - case $option in - -*) - option=${option#-} - - while [ -n "$option" ]; do - case $option in - -) - finished=1 - option= - ;; - a*) - all=Yes - option=${option#a} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - finished=1 - ;; - esac - done - - [ $# -gt 0 ] && usage 1 - - echo $version - - if [ -n "$all" ]; then - if [ -f /usr/share/shorewall-shell/version ]; then - echo "Shorewall-shell $(cat /usr/share/shorewall-shell/version)" - fi - - if [ -f /usr/share/shorewall-perl/version ]; then - echo "Shorewall-perl $(cat /usr/share/shorewall-perl/version)" - fi - fi -} - -if [ $# -eq 0 ]; then - usage 1 -fi - -[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHAREDIR=/usr/share/shorewall -CONFDIR=/etc/shorewall -export PRODUCT="Shorewall" - -[ -f ${CONFDIR}/vardir ] && . 
${CONFDIR}/vardir - -[ -n "${VARDIR:=/var/lib/shorewall}" ] - -FIREWALL=$SHAREDIR/firewall -LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli" -VERSION_FILE=$SHAREDIR/version -REFRESHCHAINS= - -for library in $LIBRARIES; do - if [ -f $library ]; then - . $library - else - echo "$library does not exist!" >&2 - exit 2 - fi -done - -if [ ! -f $FIREWALL ]; then - echo " ERROR: Shorewall is not properly installed" >&2 - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" >&2 - echo " non-existant file" >&2 - else - echo " The file $FIREWALL does not exist" >&2 - fi - - exit 2 -fi - -if [ -f $VERSION_FILE ]; then - version=$(cat $VERSION_FILE) -else - echo " ERROR: Shorewall is not properly installed" >&2 - echo " The file $VERSION_FILE does not exist" >&2 - exit 1 -fi - -banner="Shorewall-$version Status at $HOSTNAME -" - -case $(echo -e) in - -e*) - RING_BELL="echo \a" - ECHO_E="echo" - ;; - *) - RING_BELL="echo -e \a" - ECHO_E="echo -e" - ;; -esac - -case $(echo -n "Testing") in - -n*) - ECHO_N= - ;; - *) - ECHO_N=-n - ;; -esac - -COMMAND=$1 - -case "$COMMAND" in - start) - get_config Yes Yes - shift - start_command $@ - ;; - stop|clear) - if [ "x$2" = x-f ]; then - [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore - shift; - fi - - [ $# -ne 1 ] && usage 1 - get_config - export NOROUTES - mutex_on - $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND - mutex_off - ;; - reset) - [ $# -ne 1 ] && usage 1 - get_config - export NOROUTES - mutex_on - $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset - mutex_off - ;; - compile) - get_config Yes - shift - compile_command $@ - ;; - restart) - get_config Yes Yes - shift - restart_command $@ - ;; - refresh) - get_config Yes Yes - shift - refresh_command $@ - ;; - check) - get_config Yes - shift - check_command $@ - ;; - add|delete) - [ $# -lt 3 ] && usage 1 - get_config - mutex_on - $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ - mutex_off - ;; - show|list) - get_config Yes No Yes - shift - 
show_command $@ - ;; - load|reload) - get_config Yes - shift - reload_command $@ - ;; - export) - get_config Yes - shift - export_command $@ - ;; - status) - [ $# -eq 1 ] || usage 1 - get_config - echo "Shorewall-$version Status at $HOSTNAME - $(date)" - echo - if shorewall_is_started ; then - echo "Shorewall is running" - status=0 - else - echo "Shorewall is stopped" - status=4 - fi - - if [ -f ${VARDIR}/state ]; then - state="$(cat ${VARDIR}/state)" - case $state in - Stopped*|Clear*) - status=3 - ;; - esac - else - state=Unknown - fi - echo "State:$state" - echo - exit $status - ;; - dump) - get_config Yes No Yes - shift - dump_command $@ - ;; - hits) - get_config Yes No Yes - [ -n "$debugging" ] && set -x - shift - hits_command $@ - ;; - version) - shift - version_command $@ - ;; - try) - get_config Yes - shift - try_command $@ - ;; - logwatch) - get_config Yes Yes Yes - banner="Shorewall-$version Logwatch at $HOSTNAME -" - logwatch_command $@ - ;; - drop) - get_config - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then - [ -n "$nolock" ] || mutex_on - block DROP Dropped $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall is not started" - fi - ;; - logdrop) - get_config - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then - [ -n "$nolock" ] || mutex_on - block logdrop Dropped $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall is not started" - fi - ;; - reject|logreject) - get_config - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - if shorewall_is_started ; then - [ -n "$nolock" ] || mutex_on - block $COMMAND Rejected $* - [ -n "$nolock" ] || mutex_off - else - fatal_error "Shorewall is not started" - fi - ;; - allow) - get_config - allow_command $@ - ;; - save) - get_config - [ -n "$debugging" ] && set -x - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - 
RESTOREPATH=${VARDIR}/$RESTOREFILE - - [ -n "$nolock" ] || mutex_on - - save_config - - result=$? - - [ -n "$nolock" ] || mutex_off - - exit $result - ;; - forget) - get_config - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - - RESTOREPATH=${VARDIR}/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - - if [ -x ${RESTOREPATH}-ipsets ]; then - rm -f ${RESTOREPATH}-ipsets - echo " ${RESTOREPATH}-ipsets removed" - fi - - rm -f $RESTOREPATH - rm -f ${RESTOREPATH}-iptables - echo " $RESTOREPATH removed" - elif [ -f $RESTOREPATH ]; then - echo " $RESTOREPATH exists and is not a saved Shorewall configuration" - fi - rm -f ${VARDIR}/save - ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - valid_address $address || fatal_error "Invalid IP address: $address" - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - temp=$(broadcastaddress $address); echo " BROADCAST=$temp" - ;; - - iprange) - [ -n "$debugging" ] && set -x - case $2 in - *.*.*.*-*.*.*.*) - for address in ${2%-*} ${2#*-}; do - valid_address $address || fatal_error "Invalid IP address: $address" - done - - ip_range $2 - ;; - *) - usage 1 - ;; - esac - ;; - ipdecimal) - [ -n "$debugging" ] && set -x - [ $# -eq 2 ] || usage 1 - case $2 in - *.*.*.*) - valid_address $2 || fatal_error "Invalid IP address: $2" - echo " $(decodeaddr $2)" - ;; - *) - echo " $(encodeaddr $2)" - ;; - esac - ;; - restore) - get_config - shift - restore_command $@ - ;; - call) - get_config - [ -n "$debugging" ] && set -x - # - # Undocumented way to call functions in ${SHAREDIR}/functions directly - # - 
shift - $@ - ;; - help) - shift - usage - ;; - safe-restart|safe-start) - get_config Yes - shift - safe_commands $@ - ;; - *) - usage 1 - ;; - -esac diff --git a/Shorewall-common-IPv6-Aborted/shorewall-common.spec b/Shorewall-common-IPv6-Aborted/shorewall-common.spec deleted file mode 100644 index 57c0f3dbe..000000000 --- a/Shorewall-common-IPv6-Aborted/shorewall-common.spec +++ /dev/null 
@@ -1,306 +0,0 @@ -%define name shorewall-common -%define version 4.2.1 -%define release 0base - -Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. -Name: %{name} -Version: %{version} -Release: %{release} -License: GPL -Packager: Tom Eastep -Group: Networking/Utilities -Source: %{name}-%{version}.tgz -URL: http://www.shorewall.net/ -BuildArch: noarch -BuildRoot: %{_tmppath}/%{name}-%{version}-root -Requires: iptables iproute shorewall_compiler - -%description - -The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter -(iptables) based firewall that can be used on a dedicated firewall system, -a multi-function gateway/ router/server or on a standalone GNU/Linux system. - -Shorewall offers two alternative firewall compilers, shorewall-perl and -shorewall-shell. The shorewall-perl compilers is suggested for new installed -systems and shorewall-shell is provided for backwards compability and smooth -legacy system upgrades because shorewall perl is not fully compatible with -all legacy configurations. 
- -%prep - -%setup - -%build - -%install -export PREFIX=$RPM_BUILD_ROOT ; \ -export OWNER=`id -n -u` ; \ -export GROUP=`id -n -g` ;\ -./install.sh -n - -%clean -rm -rf $RPM_BUILD_ROOT - -%post - -if [ $1 -eq 1 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv /etc/rc.d/shorewall - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add shorewall; - fi -fi - -%preun - -if [ $1 = 0 ]; then - if [ -x /sbin/insserv ]; then - /sbin/insserv -r /etc/init.d/shorewall - elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --del shorewall - fi - - rm -f /etc/shorewall/startup_disabled - -fi - -%triggerpostun -- shorewall < 4.0.0 - -if [ -x /sbin/insserv ]; then - /sbin/insserv /etc/rc.d/shorewall -elif [ -x /sbin/chkconfig ]; then - /sbin/chkconfig --add shorewall; -fi - -%files -%defattr(0644,root,root,0755) -%attr(0544,root,root) /etc/init.d/shorewall -%attr(0755,root,root) %dir /etc/shorewall -%attr(0755,root,root) %dir /usr/share/shorewall -%attr(0755,root,root) %dir /usr/share/shorewall/configfiles -%attr(0700,root,root) %dir /var/lib/shorewall -%attr(0644,root,root) %config(noreplace) /etc/shorewall/shorewall.conf -%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones -%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy -%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces -%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec -%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules -%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat -%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap -%attr(0644,root,root) %config(noreplace) /etc/shorewall/params -%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp -%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped -%attr(0600,root,root) %config(noreplace) /etc/shorewall/maclist -%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq -%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules -%attr(0600,root,root) 
%config(noreplace) /etc/shorewall/tos -%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels -%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts -%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist -%attr(0600,root,root) %config(noreplace) /etc/shorewall/init -%attr(0600,root,root) %config(noreplace) /etc/shorewall/initdone -%attr(0600,root,root) %config(noreplace) /etc/shorewall/start -%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop -%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped -%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn -%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting -%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions -%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue -%attr(0600,root,root) %config(noreplace) /etc/shorewall/started -%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers -%attr(0600,root,root) %config(noreplace) /etc/shorewall/route_rules -%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses -%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices -%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcfilters -%attr(0600,root,root) /etc/shorewall/Makefile - -%attr(0755,root,root) /sbin/shorewall - -%attr(0644,root,root) /usr/share/shorewall/version -%attr(0644,root,root) /usr/share/shorewall/actions.std -%attr(0644,root,root) /usr/share/shorewall/action.Drop -%attr(0644,root,root) /usr/share/shorewall/action.Reject -%attr(0644,root,root) /usr/share/shorewall/action.template -%attr(0755,root,root) /usr/share/shorewall/firewall -%attr(- ,root,root) /usr/share/shorewall/functions -%attr(0644,root,root) /usr/share/shorewall/lib.base -%attr(0644,root,root) /usr/share/shorewall/lib.cli -%attr(0644,root,root) /usr/share/shorewall/lib.config -%attr(0644,root,root) /usr/share/shorewall/lib.dynamiczones -%attr(0644,root,root) /usr/share/shorewall/macro.* -%attr(0644,root,root) 
/usr/share/shorewall/modules -%attr(0644,root,root) /usr/share/shorewall/rfc1918 -%attr(0644,root,root) /usr/share/shorewall/configpath -%attr(0755,root,root) /usr/share/shorewall/wait4ifup - -%attr(0644,root,root) /usr/share/shorewall/configfiles/shorewall.conf -%attr(0644,root,root) /usr/share/shorewall/configfiles/zones -%attr(0644,root,root) /usr/share/shorewall/configfiles/policy -%attr(0644,root,root) /usr/share/shorewall/configfiles/interfaces -%attr(0644,root,root) /usr/share/shorewall/configfiles/ipsec -%attr(0644,root,root) /usr/share/shorewall/configfiles/rules -%attr(0644,root,root) /usr/share/shorewall/configfiles/nat -%attr(0644,root,root) /usr/share/shorewall/configfiles/netmap -%attr(0644,root,root) /usr/share/shorewall/configfiles/params -%attr(0644,root,root) /usr/share/shorewall/configfiles/proxyarp -%attr(0644,root,root) /usr/share/shorewall/configfiles/routestopped -%attr(0644,root,root) /usr/share/shorewall/configfiles/maclist -%attr(0644,root,root) /usr/share/shorewall/configfiles/masq -%attr(0644,root,root) /usr/share/shorewall/configfiles/tcrules -%attr(0644,root,root) /usr/share/shorewall/configfiles/tos -%attr(0644,root,root) /usr/share/shorewall/configfiles/tunnels -%attr(0644,root,root) /usr/share/shorewall/configfiles/hosts -%attr(0644,root,root) /usr/share/shorewall/configfiles/blacklist -%attr(0644,root,root) /usr/share/shorewall/configfiles/init -%attr(0644,root,root) /usr/share/shorewall/configfiles/initdone -%attr(0644,root,root) /usr/share/shorewall/configfiles/start -%attr(0644,root,root) /usr/share/shorewall/configfiles/stop -%attr(0644,root,root) /usr/share/shorewall/configfiles/stopped -%attr(0644,root,root) /usr/share/shorewall/configfiles/ecn -%attr(0644,root,root) /usr/share/shorewall/configfiles/accounting -%attr(0644,root,root) /usr/share/shorewall/configfiles/actions -%attr(0644,root,root) /usr/share/shorewall/configfiles/continue -%attr(0644,root,root) /usr/share/shorewall/configfiles/started -%attr(0644,root,root) 
/usr/share/shorewall/configfiles/providers -%attr(0644,root,root) /usr/share/shorewall/configfiles/route_rules -%attr(0644,root,root) /usr/share/shorewall/configfiles/tcclasses -%attr(0644,root,root) /usr/share/shorewall/configfiles/tcdevices -%attr(0644,root,root) /usr/share/shorewall/configfiles/tcfilters -%attr(0644,root,root) /usr/share/shorewall/configfiles/Makefile - -%attr(0644,root,root) %{_mandir}/man5/* -%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz - -%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples - -%changelog -* Wed Oct 08 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.1-0base -* Fri Oct 03 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0base -* Tue Sep 23 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC4 -* Mon Sep 15 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC3 -* Mon Sep 08 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC2 -* Tue Aug 19 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0RC1 -* Thu Jul 03 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta3 -* Mon Jun 02 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta2 -* Wed May 07 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.0-0Beta1 -* Mon Apr 28 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.8-0base -* Mon Mar 24 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.7-0base -* Thu Mar 13 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.6-0base -* Tue Feb 05 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.5-0base -* Fri Jan 04 2008 Tom Eastep tom@shorewall.net -- Updated to 4.1.4-0base -* Wed Dec 12 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.3-0base -* Fri Dec 07 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.3-1 -* Tue Nov 27 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.2-1 -* Wed Nov 21 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.1-1 -* Mon Nov 19 2007 Tom Eastep tom@shorewall.net -- Updated to 4.1.0-1 -* Thu Nov 15 2007 Tom Eastep 
tom@shorewall.net -- Updated to 4.0.6-1 -* Sat Nov 10 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-0RC3 -* Wed Nov 07 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-0RC2 -* Thu Oct 25 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.6-0RC1 -* Tue Oct 03 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.5-1 -* Wed Sep 05 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.4-1 -* Mon Aug 13 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.3-1 -* Thu Aug 09 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.2-1 -* Sat Jul 21 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.1-1 -* Wed Jul 11 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-1 -* Sun Jul 08 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0RC2 -* Fri Jun 29 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0RC1 -* Sun Jun 24 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta7 -* Wed Jun 20 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta6 -* Thu Jun 14 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta5 -* Fri Jun 08 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta4 -* Tue Jun 05 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta3 -* Tue May 15 2007 Tom Eastep tom@shorewall.net -- Updated to 4.0.0-0Beta1 -* Fri May 11 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.7-1 -* Sat May 05 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.6-1 -* Mon Apr 30 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.5-1 -* Mon Apr 23 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.4-1 -* Wed Apr 18 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.3-1 -* Mon Apr 16 2007 Tom Eastep tom@shorewall.net -- Moved lib.dynamiczones from Shorewall-shell -* Sat Apr 14 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.2-1 -* Tue Apr 03 2007 Tom Eastep tom@shorewall.net -- Updated to 3.9.1-1 -* Thu Mar 24 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.2-1 -* Thu Mar 15 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.1-1 
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-1 -* Sun Feb 25 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0RC3 -* Sun Feb 04 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0RC2 -* Wed Jan 24 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0RC1 -* Mon Jan 22 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0Beta3 -* Wed Jan 03 2007 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0Beta2 -* Thu Dec 14 2006 Tom Eastep tom@shorewall.net -- Updated to 3.4.0-0Beta1 -* Sat Nov 25 2006 Tom Eastep tom@shorewall.net -- Added shorewall-exclusion(5) -- Updated to 3.3.6-1 -* Sun Nov 19 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.5-1 -* Sat Nov 18 2006 Tom Eastep tom@shorewall.net -- Add Man Pages. -* Sun Oct 29 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.4-1 -* Mon Oct 16 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.3-1 -* Sat Sep 30 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.2-1 -* Wed Aug 30 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.1-1 -* Sun Aug 27 2006 Tom Eastep tom@shorewall.net -- Updated to 3.3.0-1 -* Fri Aug 25 2006 Tom Eastep tom@shorewall.net -- Updated to 3.2.3-1 - - diff --git a/Shorewall-common-IPv6-Aborted/shorewall.conf b/Shorewall-common-IPv6-Aborted/shorewall.conf deleted file mode 100644 index 134c93801..000000000 --- a/Shorewall-common-IPv6-Aborted/shorewall.conf +++ /dev/null 
@@ -1,199 +0,0 @@ -############################################################################### -# /etc/shorewall/shorewall.conf Version 4 - Change the following variables to -# match your setup -# -# This program is under GPL -# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003,2004,2005, -# 2006,2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# For information about the settings in this file, type "man shorewall.conf" -# -# Additional information is available at -# http://www.shorewall.net/Documentation.htm#Conf -############################################################################### -# S T A R T U P E N A B L E D -############################################################################### - -STARTUP_ENABLED=No - -############################################################################### -# V E R B O S I T Y -############################################################################### - -VERBOSITY=1 - -############################################################################### -# C O M P I L E R -# (setting this to 'perl' requires installation of Shorewall-perl) -############################################################################### - -SHOREWALL_COMPILER= - -############################################################################### -# L O G G I N G -############################################################################### - -LOGFILE=/var/log/messages - -STARTUP_LOG= - -LOG_VERBOSITY= - -LOGFORMAT="Shorewall:%s:%s:" - -LOGTAGONLY=No - -LOGRATE= - -LOGBURST= - -LOGALLNEW= - -BLACKLIST_LOGLEVEL= - -MACLIST_LOG_LEVEL=info - -TCP_FLAGS_LOG_LEVEL=info - -RFC1918_LOG_LEVEL=info - -SMURF_LOG_LEVEL=info - -LOG_MARTIANS=Yes - -############################################################################### -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S 
-############################################################################### - -IPTABLES= - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -SHOREWALL_SHELL=/bin/sh - -SUBSYSLOCK=/var/lock/subsys/shorewall - -MODULESDIR= - -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall - -RESTOREFILE= - -IPSECFILE=zones - -LOCKFILE= - -############################################################################### -# D E F A U L T A C T I O N S / M A C R O S -############################################################################### - -DROP_DEFAULT="Drop" -REJECT_DEFAULT="Reject" -ACCEPT_DEFAULT="none" -QUEUE_DEFAULT="none" -NFQUEUE_DEFAULT="none" - -############################################################################### -# R S H / R C P C O M M A N D S -############################################################################### - -RSH_COMMAND='ssh ${root}@${system} ${command}' -RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' - -############################################################################### -# F I R E W A L L O P T I O N S -############################################################################### - -IP_FORWARDING=On - -ADD_IP_ALIASES=Yes - -ADD_SNAT_ALIASES=No - -RETAIN_ALIASES=No - -TC_ENABLED=Internal - -TC_EXPERT=No - -CLEAR_TC=Yes - -MARK_IN_FORWARD_CHAIN=No - -CLAMPMSS=No - -ROUTE_FILTER=No - -DETECT_DNAT_IPADDRS=No - -MUTEX_TIMEOUT=60 - -ADMINISABSENTMINDED=Yes - -BLACKLISTNEWONLY=Yes - -DELAYBLACKLISTLOAD=No - -MODULE_SUFFIX= - -DISABLE_IPV6=Yes - -BRIDGING=No - -DYNAMIC_ZONES=No - -PKTTYPE=Yes - -RFC1918_STRICT=No - -MACLIST_TABLE=filter - -MACLIST_TTL= - -SAVE_IPSETS=No - -MAPOLDACTIONS=No - -FASTACCEPT=No - -IMPLICIT_CONTINUE=No - -HIGH_ROUTE_MARKS=No - -USE_ACTIONS=Yes - -OPTIMIZE=0 - -EXPORTPARAMS=Yes - -EXPAND_POLICIES=Yes - -KEEP_RT_TABLES=No - -DELETE_THEN_ADD=Yes - -MULTICAST=No - -DONT_LOAD= - -AUTO_COMMENT=Yes - -MANGLE_ENABLED=Yes - -USE_DEFAULT_RT=No - 
-############################################################################### -# P A C K E T D I S P O S I T I O N -############################################################################### - -BLACKLIST_DISPOSITION=DROP - -MACLIST_DISPOSITION=REJECT - -TCP_FLAGS_DISPOSITION=DROP - -#LAST LINE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/start b/Shorewall-common-IPv6-Aborted/start deleted file mode 100644 index 8117566a1..000000000 --- a/Shorewall-common-IPv6-Aborted/start +++ /dev/null @@ -1,13 +0,0 @@ -# -# Shorewall version 4 - Start File -# -# /etc/shorewall/start -# -# Add commands below that you want to be executed after shorewall has -# been started or restarted. -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/started b/Shorewall-common-IPv6-Aborted/started deleted file mode 100644 index 840f472cd..000000000 --- a/Shorewall-common-IPv6-Aborted/started +++ /dev/null 
@@ -1,21 +0,0 @@
-#
-# Shorewall version 4 - Started File
-#
-# /etc/shorewall/started
-#
-# Add commands below that you want to be executed after shorewall has
-# been completely started or restarted. The difference between this
-# extension script and /etc/shorewall/start is that this one is invoked
-# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
-# after the 'shorewall' chain has been created (thus signaling that the
-# firewall is completely up).
-#
-# This script should not change the firewall configuration directly but
-# may do so indirectly by running /sbin/shorewall with the 'nolock'
-# option.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/stop b/Shorewall-common-IPv6-Aborted/stop
deleted file mode 100644
index 0088abe10..000000000
--- a/Shorewall-common-IPv6-Aborted/stop
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Stop File
-#
-# /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/stopped b/Shorewall-common-IPv6-Aborted/stopped
deleted file mode 100644
index 438e5e05c..000000000
--- a/Shorewall-common-IPv6-Aborted/stopped
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Stopped File
-#
-# /etc/shorewall/stopped
-#
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/strip b/Shorewall-common-IPv6-Aborted/strip
deleted file mode 100755
index eae1ffe6e..000000000
--- a/Shorewall-common-IPv6-Aborted/strip
+++ /dev/null
@@ -1,110 +0,0 @@ -#! /bin/sh -# -# Script for use from Perl to strip config files and perform shell variable -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -############################################################################### -# Filter that expands variables -# -expand_line() { - local line - - while read line; do - echo $(expand $line) - done -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first - local rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 - fi - else - eval "$first $rest" - fi - done < $1 - else - echo " WARNING -- No such file: $1" >&2 - fi -} - -# -# Split a colon-separated list into a space-separated list -# -split() { - local ifs - ifs=$IFS - IFS=: - echo $* - IFS=$ifs -} - -# -# Find a File -- For relative file name, look in ${SHOREWALL_DIR} then each ${CONFIG_PATH} then ${CONFDIR} -# -find_file() -{ - local saveifs - saveifs= - local 
directory - - case $1 in - /*) - echo $1 - ;; - *) - for directory in $(split $CONFIG_PATH); do - if [ -f $directory/$1 ]; then - echo $directory/$1 - return - fi - done - - echo ${CONFDIR}/$1 - ;; - esac -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -if [ ! -f $TMP_DIR/$1 ]; then - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_line > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi -fi diff --git a/Shorewall-common-IPv6-Aborted/tcclasses b/Shorewall-common-IPv6-Aborted/tcclasses deleted file mode 100644 index 44e63a103..000000000 --- a/Shorewall-common-IPv6-Aborted/tcclasses +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall version 4 - Tcclasses File -# -# For information about entries in this file, type "man shorewall-tcclasses" -# -# See http://shorewall.net/traffic_shaping.htm for additional information. -# -############################################################################### -#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/tcdevices b/Shorewall-common-IPv6-Aborted/tcdevices deleted file mode 100644 index 2a93faadd..000000000 --- a/Shorewall-common-IPv6-Aborted/tcdevices +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Tcdevices File -# -# For information about entries in this file, type "man shorewall-tcdevices" -# -# See http://shorewall.net/traffic_shaping.htm for additional information. -# -############################################################################### -#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED -#INTERFACE INTERFACES -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common-IPv6-Aborted/tcfilters b/Shorewall-common-IPv6-Aborted/tcfilters deleted file mode 100644 index d8fb44607..000000000 
--- a/Shorewall-common-IPv6-Aborted/tcfilters
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Tcfilters File
-#
-# For information about entries in this file, type "man shorewall-tcfilters"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-#
-###############################################################################
-#INTERFACE: SOURCE DEST PROTO DEST SOURCE
-#CLASS PORT(S) PORT(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/tcrules b/Shorewall-common-IPv6-Aborted/tcrules
deleted file mode 100644
index cd32eddc1..000000000
--- a/Shorewall-common-IPv6-Aborted/tcrules
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Tcrules File
-#
-# For information about entries in this file, type "man shorewall-tcrules"
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-# For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
-#
-# See http://shorewall.net/PacketMarking.html for a detailed description of
-# the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
-# PORT(S) PORT(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/tos b/Shorewall-common-IPv6-Aborted/tos
deleted file mode 100644
index 80ca1c131..000000000
--- a/Shorewall-common-IPv6-Aborted/tos
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Tos File
-#
-# For information about entries in this file, type "man shorewall-tos"
-#
-###############################################################################
-#SOURCE DEST PROTOCOL SOURCE DEST TOS MARK
-# PORTS PORTS
-#LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/tunnel b/Shorewall-common-IPv6-Aborted/tunnel
deleted file mode 100755
index a0a3c374c..000000000
--- a/Shorewall-common-IPv6-Aborted/tunnel
+++ /dev/null
@@ -1,166 +0,0 @@ -#!/bin/sh - -RCDLINKS="2,S45 3,S45 6,K45" -################################################################################ -# Script to create a gre or ipip tunnel -- Shorewall 4 -# -# Modified - Steve Cowles 5/9/2000 -# Incorporated init {start|stop} syntax and iproute2 usage -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Modify the following variables to match your configuration -# -# chkconfig: 2345 26 89 -# description: GRE/IP Tunnel -# -################################################################################ - -# -# Type of tunnel (gre or ipip) -# - -tunnel_type=gre - -# Name of the tunnel -# - -tunnel="dfwbos" -# -# Address of your External Interface (only required for gre tunnels) -# -myrealip="x.x.x.x" - -# Address of the local system -- this is the address of one of your -# local interfaces (or for a mobile host, the address that this system has -# when attached to the local network). -# - -myip="192.168.1.254" - -# Address of the Remote system -- this is the address of one of the -# remote system's local interfaces (or if the remote system is a mobile host, -# the address that it uses when attached to the local network). - -hisip="192.168.9.1" - -# Internet address of the Remote system -# - -gateway="x.x.x.x" - -# Remote sub-network -- if the remote system is a gateway for a -# private subnetwork that you wish to -# access, enter it here. If the remote -# system is a stand-alone/mobile host, leave this -# empty - -subnet="192.168.9.0/24" - -# GRE Key -- set this to a number or to a dotted quad if you want -# a keyed GRE tunnel. 
You must specify a KEY if you -# intend to load ip_conntrack_proto_gre on either -# gateway system - -key= - -PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin - -load_modules () { - case $tunnel_type in - ipip) - echo "Loading IP-ENCAP Module" - modprobe ipip - ;; - gre) - echo "Loading GRE Module" - modprobe ip_gre - ;; - esac -} - -do_stop() { - - if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then - echo "Stopping $tunnel" - ip link set dev $tunnel down - fi - - if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then - echo "Deleting $tunnel" - ip tunnel del $tunnel - fi -} - -do_start() { - - #NOTE: Comment out the next line if you have built gre/ipip into your kernel - - load_modules - - if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then - do_stop - fi - - echo "Adding $tunnel" - - case $tunnel_type in - gre) - ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key} - ;; - *) - ip tunnel add $tunnel mode ipip remote $gateway - ;; - esac - - echo "Starting $tunnel" - - - ip link set dev $tunnel up - - case $tunnel_type in - gre) - ip addr add $myip dev $tunnel - ;; - *) - ip addr add $myip peer $hisip dev $tunnel - ;; - esac - - # - # As with all interfaces, the 2.4 kernels will add the obvious host - # route for this point-to-point interface - # - - if [ -n "$subnet" ]; then - echo "Adding Routes" - case $tunnel_type in - gre) - ip route add $subnet dev $tunnel - ;; - ipip) - ip route add $subnet via $gateway dev $tunnel onlink - ;; - esac - fi -} - -case "$1" in - start) - do_start - ;; - stop) - do_stop - ;; - restart) - do_stop - sleep 1 - do_start - ;; - *) - echo "Usage: $0 {start|stop|restart}" - exit 1 -esac -exit 0 diff --git a/Shorewall-common-IPv6-Aborted/tunnels b/Shorewall-common-IPv6-Aborted/tunnels deleted file mode 100644 index d38eda2b5..000000000 --- a/Shorewall-common-IPv6-Aborted/tunnels +++ /dev/null 
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Tunnels File
-#
-# For information about entries in this file, type "man shorewall-tunnels"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-tunnels.html
-#
-###############################################################################
-#TYPE ZONE GATEWAY GATEWAY
-# ZONE
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common-IPv6-Aborted/uninstall.sh b/Shorewall-common-IPv6-Aborted/uninstall.sh
deleted file mode 100755
index faf80c728..000000000
--- a/Shorewall-common-IPv6-Aborted/uninstall.sh
+++ /dev/null
@@ -1,114 +0,0 @@ -#!/bin/sh -# -# Script to back uninstall Shoreline Firewall -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://www.shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# You may only use this script to uninstall the version -# shown below. Simply run this script to remove Shorewall Firewall - -VERSION=4.2.1 - -usage() # $1 = exit status -{ - ME=$(basename $0) - echo "usage: $ME" - exit $1 -} - -qt() -{ - "$@" >/dev/null 2>&1 -} - -restore_file() # $1 = file to restore -{ - if [ -f ${1}-shorewall.bkout ]; then - if (mv -f ${1}-shorewall.bkout $1); then - echo - echo "$1 restored" - else - exit 1 - fi - fi -} - -remove_file() # $1 = file to restore -{ - if [ -f $1 -o -L $1 ] ; then - rm -f $1 - echo "$1 Removed" - fi -} - -if [ -f /usr/share/shorewall/version ]; then - INSTALLED_VERSION="$(cat /usr/share/shorewall/version)" - if [ "$INSTALLED_VERSION" != "$VERSION" ]; then - echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed" - echo " and this is the $VERSION uninstaller." 
- VERSION="$INSTALLED_VERSION" - fi -else - echo "WARNING: Shorewall Version $VERSION is not installed" - VERSION="" -fi - -echo "Uninstalling shorewall $VERSION" - -if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then - /sbin/shorewall clear -fi - -if [ -L /usr/share/shorewall/init ]; then - FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //') -else - FIREWALL=/etc/init.d/shorewall -fi - -if [ -n "$FIREWALL" ]; then - if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then - insserv -r $FIREWALL - elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then - chkconfig --del $(basename $FIREWALL) - else - rm -f /etc/rc*.d/*$(basename $FIREWALL) - fi - - remove_file $FIREWALL - rm -f ${FIREWALL}-*.bkout -fi - -rm -f /sbin/shorewall -rm -f /sbin/shorewall-*.bkout - -rm -rf /etc/shorewall -rm -rf /etc/shorewall-*.bkout -rm -rf /var/lib/shorewall -rm -rf /var/lib/shorewall-*.bkout -rm -rf /usr/share/shorewall -rm -rf /usr/share/shorewall-*.bkout -rm -rf /usr/share/man/man5/shorewall* -rm -rf /usr/share/man/man8/shorewall* - -echo "Shorewall Uninstalled" - - diff --git a/Shorewall-common-IPv6-Aborted/wait4ifup b/Shorewall-common-IPv6-Aborted/wait4ifup deleted file mode 100755 index 01089821a..000000000 --- a/Shorewall-common-IPv6-Aborted/wait4ifup +++ /dev/null 
@@ -1,60 +0,0 @@
-#!/bin/sh
-#
-# Shorewall interface helper utility - V4.2
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# This file is installed in /usr/share/shorewall/wait4ifup
-#
-# Shorewall documentation is available at http://www.shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-#
-# The firewall uses configuration files in /etc/shorewall/ - skeleton
-# files is included with the firewall.
-#
-# wait4ifup [ ]
-#
-
-interface_is_up() {
- [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-case $# in
- 1)
- timeout=60
- ;;
- 2)
- timeout=$2
- ;;
- *)
- echo "usage: $(basename $0) [ ]"
- exit 2
- ;;
-esac
-
-while [ $timeout -gt 0 ]; do
- interface_is_up $1 && exit 0
- sleep 1
- timeout=$(( $timeout - 1 ))
-done
-
-exit 1
-
-
diff --git a/Shorewall-common-IPv6-Aborted/zones b/Shorewall-common-IPv6-Aborted/zones
deleted file mode 100644
index d5164e93e..000000000
--- a/Shorewall-common-IPv6-Aborted/zones
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall-perl-IPv6-Aborted/COPYING b/Shorewall-perl-IPv6-Aborted/COPYING
deleted file mode 100644
index 2ba72d57f..000000000
--- a/Shorewall-perl-IPv6-Aborted/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) 19yy - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) 19yy name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/Shorewall-perl-IPv6-Aborted/README.txt b/Shorewall-perl-IPv6-Aborted/README.txt
deleted file mode 100644
index 5c2c3eddc..000000000
--- a/Shorewall-perl-IPv6-Aborted/README.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-This is the Shorewall-perl development 4.2 branch of SVN.
-
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Accounting.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Accounting.pm
deleted file mode 100644
index 9a845568c..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Accounting.pm
+++ /dev/null
@@ -1,220 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Accounting.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module contains the code that handles the /etc/shorewall/accounting -# file. -# -package Shorewall::Accounting; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( setup_accounting ); -our @EXPORT_OK = qw( ); -our $VERSION = 4.0.6; - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. 
-# - -sub initialize() { - our $jumpchainref; - $jumpchainref = undef; -} - -INIT { - initialize; -} - -# -# Accounting -# -sub process_accounting_rule( $$$$$$$$$ ) { - - our $jumpchainref; - - my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_; - - our $disposition = ''; - - sub check_chain( $ ) { - my $chainref = shift; - fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy}; - } - - sub accounting_error() { - fatal_error "Invalid Accounting rule"; - } - - sub jump_to_chain( $ ) { - my $jumpchain = $_[0]; - $jumpchainref = ensure_accounting_chain( $jumpchain ); - check_chain( $jumpchainref ); - $disposition = $jumpchain; - "-j $jumpchain"; - } - - my $target = ''; - - $proto = '' if $proto eq 'any'; - $ports = '' if $ports eq 'any' || $ports eq 'all'; - $sports = '' if $sports eq 'any' || $sports eq 'all'; - - my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF ); - my $rule2 = 0; - - unless ( $action eq 'COUNT' ) { - if ( $action eq 'DONE' ) { - $target = '-j RETURN'; - } else { - ( $action, my $cmd ) = split /:/, $action; - if ( $cmd ) { - if ( $cmd eq 'COUNT' ) { - $rule2=1; - } elsif ( $cmd ne 'JUMP' ) { - accounting_error; - } - } - - $target = jump_to_chain $action; - } - } - - my $restriction = NO_RESTRICT; - - $source = ALLIPv4 if $source eq 'any' || $source eq 'all'; - - if ( have_bridges ) { - my $fw = firewall_zone; - - if ( $source =~ /^$fw:?(.*)$/ ) { - $source = $1 ? 
$1 : ALLIPv4; - $restriction = OUTPUT_RESTRICT; - $chain = 'accountout' unless $chain and $chain ne '-'; - $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; - } else { - $chain = 'accounting' unless $chain and $chain ne '-'; - if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) { - expand_rule( - ensure_filter_chain( 'accountout' , 0 ) , - OUTPUT_RESTRICT , - $rule , - $source , - $dest = ALLIPv4 , - '' , - '' , - $target , - '' , - $disposition , - '' ); - } - } - } else { - $chain = 'accounting' unless $chain and $chain ne '-'; - $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; - } - - my $chainref = ensure_accounting_chain $chain; - - expand_rule - $chainref , - $restriction , - $rule , - $source , - $dest , - '' , - '' , - $target , - '' , - $disposition , - '' ; - - if ( $rule2 ) { - expand_rule - $jumpchainref , - $restriction , - $rule , - $source , - $dest , - '' , - '' , - '' , - '' , - '' , - '' ; - } -} - -sub setup_accounting() { - - my $fn = open_file 'accounting'; - - first_entry "$doing $fn..."; - - my $nonEmpty = 0; - - while ( read_a_line ) { - - my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File'; - - if ( $action eq 'COMMENT' ) { - process_comment; - } else { - $nonEmpty = 1; - process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark; - } - } - - fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting}; - - clear_comment; - - if ( have_bridges ) { - if ( $filter_table->{accounting} ) { - for my $chain ( qw/INPUT FORWARD/ ) { - insert_rule $filter_table->{$chain}, 1, '-j accounting'; - } - } - - if ( $filter_table->{accountout} ) { - insert_rule $filter_table->{OUTPUT}, 1, '-j accountout'; - } - } else { - if ( $filter_table->{accounting} ) { - for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { - insert_rule $filter_table->{$chain}, 1, '-j accounting'; - } - } - } -} - -1; 
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Actions.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Actions.pm
deleted file mode 100644
index e10c6431c..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Actions.pm
+++ /dev/null
@@ -1,904 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Actions.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module contains the code for dealing with actions (built-in, -# standard and user-defined) and Macros. -# -package Shorewall::Actions; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( merge_levels - isolate_basic_target - get_target_param - add_requiredby - createactionchain - find_logactionchain - process_actions1 - process_actions2 - process_actions3 - - find_macro - find_6macro - split_action - substitute_param - merge_macro_source_dest - merge_6macro_source_dest - merge_macro_column - - %usedactions - %default_actions - %actions - - %macros - %macros6 - $macro_commands - ); -our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.1.1; - -# -# Used Actions. Each action that is actually used has an entry with value 1. -# -our %usedactions; -# -# Default actions for each policy. 
-# -our %default_actions; - -# Action Table -# -# %actions{ => { requires => { = 1, -# = 1, -# ... -# } , -# actchain => # Used for generating unique chain names for each : pair. -# -our %actions; -# -# Contains an entry for each used :[:] that maps to the associated chain. -# -our %logactionchains; - -our %macros; -our %macros6; - -# -# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited). -# -our $macro_commands = { COMMENT => 0, FORMAT => 2 }; - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - %usedactions = (); - %default_actions = ( DROP => 'none' , - REJECT => 'none' , - ACCEPT => 'none' , - QUEUE => 'none' ); - %actions = (); - %logactionchains = (); - %macros = (); - %macros6 = (); -} - -INIT { - initialize; -} - -# -# This function determines the logging for a subordinate action or a rule within a superior action -# -sub merge_levels ($$) { - my ( $superior, $subordinate ) = @_; - - my @supparts = split /:/, $superior; - my @subparts = split /:/, $subordinate; - - my $subparts = @subparts; - - my $target = $subparts[0]; - - push @subparts, '' while @subparts < 3; #Avoid undefined values - - my $level = $supparts[1]; - my $tag = $supparts[2]; - - if ( @supparts == 3 ) { - return "$target:none!:$tag" if $level eq 'none!'; - return "$target:$level:$tag" if $level =~ /!$/; - return $subordinate if $subparts >= 2; - return "$target:$level:$tag"; - } - - if ( @supparts == 2 ) { - return "$target:none!" 
if $level eq 'none!'; - return "$target:$level" if ($level =~ /!$/) || ($subparts < 2); - } - - $subordinate; -} - -# -# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does. -# If the file exists, the macro is entered into the 'targets' table and the fully-qualified -# name of the file is stored in the 'macro' table. -# -sub find_macro( $ ) -{ - my $macro = $_[0]; - my $macrofile = find_file "macro.$macro"; - - if ( -f $macrofile ) { - $macros{$macro} = $macrofile; - $targets{$macro} = MACRO; - } else { - 0; - } -} - -sub find_6macro( $ ) -{ - my $macro = $_[0]; - my $macrofile = find_file "macro.$macro"; - - if ( -f $macrofile ) { - $macros6{$macro} = $macrofile; - $targets6{$macro} = MACRO; - } else { - 0; - } -} - -# -# Return ( action, level[:tag] ) from passed full action -# -sub split_action ( $ ) { - my $action = $_[0]; - my @a = split( /:/ , $action, 4 ); - fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 ); - ( shift @a, join ":", @a ); -} - -# -# This function substitutes the second argument for the first part of the first argument up to the first colon (":") -# -# Example: -# -# substitute_param DNAT PARAM:info:FTP -# -# produces "DNAT:info:FTP" -# -sub substitute_param( $$ ) { - my ( $param, $action ) = @_; - - if ( $action =~ /:/ ) { - my $logpart = (split_action $action)[1]; - $logpart =~ s!/$!!; - return "$param:$logpart"; - } - - $param; -} - -# -# Combine fields from a macro body with one from the macro invocation -# -sub merge_macro_source_dest( $$ ) { - my ( $body, $invocation ) = @_; - - if ( $invocation ) { - if ( $body ) { - return $body if $invocation eq '-'; - return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/; - return "$invocation:$body"; - } - - return $invocation; - } - - $body || ''; -} - -sub merge_6macro_source_dest( $$ ) { - my ( $body, $invocation ) = @_; - - if ( $invocation ) { - if ( $body ) { - return $body if $invocation eq '-'; - return 
"$body;$invocation" if $invocation =~ /:|.*?\.*?\.|^\+|^~|^!~/; - return "$invocation;$body"; - } - - return $invocation; - } - - $body || ''; -} - -sub merge_macro_column( $$ ) { - my ( $body, $invocation ) = @_; - - if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) { - $invocation; - } else { - $body; - } -} - -# -# Get Macro Name -- strips away trailing /* and :* from the first column in a rule, macro or action. -# -sub isolate_basic_target( $ ) { - my $target = ( split '[/:]', $_[0])[0]; - - $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target; -} - -# -# Split the passed target into the basic target and parameter -# -sub get_target_param( $ ) { - my ( $target, $param ) = split '/', $_[0]; - - unless ( defined $param ) { - ( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/; - } - - ( $target, $param ); -} - -# -# Define an Action -# -sub new_action( $ ) { - - my $action = $_[0]; - - $actions{$action} = { actchain => '', requires => {} }; -} - -# -# Record a 'requires' relationship between a pair of actions. -# -sub add_requiredby ( $$ ) { - my ($requiredby , $requires ) = @_; - $actions{$requires}{requires}{$requiredby} = 1; -} - -# -# Create and record a log action chain -- Log action chains have names -# that are formed from the action name by prepending a "%" and appending -# a 1- or 2-digit sequence number. In the functions that follow, -# the CHAIN, LEVEL and TAG variable serves as arguments to the user's -# exit. We call the exit corresponding to the name of the action but we -# set CHAIN to the name of the iptables chain where rules are to be added. -# Similarly, LEVEL and TAG contain the log level and log tag respectively. -# -# The maximum length of a chain name is 30 characters -- since the log -# action chain name is 2-3 characters longer than the base chain name, -# this function truncates the original chain name where necessary before -# it adds the leading "%" and trailing sequence number. 
-# -sub createlogactionchain( $$ ) { - my ( $action, $level ) = @_; - my $chain = $action; - my $actionref = $actions{$action}; - my $chainref; - - my ($lev, $tag) = split ':', $level; - - validate_level $lev; - - $actionref = new_action $action unless $actionref; - - $chain = substr $chain, 0, 28 if ( length $chain ) > 28; - - CHECKDUP: - { - $actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}}; - $chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28; - } - - $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++; - - fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99; - - unless ( $targets{$action} & STANDARD ) { - - my $file = find_file $chain; - - if ( -f $file ) { - progress_message "Processing $file..."; - - ( $level, my $tag ) = split /:/, $level; - - $tag = $tag || ''; - - unless ( my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file" unless $return; - } - } - } -} - -sub createsimpleactionchain( $ ) { - my $action = shift; - my $chainref = new_standard_chain $action; - - $logactionchains{"$action:none"} = $chainref; - - unless ( $targets{$action} & STANDARD ) { - - my $file = find_file $action; - - if ( -f $file ) { - progress_message "Processing $file..."; - - my ( $level, $tag ) = ( '', '' ); - - unless ( my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" 
unless defined $return; - fatal_error "Couldn't run $file" unless $return; - } - } - } -} - -# -# Create an action chain and run it's associated user exit -# -sub createactionchain( $ ) { - my ( $action , $level ) = split_action $_[0]; - - my $chainref; - - if ( defined $level && $level ne '' ) { - if ( $level eq 'none' ) { - createsimpleactionchain $action; - } else { - createlogactionchain $action , $level; - } - } else { - createsimpleactionchain $action; - } -} - -# -# Find the chain that handles the passed action. If the chain cannot be found, -# a fatal error is generated and the function does not return. -# -sub find_logactionchain( $ ) { - my $fullaction = $_[0]; - my ( $action, $level ) = split_action $fullaction; - - $level = 'none' unless $level; - - fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"}; -} - -# -# The functions process_actions1-3() implement the three phases of action processing. -# -# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std -# and ${CONFDIR}/actions are scanned (in that order) and for each action: -# -# a) The related action definition file is located and scanned. -# b) Forward and unresolved action references are trapped as errors. -# c) A dependency graph is created using the 'requires' field in the 'actions' table. -# -# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an -# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name -# %n is used where the name is truncated on the right where necessary to ensure that the total -# length of the chain name does not exceed 30 characters. -# -# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of -# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created. 
-# -# The final phase (process_actions3) is to traverse the keys of %usedactions populating each chain appropriately -# by reading the action definition files and creating rules. Note that a given action definition file is -# processed once for each unique [:level[:tag]] applied to an invocation of the action. -# - -sub process_macro1 ( $$ ) { - my ( $action, $macrofile ) = @_; - - progress_message " ..Expanding Macro $macrofile..."; - - push_open( $macrofile ); - - while ( read_a_line ) { - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands; - - next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT'; - - $mtarget =~ s/:.*$//; - - $mtarget = (split '/' , $mtarget)[0]; - - my $targettype = $targets{$mtarget}; - - $targettype = 0 unless defined $targettype; - - fatal_error "Invalid target ($mtarget)" - unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) ); - } - - progress_message " ..End Macro $macrofile"; - - pop_open; -} - -sub process_action1 ( $$ ) { - my ( $action, $wholetarget ) = @_; - - my ( $target, $level ) = split_action $wholetarget; - - $level = 'none' unless $level; - - my $targettype = $targets{$target}; - - if ( defined $targettype ) { - return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE | NFQ | CHAIN ) ); - - fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD; - - fatal_error "An action may not invoke itself" if $target eq $action; - - add_requiredby $wholetarget, $action if $targettype & ACTION; - } elsif ( $target eq 'COMMENT' ) { - fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target; - } else { - ( $target, my $param ) = get_target_param $target; - - return if $target eq 'NFQUEUE'; - - if ( defined $param ) { - my $paramtype = $targets{$param} || 0; - - fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE; - 
} - - fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target; - - if ( find_macro $target ) { - process_macro1( $action, $macros{$target} ); - } else { - fatal_error "Invalid TARGET ($target)"; - } - } -} - -sub process_actions1() { - - progress_message2 "Preprocessing Action Files..."; - - for my $act ( grep $targets{$_} & ACTION , keys %targets ) { - new_action $act; - } - - for my $file ( qw/actions.std actions/ ) { - open_file $file; - - while ( read_a_line ) { - my ( $action ) = split_line 1, 1, 'action file'; - - if ( $action =~ /:/ ) { - warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; - $action =~ s/:.*$//; - } - - next unless $action; - - if ( $targets{$action} ) { - warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION; - next; - } - - $targets{$action} = ACTION; - - fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/; - - new_action $action; - - my $actionfile = find_file "action.$action"; - - fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - - progress_message2 " Pre-processing $actionfile..."; - - push_open( $actionfile ); - - while ( read_a_line ) { - - my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file'; - - process_action1( $action, $wholetarget ); - - } - - pop_open; - } - } -} - -sub process_actions2 () { - progress_message2 'Generating Transitive Closure of Used-action List...'; - - my $changed = 1; - - while ( $changed ) { - $changed = 0; - for my $target (keys %usedactions) { - my ($action, $level) = split_action $target; - my $actionref = $actions{$action}; - fatal_error "Null Action Reference in process_actions2" unless $actionref; - for my $action1 ( keys %{$actionref->{requires}} ) { - my $action2 = merge_levels $target, $action1; - unless ( $usedactions{ $action2 } ) { - $usedactions{ $action2 } = 1; - createactionchain $action2; - 
$changed = 1; - } - } - } - } -} - -# -# This function is called to process each rule generated from an action file. -# -sub process_action( $$$$$$$$$$ ) { - my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_; - - my ( $action , $level ) = split_action $target; - - if ( $action eq 'REJECT' ) { - $action = 'reject'; - } elsif ( $action eq 'CONTINUE' ) { - $action = 'RETURN'; - } elsif ( $action =~ /^NFQUEUE/ ) { - ( $action, my $param ) = get_target_param $action; - $param = 1 unless defined $param; - $action = "NFQUEUE --queue-num $param"; - } - - expand_rule ( $chainref , - NO_RESTRICT , - do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user , - $source , - $dest , - '', #Original Dest - '', #Original Dest port - "-j $action" , - $level , - $action , - '' ); -} - -# -# Expand Macro in action files. -# -sub process_macro3( $$$$$$$$$$$ ) { - my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_; - - my $nocomment = no_comment; - - my $format = 1; - - macro_comment $macro; - - my $fn = $macros{$macro}; - - progress_message "..Expanding Macro $fn..."; - - push_open $fn; - - while ( read_a_line ) { - - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ); - - if ( $format == 1 ) { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands; - } else { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands; - } - - if ( $mtarget eq 'COMMENT' ) { - process_comment unless $nocomment; - next; - } - - if ( $mtarget eq 'FORMAT' ) { - fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/; - $format = $msource; - next; - } - - fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1; - - if ( $mtarget =~ 
/^PARAM:?/ ) { - fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; - $mtarget = substitute_param $param, $mtarget; - } - - fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-'; - - if ( $msource ) { - if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) { - $msource = $source || ''; - } elsif ( $msource eq 'DEST' ) { - $msource = $dest || ''; - } else { - $msource = merge_macro_source_dest $msource, $source; - } - } else { - $msource = ''; - } - - $msource = '' if $msource eq '-'; - - if ( $mdest ) { - if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) { - $mdest = $dest || ''; - } elsif ( $mdest eq 'SOURCE' ) { - $mdest = $source || ''; - } else { - $mdest = merge_macro_source_dest $mdest, $dest; - } - } else { - $mdest = ''; - } - - $mdest = '' if $mdest eq '-'; - - $mproto = merge_macro_column $mproto, $proto; - $mports = merge_macro_column $mports, $ports; - $msports = merge_macro_column $msports, $sports; - $mrate = merge_macro_column $mrate, $rate; - $muser = merge_macro_column $muser, $user; - - process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser; - } - - pop_open; - - progress_message '..End Macro'; - - clear_comment unless $nocomment; -} - -# -# Generate chain for non-builtin action invocation -# -sub process_action3( $$$$$ ) { - my ( $chainref, $wholeaction, $action, $level, $tag ) = @_; - my $actionfile = find_file "action.$action"; - - fatal_error "Missing Action File ($actionfile)" unless -f $actionfile; - - progress_message2 "Processing $actionfile for chain $chainref->{name}..."; - - open_file $actionfile; - - while ( read_a_line ) { - - my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file'; - - if ( $target eq 'COMMENT' ) { - process_comment; - next; - } - - my $target2 = merge_levels $wholeaction, $target; - - my ( $action2 , $level2 ) = split_action $target2; - 
- ( $action2 , my $param ) = get_target_param $action2; - - my $action2type = $targets{$action2} || 0; - - unless ( $action2type == STANDARD ) { - if ( $action2type & ACTION ) { - $target2 = (find_logactionchain ( $target = $target2 ))->{name}; - } else { - fatal_error "Internal Error" unless $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ); - } - } - - if ( $action2type == MACRO ) { - process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ); - } else { - process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user; - } - } - - clear_comment; -} - -sub process_actions3 () { - # - # The following small functions generate rules for the builtin actions of the same name - # - sub dropBcast( $$$ ) { - my ($chainref, $level, $tag) = @_; - - if ( $capabilities{ADDRTYPE} ) { - if ( $level ne '' ) { - log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; - log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; - } - - add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP'; - } else { - add_command $chainref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $chainref; - log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne ''; - add_rule $chainref, '-d $address -j DROP'; - decr_cmd_level $chainref; - add_command $chainref, 'done'; - - log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; - } - - add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; - } - - sub allowBcast( $$$ ) { - my ($chainref, $level, $tag) = @_; - - if ( $capabilities{ADDRTYPE} ) { - if ( $level ne '' ) { - log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; - log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 '; - } 
- - add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT'; - } else { - add_command $chainref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $chainref; - log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne ''; - add_rule $chainref, '-d $address -j ACCEPT'; - decr_cmd_level $chainref; - add_command $chainref, 'done'; - - log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; - } - add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT'; - } - - sub dropNotSyn ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne ''; - add_rule $chainref , '-p tcp ! --syn -j DROP'; - } - - sub rejNotSyn ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne ''; - add_rule $chainref , '-p tcp ! 
--syn -j REJECT --reject-with tcp-reset'; - } - - sub dropInvalid ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne ''; - add_rule $chainref , '-m state --state INVALID -j DROP'; - } - - sub allowInvalid ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne ''; - add_rule $chainref , '-m state --state INVALID -j ACCEPT'; - } - - sub forwardUPnP ( $$$ ) { - } - - sub allowinUPnP ( $$$ ) { - my ($chainref, $level, $tag) = @_; - - if ( $level ne '' ) { - log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 '; - log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 '; - } - - add_rule $chainref, '-p udp --dport 1900 -j ACCEPT'; - add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT'; - } - - sub Limit( $$$ ) { - my ($chainref, $level, $tag) = @_; - - my @tag = split /,/, $tag; - - fatal_error 'Limit rules must include ,, as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3; - - my $set = $tag[0]; - - for ( @tag[1,2] ) { - fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . 
')' unless /^\d+$/ - } - - my $count = $tag[1] + 1; - - require_capability( 'RECENT_MATCH' , 'Limit rules' , '' ); - - add_rule $chainref, "-m recent --name $set --set"; - - if ( $level ne '' ) { - my $xchainref = new_chain 'filter' , "$chainref->{name}%"; - log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; - add_rule $xchainref, '-j DROP'; - add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; - } else { - add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; - } - - add_rule $chainref, '-j ACCEPT'; - } - - my %builtinops = ( 'dropBcast' => \&dropBcast, - 'allowBcast' => \&allowBcast, - 'dropNotSyn' => \&dropNotSyn, - 'rejNotSyn' => \&rejNotSyn, - 'dropInvalid' => \&dropInvalid, - 'allowInvalid' => \&allowInvalid, - 'allowinUPnP' => \&allowinUPnP, - 'forwardUPnP' => \&forwardUPnP, - 'Limit' => \&Limit, ); - - for my $wholeaction ( keys %usedactions ) { - my $chainref = find_logactionchain $wholeaction; - my ( $action, $level, $tag ) = split /:/, $wholeaction; - - $level = '' unless defined $level; - $tag = '' unless defined $tag; - - if ( $targets{$action} & BUILTIN ) { - $level = '' if $level =~ /none!?/; - $builtinops{$action}->($chainref, $level, $tag); - } else { - process_action3 $chainref, $wholeaction, $action, $level, $tag; - } - } -} - -1; diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Chains.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Chains.pm deleted file mode 100644 index 36f603f0f..000000000 --- a/Shorewall-perl-IPv6-Aborted/Shorewall/Chains.pm +++ /dev/null 
@@ -1,3747 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Chains.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This is the low-level iptables module. It provides the basic services
-# of chain and rule creation. It is used by the higher level modules such
-# as Rules to create iptables-restore input.
-# -package Shorewall::Chains; -require Exporter; - -use Scalar::Util 'reftype'; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::Zones; -use Shorewall::IPAddrs; -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( - add_rule - add_jump - add_6jump - insert_rule - new_chain - new_manual_chain - ensure_manual_chain - log_rule_limit - - %chain_table - $nat_table - $mangle_table - $filter_table - - new_6chain - new_manual_6chain - ensure_manual_6chain - - %chain6_table - $mangle6_table - $filter6_table - - ); - -our %EXPORT_TAGS = ( - internal => [ qw( STANDARD - NATRULE - BUILTIN - NONAT - NATONLY - REDIRECT - ACTION - MACRO - LOGRULE - NFQ - CHAIN - NO_RESTRICT - PREROUTE_RESTRICT - INPUT_RESTRICT - OUTPUT_RESTRICT - POSTROUTE_RESTRICT - ALL_RESTRICT - - add_command - add_commands - move_rules - process_comment - no_comment - macro_comment - clear_comment - incr_cmd_level - decr_cmd_level - chain_base - forward_chain - zone_forward_chain - use_forward_chain - use_forward_6chain - input_chain - zone_input_chain - use_input_chain - use_input_6chain - output_chain - zone_output_chain - use_output_chain - use_output_6chain - masq_chain - syn_flood_chain - mac_chain - macrecent_target - dnat_chain - snat_chain - ecn_chain - first_chains - ensure_chain - ensure_accounting_chain - ensure_mangle_chain - ensure_nat_chain - new_standard_chain - new_builtin_chain - new_nat_chain - ensure_filter_chain - initialize_chain_table - finish_section - setup_zone_mss - newexclusionchain - clearrule - do_proto - do_proto6 - mac_match - verify_mark - verify_small_mark - validate_mark - do_test - do_ratelimit - do_connlimit - do_time - do_user - do_length - do_tos - do_connbytes - do_helper - match_source_dev - match_dest_dev - iprange_match - match_source_net - match_dest_net - match_orig_dest - match_ipsec_in - match_ipsec_out - log_rule - expand_rule - addnatjump - get_interface_address - get_interface_addresses - get_interface_bcasts - get_interface_gateway - 
get_interface_mac - set_global_variables - create_netfilter_load - create_chainlist_reload - $section - %sections - %targets - - use_output_6chain - ensure_6chain - ensure_accounting_6chain - ensure_mangle_6chain - new_standard_6chain - new_builtin_6chain - ensure_filter_6chain - initialize_6chain_table - finish_6section - newexclusion6chain - match_source_6net - match_dest_6net - match_source_6dev - match_dest_6dev - get_interface_6address - get_interface_6addresses - get_interface_6bcasts - get_interface_6gateway - expand_6rule - set_global_6variables - create_netfilter6_load - create_6chainlist_reload - $section6 - %sections6 - %targets6 - ) ], - ); - -Exporter::export_ok_tags('internal'); - -our $VERSION = 4.1.5; - -# -# Chain Table6 -# -# %chain[6]_table { => { => { name => -# table =>
-# is_policy => undef|1 -- if 1, this is a policy chain -# is_optional => undef|1 -- See below. -# referenced => undef|1 -- If 1, will be written to the iptables-restore-input. -# builtin => undef|1 -- If 1, one of Netfilter's built-in chains. -# manual => undef|1 -- If 1, a manual chain. -# accounting => undef|1 -- If 1, an accounting chain -# log => -# policy => -# policychain => -- self-reference if this is a policy chain -# policypair => [ , ] -- Used for reporting duplicated policies -# loglevel => -# synparams => -# synchain => -# default => -# cmdlevel => -# rules => [ -# -# ... -# ] -# } , -# => ... -# } -# } -# -# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be -# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1. -# -# Only 'referenced' chains get written to the iptables-restore input. -# -# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. -# -our %chain_table; -our $nat_table; -our $mangle_table; -our $filter_table; - -our %chain6_table; -our $mangle6_table; -our $filter6_table; - -# -# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file -# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent -# on Shorewall::Rules. 
-# -our %sections; -our $section; - -our %sections6; -our $section6; - -our $comment; - -use constant { STANDARD => 1, #defined by Netfilter - NATRULE => 2, #Involves NAT - BUILTIN => 4, #A built-in action - NONAT => 8, #'NONAT' or 'ACCEPT+' - NATONLY => 16, #'DNAT-' or 'REDIRECT-' - REDIRECT => 32, #'REDIRECT' - ACTION => 64, #An action (may be built-in) - MACRO => 128, #A Macro - LOGRULE => 256, #'LOG' - NFQ => 512, #'NFQUEUE' - CHAIN => 1024, #Manual Chain - }; - -our %targets; -our %targets6; - -# -# expand_rule() restrictions -# -use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule - PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d
using main routing table - INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed - OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed - POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s
using main routing table - ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed - }; -our $exclseq; -our $iprangematch; -our $chainseq; - -our %interfaceaddr; -our %interfaceaddrs; -our %interfacenets; -our %interfacemacs; -our %interfacebcasts; -our %interfacegateways; -our %interface6addr; -our %interface6addrs; -our %interface6nets; -our %interface6bcasts; -our %interface6gateways; - -our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING); - -# -# Mode of the generator. -# -use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptables-restore input - CAT_MODE => 1 , # Generating iptables-restore input - CMD_MODE => 2 }; # Generating shell commands. - -our $mode; - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - %chain_table = ( raw => {} , - mangle => {}, - nat => {}, - filter => {} ); - - $nat_table = $chain_table{nat}; - $mangle_table = $chain_table{mangle}; - $filter_table = $chain_table{filter}; - - # - # These get set to 1 as sections are encountered. - # - %sections = ( ESTABLISHED => 0, - RELATED => 0, - NEW => 0 - ); - # - # Current rules file section. - # - $section = 'ESTABLISHED'; - # - # Contents of last COMMENT line. - # - $comment = ''; - # - # As new targets (Actions and Macros) are discovered, they are added to the table - # - %targets = ('ACCEPT' => STANDARD, - 'ACCEPT+' => STANDARD + NONAT, - 'ACCEPT!' => STANDARD, - 'NONAT' => STANDARD + NONAT + NATONLY, - 'DROP' => STANDARD, - 'DROP!' => STANDARD, - 'REJECT' => STANDARD, - 'REJECT!' 
=> STANDARD, - 'DNAT' => NATRULE, - 'DNAT-' => NATRULE + NATONLY, - 'REDIRECT' => NATRULE + REDIRECT, - 'REDIRECT-' => NATRULE + REDIRECT + NATONLY, - 'LOG' => STANDARD + LOGRULE, - 'CONTINUE' => STANDARD, - 'CONTINUE!' => STANDARD, - 'QUEUE' => STANDARD, - 'QUEUE!' => STANDARD, - 'NFQUEUE' => STANDARD + NFQ, - 'NFQUEUE!' => STANDARD + NFQ, - 'SAME' => NATRULE, - 'SAME-' => NATRULE + NATONLY, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, - 'dropNotSyn' => BUILTIN + ACTION, - 'rejNotSyn' => BUILTIN + ACTION, - 'dropInvalid' => BUILTIN + ACTION, - 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, - ); - # - # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... - # - $exclseq = 0; - # - # Used to suppress duplicate match specifications. - # - $iprangematch = 0; - # - # Sequence for naming temporary chains - # - $chainseq = undef; - # - # Keep track of which interfaces have active 'address', 'addresses', 'networks', etc. variables - # - %interfaceaddr = (); - %interfaceaddrs = (); - %interfacenets = (); - %interfacemacs = (); - %interfacebcasts = (); - %interfacegateways = (); - - %chain6_table = ( raw => {} , - mangle => {}, - filter => {} ); - - $mangle6_table = $chain6_table{mangle}; - $filter6_table = $chain6_table{filter}; - - # - # These get set to 1 as sections are encountered. - # - %sections6 = ( ESTABLISHED => 0, - RELATED => 0, - NEW => 0 - ); - # - # Current rules file section. - # - $section6 = 'ESTABLISHED'; - # - # As new targets (Actions and Macros) are discovered, they are added to the table - # - %targets6 = ('ACCEPT' => STANDARD, - 'ACCEPT!' => STANDARD, - 'DROP' => STANDARD, - 'DROP!' => STANDARD, - 'REJECT' => STANDARD, - 'REJECT!' => STANDARD, - 'LOG' => STANDARD + LOGRULE, - 'CONTINUE' => STANDARD, - 'CONTINUE!' => STANDARD, - 'QUEUE' => STANDARD, - 'QUEUE!' => STANDARD, - 'NFQUEUE' => STANDARD + NFQ, - 'NFQUEUE!' 
=> STANDARD + NFQ, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, - 'dropNotSyn' => BUILTIN + ACTION, - 'rejNotSyn' => BUILTIN + ACTION, - 'dropInvalid' => BUILTIN + ACTION, - 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, - ); - # - # Keep track of which interfaces have active '6address', '6addresses', '6networks', etc. variables - # - %interface6addr = (); - %interface6addrs = (); - %interface6nets = (); - %interface6bcasts = (); - %interface6gateways = (); -} - -INIT { - initialize; -} - -# -# Add a run-time command to a chain. Arguments are: -# -# Chain reference , Command -# - -# -# Process a COMMENT line (in $currentline) -# -sub process_comment() { - if ( $capabilities{COMMENTS} ) { - ( $comment = $currentline ) =~ s/^\s*COMMENT\s*//; - $comment =~ s/\s*$//; - } else { - warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; - } -} - -# -# Returns True if there is a current COMMENT or if COMMENTS are not available. -# -sub no_comment() { - $comment ? 1 : $capabilities{COMMENTS} ? 0 : 1; -} - -# -# Clear the $comment variable -# -sub clear_comment() { - $comment = ''; -} - -# -# Set $comment to the passed unless there is a current comment -# -sub macro_comment( $ ) { - my $macro = $_[0]; - - $comment = $macro unless $comment || ! 
( $capabilities{COMMENTS} && $config{AUTO_COMMENT} ); -} - -# -# Functions to manipulate cmdlevel -# -sub incr_cmd_level( $ ) { - $_[0]->{cmdlevel}++; -} - -sub decr_cmd_level( $ ) { - fatal_error "Internal error in decr_cmd_level()" if --$_[0]->{cmdlevel} < 0; -} - -sub add_command($$) -{ - my ($chainref, $command) = @_; - - push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $command ); - - $chainref->{referenced} = 1; -} - -sub add_commands { - my $chainref = shift @_; - - for my $command ( @_ ) { - push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $command ); - } - - $chainref->{referenced} = 1; -} - -sub push_rule( $$ ) { - my ($chainref, $rule) = @_; - - $rule .= qq( -m comment --comment "$comment") if $comment; - - if ( $chainref->{cmdlevel} ) { - $rule =~ s/"/\\"/g; #Must preserve quotes in the rule - add_command $chainref , qq(echo "-A $chainref->{name} $rule" >&3); - } else { - push @{$chainref->{rules}}, join( ' ', '-A' , $chainref->{name}, $rule ); - $chainref->{referenced} = 1; - } -} - -# -# Add a rule to a chain. Arguments are: -# -# Chain reference , Rule [, Expand-long-dest-port-lists ] -# -sub add_rule($$;$) -{ - my ($chainref, $rule, $expandports) = @_; - - fatal_error 'Internal Error in add_rule()' if reftype $rule; - - $iprangematch = 0; - # - # Pre-processing the port lists as was done in Shorewall-shell results in port-list - # processing driving the rest of rule generation. - # - # By post-processing each rule generated by expand_rule(), we avoid all of that - # messiness and replace it with the following localized messiness. - # - # Because source ports are seldom specified and source port lists are rarer still, - # we only worry about the destination ports. 
- # - if ( $expandports && $rule =~ '^(.* --dports\s+)([^ ]+)(.*)$' ) { - # - # Rule has a --dports specification - # - my ($first, $ports, $rest) = ( $1, $2, $3 ); - - if ( ( $ports =~ tr/:,/:,/ ) > 15 ) { - # - # More than 15 ports specified - # - my @ports = split '([,:])', $ports; - - while ( @ports ) { - my $count = 0; - my $newports = ''; - - while ( @ports && $count < 15 ) { - my ($port, $separator) = ( shift @ports, shift @ports ); - - $separator ||= ''; - - if ( ++$count == 15 ) { - if ( $separator eq ':' ) { - unshift @ports, $port, ':'; - chop $newports; - last; - } else { - $newports .= $port; - } - } else { - $newports .= "${port}${separator}"; - } - } - - push_rule ( $chainref, join( '', $first, $newports, $rest ) ); - } - } else { - push_rule ( $chainref, $rule ); - } - } else { - push_rule ( $chainref, $rule ); - } -} - -# -# Add a jump from the chain represented by the reference in the first argument to -# the target in the second argument. The optional third argument specifies any -# matches to be included in the rule and must end with a space character if it is non-null. 
-# - -sub add_jump( $$;$ ) { - my ( $fromref, $to, $predicate ) = @_; - - $predicate |= ''; - - my $toref; - # - # The second argument may be a scalar (chain name or builtin target) or a chain reference - # - if ( reftype $to ) { - $toref = $to; - $to = $toref->{name}; - } else { - # - # Ensure that we have the chain unless it is a builtin like 'ACCEPT' - # - $toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD; - } - - # - # If the destination is a chain, mark it referenced - # - $toref->{referenced} = 1 if $toref; - - add_rule ($fromref, join( '', $predicate, "-j $to" ) ); -} - -sub add_6jump( $$;$ ) { - my ( $fromref, $to, $predicate ) = @_; - - $predicate |= ''; - - my $toref; - # - # The second argument may be a scalar (chain name or builtin target) or a chain reference - # - if ( reftype $to ) { - $toref = $to; - $to = $toref->{name}; - } else { - # - # Ensure that we have the chain unless it is a builtin like 'ACCEPT' - # - $toref = ensure_6chain( $fromref->{table} , $to ) unless ( $targets6{$to} || 0 ) & STANDARD; - } - - # - # If the destination is a chain, mark it referenced - # - $toref->{referenced} = 1 if $toref; - - add_rule ($fromref, join( '', $predicate, "-j $to" ) ); -} - -# -# Insert a rule into a chain. Arguments are: -# -# Chain reference , Rule Number, Rule -# -sub insert_rule($$$) -{ - my ($chainref, $number, $rule) = @_; - - fatal_error 'Internal Error in insert_rule()' if $chainref->{cmdlevel}; - - $rule .= "-m comment --comment \"$comment\"" if $comment; - - splice( @{$chainref->{rules}}, $number - 1, 0, join( ' ', '-A', $chainref->{name}, $rule ) ); - - $iprangematch = 0; - - $chainref->{referenced} = 1; - -} - -# -# Move the rules from one chain to another -# -# The rules generated by interface options are added to the interfaces's input chain and -# forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to -# a zone-oriented chain, hence this function. 
-# -# The source chain must not have any run-time code included in its rules. -# -sub move_rules( $$ ) { - my ($chain1, $chain2 ) = @_; - - if ( $chain1->{referenced} ) { - my @rules = @{$chain1->{rules}}; - - for ( @rules ) { - fatal_error "Internal Error in move_rules()" unless /^-A/; - s/ $chain1->{name} / $chain2->{name} /; - } - - splice @{$chain2->{rules}}, 0, 0, @rules; - - $chain2->{referenced} = 1; - $chain1->{referenced} = 0; - $chain1->{rules} = []; - } -} - -# -# Form the name of a chain. -# -sub chain_base($) { - my $chain = $_[0]; - - $chain =~ s/^@/at_/; - $chain =~ tr/[.\-%@]/_/; - $chain =~ s/\+$//; - $chain; -} - -# -# Forward Chain for an interface -# -sub forward_chain($) -{ - chain_base($_[0]) . '_fwd'; -} - -# -# Forward Chain for a zone -# -sub zone_forward_chain($) { - chain_base($_[0]) . '_frwd'; -} - -# -# Returns true if we're to use the interface's forward chain -# -sub use_forward_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - $interfaceref->{nets} > 1; -} - -sub use_forward_6chain($) { - my $interface = $_[0]; - my $interfaceref = find_6interface($interface); - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - $interfaceref->{nets} > 1; -} - -# -# Input Chain for an interface -# -sub input_chain($) -{ - chain_base($_[0]) . '_in'; -} - -# -# Input Chain for a zone -# -sub zone_input_chain($) { - chain_base($_[0]) . 
'_input'; -} - -# -# Returns true if we're to use the interface's input chain -# -sub use_input_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's input chain if it has one - # - my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the '2fw' chain if it is referenced. - # - $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )}; - - ! $chainref->{referenced}; -} - -sub use_input_6chain($) { - my $interface = $_[0]; - my $interfaceref = find_6interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's input chain if it has one - # - my $chainref = $filter6_table->{zone_input_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the '2fw' chain if it is referenced. - # - $chainref = $filter6_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )}; - - ! $chainref->{referenced}; -} - -# -# Output Chain for an interface -# -sub output_chain($) -{ - chain_base($_[0]) . '_out'; -} - -# -# Output Chain for a zone -# -sub zone_output_chain($) { - chain_base($_[0]) . 
'_output'; -} - -# -# Returns true if we're to use the interface's output chain -# -sub use_output_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's output chain if it has one - # - my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the 'fw2' chain if it is referenced. - # - $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; - - ! $chainref->{referenced}; -} - -sub use_output_6chain($) { - my $interface = $_[0]; - my $interfaceref = find_6interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's output chain if it has one - # - my $chainref = $filter6_table->{zone_output_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the 'fw2' chain if it is referenced. - # - $chainref = $filter6_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; - - ! $chainref->{referenced}; -} - -# -# Masquerade Chain for an interface -# -sub masq_chain($) -{ - chain_base($_[0]) . '_masq'; -} - -# -# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference -# -sub syn_flood_chain ( $ ) { - '@' . $_[0]->{synchain}; -} - -# -# MAC Verification Chain for an interface -# -sub mac_chain( $ ) -{ - chain_base($_[0]) . '_mac'; -} - -sub macrecent_target($) -{ - $config{MACLIST_TTL} ? chain_base($_[0]) . 
'_rec' : 'RETURN'; -} - -# -# DNAT Chain from a zone -# -sub dnat_chain( $ ) -{ - chain_base($_[0]) . '_dnat'; -} - -# -# SNAT Chain to an interface -# -sub snat_chain( $ ) -{ - chain_base($_[0]) . '_snat'; -} - -# -# ECN Chain to an interface -# -sub ecn_chain( $ ) -{ - chain_base($_[0]) . '_ecn'; -} - -# -# First chains for an interface -# -sub first_chains( $ ) #$1 = interface -{ - my $c = chain_base($_[0]); - - ( $c . '_fwd', $c . '_in' ); -} - -# -# Create a new chain and return a reference to it. -# -sub new_chain($$) -{ - my ($table, $chain) = @_; - - warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain}; - - $chain_table{$table}{$chain} = { name => $chain, - rules => [], - table => $table, - loglevel => '', - log => 1, - cmdlevel => 0 }; -} - -# -# Create a chain if it doesn't exist already -# -sub ensure_chain($$) -{ - my ($table, $chain) = @_; - - my $ref = $chain_table{$table}{$chain}; - - return $ref if $ref; - - new_chain $table, $chain; -} - -sub finish_chain_section( $$ ); - -# -# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. -# -sub ensure_filter_chain( $$ ) -{ - my ($chain, $populate) = @_; - - my $chainref = $filter_table->{$chain}; - - $chainref = new_chain 'filter' , $chain unless $chainref; - - if ( $populate and ! $chainref->{referenced} ) { - if ( $section eq 'NEW' or $section eq 'DONE' ) { - finish_chain_section $chainref , 'ESTABLISHED,RELATED'; - } elsif ( $section eq 'RELATED' ) { - finish_chain_section $chainref , 'ESTABLISHED'; - } - } - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Create an accounting chain if necessary. -# -sub ensure_accounting_chain( $ ) -{ - my ($chain) = @_; - - my $chainref = $filter_table->{$chain}; - - if ( $chainref ) { - fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! 
$chainref->{accounting}; - } else { - $chainref = new_chain 'filter' , $chain unless $chainref; - $chainref->{accounting} = 1; - $chainref->{referenced} = 1; - } - - $chainref; -} - -sub ensure_mangle_chain($) { - my $chain = $_[0]; - - my $chainref = ensure_chain 'mangle', $chain; - - $chainref->{referenced} = 1; - - $chainref; -} - -sub ensure_nat_chain($) { - my $chain = $_[0]; - - my $chainref = ensure_chain 'nat', $chain; - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Add a builtin chain -# -sub new_builtin_chain($$$) -{ - my ( $table, $chain, $policy ) = @_; - - my $chainref = new_chain $table, $chain; - $chainref->{referenced} = 1; - $chainref->{policy} = $policy; - $chainref->{builtin} = 1; -} - -sub new_standard_chain($) { - my $chainref = new_chain 'filter' ,$_[0]; - $chainref->{referenced} = 1; - $chainref; -} - -sub new_nat_chain($) { - my $chainref = new_chain 'nat' ,$_[0]; - $chainref->{referenced} = 1; - $chainref; -} - -sub new_manual_chain($) { - my $chain = $_[0]; - fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain}; - $targets{$chain} = CHAIN; - ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1; - $chainref->{referenced} = 1; - $chainref; -} - -sub ensure_manual_chain($) { - my $chain = $_[0]; - my $chainref = $filter_table->{$chain} || new_manual_chain($chain); - fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual}; - $chainref; -} - -# -# Add all builtin chains to the chain table -# -# -sub initialize_chain_table() -{ - for my $chain qw(OUTPUT PREROUTING) { - new_builtin_chain 'raw', $chain, 'ACCEPT'; - } - - for my $chain qw(INPUT OUTPUT FORWARD) { - new_builtin_chain 'filter', $chain, 'DROP'; - } - - for my $chain qw(PREROUTING POSTROUTING OUTPUT) { - new_builtin_chain 'nat', $chain, 'ACCEPT'; - } - - for my $chain qw(PREROUTING INPUT OUTPUT ) { - new_builtin_chain 'mangle', $chain, 'ACCEPT'; - } - - if ( $capabilities{MANGLE_FORWARD} ) { - for my 
$chain qw( FORWARD POSTROUTING ) { - new_builtin_chain 'mangle', $chain, 'ACCEPT'; - } - } -} - -# -# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain -# -sub finish_chain_section ($$) { - my ($chainref, $state ) = @_; - my $chain = $chainref->{name}; - my $savecomment = $comment; - - $comment = ''; - - add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; - - if ($sections{NEW} ) { - if ( $chainref->{is_policy} ) { - if ( $chainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; - if ( $section eq 'DONE' ) { - if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } else { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } else { - my $policychainref = $filter_table->{$chainref->{policychain}}; - if ( $policychainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } - - $comment = $savecomment; -} - -# -# Do section-end processing -# -sub finish_section ( $ ) { - my $sections = $_[0]; - - for my $section ( split /,/, $sections ) { - $sections{$section} = 1; - } - - for my $zone ( all_zones ) { - for my $zone1 ( all_zones ) { - my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; - if ( $chainref->{referenced} ) { - finish_chain_section $chainref, $sections; - } - } - } -} - -# -# Helper for set_mss -# -sub set_mss1( $$ ) { - my ( $chain, $mss ) = @_; - my $chainref = ensure_chain 'filter', $chain; - - if ( $chainref->{policy} ne 'NONE' ) { - my $match = $capabilities{TCPMSS_MATCH} ? 
"-m tcpmss --mss $mss: " : ''; - insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" - } -} - -# -# Set up rules to set MSS to and/or from zone "$zone" -# -sub set_mss( $$$ ) { - my ( $zone, $mss, $direction) = @_; - - for my $z ( all_zones ) { - if ( $direction eq '_in' ) { - set_mss1 "${zone}2${z}" , $mss; - } elsif ( $direction eq '_out' ) { - set_mss1 "${z}2${zone}", $mss; - } else { - set_mss1 "${z}2${zone}", $mss; - set_mss1 "${zone}2${z}", $mss; - } - } -} - -# -# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. -# -sub setup_zone_mss() { - for my $zone ( all_zones ) { - my $zoneref = find_zone( $zone ); - - set_mss( $zone, $zoneref->{options}{in_out}{mss}, '' ) if $zoneref->{options}{in_out}{mss}; - set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss}; - set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss}; - } -} - -sub newexclusionchain() { - my $seq = $exclseq++; - "excl${seq}"; -} - -sub clearrule() { - $iprangematch = 0; -} - -# -# Return the number of ports represented by the passed list -# -sub port_count( $ ) { - ( $_[0] =~ tr/,:/,:/ ) + 1; -} - -# -# Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string. 
-# -sub do_proto( $$$ ) -{ - my ($proto, $ports, $sports ) = @_; - - my $output = ''; - - $proto = '' if $proto eq '-'; - $ports = '' if $ports eq '-'; - $sports = '' if $sports eq '-'; - - if ( $proto ne '' ) { - - my $synonly = ( $proto =~ s/:syn$//i ); - - my $protonum = resolve_proto $proto; - - if ( defined $protonum ) { - # - # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent - # - my $pname = proto_name( $proto = $protonum ); - # - # $proto now contains the protocol number and $pname contains the canonical name of the protocol - # - unless ( $synonly ) { - $output = "-p $proto "; - } else { - fatal_error '":syn" is only allowed with tcp' unless $proto == TCP; - $output = "-p $proto --syn "; - } - - PROTO: - { - - if ( $proto == TCP || $proto == UDP || $proto == SCTP ) { - my $multiport = 0; - - if ( $ports ne '' ) { - if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { - fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; - fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; - $ports = validate_port_list $pname , $ports; - $output .= "-m multiport --dports $ports "; - $multiport = 1; - } else { - $ports = validate_portpair $pname , $ports; - $output .= "--dport $ports "; - } - } else { - $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); - } - - if ( $sports ne '' ) { - if ( $multiport ) { - fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15; - $sports = validate_port_list $pname , $sports; - $output .= "-m multiport --sports $sports "; - } else { - $sports = validate_portpair $pname , $sports; - $output .= "--sport $sports "; - } - } - - last PROTO; } - - if ( $proto == ICMP ) { - if ( $ports ne '' ) { - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $ports = validate_icmp $ports; - $output .= "--icmp-type $ports "; - } - - fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; 
- - last PROTO; } - - fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; - - } # PROTO - - } else { - fatal_error '":syn" is only allowed with tcp' if $synonly; - - if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { - my $p = $2 ? lc $3 : 'tcp'; - require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); - $proto = '-p ' . proto_name($p) . ' '; - $ports = 'ipp2p' unless $ports; - $output .= "${proto}-m ipp2p --$ports "; - } else { - fatal_error "Invalid/Unknown protocol ($proto)" - } - } - } else { - # - # No protocol - # - fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne ''; - } - - $output; -} - -sub do_proto6( $$$ ) -{ - my ($proto, $ports, $sports ) = @_; - # - # Return the number of ports represented by the passed list - # - my $output = ''; - - $proto = '' if $proto eq '-'; - $ports = '' if $ports eq '-'; - $sports = '' if $sports eq '-'; - - if ( $proto ne '' ) { - - my $synonly = ( $proto =~ s/:syn$//i ); - - my $protonum = resolve_proto $proto; - - if ( defined $protonum ) { - # - # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent - # - my $pname = proto_name( $proto = $protonum ); - # - # $proto now contains the protocol number and $pname contains the canonical name of the protocol - # - unless ( $synonly ) { - $output = "-p $proto "; - } else { - fatal_error '":syn" is only allowed with tcp' unless $proto == TCP; - $output = "-p $proto --syn "; - } - - PROTO: - { - - if ( $proto == TCP || $proto == UDP || $proto == SCTP ) { - my $multiport = 0; - - if ( $ports ne '' ) { - if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { - fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; - fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; - $ports = validate_port_list $pname , $ports; - $output .= "-m multiport --dports $ports "; - $multiport = 1; - } else { - 
$ports = validate_portpair $pname , $ports; - $output .= "--dport $ports "; - } - } else { - $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); - } - - if ( $sports ne '' ) { - if ( $multiport ) { - fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15; - $sports = validate_port_list $pname , $sports; - $output .= "-m multiport --sports $sports "; - } else { - $sports = validate_portpair $pname , $sports; - $output .= "--sport $sports "; - } - } - - last PROTO; } - - if ( $proto == IPv6_ICMP ) { - if ( $ports ne '' ) { - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $ports = validate_icmp6 $ports; - $output .= "--icmpv6-type $ports "; - } - - fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne ''; - - last PROTO; } - - fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; - - } # PROTO - - } else { - fatal_error "Invalid/Unknown protocol ($proto)" - } - } else { - # - # No protocol - # - fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne ''; - } - - $output; -} - -sub mac_match( $ ) { - my $mac = $_[0]; - - $mac =~ s/^(!?)~//; - my $invert = ( $1 ? '! ' : ''); - $mac =~ tr/-/:/; - - fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/; - - "--match mac --mac-source ${invert}$mac "; -} - -# -# Mark validatation functions -# -sub verify_mark( $ ) { - my $mark = $_[0]; - my $limit = $config{HIGH_ROUTE_MARKS} ? 
