forked from extern/shorewall_code
First phase of config file line preprocessing change
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5680 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e1cccb5ccb
commit
cf4ad08b96
@ -114,12 +114,8 @@ sub setup_accounting() {
|
|||||||
|
|
||||||
while ( $line = <ACC> ) {
|
while ( $line = <ACC> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 8, 'Accounting File';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
accounting_error if $extra;
|
|
||||||
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
|
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
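Review bot: The description passed at `split_line 8, 'Accounting File'` is capitalised, while every other call in this commit passes a lowercase name such as `'policy file'` or `'macro file'`, so the generated message reads "Invalid Accounting File entry" next to "Invalid policy file entry". `split_line 8, 'accounting file'` keeps the messages uniform. The enclosing `while ( $line = <ACC> )` loop also relies on `split_line` reading the shared `$line` variable rather than receiving it, which is worth a comment at the call if that convention is new to readers of this file.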
@ -259,9 +259,7 @@ sub process_actions1() {
|
|||||||
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
|
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
|
||||||
|
|
||||||
while ( $line = <F> ) {
|
while ( $line = <F> ) {
|
||||||
chomp $line;
|
my ( $action ) = split_line 1, 'action file';
|
||||||
my ( $action , $extra ) = split /\s+/, $line;
|
|
||||||
fatal_error "Invalid Action: $line" if $extra;
|
|
||||||
|
|
||||||
if ( $action =~ /:/ ) {
|
if ( $action =~ /:/ ) {
|
||||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||||
@ -293,12 +291,9 @@ sub process_actions1() {
|
|||||||
chomp $line;
|
chomp $line;
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
|
|
||||||
( my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) , $extra ) = split /\s+/, $line;
|
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
|
||||||
|
|
||||||
fatal_error "Invalid action rule \"$line\"\n" if $extra;
|
|
||||||
|
|
||||||
my ( $target, $level ) = split_action $wholetarget;
|
my ( $target, $level ) = split_action $wholetarget;
|
||||||
|
|
||||||
@ -324,13 +319,10 @@ sub process_actions1() {
|
|||||||
|
|
||||||
while ( $line = <M> ) {
|
while ( $line = <M> ) {
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser, $mextra ) = split /\s+/, $line;
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
fatal_error "Invalid macro rule \"$line\"" if $mextra;
|
|
||||||
|
|
||||||
$mtarget =~ s/:.*$//;
|
$mtarget =~ s/:.*$//;
|
||||||
|
|
||||||
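Review bot: The new line keeps `$ mrate`, with a space between the sigil and the name, carried over from the removed line; Perl resolves it to `$mrate`, but it reads like a typo beside `$mtarget, $msource, ...` on the same line. Write `$mrate` as it is written in the `process_action3` and `process_macro` hunks. The enclosing loop starts before this hunk.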
@ -417,11 +409,10 @@ sub process_action3( $$$$$ ) {
|
|||||||
chomp $line;
|
chomp $line;
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user , $extra ) = split /\s+/, $line;
|
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
|
||||||
|
|
||||||
my $target2 = merge_levels $wholeaction, $target;
|
my $target2 = merge_levels $wholeaction, $target;
|
||||||
|
|
||||||
@ -458,11 +449,10 @@ sub process_action3( $$$$$ ) {
|
|||||||
while ( $line = <M> ) {
|
while ( $line = <M> ) {
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line;
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||||
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
|
||||||
|
@ -976,6 +976,34 @@ sub log_rule( $$$$ ) {
|
|||||||
log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $env{LOGLIMIT}, '', 'add', $predicates;
|
log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $env{LOGLIMIT}, '', 'add', $predicates;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Split a comma-separated source or destination host list but keep [...] together.
|
||||||
|
#
|
||||||
|
sub mysplit( $ ) {
|
||||||
|
my @input = split /,/, $_[0];
|
||||||
|
|
||||||
|
return @input unless $_[0] =~ /\[/;
|
||||||
|
|
||||||
|
my @result;
|
||||||
|
|
||||||
|
while ( @input ) {
|
||||||
|
my $element = shift @input;
|
||||||
|
|
||||||
|
if ( $element =~ /\[/ ) {
|
||||||
|
while ( ! ( $element =~ /\]/ ) ) {
|
||||||
|
last unless @input;
|
||||||
|
$element .= ( ',' . shift @input );
|
||||||
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
||||||
|
}
|
||||||
|
|
||||||
|
push @result, $element;
|
||||||
|
}
|
||||||
|
|
||||||
|
@result;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Keep track of which interfaces have active 'address' variables
|
# Keep track of which interfaces have active 'address' variables
|
||||||
#
|
#
|
||||||
|
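Review bot: `mysplit` reads its argument as `$_[0]` in three places and ends on a bare `@result;`, which makes the contract harder to see than the surrounding subs that unpack `@_` and `return` explicitly. `my ( $list ) = @_;` at the top, `return @input unless $list =~ /\[/;` and `return @result;` at the end would read the same way as the rest of the file without changing behaviour. The header comment already states the purpose; adding "returns the list of elements, dying via fatal_error when a `[` is never closed" would document the failure path too.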
@ -34,7 +34,7 @@ our @EXPORT = qw(ALLIPv4
|
|||||||
|
|
||||||
warning_message
|
warning_message
|
||||||
fatal_error
|
fatal_error
|
||||||
mysplit
|
split_line
|
||||||
create_temp_object
|
create_temp_object
|
||||||
finalize_object
|
finalize_object
|
||||||
emit
|
emit
|
||||||
@ -98,34 +98,24 @@ sub fatal_error
|
|||||||
die;
|
die;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
sub split_line( $$ ) {
|
||||||
# Split a comma-separated source or destination host list but keep [...] together.
|
my ( $columns, $description ) = @_;
|
||||||
#
|
|
||||||
sub mysplit( $ ) {
|
|
||||||
my @input = split /,/, $_[0];
|
|
||||||
|
|
||||||
return @input unless $_[0] =~ /\[/;
|
chomp $line;
|
||||||
|
|
||||||
|
$line =~ s/\s+/ /g;
|
||||||
|
|
||||||
my @result;
|
my @line = split /\s+/, $line;
|
||||||
|
|
||||||
while ( @input ) {
|
return @line if $line[0] eq 'COMMENT';
|
||||||
my $element = shift @input;
|
|
||||||
|
|
||||||
if ( $element =~ /\[/ ) {
|
|
||||||
while ( ! ( $element =~ /\]/ ) ) {
|
|
||||||
last unless @input;
|
|
||||||
$element .= ( ',' . shift @input );
|
|
||||||
}
|
|
||||||
|
|
||||||
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
|
||||||
}
|
|
||||||
|
|
||||||
push @result, $element;
|
fatal_error "Invalid $description entry: $line" if @line > $columns;
|
||||||
}
|
|
||||||
|
|
||||||
@result;
|
push @line, '-' while @line < $columns;
|
||||||
|
|
||||||
|
@line;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub create_temp_object( $ ) {
|
sub create_temp_object( $ ) {
|
||||||
my $objectfile = $_[0];
|
my $objectfile = $_[0];
|
||||||
my $suffix;
|
my $suffix;
|
||||||
|
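Review bot: `split_line` chomps, rewrites and splits `$line` through a variable that is not declared in this hunk, so every `my (...) = split_line N, '...'` call site in this commit depends on the caller having assigned that shared `$line` first; presumably it is a package global shared with the callers, and a comment such as `# Operates on the shared $line set by the caller's read loop` above the sub would make that visible. `$line =~ s/\s+/ /g;` followed by `split /\s+/, $line` yields an empty first field when a line starts with whitespace, whereas `my @line = split ' ', $line;` discards leading whitespace on its own and makes the substitution unnecessary. `$line[0] eq 'COMMENT'` also warns on an all-blank line because `@line` is then empty; only the action-file loops shown skip blank lines before calling, so `return @line unless @line;` ahead of the COMMENT test would cover the others. The COMMENT early return also skips the `'-'` padding, which callers that compare columns against `'-'` should be aware of.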
@ -37,7 +37,7 @@ our @VERSION = 1.00;
|
|||||||
#
|
#
|
||||||
our %env = ( SHAREDIR => '/usr/share/shorewall' ,
|
our %env = ( SHAREDIR => '/usr/share/shorewall' ,
|
||||||
CONFDIR => '/etc/shorewall',
|
CONFDIR => '/etc/shorewall',
|
||||||
SHAREDIR4 => '/usr/share/shorewall-pl/',
|
SHAREDIRPL => '/usr/share/shorewall-pl/',
|
||||||
LOGPARMS => '',
|
LOGPARMS => '',
|
||||||
VERSION => '3.9.0-1',
|
VERSION => '3.9.0-1',
|
||||||
);
|
);
|
||||||
@ -392,11 +392,10 @@ sub get_configuration() {
|
|||||||
default_yes_no 'TC_EXPERT' , '';
|
default_yes_no 'TC_EXPERT' , '';
|
||||||
default_yes_no 'USE_ACTIONS' , 'Yes';
|
default_yes_no 'USE_ACTIONS' , 'Yes';
|
||||||
default_yes_no 'EXPORTPARAMS' , '';
|
default_yes_no 'EXPORTPARAMS' , '';
|
||||||
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
|
|
||||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||||
|
|
||||||
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support' if $config{HIGH_ROUTE_MARKS} and ! $capabilities{XCONNMARK};
|
|
||||||
|
|
||||||
default 'BLACKLIST_DISPOSITION' , 'DROP';
|
default 'BLACKLIST_DISPOSITION' , 'DROP';
|
||||||
|
|
||||||
my $val;
|
my $val;
|
||||||
@ -445,11 +444,6 @@ sub get_configuration() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $config{MANGLE_ENABLED} ) {
|
|
||||||
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
|
|
||||||
}
|
|
||||||
|
|
||||||
default 'MARK_IN_FORWARD_CHAIN' , '';
|
|
||||||
default 'RESTOREFILE' , 'restore';
|
default 'RESTOREFILE' , 'restore';
|
||||||
default 'DROP_DEFAULT' , 'Drop';
|
default 'DROP_DEFAULT' , 'Drop';
|
||||||
default 'REJECT_DEFAULT' , 'Reject';
|
default 'REJECT_DEFAULT' , 'Reject';
|
||||||
|
@ -56,12 +56,7 @@ sub validate_hosts_file()
|
|||||||
|
|
||||||
while ( $line = <HOSTS> ) {
|
while ( $line = <HOSTS> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ($zone, $hosts, $options ) = split_line 3, 'hosts file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ($zone, $hosts, $options, $extra) = split /\s+/, $line;
|
|
||||||
|
|
||||||
fatal_error "Invalid hosts file entry: $line" if $extra;
|
|
||||||
|
|
||||||
my $zoneref = $zones{$zone};
|
my $zoneref = $zones{$zone};
|
||||||
my $type = $zoneref->{type};
|
my $type = $zoneref->{type};
|
||||||
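Review bot: `my $zoneref = $zones{$zone};` is followed straight by `$zoneref->{type}`, and with `split_line 3, 'hosts file'` an absent ZONE column now arrives as `'-'`, which is not a zone name, so `$zoneref` is undef and the deref autovivifies instead of reporting the entry. Unless a later check in the loop catches it (the rest of the loop is outside the hunk), `fatal_error "Unknown zone ($zone)" unless $zoneref;` between those two lines would name the bad line. The `while ( $line = <HOSTS> )` body continues past the hunk.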
@ -77,7 +72,7 @@ sub validate_hosts_file()
|
|||||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOSTS(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
|
|
||||||
my $optionsref;
|
my $optionsref;
|
||||||
|
@ -135,14 +135,9 @@ sub validate_interfaces_file()
|
|||||||
|
|
||||||
while ( $line = <INTERFACES> ) {
|
while ( $line = <INTERFACES> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ($zone, $interface, $networks, $options ) = split_line 4, 'interfaces file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ($zone, $interface, $networks, $options, $extra) = split /\s+/, $line;
|
|
||||||
my $zoneref;
|
my $zoneref;
|
||||||
|
|
||||||
fatal_error "Invalid interfaces entry: $line" if $extra;
|
|
||||||
|
|
||||||
if ( $zone eq '-' ) {
|
if ( $zone eq '-' ) {
|
||||||
$zone = '';
|
$zone = '';
|
||||||
} else {
|
} else {
|
||||||
@ -153,7 +148,7 @@ sub validate_interfaces_file()
|
|||||||
}
|
}
|
||||||
|
|
||||||
$networks = '' if $networks eq '-';
|
$networks = '' if $networks eq '-';
|
||||||
$options = '' if $networks eq '-';
|
$options = '' if $options eq '-';
|
||||||
|
|
||||||
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
|
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
|
||||||
|
|
||||||
|
@ -250,10 +250,7 @@ sub setup_masq()
|
|||||||
|
|
||||||
while ( $line = <MASQ> ) {
|
while ( $line = <MASQ> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $extra) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $fullinterface eq 'COMMENT' ) {
|
if ( $fullinterface eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -263,7 +260,6 @@ sub setup_masq()
|
|||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid masq file entry: \"$line\"" if $extra;
|
|
||||||
setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec;
|
setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -360,10 +356,7 @@ sub setup_nat() {
|
|||||||
|
|
||||||
while ( $line = <NAT> ) {
|
while ( $line = <NAT> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $external, $interface, $internal, $allints, $localnat, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $external eq 'COMMENT' ) {
|
if ( $external eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -373,7 +366,6 @@ sub setup_nat() {
|
|||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid nat file entry: \"$line\"" if $extra;
|
|
||||||
do_one_nat $external, $interface, $internal, $allints, $localnat;
|
do_one_nat $external, $interface, $internal, $allints, $localnat;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -131,12 +131,8 @@ sub validate_policy()
|
|||||||
open POLICY, "$ENV{TMP_DIR}/policy" or fatal_error "Unable to open stripped policy file: $!";
|
open POLICY, "$ENV{TMP_DIR}/policy" or fatal_error "Unable to open stripped policy file: $!";
|
||||||
|
|
||||||
while ( $line = <POLICY> ) {
|
while ( $line = <POLICY> ) {
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $client, $server, $policy, $loglevel, $synparams , $extra ) = split /\s+/, $line;
|
my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 5, 'policy file';
|
||||||
|
|
||||||
fatal_error "Invalid policy file entry: $line" if $extra;
|
|
||||||
|
|
||||||
$loglevel = '' unless defined $loglevel;
|
$loglevel = '' unless defined $loglevel;
|
||||||
$synparams = '' unless defined $synparams;
|
$synparams = '' unless defined $synparams;
|
||||||
|
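Review bot: `$loglevel = '' unless defined $loglevel;` and the `$synparams` line after it can no longer fire, because `split_line 5, 'policy file'` pads missing columns with `'-'` instead of leaving them undef. If the code after the hunk expects an empty string for an absent LOG LEVEL or SYN parameter, these should become `$loglevel = '' if $loglevel eq '-';` and `$synparams = '' if $synparams eq '-';`; otherwise the two lines are dead and can be dropped. The same `'-'`-versus-undef shift applies to every loop converted in this commit, but this is the only one shown that tests `defined`.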
@ -359,12 +359,8 @@ sub setup_providers() {
|
|||||||
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
|
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
|
||||||
|
|
||||||
while ( $line = <PV> ) {
|
while ( $line = <PV> ) {
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy, $extra ) = split /\s+/, $line;
|
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
|
||||||
|
|
||||||
fatal_error "Invalid providers entry: $line" if $extra;
|
|
||||||
|
|
||||||
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
|
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
|
||||||
|
|
||||||
@ -418,12 +414,7 @@ sub setup_providers() {
|
|||||||
open RR, "$ENV{TMP_DIR}/route_rules" or fatal_error "Unable to open stripped route rules file: $!";
|
open RR, "$ENV{TMP_DIR}/route_rules" or fatal_error "Unable to open stripped route rules file: $!";
|
||||||
|
|
||||||
while ( $line = <RR> ) {
|
while ( $line = <RR> ) {
|
||||||
chomp $line;
|
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $source, $dest, $provider, $priority, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
fatal_error "Invalid providers entry: $line" if $extra;
|
|
||||||
|
|
||||||
add_an_rtrule( $source, $dest, $provider , $priority );
|
add_an_rtrule( $source, $dest, $provider , $priority );
|
||||||
}
|
}
|
||||||
|
@ -95,12 +95,8 @@ sub setup_proxy_arp() {
|
|||||||
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
|
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
|
||||||
|
|
||||||
while ( $line = <PA> ) {
|
while ( $line = <PA> ) {
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $address, $interface, $external, $haveroute, $persistent, $extra ) = split /\s+/, $line;
|
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
|
||||||
|
|
||||||
fatal_error "Invalid proxyarp file entry: \"$line\"" if $extra;
|
|
||||||
|
|
||||||
$set{$interface} = 1;
|
$set{$interface} = 1;
|
||||||
$reset{$external} = 1 unless $set{$external};
|
$reset{$external} = 1 unless $set{$external};
|
||||||
|
@ -72,12 +72,9 @@ sub process_tos() {
|
|||||||
|
|
||||||
while ( $line = <TOS> ) {
|
while ( $line = <TOS> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ($source, $dest, $proto, $sports, $ports ) = split_line 5, 'tos file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ($source, $dest, $proto, $sports, $ports, $extra) = split /\s+/, $line;
|
### Fixme ###
|
||||||
|
|
||||||
fatal_error "Invalid tos file entry: \"$line\"" if $extra;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
close TOS;
|
close TOS;
|
||||||
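Review bot: The loop body now ends at `### Fixme ###` with the five columns from `split_line 5, 'tos file'` unpacked and never used, and the former `$extra` check has been removed without a replacement. A marker that says what is pending would help the next reader, e.g. `# FIXME: tos entries are parsed but not yet validated or turned into rules`. The enclosing `while ( $line = <TOS> )` loop starts before the hunk.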
@ -111,10 +108,8 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
||||||
|
|
||||||
while ( $line = <RFC> ) {
|
while ( $line = <RFC> ) {
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $networks, $target, $extra ) = split /\s+/, $line;
|
my ( $networks, $target ) = split_line 2, 'rfc1918 file';
|
||||||
|
|
||||||
my $s_target;
|
my $s_target;
|
||||||
|
|
||||||
@ -196,12 +191,7 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
while ( $line = <BL> ) {
|
while ( $line = <BL> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $networks, $protocol, $ports , $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
fatal_error "Invalid blacklist entry: \"$line\"" if $extra;
|
|
||||||
|
|
||||||
expand_rule
|
expand_rule
|
||||||
ensure_filter_chain( 'blacklst' , 0 ) ,
|
ensure_filter_chain( 'blacklst' , 0 ) ,
|
||||||
@ -251,14 +241,8 @@ sub process_criticalhosts() {
|
|||||||
while ( $line = <RS> ) {
|
while ( $line = <RS> ) {
|
||||||
|
|
||||||
my $routeback = 0;
|
my $routeback = 0;
|
||||||
|
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
|
|
||||||
my ($interface, $hosts, $options, $extra) = split /\s+/, $line;
|
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
||||||
|
|
||||||
fatal_error "Invalid routestopped file entry: \"$line\"" if $extra;
|
|
||||||
|
|
||||||
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
||||||
|
|
||||||
@ -301,13 +285,7 @@ sub process_routestopped() {
|
|||||||
|
|
||||||
my $routeback = 0;
|
my $routeback = 0;
|
||||||
|
|
||||||
chomp $line;
|
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
|
|
||||||
my ($interface, $hosts, $options, $extra) = split /\s+/, $line;
|
|
||||||
|
|
||||||
fatal_error "Invalid routestopped file entry: \"$line\"" if $extra;
|
|
||||||
|
|
||||||
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
|
||||||
|
|
||||||
@ -595,10 +573,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
|
|
||||||
while ( $line = <MAC> ) {
|
while ( $line = <MAC> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $disposition, $interface, $mac, $addresses ) = split_line 4, 'maclist file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $disposition, $interface, $mac, $addresses , $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $disposition eq 'COMMENT' ) {
|
if ( $disposition eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -608,8 +583,6 @@ sub setup_mac_lists( $ ) {
|
|||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid maclist entry: \"$line\"" if $extra;
|
|
||||||
|
|
||||||
( $disposition, my $level ) = split /:/, $disposition;
|
( $disposition, my $level ) = split /:/, $disposition;
|
||||||
|
|
||||||
my $targetref = $maclist_targets{$disposition};
|
my $targetref = $maclist_targets{$disposition};
|
||||||
@ -711,11 +684,10 @@ sub process_macro ( $$$$$$$$$$$ ) {
|
|||||||
chomp $line;
|
chomp $line;
|
||||||
next if $line =~ /^\s*#/;
|
next if $line =~ /^\s*#/;
|
||||||
next if $line =~ /^\s*$/;
|
next if $line =~ /^\s*$/;
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
$line =~ s/#.*$//;
|
$line =~ s/#.*$//;
|
||||||
$line = expand_shell_variables $line unless $standard;
|
$line = expand_shell_variables $line unless $standard;
|
||||||
|
|
||||||
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line;
|
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
|
||||||
|
|
||||||
$mtarget = merge_levels $target, $mtarget;
|
$mtarget = merge_levels $target, $mtarget;
|
||||||
|
|
||||||
@ -1119,10 +1091,7 @@ sub process_rules() {
|
|||||||
|
|
||||||
while ( $line = <RULES> ) {
|
while ( $line = <RULES> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user ) = split_line 9, 'rules file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $target eq 'COMMENT' ) {
|
if ( $target eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -1134,7 +1103,7 @@ sub process_rules() {
|
|||||||
} elsif ( $target eq 'SECTION' ) {
|
} elsif ( $target eq 'SECTION' ) {
|
||||||
fatal_error "Invalid SECTION $source" unless defined $sections{$source};
|
fatal_error "Invalid SECTION $source" unless defined $sections{$source};
|
||||||
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
|
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
|
||||||
fatal_error "Invalid Section $source $dest" if $dest;
|
fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-';
|
||||||
$sectioned = 1;
|
$sectioned = 1;
|
||||||
$sections{$source} = 1;
|
$sections{$source} = 1;
|
||||||
|
|
||||||
@ -1148,7 +1117,6 @@ sub process_rules() {
|
|||||||
|
|
||||||
$section = $source;
|
$section = $source;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid rules file entry: \"$line\"" if $extra;
|
|
||||||
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
|
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -119,7 +119,7 @@ my @tccmd = ( { pattern => 'SAVE' ,
|
|||||||
);
|
);
|
||||||
|
|
||||||
sub process_tc_rule( $$$$$$$$$$ ) {
|
sub process_tc_rule( $$$$$$$$$$ ) {
|
||||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = @_;
|
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = @_;
|
||||||
|
|
||||||
my $original_mark = $mark;
|
my $original_mark = $mark;
|
||||||
|
|
||||||
@ -357,12 +357,9 @@ sub setup_traffic_shaping() {
|
|||||||
|
|
||||||
while ( $line = <TD> ) {
|
while ( $line = <TD> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $device, $inband, $outband ) = split_line 3, 'tcdevices';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $device, $inband, $outband, $extra ) = split /\s+/, $line;
|
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
|
||||||
|
|
||||||
fatal_error "Invalid tcdevices entry: \"$line\"" if $extra || ! $outband;
|
|
||||||
validate_tc_device( $device, $inband, $outband );
|
validate_tc_device( $device, $inband, $outband );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -378,12 +375,8 @@ sub setup_traffic_shaping() {
|
|||||||
|
|
||||||
while ( $line = <TC> ) {
|
while ( $line = <TC> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $device, $mark, $rate, $ceil, $prio, $options, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
fatal_error "Invalid tcclasses entry: \"$line\"" if $extra || ! $ceil;
|
|
||||||
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
|
||||||
}
|
}
|
||||||
|
|
||||||
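Review bot: `fatal_error "Invalid tcclasses entry: \"$line\"" if $extra || ! $ceil;` is removed without a replacement, whereas the tcdevices loop in the previous hunk keeps its check as `if $outband eq '-'`. Since `split_line 6, 'tcclasses file'` pads a missing CEIL column with `'-'`, `validate_tc_class` is now called with `$ceil eq '-'` on a short line; add `fatal_error "Invalid tcclasses entry: \"$line\"" if $ceil eq '-';` before the `validate_tc_class` call unless `validate_tc_class` (outside the hunk) rejects that value itself.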
@ -505,10 +498,7 @@ sub setup_tc() {
|
|||||||
|
|
||||||
while ( $line = <TC> ) {
|
while ( $line = <TC> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $mark eq 'COMMENT' ) {
|
if ( $mark eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -518,7 +508,6 @@ sub setup_tc() {
|
|||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid tcrule: \"$line\"" if $extra;
|
|
||||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -234,10 +234,7 @@ sub setup_tunnels() {
|
|||||||
|
|
||||||
while ( $line = <TUNNELS> ) {
|
while ( $line = <TUNNELS> ) {
|
||||||
|
|
||||||
chomp $line;
|
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file';
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my ( $kind, $zone, $gateway, $gatewayzones, $extra ) = split /\s+/, $line;
|
|
||||||
|
|
||||||
if ( $kind eq 'COMMENT' ) {
|
if ( $kind eq 'COMMENT' ) {
|
||||||
if ( $capabilities{COMMENTS} ) {
|
if ( $capabilities{COMMENTS} ) {
|
||||||
@ -247,7 +244,6 @@ sub setup_tunnels() {
|
|||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid Tunnels file entry: \"$line\"" if $extra;
|
|
||||||
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
|
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -183,14 +183,10 @@ sub determine_zones()
|
|||||||
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
|
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
|
||||||
|
|
||||||
while ( $line = <ZONES> ) {
|
while ( $line = <ZONES> ) {
|
||||||
chomp $line;
|
|
||||||
$line =~ s/\s+/ /g;
|
|
||||||
|
|
||||||
my @parents;
|
my @parents;
|
||||||
|
|
||||||
my ($zone, $type, $options, $in_options, $out_options, $extra) = split /\s+/, $line;
|
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
|
||||||
|
|
||||||
fatal_error("Invalid zone file entry: $line") if $extra;
|
|
||||||
|
|
||||||
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
if ( $zone =~ /(\w+):([\w,]+)/ ) {
|
||||||
$zone = $1;
|
$zone = $1;
|
||||||
|
@ -60,7 +60,7 @@ use Shorewall::Proc;
|
|||||||
use Shorewall::Proxyarp;
|
use Shorewall::Proxyarp;
|
||||||
|
|
||||||
sub generate_script_1 {
|
sub generate_script_1 {
|
||||||
copy $env{SHAREDIR4} . 'prog.header';
|
copy $env{SHAREDIRPL} . 'prog.header';
|
||||||
|
|
||||||
my $date = localtime;
|
my $date = localtime;
|
||||||
|
|
||||||
@ -442,7 +442,7 @@ stop_firewall() {
|
|||||||
|
|
||||||
sub generate_script_2 () {
|
sub generate_script_2 () {
|
||||||
|
|
||||||
copy $env{SHAREDIR4} . 'prog.functions';
|
copy $env{SHAREDIRPL} . 'prog.functions';
|
||||||
|
|
||||||
emit '#';
|
emit '#';
|
||||||
emit '# Setup Routing and Traffic Shaping';
|
emit '# Setup Routing and Traffic Shaping';
|
||||||
@ -575,7 +575,7 @@ esac';
|
|||||||
|
|
||||||
emit "}\n";
|
emit "}\n";
|
||||||
|
|
||||||
copy $env{SHAREDIR4} . 'prog.footer';
|
copy $env{SHAREDIRPL} . 'prog.footer';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub compile_firewall( $ ) {
|
sub compile_firewall( $ ) {
|
||||||
@ -603,6 +603,11 @@ sub compile_firewall( $ ) {
|
|||||||
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
|
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
|
||||||
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
|
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
|
||||||
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
|
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
|
||||||
|
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
|
||||||
|
if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
|
||||||
|
if ( $config{MANGLE_ENABLED} ) {
|
||||||
|
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Process the zones file.
|
# Process the zones file.
|
||||||
#
|
#
|
||||||
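Review bot: The MANGLE_ENABLED check is the only one of the capability checks in this block written as an `if` block; the ones around it, including the HIGH_ROUTE_MARKS check moved here by the same commit, use the `fatal_error '...' if ...;` form. `fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' if $config{MANGLE_ENABLED} && ! $capabilities{MANGLE_ENABLED};` matches that style and removes the extra braces. `compile_firewall` continues outside the hunk.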
@ -730,7 +735,7 @@ sub compile_firewall( $ ) {
|
|||||||
#
|
#
|
||||||
# And generate the auxilary config file
|
# And generate the auxilary config file
|
||||||
#
|
#
|
||||||
generate_aux_config;
|
generate_aux_config if $ENV{EXPORT};
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
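Review bot: `generate_aux_config if $ENV{EXPORT};` tests the environment variable for Perl truthiness, so an unset or empty EXPORT skips the call while any other string runs it; if EXPORT can carry a Yes/No value rather than being a presence flag, compare it explicitly. Neither the hunk nor the commit message says why the auxiliary config became conditional, so a one-line comment above the call stating the reason would help whoever next touches `compile_firewall`.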