Delete trailing whitespace

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5860 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-04-08 14:42:26 +00:00
parent d19dac49d0
commit c35af63298
20 changed files with 219 additions and 219 deletions


@ -94,7 +94,7 @@ sub process_accounting_rule( $$$$$$$$ ) {
'' ; '' ;
if ( $rule2 ) { if ( $rule2 ) {
expand_rule expand_rule
$jumpchainref , $jumpchainref ,
NO_RESTRICT , NO_RESTRICT ,
$rule , $rule ,
@ -119,10 +119,10 @@ sub setup_accounting() {
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 1, 8, 'Accounting File'; my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 1, 8, 'Accounting File';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user; process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
} }


@ -32,18 +32,18 @@ use Shorewall::Macros;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( merge_levels our @EXPORT = qw( merge_levels
isolate_basic_target isolate_basic_target
add_requiredby add_requiredby
createlogactionchain createlogactionchain
createactionchain createactionchain
find_logactionchain find_logactionchain
process_actions1 process_actions1
process_actions2 process_actions2
process_actions3 process_actions3
%usedactions %usedactions
%default_actions %default_actions
%actions %actions
); );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
@ -100,7 +100,7 @@ sub merge_levels ($$) {
return "$target:$level:$tag" if $level =~ /!$/; return "$target:$level:$tag" if $level =~ /!$/;
return $subordinate if $subparts >= 2; return $subordinate if $subparts >= 2;
return "$target:$level"; return "$target:$level";
} }
if ( @supparts == 2 ) { if ( @supparts == 2 ) {
return "$target:none!" if $level eq 'none!'; return "$target:none!" if $level eq 'none!';
@ -152,7 +152,7 @@ sub add_requiredby ( $$ ) {
# action chain name is 2-3 characters longer than the base chain name, # action chain name is 2-3 characters longer than the base chain name,
# this function truncates the original chain name where necessary before # this function truncates the original chain name where necessary before
# it adds the leading "%" and trailing sequence number. # it adds the leading "%" and trailing sequence number.
# #
sub createlogactionchain( $$ ) { sub createlogactionchain( $$ ) {
my ( $action, $level ) = @_; my ( $action, $level ) = @_;
my $chain = $action; my $chain = $action;
@ -243,7 +243,7 @@ sub process_actions1() {
for my $act ( grep $targets{$_} & ACTION , keys %targets ) { for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
new_action $act; new_action $act;
} }
for my $file ( qw/actions.std actions/ ) { for my $file ( qw/actions.std actions/ ) {
open_file $file; open_file $file;
@ -311,7 +311,7 @@ sub process_actions1() {
$targettype = 0 unless defined $targettype; $targettype = 0 unless defined $targettype;
fatal_error "Invalid target ($mtarget)" fatal_error "Invalid target ($mtarget)"
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' ); unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $mtarget eq 'LOG' );
} }
@ -329,8 +329,8 @@ sub process_actions1() {
} }
} }
sub process_actions2 () { sub process_actions2 () {
progress_message2 'Generating Transitive Closure of Used-action List...'; progress_message2 'Generating Transitive Closure of Used-action List...';
my $changed = 1; my $changed = 1;
@ -367,7 +367,7 @@ sub process_action3( $$$$$ ) {
expand_rule ( $chainref , expand_rule ( $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
$source , $source ,
$dest , $dest ,
'', #Original Dest '', #Original Dest
@ -379,9 +379,9 @@ sub process_action3( $$$$$ ) {
my $actionfile = find_file "action.$action"; my $actionfile = find_file "action.$action";
my $standard = ( $actionfile =~ /^$globals{SHAREDIR}/ ); my $standard = ( $actionfile =~ /^$globals{SHAREDIR}/ );
fatal_error "Missing Action File: $actionfile" unless -f $actionfile; fatal_error "Missing Action File: $actionfile" unless -f $actionfile;
progress_message2 "Processing $actionfile for chain $chainref->{name}..."; progress_message2 "Processing $actionfile for chain $chainref->{name}...";
open_file $actionfile; open_file $actionfile;
@ -474,7 +474,7 @@ sub process_action3( $$$$$ ) {
} else { } else {
process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user; process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
} }
} }
$comment = ''; $comment = '';
@ -511,28 +511,28 @@ sub process_actions3 () {
sub dropNotSyn ( $$$ ) { sub dropNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level; log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j DROP'; add_rule $chainref , '-p tcp ! --syn -j DROP';
} }
sub rejNotSyn ( $$$ ) { sub rejNotSyn ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level; log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level;
add_rule $chainref , '-p tcp ! --syn -j REJECT'; add_rule $chainref , '-p tcp ! --syn -j REJECT';
} }
sub dropInvalid ( $$$ ) { sub dropInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level; log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j REJECT'; add_rule $chainref , '-m state --state INVALID -j REJECT';
} }
sub allowInvalid ( $$$ ) { sub allowInvalid ( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level; log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level;
add_rule $chainref , '-m state --state INVALID -j ACCEPT'; add_rule $chainref , '-m state --state INVALID -j ACCEPT';
} }