0xFFFF : 0xFF; - my $value = numeric_value( $mark ); - - fatal_error "Invalid Mark or Mask value ($mark)" - unless defined( $value ) && $value <= $limit; - - fatal_error "Invalid High Mark or Mask value ($mark)" - if ( $value > 0xFF && $value & 0xFF ); -} - -sub verify_small_mark( $ ) { - verify_mark ( (my $mark) = $_[0] ); - fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > 0xFF; -} - -sub validate_mark( $ ) { - for ( split '/', $_[0] ) { - verify_mark $_; - } -} - -# -# Generate an appropriate -m [conn]mark match string for the contents of a MARK column -# - -sub do_test ( $$ ) -{ - my ($testval, $mask) = @_; - - my $originaltestval = $testval; - - return '' unless defined $testval and $testval ne '-'; - - $mask = '' unless defined $mask; - - my $invert = $testval =~ s/^!// ? '! ' : ''; - my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark"; - - fatal_error "Invalid MARK value ($originaltestval)" if $testval eq '/'; - - validate_mark $testval; - - $testval = join( '/', $testval, in_hex($mask) ) unless ( $testval =~ '/' ); - - "$match $testval "; -} - -my %norate = ( DROP => 1, REJECT => 1 ); - -# -# Create a "-m limit" match for the passed LIMIT/BURST -# -sub do_ratelimit( $$ ) { - my ( $rate, $action ) = @_; - - return '' unless $rate and $rate ne '-'; - - fatal_error "Rate Limiting not available with $action" if $norate{$action}; - - if ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { - "-m limit --limit $1 --limit-burst $4 "; - } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) { - "-m limit --limit $rate "; - } else { - fatal_error "Invalid rate ($rate)"; - } -} - -# -# Create a "-m connlimit" match for the passed CONNLIMIT -# -sub do_connlimit( $ ) { - my ( $limit ) = @_; - - return '' unless $limit and $limit ne '-'; - - require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's'; - - my $invert = $limit =~ s/^!// ? '' : '! 
'; # Note Carefully -- we actually do 'connlimit-at-or-below' - - if ( $limit =~ /^(\d+):(\d+)$/ ) { - fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31; - "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 "; - } elsif ( $limit =~ /^(\d+)$/ ) { - "-m connlimit ${invert}--connlimit-above $limit "; - } else { - fatal_error "Invalid connlimit ($limit)"; - } -} - -sub do_time( $ ) { - my ( $time ) = @_; - - return '' unless $time ne '-'; - - require_capability 'TIME_MATCH', 'A non-empty TIME', 's'; - - my $result = '-m time '; - - for my $element (split /&/, $time ) { - fatal_error "Invalid time element list ($time)" unless defined $element && $element; - - if ( $element =~ /^(timestart|timestop)=(\d{1,2}:\d{1,2}(:\d{1,2})?)$/ ) { - $result .= "--$1 $2 "; - } elsif ( $element =~ /^weekdays=(.*)$/ ) { - my $days = $1; - for my $day ( split /,/, $days ) { - fatal_error "Invalid weekday ($day)" unless $day =~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ || ( $day =~ /^\d$/ && $day && $day <= 7);0 - } - $result .= "--weekday $days "; - } elsif ( $element =~ /^monthdays=(.*)$/ ) { - my $days = $1; - for my $day ( split /,/, $days ) { - fatal_error "Invalid day of the month ($day)" unless $day =~ /^\d{1,2}$/ && $day && $day <= 31; - } - } elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) { - $result .= "--$1 $2 "; - } elsif ( $element =~ /^(utc|localtz)$/ ) { - $result .= "--$1 "; - } else { - fatal_error "Invalid time element ($element)"; - } - } - - $result; -} - -# -# Create a "-m owner" match for the passed USER/GROUP -# -sub do_user( $ ) { - my $user = $_[0]; - my $rule = '-m owner '; - - return '' unless defined $user and $user ne '-'; - - if ( $user =~ /^(!)?(.*)\+(.*)$/ ) { - $rule .= "! --cmd-owner $2 " if defined $2 && $2 ne ''; - $user = "!$1"; - } elsif ( $user =~ /^(.*)\+(.*)$/ ) { - $rule .= "--cmd-owner $2 " if defined $2 && $2 ne ''; - $user = $1; - } - - if ( $user =~ /^!(.*):(.*)$/ ) { - $rule .= "! 
--uid-owner $1 " if defined $1 && $1 ne ''; - $rule .= "! --gid-owner $2 " if defined $2 && $2 ne ''; - } elsif ( $user =~ /^(.*):(.*)$/ ) { - $rule .= "--uid-owner $1 " if defined $1 && $1 ne ''; - $rule .= "--gid-owner $2 " if defined $2 && $2 ne ''; - } elsif ( $user =~ /^!(.*)$/ ) { - fatal_error "Invalid USER/GROUP (!)" if $1 eq ''; - $rule .= "! --uid-owner $1 "; - } else { - $rule .= "--uid-owner $user "; - } - - $rule; -} - -# -# Create a "-m tos" match for the passed TOS -# -sub do_tos( $ ) { - my $tos = $_[0]; - - $tos ne '-' ? "-m tos --tos $tos " : ''; -} - -my %dir = ( O => 'original' , - R => 'reply' , - B => 'both' ); - -my %mode = ( P => 'packets' , - B => 'bytes' , - A => 'avgpkt' ); - -# -# Create a "-m connbytes" match for the passed argument -# -sub do_connbytes( $ ) { - my $connbytes = $_[0]; - - return '' if $connbytes eq '-'; - # 1 2 3 5 6 - fatal_error "Invalid CONNBYTES ($connbytes)" unless $connbytes =~ /^(!)? (\d+): (\d+)? ((:[ORB]) (:[PBA])?)?$/x; - - my $invert = $1 || ''; $invert = '! ' if $invert; - my $min = $2; $min = 0 unless defined $min; - my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; - my $dir = $5 || 'B'; - my $mode = $6 || 'B'; - - $dir =~ s/://; - $mode =~ s/://; - - "${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} "; -} - -# -# Create a "-m helper" match for the passed argument -# -sub do_helper( $ ) { - my $helper = shift; - - return '' if $helper eq '-'; - - qq(-m helper --helper "$helper"); -} - -# -# Create a "-m length" match for the passed TOS -# -sub do_length( $ ) { - my $length = $_[0]; - - require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' ); - $length ne '-' ? 
"-m length --length $length " : ''; -} - -# -# Match Source Interface -# -sub match_source_dev( $ ) { - my $interface = shift; - my $interfaceref = known_interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - "-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; - } else { - "-i $interface "; - } -} - -sub match_source_6dev( $ ) { - my $interface = shift; - my $interfaceref = known_6interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - "-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; - } else { - "-i $interface "; - } -} - -# -# Match Dest device -# -sub match_dest_dev( $ ) { - my $interface = shift; - my $interfaceref = known_interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - if ( $capabilities{PHYSDEV_BRIDGE} ) { - "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; - } else { - "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; - } - } else { - "-o $interface "; - } -} - -sub match_dest_6dev( $ ) { - my $interface = shift; - my $interfaceref = known_6interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - if ( $capabilities{PHYSDEV_BRIDGE} ) { - "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; - } else { - "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; - } - } else { - "-o $interface "; - } -} - -# -# Avoid generating a second '-m iprange' in a single rule. -# -sub iprange_match() { - my $match = ''; - - require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' ); - unless ( $iprangematch ) { - $match = '-m iprange '; - $iprangematch = 1 unless $capabilities{KLUDGEFREE}; - } - - $match; -} - -# -# Get set flags (ipsets). -# -sub get_set_flags( $$ ) { - my ( $setname, $option ) = @_; - my $options = $option; - - $setname =~ s/^!//; # Caller has already taken care of leading ! 
- - if ( $setname =~ /^(.*)\[([1-6])\]$/ ) { - $setname = $1; - my $count = $2; - $options .= ",$option" while --$count > 0; - } elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) { - $setname = $1; - $options = $2; - } - - $setname =~ s/^\+//; - - fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/; - - "--set $setname $options " -} - -# -# Match a Source. Handles IP addresses and ranges and MAC addresses -# -sub match_source_net( $;$ ) { - my ( $net, $restriction) = @_; - - $restriction |= NO_RESTRICT; - - if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - my ($addr1, $addr2) = ( $2, $3 ); - $net =~ s/!// if my $invert = $1 ? '! ' : ''; - validate_range $addr1, $addr2; - iprange_match . "${invert}--src-range $net "; - } elsif ( $net =~ /^!?~/ ) { - fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; - mac_match $net; - } elsif ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' ); - join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); - } elsif ( $net =~ s/^!// ) { - validate_net $net, 1; - "-s ! $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-s $net "; - } -} - -# -# Match a Source. Currently only handles IP addresses and ranges -# -sub match_dest_net( $ ) { - my $net = $_[0]; - - if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - my ($addr1, $addr2) = ( $2, $3 ); - $net =~ s/!// if my $invert = $1 ? '! ' : ''; - validate_range $addr1, $addr2; - iprange_match . "${invert}--dst-range $net "; - } elsif ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , ''); - join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); - } elsif ( $net =~ /^!/ ) { - $net =~ s/!//; - validate_net $net, 1; - "-d ! $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? 
'' : "-d $net "; - } -} - -# -# Match original destination -# -sub match_orig_dest ( $ ) { - my $net = $_[0]; - - return '' if $net eq ALLIPv4; - return '' unless $capabilities{CONNTRACK_MATCH}; - - if ( $net =~ s/^!// ) { - validate_net $net, 1; - $capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; - } -} - -# -# Match Source IPSEC -# -sub match_ipsec_in( $$ ) { - my ( $zone , $hostref ) = @_; - my $match = '-m policy --dir in --pol '; - my $zoneref = find_zone( $zone ); - my $optionsref = $zoneref->{options}; - - if ( $zoneref->{type} eq 'ipsec4' ) { - $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; - } elsif ( $capabilities{POLICY_MATCH} ) { - $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; - } else { - ''; - } -} - -# -# Match Dest IPSEC -# -sub match_ipsec_out( $$ ) { - my ( $zone , $hostref ) = @_; - my $match = '-m policy --dir out --pol '; - my $zoneref = find_zone( $zone ); - my $optionsref = $zoneref->{options}; - - if ( $zoneref->{type} eq 'ipsec4' ) { - $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; - } elsif ( $capabilities{POLICY_MATCH} ) { - $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" - } else { - ''; - } -} - -# -# Generate a log message -# -sub log_rule_limit( $$$$$$$$ ) { - my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_; - - my $prefix = ''; - - $level = validate_level $level; # Do this here again because this function can be called directly from user exits. 
- - return 1 if $level eq ''; - - $predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' '; - - unless ( $predicates =~ /-m limit / ) { - $limit = $globals{LOGLIMIT} unless $limit && $limit ne '-'; - $predicates .= $limit if $limit; - } - - if ( $config{LOGFORMAT} =~ /^\s*$/ ) { - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level "; - } elsif ( $level =~ /^NFLOG/ ) { - $prefix = "-j $level "; - } else { - $prefix = "-j LOG $globals{LOGPARMS}--log-level $level "; - } - } else { - if ( $tag ) { - if ( $config{LOGTAGONLY} ) { - $chain = $tag; - $tag = ''; - } else { - $tag .= ' '; - } - } else { - $tag = '' unless defined $tag; - } - - $disposition =~ s/\s+.*//; - - if ( $globals{LOGRULENUMBERS} ) { - $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag; - } else { - $prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag; - } - - if ( length $prefix > 29 ) { - $prefix = substr( $prefix, 0, 28 ) . ' '; - warning_message "Log Prefix shortened to \"$prefix\""; - } - - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level --ulog-prefix \"$prefix\" "; - } elsif ( $level =~ /^NFLOG/ ) { - $prefix = "-j $level --nflog-prefix \"$prefix\" "; - } else { - $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" "; - } - } - - if ( $command eq 'add' ) { - add_rule ( $chainref, $predicates . $prefix , 1 ); - } else { - insert_rule ( $chainref , 1 , $predicates . $prefix ); - } -} - -sub log_rule( $$$$ ) { - my ( $level, $chainref, $disposition, $predicates ) = @_; - - log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $predicates; -} - -# -# Split a comma-separated source or destination host list but keep [...] together. 
-# -sub mysplit( $ ) { - my @input = split_list $_[0], 'host'; - - return @input unless $_[0] =~ /\[/; - - my @result; - - while ( @input ) { - my $element = shift @input; - - if ( $element =~ /\[/ ) { - while ( substr( $element, -1, 1 ) ne ']' ) { - last unless @input; - $element .= ( ',' . shift @input ); - } - - fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; - } - - push @result, $element; - } - - @result; -} - -# -# Returns the name of the shell variable holding the first address of the passed interface -# -sub interface_address( $ ) { - my $variable = chain_base( $_[0] ) . '_address'; - uc $variable; -} - -# -# Record that the ruleset requires the first IP address on the passed interface -# -sub get_interface_address ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_address( $interface ); - my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address'; - - $interfaceaddr{$interface} = "$variable=\$($function $interface)\n"; - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the broadcast addresses of the passed interface -# -sub interface_bcasts( $ ) { - my $variable = chain_base( $_[0] ) . '_bcasts'; - uc $variable; -} - -# -# Record that the ruleset requires the broadcast addresses on the passed interface -# -sub get_interface_bcasts ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_bcasts( $interface ); - - $interfacebcasts{$interface} = qq($variable="\$(get_interface_bcasts $interface) 255.255.255.255"); - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the gateway through the passed interface -# -sub interface_gateway( $ ) { - my $variable = chain_base( $_[0] ) . 
'_gateway'; - uc $variable; -} - -# -# Record that the ruleset requires the gateway address on the passed interface -# -sub get_interface_gateway ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_gateway( $interface ); - - if ( interface_is_optional $interface ) { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n); - } else { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface) -[ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the addresses of the passed interface -# -sub interface_addresses( $ ) { - my $variable = chain_base( $_[0] ) . '_addresses'; - uc $variable; -} - -# -# Record that the ruleset requires the IP addresses on the passed interface -# -sub get_interface_addresses ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_addresses( $interface ); - - if ( interface_is_optional $interface ) { - $interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n); - } else { - $interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the networks routed out of the passed interface -# -sub interface_nets( $ ) { - my $variable = chain_base( $_[0] ) . 
'_networks'; - uc $variable; -} - -# -# Record that the ruleset requires the networks routed out of the passed interface -# -sub get_interface_nets ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_nets( $interface ); - - if ( interface_is_optional $interface ) { - $interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n); - } else { - $interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the routes through interface \\"$interface\\"" -); - } - - "\$$variable"; - -} - -# -# Returns the name of the shell variable holding the MAC address of the gateway for the passed provider out of the passed interface -# -sub interface_mac( $$ ) { - my $variable = join( '_' , chain_base( $_[0] ) , chain_base( $_[1] ) , 'mac' ); - uc $variable; -} - -# -# Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number -# -sub get_interface_mac( $$$ ) { - my ( $ipaddr, $interface , $table ) = @_; - - my $variable = interface_mac( $interface , $table ); - - if ( interface_is_optional $interface ) { - $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n); - } else { - $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\"" -); - } - - "\$$variable"; -} - -# -# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). -# -# Returns the destination interface specified in the rule, if any. 
-# -sub expand_rule( $$$$$$$$$$$ ) -{ - my ($chainref , # Chain - $restriction, # Determines what to do with interface names in the SOURCE or DEST - $rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST - $source, # SOURCE - $dest, # DEST - $origdest, # ORIGINAL DEST - $oport, # original destination port - $target, # Target ('-j' part of the rule) - $loglevel , # Log level (and tag) - $disposition, # Primative part of the target (RETURN, ACCEPT, ...) - $exceptionrule # Caller's matches used in exclusion case - ) = @_; - - my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl ); - my $chain = $chainref->{name}; - - our @ends = (); - # - # In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used - # to define such a loop or block. - # - # $chainref = Reference to the chain - # $command = The shell command that begins the loop or conditional - # $end = The shell keyword ('done' or 'fi') that ends the loop or conditional - # - # All open loops and conditionals are closed just before expand_rule() exits - # - sub push_command( $$$ ) { - my ( $chainref, $command, $end ) = @_; - - add_command $chainref, $command; - incr_cmd_level $chainref; - push @ends, $end; - } - # - # Handle Log Level - # - my $logtag; - - if ( $loglevel ne '' ) { - ( $loglevel, $logtag, my $remainder ) = split( /:/, $loglevel, 3 ); - - fatal_error "Invalid log tag" if defined $remainder; - - if ( $loglevel =~ /^none!?$/i ) { - return if $disposition eq 'LOG'; - $loglevel = $logtag = ''; - } else { - $loglevel = validate_level( $loglevel ); - $logtag = '' unless defined $logtag; - } - } elsif ( $disposition eq 'LOG' ) { - fatal_error "LOG requires a level"; - } - # - # Mark Target as referenced, if it's a chain - # - if ( $disposition ) { - my $targetref = $chain_table{$chainref->{table}}{$disposition}; - $targetref->{referenced} = 1 if $targetref; - } - - # - # Isolate Source Interface, if any - # - if ( $source 
) { - if ( $source eq '-' ) { - $source = ''; - } elsif ( $source =~ /^([^:]+):([^:]+)$/ ) { - $iiface = $1; - $inets = $2; - } elsif ( $source =~ /\+|~|\..*\./ ) { - $inets = $source; - } else { - $iiface = $source; - } - } else { - $source = ''; - } - - # - # Verify Interface, if any - # - if ( $iiface ) { - fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface; - - if ( $restriction & POSTROUTE_RESTRICT ) { - # - # An interface in the SOURCE column of a masq file - # - fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface ); - - my $networks = get_interface_nets ( $iiface ); - - push_command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done'; - - $rule .= '-s $source '; - - } else { - fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT; - $rule .= match_source_dev( $iiface ); - } - } - - # - # Isolate Destination Interface, if any - # - if ( $dest ) { - if ( $dest eq '-' ) { - $dest = ''; - } elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) { - # - # DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule - # - my @interfaces = split /\s+/, $1; - - if ( @interfaces > 1 ) { - my $list = ""; - my $optional; - - for my $interface ( @interfaces ) { - $optional++ if interface_is_optional $interface; - $list = join( ' ', $list , get_interface_address( $interface ) ); - } - - push_command( $chainref , "for address in $list; do" , 'done' ); - - push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; - - $rule .= '-d $address '; - } else { - my $interface = $interfaces[0]; - my $variable = get_interface_address( $interface ); - - push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface ); - - $rule .= "-d $variable "; - } - - $dest = ''; - } elsif ( $dest =~ /^([^:]+):([^:]+)$/ ) { - $diface = $1; - $dnets = 
$2; - } elsif ( $dest =~ /\+|~|\..*\./ ) { - $dnets = $dest; - } else { - $diface = $dest; - } - } else { - $dest = ''; - } - - # - # Verify Destination Interface, if any - # - if ( $diface ) { - fatal_error "Unknown Interface ($diface)" unless known_interface $diface; - - if ( $restriction & PREROUTE_RESTRICT ) { - # - # ADDRESS 'detect' in the masq file. - # - fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); - push_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do', 'done' ); - $rule .= '-d $dest '; - } else { - fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); - fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; - - if ( $iiface ) { - my $bridge = port_to_bridge( $diface ); - fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface ); - } - - $rule .= match_dest_dev( $diface ); - } - } else { - $diface = ''; - } - - if ( $origdest ) { - if ( $origdest eq '-' || ! 
$capabilities{CONNTRACK_MATCH} ) { - $origdest = ''; - if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' && $oport ne '-' ) { - $rule .= "-m conntrack --ctorigdstport $oport "; - } - } elsif ( $origdest =~ /^detect:(.*)$/ ) { - # - # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column - # - my @interfaces = split /\s+/, $1; - - if ( @interfaces > 1 ) { - my $list = ""; - my $optional; - - for my $interface ( @interfaces ) { - $optional++ if interface_is_optional $interface; - $list = join( ' ', $list , get_interface_address( $interface ) ); - } - - push_command( $chainref , "for address in $list; do" , 'done' ); - - push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; - - $rule .= '-m conntrack --ctorigdst $address '; - $rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } else { - my $interface = $interfaces[0]; - my $variable = get_interface_address( $interface ); - - push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface ); - - $rule .= "-m conntrack --ctorigdst $variable "; - $rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } - - $origdest = ''; - } else { - fatal_error "Invalid ORIGINAL DEST" if $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/; - - if ( $origdest =~ /^([^!]+)?!([^!]+)$/ ) { - # - # Exclusion - # - $onets = $1; - $oexcl = $2; - } else { - $oexcl = ''; - $onets = $origdest; - } - - unless ( $onets ) { - my @oexcl = mysplit $oexcl; - if ( @oexcl == 1 ) { - $rule .= match_orig_dest( "!$oexcl" ); - $oexcl = ''; - } - } - - if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) { - $rule .= "-m conntrack --ctorigdstport $oport "; - } - } - } else { - $oexcl = ''; - if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) { - $rule .= "-m conntrack --ctorigdstport $oport "; - } - } - - # - # 
Determine if there is Source Exclusion - # - if ( $inets ) { - fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/; - - if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) { - $inets = $1; - $iexcl = $2; - } else { - $iexcl = ''; - } - - unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { - my @iexcl = mysplit $iexcl; - if ( @iexcl == 1 ) { - $rule .= match_source_net "!$iexcl" , $restriction; - $iexcl = ''; - } - - } - } else { - $iexcl = ''; - } - - # - # Determine if there is Destination Exclusion - # - if ( $dnets ) { - fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/; - - if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) { - $dnets = $1; - $dexcl = $2; - } else { - $dexcl = ''; - } - - unless ( $dnets ) { - my @dexcl = mysplit $dexcl; - if ( @dexcl == 1 ) { - $rule .= match_dest_net "!$dexcl"; - $dexcl = ''; - } - } - } else { - $dexcl = ''; - } - - $inets = ALLIPv4 unless $inets; - $dnets = ALLIPv4 unless $dnets; - $onets = ALLIPv4 unless $onets; - - fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4; - fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4; - - if ( $iexcl || $dexcl || $oexcl ) { - # - # We have non-trivial exclusion -- need to create an exclusion chain - # - fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN'; - - my $echain = newexclusionchain; - - # - # Use the current rule and sent all possible matches to the exclusion chain - # - for my $onet ( mysplit $onets ) { - $onet = match_orig_dest $onet; - for my $inet ( mysplit $inets ) { - for my $dnet ( mysplit $dnets ) { - # - # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE} - # - 
add_rule( $chainref, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet, "-j $echain" ), 1 ); - } - } - } - - # - # Create the Exclusion Chain - # - my $echainref = new_chain $chainref->{table}, $echain; - - # - # Generate RETURNs for each exclusion - # - add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl ); - add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl ); - add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl ); - # - # Log rule - # - log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel; - # - # Generate Final Rule - # - add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; - } else { - # - # No exclusions - # - for my $onet ( mysplit $onets ) { - $onet = match_orig_dest $onet; - for my $inet ( mysplit $inets ) { - # - # We defer evaluating the source net match to accomodate system without $capabilities{KLUDGEFREE} - # - for my $dnet ( mysplit $dnets ) { - if ( $loglevel ne '' ) { - log_rule_limit - $loglevel , - $chainref , - $chain, - $disposition , - '' , - $logtag , - 'add' , - join( '', $rule, match_source_net( $inet , $restriction ) , match_dest_net( $dnet ), $onet ); - } - - unless ( $disposition eq 'LOG' ) { - add_rule( - $chainref, - join( '', $rule, match_source_net ($inet , $restriction ), match_dest_net( $dnet ), $onet, $target ) , - 1 ); - } - } - } - } - } - - while ( @ends ) { - decr_cmd_level $chainref; - add_command $chainref, pop @ends; - } - - $diface; -} - -# -# If the destination chain exists, then at the end of the source chain add a jump to the destination. -# -sub addnatjump( $$$ ) { - my ( $source , $dest, $predicates ) = @_; - - my $destref = $nat_table->{$dest} || {}; - - if ( $destref->{referenced} ) { - add_rule $nat_table->{$source} , $predicates . 
"-j $dest"; - } else { - clearrule; - } -} - -sub emit_comment() { - emit ( '#', - '# Establish the values of shell variables used in the following function calls', - '#' ); - our $emitted_comment = 1; -} - -sub emit_test() { - emit ( 'if [ "$COMMAND" != restore ]; then' , - '' ); - push_indent; - our $emitted_test = 1; -} - -# -# Generate setting of global variables -# -sub set_global_variables() { - - our ( $emitted_comment, $emitted_test ) = (0, 0); - - for ( values %interfaceaddr ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfacegateways ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfacemacs ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfaceaddrs ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - for ( values %interfacenets ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - unless ( $capabilities{ADDRTYPE} ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; - - for ( values %interfacebcasts ) { - emit $_; - } - } - - pop_indent, emit "fi\n" if $emitted_test; - -} - -# -# What follows is the code that generates the input to iptables-restore -# -# We always write the iptables-restore input into a file then pass the -# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support) -# has (have) something to look at to determine the error -# -# We may have to generate part of the input at run-time. The rules array in each chain -# table entry may contain rules (begin with '-A') or shell source. We alternate between -# writing the rules ('-A') into the temporary file to be bassed to iptables-restore -# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE). -# -# The following two functions are responsible for the mode transitions. 
-# -sub enter_cat_mode() { - emit ''; - emit 'cat >&3 << __EOF__'; - $mode = CAT_MODE; -} - -sub enter_cmd_mode() { - emit_unindented "__EOF__\n" if $mode == CAT_MODE; - $mode = CMD_MODE; -} - -# -# Emits the passed rule (input to iptables-restore) or command -# -sub emitr( $ ) { - my $rule = $_[0]; - - if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) { - # - # A rule - # - enter_cat_mode unless $mode == CAT_MODE; - emit_unindented $rule; - } else { - # - # A command - # - enter_cmd_mode unless $mode == CMD_MODE; - emit $rule; - } -} - -# -# Generate the netfilter input -# -sub create_netfilter_load() { - - my @table_list; - - push @table_list, 'raw' if $capabilities{RAW_TABLE}; - push @table_list, 'nat' if $capabilities{NAT_ENABLED}; - push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - push @table_list, 'filter'; - - $mode = NULL_MODE; - - emit ( 'setup_netfilter()', - '{' - ); - - push_indent; - - save_progress_message "Preparing iptables-restore input..."; - - emit ''; - - emit 'exec 3>${VARDIR}/.iptables-restore-input'; - - enter_cat_mode; - - for my $table ( @table_list ) { - emit_unindented "*$table"; - - my @chains; - # - # iptables-restore seems to be quite picky about the order of the builtin chains - # - for my $chain ( @builtins ) { - my $chainref = $chain_table{$table}{$chain}; - if ( $chainref ) { - fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chain $chainref->{policy} [0:0]"; - push @chains, $chainref; - } - } - # - # First create the chains in the current table - # - for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { - my $chainref = $chain_table{$table}{$chain}; - unless ( $chainref->{builtin} ) { - fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chainref->{name} - [0:0]"; - push @chains, $chainref; - } - } - # - # Then emit the rules - # - for my 
$chainref ( @chains ) { - emitr $_ for ( @{$chainref->{rules}} ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - '[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE', - '', - 'progress_message2 "Running $command..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - - pop_indent; - - emit "}\n"; -} - -# -# Generate the netfilter input for refreshing a list of chains -# -sub create_chainlist_reload($) { - - my $chains = $_[0]; - - my @chains = split_list $chains, 'chain'; - - unless ( @chains ) { - @chains = qw( blacklst ) if $filter_table->{blacklst}; - push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - $chains = join( ',', @chains ) if @chains; - } - - $mode = NULL_MODE; - - emit( 'chainlist_reload()', - '{' - ); - - push_indent; - - if ( @chains ) { - if ( @chains == 1 ) { - progress_message2 "Compiling iptables-restore input for chain @chains..."; - save_progress_message "Preparing iptables-restore input for chain @chains..."; - } else { - progress_message2 "Compiling iptables-restore input for chains $chains..."; - save_progress_message "Preparing iptables-restore input for chains $chains..."; - } - - emit ''; - - my $table = 'filter'; - - my %chains; - - for my $chain ( @chains ) { - ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - - fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; - - $chains{$table} = [] unless $chains{$table}; - - if ( $chain ) { - fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; - fatal_error "Built-in chains may not be 
refreshed" if $chain_table{table}{$chain}{builtin}; - push @{$chains{$table}}, $chain; - } else { - while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { - push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; - } - } - } - - emit 'exec 3>${VARDIR}/.iptables-restore-input'; - - enter_cat_mode; - - for $table qw(nat mangle filter) { - next unless $chains{$table}; - - emit_unindented "*$table"; - - my $tableref=$chain_table{$table}; - - @chains = sort @{$chains{$table}}; - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - emit_unindented ":$chainref->{name} - [0:0]"; - } - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - my @rules = @{$chainref->{rules}}; - - @rules = () unless @rules; - # - # Emit the chain rules - # - emitr $_ for ( @rules ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - 'progress_message2 "Running iptables-restore..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - } else { - emit('true'); - } - - pop_indent; - - emit "}\n"; -} - -# -# Create a new 6chain and return a reference to it. 
-# -sub new_6chain($$) -{ - my ($table, $chain) = @_; - - warning_message "Internal error in new_6chain()" if $chain6_table{$table}{$chain}; - - $chain6_table{$table}{$chain} = { name => $chain, - rules => [], - table => $table, - loglevel => '', - log => 1, - cmdlevel => 0 }; -} - -# -# Create a 6chain if it doesn't exist already -# -sub ensure_6chain($$) -{ - my ($table, $chain) = @_; - - my $ref = $chain6_table{$table}{$chain}; - - return $ref if $ref; - - new_6chain $table, $chain; -} - -sub finish_6chain_section( $$ ); - -# -# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. -# -sub ensure_filter_6chain( $$ ) -{ - my ($chain, $populate) = @_; - - my $chainref = $filter6_table->{$chain}; - - $chainref = new_6chain 'filter' , $chain unless $chainref; - - if ( $populate and ! $chainref->{referenced} ) { - if ( $section eq 'NEW' or $section eq 'DONE' ) { - finish_6chain_section $chainref , 'ESTABLISHED,RELATED'; - } elsif ( $section eq 'RELATED' ) { - finish_chain_section $chainref , 'ESTABLISHED'; - } - } - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Create an accounting chain if necessary. -# -sub ensure_accounting_6chain( $ ) -{ - my ($chain) = @_; - - my $chainref = $filter6_table->{$chain}; - - if ( $chainref ) { - fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! 
$chainref->{accounting}; - } else { - $chainref = new_6chain 'filter' , $chain unless $chainref; - $chainref->{accounting} = 1; - $chainref->{referenced} = 1; - } - - $chainref; -} - -sub ensure_mangle_6chain($) { - my $chain = $_[0]; - - my $chainref = ensure_6chain 'mangle', $chain; - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Add a builtin chain -# -sub new_builtin_6chain($$$) -{ - my ( $table, $chain, $policy ) = @_; - - my $chainref = new_6chain $table, $chain; - $chainref->{referenced} = 1; - $chainref->{policy} = $policy; - $chainref->{builtin} = 1; -} - -sub new_standard_6chain($) { - my $chainref = new_6chain 'filter' ,$_[0]; - $chainref->{referenced} = 1; - $chainref; -} - -sub new_manual_6chain($) { - my $chain = $_[0]; - fatal_error "Duplicate Chain Name ($chain)" if $targets6{$chain} || $filter6_table->{$chain}; - $targets6{$chain} = CHAIN; - ( my $chainref = ensure_filter_6chain( $chain, 0) )->{manual} = 1; - $chainref->{referenced} = 1; - $chainref; -} - -sub ensure_manual_6chain($) { - my $chain = $_[0]; - my $chainref = $filter6_table->{$chain} || new_manual_6chain($chain); - fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual}; - $chainref; -} - -# -# Add all builtin chains to the chain table -# -# -sub initialize_6chain_table() -{ - for my $chain qw(OUTPUT PREROUTING) { - new_builtin_6chain 'raw', $chain, 'ACCEPT'; - } - - for my $chain qw(INPUT OUTPUT FORWARD) { - new_builtin_6chain 'filter', $chain, 'DROP'; - } - - for my $chain qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING ) { - new_builtin_6chain 'mangle', $chain, 'ACCEPT'; - } -} - -# -# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain -# -sub finish_6chain_section ($$) { - my ($chainref, $state ) = @_; - my $chain = $chainref->{name}; - my $savecomment = $comment; - - $comment = ''; - - add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; - - if ($sections6{NEW} ) { - if ( $chainref->{is_policy} ) 
{ - if ( $chainref->{synparams} ) { - my $synchainref = ensure_6chain 'filter', syn_flood_chain $chainref; - if ( $section eq 'DONE' ) { - if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } else { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } else { - my $policychainref = $filter6_table->{$chainref->{policychain}}; - if ( $policychainref->{synparams} ) { - my $synchainref = ensure_6chain 'filter', syn_flood_chain $policychainref; - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } - - $comment = $savecomment; -} - -# -# Do section-end processing -# -sub finish_6section ( $ ) { - my $sections = $_[0]; - - for my $section ( split /,/, $sections ) { - $sections6{$section} = 1; - } - - for my $zone ( all_6zones ) { - for my $zone1 ( all_6zones ) { - my $chainref = $chain6_table{'filter'}{"${zone}2${zone1}"}; - if ( $chainref->{referenced} ) { - finish_6chain_section $chainref, $sections; - } - } - } -} - -# -# Match a Source. Handles IP addresses and ranges and MAC addresses -# -sub match_source_6net( $;$ ) { - my ( $net, $restriction) = @_; - - $restriction |= NO_RESTRICT; - - if ( $net =~ /^!?~/ ) { - fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; - mac_match $net; - } elsif ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' ); - join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); - } elsif ( $net =~ s/^!// ) { - validate_6net $net, 1; - "-s ! $net "; - } else { - validate_6net $net, 1; - $net eq ALLIPv6 ? '' : "-s $net "; - } -} - -# -# Match a Source. Currently only handles IP addresses and ranges -# -sub match_dest_6net( $ ) { - my $net = $_[0]; - - if ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , ''); - join( '', '-m set ', $1 ? '! 
' : '', get_set_flags( $net, 'dst' ) ); - } elsif ( $net =~ /^!/ ) { - $net =~ s/!//; - validate_6net $net, 1; - "-d ! $net "; - } else { - validate_6net $net, 1; - $net eq ALLIPv4 ? '' : "-d $net "; - } -} - -# -# Returns the name of the shell variable holding the first address of the passed interface -# -sub interface_6address( $ ) { - my $variable = chain_base( $_[0] ) . '_6address'; - uc $variable; -} - -# -# Record that the ruleset requires the first IP address on the passed interface -# -sub get_interface_6address ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_6address( $interface ); - my $function = interface6_is_optional( $interface ) ? 'find_first_interface_6address_if_any' : 'find_first_interface_6address'; - - $interface6addr{$interface} = "$variable=\$($function $interface)\n"; - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the broadcast addresses of the passed interface -# -sub interface_6bcasts( $ ) { - my $variable = chain_base( $_[0] ) . '_6bcasts'; - uc $variable; -} - -# -# Record that the ruleset requires the broadcast addresses on the passed interface -# -sub get_interface_6bcasts ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_6bcasts( $interface ); - - $interface6bcasts{$interface} = qq($variable="\$(get_interface_6bcasts $interface)); - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the gateway through the passed interface -# -sub interface_6gateway( $ ) { - my $variable = chain_base( $_[0] ) . 
'_6gateway'; - uc $variable; -} - -# -# Record that the ruleset requires the gateway address on the passed interface -# -sub get_interface_6gateway ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_6gateway( $interface ); - - if ( interface_is_optional $interface ) { - $interface6gateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_6gateway $interface)\n); - } else { - $interface6gateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_6gateway $interface) -[ -n "\$$variable" ] || fatal_error "Unable to detect the IPv6 gateway through interface $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the addresses of the passed interface -# -sub interface_6addresses( $ ) { - my $variable = chain_base( $_[0] ) . '_6addresses'; - uc $variable; -} - -# -# Record that the ruleset requires the IP addresses on the passed interface -# -sub get_interface_6addresses ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_6addresses( $interface ); - - if ( interface_is_optional $interface ) { - $interface6addrs{$interface} = qq($variable=\$(find_interface_6addresses $interface)\n); - } else { - $interface6addrs{$interface} = qq($variable=\$(find_interface_6addresses $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the networks routed out of the passed interface -# -sub interface_6nets( $ ) { - my $variable = chain_base( $_[0] ) . 
'_6networks'; - uc $variable; -} - -# -# Record that the ruleset requires the networks routed out of the passed interface -# -sub get_interface_6nets ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_6nets( $interface ); - - if ( interface_is_optional $interface ) { - $interface6nets{$interface} = qq($variable=\$(get_routed_6networks $interface)\n); - } else { - $interface6nets{$interface} = qq($variable=\$(get_routed_6networks $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the IPv6 routes through interface \\"$interface\\"" -); - } - - "\$$variable"; - -} - -# -# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). -# -# Returns the destination interface specified in the rule, if any. -# -sub expand_6rule( $$$$$$$$$ ) -{ - my ($chainref , # Chain - $restriction, # Determines what to do with interface names in the SOURCE or DEST - $rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST - $source, # SOURCE - $dest, # DEST - $target, # Target ('-j' part of the rule) - $loglevel , # Log level (and tag) - $disposition, # Primative part of the target (RETURN, ACCEPT, ...) - $exceptionrule # Caller's matches used in exclusion case - ) = @_; - - my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl ); - my $chain = $chainref->{name}; - - our @ends = (); - # - # In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used - # to define such a loop or block. 
- # - # $chainref = Reference to the chain - # $command = The shell command that begins the loop or conditional - # $end = The shell keyword ('done' or 'fi') that ends the loop or conditional - # - # All open loops and conditionals are closed just before expand_rule() exits - # - sub push_6command( $$$ ) { - my ( $chainref, $command, $end ) = @_; - - add_command $chainref, $command; - incr_cmd_level $chainref; - push @ends, $end; - } - # - # Handle Log Level - # - my $logtag; - - if ( $loglevel ne '' ) { - ( $loglevel, $logtag, my $remainder ) = split( /:/, $loglevel, 3 ); - - fatal_error "Invalid log tag" if defined $remainder; - - if ( $loglevel =~ /^none!?$/i ) { - return if $disposition eq 'LOG'; - $loglevel = $logtag = ''; - } else { - $loglevel = validate_level( $loglevel ); - $logtag = '' unless defined $logtag; - } - } elsif ( $disposition eq 'LOG' ) { - fatal_error "LOG requires a level"; - } - # - # Mark Target as referenced, if it's a chain - # - if ( $disposition ) { - my $targetref = $chain6_table{$chainref->{table}}{$disposition}; - $targetref->{referenced} = 1 if $targetref; - } - - # - # Isolate Source Interface, if any - # - if ( $source ) { - if ( $source eq '-' ) { - $source = ''; - } elsif ( $source =~ /^(.+);(.+)$/ ) { - $iiface = $1; - $inets = $2; - } elsif ( $source =~ /\+|~|\..*\.|:/ ) { - $inets = $source; - } else { - $iiface = $source; - } - } else { - $source = ''; - } - - # - # Verify Interface, if any - # - if ( $iiface ) { - fatal_error "Unknown IPv6 Interface ($iiface)" unless known_6interface $iiface; - - if ( $restriction & POSTROUTE_RESTRICT ) { - # - # An interface in the SOURCE column of a masq file - # - fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface ); - - my $networks = get_interface_6nets ( $iiface ); - - push_6command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done'; - - $rule .= '-s $source '; - - } else { - fatal_error "Source Interface ($iiface) 
not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT; - $rule .= match_source_6dev( $iiface ); - } - } - - # - # Isolate Destination Interface, if any - # - if ( $dest ) { - if ( $dest eq '-' ) { - $dest = ''; - } elsif ( $dest =~ /^(.+);(.+)$/ ) { - $diface = $1; - $dnets = $2; - } elsif ( $dest =~ /\+|~|\..*\.|:/ ) { - $dnets = $dest; - } else { - $diface = $dest; - } - } else { - $dest = ''; - } - - # - # Verify Destination Interface, if any - # - if ( $diface ) { - fatal_error "Unknown IPv6 Interface ($diface)" unless known_6interface $diface; - - if ( $restriction & PREROUTE_RESTRICT ) { - # - # ADDRESS 'detect' in the masq file. - # - fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); - push_6command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do', 'done' ); - $rule .= '-d $dest '; - } else { - fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_6bridge( $diface ); - fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; - - if ( $iiface ) { - my $bridge = port_to_6bridge( $diface ); - fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface ); - } - - $rule .= match_dest_6dev( $diface ); - } - } else { - $diface = ''; - } - - # - # Determine if there is Source Exclusion - # - if ( $inets ) { - fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/; - - if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) { - $inets = $1; - $iexcl = $2; - } else { - $iexcl = ''; - } - - unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { - my @iexcl = mysplit $iexcl; - if ( @iexcl == 1 ) { - $rule .= match_source_net "!$iexcl" , $restriction; - $iexcl = ''; - } 
- - } - } else { - $iexcl = ''; - } - - # - # Determine if there is Destination Exclusion - # - if ( $dnets ) { - fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/; - - if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) { - $dnets = $1; - $dexcl = $2; - } else { - $dexcl = ''; - } - - unless ( $dnets ) { - my @dexcl = mysplit $dexcl; - if ( @dexcl == 1 ) { - $rule .= match_dest_net "!$dexcl"; - $dexcl = ''; - } - } - } else { - $dexcl = ''; - } - - $inets = ALLIPv6 unless $inets; - $dnets = ALLIPv6 unless $dnets; - - fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv6; - fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv6; - - if ( $iexcl || $dexcl ) { - # - # We have non-trivial exclusion -- need to create an exclusion chain - # - fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE rules" if $disposition eq 'RETURN'; - - my $echain = newexclusionchain; - - # - # Use the current rule and sent all possible matches to the exclusion chain - # - for my $inet ( mysplit $inets ) { - for my $dnet ( mysplit $dnets ) { - # - # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE} - # - add_rule( $chainref, join( '', $rule, match_source_6net( $inet, $restriction ), match_dest_6net( $dnet ), "-j $echain" ), 1 ); - } - } - # - # Create the Exclusion Chain - # - my $echainref = new_6chain $chainref->{table}, $echain; - - # - # Generate RETURNs for each exclusion - # - add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl ); - add_rule $echainref, ( match_dest_net $_ ) . 
'-j RETURN' for ( mysplit $dexcl ); - # - # Log rule - # - log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel; - # - # Generate Final Rule - # - add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; - } else { - # - # No exclusions - # - for my $inet ( mysplit $inets ) { - # - # We defer evaluating the source net match to accomodate system without $capabilities{KLUDGEFREE} - # - for my $dnet ( mysplit $dnets ) { - if ( $loglevel ne '' ) { - log_rule_limit( - $loglevel , - $chainref , - $chain, - $disposition , - '' , - $logtag , - 'add' , - join( '', $rule, match_source_net( $inet , $restriction ) , match_dest_net( $dnet ) ) ); - } - - unless ( $disposition eq 'LOG' ) { - add_rule( - $chainref, - join( '', $rule, match_source_net ($inet , $restriction ), match_dest_net( $dnet ), $target ) , - 1 ); - } - } - } - } - - while ( @ends ) { - decr_cmd_level $chainref; - add_command $chainref, pop @ends; - } - - $diface; -} - -# -# Generate setting of global variables -# -sub set_global_6variables() { - - our ( $emitted_comment, $emitted_test ) = (0, 0); - - for ( values %interface6addr ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interface6gateways ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interface6addrs ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - for ( values %interface6nets ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - pop_indent, emit "fi\n" if $emitted_test; - -} - -# -# Generate the netfilter input -# -sub create_netfilter_6_load() { - - my @table_list; - - push @table_list, 'raw' if $capabilities{RAW_TABLE}; - push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - push @table_list, 'filter'; - - $mode = NULL_MODE; - - emit ( 'setup_netfilter_6()', - '{' - ); - - push_indent; - - 
save_progress_message "Preparing ip6tables-restore input..."; - - emit ''; - - emit 'exec 3>${VARDIR}/.ip6tables-restore-input'; - - enter_cat_mode; - - for my $table ( @table_list ) { - emit_unindented "*$table"; - - my @chains; - # - # iptables-restore seems to be quite picky about the order of the builtin chains - # - for my $chain ( @builtins ) { - my $chainref = $chain6_table{$table}{$chain}; - if ( $chainref ) { - fatal_error "Internal error in create_netfilter_6_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chain $chainref->{policy} [0:0]"; - push @chains, $chainref; - } - } - # - # First create the chains in the current table - # - for my $chain ( grep $chain6_table{$table}{$_}->{referenced} , ( sort keys %{$chain6_table{$table}} ) ) { - my $chainref = $chain6_table{$table}{$chain}; - unless ( $chainref->{builtin} ) { - fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chainref->{name} - [0:0]"; - push @chains, $chainref; - } - } - # - # Then emit the rules - # - for my $chainref ( @chains ) { - emitr $_ for ( @{$chainref->{rules}} ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - # - # Now generate the actual ip6tables-restore command - # - emit( 'exec 3>&-', - '', - '[ -n "$DEBUG" ] && command=debug_restore_input || command=$IP6TABLES_RESTORE', - '', - 'progress_message2 "Running $command..."', - '', - 'cat ${VARDIR}/.ip6tables-restore-input | $command # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. 
Input is in ${VARDIR}/.ip6tables-restore-input"', - "fi\n" - ); - - pop_indent; - - emit "}\n"; -} - -# -# Generate the netfilter input for refreshing a list of chains -# -sub create_6chainlist_reload($) { - - my $chains = $_[0]; - - my @chains = split_list $chains, 'chain'; - - unless ( @chains ) { - @chains = qw( blacklst ) if $filter6_table->{blacklst}; - push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - $chains = join( ',', @chains ) if @chains; - } - - $mode = NULL_MODE; - - emit( 'chainlist_6_reload()', - '{' - ); - - push_indent; - - if ( @chains ) { - if ( @chains == 1 ) { - progress_message2 "Compiling ip6tables-restore input for chain @chains..."; - save_progress_message "Preparing ip6tables-restore input for chain @chains..."; - } else { - progress_message2 "Compiling ip6tables-restore input for chains $chains..."; - save_progress_message "Preparing ip6tables-restore input for chains $chains..."; - } - - emit ''; - - my $table = 'filter'; - - my %chains; - - for my $chain ( @chains ) { - ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - - fatal_error "Invalid table ( $table )" unless $table =~ /^(mangle|filter)$/; - - $chains{$table} = [] unless $chains{$table}; - - if ( $chain ) { - fatal_error "No $table chain found with name $chain" unless $chain6_table{$table}{$chain}; - fatal_error "Built-in chains may not be refreshed" if $chain6_table{table}{$chain}{builtin}; - push @{$chains{$table}}, $chain; - } else { - while ( my ( $chain, $chainref ) = each %{$chain6_table{$table}} ) { - push @{$chains{$table}}, $chain if $chainref->{referenced} && ! 
$chainref->{builtin}; - } - } - } - - emit 'exec 3>${VARDIR}/.ip6tables-restore-input'; - - enter_cat_mode; - - for $table qw(mangle filter) { - next unless $chains{$table}; - - emit_unindented "*$table"; - - my $tableref=$chain6_table{$table}; - - @chains = sort @{$chains{$table}}; - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - emit_unindented ":$chainref->{name} - [0:0]"; - } - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - my @rules = @{$chainref->{rules}}; - - @rules = () unless @rules; - # - # Emit the chain rules - # - emitr $_ for ( @rules ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - 'progress_message2 "Running ip6tables-restore..."', - '', - 'cat ${VARDIR}/.ip6tables-restore-input | $IP6TABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "ip6tables-restore Failed. Input is in ${VARDIR}/.ip6tables-restore-input"', - "fi\n" - ); - } else { - emit('true'); - } - - pop_indent; - - emit "}\n"; -} - -1; diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Compiler.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Compiler.pm deleted file mode 100644 index 6e20446f8..000000000 --- a/Shorewall-perl-IPv6-Aborted/Shorewall/Compiler.pm +++ /dev/null 
@@ -1,935 +0,0 @@ -#! /usr/bin/perl -w -# -# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.2 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -package Shorewall::Compiler; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::Chains qw(:DEFAULT :internal); -use Shorewall::Zones; -use Shorewall::Policy; -use Shorewall::Nat; -use Shorewall::Providers; -use Shorewall::Tc; -use Shorewall::Tunnels; -use Shorewall::Actions; -use Shorewall::Accounting; -use Shorewall::Rules; -use Shorewall::Proc; -use Shorewall::Proxyarp; - -our @ISA = qw(Exporter); -our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); -our @EXPORT_OK = qw( $export ); -our $VERSION = 4.3.0; - -our $export; - -our $test; - -our $reused = 0; - -use constant { EXPORT => 0x01 , - TIMESTAMP => 0x02 , - DEBUG => 0x04 }; - -# -# Reinitilize the package-globals in the other modules -# -sub reinitialize() { - Shorewall::Config::initialize; - Shorewall::Chains::initialize; - Shorewall::Zones::initialize; - Shorewall::Policy::initialize; - Shorewall::Nat::initialize; - Shorewall::Providers::initialize; - Shorewall::Tc::initialize; - 
Shorewall::Actions::initialize; - Shorewall::Accounting::initialize; - Shorewall::Rules::initialize; - Shorewall::Proxyarp::initialize; -} - -# -# First stage of script generation. -# -# Copy the prog.header to the generated script. -# Generate the various user-exit jacket functions. -# Generate the 'initialize()' function. -# -# Note: This function is not called when $command eq 'check'. So it must have no side effects other -# than those related to writing to the object file. - -sub generate_script_1() { - - my $date = localtime; - - if ( $test ) { - emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#"; - } else { - emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#"; - copy $globals{SHAREDIRPL} . 'prog.header'; - } - - for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed/ { - emit "\nrun_${exit}_exit() {"; - push_indent; - append_file $exit or emit 'true'; - pop_indent; - emit '}'; - } - - emit ( '', - '#', - '# This function initializes the global variables used by the program', - '#', - 'initialize()', - '{', - ' #', - ' # These variables are required by the library functions called in this script', - ' #' - ); - - push_indent; - - if ( $export ) { - emit ( 'SHAREDIR=/usr/share/shorewall-lite', - 'CONFDIR=/etc/shorewall-lite', - 'PRODUCT="Shorewall Lite"' - ); - } else { - emit ( 'SHAREDIR=/usr/share/shorewall', - 'CONFDIR=/etc/shorewall', - 'PRODUCT=\'Shorewall\'', - ); - } - - emit( '[ -f ${CONFDIR}/vardir ] && . 
${CONFDIR}/vardir' ); - - if ( $export ) { - emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' , - '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' ); - } else { - emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") , - '[ -n "${VARDIR:=/var/lib/shorewall}" ]' ); - } - - emit 'TEMPFILE='; - - propagateconfig; - - my @dont_load = split_list $config{DONT_LOAD}, 'module'; - - emit ( '[ -n "${COMMAND:=restart}" ]', - '[ -n "${VERBOSE:=0}" ]', - qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]), - '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' ); - - emit ( qq(VERSION="$globals{VERSION}") ) unless $test; - - emit ( qq(PATH="$config{PATH}") , - 'TERMINATOR=fatal_error' , - qq(DONT_LOAD="@dont_load") , - qq(STARTUP_LOG="$config{STARTUP_LOG}") , - "LOG_VERBOSE=$config{LOG_VERBOSITY}" , - '' - ); - - if ( $config{IPTABLES} ) { - emit( qq(IPTABLES="$config{IPTABLES}"), - '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"', - ); - } else { - emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES', - '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"' - ); - } - - emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', - '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); - - if ( $config{IPV6} eq 'On' ) { - emit( 'IP6TABLES=$(dirname ${IPTABLES})/ip6tables', - '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); - emit( 'IP6TABLES_RESTORE=$(dirname ${IPTABLES})/ip6tables-restore', - '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); - } - - append_file 'params' if $config{EXPORTPARAMS}; - - emit ( '', - "STOPPING=", - '', - '#', - '# The library requires that ${VARDIR} exist', - '#', - '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' - ); - - emit ( '', - '#', - '# Recent kernels are difficult to 
configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IPTABLES -N foox1234', - 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IPTABLES -F foox1234', - 'qt1 $IPTABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', - '' ); - - pop_indent; - - emit "}\n"; # End of initialize() - -} - -sub compile_stop_firewall() { - - emit <<'EOF'; -# -# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command -# -stop_firewall() { - - deletechain() { - qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 - } - - deleteallchains() { - do_iptables -F - do_iptables -X - } - - setcontinue() { - do_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - } - - delete_nat() { - do_iptables -t nat -F - do_iptables -t nat -X - - if [ -f ${VARDIR}/nat ]; then - while read external interface; do - del_ip_addr $external $interface - done < ${VARDIR}/nat - - rm -f ${VARDIR}/nat - fi - } - - case $COMMAND in - stop|clear|restore) - ;; - *) - set +x - - case $COMMAND in - start) - logger -p kern.err "ERROR:$PRODUCT start failed" - ;; - restart) - logger -p kern.err "ERROR:$PRODUCT restart failed" - ;; - restore) - logger -p kern.err "ERROR:$PRODUCT restore failed" - ;; - esac - - if [ "$RESTOREFILE" = NONE ]; then - COMMAND=clear - clear_firewall - echo "$PRODUCT Cleared" - - kill $$ - exit 2 - else - RESTOREPATH=${VARDIR}/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - - if [ -x ${RESTOREPATH}-ipsets ]; then - progress_message2 Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - for table in mangle nat filter; do - do_iptables -t $table -F - do_iptables -t $table -X - done - - ${RESTOREPATH}-ipsets - fi - - echo Restoring ${PRODUCT:=Shorewall}... 
- - if $RESTOREPATH restore; then - echo "$PRODUCT restored from $RESTOREPATH" - set_state "Started" - else - set_state "Unknown" - fi - - kill $$ - exit 2 - fi - fi - ;; - esac - - set_state "Stopping" - - STOPPING="Yes" - - TERMINATOR= - - deletechain shorewall - - run_stop_exit -EOF - - if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) { - emit <<'EOF'; - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt1 $IPTABLES -t mangle -P $chain ACCEPT - done -EOF - } - - if ( $capabilities{RAW_TABLE} ) { - emit <<'EOF'; - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt1 $IPTABLES -t raw -P $chain ACCEPT - done -EOF - } - - if ( $capabilities{NAT_ENABLED} ) { - emit <<'EOF'; - delete_nat - for chain in PREROUTING POSTROUTING OUTPUT; do - qt1 $IPTABLES -t nat -P $chain ACCEPT - done -EOF - } - - emit <<'EOF'; - if [ -f ${VARDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface - f=/proc/sys/net/ipv4/conf/$interface/proxy_arp - [ -f $f ] && echo 0 > $f - done < ${VARDIR}/proxyarp - fi - - rm -f ${VARDIR}/proxyarp -EOF - - push_indent; - - emit 'delete_tc1' if $config{CLEAR_TC}; - - emit( 'undo_routing', - 'restore_default_route' - ); - - my $criticalhosts = process_criticalhosts; - - if ( @$criticalhosts ) { - if ( $config{ADMINISABSENTMINDED} ) { - emit ( 'for chain in INPUT OUTPUT; do', - ' setpolicy $chain ACCEPT', - 'done', - '', - 'setpolicy FORWARD DROP', - '', - 'deleteallchains', - '' - ); - - for my $hosts ( @$criticalhosts ) { - my ( $interface, $host ) = ( split /:/, $hosts ); - my $source = match_source_net $host; - my $dest = match_dest_net $host; - - emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT", - "do_iptables -A OUTPUT -o $interface $dest -j ACCEPT" - ); - } - - emit( '', - 'for chain in 
INPUT OUTPUT; do', - ' setpolicy $chain DROP', - "done\n" - ); - } else { - emit( '', - 'for chain in INPUT OUTPUT; do', - ' setpolicy $chain ACCEPT', - 'done', - '', - 'setpolicy FORWARD DROP', - '', - "deleteallchains\n" - ); - - for my $hosts ( @$criticalhosts ) { - my ( $interface, $host ) = ( split /:/, $hosts ); - my $source = match_source_net $host; - my $dest = match_dest_net $host; - - emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT", - "do_iptables -A OUTPUT -o $interface $dest -j ACCEPT" - ); - } - - emit( "\nsetpolicy INPUT DROP", - '', - 'for chain in INPUT FORWARD; do', - ' setcontinue $chain', - "done\n" - ); - } - } elsif ( $config{ADMINISABSENTMINDED} ) { - emit( 'for chain in INPUT FORWARD; do', - ' setpolicy $chain DROP', - 'done', - '', - 'setpolicy OUTPUT ACCEPT', - '', - 'deleteallchains', - '', - 'for chain in INPUT FORWARD; do', - ' setcontinue $chain', - "done\n", - ); - } else { - emit( 'for chain in INPUT OUTPUT FORWARD; do', - ' setpolicy $chain DROP', - 'done', - '', - "deleteallchains\n" - ); - } - - process_routestopped; - - emit( 'do_iptables -A INPUT -i lo -j ACCEPT', - 'do_iptables -A OUTPUT -o lo -j ACCEPT' - ); - - emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; - - my $interfaces = find_interfaces_by_option 'dhcp'; - - for my $interface ( @$interfaces ) { - emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"; - emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED}; - # - # This might be a bridge - # - emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"; - } - - emit ''; - - if ( $config{IP_FORWARDING} eq 'on' ) { - emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward', - 'progress_message2 IP Forwarding Enabled' ); - } elsif ( $config{IP_FORWARDING} eq 'off' ) { - emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward', - 'progress_message2 IP Forwarding Disabled!' 
- ); - } - - emit 'run_stopped_exit'; - - pop_indent; - - emit ' - set_state "Stopped" - - logger -p kern.info "$PRODUCT Stopped" - - case $COMMAND in - stop|clear) - ;; - *) - # - # The firewall is being stopped when we were trying to do something - # else. Kill the shell in case we\'re running in a subshell - # - kill $$ - ;; - esac -} -'; - -} - -# -# Second Phase of Script Generation -# -# copies the 'prog.functions' file into the script, generates -# clear_routing_and_traffic_shaping() and the first part of -# 'setup_routing_and_traffic_shaping()' -# -# The bulk of that function is produced by the various config file -# parsing routines that are called directly out of 'compiler()'. -# -# We create two separate functions rather than one so that the -# define_firewall() shell function can set global IP configuration variables -# after the old config has been cleared and before we start instantiating -# the new config. That way, the variables reflect the way that the -# distribution's tools have configured IP without any Shorewall -# modifications and the firewall configuration is the same after -# 'restart' as it is after 'start'. -# -# Note: This function is not called when $command eq 'check'. So it must have no side effects other -# than those related to writing to the object file. -# -sub generate_script_2 () { - - copy $globals{SHAREDIRPL} . 
'prog.functions' unless $test; - - emit( '', - '#', - '# Clear Routing and Traffic Shaping', - '#', - 'clear_routing_and_traffic_shaping() {' - ); - - push_indent; - - save_progress_message 'Initializing...'; - - if ( $export ) { - my $fn = find_file 'modules'; - - if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) { - emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir'; - emit 'cat > ${VARDIR}/.modules << EOF'; - open_file $fn; - while ( read_a_line ) { - emit_unindented $currentline; - } - emit_unindented 'EOF'; - emit 'reload_kernel_modules < ${VARDIR}/.modules'; - } else { - emit 'load_kernel_modules Yes'; - } - } else { - emit 'load_kernel_modules Yes'; - } - - emit ''; - - for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", - 'if [ -n "$addr" ]; then', - ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', - ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', - ' if in_network $addr $network; then', - " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"", - ' fi', - ' done', - "fi\n" ); - } - - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', - '', - 'delete_proxyarp', - '' - ); - - if ( $capabilities{NAT_ENABLED} ) { - emit( 'if [ -f ${VARDIR}/nat ]; then', - ' while read external interface; do', - ' del_ip_addr $external $interface', - ' done < ${VARDIR}/nat', - '', - ' rm -f ${VARDIR}/nat', - "fi\n" ); - } - - emit "delete_tc1\n" if $config{CLEAR_TC}; - emit "disable_ipv6\n" if $config{DISABLE_IPV6}; - - pop_indent; - - emit "}\n"; - - emit( '#', - '# Setup Routing and Traffic Shaping', - '#', - 'setup_routing_and_traffic_shaping() {' - ); - - push_indent; - -} - -# -# Third (final) stage of script generation. 
-# -# Generate the end of 'setup_routing_and_traffic_shaping()': -# Generate code for loading the various files in /var/lib/shorewall[-lite] -# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES -# -# Generate the 'setup_netfilter()' function that runs iptables-restore. -# Generate the 'define_firewall()' function. -# -# Note: This function is not called when $command eq 'check'. So it must have no side effects other -# than those related to writing to the object file. -# -sub generate_script_3($) { - - emit 'cat > ${VARDIR}/proxyarp << __EOF__'; - dump_proxy_arp; - emit_unindented '__EOF__'; - - emit( '', - 'if [ "$COMMAND" != refresh ]; then' ); - - push_indent; - - emit 'cat > ${VARDIR}/zones << __EOF__'; - dump_zone_contents; - emit_unindented '__EOF__'; - - pop_indent; - - emit "fi\n"; - - emit '> ${VARDIR}/nat'; - - add_addresses; - - pop_indent; - - emit "}\n"; - - progress_message2 "Creating iptables-restore input..."; - create_netfilter_load; - create_chainlist_reload( $_[0] ); - - emit "#\n# Start/Restart the Firewall\n#"; - emit 'define_firewall() {'; - push_indent; - - emit "\nclear_routing_and_traffic_shaping"; - - set_global_variables; - - emit ''; - - emit<<'EOF'; -setup_routing_and_traffic_shaping - -if [ $COMMAND = restore ]; then - iptables_save_file=${VARDIR}/$(basename $0)-iptables - if [ -f $iptables_save_file ]; then - cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux - else - fatal_error "$iptables_save_file does not exist" - fi -EOF - pop_indent; - setup_forwarding; - push_indent; - emit<<'EOF'; - set_state "Started" -else - if [ $COMMAND = refresh ]; then - chainlist_reload -EOF - setup_forwarding; - emit<<'EOF'; - run_refreshed_exit - do_iptables -N shorewall - set_state "Started" - else - setup_netfilter - restore_dynamic_rules - conditionally_flush_conntrack -EOF - setup_forwarding; - emit<<'EOF'; - run_start_exit - do_iptables -N shorewall - set_state "Started" - 
run_started_exit - fi - - [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore -fi - -date > ${VARDIR}/restarted - -case $COMMAND in - start) - logger -p kern.info "$PRODUCT started" - ;; - restart) - logger -p kern.info "$PRODUCT restarted" - ;; - refresh) - logger -p kern.info "$PRODUCT refreshed" - ;; - restore) - logger -p kern.info "$PRODUCT restored" - ;; -esac -EOF - - pop_indent; - - emit "}\n"; - - copy $globals{SHAREDIRPL} . 'prog.footer' unless $test; -} - -# -# The Compiler. -# -# Arguments are named -- see %elbat below. -# -sub compiler { - - my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = - ( '', '', -1, '', 0, '', '', -1 ); - - $export = 0; - $test = 0; - - sub edit_boolean( $ ) { - my $val = numeric_value( shift ); - defined($val) && ($val >= 0) && ($val < 2); - } - - sub edit_verbosity( $ ) { - my $val = numeric_value( shift ); - defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY); - } - - my %parms = ( object => { store => \$objectfile }, - directory => { store => \$directory }, - verbosity => { store => \$verbosity , edit => \&edit_verbosity } , - timestamp => { store => \$timestamp, edit => \&edit_boolean } , - debug => { store => \$debug, edit => \&edit_boolean } , - export => { store => \$export , edit => \&edit_boolean } , - chains => { store => \$chains }, - log => { store => \$log }, - log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } , - test => { store => \$test }, - ); - - while ( defined ( my $name = shift ) ) { - fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name}; - fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ; - if ( $ref->{edit} ) { - fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val); - } - - ${$ref->{store}} = $val; - } - - reinitialize if $reused++; - - if ( $directory ne '' ) { - fatal_error "$directory is not an 
existing directory" unless -d $directory; - set_shorewall_dir( $directory ); - } - - set_verbose( $verbosity ); - set_log($log, $log_verbosity) if $log; - set_timestamp( $timestamp ); - set_debug( $debug ); - # - # Get shorewall.conf and capabilities. - # - get_configuration( $export ); - - report_capabilities; - - require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' ); - require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; - require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS}; - require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; - require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT}; - - set_command( 'check', 'Checking', 'Checked' ) unless $objectfile; - - initialize_chain_table; - - unless ( $command eq 'check' ) { - create_temp_object( $objectfile ); - generate_script_1; - } - - # - # Allow user to load Perl modules - # - run_user_exit1 'compile'; - # - # Process the zones file. - # - determine_zones; - # - # Process the interfaces file. - # - validate_interfaces_file ( $export ); - # - # Process the hosts file. - # - validate_hosts_file; - # - # Report zone contents - # - zone_report; - # - # Do action pre-processing. - # - process_actions1; - # - # Process the Policy File. 
- # - validate_policy; - # - # Compile the 'stop_firewall()' function - # - compile_stop_firewall; - # - # Start Second Part of script - # - generate_script_2 unless $command eq 'check'; - # - # Do all of the zone-independent stuff - # - add_common_rules; - # - # /proc stuff - # - setup_arp_filtering; - setup_route_filtering; - setup_martian_logging; - setup_source_routing; - # - # Proxy Arp - # - setup_proxy_arp; - # - # Handle MSS setings in the zones file - # - setup_zone_mss; - # - # [Re-]establish Routing - # - setup_providers; - # - # TOS - # - process_tos; - # - # ECN - # - setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - # - # Setup Masquerading/SNAT - # - setup_masq; - # - # MACLIST Filtration - # - setup_mac_lists 1; - # - # Process the rules file. - # - process_rules; - # - # Add Tunnel rules. - # - setup_tunnels; - # - # Post-rules action processing. - # - process_actions2; - process_actions3; - # - # MACLIST Filtration again - # - setup_mac_lists 2; - # - # Apply Policies - # - apply_policy_rules; - # - # TCRules and Traffic Shaping - # - setup_tc; - # - # Setup Nat - # - setup_nat; - # - # Setup NETMAP - # - setup_netmap; - # - # Accounting. - # - setup_accounting; - # - # We generate the matrix even though we don't write out the rules. That way, we insure that - # a compile of the script won't blow up during that step. - # - generate_matrix; - - if ( $command eq 'check' ) { - progress_message3 "Shorewall configuration verified"; - } else { - # - # Finish the script. - # - generate_script_3( $chains ); - finalize_object ( $export ); - # - # And generate the auxilary config file - # - generate_aux_config if $export; - } - - close_log if $log; - - 1; -} - -1; diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Config.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Config.pm deleted file mode 100644 index ade1bc212..000000000 --- a/Shorewall-perl-IPv6-Aborted/Shorewall/Config.pm +++ /dev/null 
@@ -1,2248 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Config.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module is responsible for lower level configuration file handling. -# It also exports functions for generating warning and error messages. -# The get_configuration function parses the shorewall.conf, capabilities and -# modules files during compiler startup. The module also provides the basic -# output file services such as creation of temporary 'object' files, writing -# into those files (emitters) and finalizing those files (renaming -# them to their final name and setting their mode appropriately). 
-# -package Shorewall::Config; - -use strict; -use warnings; -use File::Basename; -use File::Temp qw/ tempfile tempdir /; -use Cwd qw(abs_path getcwd); -use autouse 'Carp' => qw(longmess confess); -use Scalar::Util 'reftype'; - -our @ISA = qw(Exporter); -# -# Imported variables should be treated as read-only by importers -# -our @EXPORT = qw( - warning_message - fatal_error - progress_message - progress_message2 - progress_message3 - ); - -our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); - -our %EXPORT_TAGS = ( internal => [ qw( create_temp_object - finalize_object - numeric_value - numeric_value1 - in_hex - in_hex2 - in_hex3 - in_hex4 - in_hex8 - emit - emit_unindented - save_progress_message - save_progress_message_short - set_timestamp - set_verbose - set_log - close_log - set_command - push_indent - pop_indent - copy - create_temp_aux_config - finalize_aux_config - set_shorewall_dir - set_debug - find_file - split_list - split_line - split_line1 - first_entry - open_file - close_file - push_open - pop_open - read_a_line - validate_level - qt - ensure_config_path - get_configuration - require_capability - report_capabilities - propagateconfig - append_file - run_user_exit - run_user_exit1 - run_user_exit2 - generate_aux_config - - $command - $doing - $done - $currentline - %config - %globals - %capabilities - - MIN_VERBOSITY - MAX_VERBOSITY - ) ] ); - -Exporter::export_ok_tags('internal'); - -our $VERSION = 4.3.0; - -# -# describe the current command, it's present progressive, and it's completion. -# -our ($command, $doing, $done ); -# -# VERBOSITY -# -our $verbose; -# -# Logging -# -our ( $log, $log_verbose ); -# -# Timestamp each progress message, if true. 
-# -our $timestamp; -# -# Object file handle -# -our $object; -# -# True, if last line emitted is blank -# -our $lastlineblank; -# -# Number of columns to indent the output -# -our $indent; -# -# Object's Directory and File -# -our ( $dir, $file ); -# -# Temporary output file's name -# -our $tempfile; -# -# Misc Globals -# -our %globals; -# -# From shorewall.conf file -# -our %config; -# -# Config options and global settings that are to be copied to object script -# -our @propagateconfig = qw/ IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /; -our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /; -# -# From parsing the capabilities file -# -our %capabilities; -# -# Capabilities -# -our %capdesc = ( NAT_ENABLED => 'NAT', - MANGLE_ENABLED => 'Packet Mangling', - MULTIPORT => 'Multi-port Match' , - XMULTIPORT => 'Extended Multi-port Match', - CONNTRACK_MATCH => 'Connection Tracking Match', - OLD_CONNTRACK_MATCH => - 'Old conntrack match syntax', - NEW_CONNTRACK_MATCH => - 'Extended Connection Tracking Match', - USEPKTTYPE => 'Packet Type Match', - POLICY_MATCH => 'Policy Match', - PHYSDEV_MATCH => 'Physdev Match', - PHYSDEV_BRIDGE => 'Physdev-is-bridged support', - LENGTH_MATCH => 'Packet length Match', - IPRANGE_MATCH => 'IP Range Match', - RECENT_MATCH => 'Recent Match', - OWNER_MATCH => 'Owner Match', - IPSET_MATCH => 'Ipset Match', - CONNMARK => 'CONNMARK Target', - XCONNMARK => 'Extended CONNMARK Target', - CONNMARK_MATCH => 'Connmark Match', - XCONNMARK_MATCH => 'Extended Connmark Match', - RAW_TABLE => 'Raw Table', - IPP2P_MATCH => 'IPP2P Match', - CLASSIFY_TARGET => 'CLASSIFY Target', - ENHANCED_REJECT => 'Extended Reject', - KLUDGEFREE => 'Repeat match', - MARK => 'MARK Target', - XMARK => 'Extended Mark Target', - MANGLE_FORWARD => 'Mangle FORWARD Chain', - COMMENTS => 'Comments', - ADDRTYPE => 'Address Type Match', - TCPMSS_MATCH => 'TCPMSS Match', - HASHLIMIT_MATCH => 'Hashlimit Match', - NFQUEUE_TARGET => 'NFQUEUE Target', - 
REALM_MATCH => 'Realm Match', - HELPER_MATCH => 'Helper Match', - CONNLIMIT_MATCH => 'Connlimit Match', - TIME_MATCH => 'Time Match', - CAPVERSION => 'Capability Version', - ); -# -# Directories to search for configuration files -# -our @config_path; -# -# Stash away file references here when we encounter INCLUDE -# -our @includestack; -# -# Allow nested opens -# -our @openstack; - -our $currentline; # Current config file line image -our $currentfile; # File handle reference -our $currentfilename; # File NAME -our $currentlinenumber; # Line number -our $scriptfile; # File Handle Reference to current temporary file being written by an in-line Perl script -our $scriptfilename; # Name of that file. -our @tempfiles; # Files that need unlinking at END -our $first_entry; # Message to output or function to call on first non-blank line of a file - -our $shorewall_dir; # Shorewall Directory - -our $debug; # If true, use Carp to report errors with stack trace. - -use constant { MIN_VERBOSITY => -1, - MAX_VERBOSITY => 2 }; - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# -sub initialize() { - ( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion. - - $verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy) - $log = undef; # File reference for log file - $log_verbose = -1; # Verbosity of log. 
- $timestamp = ''; # If true, we are to timestamp each progress message - $object = 0; # Object (script) file Handle Reference - $lastlineblank = 0; # Avoid extra blank lines in the output - $indent = ''; # Current indentation - ( $dir, $file ) = ('',''); # Object's Directory and File - $tempfile = ''; # Temporary File Name - - # - # Misc Globals - # - %globals = ( SHAREDIR => '/usr/share/shorewall' , - CONFDIR => '/etc/shorewall', - SHAREDIRPL => '/usr/share/shorewall-perl/', - ORIGINAL_POLICY_MATCH => '', - LOGPARMS => '', - TC_SCRIPT => '', - VERSION => "4.2.1", - CAPVERSION => 40202 , - ); - # - # From shorewall.conf file - # - %config = - ( STARTUP_ENABLED => undef, - VERBOSITY => undef, - # - # Logging - # - LOGFILE => undef, - LOGFORMAT => undef, - LOGTAGONLY => undef, - LOGRATE => undef, - LOGBURST => undef, - LOGALLNEW => undef, - BLACKLIST_LOGLEVEL => undef, - MACLIST_LOG_LEVEL => undef, - TCP_FLAGS_LOG_LEVEL => undef, - RFC1918_LOG_LEVEL => undef, - SMURF_LOG_LEVEL => undef, - LOG_MARTIANS => undef, - LOG_VERBOSITY => undef, - STARTUP_LOG => undef, - # - # Location of Files - # - IPTABLES => undef, - # - #PATH is inherited - # - PATH => undef, - SHOREWALL_SHELL => undef, - SUBSYSLOCK => undef, - MODULESDIR => undef, - # - #CONFIG_PATH is inherited - # - CONFIG_PATH => undef, - RESTOREFILE => undef, - IPSECFILE => undef, - LOCKFILE => undef, - # - # Default Actions/Macros - # - DROP_DEFAULT => undef, - REJECT_DEFAULT => undef, - ACCEPT_DEFAULT => undef, - QUEUE_DEFAULT => undef, - NFQUEUE_DEFAULT => undef, - # - # RSH/RCP Commands - # - RSH_COMMAND => undef, - RCP_COMMAND => undef, - # - # Firewall Options - # - BRIDGING => undef, - IP_FORWARDING => undef, - ADD_IP_ALIASES => undef, - ADD_SNAT_ALIASES => undef, - RETAIN_ALIASES => undef, - TC_ENABLED => undef, - TC_EXPERT => undef, - CLEAR_TC => undef, - MARK_IN_FORWARD_CHAIN => undef, - CLAMPMSS => undef, - ROUTE_FILTER => undef, - DETECT_DNAT_IPADDRS => undef, - MUTEX_TIMEOUT => undef, - 
ADMINISABSENTMINDED => undef, - BLACKLISTNEWONLY => undef, - DELAYBLACKLISTLOAD => undef, - MODULE_SUFFIX => undef, - DISABLE_IPV6 => undef, - IPV6 => undef, - DYNAMIC_ZONES => undef, - PKTTYPE=> undef, - RFC1918_STRICT => undef, - MACLIST_TABLE => undef, - MACLIST_TTL => undef, - SAVE_IPSETS => undef, - MAPOLDACTIONS => undef, - FASTACCEPT => undef, - IMPLICIT_CONTINUE => undef, - HIGH_ROUTE_MARKS => undef, - USE_ACTIONS=> undef, - OPTIMIZE => undef, - EXPORTPARAMS => undef, - SHOREWALL_COMPILER => undef, - EXPAND_POLICIES => undef, - KEEP_RT_TABLES => undef, - DELETE_THEN_ADD => undef, - MULTICAST => undef, - DONT_LOAD => '', - AUTO_COMMENT => undef , - MANGLE_ENABLED => undef , - NULL_ROUTE_RFC1918 => undef , - USE_DEFAULT_RT => undef , - # - # Packet Disposition - # - MACLIST_DISPOSITION => undef, - TCP_FLAGS_DISPOSITION => undef, - BLACKLIST_DISPOSITION => undef, - ); - - # - # From parsing the capabilities file - # - %capabilities = - ( NAT_ENABLED => undef, - MANGLE_ENABLED => undef, - MULTIPORT => undef, - XMULTIPORT => undef, - CONNTRACK_MATCH => undef, - NEW_CONNTRACK_MATCH => undef, - OLD_CONNTRACK_MATCH => undef, - USEPKTTYPE => undef, - POLICY_MATCH => undef, - PHYSDEV_MATCH => undef, - PHYSDEV_BRIDGE => undef, - LENGTH_MATCH => undef, - IPRANGE_MATCH => undef, - RECENT_MATCH => undef, - OWNER_MATCH => undef, - IPSET_MATCH => undef, - CONNMARK => undef, - XCONNMARK => undef, - CONNMARK_MATCH => undef, - XCONNMARK_MATCH => undef, - RAW_TABLE => undef, - IPP2P_MATCH => undef, - CLASSIFY_TARGET => undef, - ENHANCED_REJECT => undef, - KLUDGEFREE => undef, - MARK => undef, - XMARK => undef, - MANGLE_FORWARD => undef, - COMMENTS => undef, - ADDRTYPE => undef, - TCPMSS_MATCH => undef, - HASHLIMIT_MATCH => undef, - NFQUEUE_TARGET => undef, - REALM_MATCH => undef, - HELPER_MATCH => undef, - CONNLIMIT_MATCH => undef, - TIME_MATCH => undef, - CAPVERSION => undef, - ); - # - # Directories to search for configuration files - # - @config_path = (); - # - # Stash 
away file references here when we encounter INCLUDE - # - @includestack = (); - # - # Allow nested opens - # - @openstack = (); - - $currentline = ''; # Line image - $currentfile = undef; # File handle reference - $currentfilename = ''; # File NAME - $currentlinenumber = 0; # Line number - $first_entry = 0; # Message to output or function to call on first non-blank file entry - - $shorewall_dir = ''; #Shorewall Directory - - $debug = 0; -} - -INIT { - initialize; - # - # These variables appear within single quotes in shorewall.conf -- add them to ENV - # so that read_a_line doesn't have to be smart enough to parse that usage. - # - for ( qw/root system command files destination/ ) { - $ENV{$_} = '' unless exists $ENV{$_}; - } -} - -my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); - -# -# Issue a Warning Message -# -sub warning_message -{ - my $linenumber = $currentlinenumber || 1; - my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; - our @localtime; - - $| = 1; - - if ( $log ) { - @localtime = localtime; - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - } - - if ( $debug ) { - print STDERR longmess( " WARNING: @_$currentlineinfo" ); - print $log longmess( " WARNING: @_$currentlineinfo\n" ) if $log; - } else { - print STDERR " WARNING: @_$currentlineinfo\n"; - print $log " WARNING: @_$currentlineinfo\n" if $log; - } - - $| = 0; -} - -# -# Issue fatal error message and die -# -sub fatal_error { - my $linenumber = $currentlinenumber || 1; - my $currentlineinfo = $currentfile ? 
" : $currentfilename (line $linenumber)" : ''; - - $| = 1; - - if ( $log ) { - our @localtime = localtime; - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - - if ( $debug ) { - print $log longmess( " ERROR: @_$currentlineinfo\n" ); - } else { - print $log " ERROR: @_$currentlineinfo\n"; - } - - close $log; - $log = undef; - } - - confess " ERROR: @_$currentlineinfo" if $debug; - die " ERROR: @_$currentlineinfo\n"; -} - -sub fatal_error1 { - $| = 1; - - if ( $log ) { - our @localtime = localtime; - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - - if ( $debug ) { - print $log longmess( " ERROR: @_\n" ); - } else { - print $log " ERROR: @_\n"; - } - - close $log; - $log = undef; - } - - confess " ERROR: @_" if $debug; - die " ERROR: @_\n"; -} - -# -# Convert value to decimal number -# -sub numeric_value ( $ ) { - my $mark = lc $_[0]; - return undef unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; - $mark =~ /^0/ ? oct $mark : $mark; -} - -sub numeric_value1 ( $ ) { - my $val = numeric_value $_[0]; - fatal_error "Invalid Number ($_[0])" unless defined $val; - $val; -} - -# -# Return the argument expressed in Hex -# -sub in_hex( $ ) { - sprintf '0x%x', $_[0]; -} - -sub in_hex2( $ ) { - sprintf '0x%02x', $_[0]; -} - -sub in_hex3( $ ) { - sprintf '0x%03x', $_[0]; -} - -sub in_hex4( $ ) { - sprintf '0x%04x', $_[0]; -} - -sub in_hex8( $ ) { - sprintf '0x%08x', $_[0]; -} - -# -# Write the arguments to the object file (if any) with the current indentation. -# -# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines. -# -sub emit { - if ( $object ) { - # - # 'compile' as opposed to 'check' - # - for ( @_ ) { - unless ( /^\s*$/ ) { - my $line = $_; # This copy is necessary because the actual arguments are almost always read-only. 
- $line =~ s/^\n// if $lastlineblank; - $line =~ s/^/$indent/gm if $indent; - $line =~ s/ /\t/gm; - print $object "$line\n"; - $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" ); - } else { - print $object "\n" unless $lastlineblank; - $lastlineblank = 1; - } - } - } -} - -# -# Write passed message to the object with newline but no indentation. -# -sub emit_unindented( $ ) { - print $object "$_[0]\n" if $object; -} - -# -# Write a progress_message2 command with surrounding blank lines to the output file. -# -sub save_progress_message( $ ) { - emit "\nprogress_message2 @_\n" if $object; -} - -# -# Write a progress_message command to the output file. -# -sub save_progress_message_short( $ ) { - emit "progress_message $_[0]" if $object; -} - -# -# Set $timestamp -# -sub set_timestamp( $ ) { - $timestamp = shift; -} - -# -# Set $verbose -# -sub set_verbose( $ ) { - $verbose = shift; -} - -# -# Set $log and $log_verbose -# -sub set_log ( $$ ) { - my ( $l, $v ) = @_; - - if ( defined $v ) { - my $value = numeric_value( $v ); - fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2); - $log_verbose = $value; - } - - if ( $l && $log_verbose >= 0 ) { - unless ( open $log , '>>' , $l ) { - $log = undef; - fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!"; - } - } else { - $log_verbose = -1; - } -} - -sub close_log() { - close $log, $log = undef if $log; -} - -# -# Set $command, $doing and $done -# -sub set_command( $$$ ) { - ($command, $doing, $done) = @_; -} - -# -# Print the current TOD to STDOUT. -# -sub timestamp() { - our @localtime = localtime; - printf '%02d:%02d:%02d ', @localtime[2,1,0]; -} - -# -# Write a message if $verbose >= 2 -# -sub progress_message { - my $havelocaltime = 0; - - if ( $verbose > 1 ) { - timestamp, $havelocaltime = 1 if $timestamp; - # - # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession). 
- # The following makes such messages look more readable and uniform - # - my $line = "@_"; - $line =~ s/\s+/ /g; - print "$line\n"; - } - - if ( $log_verbose > 1 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - my $line = "@_"; - $line =~ s/\s+/ /g; - print $log "$line\n"; - } -} - -# -# Write a message if $verbose >= 1 -# -sub progress_message2 { - my $havelocaltime = 0; - - if ( $verbose > 0 ) { - timestamp, $havelocaltime = 1 if $timestamp; - print "@_\n"; - } - - if ( $log_verbose > 0 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - print $log "@_\n"; - } -} - -# -# Write a message if $verbose >= 0 -# -sub progress_message3 { - my $havelocaltime = 0; - - if ( $verbose >= 0 ) { - timestamp, $havelocaltime = 1 if $timestamp; - print "@_\n"; - } - - if ( $log_verbose >= 0 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - print $log "@_\n"; - } -} - -# -# Push/Pop Indent -# -sub push_indent() { - $indent = "$indent "; -} - -sub pop_indent() { - $indent = substr( $indent , 0 , ( length $indent ) - 4 ); -} - -# -# Functions for copying files into the object -# -sub copy( $ ) { - if ( $object ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - while ( ) { - chomp; - if ( /^\s*$/ ) { - print $object "\n" unless $lastlineblank; - $lastlineblank = 1; - } else { - s/^/$indent/ if $indent; - print $object $_; - print $object "\n"; - $lastlineblank = 0; - } - } - - close IF; - } -} - -# -# This one handles line continuation. 
- -sub copy1( $ ) { - if ( $object ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - my $do_indent = 1; - - while ( ) { - chomp; - if ( /^\s*$/ ) { - print $object "\n"; - $do_indent = 1; - next; - } - - s/^/$indent/ if $indent && $do_indent; - print $object $_; - print $object "\n"; - $do_indent = ! ( /\\$/ ); - } - - close IF; - } -} - -# -# Create the temporary object file -- the passed file name is the name of the final file. -# We create a temporary file in the same directory so that we can use rename to finalize it. -# -sub create_temp_object( $ ) { - my $objectfile = $_[0]; - my $suffix; - - eval { - ( $file, $dir, $suffix ) = fileparse( $objectfile ); - }; - - die if $@; - - fatal_error "$dir is a Symbolic Link" if -l $dir; - fatal_error "Directory $dir does not exist" unless -d _; - fatal_error "Directory $dir is not writable" unless -w _; - fatal_error "$objectfile is a Symbolic Link" if -l $objectfile; - fatal_error "$objectfile is a Directory" if -d _; - fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _; - - eval { - $dir = abs_path $dir; - ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir ); - }; - - fatal_error "Unable to create temporary file in directory $dir" if $@; - - $file = "$file.$suffix" if $suffix; - $dir .= '/' unless substr( $dir, -1, 1 ) eq '/'; - $file = $dir . $file; - -} - -# -# Finalize the object file -# -sub finalize_object( $ ) { - my $export = $_[0]; - close $object; - $object = 0; - rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!"; - chmod 0700, $file or fatal_error "Cannot secure $file for execute access"; - progress_message3 "Shorewall configuration compiled to $file" unless $export; -} - -# -# Create the temporary aux config file. -# -sub create_temp_aux_config() { - eval { - ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir ); - }; - - die if $@; - -} - -# -# Finalize the aux config file. 
-# -sub finalize_aux_config() { - close $object; - $object = 0; - rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!"; - progress_message3 "Shorewall configuration compiled to $file"; -} - -# -# Set $config{CONFIG_PATH} -# -sub set_config_path( $ ) { - $config{CONFIG_PATH} = shift; -} - -# -# Set $debug -# -sub set_debug( $ ) { - $debug = shift; -} - -# -# Search the CONFIG_PATH for the passed file -# -sub find_file($) -{ - my $filename=$_[0]; - - return $filename if $filename =~ '/'; - - my $directory; - - for $directory ( @config_path ) { - my $file = "$directory$filename"; - return $file if -f $file; - } - - "$globals{CONFDIR}/$filename"; -} - -sub split_list( $$ ) { - my ($list, $type ) = @_; - - fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/; - - split /,/, $list; -} - -# -# Pre-process a line from a configuration file. - -# ensure that it has an appropriate number of columns. -# supply '-' in omitted trailing columns. -# -sub split_line( $$$ ) { - my ( $mincolumns, $maxcolumns, $description ) = @_; - - fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/; - fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/; - - my @line = split( ' ', $currentline ); - - my $line = @line; - - fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns; - - $line-- while $line > 0 && $line[$line-1] eq '-'; - - fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns; - - push @line, '-' while @line < $maxcolumns; - - @line; -} - -# -# Version of 'split_line' used on files with exceptions -# -sub split_line1( $$$;$ ) { - my ( $mincolumns, $maxcolumns, $description, $nopad) = @_; - - fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/; - - my @line = 
split( ' ', $currentline ); - - $nopad = { COMMENT => 0 } unless $nopad; - - my $first = $line[0]; - my $columns = $nopad->{$first}; - - if ( defined $columns ) { - fatal_error "Invalid $first entry" if $columns && @line != $columns; - return @line - } - - fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/; - - my $line = @line; - - fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns; - - $line-- while $line > 0 && $line[$line-1] eq '-'; - - fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns; - - push @line, '-' while @line < $maxcolumns; - - @line; -} - -# -# Open a file, setting $currentfile. Returns the file's absolute pathname if the file -# exists, is non-empty and was successfully opened. Terminates with a fatal error -# if the file exists, is non-empty, but the open fails. -# -sub do_open_file( $ ) { - my $fname = $_[0]; - open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!"; - $currentlinenumber = 0; - $currentfilename = $fname; -} - -sub open_file( $ ) { - my $fname = find_file $_[0]; - - fatal_error 'Internal Error in open_file()' if defined $currentfile; - - -f $fname && -s _ ? do_open_file $fname : ''; -} - -# -# Pop the include stack -# -sub pop_include() { - my $arrayref = pop @includestack; - - if ( $arrayref ) { - ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref; - } else { - $currentfile = undef; - } -} - -# -# This function is normally called below in read_a_line() when EOF is reached. Clients of the -# module may also call the function to close the file before EOF -# - -sub close_file() { - if ( $currentfile ) { - my $result = close $currentfile; - - pop_include; - - fatal_error "SHELL Script failed" unless $result; - - $first_entry = 0; - - } -} - -# -# The following two functions allow module clients to nest opens. This happens frequently -# in the Actions module. 
-# -sub push_open( $ ) { - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - my @a = @includestack; - push @openstack, \@a; - @includestack = (); - $currentfile = undef; - open_file( $_[0] ); - -} - -sub pop_open() { - @includestack = @{pop @openstack}; - pop_include; -} - -sub shorewall { - unless ( $scriptfile ) { - fatal_error "shorewall() may not be called in this context" unless $currentfile; - - $dir ||= '/tmp/'; - - eval { - ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir ); - }; - - fatal_error "Unable to create temporary file in directory $dir" if $@; - } - - print $scriptfile "@_\n"; -} - -# -# We don't announce that we are checking/compiling a file until we determine that the file contains -# at least one non-blank, non-commentary line. -# -# The argument to this function may be either a scalar or a function reference. When the first -# non-blank/non-commentary line is reached: -# -# - if a function reference was passed to first_entry(), that function is called -# - otherwise, the argument to first_entry() is passed to progress_message2(). -# -# We do this processing in read_a_line() rather than in the higher-level routines because -# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement -# until we get back to the caller of read_a_line(), we could issue error messages about parsing and -# running scripts in the file before we'd even indicated that we are processing it. 
-# -sub first_entry( $ ) { - $first_entry = $_[0]; - my $reftype = reftype $first_entry; - if ( $reftype ) { - fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE'; - } -} - -sub embedded_shell( $ ) { - my $multiline = shift; - - fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; - my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber ); - - if ( $multiline ) { - # - # Multi-line script - # - fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/; - $command .= "\n"; - - my $last = 0; - - while ( <$currentfile> ) { - $currentlinenumber++; - last if $last = s/^\s*END(\s+SHELL)?\s*;?//; - $command .= $_; - } - - fatal_error ( "Missing END SHELL" ) unless $last; - fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/; - } - - $command .= q('); - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - open $currentfile , '-|', $command or fatal_error qq(Shell Command failed); - $currentfilename = "SHELL\@$currentfilename:$currentlinenumber"; - $currentline = ''; - $currentlinenumber = 0; -} - -sub embedded_perl( $ ) { - my $multiline = shift; - - my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); - - if ( $multiline ) { - # - # Multi-line script - # - fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/; - $command .= "\n"; - - my $last = 0; - - while ( <$currentfile> ) { - $currentlinenumber++; - last if $last = s/^\s*END(\s+PERL)?\s*;?//; - $command .= $_; - } - - fatal_error ( "Missing END PERL" ) unless $last; - fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/; - } - - unless (my $return = eval $command ) { - if ( $@ ) { - # - # Perl found the script offensive or the script itself died - # - $@ =~ s/, <\$currentfile> line \d+//g; - fatal_error1 "$@"; - } - - 
unless ( defined $return ) { - fatal_error "Perl Script failed: $!" if $!; - fatal_error "Perl Script failed"; - } - - fatal_error "Perl Script Returned False"; - } - - if ( $scriptfile ) { - fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; - - close $scriptfile or fatal_error "Internal Error in embedded_perl()"; - - $scriptfile = undef; - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - - open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename"; - - push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin - - $scriptfilename = ''; - - $currentfilename = "PERL\@$currentfilename:$linenumber"; - $currentline = ''; - $currentlinenumber = 0; - } -} - -# -# Read a line from the current include stack. -# -# - Ignore blank or comment-only lines. -# - Remove trailing comments. -# - Handle Line Continuation -# - Handle embedded SHELL and PERL scripts -# - Expand shell variables from $ENV. -# - Handle INCLUDE -# - -sub read_a_line() { - while ( $currentfile ) { - - $currentline = ''; - $currentlinenumber = 0; - - while ( <$currentfile> ) { - - $currentlinenumber = $. unless $currentlinenumber; - - chomp; - # - # Continuation - # - chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\'; - # - # Remove Trailing Comments -- result might be a blank line - # - $currentline =~ s/#.*$//; - # - # Ignore ( concatenated ) Blank Lines - # - $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/; - # - # Line not blank -- Handle any first-entry message/capabilities check - # - if ( $first_entry ) { - reftype( $first_entry ) ? 
$first_entry->() : progress_message2( $first_entry ); - $first_entry = 0; - } - # - # Must check for shell/perl before doing variable expansion - # - if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) { - embedded_shell( $1 ); - } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) { - embedded_perl( $1 ); - } else { - my $count = 0; - # - # Expand Shell Variables using %ENV - # - # $1 $2 $3 - $4 - while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { - my $val = $ENV{$3}; - - unless ( defined $val ) { - fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3}; - $val = ''; - } - - $currentline = join( '', $1 , $val , $4 ); - fatal_error "Variable Expansion Loop" if ++$count > 100; - } - - if ( $currentline =~ /^\s*INCLUDE\s/ ) { - - my @line = split ' ', $currentline; - - fatal_error "Invalid INCLUDE command" if @line != 2; - fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4; - - my $filename = find_file $line[1]; - - fatal_error "INCLUDE file $filename not found" unless -f $filename; - fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; - - if ( -s _ ) { - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - do_open_file $filename; - } else { - $currentlinenumber = 0; - } - - $currentline = ''; - } else { - return 1; - } - } - } - - close_file; - } -} - -# -# Simple version of the above. 
Doesn't do line concatenation, shell variable expansion or INCLUDE processing -# -sub read_a_line1() { - while ( $currentfile ) { - while ( $currentline = <$currentfile> ) { - next if $currentline =~ /^\s*#/; - chomp $currentline; - next if $currentline =~ /^\s*$/; - $currentline =~ s/#.*$//; # Remove Trailing Comments - fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/; - $currentlinenumber = $.; - return 1; - } - - close_file; - } -} - -# -# Provide the passed default value for the passed configuration variable -# -sub default ( $$ ) { - my ( $var, $val ) = @_; - - $config{$var} = $val unless defined $config{$var} && $config{$var} ne ''; -} - -# -# Provide a default value for a yes/no configuration variable. -# -sub default_yes_no ( $$ ) { - my ( $var, $val ) = @_; - - my $curval = "\L$config{$var}"; - - if ( defined $curval && $curval ne '' ) { - if ( $curval eq 'no' ) { - $config{$var} = ''; - } else { - fatal_error "Invalid value for $var ($val)" unless $curval eq 'yes'; - } - } else { - $config{$var} = $val; - } -} - -my %validlevels = ( DEBUG => 7, - INFO => 6, - NOTICE => 5, - WARNING => 4, - WARN => 4, - ERR => 3, - ERROR => 3, - CRIT => 2, - ALERT => 1, - EMERG => 0, - PANIC => 0, - NONE => '', - ULOG => 'ULOG', - NFLOG => 'NFLOG'); - -my @suffixes = qw(group range threshold nlgroup cprange qthreshold); - -# -# Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate" -# -sub level_error( $ ) { - fatal_error "Invalid log level ($_[0])"; -} - -sub validate_level( $ ) { - my $rawlevel = $_[0]; - my $level = uc $rawlevel; - - if ( defined $level && $level ne '' ) { - $level =~ s/!$//; - my $value = $validlevels{$level}; - return $value if defined $value; - return $level if $level =~ /^[0-7]$/; - - if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) { - my $olevel = $1; - my @options = split /,/, $2; - my $prefix = lc $olevel; - my $index = $prefix eq 'ulog' ? 
3 : 0; - - level_error( $level ) if @options > 3; - - for ( @options ) { - if ( defined $_ and $_ ne '' ) { - level_error( $level ) unless /^\d+/; - $olevel .= " --${prefix}-$suffixes[$index] $_"; - } - - $index++; - } - - return $olevel; - } - - if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) { - return $rawlevel; - } - - level_error( $rawlevel ); - } - - ''; -} - -# -# Validate a log level and supply default -# -sub default_log_level( $$ ) { - my ( $level, $default ) = @_; - - my $value = $config{$level}; - - unless ( defined $value && $value ne '' ) { - $config{$level} = $default; - } else { - $config{$level} = validate_level $value; - } -} - -# -# Check a tri-valued variable -# -sub check_trivalue( $$ ) { - my ( $var, $default) = @_; - my $val = "\L$config{$var}"; - - if ( defined $val ) { - if ( $val eq 'yes' || $val eq 'on' ) { - $config{$var} = 'on'; - } elsif ( $val eq 'no' || $val eq 'off' ) { - $config{$var} = 'off'; - } elsif ( $val eq 'keep' ) { - $config{$var} = ''; - } elsif ( $val eq '' ) { - $config{$var} = $default - } else { - fatal_error "Invalid value ($val) for $var"; - } - } else { - $config{var} = $default - } -} - -# -# Produce a report of the detected capabilities -# -sub report_capabilities() { - sub report_capability( $ ) { - my $cap = $_[0]; - print " $capdesc{$cap}: "; - if ( $cap eq 'CAPVERSION' ) { - my $version = $capabilities{CAPVERSION}; - printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 ); - } else { - print $capabilities{$cap} ? 
"Available\n" : "Not Available\n"; - } - } - - if ( $verbose > 1 ) { - print "Shorewall has detected the following capabilities:\n"; - - for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { - report_capability $cap; - } - } -} - -# -# Search the current PATH for the passed executable -# -sub which( $ ) { - my $prog = $_[0]; - - for ( split /:/, $config{PATH} ) { - return "$_/$prog" if -x "$_/$prog"; - } - - ''; -} - -# -# Load the kernel modules defined in the 'modules' file. -# -sub load_kernel_modules( ) { - my $moduleloader = which( 'modprobe' ) || ( which 'insmod' ); - - my $modulesdir = $config{MODULESDIR}; - - unless ( $modulesdir ) { - my $uname = `uname -r`; - fatal_error "The command 'uname -r' failed" unless $? == 0; - chomp $uname; - $modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter"; - } - - my @moduledirectories = split /:/, $modulesdir; - - if ( $moduleloader && open_file 'modules' ) { - my %loadedmodules; - - $loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' ); - - progress_message "Loading Modules..."; - - open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod"; - - while ( ) { - my $module = ( split( /\s+/, $_, 2 ) )[0]; - $loadedmodules{$module}++ unless $module eq 'Module' - } - - close LSMOD; - - $config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX}; - - my @suffixes = split /\s+/ , $config{MODULE_SUFFIX}; - - while ( read_a_line ) { - fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ ); - my ( $module, $arguments ) = ( $1, $2 ); - unless ( $loadedmodules{ $module } ) { - for my $directory ( @moduledirectories ) { - for my $suffix ( @suffixes ) { - my $modulefile = "$directory/$module.$suffix"; - if ( -f $modulefile ) { - if ( $moduleloader eq 'insmod' ) { - system ("insmod $modulefile $arguments" ); - } else { - system( "modprobe $module $arguments" ); - } - - $loadedmodules{ 
$module } = 1; - } - } - } - } - } - } -} - -# -# Q[uie]t version of system(). Returns true for success -# -sub qt( $ ) { - system( "@_ > /dev/null 2>&1" ) == 0; -} - -sub qt1( $ ) { - 1 while system( "@_ > /dev/null 2>&1" ) == 4; - $? == 0; -} - -# -# Determine which optional facilities are supported by iptables/netfilter -# -sub determine_capabilities( $ ) { - - my $iptables = $_[0]; - my $pid = $$; - my $sillyname = "fooX$pid"; - - $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ); - $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" ); - - qt1( "$iptables -N $sillyname" ); - - $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); - - if ( $capabilities{CONNTRACK_MATCH} ) { - $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); - $capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdstport 1.2.3.4" ); - } - - if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { - $capabilities{MULTIPORT} = 1; - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); - } - - $capabilities{XMULTIPORT} = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); - $capabilities{POLICY_MATCH} = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); - - if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { - $capabilities{PHYSDEV_MATCH} = 1; - $capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); - unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); - } - } - - if ( qt1( "$iptables -A $sillyname -m 
iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { - $capabilities{IPRANGE_MATCH} = 1; - unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); - } - } - - $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" ); - $capabilities{OWNER_MATCH} = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" ); - - if ( qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) { - $capabilities{CONNMARK_MATCH} = 1; - $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); - } - - $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); - $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); - $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); - $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); - - if ( $capabilities{MANGLE_ENABLED} ) { - qt1( "$iptables -t mangle -N $sillyname" ); - - if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) { - $capabilities{MARK} = 1; - $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); - } - - if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) { - $capabilities{CONNMARK} = 1; - $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); - } - - $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); - qt1( "$iptables -t mangle -F $sillyname" ); - qt1( "$iptables -t mangle -X $sillyname" ); - - $capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" ); - } - - $capabilities{RAW_TABLE} = 
qt1( "$iptables -t raw -L -n" ); - - if ( which 'ipset' ) { - qt( "ipset -X $sillyname" ); - - if ( qt( "ipset -N $sillyname iphash" ) ) { - if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); - $capabilities{IPSET_MATCH} = 1; - } - - qt( "ipset -X $sillyname" ); - } - } - - $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); - $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); - $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); - $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); - $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); - $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); - $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); - $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" ); - $capabilities{TIME_MATCH} = qt1( "$iptables -A $sillyname -m time --timestart 11:00" ); - - qt1( "$iptables -F $sillyname" ); - qt1( "$iptables -X $sillyname" ); - - $capabilities{CAPVERSION} = $globals{CAPVERSION}; -} - -# -# Require the passed capability -# -sub require_capability( $$$ ) { - my ( $capability, $description, $singular ) = @_; - - fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" - unless $capabilities{$capability}; -} - -# -# Set default config path -# -sub ensure_config_path() { - - my $f = "$globals{SHAREDIR}/configpath"; - - $globals{CONFDIR} = '/usr/share/shorewall/configfiles/' if $> != 0; - - unless ( $config{CONFIG_PATH} ) { - fatal_error "$f does not 
exist" unless -f $f; - - open_file $f; - - $ENV{CONFDIR} = $globals{CONFDIR}; - - while ( read_a_line ) { - if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { - my ($var, $val) = ($1, $2); - $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ) if exists $config{$var}; - } else { - fatal_error "Unrecognized entry"; - } - } - - fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH}; - } - - @config_path = split /:/, $config{CONFIG_PATH}; - - for ( @config_path ) { - $_ .= '/' unless m|/$|; - } - - if ( $shorewall_dir ) { - $shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|; - $shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|; - unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0]; - $config{CONFIG_PATH} = join ':', @config_path; - } -} - -# -# Set $shorewall_dir -# -sub set_shorewall_dir( $ ) { - $shorewall_dir = shift; - ensure_config_path; -} - -# -# Small functions called by get_configuration. We separate them so profiling is more useful -# -sub process_shorewall_conf() { - my $file = find_file 'shorewall.conf'; - - if ( -f $file ) { - if ( -r _ ) { - open_file $file; - - while ( read_a_line ) { - if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { - my ($var, $val) = ($1, $2); - unless ( exists $config{$var} ) { - warning_message "Unknown configuration option ($var) ignored"; - next; - } - - $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ); - } else { - fatal_error "Unrecognized entry"; - } - } - } else { - fatal_error "Cannot read $file (Hint: Are you root?)"; - } - } else { - fatal_error "$file does not exist!"; - } -} - -# -# Process the records in the capabilities file -# -sub read_capabilities() { - while ( read_a_line1 ) { - if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) { - my ($var, $val) = ($1, $2); - unless ( exists $capabilities{$var} ) { - warning_message "Unknown capability ($var) ignored"; - next; - } - - $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? 
$1 : $val; - } else { - fatal_error "Unrecognized capabilities entry"; - } - } - - if ( $capabilities{CAPVERSION} ) { - warning_message "Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version $globals{VERSION}" unless $capabilities{CAPVERSION} >= $globals{CAPVERSION}; - } else { - warning_message "Your capabilities file may not contain all of the capabilities defined by Shorewall version $globals{VERSION}"; - } -} - -# -# Get the system's capabilities, either by probing or by reading a capabilities file -# -sub get_capabilities( $ ) { - my $export = $_[0]; - - if ( ! $export && $> == 0 ) { # $> == $EUID - my $iptables = $config{IPTABLES}; - - if ( $iptables ) { - fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables; - } else { - fatal_error "Can't find iptables executable" unless $iptables = which 'iptables'; - } - - my $iptables_restore=$iptables . '-restore'; - - fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; - - load_kernel_modules; - - if ( open_file 'capabilities' ) { - read_capabilities; - } else { - determine_capabilities $iptables; - } - } else { - unless ( open_file 'capabilities' ) { - fatal_error "The -e compiler option requires a capabilities file" if $export; - fatal_error "Compiling under non-root uid requires a capabilities file"; - } - - read_capabilities; - } -} - -# -# Deal with options that we no longer support -# -sub unsupported_yes_no( $ ) { - my $option = shift; - - default_yes_no $option, ''; - - fatal_error "$option=Yes is not supported by Shorewall-perl $globals{VERSION}" if $config{$option}; -} - -# -# - Read the shorewall.conf file -# - Read the capabilities file, if any -# - establish global hashes %config , %globals and %capabilities -# -sub get_configuration( $ ) { - - my $export = $_[0]; - - our ( $once, @originalinc ); - - @originalinc = @INC unless $once++; - - ensure_config_path; - - 
process_shorewall_conf; - - ensure_config_path; - - @INC = @originalinc; - - unshift @INC, @config_path; - - default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'; - - default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz'; - - get_capabilities( $export ); - - $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH}; - - if ( $config{LOGRATE} || $config{LOGBURST} ) { - $globals{LOGLIMIT} = '-m limit '; - $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if $config{LOGRATE}; - $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if $config{LOGBURST}; - } else { - $globals{LOGLIMIT} = ''; - } - - check_trivalue ( 'IP_FORWARDING', 'on' ); - check_trivalue ( 'ROUTE_FILTER', '' ); - check_trivalue ( 'LOG_MARTIANS', 'on' ); - - default 'STARTUP_LOG' , ''; - - if ( $config{STARTUP_LOG} ne '' ) { - if ( defined $config{LOG_VERBOSITY} ) { - if ( $config{LOG_VERBOSITY} eq '' ) { - $config{LOG_VERBOSITY} = 2; - } else { - my $val = numeric_value( $config{LOG_VERBOSITY} ); - fatal_error "Invalid LOG_VERBOSITY ($config{LOG_VERBOSITY} )" unless defined( $val ) && ( $val >= -1 ) && ( $val <= 2 ); - $config{STARTUP_LOG} = '' if $config{LOG_VERBOSITY} < 0; - } - } else { - $config{LOG_VERBOSITY} = 2; - } - } else { - $config{LOG_VERBOSITY} = -1; - } - - default_yes_no 'ADD_IP_ALIASES' , 'Yes'; - default_yes_no 'ADD_SNAT_ALIASES' , ''; - default_yes_no 'DETECT_DNAT_IPADDRS' , ''; - default_yes_no 'DETECT_DNAT_IPADDRS' , ''; - default_yes_no 'CLEAR_TC' , 'Yes'; - - if ( defined $config{CLAMPMSS} ) { - default_yes_no 'CLAMPMSS' , '' unless $config{CLAMPMSS} =~ /^\d+$/; - } else { - $config{CLAMPMSS} = ''; - } - - unless ( $config{ADD_IP_ALIASES} || $config{ADD_SNAT_ALIASES} ) { - $config{RETAIN_ALIASES} = ''; - } else { - default_yes_no 'RETAIN_ALIASES' , ''; - } - - default_yes_no 'ADMINISABSENTMINDED' , ''; - default_yes_no 'BLACKLISTNEWONLY' , ''; - - if ( defined $config{IPV6} ) { - if ( $config{IPV6} =~ /on/i ) { - $config{IPV6} = 'On'; - } elsif ( 
$config{IPV6} =~ /off/i ) { - $config{IPV6} = 'Off'; - } elsif ( $config{IPV6} =~ /keep/i ) { - $config{IPV6} = ''; - } - } - - default_yes_no 'DISABLE_IPV6' , ''; - - fatal_error "Incompatible settings of IPV6 (On) and DISABLE_IPV6 (Yes)" if $config{IPV6} eq 'On' && $config{DISABLE_IPV6} eq 'Yes'; - - $config{IPV6} = $config{DISABLE_IPV6} ? 'Off' : '' unless defined $config{IPV6}; - - unsupported_yes_no 'DYNAMIC_ZONES'; - unsupported_yes_no 'BRIDGING'; - unsupported_yes_no 'SAVE_IPSETS'; - unsupported_yes_no 'MAPOLDACTIONS'; - - default_yes_no 'STARTUP_ENABLED' , 'Yes'; - default_yes_no 'DELAYBLACKLISTLOAD' , ''; - - warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall-perl ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD}; - - default_yes_no 'LOGTAGONLY' , ''; $globals{LOGTAGONLY} = $config{LOGTAGONLY}; - default_yes_no 'RFC1918_STRICT' , ''; - default_yes_no 'FASTACCEPT' , ''; - - fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY}; - - default_yes_no 'IMPLICIT_CONTINUE' , ''; - default_yes_no 'HIGH_ROUTE_MARKS' , ''; - default_yes_no 'TC_EXPERT' , ''; - default_yes_no 'USE_ACTIONS' , 'Yes'; - - warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . 
$globals{VERSION} unless $config{USE_ACTIONS}; - - default_yes_no 'EXPORTPARAMS' , ''; - default_yes_no 'EXPAND_POLICIES' , ''; - default_yes_no 'KEEP_RT_TABLES' , ''; - default_yes_no 'DELETE_THEN_ADD' , 'Yes'; - default_yes_no 'AUTO_COMMENT' , 'Yes'; - default_yes_no 'MULTICAST' , ''; - default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; - default_yes_no 'MANGLE_ENABLED' , 'Yes'; - default_yes_no 'NULL_ROUTE_RFC1918' , ''; - default_yes_no 'USE_DEFAULT_RT' , ''; - - $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; - - default 'BLACKLIST_DISPOSITION' , 'DROP'; - - default_log_level 'BLACKLIST_LOGLEVEL', ''; - default_log_level 'MACLIST_LOG_LEVEL', ''; - default_log_level 'TCP_FLAGS_LOG_LEVEL', ''; - default_log_level 'RFC1918_LOG_LEVEL', 6; - default_log_level 'SMURF_LOG_LEVEL', ''; - default_log_level 'LOGALLNEW', ''; - - my $val; - - $globals{MACLIST_TARGET} = 'reject'; - - if ( $val = $config{MACLIST_DISPOSITION} ) { - unless ( $val eq 'REJECT' ) { - if ( $val eq 'DROP' ) { - $globals{MACLIST_TARGET} = 'DROP'; - } elsif ( $val eq 'ACCEPT' ) { - $globals{MACLIST_TARGET} = 'RETURN'; - } else { - fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" - } - } - } else { - $config{MACLIST_DISPOSITION} = 'REJECT'; - } - - if ( $val = $config{MACLIST_TABLE} ) { - if ( $val eq 'mangle' ) { - fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT'; - } else { - fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; - } - } else { - default 'MACLIST_TABLE' , 'filter'; - } - - if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { - fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(REJECT|ACCEPT|DROP)$/; - } else { - $config{TCP_FLAGS_DISPOSITION} = 'DROP'; - } - - default 'TC_ENABLED' , 'Internal'; - - $val = "\L$config{TC_ENABLED}"; - - if ( $val eq 'yes' ) { - 
my $file = find_file 'tcstart'; - fatal_error "Unable to find tcstart file" unless -f $file; - $globals{TC_SCRIPT} = $file; - } elsif ( $val eq 'internal' ) { - $config{TC_ENABLED} = 'Internal'; - } else { - fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no'; - $config{TC_ENABLED} = ''; - } - - fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED}; - - default 'RESTOREFILE' , 'restore'; - default 'IPSECFILE' , 'zones'; - default 'DROP_DEFAULT' , 'Drop'; - default 'REJECT_DEFAULT' , 'Reject'; - default 'QUEUE_DEFAULT' , 'none'; - default 'NFQUEUE_DEFAULT' , 'none'; - default 'ACCEPT_DEFAULT' , 'none'; - default 'OPTIMIZE' , 0; - - fatal_error 'IPSECFILE=ipsec is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones'; - - for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ { - $config{$default} = 'none' if "\L$config{$default}" eq 'none'; - } - - $val = $config{OPTIMIZE}; - - fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' ); - - fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones'; - - $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 
'tcfor' : 'tcpre'; - - if ( $val = $config{LOGFORMAT} ) { - my $result; - - eval { - if ( $val =~ /%d/ ) { - $globals{LOGRULENUMBERS} = 'Yes'; - $result = sprintf "$val", 'fooxx2barxx', 1, 'ACCEPT'; - } else { - $result = sprintf "$val", 'fooxx2barxx', 'ACCEPT'; - } - }; - - fatal_error "Invalid LOGFORMAT ($val)" if $@; - - fatal_error "LOGFORMAT string is longer than 29 characters ($val)" if length $result > 29; - - $globals{MAXZONENAMELENGTH} = int ( 5 + ( ( 29 - (length $result ) ) / 2) ); - } else { - $config{LOGFORMAT}='Shorewall:%s:%s:'; - $globals{MAXZONENAMELENGTH} = 5; - } - - if ( $config{LOCKFILE} ) { - my ( $file, $dir, $suffix ); - - eval { - ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} ); - }; - - die $@ if $@; - - fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir; - } else { - $config{LOCKFILE} = ''; - } -} - -# -# The values of the options in @propagateconfig are copied to the object file in OPTION= format. -# -sub propagateconfig() { - for my $option ( @propagateconfig ) { - my $value = $config{$option} || ''; - emit "$option=\"$value\""; - } - - for my $option ( @propagateenv ) { - my $value = $globals{$option} || ''; - emit "$option=\"$value\""; - } -} - -# -# Add a shell script file to the output script -- Return true if the -# file exists and is not in /usr/share/shorewall/. -# -sub append_file( $ ) { - my $user_exit = find_file $_[0]; - my $result = 0; - - unless ( $user_exit =~ /^($globals{SHAREDIR})/ ) { - if ( -f $user_exit ) { - $result = 1; - save_progress_message "Processing $user_exit ..."; - copy1 $user_exit; - } - } - - $result; -} - -# -# Run a Perl extension script -# -sub run_user_exit( $ ) { - my $chainref = $_[0]; - my $file = find_file $chainref->{name}; - - if ( -f $file ) { - progress_message "Processing $file..."; - - my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . 
`cat $file`; - - unless (my $return = eval $command ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } -} - -sub run_user_exit1( $ ) { - my $file = find_file $_[0]; - - if ( -f $file ) { - progress_message "Processing $file..."; - # - # File may be empty -- in which case eval would fail - # - push_open $file; - - if ( read_a_line ) { - close_file; - - my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`; - - unless (my $return = eval $command ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } else { - pop_open; - } - } -} - -sub run_user_exit2( $$ ) { - my ($file, $chainref) = ( find_file $_[0], $_[1] ); - - if ( -f $file ) { - progress_message "Processing $file..."; - # - # File may be empty -- in which case eval would fail - # - push_open $file; - - if ( read_a_line ) { - close_file; - - unless (my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" 
if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } - - pop_open; - - } -} - -# -# Generate the aux config file for Shorewall Lite -# -sub generate_aux_config() { - sub conditionally_add_option( $ ) { - my $option = $_[0]; - - my $value = $config{$option}; - - emit "[ -n \"\${$option:=$value}\" ]" if $value ne ''; - } - - sub conditionally_add_option1( $ ) { - my $option = $_[0]; - - my $value = $config{$option}; - - emit "$option=\"$value\"" if $value; - } - - create_temp_aux_config; - - my $date = localtime; - - emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { - conditionally_add_option $option; - } - - conditionally_add_option1 'TC_ENABLED'; - - finalize_aux_config; - -} - -END { - # - # Close files first in case we're running under Cygwin - # - close $object if $object; - close $scriptfile if $scriptfile; - close $log if $log; - # - # Unlink temporary files - # - unlink $tempfile if $tempfile; - unlink $scriptfilename if $scriptfilename; - unlink $_ for @tempfiles; -} - -1; diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/IPAddrs.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/IPAddrs.pm deleted file mode 100644 index e8c514778..000000000 --- a/Shorewall-perl-IPv6-Aborted/Shorewall/IPAddrs.pm +++ /dev/null 
@@ -1,562 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/IPAddrs.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module provides interfaces for dealing with IPv4 addresses, protocol names, and -# port names. It also exports functions for validating protocol- and port- (service) -# related constructs. 
-# -package Shorewall::IPAddrs; -require Exporter; -use Socket6; -use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8); - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( ALLIPv4 - ALLIPv6 - TCP - UDP - ICMP - IPv6_ICMP - SCTP - - F_INET - F_INET6 - - validate_address - validate_6address - validate_net - validate_6net - decompose_net - validate_host - validate_6host - validate_range - validate_6range - ip_range_explicit - expand_port_range - allipv4 - allipv6 - rfc1918_networks - resolve_proto - proto_name - validate_port - validate_portpair - validate_port_list - validate_icmp - ); -our @EXPORT_OK = qw( ); -our $VERSION = 4.3.0; - -# -# Some IPv4/6 useful stuff -# -our @allipv4 = ( '0.0.0.0/0' ); -our @allipv6 = ( '::/0' ); - -use constant { ALLIPv4 => '0.0.0.0/0' , - ALLIPv6 => '::/0' , - F_INET => 1, - F_INET6 => 2, - ICMP => 1, - TCP => 6, - UDP => 17, - ICMPv6_ICMP => 58, - SCTP => 132 }; - -our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); - -sub vlsm_to_mask( $ ) { - my $vlsm = $_[0]; - - in_hex8 ( ( 0xFFFFFFFF << ( 32 - $vlsm ) ) && 0xFFFFFFFF ); -} - -sub valid_address( $ ) { - my $address = $_[0]; - - my @address = split /\./, $address; - return 0 unless @address == 4; - for my $a ( @address ) { - return 0 unless $a =~ /^\d+$/ && $a < 256; - } - - 1; -} - -sub validate_address( $$ ) { - my ( $addr, $allow_name ) = @_; - - my @addrs = ( $addr ); - - unless ( valid_address $addr ) { - fatal_error "Invalid IP Address ($addr)" unless $allow_name; - fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr); - - if ( defined wantarray ) { - shift @addrs for (1..4); - for ( @addrs ) { - $_ = inet_htoa $_; - } - } - } - - defined wantarray ? wantarray ? 
@addrs : $addrs[0] : undef; -} - -sub decodeaddr( $ ) { - my $address = $_[0]; - - my @address = split /\./, $address; - - my $result = shift @address; - - for my $a ( @address ) { - $result = ( $result << 8 ) | $a; - } - - $result; -} - -sub encodeaddr( $ ) { - my $addr = $_[0]; - my $result = $addr & 0xff; - - for my $i ( 1..3 ) { - my $a = ($addr = $addr >> 8) & 0xff; - $result = "$a.$result"; - } - - $result; -} - -sub validate_net( $$ ) { - my ($net, $vlsm, $rest) = split( '/', $_[0], 3 ); - my $allow_name = $_[1]; - - $net = '' unless defined $net; - - fatal_error "Missing address" if $net eq ''; - fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+'; - - if ( defined $vlsm ) { - fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32; - fatal_error "Invalid Network address ($_[0])" if defined $rest; - fatal_error "Invalid IP address ($net)" unless valid_address $net; - } else { - fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! 
defined $net; - validate_address $net, $_[1]; - $vlsm = 32; - } - - if ( defined wantarray ) { - fatal_error "Internal Error in validate_net()" if $allow_name; - if ( wantarray ) { - ( decodeaddr( $net ) , $vlsm ); - } else { - "$net/$vlsm"; - } - } -} - -sub validate_range( $$ ) { - my ( $low, $high ) = @_; - - validate_address $low, 0; - validate_address $high, 0; - - my $first = decodeaddr $low; - my $last = decodeaddr $high; - - fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last; -} - -sub ip_range_explicit( $ ) { - my $range = $_[0]; - my @result; - - my ( $low, $high ) = split /-/, $range; - - validate_address $low, 0; - - push @result, $low; - - if ( defined $high ) { - validate_address $high, 0; - - my $first = decodeaddr $low; - my $last = decodeaddr $high; - my $diff = $last - $first; - - fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256; - - while ( ++$first <= $last ) { - push @result, encodeaddr( $first ); - } - } - - @result; -} - -sub decompose_net( $ ) { - my $net = $_[0]; - - return ( qw/0x00000000 0x00000000/ ) if $net eq '-'; - - ( $net, my $vlsm ) = validate_net( $net , 0 ); - - ( in_hex8( $net ) , vlsm_to_mask( $vlsm ) ); - -} - -sub validate_host( $$ ) { - my ( $host, $allow_name ) = $_[0]; - - if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - validate_range $1, $2; - } else { - validate_net( $host, $allow_name ); - } -} - -sub allipv4() { - @allipv4; -} - -sub allipv6() { - @allipv6; -} - -sub rfc1918_networks() { - @rfc1918_networks -} - -# -# Protocol/port validation -# - -our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 ); -our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' ); - -# -# Returns the protocol number if the passed argument is a valid protocol number or name. 
Returns undef otherwise -# -sub resolve_proto( $ ) { - my $proto = $_[0]; - my $number; - - $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto; -} - -sub proto_name( $ ) { - my $proto = $_[0]; - - $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto -} - -sub validate_port( $$ ) { - my ($proto, $port) = @_; - - my $value; - - if ( $port =~ /^(\d+)$/ ) { - return $port if $port <= 65535; - } else { - $proto = proto_name $proto if $proto =~ /^(\d+)$/; - $value = getservbyname( $port, $proto ); - } - - fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value; - - $value; -} - -sub validate_portpair( $$ ) { - my ($proto, $portpair) = @_; - - fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; - - $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':'; - $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':'; - - my @ports = split /:/, $portpair, 2; - - $_ = validate_port( $proto, $_) for ( @ports ); - - if ( @ports == 2 ) { - fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; - } - - join ':', @ports; - -} - -sub validate_port_list( $$ ) { - my $result = ''; - my ( $proto, $list ) = @_; - my @list = split_list( $list, 'port' ); - - if ( @list > 1 && $list =~ /:/ ) { - require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' ); - } - - $proto = proto_name $proto; - - for ( @list ) { - my $value = validate_portpair( $proto , $_ ); - $result = $result ? 
join ',', $result, $value : $value; - } - - $result; -} - -my %icmp_types = ( any => 'any', - 'echo-reply' => 0, - 'destination-unreachable' => 3, - 'network-unreachable' => '3/0', - 'host-unreachable' => '3/1', - 'protocol-unreachable' => '3/2', - 'port-unreachable' => '3/3', - 'fragmentation-needed' => '3/4', - 'source-route-failed' => '3/5', - 'network-unknown' => '3/6', - 'host-unknown' => '3/7', - 'network-prohibited' => '3/9', - 'host-prohibited' => '3/10', - 'TOS-network-unreachable' => '3/11', - 'TOS-host-unreachable' => '3/12', - 'communication-prohibited' => '3/13', - 'host-precedence-violation' => '3/14', - 'precedence-cutoff' => '3/15', - 'source-quench' => 4, - 'redirect' => 5, - 'network-redirect' => '5/0', - 'host-redirect' => '5/1', - 'TOS-network-redirect' => '5/2', - 'TOS-host-redirect' => '5/3', - 'echo-request' => '8', - 'router-advertisement' => 9, - 'router-solicitation' => 10, - 'time-exceeded' => 11, - 'ttl-zero-during-transit' => '11/0', - 'ttl-zero-during-reassembly' => '11/1', - 'parameter-problem' => 12, - 'ip-header-bad' => '12/0', - 'required-option-missing' => '12/1', - 'timestamp-request' => 13, - 'timestamp-reply' => 14, - 'address-mask-request' => 17, - 'address-mask-reply' => 18 ); - -sub validate_icmp( $ ) { - my $type = $_[0]; - - my $value = $icmp_types{$type}; - - return $value if defined $value; - - if ( $type =~ /^(\d+)(\/(\d+))?$/ ) { - return $type if $1 < 256 && ( ! $2 || $3 < 256 ); - } - - fatal_error "Invalid ICMP Type ($type)" -} - -# -# Expands a port range into a minimal list of ( port, mask ) pairs. -# Each port and mask are expressed as 4 hex nibbles without a leading '0x'. 
-# -# Example: -# -# DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n" -# 006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000 -# -sub expand_port_range( $$ ) { - my ( $proto, $range ) = @_; - - if ( $range =~ /^(.*):(.*)$/ ) { - my ( $first, $last ) = ( $1, $2); - my @result; - - fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne ''; - # - # Supply missing first/last port number - # - $first = 0 if $first eq ''; - $last = 65535 if $last eq ''; - # - # Validate the ports - # - ( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) ); - - $last++; #Increment last address for limit testing. - # - # Break the range into groups: - # - # - If the first port in the remaining range is odd, then the next group is ( , ffff ). - # - Otherwise, find the largest power of two P that divides the first address such that - # the remaining range has less than or equal to P ports. The next group is - # ( , ~( P-1 ) ). - # - while ( ( my $ports = ( $last - $first ) ) > 0 ) { - my $mask = 0xffff; #Mask for current ports in group. - my $y = 2; #Next power of two to test - my $z = 1; #Number of ports in current group (Previous value of $y). - - while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) { - $mask <<= 1; - $z = $y; - $y <<= 1; - } - # - # - push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff ); - $first += $z; - } - - fatal_error "Invalid port range ($range)" unless @result; # first port > last port - - @result; - - } else { - ( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' ); - } -} - -sub valid_6address( $ ) { - my $address = $_[0]; - - my @address = split /:/, $address; - - return 0 if @address > 8; - return 0 if @address < 8 && ! 
$address =~ /::/; - return 0 if $address =~ /:::/ || $address =~ /::.*::/; - - if ( $address =~ /^:/ ) { - unless ( $address eq '::' ) { - return 0 if $address =~ /:$/ || $address =~ /^:.*::/; - } - } elsif ( $address =~ /:$/ ) { - return 0 if $address =~ /::.*:$/; - } - - for my $a ( @address ) { - return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 ); - } - - 1; -} - -sub validate_6address( $$ ) { - my ( $addr, $allow_name ) = @_; - - my @addrs = ( $addr ); - - unless ( valid_6address $addr ) { - fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; - fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname2 $addr, AF_INET6); - - if ( defined wantarray ) { - shift @addrs for (1..4); - for ( @addrs ) { - $_ = inet_ntop AF_INET6, $_; - } - } - } - - defined wantarray ? wantarray ? @addrs : $addrs[0] : undef; -} - -sub validate_6net( $$ ) { - my ($net, $vlsm, $rest) = split( '/', $_[0], 3 ); - my $allow_name = $_[1]; - - fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+'; - - if ( defined $vlsm ) { - fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 64; - fatal_error "Invalid Network address ($_[0])" if defined $rest; - fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net; - } else { - fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! 
defined $net; - validate_6address $net, $allow_name; - } -} - -sub validate_6range( $$ ) { - my ( $low, $high ) = @_; - - validate_6address $low, 0; - validate_6address $high, 0; - - my @low = split ":", $low; - my @high = split ":", $high; - - if ( @low == @high ) { - my ( $l, $h) = ( pop @low, pop @high ); - - return 1 if hex "0x$l" <= hex "0x$h" && join( ":", @low ) eq join( ":", @high ); - } - - fatal_error "Invalid IPv6 Range ($low-$high)"; -} - -my %ipv6_icmp_types = ( any => 'any', - 'destination-unreachable' => 1, - 'no-route' => '1/0', - 'communication-prohibited' => '1/1', - 'address-unreachable' => '1/2', - 'port-unreachable' => '1/3', - 'packet-too-big' => 2, - 'time-exceeded' => 3, - 'ttl-exceeded' => 3, - 'ttl-zero-during-transit' => '3/0', - 'ttl-zero-during-reassembly' => '3/1', - 'parameter-problem' => 4, - 'bad-header' => '4/0', - 'unknown-header-type' => '4/1', - 'unknown-option' => '4/2', - 'echo-request' => 128, - 'echo-reply' => 129, - 'router-solicitation' => 133, - 'router-advertisement' => 134, - 'neighbour-solicitation' => 135, - 'neighbour-advertisement' => 136, - redirect => 137 ); - - -sub validate_icmp6( $ ) { - my $type = $_[0]; - - my $value = $ipv6_icmp_types{$type}; - - return $value if defined $value; - - if ( $type =~ /^(\d+)(\/(\d+))?$/ ) { - return $type if $1 < 256 && ( ! $2 || $3 < 256 ); - } - - fatal_error "Invalid IPv6 ICMP Type ($type)" -} - - -1; diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Nat.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Nat.pm deleted file mode 100644 index c5f27c3cd..000000000 --- a/Shorewall-perl-IPv6-Aborted/Shorewall/Nat.pm +++ /dev/null 
@@ -1,518 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Nat.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains code for dealing with the /etc/shorewall/masq,
-# /etc/shorewall/nat and /etc/shorewall/netmap files.
-#
-package Shorewall::Nat;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Zones;
-use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Providers qw( lookup_provider );
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our @EXPORT_OK = ();
-our $VERSION = 4.1.5;
-
-our @addresses_to_add;
-our %addresses_to_add;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-# - -sub initialize() { - @addresses_to_add = (); - %addresses_to_add = (); -} - -INIT { - initialize; -} - -# -# Handle IPSEC Options in a masq record -# -sub do_ipsec_options($) -{ - my %validoptions = ( strict => NOTHING, - next => NOTHING, - reqid => NUMERIC, - spi => NUMERIC, - proto => IPSECPROTO, - mode => IPSECMODE, - "tunnel-src" => NETWORK, - "tunnel-dst" => NETWORK, - ); - my $list=$_[0]; - my $options = '-m policy --pol ipsec --dir out '; - my $fmt; - - for my $e ( split_list $list, 'option' ) { - my $val = undef; - my $invert = ''; - - if ( $e =~ /([\w-]+)!=(.+)/ ) { - $val = $2; - $e = $1; - $invert = '! '; - } elsif ( $e =~ /([\w-]+)=(.+)/ ) { - $val = $2; - $e = $1; - } - - $fmt = $validoptions{$e}; - - fatal_error "Invalid Option ($e)" unless $fmt; - - if ( $fmt eq NOTHING ) { - fatal_error "Option \"$e\" does not take a value" if defined $val; - } else { - fatal_error "Missing value for option \"$e\"" unless defined $val; - fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/; - } - - $options .= $invert; - $options .= "--$e "; - $options .= "$val " if defined $val; - } - - $options; -} - -# -# Process a single rule from the the masq file -# -sub setup_one_masq($$$$$$$) -{ - my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark) = @_; - - my $pre_nat; - my $add_snat_aliases = $config{ADD_SNAT_ALIASES}; - my $destnets = ''; - my $baserule = ''; - - # - # Leading '+' - # - $pre_nat = 1 if $interfacelist =~ s/^\+//; - # - # Parse the remaining part of the INTERFACE column - # - if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) { - $add_snat_aliases = 0; - $destnets = $2; - $interfacelist = $1; - } elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) { - $destnets = $2; - $interfacelist = $1; - } elsif ( $interfacelist =~ /^([^:]+):$/ ) { - $add_snat_aliases = 0; - $interfacelist = $1; - } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) { - my ( $one, $two ) = ( $1, $2 ); - if ( $2 =~ /\./ ) { - 
$interfacelist = $one; - $destnets = $two; - } - } - # - # If there is no source or destination then allow all addresses - # - $networks = ALLIPv4 if $networks eq '-'; - $destnets = ALLIPv4 if $destnets eq '-'; - - # - # Handle IPSEC options, if any - # - if ( $ipsec ne '-' ) { - fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH}; - - if ( $ipsec =~ /^yes$/i ) { - $baserule .= '-m policy --pol ipsec --dir out '; - } elsif ( $ipsec =~ /^no$/i ) { - $baserule .= '-m policy --pol none --dir out '; - } else { - $baserule .= do_ipsec_options $ipsec; - } - } elsif ( $capabilities{POLICY_MATCH} ) { - $baserule .= '-m policy --pol none --dir out '; - } - - # - # Handle Protocol and Ports - # - $baserule .= do_proto $proto, $ports, ''; - - # - # Handle Mark - # - $baserule .= do_test( $mark, 0xFF) if $mark ne '-'; - - for my $fullinterface (split_list $interfacelist, 'interface' ) { - my $rule = ''; - my $target = '-j MASQUERADE '; - # - # Isolate and verify the interface part - # - ( my $interface = $fullinterface ) =~ s/:.*//; - - if ( $interface =~ /(.*)[(](\w*)[)]$/ ) { - $interface = $1; - my $provider = $2; - $fullinterface =~ s/[(]\w*[)]//; - my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/; - - fatal_error "$provider is not a shared-interface provider" unless $realm; - - $rule .= "-m realm --realm $realm "; - } - - fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); - - unless ( $interfaceref->{root} ) { - $rule .= "-o $interface "; - $interface = $interfaceref->{name}; - } - - my $chainref = ensure_chain('nat', $pre_nat ? 
snat_chain $interface : masq_chain $interface); - - my $detectaddress = 0; - my $exceptionrule = ''; - my $randomize = ''; - # - # Parse the ADDRESSES column - # - if ( $addresses ne '-' ) { - if ( $addresses eq 'random' ) { - $randomize = '--random '; - } else { - $addresses =~ s/:random$// and $randomize = '--random '; - - if ( $addresses =~ /^SAME:nodst:/ ) { - fatal_error "':random' is not supported by the SAME target" if $randomize; - $target = '-j SAME --nodst '; - $addresses =~ s/.*://; - for my $addr ( split_list $addresses, 'address' ) { - $target .= "--to $addr "; - } - } elsif ( $addresses =~ /^SAME:/ ) { - fatal_error "':random' is not supported by the SAME target" if $randomize; - $target = '-j SAME '; - $addresses =~ s/.*://; - for my $addr ( split_list $addresses, 'address' ) { - $target .= "--to $addr "; - } - } elsif ( $addresses eq 'detect' ) { - my $variable = get_interface_address $interface; - $target = "-j SNAT --to-source $variable"; - - if ( interface_is_optional $interface ) { - add_commands( $chainref, - '', - "if [ \"$variable\" != 0.0.0.0 ]; then" ); - incr_cmd_level( $chainref ); - $detectaddress = 1; - } - } elsif ( $addresses eq 'NONAT' ) { - $target = '-j RETURN'; - $add_snat_aliases = 0; - } else { - my $addrlist = ''; - for my $addr ( split_list $addresses , 'address' ) { - if ( $addr =~ /^.*\..*\..*\./ ) { - $target = '-j SNAT '; - $addrlist .= "--to-source $addr "; - $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/; - } else { - $addr =~ s/^://; - $addrlist .= "--to-ports $addr "; - $exceptionrule = do_proto( $proto, '', '' ); - } - } - - $target .= $addrlist; - } - } - - $target .= $randomize; - } else { - $add_snat_aliases = 0; - } - # - # And Generate the Rule(s) - # - expand_rule( $chainref , - POSTROUTE_RESTRICT , - $baserule . 
$rule , - $networks , - $destnets , - '' , - '' , - $target , - '' , - '' , - $exceptionrule ); - - if ( $detectaddress ) { - decr_cmd_level( $chainref ); - add_command( $chainref , 'fi' ); - } - - if ( $add_snat_aliases ) { - my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 ); - fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; - for my $address ( split_list $addresses, 'address' ) { - my ( $addrs, $port ) = split /:/, $address; - next unless $addrs; - next if $addrs eq 'detect'; - for my $addr ( ip_range_explicit $addrs ) { - unless ( $addresses_to_add{$addr} ) { - emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES}; - $addresses_to_add{$addr} = 1; - if ( defined $alias ) { - push @addresses_to_add, $addr, "$interface:$alias"; - $alias++; - } else { - push @addresses_to_add, $addr, $interface; - } - } - } - } - } - } - - progress_message " Masq record \"$currentline\" $done"; - -} - -# -# Process the masq file -# -sub setup_masq() -{ - my $fn = open_file 'masq'; - - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); - - while ( read_a_line ) { - - my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file'; - - if ( $fullinterface eq 'COMMENT' ) { - process_comment; - } else { - setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark; - } - } - - clear_comment; - -} - -# -# Validate the ALL INTERFACES or LOCAL column in the NAT file -# -sub validate_nat_column( $$ ) { - my $ref = $_[1]; - my $val = $$ref; - - if ( defined $val ) { - unless ( ( $val = "\L$val" ) eq 'yes' ) { - if ( ( $val eq 'no' ) || ( $val eq '-' ) ) { - $$ref = ''; - } else { - fatal_error "Invalid value ($val) for $_[0]"; - } - } - } else { - $$ref = ''; - } -} - -# -# Process a record from the NAT file -# -sub do_one_nat( $$$$$ ) -{ - my ( $external, $fullinterface, $internal, $allints, 
$localnat ) = @_; - - my ( $interface, $alias, $remainder ) = split( /:/, $fullinterface, 3 ); - - fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; - - sub add_nat_rule( $$ ) { - add_rule ensure_chain( 'nat', $_[0] ) , $_[1]; - } - - my $add_ip_aliases = $config{ADD_IP_ALIASES}; - - my $policyin = ''; - my $policyout = ''; - my $rulein = ''; - my $ruleout = ''; - - fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); - - unless ( $interfaceref->{root} ) { - $rulein = "-i $interface "; - $ruleout = "-o $interface "; - $interface = $interfaceref->{name}; - } - - if ( $capabilities{POLICY_MATCH} ) { - $policyin = ' -m policy --pol none --dir in'; - $policyout = '-m policy --pol none --dir out'; - } - - fatal_error "Invalid nat file entry" unless defined $interface && defined $internal; - - if ( $add_ip_aliases ) { - if ( defined( $alias ) && $alias eq '' ) { - $add_ip_aliases = ''; - } else { - emit "del_ip_addr $external $interface" unless $config{RETAIN_ALIASES}; - } - } - - validate_nat_column 'ALL INTERFACES', \$allints; - validate_nat_column 'LOCAL' , \$localnat; - - if ( $allints ) { - add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal"; - add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external"; - } else { - add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal"; - add_nat_rule output_chain( $interface ) , $ruleout . 
"-s $internal $policyout -j SNAT --to-source $external"; - } - - add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat; - - if ( $add_ip_aliases ) { - unless ( $addresses_to_add{$external} ) { - $addresses_to_add{$external} = 1; - push @addresses_to_add, ( $external , $fullinterface ); - } - } - -} - -# -# Process NAT file -# -sub setup_nat() { - - my $fn = open_file 'nat'; - - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); - - while ( read_a_line ) { - - my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; - - if ( $external eq 'COMMENT' ) { - process_comment; - } else { - ( $interfacelist, my $digit ) = split /:/, $interfacelist; - - $digit = defined $digit ? ":$digit" : ''; - - for my $interface ( split_list $interfacelist , 'interface' ) { - fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne ''; - do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat; - } - - progress_message " NAT entry \"$currentline\" $done"; - } - - } - - clear_comment; -} - -# -# Setup Network Mapping -# -sub setup_netmap() { - - my $fn = open_file 'netmap'; - - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); - - while ( read_a_line ) { - - my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file'; - - for my $interface ( split_list $interfacelist, 'interface' ) { - - my $rulein = ''; - my $ruleout = ''; - my $iface = $interface; - - fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface ); - - unless ( $interfaceref->{root} ) { - $rulein = "-i $interface "; - $ruleout = "-o $interface "; - $interface = $interfaceref->{name}; - } - - if ( $type eq 'DNAT' ) { - add_rule ensure_chain( 'nat' , input_chain $interface ) , 
$rulein . "-d $net1 -j NETMAP --to $net2";
- } elsif ( $type eq 'SNAT' ) {
- add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
- } else {
- fatal_error "Invalid type ($type)";
- }
-
- progress_message " Network $net1 on $iface mapped to $net2 ($type)";
- }
- }
-
-}
-
-sub add_addresses () {
- if ( @addresses_to_add ) {
- my $arg = '';
-
- while ( @addresses_to_add ) {
- my $addr = shift @addresses_to_add;
- my $interface = shift @addresses_to_add;
- $arg = "$arg $addr $interface";
- }
-
- emit "add_ip_aliases $arg";
- }
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Policy.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Policy.pm
deleted file mode 100644
index 4ee7ebcb3..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Policy.pm
+++ /dev/null
@@ -1,855 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Policy.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module deals with the /etc/shorewall/policy file.
-#
-package Shorewall::Policy;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::IPAddrs;
-use Shorewall::Chains qw( :DEFAULT :internal) ;
-use Shorewall::Actions;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy
- validate_6policy
- apply_policy_rules
- apply_6policy_rules
- complete_standard_chain
- complete_standard_6chain
- setup_syn_flood_chains
- setup_syn_flood_6chains );
-
-our @EXPORT_OK = qw( );
-our $VERSION = 4.3.0;
-
-# @policy_chains is a list of references to policy chains in the filter table
-
-our @policy_chains;
-
-# @policy_6chains is a list of references to policy chains in the filter6 table
-
-our @policy_6chains;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process.
The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - @policy_chains = (); - @policy_6chains = (); -} - -INIT { - initialize; -} - -# -# Convert a chain into a policy chain. -# -sub convert_to_policy_chain($$$$$) -{ - my ($chainref, $source, $dest, $policy, $optional ) = @_; - - $chainref->{is_policy} = 1; - $chainref->{policy} = $policy; - $chainref->{is_optional} = $optional; - $chainref->{policychain} = $chainref->{name}; - $chainref->{policypair} = [ $source, $dest ]; -} - -# -# Create a new policy chain and return a reference to it. -# -sub new_policy_chain($$$$) -{ - my ($source, $dest, $policy, $optional) = @_; - - my $chainref = new_chain( 'filter', "${source}2${dest}" ); - - convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional ); - - $chainref; -} - -# -# Create a new policy 6chain and return a reference to it. -# -sub new_policy_6chain($$$$) -{ - my ($source, $dest, $policy, $optional) = @_; - - my $chainref = new_6chain( 'filter', "${source}2${dest}" ); - - convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional ); - - $chainref; -} - -# -# Set the passed chain's policychain and policy to the passed values. -# -sub set_policy_chain($$$$$) -{ - my ($source, $dest, $chain1, $chainref, $policy ) = @_; - - my $chainref1 = $filter_table->{$chain1}; - - $chainref1 = new_chain 'filter', $chain1 unless $chainref1; - - unless ( $chainref1->{policychain} ) { - if ( $config{EXPAND_POLICIES} ) { - # - # We convert the canonical chain into a policy chain, using the settings of the - # passed policy chain. 
- # - $chainref1->{policychain} = $chain1; - $chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel}; - - if ( defined $chainref->{synparams} ) { - $chainref1->{synparams} = $chainref->{synparams}; - $chainref1->{synchain} = $chainref->{synchain}; - } - - $chainref1->{default} = $chainref->{default} if defined $chainref->{default}; - $chainref1->{is_policy} = 1; - push @policy_chains, $chainref1; - } else { - $chainref1->{policychain} = $chainref->{name}; - } - - $chainref1->{policy} = $policy; - $chainref1->{policypair} = [ $source, $dest ]; - } -} - -# -# Process the policy file -# -use constant { OPTIONAL => 1 }; - -sub add_or_modify_policy_chain( $$ ) { - my ( $zone, $zone1 ) = @_; - my $chain = "${zone}2${zone1}"; - my $chainref = $filter_table->{$chain}; - - if ( $chainref ) { - unless( $chainref->{is_policy} ) { - convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); - push @policy_chains, $chainref; - } - } else { - push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); - } -} - -sub add_or_modify_policy_6chain( $$ ) { - my ( $zone, $zone1 ) = @_; - my $chain = "${zone}2${zone1}"; - my $chainref = $filter6_table->{$chain}; - - if ( $chainref ) { - unless( $chainref->{is_policy} ) { - convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); - push @policy_6chains, $chainref; - } - } else { - push @policy_6chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); - } -} - -sub print_policy($$$$) { - my ( $source, $dest, $policy , $chain ) = @_; - unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) { - if ( $policy eq 'CONTINUE' ) { - my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) ); - warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! 
( @{$sourceref->{parents}} || @{$destref->{parents}} ); - } - progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest; - } -} - -sub validate_policy() -{ - my %validpolicies = ( - ACCEPT => undef, - REJECT => undef, - DROP => undef, - CONTINUE => undef, - QUEUE => undef, - NFQUEUE => undef, - NONE => undef - ); - - my %map = ( DROP_DEFAULT => 'DROP' , - REJECT_DEFAULT => 'REJECT' , - ACCEPT_DEFAULT => 'ACCEPT' , - QUEUE_DEFAULT => 'QUEUE' , - NFQUEUE_DEFAULT => 'NFQUEUE' ); - - my $zone; - my @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); - - for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { - my $action = $config{$option}; - next if $action eq 'none'; - my $actiontype = $targets{$action}; - - if ( defined $actiontype ) { - fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION; - } else { - fatal_error "Default Action $option=$action not found"; - } - - unless ( $usedactions{$action} ) { - $usedactions{$action} = 1; - createactionchain $action; - } - - $default_actions{$map{$option}} = $action; - } - - for $zone ( all_zones ) { - push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL ); - - if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { - for my $zone1 ( all_zones ) { - unless( $zone eq $zone1 ) { - add_or_modify_policy_chain( $zone, $zone1 ); - add_or_modify_policy_chain( $zone1, $zone ); - } - } - } - } - - my $fn = open_file 'policy'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file'; - - $loglevel = '' if $loglevel eq '-'; - $synparams = '' if $synparams eq '-'; - $connlimit = '' if $connlimit eq '-'; - - my $clientwild = ( "\L$client" eq 'all' ); - - unless ( $clientwild ) { - fatal_error "Undefined zone ($client)" unless defined_zone( $client ); - 
fatal_error "IPv6 zone ($client) not permitted in policy file" unless zone_family($client) & F_INET; - } - - my $serverwild = ( "\L$server" eq 'all' ); - - unless ( $serverwild ) { - fatal_error "Undefined zone ($server)" unless defined_zone( $server ); - fatal_error "IPv6 zone ($server) not permitted in policy file" unless zone_family($server) & F_INET; - } - - my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 ); - - fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; - - fatal_error "Invalid default action ($default:$remainder)" if defined $remainder; - - ( $policy , my $queue ) = get_target_param $policy; - - if ( $default ) { - if ( "\L$default" eq 'none' ) { - $default = 'none'; - } else { - my $defaulttype = $targets{$default} || 0; - - if ( $defaulttype & ACTION ) { - unless ( $usedactions{$default} ) { - $usedactions{$default} = 1; - createactionchain $default; - } - } else { - fatal_error "Unknown Default Action ($default)"; - } - } - } else { - $default = $default_actions{$policy} || ''; - } - - fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; - - if ( defined $queue ) { - fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE'; - require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); - my $queuenum = numeric_value( $queue ); - fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535; - $policy = "NFQUEUE --queue-num $queuenum"; - } elsif ( $policy eq 'NONE' ) { - fatal_error "NONE policy not allowed with \"all\"" - if $clientwild || $serverwild; - fatal_error "NONE policy not allowed to/from firewall zone" - if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' ); - } - - unless ( $clientwild || $serverwild ) { - if ( zone_type( $server ) eq 'bport4' ) { - fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge" - unless 
find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge}; - } - } - - my $chain = "${client}2${server}"; - my $chainref; - - if ( defined $filter_table->{$chain} ) { - $chainref = $filter_table->{$chain}; - - if ( $chainref->{is_policy} ) { - if ( $chainref->{is_optional} ) { - $chainref->{is_optional} = 0; - $chainref->{policy} = $policy; - } else { - fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); - } - } elsif ( $chainref->{policy} ) { - fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); - } else { - convert_to_policy_chain( $chainref, $client, $server, $policy, 0 ); - push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); - } - } else { - $chainref = new_policy_chain $client, $server, $policy, 0; - push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); - } - - $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne ''; - - if ( $synparams ne '' || $connlimit ne '' ) { - my $value = ''; - fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/; - $value = do_ratelimit $synparams, 'ACCEPT' if $synparams ne ''; - $value .= do_connlimit $connlimit if $connlimit ne ''; - $chainref->{synparams} = $value; - $chainref->{synchain} = $chain - } - - $chainref->{default} = $default if $default; - - if ( $clientwild ) { - if ( $serverwild ) { - for my $zone ( @zonelist ) { - for my $zone1 ( @zonelist ) { - set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy; - print_policy $zone, $zone1, $policy, $chain; - } - } - } else { - for my $zone ( all_zones ) { - set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy; - print_policy $zone, $server, $policy, $chain; - } - } - } elsif ( 
$serverwild ) { - for my $zone ( @zonelist ) { - set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; - print_policy $client, $zone, $policy, $chain; - } - - } else { - print_policy $client, $server, $policy, $chain; - } - } - - for $zone ( all_zones ) { - for my $zone1 ( all_zones ) { - fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy}; - } - } -} - - -sub validate_6policy() -{ - my %validpolicies = ( - ACCEPT => undef, - REJECT => undef, - DROP => undef, - CONTINUE => undef, - QUEUE => undef, - NFQUEUE => undef, - NONE => undef - ); - - my %map = ( DROP_DEFAULT => 'DROP' , - REJECT_DEFAULT => 'REJECT' , - ACCEPT_DEFAULT => 'ACCEPT' , - QUEUE_DEFAULT => 'QUEUE' , - NFQUEUE_DEFAULT => 'NFQUEUE' ); - - my $zone; - my @zonelist = $config{EXPAND_POLICIES} ? all_6zones : ( all_6zones, 'all' ); - - for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { - my $action = $config{$option}; - next if $action eq 'none'; - my $actiontype = $targets{$action}; - - if ( defined $actiontype ) { - fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION; - } else { - fatal_error "Default Action $option=$action not found"; - } - - unless ( $usedactions{$action} ) { - $usedactions{$action} = 1; - createactionchain $action; - } - - $default_actions{$map{$option}} = $action; - } - - for $zone ( all_6zones ) { - push @policy_6chains, ( new_policy_6chain $zone, $zone, 'ACCEPT', OPTIONAL ); - - if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { - for my $zone1 ( all_6zones ) { - unless( $zone eq $zone1 ) { - add_or_modify_policy_chain( $zone, $zone1 ); - add_or_modify_policy_chain( $zone1, $zone ); - } - } - } - } - - my $fn = open_file '6policy'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, '6policy 
file'; - - $loglevel = '' if $loglevel eq '-'; - $synparams = '' if $synparams eq '-'; - $connlimit = '' if $connlimit eq '-'; - - my $clientwild = ( "\L$client" eq 'all' ); - - unless ( $clientwild ) { - fatal_error "Undefined zone ($client)" unless defined_zone( $client ); - fatal_error "IPv4 zone ($client) not permitted in policy file" unless zone_family($client) & F_INET6; - } - - my $serverwild = ( "\L$server" eq 'all' ); - - unless ( $serverwild ) { - fatal_error "Undefined zone ($server)" unless defined_zone( $server ); - fatal_error "IPv4 zone ($server) not permitted in policy file" unless zone_family($server) & F_INET6; - } - - my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 ); - - fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; - - fatal_error "Invalid default action ($default:$remainder)" if defined $remainder; - - ( $policy , my $queue ) = get_target_param $policy; - - if ( $default ) { - if ( "\L$default" eq 'none' ) { - $default = 'none'; - } else { - my $defaulttype = $targets6{$default} || 0; - - if ( $defaulttype & ACTION ) { - unless ( $usedactions{$default} ) { - $usedactions{$default} = 1; - createactionchain $default; - } - } else { - fatal_error "Unknown Default Action ($default)"; - } - } - } else { - $default = $default_actions{$policy} || ''; - } - - fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; - - if ( defined $queue ) { - fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE'; - require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); - my $queuenum = numeric_value( $queue ); - fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535; - $policy = "NFQUEUE --queue-num $queuenum"; - } elsif ( $policy eq 'NONE' ) { - fatal_error "NONE policy not allowed with \"all\"" - if $clientwild || $serverwild; - fatal_error "NONE policy not allowed to/from firewall zone" - if ( zone_type( $client ) eq 
'firewall' ) || ( zone_type( $server ) eq 'firewall' );
- }
-
- unless ( $clientwild || $serverwild ) {
- if ( zone_type( $server ) eq 'bport6' ) {
- fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
- unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
- }
- }
-
- my $chain = "${client}2${server}";
- my $chainref;
-
- if ( defined $filter_table->{$chain} ) {
- $chainref = $filter_table->{$chain};
-
- if ( $chainref->{is_policy} ) {
- if ( $chainref->{is_optional} ) {
- $chainref->{is_optional} = 0;
- $chainref->{policy} = $policy;
- } else {
- fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
- }
- } elsif ( $chainref->{policy} ) {
- fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
- } else {
- convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
- push @policy_6chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
- }
- } else {
- $chainref = new_policy_6chain $client, $server, $policy, 0;
- push @policy_6chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
- }
-
- $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
-
- if ( $synparams ne '' || $connlimit ne '' ) {
- my $value = '';
- fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
- $value = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
- $value .= do_connlimit $connlimit if $connlimit ne '';
- $chainref->{synparams} = $value;
- $chainref->{synchain} = $chain
- }
-
- $chainref->{default} = $default if $default;
-
- if ( $clientwild ) {
- if ( $serverwild ) {
- for my $zone ( @zonelist ) {
- for my $zone1 ( @zonelist ) {
- set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
- print_policy $zone, $zone1, $policy, $chain;
- }
- }
- } else {
- for my $zone ( all_zones ) {
- set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
- print_policy $zone, $server, $policy, $chain;
- }
- }
- } elsif ( $serverwild ) {
- for my $zone ( @zonelist ) {
- set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
- print_policy $client, $zone, $policy, $chain;
- }
-
- } else {
- print_policy $client, $server, $policy, $chain;
- }
- }
-
- for $zone ( all_zones ) {
- for my $zone1 ( all_zones ) {
- fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
- }
- }
-}
-
-
-#
-# Policy Rule application
-#
-sub policy_rules( $$$$$ ) {
- my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
-
- unless ( $target eq 'NONE' ) {
- add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
- add_rule $chainref, "-j $default" if $default && $default ne 'none';
- log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
- fatal_error "Null target in policy_rules()" unless $target;
- $target = 'reject' if $target eq 'REJECT';
-
- add_jump( $chainref , $target ) unless $target eq 'CONTINUE';
- }
-}
-
-sub policy_6rules( $$$$$ ) {
- my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
-
- unless ( $target eq 'NONE' ) {
- add_rule $chainref, "-j $default" if $default && $default ne 'none';
- log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
- fatal_error "Null target in policy_rules()" unless $target;
- $target = 'reject' if $target eq 'REJECT';
-
- add_jump( $chainref , $target ) unless $target eq 'CONTINUE';
- }
-}
-
-sub report_syn_flood_protection() {
- progress_message ' Enabled SYN flood protection';
-}
-
-sub default_policy( $$$ ) {
- my $chainref = $_[0];
- my $policyref = $filter_table->{$chainref->{policychain}};
- my $synparams = $policyref->{synparams};
- my $default = $policyref->{default};
- my $policy = $policyref->{policy};
- my $loglevel = $policyref->{loglevel};
-
- fatal_error "Internal error in default_policy()" unless $policyref;
-
- if ( $chainref eq $policyref ) {
- policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- } else {
- if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
- if ( $synparams ) {
- report_syn_flood_protection;
- policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- add_jump $chainref, $policyref;
- $chainref = $policyref;
- }
- } elsif ( $policy eq 'CONTINUE' ) {
- report_syn_flood_protection if $synparams;
- policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- report_syn_flood_protection if $synparams;
- add_jump $chainref , $policyref;
- $chainref = $policyref;
- }
- }
-
- progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
-
-}
-
-sub default_6policy( $$$ ) {
- my $chainref = $_[0];
- my $policyref = $filter6_table->{$chainref->{policychain}};
- my $synparams = $policyref->{synparams};
- my $default = $policyref->{default};
- my $policy = $policyref->{policy};
- my $loglevel = $policyref->{loglevel};
-
- fatal_error "Internal error in default_6policy()" unless $policyref;
-
- if ( $chainref eq $policyref ) {
- policy_6rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- } else {
- if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
- if ( $synparams ) {
- report_syn_flood_protection;
- policy_6rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- add_jump $chainref, $policyref;
- $chainref = $policyref;
- }
- } elsif ( $policy eq 'CONTINUE' ) {
- report_syn_flood_protection if $synparams;
- policy_6rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- report_syn_flood_protection if $synparams;
- add_jump $chainref , $policyref;
- $chainref = $policyref;
- }
- }
-
- progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
-
-}
-
-sub apply_policy_rules() {
- progress_message2 'Applying IPv4 Policies...';
-
- for my $chainref ( @policy_chains ) {
- my $policy = $chainref->{policy};
- my $loglevel = $chainref->{loglevel};
- my $optional = $chainref->{is_optional};
- my $default = $chainref->{default};
- my $name = $chainref->{name};
-
- if ( $policy ne 'NONE' ) {
- if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) {
- ensure_filter_chain $name, 1;
- }
-
- if ( $name =~ /^all2|2all$/ ) {
- run_user_exit $chainref;
- policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- }
- }
- }
-
- for my $zone ( all_zones ) {
- for my $zone1 ( all_zones ) {
- my $chainref = $filter_table->{"${zone}2${zone1}"};
-
- if ( $chainref->{referenced} ) {
- run_user_exit $chainref;
- default_policy $chainref, $zone, $zone1;
- }
- }
- }
-}
-
-sub apply_6policy_rules() {
- progress_message2 'Applying IPv6 Policies...';
-
- for my $chainref ( @policy_6chains ) {
- my $policy = $chainref->{policy};
- my $loglevel = $chainref->{loglevel};
- my $optional = $chainref->{is_optional};
- my $default = $chainref->{default};
- my $name = $chainref->{name};
-
- if ( $policy ne 'NONE' ) {
- if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) {
- ensure_filter_6chain $name, 1;
- }
-
- if ( $name =~ /^all2|2all$/ ) {
- run_user_exit $chainref;
- policy_6rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- }
- }
- }
-
- for my $zone ( all_6zones ) {
- for my $zone1 ( all_6zones ) {
- my $chainref = $filter6_table->{"${zone}2${zone1}"};
-
- if ( $chainref->{referenced} ) {
- run_user_exit $chainref;
- default_6policy $chainref, $zone, $zone1;
- }
- }
- }
-}
-
-#
-# Complete a standard chain
-#
-# - run any supplied user exit
-# - search the policy file for an applicable policy and add rules as
-# appropriate
-# - If no applicable policy is found, add rules for an assummed
-# policy of DROP INFO
-#
-sub complete_standard_chain ( $$$$ ) {
- my ( $stdchainref, $zone, $zone2, $default ) = @_;
-
- add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
-
- run_user_exit $stdchainref;
-
- my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
- my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
- my $policychainref;
-
- $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
-
- ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
-
- policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
-}
-
-#
-# Complete a standard chain
-#
-# - run any supplied user exit
-# - search the policy file for an applicable policy and add rules as
-# appropriate
-# - If no applicable policy is found, add rules for an assummed
-# policy of DROP INFO
-#
-sub complete_standard_6chain ( $$$$ ) {
- my ( $stdchainref, $zone, $zone2, $default ) = @_;
-
- add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
-
- run_user_exit $stdchainref;
-
- my $ruleschainref = $filter6_table->{"${zone}2${zone2}"};
- my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
- my $policychainref;
-
- $policychainref = $filter6_table->{$ruleschainref->{policychain}} if $ruleschainref;
-
- ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
-
- policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
-}
-
-#
-# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
-#
-sub setup_syn_flood_chains() {
- for my $chainref ( @policy_chains ) {
- my $limit = $chainref->{synparams};
- if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
- my $level = $chainref->{loglevel};
- my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
- add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
- if $level ne '';
- add_rule $synchainref, '-j DROP';
- }
- }
-}
-
-#
-# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
-#
-sub setup_syn_flood_6chains() {
- for my $chainref ( @policy_6chains ) {
- my $limit = $chainref->{synparams};
- if ( $limit && ! $filter6_table->{syn_flood_chain $chainref} ) {
- my $level = $chainref->{loglevel};
- my $synchainref = new_6chain 'filter' , syn_flood_chain $chainref;
- add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
- if $level ne '';
- add_rule $synchainref, '-j DROP';
- }
- }
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Proc.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Proc.pm
deleted file mode 100644
index 09b41c905..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Proc.pm
+++ /dev/null
@@ -1,212 +0,0 @@
-#
-# Shorewall 4.2 -- /usr/share/shorewall-perl/Shorewall/Proc.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains the code that deals with entries in /proc.
-#
-# Note: The /proc/sys/net/ipv4/conf/x/proxy_arp flag is handled
-# in the Proxyarp module.
-#
-package Shorewall::Proc;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw(
- setup_arp_filtering
- setup_route_filtering
- setup_martian_logging
- setup_source_routing
- setup_forwarding
- );
-our @EXPORT_OK = qw( );
-our $VERSION = 4.0.6;
-
-#
-# ARP Filtering
-#
-sub setup_arp_filtering() {
- save_progress_message "Setting up ARP filtering...";
-
- my $interfaces = find_interfaces_by_option 'arp_filter';
- my $interfaces1 = find_interfaces_by_option 'arp_ignore';
-
- if ( @$interfaces || @$interfaces1 ) {
- progress_message2 "$doing ARP Filtering...";
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
- my $value = get_interface_option $interface, 'arp_filter';
-
- emit ( '',
- "if [ -f $file ]; then",
- " echo $value > $file");
- emit ( 'else',
- " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
-
- for my $interface ( @$interfaces1 ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
- my $value = get_interface_option $interface, 'arp_ignore';
-
- fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
-
- emit ( "if [ -f $file ]; then",
- " echo $value > $file");
- emit ( 'else',
- " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
- }
-}
-
-#
-# Route Filtering
-#
-sub setup_route_filtering() {
-
- my $interfaces = find_interfaces_by_option 'routefilter';
-
- if ( @$interfaces || $config{ROUTE_FILTER} ) {
-
- progress_message2 "$doing Kernel Route Filtering...";
-
- save_progress_message "Setting up Route Filtering...";
-
-
- if ( $config{ROUTE_FILTER} ) {
- my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
-
- emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
- " [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
- 'done' );
- }
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
- my $value = get_interface_option $interface, 'routefilter';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
- emit "fi\n";
- }
-
- emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
- if ( $config{ROUTE_FILTER} eq 'on' ) {
- emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
- } elsif ( $config{ROUTE_FILTER} eq 'off' ) {
- emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
- }
-
- emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
- }
-}
-
-#
-# Martian Logging
-#
-
-sub setup_martian_logging() {
- my $interfaces = find_interfaces_by_option 'logmartians';
-
- if ( @$interfaces || $config{LOG_MARTIANS} ) {
-
- progress_message2 "$doing Martian Logging...";
-
- save_progress_message "Setting up Martian Logging...";
-
- if ( $config{LOG_MARTIANS} ) {
- my $val = $config{LOG_MARTIANS} eq 'on' ? 1 : 0;
-
- emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
- " [ -f \$file/log_martians ] && echo $val > \$file/log_martians",
- 'done' );
- }
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
- my $value = get_interface_option $interface, 'logmartians';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
-
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
- emit "fi\n";
- }
-
- if ( $config{LOG_MARTIANS} eq 'on' ) {
- emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
- emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
- } elsif ( $config{LOG_MARTIANS} eq 'off' ) {
- emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
- emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
- }
- }
-}
-
-#
-# Source Routing
-#
-sub setup_source_routing() {
-
- save_progress_message 'Setting up Accept Source Routing...';
-
- my $interfaces = find_interfaces_by_option 'sourceroute';
-
- if ( @$interfaces ) {
- progress_message2 "$doing Accept Source Routing...";
-
- save_progress_message 'Setting up Source Routing...';
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
- my $value = get_interface_option $interface, 'sourceroute';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
- emit "fi\n";
- }
- }
-}
-
-sub setup_forwarding() {
- if ( $config{IP_FORWARDING} eq 'on' ) {
- emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
- emit ' progress_message2 IP Forwarding Enabled';
- } elsif ( $config{IP_FORWARDING} eq 'off' ) {
- emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
- emit ' progress_message2 IP Forwarding Disabled!';
- }
-
- emit '';
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Providers.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Providers.pm
deleted file mode 100644
index b81cb6f66..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Providers.pm
+++ /dev/null
@@ -1,658 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Providers.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module deals with the /etc/shorewall/providers and
-# /etc/shorewall/route_rules files.
-#
-package Shorewall::Providers;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Zones;
-use Shorewall::Chains qw(:DEFAULT :internal);
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_providers @routemarked_interfaces);
-our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 4.1.5;
-
-use constant { LOCAL_TABLE => 255,
- MAIN_TABLE => 254,
- DEFAULT_TABLE => 253,
- UNSPEC_TABLE => 0
- };
-
-our @routemarked_providers;
-our %routemarked_interfaces;
-our @routemarked_interfaces;
-
-our $balance;
-our $first_default_route;
-
-our %providers;
-
-our @providers;
-
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-
-sub initialize() {
- @routemarked_providers = ();
- %routemarked_interfaces = ();
- @routemarked_interfaces = ();
- $balance = 0;
- $first_default_route = 1;
-
- %providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } ,
- main => { number => MAIN_TABLE , mark => 0 , optional => 0 } ,
- default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
- unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 } );
- @providers = ();
-}
-
-INIT {
- initialize;
-}
-
-#
-# Set up marking for 'tracked' interfaces.
