forked from extern/shorewall_code
Partial change
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
514c0d7d88
commit
cd97ccfd4e
@ -1433,10 +1433,14 @@ use constant { NULL_STATE => 0 ,
|
||||
|
||||
my $state = NULL_STATE;
|
||||
|
||||
my $rulenumber = 0;
|
||||
|
||||
sub emitr( $ ) {
|
||||
my $rule = $_[0];
|
||||
|
||||
unless ( $slowstart ) {
|
||||
$rulenumber++;
|
||||
substr($rule, 80) = "#$rulenumber" unless length $rule >= 80;
|
||||
emit_unindented $rule;
|
||||
} elsif ( substr( $rule, 0, 1 ) eq '~' ) {
|
||||
#
|
||||
@ -1484,12 +1488,7 @@ sub create_netfilter_load() {
|
||||
emit '';
|
||||
|
||||
if ( $slowstart ) {
|
||||
emitj( 'TEMPFILE=$(mktempfile)',
|
||||
'[ -n "$TEMPFILE" ] || fatal_error "Cannot create temporary file in /tmp"',
|
||||
'',
|
||||
'exec 3>>$TEMPFILE',
|
||||
''
|
||||
);
|
||||
emit 'exec 3>${VARDIR}/.iptables-input';
|
||||
} else {
|
||||
emit 'iptables-restore << __EOF__';
|
||||
$state = CAT_STATE;
|
||||
@ -1533,7 +1532,7 @@ sub create_netfilter_load() {
|
||||
if ( $slowstart ) {
|
||||
emitj( ' exec 3>&-',
|
||||
'',
|
||||
'iptables-restore < $TEMPFILE'
|
||||
'iptables-restore < ${VARDIR}/.iptables_input'
|
||||
);
|
||||
}
|
||||
|
||||
@ -1542,8 +1541,6 @@ sub create_netfilter_load() {
|
||||
"fi\n"
|
||||
);
|
||||
|
||||
emit 'rm -f $TEMPFILE' if $slowstart;
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "}\n";
|
||||
|
@ -218,6 +218,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
# Stash away file references here when we encounter INCLUDE
|
||||
#
|
||||
my @openstack;
|
||||
|
||||
my $currentfile;
|
||||
my $currentfilename;
|
||||
my $currentlinenumber = 0;
|
||||
@ -259,7 +260,10 @@ sub find_file($)
|
||||
|
||||
for $directory ( split ':', $ENV{CONFIG_PATH} ) {
|
||||
my $file = "$directory/$filename";
|
||||
return $file if -f $file;
|
||||
if ( -f $file ) {
|
||||
$file =~ s|//|/|g;
|
||||
return $file;
|
||||
}
|
||||
}
|
||||
|
||||
"$env{CONFDIR}/$filename";
|
||||
@ -406,6 +410,8 @@ sub read_a_line {
|
||||
$currentfile = undef;
|
||||
|
||||
open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
|
||||
|
||||
$line='';
|
||||
} else {
|
||||
return 1;
|
||||
}
|
||||
|
@ -51,6 +51,7 @@ sub validate_hosts_file()
|
||||
);
|
||||
|
||||
my $ipsec = 0;
|
||||
my $first_entry = 1;
|
||||
|
||||
open_file 'hosts';
|
||||
|
||||
@ -58,6 +59,11 @@ sub validate_hosts_file()
|
||||
|
||||
my ($zone, $hosts, $options ) = split_line 3, 'hosts file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "Validating hosts file...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
my $zoneref = $zones{$zone};
|
||||
my $type = $zoneref->{type};
|
||||
|
||||
|
@ -101,7 +101,6 @@ sub setup_one_masq($$$$$$)
|
||||
my $destnets = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
|
||||
#
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
@ -239,12 +238,20 @@ sub setup_one_masq($$$$$$)
|
||||
#
|
||||
sub setup_masq()
|
||||
{
|
||||
my $first_entry = 1;
|
||||
|
||||
open_file 'masq';
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing Masq file...";
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
if ( $fullinterface eq 'COMMENT' ) {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
||||
@ -299,8 +306,6 @@ sub do_one_nat( $$$$$ )
|
||||
my $policyin = '';
|
||||
my $policyout = '';
|
||||
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
|
||||
|
||||
if ( $capabilities{POLICY_MATCH} ) {
|
||||
$policyin = ' -m policy --pol none --dir in';
|
||||
$policyout = '-m policy --pol none --dir out';
|
||||
@ -347,12 +352,20 @@ sub do_one_nat( $$$$$ )
|
||||
#
|
||||
sub setup_nat() {
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
open_file 'nat';
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing one-to-one NAT...";
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
if ( $external eq 'COMMENT' ) {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
||||
@ -374,13 +387,19 @@ sub setup_nat() {
|
||||
#
|
||||
sub setup_netmap() {
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
open_file 'netmap';
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $type, $net1, $interface, $net2 ) = split_line 4, 'netmap file';
|
||||
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing NETMAP...";