@ -101,14 +101,14 @@ our @EXPORT = qw( STANDARD
get_interface_addresses get_interface_addresses
create_netfilter_load create_netfilter_load
@policy_chains @policy_chains
%chain_table %chain_table
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
$section $section
%sections %sections
$comment $comment
%targets %targets
); );
our @EXPORT_OK = (); our @EXPORT_OK = ();
@ -123,7 +123,7 @@ our @VERSION = 1.00;
# table => <table name> # table => <table name>
# is_policy => 0|1 # is_policy => 0|1
# is_optionsl => 0|1 # is_optionsl => 0|1
# referenced => 0|1 # referenced => 0|1
# policy => <policy> # policy => <policy>
# loglevel => <level> # loglevel => <level>
# synparams => <burst/limit> # synparams => <burst/limit>
@ -143,10 +143,10 @@ our @VERSION = 1.00;
# #
# Only 'referenced' chains get written to the iptables-restore output. # Only 'referenced' chains get written to the iptables-restore output.
# #
# 'loglevel', 'synparams' and 'default' only apply to policy chains. # 'loglevel', 'synparams' and 'default' only apply to policy chains.
# #
our @policy_chains; our @policy_chains;
our %chain_table = ( raw => {} , our %chain_table = ( raw => {} ,
mangle => {}, mangle => {},
nat => {}, nat => {},
filter => {} ); filter => {} );
@ -243,7 +243,7 @@ my $chainseq;
# #
# Count of the number of unclosed loops in generated shell code. We insert shell code # Count of the number of unclosed loops in generated shell code. We insert shell code
# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load() # into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
# emits that code inline for execution at run-time. # emits that code inline for execution at run-time.
# #
my $loopcount = 0; my $loopcount = 0;
@ -300,7 +300,7 @@ sub insert_rule($$$)
} }
# #
# Form the name of a chain. # Form the name of a chain.
# #
sub chain_base($) { sub chain_base($) {
my $chain = $_[0]; my $chain = $_[0];
@ -547,7 +547,7 @@ sub initialize_chain_table()
} }
# #
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain # Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
# #
sub finish_chain_section ($$) { sub finish_chain_section ($$) {
my ($chainref, $state ) = @_; my ($chainref, $state ) = @_;
@ -562,7 +562,7 @@ sub finish_chain_section ($$) {
if ( $section eq 'DONE' ) { if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) { if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
} }
} else { } else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
} }
@ -579,7 +579,7 @@ sub finish_chain_section ($$) {
# #
# Do section-end processing # Do section-end processing
# #
sub finish_section ( $ ) { sub finish_section ( $ ) {
my $sections = $_[0]; my $sections = $_[0];
@ -620,7 +620,7 @@ sub do_proto( $$$ )
$output = "-p $proto "; $output = "-p $proto ";
if ( $ports ) { if ( $ports ) {
my @ports = split /,/, $ports; my @ports = split /,/, $ports;
my $count = @ports; my $count = @ports;
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
@ -629,7 +629,7 @@ sub do_proto( $$$ )
if ( $port =~ /:/ ) { if ( $port =~ /:/ ) {
fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT}; fatal_error "Port range in a list requires Extended Multiport Support in your kernel/iptables: $ports" unless $capabilities{XMULTIPORT};
$count++; $count++;
} }
} }
fatal_error "Too many entries in port list: $ports" if $count > 15; fatal_error "Too many entries in port list: $ports" if $count > 15;
@ -642,7 +642,7 @@ sub do_proto( $$$ )
if ( $sports ) { if ( $sports ) {
my @ports = split /,/, $sports; my @ports = split /,/, $sports;
my $count = @ports; my $count = @ports;
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
@ -683,7 +683,7 @@ sub mac_match( $ ) {
my $mac = $_[0]; my $mac = $_[0];
$mac =~ s/^(!?)~//; $mac =~ s/^(!?)~//;
$mac =~ s/^!// if my $invert = ( $1 ? '! ' : ''); $mac =~ s/^!// if my $invert = ( $1 ? '! ' : '');
$mac =~ s/-/:/g; $mac =~ s/-/:/g;
"--match mac --mac-source ${invert}$mac "; "--match mac --mac-source ${invert}$mac ";
@ -705,7 +705,7 @@ sub verify_mark( $ ) {
my $mark = $_[0]; my $mark = $_[0];
my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF; my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF;
fatal_error "Invalid Mark or Mask value: $mark" fatal_error "Invalid Mark or Mask value: $mark"
unless numeric_value( $mark ) <= $limit; unless numeric_value( $mark ) <= $limit;
} }
@ -837,7 +837,7 @@ sub get_set_flags( $$ ) {
# #
sub match_source_net( $ ) { sub match_source_net( $ ) {
my $net = $_[0]; my $net = $_[0];
if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) { if ( $net =~ /^(!?).*\..*\..*\..*-.*\..*\..*\..*/ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
iprange_match . "${invert}--src-range $net "; iprange_match . "${invert}--src-range $net ";
@ -883,7 +883,7 @@ sub match_orig_dest ( $ ) {
return '' if $net eq ALLIPv4; return '' if $net eq ALLIPv4;
return '' unless $capabilities{CONNTRACK_MATCH}; return '' unless $capabilities{CONNTRACK_MATCH};
if ( $net =~ /^!/ ) { if ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
"-m conntrack --ctorigdst ! $net "; "-m conntrack --ctorigdst ! $net ";
@ -904,13 +904,13 @@ sub match_ipsec_in( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) { if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else { } else {
''; '';
} }
} }
# #
# Match Dest IPSEC # Match Dest IPSEC
# #
@ -922,7 +922,7 @@ sub match_ipsec_out( $$ ) {
if ( $zoneref->{type} eq 'ipsec4' ) { if ( $zoneref->{type} eq 'ipsec4' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else { } else {
''; '';
@ -1023,11 +1023,11 @@ sub interface_address( $ ) {
} }
# #
# Record that the ruleset requires the first IP address on the passed interface # Record that the ruleset requires the first IP address on the passed interface
# #
sub get_interface_address ( $ ) { sub get_interface_address ( $ ) {
my ( $interface ) = $_[0]; my ( $interface ) = $_[0];
my $variable = interface_address( $interface ); my $variable = interface_address( $interface );
$interfaceaddr{$interface} = "$variable=\$(find_first_interface_address $interface)"; $interfaceaddr{$interface} = "$variable=\$(find_first_interface_address $interface)";
@ -1043,11 +1043,11 @@ sub interface_addresses( $ ) {
} }
# #
# Record that the ruleset requires the IP addresses on the passed interface # Record that the ruleset requires the IP addresses on the passed interface
# #
sub get_interface_addresses ( $ ) { sub get_interface_addresses ( $ ) {
my ( $interface ) = $_[0]; my ( $interface ) = $_[0];
my $variable = interface_addresses( $interface ); my $variable = interface_addresses( $interface );
$interfaceaddr{$interface} = qq($variable=\$(get_interface_addresses $interface) $interfaceaddr{$interface} = qq($variable=\$(get_interface_addresses $interface)
@ -1065,7 +1065,7 @@ sub interface_nets( $ ) {
} }
# #
# Record that the ruleset requires the first IP address on the passed interface # Record that the ruleset requires the first IP address on the passed interface
# #
sub get_interface_nets ( $ ) { sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0]; my ( $interface ) = $_[0];
@ -1077,12 +1077,12 @@ sub get_interface_nets ( $ ) {
); );
"\$$variable"; "\$$variable";
} }
# #
# This function provides a uniform way to generate rules (something the original Shorewall sorely needed). # This function provides a uniform way to generate rules (something the original Shorewall sorely needed).
# #
sub expand_rule( $$$$$$$$$$ ) sub expand_rule( $$$$$$$$$$ )
{ {
my ($chainref , $restriction, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_; my ($chainref , $restriction, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_;
@ -1135,11 +1135,11 @@ sub expand_rule( $$$$$$$$$$ )
$rule .= '-s $source '; $rule .= '-s $source ';
# #
# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()' # While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
# #
$loopcount++; $loopcount++;
} else { } else {
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line" fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
if $restriction & OUTPUT_RESTRICT; if $restriction & OUTPUT_RESTRICT;
$rule .= "-i $iiface "; $rule .= "-i $iiface ";
} }
@ -1229,7 +1229,7 @@ sub expand_rule( $$$$$$$$$$ )
} else { } else {
get_interface_address $interfaces[0]; get_interface_address $interfaces[0];
$rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' ); $rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
} }
$origdest = ''; $origdest = '';
} else { } else {
@ -1324,7 +1324,7 @@ sub expand_rule( $$$$$$$$$$ )
} }
# #
# The final rule in the exclusion chain will not qualify the source or destination # The final rule in the exclusion chain will not qualify the source or destination
# #
$inets = ALLIPv4; $inets = ALLIPv4;
$dnets = ALLIPv4; $dnets = ALLIPv4;
@ -1354,7 +1354,7 @@ sub expand_rule( $$$$$$$$$$ )
log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel; log_rule_limit $loglevel , $echainref , $chain, $disposition , '', $logtag , 'add' , '' if $loglevel;
# #
# Generate Final Rule # Generate Final Rule
# #
add_rule $echainref, $exceptionrule . $target unless $disposition eq 'LOG'; add_rule $echainref, $exceptionrule . $target unless $disposition eq 'LOG';
} else { } else {
# #
@ -1366,20 +1366,20 @@ sub expand_rule( $$$$$$$$$$ )
$inet = match_source_net $inet; $inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
if ( $loglevel ) { if ( $loglevel ) {
log_rule_limit log_rule_limit
$loglevel , $loglevel ,
$chainref , $chainref ,
$chain, $chain,
$disposition , $disposition ,
'' , '' ,
$logtag , $logtag ,
'add' , 'add' ,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet ); join( '', $rule, $inet, match_dest_net( $dnet ), $onet );
} }
unless ( $disposition eq 'LOG' ) { unless ( $disposition eq 'LOG' ) {
add_rule add_rule
$chainref, $chainref,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target ); join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target );
} }
} }


@ -101,7 +101,7 @@ sub fatal_error
# #
# Write the argument to the object file (if any) with the current indentation. # Write the argument to the object file (if any) with the current indentation.
# #
# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines. # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
# #
sub emit ( $ ) { sub emit ( $ ) {


@ -29,7 +29,7 @@ use Shorewall::Common;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
warning_message warning_message
fatal_error fatal_error
find_file find_file
split_line split_line
@ -65,7 +65,7 @@ our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
# #
# From shorewall.conf file # From shorewall.conf file
# #
our %config = our %config =
( STARTUP_ENABLED => undef, ( STARTUP_ENABLED => undef,
VERBOSITY => undef, VERBOSITY => undef,
# #
@ -159,7 +159,7 @@ my @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
# #
# From parsing the capabilities file # From parsing the capabilities file
# #
our %capabilities = our %capabilities =
( NAT_ENABLED => undef, ( NAT_ENABLED => undef,
MANGLE_ENABLED => undef, MANGLE_ENABLED => undef,
MULTIPORT => undef, MULTIPORT => undef,
@ -237,7 +237,7 @@ my $currentlinenumber = 0;
# #
# Issue a Warning Message # Issue a Warning Message
# #
sub warning_message sub warning_message
{ {
my $lineinfo = $currentfile ? " : $currentfilename ( line $currentlinenumber )" : ''; my $lineinfo = $currentfile ? " : $currentfilename ( line $currentlinenumber )" : '';
@ -255,7 +255,7 @@ sub fatal_error {
# #
# Search the CONFIG_PATH for the passed file # Search the CONFIG_PATH for the passed file
# #
sub find_file($) sub find_file($)
{ {
my $filename=$_[0]; my $filename=$_[0];
@ -320,14 +320,14 @@ sub open_file( $ ) {
} }
# #
# This function is normally called below in read_a_line() when EOF is reached. Clients of the # This function is normally called below in read_a_line() when EOF is reached. Clients of the
# module may also call the function to close the file before EOF # module may also call the function to close the file before EOF
# #
sub close_file() { sub close_file() {
if ( $currentfile ) { if ( $currentfile ) {
close $currentfile; close $currentfile;
my $arrayref = pop @includestack; my $arrayref = pop @includestack;
if ( $arrayref ) { if ( $arrayref ) {
@ -363,7 +363,7 @@ sub pop_open() {
} else { } else {
$currentfile = undef; $currentfile = undef;
} }
} }
# #
# Read a line from the current include stack. # Read a line from the current include stack.
@ -397,7 +397,7 @@ sub read_a_line {
# #
# Ignore ( concatenated ) Blank Lines # Ignore ( concatenated ) Blank Lines
# #
if ( $line =~ /^\s*$/ ) { if ( $line =~ /^\s*$/ ) {
$line = ''; $line = '';
next; next;
} }
@ -410,18 +410,18 @@ sub read_a_line {
# #
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\${([a-zA-Z]\w*)}(.*)$/; $line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\${([a-zA-Z]\w*)}(.*)$/;
$line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line = join( '', $1 , ( $ENV{$2} || '' ) , $3 ) while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/;
if ( $line =~ /^INCLUDE\s/ ) { if ( $line =~ /^INCLUDE\s/ ) {
my @line = split /\s+/, $line; my @line = split /\s+/, $line;
fatal_error "Invalid INCLUDE command: $line" if @line != 2; fatal_error "Invalid INCLUDE command: $line" if @line != 2;
fatal_error "INCLUDEs nested too deeply: $line" if @includestack >= 4; fatal_error "INCLUDEs nested too deeply: $line" if @includestack >= 4;
my $filename = find_file $line[1]; my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless ( -f $filename ); fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
if ( -s _ ) { if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef; $currentfile = undef;
@ -433,7 +433,7 @@ sub read_a_line {
return 1; return 1;
} }
} }
close_file; close_file;
} }
} }
@ -500,7 +500,7 @@ sub load_kernel_modules( ) {
if ( @moduledirectories && open_file 'modules' ) { if ( @moduledirectories && open_file 'modules' ) {
my %loadedmodules; my %loadedmodules;
progress_message "Loading Modules..."; progress_message "Loading Modules...";
open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod"; open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@ -509,7 +509,7 @@ sub load_kernel_modules( ) {
my $module = ( split( /\s+/, $line ) )[0]; my $module = ( split( /\s+/, $line ) )[0];
$loadedmodules{$module} = 1 unless $module eq 'Module' $loadedmodules{$module} = 1 unless $module eq 'Module'
} }
close LSMOD; close LSMOD;
$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX}; $config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
@ -536,7 +536,7 @@ sub load_kernel_modules( ) {
} }
} }
} }
} }
} }
# #
@ -550,14 +550,14 @@ sub qt( $ ) {
# Determine which optional facilities are supported by iptables/netfilter # Determine which optional facilities are supported by iptables/netfilter
# #
sub determine_capabilities() { sub determine_capabilities() {
my $iptables = $config{IPTABLES}; my $iptables = $config{IPTABLES};
$capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" ); $capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" );
$capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" ); $capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" );
qt( "$iptables -N fooX1234" ); qt( "$iptables -N fooX1234" );