-#
-sub setup_route_marking() {
- my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
-
- require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
- require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
-
- add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
- add_rule $mangle_table->{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
-
- my $chainref = new_chain 'mangle', 'routemark';
-
- my %marked_interfaces;
-
- for my $providerref ( @routemarked_providers ) {
- my $interface = $providerref->{interface};
- my $base = uc chain_base $interface;
-
- add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
- unless ( $marked_interfaces{$interface} ) {
- add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
- $marked_interfaces{$interface} = 1;
- }
-
- if ( $providerref->{shared} ) {
- add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
- } else {
- add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
- }
-
- decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
- }
-
- add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
-}
-
-sub copy_table( $$$ ) {
- my ( $duplicate, $number, $realm ) = @_;
-
- if ( $realm ) {
- emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
- } else {
- emit ( "ip route show table $duplicate | while read net route; do" )
- }
-
- emit ( ' case $net in',
- ' default|nexthop)',
- ' ;;',
- ' *)',
- " run_ip route add table $number \$net \$route $realm",
- ' ;;',
- ' esac',
- "done\n"
- );
-}
-
-sub copy_and_edit_table( $$$$ ) {
- my ( $duplicate, $number, $copy, $realm) = @_;
-
- if ( $realm ) {
- emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
- } else {
- emit ( "ip route show table $duplicate | while read net route; do" )
- }
-
- emit ( ' case $net in',
- ' default|nexthop)',
- ' ;;',
- ' *)',
- ' case $(find_device $route) in',
- " $copy)",
- " run_ip route add table $number \$net \$route $realm",
- ' ;;',
- ' esac',
- ' ;;',
- ' esac',
- "done\n" );
-}
-
-sub balance_default_route( $$$$ ) {
- my ( $weight, $gateway, $interface, $realm ) = @_;
-
- $balance = 1;
-
- emit '';
-
- if ( $first_default_route ) {
- if ( $gateway ) {
- emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
- } else {
- emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
- }
-
- $first_default_route = 0;
- } else {
- if ( $gateway ) {
- emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
- } else {
- emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
- }
- }
-}
-
-sub add_a_provider( $$$$$$$$ ) {
-
- my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
-
- fatal_error "Duplicate provider ($table)" if $providers{$table};
-
- my $num = numeric_value $number;
-
- fatal_error "Invalid Provider number ($number)" unless defined $num;
-
- $number = $num;
-
- for my $providerref ( values %providers ) {
- fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
- }
-
- ( $interface, my $address ) = split /:/, $interface;
-
- my $shared = 0;
-
- if ( defined $address ) {
- validate_address $address, 0;
- $shared = 1;
- require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
- }
-
- fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
-
- my $provider = chain_base $table;
- my $base = uc chain_base $interface;
-
- emit "#\n# Add Provider $table ($number)\n#";
-
- emit "if interface_is_usable $interface; then";
- push_indent;
-
- emit "qt ip route flush table $number";
- emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
-
- if ( $gateway eq 'detect' ) {
- fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
- fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
- $gateway = get_interface_gateway $interface;
- } elsif ( $gateway && $gateway ne '-' ) {
- validate_address $gateway, 0;
- } else {
- fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
- $gateway = '';
- emit "run_ip route add default dev $interface table $number";
- }
-
- my $val = 0;
-
- if ( $mark ne '-' ) {
-
- $val = numeric_value $mark;
-
- fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
- verify_mark $mark;
-
- if ( $val < 256) {
- fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
- } else {
- fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
- }
-
- for my $providerref ( values %providers ) {
- fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
- }
-
- my $pref = 10000 + $number - 1;
-
- emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
-
- emit ( "run_ip rule add fwmark $mark pref $pref table $number",
- "echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
- );
- }
-
- my ( $loose, $track, $balance , $default_balance, $optional, $mtu ) = (0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
-
- unless ( $options eq '-' ) {
- for my $option ( split_list $options, 'option' ) {
- if ( $option eq 'track' ) {
- $track = 1;
- } elsif ( $option =~ /^balance=(\d+)$/ ) {
- $balance = $1;
- } elsif ( $option eq 'balance' ) {
- $balance = 1;
- } elsif ( $option eq 'loose' ) {
- $loose = 1;
- $default_balance = 0;
- } elsif ( $option eq 'optional' ) {
- set_interface_option $interface, 'optional', 1;
- $optional = 1;
- } elsif ( $option =~ /^src=(.*)$/ ) {
- fatal_error "OPTION 'src' not allowed on shared interface" if $shared;
- $address = validate_address( $1 , 1 );
- } elsif ( $option =~ /^mtu=(\d+)$/ ) {
- $mtu = "mtu $1 ";
- } else {
- fatal_error "Invalid option ($option)";
- }
- }
- }
-
- $balance = $default_balance unless $balance;
-
- $providers{$table} = { provider => $table,
- number => $number ,
- mark => $val ,
- interface => $interface ,
- optional => $optional ,
- gateway => $gateway ,
- shared => $shared };
-
- if ( $track ) {
- fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
-
- if ( $routemarked_interfaces{$interface} ) {
- fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
- fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
- } else {
- $routemarked_interfaces{$interface} = $shared ? 1 : 2;
- push @routemarked_interfaces, $interface;
- }
-
- push @routemarked_providers, $providers{$table};
- }
-
- my $realm = '';
-
- if ( $shared ) {
- $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
- $realm = "realm $number";
- }
-
- if ( $duplicate ne '-' ) {
- fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
- if ( $copy eq '-' ) {
- copy_table ( $duplicate, $number, $realm );
- } else {
- if ( $copy eq 'none' ) {
- $copy = $interface;
- } else {
- $copy =~ tr/,/|/;
- $copy = "$interface|$copy";
- }
-
- copy_and_edit_table( $duplicate, $number ,$copy , $realm);
- }
- } elsif ( $copy ne '-' ) {
- fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
- fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
- }
-
- if ( $gateway ) {
- $address = get_interface_address $interface unless $address;
- emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
- emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
- }
-
- balance_default_route $balance , $gateway, $interface, $realm if $balance;
-
- if ( $loose ) {
- if ( $config{DELETE_THEN_ADD} ) {
- emit ( "\nfind_interface_addresses $interface | while read address; do",
- ' qt ip rule del from $address',
- 'done'
- );
- }
- } elsif ( $shared ) {
- emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD};
- emit( "run_ip rule add from $address pref 20000 table $number" ,
- "echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" );
- } else {
- my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
-
- emit "\nrulenum=0\n";
-
- emit ( "find_interface_addresses $interface | while read address; do" );
- emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
- emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
- " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
- ' rulenum=$(($rulenum + 1))',
- 'done'
- );
- }
-
- emit qq(\nprogress_message " Provider $table ($number) Added"\n);
-
- emit ( "${base}_IS_UP=Yes" ) if $optional;
-
- pop_indent;
- emit 'else';
-
- if ( $optional ) {
- emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"",
- " ${base}_IS_UP=" );
- } else {
- emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
- }
-
- emit "fi\n";
-}
-
-sub add_an_rtrule( $$$$ ) {
- my ( $source, $dest, $provider, $priority ) = @_;
-
- unless ( $providers{$provider} ) {
- my $found = 0;
-
- if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
- my $provider_number = numeric_value $provider;
-
- for ( keys %providers ) {
- if ( $providers{$_}{number} == $provider_number ) {
- $provider = $_;
- $found = 1;
- last;
- }
- }
- }
-
- fatal_error "Unknown provider ($provider)" unless $found;
- }
-
- fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
-
- if ( $dest eq '-' ) {
- $dest = 'to ' . ALLIPv4;
- } else {
- validate_net( $dest, 0 );
- $dest = "to $dest";
- }
-
- if ( $source eq '-' ) {
- $source = 'from ' . ALLIPv4;
- } elsif ( $source =~ /:/ ) {
- ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
- fatal_error "Invalid SOURCE" if defined $remainder;
- validate_net ( $source, 0 );
- $source = "iif $interface from $source";
- } elsif ( $source =~ /\..*\..*/ ) {
- validate_net ( $source, 0 );
- $source = "from $source";
- } else {
- $source = "iif $source";
- }
-
- fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;
-
- $priority = "priority $priority";
-
- emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
-
- my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
-
- if ( $optional ) {
- my $base = uc chain_base( $providers{$provider}{interface} );
- emit ( '', "if [ -n \$${base}_IS_UP ]; then" );
- push_indent;
- }
-
- emit ( "run_ip rule add $source $dest $priority table $number",
- "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
-
- pop_indent, emit ( "fi\n" ) if $optional;
-
- progress_message " Routing rule \"$currentline\" $done";
-}
-
-#
-# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
-# it makes sense to keep all of the routing code together
-#
-sub setup_null_routing() {
- save_progress_message "Null Routing the RFC 1918 subnets";
- for ( rfc1918_networks ) {
- emit( "run_ip route replace unreachable $_" );
- emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
- }
-}
-
-sub setup_providers() {
- my $providers = 0;
-
- my $fn = open_file 'providers';
-
- while ( read_a_line ) {
- unless ( $providers ) {
- progress_message2 "$doing $fn ...";
- require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
-
- fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-
- emit "\nif [ -z \"\$NOROUTES\" ]; then";
-
- push_indent;
-
- emit ( '#',
- '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
- '#',
- 'undo_routing' );
-
- unless ( $config{KEEP_RT_TABLES} ) {
- emit (
- '#',
- '# Save current routing table database so that it can be restored later',
- '#',
- 'cp /etc/iproute2/rt_tables ${VARDIR}/' );
-
- }
-
- emit ( '#',
- '# Capture the default route(s) if we don\'t have it (them) already.',
- '#',
- '[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
- '#',
- '# Initialize the file that holds \'undo\' commands',
- '#',
- '> ${VARDIR}/undo_routing' );
-
- save_progress_message 'Adding Providers...';
-
- emit 'DEFAULT_ROUTE=';
- }
-
- my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
-
- add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
-
- push @providers, $table;
-
- $providers++;
-
- progress_message " Provider \"$currentline\" $done";
-
- }
-
- if ( $providers ) {
- if ( $balance ) {
- my $table = MAIN_TABLE;
-
- if ( $config{USE_DEFAULT_RT} ) {
- emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999',
- 'ip rule del from all table ' . MAIN_TABLE . ' pref 32766',
- 'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
- 'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
- '' );
- $table = DEFAULT_TABLE;
- }
-
- emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
- emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
- emit ( ' qt ip route del default table ' . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
- emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
- 'else',
- ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
- ' restore_default_route',
- 'fi',
- '' );
- } else {
- emit ( '#',
- '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
- '#',
- 'restore_default_route' );
- }
-
- unless ( $config{KEEP_RT_TABLES} ) {
- emit( 'if [ -w /etc/iproute2/rt_tables ]; then',
- ' cat > /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables";
- }
-
- pop_indent;
-
- emit "fi\n";
- }
-
- my $fn = open_file 'route_rules';
-
- if ( $fn ) {
-
- first_entry "$doing $fn...";
-
- emit '';
-
- while ( read_a_line ) {
-
- my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
-
- add_an_rtrule( $source, $dest, $provider , $priority );
- }
- }
-
- setup_null_routing if $config{NULL_ROUTE_RFC1918};
- emit "\nrun_ip route flush cache";
- pop_indent;
- emit "fi\n";
-
- setup_route_marking if @routemarked_interfaces;
- } else {
- emit "\nundo_routing";
- emit 'restore_default_route';
- if ( $config{NULL_ROUTE_RFC1918} ) {
- emit "\nif [ -z \"\$NOROUTES\" ]; then";
-
- push_indent;
-
- emit ( '#',
- '# Initialize the file that holds \'undo\' commands',
- '#',
- '> ${VARDIR}/undo_routing' );
- setup_null_routing;
- emit "\nrun_ip route flush cache";
-
- pop_indent;
-
- emit "fi\n";
- }
- }
-}
-
-sub lookup_provider( $ ) {
- my $provider = $_[0];
- my $providerref = $providers{ $provider };
-
- unless ( $providerref ) {
- fatal_error "Unknown provider ($provider)" unless $provider =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/;
-
- my $provider_number = numeric_value $provider;
-
- for ( keys %providers ) {
- if ( $providers{$_}{number} == $provider_number ) {
- $providerref = $providers{$_};
- last;
- }
- }
-
- fatal_error "Unknown provider ($provider)" unless $providerref;
- }
-
-
- $providerref->{shared} ? $providerref->{number} : 0;
- }
-
- 1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Proxyarp.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Proxyarp.pm
deleted file mode 100644
index e727d516c..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Proxyarp.pm
+++ /dev/null
@@ -1,160 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Proxyarp.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#
-package Shorewall::Proxyarp;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw(
- setup_proxy_arp
- dump_proxy_arp
- );
-
-our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.6;
-
-our @proxyarp;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-
-sub initialize() {
- @proxyarp = ();
-}
-
-INIT {
- initialize;
-}
-
-sub setup_one_proxy_arp( $$$$$ ) {
- my ( $address, $interface, $external, $haveroute, $persistent) = @_;
-
- if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
- $haveroute = '';
- } elsif ( "\L$haveroute" eq 'yes' ) {
- $haveroute = 'yes';
- } else {
- fatal_error "Invalid value ($haveroute) for HAVEROUTE";
- }
-
- if ( "\L$persistent" eq 'no' || $persistent eq '-' ) {
- $persistent = '';
- } elsif ( "\L$persistent" eq 'yes' ) {
- $persistent = 'yes';
- } else {
- fatal_error "Invalid value ($persistent) for PERSISTENT";
- }
-
- unless ( $haveroute ) {
- emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
- $haveroute = 1 if $persistent;
- }
-
- emit ( "if ! arp -i $external -Ds $address $external pub; then",
- " fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
- 'fi' ,
- '',
- "progress_message \" Host $address connected to $interface added to ARP on $external\"\n" );
-
- push @proxyarp, "$address $interface $external $haveroute";
-
- progress_message " Host $address connected to $interface added to ARP on $external";
-}
-
-#
-# Setup Proxy ARP
-#
-sub setup_proxy_arp() {
-
- my $interfaces= find_interfaces_by_option 'proxyarp';
- my $fn = open_file 'proxyarp';
-
- if ( @$interfaces || $fn ) {
-
- my $first_entry = 1;
-
- save_progress_message "Setting up Proxy ARP...";
-
- my ( %set, %reset );
-
- while ( read_a_line ) {
-
- my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
-
- if ( $first_entry ) {
- progress_message2 "$doing $fn...";
- $first_entry = 0;
- }
-
- $set{$interface} = 1;
- $reset{$external} = 1 unless $set{$external};
-
- setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
- }
-
- emit '';
-
- for my $interface ( keys %reset ) {
- unless ( $set{interface} ) {
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
- "
echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit "fi\n";
- }
- }
-
- for my $interface ( keys %set ) {
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
- " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit ( 'else' ,
- " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
-
- for my $interface ( @$interfaces ) {
- my $value = get_interface_option $interface, 'proxyarp';
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
- " echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit ( 'else' ,
- " error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
- }
-}
-
-sub dump_proxy_arp() {
- for ( @proxyarp ) {
- emit_unindented $_;
- }
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Rules.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Rules.pm
deleted file mode 100644
index 8663df1b7..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Rules.pm
+++ /dev/null
@@ -1,3094 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Rules.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains the high-level code for dealing with rules.
-#
-package Shorewall::Rules;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Zones;
-use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::Actions;
-use Shorewall::Policy;
-use Shorewall::Proc;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( process_tos
- setup_ecn
- add_common_rules
- setup_mac_lists
- process_criticalhosts
- process_routestopped
- process_rules
- generate_matrix
- setup_mss
- );
-our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.1.5;
-
-#
-# Set to one if we find a SECTION
-#
-our $sectioned;
-our $sectioned6;
-our $macro_nest_level;
-our $current_param;
-our @param_stack;
-
-#
-# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
-#
-
-my %rules_commands = ( COMMENT => 0,
- SECTION => 2 );
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-
-sub initialize() {
- $sectioned = 0;
- $sectioned6 = 0;
- $macro_nest_level = 0;
- $current_param = '';
- @param_stack = ();
-}
-
-INIT {
- initialize;
-}
-
-use constant { MAX_MACRO_NEST_LEVEL => 5 };
-
-sub process_tos() {
- my $chain = $capabilities{MANGLE_FORWARD} ? 'fortos' : 'pretos';
- my $stdchain = $capabilities{MANGLE_FORWARD} ?
'FORWARD' : 'PREROUTING'; - - my %tosoptions = ( 'minimize-delay' => 0x10 , - 'maximize-throughput' => 0x08 , - 'maximize-reliability' => 0x04 , - 'minimize-cost' => 0x02 , - 'normal-service' => 0x00 ); - - if ( my $fn = open_file 'tos' ) { - my $first_entry = 1; - - my ( $pretosref, $outtosref ); - - first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } ); - - while ( read_a_line ) { - - my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry'; - - $first_entry = 0; - - fatal_error 'A value must be supplied in the TOS column' if $tos eq '-'; - - if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) { - $tos = $tosval; - } else { - my $val = numeric_value( $tos ); - fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f; - } - - my $chainref; - - my $restriction = NO_RESTRICT; - - my ( $srczone , $source , $remainder ) = split( /:/, $src, 3 ); - - fatal_error 'Invalid SOURCE' if defined $remainder; - - if ( $srczone eq firewall_zone ) { - $chainref = $outtosref; - $src = $source || '-'; - $restriction = OUTPUT_RESTRICT; - } else { - $chainref = $pretosref; - $src =~ s/^all:?//; - } - - $dst =~ s/^all:?//; - - expand_rule - $chainref , - $restriction , - do_proto( $proto, $ports, $sports ) . 
do_test( $mark , 0xFF ) , - $src , - $dst , - '' , - '' , - "-j TOS --set-tos $tos" , - '' , - '' , - ''; - } - - unless ( $first_entry ) { - add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced}; - add_rule $mangle_table->{OUTPUT}, "-j outtos" if $outtosref->{referenced}; - } - } -} - -# -# Setup ECN disabling rules -# -sub setup_ecn() -{ - my %interfaces; - my @hosts; - - if ( my $fn = open_file 'ecn' ) { - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $interfaces{$interface} = 1; - - $hosts = ALLIPv4 if $hosts eq '-'; - - for my $host( split_list $hosts, 'address' ) { - validate_host( $host , 1 ); - push @hosts, [ $interface, $host ]; - } - } - - if ( @hosts ) { - my @interfaces = ( keys %interfaces ); - - progress_message "$doing ECN control on @interfaces..."; - - for my $interface ( @interfaces ) { - my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); - - add_jump $mangle_table->{POSTROUTING} , $chainref, "-p tcp -o $interface "; - add_jump $mangle_table->{OUTPUT}, $chainref, "-p tcp -o $interface "; - } - - for my $host ( @hosts ) { - add_rule $mangle_table->{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' ); - } - } - } -} - -sub add_rule_pair( $$$$ ) { - my ($chainref , $predicate , $target , $level ) = @_; - - log_rule( $level, $chainref, "\U$target", $predicate ) if defined $level && $level ne ''; - add_rule $chainref , "${predicate}-j $target"; -} - -sub setup_rfc1918_filteration( $ ) { - - my $listref = $_[0]; - my $norfc1918ref = new_standard_chain 'norfc1918'; - my $rfc1918ref = new_standard_chain 'rfc1918'; - my $chainref = $norfc1918ref; - - warning_message q(The 'norfc1918' option is deprecated); - - log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , ''; - - add_rule $rfc1918ref , '-j 
DROP'; - - $chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT}; - - my $fn = open_file 'rfc1918'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - require_capability 'CONNTRACK_MATCH', "The norfc1918 option" , 's'; - - my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file'; - - my $s_target; - - if ( $target eq 'logdrop' ) { - $target = 'rfc1918'; - $s_target = 'rfc1918'; - } elsif ( $target eq 'DROP' ) { - $s_target = 'DROP'; - } elsif ( $target eq 'RETURN' ) { - $s_target = $config{RFC1918_STRICT} ? 'rfc1918d' : 'RETURN'; - } else { - fatal_error "Invalid target ($target) for $networks"; - } - - for my $network ( split_list $networks, 'network' ) { - add_rule $norfc1918ref , match_source_net( $network ) . "-j $s_target"; - add_rule $chainref , match_orig_dest( $network ) . "-j $target" ; - } - } - - add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT}; - - for my $hostref ( @$listref ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); - } - } -} - -sub setup_blacklist() { - - my $hosts = find_hosts_by_option 'blacklist'; - my $chainref; - my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; - my $target = $disposition eq 'REJECT' ? 
'reject' : $disposition; - - if ( @$hosts ) { - $chainref = new_standard_chain 'blacklst'; - - if ( defined $level && $level ne '' ) { - my $logchainref = new_standard_chain 'blacklog'; - - log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); - - add_rule $logchainref, "-j $target" ; - - $target = 'blacklog'; - } - } - - BLACKLIST: - { - if ( my $fn = open_file 'blacklist' ) { - - my $first_entry = 1; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - if ( $first_entry ) { - unless ( @$hosts ) { - warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces); - close_file; - last BLACKLIST; - } - - $first_entry = 0; - } - - my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file'; - - expand_rule( - $chainref , - NO_RESTRICT , - do_proto( $protocol , $ports, '' ) , - $networks , - '' , - '' , - '' , - "-j $target" , - '' , - $disposition , - '' ); - - progress_message " \"$currentline\" added to blacklist"; - } - } - - my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - - for my $hostref ( @$hosts ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? 
"-m policy --pol $ipsec --dir in " : ''; - my $network = $hostref->[2]; - my $source = match_source_net $network; - - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; - } - - progress_message " Blacklisting enabled on ${interface}:${network}"; - } - } -} - -sub process_criticalhosts() { - - my @critical = (); - - my $fn = open_file 'routestopped'; - - first_entry "$doing $fn for critical hosts..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $hosts = ALLIPv4 unless $hosts ne '-'; - - my @hosts; - - for my $host ( split_list $hosts, 'host' ) { - validate_host $host, 1; - push @hosts, "$interface:$host"; - } - - unless ( $options eq '-' ) { - for my $option (split_list $options, 'option' ) { - unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { - if ( $option eq 'critical' ) { - push @critical, @hosts; - } else { - warning_message "Unknown routestopped option ( $option ) ignored"; - } - } - } - } - } - - \@critical; -} - -sub setup_6blacklist() { - - my $hosts = find_hosts_by_option '6blacklist'; - my $chainref; - my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; - my $target = $disposition eq 'REJECT' ? 
'reject' : $disposition; - - if ( @$hosts ) { - $chainref = new_standard_6chain 'blacklst'; - - if ( defined $level && $level ne '' ) { - my $logchainref = new_standard_6chain 'blacklog'; - - log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); - - add_rule $logchainref, "-j $target" ; - - $target = 'blacklog'; - } - } - - BLACKLIST: - { - if ( my $fn = open_file '6blacklist' ) { - - my $first_entry = 1; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - if ( $first_entry ) { - unless ( @$hosts ) { - warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces); - close_file; - last BLACKLIST; - } - - $first_entry = 0; - } - - my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file'; - - expand_rule( - $chainref , - NO_RESTRICT , - do_proto6( $protocol , $ports, '' ) , - $networks , - '' , - '' , - '' , - "-j $target" , - '' , - $disposition , - '' ); - - progress_message " \"$currentline\" added to blacklist"; - } - } - - my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - - for my $hostref ( @$hosts ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? 
"-m policy --pol $ipsec --dir in " : ''; - my $network = $hostref->[2]; - my $source = match_source_6net $network; - - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; - } - - progress_message " Blacklisting enabled on ${interface};${network}"; - } - } -} - -sub process_critical6hosts() { - - my @critical = (); - - my $fn = open_file '6routestopped'; - - first_entry "$doing $fn for critical IPv6 hosts..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_6interface $interface; - - $hosts = ALLIPv6 unless $hosts ne '-'; - - my @hosts; - - for my $host ( split_list $hosts, 'host' ) { - validate_host $host, 1; - push @hosts, "$interface;$host"; - } - - unless ( $options eq '-' ) { - for my $option (split_list $options, 'option' ) { - unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { - if ( $option eq 'critical' ) { - push @critical, @hosts; - } else { - warning_message "Unknown routestopped option ( $option ) ignored"; - } - } - } - } - } - - \@critical; -} - -sub process_routestopped() { - - my ( @allhosts, %source, %dest ); - - my $fn = open_file 'routestopped'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; - - my @hosts; - - for my $host ( split /,/, $hosts ) { - validate_host $host, 1; - push @hosts, "$interface:$host"; - } - - unless ( $options eq '-' ) { - for my $option (split /,/, $options ) { - if ( $option eq 'routeback' ) { - if ( $routeback ) { - warning_message "Duplicate 'routeback' option ignored"; - } else { - $routeback = 1; - - for my $host ( split /,/, $hosts 
) { - my $source = match_source_net $host; - my $dest = match_dest_net $host; - - emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT"; - clearrule; - } - } - } elsif ( $option eq 'source' ) { - for my $host ( split /,/, $hosts ) { - $source{"$interface:$host"} = 1; - } - } elsif ( $option eq 'dest' ) { - for my $host ( split /,/, $hosts ) { - $dest{"$interface:$host"} = 1; - } - } else { - warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; - } - } - } - - push @allhosts, @hosts; - } - - for my $host ( @allhosts ) { - my ( $interface, $h ) = split /:/, $host; - my $source = match_source_net $h; - my $dest = match_dest_net $h; - my $sourcei = match_source_dev $interface; - my $desti = match_dest_dev $interface; - - emit "\$IPTABLES -A INPUT $sourcei $source -j ACCEPT"; - emit "\$IPTABLES -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED}; - - my $matched = 0; - - if ( $source{$host} ) { - emit "\$IPTABLES -A FORWARD $sourcei $source -j ACCEPT"; - $matched = 1; - } - - if ( $dest{$host} ) { - emit "\$IPTABLES -A FORWARD $desti $dest -j ACCEPT"; - $matched = 1; - } - - unless ( $matched ) { - for my $host1 ( @allhosts ) { - unless ( $host eq $host1 ) { - my ( $interface1, $h1 ) = split /:/, $host1; - my $dest1 = match_dest_net $h1; - my $desti1 = match_dest_dev $interface1; - emit "\$IPTABLES -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT"; - clearrule; - } - } - } - } -} - -sub process_6routestopped() { - - my ( @allhosts, %source, %dest ); - - my $fn = open_file '6routestopped'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, '6routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_6interface $interface; - - $hosts = ALLIPv6 unless $hosts && $hosts ne '-'; - - my @hosts; - - for my $host ( split /,/, $hosts ) { - validate_6host $host, 1; - push 
@hosts, "$interface;$host"; - } - - unless ( $options eq '-' ) { - for my $option (split /,/, $options ) { - if ( $option eq 'routeback' ) { - if ( $routeback ) { - warning_message "Duplicate 'routeback' option ignored"; - } else { - $routeback = 1; - - for my $host ( split /,/, $hosts ) { - my $source = match_source_6net $host; - my $dest = match_dest_6net $host; - - emit "run_ip6tables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT"; - clearrule; - } - } - } elsif ( $option eq 'source' ) { - for my $host ( split /,/, $hosts ) { - $source{"$interface;$host"} = 1; - } - } elsif ( $option eq 'dest' ) { - for my $host ( split /,/, $hosts ) { - $dest{"$interface;$host"} = 1; - } - } else { - warning_message "Unknown 6routestopped option ( $option ) ignored" unless $option eq 'critical'; - } - } - } - - push @allhosts, @hosts; - } - - for my $host ( @allhosts ) { - my ( $interface, $h ) = split /;/, $host; - my $source = match_source_6net $h; - my $dest = match_dest_6net $h; - my $sourcei = match_source_6dev $interface; - my $desti = match_dest_6dev $interface; - - emit "\$IP6TABLES -A INPUT $sourcei $source -j ACCEPT"; - emit "\$IP6TABLES -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED}; - - my $matched = 0; - - if ( $source{$host} ) { - emit "\$IP6TABLES -A FORWARD $sourcei $source -j ACCEPT"; - $matched = 1; - } - - if ( $dest{$host} ) { - emit "\$IP6TABLES -A FORWARD $desti $dest -j ACCEPT"; - $matched = 1; - } - - unless ( $matched ) { - for my $host1 ( @allhosts ) { - unless ( $host eq $host1 ) { - my ( $interface1, $h1 ) = split /;/, $host1; - my $dest1 = match_dest_6net $h1; - my $desti1 = match_dest_6dev $interface1; - emit "\$IP6TABLES -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT"; - clearrule; - } - } - } - } -} - -sub setup_mss(); - -sub add_common_rules() { - my $interface; - my $chainref; - my $level; - my $target; - my $rule; - my $list; - my $chain; - - new_standard_chain 'dynamic'; - - my $state = 
$config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - - add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD ); - - setup_mss; - - if ( $config{FASTACCEPT} ) { - add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT ); - } - - my $rejectref = new_standard_chain 'reject'; - - $level = $config{BLACKLIST_LOGLEVEL}; - - add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ; - add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ; - - for $interface ( all_interfaces ) { - ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); - } - - run_user_exit1 'initdone'; - - setup_blacklist; - - $list = find_hosts_by_option 'nosmurfs'; - - $chainref = new_standard_chain 'smurfs'; - - if ( $capabilities{ADDRTYPE} ) { - add_rule $chainref , '-s 0.0.0.0 -j RETURN'; - add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; - } else { - add_command $chainref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $chainref; - log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' ); - add_rule $chainref, '-s $address -j DROP'; - decr_cmd_level $chainref; - add_command $chainref, 'done'; - } - - add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ; - - if ( $capabilities{ADDRTYPE} ) { - add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP'; - } else { - add_command $rejectref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $rejectref; - add_rule $rejectref, '-d $address -j DROP'; - decr_cmd_level $rejectref; - add_command $rejectref, 'done'; - } - - add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; - - if ( @$list ) { - progress_message2 'Adding Anti-smurf Rules'; - for my $hostref ( @$list ) { - $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? 
"-m policy --pol $ipsec --dir in " : ''; - for $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); - } - } - } - - add_rule $rejectref , '-p 2 -j DROP'; - add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset'; - - if ( $capabilities{ENHANCED_REJECT} ) { - add_rule $rejectref , '-p 17 -j REJECT'; - add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable'; - add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; - } else { - add_rule $rejectref , '-j REJECT'; - } - - $list = find_interfaces_by_option 'dhcp'; - - if ( @$list ) { - progress_message2 'Adding rules for DHCP'; - - for $interface ( @$list ) { - for $chain ( input_chain $interface, output_chain $interface ) { - add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT'; - } - - add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' ); - } - } - - $list = find_hosts_by_option 'norfc1918'; - - setup_rfc1918_filteration $list if @$list; - - $list = find_hosts_by_option 'tcpflags'; - - if ( @$list ) { - my $disposition; - - progress_message2 "$doing TCP Flags filtering..."; - - $chainref = new_standard_chain 'tcpflags'; - - if ( $config{TCP_FLAGS_LOG_LEVEL} ne '' ) { - my $logflagsref = new_standard_chain 'logflags'; - - my $savelogparms = $globals{LOGPARMS}; - - $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - - log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; - - $globals{LOGPARMS} = $savelogparms; - - if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { - add_rule $logflagsref , '-j REJECT --reject-with tcp-reset'; - } else { - add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}"; - } - - $disposition = 'logflags'; - } else { - $disposition = $config{TCP_FLAGS_DISPOSITION}; - } - - 
add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags ALL NONE -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition"; - add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition"; - - for my $hostref ( @$list ) { - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : ''; - for $chain ( first_chains $hostref->[0] ) { - add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" ); - } - } - } - - $list = find_interfaces_by_option 'upnp'; - - if ( @$list ) { - progress_message2 '$doing UPnP'; - - new_nat_chain( 'UPnP' ); - - for $interface ( @$list ) { - add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; - } - } - - setup_syn_flood_chains; - -} - -my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } , - REJECT => { target => 'reject' , mangle => 0 } , - DROP => { target => 'DROP' , mangle => 1 } ); - -sub setup_mac_lists( $ ) { - - my $phase = $_[0]; - - my %maclist_interfaces; - - my $table = $config{MACLIST_TABLE}; - - my $maclist_hosts = find_hosts_by_option 'maclist'; - - my $target = $globals{MACLIST_TARGET}; - my $level = $config{MACLIST_LOG_LEVEL}; - my $disposition = $config{MACLIST_DISPOSITION}; - my $ttl = $config{MACLIST_TTL}; - - progress_message2 "$doing MAC Filtration -- Phase $phase..."; - - for my $hostref ( @$maclist_hosts ) { - $maclist_interfaces{ $hostref->[0] } = 1; - } - - my @maclist_interfaces = ( sort keys %maclist_interfaces ); - - progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..."; - - if ( $phase == 1 ) { - - for my $interface ( @maclist_interfaces ) { - my $chainref = new_chain $table , mac_chain $interface; - - add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j 
RETURN' - if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' ); - - if ( $ttl ) { - my $chain1ref = new_chain $table, macrecent_target $interface; - - my $chain = $chainref->{name}; - - add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN"; - add_rule $chainref, "-j $chain1ref->{name}"; - add_rule $chainref, "-m recent --update --name $chain -j RETURN"; - add_rule $chainref, "-m recent --set --name $chain"; - } - } - - my $fn = open_file 'maclist'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; - - if ( $original_disposition eq 'COMMENT' ) { - process_comment; - } else { - my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 ); - - fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition; - - my $targetref = $maclist_targets{$disposition}; - - fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} ); - fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); - fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface}; - - my $chainref = $chain_table{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; - - $mac = '' unless $mac && ( $mac ne '-' ); - $addresses = '' unless defined $addresses && ( $addresses ne '-' ); - - fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses; - - $mac = mac_match $mac if $mac; - - if ( $addresses ) { - for my $address ( split ',', $addresses ) { - my $source = match_source_net $address; - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" - if defined $level && $level ne ''; - add_rule $chainref , "${mac}${source}-j $targetref->{target}"; - } - } else { - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac - if defined $level && $level ne ''; - add_rule $chainref , "$mac-j $targetref->{target}"; - } - - progress_message " Maclist entry \"$currentline\" $done"; - } - } - - clear_comment; - # - # Generate jumps from the input and forward chains - # - for my $hostref ( @$maclist_hosts ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - my $source = match_source_net $hostref->[2]; - my $target = mac_chain $interface; - if ( $table eq 'filter' ) { - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target"; - } - } else { - add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target"; - } - } - } else { - for my $interface ( @maclist_interfaces ) { - my $chainref = $chain_table{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; - my $chain = $chainref->{name}; - - if ( $level ne '' || $disposition ne 'ACCEPT' ) { - my $variable = get_interface_addresses source_port_to_bridge( $interface ); - - if ( $capabilities{ADDRTYPE} ) { - add_commands( $chainref, - "for address in $variable; do", - " echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3", - " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", - 'done' ); - } else { - my $bridge = source_port_to_bridge( $interface ); - my $bridgeref = find_interface( $bridge ); - - add_commands( $chainref, - "for address in $variable; do" ); - - if ( $bridgeref->{broadcasts} ) { - for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { - add_commands( $chainref , - " echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" ); - } - } else { - my $variable1 = get_interface_bcasts $bridge; - - add_commands( $chainref, - " for address1 in $variable1; do" , - " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", - " done" ); - } - - add_commands( $chainref, - " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", - 'done' ); - } - } - - run_user_exit2( 'maclog', $chainref ); - - log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne ''; - add_rule $chainref, "-j $target"; - } - } -} - -sub process_rule1 ( $$$$$$$$$$$$$ ); - -# -# Expand a macro rule from the rules file -# -sub process_macro ( $$$$$$$$$$$$$$$ ) { - my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_; - - my $nocomment = no_comment; - - my $format = 1; - - macro_comment $macro; - - my $macrofile = $macros{$macro}; - - progress_message "..Expanding Macro $macrofile..."; - - push_open $macrofile; - - while ( read_a_line ) { - - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, 
$morigdest, $mrate, $muser );
-
- if ( $format == 1 ) {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
- } else {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
- }
-
- if ( $mtarget eq 'COMMENT' ) {
- process_comment unless $nocomment;
- next;
- }
-
- if ( $mtarget eq 'FORMAT' ) {
- fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
- $format = $msource;
- next;
- }
-
- fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
- $mtarget = merge_levels $target, $mtarget;
-
- if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
- fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne '';
- $mtarget = substitute_param $param, $mtarget;
- }
-
- my $action = isolate_basic_target $mtarget;
-
- fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action;
-
- my $actiontype = $targets{$action} || find_macro( $action );
-
- fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO );
-
- if ( $msource ) {
- if ( $msource eq '-' ) {
- $msource = $source || '';
- } elsif ( $msource =~ s/^DEST:?// ) {
- $msource = merge_macro_source_dest $msource, $dest;
- } else {
- $msource =~ s/^SOURCE:?//;
- $msource = merge_macro_source_dest $msource, $source;
- }
- } else {
- $msource = '';
- }
-
- if ( $mdest ) {
- if ( $mdest eq '-' ) {
- $mdest = $dest || '';
- } elsif ( $mdest =~ s/^SOURCE:?// ) {
- $mdest = merge_macro_source_dest $mdest , $source;
- } else {
- $mdest =~ s/DEST:?//;
- $mdest = merge_macro_source_dest $mdest, $dest;
- }
- } else {
- $mdest = '';
- }
-
- process_rule1(
- $mtarget,
- $msource,
- $mdest,
- merge_macro_column( $mproto, $proto ) ,
- merge_macro_column( $mports, $ports ) ,
- merge_macro_column( $msports, $sports ) ,
-
merge_macro_column( $morigdest, $origdest ) ,
- merge_macro_column( $mrate, $rate ) ,
- merge_macro_column( $muser, $user ) ,
- $mark,
- $connlimit,
- $time,
- $wildcard
- );
-
- progress_message " Rule \"$currentline\" $done";
- }
-
- pop_open;
-
- progress_message "..End Macro $macrofile";
-
- clear_comment unless $nocomment;
-
-}
-#
-# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
-# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
-#
-sub process_rule1 ( $$$$$$$$$$$$$ ) {
- my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
- my ( $action, $loglevel) = split_action $target;
- my ( $basictarget, $param ) = get_target_param $action;
- my $rule = '';
- my $actionchainref;
- my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
-
- unless ( defined $param ) {
- ( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
- }
-
- $param = '' unless defined $param;
-
- #
- # Determine the validity of the action
- #
- my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
-
- fatal_error "Unknown action ($action)" unless $actiontype;
-
- if ( $actiontype == MACRO ) {
- #
- # process_macro() will call process_rule1() recursively for each rule in the macro body
- #
- fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
-
- if ( $param ne '' ) {
- push @param_stack, $current_param;
- $current_param = $param;
- }
-
- process_macro( $basictarget,
- $target ,
- $current_param,
- $source,
- $dest,
- $proto,
- $ports,
- $sports,
- $origdest,
- $ratelimit,
- $user,
- $mark,
- $connlimit,
- $time,
- $wildcard );
-
- $macro_nest_level--;
-
- $current_param = pop @param_stack if $param ne '';
-
- return;
-
- } elsif ( $actiontype & NFQ ) {
- require_capability(
'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
- my $paramval = $param eq '' ? 0 : numeric_value( $param );
- fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
- $action = "NFQUEUE --queue-num $paramval";
- } else {
- fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
- }
- #
- # We can now dispense with the postfix character
- #
- $action =~ s/[\+\-!]$//;
- #
- # Mark target as used
- #
- if ( $actiontype & ACTION ) {
- unless ( $usedactions{$target} ) {
- $usedactions{$target} = 1;
- createactionchain $target;
- }
- }
- #
- # Take care of irregular syntax and targets
- #
- if ( $actiontype & REDIRECT ) {
- my $z = $actiontype & NATONLY ? '' : firewall_zone;
- if ( $dest eq '-' ) {
- $dest = join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
- } else {
- $dest = join( '', $z, '::', $dest ) unless $dest =~ /:/;
- }
- } elsif ( $action eq 'REJECT' ) {
- $action = 'reject';
- } elsif ( $action eq 'CONTINUE' ) {
- $action = 'RETURN';
- } elsif ( $actiontype & LOGRULE ) {
- fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
- }
- #
- # Isolate and validate source and destination zones
- #
- my $sourcezone;
- my $destzone;
- my $sourceref;
- my $destref;
- my $origdstports;
-
- if ( $source =~ /^(.+?):(.*)/ ) {
- fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
- $sourcezone = $1;
- $source = $2;
- } else {
- $sourcezone = $source;
- $source = ALLIPv4;
- }
-
- if ( $dest =~ /^(.*?):(.*)/ ) {
- fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
- $destzone = $1;
- $dest = $2;
- } else {
- $destzone = $dest;
- $dest = ALLIPv4;
- }
-
- fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
- fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
-
- if ( $actiontype & NATONLY ) {
- warning_message "Destination zone ($destzone) ignored" unless $destzone eq '-'
|| $destzone eq '';
- } else {
- fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
- fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
- }
-
- my $restriction = NO_RESTRICT;
-
- if ( $sourcezone eq firewall_zone ) {
- $restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
- } else {
- $restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
- }
-
- my ( $chain, $chainref, $policy );
- #
- # For compatibility with older Shorewall versions
- #
- $origdest = ALLIPv4 if $origdest eq 'all';
-
- #
- # Take care of chain
- #
-
- unless ( $actiontype & NATONLY ) {
- #
- # Check for illegal bridge port rule
- #
- if ( $destref->{type} eq 'bport4' ) {
- unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
- return 1 if $wildcard;
- fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
- }
- }
-
- $chain = "${sourcezone}2${destzone}";
- $chainref = ensure_chain 'filter', $chain;
- $policy = $chainref->{policy};
-
- if ( $policy eq 'NONE' ) {
- return 1 if $wildcard;
- fatal_error "Rules may not override a NONE policy";
- }
- #
- # Handle Optimization
- #
- if ( $optimize > 0 ) {
- my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
- if ( $loglevel ne '' ) {
- return 1 if $target eq "${policy}:$loglevel}";
- } else {
- return 1 if $basictarget eq $policy;
- }
- }
- #
- # Mark the chain as referenced and add appropriate rules from earlier sections.
- #
- $chainref = ensure_filter_chain $chain, 1;
- }
-
- #
- # Generate Fixed part of the rule
- #
- $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
-
- unless ( $section eq 'NEW' ) {
- fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
- fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
- $rule .= "-m state --state $section "
- }
-
- #
- # Generate NAT rule(s), if any
- #
- if ( $actiontype & NATRULE ) {
- my ( $server, $serverport );
- my $randomize = $dest =~ s/:random$// ? '--random ' : '';
-
- require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
- #
- # Isolate server port
- #
- if ( $dest =~ /^(.*)(:(.+))$/ ) {
- #
- # Server IP and Port
- #
- $server = $1; # May be empty
- $serverport = $3; # Not Empty due to RE
- $origdstports = $ports;
- if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
- #
- # Server Port Range
- #
- fatal_error "Invalid port range ($serverport)" unless $1 < $2;
- my @ports = ( $1, $2 );
- $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
- ( $ports = $serverport ) =~ tr/-/:/;
- } else {
- $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
- }
- } elsif ( $dest eq ':' ) {
- #
- # Rule with no server IP or port ( zone:: )
- #
- $server = $serverport = '';
- } else {
- #
- # Simple server IP address (may be empty or "-")
- #
- $server = $dest;
- $serverport = '';
- }
-
- #
- # Generate the target
- #
- my $target = '';
-
- if ( $actiontype & REDIRECT ) {
- fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
- $target = '-j REDIRECT ';
- $target .= "--to-port $serverport " if $serverport;
- if ( $origdest eq '' || $origdest eq '-' ) {
- $origdest = ALLIPv4;
- } elsif ( $origdest eq 'detect' ) {
- if (
$config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
- my $interfacesref = $sourceref->{interfaces};
- my @interfaces = keys %$interfacesref;
- $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
- } else {
- $origdest = ALLIPv4;
- }
- }
- } else {
- fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
- if ( $server =~ /^(.+)-(.+)$/ ) {
- validate_range( $1, $2 );
- } else {
- $server = validate_address $server, 1;
- }
-
- if ( $action eq 'SAME' ) {
- fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
- fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- warning_message 'Netfilter support for SAME is being dropped in early 2008';
- $target = '-j SAME ';
- for my $serv ( split /,/, $server ) {
- $target .= "--to $serv ";
- }
- } elsif ( $action eq 'DNAT' ) {
- $target = '-j DNAT ';
- $serverport = ":$serverport" if $serverport;
- for my $serv ( split /,/, $server ) {
- $target .= "--to-destination ${serv}${serverport} ";
- }
- }
-
- unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
- if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
- my $interfacesref = $sourceref->{interfaces};
- my @interfaces = keys %$interfacesref;
- $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
- } else {
- $origdest = ALLIPv4;
- }
- }
- }
-
- $target .= $randomize;
-
- #
- # And generate the nat table rule(s)
- #
- expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
- PREROUTE_RESTRICT ,
- $rule ,
- $source ,
- $origdest ,
- '' ,
- '' ,
- $target ,
- $loglevel ,
- $action ,
- $serverport ?
do_proto( $proto, '', '' ) : '' );
- #
- # After NAT:
- # - the destination port will be the server port ($ports) -- we did that above
- # - the destination IP will be the server IP ($dest)
- # - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
- # - the target will be ACCEPT.
- #
- unless ( $actiontype & NATONLY ) {
- $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
- $loglevel = '';
- $dest = $server;
- $action = 'ACCEPT';
- }
- } elsif ( $actiontype & NONAT ) {
- #
- # NONAT or ACCEPT+ -- May not specify a destination interface
- #
- fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
-
- $origdest = '' unless $origdest and $origdest ne '-';
-
- if ( $origdest eq 'detect' ) {
- my $interfacesref = $sourceref->{interfaces};
- my $interfaces = "@$interfacesref";
- $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
- }
-
- expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
- PREROUTE_RESTRICT ,
- $rule ,
- $source ,
- $dest ,
- $origdest ,
- '',
- '-j RETURN ' ,
- $loglevel ,
- $action ,
- '' );
- }
-
- #
- # Add filter table rule, unless this is a NATONLY rule type
- #
- unless ( $actiontype & NATONLY ) {
-
- if ( $actiontype & ACTION ) {
- $action = (find_logactionchain $target)->{name};
- $loglevel = '';
- }
-
- unless ( $origdest eq '-' ) {
- require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in a non-NAT rule', 's' ) unless $actiontype & NATRULE;
- } else {
- $origdest = '';
- }
-
- expand_rule( ensure_chain( 'filter', $chain ) ,
- $restriction ,
- $rule ,
- $source ,
- $dest ,
- $origdest ,
- $origdstports ,
- "-j $action " ,
- $loglevel ,
- $action ,
- '' );
- }
-}
-
-#
-# Process a Record in the rules file
-#
-# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
-#
-sub process_rule ( $$$$$$$$$$$$ ) {
- my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit , $time ) = @_;
- my $intrazone = 0;
- my $includesrcfw = 1;
- my $includedstfw = 1;
- my $thisline = $currentline;
- #
- # Section Names are optional so once we get to an actual rule, we need to be sure that
- # we close off any missing sections.
- #
- unless ( $sectioned ) {
- finish_section 'ESTABLISHED,RELATED';
- $sections{$section = 'NEW'} = 1;
- $sectioned = 1;
- }
-
- #
- # Handle Wildcards
- #
- if ( $source =~ /^all[-+]/ ) {
- if ( $source eq 'all+' ) {
- $source = 'all';
- $intrazone = 1;
- } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
- $source = 'all';
- $intrazone = 1;
- $includesrcfw = 0;
- } elsif ( $source eq 'all-' ) {
- $source = 'all';
- $includesrcfw = 0;
- } else {
- fatal_error "Invalid SOURCE ($source)";
- }
- }
-
- if ( $dest =~ /^all[-+]/ ) {
- if ( $dest eq 'all+' ) {
- $dest = 'all';
- $intrazone = 1;
- } elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
- $dest = 'all';
- $intrazone = 1;
- $includedstfw = 0;
- } elsif ( $dest eq 'all-' ) {
- $dest = 'all';
- $includedstfw = 0;
- } else {
- fatal_error "Invalid DEST ($dest)";
- }
-
- }
-
- my $action = isolate_basic_target $target;
-
- fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
-
- if ( $source eq 'all' ) {
- for my $zone ( all_zones ) {
- if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
- if ( $dest eq 'all' ) {
- for my $zone1 ( all_zones ) {
- if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
- if ( $intrazone || ( $zone ne $zone1 ) ) {
- process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- }
- } else {
- my $destzone = (split( /:/, $dest, 2 ) )[0];
- $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the
case where the dest zone is invalid
- if ( $intrazone || ( $zone ne $destzone ) ) {
- process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- }
- }
- } elsif ( $dest eq 'all' ) {
- for my $zone ( all_zones ) {
- my $sourcezone = ( split( /:/, $source, 2 ) )[0];
- if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
- process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- } else {
- process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0;
- }
-
- progress_message " Rule \"$thisline\" $done";
-}
-
-#
-# Process the Rules File
-#
-sub process_rules() {
-
- my $fn = open_file 'rules';
-
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
-
- if ( $target eq 'COMMENT' ) {
- process_comment;
- } elsif ( $target eq 'SECTION' ) {
- #
- # read_a_line has already verified that there are exactly two tokens on the line
- #
- fatal_error "Invalid SECTION ($source)" unless defined $sections{$source};
- fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
- $sectioned = 1;
- $sections{$source} = 1;
-
- if ( $source eq 'RELATED' ) {
- $sections{ESTABLISHED} = 1;
- finish_section 'ESTABLISHED';
- } elsif ( $source eq 'NEW' ) {
- @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
- finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
- }
-
- $section = $source;
- } else {
- if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) {
- progress_message "Rule \"$currentline\" ignored."
- } else {
- process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time;
- }
- }
- }
-
- clear_comment;
- $section = 'DONE';
-}
-
-sub process_6rule1 ( $$$$$$$$$$$$ );
-
-#
-# Expand a macro rule from the rules file
-#
-sub process_6macro ( $$$$$$$$$$$$$$ ) {
- my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_;
-
- my $nocomment = no_comment;
-
- my $format = 1;
-
- macro_comment $macro;
-
- my $macrofile = $macros{$macro};
-
- progress_message "..Expanding Macro $macrofile...";
-
- push_open $macrofile;
-
- while ( read_a_line ) {
-
- my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
-
- if ( $format == 1 ) {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
- } else {
- ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
- }
-
- if ( $mtarget eq 'COMMENT' ) {
- process_comment unless $nocomment;
- next;
- }
-
- if ( $mtarget eq 'FORMAT' ) {
- fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
- $format = $msource;
- next;
- }
-
- if ( $morigdest ne '-' ) {
- fatal_error "Invalid macro file entry (too many columns)" if $format == 1;
- fatal_error "A macro with ORIGINAL DEST cannot be used with IPv6";
- }
-
- $mtarget = merge_levels $target, $mtarget;
-
- if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
- fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne '';
- $mtarget = substitute_param $param, $mtarget;
- }
-
- my $action = isolate_basic_target $mtarget;
-
- fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action;
-
- my $actiontype = $targets6{$action} || find_6macro( $action );
-
- fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype
& ( ACTION + STANDARD + NATRULE + MACRO );
-
- if ( $msource ) {
- if ( $msource eq '-' ) {
- $msource = $source || '';
- } elsif ( $msource =~ s/^DEST:?// ) {
- $msource = merge_6macro_source_dest $msource, $dest;
- } else {
- $msource =~ s/^SOURCE:?//;
- $msource = merge_6macro_source_dest $msource, $source;
- }
- } else {
- $msource = '';
- }
-
- if ( $mdest ) {
- if ( $mdest eq '-' ) {
- $mdest = $dest || '';
- } elsif ( $mdest =~ s/^SOURCE:?// ) {
- $mdest = merge_6macro_source_dest $mdest , $source;
- } else {
- $mdest =~ s/DEST:?//;
- $mdest = merge_6macro_source_dest $mdest, $dest;
- }
- } else {
- $mdest = '';
- }
-
- process_6rule1(
- $mtarget,
- $msource,
- $mdest,
- merge_macro_column( $mproto, $proto ) ,
- merge_macro_column( $mports, $ports ) ,
- merge_macro_column( $msports, $sports ) ,
- merge_macro_column( $mrate, $rate ) ,
- merge_macro_column( $muser, $user ) ,
- $mark,
- $connlimit,
- $time,
- $wildcard
- );
-
- progress_message " IPv6 Rule \"$currentline\" $done";
- }
-
- pop_open;
-
- progress_message "..End Macro $macrofile";
-
- clear_comment unless $nocomment;
-
-}
-#
-# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
-# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
-#
-sub process_6rule1 ( $$$$$$$$$$$$ ) {
- my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
- my ( $action, $loglevel) = split_action $target;
- my ( $basictarget, $param ) = get_target_param $action;
- my $rule = '';
- my $actionchainref;
- my $optimize = $wildcard ? ( $basictarget =~ /!$/ ?
0 : $config{OPTIMIZE} ) : 0;
-
- unless ( defined $param ) {
- ( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
- }
-
- $param = '' unless defined $param;
-
- #
- # Determine the validity of the action
- #
- my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
-
- fatal_error "Unknown action ($action)" unless $actiontype;
-
- if ( $actiontype == MACRO ) {
- #
- # process_macro() will call process_rule1() recursively for each rule in the macro body
- #
- fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
-
- if ( $param ne '' ) {
- push @param_stack, $current_param;
- $current_param = $param;
- }
-
- process_6macro( $basictarget,
- $target ,
- $current_param,
- $source,
- $dest,
- $proto,
- $ports,
- $sports,
- $ratelimit,
- $user,
- $mark,
- $connlimit,
- $time,
- $wildcard );
-
- $macro_nest_level--;
-
- $current_param = pop @param_stack if $param ne '';
-
- return;
-
- } elsif ( $actiontype & NFQ ) {
- require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
- my $paramval = $param eq '' ?
0 : numeric_value( $param );
- fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
- $action = "NFQUEUE --queue-num $paramval";
- } else {
- fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
- }
- #
- # We can now dispense with the postfix character
- #
- $action =~ s/[\+\-!]$//;
- #
- # Mark target as used
- #
- if ( $actiontype & ACTION ) {
- unless ( $usedactions{$target} ) {
- $usedactions{$target} = 1;
- createactionchain $target;
- }
- }
- #
- # Take care of irregular syntax and targets
- #
- if ( $action eq 'REJECT' ) {
- $action = 'reject';
- } elsif ( $action eq 'CONTINUE' ) {
- $action = 'RETURN';
- } elsif ( $actiontype & LOGRULE ) {
- fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
- }
- #
- # Isolate and validate source and destination zones
- #
- my $sourcezone;
- my $destzone;
- my $sourceref;
- my $destref;
- my $origdstports;
-
- if ( $source =~ /^(.+?);(.*)/ ) {
- fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
- $sourcezone = $1;
- $source = $2;
- } else {
- $sourcezone = $source;
- $source = ALLIPv6;
- }
-
- if ( $dest =~ /^(.*?);(.*)/ ) {
- fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
- $destzone = $1;
- $dest = $2;
- } else {
- $destzone = $dest;
- $dest = ALLIPv6;
- }
-
- fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
- fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
- fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
- fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
-
- my $restriction = NO_RESTRICT;
-
- if ( $sourcezone eq firewall_zone ) {
- $restriction = $destzone eq firewall_zone ?
ALL_RESTRICT : OUTPUT_RESTRICT;
- } else {
- $restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
- }
-
- my ( $chain, $chainref, $policy );
-
- #
- # Check for illegal bridge port rule
- #
- if ( $destref->{type} eq 'bport4' ) {
- unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
- return 1 if $wildcard;
- fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
- }
- }
-
- $chain = "${sourcezone}2${destzone}";
- $chainref = ensure_chain 'filter', $chain;
- $policy = $chainref->{policy};
-
- if ( $policy eq 'NONE' ) {
- return 1 if $wildcard;
- fatal_error "Rules may not override a NONE policy";
- }
- #
- # Handle Optimization
- #
- if ( $optimize > 0 ) {
- my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
- if ( $loglevel ne '' ) {
- return 1 if $target eq "${policy}:$loglevel}";
- } else {
- return 1 if $basictarget eq $policy;
- }
- }
- #
-
# Mark the chain as referenced and add appropriate rules from earlier sections.
- #
- $chainref = ensure_filter_chain $chain, 1;
-
- #
- # Generate Fixed part of the rule
- #
- $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
-
- unless ( $section eq 'NEW' ) {
- fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
- fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
- $rule .= "-m state --state $section "
- }
-
- #
- # Add filter table rule
- #
- if ( $actiontype & ACTION ) {
- $action = (find_logactionchain $target)->{name};
- $loglevel = '';
- }
-
- expand_6rule( ensure_chain( 'filter', $chain ) ,
- $restriction ,
- $rule ,
- $source ,
- $dest ,
- "-j $action " ,
- $loglevel ,
- $action ,
- '' );
-}
-
-#
-# Process a Record in the rules file
-#
-# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
-#
-sub process_6rule ( $$$$$$$$$$$ ) {
- my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit , $time ) = @_;
- my $intrazone = 0;
- my $includesrcfw = 1;
- my $includedstfw = 1;
- my $thisline = $currentline;
- #
- # Section Names are optional so once we get to an actual rule, we need to be sure that
- # we close off any missing sections.
- #
- unless ( $sectioned ) {
- finish_section 'ESTABLISHED,RELATED';
- $sections{$section = 'NEW'} = 1;
- $sectioned = 1;
- }
-
- #
- # Handle Wildcards
- #
- if ( $source =~ /^all[-+]/ ) {
- if ( $source eq 'all+' ) {
- $source = 'all';
- $intrazone = 1;
- } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
- $source = 'all';
- $intrazone = 1;
- $includesrcfw = 0;
- } elsif ( $source eq 'all-' ) {
- $source = 'all';
- $includesrcfw = 0;
- } else {
- fatal_error "Invalid SOURCE ($source)";
- }
- }
-
- if ( $dest =~ /^all[-+]/ ) {
- if ( $dest eq 'all+' ) {
- $dest = 'all';
- $intrazone = 1;
- } elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
- $dest = 'all';
- $intrazone = 1;
- $includedstfw = 0;
- } elsif ( $dest eq 'all-' ) {
- $dest = 'all';
- $includedstfw = 0;
- } else {
- fatal_error "Invalid DEST ($dest)";
- }
-
- }
-
- my $action = isolate_basic_target $target;
-
- fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
-
- if ( $source eq 'all' ) {
- for my $zone ( all_6zones ) {
- if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
- if ( $dest eq 'all' ) {
- for my $zone1 ( all_6zones ) {
- if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
- if ( $intrazone || ( $zone ne $zone1 ) ) {
- process_6rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- }
- } else {
- my $destzone = (split( /;/, $dest, 2 ) )[0];
- $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
- if ( $intrazone || ( $zone ne $destzone ) ) {
- process_6rule1 $target, $zone, $dest , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- }
- }
- } elsif ( $dest eq 'all' ) {
- for my $zone ( all_6zones ) {
- my $sourcezone = ( split( /;/, $source, 2 ) )[0];
- if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( (
$sourcezone ne $zone ) || $intrazone) ) {
- process_6rule1 $target, $source, $zone , $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 1;
- }
- }
- } else {
- process_6rule1 $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time, 0;
- }
-
- progress_message " Rule \"$thisline\" $done";
-}
-
-#
-# Process the Rules File
-#
-sub process_6rules() {
-
- my $fn = open_file '6rules';
-
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 11, '6rules file', \%rules_commands;
-
- if ( $target eq 'COMMENT' ) {
- process_comment;
- } elsif ( $target eq 'SECTION' ) {
- #
- # read_a_line has already verified that there are exactly two tokens on the line
- #
- fatal_error "Invalid SECTION ($source)" unless defined $sections{$source};
- fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
- $sectioned = 1;
- $sections{$source} = 1;
-
- if ( $source eq 'RELATED' ) {
- $sections{ESTABLISHED} = 1;
- finish_section 'ESTABLISHED';
- } elsif ( $source eq 'NEW' ) {
- @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
- finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
- }
-
- $section = $source;
- } else {
- if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) {
- progress_message "Rule \"$currentline\" ignored."
- } else {
- process_6rule $target, $source, $dest, $proto, $ports, $sports, $ratelimit, $user, $mark, $connlimit, $time;
- }
- }
- }
-
- clear_comment;
- $section = 'DONE';
-}
-
-#
-# Helper functions for generate_matrix()
-#-----------------------------------------
-#
-# Return the target for rules from $zone to $zone1.
-#
-sub rules_target( $$ ) {
- my ( $zone, $zone1 ) = @_;
- my $chain = "${zone}2${zone1}";
- my $chainref = $filter_table->{$chain};
-
- return $chain if $chainref && $chainref->{referenced};
- return 'ACCEPT' if $zone eq $zone1;
-
- fatal_error "Internal Error in rules_target()" unless $chainref;
-
- if ( $chainref->{policy} ne 'CONTINUE' ) {
- my $policyref = $filter_table->{$chainref->{policychain}};
- return $policyref->{name} if $policyref;
- fatal_error "No policy defined for zone $zone to zone $zone1";
- }
-
- '';
-}
-
-#
-# Insert the passed exclusions at the front of the passed chain.
-#
-sub insert_exclusions( $$ ) {
- my ( $chainref, $exclusionsref ) = @_;
-
- my $num = 1;
-
- for my $host ( @{$exclusionsref} ) {
- my ( $interface, $net ) = split /:/, $host;
- insert_rule $chainref , $num++, join( '', match_dest_dev $interface , match_dest_net( $net ), '-j RETURN' );
- }
-}
-
-#
-# Add the passed exclusions at the end of the passed chain.
-#
-sub add_exclusions ( $$ ) {
- my ( $chainref, $exclusionsref ) = @_;
-
- for my $host ( @{$exclusionsref} ) {
- my ( $interface, $net ) = split /:/, $host;
- add_rule $chainref , join( '', match_dest_dev $interface, match_dest_net( $net ), '-j RETURN' );
- }
-}
-
-#
-# To quote an old comment, "generate_matrix makes a sow's ear out of a silk purse".
-#
-# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
-# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
-#
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
-#
-sub generate_matrix() {
- progress_message2 'Generating Rule Matrix...';
-
- my $exclusion_seq = 1;
- my %chain_exclusions;
- my %policy_exclusions;
- my @interfaces = ( all_interfaces );
- my $preroutingref = ensure_chain 'nat', 'dnat';
- my $fw = firewall_zone;
- my @zones = non_firewall_zones;
-
- #
- # Special processing for complex configurations
- #
- for my $zone ( @zones ) {
- my $zoneref = find_zone( $zone );
-
- next if @zones <= 2 && ! $zoneref->{options}{complex};
-
- my $exclusions = $zoneref->{exclusions};
- my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
- if ( @$exclusions ) {
- my $in_ref = new_standard_chain zone_input_chain $zone;
- my $out_ref = new_standard_chain zone_output_chain $zone;
-
- add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
-
- for my $host ( @$exclusions ) {
- my ( $interface, $net ) = split /:/, $host;
- my $rule = match_source_dev( $interface ) . match_source_net( $net ) . '-j RETURN';
- add_rule $frwd_ref , $rule;
- add_rule $in_ref , $rule;
- add_rule $out_ref , match_dest_dev( $interface ) . match_dest_net( $net ) .
'-j RETURN'; - } - } - - if ( $capabilities{POLICY_MATCH} ) { - my $type = $zoneref->{type}; - my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; - - for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { - my $sourcechainref; - my $interfacematch = ''; - - if ( use_forward_chain( $interface ) ) { - $sourcechainref = $filter_table->{forward_chain $interface}; - } else { - $sourcechainref = $filter_table->{FORWARD}; - $interfacematch = match_source_dev $interface; - move_rules( $filter_table->{forward_chain $interface} , $frwd_ref ); - } - - my $arrayref = $source_ref->{$interface}; - - for my $hostref ( @{$arrayref} ) { - my $ipsec_match = match_ipsec_in $zone , $hostref; - for my $net ( @{$hostref->{hosts}} ) { - add_jump( - $sourcechainref, - $frwd_ref, - join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) - ); - } - } - } - } - } - # - # Main source-zone matrix-generation loop - # - for my $zone ( @zones ) { - my $zoneref = find_zone( $zone ); - my $source_hosts_ref = $zoneref->{hosts}; - my $chain1 = rules_target firewall_zone , $zone; - my $chain2 = rules_target $zone, firewall_zone; - my $chain3 = rules_target $zone, $zone; - my $complex = $zoneref->{options}{complex} || 0; - my $type = $zoneref->{type}; - my $exclusions = $zoneref->{exclusions}; - my $frwd_ref = $filter_table->{zone_forward_chain $zone}; - my $chain = 0; - my $dnatref = ensure_chain 'nat' , dnat_chain( $zone ); - my $nested = $zoneref->{options}{nested}; - - if ( @$exclusions ) { - insert_exclusions $dnatref, $exclusions if $dnatref->{referenced}; - } - - if ( $nested ) { - # - # This is a sub-zone. We need to determine if - # - # a) A parent zone defines DNAT/REDIRECT rules; and - # b) The current zone has a CONTINUE policy to some other zone. - # - # If a) but not b), then we must avoid sending packets from this - # zone through the DNAT/REDIRECT chain for the parent. 
- #
- my $parenthasnat = 0;
-
- for my $parent ( @{$zoneref->{parents}} ) {
- my $ref = $nat_table->{dnat_chain $parent} || {};
- $parenthasnat = 1, last if $ref->{referenced};
- }
-
- if ( $parenthasnat ) {
- for my $zone1 ( all_zones ) {
- if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
- #
- # This zone has a continue policy to another zone. We must
- # send packets from this zone through the parent's DNAT/REDIRECT chain.
- #
- $nested = 0;
- last;
- }
- }
- } else {
- #
- # No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain.
- #
- $nested = 0;
- }
- }
- #
- # Take care of PREROUTING, INPUT and OUTPUT jumps
- #
- for my $typeref ( values %$source_hosts_ref ) {
- for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- for my $hostref ( @$arrayref ) {
- my $ipsec_in_match = match_ipsec_in $zone , $hostref;
- my $ipsec_out_match = match_ipsec_out $zone , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- my $dest = match_dest_net $net;
-
- if ( $chain1 ) {
- my $nextchain;
- my $outputref;
- my $interfacematch = '';
-
- if ( use_output_chain $interface ) {
- $outputref = $filter_table->{output_chain $interface};
- } else {
- $outputref = $filter_table->{OUTPUT};
- $interfacematch = match_dest_dev $interface;
- }
-
- if ( @$exclusions ) {
- my $output = zone_output_chain $zone;
- add_jump $outputref , $output, join( '', $interfacematch, $dest, $ipsec_out_match );
- add_jump $filter_table->{$output} , $chain1;
- $nextchain = $output;
- } else {
- add_jump $outputref , $chain1, join( '', $interfacematch, $dest, $ipsec_out_match );
- $nextchain = $chain1;
- }
-
- add_jump( $outputref , $nextchain, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
- if $hostref->{options}{broadcast};
-
- move_rules( $filter_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_chain $interface;
- }
-
- next if $hostref->{options}{destonly};
-
- my $source = match_source_net $net;
-
- if ( $dnatref->{referenced} ) {
- #
- # There are DNAT/REDIRECT rules with this zone as the source.
- # Add a jump from this source network to this zone's DNAT/REDIRECT chain
- #
- add_jump $preroutingref, $dnatref, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
- }
- #
- # If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
- # then add a RETURN jump for this source network.
- #
- add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
-
- my $inputchainref;
- my $interfacematch = '';
-
- if ( use_input_chain $interface ) {
- $inputchainref = $filter_table->{input_chain $interface};
- } else {
- $inputchainref = $filter_table->{INPUT};
- $interfacematch = match_source_dev $interface;
- }
-
- if ( $chain2 ) {
- my $nextchain;
-
- if ( @$exclusions ) {
- my $input = zone_input_chain $zone;
- add_jump $inputchainref, $input, join( '', $interfacematch, $source, $ipsec_in_match );
- add_jump $filter_table->{ $input } , $chain2;
- $nextchain = $input;
- } else {
- add_jump $inputchainref, $chain2, join( '', $interfacematch, $source, $ipsec_in_match );
- $nextchain = $chain2;
- }
-
- move_rules( $filter_table->{input_chain $interface} , $filter_table->{$nextchain} ) unless use_input_chain $interface;
- }
-
- if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
- if ( use_forward_chain $interface ) {
- add_jump $filter_table->{forward_chain $interface} , $frwd_ref, join( '', $source, $ipsec_in_match );
- } else {
- add_jump $filter_table->{FORWARD} , $frwd_ref, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
- move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
- }
- }
- }
- }
- }
- }
-
- #
- # F O R W A R D I N G
- #
- my @dest_zones;
- my $last_chain = '';
-
- if ( $config{OPTIMIZE} > 0 ) {
- my @temp_zones;
-
- ZONE1:
- for my $zone1 ( @zones ) {
- my $zone1ref = find_zone( $zone1 );
- my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
-
- next if $policy eq 'NONE';
-
- my $chain = rules_target $zone, $zone1;
-
- next unless $chain;
-
- if ( $zone eq $zone1 ) {
- next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
- }
-
- if ( $zone1ref->{type} eq 'bport4' ) {
- next unless $zoneref->{bridge} eq $zone1ref->{bridge};
- }
-
- if ( $chain =~ /2all$/ ) {
- if ( $chain ne $last_chain ) {
- $last_chain = $chain;
- push @dest_zones, @temp_zones;
- @temp_zones = ( $zone1 );
- } elsif ( $policy eq 'ACCEPT' ) {
- push @temp_zones , $zone1;
- } else {
- $last_chain = $chain;
- @temp_zones = ( $zone1 );
- }
- } else {
- push @dest_zones, @temp_zones, $zone1;
- @temp_zones = ();
- $last_chain = '';
- }
- }
-
- if ( $last_chain && @temp_zones == 1 ) {
- push @dest_zones, @temp_zones;
- $last_chain = '';
- }
- } else {
- @dest_zones = @zones ;
- }
- #
- # Here it is -- THE BIG UGLY!!!!!!!!!!!!
- #
- # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
- # @dest_zones is the list of destination zones that we need to handle from this source zone
- #
- ZONE1:
- for my $zone1 ( @dest_zones ) {
- my $zone1ref = find_zone( $zone1 );
- my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
-
- next if $policy eq 'NONE';
-
- my $chain = rules_target $zone, $zone1;
-
- next unless $chain; # CONTINUE policy with no rules
-
- my $num_ifaces = 0;
-
- if ( $zone eq $zone1 ) {
- next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
- }
-
- if ( $zone1ref->{type} eq 'bport4' ) {
- next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
- }
-
- my $chainref = $filter_table->{$chain};
- my $exclusions1 = $zone1ref->{exclusions};
-
- my $dest_hosts_ref = $zone1ref->{hosts};
-
- if ( @$exclusions1 ) {
- if ( $chain eq "all2$zone1" ) {
- unless ( $chain_exclusions{$chain} ) {
- $chain_exclusions{$chain} = 1;
- insert_exclusions $chainref , $exclusions1;
- }
- } elsif ( $chain =~ /2all$/ ) {
- my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
-
- unless ( $chain1 ) {
- $chain1 = newexclusionchain;
- $policy_exclusions{"${chain}_${zone1}"} = $chain1;
- my $chain1ref = ensure_filter_chain $chain1, 0;
- add_exclusions $chain1ref, $exclusions1;
- add_jump $chain1ref, $chain;
- }
-
- $chain = $chain1;
- } else {
- fatal_error "Fatal Error in generate_matrix()" if $chain eq 'ACCEPT';
- insert_exclusions $chainref , $exclusions1;
- }
- }
-
- if ( $frwd_ref ) {
- for my $typeref ( values %$dest_hosts_ref ) {
- for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- for my $hostref ( @$arrayref ) {
- next if $hostref->{options}{sourceonly};
- if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
- my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- add_jump $frwd_ref, $chain, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
- }
- }
- }
- }
- }
- } else {
- for my $typeref ( values %$source_hosts_ref ) {
- for my $interface ( keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- my $chain3ref;
- my $match_source_dev = '';
-
- if ( use_forward_chain $interface ) {
- $chain3ref = $filter_table->{forward_chain $interface};
- } else {
- $chain3ref = $filter_table->{FORWARD};
- $match_source_dev = match_source_dev $interface;
- }
-
- for my $hostref ( @$arrayref ) {
- next if $hostref->{options}{destonly};
- for my $net ( @{$hostref->{hosts}} ) {
- for my $type1ref ( values %$dest_hosts_ref ) {
- for my $interface1 ( keys %$type1ref ) {
- my $array1ref = $type1ref->{$interface1};
- for my $host1ref ( @$array1ref ) {
- next if $host1ref->{options}{sourceonly};
- my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
- for my $net1 ( @{$host1ref->{hosts}} ) {
- unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
- #
- # We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
- #
- add_jump(
- $chain3ref ,
- $chain ,
- join( '',
- $match_source_dev,
- match_dest_dev($interface1),
- match_source_net($net),
- match_dest_net($net1),
- $ipsec_out_match )
- );
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- #
- # E N D F O R W A R D I N G
- #
- # Now add an unconditional jump to the last unique policy-only chain determined above, if any
- #
- add_jump $frwd_ref , $last_chain if $last_chain;
- }
- }
- #
- # Add Nat jumps
- #
- for my $interface ( @interfaces ) {
- addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
- }
-
- addnatjump 'PREROUTING' , 'nat_in' , '';
- addnatjump 'POSTROUTING' , 'nat_out' , '';
- addnatjump 'PREROUTING', 'dnat', '';
-
- for my $interface ( @interfaces ) {
- addnatjump 'PREROUTING' , input_chain( $interface ) , match_source_dev( $interface );
- addnatjump 'POSTROUTING' , output_chain( $interface ) , match_dest_dev( $interface );
- addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
- }
-
- #
- # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
- #
- for my $interface ( @interfaces ) {
-
- add_jump( $filter_table->{FORWARD} , forward_chain $interface , match_source_dev( $interface ) ) if use_forward_chain $interface;
- add_jump( $filter_table->{INPUT} , input_chain $interface , match_source_dev( $interface ) ) if use_input_chain $interface;
-
- if ( use_output_chain $interface ) {
- add_jump $filter_table->{OUTPUT} , output_chain $interface , "-o $interface " unless get_interface_option( $interface, 'port' );
- }
- }
-
- my $chainref = $filter_table->{"${fw}2${fw}"};
-
- add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
- add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
-
- my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
- nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
- filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
-
- complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
- complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
- complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
-
- if ( $config{LOGALLNEW} ) {
- for my $table qw/mangle nat filter/ {
- for my $chain ( @{$builtins{$table}} ) {
- log_rule_limit
- $config{LOGALLNEW} ,
- $chain_table{$table}{$chain} ,
- $table ,
- $chain ,
- '' ,
- '' ,
- 'insert' ,
- '-m state --state NEW ';
- }
- }
- }
-}
-
-#
-# Helper functions for generate_6matrix()
-#-----------------------------------------
-#
-# Return the target for rules from $zone to $zone1.
-#
-sub rules6_target( $$ ) {
- my ( $zone, $zone1 ) = @_;
- my $chain = "${zone}2${zone1}";
- my $chainref = $filter6_table->{$chain};
-
- return $chain if $chainref && $chainref->{referenced};
- return 'ACCEPT' if $zone eq $zone1;
-
- fatal_error "Internal Error in rules6_target()" unless $chainref;
-
- if ( $chainref->{policy} ne 'CONTINUE' ) {
- my $policyref = $filter6_table->{$chainref->{policychain}};
- return $policyref->{name} if $policyref;
- fatal_error "No policy defined for zone $zone to zone $zone1";
- }
-
- '';
-}
-
-sub generate_6matrix() {
- progress_message2 'Generating IPv6 Rule Matrix...';
-
- my $exclusion_seq = 1;
- my %chain_exclusions;
- my %policy_exclusions;
- my @interfaces = ( all_6interfaces );
- my $fw = firewall_zone;
- my @zones = non_firewall_6zones;
-
- #
- # Special processing for complex configurations
- #
- for my $zone ( @zones ) {
- my $zoneref = find_zone( $zone );
-
- next if @zones <= 2 && ! $zoneref->{options}{complex};
-
- my $exclusions = $zoneref->{exclusions};
- my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
- if ( @$exclusions ) {
- my $in_ref = new_standard_chain zone_input_chain $zone;
- my $out_ref = new_standard_chain zone_output_chain $zone;
-
- add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
-
- for my $host ( @$exclusions ) {
- my ( $interface, $net ) = split /:/, $host;
- my $rule = match_source_dev( $interface ) . match_source_net( $net ) . '-j RETURN';
- add_rule $frwd_ref , $rule;
- add_rule $in_ref , $rule;
- add_rule $out_ref , match_dest_dev( $interface ) . match_dest_net( $net ) . '-j RETURN';
- }
- }
-
- if ( $capabilities{POLICY_MATCH} ) {
- my $type = $zoneref->{type};
- my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
-
- for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
- my $sourcechainref;
- my $interfacematch = '';
-
- if ( use_forward_chain( $interface ) ) {
- $sourcechainref = $filter_table->{forward_chain $interface};
- } else {
- $sourcechainref = $filter_table->{FORWARD};
- $interfacematch = match_source_dev $interface;
- move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
- }
-
- my $arrayref = $source_ref->{$interface};
-
- for my $hostref ( @{$arrayref} ) {
- my $ipsec_match = match_ipsec_in $zone , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- add_jump6(
- $sourcechainref,
- $frwd_ref,
- join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
- );
- }
- }
- }
- }
- }
- #
- # Main source-zone matrix-generation loop
- #
- for my $zone ( @zones ) {
- my $zoneref = find_6zone( $zone );
- my $source_hosts_ref = $zoneref->{hosts};
- my $chain1 = rules6_target firewall_zone , $zone;
- my $chain2 = rules6_target $zone, firewall_zone;
- my $chain3 = rules6_target $zone, $zone;
- my $complex = $zoneref->{options}{complex} || 0;
- my $type = $zoneref->{type};
- my $exclusions = $zoneref->{exclusions};
- my $frwd_ref = $filter6_table->{zone_forward_chain $zone};
- my $chain = 0;
- #
- # Take care of INPUT and OUTPUT jumps
- #
- for my $typeref ( values %$source_hosts_ref ) {
- for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- for my $hostref ( @$arrayref ) {
- my $ipsec_in_match = match_ipsec_in $zone , $hostref;
- my $ipsec_out_match = match_ipsec_out $zone , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- my $dest = match_dest_6net $net;
-
- if ( $chain1 ) {
- my $nextchain;
- my $outputref;
- my $interfacematch = '';
-
- if ( use_output_6chain $interface ) {
- $outputref = $filter6_table->{output_chain $interface};
- } else {
- $outputref = $filter6_table->{OUTPUT};
- $interfacematch = match_dest_6dev $interface;
- }
-
- if ( @$exclusions ) {
- my $output = zone_output_chain $zone;
- add_6jump $outputref , $output, join( '', $interfacematch, $dest, $ipsec_out_match );
- add_6jump $filter_table->{$output} , $chain1;
- $nextchain = $output;
- } else {
- add_6jump $outputref , $chain1, join( '', $interfacematch, $dest, $ipsec_out_match );
- $nextchain = $chain1;
- }
-
- add_6jump( $outputref , $nextchain, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
- if $hostref->{options}{broadcast};
-
- move_rules( $filter6_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_6chain $interface;
- }
-
- next if $hostref->{options}{destonly};
-
- clearrule;
-
- my $source = match_source_net $net;
- my $inputchainref;
- my $interfacematch = '';
-
- if ( use_input_6chain $interface ) {
- $inputchainref = $filter6_table->{input_chain $interface};
- } else {
- $inputchainref = $filter6_table->{INPUT};
- $interfacematch = match_source_6dev $interface;
- }
-
- if ( $chain2 ) {
- my $nextchain;
-
- if ( @$exclusions ) {
- my $input = zone_input_chain $zone;
- add_6jump $inputchainref, $input, join( '', $interfacematch, $source, $ipsec_in_match );
- add_6jump $filter6_table->{ $input } , $chain2;
- $nextchain = $input;
- } else {
- add_6jump $inputchainref, $chain2, join( '', $interfacematch, $source, $ipsec_in_match );
- $nextchain = $chain2;
- }
-
- move_rules( $filter6_table->{input_chain $interface} , $filter_table->{$nextchain} ) unless use_input_6chain $interface;
- }
-
- if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
- if ( use_forward_6chain $interface ) {
- add_6jump $filter6_table->{forward_chain $interface} , $frwd_ref, join( '', $source, $ipsec_in_match );
- } else {
- add_6jump $filter6_table->{FORWARD} , $frwd_ref, join( '', match_source_6dev( $interface ) , $source, $ipsec_in_match );
- move_rules ( $filter6_table->{forward_chain $interface} , $frwd_ref );
- }
- }
- }
- }
- }
- }
-
- #
- # F O R W A R D I N G
- #
- my @dest_zones;
- my $last_chain = '';
-
- if ( $config{OPTIMIZE} > 0 ) {
- my @temp_zones;
-
- ZONE1:
- for my $zone1 ( @zones ) {
- my $zone1ref = find_6zone( $zone1 );
- my $policy = $filter6_table->{"${zone}2${zone1}"}->{policy};
-
- next if $policy eq 'NONE';
-
- my $chain = rules6_target $zone, $zone1;
-
- next unless $chain;
-
- if ( $zone eq $zone1 ) {
- next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
- }
-
- if ( $zone1ref->{type} eq 'bport6' ) {
- next unless $zoneref->{bridge} eq $zone1ref->{bridge};
- }
-
- if ( $chain =~ /2all$/ ) {
- if ( $chain ne $last_chain ) {
- $last_chain = $chain;
- push @dest_zones, @temp_zones;
- @temp_zones = ( $zone1 );
- } elsif ( $policy eq 'ACCEPT' ) {
- push @temp_zones , $zone1;
- } else {
- $last_chain = $chain;
- @temp_zones = ( $zone1 );
- }
- } else {
- push @dest_zones, @temp_zones, $zone1;
- @temp_zones = ();
- $last_chain = '';
- }
- }
-
- if ( $last_chain && @temp_zones == 1 ) {
- push @dest_zones, @temp_zones;
- $last_chain = '';
- }
- } else {
- @dest_zones = @zones ;
- }
- #
- # Here it is -- THE BIG UGLY!!!!!!!!!!!!
- #
- # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
- # @dest_zones is the list of destination zones that we need to handle from this source zone
- #
- ZONE1:
- for my $zone1 ( @dest_zones ) {
- my $zone1ref = find_6zone( $zone1 );
- my $policy = $filter6_table->{"${zone}2${zone1}"}->{policy};
-
- next if $policy eq 'NONE';
-
- my $chain = rules6_target $zone, $zone1;
-
- next unless $chain; # CONTINUE policy with no rules
-
- my $num_ifaces = 0;
-
- if ( $zone eq $zone1 ) {
- next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
- }
-
- if ( $zone1ref->{type} eq 'bport6' ) {
- next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
- }
-
- my $chainref = $filter_table->{$chain};
- my $exclusions1 = $zone1ref->{exclusions};
-
- my $dest_hosts_ref = $zone1ref->{hosts};
-
- if ( @$exclusions1 ) {
- if ( $chain eq "all2$zone1" ) {
- unless ( $chain_exclusions{$chain} ) {
- $chain_exclusions{$chain} = 1;
- insert_exclusions $chainref , $exclusions1;
- }
- } elsif ( $chain =~ /2all$/ ) {
- my $chain1 = $policy_exclusions{"${chain}_${zone1}"};
-
- unless ( $chain1 ) {
- $chain1 = newexclusionchain;
- $policy_exclusions{"${chain}_${zone1}"} = $chain1;
- my $chain1ref = ensure_filter_chain $chain1, 0;
- add_exclusions $chain1ref, $exclusions1;
- add_6jump $chain1ref, $chain;
- }
-
- $chain = $chain1;
- } else {
- fatal_error "Fatal Error in generate_matrix()" if $chain eq 'ACCEPT';
- insert_exclusions $chainref , $exclusions1;
- }
- }
-
- if ( $frwd_ref ) {
- for my $typeref ( values %$dest_hosts_ref ) {
- for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- for my $hostref ( @$arrayref ) {
- next if $hostref->{options}{sourceonly};
- if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
- my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- add_6jump $frwd_ref, $chain, join( '', match_dest_6dev( $interface) , match_dest_6net($net), $ipsec_out_match );
- }
- }
- }
- }
- }
- } else {
- for my $typeref ( values %$source_hosts_ref ) {
- for my $interface ( keys %$typeref ) {
- my $arrayref = $typeref->{$interface};
- my $chain3ref;
- my $match_source_dev = '';
-
- if ( use_forward_chain $interface ) {
- $chain3ref = $filter6_table->{forward_chain $interface};
- } else {
- $chain3ref = $filter_table->{FORWARD};
- $match_source_dev = match_source_6dev $interface;
- }
-
- for my $hostref ( @$arrayref ) {
- next if $hostref->{options}{destonly};
- for my $net ( @{$hostref->{hosts}} ) {
- for my $type1ref ( values %$dest_hosts_ref ) {
- for my $interface1 ( keys %$type1ref ) {
- my $array1ref = $type1ref->{$interface1};
- for my $host1ref ( @$array1ref ) {
- next if $host1ref->{options}{sourceonly};
- my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
- for my $net1 ( @{$host1ref->{hosts}} ) {
- unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
- #
- # We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
- #
- add_6jump(
- $chain3ref ,
- $chain ,
- join( '',
- $match_source_dev,
- match_dest_6dev($interface1),
- match_source_6net($net),
- match_dest_6net($net1),
- $ipsec_out_match )
- );
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- #
- # E N D F O R W A R D I N G
- #
- # Now add an unconditional jump to the last unique policy-only chain determined above, if any
- #
- add_6jump $frwd_ref , $last_chain if $last_chain;
- }
- }
- #
- # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
- #
- for my $interface ( @interfaces ) {
-
- add_6jump( $filter6_table->{FORWARD} , forward_chain $interface , match_source_dev( $interface ) ) if use_forward_6chain $interface;
- add_6jump( $filter6_table->{INPUT} , input_chain $interface , match_source_dev( $interface ) ) if use_input_6chain $interface;
-
- if ( use_output_6chain $interface ) {
- add_6jump $filter6_table->{OUTPUT} , output_chain $interface , "-o $interface " unless get_interface_option( $interface, 'port' );
- }
- }
-
- my $chainref = $filter6_table->{"${fw}2${fw}"};
-
- add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
- add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
-
- my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
- nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
- filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
-
- complete_standard_6chain $filter6_table->{INPUT} , 'all' , firewall_zone , 'DROP';
- complete_standard_6chain $filter6_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
- complete_standard_6chain $filter6_table->{FORWARD} , 'all' , 'all', 'REJECT';
-
- if ( $config{LOGALLNEW} ) {
- for my $table qw/mangle filter/ {
- for my $chain ( @{$builtins{$table}} ) {
- log_rule_limit
- $config{LOGALLNEW} ,
- $chain6_table{$table}{$chain} ,
- $table ,
- $chain ,
- '' ,
- '' ,
- 'insert' ,
- '-m state --state NEW ';
- }
- }
- }
-}
-
-sub setup_mss( ) {
- my $clampmss = $config{CLAMPMSS};
- my $option;
- my $match = '';
- my $chainref = $filter_table->{FORWARD};
-
- if ( $clampmss ) {
- if ( "\L$clampmss" eq 'yes' ) {
- $option = '--clamp-mss-to-pmtu';
- } else {
- $match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
- $option = "--set-mss $clampmss";
- }
-
- $match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH};
- }
-
- my $interfaces = find_interfaces_by_option( 'mss' );
-
- if ( @$interfaces ) {
- #
- # Since we will need multiple rules, we create a separate chain
- #
- $chainref = new_chain 'filter', 'settcpmss';
- #
- # Send all forwarded SYN packets to the 'settcpmss' chain
- #
- add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
-
- my $in_match = '';
- my $out_match = '';
-
- if ( $capabilities{POLICY_MATCH} ) {
- $in_match = '-m policy --pol none --dir in ';
- $out_match = '-m policy --pol none --dir out ';
- }
-
- for ( @$interfaces ) {
- my $mss = get_interface_option( $_, 'mss' );
- my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
- add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
- add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
- add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
- add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
- }
- }
-
- add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option" if $clampmss;
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Tc.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Tc.pm
deleted file mode 100644
index 5c6ced6dd..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Tc.pm
+++ /dev/null
@@ -1,915 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tc.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Traffic Control is from tc4shorewall Version 0.5
-# (c) 2005 Arne Bernin
-# Modified by Tom Eastep for integration into the Shorewall distribution
-# published under GPL Version 2#
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module deals with Traffic Shaping and the tcrules file.
-# -package Shorewall::Tc; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); -use Shorewall::Providers; - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( setup_tc ); -our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = 4.1.5; - -our %tcs = ( T => { chain => 'tcpost', - connmark => 0, - fw => 1 - } , - CT => { chain => 'tcpost' , - target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 1 - } , - C => { target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 1 - } , - P => { chain => 'tcpre' , - connmark => 0 , - fw => 0 - } , - CP => { chain => 'tcpre' , - target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 0 - } , - F => { chain => 'tcfor' , - connmark => 0 , - fw => 0 - } , - CF => { chain => 'tcfor' , - connmark => 1 , - fw => 0 , - } , - ); - -use constant { NOMARK => 0 , - SMALLMARK => 1 , - HIGHMARK => 2 - }; - -our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , - target => 'CONNMARK --save-mark --mask' , - mark => SMALLMARK , - mask => '0xFF' , - connmark => 1 - } , - { match => sub ( $ ) { $_[0] eq 'RESTORE' }, - target => 'CONNMARK --restore-mark --mask' , - mark => SMALLMARK , - mask => '0xFF' , - connmark => 1 - } , - { match => sub ( $ ) { $_[0] eq 'CONTINUE' }, - target => 'RETURN' , - mark => NOMARK , - mask => '' , - connmark => 0 - } , - { match => sub ( $ ) { $_[0] =~ '\|.*'} , - target => 'MARK --or-mark' , - mark => HIGHMARK , - mask => '' } , - { match => sub ( $ ) { $_[0] =~ '&.*' }, - target => 'MARK --and-mark ' , - mark => HIGHMARK , - mask => '' , - connmark => 0 - } - ); - -our %classids; - -our @deferred_rules; - -# -# Perl version of Arn Bernin's 'tc4shorewall'. -# -# TCDevices Table -# -# %tcdevices { -> {in_bandwidth => , -# out_bandwidth => , -# number => , -# classify => 0|1 -# tablenumber => -# default => -# redirected => [ , , ... 
] -# } -# -our @tcdevices; -our %tcdevices; -our @devnums; -our $devnum; - - -# -# TCClasses Table -# -# %tcclasses { device => , -# mark => , -# number => , -# rate => , -# ceiling => , -# priority => , -# options => { tos => [ , , ... ]; -# tcp_ack => 1 , -# ... -# - -our @tcclasses; -our %tcclasses; - -our %restrictions = ( tcpre => PREROUTE_RESTRICT , - tcpost => POSTROUTE_RESTRICT , - tcfor => NO_RESTRICT , - tcout => OUTPUT_RESTRICT ); - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - %classids = (); - @deferred_rules = (); - @tcdevices = (); - %tcdevices = (); - @tcclasses = (); - %tcclasses = (); - @devnums = (); - $devnum = 0; -} - -INIT { - initialize; -} - -sub process_tc_rule( $$$$$$$$$$$$ ) { - my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_; - - my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); - - fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! 
defined $mark || $mark eq ''; - - my $chain = $globals{MARKING_CHAIN}; - my $target = 'MARK --set-mark'; - my $tcsref; - my $connmark = 0; - my $classid = 0; - my $device = ''; - my $fw = firewall_zone; - - if ( $source ) { - if ( $source eq $fw ) { - $chain = 'tcout'; - $source = ''; - } else { - $chain = 'tcout' if $source =~ s/^($fw)://; - } - } - - if ( $designator ) { - $tcsref = $tcs{$designator}; - - if ( $tcsref ) { - if ( $chain eq 'tcout' ) { - fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw}; - } - - $chain = $tcsref->{chain} if $tcsref->{chain}; - $target = $tcsref->{target} if $tcsref->{target}; - $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark}; - - require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark; - - } else { - fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; - - if ( $config{TC_ENABLED} eq 'Internal' ) { - fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} ); - } - - $chain = 'tcpost'; - $classid = 1; - $mark = $originalmark; - $target = 'CLASSIFY --set-class'; - } - } - - my $mask = 0xffff; - - my ($cmd, $rest) = split( '/', $mark, 2 ); - - unless ( $classid ) { - MARK: - { - for my $tccmd ( @tccmd ) { - if ( $tccmd->{match}($cmd) ) { - fatal_error "$mark not valid with :C[FPT]" if $connmark; - - require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark}; - - $target = "$tccmd->{target} "; - my $marktype = $tccmd->{mark}; - - if ( $marktype == NOMARK ) { - $mark = '' - } else { - $mark =~ s/^[|&]//; - } - - if ( $rest ) { - fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK; - - $mark = $rest if $tccmd->{mask}; - - if ( $marktype == SMALLMARK ) { - verify_small_mark $mark; - } else { - validate_mark $mark; - } - } elsif ( $tccmd->{mask} ) { - $mark = $tccmd->{mask}; - } - - last MARK; - } - } - - validate_mark $mark; - - if ( 
$config{HIGH_ROUTE_MARKS} ) {
- my $val = numeric_value( $cmd );
- fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
- fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
- if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= 0xFF;
- }
- }
- }
-
- if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
- $restrictions{$chain} ,
- do_proto( $proto, $ports, $sports) .
- do_user( $user ) .
- do_test( $testval, $mask ) .
- do_length( $length ) .
- do_tos( $tos ) .
- do_connbytes( $connbytes ) .
- do_helper( $helper ),
- $source ,
- $dest ,
- '' ,
- '' ,
- "-j $target $mark" ,
- '' ,
- '' ,
- '' ) )
- && $device ) {
- #
- # expand_rule() returns destination device if any
- #
- fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result;
- }
-
- progress_message " TC Rule \"$currentline\" $done";
-
-}
-
-sub rate_to_kbit( $ ) {
- my $rate = $_[0];
-
- return 0 if $rate eq '-';
- return $1 if $rate =~ /^(\d+)kbit$/i;
- return $1 * 1000 if $rate =~ /^(\d+)mbit$/i;
- return $1 * 8000 if $rate =~ /^(\d+)mbps$/i;
- return $1 * 8 if $rate =~ /^(\d+)kbps$/i;
- return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
- fatal_error "Invalid Rate ($rate)";
-}
-
-sub calculate_r2q( $ ) {
- my $rate = rate_to_kbit $_[0];
- my $r2q= $rate / 200 ;
- $r2q <= 5 ?
5 : $r2q;
-}
-
-sub calculate_quantum( $$ ) {
- my ( $rate, $r2q ) = @_;
- $rate = rate_to_kbit $rate;
- int( ( $rate * 125 ) / $r2q );
-}
-
-sub validate_tc_device( $$$$$ ) {
- my ( $device, $inband, $outband , $options , $redirected ) = @_;
-
- my $devnumber;
-
- if ( $device =~ /:/ ) {
- ( my $number, $device, my $rest ) = split /:/, $device, 3;
-
- fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
-
- if ( defined $number ) {
- $devnumber = numeric_value( $number );
- fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
- fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
- $devnum = $devnumber if $devnumber > $devnum;
- } else {
- fatal_error "Missing interface NUMBER";
- }
- } else {
- $devnumber = ++$devnum;
- }
-
- $devnums[ $devnumber ] = $device;
-
- fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
- fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
-
- my $classify = 0;
-
- if ( $options ne '-' ) {
- for my $option ( split_list $options, 'option' ) {
- if ( $option eq 'classify' ) {
- $classify = 1;
- } else {
- fatal_error "Unknown device option ($option)";
- }
- }
- }
-
- my @redirected = ();
-
- @redirected = split_list( $redirected , 'device' ) if defined $redirected && $redirected ne '-';
-
- if ( @redirected ) {
- fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
- $classify = 1;
- }
-
- for my $rdevice ( @redirected ) {
- fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
- my $rdevref = $tcdevices{$rdevice};
- fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
- fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
- }
-
- $tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' ,
- out_bandwidth => rate_to_kbit( $outband ) .
'kbit' ,
- number => $devnumber,
- classify => $classify ,
- tablenumber => 1 ,
- redirected => \@redirected ,
- } ,
-
- push @tcdevices, $device;
-
- progress_message " Tcdevice \"$currentline\" $done.";
-}
-
-sub convert_rate( $$$ ) {
- my ($full, $rate, $column) = @_;
-
- if ( $rate =~ /\bfull\b/ ) {
- $rate =~ s/\bfull\b/$full/g;
- progress_message " Compiling $column $_[1]";
- fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]};
- no warnings;
- $rate = eval "int( $rate )";
- use warnings;
- fatal_error "Invalid $column ($_[1])" unless defined $rate;
- } else {
- $rate = rate_to_kbit $rate
- }
-
- fatal_error "$column may not be zero" unless $rate;
- fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
-
- $rate;
-}
-
-sub dev_by_number( $ ) {
- my $dev = $_[0];
- my $devnum = numeric_value( $dev );
- my $devref;
-
- if ( defined $devnum ) {
- $dev = $devnums[ $devnum ];
- fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev;
- $devref = $tcdevices{$dev};
- fatal_error "Internal Error in dev_by_number()" unless $devref;
- } else {
- $devref = $tcdevices{$dev};
- fatal_error "Unknown INTERFACE ($dev)" unless $devref;
- }
-
- ( $dev , $devref );
-
-}
-
-sub validate_tc_class( $$$$$$ ) {
- my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_;
-
- my %tosoptions = ( 'tos-minimize-delay' => 'tos=0x10/0x10' ,
- 'tos-maximize-throughput' => 'tos=0x08/0x08' ,
- 'tos-maximize-reliability' => 'tos=0x04/0x04' ,
- 'tos-minimize-cost' => 'tos=0x02/0x02' ,
- 'tos-normal-service' => 'tos=0x00/0x1e' );
-
- my $classnumber = 0;
- my $devref;
- my $device = $devclass;
-
- if ( $devclass =~ /:/ ) {
- ( $device, my ($number, $rest ) ) = split /:/, $device, 3;
- fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
-
- ( $device , $devref) = dev_by_number( $device );
-
- if ( defined $number ) {
- if ( $devref->{classify} ) {
- $classnumber = numeric_value( $number );
- fatal_error "Invalid interface NUMBER
($number)" unless defined $classnumber && $classnumber;
- fatal_error "Duplicate interface/class number ($number)" if defined $devnums[ $classnumber ];
- } else {
- warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option";
- }
- } else {
- fatal_error "Missing interface NUMBER";
- }
- } else {
- ($device, $devref ) = dev_by_number( $device );
- fatal_error "Missing class NUMBER" if $devref->{classify};
- }
-
- my $full = rate_to_kbit $devref->{out_bandwidth};
-
- $tcclasses{$device} = {} unless $tcclasses{$device};
- my $tcref = $tcclasses{$device};
-
- my $markval = 0;
-
- if ( $mark ne '-' ) {
- if ( $devref->{classify} ) {
- warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
- } else {
- fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
-
- $markval = numeric_value( $mark );
- fatal_error "Invalid MARK ($markval)" unless defined $markval;
- fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
- $classnumber = $devnum . $mark;
- }
- } else {
- fatal_error "Missing MARK" unless $devref->{classify};
- fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
- }
-
- $tcref->{$classnumber} = { tos => [] ,
- rate => convert_rate( $full, $rate, 'RATE' ) ,
- ceiling => convert_rate( $full, $ceil, 'CEIL' ) ,
- priority => $prio eq '-' ?
1 : $prio ,
- mark => $markval
- };
-
- $tcref = $tcref->{$classnumber};
-
- fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
-
- unless ( $options eq '-' ) {
- for my $option ( split_list "\L$options", 'option' ) {
- my $optval = $tosoptions{$option};
-
- $option = $optval if $optval;
-
- if ( $option eq 'default' ) {
- fatal_error "Only one default class may be specified for device $device" if $devref->{default};
- $devref->{default} = $classnumber;
- } elsif ( $option eq 'tcp-ack' ) {
- $tcref->{tcp_ack} = 1;
- } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
- ( undef, $option ) = split /=/, $option;
- push @{$tcref->{tos}}, "$option/0xff";
- } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
- ( undef, $option ) = split /=/, $option;
- push @{$tcref->{tos}}, $option;
- } else {
- fatal_error "Unknown option ($option)";
- }
- }
- }
-
- push @tcclasses, "$device:$classnumber";
- progress_message " Tcclass \"$currentline\" $done.";
-}
-
-#
-# Process a record from the tcfilters file
-#
-sub process_tc_filter( $$$$$$ ) {
- my ($devclass , $source, $dest , $proto, $portlist , $sportlist ) = @_;
-
- my ($device, $class, $rest ) = split /:/, $devclass, 3;
-
- fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || !
($device && $class );
-
- ( $device , my $devref ) = dev_by_number( $device );
-
- my $devnum = $devref->{number};
-
- my $tcref = $tcclasses{$device};
-
- fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
-
- $tcref = $tcref->{$class};
-
- fatal_error "Unknown CLASS ($devclass)" unless $tcref;
-
- my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32";
-
- my ( $net , $mask ) = decompose_net( $source );
-
- $rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000';
-
- ( $net , $mask ) = decompose_net( $dest );
-
- $rule .= "\\\n match u32 $net $mask at 16" unless $mask eq '0x00000000';
-
- my $protonumber = 0;
-
- unless ( $proto eq '-' ) {
- $protonumber = resolve_proto $proto;
- fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
-
- if ( $protonumber ) {
- my $pnumber = in_hex2 $protonumber;
- $rule .= "\\\n match u8 $pnumber 0xff at 9";
- }
- }
-
- if ( $portlist eq '-' && $sportlist eq '-' ) {
- emit( "\nrun_tc $rule\\" ,
- " flowid $devref->{number}:$class" ,
- '' );
- } else {
- our $lastrule;
- our $lasttnum;
- #
- # In order to be able to access the protocol header, we must create another hash table and link to it.
- #
- # Create the Table.
- #
- my $tnum;
-
- if ( $lastrule eq $rule ) {
- #
- # The source, dest and protocol are the same as the last rule that specified a port
- # Use the same table
- #
- $tnum = $lasttnum
- } else {
- $tnum = in_hex3 $devref->{tablenumber}++;
- $lasttnum = $tnum;
- $lastrule = $rule;
-
- emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip pref 10 handle $tnum: u32 divisor 1" );
- }
- #
- # And link to it using the current contents of $rule
- #
- emit( "\nrun_tc $rule\\" ,
- " link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
- #
- # The rule to match the port(s) will be inserted into the new table
- #
- $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32 ht $tnum:0";
-
- if ( $portlist eq '-' ) {
- fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
- unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
-
- for my $sportrange ( split_list $sportlist , 'port list' ) {
- my @sportlist = expand_port_range $protonumber , $sportrange;
-
- while ( @sportlist ) {
- my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
- emit( "\nrun_tc $rule\\" ,
- " match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
- " flowid $devref->{number}:$class" );
- }
- }
- } else {
- fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
- unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
-
- for my $portrange ( split_list $portlist, 'port list' ) {
- if ( $protonumber == ICMP ) {
- fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-';
-
- my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange );
-
- $icmptype = in_hex2 numeric_value1 $icmptype;
- $icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode;
-
- my $rule1 = " match u8 $icmptype 0xff at nexthdr+0";
- $rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode;
- emit( "\nrun_tc ${rule}\\" ,
- "$rule1\\" ,
- " flowid
$devref->{number}:$class" );
- } else {
- my @portlist = expand_port_range $protonumber , $portrange;
-
- while ( @portlist ) {
- my ( $port, $mask ) = ( shift @portlist, shift @portlist );
-
- my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0";
-
- if ( $sportlist eq '-' ) {
- emit( "\nrun_tc ${rule}\\" ,
- " $rule1\\" ,
- " flowid $devref->{number}:$class" );
- } else {
- for my $sportrange ( split_list $sportlist , 'port list' ) {
- my @sportlist = expand_port_range $protonumber , $sportrange;
-
- while ( @sportlist ) {
- my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-
- emit( "\nrun_tc ${rule}\\",
- " $rule1\\" ,
- " match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" ,
- " flowid $devref->{number}:$class" );
- }
- }
- }
- }
- }
- }
- }
- }
-
- emit '';
-
- progress_message " TC Filter \"$currentline\" $done";
-
- $currentline =~ s/\s+/ /g;
-
- save_progress_message_short qq(" TC Filter \"$currentline\" defined.");
-
- emit '';
-
-}
-
-sub setup_traffic_shaping() {
- our $lastrule = '';
-
- save_progress_message "Setting up Traffic Control...";
-
- my $fn = open_file 'tcdevices';
-
- if ( $fn ) {
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $device, $inband, $outband, $options , $redirected ) = split_line 3, 5, 'tcdevices';
-
- fatal_error "Invalid tcdevices entry" if $outband eq '-';
- validate_tc_device( $device, $inband, $outband , $options , $redirected );
- }
- }
-
- $devnum = $devnum > 10 ?
10 : 1;
-
- $fn = open_file 'tcclasses';
-
- if ( $fn ) {
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
-
- validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
- }
- }
-
- for my $device ( @tcdevices ) {
- my $dev = chain_base( $device );
- my $devref = $tcdevices{$device};
- my $defmark = $devref->{default} || 0;
- my $devnum = $devref->{number};
-
- emit "if interface_is_up $device; then";
-
- push_indent;
-
- emit ( "${dev}_exists=Yes",
- "qt tc qdisc del dev $device root",
- "qt tc qdisc del dev $device ingress",
- "run_tc qdisc add dev $device root handle $devnum: htb default $defmark",
- "${dev}_mtu=\$(get_device_mtu $device)",
- "${dev}_mtu1=\$(get_device_mtu1 $device)",
- "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1"
- );
-
- my $inband = rate_to_kbit $devref->{in_bandwidth};
-
- if ( $inband ) {
- emit ( "run_tc qdisc add dev $device handle ffff: ingress",
- "run_tc filter add dev $device parent ffff: protocol ip pref 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
- );
- }
-
- for my $rdev ( @{$devref->{redirected}} ) {
- emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
- emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
- }
-
- save_progress_message_short " TC Device $device defined.";
-
- pop_indent;
- emit 'else';
- push_indent;
-
- emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
- emit "${dev}_exists=";
- pop_indent;
- emit "fi\n";
- }
-
- my $lastdevice = '';
-
- for my $class ( @tcclasses ) {
- my ( $device, $classnum ) = split /:/, $class;
- my $devref = $tcdevices{$device};
- my $tcref = $tcclasses{$device}{$classnum};
- my $mark = $tcref->{mark};
- my $devicenumber =
$devref->{number};
- my $classid = join( '', $devicenumber, ':', $classnum);
- my $rate = "$tcref->{rate}kbit";
- my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
- my $dev = chain_base $device;
-
- $classids{$classid}=$device;
-
- if ( $lastdevice ne $device ) {
- if ( $lastdevice ) {
- pop_indent;
- emit "fi\n";
- }
-
- emit qq(if [ -n "\$${dev}_exists" ]; then);
- push_indent;
- $lastdevice = $device;
- }
-
- emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
- "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum",
- "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10"
- );
- #
- # add filters
- #
- emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify};
- #
- #options
- #
- emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
-
- for my $tospair ( @{$tcref->{tos}} ) {
- my ( $tos, $mask ) = split q(/), $tospair;
- emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid";
- }
-
- save_progress_message_short qq(" TC Class $class defined.");
- emit '';
- }
-
- if ( $lastdevice ) {
- pop_indent;
- emit "fi\n";
- }
-
- $fn = open_file 'tcfilters';
-
- if ( $fn ) {
- first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
-
- while ( read_a_line ) {
-
- my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file';
-
- process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport );
- }
- }
-}
-
-#
-# Process the tcrules file and setup traffic shaping
-#
-sub setup_tc() {
-
- if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
- ensure_mangle_chain 'tcpre';
- ensure_mangle_chain 'tcout';
-
- if ( $capabilities{MANGLE_FORWARD} ) {
- ensure_mangle_chain 'tcfor';
- ensure_mangle_chain 'tcpost';
- }
-
- my $mark_part = '';
-
- if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
- $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
-
- for my $interface ( @routemarked_interfaces ) {
- add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
- }
- }
-
- add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
- add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcout";
-
- if ( $capabilities{MANGLE_FORWARD} ) {
- add_rule $mangle_table->{FORWARD} , '-j tcfor';
- add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
- }
-
- if ( $config{HIGH_ROUTE_MARKS} ) {
- for my $chain qw(INPUT FORWARD POSTROUTING) {
- insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF';
- }
- }
- }
-
- if ( $globals{TC_SCRIPT} ) {
- save_progress_message 'Setting up Traffic Control...';
- append_file $globals{TC_SCRIPT};
- } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
- setup_traffic_shaping;
- }
-
- if ( $config{TC_ENABLED} ) {
- if ( my $fn = open_file 'tcrules' ) {
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
-
- while ( read_a_line ) {
-
- my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
-
- if ( $mark eq 'COMMENT' ) {
- process_comment;
- } else {
- process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
- }
-
- }
-
- clear_comment;
- }
- }
-
- for ( @deferred_rules ) {
- add_rule ensure_chain( 'mangle' , 'tcpost' ), $_;
- }
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Tunnels.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Tunnels.pm
deleted file mode 100644
index 06176cdad..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Tunnels.pm
+++ /dev/null
@@ -1,299 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tunnels.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module handles the /etc/shorewall/tunnels file.
-#
-package Shorewall::Tunnels;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::IPAddrs;
-use Shorewall::Chains qw(:DEFAULT :internal);
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_tunnels );
-our @EXPORT_OK = ( );
-our $VERSION = 4.1.5;
-
-#
-# Here starts the tunnel stuff -- we really should get rid of this crap...
-#
-sub setup_tunnels() {
-
- our $fw = firewall_zone;
-
- sub setup_one_ipsec {
- my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
-
- ( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
-
- my $noah = 1;
-
- fatal_error "Invalid IPSEC modifier ($qualifier:$remainder)" if defined $remainder;
-
- if ( defined $qualifier ) {
- if ( $qualifier eq 'ah' ) {
- fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
- $noah = 0;
- } else {
- fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
- }
- }
-
- my $options = '-m state --state NEW -j ACCEPT';
-
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
-
- unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
- }
-
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
-
- if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
- } else {
- add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
- add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
- }
-
- unless ( $gatewayzones eq '-' ) {
- for my $zone ( split_list $gatewayzones, 'zone' ) {
- my $type = zone_type( $zone );
- fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
- $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
-
- unless ( $capabilities{POLICY_MATCH} ) {
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
-
- unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
- }
- }
-
- if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
- } else {
- add_rule
$inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
- add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
- }
- }
- }
- }
-
- sub setup_one_other {
- my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
-
- add_rule $inchainref , "-p $protocol $source -j ACCEPT";
- add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
- }
-
- sub setup_pptp_client {
- my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-
- add_rule $outchainref, "-p 47 $dest -j ACCEPT";
- add_rule $inchainref, "-p 47 $source -j ACCEPT";
- add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
- }
-
- sub setup_pptp_server {
- my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-
- add_rule $inchainref, "-p 47 $dest -j ACCEPT";
- add_rule $outchainref, "-p 47 $source -j ACCEPT";
- add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
- }
-
- sub setup_one_openvpn {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p, $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol = $proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
- }
-
- sub setup_one_openvpn_client {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol =
$proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
- }
-
- sub setup_one_openvpn_server {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol = $proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
- }
-
- sub setup_one_l2tp {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
-
- add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
- add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
- }
-
- sub setup_one_generic {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = '--dport 5000';
-
- if ( $kind =~ /.*:.*:.*/ ) {
- ( $kind, $protocol, $port) = split /:/, $kind;
- $port = "--dport $port";
- } else {
- $port = '';
- ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
- }
-
- add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
- }
-
- sub setup_one_tunnel($$$$) {
- my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
-
- my $zonetype = zone_type( $zone );
-
- fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
-
- my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
-
- $gateway =
ALLIPv4 if $gateway eq '-';
-
- my $source = match_source_net $gateway;
- my $dest = match_dest_net $gateway;
-
- my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
- 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
- 'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
- 'gre' => { function => \&setup_one_other, params => [ $source, $dest , 47 ] } ,
- '6to4' => { function => \&setup_one_other, params => [ $source, $dest , 41 ] } ,
- 'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, $source, $dest ] } ,
- 'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, $source, $dest ] } ,
- 'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, $source, $dest ] } ,
- 'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, $source, $dest ] } ,
- 'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, $source, $dest ] } ,
- 'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, $source, $dest ] } ,
- 'generic' => { function => \&setup_one_generic , params => [ $kind, $source, $dest ] } ,
- );
-
- $kind = "\L$kind";
-
- (my $type) = split /:/, $kind;
-
- my $tunnelref = $tunneltypes{ $type };
-
- fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
-
- $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
-
- progress_message " Tunnel \"$currentline\" $done";
- }
-
- #
- # Setup_Tunnels() Starts Here
- #
- my $fn = open_file 'tunnels';
-
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
-
- if ( $kind eq 'COMMENT' ) {
- process_comment;
- } else {
- setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
- }
- }
-
- clear_comment;
-}
-
-1;
diff --git a/Shorewall-perl-IPv6-Aborted/Shorewall/Zones.pm b/Shorewall-perl-IPv6-Aborted/Shorewall/Zones.pm
deleted file mode 100644
index b607cc3ea..000000000
--- a/Shorewall-perl-IPv6-Aborted/Shorewall/Zones.pm
+++ /dev/null
@@ -1,1595 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Zones.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains the code which deals with /etc/shorewall/zones,
-# /etc/shorewall/interfaces and /etc/shorewall/hosts.
-#
-package Shorewall::Zones;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
- NUMERIC
- NETWORK
- IPSECPROTO
- IPSECMODE
-
- determine_zones
- zone_report
- dump_zone_contents
- find_zone
- firewall_zone
- defined_zone
- zone_type
- zone_family
- all_zones
- all_6zones
- complex_zones
- non_firewall_zones
- non_firewall_6zones
- single_interface
- validate_interfaces_file
- validate_6interfaces_file
- all_interfaces
- all_6interfaces
- interface_number
- find_interface
- find_6interface
- known_interface
- known_6interface
- have_bridges
- have_6bridges
- port_to_bridge
- port_to_6bridge
- source_port_to_bridge
- source_port_to_6bridge
- interface_is_optional
- interface6_is_optional
- find_interfaces_by_option
- find_6interfaces_by_option
- get_interface_option
- get_6interface_option
- set_interface_option
- set_6interface_option
- validate_hosts_file
- validate_6hosts_file
- find_hosts_by_option
- find_6hosts_by_option
- );
-
-our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.3.0;
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING => 'NOTHING',
- NUMERIC => '0x[\da-fA-F]+|\d+',
- NETWORK => '\d+.\d+.\d+.\d+(\/\d+)?',
- IPSECPROTO => 'ah|esp|ipcomp',
- IPSECMODE => 'tunnel|transport'
- };
-
-#
-# Zone Table.
-#
-# @zones contains the ordered list of zones with sub-zones appearing before their parents.
-#
-# %zones{ => {type = > 'firewall', 'ipv4', 'ipsec4', 'bport4', 'ipv6', 'ipsec6', 'bport6';
-# options => { complex => 0|1
-# nested => 0|1
-# in_out => < policy match string >
-# in => < policy match string >
-# out => < policy match string >
-# }
-# parents => [ ] Parents, Children and interfaces are listed by name
-# children => [ ]
-# interfaces => [ ]
-# bridge =>
-# family => 1 = IPv4, 2 = IPv6, 3 = firewall
-# hosts { } => [ { => { ipsec => 'ipsec'|'none'
-# options => { =>
-# ...
-# }
-# hosts => [ , , ... ]
-# }
-# => ...
-# }
-# ]
-# }
-# => ...
-# }
-#
-# $firewall_zone names the firewall zone.
-#
-our @zones;
-our %zones;
-our $firewall_zone;
-
-our %reservedName = ( all => 1,
- none => 1,
- SOURCE => 1,
- DEST => 1 );
-
-#
-# Interface Table.
-#
-# @interfaces lists the interface names in the order that they appear in the interfaces file.
-# @interfaces6 lists the interface names in the order that they appear in the interfaces6 file.
-#
-# %interfaces { => { name =>
-# root =>
-# options => { = ,
-# ...
-# }
-# zone =>
-# nets =>
-# bridge =>
-# broadcasts => 'none', 'detect' or [ , , ... ]
-# number =>
-# }
-# }
-#
-# %interfaces6 { => { name =>
-# root =>
-# options => { = ,
-# ...
-# }
-# zone =>
-# nets =>
-# bridge =>
-# broadcasts => 'none', 'detect' or [ , , ... ]
-# number =>
-# }
-# }
-#
-our @interfaces;
-our %interfaces;
-our @interfaces6;
-our %interfaces6;
-our @bport_zones;
-our @bport_6zones;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-# - -sub initialize() { - @zones = (); - %zones = (); - $firewall_zone = ''; - - @interfaces = (); - %interfaces = (); - @bport_zones = (); - @interfaces6 = (); - %interfaces6 = (); - @bport_6zones = (); -} - -INIT { - initialize; -} - -# -# Parse the passed option list and return a reference to a hash as follows: -# -# => mss = -# => ipsec = <-m policy arguments to match options> -# -sub parse_zone_option_list($$) -{ - my %validoptions = ( mss => NUMERIC, - strict => NOTHING, - next => NOTHING, - reqid => NUMERIC, - spi => NUMERIC, - proto => IPSECPROTO, - mode => IPSECMODE, - "tunnel-src" => NETWORK, - "tunnel-dst" => NETWORK, - ); - - # - # Hash of options that have their own key in the returned hash. - # - my %key = ( mss => "mss" ); - - my ( $list, $zonetype ) = @_; - my %h; - my $options = ''; - my $fmt; - - if ( $list ne '-' ) { - for my $e ( split_list $list, 'option' ) { - my $val = undef; - my $invert = ''; - - if ( $e =~ /([\w-]+)!=(.+)/ ) { - $val = $2; - $e = $1; - $invert = '! '; - } elsif ( $e =~ /([\w-]+)=(.+)/ ) { - $val = $2; - $e = $1; - } - - $fmt = $validoptions{$e}; - - fatal_error "Invalid Option ($e)" unless $fmt; - - if ( $fmt eq NOTHING ) { - fatal_error "Option \"$e\" does not take a value" if defined $val; - } else { - fatal_error "Missing value for option \"$e\"" unless defined $val; - fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/; - } - - if ( $key{$e} ) { - $h{$e} = $val; - } else { - fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype =~ /^ipsec/; - $options .= $invert; - $options .= "--$e "; - $options .= "$val "if defined $val; - } - } - } - - $h{ipsec} = $options ? "$options " : ''; - - \%h; -} - -# -# Parse the zones file. 
-# -sub determine_zones() -{ - my @z; - - my $ipv4 = 0; - my $ipv6 = 0; - - my $fn = open_file 'zones'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my @parents; - - my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; - - if ( $zone =~ /(\w+):([\w,]+)/ ) { - $zone = $1; - @parents = split_list $2, 'zone'; - - for my $p ( @parents ) { - fatal_error "Invalid Parent List ($2)" unless $p; - fatal_error "Unknown parent zone ($p)" unless $zones{$p}; - fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall'; - push @{$zones{$p}{children}}, $zone; - } - } - - fatal_error "Invalid zone name ($zone)" unless "\L$zone" =~ /^[a-z]\w*$/ && length $zone <= $globals{MAXZONENAMELENGTH}; - fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; - fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; - - $type = "ipv4" unless $type; - - my $family = F_INET; - - if ( $type =~ /ipv4/i ) { - $type = 'ipv4'; - $ipv4 = 1; - } elsif ( $type =~ /ipv6/i ) { - $type = 'ipv6'; - $ipv6 = 1; - $family = F_INET6; - } elsif ( $type =~ /^ipsec4?$/i ) { - $type = 'ipsec4'; - } elsif ( $type =~ /^ipsec6?$/i ) { - $type = 'ipsec6'; - $family = F_INET6; - } elsif ( $type =~ /^bport4?$/i ) { - warning_message "Bridge Port zones should have a parent zone" unless @parents; - $type = 'bport4'; - push @bport_zones, $zone; - } elsif ( $type =~ /^bport6?$/i ) { - warning_message "Bridge Port zones should have a parent zone" unless @parents; - $type = 'bport6'; - $family = F_INET6; - push @bport_6zones, $zone; - } elsif ( $type eq 'firewall' ) { - fatal_error 'Firewall zone may not be nested' if @parents; - fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone; - $firewall_zone = $zone; - $ENV{FW} = $zone; - $type = "firewall"; - $family = F_INET | F_INET6; - } elsif ( $type eq '-' ) { - $type = 'ipv4'; - $ipv4 = 1; - } else { - fatal_error "Invalid zone 
type ($type)" ; - } - - for ( @parents ) { - fatal_error "Incompatible Parent/Child Zones Types ($_)" unless $zones{$_}{family} == $family - } - - for ( $options, $in_options, $out_options ) { - $_ = '' if $_ eq '-'; - } - - $zones{$zone} = { type => $type, - parents => \@parents, - exclusions => [], - bridge => '', - family => $family, - options => { in_out => parse_zone_option_list( $options || '', $type ) , - in => parse_zone_option_list( $in_options || '', $type ) , - out => parse_zone_option_list( $out_options || '', $type ) , - complex => ($type =~ /^ipsec/ || $options || $in_options || $out_options ? 1 : 0) , - nested => @parents > 0 } , - interfaces => {} , - children => [] , - hosts => {} - }; - push @z, $zone; - } - - fatal_error "No firewall zone defined" unless $firewall_zone; - fatal_error "No IPv4 or IPv6 zones defined" unless $ipv4 || $ipv6; - - my %ordered; - - PUSHED: - { - ZONE: - for my $zone ( @z ) { - unless ( $ordered{$zone} ) { - for ( @{$zones{$zone}{children}} ) { - next ZONE unless $ordered{$_}; - } - $ordered{$zone} = 1; - push @zones, $zone; - redo PUSHED; - } - } - } - - fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z; - -} - -# -# Return true of we have any ipse4c zones -# -sub haveipseczones() { - for my $zoneref ( values %zones ) { - return 1 if $zoneref->{type} eq 'ipsec4'; - } - - 0; -} - -# -# Return true of we have any ipse4c zones -# -sub haveipsec6zones() { - for my $zoneref ( values %zones ) { - return 1 if $zoneref->{type} eq 'ipsec6'; - } - - 0; -} - -# -# Report about zones. 
-# -sub zone_report() -{ - progress_message2 "Determining Hosts in Zones..."; - - for my $zone ( @zones ) - { - my $zoneref = $zones{$zone}; - my $hostref = $zoneref->{hosts}; - my $type = $zoneref->{type}; - my $optionref = $zoneref->{options}; - - progress_message " $zone ($type)"; - - my $printed = 0; - - if ( $hostref ) { - for my $type ( sort keys %$hostref ) { - my $interfaceref = $hostref->{$type}; - - for my $interface ( sort keys %$interfaceref ) { - my $arrayref = $interfaceref->{$interface}; - for my $groupref ( @$arrayref ) { - my $hosts = $groupref->{hosts}; - if ( $hosts ) { - my $grouplist = join ',', ( @$hosts ); - progress_message " $interface $grouplist"; - $printed = 1; - } - } - - } - } - } - - unless ( $printed ) { - fatal_error "No bridge has been associated with zone $zone" if $type =~ /^bport/ && ! $zoneref->{bridge}; - warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; - } - - } -} - -sub dump_zone_contents() -{ - for my $zone ( @zones ) - { - my $zoneref = $zones{$zone}; - my $hostref = $zoneref->{hosts}; - my $type = $zoneref->{type}; - my $optionref = $zoneref->{options}; - my $exclusions = $zoneref->{exclusions}; - my $entry = "$zone $type"; - - $entry .= ":$zoneref->{bridge}" if $type =~ /^bport/; - - if ( $hostref ) { - for my $type ( sort keys %$hostref ) { - my $interfaceref = $hostref->{$type}; - - for my $interface ( sort keys %$interfaceref ) { - my $arrayref = $interfaceref->{$interface}; - for my $groupref ( @$arrayref ) { - my $hosts = $groupref->{hosts}; - if ( $hosts ) { - my $grouplist = join ',', ( @$hosts ); - $entry .= " $interface\($grouplist\)"; - } - } - } - } - } - - if ( @$exclusions ) { - $entry .= ' exclude'; - - for my $host ( @$exclusions ) { - $entry .= " $host"; - } - } - - emit_unindented $entry; - } -} - -# -# If the passed zone is associated with a single interface, the name of the interface is returned. 
Otherwise, the funtion returns ''; -# -sub single_interface( $ ) { - my $zone = $_[0]; - my $zoneref = $zones{$zone}; - - fatal_error "Internal Error in single_zone()" unless $zoneref; - - my @keys = keys( %{$zoneref->{interfaces}} ); - - @keys == 1 ? $keys[0] : ''; -} - -sub add_group_to_zone($$$$$) -{ - my ($zone, $type, $interface, $networks, $options) = @_; - my $typeref; - my $interfaceref; - my $arrayref; - my $zoneref = $zones{$zone}; - my $zonetype = $zoneref->{type}; - my $ifacezone = $interfaces{$interface}{zone}; - - $zoneref->{interfaces}{$interface} = 1; - - my @newnetworks; - my @exclusions; - my $new = \@newnetworks; - my $switched = 0; - - $ifacezone = '' unless defined $ifacezone; - - for my $host ( @$networks ) { - $interfaces{$interface}{nets}++; - - fatal_error "Invalid Host List" unless defined $host and $host ne ''; - - if ( substr( $host, 0, 1 ) eq '!' ) { - fatal_error "Only one exclusion allowed in a host list" if $switched; - $switched = 1; - $host = substr( $host, 1 ); - $new = \@exclusions; - } - - unless ( $switched ) { - if ( $type eq $zonetype ) { - fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone; - $ifacezone = $zone if $host eq ALLIPv4 || $host eq ALLIPv6; - } - } - - if ( substr( $host, 0, 1 ) eq '+' ) { - fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/; - } else { - validate_host $host, 0; - } - - push @$new, $switched ? 
"$interface:$host" : $host; - } - - $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback}; - - $typeref = ( $zoneref->{hosts} || ( $zoneref->{hosts} = {} ) ); - $interfaceref = ( $typeref->{$type} || ( $interfaceref = $typeref->{$type} = {} ) ); - $arrayref = ( $interfaceref->{$interface} || ( $interfaceref->{$interface} = [] ) ); - - $zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions ); - - push @{$zoneref->{exclusions}}, @exclusions; - - push @{$arrayref}, { options => $options, - hosts => \@newnetworks, - ipsec => $type =~ /^ipsec/ ? 'ipsec' : 'none' }; -} - -# -# Verify that the passed zone name represents a declared zone. Return a -# reference to its zone table entry. -# -sub find_zone( $ ) { - my $zone = $_[0]; - - my $zoneref = $zones{$zone}; - - fatal_error "Unknown zone ($zone)" unless $zoneref; - - $zoneref; -} - -sub zone_type( $ ) { - find_zone( $_[0] )->{type}; -} - -sub zone_family( $ ) { - find_zone( $_[0] )->{family}; -} - -sub defined_zone( $ ) { - $zones{$_[0]}; -} - -sub all_zones() { - grep ( ! $zones{$_}{family} & F_INET , @zones ); -} - -sub all_6zones() { - grep ( ! $zones{$_}{family} & F_INET6 , @zones ); -} - -sub non_firewall_zones() { - grep ( $zones{$_}{family} == F_INET , @zones ); -} - -sub non_firewall_6zones() { - grep ( $zones{$_}{family} == F_INET6 , @zones ); -} - -sub complex_zones() { - grep( $zones{$_}{options}{complex} && $zones{$_}{family} == F_INET , @zones ); -} - -sub complex_6zones() { - grep( $zones{$_}{options}{complex} && $zones{$_}{family} == F_INET6 , @zones ); -} - -sub firewall_zone() { - $firewall_zone; -} - -# -# Parse the interfaces file. 
-# - -use constant { SIMPLE_IF_OPTION => 1, - BINARY_IF_OPTION => 2, - ENUM_IF_OPTION => 3, - NUMERIC_IF_OPTION => 4, - OBSOLETE_IF_OPTION => 5, - MASK_IF_OPTION => 7, - IF_OPTION_ZONEONLY => 8 }; - -sub validate_interfaces_file( $ ) -{ - my $export = shift; - my $num = 0; - - my %validoptions = (arp_filter => BINARY_IF_OPTION, - arp_ignore => ENUM_IF_OPTION, - blacklist => SIMPLE_IF_OPTION, - bridge => SIMPLE_IF_OPTION, - detectnets => OBSOLETE_IF_OPTION, - dhcp => SIMPLE_IF_OPTION, - maclist => SIMPLE_IF_OPTION, - logmartians => BINARY_IF_OPTION, - norfc1918 => SIMPLE_IF_OPTION, - nosmurfs => SIMPLE_IF_OPTION, - optional => SIMPLE_IF_OPTION, - proxyarp => BINARY_IF_OPTION, - routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, - routefilter => BINARY_IF_OPTION, - sourceroute => BINARY_IF_OPTION, - tcpflags => SIMPLE_IF_OPTION, - upnp => SIMPLE_IF_OPTION, - mss => NUMERIC_IF_OPTION, - ); - - my $fn = open_file 'interfaces'; - - my $first_entry = 1; - - my @ifaces; - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file'; - my $zoneref; - my $bridge = ''; - - if ( $zone eq '-' ) { - $zone = ''; - } else { - $zoneref = $zones{$zone}; - - fatal_error "Unknown zone ($zone)" unless $zoneref; - fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall'; - fatal_error "IPv6 Zones not allowed in the interfaces file ($zone}" if $zoneref->{type} =~ /6/; - } - - $networks = '' if $networks eq '-'; - $options = '' if $options eq '-'; - - my ($interface, $port, $extra) = split /:/ , $originalinterface, 3; - - fatal_error "Invalid INTERFACE ($originalinterface)" if ! 
$interface || defined $extra; - - fatal_error "Invalid Interface Name (+)" if $interface eq '+'; - - if ( defined $port ) { - fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; - require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); - fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; - fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; - fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; - fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4'; - - if ( $zone ) { - if ( $zoneref->{bridge} ) { - fatal_error "Bridge Port zones may only be associated with a single bridge" if $zoneref->{bridge} ne $interface; - } else { - $zoneref->{bridge} = $interface; - } - } - - fatal_error "Bridge Ports may not have options" if $options && $options ne '-'; - - next if $port eq ''; - - fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/; - - $bridge = $interface; - $interface = $port; - } else { - fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; - fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; - $bridge = $interface; - } - - my $wildcard = 0; - my $root; - - if ( $interface =~ /\+$/ ) { - $wildcard = 1; - $root = substr( $interface, 0, -1 ); - } else { - $root = $interface; - } - - my $broadcasts; - - unless ( $networks eq '' || $networks eq 'detect' ) { - my @broadcasts = split $networks, 'address'; - - for my $address ( @broadcasts ) { - fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - } - - if ( $capabilities{ADDRTYPE} ) { - warning_message 'Shorewall no longer uses broadcast addresses in rule generation when 
Address Type Match is available'; - } else { - $broadcasts = \@broadcasts; - } - } - - my $optionsref = {}; - - my %options; - - if ( $options ) { - - for my $option (split_list $options, 'option' ) { - next if $option eq '-'; - - ( $option, my $value ) = split /=/, $option; - - fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option}; - - fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone; - - $type &= MASK_IF_OPTION; - - if ( $type == SIMPLE_IF_OPTION ) { - fatal_error "Option $option does not take a value" if defined $value; - $options{$option} = 1; - } elsif ( $type == BINARY_IF_OPTION ) { - $value = 1 unless defined $value; - fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - $options{$option} = $value; - } elsif ( $type == ENUM_IF_OPTION ) { - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - if ( $option eq 'arp_ignore' ) { - if ( defined $value ) { - if ( $value =~ /^[1-3,8]$/ ) { - $options{arp_ignore} = $value; - } else { - fatal_error "Invalid value ($value) for arp_ignore"; - } - } else { - $options{arp_ignore} = 1; - } - } else { - fatal_error "Internal Error in validate_interfaces_file"; - } - } elsif ( $type == NUMERIC_IF_OPTION ) { - fatal_error "The $option option requires a value" unless defined $value; - my $numval = numeric_value $value; - fatal_error "Invalid value ($value) for option $option" unless defined $numval; - $options{$option} = $numval; - } else { - warning_message "Support for the $option interface option has been removed from Shorewall-perl"; - } - } - - $zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback}; - - if ( $options{bridge} ) { - require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's'); - 
fatal_error "Bridges may not have wildcard names" if $wildcard; - } - } elsif ( $port ) { - $options{port} = 1; - } - - $optionsref = \%options; - - $interfaces{$interface} = { name => $interface , - bridge => $bridge , - nets => 0 , - number => ++$num , - root => $root , - broadcasts => $broadcasts , - options => $optionsref }; - - push @ifaces, $interface; - - my @networks = allipv4; - - add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; - - $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() - - progress_message " Interface \"$currentline\" Validated"; - - } - - # - # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge - # - for my $interface ( @ifaces ) { - my $interfaceref = $interfaces{$interface}; - - if ( $interfaceref->{options}{bridge} ) { - my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces; - - if ( @ports ) { - push @interfaces, @ports; - } else { - $interfaceref->{options}{routeback} = 1; #so the bridge will work properly - } - } - - push @interfaces, $interface unless $interfaceref->{options}{port}; - } - # - # Be sure that we have at least one interface - # - fatal_error "No network interfaces defined" unless @interfaces; -} - -# -# Parse the interfaces file. 
-# - -sub validate_6interfaces_file( $ ) -{ - my $export = shift; - my $num = 0; - - my %validoptions = (blacklist => SIMPLE_IF_OPTION, - bridge => SIMPLE_IF_OPTION, - maclist => SIMPLE_IF_OPTION, - nosmurfs => SIMPLE_IF_OPTION, - optional => SIMPLE_IF_OPTION, - proxyndp => BINARY_IF_OPTION, - routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, - sourceroute => BINARY_IF_OPTION, - tcpflags => SIMPLE_IF_OPTION, - mss => NUMERIC_IF_OPTION, - ); - - my $fn = open_file '6interfaces'; - - my $first_entry = 1; - - my @ifaces; - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, '6interfaces file'; - my $zoneref; - my $bridge = ''; - - if ( $zone eq '-' ) { - $zone = ''; - } else { - $zoneref = $zones{$zone}; - - fatal_error "Unknown zone ($zone)" unless $zoneref; - fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall'; - fatal_error "IPv4 Zones not allowed in the 6interfaces file ($zone}" if $zoneref->{type} =~ /4/; - } - - $networks = '' if $networks eq '-'; - $options = '' if $options eq '-'; - - my ($interface, $port, $extra) = split /:/ , $originalinterface, 3; - - fatal_error "Invalid INTERFACE ($originalinterface)" if ! 
$interface || defined $extra; - - fatal_error "Invalid Interface Name (+)" if $interface eq '+'; - - if ( defined $port ) { - fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; - require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); - fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; - fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; - fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; - fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4'; - - if ( $zone ) { - if ( $zoneref->{bridge} ) { - fatal_error "Bridge Port zones may only be associated with a single bridge" if $zoneref->{bridge} ne $interface; - } else { - $zoneref->{bridge} = $interface; - } - } - - fatal_error "Bridge Ports may not have options" if $options && $options ne '-'; - - next if $port eq ''; - - fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/; - - $bridge = $interface; - $interface = $port; - } else { - fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; - fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; - $bridge = $interface; - } - - my $wildcard = 0; - my $root; - - if ( $interface =~ /\+$/ ) { - $wildcard = 1; - $root = substr( $interface, 0, -1 ); - } else { - $root = $interface; - } - - my $broadcasts; - - unless ( $networks eq '' || $networks eq 'detect' ) { - my @broadcasts = split $networks, 'address'; - - for my $address ( @broadcasts ) { - fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - } - - if ( $capabilities{ADDRTYPE} ) { - warning_message 'Shorewall no longer uses broadcast addresses in rule generation when 
Address Type Match is available'; - } else { - $broadcasts = \@broadcasts; - } - } - - my $optionsref = {}; - - my %options; - - if ( $options ) { - - for my $option (split_list $options, 'option' ) { - next if $option eq '-'; - - ( $option, my $value ) = split /=/, $option; - - fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option}; - - fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone; - - $type &= MASK_IF_OPTION; - - if ( $type == SIMPLE_IF_OPTION ) { - fatal_error "Option $option does not take a value" if defined $value; - $options{$option} = 1; - } elsif ( $type == BINARY_IF_OPTION ) { - $value = 1 unless defined $value; - fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - $options{$option} = $value; - } elsif ( $type == ENUM_IF_OPTION ) { - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - if ( $option eq 'arp_ignore' ) { - if ( defined $value ) { - if ( $value =~ /^[1-3,8]$/ ) { - $options{arp_ignore} = $value; - } else { - fatal_error "Invalid value ($value) for arp_ignore"; - } - } else { - $options{arp_ignore} = 1; - } - } else { - fatal_error "Internal Error in validate_interfaces_file"; - } - } elsif ( $type == NUMERIC_IF_OPTION ) { - fatal_error "The $option option requires a value" unless defined $value; - my $numval = numeric_value $value; - fatal_error "Invalid value ($value) for option $option" unless defined $numval; - $options{$option} = $numval; - } else { - warning_message "Support for the $option interface option has been removed from Shorewall-perl"; - } - } - - $zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback}; - - if ( $options{bridge} ) { - require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's'); - 
fatal_error "Bridges may not have wildcard names" if $wildcard; - } - } elsif ( $port ) { - $options{port} = 1; - } - - $optionsref = \%options; - - $interfaces6{$interface} = { name => $interface , - bridge => $bridge , - nets => 0 , - number => ++$num , - root => $root , - broadcasts => $broadcasts , - options => $optionsref }; - - push @ifaces, $interface; - - my @networks = allipv4; - - add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; - - $interfaces6{$interface}{zone6} = $zone; #Must follow the call to add_group_to_zone() - - progress_message " Interface \"$currentline\" Validated"; - - } - - # - # We now assemble the @interfaces6 array such that bridge ports immediately precede their associated bridge - # - for my $interface ( @ifaces ) { - my $interfaceref = $interfaces6{$interface}; - - if ( $interfaceref->{options}{bridge} ) { - my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces; - - if ( @ports ) { - push @interfaces, @ports; - } else { - $interfaceref->{options}{routeback} = 1; #so the bridge will work properly - } - } - - push @interfaces, $interface unless $interfaceref->{options}{port}; - } - # - # Be sure that we have at least one interface - # - fatal_error "No network interfaces defined" unless @interfaces; -} - -# -# Returns true if passed interface matches an entry in /etc/shorewall/interfaces -# -# If the passed name matches a wildcard, a entry for the name is added in %interfaces to speed up validation of other references to that name. -# -sub known_interface($) -{ - my $interface = $_[0]; - my $interfaceref = $interfaces{$interface}; - - return $interfaceref if $interfaceref; - - for my $i ( @interfaces ) { - $interfaceref = $interfaces{$i}; - my $val = $interfaceref->{root}; - next if $val eq $i; - if ( substr( $interface, 0, length $val ) eq $val ) { - # - # Cache this result for future reference. 
We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces. - # - return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} }; - } - } - - 0; -} - -# -# Returns true if passed interface matches an entry in /etc/shorewall/interfaces -# -# If the passed name matches a wildcard, a entry for the name is added in %interfaces to speed up validation of other references to that name. -# -sub known_6interface($) -{ - my $interface = $_[0]; - my $interfaceref = $interfaces6{$interface}; - - return $interfaceref if $interfaceref; - - for my $i ( @interfaces6 ) { - $interfaceref = $interfaces6{$i}; - my $val = $interfaceref->{root}; - next if $val eq $i; - if ( substr( $interface, 0, length $val ) eq $val ) { - # - # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces. - # - return $interfaces6{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} }; - } - } - - 0; -} - -# -# Return interface number -# -sub interface_number( $ ) { - $interfaces{$_[0]}{number} || 256; -} - -# -# Return the interfaces list -# -sub all_interfaces() { - @interfaces; -} - -# -# Return 6interface number -# -sub interface6_number( $ ) { - $interfaces6{$_[0]}{number} || 256; -} - -# -# Return the 6interfaces list -# -sub all_interfaces6() { - @interfaces6; -} - -# -# Return a reference to the interfaces table entry for an interface -# -sub find_interface( $ ) { - my $interface = $_[0]; - my $interfaceref = $interfaces6{ $interface }; - - fatal_error "Unknown Interface ($interface)" unless $interfaceref; - - $interfaceref; -} - -# -# Return a reference to the interfaces6 table entry for an interface -# -sub find_interface6( $ ) { - my $interface = $_[0]; - my $interfaceref = $interfaces6{ $interface }; - - fatal_error "Unknown 
Interface ($interface)" unless $interfaceref; - - $interfaceref; -} - -# -# Returns true if there are bridge port zones defined in the config -# -sub have_bridges() { - @bport_zones > 0; -} - -# -# Returns true if there are bridge port zones defined in the config -# -sub have_6bridges() { - @bport_6zones > 0; -} - -# -# Return the bridge associated with the passed interface. If the interface is not a bridge port, -# return '' -# -sub port_to_bridge( $ ) { - my $portref = $interfaces{$_[0]}; - return $portref && $portref->{options}{port} ? $portref->{bridge} : ''; -} - -# -# Return the bridge associated with the passed interface. If the interface is not a bridge port, -# return '' -# -sub port_to_6bridge( $ ) { - my $portref = $interfaces6{$_[0]}; - return $portref && $portref->{options}{port} ? $portref->{bridge} : ''; -} - -# -# Return the bridge associated with the passed interface. -# -sub source_port_to_bridge( $ ) { - my $portref = $interfaces{$_[0]}; - return $portref ? $portref->{bridge} : ''; -} - -# -# Return the bridge associated with the passed 6interface. -# -sub source_port_to_6bridge( $ ) { - my $portref = $interfaces6{$_[0]}; - return $portref ? 
$portref->{bridge} : ''; -} - -# -# Return the 'optional' setting of the passed interface -# -sub interface_is_optional($) { - my $optionsref = $interfaces{$_[0]}{options}; - $optionsref && $optionsref->{optional}; -} - -# -# Return the 'optional' setting of the passed interface -# -sub interface6_is_optional($) { - my $optionsref = $interfaces6{$_[0]}{options}; - $optionsref && $optionsref->{optional}; -} - -# -# Returns reference to array of interfaces with the passed option -# -sub find_interfaces_by_option( $ ) { - my $option = $_[0]; - my @ints = (); - - for my $interface ( @interfaces ) { - my $optionsref = $interfaces{$interface}{options}; - if ( $optionsref && defined $optionsref->{$option} ) { - push @ints , $interface - } - } - - \@ints; -} - -# -# Returns reference to array of interfaces6 with the passed option -# -sub find_interfaces6_by_option( $ ) { - my $option = $_[0]; - my @ints = (); - - for my $interface ( @interfaces ) { - my $optionsref = $interfaces{$interface}{options}; - if ( $optionsref && defined $optionsref->{$option} ) { - push @ints , $interface - } - } - - \@ints; -} - -# -# Return the value of an option for an interface -# -sub get_interface_option( $$ ) { - my ( $interface, $option ) = @_; - - $interfaces{$interface}{options}{$option}; -} - -# -# Set an option for an interface -# -sub set_interface_option( $$$ ) { - my ( $interface, $option, $value ) = @_; - - $interfaces{$interface}{options}{$option} = $value; -} - -# -# Return the value of an option for an interface6 -# -sub get_interface6_option( $$ ) { - my ( $interface, $option ) = @_; - - $interfaces6{$interface}{options}{$option}; -} - -# -# Set an option for an interface6 -# -sub set_interface6_option( $$$ ) { - my ( $interface, $option, $value ) = @_; - - $interfaces6{$interface}{options}{$option} = $value; -} - -# -# Validates the hosts file. 
Generates entries in %zone{..}{hosts} -# -sub validate_hosts_file() -{ - my %validoptions = ( - blacklist => 1, - maclist => 1, - nosmurfs => 1, - routeback => 1, - tcpflags => 1, - broadcast => 1, - destonly => 1, - sourceonly => 1, - ); - - my $ipsec = 0; - my $first_entry = 1; - - my $fn = open_file 'hosts'; - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file'; - - my $zoneref = $zones{$zone}; - my $type = $zoneref->{type}; - - fatal_error "Unknown ZONE ($zone)" unless $type; - fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall'; - fatal_error 'IPv6 zones not allowed in ZONE column of hosts record' if $type =~ /6/; - - my $interface; - - if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) { - $interface = $1; - $hosts = $2; - $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; - } else { - fatal_error "Invalid HOST(S) column contents: $hosts"; - } - - if ( $type eq 'bport6' ) { - if ( $zoneref->{bridge} eq '' ) { - fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; - $zoneref->{bridge} = $interfaces{$interface}{bridge}; - } elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { - fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; - } - } - - my $optionsref = {}; - - if ( $options ne '-' ) { - my @options = split_list $options, 'option'; - my %options; - - for my $option ( @options ) - { - if ( $option eq 'ipsec' ) { - $type = 'ipsec6'; - $zoneref->{options}{complex} = 1; - $ipsec = 1; - } elsif ( $validoptions{$option}) { - $options{$option} = 1; - } else { - fatal_error "Invalid option ($option)"; - } - } - - $optionsref = \%options; - } - - # - # Looking for the '!' 
at the beginning of a list element is more straight-foward than looking for it in the middle. - # - # Be sure we don't have a ',!' in the original - # - fatal_error "Invalid hosts list" if $hosts =~ /,!/; - # - # Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions - # - $hosts =~ s/!/,!/g; - # - # Take care of case where the hosts list begins with '!' - # - $hosts = join( '', ALLIPv6 , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; - - add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); - - progress_message " Host \"$currentline\" validated"; - } - - $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones; -} - -# -# Validates the 6hosts file. Generates entries in %zone{..}{hosts} -# -sub validate_6hosts_file() -{ - my %validoptions = ( - blacklist => 1, - maclist => 1, - nosmurfs => 1, - routeback => 1, - tcpflags => 1, - broadcast => 1, - destonly => 1, - sourceonly => 1, - ); - - my $ipsec = 0; - my $first_entry = 1; - - my $fn = open_file '6hosts'; - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $hosts, $options ) = split_line 2, 3, '6hosts file'; - - my $zoneref = $zones{$zone}; - my $type = $zoneref->{type}; - - fatal_error "Unknown ZONE ($zone)" unless $type; - fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall'; - fatal_error 'IPv4 zonea not allowed in ZONE column of 6hosts record' if $type =~ /4/; - - my $interface; - - if ( $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/ ) { - $interface = $1; - $hosts = $2; - $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown 6interface ($interface)" unless $interfaces6{$interface}{root}; - } else { - fatal_error "Invalid HOST(S) column contents: $hosts"; - } - - if ( $type eq 'bport6' ) { - if ( $zoneref->{bridge} eq '' ) { - fatal_error 'Bridge Port Zones may only be associated with 
bridge ports' unless $interfaces6{$interface}{options}{port}; - $zoneref->{bridge} = $interfaces6{$interface}{bridge}; - } elsif ( $zoneref->{bridge} ne $interfaces6{$interface}{bridge} ) { - fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; - } - } - - my $optionsref = {}; - - if ( $options ne '-' ) { - my @options = split_list $options, 'option'; - my %options; - - for my $option ( @options ) - { - if ( $option eq 'ipsec' ) { - $type = 'ipsec6'; - $zoneref->{options}{complex} = 1; - $ipsec = 1; - } elsif ( $validoptions{$option}) { - $options{$option} = 1; - } else { - fatal_error "Invalid option ($option)"; - } - } - - $optionsref = \%options; - } - - # - # Looking for the '!' at the beginning of a list element is more straight-foward than looking for it in the middle. - # - # Be sure we don't have a ',!' in the original - # - fatal_error "Invalid hosts list" if $hosts =~ /,!/; - # - # Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions - # - $hosts =~ s/!/,!/g; - # - # Take care of case where the hosts list begins with '!' - # - $hosts = join( '', ALLIPv6 , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; - - add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); - - progress_message " Host \"$currentline\" validated"; - } - - $capabilities{POLICY_MATCH} = 'Yes' if $ipsec || haveipseczones; -} - -# -# Returns a reference to a array of host entries. 
Each entry is a -# reference to an array containing ( interface , polciy match type {ipsec|none} , network ); -# -sub find_hosts_by_option( $ ) { - my $option = $_[0]; - my @hosts; - - for my $zone ( grep $zones{$_}{family} == F_INET , @zones ) { - while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { - while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { - for my $host ( @{$arrayref} ) { - if ( $host->{options}{$option} ) { - for my $net ( @{$host->{hosts}} ) { - push @hosts, [ $interface, $host->{ipsec} , $net ]; - } - } - } - } - } - } - - for my $interface ( @interfaces ) { - if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIPv4 ]; - } - } - - \@hosts; -} - -# -# Returns a reference to a array of host entries. Each entry is a -# reference to an array containing ( interface , polciy match type {ipsec|none} , network ); -# -sub find_6hosts_by_option( $ ) { - my $option = $_[0]; - my @hosts; - - for my $zone ( grep $zones{$_}{family} == F_INET6 , @zones ) { - while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { - while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { - for my $host ( @{$arrayref} ) { - if ( $host->{options}{$option} ) { - for my $net ( @{$host->{hosts}} ) { - push @hosts, [ $interface, $host->{ipsec} , $net ]; - } - } - } - } - } - } - - for my $interface ( @interfaces6 ) { - if ( ! $interfaces6{$interface}{zone} && $interfaces6{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIPv6 ]; - } - } - - \@hosts; -} - -1; diff --git a/Shorewall-perl-IPv6-Aborted/compiler.pl b/Shorewall-perl-IPv6-Aborted/compiler.pl deleted file mode 100755 index 9a3c1826a..000000000 --- a/Shorewall-perl-IPv6-Aborted/compiler.pl +++ /dev/null 
@@ -1,109 +0,0 @@ -#! /usr/bin/perl -w -# -# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.2 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# compiler.pl [
=> { => { name => -# table =>
-# is_policy => undef|1 -- if 1, this is a policy chain -# is_optional => undef|1 -- See below. -# referenced => undef|1 -- If 1, will be written to the iptables-restore-input. -# builtin => undef|1 -- If 1, one of Netfilter's built-in chains. -# manual => undef|1 -- If 1, a manual chain. -# accounting => undef|1 -- If 1, an accounting chain -# log => -# policy => -# policychain => -- self-reference if this is a policy chain -# policypair => [ , ] -- Used for reporting duplicated policies -# loglevel => -# synparams => -# synchain => -# default => -# cmdlevel => -# rules => [ -# -# ... -# ] -# } , -# => ... -# } -# } -# -# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be -# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1. -# -# Only 'referenced' chains get written to the iptables-restore input. -# -# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. -# -our %chain_table4; -our %chain_table6; -our $chain_table; -our $nat_table; -our $mangle_table; -our $filter_table; -# -# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file -# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent -# on Shorewall::Rules. 
-# -our %sections; -our $section; - -our $comment; - -use constant { STANDARD => 1, #defined by Netfilter - NATRULE => 2, #Involves NAT - BUILTIN => 4, #A built-in action - NONAT => 8, #'NONAT' or 'ACCEPT+' - NATONLY => 16, #'DNAT-' or 'REDIRECT-' - REDIRECT => 32, #'REDIRECT' - ACTION => 64, #An action (may be built-in) - MACRO => 128, #A Macro - LOGRULE => 256, #'LOG' - NFQ => 512, #'NFQUEUE' - CHAIN => 1024, #Manual Chain - IPV4ONLY => 2048, #Not Available with IPV6 - }; - -# -# expand_rule() restrictions -# -use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule - PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d
using main routing table - INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed - OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed - POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s
using main routing table - ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed - }; -our $exclseq; -our $iprangematch; -our $chainseq; - -our %interfaceaddr; -our %interfaceaddrs; -our %interfacenets; -our %interfacemacs; -our %interfacebcasts; -our %interfacegateways; - -our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING); - -# -# Mode of the generator. -# -use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptables-restore input - CAT_MODE => 1 , # Generating iptables-restore input - CMD_MODE => 2 }; # Generating shell commands. - -our $mode; - -our %targets4; -our %targets6; -our $targets; -our $chain_family; - -sub use_ipv4_chains() { - $chain_table = \%chain_table4; - $nat_table = $chain_table->{nat}; - $mangle_table = $chain_table->{mangle}; - $filter_table = $chain_table->{filter}; - $targets = \%targets4; - $chain_family = F_INET; -} - -sub use_ipv6_chains() { - $chain_table = \%chain_table6; - $nat_table = undef; - $mangle_table = $chain_table->{mangle}; - $filter_table = $chain_table->{filter}; - $targets = \%targets6; - $chain_family = F_INET6; -} - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - %chain_table4 = ( raw => {} , - mangle => {} , - nat => {} , - filter => {} ); - %chain_table6 = ( raw => {} , - mangle => {} , - filter => {} ); - - use_ipv4_chains; - # - # These get set to 1 as sections are encountered. - # - %sections = ( ESTABLISHED => 0, - RELATED => 0, - NEW => 0 - ); - # - # Current rules file section. - # - $section = 'ESTABLISHED'; - # - # Contents of last COMMENT line. 
- # - $comment = ''; - # - # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... - # - $exclseq = 0; - # - # Used to suppress duplicate match specifications. - # - $iprangematch = 0; - # - # Sequence for naming temporary chains - # - $chainseq = undef; - # - # Keep track of which interfaces have active 'address', 'addresses', 'networks', etc. variables - # - %interfaceaddr = (); - %interfaceaddrs = (); - %interfacenets = (); - %interfacemacs = (); - %interfacebcasts = (); - %interfacegateways = (); - # - # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table - # - %targets4 = ('ACCEPT' => STANDARD, - 'ACCEPT+' => STANDARD + NONAT, - 'ACCEPT!' => STANDARD, - 'NONAT' => STANDARD + NONAT + NATONLY, - 'DROP' => STANDARD, - 'DROP!' => STANDARD, - 'REJECT' => STANDARD, - 'REJECT!' => STANDARD, - 'DNAT' => NATRULE, - 'DNAT-' => NATRULE + NATONLY, - 'REDIRECT' => NATRULE + REDIRECT, - 'REDIRECT-' => NATRULE + REDIRECT + NATONLY, - 'LOG' => STANDARD + LOGRULE, - 'CONTINUE' => STANDARD, - 'CONTINUE!' => STANDARD, - 'QUEUE' => STANDARD, - 'QUEUE!' => STANDARD, - 'NFQUEUE' => STANDARD + NFQ, - 'NFQUEUE!' => STANDARD + NFQ, - 'SAME' => NATRULE, - 'SAME-' => NATRULE + NATONLY, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, - 'dropNotSyn' => BUILTIN + ACTION, - 'rejNotSyn' => BUILTIN + ACTION, - 'dropInvalid' => BUILTIN + ACTION, - 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, - ); - - %targets6 = ('ACCEPT' => STANDARD, - 'NONAT' => STANDARD + NONAT + NATONLY, - 'DROP!' => STANDARD, - 'LOG' => STANDARD + LOGRULE, - 'CONTINUE' => STANDARD, - 'CONTINUE!' => STANDARD, - 'QUEUE' => STANDARD, - 'QUEUE!' => STANDARD, - 'NFQUEUE' => STANDARD + NFQ, - 'NFQUEUE!' 
=> STANDARD + NFQ, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, - 'dropNotSyn' => BUILTIN + ACTION, - 'rejNotSyn' => BUILTIN + ACTION, - 'dropInvalid' => BUILTIN + ACTION, - 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, - ); - -} - -INIT { - initialize; -} - -# -# Add a run-time command to a chain. Arguments are: -# -# Chain reference , Command -# - -# -# Process a COMMENT line (in $currentline) -# -sub process_comment() { - if ( $capabilities{COMMENTS} ) { - ( $comment = $currentline ) =~ s/^\s*COMMENT\s*//; - $comment =~ s/\s*$//; - } else { - warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; - } -} - -# -# Returns True if there is a current COMMENT or if COMMENTS are not available. -# -sub no_comment() { - $comment ? 1 : $capabilities{COMMENTS} ? 0 : 1; -} - -# -# Clear the $comment variable -# -sub clear_comment() { - $comment = ''; -} - -# -# Set $comment to the passed unless there is a current comment -# -sub macro_comment( $ ) { - my $macro = $_[0]; - - $comment = $macro unless $comment || ! 
( $capabilities{COMMENTS} && $config{AUTO_COMMENT} ); -} - -# -# Functions to manipulate cmdlevel -# -sub incr_cmd_level( $ ) { - $_[0]->{cmdlevel}++; -} - -sub decr_cmd_level( $ ) { - fatal_error "Internal error in decr_cmd_level()" if --$_[0]->{cmdlevel} < 0; -} - -sub add_command($$) -{ - my ($chainref, $command) = @_; - - push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $command ); - - $chainref->{referenced} = 1; -} - -sub add_commands { - my $chainref = shift @_; - - for my $command ( @_ ) { - push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $command ); - } - - $chainref->{referenced} = 1; -} - -sub push_rule( $$ ) { - my ($chainref, $rule) = @_; - - $rule .= qq( -m comment --comment "$comment") if $comment; - - if ( $chainref->{cmdlevel} ) { - $rule =~ s/"/\\"/g; #Must preserve quotes in the rule - add_command $chainref , qq(echo "-A $chainref->{name} $rule" >&3); - } else { - # - # We omit the chain name for now -- this makes it easier to move rules from one - # chain to another - # - push @{$chainref->{rules}}, join( ' ', '-A' , $rule ); - $chainref->{referenced} = 1; - } -} - -# -# Add a rule to a chain. Arguments are: -# -# Chain reference , Rule [, Expand-long-dest-port-lists ] -# -sub add_rule($$;$) -{ - my ($chainref, $rule, $expandports) = @_; - - fatal_error 'Internal Error in add_rule()' if reftype $rule; - - $iprangematch = 0; - # - # Pre-processing the port lists as was done in Shorewall-shell results in port-list - # processing driving the rest of rule generation. - # - # By post-processing each rule generated by expand_rule(), we avoid all of that - # messiness and replace it with the following localized messiness. - # - # Because source ports are seldom specified and source port lists are rarer still, - # we only worry about the destination ports. 
- # - if ( $expandports && $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) { - # - # Rule has a --dports specification - # - my ($first, $ports, $rest) = ( $1, $2, $3 ); - - if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { - # - # More than 15 ports specified - # - my @ports = split '([,:])', $ports; - - while ( @ports ) { - my $count = 0; - my $newports = ''; - - while ( @ports && $count < 15 ) { - my ($port, $separator) = ( shift @ports, shift @ports ); - - $separator ||= ''; - - if ( ++$count == 15 ) { - if ( $separator eq ':' ) { - unshift @ports, $port, ':'; - chop $newports; - last; - } else { - $newports .= $port; - } - } else { - $newports .= "${port}${separator}"; - } - } - - push_rule ( $chainref, join( '', $first, $newports, $rest ) ); - } - } else { - push_rule ( $chainref, $rule ); - } - } else { - push_rule ( $chainref, $rule ); - } -} - -# -# Add a jump from the chain represented by the reference in the first argument to -# the target in the second argument. The optional third argument specifies any -# matches to be included in the rule and must end with a space character if it is non-null. -# - -sub add_jump( $$$;$ ) { - my ( $fromref, $to, $goto_ok, $predicate ) = @_; - - $predicate |= ''; - - my $toref; - # - # The second argument may be a scalar (chain name or builtin target) or a chain reference - # - if ( reftype $to ) { - $toref = $to; - $to = $toref->{name}; - } else { - # - # Ensure that we have the chain unless it is a builtin like 'ACCEPT' - # - $toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets->{$to} || 0 ) & STANDARD; - } - - # - # If the destination is a chain, mark it referenced - # - $toref->{referenced} = 1 if $toref; - - my $param = $goto_ok && $toref && $capabilities{GOTO_TARGET} ? 'g' : 'j'; - - add_rule ($fromref, join( '', $predicate, "-$param $to" ) ); -} - -# -# Insert a rule into a chain. 
Arguments are: -# -# Chain reference , Rule Number, Rule -# -sub insert_rule($$$) -{ - my ($chainref, $number, $rule) = @_; - - fatal_error 'Internal Error in insert_rule()' if $chainref->{cmdlevel}; - - $rule .= "-m comment --comment \"$comment\"" if $comment; - - splice( @{$chainref->{rules}}, $number - 1, 0, join( ' ', '-A', $rule ) ); - - $iprangematch = 0; - - $chainref->{referenced} = 1; - -} - -# -# Move the rules from one chain to another -# -# The rules generated by interface options are added to the interfaces's input chain and -# forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to -# a zone-oriented chain, hence this function. -# -# The source chain must not have any run-time code included in its rules. -# -sub move_rules( $$ ) { - my ($chain1, $chain2 ) = @_; - - if ( $chain1->{referenced} ) { - my @rules = @{$chain1->{rules}}; - - for ( @rules ) { - fatal_error "Internal Error in move_rules()" unless /^-A/; - } - - splice @{$chain2->{rules}}, 0, 0, @rules; - - $chain2->{referenced} = 1; - $chain1->{referenced} = 0; - $chain1->{rules} = []; - } -} - -# -# Change the passed interface name so it is a legal shell variable name. -# -sub chain_base($) { - my $chain = $_[0]; - - $chain =~ s/^@/at_/; - $chain =~ tr/[.\-%@]/_/; - $chain =~ s/\+$//; - $chain; -} - -# -# Forward Chain for an interface -# -sub forward_chain($) -{ - $_[0] . '_fwd'; -} - -# -# Forward Chain for a zone -# -sub zone_forward_chain($) { - $_[0] . '_frwd'; -} - -# -# Returns true if we're to use the interface's forward chain -# -sub use_forward_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - $interfaceref->{nets} > 1; -} - -# -# Input Chain for an interface -# -sub input_chain($) -{ - $_[0] . '_in'; -} - -# -# Input Chain for a zone -# -sub zone_input_chain($) { - $_[0] . 
'_input'; -} - -# -# Returns true if we're to use the interface's input chain -# -sub use_input_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's input chain if it has one - # - my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the '2fw' chain if it is referenced. - # - $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )}; - - ! ( $chainref->{referenced} || $chainref->{is_policy} ) -} - -# -# Output Chain for an interface -# -sub output_chain($) -{ - $_[0] . '_out'; -} - -# -# Output Chain for a zone -# -sub zone_output_chain($) { - $_[0] . '_output'; -} - -# -# Returns true if we're to use the interface's output chain -# -sub use_output_chain($) { - my $interface = $_[0]; - my $interfaceref = find_interface($interface); - my $nets = $interfaceref->{nets}; - # - # We must use the interfaces's chain if the interface is associated with multiple zone nets - # - return 1 if $nets > 1; - # - # Don't need it if it isn't associated with any zone - # - return 0 unless $nets; - # - # Interface associated with a single zone -- use the zone's output chain if it has one - # - my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; - - return 0 if $chainref; - # - # Use the 'fw2' chain if it is referenced. - # - $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; - - ! ( $chainref->{referenced} || $chainref->{is_policy} ) -} - -# -# Masquerade Chain for an interface -# -sub masq_chain($) -{ - $_[0] . 
'_masq'; -} - -# -# Syn_flood_chain -- differs from the other _chain functions in that the argument is a chain table reference -# -sub syn_flood_chain ( $ ) { - '@' . $_[0]->{synchain}; -} - -# -# MAC Verification Chain for an interface -# -sub mac_chain( $ ) -{ - $_[0] . '_mac'; -} - -sub macrecent_target($) -{ - $config{MACLIST_TTL} ? $_[0] . '_rec' : 'RETURN'; -} - -# -# DNAT Chain from a zone -# -sub dnat_chain( $ ) -{ - $_[0] . '_dnat'; -} - -# -# SNAT Chain to an interface -# -sub snat_chain( $ ) -{ - $_[0] . '_snat'; -} - -# -# ECN Chain to an interface -# -sub ecn_chain( $ ) -{ - $_[0] . '_ecn'; -} - -# -# First chains for an interface -# -sub first_chains( $ ) #$1 = interface -{ - my $c = $_[0]; - - ( $c . '_fwd', $c . '_in' ); -} - -# -# Create a new chain and return a reference to it. -# -sub new_chain($$) -{ - my ($table, $chain) = @_; - - fatal_error "Internal error in new_chain()" if $chain_table->{$table}{$chain}; - - $chain_table->{$table}{$chain} = { name => $chain, - rules => [], - table => $table, - loglevel => '', - log => 1, - cmdlevel => 0 }; -} - -# -# Create a chain if it doesn't exist already -# -sub ensure_chain($$) -{ - my ($table, $chain) = @_; - - fatal_error 'Internal Error in ensure_chain' unless $table && $chain; - - my $ref = $chain_table->{$table}{$chain}; - - return $ref if $ref; - - new_chain $table, $chain; -} - -sub finish_chain_section( $$ ); - -# -# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting. -# -sub ensure_filter_chain( $$ ) -{ - my ($chain, $populate) = @_; - - my $chainref = $filter_table->{$chain}; - - $chainref = new_chain 'filter' , $chain unless $chainref; - - if ( $populate and ! 
$chainref->{referenced} ) { - if ( $section eq 'NEW' or $section eq 'DONE' ) { - finish_chain_section $chainref , 'ESTABLISHED,RELATED'; - } elsif ( $section eq 'RELATED' ) { - finish_chain_section $chainref , 'ESTABLISHED'; - } - } - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Create an accounting chain if necessary. -# -sub ensure_accounting_chain( $ ) -{ - my ($chain) = @_; - - my $chainref = $filter_table->{$chain}; - - if ( $chainref ) { - fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting}; - } else { - $chainref = new_chain 'filter' , $chain unless $chainref; - $chainref->{accounting} = 1; - $chainref->{referenced} = 1; - } - - $chainref; -} - -sub ensure_mangle_chain($) { - my $chain = $_[0]; - - my $chainref = ensure_chain 'mangle', $chain; - - $chainref->{referenced} = 1; - - $chainref; -} - -sub ensure_nat_chain($) { - my $chain = $_[0]; - - my $chainref = ensure_chain 'nat', $chain; - - $chainref->{referenced} = 1; - - $chainref; -} - -# -# Add a builtin chain -# -sub new_builtin_chain($$$) -{ - my ( $table, $chain, $policy ) = @_; - - my $chainref = new_chain $table, $chain; - $chainref->{referenced} = 1; - $chainref->{policy} = $policy; - $chainref->{builtin} = 1; -} - -sub new_standard_chain($) { - my $chainref = new_chain 'filter' ,$_[0]; - $chainref->{referenced} = 1; - $chainref; -} - -sub new_nat_chain($) { - my $chainref = new_chain 'nat' ,$_[0]; - $chainref->{referenced} = 1; - $chainref; -} - -sub new_manual_chain($) { - my $chain = $_[0]; - fatal_error "Duplicate Chain Name ($chain)" if $targets->{$chain} || $filter_table->{$chain}; - $targets->{$chain} = CHAIN; - ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1; - $chainref->{referenced} = 1; - $chainref; -} - -sub ensure_manual_chain($) { - my $chain = $_[0]; - my $chainref = $filter_table->{$chain} || new_manual_chain($chain); - fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual}; - 
$chainref; -} - -# -# Add all builtin chains to the chain table -# -# -sub initialize_chain_table() -{ - for my $chain qw(OUTPUT PREROUTING) { - new_builtin_chain 'raw' , $chain, 'ACCEPT'; - } - - for my $chain qw(INPUT OUTPUT FORWARD) { - new_builtin_chain 'filter', $chain, 'DROP'; - } - - for my $chain qw(PREROUTING POSTROUTING OUTPUT) { - new_builtin_chain 'nat', $chain, 'ACCEPT'; - } - - for my $chain qw(PREROUTING INPUT OUTPUT ) { - new_builtin_chain 'mangle', $chain, 'ACCEPT'; - } - - if ( $capabilities{MANGLE_FORWARD} ) { - for my $chain qw( FORWARD POSTROUTING ) { - new_builtin_chain 'mangle', $chain, 'ACCEPT'; - } - } - - use_ipv6_chains; - - for my $chain qw(OUTPUT PREROUTING) { - new_builtin_chain 'raw' , $chain, 'ACCEPT'; - } - - for my $chain qw(INPUT OUTPUT FORWARD) { - new_builtin_chain 'filter', $chain, 'DROP'; - } - - for my $chain qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) { - new_builtin_chain 'mangle', $chain, 'ACCEPT'; - } - - use_ipv4_chains; - -} - -# -# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain -# -sub finish_chain_section ($$) { - my ($chainref, $state ) = @_; - my $chain = $chainref->{name}; - my $savecomment = $comment; - - $comment = ''; - - add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; - - if ($sections{NEW} ) { - if ( $chainref->{is_policy} ) { - if ( $chainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref; - if ( $section eq 'DONE' ) { - if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } else { - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } else { - my $policychainref = $filter_table->{$chainref->{policychain}}; - if ( $policychainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; - add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; - } - } - } - - $comment = 
$savecomment; -} - -# -# Do section-end processing -# -sub finish_section ( $ ) { - my $sections = $_[0]; - - for my $section ( split /,/, $sections ) { - $sections{$section} = 1; - } - - for my $zone ( all_zones ) { - for my $zone1 ( all_zones ) { - my $chainref = $filter_table->{"${zone}2${zone1}"}; - if ( $chainref->{referenced} ) { - finish_chain_section $chainref, $sections; - } - } - } -} - -# -# Helper for set_mss -# -sub set_mss1( $$ ) { - my ( $chain, $mss ) = @_; - my $chainref = ensure_chain 'filter', $chain; - - if ( $chainref->{policy} ne 'NONE' ) { - my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; - insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" - } -} - -# -# Set up rules to set MSS to and/or from zone "$zone" -# -sub set_mss( $$$ ) { - my ( $zone, $mss, $direction) = @_; - - for my $z ( all_zones ) { - if ( $direction eq '_in' ) { - set_mss1 "${zone}2${z}" , $mss; - } elsif ( $direction eq '_out' ) { - set_mss1 "${z}2${zone}", $mss; - } else { - set_mss1 "${z}2${zone}", $mss; - set_mss1 "${zone}2${z}", $mss; - } - } -} - -# -# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. -# -sub setup_zone_mss() { - for my $zone ( all_zones ) { - my $zoneref = find_zone( $zone ); - - set_mss( $zone, $zoneref->{options}{in_out}{mss}, '' ) if $zoneref->{options}{in_out}{mss}; - set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss}; - set_mss( $zone, $zoneref->{options}{out}{mss}, '_out' ) if $zoneref->{options}{out}{mss}; - } -} - -sub newexclusionchain() { - my $seq = $exclseq++; - "excl${seq}"; -} - -sub clearrule() { - $iprangematch = 0; -} - -# -# Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string. 
-# -sub do_proto( $$$ ) -{ - my ($proto, $ports, $sports ) = @_; - # - # Return the number of ports represented by the passed list - # - sub port_count( $ ) { - ( $_[0] =~ tr/,:/,:/ ) + 1; - } - - my $output = ''; - - $proto = '' if $proto eq '-'; - $ports = '' if $ports eq '-'; - $sports = '' if $sports eq '-'; - - if ( $proto ne '' ) { - - my $synonly = ( $proto =~ s/:syn$//i ); - - my $protonum = resolve_proto $proto; - - if ( defined $protonum ) { - # - # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent - # - my $pname = proto_name( $proto = $protonum ); - # - # $proto now contains the protocol number and $pname contains the canonical name of the protocol - # - unless ( $synonly ) { - $output = "-p $proto "; - } else { - fatal_error '":syn" is only allowed with tcp' unless $proto == TCP; - $output = "-p $proto --syn "; - } - - PROTO: - { - - if ( $proto == TCP || $proto == UDP || $proto == SCTP ) { - my $multiport = 0; - - if ( $ports ne '' ) { - if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { - fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; - fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; - $ports = validate_port_list $pname , $ports; - $output .= "-m multiport --dports $ports "; - $multiport = 1; - } else { - $ports = validate_portpair $pname , $ports; - $output .= "--dport $ports "; - } - } else { - $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); - } - - if ( $sports ne '' ) { - if ( $multiport ) { - fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15; - $sports = validate_port_list $pname , $sports; - $output .= "-m multiport --sports $sports "; - } else { - $sports = validate_portpair $pname , $sports; - $output .= "--sport $sports "; - } - } - - last PROTO; } - - if ( $proto == ICMP ) { - if ( $ports ne '' ) { - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $ports = 
validate_icmp $ports; - $output .= "--icmp-type $ports "; - } - - fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; - - last PROTO; } - - fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; - - } # PROTO - - } else { - fatal_error '":syn" is only allowed with tcp' if $synonly; - - if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { - my $p = $2 ? lc $3 : 'tcp'; - require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); - $proto = '-p ' . proto_name($p) . ' '; - $ports = 'ipp2p' unless $ports; - $output .= "${proto}-m ipp2p --$ports "; - } else { - fatal_error "Invalid/Unknown protocol ($proto)" - } - } - } else { - # - # No protocol - # - fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne ''; - } - - $output; -} - -sub mac_match( $ ) { - my $mac = $_[0]; - - $mac =~ s/^(!?)~//; - my $invert = ( $1 ? '! ' : ''); - $mac =~ tr/-/:/; - - fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/; - - "--match mac --mac-source ${invert}$mac "; -} - -# -# Mark validatation functions -# -sub verify_mark( $ ) { - my $mark = $_[0]; - my $limit = $config{HIGH_ROUTE_MARKS} ? 
0xFFFF : 0xFF; - my $value = numeric_value( $mark ); - - fatal_error "Invalid Mark or Mask value ($mark)" - unless defined( $value ) && $value <= $limit; - - fatal_error "Invalid High Mark or Mask value ($mark)" - if ( $value > 0xFF && $value & 0xFF ); -} - -sub verify_small_mark( $ ) { - verify_mark ( (my $mark) = $_[0] ); - fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > 0xFF; -} - -sub validate_mark( $ ) { - for ( split '/', $_[0] ) { - verify_mark $_; - } -} - -# -# Generate an appropriate -m [conn]mark match string for the contents of a MARK column -# - -sub do_test ( $$ ) -{ - my ($testval, $mask) = @_; - - my $originaltestval = $testval; - - return '' unless defined $testval and $testval ne '-'; - - $mask = '' unless defined $mask; - - my $invert = $testval =~ s/^!// ? '! ' : ''; - my $match = $testval =~ s/:C$// ? "-m connmark ${invert}--mark" : "-m mark ${invert}--mark"; - - fatal_error "Invalid MARK value ($originaltestval)" if $testval eq '/'; - - validate_mark $testval; - - $testval = join( '/', $testval, in_hex($mask) ) unless ( $testval =~ '/' ); - - "$match $testval "; -} - -my %norate = ( DROP => 1, REJECT => 1 ); - -# -# Create a "-m limit" match for the passed LIMIT/BURST -# -sub do_ratelimit( $$ ) { - my ( $rate, $action ) = @_; - - return '' unless $rate and $rate ne '-'; - - fatal_error "Rate Limiting not available with $action" if $norate{$action}; - - if ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { - "-m limit --limit $1 --limit-burst $4 "; - } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) { - "-m limit --limit $rate "; - } else { - fatal_error "Invalid rate ($rate)"; - } -} - -# -# Create a "-m connlimit" match for the passed CONNLIMIT -# -sub do_connlimit( $ ) { - my ( $limit ) = @_; - - return '' unless $limit and $limit ne '-'; - - require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's'; - - my $invert = $limit =~ s/^!// ? '' : '! 
'; # Note Carefully -- we actually do 'connlimit-at-or-below' - - if ( $limit =~ /^(\d+):(\d+)$/ ) { - fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31; - "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 "; - } elsif ( $limit =~ /^(\d+)$/ ) { - "-m connlimit ${invert}--connlimit-above $limit "; - } else { - fatal_error "Invalid connlimit ($limit)"; - } -} - -sub do_time( $ ) { - my ( $time ) = @_; - - return '' unless $time ne '-'; - - require_capability 'TIME_MATCH', 'A non-empty TIME', 's'; - - my $result = '-m time '; - - for my $element (split /&/, $time ) { - fatal_error "Invalid time element list ($time)" unless defined $element && $element; - - if ( $element =~ /^(timestart|timestop)=(\d{1,2}:\d{1,2}(:\d{1,2})?)$/ ) { - $result .= "--$1 $2 "; - } elsif ( $element =~ /^weekdays=(.*)$/ ) { - my $days = $1; - for my $day ( split /,/, $days ) { - fatal_error "Invalid weekday ($day)" unless $day =~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ || ( $day =~ /^\d$/ && $day && $day <= 7);0 - } - $result .= "--weekday $days "; - } elsif ( $element =~ /^monthdays=(.*)$/ ) { - my $days = $1; - for my $day ( split /,/, $days ) { - fatal_error "Invalid day of the month ($day)" unless $day =~ /^\d{1,2}$/ && $day && $day <= 31; - } - } elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) { - $result .= "--$1 $2 "; - } elsif ( $element =~ /^(utc|localtz)$/ ) { - $result .= "--$1 "; - } else { - fatal_error "Invalid time element ($element)"; - } - } - - $result; -} - -# -# Create a "-m owner" match for the passed USER/GROUP -# -sub do_user( $ ) { - my $user = $_[0]; - my $rule = '-m owner '; - - return '' unless defined $user and $user ne '-'; - - if ( $user =~ /^(!)?(.*)\+(.*)$/ ) { - $rule .= "! 
--cmd-owner $2 " if defined $2 && $2 ne ''; - $user = "!$1"; - } elsif ( $user =~ /^(.*)\+(.*)$/ ) { - $rule .= "--cmd-owner $2 " if defined $2 && $2 ne ''; - $user = $1; - } - - if ( $user =~ /^(!)?(.*):(.*)$/ ) { - my $invert = $1 ? '! ' : ''; - my $group = defined $3 ? $3 : ''; - if ( defined $2 && $2 ne '' ) { - $user = $2; - fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user ); - $rule .= "${invert}--uid-owner $user "; - } - - if ( $group ne '' ) { - fatal_error "Unknown group ($group)" unless $group =~ /\d+$/ || $globals{EXPORT} || defined getgrnam( $group ); - $rule .= "${invert}--gid-owner $group "; - } - } elsif ( $user =~ /^(!)?(.*)$/ ) { - my $invert = $1 ? '! ' : ''; - $user = $2; - fatal_error "Invalid USER/GROUP (!)" if $user eq ''; - fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user ); - $rule .= "${invert}--uid-owner $user "; - } else { - fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user ); - $rule .= "--uid-owner $user "; - } - - $rule; -} - -# -# Create a "-m tos" match for the passed TOS -# -sub do_tos( $ ) { - my $tos = $_[0]; - - $tos ne '-' ? "-m tos --tos $tos " : ''; -} - -my %dir = ( O => 'original' , - R => 'reply' , - B => 'both' ); - -my %mode = ( P => 'packets' , - B => 'bytes' , - A => 'avgpkt' ); - -# -# Create a "-m connbytes" match for the passed argument -# -sub do_connbytes( $ ) { - my $connbytes = $_[0]; - - return '' if $connbytes eq '-'; - # 1 2 3 5 6 - fatal_error "Invalid CONNBYTES ($connbytes)" unless $connbytes =~ /^(!)? (\d+): (\d+)? ((:[ORB]) (:[PBA])?)?$/x; - - my $invert = $1 || ''; $invert = '! 
' if $invert; - my $min = $2; $min = 0 unless defined $min; - my $max = $3; $max = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; - my $dir = $5 || 'B'; - my $mode = $6 || 'B'; - - $dir =~ s/://; - $mode =~ s/://; - - "${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} "; -} - -# -# Create a "-m helper" match for the passed argument -# -sub do_helper( $ ) { - my $helper = shift; - - return '' if $helper eq '-'; - - qq(-m helper --helper "$helper" ); -} - -# -# Create a "-m length" match for the passed TOS -# -sub do_length( $ ) { - my $length = $_[0]; - - require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' ); - $length ne '-' ? "-m length --length $length " : ''; -} - -# -# Match Source Interface -# -sub match_source_dev( $ ) { - my $interface = shift; - return '' if $interface eq '+'; - my $interfaceref = known_interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - "-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; - } else { - "-i $interface "; - } -} - -# -# Match Dest device -# -sub match_dest_dev( $ ) { - my $interface = shift; - return '' if $interface eq '+'; - my $interfaceref = known_interface( $interface ); - if ( $interfaceref && $interfaceref->{options}{port} ) { - if ( $capabilities{PHYSDEV_BRIDGE} ) { - "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; - } else { - "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; - } - } else { - "-o $interface "; - } -} - -# -# Avoid generating a second '-m iprange' in a single rule. -# -sub iprange_match() { - my $match = ''; - - require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' ); - unless ( $iprangematch ) { - $match = '-m iprange '; - $iprangematch = 1 unless $capabilities{KLUDGEFREE}; - } - - $match; -} - -# -# Get set flags (ipsets). 
-# -sub get_set_flags( $$ ) { - my ( $setname, $option ) = @_; - my $options = $option; - - $setname =~ s/^!//; # Caller has already taken care of leading ! - - if ( $setname =~ /^(.*)\[([1-6])\]$/ ) { - $setname = $1; - my $count = $2; - $options .= ",$option" while --$count > 0; - } elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) { - $setname = $1; - $options = $2; - } - - $setname =~ s/^\+//; - - fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/; - - "--set $setname $options " -} - -# -# Match a Source. Handles IP addresses and ranges and MAC addresses -# -sub match_source_net( $;$ ) { - my ( $net, $restriction) = @_; - - $restriction |= NO_RESTRICT; - - if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - my ($addr1, $addr2) = ( $2, $3 ); - $net =~ s/!// if my $invert = $1 ? '! ' : ''; - validate_range $addr1, $addr2; - iprange_match . "${invert}--src-range $net "; - } elsif ( $net =~ /^!?~/ ) { - fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; - mac_match $net; - } elsif ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' ); - join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); - } elsif ( $net =~ s/^!// ) { - validate_net $net, 1; - "-s ! $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-s $net "; - } -} - -# -# Match a Source. Currently only handles IP addresses and ranges -# -sub match_dest_net( $ ) { - my $net = $_[0]; - - if ( $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - my ($addr1, $addr2) = ( $2, $3 ); - $net =~ s/!// if my $invert = $1 ? '! ' : ''; - validate_range $addr1, $addr2; - iprange_match . "${invert}--dst-range $net "; - } elsif ( $net =~ /^(!?)\+/ ) { - require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , ''); - join( '', '-m set ', $1 ? '! 
' : '', get_set_flags( $net, 'dst' ) ); - } elsif ( $net =~ /^!/ ) { - $net =~ s/!//; - validate_net $net, 1; - "-d ! $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-d $net "; - } -} - -# -# Match original destination -# -sub match_orig_dest ( $ ) { - my $net = $_[0]; - - return '' if $net eq ALLIPv4; - return '' unless $capabilities{CONNTRACK_MATCH}; - - if ( $net =~ s/^!// ) { - validate_net $net, 1; - $capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; - } else { - validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; - } -} - -# -# Match Source IPSEC -# -sub match_ipsec_in( $$ ) { - my ( $zone , $hostref ) = @_; - my $match = '-m policy --dir in --pol '; - my $zoneref = find_zone( $zone ); - my $optionsref = $zoneref->{options}; - - if ( $zoneref->{type} eq 'ipsec4' ) { - $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; - } elsif ( $capabilities{POLICY_MATCH} ) { - $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; - } else { - ''; - } -} - -# -# Match Dest IPSEC -# -sub match_ipsec_out( $$ ) { - my ( $zone , $hostref ) = @_; - my $match = '-m policy --dir out --pol '; - my $zoneref = find_zone( $zone ); - my $optionsref = $zoneref->{options}; - - if ( $zoneref->{type} eq 'ipsec4' ) { - $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; - } elsif ( $capabilities{POLICY_MATCH} ) { - $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" - } else { - ''; - } -} - -# -# Generate a log message -# -sub log_rule_limit( $$$$$$$$ ) { - my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_; - - my $prefix = ''; - - $level = validate_level $level; # Do this here again because this function can be called directly from user exits. 
- - return 1 if $level eq ''; - - $predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' '; - - unless ( $predicates =~ /-m limit / ) { - $limit = $globals{LOGLIMIT} unless $limit && $limit ne '-'; - $predicates .= $limit if $limit; - } - - if ( $config{LOGFORMAT} =~ /^\s*$/ ) { - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level "; - } elsif ( $level =~ /^NFLOG/ ) { - $prefix = "-j $level "; - } else { - $prefix = "-j LOG $globals{LOGPARMS}--log-level $level "; - } - } else { - if ( $tag ) { - if ( $config{LOGTAGONLY} ) { - $chain = $tag; - $tag = ''; - } else { - $tag .= ' '; - } - } else { - $tag = '' unless defined $tag; - } - - $disposition =~ s/\s+.*//; - - if ( $globals{LOGRULENUMBERS} ) { - $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag; - } else { - $prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag; - } - - if ( length $prefix > 29 ) { - $prefix = substr( $prefix, 0, 28 ) . ' '; - warning_message "Log Prefix shortened to \"$prefix\""; - } - - if ( $level =~ '^ULOG' ) { - $prefix = "-j $level --ulog-prefix \"$prefix\" "; - } elsif ( $level =~ /^NFLOG/ ) { - $prefix = "-j $level --nflog-prefix \"$prefix\" "; - } else { - $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" "; - } - } - - if ( $command eq 'add' ) { - add_rule ( $chainref, $predicates . $prefix , 1 ); - } else { - insert_rule ( $chainref , 1 , $predicates . $prefix ); - } -} - -sub log_rule( $$$$ ) { - my ( $level, $chainref, $disposition, $predicates ) = @_; - - log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGLIMIT}, '', 'add', $predicates; -} - -# -# Split a comma-separated source or destination host list but keep [...] together. 
-# -sub mysplit( $ ) { - my @input = split_list $_[0], 'host'; - - return @input unless $_[0] =~ /\[/; - - my @result; - - while ( @input ) { - my $element = shift @input; - - if ( $element =~ /\[/ ) { - while ( substr( $element, -1, 1 ) ne ']' ) { - last unless @input; - $element .= ( ',' . shift @input ); - } - - fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; - } - - push @result, $element; - } - - @result; -} - -# -# Returns the name of the shell variable holding the first address of the passed interface -# -sub interface_address( $ ) { - my $variable = chain_base( $_[0] ) . '_address'; - uc $variable; -} - -# -# Record that the ruleset requires the first IP address on the passed interface -# -sub get_interface_address ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_address( $interface ); - my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address'; - - $interfaceaddr{$interface} = "$variable=\$($function $interface)\n"; - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the broadcast addresses of the passed interface -# -sub interface_bcasts( $ ) { - my $variable = chain_base( $_[0] ) . '_bcasts'; - uc $variable; -} - -# -# Record that the ruleset requires the broadcast addresses on the passed interface -# -sub get_interface_bcasts ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_bcasts( $interface ); - - $interfacebcasts{$interface} = qq($variable="\$(get_interface_bcasts $interface) 255.255.255.255"); - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the gateway through the passed interface -# -sub interface_gateway( $ ) { - my $variable = chain_base( $_[0] ) . 
'_gateway'; - uc $variable; -} - -# -# Record that the ruleset requires the gateway address on the passed interface -# -sub get_interface_gateway ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_gateway( $interface ); - - if ( interface_is_optional $interface ) { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n); - } else { - $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface) -[ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the addresses of the passed interface -# -sub interface_addresses( $ ) { - my $variable = chain_base( $_[0] ) . '_addresses'; - uc $variable; -} - -# -# Record that the ruleset requires the IP addresses on the passed interface -# -sub get_interface_addresses ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_addresses( $interface ); - - if ( interface_is_optional $interface ) { - $interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n); - } else { - $interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the IP address(es) of $interface" -); - } - - "\$$variable"; -} - -# -# Returns the name of the shell variable holding the networks routed out of the passed interface -# -sub interface_nets( $ ) { - my $variable = chain_base( $_[0] ) . 
'_networks'; - uc $variable; -} - -# -# Record that the ruleset requires the networks routed out of the passed interface -# -sub get_interface_nets ( $ ) { - my ( $interface ) = $_[0]; - - my $variable = interface_nets( $interface ); - - if ( interface_is_optional $interface ) { - $interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n); - } else { - $interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the routes through interface \\"$interface\\"" -); - } - - "\$$variable"; - -} - -# -# Returns the name of the shell variable holding the MAC address of the gateway for the passed provider out of the passed interface -# -sub interface_mac( $$ ) { - my $variable = join( '_' , chain_base( $_[0] ) , chain_base( $_[1] ) , 'mac' ); - uc $variable; -} - -# -# Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number -# -sub get_interface_mac( $$$ ) { - my ( $ipaddr, $interface , $table ) = @_; - - my $variable = interface_mac( $interface , $table ); - - if ( interface_is_optional $interface ) { - $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n); - } else { - $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface) -[ -n "\$$variable" ] || fatal_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\"" -); - } - - "\$$variable"; -} - -# -# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). -# -# Returns the destination interface specified in the rule, if any. 
-# -sub expand_rule( $$$$$$$$$$$ ) -{ - my ($chainref , # Chain - $restriction, # Determines what to do with interface names in the SOURCE or DEST - $rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST - $source, # SOURCE - $dest, # DEST - $origdest, # ORIGINAL DEST - $oport, # original destination port - $target, # Target ('-j' part of the rule) - $loglevel , # Log level (and tag) - $disposition, # Primative part of the target (RETURN, ACCEPT, ...) - $exceptionrule # Caller's matches used in exclusion case - ) = @_; - - my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl ); - my $chain = $chainref->{name}; - - our @ends = (); - # - # In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used - # to define such a loop or block. - # - # $chainref = Reference to the chain - # $command = The shell command that begins the loop or conditional - # $end = The shell keyword ('done' or 'fi') that ends the loop or conditional - # - # All open loops and conditionals are closed just before expand_rule() exits - # - sub push_command( $$$ ) { - my ( $chainref, $command, $end ) = @_; - - add_command $chainref, $command; - incr_cmd_level $chainref; - push @ends, $end; - } - # - # Handle Log Level - # - my $logtag; - - if ( $loglevel ne '' ) { - ( $loglevel, $logtag, my $remainder ) = split( /:/, $loglevel, 3 ); - - fatal_error "Invalid log tag" if defined $remainder; - - if ( $loglevel =~ /^none!?$/i ) { - return if $disposition eq 'LOG'; - $loglevel = $logtag = ''; - } else { - $loglevel = validate_level( $loglevel ); - $logtag = '' unless defined $logtag; - } - } elsif ( $disposition eq 'LOG' ) { - fatal_error "LOG requires a level"; - } - # - # Mark Target as referenced, if it's a chain - # - if ( $disposition ) { - my $targetref = $chain_table->{$chainref->{table}}{$disposition}; - $targetref->{referenced} = 1 if $targetref; - } - - # - # Isolate Source Interface, if any - # - if ( 
$source ) { - if ( $source eq '-' ) { - $source = ''; - } elsif ( $chain_family == F_INET ) { - if ( $source =~ /^([^:]+):([^:]+)$/ ) { - $iiface = $1; - $inets = $2; - } elsif ( $source =~ /\+|~|\..*\./ ) { - $inets = $source; - } else { - $iiface = $source; - } - } elsif ( $source =~ /^([^;]+);([^;]+)$/ ) { - $iiface = $1; - $inets = $2; - } elsif ( $source =~ /\+|~|\..*\./ ) { - $inets = $source; - } else { - $iiface = $source; - } - } else { - $source = ''; - } - - # - # Verify Interface, if any - # - if ( $iiface ) { - fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface; - - if ( $restriction & POSTROUTE_RESTRICT ) { - # - # An interface in the SOURCE column of a masq file - # - fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface ); - - my $networks = get_interface_nets ( $iiface ); - - push_command $chainref, join( '', 'for source in ', $networks, '; do' ), 'done'; - - $rule .= '-s $source '; - - } else { - fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT; - $rule .= match_source_dev( $iiface ); - } - } - - # - # Isolate Destination Interface, if any - # - if ( $dest ) { - if ( $dest eq '-' ) { - $dest = ''; - } elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) { - # - # DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule - # - my @interfaces = split /\s+/, $1; - - if ( @interfaces > 1 ) { - my $list = ""; - my $optional; - - for my $interface ( @interfaces ) { - $optional++ if interface_is_optional $interface; - $list = join( ' ', $list , get_interface_address( $interface ) ); - } - - push_command( $chainref , "for address in $list; do" , 'done' ); - - push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; - - $rule .= '-d $address '; - } else { - my $interface = $interfaces[0]; - my $variable = get_interface_address( $interface ); - - push_command( 
$chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface ); - - $rule .= "-d $variable "; - } - - $dest = ''; - } elsif ( $chain_family == F_INET ) { - if ( $dest =~ /^([^:]+):([^:]+)$/ ) { - $diface = $1; - $dnets = $2; - } elsif ( $dest =~ /\+|~|\..*\./ ) { - $dnets = $dest; - } else { - $diface = $dest; - } - } elsif ( $dest =~ /^([^;]+);([^;]+)$/ ) { - $diface = $1; - $dnets = $2; - } elsif ( $dest =~ /\+|~|\..*\./ ) { - $dnets = $dest; - } else { - $diface = $dest; - } - } else { - $dest = ''; - } - # - # Verify Destination Interface, if any - # - if ( $diface ) { - fatal_error "Unknown Interface ($diface)" unless known_interface $diface; - - if ( $restriction & PREROUTE_RESTRICT ) { - # - # ADDRESS 'detect' in the masq file. - # - fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); - push_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do', 'done' ); - $rule .= '-d $dest '; - } else { - fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); - fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; - - if ( $iiface ) { - my $bridge = port_to_bridge( $diface ); - fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface ); - } - - $rule .= match_dest_dev( $diface ); - } - } else { - $diface = ''; - } - - $oport = '' if defined $oport && $oport eq '-'; - - if ( $origdest ) { - if ( $origdest eq '-' || ! 
$capabilities{CONNTRACK_MATCH} ) { - $origdest = ''; - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } elsif ( $origdest =~ /^detect:(.*)$/ ) { - # - # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column - # - my @interfaces = split /\s+/, $1; - - if ( @interfaces > 1 ) { - my $list = ""; - my $optional; - - for my $interface ( @interfaces ) { - $optional++ if interface_is_optional $interface; - $list = join( ' ', $list , get_interface_address( $interface ) ); - } - - push_command( $chainref , "for address in $list; do" , 'done' ); - - push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; - - $rule .= '-m conntrack --ctorigdst $address '; - $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } else { - my $interface = $interfaces[0]; - my $variable = get_interface_address( $interface ); - - push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface ); - - $rule .= "-m conntrack --ctorigdst $variable "; - $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } - - $origdest = ''; - } else { - fatal_error "Invalid ORIGINAL DEST" if $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/; - - if ( $origdest =~ /^([^!]+)?!([^!]+)$/ ) { - # - # Exclusion - # - $onets = $1; - $oexcl = $2; - } else { - $oexcl = ''; - $onets = $origdest; - } - - unless ( $onets ) { - my @oexcl = mysplit $oexcl; - if ( @oexcl == 1 ) { - $rule .= match_orig_dest( "!$oexcl" ); - $oexcl = ''; - } - } - - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } - } else { - $oexcl = ''; - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; - } - - # - # Determine if there is Source Exclusion - # - if ( $inets ) { - fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ 
|| $inets =~ /.*!.*!/; - - if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) { - $inets = $1; - $iexcl = $2; - } else { - $iexcl = ''; - } - - unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { - my @iexcl = mysplit $iexcl; - if ( @iexcl == 1 ) { - $rule .= match_source_net "!$iexcl" , $restriction; - $iexcl = ''; - } - - } - } else { - $iexcl = ''; - } - - # - # Determine if there is Destination Exclusion - # - if ( $dnets ) { - fatal_error "Invalid DEST" if $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/; - - if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) { - $dnets = $1; - $dexcl = $2; - } else { - $dexcl = ''; - } - - unless ( $dnets ) { - my @dexcl = mysplit $dexcl; - if ( @dexcl == 1 ) { - $rule .= match_dest_net "!$dexcl"; - $dexcl = ''; - } - } - } else { - $dexcl = ''; - } - - $inets = ALLIPv4 unless $inets; - $dnets = ALLIPv4 unless $dnets; - $onets = ALLIPv4 unless $onets; - - fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4; - fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4; - - if ( $iexcl || $dexcl || $oexcl ) { - # - # We have non-trivial exclusion -- need to create an exclusion chain - # - fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN'; - - my $echain = newexclusionchain; - - # - # Use the current rule and sent all possible matches to the exclusion chain - # - for my $onet ( mysplit $onets ) { - $onet = match_orig_dest $onet; - for my $inet ( mysplit $inets ) { - for my $dnet ( mysplit $dnets ) { - # - # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE} - # - add_rule( $chainref, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet, "-j $echain" ), 1 ); - 
} - } - } - - # - # Create the Exclusion Chain - # - my $echainref = new_chain $chainref->{table}, $echain; - - # - # Generate RETURNs for each exclusion - # - add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl ); - add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl ); - add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl ); - # - # Log rule - # - log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel; - # - # Generate Final Rule - # - add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; - } else { - # - # No exclusions - # - for my $onet ( mysplit $onets ) { - $onet = match_orig_dest $onet; - for my $inet ( mysplit $inets ) { - # - # We defer evaluating the source net match to accomodate system without $capabilities{KLUDGEFREE} - # - for my $dnet ( mysplit $dnets ) { - if ( $loglevel ne '' ) { - log_rule_limit - $loglevel , - $chainref , - $chain, - $disposition , - '' , - $logtag , - 'add' , - join( '', $rule, match_source_net( $inet , $restriction ) , match_dest_net( $dnet ), $onet ); - } - - unless ( $disposition eq 'LOG' ) { - add_rule( - $chainref, - join( '', $rule, match_source_net ($inet , $restriction ), match_dest_net( $dnet ), $onet, $target ) , - 1 ); - } - } - } - } - } - - while ( @ends ) { - decr_cmd_level $chainref; - add_command $chainref, pop @ends; - } - - $diface; -} - -# -# If the destination chain exists, then at the end of the source chain add a jump to the destination. -# -sub addnatjump( $$$ ) { - my ( $source , $dest, $predicates ) = @_; - - my $destref = $nat_table->{$dest} || {}; - - if ( $destref->{referenced} ) { - add_rule $nat_table->{$source} , $predicates . 
"-j $dest"; - } else { - clearrule; - } -} - -sub emit_comment() { - emit ( '#', - '# Establish the values of shell variables used in the following function calls', - '#' ); - our $emitted_comment = 1; -} - -sub emit_test() { - emit ( 'if [ "$COMMAND" != restore ]; then' , - '' ); - push_indent; - our $emitted_test = 1; -} - -# -# Generate setting of global variables -# -sub set_global_variables() { - - our ( $emitted_comment, $emitted_test ) = (0, 0); - - for ( values %interfaceaddr ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfacegateways ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfacemacs ) { - emit_comment unless $emitted_comment; - emit $_; - } - - for ( values %interfaceaddrs ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - for ( values %interfacenets ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit $_; - } - - unless ( $capabilities{ADDRTYPE} ) { - emit_comment unless $emitted_comment; - emit_test unless $emitted_test; - emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; - - for ( values %interfacebcasts ) { - emit $_; - } - } - - pop_indent, emit "fi\n" if $emitted_test; - -} - -# -# What follows is the code that generates the input to iptables-restore -# -# We always write the iptables-restore input into a file then pass the -# file to iptables-restore. That way, if things go wrong, the user (and Shorewall support) -# has (have) something to look at to determine the error -# -# We may have to generate part of the input at run-time. The rules array in each chain -# table entry may contain rules (begin with '-A') or shell source. We alternate between -# writing the rules ('-A') into the temporary file to be bassed to iptables-restore -# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE). -# -# The following two functions are responsible for the mode transitions. 
-# -sub enter_cat_mode() { - emit ''; - emit 'cat >&3 << __EOF__'; - $mode = CAT_MODE; -} - -sub enter_cmd_mode() { - emit_unindented "__EOF__\n" if $mode == CAT_MODE; - $mode = CMD_MODE; -} - -# -# Emits the passed rule (input to iptables-restore) or command -# -sub emitr( $$ ) { - my ( $name, $rule ) = @_; - - if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) { - # - # A rule - # - enter_cat_mode unless $mode == CAT_MODE; - emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) ); - } else { - # - # A command - # - enter_cmd_mode unless $mode == CMD_MODE; - emit $rule; - } -} - -# -# Generate the netfilter input -# -sub create_netfilter_load() { - - my @table_list; - - push @table_list, 'raw' if $capabilities{RAW_TABLE}; - push @table_list, 'nat' if $capabilities{NAT_ENABLED}; - push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - push @table_list, 'filter'; - - $mode = NULL_MODE; - - emit ( 'setup_netfilter()', - '{' - ); - - push_indent; - - save_progress_message "Preparing iptables-restore input..."; - - emit ''; - - emit 'exec 3>${VARDIR}/.iptables-restore-input'; - - enter_cat_mode; - - for my $table ( @table_list ) { - emit_unindented "*$table"; - - my @chains; - # - # iptables-restore seems to be quite picky about the order of the builtin chains - # - for my $chain ( @builtins ) { - my $chainref = $chain_table->{$table}{$chain}; - if ( $chainref ) { - fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chain $chainref->{policy} [0:0]"; - push @chains, $chainref; - } - } - # - # First create the chains in the current table - # - for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) { - my $chainref = $chain_table->{$table}{$chain}; - unless ( $chainref->{builtin} ) { - fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; - emit_unindented ":$chainref->{name} - [0:0]"; - push @chains, 
$chainref; - } - } - # - # Then emit the rules - # - for my $chainref ( @chains ) { - emitr $chainref->{name}, $_ for ( @{$chainref->{rules}} ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - '[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE', - '', - 'progress_message2 "Running $command..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - - pop_indent; - - emit "}\n"; -} - -# -# Generate the netfilter input for refreshing a list of chains -# -sub create_chainlist_reload($) { - - my $chains = $_[0]; - - my @chains = split_list $chains, 'chain'; - - unless ( @chains ) { - @chains = qw( blacklst ) if $filter_table->{blacklst}; - push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - $chains = join( ',', @chains ) if @chains; - } - - $mode = NULL_MODE; - - emit( 'chainlist_reload()', - '{' - ); - - push_indent; - - if ( @chains ) { - if ( @chains == 1 ) { - progress_message2 "Compiling iptables-restore input for chain @chains..."; - save_progress_message "Preparing iptables-restore input for chain @chains..."; - } else { - progress_message2 "Compiling iptables-restore input for chains $chains..."; - save_progress_message "Preparing iptables-restore input for chains $chains..."; - } - - emit ''; - - my $table = 'filter'; - - my %chains; - - for my $chain ( @chains ) { - ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - - fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; - - $chains{$table} = [] unless $chains{$table}; - - if ( $chain ) { - fatal_error "No $table chain found with name $chain" unless 
$chain_table->{$table}{$chain}; - fatal_error "Built-in chains may not be refreshed" if $chain_table->{table}{$chain}{builtin}; - push @{$chains{$table}}, $chain; - } else { - while ( my ( $chain, $chainref ) = each %{$chain_table->{$table}} ) { - next unless reftype $chainref; - push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; - } - } - } - - emit 'exec 3>${VARDIR}/.iptables-restore-input'; - - enter_cat_mode; - - for $table qw(nat mangle filter) { - next unless $chains{$table}; - - emit_unindented "*$table"; - - my $tableref=$chain_table->{$table}; - - @chains = sort @{$chains{$table}}; - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - emit_unindented ":$chainref->{name} - [0:0]"; - } - - for my $chain ( @chains ) { - my $chainref = $tableref->{$chain}; - my @rules = @{$chainref->{rules}}; - - @rules = () unless @rules; - # - # Emit the chain rules - # - emitr $chain, $_ for ( @rules ); - } - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; - - emit_unindented 'COMMIT'; - } - - enter_cmd_mode; - - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - 'progress_message2 "Running iptables-restore..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); - } else { - emit('true'); - } - - pop_indent; - - emit "}\n"; -} - -1; diff --git a/Shorewall-perl-maybe/Shorewall/Compiler.pm b/Shorewall-perl-maybe/Shorewall/Compiler.pm deleted file mode 100644 index 904688f10..000000000 --- a/Shorewall-perl-maybe/Shorewall/Compiler.pm +++ /dev/null 
@@ -1,962 +0,0 @@
-#! /usr/bin/perl -w
-#
-# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.2
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-package Shorewall::Compiler;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::Policy;
-use Shorewall::Nat;
-use Shorewall::Providers;
-use Shorewall::Tc;
-use Shorewall::Tunnels;
-use Shorewall::Actions;
-use Shorewall::Accounting;
-use Shorewall::Rules;
-use Shorewall::Proc;
-use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
-our @EXPORT_OK = qw( $export );
-our $VERSION = 4.1.4;
-
-our $export;
-
-our $test;
-
-our $reused = 0;
-
-our $family;
-
-use constant { EXPORT => 0x01 ,
- TIMESTAMP => 0x02 ,
- DEBUG => 0x04 };
-
-#
-# Reinitilize the package-globals in the other modules
-#
-sub reinitialize() {
- Shorewall::Config::initialize;
- Shorewall::Chains::initialize;
- Shorewall::Zones::initialize;
- Shorewall::Policy::initialize;
- Shorewall::Nat::initialize;
- Shorewall::Providers::initialize;
- Shorewall::Tc::initialize;
- Shorewall::Actions::initialize;
- Shorewall::Accounting::initialize;
- Shorewall::Rules::initialize;
- Shorewall::Proxyarp::initialize;
- $family = 0;
-}
-
-sub use_ipv4() {
- use_ipv4_addrs;
- use_ipv4_chains;
- use_ipv4_interfaces;
- use_ipv4_policies;
- use_ipv4_rules;
- $family = F_INET;
-}
-
-sub use_ipv6() {
- use_ipv6_addrs;
- use_ipv6_chains;
- use_ipv6_interfaces;
- use_ipv6_policies;
- use_ipv6_rules;
- $family = F_INET;
-}
-
-#
-# First stage of script generation.
-#
-# Copy the prog.header to the generated script.
-# Generate the various user-exit jacket functions.
-# Generate the 'initialize()' function.
-#
-# Note: This function is not called when $command eq 'check'. So it must have no side effects other
-# than those related to writing to the object file.
-
-sub generate_script_1() {
-
- my $date = localtime;
-
- if ( $test ) {
- emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
- } else {
- emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#";
- copy $globals{SHAREDIRPL} . 'prog.header';
- }
-
- for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed/ {
- emit "\nrun_${exit}_exit() {";
- push_indent;
- append_file $exit or emit 'true';
- pop_indent;
- emit '}';
- }
-
- emit ( '',
- '#',
- '# This function initializes the global variables used by the program',
- '#',
- 'initialize()',
- '{',
- ' #',
- ' # These variables are required by the library functions called in this script',
- ' #'
- );
-
- push_indent;
-
- if ( $export ) {
- emit ( 'SHAREDIR=/usr/share/shorewall-lite',
- 'CONFDIR=/etc/shorewall-lite',
- 'PRODUCT="Shorewall Lite"'
- );
- } else {
- emit ( 'SHAREDIR=/usr/share/shorewall',
- 'CONFDIR=/etc/shorewall',
- 'PRODUCT=\'Shorewall\'',
- );
- }
-
- emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
-
- if ( $export ) {
- emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
- '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
- } else {
- emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
- '[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
- }
-
- emit 'TEMPFILE=';
-
- propagateconfig;
-
- my @dont_load = split_list $config{DONT_LOAD}, 'module';
-
- emit ( '[ -n "${COMMAND:=restart}" ]',
- '[ -n "${VERBOSE:=0}" ]',
- qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
- '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
-
- emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
-
- emit ( qq(PATH="$config{PATH}") ,
- 'TERMINATOR=fatal_error' ,
- qq(DONT_LOAD="@dont_load") ,
- qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
- "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
- ''
- );
-
- if ( $config{IPTABLES} ) {
- emit( qq(IPTABLES="$config{IPTABLES}"),
- '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
- );
- } else {
- emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
- '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
- );
- }
-
- emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
- '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
-
- append_file 'params' if $config{EXPORTPARAMS};
-
- emit ( '',
- "STOPPING=",
- '',
- '#',
- '# The library requires that ${VARDIR} exist',
- '#',
- '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
- );
-
- emit ( '',
- '#',
- '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
- '#',
- 'qt1 $IPTABLES -N foox1234',
- 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
- 'result=$?',
- 'qt1 $IPTABLES -F foox1234',
- 'qt1 $IPTABLES -X foox1234',
- '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
- '' );
-
- pop_indent;
-
- emit "}\n"; # End of initialize()
-
-}
-
-sub compile_stop_firewall() {
-
- emit <<'EOF';
-#
-# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
-#
-stop_firewall() {
-
- deletechain() {
- qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
- }
-
- deleteallchains() {
- do_iptables -F
- do_iptables -X
- }
-
- setcontinue() {
- do_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- }
-
- delete_nat() {
- do_iptables -t nat -F
- do_iptables -t nat -X
-
- if [ -f ${VARDIR}/nat ]; then
- while read external interface; do
- del_ip_addr $external $interface
- done < ${VARDIR}/nat
-
- rm -f ${VARDIR}/nat
- fi
- }
-
- case $COMMAND in
- stop|clear|restore)
- ;;
- *)
- set +x
-
- case $COMMAND in
- start)
- logger -p kern.err "ERROR:$PRODUCT start failed"
- ;;
- restart)
- logger -p kern.err "ERROR:$PRODUCT restart failed"
- ;;
- restore)
- logger -p kern.err "ERROR:$PRODUCT restore failed"
- ;;
- esac
-
- if [ "$RESTOREFILE" = NONE ]; then
- COMMAND=clear
- clear_firewall
- echo "$PRODUCT Cleared"
-
- kill $$
- exit 2
- else
- RESTOREPATH=${VARDIR}/$RESTOREFILE
-
- if [ -x $RESTOREPATH ]; then
-
- if [ -x ${RESTOREPATH}-ipsets ]; then
- progress_message2 Restoring Ipsets...
- #
- # We must purge iptables to be sure that there are no
- # references to ipsets
- #
- for table in mangle nat filter; do
- do_iptables -t $table -F
- do_iptables -t $table -X
- done
-
- ${RESTOREPATH}-ipsets
- fi
-
- echo Restoring ${PRODUCT:=Shorewall}...
-
- if $RESTOREPATH restore; then
- echo "$PRODUCT restored from $RESTOREPATH"
- set_state "Started"
- else
- set_state "Unknown"
- fi
-
- kill $$
- exit 2
- fi
- fi
- ;;
- esac
-
- set_state "Stopping"
-
- STOPPING="Yes"
-
- TERMINATOR=
-
- deletechain shorewall
-
- run_stop_exit
-EOF
-
- if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
- emit <<'EOF';
- run_iptables -t mangle -F
- run_iptables -t mangle -X
- for chain in PREROUTING INPUT FORWARD POSTROUTING; do
- qt1 $IPTABLES -t mangle -P $chain ACCEPT
- done
-EOF
- }
-
- if ( $capabilities{RAW_TABLE} ) {
- emit <<'EOF';
- run_iptables -t raw -F
- run_iptables -t raw -X
- for chain in PREROUTING OUTPUT; do
- qt1 $IPTABLES -t raw -P $chain ACCEPT
- done
-EOF
- }
-
- if ( $capabilities{NAT_ENABLED} ) {
- emit <<'EOF';
- delete_nat
- for chain in PREROUTING POSTROUTING OUTPUT; do
- qt1 $IPTABLES -t nat -P $chain ACCEPT
- done
-EOF
- }
-
- emit <<'EOF';
- if [ -f ${VARDIR}/proxyarp ]; then
- while read address interface external haveroute; do
- qt arp -i $external -d $address pub
- [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
- f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
- [ -f $f ] && echo 0 > $f
- done < ${VARDIR}/proxyarp
- fi
-
- rm -f ${VARDIR}/proxyarp
-EOF
-
- push_indent;
-
- emit 'delete_tc1' if $config{CLEAR_TC};
-
- emit( 'undo_routing',
- 'restore_default_route'
- );
-
- my $criticalhosts = process_criticalhosts;
-
- if ( @$criticalhosts ) {
- if ( $config{ADMINISABSENTMINDED} ) {
- emit ( 'for chain in INPUT OUTPUT; do',
- ' setpolicy $chain ACCEPT',
- 'done',
- '',
- 'setpolicy FORWARD DROP',
- '',
- 'deleteallchains',
- ''
- );
-
- for my $hosts ( @$criticalhosts ) {
- my ( $interface, $host ) = ( split /:/, $hosts );
- my $source = match_source_net $host;
- my $dest = match_dest_net $host;
-
- emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT",
- "do_iptables -A OUTPUT -o $interface $dest -j ACCEPT"
- );
- }
-
- emit( '',
- 'for chain in INPUT OUTPUT; do',
- ' setpolicy $chain DROP',
- "done\n"
- );
- } else {
- emit( '',
- 'for chain in INPUT OUTPUT; do',
- ' setpolicy $chain ACCEPT',
- 'done',
- '',
- 'setpolicy FORWARD DROP',
- '',
- "deleteallchains\n"
- );
-
- for my $hosts ( @$criticalhosts ) {
- my ( $interface, $host ) = ( split /:/, $hosts );
- my $source = match_source_net $host;
- my $dest = match_dest_net $host;
-
- emit( "do_iptables -A INPUT -i $interface $source -j ACCEPT",
- "do_iptables -A OUTPUT -o $interface $dest -j ACCEPT"
- );
- }
-
- emit( "\nsetpolicy INPUT DROP",
- '',
- 'for chain in INPUT FORWARD; do',
- ' setcontinue $chain',
- "done\n"
- );
- }
- } elsif ( $config{ADMINISABSENTMINDED} ) {
- emit( 'for chain in INPUT FORWARD; do',
- ' setpolicy $chain DROP',
- 'done',
- '',
- 'setpolicy OUTPUT ACCEPT',
- '',
- 'deleteallchains',
- '',
- 'for chain in INPUT FORWARD; do',
- ' setcontinue $chain',
- "done\n",
- );
- } else {
- emit( 'for chain in INPUT OUTPUT FORWARD; do',
- ' setpolicy $chain DROP',
- 'done',
- '',
- "deleteallchains\n"
- );
- }
-
- process_routestopped;
-
- emit( 'do_iptables -A INPUT -i lo -j ACCEPT',
- 'do_iptables -A OUTPUT -o lo -j ACCEPT'
- );
-
- emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
-
- my $interfaces = find_interfaces_by_option 'dhcp';
-
- for my $interface ( @$interfaces ) {
- emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
- emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
- #
- # This might be a bridge
- #
- emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
- }
-
- emit '';
-
- if ( $config{IP_FORWARDING} eq 'on' ) {
- emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
- 'progress_message2 IP Forwarding Enabled' );
- } elsif ( $config{IP_FORWARDING} eq 'off' ) {
- emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
- 'progress_message2 IP Forwarding Disabled!'
- );
- }
-
- emit 'run_stopped_exit';
-
- pop_indent;
-
- emit '
- set_state "Stopped"
-
- logger -p kern.info "$PRODUCT Stopped"
-
- case $COMMAND in
- stop|clear)
- ;;
- *)
- #
- # The firewall is being stopped when we were trying to do something
- # else. Kill the shell in case we\'re running in a subshell
- #
- kill $$
- ;;
- esac
-}
-';
-
-}
-
-#
-# Second Phase of Script Generation
-#
-# copies the 'prog.functions' file into the script, generates
-# clear_routing_and_traffic_shaping() and the first part of
-# 'setup_routing_and_traffic_shaping()'
-#
-# The bulk of that function is produced by the various config file
-# parsing routines that are called directly out of 'compiler()'.
-#
-# We create two separate functions rather than one so that the
-# define_firewall() shell function can set global IP configuration variables
-# after the old config has been cleared and before we start instantiating
-# the new config. That way, the variables reflect the way that the
-# distribution's tools have configured IP without any Shorewall
-# modifications and the firewall configuration is the same after
-# 'restart' as it is after 'start'.
-#
-# Note: This function is not called when $command eq 'check'. So it must have no side effects other
-# than those related to writing to the object file.
-#
-sub generate_script_2 () {
-
- copy $globals{SHAREDIRPL} . 'prog.functions' unless $test;
-
- emit( '',
- '#',
- '# Clear Routing and Traffic Shaping',
- '#',
- 'clear_routing_and_traffic_shaping() {'
- );
-
- push_indent;
-
- save_progress_message 'Initializing...';
-
- if ( $export ) {
- my $fn = find_file 'modules';
-
- if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
- emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
- emit 'cat > ${VARDIR}/.modules << EOF';
- open_file $fn;
- while ( read_a_line ) {
- emit_unindented $currentline;
- }
- emit_unindented 'EOF';
- emit 'reload_kernel_modules < ${VARDIR}/.modules';
- } else {
- emit 'load_kernel_modules Yes';
- }
- } else {
- emit 'load_kernel_modules Yes';
- }
-
- emit '';
-
- for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
- emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
- 'if [ -n "$addr" ]; then',
- ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
- ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
- ' if in_network $addr $network; then',
- " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
- ' fi',
- ' done',
- "fi\n" );
- }
-
- emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
- '',
- 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
- '',
- 'delete_proxyarp',
- ''
- );
-
- if ( $capabilities{NAT_ENABLED} ) {
- emit( 'if [ -f ${VARDIR}/nat ]; then',
- ' while read external interface; do',
- ' del_ip_addr $external $interface',
- ' done < ${VARDIR}/nat',
- '',
- ' rm -f ${VARDIR}/nat',
- "fi\n" );
- }
-
- emit "delete_tc1\n" if $config{CLEAR_TC};
- emit "disable_ipv6\n" if $config{DISABLE_IPV6};
-
- pop_indent;
-
- emit "}\n";
-
- emit( '#',
- '# Setup Routing and Traffic Shaping',
- '#',
- 'setup_routing_and_traffic_shaping() {'
- );
-
- push_indent;
-
-}
-
-#
-# Third (final) stage of script generation.
-#
-# Generate the end of 'setup_routing_and_traffic_shaping()':
-# Generate code for loading the various files in /var/lib/shorewall[-lite]
-# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
-#
-# Generate the 'setup_netfilter()' function that runs iptables-restore.
-# Generate the 'define_firewall()' function.
-#
-# Note: This function is not called when $command eq 'check'. So it must have no side effects other
-# than those related to writing to the object file.
-#
-sub generate_script_3($) {
-
- emit 'cat > ${VARDIR}/proxyarp << __EOF__';
- dump_proxy_arp;
- emit_unindented '__EOF__';
-
- emit( '',
- 'if [ "$COMMAND" != refresh ]; then' );
-
- push_indent;
-
- emit 'cat > ${VARDIR}/zones << __EOF__';
- dump_zone_contents;
- emit_unindented '__EOF__';
-
- pop_indent;
-
- emit "fi\n";
-
- emit '> ${VARDIR}/nat';
-
- add_addresses;
-
- pop_indent;
-
- emit "}\n";
-
- progress_message2 "Creating iptables-restore input...";
- create_netfilter_load;
- create_chainlist_reload( $_[0] );
-
- emit "#\n# Start/Restart the Firewall\n#";
- emit 'define_firewall() {';
- push_indent;
-
- emit "\nclear_routing_and_traffic_shaping";
-
- set_global_variables;
-
- emit '';
-
- emit<<'EOF';
-setup_routing_and_traffic_shaping
-
-if [ $COMMAND = restore ]; then
- iptables_save_file=${VARDIR}/$(basename $0)-iptables
- if [ -f $iptables_save_file ]; then
- cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux
- else
- fatal_error "$iptables_save_file does not exist"
- fi
-EOF
- pop_indent;
- setup_forwarding;
- push_indent;
- emit<<'EOF';
- set_state "Started"
-else
- if [ $COMMAND = refresh ]; then
- chainlist_reload
-EOF
- setup_forwarding;
- emit<<'EOF';
- run_refreshed_exit
- do_iptables -N shorewall
- set_state "Started"
- else
- setup_netfilter
- restore_dynamic_rules
- conditionally_flush_conntrack
-EOF
- setup_forwarding;
- emit<<'EOF';
- run_start_exit
- do_iptables -N shorewall
- set_state "Started"
- run_started_exit
- fi
-
- [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
-fi
-
-date > ${VARDIR}/restarted
-
-case $COMMAND in
- start)
- logger -p kern.info "$PRODUCT started"
- ;;
- restart)
- logger -p kern.info "$PRODUCT restarted"
- ;;
- refresh)
- logger -p kern.info "$PRODUCT refreshed"
- ;;
- restore)
- logger -p kern.info "$PRODUCT restored"
- ;;
-esac
-EOF
-
- pop_indent;
-
- emit "}\n";
-
- copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
-}
-
-#
-# Process the configuration for the current address family (F_INET or F_INET6)
-#
-sub process_family( $ ) {
- my $chains = shift;
- #
- # Process the interfaces file(s).
- #
- validate_interfaces_file ( $globals{EXPORT} );
- #
- # Process the hosts file.
- #
- validate_hosts_file;
- #
- # Report zone contents
- #
- zone_report;
- #
- # Do action pre-processing.
- #
- process_actions1;
- #
- # Process the Policy File(s).
- #
- validate_policy;
- #
- # Compile the 'stop_firewall()' function
- #
- compile_stop_firewall;
- #
- # Start Second Part of script
- #
- generate_script_2 unless $command eq 'check';
- #
- # Do all of the zone-independent stuff
- #
- add_common_rules;
- #
- # /proc stuff
- #
- setup_arp_filtering;
- setup_route_filtering;
- setup_martian_logging;
- setup_source_routing;
- #
- # Proxy Arp
- #
- setup_proxy_arp;
- #
- # Handle MSS setings in the zones file
- #
- setup_zone_mss;
- #
- # [Re-]establish Routing
- #
- setup_providers;
- #
- # TOS
- #
- process_tos 'tos';
- #
- # ECN
- #
- setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
- #
- # Setup Masquerading/SNAT
- #
- setup_masq;
- #
- # MACLIST Filtration
- #
- setup_mac_lists 1;
- #
- # Process the rules file.
- #
- process_rules;
- #
- # Add Tunnel rules.
- #
- setup_tunnels;
- #
- # Post-rules action processing.
- #
- process_actions2;
- process_actions3;
- #
- # MACLIST Filtration again
- #
- setup_mac_lists 2;
- #
- # Apply Policies
- #
- apply_policy_rules;
- #
- # TCRules and Traffic Shaping
- #
- setup_tc;
- #
- # Setup Nat
- #
- setup_nat;
- #
- # Setup NETMAP
- #
- setup_netmap;
- #
- # Accounting.
- #
- setup_accounting;
- #
- # We generate the matrix even though we don't write out the rules. That way, we insure that
- # a compile of the script won't blow up during that step.
- #
- generate_matrix;
-
- generate_script_3( $chains ) unless $command eq 'check';
-}
-
-#
-# The Compiler.
-#
-# Arguments are named -- see %parms below.
-#
-sub compiler {
-
- my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
- ( '', '', -1, '', 0, '', '', -1 );
-
- $export = 0;
- $test = 0;
-
- sub edit_boolean( $ ) {
- my $val = numeric_value( shift );
- defined($val) && ($val >= 0) && ($val < 2);
- }
-
- sub edit_verbosity( $ ) {
- my $val = numeric_value( shift );
- defined($val) && ($val >= MIN_VERBOSITY) && ($val <= MAX_VERBOSITY);
- }
-
- my %parms = ( object => { store => \$objectfile },
- directory => { store => \$directory },
- verbosity => { store => \$verbosity , edit => \&edit_verbosity } ,
- timestamp => { store => \$timestamp, edit => \&edit_boolean } ,
- debug => { store => \$debug, edit => \&edit_boolean } ,
- export => { store => \$export , edit => \&edit_boolean } ,
- chains => { store => \$chains },
- log => { store => \$log },
- log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } ,
- test => { store => \$test },
- );
-
- while ( defined ( my $name = shift ) ) {
- fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name};
- fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ;
- if ( $ref->{edit} ) {
- fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val);
- }
-
- ${$ref->{store}} = $val;
- }
-
- reinitialize if $reused++;
-
- if ( $directory ne '' ) {
- fatal_error "$directory is not an existing directory" unless -d $directory;
- set_shorewall_dir( $directory );
- }
-
- set_verbose( $verbosity );
- set_log($log, $log_verbosity) if $log;
- set_timestamp( $timestamp );
- set_debug( $debug );
- #
- # Get shorewall.conf and capabilities.
- #
- get_configuration( $export );
-
- report_capabilities;
-
- require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' );
- require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
- require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
- require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
- require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
-
- set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
-
- initialize_chain_table;
-
- unless ( $command eq 'check' ) {
- create_temp_object( $objectfile );
- generate_script_1;
- }
-
- #
- # Allow user to load Perl modules
- #
- run_user_exit1 'compile';
- #
- # Process the zones file.
- #
- determine_zones;
-
- use_ipv4;
-
- process_family $chains;
-
- if ( $command eq 'check' ) {
- progress_message3 "Shorewall configuration verified";
- } else {
- #
- # Finish the script.
- #
- finalize_object ( $export );
- #
- # And generate the auxilary config file
- #
- generate_aux_config if $export;
- }
-
- close_log if $log;
-
- 1;
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Config.pm b/Shorewall-perl-maybe/Shorewall/Config.pm
deleted file mode 100644
index acbb52b6a..000000000
--- a/Shorewall-perl-maybe/Shorewall/Config.pm
+++ /dev/null
@@ -1,2266 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Config.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module is responsible for lower level configuration file handling.
-# It also exports functions for generating warning and error messages.
-# The get_configuration function parses the shorewall.conf, capabilities and
-# modules files during compiler startup. The module also provides the basic
-# output file services such as creation of temporary 'object' files, writing
-# into those files (emitters) and finalizing those files (renaming
-# them to their final name and setting their mode appropriately).
-#
-package Shorewall::Config;
-
-use strict;
-use warnings;
-use File::Basename;
-use File::Temp qw/ tempfile tempdir /;
-use Cwd qw(abs_path getcwd);
-use autouse 'Carp' => qw(longmess confess);
-use Scalar::Util 'reftype';
-
-our @ISA = qw(Exporter);
-#
-# Imported variables should be treated as read-only by importers
-#
-our @EXPORT = qw(
- warning_message
- fatal_error
- progress_message
- progress_message2
- progress_message3
- );
-
-our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
-
-our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
- finalize_object
- numeric_value
- numeric_value1
- in_hex
- in_hex2
- in_hex3
- in_hex4
- in_hex8
- emit
- emit_unindented
- save_progress_message
- save_progress_message_short
- set_timestamp
- set_verbose
- set_log
- close_log
- set_command
- push_indent
- pop_indent
- copy
- create_temp_aux_config
- finalize_aux_config
- set_shorewall_dir
- set_debug
- find_file
- split_list
- split_line
- split_line1
- first_entry
- open_file
- close_file
- push_open
- pop_open
- read_a_line
- validate_level
- qt
- ensure_config_path
- get_configuration
- require_capability
- report_capabilities
- propagateconfig
- append_file
- run_user_exit
- run_user_exit1
- run_user_exit2
- generate_aux_config
-
- $command
- $doing
- $done
- $currentline
- %config
- %globals
- %capabilities
-
- MIN_VERBOSITY
- MAX_VERBOSITY
- ) ] );
-
-Exporter::export_ok_tags('internal');
-
-our $VERSION = 4.2.0;
-
-#
-# describe the current command, it's present progressive, and it's completion.
-#
-our ($command, $doing, $done );
-#
-# VERBOSITY
-#
-our $verbose;
-#
-# Logging
-#
-our ( $log, $log_verbose );
-#
-# Timestamp each progress message, if true.
-#
-our $timestamp;
-#
-# Object file handle
-#
-our $object;
-#
-# True, if last line emitted is blank
-#
-our $lastlineblank;
-#
-# Number of columns to indent the output
-#
-our $indent;
-#
-# Object's Directory and File
-#
-our ( $dir, $file );
-#
-# Temporary output file's name
-#
-our $tempfile;
-#
-# Misc Globals
-#
-our %globals;
-#
-# From shorewall.conf file
-#
-our %config;
-#
-# Config options and global settings that are to be copied to object script
-#
-our @propagateconfig = qw/ DISABLE_IPV6 IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
-our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
-#
-# From parsing the capabilities file
-#
-our %capabilities;
-#
-# Capabilities
-#
-our %capdesc = ( NAT_ENABLED => 'NAT',
- MANGLE_ENABLED => 'Packet Mangling',
- MULTIPORT => 'Multi-port Match' ,
- XMULTIPORT => 'Extended Multi-port Match',
- CONNTRACK_MATCH => 'Connection Tracking Match',
- OLD_CONNTRACK_MATCH =>
- 'Old conntrack match syntax',
- NEW_CONNTRACK_MATCH =>
- 'Extended Connection Tracking Match',
- USEPKTTYPE => 'Packet Type Match',
- POLICY_MATCH => 'Policy Match',
- PHYSDEV_MATCH => 'Physdev Match',
- PHYSDEV_BRIDGE => 'Physdev-is-bridged support',
- LENGTH_MATCH => 'Packet length Match',
- IPRANGE_MATCH => 'IP Range Match',
- RECENT_MATCH => 'Recent Match',
- OWNER_MATCH => 'Owner Match',
- IPSET_MATCH => 'Ipset Match',
- CONNMARK => 'CONNMARK Target',
- XCONNMARK => 'Extended CONNMARK Target',
- CONNMARK_MATCH => 'Connmark Match',
- XCONNMARK_MATCH => 'Extended Connmark Match',
- RAW_TABLE => 'Raw Table',
- IPP2P_MATCH => 'IPP2P Match',
- CLASSIFY_TARGET => 'CLASSIFY Target',
- ENHANCED_REJECT => 'Extended Reject',
- KLUDGEFREE => 'Repeat match',
- MARK => 'MARK Target',
- XMARK => 'Extended Mark Target',
- MANGLE_FORWARD => 'Mangle FORWARD Chain',
- COMMENTS => 'Comments',
- ADDRTYPE => 'Address Type Match',
- TCPMSS_MATCH => 'TCPMSS Match',
- HASHLIMIT_MATCH => 'Hashlimit Match',
- NFQUEUE_TARGET => 'NFQUEUE Target',
- REALM_MATCH => 'Realm Match',
- HELPER_MATCH => 'Helper Match',
- CONNLIMIT_MATCH => 'Connlimit Match',
- TIME_MATCH => 'Time Match',
- GOTO_TARGET => 'Goto Support',
- CAPVERSION => 'Capability Version',
- );
-#
-# Directories to search for configuration files
-#
-our @config_path;
-#
-# Stash away file references here when we encounter INCLUDE
-#
-our @includestack;
-#
-# Allow nested opens
-#
-our @openstack;
-
-our $currentline; # Current config file line image
-our $currentfile; # File handle reference
-our $currentfilename; # File NAME
-our $currentlinenumber; # Line number
-our $scriptfile; # File Handle Reference to current temporary file being written by an in-line Perl script
-our $scriptfilename; # Name of that file.
-our @tempfiles; # Files that need unlinking at END
-our $first_entry; # Message to output or function to call on first non-blank line of a file
-
-our $shorewall_dir; # Shorewall Directory
-
-our $debug; # If true, use Carp to report errors with stack trace.
-
-use constant { MIN_VERBOSITY => -1,
- MAX_VERBOSITY => 2 };
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-sub initialize() {
- ( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
-
- $verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
- $log = undef; # File reference for log file
- $log_verbose = -1; # Verbosity of log.
- $timestamp = ''; # If true, we are to timestamp each progress message
- $object = 0; # Object (script) file Handle Reference
- $lastlineblank = 0; # Avoid extra blank lines in the output
- $indent = ''; # Current indentation
- ( $dir, $file ) = ('',''); # Object's Directory and File
- $tempfile = ''; # Temporary File Name
-
- #
- # Misc Globals
- #
- %globals = ( SHAREDIR => '/usr/share/shorewall' ,
- CONFDIR => '/etc/shorewall',
- SHAREDIRPL => '/usr/share/shorewall-perl/',
- ORIGINAL_POLICY_MATCH => '',
- LOGPARMS => '',
- TC_SCRIPT => '',
- EXPORT => 0,
- VERSION => "4.2.3",
- CAPVERSION => 40203 ,
- );
- #
- # From shorewall.conf file
- #
- %config =
- ( STARTUP_ENABLED => undef,
- VERBOSITY => undef,
- #
- # Logging
- #
- LOGFILE => undef,
- LOGFORMAT => undef,
- LOGTAGONLY => undef,
- LOGRATE => undef,
- LOGBURST => undef,
- LOGALLNEW => undef,
- BLACKLIST_LOGLEVEL => undef,
- MACLIST_LOG_LEVEL => undef,
- TCP_FLAGS_LOG_LEVEL => undef,
- RFC1918_LOG_LEVEL => undef,
- SMURF_LOG_LEVEL => undef,
- LOG_MARTIANS => undef,
- LOG_VERBOSITY => undef,
- STARTUP_LOG => undef,
- #
- # Location of Files
- #
- IPTABLES => undef,
- #
- #PATH is inherited
- #
- PATH => undef,
- SHOREWALL_SHELL => undef,
- SUBSYSLOCK => undef,
- MODULESDIR => undef,
- #
- #CONFIG_PATH is inherited
- #
- CONFIG_PATH => undef,
- RESTOREFILE => undef,
- IPSECFILE => undef,
- LOCKFILE => undef,
- #
- # Default Actions/Macros
- #
- DROP_DEFAULT => undef,
- REJECT_DEFAULT => undef,
- ACCEPT_DEFAULT => undef,
- QUEUE_DEFAULT => undef,
- NFQUEUE_DEFAULT => undef,
- #
- # RSH/RCP Commands
- #
- RSH_COMMAND => undef,
- RCP_COMMAND => undef,
- #
- # Firewall Options
- #
- BRIDGING => undef,
- IP_FORWARDING => undef,
- ADD_IP_ALIASES => undef,
- ADD_SNAT_ALIASES => undef,
- RETAIN_ALIASES => undef,
- TC_ENABLED => undef,
- TC_EXPERT => undef,
- CLEAR_TC => undef,
- MARK_IN_FORWARD_CHAIN => undef,
- CLAMPMSS => undef,
- ROUTE_FILTER => undef,
- DETECT_DNAT_IPADDRS => undef,
- MUTEX_TIMEOUT => undef,
- ADMINISABSENTMINDED => undef,
- BLACKLISTNEWONLY => undef,
- DELAYBLACKLISTLOAD => undef,
- MODULE_SUFFIX => undef,
- DISABLE_IPV6 => undef,
- IPV6 => undef,
- DYNAMIC_ZONES => undef,
- PKTTYPE=> undef,
- RFC1918_STRICT => undef,
- MACLIST_TABLE => undef,
- MACLIST_TTL => undef,
- SAVE_IPSETS => undef,
- MAPOLDACTIONS => undef,
- FASTACCEPT => undef,
- IMPLICIT_CONTINUE => undef,
- HIGH_ROUTE_MARKS => undef,
- USE_ACTIONS=> undef,
- OPTIMIZE => undef,
- EXPORTPARAMS => undef,
- SHOREWALL_COMPILER => undef,
- EXPAND_POLICIES => undef,
- KEEP_RT_TABLES => undef,
- DELETE_THEN_ADD => undef,
- MULTICAST => undef,
- DONT_LOAD => '',
- AUTO_COMMENT => undef ,
- MANGLE_ENABLED => undef ,
- NULL_ROUTE_RFC1918 => undef ,
- USE_DEFAULT_RT => undef ,
- #
- # Packet Disposition
- #
- MACLIST_DISPOSITION => undef,
- TCP_FLAGS_DISPOSITION => undef,
- BLACKLIST_DISPOSITION => undef,
- );
-
- #
- # From parsing the capabilities file
- #
- %capabilities =
- ( NAT_ENABLED => undef,
- MANGLE_ENABLED => undef,
- MULTIPORT => undef,
- XMULTIPORT => undef,
- CONNTRACK_MATCH => undef,
- NEW_CONNTRACK_MATCH => undef,
- OLD_CONNTRACK_MATCH => undef,
- USEPKTTYPE => undef,
- POLICY_MATCH => undef,
- PHYSDEV_MATCH => undef,
- PHYSDEV_BRIDGE => undef,
- LENGTH_MATCH => undef,
- IPRANGE_MATCH => undef,
- RECENT_MATCH => undef,
- OWNER_MATCH => undef,
- IPSET_MATCH => undef,
- CONNMARK => undef,
- XCONNMARK => undef,
- CONNMARK_MATCH => undef,
- XCONNMARK_MATCH => undef,
- RAW_TABLE => undef,
- IPP2P_MATCH => undef,
- CLASSIFY_TARGET => undef,
- ENHANCED_REJECT => undef,
- KLUDGEFREE => undef,
- MARK => undef,
- XMARK => undef,
- MANGLE_FORWARD => undef,
- COMMENTS => undef,
- ADDRTYPE => undef,
- TCPMSS_MATCH => undef,
- HASHLIMIT_MATCH => undef,
- NFQUEUE_TARGET => undef,
- REALM_MATCH => undef,
- HELPER_MATCH => undef,
- CONNLIMIT_MATCH => undef,
- TIME_MATCH => undef,
- GOTO_TARGET => undef,
- CAPVERSION => undef,
- );
- #
- # Directories to search for configuration files
- #
- @config_path = ();
- #
- # Stash away file references here when we encounter INCLUDE
- #
- @includestack = ();
- #
- # Allow nested opens
- #
- @openstack = ();
-
- $currentline = ''; # Line image
- $currentfile = undef; # File handle reference
- $currentfilename = ''; # File NAME
- $currentlinenumber = 0; # Line number
- $first_entry = 0; # Message to output or function to call on first non-blank file entry
-
- $shorewall_dir = ''; #Shorewall Directory
-
- $debug = 0;
-}
-
-INIT {
- initialize;
- #
- # These variables appear within single quotes in shorewall.conf -- add them to ENV
- # so that read_a_line doesn't have to be smart enough to parse that usage.
- #
- for ( qw/root system command files destination/ ) {
- $ENV{$_} = '' unless exists $ENV{$_};
- }
-}
-
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
-
-#
-# Issue a Warning Message
-#
-sub warning_message
-{
- my $linenumber = $currentlinenumber || 1;
- my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
- our @localtime;
-
- $| = 1;
-
- if ( $log ) {
- @localtime = localtime;
- printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
- }
-
- if ( $debug ) {
- print STDERR longmess( " WARNING: @_$currentlineinfo" );
- print $log longmess( " WARNING: @_$currentlineinfo\n" ) if $log;
- } else {
- print STDERR " WARNING: @_$currentlineinfo\n";
- print $log " WARNING: @_$currentlineinfo\n" if $log;
- }
-
- $| = 0;
-}
-
-#
-# Issue fatal error message and die
-#
-sub fatal_error {
- my $linenumber = $currentlinenumber || 1;
- my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
-
- $| = 1;
-
- if ( $log ) {
- our @localtime = localtime;
- printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
-
- if ( $debug ) {
- print $log longmess( " ERROR: @_$currentlineinfo\n" );
- } else {
- print $log " ERROR: @_$currentlineinfo\n";
- }
-
- close $log;
- $log = undef;
- }
-
- confess " ERROR: @_$currentlineinfo" if $debug;
- die " ERROR: @_$currentlineinfo\n";
-}
-
-sub fatal_error1 {
- $| = 1;
-
- if ( $log ) {
- our @localtime = localtime;
- printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
-
- if ( $debug ) {
- print $log longmess( " ERROR: @_\n" );
- } else {
- print $log " ERROR: @_\n";
- }
-
- close $log;
- $log = undef;
- }
-
- confess " ERROR: @_" if $debug;
- die " ERROR: @_\n";
-}
-
-#
-# Convert value to decimal number
-#
-sub numeric_value ( $ ) {
- my $mark = lc $_[0];
- return undef unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
- $mark =~ /^0/ ? oct $mark : $mark;
-}
-
-sub numeric_value1 ( $ ) {
- my $val = numeric_value $_[0];
- fatal_error "Invalid Number ($_[0])" unless defined $val;
- $val;
-}
-
-#
-# Return the argument expressed in Hex
-#
-sub in_hex( $ ) {
- sprintf '0x%x', $_[0];
-}
-
-sub in_hex2( $ ) {
- sprintf '0x%02x', $_[0];
-}
-
-sub in_hex3( $ ) {
- sprintf '0x%03x', $_[0];
-}
-
-sub in_hex4( $ ) {
- sprintf '0x%04x', $_[0];
-}
-
-sub in_hex8( $ ) {
- sprintf '0x%08x', $_[0];
-}
-
-#
-# Write the arguments to the object file (if any) with the current indentation.
-#
-# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
-#
-sub emit {
- if ( $object ) {
- #
- # 'compile' as opposed to 'check'
- #
- for ( @_ ) {
- unless ( /^\s*$/ ) {
- my $line = $_; # This copy is necessary because the actual arguments are almost always read-only.
- $line =~ s/^\n// if $lastlineblank; - $line =~ s/^/$indent/gm if $indent; - $line =~ s/ /\t/gm; - print $object "$line\n"; - $lastlineblank = ( substr( $line, -1, 1 ) eq "\n" ); - } else { - print $object "\n" unless $lastlineblank; - $lastlineblank = 1; - } - } - } -} - -# -# Write passed message to the object with newline but no indentation. -# -sub emit_unindented( $ ) { - print $object "$_[0]\n" if $object; -} - -# -# Write a progress_message2 command with surrounding blank lines to the output file. -# -sub save_progress_message( $ ) { - emit "\nprogress_message2 @_\n" if $object; -} - -# -# Write a progress_message command to the output file. -# -sub save_progress_message_short( $ ) { - emit "progress_message $_[0]" if $object; -} - -# -# Set $timestamp -# -sub set_timestamp( $ ) { - $timestamp = shift; -} - -# -# Set $verbose -# -sub set_verbose( $ ) { - $verbose = shift; -} - -# -# Set $log and $log_verbose -# -sub set_log ( $$ ) { - my ( $l, $v ) = @_; - - if ( defined $v ) { - my $value = numeric_value( $v ); - fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2); - $log_verbose = $value; - } - - if ( $l && $log_verbose >= 0 ) { - unless ( open $log , '>>' , $l ) { - $log = undef; - fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!"; - } - } else { - $log_verbose = -1; - } -} - -sub close_log() { - close $log, $log = undef if $log; -} - -# -# Set $command, $doing and $done -# -sub set_command( $$$ ) { - ($command, $doing, $done) = @_; -} - -# -# Print the current TOD to STDOUT. -# -sub timestamp() { - our @localtime = localtime; - printf '%02d:%02d:%02d ', @localtime[2,1,0]; -} - -# -# Write a message if $verbose >= 2 -# -sub progress_message { - my $havelocaltime = 0; - - if ( $verbose > 1 ) { - timestamp, $havelocaltime = 1 if $timestamp; - # - # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession). 
- # The following makes such messages look more readable and uniform - # - my $line = "@_"; - $line =~ s/\s+/ /g; - print "$line\n"; - } - - if ( $log_verbose > 1 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - my $line = "@_"; - $line =~ s/\s+/ /g; - print $log "$line\n"; - } -} - -# -# Write a message if $verbose >= 1 -# -sub progress_message2 { - my $havelocaltime = 0; - - if ( $verbose > 0 ) { - timestamp, $havelocaltime = 1 if $timestamp; - print "@_\n"; - } - - if ( $log_verbose > 0 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - print $log "@_\n"; - } -} - -# -# Write a message if $verbose >= 0 -# -sub progress_message3 { - my $havelocaltime = 0; - - if ( $verbose >= 0 ) { - timestamp, $havelocaltime = 1 if $timestamp; - print "@_\n"; - } - - if ( $log_verbose >= 0 ) { - our @localtime; - - @localtime = localtime unless $havelocaltime; - - printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - print $log "@_\n"; - } -} - -# -# Push/Pop Indent -# -sub push_indent() { - $indent = "$indent "; -} - -sub pop_indent() { - $indent = substr( $indent , 0 , ( length $indent ) - 4 ); -} - -# -# Functions for copying files into the object -# -sub copy( $ ) { - if ( $object ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - while ( ) { - chomp; - if ( /^\s*$/ ) { - print $object "\n" unless $lastlineblank; - $lastlineblank = 1; - } else { - s/^/$indent/ if $indent; - print $object $_; - print $object "\n"; - $lastlineblank = 0; - } - } - - close IF; - } -} - -# -# This one handles line continuation. 
- -sub copy1( $ ) { - if ( $object ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - my $do_indent = 1; - - while ( ) { - chomp; - if ( /^\s*$/ ) { - print $object "\n"; - $do_indent = 1; - next; - } - - s/^/$indent/ if $indent && $do_indent; - print $object $_; - print $object "\n"; - $do_indent = ! ( /\\$/ ); - } - - close IF; - } -} - -# -# Create the temporary object file -- the passed file name is the name of the final file. -# We create a temporary file in the same directory so that we can use rename to finalize it. -# -sub create_temp_object( $ ) { - my $objectfile = $_[0]; - my $suffix; - - eval { - ( $file, $dir, $suffix ) = fileparse( $objectfile ); - }; - - die if $@; - - fatal_error "$dir is a Symbolic Link" if -l $dir; - fatal_error "Directory $dir does not exist" unless -d _; - fatal_error "Directory $dir is not writable" unless -w _; - fatal_error "$objectfile is a Symbolic Link" if -l $objectfile; - fatal_error "$objectfile is a Directory" if -d _; - fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _; - fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq ''; - - eval { - $dir = abs_path $dir; - ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir ); - }; - - fatal_error "Unable to create temporary file in directory $dir" if $@; - - $file = "$file.$suffix" if $suffix; - $dir .= '/' unless substr( $dir, -1, 1 ) eq '/'; - $file = $dir . $file; - -} - -# -# Finalize the object file -# -sub finalize_object( $ ) { - my $export = $_[0]; - close $object; - $object = 0; - rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!"; - chmod 0700, $file or fatal_error "Cannot secure $file for execute access"; - progress_message3 "Shorewall configuration compiled to $file" unless $export; -} - -# -# Create the temporary aux config file. 
-# -sub create_temp_aux_config() { - eval { - ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir ); - }; - - die if $@; - -} - -# -# Finalize the aux config file. -# -sub finalize_aux_config() { - close $object; - $object = 0; - rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!"; - progress_message3 "Shorewall configuration compiled to $file"; -} - -# -# Set $config{CONFIG_PATH} -# -sub set_config_path( $ ) { - $config{CONFIG_PATH} = shift; -} - -# -# Set $debug -# -sub set_debug( $ ) { - $debug = shift; -} - -# -# Search the CONFIG_PATH for the passed file -# -sub find_file($) -{ - my $filename=$_[0]; - - return $filename if $filename =~ '/'; - - my $directory; - - for $directory ( @config_path ) { - my $file = "$directory$filename"; - return $file if -f $file; - } - - "$globals{CONFDIR}/$filename"; -} - -sub split_list( $$ ) { - my ($list, $type ) = @_; - - fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/; - - split /,/, $list; -} - -# -# Pre-process a line from a configuration file. - -# ensure that it has an appropriate number of columns. -# supply '-' in omitted trailing columns. 
-# -sub split_line( $$$ ) { - my ( $mincolumns, $maxcolumns, $description ) = @_; - - fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/; - fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/; - - my @line = split( ' ', $currentline ); - - my $line = @line; - - fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns; - - $line-- while $line > 0 && $line[$line-1] eq '-'; - - fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns; - - push @line, '-' while @line < $maxcolumns; - - @line; -} - -# -# Version of 'split_line' used on files with exceptions -# -sub split_line1( $$$;$ ) { - my ( $mincolumns, $maxcolumns, $description, $nopad) = @_; - - fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/; - - my @line = split( ' ', $currentline ); - - $nopad = { COMMENT => 0 } unless $nopad; - - my $first = $line[0]; - my $columns = $nopad->{$first}; - - if ( defined $columns ) { - fatal_error "Invalid $first entry" if $columns && @line != $columns; - return @line - } - - fatal_error "Shorewall Configuration file entries may not contain single quotes" if $currentline =~ /'/; - - my $line = @line; - - fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns; - - $line-- while $line > 0 && $line[$line-1] eq '-'; - - fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns; - - push @line, '-' while @line < $maxcolumns; - - @line; -} - -# -# Open a file, setting $currentfile. Returns the file's absolute pathname if the file -# exists, is non-empty and was successfully opened. Terminates with a fatal error -# if the file exists, is non-empty, but the open fails. 
-# -sub do_open_file( $ ) { - my $fname = $_[0]; - open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!"; - $currentlinenumber = 0; - $currentfilename = $fname; -} - -sub open_file( $ ) { - my $fname = find_file $_[0]; - - fatal_error 'Internal Error in open_file()' if defined $currentfile; - - -f $fname && -s _ ? do_open_file $fname : ''; -} - -# -# Pop the include stack -# -sub pop_include() { - my $arrayref = pop @includestack; - - if ( $arrayref ) { - ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref; - } else { - $currentfile = undef; - } -} - -# -# This function is normally called below in read_a_line() when EOF is reached. Clients of the -# module may also call the function to close the file before EOF -# - -sub close_file() { - if ( $currentfile ) { - my $result = close $currentfile; - - pop_include; - - fatal_error "SHELL Script failed" unless $result; - - $first_entry = 0; - - } -} - -# -# The following two functions allow module clients to nest opens. This happens frequently -# in the Actions module. -# -sub push_open( $ ) { - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - my @a = @includestack; - push @openstack, \@a; - @includestack = (); - $currentfile = undef; - open_file( $_[0] ); - -} - -sub pop_open() { - @includestack = @{pop @openstack}; - pop_include; -} - -sub shorewall { - unless ( $scriptfile ) { - fatal_error "shorewall() may not be called in this context" unless $currentfile; - - $dir ||= '/tmp/'; - - eval { - ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir ); - }; - - fatal_error "Unable to create temporary file in directory $dir" if $@; - } - - print $scriptfile "@_\n"; -} - -# -# We don't announce that we are checking/compiling a file until we determine that the file contains -# at least one non-blank, non-commentary line. -# -# The argument to this function may be either a scalar or a function reference. 
When the first -# non-blank/non-commentary line is reached: -# -# - if a function reference was passed to first_entry(), that function is called -# - otherwise, the argument to first_entry() is passed to progress_message2(). -# -# We do this processing in read_a_line() rather than in the higher-level routines because -# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement -# until we get back to the caller of read_a_line(), we could issue error messages about parsing and -# running scripts in the file before we'd even indicated that we are processing it. -# -sub first_entry( $ ) { - $first_entry = $_[0]; - my $reftype = reftype $first_entry; - if ( $reftype ) { - fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE'; - } -} - -sub embedded_shell( $ ) { - my $multiline = shift; - - fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; - my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber ); - - if ( $multiline ) { - # - # Multi-line script - # - fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/; - $command .= "\n"; - - my $last = 0; - - while ( <$currentfile> ) { - $currentlinenumber++; - last if $last = s/^\s*END(\s+SHELL)?\s*;?//; - $command .= $_; - } - - fatal_error ( "Missing END SHELL" ) unless $last; - fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/; - } - - $command .= q('); - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - open $currentfile , '-|', $command or fatal_error qq(Shell Command failed); - $currentfilename = "SHELL\@$currentfilename:$currentlinenumber"; - $currentline = ''; - $currentlinenumber = 0; -} - -sub embedded_perl( $ ) { - my $multiline = shift; - - my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); - - 
if ( $multiline ) { - # - # Multi-line script - # - fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/; - $command .= "\n"; - - my $last = 0; - - while ( <$currentfile> ) { - $currentlinenumber++; - last if $last = s/^\s*END(\s+PERL)?\s*;?//; - $command .= $_; - } - - fatal_error ( "Missing END PERL" ) unless $last; - fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/; - } - - unless (my $return = eval $command ) { - if ( $@ ) { - # - # Perl found the script offensive or the script itself died - # - $@ =~ s/, <\$currentfile> line \d+//g; - fatal_error1 "$@"; - } - - unless ( defined $return ) { - fatal_error "Perl Script failed: $!" if $!; - fatal_error "Perl Script failed"; - } - - fatal_error "Perl Script Returned False"; - } - - if ( $scriptfile ) { - fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; - - close $scriptfile or fatal_error "Internal Error in embedded_perl()"; - - $scriptfile = undef; - - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - - open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename"; - - push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin - - $scriptfilename = ''; - - $currentfilename = "PERL\@$currentfilename:$linenumber"; - $currentline = ''; - $currentlinenumber = 0; - } -} - -# -# Read a line from the current include stack. -# -# - Ignore blank or comment-only lines. -# - Remove trailing comments. -# - Handle Line Continuation -# - Handle embedded SHELL and PERL scripts -# - Expand shell variables from $ENV. -# - Handle INCLUDE -# - -sub read_a_line() { - while ( $currentfile ) { - - $currentline = ''; - $currentlinenumber = 0; - - while ( <$currentfile> ) { - - $currentlinenumber = $. 
unless $currentlinenumber; - - chomp; - # - # Continuation - # - chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\'; - # - # Remove Trailing Comments -- result might be a blank line - # - $currentline =~ s/#.*$//; - # - # Ignore ( concatenated ) Blank Lines - # - $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/; - # - # Line not blank -- Handle any first-entry message/capabilities check - # - if ( $first_entry ) { - reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry ); - $first_entry = 0; - } - # - # Must check for shell/perl before doing variable expansion - # - if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) { - embedded_shell( $1 ); - } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) { - embedded_perl( $1 ); - } else { - my $count = 0; - # - # Expand Shell Variables using %ENV - # - # $1 $2 $3 - $4 - while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { - my $val = $ENV{$3}; - - unless ( defined $val ) { - fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3}; - $val = ''; - } - - $currentline = join( '', $1 , $val , $4 ); - fatal_error "Variable Expansion Loop" if ++$count > 100; - } - - if ( $currentline =~ /^\s*INCLUDE\s/ ) { - - my @line = split ' ', $currentline; - - fatal_error "Invalid INCLUDE command" if @line != 2; - fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4; - - my $filename = find_file $line[1]; - - fatal_error "INCLUDE file $filename not found" unless -f $filename; - fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; - - if ( -s _ ) { - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - do_open_file $filename; - } else { - $currentlinenumber = 0; - } - - $currentline = ''; - } else { - return 1; - } - } - } - - close_file; - } -} - -# -# Simple version of the above. 
Doesn't do line concatenation, shell variable expansion or INCLUDE processing -# -sub read_a_line1() { - while ( $currentfile ) { - while ( $currentline = <$currentfile> ) { - next if $currentline =~ /^\s*#/; - chomp $currentline; - next if $currentline =~ /^\s*$/; - $currentline =~ s/#.*$//; # Remove Trailing Comments - fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/; - $currentlinenumber = $.; - return 1; - } - - close_file; - } -} - -# -# Provide the passed default value for the passed configuration variable -# -sub default ( $$ ) { - my ( $var, $val ) = @_; - - $config{$var} = $val unless defined $config{$var} && $config{$var} ne ''; -} - -# -# Provide a default value for a yes/no configuration variable. -# -sub default_yes_no ( $$ ) { - my ( $var, $val ) = @_; - - my $curval = "\L$config{$var}"; - - if ( defined $curval && $curval ne '' ) { - if ( $curval eq 'no' ) { - $config{$var} = ''; - } else { - fatal_error "Invalid value for $var ($val)" unless $curval eq 'yes'; - } - } else { - $config{$var} = $val; - } -} - -my %validlevels = ( DEBUG => 7, - INFO => 6, - NOTICE => 5, - WARNING => 4, - WARN => 4, - ERR => 3, - ERROR => 3, - CRIT => 2, - ALERT => 1, - EMERG => 0, - PANIC => 0, - NONE => '', - ULOG => 'ULOG', - NFLOG => 'NFLOG'); - -my @suffixes = qw(group range threshold nlgroup cprange qthreshold); - -# -# Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate" -# -sub level_error( $ ) { - fatal_error "Invalid log level ($_[0])"; -} - -sub validate_level( $ ) { - my $rawlevel = $_[0]; - my $level = uc $rawlevel; - - if ( defined $level && $level ne '' ) { - $level =~ s/!$//; - my $value = $validlevels{$level}; - return $value if defined $value; - return $level if $level =~ /^[0-7]$/; - - if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) { - my $olevel = $1; - my @options = split /,/, $2; - my $prefix = lc $olevel; - my $index = $prefix eq 'ulog' ? 
3 : 0; - - level_error( $level ) if @options > 3; - - for ( @options ) { - if ( defined $_ and $_ ne '' ) { - level_error( $level ) unless /^\d+/; - $olevel .= " --${prefix}-$suffixes[$index] $_"; - } - - $index++; - } - - return $olevel; - } - - if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) { - return $rawlevel; - } - - level_error( $rawlevel ); - } - - ''; -} - -# -# Validate a log level and supply default -# -sub default_log_level( $$ ) { - my ( $level, $default ) = @_; - - my $value = $config{$level}; - - unless ( defined $value && $value ne '' ) { - $config{$level} = $default; - } else { - $config{$level} = validate_level $value; - } -} - -# -# Check a tri-valued variable -# -sub check_trivalue( $$ ) { - my ( $var, $default) = @_; - my $val = "\L$config{$var}"; - - if ( defined $val ) { - if ( $val eq 'yes' || $val eq 'on' ) { - $config{$var} = 'on'; - } elsif ( $val eq 'no' || $val eq 'off' ) { - $config{$var} = 'off'; - } elsif ( $val eq 'keep' ) { - $config{$var} = ''; - } elsif ( $val eq '' ) { - $config{$var} = $default - } else { - fatal_error "Invalid value ($val) for $var"; - } - } else { - $config{var} = $default - } -} - -# -# Produce a report of the detected capabilities -# -sub report_capability( $ ) { - my $cap = $_[0]; - print " $capdesc{$cap}: "; - if ( $cap eq 'CAPVERSION' ) { - my $version = $capabilities{CAPVERSION}; - printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 ); - } else { - print $capabilities{$cap} ? 
"Available\n" : "Not Available\n"; - } -} - -sub report_capabilities() { - if ( $verbose > 1 ) { - print "Shorewall has detected the following capabilities:\n"; - - for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { - report_capability $cap; - } - } -} - -# -# Search the current PATH for the passed executable -# -sub which( $ ) { - my $prog = $_[0]; - - for ( split /:/, $config{PATH} ) { - return "$_/$prog" if -x "$_/$prog"; - } - - ''; -} - -# -# Load the kernel modules defined in the 'modules' file. -# -sub load_kernel_modules( ) { - my $moduleloader = which( 'modprobe' ) || ( which 'insmod' ); - - my $modulesdir = $config{MODULESDIR}; - - unless ( $modulesdir ) { - my $uname = `uname -r`; - fatal_error "The command 'uname -r' failed" unless $? == 0; - chomp $uname; - $modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter"; - } - - my @moduledirectories = split /:/, $modulesdir; - - if ( $moduleloader && open_file 'modules' ) { - my %loadedmodules; - - $loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' ); - - progress_message "Loading Modules..."; - - open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod"; - - while ( ) { - my $module = ( split( /\s+/, $_, 2 ) )[0]; - $loadedmodules{$module}++ unless $module eq 'Module' - } - - close LSMOD; - - $config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX}; - - my @suffixes = split /\s+/ , $config{MODULE_SUFFIX}; - - while ( read_a_line ) { - fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ ); - my ( $module, $arguments ) = ( $1, $2 ); - unless ( $loadedmodules{ $module } ) { - for my $directory ( @moduledirectories ) { - for my $suffix ( @suffixes ) { - my $modulefile = "$directory/$module.$suffix"; - if ( -f $modulefile ) { - if ( $moduleloader eq 'insmod' ) { - system ("insmod $modulefile $arguments" ); - } else { - system( "modprobe $module 
$arguments" ); - } - - $loadedmodules{ $module } = 1; - } - } - } - } - } - } -} - -# -# Q[uie]t version of system(). Returns true for success -# -sub qt( $ ) { - system( "@_ > /dev/null 2>&1" ) == 0; -} - -sub qt1( $ ) { - 1 while system( "@_ > /dev/null 2>&1" ) == 4; - $? == 0; -} - -# -# Determine which optional facilities are supported by iptables/netfilter -# -sub determine_capabilities( $ ) { - - my $iptables = $_[0]; - my $pid = $$; - my $sillyname = "fooX$pid"; - my $sillyname1 = "foo1X$pid"; - - $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ); - $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" ); - - qt1( "$iptables -N $sillyname" ); - qt1( "$iptables -N $sillyname1" ); - - $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); - - if ( $capabilities{CONNTRACK_MATCH} ) { - $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); - $capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! 
--ctorigdstport 1.2.3.4" ); - } - - if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { - $capabilities{MULTIPORT} = 1; - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); - } - - $capabilities{XMULTIPORT} = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); - $capabilities{POLICY_MATCH} = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); - - if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { - $capabilities{PHYSDEV_MATCH} = 1; - $capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); - unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); - } - } - - if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { - $capabilities{IPRANGE_MATCH} = 1; - unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); - } - } - - $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" ); - $capabilities{OWNER_MATCH} = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" ); - - if ( qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) { - $capabilities{CONNMARK_MATCH} = 1; - $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); - } - - $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" ); - $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); - $capabilities{ENHANCED_REJECT} = qt1( 
"$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); - $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); - - if ( $capabilities{MANGLE_ENABLED} ) { - qt1( "$iptables -t mangle -N $sillyname" ); - - if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) { - $capabilities{MARK} = 1; - $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); - } - - if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) { - $capabilities{CONNMARK} = 1; - $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); - } - - $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); - qt1( "$iptables -t mangle -F $sillyname" ); - qt1( "$iptables -t mangle -X $sillyname" ); - - $capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" ); - } - - $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" ); - - if ( which 'ipset' ) { - qt( "ipset -X $sillyname" ); - - if ( qt( "ipset -N $sillyname iphash" ) ) { - if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); - $capabilities{IPSET_MATCH} = 1; - } - - qt( "ipset -X $sillyname" ); - } - } - - $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); - $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); - $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); - $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); - $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE 
--queue-num 4" ); - $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); - $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); - $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" ); - $capabilities{TIME_MATCH} = qt1( "$iptables -A $sillyname -m time --timestart 11:00" ); - $capabilities{GOTO_SUPPORT} = qt1( "$iptables -A $sillyname -g $sillyname1" ); - - qt1( "$iptables -F $sillyname" ); - qt1( "$iptables -X $sillyname" ); - qt1( "$iptables -F $sillyname1" ); - qt1( "$iptables -X $sillyname1" ); - - $capabilities{CAPVERSION} = $globals{CAPVERSION}; -} - -# -# Require the passed capability -# -sub require_capability( $$$ ) { - my ( $capability, $description, $singular ) = @_; - - fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless $capabilities{$capability}; -} - -# -# Set default config path -# -sub ensure_config_path() { - - my $f = "$globals{SHAREDIR}/configpath"; - - $globals{CONFDIR} = '/usr/share/shorewall/configfiles/' if $> != 0; - - unless ( $config{CONFIG_PATH} ) { - fatal_error "$f does not exist" unless -f $f; - - open_file $f; - - $ENV{CONFDIR} = $globals{CONFDIR}; - - while ( read_a_line ) { - if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { - my ($var, $val) = ($1, $2); - $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? 
$1 : $val ) if exists $config{$var}; - } else { - fatal_error "Unrecognized entry"; - } - } - - fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH}; - } - - @config_path = split /:/, $config{CONFIG_PATH}; - - for ( @config_path ) { - $_ .= '/' unless m|/$|; - } - - if ( $shorewall_dir ) { - $shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|; - $shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|; - unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0]; - $config{CONFIG_PATH} = join ':', @config_path; - } -} - -# -# Set $shorewall_dir -# -sub set_shorewall_dir( $ ) { - $shorewall_dir = shift; - ensure_config_path; -} - -# -# Small functions called by get_configuration. We separate them so profiling is more useful -# -sub process_shorewall_conf() { - my $file = find_file 'shorewall.conf'; - - if ( -f $file ) { - if ( -r _ ) { - open_file $file; - - while ( read_a_line ) { - if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { - my ($var, $val) = ($1, $2); - unless ( exists $config{$var} ) { - warning_message "Unknown configuration option ($var) ignored"; - next; - } - - $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ); - } else { - fatal_error "Unrecognized entry"; - } - } - } else { - fatal_error "Cannot read $file (Hint: Are you root?)"; - } - } else { - fatal_error "$file does not exist!"; - } -} - -# -# Process the records in the capabilities file -# -sub read_capabilities() { - while ( read_a_line1 ) { - if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) { - my ($var, $val) = ($1, $2); - unless ( exists $capabilities{$var} ) { - warning_message "Unknown capability ($var) ignored"; - next; - } - - $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? 
$1 : $val; - } else { - fatal_error "Unrecognized capabilities entry"; - } - } - - if ( $capabilities{CAPVERSION} ) { - warning_message "Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall version $globals{VERSION}" unless $capabilities{CAPVERSION} >= $globals{CAPVERSION}; - } else { - warning_message "Your capabilities file may not contain all of the capabilities defined by Shorewall version $globals{VERSION}"; - } -} - -# -# Get the system's capabilities, either by probing or by reading a capabilities file -# -sub get_capabilities( $ ) { - my $export = $_[0]; - - if ( ! $export && $> == 0 ) { # $> == $EUID - my $iptables = $config{IPTABLES}; - - if ( $iptables ) { - fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables; - } else { - fatal_error "Can't find iptables executable" unless $iptables = which 'iptables'; - } - - my $iptables_restore=$iptables . '-restore'; - - fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; - - load_kernel_modules; - - if ( open_file 'capabilities' ) { - read_capabilities; - } else { - determine_capabilities $iptables; - } - } else { - unless ( open_file 'capabilities' ) { - fatal_error "The -e compiler option requires a capabilities file" if $export; - fatal_error "Compiling under non-root uid requires a capabilities file"; - } - - read_capabilities; - } -} - -# -# Deal with options that we no longer support -# -sub unsupported_yes_no( $ ) { - my $option = shift; - - default_yes_no $option, ''; - - fatal_error "$option=Yes is not supported by Shorewall-perl $globals{VERSION}" if $config{$option}; -} - -# -# - Read the shorewall.conf file -# - Read the capabilities file, if any -# - establish global hashes %config , %globals and %capabilities -# -sub get_configuration( $ ) { - - my $export = $_[0]; - - $globals{EXPORT} = $export; - - our ( $once, @originalinc ); - - @originalinc = @INC unless $once++; 
- - ensure_config_path; - - process_shorewall_conf; - - ensure_config_path; - - @INC = @originalinc; - - unshift @INC, @config_path; - - default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'; - - default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz'; - - get_capabilities( $export ); - - $globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH}; - - if ( $config{LOGRATE} || $config{LOGBURST} ) { - if ( defined $config{LOGRATE} ) { - fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; - } - - if ( defined $config{LOGBURST} ) { - fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/; - } - - $globals{LOGLIMIT} = '-m limit '; - $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if defined $config{LOGRATE}; - $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if defined $config{LOGBURST}; - } else { - $globals{LOGLIMIT} = ''; - } - - check_trivalue ( 'IP_FORWARDING', 'on' ); - check_trivalue ( 'ROUTE_FILTER', '' ); - check_trivalue ( 'LOG_MARTIANS', 'on' ); - - default 'STARTUP_LOG' , ''; - - if ( $config{STARTUP_LOG} ne '' ) { - if ( defined $config{LOG_VERBOSITY} ) { - if ( $config{LOG_VERBOSITY} eq '' ) { - $config{LOG_VERBOSITY} = 2; - } else { - my $val = numeric_value( $config{LOG_VERBOSITY} ); - fatal_error "Invalid LOG_VERBOSITY ($config{LOG_VERBOSITY} )" unless defined( $val ) && ( $val >= -1 ) && ( $val <= 2 ); - $config{STARTUP_LOG} = '' if $config{LOG_VERBOSITY} < 0; - } - } else { - $config{LOG_VERBOSITY} = 2; - } - } else { - $config{LOG_VERBOSITY} = -1; - } - - default_yes_no 'ADD_IP_ALIASES' , 'Yes'; - default_yes_no 'ADD_SNAT_ALIASES' , ''; - default_yes_no 'DETECT_DNAT_IPADDRS' , ''; - default_yes_no 'DETECT_DNAT_IPADDRS' , ''; - default_yes_no 'CLEAR_TC' , 'Yes'; - - if ( defined $config{CLAMPMSS} ) { - default_yes_no 'CLAMPMSS' , '' unless $config{CLAMPMSS} =~ /^\d+$/; - } else { - $config{CLAMPMSS} = ''; - } - - unless ( 
$config{ADD_IP_ALIASES} || $config{ADD_SNAT_ALIASES} ) { - $config{RETAIN_ALIASES} = ''; - } else { - default_yes_no 'RETAIN_ALIASES' , ''; - } - - default_yes_no 'ADMINISABSENTMINDED' , ''; - default_yes_no 'BLACKLISTNEWONLY' , ''; - - if ( defined $config{IPV6} ) { - if ( $config{IPV6} =~ /on/i ) { - $config{IPV6} = 'On'; - } elsif ( $config{IPV6} =~ /off/i ) { - $config{IPV6} = 'Off'; - } elsif ( $config{IPV6} =~ /keep/i ) { - $config{IPV6} = ''; - } - } else { - $config{IPV6} = 'Off'; - } - - default_yes_no 'DISABLE_IPV6' , ''; - - fatal_error "Incompatible settings of IPV6 (On) and DISABLE_IPV6 (Yes)" if $config{IPV6} eq 'On' && $config{DISABLE_IPV6} eq 'Yes'; - - unsupported_yes_no 'DYNAMIC_ZONES'; - unsupported_yes_no 'BRIDGING'; - unsupported_yes_no 'SAVE_IPSETS'; - unsupported_yes_no 'MAPOLDACTIONS'; - - default_yes_no 'STARTUP_ENABLED' , 'Yes'; - default_yes_no 'DELAYBLACKLISTLOAD' , ''; - - warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall-perl ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD}; - - default_yes_no 'LOGTAGONLY' , ''; $globals{LOGTAGONLY} = $config{LOGTAGONLY}; - default_yes_no 'RFC1918_STRICT' , ''; - default_yes_no 'FASTACCEPT' , ''; - - fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY}; - - default_yes_no 'IMPLICIT_CONTINUE' , ''; - default_yes_no 'HIGH_ROUTE_MARKS' , ''; - default_yes_no 'TC_EXPERT' , ''; - default_yes_no 'USE_ACTIONS' , 'Yes'; - - warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . 
$globals{VERSION} unless $config{USE_ACTIONS}; - - default_yes_no 'EXPORTPARAMS' , ''; - default_yes_no 'EXPAND_POLICIES' , ''; - default_yes_no 'KEEP_RT_TABLES' , ''; - default_yes_no 'DELETE_THEN_ADD' , 'Yes'; - default_yes_no 'AUTO_COMMENT' , 'Yes'; - default_yes_no 'MULTICAST' , ''; - default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; - default_yes_no 'MANGLE_ENABLED' , 'Yes'; - default_yes_no 'NULL_ROUTE_RFC1918' , ''; - default_yes_no 'USE_DEFAULT_RT' , ''; - - $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; - - default 'BLACKLIST_DISPOSITION' , 'DROP'; - - default_log_level 'BLACKLIST_LOGLEVEL', ''; - default_log_level 'MACLIST_LOG_LEVEL', ''; - default_log_level 'TCP_FLAGS_LOG_LEVEL', ''; - default_log_level 'RFC1918_LOG_LEVEL', 6; - default_log_level 'SMURF_LOG_LEVEL', ''; - default_log_level 'LOGALLNEW', ''; - - my $val; - - $globals{MACLIST_TARGET} = 'reject'; - - if ( $val = $config{MACLIST_DISPOSITION} ) { - unless ( $val eq 'REJECT' ) { - if ( $val eq 'DROP' ) { - $globals{MACLIST_TARGET} = 'DROP'; - } elsif ( $val eq 'ACCEPT' ) { - $globals{MACLIST_TARGET} = 'RETURN'; - } else { - fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION" - } - } - } else { - $config{MACLIST_DISPOSITION} = 'REJECT'; - } - - if ( $val = $config{MACLIST_TABLE} ) { - if ( $val eq 'mangle' ) { - fatal_error 'MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} eq 'REJECT'; - } else { - fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; - } - } else { - default 'MACLIST_TABLE' , 'filter'; - } - - if ( $val = $config{TCP_FLAGS_DISPOSITION} ) { - fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(REJECT|ACCEPT|DROP)$/; - } else { - $config{TCP_FLAGS_DISPOSITION} = 'DROP'; - } - - default 'TC_ENABLED' , 'Internal'; - - $val = "\L$config{TC_ENABLED}"; - - if ( $val eq 'yes' ) { - 
my $file = find_file 'tcstart'; - fatal_error "Unable to find tcstart file" unless -f $file; - $globals{TC_SCRIPT} = $file; - } elsif ( $val eq 'internal' ) { - $config{TC_ENABLED} = 'Internal'; - } else { - fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no'; - $config{TC_ENABLED} = ''; - } - - fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED}; - - default 'RESTOREFILE' , 'restore'; - default 'IPSECFILE' , 'zones'; - default 'DROP_DEFAULT' , 'Drop'; - default 'REJECT_DEFAULT' , 'Reject'; - default 'QUEUE_DEFAULT' , 'none'; - default 'NFQUEUE_DEFAULT' , 'none'; - default 'ACCEPT_DEFAULT' , 'none'; - default 'OPTIMIZE' , 0; - - fatal_error 'IPSECFILE=ipsec is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones'; - - for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ { - $config{$default} = 'none' if "\L$config{$default}" eq 'none'; - } - - $val = $config{OPTIMIZE}; - - fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' ); - - fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones'; - - $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 
'tcfor' : 'tcpre'; - - if ( $val = $config{LOGFORMAT} ) { - my $result; - - eval { - if ( $val =~ /%d/ ) { - $globals{LOGRULENUMBERS} = 'Yes'; - $result = sprintf "$val", 'fooxx2barxx', 1, 'ACCEPT'; - } else { - $result = sprintf "$val", 'fooxx2barxx', 'ACCEPT'; - } - }; - - fatal_error "Invalid LOGFORMAT ($val)" if $@; - - fatal_error "LOGFORMAT string is longer than 29 characters ($val)" if length $result > 29; - - $globals{MAXZONENAMELENGTH} = int ( 5 + ( ( 29 - (length $result ) ) / 2) ); - } else { - $config{LOGFORMAT}='Shorewall:%s:%s:'; - $globals{MAXZONENAMELENGTH} = 5; - } - - if ( $config{LOCKFILE} ) { - my ( $file, $dir, $suffix ); - - eval { - ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} ); - }; - - die $@ if $@; - - fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir; - } else { - $config{LOCKFILE} = ''; - } -} - -# -# The values of the options in @propagateconfig are copied to the object file in OPTION= format. -# -sub propagateconfig() { - for my $option ( @propagateconfig ) { - my $value = $config{$option} || ''; - emit "$option=\"$value\""; - } - - for my $option ( @propagateenv ) { - my $value = $globals{$option} || ''; - emit "$option=\"$value\""; - } -} - -# -# Add a shell script file to the output script -- Return true if the -# file exists and is not in /usr/share/shorewall/. -# -sub append_file( $ ) { - my $user_exit = find_file $_[0]; - my $result = 0; - - unless ( $user_exit =~ /^($globals{SHAREDIR})/ ) { - if ( -f $user_exit ) { - $result = 1; - save_progress_message "Processing $user_exit ..."; - copy1 $user_exit; - } - } - - $result; -} - -# -# Run a Perl extension script -# -sub run_user_exit( $ ) { - my $chainref = $_[0]; - my $file = find_file $chainref->{name}; - - if ( -f $file ) { - progress_message "Processing $file..."; - - my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . 
`cat $file`; - - unless (my $return = eval $command ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } -} - -sub run_user_exit1( $ ) { - my $file = find_file $_[0]; - - if ( -f $file ) { - progress_message "Processing $file..."; - # - # File may be empty -- in which case eval would fail - # - push_open $file; - - if ( read_a_line1 ) { - close_file; - - my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`; - - unless (my $return = eval $command ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } else { - pop_open; - } - } -} - -sub run_user_exit2( $$ ) { - my ($file, $chainref) = ( find_file $_[0], $_[1] ); - - if ( -f $file ) { - progress_message "Processing $file..."; - # - # File may be empty -- in which case eval would fail - # - push_open $file; - - if ( read_a_line1 ) { - close_file; - - unless (my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" 
if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } - - pop_open; - - } -} - -# -# Generate the aux config file for Shorewall Lite -# -sub generate_aux_config() { - sub conditionally_add_option( $ ) { - my $option = $_[0]; - - my $value = $config{$option}; - - emit "[ -n \"\${$option:=$value}\" ]" if $value ne ''; - } - - sub conditionally_add_option1( $ ) { - my $option = $_[0]; - - my $value = $config{$option}; - - emit "$option=\"$value\"" if $value; - } - - create_temp_aux_config; - - my $date = localtime; - - emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { - conditionally_add_option $option; - } - - conditionally_add_option1 'TC_ENABLED'; - - finalize_aux_config; - -} - -END { - # - # Close files first in case we're running under Cygwin - # - close $object if $object; - close $scriptfile if $scriptfile; - close $log if $log; - # - # Unlink temporary files - # - unlink $tempfile if $tempfile; - unlink $scriptfilename if $scriptfilename; - unlink $_ for @tempfiles; -} - -1; diff --git a/Shorewall-perl-maybe/Shorewall/IPAddrs.pm b/Shorewall-perl-maybe/Shorewall/IPAddrs.pm deleted file mode 100644 index 8110eccdc..000000000 --- a/Shorewall-perl-maybe/Shorewall/IPAddrs.pm +++ /dev/null 
@@ -1,639 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/IPAddrs.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module provides interfaces for dealing with IPv4 addresses, protocol names, and
-# port names. It also exports functions for validating protocol- and port- (service)
-# related constructs.
-# -package Shorewall::IPAddrs; -require Exporter; -use Socket6; -use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8); - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( ALLIPv4 - ALLIPv6 - ALLIP - ALL - TCP - UDP - ICMP - IPv6_ICMP - SCTP - - F_INET - F_INET6 - - validate_address - validate_net - decompose_net - validate_host - validate_range - ip_range_explicit - expand_port_range - allipv4 - allipv6 - allip - rfc1918_networks - resolve_proto - proto_name - use_ipv4_addrs - use_ipv6_addrs - using_ipv4_addrs - using_ipv6_addrs - validate_port - validate_portpair - validate_port_list - validate_icmp - ); -our @EXPORT_OK = qw( ); -our $VERSION = 4.3.0; - -# -# Some IPv4/6 useful stuff -# -our @allipv4 = ( '0.0.0.0/0' ); -our @allipv6 = ( '::/0' ); -our $family; - -use constant { ALLIPv4 => '0.0.0.0/0' , - ALLIPv6 => '::/0' , - F_INET => 1, - F_INET6 => 2, - ICMP => 1, - TCP => 6, - UDP => 17, - ICMPv6_ICMP => 58, - SCTP => 132 }; - -our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); - -sub use_ipv4_addrs() { - $family = F_INET; -} - -sub using_ipv4() { - $family == F_INET; -} - -sub use_ipv6_addrs() { - $family = F_INET6; -} - -sub using_ipv6() { - $family == F_INET6; -} - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. 
-#
-
-sub initialize() {
- use_ipv4_addrs;
-}
-
-INIT {
- initialize;
-}
-
-sub vlsm_to_mask( $ ) {
- my $vlsm = $_[0];
-
- in_hex8 ( ( 0xFFFFFFFF << ( 32 - $vlsm ) ) && 0xFFFFFFFF );
-}
-
-sub valid_4address( $ ) {
- my $address = $_[0];
-
- my @address = split /\./, $address;
- return 0 unless @address == 4;
- for my $a ( @address ) {
- return 0 unless $a =~ /^\d+$/ && $a < 256;
- }
-
- 1;
-}
-
-sub validate_4address( $$ ) {
- my ( $addr, $allow_name ) = @_;
-
- my @addrs = ( $addr );
-
- unless ( valid_4address $addr ) {
- fatal_error "Invalid IP Address ($addr)" unless $allow_name;
- fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname $addr);
-
- if ( defined wantarray ) {
- shift @addrs for (1..4);
- for ( @addrs ) {
- $_ = inet_htoa $_;
- }
- }
- }
-
- defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
-}
-
-sub decodeaddr( $ ) {
- my $address = $_[0];
-
- my @address = split /\./, $address;
-
- my $result = shift @address;
-
- for my $a ( @address ) {
- $result = ( $result << 8 ) | $a;
- }
-
- $result;
-}
-
-sub encodeaddr( $ ) {
- my $addr = $_[0];
- my $result = $addr & 0xff;
-
- for my $i ( 1..3 ) {
- my $a = ($addr = $addr >> 8) & 0xff;
- $result = "$a.$result";
- }
-
- $result;
-}
-
-sub validate_4net( $$ ) {
- my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
- my $allow_name = $_[1];
-
- $net = '' unless defined $net;
-
- fatal_error "Missing address" if $net eq '';
- fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
-
- if ( defined $vlsm ) {
- fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
- fatal_error "Invalid Network address ($_[0])" if defined $rest;
- fatal_error "Invalid IP address ($net)" unless valid_4address $net;
- } else {
- fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! 
defined $net; - validate_4address $net, $_[1]; - $vlsm = 32; - } - - if ( defined wantarray ) { - fatal_error "Internal Error in validate_net()" if $allow_name; - if ( wantarray ) { - ( decodeaddr( $net ) , $vlsm ); - } else { - "$net/$vlsm"; - } - } -} - -sub validate_4range( $$ ) { - my ( $low, $high ) = @_; - - validate_4address $low, 0; - validate_4address $high, 0; - - my $first = decodeaddr $low; - my $last = decodeaddr $high; - - fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last; -} - -sub validate_4host( $$ ) { - my ( $host, $allow_name ) = $_[0]; - - if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) { - validate_4ange $1, $2; - } else { - validate_4net( $host, $allow_name ); - } -} - -sub ip_range_explicit( $ ) { - my $range = $_[0]; - my @result; - - my ( $low, $high ) = split /-/, $range; - - validate_address $low, 0; - - push @result, $low; - - if ( defined $high ) { - validate_faddress $high, 0; - - my $first = decodeaddr $low; - my $last = decodeaddr $high; - my $diff = $last - $first; - - fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256; - - while ( ++$first <= $last ) { - push @result, encodeaddr( $first ); - } - } - - @result; -} - -sub decompose_net( $ ) { - my $net = $_[0]; - - return ( qw/0x00000000 0x00000000/ ) if $net eq '-'; - - ( $net, my $vlsm ) = validate_net( $net , 0 ); - - ( in_hex8( $net ) , vlsm_to_mask( $vlsm ) ); - -} - -sub allipv4() { - @allipv4; -} - -sub allipv6() { - @allipv6; -} - -sub rfc1918_networks() { - @rfc1918_networks -} - -# -# Protocol/port validation -# - -our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 ); -our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' ); - -# -# Returns the protocol number if the passed argument is a valid protocol number or name. 
Returns undef otherwise -# -sub resolve_proto( $ ) { - my $proto = $_[0]; - my $number; - - $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto; -} - -sub proto_name( $ ) { - my $proto = $_[0]; - - $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto -} - -sub validate_port( $$ ) { - my ($proto, $port) = @_; - - my $value; - - if ( $port =~ /^(\d+)$/ ) { - return $port if $port <= 65535; - } else { - $proto = proto_name $proto if $proto =~ /^(\d+)$/; - $value = getservbyname( $port, $proto ); - } - - fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value; - - $value; -} - -sub validate_portpair( $$ ) { - my ($proto, $portpair) = @_; - - fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; - - $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':'; - $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':'; - - my @ports = split /:/, $portpair, 2; - - $_ = validate_port( $proto, $_) for ( @ports ); - - if ( @ports == 2 ) { - fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; - } - - join ':', @ports; - -} - -sub validate_port_list( $$ ) { - my $result = ''; - my ( $proto, $list ) = @_; - my @list = split_list( $list, 'port' ); - - if ( @list > 1 && $list =~ /:/ ) { - require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' ); - } - - $proto = proto_name $proto; - - for ( @list ) { - my $value = validate_portpair( $proto , $_ ); - $result = $result ? 
join ',', $result, $value : $value; - } - - $result; -} - -my %icmp_types = ( any => 'any', - 'echo-reply' => 0, - 'destination-unreachable' => 3, - 'network-unreachable' => '3/0', - 'host-unreachable' => '3/1', - 'protocol-unreachable' => '3/2', - 'port-unreachable' => '3/3', - 'fragmentation-needed' => '3/4', - 'source-route-failed' => '3/5', - 'network-unknown' => '3/6', - 'host-unknown' => '3/7', - 'network-prohibited' => '3/9', - 'host-prohibited' => '3/10', - 'TOS-network-unreachable' => '3/11', - 'TOS-host-unreachable' => '3/12', - 'communication-prohibited' => '3/13', - 'host-precedence-violation' => '3/14', - 'precedence-cutoff' => '3/15', - 'source-quench' => 4, - 'redirect' => 5, - 'network-redirect' => '5/0', - 'host-redirect' => '5/1', - 'TOS-network-redirect' => '5/2', - 'TOS-host-redirect' => '5/3', - 'echo-request' => '8', - 'router-advertisement' => 9, - 'router-solicitation' => 10, - 'time-exceeded' => 11, - 'ttl-zero-during-transit' => '11/0', - 'ttl-zero-during-reassembly' => '11/1', - 'parameter-problem' => 12, - 'ip-header-bad' => '12/0', - 'required-option-missing' => '12/1', - 'timestamp-request' => 13, - 'timestamp-reply' => 14, - 'address-mask-request' => 17, - 'address-mask-reply' => 18 ); - -sub validate_icmp( $ ) { - fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_INET; - - my $type = $_[0]; - - my $value = $icmp_types{$type}; - - return $value if defined $value; - - if ( $type =~ /^(\d+)(\/(\d+))?$/ ) { - return $type if $1 < 256 && ( ! $2 || $3 < 256 ); - } - - fatal_error "Invalid ICMP Type ($type)" -} - -# -# Expands a port range into a minimal list of ( port, mask ) pairs. -# Each port and mask are expressed as 4 hex nibbles without a leading '0x'. 
-# -# Example: -# -# DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n" -# 006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000 -# -sub expand_port_range( $$ ) { - my ( $proto, $range ) = @_; - - if ( $range =~ /^(.*):(.*)$/ ) { - my ( $first, $last ) = ( $1, $2); - my @result; - - fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne ''; - # - # Supply missing first/last port number - # - $first = 0 if $first eq ''; - $last = 65535 if $last eq ''; - # - # Validate the ports - # - ( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) ); - - $last++; #Increment last address for limit testing. - # - # Break the range into groups: - # - # - If the first port in the remaining range is odd, then the next group is ( , ffff ). - # - Otherwise, find the largest power of two P that divides the first address such that - # the remaining range has less than or equal to P ports. The next group is - # ( , ~( P-1 ) ). - # - while ( ( my $ports = ( $last - $first ) ) > 0 ) { - my $mask = 0xffff; #Mask for current ports in group. - my $y = 2; #Next power of two to test - my $z = 1; #Number of ports in current group (Previous value of $y). - - while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) { - $mask <<= 1; - $z = $y; - $y <<= 1; - } - # - # - push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff ); - $first += $z; - } - - fatal_error "Invalid port range ($range)" unless @result; # first port > last port - - @result; - - } else { - ( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' ); - } -} - -sub valid_6address( $ ) { - my $address = $_[0]; - - my @address = split /:/, $address; - - return 0 if @address > 8; - return 0 if @address < 8 && ! 
$address =~ /::/; - return 0 if $address =~ /:::/ || $address =~ /::.*::/; - - if ( $address =~ /^:/ ) { - unless ( $address eq '::' ) { - return 0 if $address =~ /:$/ || $address =~ /^:.*::/; - } - } elsif ( $address =~ /:$/ ) { - return 0 if $address =~ /::.*:$/; - } - - for my $a ( @address ) { - return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 ); - } - - 1; -} - -sub validate_6address( $$ ) { - my ( $addr, $allow_name ) = @_; - - my @addrs = ( $addr ); - - unless ( valid_6address $addr ) { - fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; - fatal_error "Unknown Host ($addr)" unless (@addrs = gethostbyname2 $addr, AF_INET6); - - if ( defined wantarray ) { - shift @addrs for (1..4); - for ( @addrs ) { - $_ = inet_ntop AF_INET6, $_; - } - } - } - - defined wantarray ? wantarray ? @addrs : $addrs[0] : undef; -} - -sub validate_6net( $$ ) { - my ($net, $vlsm, $rest) = split( '/', $_[0], 3 ); - my $allow_name = $_[1]; - - fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+'; - - if ( defined $vlsm ) { - fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 64; - fatal_error "Invalid Network address ($_[0])" if defined $rest; - fatal_error "Invalid IPv6 address ($net)" unless valid_6address $net; - } else { - fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! 
defined $net; - validate_6address $net, $allow_name; - } -} - -sub validate_6range( $$ ) { - my ( $low, $high ) = @_; - - validate_6address $low, 0; - validate_6address $high, 0; - - my @low = split ":", $low; - my @high = split ":", $high; - - if ( @low == @high ) { - my ( $l, $h) = ( pop @low, pop @high ); - - return 1 if hex "0x$l" <= hex "0x$h" && join( ":", @low ) eq join( ":", @high ); - } - - fatal_error "Invalid IPv6 Range ($low-$high)"; -} - -sub validate_6host( $$ ) { - my ( $host, $allow_name ) = $_[0]; - - if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) { - validate_6range $1, $2; - } else { - validate_6net( $host, $allow_name ); - } -} - -my %ipv6_icmp_types = ( any => 'any', - 'destination-unreachable' => 1, - 'no-route' => '1/0', - 'communication-prohibited' => '1/1', - 'address-unreachable' => '1/2', - 'port-unreachable' => '1/3', - 'packet-too-big' => 2, - 'time-exceeded' => 3, - 'ttl-exceeded' => 3, - 'ttl-zero-during-transit' => '3/0', - 'ttl-zero-during-reassembly' => '3/1', - 'parameter-problem' => 4, - 'bad-header' => '4/0', - 'unknown-header-type' => '4/1', - 'unknown-option' => '4/2', - 'echo-request' => 128, - 'echo-reply' => 129, - 'router-solicitation' => 133, - 'router-advertisement' => 134, - 'neighbour-solicitation' => 135, - 'neighbour-advertisement' => 136, - redirect => 137 ); - - -sub validate_icmp6( $ ) { - fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_INET6; - my $type = $_[0]; - - my $value = $ipv6_icmp_types{$type}; - - return $value if defined $value; - - if ( $type =~ /^(\d+)(\/(\d+))?$/ ) { - return $type if $1 < 256 && ( ! $2 || $3 < 256 ); - } - - fatal_error "Invalid IPv6 ICMP Type ($type)" -} - -sub ALLIP() { - $family == F_INET ? ALLIPv4 : ALLIPv6; -} - -sub allip() { - $family == F_INET ? ALLIPv4 : ALLIPv6; -} - -sub valid_address ( $ ) { - $family == F_INET ? valid_4address( $_[0] ) : valid_6address( $_[0] ); -} - -sub validate_address ( $$ ) { - $family == F_INET ? 
validate_4address( $_[0], $_[1] ) : validate_6address( $_[0], $_[1] ); -} - -sub validate_net ( $$ ) { - $family == F_INET ? validate_4net( $_[0], $_[1] ) : validate_6net( $_[0], $_[1] ); -} - -sub validate_range ($$ ) { - $family == F_INET ? validate_4range( $_[0], $_[1] ) : validate_6range( $_[0], $_[1] ); -} - -sub validate_host ($$ ) { - $family == F_INET ? validate_4host( $_[0], $_[1] ) : validate_6host( $_[0], $_[1] ); -} - -1; diff --git a/Shorewall-perl-maybe/Shorewall/Nat.pm b/Shorewall-perl-maybe/Shorewall/Nat.pm deleted file mode 100644 index c5f27c3cd..000000000 --- a/Shorewall-perl-maybe/Shorewall/Nat.pm +++ /dev/null 
@@ -1,518 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Nat.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains code for dealing with the /etc/shorewall/masq,
-# /etc/shorewall/nat and /etc/shorewall/netmap files.
-#
-package Shorewall::Nat;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Zones;
-use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
-use Shorewall::Providers qw( lookup_provider );
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our @EXPORT_OK = ();
-our $VERSION = 4.1.5;
-
-our @addresses_to_add;
-our %addresses_to_add;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-
-sub initialize() {
- @addresses_to_add = ();
- %addresses_to_add = ();
-}
-
-INIT {
- initialize;
-}
-
-#
-# Handle IPSEC Options in a masq record
-#
-sub do_ipsec_options($)
-{
- my %validoptions = ( strict => NOTHING,
- next => NOTHING,
- reqid => NUMERIC,
- spi => NUMERIC,
- proto => IPSECPROTO,
- mode => IPSECMODE,
- "tunnel-src" => NETWORK,
- "tunnel-dst" => NETWORK,
- );
- my $list=$_[0];
- my $options = '-m policy --pol ipsec --dir out ';
- my $fmt;
-
- for my $e ( split_list $list, 'option' ) {
- my $val = undef;
- my $invert = '';
-
- if ( $e =~ /([\w-]+)!=(.+)/ ) {
- $val = $2;
- $e = $1;
- $invert = '! ';
- } elsif ( $e =~ /([\w-]+)=(.+)/ ) {
- $val = $2;
- $e = $1;
- }
-
- $fmt = $validoptions{$e};
-
- fatal_error "Invalid Option ($e)" unless $fmt;
-
- if ( $fmt eq NOTHING ) {
- fatal_error "Option \"$e\" does not take a value" if defined $val;
- } else {
- fatal_error "Missing value for option \"$e\"" unless defined $val;
- fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
- }
-
- $options .= $invert;
- $options .= "--$e ";
- $options .= "$val " if defined $val;
- }
-
- $options;
-}
-
-#
-# Process a single rule from the the masq file
-#
-sub setup_one_masq($$$$$$$)
-{
- my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark) = @_;
-
- my $pre_nat;
- my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
- my $destnets = '';
- my $baserule = '';
-
- #
- # Leading '+'
- #
- $pre_nat = 1 if $interfacelist =~ s/^\+//;
- #
- # Parse the remaining part of the INTERFACE column
- #
- if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
- $add_snat_aliases = 0;
- $destnets = $2;
- $interfacelist = $1;
- } elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
- $destnets = $2;
- $interfacelist = $1;
- } elsif ( $interfacelist =~ /^([^:]+):$/ ) {
- $add_snat_aliases = 0;
- $interfacelist = $1;
- } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
- my ( $one, $two ) = ( $1, $2 );
- if ( $2 =~ /\./ ) {
- $interfacelist = $one;
- $destnets = $two;
- }
- }
- #
- # If there is no source or destination then allow all addresses
- #
- $networks = ALLIPv4 if $networks eq '-';
- $destnets = ALLIPv4 if $destnets eq '-';
-
- #
- # Handle IPSEC options, if any
- #
- if ( $ipsec ne '-' ) {
- fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
-
- if ( $ipsec =~ /^yes$/i ) {
- $baserule .= '-m policy --pol ipsec --dir out ';
- } elsif ( $ipsec =~ /^no$/i ) {
- $baserule .= '-m policy --pol none --dir out ';
- } else {
- $baserule .= do_ipsec_options $ipsec;
- }
- } elsif ( $capabilities{POLICY_MATCH} ) {
- $baserule .= '-m policy --pol none --dir out ';
- }
-
- #
- # Handle Protocol and Ports
- #
- $baserule .= do_proto $proto, $ports, '';
-
- #
- # Handle Mark
- #
- $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-
- for my $fullinterface (split_list $interfacelist, 'interface' ) {
- my $rule = '';
- my $target = '-j MASQUERADE ';
- #
- # Isolate and verify the interface part
- #
- ( my $interface = $fullinterface ) =~ s/:.*//;
-
- if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
- $interface = $1;
- my $provider = $2;
- $fullinterface =~ s/[(]\w*[)]//;
- my $realm = lookup_provider( $provider ) unless $provider =~ /^\d+$/;
-
- fatal_error "$provider is not a shared-interface provider" unless $realm;
-
- $rule .= "-m realm --realm $realm ";
- }
-
- fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-
- unless ( $interfaceref->{root} ) {
- $rule .= "-o $interface ";
- $interface = $interfaceref->{name};
- }
-
- my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
-
- my $detectaddress = 0;
- my $exceptionrule = '';
- my $randomize = '';
- #
- # Parse the ADDRESSES column
- #
- if ( $addresses ne '-' ) {
- if ( $addresses eq 'random' ) {
- $randomize = '--random ';
- } else {
- $addresses =~ s/:random$// and $randomize = '--random ';
-
- if ( $addresses =~ /^SAME:nodst:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME --nodst ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses =~ /^SAME:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses eq 'detect' ) {
- my $variable = get_interface_address $interface;
- $target = "-j SNAT --to-source $variable";
-
- if ( interface_is_optional $interface ) {
- add_commands( $chainref,
- '',
- "if [ \"$variable\" != 0.0.0.0 ]; then" );
- incr_cmd_level( $chainref );
- $detectaddress = 1;
- }
- } elsif ( $addresses eq 'NONAT' ) {
- $target = '-j RETURN';
- $add_snat_aliases = 0;
- } else {
- my $addrlist = '';
- for my $addr ( split_list $addresses , 'address' ) {
- if ( $addr =~ /^.*\..*\..*\./ ) {
- $target = '-j SNAT ';
- $addrlist .= "--to-source $addr ";
- $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
- } else {
- $addr =~ s/^://;
- $addrlist .= "--to-ports $addr ";
- $exceptionrule = do_proto( $proto, '', '' );
- }
- }
-
- $target .= $addrlist;
- }
- }
-
- $target .= $randomize;
- } else {
- $add_snat_aliases = 0;
- }
- #
- # And Generate the Rule(s)
- #
- expand_rule( $chainref ,
- POSTROUTE_RESTRICT ,
- $baserule . $rule ,
- $networks ,
- $destnets ,
- '' ,
- '' ,
- $target ,
- '' ,
- '' ,
- $exceptionrule );
-
- if ( $detectaddress ) {
- decr_cmd_level( $chainref );
- add_command( $chainref , 'fi' );
- }
-
- if ( $add_snat_aliases ) {
- my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
- fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
- for my $address ( split_list $addresses, 'address' ) {
- my ( $addrs, $port ) = split /:/, $address;
- next unless $addrs;
- next if $addrs eq 'detect';
- for my $addr ( ip_range_explicit $addrs ) {
- unless ( $addresses_to_add{$addr} ) {
- emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
- $addresses_to_add{$addr} = 1;
- if ( defined $alias ) {
- push @addresses_to_add, $addr, "$interface:$alias";
- $alias++;
- } else {
- push @addresses_to_add, $addr, $interface;
- }
- }
- }
- }
- }
- }
-
- progress_message " Masq record \"$currentline\" $done";
-
-}
-
-#
-# Process the masq file
-#
-sub setup_masq()
-{
- my $fn = open_file 'masq';
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
-
- while ( read_a_line ) {
-
- my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
-
- if ( $fullinterface eq 'COMMENT' ) {
- process_comment;
- } else {
- setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark;
- }
- }
-
- clear_comment;
-
-}
-
-#
-# Validate the ALL INTERFACES or LOCAL column in the NAT file
-#
-sub validate_nat_column( $$ ) {
- my $ref = $_[1];
- my $val = $$ref;
-
- if ( defined $val ) {
- unless ( ( $val = "\L$val" ) eq 'yes' ) {
- if ( ( $val eq 'no' ) || ( $val eq '-' ) ) {
- $$ref = '';
- } else {
- fatal_error "Invalid value ($val) for $_[0]";
- }
- }
- } else {
- $$ref = '';
- }
-}
-
-#
-# Process a record from the NAT file
-#
-sub do_one_nat( $$$$$ )
-{
- my ( $external, $fullinterface, $internal, $allints, $localnat ) = @_;
-
- my ( $interface, $alias, $remainder ) = split( /:/, $fullinterface, 3 );
-
- fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-
- sub add_nat_rule( $$ ) {
- add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
- }
-
- my $add_ip_aliases = $config{ADD_IP_ALIASES};
-
- my $policyin = '';
- my $policyout = '';
- my $rulein = '';
- my $ruleout = '';
-
- fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-
- unless ( $interfaceref->{root} ) {
- $rulein = "-i $interface ";
- $ruleout = "-o $interface ";
- $interface = $interfaceref->{name};
- }
-
- if ( $capabilities{POLICY_MATCH} ) {
- $policyin = ' -m policy --pol none --dir in';
- $policyout = '-m policy --pol none --dir out';
- }
-
- fatal_error "Invalid nat file entry" unless defined $interface && defined $internal;
-
- if ( $add_ip_aliases ) {
- if ( defined( $alias ) && $alias eq '' ) {
- $add_ip_aliases = '';
- } else {
- emit "del_ip_addr $external $interface" unless $config{RETAIN_ALIASES};
- }
- }
-
- validate_nat_column 'ALL INTERFACES', \$allints;
- validate_nat_column 'LOCAL' , \$localnat;
-
- if ( $allints ) {
- add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
- add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
- } else {
- add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
- add_nat_rule output_chain( $interface ) , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
- }
-
- add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat;
-
- if ( $add_ip_aliases ) {
- unless ( $addresses_to_add{$external} ) {
- $addresses_to_add{$external} = 1;
- push @addresses_to_add, ( $external , $fullinterface );
- }
- }
-
-}
-
-#
-# Process NAT file
-#
-sub setup_nat() {
-
- my $fn = open_file 'nat';
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
-
- while ( read_a_line ) {
-
- my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
-
- if ( $external eq 'COMMENT' ) {
- process_comment;
- } else {
- ( $interfacelist, my $digit ) = split /:/, $interfacelist;
-
- $digit = defined $digit ? ":$digit" : '';
-
- for my $interface ( split_list $interfacelist , 'interface' ) {
- fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
- do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
- }
-
- progress_message " NAT entry \"$currentline\" $done";
- }
-
- }
-
- clear_comment;
-}
-
-#
-# Setup Network Mapping
-#
-sub setup_netmap() {
-
- my $fn = open_file 'netmap';
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
-
- while ( read_a_line ) {
-
- my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
-
- for my $interface ( split_list $interfacelist, 'interface' ) {
-
- my $rulein = '';
- my $ruleout = '';
- my $iface = $interface;
-
- fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
-
- unless ( $interfaceref->{root} ) {
- $rulein = "-i $interface ";
- $ruleout = "-o $interface ";
- $interface = $interfaceref->{name};
- }
-
- if ( $type eq 'DNAT' ) {
- add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
- } elsif ( $type eq 'SNAT' ) {
- add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
- } else {
- fatal_error "Invalid type ($type)";
- }
-
- progress_message " Network $net1 on $iface mapped to $net2 ($type)";
- }
- }
-
-}
-
-sub add_addresses () {
- if ( @addresses_to_add ) {
- my $arg = '';
-
- while ( @addresses_to_add ) {
- my $addr = shift @addresses_to_add;
- my $interface = shift @addresses_to_add;
- $arg = "$arg $addr $interface";
- }
-
- emit "add_ip_aliases $arg";
- }
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Policy.pm b/Shorewall-perl-maybe/Shorewall/Policy.pm
deleted file mode 100644
index 9cfefef0f..000000000
--- a/Shorewall-perl-maybe/Shorewall/Policy.pm
+++ /dev/null
@@ -1,497 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Policy.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module deals with the /etc/shorewall/policy file.
-#
-package Shorewall::Policy;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::Chains qw( :DEFAULT :internal) ;
-use Shorewall::Actions;
-use Shorewall::IPAddrs;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( use_ipv4_policies use_ipv6_policies validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
-our @EXPORT_OK = qw( );
-our $VERSION = 4.1.1;
-
-# @policy_chains is a list of references to policy chains in the filter table
-
-my @policy_chains4;
-my @policy_chains6;
-my $policy_chains;
-my $policy_family;
-
-sub use_ipv4_policies() {
- $policy_chains = \@policy_chains4;
- $policy_family = F_INET;
-}
-
-sub use_ipv6_policies() {
- $policy_chains = \@policy_chains6;
- $policy_family = F_INET6;
-}
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function.
-#
-
-sub initialize() {
- @policy_chains4 = ();
- @policy_chains6 = ();
- use_ipv4_policies;
-}
-
-INIT {
- initialize;
-}
-
-#
-# Convert a chain into a policy chain.
-#
-sub convert_to_policy_chain($$$$$)
-{
- my ($chainref, $source, $dest, $policy, $optional ) = @_;
-
- $chainref->{is_policy} = 1;
- $chainref->{policy} = $policy;
- $chainref->{is_optional} = $optional;
- $chainref->{policychain} = $chainref->{name};
- $chainref->{policypair} = [ $source, $dest ];
-}
-
-#
-# Create a new policy chain and return a reference to it.
-#
-sub new_policy_chain($$$$)
-{
- my ($source, $dest, $policy, $optional) = @_;
-
- my $chainref = new_chain( 'filter', "${source}2${dest}" );
-
- convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
-
- $chainref;
-}
-
-#
-# Set the passed chain's policychain and policy to the passed values.
-#
-sub set_policy_chain($$$$$)
-{
- my ($source, $dest, $chain1, $chainref, $policy ) = @_;
-
- my $chainref1 = $filter_table->{$chain1};
-
- $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
-
- unless ( $chainref1->{policychain} ) {
- if ( $config{EXPAND_POLICIES} ) {
- #
- # We convert the canonical chain into a policy chain, using the settings of the
- # passed policy chain.
- #
- $chainref1->{policychain} = $chain1;
- $chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
-
- if ( defined $chainref->{synparams} ) {
- $chainref1->{synparams} = $chainref->{synparams};
- $chainref1->{synchain} = $chainref->{synchain};
- }
-
- $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
- $chainref1->{is_policy} = 1;
- push @{$policy_chains}, $chainref1;
- } else {
- $chainref1->{policychain} = $chainref->{name};
- }
-
- $chainref1->{policy} = $policy;
- $chainref1->{policypair} = [ $source, $dest ];
- }
-}
-
-#
-# Process the policy file
-#
-use constant { OPTIONAL => 1 };
-
-sub add_or_modify_policy_chain( $$ ) {
- my ( $zone, $zone1 ) = @_;
- my $chain = "${zone}2${zone1}";
- my $chainref = $filter_table->{$chain};
-
- if ( $chainref ) {
- unless( $chainref->{is_policy} ) {
- convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
- push @{$policy_chains}, $chainref;
- }
- } else {
- push @{$policy_chains}, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
- }
-}
-
-sub print_policy($$$$) {
- my ( $source, $dest, $policy , $chain ) = @_;
- unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
- if ( $policy eq 'CONTINUE' ) {
- my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
- warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
- }
- progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
- }
-}
-
-sub validate_policy()
-{
- my %validpolicies = (
- ACCEPT => undef,
- REJECT => undef,
- DROP => undef,
- CONTINUE => undef,
- QUEUE => undef,
- NFQUEUE => undef,
- NONE => undef
- );
-
- my %map = ( DROP_DEFAULT => 'DROP' ,
- REJECT_DEFAULT => 'REJECT' ,
- ACCEPT_DEFAULT => 'ACCEPT' ,
- QUEUE_DEFAULT => 'QUEUE' ,
- NFQUEUE_DEFAULT => 'NFQUEUE' );
-
- my $zone;
- my @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
-
- for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
- my $action = $config{$option};
- next if $action eq 'none';
- my $actiontype = $targets->{$action};
-
- if ( defined $actiontype ) {
- fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
- } else {
- fatal_error "Default Action $option=$action not found";
- }
-
- unless ( $usedactions->{$action} ) {
- $usedactions->{$action} = 1;
- createactionchain $action;
- }
-
- $default_actions->{$map{$option}} = $action;
- }
-
- for $zone ( all_zones ) {
- push @{$policy_chains}, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
-
- if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
- for my $zone1 ( all_zones ) {
- unless( $zone eq $zone1 ) {
- add_or_modify_policy_chain( $zone, $zone1 );
- add_or_modify_policy_chain( $zone1, $zone );
- }
- }
- }
- }
-
- my $fn = open_file( $policy_family == F_INET ? 'policy' : '6policy');
-
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
-
- $loglevel = '' if $loglevel eq '-';
- $synparams = '' if $synparams eq '-';
- $connlimit = '' if $connlimit eq '-';
-
- my $clientwild = ( "\L$client" eq 'all' );
-
- fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
-
- my $serverwild = ( "\L$server" eq 'all' );
-
- fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
-
- my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
-
- fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
-
- fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
-
- ( $policy , my $queue ) = get_target_param $policy;
-
- if ( $default ) {
- if ( "\L$default" eq 'none' ) {
- $default = 'none';
- } else {
- my $defaulttype = $targets->{$default} || 0;
-
- if ( $defaulttype & ACTION ) {
- unless ( $usedactions->{$default} ) {
- $usedactions->{$default} = 1;
- createactionchain $default;
- }
- } else {
- fatal_error "Unknown Default Action ($default)";
- }
- }
- } else {
- $default = $default_actions->{$policy} || '';
- }
-
- fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
-
- if ( defined $queue ) {
- fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
- require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
- my $queuenum = numeric_value( $queue );
- fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
- $policy = "NFQUEUE --queue-num $queuenum";
- } elsif ( $policy eq 'NONE' ) {
- fatal_error "NONE policy not allowed with \"all\""
- if $clientwild || $serverwild;
- fatal_error "NONE policy not allowed to/from firewall zone"
- if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' );
- }
-
- unless ( $clientwild || $serverwild ) {
- if ( zone_type( $server ) eq 'bport4' ) {
- fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
- unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
- }
- }
-
- my $chain = "${client}2${server}";
- my $chainref;
-
- if ( defined $filter_table->{$chain} ) {
- $chainref = $filter_table->{$chain};
-
- if ( $chainref->{is_policy} ) {
- if ( $chainref->{is_optional} ) {
- $chainref->{is_optional} = 0;
- $chainref->{policy} = $policy;
- } else {
- fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
- }
- } elsif ( $chainref->{policy} ) {
- fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
- } else {
- convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
- push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
- }
- } else {
- $chainref = new_policy_chain $client, $server, $policy, 0;
- push @{$policy_chains}, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
- }
-
- $chainref->{loglevel} = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
-
- if ( $synparams ne '' || $connlimit ne '' ) {
- my $value = '';
- fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
- $value = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
- $value .= do_connlimit $connlimit if $connlimit ne '';
- $chainref->{synparams} = $value;
- $chainref->{synchain} = $chain
- }
-
- $chainref->{default} = $default if $default;
-
- if ( $clientwild ) {
- if ( $serverwild ) {
- for my $zone ( @zonelist ) {
- for my $zone1 ( @zonelist ) {
- set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
- print_policy $zone, $zone1, $policy, $chain;
- }
- }
- } else {
- for my $zone ( all_zones ) {
- set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
- print_policy $zone, $server, $policy, $chain;
- }
- }
- } elsif ( $serverwild ) {
- for my $zone ( @zonelist ) {
- set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
- print_policy $client, $zone, $policy, $chain;
- }
-
- } else {
- print_policy $client, $server, $policy, $chain;
- }
- }
-
- for $zone ( all_zones ) {
- for my $zone1 ( all_zones ) {
- fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
- }
- }
-}
-
-#
-# Policy Rule application
-#
-sub policy_rules( $$$$$ ) {
- my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
-
- unless ( $target eq 'NONE' ) {
- add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
- add_rule $chainref, "-j $default" if $default && $default ne 'none';
- log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
- fatal_error "Null target in policy_rules()" unless $target;
- $target = 'reject' if $target eq 'REJECT';
-
- add_jump( $chainref , $target, 1 ) unless $target eq 'CONTINUE';
- }
-}
-
-sub report_syn_flood_protection() {
- progress_message ' Enabled SYN flood protection';
-}
-
-sub default_policy( $$$ ) {
- my $chainref = $_[0];
- my $policyref = $filter_table->{$chainref->{policychain}};
- my $synparams = $policyref->{synparams};
- my $default = $policyref->{default};
- my $policy = $policyref->{policy};
- my $loglevel = $policyref->{loglevel};
-
- fatal_error "Internal error in default_policy()" unless $policyref;
-
- if ( $chainref eq $policyref ) {
- policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- } else {
- if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
- if ( $synparams ) {
- report_syn_flood_protection;
- policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- add_jump $chainref, $policyref, 1;
- $chainref = $policyref;
- }
- } elsif ( $policy eq 'CONTINUE' ) {
- report_syn_flood_protection if $synparams;
- policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
- } else {
- report_syn_flood_protection if $synparams;
- add_jump $chainref , $policyref, 1;
- $chainref = $policyref;
- }
- }
-
- progress_message " Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
-
-}
-
-sub apply_policy_rules() {
- progress_message2 'Applying Policies...';
-
- for my $chainref ( @{$policy_chains} ) {
- my $policy = $chainref->{policy};
- my $loglevel = $chainref->{loglevel};
- my $optional = $chainref->{is_optional};
- my $default = $chainref->{default};
- my $name = $chainref->{name};
-
- if ( $policy ne 'NONE' ) {
- if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) {
- ensure_filter_chain $name, 1;
- }
-
- if ( $name =~ /^all2|2all$/ ) {
- run_user_exit $chainref;
- policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
- }
- }
- }
-
- for my $zone ( all_zones ) {
- for my $zone1 ( all_zones ) {
- my $chainref = $filter_table->{"${zone}2${zone1}"};
-
- if ( $chainref->{referenced} ) {
- run_user_exit $chainref;
- default_policy $chainref, $zone, $zone1;
- }
- }
- }
-}
-
-#
-# Complete a standard chain
-#
-# - run any supplied user exit
-# - search the policy file for an applicable policy and add rules as
-# appropriate
-# - If no applicable policy is found, add rules for an assummed
-# policy of DROP INFO
-#
-sub complete_standard_chain ( $$$$ ) {
- my ( $stdchainref, $zone, $zone2, $default ) = @_;
-
- add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
-
- run_user_exit $stdchainref;
-
- my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
- my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
- my $policychainref;
-
- $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
-
- ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
-
- policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
-}
-
-#
-# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
-#
-sub setup_syn_flood_chains() {
- for my $chainref ( @{$policy_chains} ) {
- my $limit = $chainref->{synparams};
- if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
- my $level = $chainref->{loglevel};
- my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
- add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
- if $level ne '';
- add_rule $synchainref, '-j DROP';
- }
- }
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Proc.pm b/Shorewall-perl-maybe/Shorewall/Proc.pm
deleted file mode 100644
index 09b41c905..000000000
--- a/Shorewall-perl-maybe/Shorewall/Proc.pm
+++ /dev/null
@@ -1,212 +0,0 @@
-#
-# Shorewall 4.2 -- /usr/share/shorewall-perl/Shorewall/Proc.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module contains the code that deals with entries in /proc.
-#
-# Note: The /proc/sys/net/ipv4/conf/x/proxy_arp flag is handled
-# in the Proxyarp module. 
-#
-package Shorewall::Proc;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw(
- setup_arp_filtering
- setup_route_filtering
- setup_martian_logging
- setup_source_routing
- setup_forwarding
- );
-our @EXPORT_OK = qw( );
-our $VERSION = 4.0.6;
-
-#
-# ARP Filtering
-#
-sub setup_arp_filtering() {
- save_progress_message "Setting up ARP filtering...";
-
- my $interfaces = find_interfaces_by_option 'arp_filter';
- my $interfaces1 = find_interfaces_by_option 'arp_ignore';
-
- if ( @$interfaces || @$interfaces1 ) {
- progress_message2 "$doing ARP Filtering...";
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
- my $value = get_interface_option $interface, 'arp_filter';
-
- emit ( '',
- "if [ -f $file ]; then",
- " echo $value > $file");
- emit ( 'else',
- " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
-
- for my $interface ( @$interfaces1 ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
- my $value = get_interface_option $interface, 'arp_ignore';
-
- fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
-
- emit ( "if [ -f $file ]; then",
- " echo $value > $file");
- emit ( 'else',
- " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
- }
-}
-
-#
-# Route Filtering
-#
-sub setup_route_filtering() {
-
- my $interfaces = find_interfaces_by_option 'routefilter';
-
- if ( @$interfaces || $config{ROUTE_FILTER} ) {
-
- progress_message2 "$doing Kernel Route Filtering...";
-
- save_progress_message "Setting up Route Filtering...";
-
-
- if ( $config{ROUTE_FILTER} ) {
- my $val = $config{ROUTE_FILTER} eq 'on' ? 
1 : 0;
-
- emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
- " [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
- 'done' );
- }
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
- my $value = get_interface_option $interface, 'routefilter';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
- emit "fi\n";
- }
-
- emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
- if ( $config{ROUTE_FILTER} eq 'on' ) {
- emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
- } elsif ( $config{ROUTE_FILTER} eq 'off' ) {
- emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
- }
-
- emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
- }
-}
-
-#
-# Martian Logging
-#
-
-sub setup_martian_logging() {
- my $interfaces = find_interfaces_by_option 'logmartians';
-
- if ( @$interfaces || $config{LOG_MARTIANS} ) {
-
- progress_message2 "$doing Martian Logging...";
-
- save_progress_message "Setting up Martian Logging...";
-
- if ( $config{LOG_MARTIANS} ) {
- my $val = $config{LOG_MARTIANS} eq 'on' ? 
1 : 0;
-
- emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
- " [ -f \$file/log_martians ] && echo $val > \$file/log_martians",
- 'done' );
- }
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
- my $value = get_interface_option $interface, 'logmartians';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
-
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
- emit "fi\n";
- }
-
- if ( $config{LOG_MARTIANS} eq 'on' ) {
- emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
- emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
- } elsif ( $config{LOG_MARTIANS} eq 'off' ) {
- emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
- emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
- }
- }
-}
-
-#
-# Source Routing
-#
-sub setup_source_routing() {
-
- save_progress_message 'Setting up Accept Source Routing...';
-
- my $interfaces = find_interfaces_by_option 'sourceroute';
-
- if ( @$interfaces ) {
- progress_message2 "$doing Accept Source Routing...";
-
- save_progress_message 'Setting up Source Routing...';
-
- for my $interface ( @$interfaces ) {
- my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
- my $value = get_interface_option $interface, 'sourceroute';
-
- emit ( "if [ -f $file ]; then" ,
- " echo $value > $file" );
- emit ( 'else' ,
- " error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
- emit "fi\n";
- }
- }
-}
-
-sub setup_forwarding() {
- if ( $config{IP_FORWARDING} eq 'on' ) {
- emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
- emit ' progress_message2 IP Forwarding Enabled';
- } elsif ( $config{IP_FORWARDING} eq 'off' ) {
- emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
- emit ' progress_message2 IP Forwarding Disabled!';
- }
-
- emit '';
-}
-
-1; 
diff --git a/Shorewall-perl-maybe/Shorewall/Providers.pm b/Shorewall-perl-maybe/Shorewall/Providers.pm
deleted file mode 100644
index d1a9bd6c9..000000000
--- a/Shorewall-perl-maybe/Shorewall/Providers.pm
+++ /dev/null
@@ -1,658 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Providers.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module deals with the /etc/shorewall/providers and -# /etc/shorewall/route_rules files. -# -package Shorewall::Providers; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( setup_providers @routemarked_interfaces); -our @EXPORT_OK = qw( initialize lookup_provider ); -our $VERSION = 4.1.5; - -use constant { LOCAL_TABLE => 255, - MAIN_TABLE => 254, - DEFAULT_TABLE => 253, - UNSPEC_TABLE => 0 - }; - -our @routemarked_providers; -our %routemarked_interfaces; -our @routemarked_interfaces; - -our $balance; -our $first_default_route; - -our %providers; - -our @providers; - - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. 
The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - @routemarked_providers = (); - %routemarked_interfaces = (); - @routemarked_interfaces = (); - $balance = 0; - $first_default_route = 1; - - %providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } , - main => { number => MAIN_TABLE , mark => 0 , optional => 0 } , - default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } , - unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 } ); - @providers = (); -} - -INIT { - initialize; -} - -# -# Set up marking for 'tracked' interfaces. -# -sub setup_route_marking() { - my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF'; - - require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' ); - require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' ); - - add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; - add_rule $mangle_table->{OUTPUT} , "-m connmark ! 
--mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; - - my $chainref = new_chain 'mangle', 'routemark'; - - my %marked_interfaces; - - for my $providerref ( @routemarked_providers ) { - my $interface = $providerref->{interface}; - my $base = uc chain_base $interface; - - add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; - - unless ( $marked_interfaces{$interface} ) { - add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; - $marked_interfaces{$interface} = 1; - } - - if ( $providerref->{shared} ) { - add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}"; - } else { - add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}"; - } - - decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional}; - } - - add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask"; -} - -sub copy_table( $$$ ) { - my ( $duplicate, $number, $realm ) = @_; - - if ( $realm ) { - emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) - } else { - emit ( "ip route show table $duplicate | while read net route; do" ) - } - - emit ( ' case $net in', - ' default|nexthop)', - ' ;;', - ' *)', - " run_ip route add table $number \$net \$route $realm", - ' ;;', - ' esac', - "done\n" - ); -} - -sub copy_and_edit_table( $$$$ ) { - my ( $duplicate, $number, $copy, $realm) = @_; - - if ( $realm ) { - emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) - } else { - emit ( "ip route show table $duplicate | while read net route; do" ) - } - - emit ( ' case $net in', - ' default|nexthop)', - ' ;;', - ' *)', - ' case $(find_device $route) in', - " $copy)", - " run_ip route add table $number \$net \$route $realm", - ' ;;', - ' esac', - ' ;;', - ' esac', - "done\n" ); 
-} - -sub balance_default_route( $$$$ ) { - my ( $weight, $gateway, $interface, $realm ) = @_; - - $balance = 1; - - emit ''; - - if ( $first_default_route ) { - if ( $gateway ) { - emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\""; - } else { - emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\""; - } - - $first_default_route = 0; - } else { - if ( $gateway ) { - emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\""; - } else { - emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\""; - } - } -} - -sub add_a_provider( $$$$$$$$ ) { - - my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_; - - fatal_error "Duplicate provider ($table)" if $providers{$table}; - - my $num = numeric_value $number; - - fatal_error "Invalid Provider number ($number)" unless defined $num; - - $number = $num; - - for my $providerref ( values %providers ) { - fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number; - } - - ( $interface, my $address ) = split /:/, $interface; - - my $shared = 0; - - if ( defined $address ) { - validate_address $address, 0; - $shared = 1; - require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s"; - } - - fatal_error "Unknown Interface ($interface)" unless known_interface $interface; - - my $provider = chain_base $table; - my $base = uc chain_base $interface; - - emit "#\n# Add Provider $table ($number)\n#"; - - emit "if interface_is_usable $interface; then"; - push_indent; - - emit "qt ip route flush table $number"; - emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing"; - - if ( $gateway eq 'detect' ) { - fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; - fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; - $gateway = 
get_interface_gateway $interface; - } elsif ( $gateway && $gateway ne '-' ) { - validate_address $gateway, 0; - } else { - fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared; - $gateway = ''; - emit "run_ip route add default dev $interface table $number"; - } - - my $val = 0; - - if ( $mark ne '-' ) { - - $val = numeric_value $mark; - - fatal_error "Invalid Mark Value ($mark)" unless defined $val; - - verify_mark $mark; - - if ( $val < 256) { - fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS}; - } else { - fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS}; - } - - for my $providerref ( values %providers ) { - fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val; - } - - my $pref = 10000 + $number - 1; - - emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; - - emit ( "run_ip rule add fwmark $mark pref $pref table $number", - "echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing" - ); - } - - my ( $loose, $track, $balance , $default_balance, $optional, $mtu ) = (0,0,0,$config{USE_DEFAULT_RT} ? 
1 : 0,interface_is_optional( $interface ), '' ); - - unless ( $options eq '-' ) { - for my $option ( split_list $options, 'option' ) { - if ( $option eq 'track' ) { - $track = 1; - } elsif ( $option =~ /^balance=(\d+)$/ ) { - $balance = $1; - } elsif ( $option eq 'balance' ) { - $balance = 1; - } elsif ( $option eq 'loose' ) { - $loose = 1; - $default_balance = 0; - } elsif ( $option eq 'optional' ) { - set_interface_option $interface, 'optional', 1; - $optional = 1; - } elsif ( $option =~ /^src=(.*)$/ ) { - fatal_error "OPTION 'src' not allowed on shared interface" if $shared; - $address = validate_address( $1 , 1 ); - } elsif ( $option =~ /^mtu=(\d+)$/ ) { - $mtu = "mtu $1 "; - } else { - fatal_error "Invalid option ($option)"; - } - } - } - - $balance = $default_balance unless $balance; - - $providers{$table} = { provider => $table, - number => $number , - mark => $val , - interface => $interface , - optional => $optional , - gateway => $gateway , - shared => $shared }; - - if ( $track ) { - fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-'; - - if ( $routemarked_interfaces{$interface} ) { - fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1; - fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared; - } else { - $routemarked_interfaces{$interface} = $shared ? 
1 : 2; - push @routemarked_interfaces, $interface; - } - - push @routemarked_providers, $providers{$table}; - } - - my $realm = ''; - - if ( $shared ) { - $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); - $realm = "realm $number"; - } - - if ( $duplicate ne '-' ) { - fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; - if ( $copy eq '-' ) { - copy_table ( $duplicate, $number, $realm ); - } else { - if ( $copy eq 'none' ) { - $copy = $interface; - } else { - $copy =~ tr/,/|/; - $copy = "$interface|$copy"; - } - - copy_and_edit_table( $duplicate, $number ,$copy , $realm); - } - } elsif ( $copy ne '-' ) { - fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; - fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column'; - } - - if ( $gateway ) { - $address = get_interface_address $interface unless $address; - emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm"; - emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm"; - } - - balance_default_route $balance , $gateway, $interface, $realm if $balance; - - if ( $loose ) { - if ( $config{DELETE_THEN_ADD} ) { - emit ( "\nfind_interface_addresses $interface | while read address; do", - ' qt ip rule del from $address', - 'done' - ); - } - } elsif ( $shared ) { - emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD}; - emit( "run_ip rule add from $address pref 20000 table $number" , - "echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" ); - } else { - my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); - - emit "\nrulenum=0\n"; - - emit ( "find_interface_addresses $interface | while read address; do" ); - emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD}; - emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) 
table $number", - " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing", - ' rulenum=$(($rulenum + 1))', - 'done' - ); - } - - emit qq(\nprogress_message " Provider $table ($number) Added"\n); - - emit ( "${base}_IS_UP=Yes" ) if $optional; - - pop_indent; - emit 'else'; - - if ( $optional ) { - emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"", - " ${base}_IS_UP=" ); - } else { - emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" ); - } - - emit "fi\n"; -} - -sub add_an_rtrule( $$$$ ) { - my ( $source, $dest, $provider, $priority ) = @_; - - unless ( $providers{$provider} ) { - my $found = 0; - - if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) { - my $provider_number = numeric_value $provider; - - for ( keys %providers ) { - if ( $providers{$_}{number} == $provider_number ) { - $provider = $_; - $found = 1; - last; - } - } - } - - fatal_error "Unknown provider ($provider)" unless $found; - } - - fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; - - if ( $dest eq '-' ) { - $dest = 'to ' . ALLIP; - } else { - validate_net( $dest, 0 ); - $dest = "to $dest"; - } - - if ( $source eq '-' ) { - $source = 'from ' . 
ALLIP; - } elsif ( $source =~ /:/ ) { - ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 ); - fatal_error "Invalid SOURCE" if defined $remainder; - validate_net ( $source, 0 ); - $source = "iif $interface from $source"; - } elsif ( $source =~ /\..*\..*/ ) { - validate_net ( $source, 0 ); - $source = "from $source"; - } else { - $source = "iif $source"; - } - - fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/; - - $priority = "priority $priority"; - - emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; - - my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); - - if ( $optional ) { - my $base = uc chain_base( $providers{$provider}{interface} ); - emit ( '', "if [ -n \$${base}_IS_UP ]; then" ); - push_indent; - } - - emit ( "run_ip rule add $source $dest $priority table $number", - "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); - - pop_indent, emit ( "fi\n" ) if $optional; - - progress_message " Routing rule \"$currentline\" $done"; -} - -# -# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business, -# it makes sense to keep all of the routing code together -# -sub setup_null_routing() { - save_progress_message "Null Routing the RFC 1918 subnets"; - for ( rfc1918_networks ) { - emit( "run_ip route replace unreachable $_" ); - emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" ); - } -} - -sub setup_providers() { - my $providers = 0; - - my $fn = open_file 'providers'; - - while ( read_a_line ) { - unless ( $providers ) { - progress_message2 "$doing $fn ..."; - require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); - - fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; - - emit "\nif [ -z \"\$NOROUTES\" ]; then"; - - push_indent; - - emit ( '#', 
- '# Undo any changes made since the last time that we [re]started -- this will not restore the default route', - '#', - 'undo_routing' ); - - unless ( $config{KEEP_RT_TABLES} ) { - emit ( - '#', - '# Save current routing table database so that it can be restored later', - '#', - 'cp /etc/iproute2/rt_tables ${VARDIR}/' ); - - } - - emit ( '#', - '# Capture the default route(s) if we don\'t have it (them) already.', - '#', - '[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', - '#', - '# Initialize the file that holds \'undo\' commands', - '#', - '> ${VARDIR}/undo_routing' ); - - save_progress_message 'Adding Providers...'; - - emit 'DEFAULT_ROUTE='; - } - - my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file'; - - add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ); - - push @providers, $table; - - $providers++; - - progress_message " Provider \"$currentline\" $done"; - - } - - if ( $providers ) { - if ( $balance ) { - my $table = MAIN_TABLE; - - if ( $config{USE_DEFAULT_RT} ) { - emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999', - 'ip rule del from all table ' . MAIN_TABLE . ' pref 32766', - 'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', - 'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', - '' ); - $table = DEFAULT_TABLE; - } - - emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); - emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); - emit ( ' qt ip route del default table ' . 
MAIN_TABLE ) if $config{USE_DEFAULT_RT}; - emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", - 'else', - ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"', - ' restore_default_route', - 'fi', - '' ); - } else { - emit ( '#', - '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved', - '#', - 'restore_default_route' ); - } - - unless ( $config{KEEP_RT_TABLES} ) { - emit( 'if [ -w /etc/iproute2/rt_tables ]; then', - ' cat > /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables"; - } - - pop_indent; - - emit "fi\n"; - } - - my $fn = open_file 'route_rules'; - - if ( $fn ) { - - first_entry "$doing $fn..."; - - emit ''; - - while ( read_a_line ) { - - my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file'; - - add_an_rtrule( $source, $dest, $provider , $priority ); - } - } - - setup_null_routing if $config{NULL_ROUTE_RFC1918}; - emit "\nrun_ip route flush cache"; - pop_indent; - emit "fi\n"; - - setup_route_marking if @routemarked_interfaces; - } else { - emit "\nundo_routing"; - emit 'restore_default_route'; - if ( $config{NULL_ROUTE_RFC1918} ) { - emit "\nif [ -z \"\$NOROUTES\" ]; then"; - - push_indent; - - emit ( '#', - '# Initialize the file that holds \'undo\' commands', - '#', - '> ${VARDIR}/undo_routing' ); - setup_null_routing; - emit "\nrun_ip route flush cache"; - - pop_indent; - - emit "fi\n"; - } - } -} - -sub lookup_provider( $ ) { - my $provider = $_[0]; - my $providerref = $providers{ $provider }; - - unless ( $providerref ) { - fatal_error "Unknown provider ($provider)" unless $provider =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/; - - my $provider_number = numeric_value $provider; - - for ( keys %providers ) { - if ( $providers{$_}{number} == $provider_number ) { - $providerref = $providers{$_}; - last; - } - } - - fatal_error "Unknown provider ($provider)" unless $providerref; - } - - - $providerref->{shared} ? 
$providerref->{number} : 0;
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Proxyarp.pm b/Shorewall-perl-maybe/Shorewall/Proxyarp.pm
deleted file mode 100644
index e727d516c..000000000
--- a/Shorewall-perl-maybe/Shorewall/Proxyarp.pm
+++ /dev/null
@@ -1,160 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Proxyarp.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#
-package Shorewall::Proxyarp;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw(
- setup_proxy_arp
- dump_proxy_arp
- );
-
-our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.6;
-
-our @proxyarp;
-
-#
-# Initialize globals -- we take this novel approach to globals initialization to allow
-# the compiler to run multiple times in the same process. The
-# initialize() function does globals initialization for this
-# module and is called from an INIT block below. The function is
-# also called by Shorewall::Compiler::compiler at the beginning of
-# the second and subsequent calls to that function. 
-#
-
-sub initialize() {
- @proxyarp = ();
-}
-
-INIT {
- initialize;
-}
-
-sub setup_one_proxy_arp( $$$$$ ) {
- my ( $address, $interface, $external, $haveroute, $persistent) = @_;
-
- if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
- $haveroute = '';
- } elsif ( "\L$haveroute" eq 'yes' ) {
- $haveroute = 'yes';
- } else {
- fatal_error "Invalid value ($haveroute) for HAVEROUTE";
- }
-
- if ( "\L$persistent" eq 'no' || $persistent eq '-' ) {
- $persistent = '';
- } elsif ( "\L$persistent" eq 'yes' ) {
- $persistent = 'yes';
- } else {
- fatal_error "Invalid value ($persistent) for PERSISTENT";
- }
-
- unless ( $haveroute ) {
- emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
- $haveroute = 1 if $persistent;
- }
-
- emit ( "if ! arp -i $external -Ds $address $external pub; then",
- " fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
- 'fi' ,
- '',
- "progress_message \" Host $address connected to $interface added to ARP on $external\"\n" );
-
- push @proxyarp, "$address $interface $external $haveroute";
-
- progress_message " Host $address connected to $interface added to ARP on $external";
-}
-
-#
-# Setup Proxy ARP
-#
-sub setup_proxy_arp() {
-
- my $interfaces= find_interfaces_by_option 'proxyarp';
- my $fn = open_file 'proxyarp';
-
- if ( @$interfaces || $fn ) {
-
- my $first_entry = 1;
-
- save_progress_message "Setting up Proxy ARP...";
-
- my ( %set, %reset );
-
- while ( read_a_line ) {
-
- my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
-
- if ( $first_entry ) {
- progress_message2 "$doing $fn...";
- $first_entry = 0;
- }
-
- $set{$interface} = 1;
- $reset{$external} = 1 unless $set{$external};
-
- setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
- }
-
- emit '';
-
- for my $interface ( keys %reset ) {
- unless ( $set{interface} ) {
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
- " 
echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit "fi\n";
- }
- }
-
- for my $interface ( keys %set ) {
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
- " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit ( 'else' ,
- " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
-
- for my $interface ( @$interfaces ) {
- my $value = get_interface_option $interface, 'proxyarp';
- emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
- " echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
- emit ( 'else' ,
- " error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
- emit "fi\n";
- }
- }
-}
-
-sub dump_proxy_arp() {
- for ( @proxyarp ) {
- emit_unindented $_;
- }
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Rules.pm b/Shorewall-perl-maybe/Shorewall/Rules.pm
deleted file mode 100644
index f8eb7f17b..000000000
--- a/Shorewall-perl-maybe/Shorewall/Rules.pm
+++ /dev/null
@@ -1,2074 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Rules.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module contains the high-level code for dealing with rules. 
-# -package Shorewall::Rules; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); -use Shorewall::Actions; -use Shorewall::Policy; -use Shorewall::Proc; - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( use_ipv4_rules - use_ipv6_rules - process_tos - setup_ecn - add_common_rules - setup_mac_lists - process_criticalhosts - process_routestopped - process_rules - generate_matrix - setup_mss - ); -our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = 4.1.5; - -# -# Set to one if we find a SECTION -# -our $sectioned; -our $macro_nest_level; -our $current_param; -our @param_stack; -our $rules_family; - -# -# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these -# - -my %rules_commands = ( COMMENT => 0, - SECTION => 2 ); - -sub use_ipv4_rules() { - $rules_family = F_INET; -} - -sub use_ipv6_rules() { - $rules_family = F_INET6; -} - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - $sectioned = 0; - $macro_nest_level = 0; - $current_param = ''; - @param_stack = (); - use_ipv4_rules; -} - -INIT { - initialize; -} - -use constant { MAX_MACRO_NEST_LEVEL => 5 }; - -sub process_tos( $ ) { - my $filename = shift; - my $chain = $capabilities{MANGLE_FORWARD} ? 'fortos' : 'pretos'; - my $stdchain = $capabilities{MANGLE_FORWARD} ? 
'FORWARD' : 'PREROUTING'; - - my %tosoptions = ( 'minimize-delay' => 0x10 , - 'maximize-throughput' => 0x08 , - 'maximize-reliability' => 0x04 , - 'minimize-cost' => 0x02 , - 'normal-service' => 0x00 ); - - if ( my $fn = open_file $filename ) { - my $first_entry = 1; - - my ( $pretosref, $outtosref ); - - first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } ); - - while ( read_a_line ) { - - my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry'; - - $first_entry = 0; - - fatal_error 'A value must be supplied in the TOS column' if $tos eq '-'; - - if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) { - $tos = $tosval; - } else { - my $val = numeric_value( $tos ); - fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f; - } - - my $chainref; - - my $restriction = NO_RESTRICT; - - my ( $srczone , $source , $remainder ); - - ( $srczone , $source , $remainder ) = split( $rules_family == F_INET ? /:/ : /;/, $src, 3 ); - - fatal_error 'Invalid SOURCE' if defined $remainder; - - if ( $srczone eq firewall_zone ) { - $chainref = $outtosref; - $src = $source || '-'; - $restriction = OUTPUT_RESTRICT; - } else { - $chainref = $pretosref; - $src =~ s/^all:?//; - } - - $dst =~ s/^all:?//; - - expand_rule - $chainref , - $restriction , - do_proto( $proto, $ports, $sports ) . 
do_test( $mark , 0xFF ) , - $src , - $dst , - '' , - '' , - "-j TOS --set-tos $tos" , - '' , - '' , - ''; - } - - unless ( $first_entry ) { - add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced}; - add_rule $mangle_table->{OUTPUT}, "-j outtos" if $outtosref->{referenced}; - } - } -} - -# -# Setup ECN disabling rules -# -sub setup_ecn() -{ - my %interfaces; - my @hosts; - - if ( my $fn = open_file 'ecn' ) { - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $interfaces{$interface} = 1; - - $hosts = ALLIP if $hosts eq '-'; - - for my $host( split_list $hosts, 'address' ) { - validate_host( $host , 1 ); - push @hosts, [ $interface, $host ]; - } - } - - if ( @hosts ) { - my @interfaces = ( keys %interfaces ); - - progress_message "$doing ECN control on @interfaces..."; - - for my $interface ( @interfaces ) { - my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); - - add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface "; - add_jump $mangle_table->{OUTPUT}, $chainref, 0, "-p tcp -o $interface "; - } - - for my $host ( @hosts ) { - add_rule $mangle_table->{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' ); - } - } - } -} - -sub add_rule_pair( $$$$ ) { - my ($chainref , $predicate , $target , $level ) = @_; - - log_rule( $level, $chainref, "\U$target", $predicate ) if defined $level && $level ne ''; - add_rule $chainref , "${predicate}-j $target"; -} - -sub setup_rfc1918_filteration( $ ) { - - my $listref = $_[0]; - my $norfc1918ref = new_standard_chain 'norfc1918'; - my $rfc1918ref = new_standard_chain 'rfc1918'; - my $chainref = $norfc1918ref; - - warning_message q(The 'norfc1918' option is deprecated); - - log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , ''; - - add_rule $rfc1918ref , 
'-j DROP'; - - $chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT}; - - my $fn = open_file 'rfc1918'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - require_capability 'CONNTRACK_MATCH', "The norfc1918 option" , 's'; - - my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file'; - - my $s_target; - - if ( $target eq 'logdrop' ) { - $target = 'rfc1918'; - $s_target = 'rfc1918'; - } elsif ( $target eq 'DROP' ) { - $s_target = 'DROP'; - } elsif ( $target eq 'RETURN' ) { - $s_target = $config{RFC1918_STRICT} ? 'rfc1918d' : 'RETURN'; - } else { - fatal_error "Invalid target ($target) for $networks"; - } - - for my $network ( split_list $networks, 'network' ) { - add_rule $norfc1918ref , match_source_net( $network ) . "-j $s_target"; - add_rule $chainref , match_orig_dest( $network ) . "-j $target" ; - } - } - - add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT}; - - for my $hostref ( @$listref ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); - } - } -} - -sub setup_blacklist( $ ) { - my $filename = shift; - my $hosts = find_hosts_by_option 'blacklist'; - my $chainref; - my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; - my $target = $disposition eq 'REJECT' ? 
'reject' : $disposition; - - if ( @$hosts ) { - $chainref = new_standard_chain 'blacklst'; - - if ( defined $level && $level ne '' ) { - my $logchainref = new_standard_chain 'blacklog'; - - log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); - - add_rule $logchainref, "-j $target" ; - - $target = 'blacklog'; - } - } - - BLACKLIST: - { - if ( my $fn = open_file $filename ) { - - my $first_entry = 1; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - if ( $first_entry ) { - unless ( @$hosts ) { - warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces); - close_file; - last BLACKLIST; - } - - $first_entry = 0; - } - - my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file'; - - expand_rule( - $chainref , - NO_RESTRICT , - do_proto( $protocol , $ports, '' ) , - $networks , - '' , - '' , - '' , - "-j $target" , - '' , - $disposition , - '' ); - - progress_message " \"$currentline\" added to blacklist"; - } - } - - my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - - for my $hostref ( @$hosts ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? 
"-m policy --pol $ipsec --dir in " : ''; - my $network = $hostref->[2]; - my $source = match_source_net $network; - - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; - } - - progress_message " Blacklisting enabled on ${interface}:${network}"; - } - } -} - -sub process_criticalhosts() { - - my @critical = (); - - my $fn = open_file 'routestopped'; - - first_entry "$doing $fn for critical hosts..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $hosts = ALLIP unless $hosts ne '-'; - - my @hosts; - - for my $host ( split_list $hosts, 'host' ) { - validate_host $host, 1; - push @hosts, "$interface:$host"; - } - - unless ( $options eq '-' ) { - for my $option (split_list $options, 'option' ) { - unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { - if ( $option eq 'critical' ) { - push @critical, @hosts; - } else { - warning_message "Unknown routestopped option ( $option ) ignored"; - } - } - } - } - } - - \@critical; -} - -sub process_routestopped() { - - my ( @allhosts, %source, %dest ); - - my $fn = open_file 'routestopped'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my $routeback = 0; - - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; - - fatal_error "Unknown interface ($interface)" unless known_interface $interface; - - $hosts = ALLIP unless $hosts && $hosts ne '-'; - - my @hosts; - - for my $host ( split /,/, $hosts ) { - validate_host $host, 1; - push @hosts, "$interface:$host"; - } - - unless ( $options eq '-' ) { - for my $option (split /,/, $options ) { - if ( $option eq 'routeback' ) { - if ( $routeback ) { - warning_message "Duplicate 'routeback' option ignored"; - } else { - $routeback = 1; - - for my $host ( split /,/, $hosts ) { - my 
$source = match_source_net $host; - my $dest = match_dest_net $host; - - emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT"; - clearrule; - } - } - } elsif ( $option eq 'source' ) { - for my $host ( split /,/, $hosts ) { - $source{"$interface:$host"} = 1; - } - } elsif ( $option eq 'dest' ) { - for my $host ( split /,/, $hosts ) { - $dest{"$interface:$host"} = 1; - } - } else { - warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; - } - } - } - - push @allhosts, @hosts; - } - - for my $host ( @allhosts ) { - my ( $interface, $h ) = split /:/, $host; - my $source = match_source_net $h; - my $dest = match_dest_net $h; - my $sourcei = match_source_dev $interface; - my $desti = match_dest_dev $interface; - - emit "\$IPTABLES -A INPUT $sourcei $source -j ACCEPT"; - emit "\$IPTABLES -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED}; - - my $matched = 0; - - if ( $source{$host} ) { - emit "\$IPTABLES -A FORWARD $sourcei $source -j ACCEPT"; - $matched = 1; - } - - if ( $dest{$host} ) { - emit "\$IPTABLES -A FORWARD $desti $dest -j ACCEPT"; - $matched = 1; - } - - unless ( $matched ) { - for my $host1 ( @allhosts ) { - unless ( $host eq $host1 ) { - my ( $interface1, $h1 ) = split /:/, $host1; - my $dest1 = match_dest_net $h1; - my $desti1 = match_dest_dev $interface1; - emit "\$IPTABLES -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT"; - clearrule; - } - } - } - } -} - -sub setup_mss(); - -sub add_common_rules() { - my $interface; - my $chainref; - my $level; - my $target; - my $rule; - my $list; - my $chain; - - new_standard_chain 'dynamic'; - - my $state = $config{BLACKLISTNEWONLY} ? 
'-m state --state NEW,INVALID ' : ''; - - add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD ); - - setup_mss; - - if ( $config{FASTACCEPT} ) { - add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT ); - } - - my $rejectref = new_standard_chain 'reject'; - - $level = $config{BLACKLIST_LOGLEVEL}; - - add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ; - add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ; - - for $interface ( all_interfaces ) { - ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); - } - - run_user_exit1 'initdone'; - - setup_blacklist 'blacklist'; - - $list = find_hosts_by_option 'nosmurfs'; - - $chainref = new_standard_chain 'smurfs'; - - if ( $capabilities{ADDRTYPE} ) { - add_rule $chainref , '-s 0.0.0.0 -j RETURN'; - add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; - } else { - add_command $chainref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $chainref; - log_rule( $config{SMURF_LOG_LEVEL} , $chainref, 'DROP', '-s $address ' ); - add_rule $chainref, '-s $address -j DROP'; - decr_cmd_level $chainref; - add_command $chainref, 'done'; - } - - add_rule_pair $chainref, '-s 224.0.0.0/4 ', 'DROP', $config{SMURF_LOG_LEVEL} ; - - if ( $capabilities{ADDRTYPE} ) { - add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP'; - } else { - add_command $rejectref, 'for address in $ALL_BCASTS; do'; - incr_cmd_level $rejectref; - add_rule $rejectref, '-d $address -j DROP'; - decr_cmd_level $rejectref; - add_command $rejectref, 'done'; - } - - add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; - - if ( @$list ) { - progress_message2 'Adding Anti-smurf Rules'; - for my $hostref ( @$list ) { - $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? 
"-m policy --pol $ipsec --dir in " : ''; - for $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); - } - } - } - - add_rule $rejectref , '-p 2 -j DROP'; - add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset'; - - if ( $capabilities{ENHANCED_REJECT} ) { - add_rule $rejectref , '-p 17 -j REJECT'; - add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable'; - add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; - } else { - add_rule $rejectref , '-j REJECT'; - } - - $list = find_interfaces_by_option 'dhcp'; - - if ( @$list ) { - progress_message2 'Adding rules for DHCP'; - - for $interface ( @$list ) { - for $chain ( input_chain $interface, output_chain $interface ) { - add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT'; - } - - add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' ); - } - } - - $list = find_hosts_by_option 'norfc1918'; - - setup_rfc1918_filteration $list if @$list; - - $list = find_hosts_by_option 'tcpflags'; - - if ( @$list ) { - my $disposition; - - progress_message2 "$doing TCP Flags filtering..."; - - $chainref = new_standard_chain 'tcpflags'; - - if ( $config{TCP_FLAGS_LOG_LEVEL} ne '' ) { - my $logflagsref = new_standard_chain 'logflags'; - - my $savelogparms = $globals{LOGPARMS}; - - $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - - log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, ''; - - $globals{LOGPARMS} = $savelogparms; - - if ( $config{TCP_FLAGS_DISPOSITION} eq 'REJECT' ) { - add_rule $logflagsref , '-j REJECT --reject-with tcp-reset'; - } else { - add_rule $logflagsref , "-j $config{TCP_FLAGS_DISPOSITION}"; - } - - $disposition = 'logflags'; - } else { - $disposition = $config{TCP_FLAGS_DISPOSITION}; - } - - 
add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags ALL NONE -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition"; - add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition"; - add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition"; - - for my $hostref ( @$list ) { - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : ''; - for $chain ( first_chains $hostref->[0] ) { - add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" ); - } - } - } - - $list = find_interfaces_by_option 'upnp'; - - if ( @$list ) { - progress_message2 '$doing UPnP'; - - new_nat_chain( 'UPnP' ); - - for $interface ( @$list ) { - add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; - } - } - - setup_syn_flood_chains; - -} - -my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } , - REJECT => { target => 'reject' , mangle => 0 } , - DROP => { target => 'DROP' , mangle => 1 } ); - -sub setup_mac_lists( $ ) { - - my $phase = $_[0]; - - my %maclist_interfaces; - - my $table = $config{MACLIST_TABLE}; - - my $maclist_hosts = find_hosts_by_option 'maclist'; - - my $target = $globals{MACLIST_TARGET}; - my $level = $config{MACLIST_LOG_LEVEL}; - my $disposition = $config{MACLIST_DISPOSITION}; - my $ttl = $config{MACLIST_TTL}; - - progress_message2 "$doing MAC Filtration -- Phase $phase..."; - - for my $hostref ( @$maclist_hosts ) { - $maclist_interfaces{ $hostref->[0] } = 1; - } - - my @maclist_interfaces = ( sort keys %maclist_interfaces ); - - progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..."; - - if ( $phase == 1 ) { - - for my $interface ( @maclist_interfaces ) { - my $chainref = new_chain $table , mac_chain $interface; - - add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j 
RETURN' - if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' ); - - if ( $ttl ) { - my $chain1ref = new_chain $table, macrecent_target $interface; - - my $chain = $chainref->{name}; - - add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN"; - add_rule $chainref, "-j $chain1ref->{name}"; - add_rule $chainref, "-m recent --update --name $chain -j RETURN"; - add_rule $chainref, "-m recent --set --name $chain"; - } - } - - my $fn = open_file( $rules_family == F_INET ? 'maclist' : '6maclist'); - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; - - if ( $original_disposition eq 'COMMENT' ) { - process_comment; - } else { - my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 ); - - fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition; - - my $targetref = $maclist_targets{$disposition}; - - fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} ); - fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); - fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface}; - - my $chainref = $chain_table->{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; - - $mac = '' unless $mac && ( $mac ne '-' ); - $addresses = '' unless defined $addresses && ( $addresses ne '-' ); - - fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses; - - $mac = mac_match $mac if $mac; - - if ( $addresses ) { - for my $address ( split ',', $addresses ) { - my $source = match_source_net $address; - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" - if defined $level && $level ne ''; - add_rule $chainref , "${mac}${source}-j $targetref->{target}"; - } - } else { - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac - if defined $level && $level ne ''; - add_rule $chainref , "$mac-j $targetref->{target}"; - } - - progress_message " Maclist entry \"$currentline\" $done"; - } - } - - clear_comment; - # - # Generate jumps from the input and forward chains - # - for my $hostref ( @$maclist_hosts ) { - my $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - my $source = match_source_net $hostref->[2]; - my $target = mac_chain $interface; - if ( $table eq 'filter' ) { - for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target"; - } - } else { - add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target"; - } - } - } else { - for my $interface ( @maclist_interfaces ) { - my $chainref = $chain_table->{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; - my $chain = $chainref->{name}; - - if ( $level ne '' || $disposition ne 'ACCEPT' ) { - my $variable = get_interface_addresses source_port_to_bridge( $interface ); - - if ( $capabilities{ADDRTYPE} ) { - add_commands( $chainref, - "for address in $variable; do", - " echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3", - " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", - 'done' ); - } else { - my $bridge = source_port_to_bridge( $interface ); - my $bridgeref = find_interface( $bridge ); - - add_commands( $chainref, - "for address in $variable; do" ); - - if ( $bridgeref->{broadcasts} ) { - for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { - add_commands( $chainref , - " echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" ); - } - } else { - my $variable1 = get_interface_bcasts $bridge; - - add_commands( $chainref, - " for address1 in $variable1; do" , - " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", - " done" ); - } - - add_commands( $chainref, - " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", - 'done' ); - } - } - - run_user_exit2( 'maclog', $chainref ); - - log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne ''; - add_rule $chainref, "-j $target"; - } - } -} - -sub process_rule1 ( $$$$$$$$$$$$$ ); - -# -# Expand a macro rule from the rules file -# -sub process_macro ( $$$$$$$$$$$$$$$ ) { - my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_; - - my $nocomment = no_comment; - - my $format = 1; - - macro_comment $macro; - - my $macrofile = $macros->{$macro}; - - progress_message "..Expanding Macro $macrofile..."; - - push_open $macrofile; - - while ( read_a_line ) { - - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, 
$morigdest, $mrate, $muser ); - - if ( $format == 1 ) { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands; - } else { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands; - } - - if ( $mtarget eq 'COMMENT' ) { - process_comment unless $nocomment; - next; - } - - if ( $mtarget eq 'FORMAT' ) { - fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/; - $format = $msource; - next; - } - - fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1; - - $mtarget = merge_levels $target, $mtarget; - - if ( $mtarget =~ /^PARAM(:.*)?$/ ) { - fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne ''; - $mtarget = substitute_param $param, $mtarget; - } - - my $action = isolate_basic_target $mtarget; - - fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action; - - my $actiontype = $targets->{$action} || find_macro( $action ); - - fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO ); - - if ( $msource ) { - if ( $msource eq '-' ) { - $msource = $source || ''; - } elsif ( $msource =~ s/^DEST:?// ) { - $msource = merge_macro_source_dest $msource, $dest; - } else { - $msource =~ s/^SOURCE:?//; - $msource = merge_macro_source_dest $msource, $source; - } - } else { - $msource = ''; - } - - if ( $mdest ) { - if ( $mdest eq '-' ) { - $mdest = $dest || ''; - } elsif ( $mdest =~ s/^SOURCE:?// ) { - $mdest = merge_macro_source_dest $mdest , $source; - } else { - $mdest =~ s/DEST:?//; - $mdest = merge_macro_source_dest $mdest, $dest; - } - } else { - $mdest = ''; - } - - process_rule1( - $mtarget, - $msource, - $mdest, - merge_macro_column( $mproto, $proto ) , - merge_macro_column( $mports, $ports ) , - merge_macro_column( $msports, $sports ) , - 
merge_macro_column( $morigdest, $origdest ) , - merge_macro_column( $mrate, $rate ) , - merge_macro_column( $muser, $user ) , - $mark, - $connlimit, - $time, - $wildcard - ); - - progress_message " Rule \"$currentline\" $done"; - } - - pop_open; - - progress_message "..End Macro $macrofile"; - - clear_comment unless $nocomment; - -} -# -# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If -# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. -# -sub process_rule1 ( $$$$$$$$$$$$$ ) { - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_; - my ( $action, $loglevel) = split_action $target; - my ( $basictarget, $param ) = get_target_param $action; - my $rule = ''; - my $actionchainref; - my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0; - - unless ( defined $param ) { - ( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/; - } - - $param = '' unless defined $param; - - # - # Determine the validity of the action - # - my $actiontype = $targets->{$basictarget} || find_macro( $basictarget ); - - fatal_error "Unknown action ($action)" unless $actiontype; - - if ( $actiontype == MACRO ) { - # - # process_macro() will call process_rule1() recursively for each rule in the macro body - # - fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL; - - if ( $param ne '' ) { - push @param_stack, $current_param; - $current_param = $param; - } - - process_macro( $basictarget, - $target , - $current_param, - $source, - $dest, - $proto, - $ports, - $sports, - $origdest, - $ratelimit, - $user, - $mark, - $connlimit, - $time, - $wildcard ); - - $macro_nest_level--; - - $current_param = pop @param_stack if $param ne ''; - - return; - - } elsif ( $actiontype & NFQ ) { - require_capability( 
'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); - my $paramval = $param eq '' ? 0 : numeric_value( $param ); - fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535; - $action = "NFQUEUE --queue-num $paramval"; - } else { - fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; - } - # - # We can now dispense with the postfix character - # - $action =~ s/[\+\-!]$//; - # - # Mark target as used - # - if ( $actiontype & ACTION ) { - unless ( $usedactions->{$target} ) { - $usedactions->{$target} = 1; - createactionchain $target; - } - } - # - # Take care of irregular syntax and targets - # - if ( $actiontype & REDIRECT ) { - my $z = $actiontype & NATONLY ? '' : firewall_zone; - if ( $dest eq '-' ) { - $dest = join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports ); - } else { - $dest = join( '', $z, '::', $dest ) unless $dest =~ /:/; - } - } elsif ( $action eq 'REJECT' ) { - $action = 'reject'; - } elsif ( $action eq 'CONTINUE' ) { - $action = 'RETURN'; - } elsif ( $actiontype & LOGRULE ) { - fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne ''; - } - # - # Isolate and validate source and destination zones - # - my $sourcezone; - my $destzone; - my $sourceref; - my $destref; - my $origdstports; - - if ( $source =~ /^(.+?):(.*)/ ) { - fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq ''; - $sourcezone = $1; - $source = $2; - } else { - $sourcezone = $source; - $source = ALLIP; - } - - if ( $dest =~ /^(.*?):(.*)/ ) { - fatal_error "Missing DEST Qualifier ($dest)" if $2 eq ''; - $destzone = $1; - $dest = $2; - } elsif ( $dest =~ /.*\..*\./ ) { - # - # Appears to be an address - # - $destzone = '-'; - } else { - $destzone = $dest; - $dest = ALLIP; - } - - fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; - fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); - - if ( $actiontype & 
NATONLY ) { - warning_message "Destination zone ($destzone) ignored" unless $destzone eq '-' || $destzone eq ''; - } else { - fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq ''; - fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone ); - } - - my $restriction = NO_RESTRICT; - - if ( $sourcezone eq firewall_zone ) { - $restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT; - } else { - $restriction = INPUT_RESTRICT if $destzone eq firewall_zone; - } - - my ( $chain, $chainref, $policy ); - # - # For compatibility with older Shorewall versions - # - $origdest = ALLIP if $origdest eq 'all'; - - # - # Take care of chain - # - - unless ( $actiontype & NATONLY ) { - # - # Check for illegal bridge port rule - # - if ( $destref->{type} eq 'bport4' ) { - unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { - return 1 if $wildcard; - fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; - } - } - - $chain = "${sourcezone}2${destzone}"; - $chainref = ensure_chain 'filter', $chain; - $policy = $chainref->{policy}; - - if ( $policy eq 'NONE' ) { - return 1 if $wildcard; - fatal_error "Rules may not override a NONE policy"; - } - # - # Handle Optimization - # - if ( $optimize > 0 ) { - my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; - if ( $loglevel ne '' ) { - return 1 if $target eq "${policy}:$loglevel}"; - } else { - return 1 if $basictarget eq $policy; - } - } - # - # Mark the chain as referenced and add appropriate rules from earlier sections. 
- # - $chainref = ensure_filter_chain $chain, 1; - } - - # - # Generate Fixed part of the rule - # - $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) ); - - unless ( $section eq 'NEW' ) { - fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; - fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); - $rule .= "-m state --state $section " - } - - # - # Generate NAT rule(s), if any - # - if ( $actiontype & NATRULE ) { - my ( $server, $serverport ); - my $randomize = $dest =~ s/:random$// ? '--random ' : ''; - - require_capability( 'NAT_ENABLED' , "$basictarget rules", '' ); - # - # Isolate server port - # - if ( $dest =~ /^(.*)(:(.+))$/ ) { - # - # Server IP and Port - # - $server = $1; # May be empty - $serverport = $3; # Not Empty due to RE - $origdstports = $ports; - if ( $serverport =~ /^(\d+)-(\d+)$/ ) { - # - # Server Port Range - # - fatal_error "Invalid port range ($serverport)" unless $1 < $2; - my @ports = ( $1, $2 ); - $_ = validate_port( proto_name( $proto ), $_) for ( @ports ); - ( $ports = $serverport ) =~ tr/-/:/; - } else { - $serverport = $ports = validate_port( proto_name( $proto ), $serverport ); - } - } elsif ( $dest eq ':' ) { - # - # Rule with no server IP or port ( zone:: ) - # - $server = $serverport = ''; - } else { - # - # Simple server IP address (may be empty or "-") - # - $server = $dest; - $serverport = ''; - } - - # - # Generate the target - # - my $target = ''; - - if ( $actiontype & REDIRECT ) { - fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server; - $target = '-j REDIRECT '; - $target .= "--to-port $serverport " if $serverport; - if ( $origdest eq '' || $origdest eq '-' ) { - $origdest = ALLIP; - } elsif ( $origdest eq 'detect' ) { - if ( 
$config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { - my $interfacesref = $sourceref->{interfaces}; - my @interfaces = keys %$interfacesref; - $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; - } else { - $origdest = ALLIP; - } - } - } else { - fatal_error "A server must be specified in the DEST column in $action rules" if $server eq ''; - - if ( $server =~ /^(.+)-(.+)$/ ) { - validate_range( $1, $2 ); - } else { - $server = validate_address $server, 1; - } - - if ( $action eq 'SAME' ) { - fatal_error 'Port mapping not allowed in SAME rules' if $serverport; - fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone; - fatal_error "':random' is not supported by the SAME target" if $randomize; - warning_message 'Netfilter support for SAME is being dropped in early 2008'; - $target = '-j SAME '; - for my $serv ( split /,/, $server ) { - $target .= "--to $serv "; - } - } elsif ( $action eq 'DNAT' ) { - $target = '-j DNAT '; - $serverport = ":$serverport" if $serverport; - for my $serv ( split /,/, $server ) { - $target .= "--to-destination ${serv}${serverport} "; - } - } - - unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) { - if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { - my $interfacesref = $sourceref->{interfaces}; - my @interfaces = keys %$interfacesref; - $origdest = @interfaces ? "detect:@interfaces" : ALLIP; - } else { - $origdest = ALLIP; - } - } - } - - $target .= $randomize; - - # - # And generate the nat table rule(s) - # - expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ), - PREROUTE_RESTRICT , - $rule , - $source , - $origdest , - '' , - '' , - $target , - $loglevel , - $action , - $serverport ? 
do_proto( $proto, '', '' ) : '' ); - # - # After NAT: - # - the destination port will be the server port ($ports) -- we did that above - # - the destination IP will be the server IP ($dest) - # - there will be no log level (we log NAT rules in the nat table rather than in the filter table). - # - the target will be ACCEPT. - # - unless ( $actiontype & NATONLY ) { - $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) ); - $loglevel = ''; - $dest = $server; - $action = 'ACCEPT'; - } - } elsif ( $actiontype & NONAT ) { - # - # NONAT or ACCEPT+ -- May not specify a destination interface - # - fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/; - - $origdest = '' unless $origdest and $origdest ne '-'; - - if ( $origdest eq 'detect' ) { - my $interfacesref = $sourceref->{interfaces}; - my $interfaces = "@$interfacesref"; - $origdest = $interfaces ? "detect:$interfaces" : ALLIP; - } - - expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , - PREROUTE_RESTRICT , - $rule , - $source , - $dest , - $origdest , - '', - '-j RETURN ' , - $loglevel , - $action , - '' ); - } - - # - # Add filter table rule, unless this is a NATONLY rule type - # - unless ( $actiontype & NATONLY ) { - - if ( $actiontype & ACTION ) { - $action = (find_logactionchain $target)->{name}; - $loglevel = ''; - } - - unless ( $origdest eq '-' ) { - require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in a non-NAT rule', 's' ) unless $actiontype & NATRULE; - } else { - $origdest = ''; - } - - expand_rule( ensure_chain( 'filter', $chain ) , - $restriction , - $rule , - $source , - $dest , - $origdest , - $origdstports , - "-j $action " , - $loglevel , - $action , - '' ); - } -} - -# -# Process a Record in the rules file -# -# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column). 
-# -sub process_rule ( $$$$$$$$$$$$ ) { - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit , $time ) = @_; - my $intrazone = 0; - my $includesrcfw = 1; - my $includedstfw = 1; - my $thisline = $currentline; - # - # Section Names are optional so once we get to an actual rule, we need to be sure that - # we close off any missing sections. - # - unless ( $sectioned ) { - finish_section 'ESTABLISHED,RELATED'; - $sections{$section = 'NEW'} = 1; - $sectioned = 1; - } - - # - # Handle Wildcards - # - if ( $source =~ /^all[-+]/ ) { - if ( $source eq 'all+' ) { - $source = 'all'; - $intrazone = 1; - } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) { - $source = 'all'; - $intrazone = 1; - $includesrcfw = 0; - } elsif ( $source eq 'all-' ) { - $source = 'all'; - $includesrcfw = 0; - } else { - fatal_error "Invalid SOURCE ($source)"; - } - } - - if ( $dest =~ /^all[-+]/ ) { - if ( $dest eq 'all+' ) { - $dest = 'all'; - $intrazone = 1; - } elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) { - $dest = 'all'; - $intrazone = 1; - $includedstfw = 0; - } elsif ( $dest eq 'all-' ) { - $dest = 'all'; - $includedstfw = 0; - } else { - fatal_error "Invalid DEST ($dest)"; - } - - } - - my $action = isolate_basic_target $target; - - fatal_error "Invalid or missing ACTION ($target)" unless defined $action; - - if ( $source eq 'all' ) { - for my $zone ( all_zones ) { - if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) { - if ( $dest eq 'all' ) { - for my $zone1 ( all_zones ) { - if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) { - if ( $intrazone || ( $zone ne $zone1 ) ) { - process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; - } - } - } - } else { - my $destzone = (split( /:/, $dest, 2 ) )[0]; - $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the 
case where the dest zone is invalid - if ( $intrazone || ( $zone ne $destzone ) ) { - process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; - } - } - } - } - } elsif ( $dest eq 'all' ) { - for my $zone ( all_zones ) { - my $sourcezone = ( split( /:/, $source, 2 ) )[0]; - if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { - process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; - } - } - } else { - process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0; - } - - progress_message " Rule \"$thisline\" $done"; -} - -# -# Process the Rules File -# -sub process_rules() { - - my $fn = open_file 'rules'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands; - - if ( $target eq 'COMMENT' ) { - process_comment; - } elsif ( $target eq 'SECTION' ) { - # - # read_a_line has already verified that there are exactly two tokens on the line - # - fatal_error "Invalid SECTION ($source)" unless defined $sections{$source}; - fatal_error "Duplicate or out of order SECTION $source" if $sections{$source}; - $sectioned = 1; - $sections{$source} = 1; - - if ( $source eq 'RELATED' ) { - $sections{ESTABLISHED} = 1; - finish_section 'ESTABLISHED'; - } elsif ( $source eq 'NEW' ) { - @sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); - finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); - } - - $section = $source; - } else { - if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) { - progress_message "Rule \"$currentline\" ignored." 
- } else { - process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time; - } - } - } - - clear_comment; - $section = 'DONE'; -} - -# -# Add jumps from the builtin chains to the interface-chains that are used by this configuration -# -sub add_interface_jumps { - # - # Add Nat jumps - # - for my $interface ( @_ ) { - addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface ); - } - - addnatjump 'PREROUTING' , 'nat_in' , ''; - addnatjump 'POSTROUTING' , 'nat_out' , ''; - addnatjump 'PREROUTING', 'dnat', ''; - - for my $interface ( @_ ) { - addnatjump 'PREROUTING' , input_chain( $interface ) , match_source_dev( $interface ); - addnatjump 'POSTROUTING' , output_chain( $interface ) , match_dest_dev( $interface ); - addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface ); - } - # - # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT - # - for my $interface ( @_ ) { - - add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface; - add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface; - - if ( use_output_chain $interface ) { - add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ); - } - } - # - # Loopback - # - my $fw = firewall_zone; - my $chainref = $filter_table->{"${fw}2${fw}"}; - - add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); - add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT'; -} - -# Generate the rules matrix. -# -# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse. 
-# -# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). -# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. -# -# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules. -# -sub generate_matrix() { - # - # Helper functions for generate_matrix() - #----------------------------------------- - # - # Return the target for rules from $zone to $zone1. - # - sub rules_target( $$ ) { - my ( $zone, $zone1 ) = @_; - my $chain = "${zone}2${zone1}"; - my $chainref = $filter_table->{$chain}; - - return $chain if $chainref && $chainref->{referenced}; - return 'ACCEPT' if $zone eq $zone1; - - fatal_error "Internal Error in rules_target()" unless $chainref; - - if ( $chainref->{policy} ne 'CONTINUE' ) { - my $policyref = $filter_table->{$chainref->{policychain}}; - return $policyref->{name} if $policyref; - fatal_error "No policy defined for zone $zone to zone $zone1"; - } - - ''; - } - - # - # Insert the passed exclusions at the front of the passed chain. - # - sub insert_exclusions( $$ ) { - my ( $chainref, $exclusionsref ) = @_; - - my $num = 1; - - for my $host ( @{$exclusionsref} ) { - my ( $interface, $net ) = split /:/, $host; - insert_rule $chainref , $num++, join( '', match_dest_dev $interface , match_dest_net( $net ), '-j RETURN' ); - } - } - - # - # Add the passed exclusions at the end of the passed chain. 
- # - sub add_exclusions ( $$ ) { - my ( $chainref, $exclusionsref ) = @_; - - for my $host ( @{$exclusionsref} ) { - my ( $interface, $net ) = split /:/, $host; - add_rule $chainref , join( '', match_dest_dev $interface, match_dest_net( $net ), '-j RETURN' ); - } - } - - # - # Set a breakpoint in this function if you want to step through generate_matrix(). - # - sub start_matrix() { - progress_message2 'Generating Rule Matrix...'; - } - - # - # G e n e r a t e _ M a t r i x ( ) S t a r t s H e r e - # - start_matrix; - - my $exclusion_seq = 1; - my %chain_exclusions; - my %policy_exclusions; - my @interfaces = ( all_interfaces ); - my $preroutingref = ensure_chain 'nat', 'dnat'; - my $fw = firewall_zone; - my @zones = non_firewall_zones; - my $interface_jumps_added = 0; - - # - # Special processing for complex configurations - # - for my $zone ( @zones ) { - my $zoneref = find_zone( $zone ); - - next if @zones <= 2 && ! $zoneref->{options}{complex}; - - my $exclusions = $zoneref->{exclusions}; - my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); - - if ( @$exclusions ) { - my $in_ref = new_standard_chain zone_input_chain $zone; - my $out_ref = new_standard_chain zone_output_chain $zone; - - add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT'; - - for my $host ( @$exclusions ) { - my ( $interface, $net ) = split /:/, $host; - my $rule = match_source_dev( $interface ) . match_source_net( $net ) . '-j RETURN'; - add_rule $frwd_ref , $rule; - add_rule $in_ref , $rule; - add_rule $out_ref , match_dest_dev( $interface ) . match_dest_net( $net ) . 
'-j RETURN'; - } - } - - if ( $capabilities{POLICY_MATCH} ) { - my $type = $zoneref->{type}; - my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; - - for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { - my $sourcechainref; - my $interfacematch = ''; - - if ( use_forward_chain( $interface ) ) { - $sourcechainref = $filter_table->{forward_chain $interface}; - } else { - $sourcechainref = $filter_table->{FORWARD}; - $interfacematch = match_source_dev $interface; - move_rules( $filter_table->{forward_chain $interface} , $frwd_ref ); - } - - my $arrayref = $source_ref->{$interface}; - - for my $hostref ( @{$arrayref} ) { - my $ipsec_match = match_ipsec_in $zone , $hostref; - for my $net ( @{$hostref->{hosts}} ) { - add_jump( - $sourcechainref, - $frwd_ref, - 1, - join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) - ); - } - } - } - } - } - - # - # Main source-zone matrix-generation loop - # - for my $zone ( @zones ) { - my $zoneref = find_zone( $zone ); - my $source_hosts_ref = $zoneref->{hosts}; - my $chain1 = rules_target firewall_zone , $zone; - my $chain2 = rules_target $zone, firewall_zone; - my $chain3 = rules_target $zone, $zone; - my $complex = $zoneref->{options}{complex} || 0; - my $type = $zoneref->{type}; - my $exclusions = $zoneref->{exclusions}; - my $frwd_ref = $filter_table->{zone_forward_chain $zone}; - my $chain = 0; - my $dnatref = ensure_chain 'nat' , dnat_chain( $zone ); - my $nested = $zoneref->{options}{nested}; - - if ( @$exclusions ) { - insert_exclusions $dnatref, $exclusions if $dnatref->{referenced}; - } - - if ( $nested ) { - # - # This is a sub-zone. We need to determine if - # - # a) A parent zone defines DNAT/REDIRECT rules; and - # b) The current zone has a CONTINUE policy to some other zone. - # - # If a) but not b), then we must avoid sending packets from this - # zone through the DNAT/REDIRECT chain for the parent. 
- # - my $parenthasnat = 0; - - for my $parent ( @{$zoneref->{parents}} ) { - my $ref = $nat_table->{dnat_chain $parent} || {}; - $parenthasnat = 1, last if $ref->{referenced}; - } - - if ( $parenthasnat ) { - for my $zone1 ( all_zones ) { - if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) { - # - # This zone has a continue policy to another zone. We must - # send packets from this zone through the parent's DNAT/REDIRECT chain. - # - $nested = 0; - last; - } - } - } else { - # - # No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain. - # - $nested = 0; - } - } - # - # Take care of PREROUTING, INPUT and OUTPUT jumps - # - for my $typeref ( values %$source_hosts_ref ) { - for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { - my $arrayref = $typeref->{$interface}; - - if ( $interface eq '+' ) { - # - # Insert the interface-specific jumps before this one which is not interface-specific - # - add_interface_jumps(@interfaces) unless $interface_jumps_added++; - } - - for my $hostref ( @$arrayref ) { - my $ipsec_in_match = match_ipsec_in $zone , $hostref; - my $ipsec_out_match = match_ipsec_out $zone , $hostref; - for my $net ( @{$hostref->{hosts}} ) { - my $dest = match_dest_net $net; - - if ( $chain1 ) { - my $nextchain; - my $outputref; - my $interfacematch = ''; - - if ( use_output_chain $interface ) { - $outputref = $filter_table->{output_chain $interface}; - } else { - $outputref = $filter_table->{OUTPUT}; - $interfacematch = match_dest_dev $interface; - } - - if ( @$exclusions ) { - my $output = zone_output_chain $zone; - add_jump $outputref , $output, 0, join( '', $interfacematch, $dest, $ipsec_out_match ); - add_jump $filter_table->{$output} , $chain1, 0; - $nextchain = $output; - } else { - add_jump $outputref , $chain1, 0, join( '', $interfacematch, $dest, $ipsec_out_match ); - $nextchain = $chain1; - } - - add_jump( $outputref , 
$nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) ) - if $hostref->{options}{broadcast}; - - move_rules( $filter_table->{output_chain $interface} , $filter_table->{$nextchain} ) unless use_output_chain $interface; - } - - clearrule; - - next if $hostref->{options}{destonly}; - - my $source = match_source_net $net; - - if ( $dnatref->{referenced} ) { - # - # There are DNAT/REDIRECT rules with this zone as the source. - # Add a jump from this source network to this zone's DNAT/REDIRECT chain - # - add_jump $preroutingref, $dnatref, 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match ); - } - # - # If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source - # then add a RETURN jump for this source network. - # - add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested; - - my $inputchainref; - my $interfacematch = ''; - - if ( use_input_chain $interface ) { - $inputchainref = $filter_table->{input_chain $interface}; - } else { - $inputchainref = $filter_table->{INPUT}; - $interfacematch = match_source_dev $interface; - } - - if ( $chain2 ) { - my $nextchain; - - if ( @$exclusions ) { - my $input = zone_input_chain $zone; - add_jump $inputchainref, $input, 0, join( '', $interfacematch, $source, $ipsec_in_match ); - add_jump $filter_table->{ $input } , $chain2, 0; - $nextchain = $input; - } else { - add_jump $inputchainref, $chain2, 0, join( '', $interfacematch, $source, $ipsec_in_match ); - $nextchain = $chain2; - } - - move_rules( $filter_table->{input_chain $interface} , $filter_table->{$nextchain} ) unless use_input_chain $interface; - } - - if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { - if ( use_forward_chain $interface ) { - add_jump $filter_table->{forward_chain $interface} , $frwd_ref, 0, join( '', $source, $ipsec_in_match ); - } else { - add_jump $filter_table->{FORWARD} , $frwd_ref, 0, join( 
'', match_source_dev( $interface ) , $source, $ipsec_in_match ); - move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref ); - } - } - } - } - } - } - - # - # F O R W A R D I N G - # - my @dest_zones; - my $last_chain = ''; - - if ( $config{OPTIMIZE} > 0 ) { - my @temp_zones; - - ZONE1: - for my $zone1 ( @zones ) { - my $zone1ref = find_zone( $zone1 ); - my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; - - next if $policy eq 'NONE'; - - my $chain = rules_target $zone, $zone1; - - next unless $chain; - - if ( $zone eq $zone1 ) { - next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); - } - - if ( $zone1ref->{type} eq 'bport4' ) { - next unless $zoneref->{bridge} eq $zone1ref->{bridge}; - } - - if ( $chain =~ /2all$/ ) { - if ( $chain ne $last_chain ) { - $last_chain = $chain; - push @dest_zones, @temp_zones; - @temp_zones = ( $zone1 ); - } elsif ( $policy eq 'ACCEPT' ) { - push @temp_zones , $zone1; - } else { - $last_chain = $chain; - @temp_zones = ( $zone1 ); - } - } else { - push @dest_zones, @temp_zones, $zone1; - @temp_zones = (); - $last_chain = ''; - } - } - - if ( $last_chain && @temp_zones == 1 ) { - push @dest_zones, @temp_zones; - $last_chain = ''; - } - } else { - @dest_zones = @zones ; - } - # - # Here it is -- THE BIG UGLY!!!!!!!!!!!! - # - # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination. - # @dest_zones is the list of destination zones that we need to handle from this source zone - # - ZONE1: - for my $zone1 ( @dest_zones ) { - my $zone1ref = find_zone( $zone1 ); - my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; - - next if $policy eq 'NONE'; - - my $chain = rules_target $zone, $zone1; - - next unless $chain; # CONTINUE policy with no rules - - my $num_ifaces = 0; - - if ( $zone eq $zone1 ) { - next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! 
( $zoneref->{options}{in_out}{routeback} || @$exclusions ); - } - - if ( $zone1ref->{type} eq 'bport4' ) { - next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge}; - } - - my $chainref = $filter_table->{$chain}; - my $exclusions1 = $zone1ref->{exclusions}; - - my $dest_hosts_ref = $zone1ref->{hosts}; - - if ( @$exclusions1 ) { - if ( $chain eq "all2$zone1" ) { - unless ( $chain_exclusions{$chain} ) { - $chain_exclusions{$chain} = 1; - insert_exclusions $chainref , $exclusions1; - } - } elsif ( $chain =~ /2all$/ ) { - my $chain1 = $policy_exclusions{"${chain}_${zone1}"}; - - unless ( $chain1 ) { - $chain1 = newexclusionchain; - $policy_exclusions{"${chain}_${zone1}"} = $chain1; - my $chain1ref = ensure_filter_chain $chain1, 0; - add_exclusions $chain1ref, $exclusions1; - add_jump $chain1ref, $chain, 0; - } - - $chain = $chain1; - } else { - fatal_error "Fatal Error in generate_matrix()" if $chain eq 'ACCEPT'; - insert_exclusions $chainref , $exclusions1; - } - } - - if ( $frwd_ref ) { - for my $typeref ( values %$dest_hosts_ref ) { - for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { - my $arrayref = $typeref->{$interface}; - for my $hostref ( @$arrayref ) { - next if $hostref->{options}{sourceonly}; - if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { - my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; - for my $net ( @{$hostref->{hosts}} ) { - add_jump $frwd_ref, $chain, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ); - } - } - } - } - } - } else { - for my $typeref ( values %$source_hosts_ref ) { - for my $interface ( keys %$typeref ) { - my $arrayref = $typeref->{$interface}; - my $chain3ref; - my $match_source_dev = ''; - - if ( use_forward_chain $interface ) { - $chain3ref = $filter_table->{forward_chain $interface}; - } else { - $chain3ref = $filter_table->{FORWARD}; - $match_source_dev = match_source_dev $interface; - } - - for my 
$hostref ( @$arrayref ) { - next if $hostref->{options}{destonly}; - for my $net ( @{$hostref->{hosts}} ) { - for my $type1ref ( values %$dest_hosts_ref ) { - for my $interface1 ( keys %$type1ref ) { - my $array1ref = $type1ref->{$interface1}; - for my $host1ref ( @$array1ref ) { - next if $host1ref->{options}{sourceonly}; - my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; - for my $net1 ( @{$host1ref->{hosts}} ) { - unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { - # - # We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE}; - # - add_jump( - $chain3ref , - $chain , - 0, - join( '', - $match_source_dev, - match_dest_dev($interface1), - match_source_net($net), - match_dest_net($net1), - $ipsec_out_match ) - ); - } - } - } - } - } - } - } - } - } - } - # - # E N D F O R W A R D I N G - # - # Now add an unconditional jump to the last unique policy-only chain determined above, if any - # - add_jump $frwd_ref , $last_chain, 1 if $last_chain; - } - } - - add_interface_jumps @interfaces unless $interface_jumps_added; - - my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] , - nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , - filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); - - complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP'; - complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT'; - complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT'; - - if ( $config{LOGALLNEW} ) { - for my $table qw/mangle nat filter/ { - for my $chain ( @{$builtins{$table}} ) { - log_rule_limit - $config{LOGALLNEW} , - $chain_table->{$table}{$chain} , - $table , - $chain , - '' , - '' , - 'insert' , - '-m state --state NEW '; - } - } - } -} - -sub setup_mss( ) { - my $clampmss = $config{CLAMPMSS}; - my $option; - my $match = ''; - my $chainref = $filter_table->{FORWARD}; - - if ( $clampmss ) { - if ( 
"\L$clampmss" eq 'yes' ) { - $option = '--clamp-mss-to-pmtu'; - } else { - $match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH}; - $option = "--set-mss $clampmss"; - } - - $match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH}; - } - - my $interfaces = find_interfaces_by_option( 'mss' ); - - if ( @$interfaces ) { - # - # Since we will need multiple rules, we create a separate chain - # - $chainref = new_chain 'filter', 'settcpmss'; - # - # Send all forwarded SYN packets to the 'settcpmss' chain - # - add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss"; - - my $in_match = ''; - my $out_match = ''; - - if ( $capabilities{POLICY_MATCH} ) { - $in_match = '-m policy --pol none --dir in '; - $out_match = '-m policy --pol none --dir out '; - } - - for ( @$interfaces ) { - my $mss = get_interface_option( $_, 'mss' ); - my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; - add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; - add_rule $chainref, "-o $_ -j RETURN" if $clampmss; - add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; - add_rule $chainref, "-i $_ -j RETURN" if $clampmss; - } - } - - add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option" if $clampmss; -} - -1; diff --git a/Shorewall-perl-maybe/Shorewall/Tc.pm b/Shorewall-perl-maybe/Shorewall/Tc.pm deleted file mode 100644 index 5c6ced6dd..000000000 --- a/Shorewall-perl-maybe/Shorewall/Tc.pm +++ /dev/null 
@@ -1,915 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tc.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Traffic Control is from tc4shorewall Version 0.5 -# (c) 2005 Arne Bernin -# Modified by Tom Eastep for integration into the Shorewall distribution -# published under GPL Version 2# -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module deals with Traffic Shaping and the tcrules file. 
-# -package Shorewall::Tc; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; -use Shorewall::Zones; -use Shorewall::Chains qw(:DEFAULT :internal); -use Shorewall::Providers; - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( setup_tc ); -our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = 4.1.5; - -our %tcs = ( T => { chain => 'tcpost', - connmark => 0, - fw => 1 - } , - CT => { chain => 'tcpost' , - target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 1 - } , - C => { target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 1 - } , - P => { chain => 'tcpre' , - connmark => 0 , - fw => 0 - } , - CP => { chain => 'tcpre' , - target => 'CONNMARK --set-mark' , - connmark => 1 , - fw => 0 - } , - F => { chain => 'tcfor' , - connmark => 0 , - fw => 0 - } , - CF => { chain => 'tcfor' , - connmark => 1 , - fw => 0 , - } , - ); - -use constant { NOMARK => 0 , - SMALLMARK => 1 , - HIGHMARK => 2 - }; - -our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , - target => 'CONNMARK --save-mark --mask' , - mark => SMALLMARK , - mask => '0xFF' , - connmark => 1 - } , - { match => sub ( $ ) { $_[0] eq 'RESTORE' }, - target => 'CONNMARK --restore-mark --mask' , - mark => SMALLMARK , - mask => '0xFF' , - connmark => 1 - } , - { match => sub ( $ ) { $_[0] eq 'CONTINUE' }, - target => 'RETURN' , - mark => NOMARK , - mask => '' , - connmark => 0 - } , - { match => sub ( $ ) { $_[0] =~ '\|.*'} , - target => 'MARK --or-mark' , - mark => HIGHMARK , - mask => '' } , - { match => sub ( $ ) { $_[0] =~ '&.*' }, - target => 'MARK --and-mark ' , - mark => HIGHMARK , - mask => '' , - connmark => 0 - } - ); - -our %classids; - -our @deferred_rules; - -# -# Perl version of Arn Bernin's 'tc4shorewall'. -# -# TCDevices Table -# -# %tcdevices { -> {in_bandwidth => , -# out_bandwidth => , -# number => , -# classify => 0|1 -# tablenumber => -# default => -# redirected => [ , , ... 
] -# } -# -our @tcdevices; -our %tcdevices; -our @devnums; -our $devnum; - - -# -# TCClasses Table -# -# %tcclasses { device => , -# mark => , -# number => , -# rate => , -# ceiling => , -# priority => , -# options => { tos => [ , , ... ]; -# tcp_ack => 1 , -# ... -# - -our @tcclasses; -our %tcclasses; - -our %restrictions = ( tcpre => PREROUTE_RESTRICT , - tcpost => POSTROUTE_RESTRICT , - tcfor => NO_RESTRICT , - tcout => OUTPUT_RESTRICT ); - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. -# - -sub initialize() { - %classids = (); - @deferred_rules = (); - @tcdevices = (); - %tcdevices = (); - @tcclasses = (); - %tcclasses = (); - @devnums = (); - $devnum = 0; -} - -INIT { - initialize; -} - -sub process_tc_rule( $$$$$$$$$$$$ ) { - my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_; - - my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); - - fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! 
defined $mark || $mark eq ''; - - my $chain = $globals{MARKING_CHAIN}; - my $target = 'MARK --set-mark'; - my $tcsref; - my $connmark = 0; - my $classid = 0; - my $device = ''; - my $fw = firewall_zone; - - if ( $source ) { - if ( $source eq $fw ) { - $chain = 'tcout'; - $source = ''; - } else { - $chain = 'tcout' if $source =~ s/^($fw)://; - } - } - - if ( $designator ) { - $tcsref = $tcs{$designator}; - - if ( $tcsref ) { - if ( $chain eq 'tcout' ) { - fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw}; - } - - $chain = $tcsref->{chain} if $tcsref->{chain}; - $target = $tcsref->{target} if $tcsref->{target}; - $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark}; - - require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark; - - } else { - fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; - - if ( $config{TC_ENABLED} eq 'Internal' ) { - fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} ); - } - - $chain = 'tcpost'; - $classid = 1; - $mark = $originalmark; - $target = 'CLASSIFY --set-class'; - } - } - - my $mask = 0xffff; - - my ($cmd, $rest) = split( '/', $mark, 2 ); - - unless ( $classid ) { - MARK: - { - for my $tccmd ( @tccmd ) { - if ( $tccmd->{match}($cmd) ) { - fatal_error "$mark not valid with :C[FPT]" if $connmark; - - require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark}; - - $target = "$tccmd->{target} "; - my $marktype = $tccmd->{mark}; - - if ( $marktype == NOMARK ) { - $mark = '' - } else { - $mark =~ s/^[|&]//; - } - - if ( $rest ) { - fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK; - - $mark = $rest if $tccmd->{mask}; - - if ( $marktype == SMALLMARK ) { - verify_small_mark $mark; - } else { - validate_mark $mark; - } - } elsif ( $tccmd->{mask} ) { - $mark = $tccmd->{mask}; - } - - last MARK; - } - } - - validate_mark $mark; - - if ( 
$config{HIGH_ROUTE_MARKS} ) { - my $val = numeric_value( $cmd ); - fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val; - fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes' - if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= 0xFF; - } - } - } - - if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , - $restrictions{$chain} , - do_proto( $proto, $ports, $sports) . - do_user( $user ) . - do_test( $testval, $mask ) . - do_length( $length ) . - do_tos( $tos ) . - do_connbytes( $connbytes ) . - do_helper( $helper ), - $source , - $dest , - '' , - '' , - "-j $target $mark" , - '' , - '' , - '' ) ) - && $device ) { - # - # expand_rule() returns destination device if any - # - fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result; - } - - progress_message " TC Rule \"$currentline\" $done"; - -} - -sub rate_to_kbit( $ ) { - my $rate = $_[0]; - - return 0 if $rate eq '-'; - return $1 if $rate =~ /^(\d+)kbit$/i; - return $1 * 1000 if $rate =~ /^(\d+)mbit$/i; - return $1 * 8000 if $rate =~ /^(\d+)mbps$/i; - return $1 * 8 if $rate =~ /^(\d+)kbps$/i; - return int($1/125) if $rate =~ /^(\d+)(bps)?$/; - fatal_error "Invalid Rate ($rate)"; -} - -sub calculate_r2q( $ ) { - my $rate = rate_to_kbit $_[0]; - my $r2q= $rate / 200 ; - $r2q <= 5 ? 
5 : $r2q; -} - -sub calculate_quantum( $$ ) { - my ( $rate, $r2q ) = @_; - $rate = rate_to_kbit $rate; - int( ( $rate * 125 ) / $r2q ); -} - -sub validate_tc_device( $$$$$ ) { - my ( $device, $inband, $outband , $options , $redirected ) = @_; - - my $devnumber; - - if ( $device =~ /:/ ) { - ( my $number, $device, my $rest ) = split /:/, $device, 3; - - fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest; - - if ( defined $number ) { - $devnumber = numeric_value( $number ); - fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber; - fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ]; - $devnum = $devnumber if $devnumber > $devnum; - } else { - fatal_error "Missing interface NUMBER"; - } - } else { - $devnumber = ++$devnum; - } - - $devnums[ $devnumber ] = $device; - - fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; - fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/; - - my $classify = 0; - - if ( $options ne '-' ) { - for my $option ( split_list $options, 'option' ) { - if ( $option eq 'classify' ) { - $classify = 1; - } else { - fatal_error "Unknown device option ($option)"; - } - } - } - - my @redirected = (); - - @redirected = split_list( $redirected , 'device' ) if defined $redirected && $redirected ne '-'; - - if ( @redirected ) { - fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband; - $classify = 1; - } - - for my $rdevice ( @redirected ) { - fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/; - my $rdevref = $tcdevices{$rdevice}; - fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref; - fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit'; - } - - $tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' , - out_bandwidth => rate_to_kbit( $outband ) . 
'kbit' , - number => $devnumber, - classify => $classify , - tablenumber => 1 , - redirected => \@redirected , - } , - - push @tcdevices, $device; - - progress_message " Tcdevice \"$currentline\" $done."; -} - -sub convert_rate( $$$ ) { - my ($full, $rate, $column) = @_; - - if ( $rate =~ /\bfull\b/ ) { - $rate =~ s/\bfull\b/$full/g; - progress_message " Compiling $column $_[1]"; - fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]}; - no warnings; - $rate = eval "int( $rate )"; - use warnings; - fatal_error "Invalid $column ($_[1])" unless defined $rate; - } else { - $rate = rate_to_kbit $rate - } - - fatal_error "$column may not be zero" unless $rate; - fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full; - - $rate; -} - -sub dev_by_number( $ ) { - my $dev = $_[0]; - my $devnum = numeric_value( $dev ); - my $devref; - - if ( defined $devnum ) { - $dev = $devnums[ $devnum ]; - fatal_error "Undefined INTERFACE number ($_[0])" unless defined $dev; - $devref = $tcdevices{$dev}; - fatal_error "Internal Error in dev_by_number()" unless $devref; - } else { - $devref = $tcdevices{$dev}; - fatal_error "Unknown INTERFACE ($dev)" unless $devref; - } - - ( $dev , $devref ); - -} - -sub validate_tc_class( $$$$$$ ) { - my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_; - - my %tosoptions = ( 'tos-minimize-delay' => 'tos=0x10/0x10' , - 'tos-maximize-throughput' => 'tos=0x08/0x08' , - 'tos-maximize-reliability' => 'tos=0x04/0x04' , - 'tos-minimize-cost' => 'tos=0x02/0x02' , - 'tos-normal-service' => 'tos=0x00/0x1e' ); - - my $classnumber = 0; - my $devref; - my $device = $devclass; - - if ( $devclass =~ /:/ ) { - ( $device, my ($number, $rest ) ) = split /:/, $device, 3; - fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest; - - ( $device , $devref) = dev_by_number( $device ); - - if ( defined $number ) { - if ( $devref->{classify} ) { - $classnumber = numeric_value( $number ); - fatal_error "Invalid interface NUMBER 
($number)" unless defined $classnumber && $classnumber; - fatal_error "Duplicate interface/class number ($number)" if defined $devnums[ $classnumber ]; - } else { - warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"; - } - } else { - fatal_error "Missing interface NUMBER"; - } - } else { - ($device, $devref ) = dev_by_number( $device ); - fatal_error "Missing class NUMBER" if $devref->{classify}; - } - - my $full = rate_to_kbit $devref->{out_bandwidth}; - - $tcclasses{$device} = {} unless $tcclasses{$device}; - my $tcref = $tcclasses{$device}; - - my $markval = 0; - - if ( $mark ne '-' ) { - if ( $devref->{classify} ) { - warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored"; - } else { - fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff; - - $markval = numeric_value( $mark ); - fatal_error "Invalid MARK ($markval)" unless defined $markval; - fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber}; - $classnumber = $devnum . $mark; - } - } else { - fatal_error "Missing MARK" unless $devref->{classify}; - fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber}; - } - - $tcref->{$classnumber} = { tos => [] , - rate => convert_rate( $full, $rate, 'RATE' ) , - ceiling => convert_rate( $full, $ceil, 'CEIL' ) , - priority => $prio eq '-' ? 
1 : $prio , - mark => $markval - }; - - $tcref = $tcref->{$classnumber}; - - fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling}; - - unless ( $options eq '-' ) { - for my $option ( split_list "\L$options", 'option' ) { - my $optval = $tosoptions{$option}; - - $option = $optval if $optval; - - if ( $option eq 'default' ) { - fatal_error "Only one default class may be specified for device $device" if $devref->{default}; - $devref->{default} = $classnumber; - } elsif ( $option eq 'tcp-ack' ) { - $tcref->{tcp_ack} = 1; - } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) { - ( undef, $option ) = split /=/, $option; - push @{$tcref->{tos}}, "$option/0xff"; - } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) { - ( undef, $option ) = split /=/, $option; - push @{$tcref->{tos}}, $option; - } else { - fatal_error "Unknown option ($option)"; - } - } - } - - push @tcclasses, "$device:$classnumber"; - progress_message " Tcclass \"$currentline\" $done."; -} - -# -# Process a record from the tcfilters file -# -sub process_tc_filter( $$$$$$ ) { - my ($devclass , $source, $dest , $proto, $portlist , $sportlist ) = @_; - - my ($device, $class, $rest ) = split /:/, $devclass, 3; - - fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! 
($device && $class ); - - ( $device , my $devref ) = dev_by_number( $device ); - - my $devnum = $devref->{number}; - - my $tcref = $tcclasses{$device}; - - fatal_error "No Classes were defined for INTERFACE $device" unless $tcref; - - $tcref = $tcref->{$class}; - - fatal_error "Unknown CLASS ($devclass)" unless $tcref; - - my $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32"; - - my ( $net , $mask ) = decompose_net( $source ); - - $rule .= "\\\n match u32 $net $mask at 12" unless $mask eq '0x00000000'; - - ( $net , $mask ) = decompose_net( $dest ); - - $rule .= "\\\n match u32 $net $mask at 16" unless $mask eq '0x00000000'; - - my $protonumber = 0; - - unless ( $proto eq '-' ) { - $protonumber = resolve_proto $proto; - fatal_error "Unknown PROTO ($proto)" unless defined $protonumber; - - if ( $protonumber ) { - my $pnumber = in_hex2 $protonumber; - $rule .= "\\\n match u8 $pnumber 0xff at 9"; - } - } - - if ( $portlist eq '-' && $sportlist eq '-' ) { - emit( "\nrun_tc $rule\\" , - " flowid $devref->{number}:$class" , - '' ); - } else { - our $lastrule; - our $lasttnum; - # - # In order to be able to access the protocol header, we must create another hash table and link to it. - # - # Create the Table. 
- # - my $tnum; - - if ( $lastrule eq $rule ) { - # - # The source, dest and protocol are the same as the last rule that specified a port - # Use the same table - # - $tnum = $lasttnum - } else { - $tnum = in_hex3 $devref->{tablenumber}++; - $lasttnum = $tnum; - $lastrule = $rule; - - emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip pref 10 handle $tnum: u32 divisor 1" ); - } - # - # And link to it using the current contents of $rule - # - emit( "\nrun_tc $rule\\" , - " link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" ); - # - # The rule to match the port(s) will be inserted into the new table - # - $rule = "filter add dev $device protocol ip parent $devnum:0 pref 10 u32 ht $tnum:0"; - - if ( $portlist eq '-' ) { - fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" - unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP; - - for my $sportrange ( split_list $sportlist , 'port list' ) { - my @sportlist = expand_port_range $protonumber , $sportrange; - - while ( @sportlist ) { - my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist ); - emit( "\nrun_tc $rule\\" , - " match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" , - " flowid $devref->{number}:$class" ); - } - } - } else { - fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" - unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP; - - for my $portrange ( split_list $portlist, 'port list' ) { - if ( $protonumber == ICMP ) { - fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-'; - - my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange ); - - $icmptype = in_hex2 numeric_value1 $icmptype; - $icmpcode = in_hex2 numeric_value1 $icmpcode if defined $icmpcode; - - my $rule1 = " match u8 $icmptype 0xff at nexthdr+0"; - $rule1 .= "\\\n match u8 $icmpcode 0xff at nexthdr+1" if defined $icmpcode; - emit( "\nrun_tc ${rule}\\" , - "$rule1\\" , - " flowid 
$devref->{number}:$class" ); - } else { - my @portlist = expand_port_range $protonumber , $portrange; - - while ( @portlist ) { - my ( $port, $mask ) = ( shift @portlist, shift @portlist ); - - my $rule1 = "match u32 0x0000${port} 0x0000${mask} at nexthdr+0"; - - if ( $sportlist eq '-' ) { - emit( "\nrun_tc ${rule}\\" , - " $rule1\\" , - " flowid $devref->{number}:$class" ); - } else { - for my $sportrange ( split_list $sportlist , 'port list' ) { - my @sportlist = expand_port_range $protonumber , $sportrange; - - while ( @sportlist ) { - my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist ); - - emit( "\nrun_tc ${rule}\\", - " $rule1\\" , - " match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0\\" , - " flowid $devref->{number}:$class" ); - } - } - } - } - } - } - } - } - - emit ''; - - progress_message " TC Filter \"$currentline\" $done"; - - $currentline =~ s/\s+/ /g; - - save_progress_message_short qq(" TC Filter \"$currentline\" defined."); - - emit ''; - -} - -sub setup_traffic_shaping() { - our $lastrule = ''; - - save_progress_message "Setting up Traffic Control..."; - - my $fn = open_file 'tcdevices'; - - if ( $fn ) { - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $device, $inband, $outband, $options , $redirected ) = split_line 3, 5, 'tcdevices'; - - fatal_error "Invalid tcdevices entry" if $outband eq '-'; - validate_tc_device( $device, $inband, $outband , $options , $redirected ); - } - } - - $devnum = $devnum > 10 ? 
10 : 1; - - $fn = open_file 'tcclasses'; - - if ( $fn ) { - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file'; - - validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); - } - } - - for my $device ( @tcdevices ) { - my $dev = chain_base( $device ); - my $devref = $tcdevices{$device}; - my $defmark = $devref->{default} || 0; - my $devnum = $devref->{number}; - - emit "if interface_is_up $device; then"; - - push_indent; - - emit ( "${dev}_exists=Yes", - "qt tc qdisc del dev $device root", - "qt tc qdisc del dev $device ingress", - "run_tc qdisc add dev $device root handle $devnum: htb default $defmark", - "${dev}_mtu=\$(get_device_mtu $device)", - "${dev}_mtu1=\$(get_device_mtu1 $device)", - "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" - ); - - my $inband = rate_to_kbit $devref->{in_bandwidth}; - - if ( $inband ) { - emit ( "run_tc qdisc add dev $device handle ffff: ingress", - "run_tc filter add dev $device parent ffff: protocol ip pref 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1" - ); - } - - for my $rdev ( @{$devref->{redirected}} ) { - emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" ); - emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" ); - } - - save_progress_message_short " TC Device $device defined."; - - pop_indent; - emit 'else'; - push_indent; - - emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped"); - emit "${dev}_exists="; - pop_indent; - emit "fi\n"; - } - - my $lastdevice = ''; - - for my $class ( @tcclasses ) { - my ( $device, $classnum ) = split /:/, $class; - my $devref = $tcdevices{$device}; - my $tcref = $tcclasses{$device}{$classnum}; - my $mark = $tcref->{mark}; - my $devicenumber = 
$devref->{number}; - my $classid = join( '', $devicenumber, ':', $classnum); - my $rate = "$tcref->{rate}kbit"; - my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} ); - my $dev = chain_base $device; - - $classids{$classid}=$device; - - if ( $lastdevice ne $device ) { - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; - } - - emit qq(if [ -n "\$${dev}_exists" ]; then); - push_indent; - $lastdevice = $device; - } - - emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum", - "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum", - "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10" - ); - # - # add filters - # - emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify}; - # - #options - # - emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; - - for my $tospair ( @{$tcref->{tos}} ) { - my ( $tos, $mask ) = split q(/), $tospair; - emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio 10 u32 match ip tos $tos $mask flowid $classid"; - } - - save_progress_message_short qq(" TC Class $class defined."); - emit ''; - } - - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; - } - - $fn = open_file 'tcfilters'; - - if ( $fn ) { - first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } ); - - while ( read_a_line ) { - - my ( $devclass, $source, $dest, $proto, $port, $sport ) = split_line 2, 6, 'tcfilters file'; - - process_tc_filter( $devclass, $source, $dest, $proto, $port, $sport ); - } - } -} - -# -# Process the tcrules file and setup traffic shaping -# 
-sub setup_tc() { - - if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) { - ensure_mangle_chain 'tcpre'; - ensure_mangle_chain 'tcout'; - - if ( $capabilities{MANGLE_FORWARD} ) { - ensure_mangle_chain 'tcfor'; - ensure_mangle_chain 'tcpost'; - } - - my $mark_part = ''; - - if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) { - $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF'; - - for my $interface ( @routemarked_interfaces ) { - add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; - } - } - - add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre"; - add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcout"; - - if ( $capabilities{MANGLE_FORWARD} ) { - add_rule $mangle_table->{FORWARD} , '-j tcfor'; - add_rule $mangle_table->{POSTROUTING} , '-j tcpost'; - } - - if ( $config{HIGH_ROUTE_MARKS} ) { - for my $chain qw(INPUT FORWARD POSTROUTING) { - insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF'; - } - } - } - - if ( $globals{TC_SCRIPT} ) { - save_progress_message 'Setting up Traffic Control...'; - append_file $globals{TC_SCRIPT}; - } elsif ( $config{TC_ENABLED} eq 'Internal' ) { - setup_traffic_shaping; - } - - if ( $config{TC_ENABLED} ) { - if ( my $fn = open_file 'tcrules' ) { - - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } ); - - while ( read_a_line ) { - - my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file'; - - if ( $mark eq 'COMMENT' ) { - process_comment; - } else { - process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper; - } - - } - - clear_comment; - } - } - - for ( @deferred_rules ) { - add_rule ensure_chain( 'mangle' , 'tcpost' ), $_; - } -} - -1; 
diff --git a/Shorewall-perl-maybe/Shorewall/Tunnels.pm b/Shorewall-perl-maybe/Shorewall/Tunnels.pm
deleted file mode 100644
index 06176cdad..000000000
--- a/Shorewall-perl-maybe/Shorewall/Tunnels.pm
+++ /dev/null
@@ -1,299 +0,0 @@
-#
-# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Tunnels.pm
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2007 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This module handles the /etc/shorewall/tunnels file.
-#
-package Shorewall::Tunnels;
-require Exporter;
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::IPAddrs;
-use Shorewall::Chains qw(:DEFAULT :internal);
-
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_tunnels );
-our @EXPORT_OK = ( );
-our $VERSION = 4.1.5;
-
-#
-# Here starts the tunnel stuff -- we really should get rid of this crap...
-#
-sub setup_tunnels() {
-
- our $fw = firewall_zone;
-
- sub setup_one_ipsec {
- my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
-
- ( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
-
- my $noah = 1;
-
- fatal_error "Invalid IPSEC modifier ($qualifier:$remainder)" if defined $remainder;
-
- if ( defined $qualifier ) {
- if ( $qualifier eq 'ah' ) {
- fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
- $noah = 0;
- } else {
- fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
- }
- }
-
- my $options = '-m state --state NEW -j ACCEPT';
-
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
-
- unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
- }
-
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
-
- if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
- } else {
- add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
- add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
- }
-
- unless ( $gatewayzones eq '-' ) {
- for my $zone ( split_list $gatewayzones, 'zone' ) {
- my $type = zone_type( $zone );
- fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
- $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
-
- unless ( $capabilities{POLICY_MATCH} ) {
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
-
- unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
- }
- }
-
- if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
- } else {
- add_rule 
$inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
- add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
- }
- }
- }
- }
-
- sub setup_one_other {
- my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
-
- add_rule $inchainref , "-p $protocol $source -j ACCEPT";
- add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
- }
-
- sub setup_pptp_client {
- my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-
- add_rule $outchainref, "-p 47 $dest -j ACCEPT";
- add_rule $inchainref, "-p 47 $source -j ACCEPT";
- add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
- }
-
- sub setup_pptp_server {
- my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-
- add_rule $inchainref, "-p 47 $dest -j ACCEPT";
- add_rule $outchainref, "-p 47 $source -j ACCEPT";
- add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
- }
-
- sub setup_one_openvpn {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p, $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol = $proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
- }
-
- sub setup_one_openvpn_client {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol = 
$proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
- }
-
- sub setup_one_openvpn_server {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = 1194;
-
- ( $kind, my ( $proto, $p , $remainder ) ) = split( /:/, $kind, 4 );
-
- fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-
- if ( defined $p && $p ne '' ) {
- $port = $p;
- $protocol = $proto;
- } elsif ( defined $proto && $proto ne '' ) {
- if ( "\L$proto" =~ /udp|tcp/ ) {
- $protocol = $proto;
- } else {
- $port = $proto;
- }
- }
-
- add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
- }
-
- sub setup_one_l2tp {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
-
- add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
- add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
- }
-
- sub setup_one_generic {
- my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
-
- my $protocol = 'udp';
- my $port = '--dport 5000';
-
- if ( $kind =~ /.*:.*:.*/ ) {
- ( $kind, $protocol, $port) = split /:/, $kind;
- $port = "--dport $port";
- } else {
- $port = '';
- ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
- }
-
- add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
- add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
- }
-
- sub setup_one_tunnel($$$$) {
- my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
-
- my $zonetype = zone_type( $zone );
-
- fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
-
- my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
-
- $gateway = 
ALLIPv4 if $gateway eq '-';
-
- my $source = match_source_net $gateway;
- my $dest = match_dest_net $gateway;
-
- my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
- 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, $source, $dest , $gatewayzones ] } ,
- 'ipip' => { function => \&setup_one_other, params => [ $source, $dest , 4 ] } ,
- 'gre' => { function => \&setup_one_other, params => [ $source, $dest , 47 ] } ,
- '6to4' => { function => \&setup_one_other, params => [ $source, $dest , 41 ] } ,
- 'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, $source, $dest ] } ,
- 'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, $source, $dest ] } ,
- 'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, $source, $dest ] } ,
- 'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, $source, $dest ] } ,
- 'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, $source, $dest ] } ,
- 'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, $source, $dest ] } ,
- 'generic' => { function => \&setup_one_generic , params => [ $kind, $source, $dest ] } ,
- );
-
- $kind = "\L$kind";
-
- (my $type) = split /:/, $kind;
-
- my $tunnelref = $tunneltypes{ $type };
-
- fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
-
- $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
-
- progress_message " Tunnel \"$currentline\" $done";
- }
-
- #
- # Setup_Tunnels() Starts Here
- #
- my $fn = open_file 'tunnels';
-
- first_entry "$doing $fn...";
-
- while ( read_a_line ) {
-
- my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
-
- if ( $kind eq 'COMMENT' ) {
- process_comment;
- } else {
- setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
- }
- }
-
- clear_comment;
-}
-
-1;
diff --git a/Shorewall-perl-maybe/Shorewall/Zones.pm b/Shorewall-perl-maybe/Shorewall/Zones.pm
deleted file mode 100644
index e5bfa228b..000000000
--- a/Shorewall-perl-maybe/Shorewall/Zones.pm
+++ /dev/null
@@ -1,1120 +0,0 @@ -# -# Shorewall-perl 4.2 -- /usr/share/shorewall-perl/Shorewall/Zones.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module contains the code which deals with /etc/shorewall/zones, -# /etc/shorewall/interfaces and /etc/shorewall/hosts. 
-# -package Shorewall::Zones; -require Exporter; -use Shorewall::Config qw(:DEFAULT :internal); -use Shorewall::IPAddrs; - -use strict; - -our @ISA = qw(Exporter); -our @EXPORT = qw( NOTHING - NUMERIC - NETWORK - IPSECPROTO - IPSECMODE - - use_ipv4_interfaces - use_ipv6_interfaces - - determine_zones - zone_report - dump_zone_contents - find_zone - firewall_zone - defined_zone - zone_type - all_zones - complex_zones - non_firewall_zones - haveipseczones - single_interface - validate_interfaces_file - all_interfaces - interface_number - find_interface - known_interface - have_bridges - port_to_bridge - source_port_to_bridge - interface_is_optional - find_interfaces_by_option - get_interface_option - set_interface_option - validate_hosts_file - find_hosts_by_option - ); - -our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.1.5; - -# -# IPSEC Option types -# -use constant { NOTHING => 'NOTHING', - NUMERIC => '0x[\da-fA-F]+|\d+', - NETWORK => '\d+.\d+.\d+.\d+(\/\d+)?', - IPSECPROTO => 'ah|esp|ipcomp', - IPSECMODE => 'tunnel|transport' - }; - -# -# Zone Table. -# -# @zones contains the ordered list of zones with sub-zones appearing before their parents. -# -# %zones{ => {type = > 'firewall', 'ipv4', 'ipsec4', 'bport4'; -# options => { complex => 0|1 -# nested => 0|1 -# in_out => < policy match string > -# in => < policy match string > -# out => < policy match string > -# } -# parents => [ ] Parents, Children and interfaces are listed by name -# children => [ ] -# interfaces => [ ] -# bridge => -# family => 1 = IPv4, 2 = IPv6, 3 = firewall -# hosts { } => [ { => { ipsec => 'ipsec'|'none' -# options => { => -# ... -# } -# hosts => [ , , ... ] -# } -# => ... -# } -# ] -# } -# => ... -# } -# -# $firewall_zone names the firewall zone. -# -our @zones; -our %zones; -our $firewall_zone; - -our %reservedName = ( all => 1, - none => 1, - SOURCE => 1, - DEST => 1 ); - -# -# Interface Table. 
-# -# @interfaces lists the interface names in the order that they appear in the interfaces file. -# -# %interfaces { => { name => -# root => -# options => { = , -# ... -# } -# zone => -# nets => -# bridge => -# broadcasts => 'none', 'detect' or [ , , ... ] -# number => -# } -# } -# -our @interfaces4; -our %interfaces4; -our @bport_zones4; - -our @interfaces6; -our %interfaces6; -our @bport_zones6; - -our $interface_list; -our $interface_table; -our $bport_zones; -our $zone_family; -our $zone_family_name; - -sub use_ipv4_interfaces() { - $interface_list = \@interfaces4; - $interface_table = \%interfaces4; - $bport_zones = \@bport_zones4; - $zone_family = F_INET; - $zone_family_name = 'IPv4'; -} - -sub use_ipv6_interfaces() { - $interface_list = \@interfaces6; - $interface_table = \%interfaces6; - $bport_zones = \@bport_zones6; - $zone_family = F_INET6; - $zone_family_name = 'IPv6'; -} - -# -# Initialize globals -- we take this novel approach to globals initialization to allow -# the compiler to run multiple times in the same process. The -# initialize() function does globals initialization for this -# module and is called from an INIT block below. The function is -# also called by Shorewall::Compiler::compiler at the beginning of -# the second and subsequent calls to that function. 
-# - -sub initialize() { - @zones = (); - %zones = (); - $firewall_zone = ''; - - @interfaces4 = (); - %interfaces4 = (); - @bport_zones4 = (); - - @interfaces6 = (); - %interfaces6 = (); - @bport_zones6 = (); - - use_ipv4_interfaces; -} - -INIT { - initialize; -} - -# -# Parse the passed option list and return a reference to a hash as follows: -# -# => mss = -# => ipsec = <-m policy arguments to match options> -# -sub parse_zone_option_list($$) -{ - my %validoptions = ( mss => NUMERIC, - strict => NOTHING, - next => NOTHING, - reqid => NUMERIC, - spi => NUMERIC, - proto => IPSECPROTO, - mode => IPSECMODE, - "tunnel-src" => NETWORK, - "tunnel-dst" => NETWORK, - ); - - # - # Hash of options that have their own key in the returned hash. - # - my %key = ( mss => "mss" ); - - my ( $list, $zonetype ) = @_; - my %h; - my $options = ''; - my $fmt; - - if ( $list ne '-' ) { - for my $e ( split_list $list, 'option' ) { - my $val = undef; - my $invert = ''; - - if ( $e =~ /([\w-]+)!=(.+)/ ) { - $val = $2; - $e = $1; - $invert = '! '; - } elsif ( $e =~ /([\w-]+)=(.+)/ ) { - $val = $2; - $e = $1; - } - - $fmt = $validoptions{$e}; - - fatal_error "Invalid Option ($e)" unless $fmt; - - if ( $fmt eq NOTHING ) { - fatal_error "Option \"$e\" does not take a value" if defined $val; - } else { - fatal_error "Missing value for option \"$e\"" unless defined $val; - fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/; - } - - if ( $key{$e} ) { - $h{$e} = $val; - } else { - fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4'; - $options .= $invert; - $options .= "--$e "; - $options .= "$val "if defined $val; - } - } - } - - $h{ipsec} = $options ? "$options " : ''; - - \%h; -} - -# -# Parse the zones file. 
-# -sub determine_zones() -{ - my @z; - - my $ipv4 = 0; - my $ipv6 = 0; - - my $fn = open_file 'zones'; - - first_entry "$doing $fn..."; - - while ( read_a_line ) { - - my @parents; - - my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; - - if ( $zone =~ /(\w+):([\w,]+)/ ) { - $zone = $1; - @parents = split_list $2, 'zone'; - - for my $p ( @parents ) { - fatal_error "Invalid Parent List ($2)" unless $p; - fatal_error "Unknown parent zone ($p)" unless $zones{$p}; - fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall'; - push @{$zones{$p}{children}}, $zone; - } - } - - fatal_error "Invalid zone name ($zone)" unless "\L$zone" =~ /^[a-z]\w*$/ && length $zone <= $globals{MAXZONENAMELENGTH}; - fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; - fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; - - $type = "ipv4" unless $type; - - my $family = F_INET; - - if ( $type =~ /ipv4/i ) { - $type = 'ipv4'; - $ipv4 = 1; - } elsif ( $type =~ /ipv6/i ) { - $type = 'ipv6'; - $ipv6 = 1; - $family = F_INET6; - } elsif ( $type =~ /^ipsec4?$/i ) { - $type = 'ipsec4'; - } elsif ( $type =~ /^ipsec6$/i ) { - $type = 'ipsec6'; - $family = F_INET6; - } elsif ( $type =~ /^bport4?$/i ) { - warning_message "Bridge Port zones should have a parent zone" unless @parents; - $type = 'bport4'; - push @bport_zones4, $zone; - } elsif ( $type =~ /^bport6$/i ) { - warning_message "Bridge Port zones should have a parent zone" unless @parents; - $type = 'bport6'; - $family = F_INET6; - push @bport_zones6, $zone; - } elsif ( $type eq 'firewall' ) { - fatal_error 'Firewall zone may not be nested' if @parents; - fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone; - $firewall_zone = $zone; - $ENV{FW} = $zone; - $type = "firewall"; - $family = F_INET | F_INET6; - } elsif ( $type eq '-' ) { - $type = 'ipv4'; - $ipv4 = 1; - } else { - fatal_error "Invalid zone type 
($type)" ; - } - - for ( @parents ) { - fatal_error "Incompatible Parent/Child Zones Types ($_)" unless $zones{$_}{family} == $family - } - - for ( $options, $in_options, $out_options ) { - $_ = '' if $_ eq '-'; - } - - $zones{$zone} = { type => $type, - parents => \@parents, - exclusions => [], - bridge => '', - family => $family, - options => { in_out => parse_zone_option_list( $options || '', $type ) , - in => parse_zone_option_list( $in_options || '', $type ) , - out => parse_zone_option_list( $out_options || '', $type ) , - complex => ($type =~ /^ipsec/ || $options || $in_options || $out_options ? 1 : 0) , - nested => @parents > 0 } , - interfaces => {} , - children => [] , - hosts => {} - }; - push @z, $zone; - } - - fatal_error "No firewall zone defined" unless $firewall_zone; - fatal_error "No IPv4 or IPv6 zones defined" unless $ipv4 || $ipv6; - - my %ordered; - - PUSHED: - { - ZONE: - for my $zone ( @z ) { - unless ( $ordered{$zone} ) { - for ( @{$zones{$zone}{children}} ) { - next ZONE unless $ordered{$_}; - } - $ordered{$zone} = 1; - push @zones, $zone; - redo PUSHED; - } - } - } - - fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z; - -} - -# -# Return true of we have any ipsec zones -# -sub haveipseczones() { - for my $zoneref ( values %zones ) { - return 1 if $zoneref->{type} =~ /^ipsec/; - } - - 0; -} - -sub dump_zone_contents() -{ - for my $zone ( @zones ) - { - my $zoneref = $zones{$zone}; - my $hostref = $zoneref->{hosts}; - my $type = $zoneref->{type}; - my $optionref = $zoneref->{options}; - my $exclusions = $zoneref->{exclusions}; - my $entry = "$zone $type"; - - $entry .= ":$zoneref->{bridge}" if $type =~ /^bport/; - - if ( $hostref ) { - for my $type ( sort keys %$hostref ) { - my $interfaceref = $hostref->{$type}; - - for my $interface ( sort keys %$interfaceref ) { - my $arrayref = $interfaceref->{$interface}; - for my $groupref ( @$arrayref ) { - my $hosts = $groupref->{hosts}; - if ( $hosts ) { - my 
$grouplist = join ',', ( @$hosts ); - $entry .= " $interface:$grouplist"; - } - } - } - } - } - - if ( @$exclusions ) { - $entry .= ' exclude'; - - for my $host ( @$exclusions ) { - $entry .= " $host"; - } - } - - emit_unindented $entry; - } -} - -# -# If the passed zone is associated with a single interface, the name of the interface is returned. Otherwise, the funtion returns ''; -# -sub single_interface( $ ) { - my $zone = $_[0]; - my $zoneref = $zones{$zone}; - - fatal_error "Internal Error in single_zone()" unless $zoneref; - - my @keys = keys( %{$zoneref->{interfaces}} ); - - @keys == 1 ? $keys[0] : ''; -} - -sub add_group_to_zone($$$$$) -{ - my ($zone, $type, $interface, $networks, $options) = @_; - my $typeref; - my $interfaceref; - my $arrayref; - my $zoneref = $zones{$zone}; - my $zonetype = $zoneref->{type}; - my $ifacezone = $interface_table->{$interface}{zone}; - - $zoneref->{interfaces}{$interface} = 1; - - my @newnetworks; - my @exclusions; - my $new = \@newnetworks; - my $switched = 0; - - $ifacezone = '' unless defined $ifacezone; - - for my $host ( @$networks ) { - $interface_table->{$interface}{nets}++; - - fatal_error "Invalid Host List" unless defined $host and $host ne ''; - - if ( substr( $host, 0, 1 ) eq '!' ) { - fatal_error "Only one exclusion allowed in a host list" if $switched; - $switched = 1; - $host = substr( $host, 1 ); - $new = \@exclusions; - } - - unless ( $switched ) { - if ( $type eq $zonetype ) { - fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone; - $ifacezone = $zone if $host eq ALLIP; - } - } - - if ( substr( $host, 0, 1 ) eq '+' ) { - fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/; - } else { - validate_host $host, 0; - } - - push @$new, $switched ? 
"$interface:$host" : $host; - } - - $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback}; - - $typeref = ( $zoneref->{hosts} || ( $zoneref->{hosts} = {} ) ); - $interfaceref = ( $typeref->{$type} || ( $interfaceref = $typeref->{$type} = {} ) ); - $arrayref = ( $interfaceref->{$interface} || ( $interfaceref->{$interface} = [] ) ); - - $zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions ); - - push @{$zoneref->{exclusions}}, @exclusions; - - push @{$arrayref}, { options => $options, - hosts => \@newnetworks, - ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' }; -} - -# -# Verify that the passed zone name represents a declared zone. Return a -# reference to its zone table entry. -# -sub find_zone( $ ) { - my $zone = $_[0]; - - my $zoneref = $zones{$zone}; - - fatal_error "Unknown zone ($zone)" unless $zoneref; - fatal_error "Zone has wrong address family" unless $zoneref->{family} & $zone_family; - - $zoneref; -} - -sub zone_type( $ ) { - find_zone( $_[0] )->{type}; -} - -sub defined_zone( $ ) { - my $zoneref = $zones{$_[0]}; - - $zoneref && $zoneref->{family} & $zone_family ? $zoneref : undef; -} - -sub all_zones() { - grep ( $zones{$_}{family} & $zone_family , @zones ); -} - -sub non_firewall_zones() { - grep ( $zones{$_}{type} ne 'firewall' , all_zones() ); -} - -sub complex_zones() { - grep( $zones{$_}{options}{complex} , all_zones() ); -} - -sub firewall_zone() { - $firewall_zone; -} - -# -# Report about zones. 
-# -sub zone_report() -{ - progress_message2 "Determining Hosts in $zone_family_name Zones..."; - - for my $zone ( all_zones ) - { - my $zoneref = $zones{$zone}; - my $hostref = $zoneref->{hosts}; - my $type = $zoneref->{type}; - my $optionref = $zoneref->{options}; - - progress_message " $zone ($type)"; - - my $printed = 0; - - if ( $hostref ) { - for my $type ( sort keys %$hostref ) { - my $interfaceref = $hostref->{$type}; - - for my $interface ( sort keys %$interfaceref ) { - my $arrayref = $interfaceref->{$interface}; - for my $groupref ( @$arrayref ) { - my $hosts = $groupref->{hosts}; - if ( $hosts ) { - my $grouplist = join ',', ( @$hosts ); - progress_message " $interface:$grouplist"; - $printed = 1; - } - } - - } - } - } - - unless ( $printed ) { - fatal_error "No bridge has been associated with zone $zone" if $type =~ /^bport*/ && ! $zoneref->{bridge}; - warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; - } - - } -} - -# -# Parse the interfaces file. -# - -sub validate_interfaces_file( $ ) -{ - my $export = shift; - my $num = 0; - - use constant { SIMPLE_IF_OPTION => 1, - BINARY_IF_OPTION => 2, - ENUM_IF_OPTION => 3, - NUMERIC_IF_OPTION => 4, - OBSOLETE_IF_OPTION => 5, - MASK_IF_OPTION => 7, - - IF_OPTION_ZONEONLY => 8 }; - - my %validoptions = $zone_family == F_INET ? 
(arp_filter => BINARY_IF_OPTION, - arp_ignore => ENUM_IF_OPTION, - blacklist => SIMPLE_IF_OPTION, - bridge => SIMPLE_IF_OPTION, - detectnets => OBSOLETE_IF_OPTION, - dhcp => SIMPLE_IF_OPTION, - maclist => SIMPLE_IF_OPTION, - logmartians => BINARY_IF_OPTION, - norfc1918 => SIMPLE_IF_OPTION, - nosmurfs => SIMPLE_IF_OPTION, - optional => SIMPLE_IF_OPTION, - proxyarp => BINARY_IF_OPTION, - routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, - routefilter => BINARY_IF_OPTION, - sourceroute => BINARY_IF_OPTION, - tcpflags => SIMPLE_IF_OPTION, - upnp => SIMPLE_IF_OPTION, - mss => NUMERIC_IF_OPTION, - ) : - (blacklist => SIMPLE_IF_OPTION, - bridge => SIMPLE_IF_OPTION, - maclist => SIMPLE_IF_OPTION, - nosmurfs => SIMPLE_IF_OPTION, - optional => SIMPLE_IF_OPTION, - proxyndp => BINARY_IF_OPTION, - routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, - sourceroute => BINARY_IF_OPTION, - tcpflags => SIMPLE_IF_OPTION, - mss => NUMERIC_IF_OPTION, - ); - - my $fn = open_file ($zone_family == F_INET ? 'interfaces' : '6interfaces'); - - my $first_entry = 1; - - my @ifaces; - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file'; - my $zoneref; - my $bridge = ''; - - if ( $zone eq '-' ) { - $zone = ''; - } else { - $zoneref = $zones{$zone}; - - fatal_error "Unknown zone ($zone)" unless $zoneref; - fatal_error "Zone $zone has wrong address family" unless $zoneref->{family} == $zone_family; - fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall'; - } - - $networks = '' if $networks eq '-'; - $options = '' if $options eq '-'; - - my ($interface, $port, $extra) = split /:/ , $originalinterface, 3; - - fatal_error "Invalid INTERFACE ($originalinterface)" if ! 
$interface || defined $extra; - - if ( defined $port ) { - fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; - require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); - fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; - fatal_error "Duplicate Interface ($port)" if $interface_table->{$port}; - fatal_error "$interface is not a defined bridge" unless $interface_table->{$interface} && $interface_table->{$interface}{options}{bridge}; - fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! $zoneref->{type} =~ /^bport/; - - if ( $zone ) { - if ( $zoneref->{bridge} ) { - fatal_error "Bridge Port zones may only be associated with a single bridge" if $zoneref->{bridge} ne $interface; - } else { - $zoneref->{bridge} = $interface; - } - } - - fatal_error "Bridge Ports may not have options" if $options && $options ne '-'; - - next if $port eq ''; - - fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/; - - $bridge = $interface; - $interface = $port; - } else { - fatal_error "Duplicate Interface ($interface)" if $interface_table->{$interface}; - fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} =~ /^bport/; - $bridge = $interface; - } - - my $wildcard = 0; - my $root; - - if ( $interface =~ /\+$/ ) { - $wildcard = 1; - $root = substr( $interface, 0, -1 ); - } else { - $root = $interface; - } - - my $broadcasts; - - unless ( $networks eq '' || $networks eq 'detect' ) { - fatal_error "BROADCAST may not be specified for IPv6 Interfaces" if $zone_family == F_INET6; - my @broadcasts = split $networks, 'address'; - - for my $address ( @broadcasts ) { - fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - } - - if ( $capabilities{ADDRTYPE} ) { - warning_message 'Shorewall 
no longer uses broadcast addresses in rule generation when Address Type Match is available'; - } else { - $broadcasts = \@broadcasts; - } - } - - my $optionsref = {}; - - my %options; - - if ( $options ) { - - for my $option (split_list $options, 'option' ) { - next if $option eq '-'; - - ( $option, my $value ) = split /=/, $option; - - fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option}; - - fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone; - - $type &= MASK_IF_OPTION; - - if ( $type == SIMPLE_IF_OPTION ) { - fatal_error "Option $option does not take a value" if defined $value; - $options{$option} = 1; - } elsif ( $type == BINARY_IF_OPTION ) { - $value = 1 unless defined $value; - fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - $options{$option} = $value; - } elsif ( $type == ENUM_IF_OPTION ) { - fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; - if ( $option eq 'arp_ignore' ) { - if ( defined $value ) { - if ( $value =~ /^[1-3,8]$/ ) { - $options{arp_ignore} = $value; - } else { - fatal_error "Invalid value ($value) for arp_ignore"; - } - } else { - $options{arp_ignore} = 1; - } - } else { - fatal_error "Internal Error in validate_interfaces_file"; - } - } elsif ( $type == NUMERIC_IF_OPTION ) { - fatal_error "The $option option requires a value" unless defined $value; - my $numval = numeric_value $value; - fatal_error "Invalid value ($value) for option $option" unless defined $numval; - $options{$option} = $numval; - } else { - warning_message "Support for the $option interface option has been removed from Shorewall-perl"; - } - } - - $zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback}; - - if ( $options{bridge} ) { - 
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's'); - fatal_error "Bridges may not have wildcard names" if $wildcard; - } - } elsif ( $port ) { - $options{port} = 1; - } - - $optionsref = \%options; - - $interface_table->{$interface} = { name => $interface , - bridge => $bridge , - nets => 0 , - number => ++$num , - root => $root , - broadcasts => $broadcasts , - options => $optionsref }; - - push @ifaces, $interface; - - my @networks = allip; - - add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; - - $interface_table->{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() - - progress_message " Interface \"$currentline\" Validated"; - - } - - # - # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge - # - for my $interface ( @ifaces ) { - my $interfaceref = $interface_table->{$interface}; - - if ( $interfaceref->{options}{bridge} ) { - my @ports = grep $interface_table->{$_}{options}{port} && $interface_table->{$_}{bridge} eq $interface, @ifaces; - - if ( @ports ) { - push @{$interface_list}, @ports; - } else { - $interfaceref->{options}{routeback} = 1; #so the bridge will work properly - } - } - - push @{$interface_list}, $interface unless $interfaceref->{options}{port}; - } - # - # Be sure that we have at least one interface - # - fatal_error "No network interfaces defined" unless @{$interface_list}; -} - -# -# Returns true if passed interface matches an entry in /etc/shorewall/interfaces -# -# If the passed name matches a wildcard, a entry for the name is added in %interfaces to speed up validation of other references to that name. 
-# -sub known_interface($) -{ - my $interface = $_[0]; - my $interfaceref = $interface_table->{$interface}; - - return $interfaceref if $interfaceref; - - for my $i ( @{$interface_list} ) { - $interfaceref = $interface_table->{$i}; - my $val = $interfaceref->{root}; - next if $val eq $i; - if ( substr( $interface, 0, length $val ) eq $val ) { - # - # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces. - # - return $interface_table->{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} }; - } - } - - 0; -} - -# -# Return interface number -# -sub interface_number( $ ) { - $interface_table->{$_[0]}{number} || 256; -} - -# -# Return the interfaces list -# -sub all_interfaces() { - @{$interface_list}; -} - -# -# Return a reference to the interfaces table entry for an interface -# -sub find_interface( $ ) { - my $interface = $_[0]; - my $interfaceref = $interface_table->{ $interface }; - - fatal_error "Unknown Interface ($interface)" unless $interfaceref; - - $interfaceref; -} - -# -# Returns true if there are bridge port zones defined in the config -# -sub have_bridges() { - @{$bport_zones} > 0; -} - -# -# Return the bridge associated with the passed interface. If the interface is not a bridge port, -# return '' -# -sub port_to_bridge( $ ) { - my $portref = $interface_table->{$_[0]}; - return $portref && $portref->{options}{port} ? $portref->{bridge} : ''; -} - -# -# Return the bridge associated with the passed interface. -# -sub source_port_to_bridge( $ ) { - my $portref = $interface_table->{$_[0]}; - return $portref ? 
$portref->{bridge} : ''; -} - -# -# Return the 'optional' setting of the passed interface -# -sub interface_is_optional($) { - my $optionsref = $interface_table->{$_[0]}{options}; - $optionsref && $optionsref->{optional}; -} - -# -# Returns reference to array of interfaces with the passed option -# -sub find_interfaces_by_option( $ ) { - my $option = $_[0]; - my @ints = (); - - for my $interface ( @{$interface_list} ) { - my $optionsref = $interface_table->{$interface}{options}; - if ( $optionsref && defined $optionsref->{$option} ) { - push @ints , $interface - } - } - - \@ints; -} - -# -# Return the value of an option for an interface -# -sub get_interface_option( $$ ) { - my ( $interface, $option ) = @_; - - $interface_table->{$interface}{options}{$option}; -} - -# -# Set an option for an interface -# -sub set_interface_option( $$$ ) { - my ( $interface, $option, $value ) = @_; - - $interface_table->{$interface}{options}{$option} = $value; -} - -# -# Validates the hosts file. Generates entries in %zone{..}{hosts} -# -sub validate_hosts_file() -{ - my %validoptions = ( - blacklist => 1, - maclist => 1, - norfc1918 => 1, - nosmurfs => 1, - routeback => 1, - routefilter => 1, - tcpflags => 1, - broadcast => 1, - destonly => 1, - sourceonly => 1, - ); - - my $ipsec = 0; - my $first_entry = 1; - - my $fn = open_file ($zone_family == F_INET ? 
'hosts' : '6hosts'); - - while ( read_a_line ) { - - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - - my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file'; - - my $zoneref = $zones{$zone}; - my $type = $zoneref->{type}; - - fatal_error "Unknown ZONE ($zone)" unless $type; - fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall'; - - my $interface; - - if ( $zone_family == F_INET ) { - if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) { - $interface = $1; - $hosts = $2; - $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown interface ($interface)" unless $interface_table->{$interface}{root}; - } else { - fatal_error "Invalid HOST(S) column contents: $hosts"; - } - } elsif ( $hosts =~ /^([\w.@%-]+\+?);(.*)$/ ) { - $interface = $1; - $hosts = $2; - $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown interface ($interface)" unless $interface_table->{$interface}{root}; - } else { - fatal_error "Invalid HOST(S) column contents: $hosts"; - } - - if ( $type =~ /^bport/ ) { - if ( $zoneref->{bridge} eq '' ) { - fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interface_table->{$interface}{options}{port}; - $zoneref->{bridge} = $interface_table->{$interface}{bridge}; - } elsif ( $zoneref->{bridge} ne $interface_table->{$interface}{bridge} ) { - fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; - } - } - - my $optionsref = {}; - - if ( $options ne '-' ) { - my @options = split_list $options, 'option'; - my %options; - - for my $option ( @options ) - { - if ( $option eq 'ipsec' ) { - $type = 'ipsec4'; - $zoneref->{options}{complex} = 1; - $ipsec = 1; - } elsif ( $validoptions{$option}) { - $options{$option} = 1; - } else { - fatal_error "Invalid option ($option)"; - } - } - - $optionsref = \%options; - } - - # - # Looking for the '!' 
at the beginning of a list element is more straight-foward than looking for it in the middle. - # - # Be sure we don't have a ',!' in the original - # - fatal_error "Invalid hosts list" if $hosts =~ /,!/; - # - # Now add a comma before '!'. Do it globally - add_group_to_zone() correctly checks for multiple exclusions - # - $hosts =~ s/!/,!/g; - # - # Take care of case where the hosts list begins with '!' - # - $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; - - add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); - - progress_message " Host \"$currentline\" validated"; - } - - $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones; -} - -# -# Returns a reference to a array of host entries. Each entry is a -# reference to an array containing ( interface , polciy match type {ipsec|none} , network ); -# -sub find_hosts_by_option( $ ) { - my $option = $_[0]; - my @hosts; - - for my $zone ( non_firewall_zones() ) { - while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { - while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { - for my $host ( @{$arrayref} ) { - if ( $host->{options}{$option} ) { - for my $net ( @{$host->{hosts}} ) { - push @hosts, [ $interface, $host->{ipsec} , $net ]; - } - } - } - } - } - } - - for my $interface ( @{$interface_list} ) { - if ( ! $interface_table->{$interface}{zone} && $interface_table->{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIP ]; - } - } - - \@hosts; -} - -1; diff --git a/Shorewall-perl-maybe/compiler.pl b/Shorewall-perl-maybe/compiler.pl deleted file mode 100755 index 9a3c1826a..000000000 --- a/Shorewall-perl-maybe/compiler.pl +++ /dev/null 
@@ -1,109 +0,0 @@ -#! /usr/bin/perl -w -# -# The Shoreline Firewall4 (Shorewall-perl) Packet Filtering Firewall Compiler - V4.2 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# compiler.pl [