|
||||
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
|
||||
|
@ -344,13 +344,11 @@ sub setup_providers() {
|
||||
#
|
||||
# Setup_Providers() Starts Here....
|
||||
#
|
||||
progress_message2 "$doing $fn ...";
|
||||
|
||||
open_file 'providers';
|
||||
open_file $fn;
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
unless ( $providers ) {
|
||||
progress_message2 "$doing $fn ...";
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );
|
||||
|
||||
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||
|
@ -65,15 +65,21 @@ sub process_tos() {
|
||||
my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
|
||||
|
||||
if ( open_file 'tos' ) {
|
||||
progress_message2 'Setting up TOS...';
|
||||
my $first_entry = 1;
|
||||
|
||||
my $pretosref = new_chain 'mangle' , $chain;
|
||||
my $outtosref = new_chain 'mangle' , 'outtos';
|
||||
my ( $pretosref, $outtosref );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 'Setting up TOS...';
|
||||
$pretosref = ensure_chain 'mangle' , $chain;
|
||||
$outtosref = ensure_chain 'mangle' , 'outtos';
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
fatal_error "TOS field required: $line" unless $tos ne '-';
|
||||
|
||||
my $chainref;
|
||||
@ -106,8 +112,10 @@ sub process_tos() {
|
||||
'';
|
||||
}
|
||||
|
||||
add_rule $mangle_table->{$stdchain}, "-j $chain";
|
||||
add_rule $mangle_table->{OUTPUT}, "-j outtos";
|
||||
unless ( $first_entry ) {
|
||||
add_rule $mangle_table->{$stdchain}, "-j $chain";
|
||||
add_rule $mangle_table->{OUTPUT}, "-j outtos";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -121,7 +129,7 @@ sub setup_ecn()
|
||||
|
||||
if ( open_file 'ecn' ) {
|
||||
|
||||
progress_message2 join( '' , '$doing ', find_file( 'ecn' ), '...' );
|
||||
progress_message2 join( '' , "$doing ", find_file( 'ecn' ), '...' );
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
|
@ -349,12 +349,13 @@ sub validate_tc_class( $$$$$$ ) {
|
||||
}
|
||||
|
||||
sub setup_traffic_shaping() {
|
||||
my $first_entry = 1;
|
||||
|
||||
save_progress_message "Setting up Traffic Control...";
|
||||
|
||||
my $fn = find_file 'tcdevices';
|
||||
|
||||
if ( -f $fn ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
|
||||
open_file $fn;
|
||||
|
||||
@ -362,6 +363,11 @@ sub setup_traffic_shaping() {
|
||||
|
||||
my ( $device, $inband, $outband ) = split_line 3, 'tcdevices';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
|
||||
validate_tc_device( $device, $inband, $outband );
|
||||
}
|
||||
@ -370,12 +376,17 @@ sub setup_traffic_shaping() {
|
||||
$fn = find_file 'tcclasses';
|
||||
|
||||
if ( -f $fn ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 1;
|
||||
|
||||
open_file $fn;
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
|
||||
|
||||
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
||||
@ -488,23 +499,31 @@ sub setup_traffic_shaping() {
|
||||
#
|
||||
sub setup_tc() {
|
||||
|
||||
ensure_mangle_chain 'tcpre';
|
||||
my $first_entry = 1;
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
ensure_mangle_chain 'tcfor';
|
||||
ensure_mangle_chain 'tcpost';
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
ensure_mangle_chain 'tcpre';
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
ensure_mangle_chain 'tcfor';
|
||||
ensure_mangle_chain 'tcpost';
|
||||
}
|
||||
}
|
||||
|
||||
my $fn = find_file 'tcrules';
|
||||
|
||||
if ( -f $fn ) {
|
||||
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ) if open_file $fn;
|
||||
if ( open_file $fn ) {
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing TC Rules...";
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
if ( $mark eq 'COMMENT' ) {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
||||
|
@ -227,6 +227,9 @@ sub setup_tunnels() {
|
||||
|
||||
progress_message " Tunnel \"$line\" $done";
|
||||
}
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
#
|
||||
# Setup_Tunnels() Starts Here
|
||||
#
|
||||
@ -236,6 +239,11 @@ sub setup_tunnels() {
|
||||
|
||||
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file';
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing Tunnels...";
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
if ( $kind eq 'COMMENT' ) {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
||||
|
@ -666,12 +666,11 @@ sub compiler( $ ) {
|
||||
#
|
||||
# Process the hosts file.
|
||||
#
|
||||
progress_message2 "Validating hosts file...";
|
||||
validate_hosts_file;
|
||||
#
|
||||
# Report zone contents
|
||||
#
|
||||
progress_message "Determining Hosts in Zones...";
|
||||
progress_message2 "Determining Hosts in Zones...";
|
||||
zone_report;
|
||||
#
|
||||
# Do action pre-processing.
|
||||
@ -715,7 +714,6 @@ sub compiler( $ ) {
|
||||
#
|
||||
# TCRules and Traffic Shaping
|
||||
#
|
||||
progress_message2 "$doing TC Rules...";
|
||||
setup_tc;
|
||||
#
|
||||
# TOS
|
||||
@ -728,7 +726,6 @@ sub compiler( $ ) {
|
||||
#
|
||||
# Setup Masquerading/SNAT
|
||||
#
|
||||
progress_message2 "$doing Masq file...";
|
||||
setup_masq;
|
||||
#
|
||||
# MACLIST Filtration
|
||||
@ -743,7 +740,6 @@ sub compiler( $ ) {
|
||||
#
|
||||
# Add Tunnel rules.
|
||||
#
|
||||
progress_message2 "$doing Tunnels...";
|
||||
setup_tunnels;
|
||||
#
|
||||
# Post-rules action processing.
|
||||
@ -763,12 +759,10 @@ sub compiler( $ ) {
|
||||
#
|
||||
# Setup Nat
|
||||
#
|
||||
progress_message2 "$doing one-to-one NAT...";
|
||||
setup_nat;
|
||||
#
|
||||
# Setup NETMAP
|
||||
#
|
||||
progress_message2 "$doing NETMAP...";
|
||||
setup_netmap;
|
||||
#
|
||||
# Accounting.
|
||||
|
Loading…
Reference in New Issue
Block a user