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); $capabilities{CONNTRACK_MATCH} = qt( "$iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
$capabilities{MULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT" ); $capabilities{MULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT" );
$capabilities{XMULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT" ); $capabilities{XMULTIPORT} = qt( "$iptables -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT" );
@ -578,7 +578,7 @@ sub determine_capabilities() {
$capabilities{CONNMARK_MATCH} = 1; $capabilities{CONNMARK_MATCH} = 1;
$capabilities{XCONNMARK_MATCH} = qt( "$iptables -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT" ); $capabilities{XCONNMARK_MATCH} = qt( "$iptables -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT" );
} }
$capabilities{IPP2P_MATCH} = qt( "$iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT" ); $capabilities{IPP2P_MATCH} = qt( "$iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT" );
$capabilities{LENGTH_MATCH} = qt( "$iptables -A fooX1234 -m length --length 10:20 -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt( "$iptables -A fooX1234 -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt( "$iptables -A fooX1234 -j REJECT --reject-with icmp-host-prohibited" ); $capabilities{ENHANCED_REJECT} = qt( "$iptables -A fooX1234 -j REJECT --reject-with icmp-host-prohibited" );
@ -624,7 +624,7 @@ sub determine_capabilities() {
qt( "$iptables -F fooX1234" ); qt( "$iptables -F fooX1234" );
qt( "$iptables -X fooX1234" ); qt( "$iptables -X fooX1234" );
} }
sub require_capability( $$ ) { sub require_capability( $$ ) {
my ( $capability, $description ) = @_; my ( $capability, $description ) = @_;
@ -642,10 +642,10 @@ sub ensure_config_path( $ ) {
my $f = "$globals{SHAREDIR}/configpath"; my $f = "$globals{SHAREDIR}/configpath";
$ENV{CONFDIR} = $export ? '/usr/share/shorewall/configfiles/' : '/etc/shorewall/'; $ENV{CONFDIR} = $export ? '/usr/share/shorewall/configfiles/' : '/etc/shorewall/';
unless ( $config{CONFIG_PATH} ) { unless ( $config{CONFIG_PATH} ) {
fatal_error "$f does not exist" unless -f $f; fatal_error "$f does not exist" unless -f $f;
open_file $f; open_file $f;
while ( read_a_line ) { while ( read_a_line ) {
@ -656,7 +656,7 @@ sub ensure_config_path( $ ) {
fatal_error "Unrecognized entry"; fatal_error "Unrecognized entry";
} }
} }
fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH}; fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
} }
@ -722,7 +722,7 @@ sub get_configuration( $ ) {
} }
load_kernel_modules; load_kernel_modules;
unless ( open_file 'capabilities' ) { unless ( open_file 'capabilities' ) {
determine_capabilities; determine_capabilities;
} }
@ -759,7 +759,7 @@ sub get_configuration( $ ) {
} }
if ( $config{IP_FORWARDING} ) { if ( $config{IP_FORWARDING} ) {
fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING" fatal_error "Invalid value ( $config{IP_FORWARDING} ) for IP_FORWARDING"
unless $config{IP_FORWARDING} =~ /^(On|Off|Keep)$/i; unless $config{IP_FORWARDING} =~ /^(On|Off|Keep)$/i;
} else { } else {
$config{IP_FORWARDING} = 'On'; $config{IP_FORWARDING} = 'On';
@ -845,7 +845,7 @@ sub get_configuration( $ ) {
} else { } else {
fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter'; fatal_error "Invalid value ($val) for MACLIST_TABLE option" unless $val eq 'filter';
} }
} else { } else {
default 'MACLIST_TABLE' , 'filter'; default 'MACLIST_TABLE' , 'filter';
} }


@ -36,7 +36,7 @@ our @EXPORT_OK = ();
our @VERSION = 1.00; our @VERSION = 1.00;
# #
# Validates the hosts file. Generates entries in %zone{..}{hosts} # Validates the hosts file. Generates entries in %zone{..}{hosts}
# #
sub validate_hosts_file() sub validate_hosts_file()
{ {
@ -113,8 +113,8 @@ sub validate_hosts_file()
$capabilities{POLICY_MATCH} = '' unless $ipsec or $zones{ipsec}; $capabilities{POLICY_MATCH} = '' unless $ipsec or $zones{ipsec};
} }
# #
# Returns a reference to a array of host entries. Each entry is a # Returns a reference to a array of host entries. Each entry is a
# reference to an array containing ( interface , group type {ipsec|none} , network ); # reference to an array containing ( interface , group type {ipsec|none} , network );
# #
sub find_hosts_by_option( $ ) { sub find_hosts_by_option( $ ) {
my $option = $_[0]; my $option = $_[0];


@ -29,7 +29,7 @@ use Shorewall::Config;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
ip_range_explicit ip_range_explicit
); );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );


@ -30,9 +30,9 @@ use Shorewall::Zones;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( add_group_to_zone our @EXPORT = qw( add_group_to_zone
validate_interfaces_file validate_interfaces_file
known_interface known_interface
find_interfaces_by_option find_interfaces_by_option
get_interface_option get_interface_option
@ -113,7 +113,7 @@ sub add_group_to_zone($$$$$)
# #
# Parse the interfaces file. # Parse the interfaces file.
# #
sub validate_interfaces_file() sub validate_interfaces_file()
{ {
my %validoptions = (arp_filter => 1, my %validoptions = (arp_filter => 1,
@ -143,7 +143,7 @@ sub validate_interfaces_file()
my $zoneref; my $zoneref;
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }


@ -32,9 +32,9 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( find_macro our @EXPORT = qw( find_macro
split_action split_action
substitute_action substitute_action
merge_macro_source_dest merge_macro_source_dest
merge_macro_column merge_macro_column
%macros ); %macros );
@ -61,7 +61,7 @@ sub find_macro( $ )
} }
# #
# Return ( action, level[:tag] ) from passed full action # Return ( action, level[:tag] ) from passed full action
# #
sub split_action ( $ ) { sub split_action ( $ ) {
my $action = $_[0]; my $action = $_[0];


@ -42,7 +42,7 @@ my %addresses_to_add;
# #
# Handle IPSEC Options in a masq record # Handle IPSEC Options in a masq record
# #
sub do_ipsec_options($) sub do_ipsec_options($)
{ {
my %validoptions = ( strict => NOTHING, my %validoptions = ( strict => NOTHING,
next => NOTHING, next => NOTHING,
@ -143,7 +143,7 @@ sub setup_one_masq($$$$$$)
$fullinterface = $one; $fullinterface = $one;
$destnets = $two; $destnets = $two;
} }
} }
# #
# Isolate and verify the interface part # Isolate and verify the interface part
@ -236,7 +236,7 @@ sub setup_one_masq($$$$$$)
# #
# Process the masq file # Process the masq file
# #
sub setup_masq() sub setup_masq()
{ {
my $first_entry = 1; my $first_entry = 1;
@ -247,7 +247,7 @@ sub setup_masq()
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 2, 6, 'masq file'; my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 2, 6, 'masq file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' ); require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
$first_entry = 0; $first_entry = 0;
} }
@ -361,7 +361,7 @@ sub setup_nat() {
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 3, 5, 'nat file'; my ( $external, $interface, $internal, $allints, $localnat ) = split_line 3, 5, 'nat file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' ); require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
$first_entry = 0; $first_entry = 0;
} }
@ -396,7 +396,7 @@ sub setup_netmap() {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file'; my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' ); require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
$first_entry = 0; $first_entry = 0;
} }


@ -44,7 +44,7 @@ sub new_policy_chain($$$)
{ {
my ($chain, $policy, $optional) = @_; my ($chain, $policy, $optional) = @_;
my $chainref = new_chain 'filter', $chain; my $chainref = new_chain 'filter', $chain;
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
@ -75,11 +75,11 @@ sub validate_policy()
sub print_policy($$$$) sub print_policy($$$$)
{ {
my ( $source, $dest, $policy , $chain ) = @_; my ( $source, $dest, $policy , $chain ) = @_;
progress_message " Policy for $source to $dest is $policy using chain $chain" progress_message " Policy for $source to $dest is $policy using chain $chain"
unless ( $source eq $dest ) || ( $source eq 'all' ) || ( $dest eq 'all' ); unless ( $source eq $dest ) || ( $source eq 'all' ) || ( $dest eq 'all' );
} }
my %validpolicies = ( my %validpolicies = (
ACCEPT => undef, ACCEPT => undef,
REJECT => undef, REJECT => undef,
DROP => undef, DROP => undef,


@ -315,7 +315,7 @@ sub setup_providers() {
if ( $source eq '-' ) { if ( $source eq '-' ) {
$source = ''; $source = '';
} elsif ( $source =~ /:/ ) { } elsif ( $source =~ /:/ ) {
( my $interface, $source ) = split /:/, $source; ( my $interface, $source ) = split /:/, $source;
$source = "iif $interface from $source"; $source = "iif $interface from $source";
} elsif ( $source =~ /\..*\..*/ ) { } elsif ( $source =~ /\..*\..*/ ) {
@ -364,12 +364,12 @@ sub setup_providers() {
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
'> ${VARDIR}/undo_routing' ); '> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...'; save_progress_message 'Adding Providers...';
emit 'DEFAULT_ROUTE='; emit 'DEFAULT_ROUTE=';
} }
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file'; my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ); add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@ -434,7 +434,7 @@ sub setup_providers() {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file'; my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority ); add_an_rtrule( $source, $dest, $provider , $priority );
@ -444,7 +444,7 @@ sub setup_providers() {
emit "\nrun_ip route flush cache"; emit "\nrun_ip route flush cache";
pop_indent; pop_indent;
emit "fi\n"; emit "fi\n";
setup_route_marking if @routemarked_interfaces; setup_route_marking if @routemarked_interfaces;
} else { } else {
emit "\nundo_routing"; emit "\nundo_routing";


@ -30,7 +30,7 @@ use Shorewall::Interfaces;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
setup_proxy_arp setup_proxy_arp
dump_proxy_arp dump_proxy_arp
); );
@ -99,7 +99,7 @@ sub setup_proxy_arp() {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }
$set{$interface} = 1; $set{$interface} = 1;
$reset{$external} = 1 unless $set{$external}; $reset{$external} = 1 unless $set{$external};


@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( process_tos our @EXPORT = qw( process_tos
setup_ecn setup_ecn
add_common_rules add_common_rules
setup_mac_lists setup_mac_lists
process_criticalhosts process_criticalhosts
process_routestopped process_routestopped
@ -68,7 +68,7 @@ sub process_tos() {
my $first_entry = 1; my $first_entry = 1;
my ( $pretosref, $outtosref ); my ( $pretosref, $outtosref );
while ( read_a_line ) { while ( read_a_line ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 6, 'tos file'; my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 6, 'tos file';
@ -99,7 +99,7 @@ sub process_tos() {
$dst =~ s/^all:?//; $dst =~ s/^all:?//;
expand_rule expand_rule
$chainref , $chainref ,
$restriction , $restriction ,
do_proto( $proto, $ports, $sports ) , do_proto( $proto, $ports, $sports ) ,
@ -158,7 +158,7 @@ sub setup_ecn()
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}"; add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
} else { } else {
@ -295,7 +295,7 @@ sub setup_blacklist() {
$first_entry = 0; $first_entry = 0;
} }
expand_rule( expand_rule(
$chainref , $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
@ -306,7 +306,7 @@ sub setup_blacklist() {
'' , '' ,
$disposition , $disposition ,
'' ); '' );
progress_message " \"$line\" added to blacklist"; progress_message " \"$line\" added to blacklist";
} }
} }
@ -319,11 +319,11 @@ sub setup_blacklist() {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2]; my $network = $hostref->[2];
my $source = match_source_net $network; my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
} }
progress_message " Blacklisting enabled on ${interface}:${network}"; progress_message " Blacklisting enabled on ${interface}:${network}";
} }
} }
@ -360,7 +360,7 @@ sub process_criticalhosts() {
for my $option (split /,/, $options ) { for my $option (split /,/, $options ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) {
if ( $option eq 'critical' ) { if ( $option eq 'critical' ) {
push @critical, @hosts; push @critical, @hosts;
} else { } else {
warning_message "Unknown routestopped option ( $option ) ignored"; warning_message "Unknown routestopped option ( $option ) ignored";
} }
@ -498,7 +498,7 @@ sub add_common_rules() {
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
add_rule_pair $chainref, '-m addrtype --src-type MULTICAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; add_rule_pair $chainref, '-m addrtype --src-type MULTICAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
@ -603,7 +603,7 @@ sub add_common_rules() {
} }
} }
(new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1; (new_chain 'nat' , $chain = dynamic_in($interface) )->{referenced} = 1;
add_rule $filter_table->{input_chain $interface}, "-j $chain"; add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
@ -752,7 +752,7 @@ sub setup_mac_lists( $ ) {
add_command $chainref, " ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do"; add_command $chainref, " ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do";
add_command $chainref, ' address=${address%/*}'; add_command $chainref, ' address=${address%/*}';
add_command $chainref, ' if [ -n "$broadcast" ]; then'; add_command $chainref, ' if [ -n "$broadcast" ]; then';
add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3'; add_command $chainref, ' echo "-A $chain -s $address -d $broadcast -j RETURN" >&3';
add_command $chainref, ' fi'; add_command $chainref, ' fi';
add_command $chainref, ''; add_command $chainref, '';
add_command $chainref, ' echo "-A $chain -s $address -d 255.255.255.255 -j RETURN" >&3'; add_command $chainref, ' echo "-A $chain -s $address -d 255.255.255.255 -j RETURN" >&3';
@ -874,15 +874,15 @@ sub process_rule1 ( $$$$$$$$$ ) {
# #
process_macro process_macro
$macros{$basictarget}, $macros{$basictarget},
$target , $target ,
$param , $param ,
$source, $source,
$dest, $dest,
$proto, $proto,
$ports, $ports,
$sports, $sports,
$origdest, $origdest,
$ratelimit, $ratelimit,
$user; $user;
return; return;
} }
@ -935,7 +935,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
$dest = ALLIPv4; $dest = ALLIPv4;
} }
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone}; fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone}; fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
@ -1031,7 +1031,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
'' , '' ,
$target , $target ,
$loglevel , $loglevel ,
$action , $action ,
$serverport ? do_proto( $proto, '', '' ) : ''; $serverport ? do_proto( $proto, '', '' ) : '';
# #
# After NAT: # After NAT:
@ -1180,12 +1180,12 @@ sub process_rule ( $$$$$$$$$ ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user; process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user;
} }
} }
} }
} }
} else { } else {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user; process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user;
} }
} }
} }
} elsif ( $dest eq 'all' ) { } elsif ( $dest eq 'all' ) {
for my $zone1 ( @zones ) { for my $zone1 ( @zones ) {
@ -1258,7 +1258,7 @@ sub process_rules() {
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates. # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
# #
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules. # The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
# #
sub generate_matrix() { sub generate_matrix() {
# #
# Helper functions for generate_matrix() # Helper functions for generate_matrix()
@ -1377,7 +1377,7 @@ sub generate_matrix() {
my $ipsec_match = match_ipsec_in $zone , $hostref; my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule add_rule
find_chainref( 'filter' , forward_chain $interface ) , find_chainref( 'filter' , forward_chain $interface ) ,
match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" ); match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" );
} }
} }
@ -1393,11 +1393,11 @@ sub generate_matrix() {
my $source_hosts_ref = $zoneref->{hosts}; my $source_hosts_ref = $zoneref->{hosts};
my $chain1 = rules_target $firewall_zone , $zone; my $chain1 = rules_target $firewall_zone , $zone;
my $chain2 = rules_target $zone, $firewall_zone; my $chain2 = rules_target $zone, $firewall_zone;
my $complex = $zoneref->{options}{complex} || 0; my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $exclusions = $zoneref->{exclusions}; my $exclusions = $zoneref->{exclusions};
my $need_broadcast = {}; ### Fixme ### my $need_broadcast = {}; ### Fixme ###
my $frwd_ref = 0; my $frwd_ref = 0;
my $chain = 0; my $chain = 0;
if ( $complex ) { if ( $complex ) {
@ -1421,7 +1421,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) { for my $hostref ( @$arrayref ) {
my $ipsec_in_match = match_ipsec_in $zone , $hostref; my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref; my $ipsec_out_match = match_ipsec_out $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
my $source = match_source_net $net; my $source = match_source_net $net;
my $dest = match_dest_net $net; my $dest = match_dest_net $net;
@ -1568,7 +1568,7 @@ sub generate_matrix() {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) { for my $hostref ( @$arrayref ) {
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" ); add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" );
} }
@ -1588,11 +1588,11 @@ sub generate_matrix() {
for my $interface1 ( keys %$type1ref ) { for my $interface1 ( keys %$type1ref ) {
my $array1ref = $type1ref->{$interface1}; my $array1ref = $type1ref->{$interface1};
for my $host1ref ( @$array1ref ) { for my $host1ref ( @$array1ref ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
for my $net1 ( @{$host1ref->{hosts}} ) { for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
add_rule add_rule
$chain3ref , $chain3ref ,
join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" ); join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" );
} }
} }
@ -1654,8 +1654,8 @@ sub generate_matrix() {
if ( $config{LOGALLNEW} ) { if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ { for my $table qw/mangle nat filter/ {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit log_rule_limit
$config{LOGALLNEW} , $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table{$table}{$chain} ,
$table , $table ,
$chain , $chain ,


@ -53,7 +53,7 @@ my %tcs = ( t => { chain => 'tcpost',
} , } ,
c => { target => 'CONNMARK --set-mark' , c => { target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
fw => 1 fw => 1
} , } ,
p => { chain => 'tcpre' , p => { chain => 'tcpre' ,
connmark => 0 , connmark => 0 ,
@ -89,7 +89,7 @@ my %tcs = ( t => { chain => 'tcpost',
use constant { NOMARK => 0 , use constant { NOMARK => 0 ,
SMALLMARK => 1 , SMALLMARK => 1 ,
HIGHMARK => 2 HIGHMARK => 2
}; };
my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
@ -105,7 +105,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' }, { match => sub ( $ ) { $_[0] eq 'CONTINUE' },
target => 'RETURN' , target => 'RETURN' ,
mark => NOMARK , mark => NOMARK ,
mask => '' mask => ''
} , } ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} , { match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' , target => 'MARK --or-mark' ,
@ -114,7 +114,7 @@ my @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' }, { match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark ' , target => 'MARK --and-mark ' ,
mark => HIGHMARK , mark => HIGHMARK ,
mask => '' mask => ''
} }
); );
@ -200,11 +200,11 @@ sub process_tc_rule( $$$$$$$$$$ ) {
validate_mark $mark; validate_mark $mark;
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes' fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) < 0xFF && $config{HIGH_ROUTE_MARKS}; if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) < 0xFF && $config{HIGH_ROUTE_MARKS};
} }
expand_rule expand_rule
ensure_chain( 'mangle' , $chain ) , ensure_chain( 'mangle' , $chain ) ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) , do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
@ -227,7 +227,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
# #
# %tcdevices { <interface> -> {in_bandwidth => <value> , # %tcdevices { <interface> -> {in_bandwidth => <value> ,
# out_bandwidth => <value> # out_bandwidth => <value>
# number => <ordinal> # number => <ordinal>
# default => <default class mark value> } # default => <default class mark value> }
# #
my @tcdevices; my @tcdevices;
@ -419,7 +419,7 @@ sub setup_traffic_shaping() {
); );
} }
$devref->{number} = $devnum++; $devref->{number} = $devnum++;
save_progress_message_short " TC Device $device defined."; save_progress_message_short " TC Device $device defined.";
@ -494,7 +494,7 @@ sub setup_traffic_shaping() {
# #
sub setup_tc() { sub setup_tc() {
my $first_entry = 1; my $first_entry = 1;
if ( $capabilities{MANGLE_ENABLED} ) { if ( $capabilities{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcpre';
@ -508,15 +508,15 @@ sub setup_tc() {
if ( my $fn = open_file 'tcrules' ) { if ( my $fn = open_file 'tcrules' ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 2, 10, 'tcrules file'; my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 2, 10, 'tcrules file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ); require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
$first_entry = 0; $first_entry = 0;
} }
if ( $mark eq 'COMMENT' ) { if ( $mark eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) { if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//; ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@ -527,7 +527,7 @@ sub setup_tc() {
} else { } else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
} }
} }
$comment = ''; $comment = '';


@ -51,12 +51,12 @@ sub setup_tunnels() {
my $options = '-m $state --state NEW -j ACCEPT'; my $options = '-m $state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) { unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT"; add_rule $outchainref, "-p 51 $dest -j ACCEPT";
} }
add_rule $outchainref, "-p udp $dest --dport 500 $options"; add_rule $outchainref, "-p udp $dest --dport 500 $options";
@ -240,7 +240,7 @@ sub setup_tunnels() {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 2, 4, 'tunnels file'; my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 2, 4, 'tunnels file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }


@ -39,9 +39,9 @@ our @EXPORT = qw( NOTHING
zone_report zone_report
dump_zone_contents dump_zone_contents
@zones @zones
%zones %zones
$firewall_zone $firewall_zone
%interfaces ); %interfaces );
our @EXPORT_OK = (); our @EXPORT_OK = ();
@ -58,7 +58,7 @@ use constant { NOTHING => 'NOTHING',
}; };
# #
# Zone Table. # Zone Table.
# #
# @zones contains the ordered list of zones with sub-zones appearing before their parents. # @zones contains the ordered list of zones with sub-zones appearing before their parents.
# #
@ -66,7 +66,7 @@ use constant { NOTHING => 'NOTHING',
# options => { complex => 0|1 # options => { complex => 0|1
# in_out => < policy match string > # in_out => < policy match string >
# in => < policy match string > # in => < policy match string >
# out => < policy match string > # out => < policy match string >
# } # }
# parents => [ <parents> ] Parents, Children and interfaces are listed by name # parents => [ <parents> ] Parents, Children and interfaces are listed by name
# children => [ <children> ] # children => [ <children> ]
@ -86,7 +86,7 @@ use constant { NOTHING => 'NOTHING',
# #
# $firewall_zone names the firewall zone. # $firewall_zone names the firewall zone.
# #
our @zones; our @zones;
our %zones; our %zones;
our $firewall_zone; our $firewall_zone;
@ -170,7 +170,7 @@ sub parse_zone_option_list($)
$h{ipsec} = $options ? "$options " : ''; $h{ipsec} = $options ? "$options " : '';
\%h; \%h;
} }
# #
@ -191,7 +191,7 @@ sub determine_zones()
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }
@ -266,7 +266,7 @@ sub determine_zones()
} }
$ordered{$zone} = 1; $ordered{$zone} = 1;
push @zones, $zone; push @zones, $zone;
$pushed = 1; $pushed = 1;
} }
} }
} }
@ -275,7 +275,7 @@ sub determine_zones()
# #
# Report about zones. # Report about zones.
# #
sub zone_report() sub zone_report()
{ {
for my $zone ( @zones ) for my $zone ( @zones )
{ {
@ -311,7 +311,7 @@ sub zone_report()
} }
} }
sub dump_zone_contents() sub dump_zone_contents()
{ {
for my $zone ( @zones ) for my $zone ( @zones )
{ {


@ -101,7 +101,7 @@ sub generate_script_1() {
} }
emit "TEMPFILE=\n"; emit "TEMPFILE=\n";
for my $exit qw/init start tcclear started stop stopped/ { for my $exit qw/init start tcclear started stop stopped/ {
emit "run_${exit}_exit() {"; emit "run_${exit}_exit() {";
push_indent; push_indent;
@ -111,8 +111,8 @@ sub generate_script_1() {
emit "}\n"; emit "}\n";
} }
emitj ( 'initialize()', emitj ( 'initialize()',
'{' '{'
); );
push_indent; push_indent;
@ -327,7 +327,7 @@ EOF
emit 'delete_tc1' if $config{CLEAR_TC}; emit 'delete_tc1' if $config{CLEAR_TC};
emitj( 'undo_routing', emitj( 'undo_routing',
'restore_default_route' 'restore_default_route'
); );
my $criticalhosts = process_criticalhosts; my $criticalhosts = process_criticalhosts;
@ -484,11 +484,11 @@ sub generate_script_2 () {
); );
push_indent; push_indent;
emit 'local restore_file=$1'; emit 'local restore_file=$1';
save_progress_message 'Initializing...'; save_progress_message 'Initializing...';
if ( $export ) { if ( $export ) {
my $fn = find_file 'modules'; my $fn = find_file 'modules';
@ -529,7 +529,7 @@ sub generate_script_2 () {
'delete_proxyarp', 'delete_proxyarp',
'' ''
); );
emit "delete_tc1\n" if $config{CLEAR_TC}; emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6}; emit "disable_ipv6\n" if $config{DISABLE_IPV6};
setup_mss( $config{CLAMPMSS} ) if $config{CLAMPMSS}; setup_mss( $config{CLAMPMSS} ) if $config{CLAMPMSS};
@ -544,7 +544,7 @@ sub generate_script_2 () {
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES # Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
# #
# Generate the 'setup_netfilter()' function that runs iptables-restore. # Generate the 'setup_netfilter()' function that runs iptables-restore.
# Generate the 'define_firewall()' function. # Generate the 'define_firewall()' function.
# #
sub generate_script_3() { sub generate_script_3() {
@ -618,23 +618,23 @@ EOF
pop_indent; pop_indent;
emit "}\n"; emit "}\n";
copy $globals{SHAREDIRPL} . 'prog.footer'; copy $globals{SHAREDIRPL} . 'prog.footer';
} }
# #
# The Compiler. # The Compiler.
# #
# If the argument is non-null, it names the script file to generate. # If the argument is non-null, it names the script file to generate.
# Otherwise, this is a 'check' command and no script is produced. # Otherwise, this is a 'check' command and no script is produced.
# #
sub compiler( $ ) { sub compiler( $ ) {
my $objectfile = $_[0]; my $objectfile = $_[0];
report_capabilities if $verbose > 1; report_capabilities if $verbose > 1;
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" ); require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'ADDRTYPE' , "Shorewall-perl $globals{VERSION}" ); require_capability( 'ADDRTYPE' , "Shorewall-perl $globals{VERSION}" );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL}; require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS}; require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
@ -657,7 +657,7 @@ sub compiler( $ ) {
# #
# Process the interfaces file. # Process the interfaces file.
# #
validate_interfaces_file; validate_interfaces_file;
# #
# Process the hosts file. # Process the hosts file.
# #
@ -665,12 +665,12 @@ sub compiler( $ ) {
# #
# Report zone contents # Report zone contents
# #
progress_message2 "Determining Hosts in Zones..."; progress_message2 "Determining Hosts in Zones...";
zone_report; zone_report;
# #
# Do action pre-processing. # Do action pre-processing.
# #
progress_message2 "Preprocessing Action Files..."; progress_message2 "Preprocessing Action Files...";
process_actions1; process_actions1;
# #
# Process the Policy File. # Process the Policy File.
@ -702,7 +702,7 @@ sub compiler( $ ) {
setup_proxy_arp; setup_proxy_arp;
# #
# [Re-]establish Routing # [Re-]establish Routing
# #
setup_providers; setup_providers;
# #
# TCRules and Traffic Shaping # TCRules and Traffic Shaping
@ -723,7 +723,7 @@ sub compiler( $ ) {
# #
# MACLIST Filtration # MACLIST Filtration
# #
progress_message2 "$doing MAC Filtration -- Phase 1..."; progress_message2 "$doing MAC Filtration -- Phase 1...";
setup_mac_lists 1; setup_mac_lists 1;
# #
# Process the rules file. # Process the rules file.
@ -741,13 +741,13 @@ sub compiler( $ ) {
# #
# MACLIST Filtration again # MACLIST Filtration again
# #
progress_message2 "$doing MAC Filtration -- Phase 2..."; progress_message2 "$doing MAC Filtration -- Phase 2...";
setup_mac_lists 2; setup_mac_lists 2;
# #
# Apply Policies # Apply Policies
# #
progress_message2 'Applying Policies...'; progress_message2 'Applying Policies...';
apply_policy_rules; apply_policy_rules;
# #
# Setup Nat # Setup Nat
# #
@ -761,7 +761,7 @@ sub compiler( $ ) {
# #
setup_accounting; setup_accounting;
progress_message2 'Generating Rule Matrix...'; progress_message2 'Generating Rule Matrix...';
generate_matrix; generate_matrix;
generate_script_3; generate_script_3;


@ -79,7 +79,7 @@ startup_error() # $* = Error Message
logger -p kern.err "ERROR:$PRODUCT restore failed" logger -p kern.err "ERROR:$PRODUCT restore failed"
;; ;;
esac esac
kill $$ kill $$
exit 2 exit 2
} }


@ -45,7 +45,7 @@ and the Bourne-shell one. Some of these will probably go away by first
official release but most will not. official release but most will not.
a) The Perl-based compiler requires the following capabilities in your a) The Perl-based compiler requires the following capabilities in your
kernel and iptables. kernel and iptables.
- addrtype match (may be relaxed later) - addrtype match (may be relaxed later)
- multiport match (will not be relaxed) - multiport match (will not be relaxed)
@ -60,10 +60,10 @@ b) Now that Netfilter has features to deal reasonably with port lists,
avoiding the ugliness required to do that. The new compiler just avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't an error if you insert a port range into a port list and you don't
have extended multiport support. have extended multiport support.
c) BRIDGING=Yes is not supported. The kernel code necessary to c) BRIDGING=Yes is not supported. The kernel code necessary to
support this option was removed in Linux kernel 2.6.20. support this option was removed in Linux kernel 2.6.20.
d) The BROADCAST column in the interfaces file is essentially unused; d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will if you enter anything in this column but '-' or 'detect', you will
@ -133,10 +133,10 @@ i) Currently, support for ipsets is untested. That will change with
course) will normally be produced using the ipset -S course) will normally be produced using the ipset -S
command. command.
The above will work most of the time but will fail in a The above will work most of the time but will fail in a
'shorewall stop' - 'shorewall start' sequence if you 'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below). use ipsets in your routestopped file (see below).
ii) Your ipsets may not be reloaded until Shorewall is stopped or ii) Your ipsets may not be reloaded until Shorewall is stopped or
cleared. cleared.
@ -179,7 +179,7 @@ In addition to Shorewall-3.4.2 or later, you need:
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I N S T A L L A T I O N I N S T A L L A T I O N
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
Either Either
$ tar -jxf shorewall-perl-3.9.1.tar.bz2 $ tar -jxf shorewall-perl-3.9.1.tar.bz2
$ cd shorewall-perl-3.9.1 $ cd shorewall-perl-3.9.1
@ -191,7 +191,7 @@ or
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R U S I N G T H E N E W C O M P I L E R
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
By default, the old Bourne-shell based compiler will be used. By default, the old Bourne-shell based compiler will be used.
To use the new compiler, add this to shorewall.conf: To use the new compiler, add this to shorewall.conf: