diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index bdc15b059..d5206dbe5 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -94,7 +94,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
'' ;
if ( $rule2 ) {
- expand_rule
+ expand_rule
$jumpchainref ,
NO_RESTRICT ,
$rule ,
@@ -119,10 +119,10 @@ sub setup_accounting() {
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 1, 8, 'Accounting File';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
$first_entry = 0;
}
-
+
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
}
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 3914a308b..4924b17a9 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -32,18 +32,18 @@ use Shorewall::Macros;
use strict;
our @ISA = qw(Exporter);
-our @EXPORT = qw( merge_levels
+our @EXPORT = qw( merge_levels
isolate_basic_target
- add_requiredby
+ add_requiredby
createlogactionchain
- createactionchain
+ createactionchain
find_logactionchain
process_actions1
process_actions2
process_actions3
- %usedactions
- %default_actions
+ %usedactions
+ %default_actions
%actions
);
our @EXPORT_OK = qw( );
@@ -100,7 +100,7 @@ sub merge_levels ($$) {
return "$target:$level:$tag" if $level =~ /!$/;
return $subordinate if $subparts >= 2;
return "$target:$level";
- }
+ }
if ( @supparts == 2 ) {
return "$target:none!" if $level eq 'none!';
@@ -152,7 +152,7 @@ sub add_requiredby ( $$ ) {
# action chain name is 2-3 characters longer than the base chain name,
# this function truncates the original chain name where necessary before
# it adds the leading "%" and trailing sequence number.
-#
+#
sub createlogactionchain( $$ ) {
my ( $action, $level ) = @_;
my $chain = $action;
@@ -243,7 +243,7 @@ sub process_actions1() {
for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
new_action $act;
}
-
+
for my $file ( qw/actions.std actions/ ) {
open_file $file;
@@ -311,7 +311,7 @@ sub process_actions1() {
$targettype = 0 unless defined $targettype;
- fatal_error "Invalid target ($mtarget)"
+ fatal_error "Invalid target ($mtarget)"
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
}
@@ -329,8 +329,8 @@ sub process_actions1() {
}
}
-sub process_actions2 () {
- progress_message2 'Generating Transitive Closure of Used-action List...';
+sub process_actions2 () {
+ progress_message2 'Generating Transitive Closure of Used-action List...';
my $changed = 1;
@@ -367,7 +367,7 @@ sub process_action3( $$$$$ ) {
expand_rule ( $chainref ,
NO_RESTRICT ,
- do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
+ do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
$source ,
$dest ,
'', #Original Dest
@@ -379,9 +379,9 @@ sub process_action3( $$$$$ ) {
my $actionfile = find_file "action.$action";
my $standard = ( $actionfile =~ /^$globals{SHAREDIR}/ );
-
+
fatal_error "Missing Action File: $actionfile" unless -f $actionfile;
-
+
progress_message2 "Processing $actionfile for chain $chainref->{name}...";
open_file $actionfile;
@@ -474,7 +474,7 @@ sub process_action3( $$$$$ ) {
} else {
process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
- }
+ }
}
$comment = '';
@@ -511,28 +511,28 @@ sub process_actions3 () {
sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
- log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
+ log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP';
}
sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_;
- log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
+ log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT';
}
sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
- log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
+ log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT';
}
sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_;
- log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
+ log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT';
}
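Review bot: In `dropInvalid` the log rule is labelled `DROP` but the rule added on the next line uses `-j REJECT`, so packets in INVALID state get a reject response instead of being silently discarded, and the logged disposition does not match what the firewall did. The other three helpers in this hunk (`dropNotSyn`, `rejNotSyn`, `allowInvalid`) use the same target in both of their lines. If dropping is what the action name promises, the second line should read `add_rule $chainref , '-m state --state INVALID -j DROP';`.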
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 6ac492657..16d3be080 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -101,14 +101,14 @@ our @EXPORT = qw( STANDARD
get_interface_addresses
create_netfilter_load
- @policy_chains
- %chain_table
- $nat_table
- $mangle_table
+ @policy_chains
+ %chain_table
+ $nat_table
+ $mangle_table
$filter_table
$section
%sections
- $comment
+ $comment
%targets
);
our @EXPORT_OK = ();
@@ -123,7 +123,7 @@ our @VERSION = 1.00;
# table =>
# is_policy => 0|1
# is_optionsl => 0|1
-# referenced => 0|1
+# referenced => 0|1
# policy =>
# loglevel =>
# synparams =>
@@ -143,10 +143,10 @@ our @VERSION = 1.00;
#
# Only 'referenced' chains get written to the iptables-restore output.
#
-# 'loglevel', 'synparams' and 'default' only apply to policy chains.
+# 'loglevel', 'synparams' and 'default' only apply to policy chains.
#
our @policy_chains;
-our %chain_table = ( raw => {} ,
+our %chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
@@ -243,7 +243,7 @@ my $chainseq;
#
# Count of the number of unclosed loops in generated shell code. We insert shell code
-# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
+# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
# emits that code inline for execution at run-time.
#
my $loopcount = 0;
@@ -300,7 +300,7 @@ sub insert_rule($$$)
}
#
-# Form the name of a chain.
+# Form the name of a chain.
#
sub chain_base($) {
my $chain = $_[0];
@@ -547,7 +547,7 @@ sub initialize_chain_table()
}
#
-# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
+# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
#
sub finish_chain_section ($$) {
my ($chainref, $state ) = @_;
@@ -562,7 +562,7 @@ sub finish_chain_section ($$) {
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
- }
+ }
} else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
@@ -579,7 +579,7 @@ sub finish_chain_section ($$) {
#
# Do section-end processing
-#
+#
sub finish_section ( $ ) {
my $sections = $_[0];
@@ -620,7 +620,7 @@ sub do_proto( $$$ )
$output = "-p $proto ";
if ( $ports ) {
my @ports = split /,/, $ports;
- my $count = @ports;
+ my $count = @ports;
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
@@ -629,7 +629,7 @@ sub do_proto( $$$ )
if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
$count++;
- }
+ }
}
fatal_error "Too many entries in port list: $ports" if $count > 15;
@@ -642,7 +642,7 @@ sub do_proto( $$$ )
if ( $sports ) {
my @ports = split /,/, $sports;
- my $count = @ports;
+ my $count = @ports;
if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
@@ -683,7 +683,7 @@ sub mac_match( $ ) {
my $mac = $_[0];
$mac =~ s/^(!?)~//;
- $mac =~ s/^!// if my $invert = ( $1 ? '! ' : '');
+ $mac =~ s/^!// if my $invert = ( $1 ? '! ' : '');
$mac =~ s/-/:/g;
"--match mac --mac-source ${invert}$mac ";
@@ -705,7 +705,7 @@ sub verify_mark( $ ) {
my $mark = $_[0];
my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF;
- fatal_error "Invalid Mark or Mask value: $mark"
+ fatal_error "Invalid Mark or Mask value: $mark"
unless numeric_value( $mark ) <= $limit;
}
@@ -837,7 +837,7 @@ sub get_set_flags( $$ ) {
#
sub match_source_net( $ ) {
my $net = $_[0];
-
+
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
iprange_match . "${invert}--src-range $net ";
@@ -883,7 +883,7 @@ sub match_orig_dest ( $ ) {
return '' if $net eq ALLIPv4;
return '' unless $capabilities{CONNTRACK_MATCH};
-
+
if ( $net =~ /^!/ ) {
$net =~ s/!//;
"-m conntrack --ctorigdst ! $net ";
@@ -904,13 +904,13 @@ sub match_ipsec_in( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
- } elsif ( $capabilities{POLICY_MATCH} ) {
+ } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else {
'';
}
}
-
+
#
# Match Dest IPSEC
#
@@ -922,7 +922,7 @@ sub match_ipsec_out( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
- } elsif ( $capabilities{POLICY_MATCH} ) {
+ } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else {
'';
@@ -1023,11 +1023,11 @@ sub interface_address( $ ) {
}
#
-# Record that the ruleset requires the first IP address on the passed interface
+# Record that the ruleset requires the first IP address on the passed interface
#
sub get_interface_address ( $ ) {
my ( $interface ) = $_[0];
-
+
my $variable = interface_address( $interface );
$interfaceaddr{$interface} = "$variable=\$(find_first_interface_address $interface)";
@@ -1043,11 +1043,11 @@ sub interface_addresses( $ ) {
}
#
-# Record that the ruleset requires the IP addresses on the passed interface
+# Record that the ruleset requires the IP addresses on the passed interface
#
sub get_interface_addresses ( $ ) {
my ( $interface ) = $_[0];
-
+
my $variable = interface_addresses( $interface );
$interfaceaddr{$interface} = qq($variable=\$(get_interface_addresses $interface)
@@ -1065,7 +1065,7 @@ sub interface_nets( $ ) {
}
#
-# Record that the ruleset requires the first IP address on the passed interface
+# Record that the ruleset requires the first IP address on the passed interface
#
sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0];
@@ -1077,12 +1077,12 @@ sub get_interface_nets ( $ ) {
);
"\$$variable";
-
+
}
#
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
-#
+#
sub expand_rule( $$$$$$$$$$ )
{
my ($chainref , $restriction, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_;
@@ -1135,11 +1135,11 @@ sub expand_rule( $$$$$$$$$$ )
$rule .= '-s $source ';
#
- # While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
+ # While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
#
$loopcount++;
} else {
- fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
+ fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
if $restriction & OUTPUT_RESTRICT;
$rule .= "-i $iiface ";
}
@@ -1229,7 +1229,7 @@ sub expand_rule( $$$$$$$$$$ )
} else {
get_interface_address $interfaces[0];
$rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
- }
+ }
$origdest = '';
} else {
@@ -1324,7 +1324,7 @@ sub expand_rule( $$$$$$$$$$ )
}
#
- # The final rule in the exclusion chain will not qualify the source or destination
+ # The final rule in the exclusion chain will not qualify the source or destination
#
$inets = ALLIPv4;
$dnets = ALLIPv4;
@@ -1354,7 +1354,7 @@ sub expand_rule( $$$$$$$$$$ )
log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel;
#
# Generate Final Rule
- #
+ #
add_rule $echainref, $exceptionrule . $target unless $disposition eq 'LOG';
} else {
#
@@ -1366,20 +1366,20 @@ sub expand_rule( $$$$$$$$$$ )
$inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) {
if ( $loglevel ) {
- log_rule_limit
- $loglevel ,
- $chainref ,
- $chain,
- $disposition ,
- '' ,
- $logtag ,
- 'add' ,
+ log_rule_limit
+ $loglevel ,
+ $chainref ,
+ $chain,
+ $disposition ,
+ '' ,
+ $logtag ,
+ 'add' ,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet );
}
unless ( $disposition eq 'LOG' ) {
- add_rule
- $chainref,
+ add_rule
+ $chainref,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target );
}
}
diff --git a/Shorewall-perl/Shorewall/Common.pm b/Shorewall-perl/Shorewall/Common.pm
index 813a09c89..77cb27a30 100644
--- a/Shorewall-perl/Shorewall/Common.pm
+++ b/Shorewall-perl/Shorewall/Common.pm
@@ -101,7 +101,7 @@ sub fatal_error
#
# Write the argument to the object file (if any) with the current indentation.
-#
+#
# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
#
sub emit ( $ ) {
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 2fb0dd43f..6a32bb86f 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -29,7 +29,7 @@ use Shorewall::Common;
our @ISA = qw(Exporter);
our @EXPORT = qw(
- warning_message
+ warning_message
fatal_error
find_file
split_line
@@ -65,7 +65,7 @@ our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
#
# From shorewall.conf file
#
-our %config =
+our %config =
( STARTUP_ENABLED => undef,
VERBOSITY => undef,
#
@@ -159,7 +159,7 @@ my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
#
# From parsing the capabilities file
#
-our %capabilities =
+our %capabilities =
( NAT_ENABLED => undef,
MANGLE_ENABLED => undef,
MULTIPORT => undef,
@@ -237,7 +237,7 @@ my $currentlinenumber = 0;
#
# Issue a Warning Message
#
-sub warning_message
+sub warning_message
{
my $lineinfo = $currentfile ? " : $currentfilename ( line $currentlinenumber )" : '';
@@ -255,7 +255,7 @@ sub fatal_error {
#
# Search the CONFIG_PATH for the passed file
#
-sub find_file($)
+sub find_file($)
{
my $filename=$_[0];
@@ -320,14 +320,14 @@ sub open_file( $ ) {
}
#
-# This function is normally called below in read_a_line() when EOF is reached. Clients of the
+# This function is normally called below in read_a_line() when EOF is reached. Clients of the
# module may also call the function to close the file before EOF
#
sub close_file() {
if ( $currentfile ) {
close $currentfile;
-
+
my $arrayref = pop @includestack;
if ( $arrayref ) {
@@ -363,7 +363,7 @@ sub pop_open() {
} else {
$currentfile = undef;
}
-}
+}
#
# Read a line from the current include stack.
@@ -397,7 +397,7 @@ sub read_a_line {
#
# Ignore ( concatenated ) Blank Lines
#
- if ( $line =~ /^\s*$/ ) {
+ if ( $line =~ /^\s*$/ ) {
$line = '';
next;
}
@@ -410,18 +410,18 @@ sub read_a_line {
#
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\${([a-zA-Z]\w*)}(.*)$/;
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/;
-
+
if ( $line =~ /^INCLUDE\s/ ) {
-
+
my @line = split /\s+/, $line;
-
+
fatal_error "Invalid INCLUDE command: $line" if @line != 2;
fatal_error "INCLUDEs nested too deeply: $line" if @includestack >= 4;
-
+
my $filename = find_file $line[1];
-
+
fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
-
+
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
@@ -433,7 +433,7 @@ sub read_a_line {
return 1;
}
}
-
+
close_file;
}
}
@@ -500,7 +500,7 @@ sub load_kernel_modules( ) {
if ( @moduledirectories && open_file 'modules' ) {
my %loadedmodules;
-
+
progress_message "Loading Modules...";
open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@@ -509,7 +509,7 @@ sub load_kernel_modules( ) {
my $module = ( split( /\s+/, $line ) )[0];
$loadedmodules{$module} = 1 unless $module eq 'Module'
}
-
+
close LSMOD;
$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
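Review bot: The default on the last line of this hunk tests `$config{MODULES_SUFFIX}` but assigns `$config{MODULE_SUFFIX}`, so the guard and the assignment use differently spelled keys. If the option is the singular form, a user-supplied value is always overwritten with the built-in list; I would write `$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};`. Which spelling the rest of `load_kernel_modules` reads is not visible here, because the function continues outside the hunk.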
@@ -536,7 +536,7 @@ sub load_kernel_modules( ) {
}
}
}
- }
+ }
}
#
@@ -550,14 +550,14 @@ sub qt( $ ) {
# Determine which optional facilities are supported by iptables/netfilter
#
sub determine_capabilities() {
-
+
my $iptables = $config{IPTABLES};
$capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" );
$capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" );
qt( "$iptables -N fooX1234" );
-
+
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
$capabilities{MULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT" );
$capabilities{XMULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT" );
@@ -578,7 +578,7 @@ sub determine_capabilities() {
$capabilities{CONNMARK_MATCH} = 1;
$capabilities{XCONNMARK_MATCH} = qt( "$iptables -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT" );
}
-
+
$capabilities{IPP2P_MATCH} = qt( "$iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT" );
$capabilities{LENGTH_MATCH} = qt( "$iptables -A fooX1234 -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt( "$iptables -A fooX1234 -j REJECT --reject-with icmp-host-prohibited" );
@@ -624,7 +624,7 @@ sub determine_capabilities() {
qt( "$iptables -F fooX1234" );
qt( "$iptables -X fooX1234" );
-}
+}
sub require_capability( $$ ) {
my ( $capability, $description ) = @_;
@@ -642,10 +642,10 @@ sub ensure_config_path( $ ) {
my $f = "$globals{SHAREDIR}/configpath";
$ENV{CONFDIR} = $export ? '/usr/share/shorewall/configfiles/' : '/etc/shorewall/';
-
+
unless ( $config{CONFIG_PATH} ) {
fatal_error "$f does not exist" unless -f $f;
-
+
open_file $f;
while ( read_a_line ) {
@@ -656,7 +656,7 @@ sub ensure_config_path( $ ) {
fatal_error "Unrecognized entry";
}
}
-
+
fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
}
@@ -722,7 +722,7 @@ sub get_configuration( $ ) {
}
load_kernel_modules;
-
+
unless ( open_file 'capabilities' ) {
determine_capabilities;
}
@@ -759,7 +759,7 @@ sub get_configuration( $ ) {
}
if ( $config{IP_FORWARDING} ) {
- fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING"
+ fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING"
unless $config{IP_FORWARDING} =~ /^(On|Off|Keep)$/i;
} else {
$config{IP_FORWARDING} = 'On';
@@ -845,7 +845,7 @@ sub get_configuration( $ ) {
} else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
}
- } else {
+ } else {
default 'MACLIST_TABLE' , 'filter';
}
diff --git a/Shorewall-perl/Shorewall/Hosts.pm b/Shorewall-perl/Shorewall/Hosts.pm
index 33ca0cf17..0955ea20b 100644
--- a/Shorewall-perl/Shorewall/Hosts.pm
+++ b/Shorewall-perl/Shorewall/Hosts.pm
@@ -36,7 +36,7 @@ our @EXPORT_OK = ();
our @VERSION = 1.00;
#
-# Validates the hosts file. Generates entries in %zone{..}{hosts}
+# Validates the hosts file. Generates entries in %zone{..}{hosts}
#
sub validate_hosts_file()
{
@@ -113,8 +113,8 @@ sub validate_hosts_file()
$capabilities{POLICY_MATCH} = '' unless $ipsec or $zones{ipsec};
}
#
-# Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , group type {ipsec|none} , network );
+# Returns a reference to a array of host entries. Each entry is a
+# reference to an array containing ( interface , group type {ipsec|none} , network );
#
sub find_hosts_by_option( $ ) {
my $option = $_[0];
diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm
index 80a2623a9..1847fcb20 100644
--- a/Shorewall-perl/Shorewall/IPAddrs.pm
+++ b/Shorewall-perl/Shorewall/IPAddrs.pm
@@ -29,7 +29,7 @@ use Shorewall::Config;
use strict;
our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = qw(
ip_range_explicit
);
our @EXPORT_OK = qw( );
diff --git a/Shorewall-perl/Shorewall/Interfaces.pm b/Shorewall-perl/Shorewall/Interfaces.pm
index a70ad39df..afcef81cc 100644
--- a/Shorewall-perl/Shorewall/Interfaces.pm
+++ b/Shorewall-perl/Shorewall/Interfaces.pm
@@ -30,9 +30,9 @@ use Shorewall::Zones;
use strict;
our @ISA = qw(Exporter);
-our @EXPORT = qw( add_group_to_zone
+our @EXPORT = qw( add_group_to_zone
validate_interfaces_file
- known_interface
+ known_interface
find_interfaces_by_option
get_interface_option
@@ -113,7 +113,7 @@ sub add_group_to_zone($$$$$)
#
# Parse the interfaces file.
#
-
+
sub validate_interfaces_file()
{
my %validoptions = (arp_filter => 1,
@@ -143,7 +143,7 @@ sub validate_interfaces_file()
my $zoneref;
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
$first_entry = 0;
}
diff --git a/Shorewall-perl/Shorewall/Macros.pm b/Shorewall-perl/Shorewall/Macros.pm
index 77de50bb9..9c390c18b 100644
--- a/Shorewall-perl/Shorewall/Macros.pm
+++ b/Shorewall-perl/Shorewall/Macros.pm
@@ -32,9 +32,9 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( find_macro
- split_action
- substitute_action
- merge_macro_source_dest
+ split_action
+ substitute_action
+ merge_macro_source_dest
merge_macro_column
%macros );
@@ -61,7 +61,7 @@ sub find_macro( $ )
}
#
-# Return ( action, level[:tag] ) from passed full action
+# Return ( action, level[:tag] ) from passed full action
#
sub split_action ( $ ) {
my $action = $_[0];
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index d1adadc83..9fe22dd47 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -42,7 +42,7 @@ my %addresses_to_add;
#
# Handle IPSEC Options in a masq record
#
-sub do_ipsec_options($)
+sub do_ipsec_options($)
{
my %validoptions = ( strict => NOTHING,
next => NOTHING,
@@ -143,7 +143,7 @@ sub setup_one_masq($$$$$$)
$fullinterface = $one;
$destnets = $two;
}
- }
+ }
#
# Isolate and verify the interface part
@@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$)
#
# Process the masq file
#
-sub setup_masq()
+sub setup_masq()
{
my $first_entry = 1;
@@ -247,7 +247,7 @@ sub setup_masq()
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 2, 6, 'masq file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
$first_entry = 0;
}
@@ -361,7 +361,7 @@ sub setup_nat() {
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 3, 5, 'nat file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
$first_entry = 0;
}
@@ -396,7 +396,7 @@ sub setup_netmap() {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
$first_entry = 0;
}
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index d0ad890e6..2f7f6c905 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@@ -44,7 +44,7 @@ sub new_policy_chain($$$)
{
my ($chain, $policy, $optional) = @_;
- my $chainref = new_chain 'filter', $chain;
+ my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
@@ -75,11 +75,11 @@ sub validate_policy()
sub print_policy($$$$)
{
my ( $source, $dest, $policy , $chain ) = @_;
- progress_message " Policy for $source to $dest is $policy using chain $chain"
+ progress_message " Policy for $source to $dest is $policy using chain $chain"
unless ( $source eq $dest ) || ( $source eq 'all' ) || ( $dest eq 'all' );
}
- my %validpolicies = (
+ my %validpolicies = (
ACCEPT => undef,
REJECT => undef,
DROP => undef,
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 5305178bf..34d34d066 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -315,7 +315,7 @@ sub setup_providers() {
if ( $source eq '-' ) {
$source = '';
- } elsif ( $source =~ /:/ ) {
+ } elsif ( $source =~ /:/ ) {
( my $interface, $source ) = split /:/, $source;
$source = "iif $interface from $source";
} elsif ( $source =~ /\..*\..*/ ) {
@@ -364,12 +364,12 @@ sub setup_providers() {
'# Initialize the file that holds \'undo\' commands',
'#',
'> ${VARDIR}/undo_routing' );
-
+
save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE=';
}
-
+
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@@ -434,7 +434,7 @@ sub setup_providers() {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
-
+
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority );
@@ -444,7 +444,7 @@ sub setup_providers() {
emit "\nrun_ip route flush cache";
pop_indent;
emit "fi\n";
-
+
setup_route_marking if @routemarked_interfaces;
} else {
emit "\nundo_routing";
diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm
index 6f7007ab2..bfc2ceda6 100644
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@@ -30,7 +30,7 @@ use Shorewall::Interfaces;
use strict;
our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = qw(
setup_proxy_arp
dump_proxy_arp
);
@@ -99,7 +99,7 @@ sub setup_proxy_arp() {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
-
+
$set{$interface} = 1;
$reset{$external} = 1 unless $set{$external};
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 9c51296a5..084437752 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( process_tos
setup_ecn
- add_common_rules
+ add_common_rules
setup_mac_lists
process_criticalhosts
process_routestopped
@@ -68,7 +68,7 @@ sub process_tos() {
my $first_entry = 1;
my ( $pretosref, $outtosref );
-
+
while ( read_a_line ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 6, 'tos file';
@@ -99,7 +99,7 @@ sub process_tos() {
$dst =~ s/^all:?//;
- expand_rule
+ expand_rule
$chainref ,
$restriction ,
do_proto( $proto, $ports, $sports ) ,
@@ -158,7 +158,7 @@ sub setup_ecn()
for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
-
+
if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
} else {
@@ -295,7 +295,7 @@ sub setup_blacklist() {
$first_entry = 0;
}
- expand_rule(
+ expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
@@ -306,7 +306,7 @@ sub setup_blacklist() {
'' ,
$disposition ,
'' );
-
+
progress_message " \"$line\" added to blacklist";
}
}
@@ -319,11 +319,11 @@ sub setup_blacklist() {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
-
+
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
}
-
+
progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
@@ -360,7 +360,7 @@ sub process_criticalhosts() {
for my $option (split /,/, $options ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) {
if ( $option eq 'critical' ) {
- push @critical, @hosts;
+ push @critical, @hosts;
} else {
warning_message "Unknown routestopped option ( $option ) ignored";
}
@@ -498,7 +498,7 @@ sub add_common_rules() {
if ( $capabilities{ADDRTYPE} ) {
$chainref = new_standard_chain 'smurfs';
- add_rule $chainref , '-s 0.0.0.0 -j RETURN';
+ add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
add_rule_pair $chainref, '-m addrtype --src-type MULTICAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
@@ -603,7 +603,7 @@ sub add_common_rules() {
}
}
- (new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
+ (new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
@@ -752,7 +752,7 @@ sub setup_mac_lists( $ ) {
add_command $chainref, " ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do";
add_command $chainref, ' address=${address%/*}';
add_command $chainref, ' if [ -n "$broadcast" ]; then';
- add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3';
+ add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3';
add_command $chainref, ' fi';
add_command $chainref, '';
add_command $chainref, ' echo "-A $chain -s $address -d 255.255.255.255 -j RETURN" >&3';
@@ -874,15 +874,15 @@ sub process_rule1 ( $$$$$$$$$ ) {
#
process_macro
$macros{$basictarget},
- $target ,
- $param ,
- $source,
- $dest,
- $proto,
- $ports,
- $sports,
- $origdest,
- $ratelimit,
+ $target ,
+ $param ,
+ $source,
+ $dest,
+ $proto,
+ $ports,
+ $sports,
+ $origdest,
+ $ratelimit,
$user;
return;
}
@@ -935,7 +935,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
$dest = ALLIPv4;
}
- fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
+ fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
my $restriction = NO_RESTRICT;
@@ -1031,7 +1031,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
'' ,
$target ,
$loglevel ,
- $action ,
+ $action ,
$serverport ? do_proto( $proto, '', '' ) : '';
#
# After NAT:
@@ -1180,12 +1180,12 @@ sub process_rule ( $$$$$$$$$ ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
}
- }
+ }
}
} else {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
- }
+ }
}
} elsif ( $dest eq 'all' ) {
for my $zone1 ( @zones ) {
@@ -1258,7 +1258,7 @@ sub process_rules() {
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
#
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
-#
+#
sub generate_matrix() {
#
# Helper functions for generate_matrix()
@@ -1377,7 +1377,7 @@ sub generate_matrix() {
my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule
- find_chainref( 'filter' , forward_chain $interface ) ,
+ find_chainref( 'filter' , forward_chain $interface ) ,
match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" );
}
}
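Review bot: The unchanged line `match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" )` interpolates `$frwd_ref->n{name}`, which Perl expands as the stringified value of `$frwd_ref` followed by the literal text `->n{name}`, so the emitted jump target is not a chain name. The stray `n` looks like a typo for `$frwd_ref->{name}`. It also appears that the whole joined string, not just `$net`, is passed to `match_source_net`; presumably `join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )` was meant. That should be confirmed against the rest of `generate_matrix`, which lies outside this hunk.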
@@ -1393,11 +1393,11 @@ sub generate_matrix() {
my $source_hosts_ref = $zoneref->{hosts};
my $chain1 = rules_target $firewall_zone , $zone;
my $chain2 = rules_target $zone, $firewall_zone;
- my $complex = $zoneref->{options}{complex} || 0;
+ my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type};
my $exclusions = $zoneref->{exclusions};
my $need_broadcast = {}; ### Fixme ###
- my $frwd_ref = 0;
+ my $frwd_ref = 0;
my $chain = 0;
if ( $complex ) {
@@ -1421,7 +1421,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) {
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
- my $ipsec_out_match = match_ipsec_out $zone , $hostref;
+ my $ipsec_out_match = match_ipsec_out $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
my $source = match_source_net $net;
my $dest = match_dest_net $net;
@@ -1568,7 +1568,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) {
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
- my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
+ my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" );
}
@@ -1588,11 +1588,11 @@ sub generate_matrix() {
for my $interface1 ( keys %$type1ref ) {
my $array1ref = $type1ref->{$interface1};
for my $host1ref ( @$array1ref ) {
- my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
+ my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
- add_rule
- $chain3ref ,
+ add_rule
+ $chain3ref ,
join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" );
}
}
@@ -1654,8 +1654,8 @@ sub generate_matrix() {
if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ {
for my $chain ( @{$builtins{$table}} ) {
- log_rule_limit
- $config{LOGALLNEW} ,
+ log_rule_limit
+ $config{LOGALLNEW} ,
$chain_table{$table}{$chain} ,
$table ,
$chain ,
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 3b8bf405d..4537aa018 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -53,7 +53,7 @@ my %tcs = ( t => { chain => 'tcpost',
} ,
c => { target => 'CONNMARK --set-mark' ,
connmark => 1 ,
- fw => 1
+ fw => 1
} ,
p => { chain => 'tcpre' ,
connmark => 0 ,
@@ -89,7 +89,7 @@ my %tcs = ( t => { chain => 'tcpost',
use constant { NOMARK => 0 ,
SMALLMARK => 1 ,
- HIGHMARK => 2
+ HIGHMARK => 2
};
my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
@@ -105,7 +105,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' },
target => 'RETURN' ,
mark => NOMARK ,
- mask => ''
+ mask => ''
} ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' ,
@@ -114,7 +114,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark ' ,
mark => HIGHMARK ,
- mask => ''
+ mask => ''
}
);
@@ -200,11 +200,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
validate_mark $mark;
- fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
+ fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) < 0xFF && $config{HIGH_ROUTE_MARKS};
}
- expand_rule
+ expand_rule
ensure_chain( 'mangle' , $chain ) ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
@@ -227,7 +227,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
#
# %tcdevices { -> {in_bandwidth => ,
# out_bandwidth =>
-# number =>
+# number =>
# default => }
#
my @tcdevices;
@@ -419,7 +419,7 @@ sub setup_traffic_shaping() {
);
}
- $devref->{number} = $devnum++;
+ $devref->{number} = $devnum++;
save_progress_message_short " TC Device $device defined.";
@@ -494,7 +494,7 @@ sub setup_traffic_shaping() {
#
sub setup_tc() {
- my $first_entry = 1;
+ my $first_entry = 1;
if ( $capabilities{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
@@ -508,15 +508,15 @@ sub setup_tc() {
if ( my $fn = open_file 'tcrules' ) {
while ( read_a_line ) {
-
+
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 2, 10, 'tcrules file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
$first_entry = 0;
}
-
+
if ( $mark eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@@ -527,7 +527,7 @@ sub setup_tc() {
} else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
}
-
+
}
$comment = '';
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index d0f648d50..f8cf8489c 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -51,12 +51,12 @@ sub setup_tunnels() {
my $options = '-m $state --state NEW -j ACCEPT';
- add_rule $inchainref, "-p 50 $source -j ACCEPT";
- add_rule $outchainref, "-p 50 $dest -j ACCEPT";
+ add_rule $inchainref, "-p 50 $source -j ACCEPT";
+ add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
- add_rule $inchainref, "-p 51 $source -j ACCEPT";
- add_rule $outchainref, "-p 51 $dest -j ACCEPT";
+ add_rule $inchainref, "-p 51 $source -j ACCEPT";
+ add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
add_rule $outchainref, "-p udp $dest --dport 500 $options";
@@ -240,7 +240,7 @@ sub setup_tunnels() {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 2, 4, 'tunnels file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
$first_entry = 0;
}
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index fe91f3446..4290682f4 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -39,9 +39,9 @@ our @EXPORT = qw( NOTHING
zone_report
dump_zone_contents
- @zones
+ @zones
%zones
- $firewall_zone
+ $firewall_zone
%interfaces );
our @EXPORT_OK = ();
@@ -58,7 +58,7 @@ use constant { NOTHING => 'NOTHING',
};
#
-# Zone Table.
+# Zone Table.
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
#
@@ -66,7 +66,7 @@ use constant { NOTHING => 'NOTHING',
# options => { complex => 0|1
# in_out => < policy match string >
# in => < policy match string >
-# out => < policy match string >
+# out => < policy match string >
# }
# parents => [ ] Parents, Children and interfaces are listed by name
# children => [ ]
@@ -86,7 +86,7 @@ use constant { NOTHING => 'NOTHING',
#
# $firewall_zone names the firewall zone.
#
-our @zones;
+our @zones;
our %zones;
our $firewall_zone;
@@ -170,7 +170,7 @@ sub parse_zone_option_list($)
$h{ipsec} = $options ? "$options " : '';
- \%h;
+ \%h;
}
#
@@ -191,7 +191,7 @@ sub determine_zones()
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
if ( $first_entry ) {
- progress_message2 "$doing $fn...";
+ progress_message2 "$doing $fn...";
$first_entry = 0;
}
@@ -266,7 +266,7 @@ sub determine_zones()
}
$ordered{$zone} = 1;
push @zones, $zone;
- $pushed = 1;
+ $pushed = 1;
}
}
}
@@ -275,7 +275,7 @@ sub determine_zones()
#
# Report about zones.
#
-sub zone_report()
+sub zone_report()
{
for my $zone ( @zones )
{
@@ -311,7 +311,7 @@ sub zone_report()
}
}
-sub dump_zone_contents()
+sub dump_zone_contents()
{
for my $zone ( @zones )
{
diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl
index 2daa8d753..6026563b9 100755
--- a/Shorewall-perl/compiler.pl
+++ b/Shorewall-perl/compiler.pl
@@ -101,7 +101,7 @@ sub generate_script_1() {
}
emit "TEMPFILE=\n";
-
+
for my $exit qw/init start tcclear started stop stopped/ {
emit "run_${exit}_exit() {";
push_indent;
@@ -111,8 +111,8 @@ sub generate_script_1() {
emit "}\n";
}
- emitj ( 'initialize()',
- '{'
+ emitj ( 'initialize()',
+ '{'
);
push_indent;
@@ -327,7 +327,7 @@ EOF
emit 'delete_tc1' if $config{CLEAR_TC};
emitj( 'undo_routing',
- 'restore_default_route'
+ 'restore_default_route'
);
my $criticalhosts = process_criticalhosts;
@@ -484,11 +484,11 @@ sub generate_script_2 () {
);
push_indent;
-
+
emit 'local restore_file=$1';
save_progress_message 'Initializing...';
-
+
if ( $export ) {
my $fn = find_file 'modules';
@@ -529,7 +529,7 @@ sub generate_script_2 () {
'delete_proxyarp',
''
);
-
+
emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
setup_mss( $config{CLAMPMSS} ) if $config{CLAMPMSS};
@@ -544,7 +544,7 @@ sub generate_script_2 () {
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
#
# Generate the 'setup_netfilter()' function that runs iptables-restore.
-# Generate the 'define_firewall()' function.
+# Generate the 'define_firewall()' function.
#
sub generate_script_3() {
@@ -618,23 +618,23 @@ EOF
pop_indent;
emit "}\n";
-
+
copy $globals{SHAREDIRPL} . 'prog.footer';
}
#
# The Compiler.
#
-# If the argument is non-null, it names the script file to generate.
+# If the argument is non-null, it names the script file to generate.
# Otherwise, this is a 'check' command and no script is produced.
#
sub compiler( $ ) {
-
+
my $objectfile = $_[0];
report_capabilities if $verbose > 1;
- require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" );
+ require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'ADDRTYPE' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
@@ -657,7 +657,7 @@ sub compiler( $ ) {
#
# Process the interfaces file.
#
- validate_interfaces_file;
+ validate_interfaces_file;
#
# Process the hosts file.
#
@@ -665,12 +665,12 @@ sub compiler( $ ) {
#
# Report zone contents
#
- progress_message2 "Determining Hosts in Zones...";
+ progress_message2 "Determining Hosts in Zones...";
zone_report;
#
# Do action pre-processing.
#
- progress_message2 "Preprocessing Action Files...";
+ progress_message2 "Preprocessing Action Files...";
process_actions1;
#
# Process the Policy File.
@@ -702,7 +702,7 @@ sub compiler( $ ) {
setup_proxy_arp;
#
# [Re-]establish Routing
- #
+ #
setup_providers;
#
# TCRules and Traffic Shaping
@@ -723,7 +723,7 @@ sub compiler( $ ) {
#
# MACLIST Filtration
#
- progress_message2 "$doing MAC Filtration -- Phase 1...";
+ progress_message2 "$doing MAC Filtration -- Phase 1...";
setup_mac_lists 1;
#
# Process the rules file.
@@ -741,13 +741,13 @@ sub compiler( $ ) {
#
# MACLIST Filtration again
#
- progress_message2 "$doing MAC Filtration -- Phase 2...";
+ progress_message2 "$doing MAC Filtration -- Phase 2...";
setup_mac_lists 2;
#
# Apply Policies
#
- progress_message2 'Applying Policies...';
- apply_policy_rules;
+ progress_message2 'Applying Policies...';
+ apply_policy_rules;
#
# Setup Nat
#
@@ -761,7 +761,7 @@ sub compiler( $ ) {
#
setup_accounting;
- progress_message2 'Generating Rule Matrix...';
+ progress_message2 'Generating Rule Matrix...';
generate_matrix;
generate_script_3;
diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions
index 894af6331..906cf27fc 100644
--- a/Shorewall-perl/prog.functions
+++ b/Shorewall-perl/prog.functions
@@ -79,7 +79,7 @@ startup_error() # $* = Error Message
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
-
+
kill $$
exit 2
}
diff --git a/Shorewall-perl/releasenotes.txt b/Shorewall-perl/releasenotes.txt
index 1925b9430..d4fe81178 100644
--- a/Shorewall-perl/releasenotes.txt
+++ b/Shorewall-perl/releasenotes.txt
@@ -45,7 +45,7 @@ and the Bourne-shell one. Some of these will probably go away by first
official release but most will not.
a) The Perl-based compiler requires the following capabilities in your
- kernel and iptables.
+ kernel and iptables.
- addrtype match (may be relaxed later)
- multiport match (will not be relaxed)
@@ -60,10 +60,10 @@ b) Now that Netfilter has features to deal reasonably with port lists,
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
- have extended multiport support.
+ have extended multiport support.
c) BRIDGING=Yes is not supported. The kernel code necessary to
- support this option was removed in Linux kernel 2.6.20.
+ support this option was removed in Linux kernel 2.6.20.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
@@ -133,10 +133,10 @@ i) Currently, support for ipsets is untested. That will change with
course) will normally be produced using the ipset -S
command.
- The above will work most of the time but will fail in a
- 'shorewall stop' - 'shorewall start' sequence if you
+ The above will work most of the time but will fail in a
+ 'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below).
-
+
ii) Your ipsets may not be reloaded until Shorewall is stopped or
cleared.
@@ -179,7 +179,7 @@ In addition to Shorewall-3.4.2 or later, you need:
----------------------------------------------------------------------------
I N S T A L L A T I O N
----------------------------------------------------------------------------
-Either
+Either
$ tar -jxf shorewall-perl-3.9.1.tar.bz2
$ cd shorewall-perl-3.9.1
@@ -191,7 +191,7 @@ or
----------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
----------------------------------------------------------------------------
-By default, the old Bourne-shell based compiler will be used.
+By default, the old Bourne-shell based compiler will be used.
To use the new compiler, add this to shorewall.conf: