holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Search and destroy trailing whitespace

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-04-24 14:52:57 -07:00
parent f860cd037d
commit d904a2de86
67 changed files with 476 additions and 479 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-core/configure vendored
View File

@ -56,7 +56,7 @@ getfileparams() {
esac
done
return 0
}
@ -70,7 +70,7 @@ for p in $@; do
pv=${p#*=}
if [ -n "${pn}" ]; then
case ${pn} in
VENDOR)
pn=HOST
@ -85,7 +85,7 @@ for p in $@; do
pn=CONFDIR
;;
esac
params[${pn}]="${pv}"
else
echo "ERROR: Invalid option ($p)" >&2
@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
$params[HOST]=apple
rcfile=shorewallrc.apple
;;
cygwin*)
$params[HOST]=cygwin
rcfile=shorewallrc.cygwin

4
Shorewall-core/configure.pl
View File

@ -30,7 +30,7 @@ use strict;
#
# Build updates this
#
use constant {
use constant {
VERSION => '4.5.2.1'
};
@ -131,7 +131,7 @@ for ( qw/ HOST
PERLLIBDIR
CONFDIR
SBINDIR
MANDIR
MANDIR
INITDIR
INITSOURCE
INITFILE

4
Shorewall-core/install.sh
View File

@ -33,7 +33,7 @@ usage() # $1 = exit status
exit $1
}
fatal_error()
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2}
}
require()
require()
{
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
}

38
Shorewall-core/lib.cli
View File

@ -434,7 +434,7 @@ save_config() {
# order we all know and love
#
sort_routes() {
local dest
local dest
local rest
local crvsn
@ -472,7 +472,7 @@ find_tables() {
#
show_routing() {
local rule
local table
local table
if [ -n "$(ip -$g_family rule list)" ]; then
heading "Routing Rules"
@ -1029,12 +1029,12 @@ perip_accounting() {
if [ -n "$hnames" ]; then
for hname in $hnames; do
iptaccount -l $hname | egrep '^IP:|^Show'
iptaccount -l $hname | egrep '^IP:|^Show'
echo
done
else
echo " No IP Accounting Tables Defined"
echo
echo
fi
else
echo " iptaccount is not installed"
@ -1259,7 +1259,7 @@ do_dump_command() {
netstat -${g_family}tunap
else
netstat -tunap
fi
fi
if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control"
@ -2036,11 +2036,11 @@ determine_capabilities() {
qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
else
qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
fi
fi
if [ -n "$CONNTRACK_MATCH" ]; then
qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
if [ $g_family -eq 4 ]; then
qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
else
@ -2129,7 +2129,7 @@ determine_capabilities() {
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
fi
@ -2223,10 +2223,10 @@ determine_capabilities() {
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
case "$KERNELVERSION" in
case "$KERNELVERSION" in
*.*.*)
KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;;
@ -2316,7 +2316,7 @@ report_capabilities() {
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
else
@ -2536,7 +2536,7 @@ forget_command() {
ipcalc_command() {
local address
local vlsm
[ $g_family -eq 6 ] && usage 1
if [ $# -eq 2 ]; then
@ -2567,7 +2567,7 @@ iprange_command() {
[ $g_family -eq 6 ] && usage 1
range=''
range=''
while [ $# -gt 0 ]; do
shift
@ -2629,7 +2629,7 @@ get_config() {
ensure_config_path
config=$(find_file ${g_program}.conf)
if [ -f $config ]; then
if [ -r $config ]; then
. $config
@ -2676,7 +2676,7 @@ get_config() {
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
else
IPTABLES=$(mywhich iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
@ -2691,7 +2691,7 @@ get_config() {
echo " ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
exit 2
fi
else
else
IP6TABLES=$(mywhich ip6tables 2> /dev/null)
if [ -z "$IP6TABLES" ] ; then
echo " ERROR: Can't find ip6tables executable" >&2
@ -2748,7 +2748,7 @@ verify_firewall_script() {
else
echo " The file $g_firewall does not exist" >&2
fi
exit 2
fi
}
@ -3189,7 +3189,7 @@ shorewall_cli() {
[ $# -eq 1 ] || usage 1
[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
get_config
status_command
status_command
;;
dump)
get_config Yes No Yes
@ -3299,6 +3299,6 @@ shorewall_cli() {
else
usage 1
fi
;;
;;
esac
}

2
Shorewall-core/lib.common
View File

@ -593,7 +593,7 @@ find_first_interface_address() # $1 = interface
#
[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
#
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
# along with everything else on the line
#
echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'

2
Shorewall-core/shorewallrc.cygwin
View File

@ -16,5 +16,5 @@ INITSOURCE= #Unused on Cygwin
ANNOTATED= #Unused on Cygwin
SYSTEMD= #Unused on Cygwin
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARDIR=/var/lib #Unused on Cygwin

6
Shorewall-lite/init.debian.sh
View File

@ -23,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ;
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
@ -35,9 +35,9 @@ fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
else
echo "not done (check $INITLOG)."
fi

10
Shorewall-lite/init.fedora.sh
View File

@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else
else
failure
fi
echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
rm -f $lockfile
success
else
else
failure
fi
echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present

8
Shorewall-lite/install.sh
View File

@ -33,7 +33,7 @@ usage() # $1 = exit status
exit $1
}
fatal_error()
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2}
}
require()
require()
{
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
}
@ -118,7 +118,7 @@ while [ $finished -eq 0 ] ; do
case "$1" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
@ -268,7 +268,7 @@ if [ -n "$DESTDIR" ]; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

2
Shorewall-lite/shorewall-lite
View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net

2
Shorewall-lite/shorewall-lite.conf
View File

@ -1,5 +1,5 @@
###############################################################################
# /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
# /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
# variables to override the values in the shorewall.conf file used to
# compile /var/lib/shorewall-lite/firewall. Those values may be found in
# /var/lib/shorewall-lite/firewall.conf.

3
Shorewall/Perl/.includepath
View File

@ -1,3 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<includepath />

12
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -85,7 +85,7 @@ sub initialize() {
# The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
# the first non-commentary line in the accounting file isn't a section header
#
# This allows the section header processor to quickly check for correct order
# This allows the section header processor to quickly check for correct order
#
$asection = -1;
#
@ -194,7 +194,7 @@ sub process_accounting_rule( ) {
$ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all';
fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $rule2 = 0;
@ -250,7 +250,7 @@ sub process_accounting_rule( ) {
if ( $source eq 'any' || $source eq 'all' ) {
$source = ALLIP;
} else {
} else {
fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
}
@ -289,7 +289,7 @@ sub process_accounting_rule( ) {
if ( ! $chainref ) {
if ( reserved_chain_name( $chain ) ) {
fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain;
fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain;
$chainref = ensure_accounting_chain $chain, 0 , $restriction;
} elsif ( $asection ) {
fatal_error "Unknown accounting chain ($chain)";
@ -312,7 +312,7 @@ sub process_accounting_rule( ) {
}
} else {
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
if ( $ipsec ne '-' ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@ -338,7 +338,7 @@ sub process_accounting_rule( ) {
}
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
$restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
expand_rule

222
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -364,7 +364,7 @@ use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
#
# Optimization masks
#
use constant {
use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
};
@ -500,7 +500,7 @@ my %ipset_exists;
# shell command, the text of the command is in
# the cmd
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
# cmdlevel => nesting level within loops and conditional blocks.
# cmdlevel => nesting level within loops and conditional blocks.
# determines indentation
# simple => true|false. If true, there are no matches or options
# jump => 'j' or 'g' (determines whether '-j' or '-g' is included)
@ -510,7 +510,7 @@ my %ipset_exists;
# <option> => iptables/ip6tables -A options (e.g., i => eth0)
# <match> => iptables match. Value may be a scalar or array.
# if an array, multiple "-m <match>"s will be generated
# }
# }
#
# The following constants and hash are used to classify keys in a rule hash
#
@ -524,7 +524,7 @@ my %opttype = ( rule => CONTROL,
cmd => CONTROL,
dhcp => UNIQUE,
mode => CONTROL,
cmdlevel => CONTROL,
simple => CONTROL,
@ -538,12 +538,12 @@ my %opttype = ( rule => CONTROL,
sport => UNIQUE,
'icmp-type' => UNIQUE,
'icmpv6-type' => UNIQUE,
comment => CONTROL,
policy => MATCH,
state => EXCLUSIVE,
jump => TARGET,
target => TARGET,
targetopts => TARGET,
@ -563,7 +563,7 @@ my %aliases = ( protocol => 'p',
);
my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
@ -620,7 +620,7 @@ sub initialize( $$$ ) {
$hashlimitset = 0;
$ipset_rules = 0 if $hard;
%ipset_exists = ();
%ipset_exists = ();
%helpers = ( amanda => TCP,
ftp => TCP,
@ -704,9 +704,9 @@ sub decr_cmd_level( $ ) {
}
#
# Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively.
# A few parts, mostly those dealing with expand_rule(), still generate
# Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively.
# A few parts, mostly those dealing with expand_rule(), still generate
# iptables command strings which are converted into the new form by
# transform_rule()
#
@ -718,7 +718,7 @@ sub set_rule_option( $$$ ) {
assert( defined $value && reftype $ruleref , $value, $ruleref );
$ruleref->{simple} = 0;
my $opttype = $opttype{$option} || MATCH;
if ( exists $ruleref->{$option} ) {
@ -760,7 +760,7 @@ sub transform_rule( $ ) {
while ( $input ) {
my $option;
my $invert = '';
if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
#
# Normal case of single-character
@ -769,7 +769,7 @@ sub transform_rule( $ ) {
} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
$invert = '!' if $1;
my $opt = $option = $2;
fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
} else {
fatal_error "Unrecognized iptables option string ($input)";
}
@ -795,7 +795,7 @@ sub transform_rule( $ ) {
last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
$input =~ s/^([^\s]+)\s*//;
my $token = $1;
$params = $params eq '' ? $token : join( ' ' , $params, $token);
$params = $params eq '' ? $token : join( ' ' , $params, $token);
}
if ( $input =~ /^(?:!\s+--([^\s]+)|!\s+[^-])/ ) {
@ -861,20 +861,20 @@ sub format_option( $$ ) {
$rule;
}
sub format_rule( $$;$ ) {
my ( $chainref, $ruleref, $suppresshdr ) = @_;
return $ruleref->{cmd} if exists $ruleref->{cmd};
my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
for ( @unique_options ) {
if ( exists $ruleref->{$_} ) {
my $value = $ruleref->{$_};
$rule .= ' !' if $value =~ s/^! //;
if ( length == 1 ) {
$rule .= join( '' , ' -', $_, ' ', $value );
} else {
@ -883,8 +883,8 @@ sub format_rule( $$;$ ) {
}
}
$rule .= format_option( 'state', $ruleref->{state} ) if defined $ruleref->{state};
$rule .= format_option( 'policy', $ruleref->{policy} ) if defined $ruleref->{policy};
$rule .= format_option( 'state', $ruleref->{state} ) if defined $ruleref->{state};
$rule .= format_option( 'policy', $ruleref->{policy} ) if defined $ruleref->{policy};
$rule .= format_option( $_, $ruleref->{$_} ) for sort ( grep ! $opttype{$_}, keys %{$ruleref} );
@ -913,7 +913,7 @@ sub compatible( $$ ) {
#
my @val1 = split ' ', $val1;
my @val2 = split ' ', $val2;
return 0 if @val1 > @val2; # $val1 is more specific than $val2
for ( my $i = 0; $i < @val1; $i++ ) {
@ -938,11 +938,11 @@ sub merge_rules( $$$ ) {
my ( $tableref, $toref, $fromref ) = @_;
my $target = $fromref->{target};
for my $option ( @unique_options ) {
$toref->{$option} = $fromref->{$option} if exists $fromref->{$option};
}
for my $option ( grep ! $opttype{$_}, keys %$fromref ) {
set_rule_option( $toref, $option, $fromref->{$option} );
}
@ -970,12 +970,12 @@ sub merge_rules( $$$ ) {
#
# Trace a change to the chain table
#
#
sub trace( $$$$ ) {
my ($chainref, $action, $rulenum, $message) = @_;
my $heading = $rulenum ?
sprintf " NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum :
my $heading = $rulenum ?
sprintf " NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum :
sprintf " NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};
my $length = length $heading;
@ -1176,7 +1176,7 @@ sub add_rule($$;$) {
# New add_rule implementation
#
sub push_matches {
my $ruleref = shift;
my $dont_optimize = 0;
@ -1204,9 +1204,9 @@ sub push_irule( $$$;@ ) {
( $target, my $targetopts ) = split ' ', $target, 2;
my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
if ( $jump ) {
$ruleref->{jump} = $jump;
$ruleref->{target} = $target;
@ -1326,9 +1326,9 @@ sub insert_irule( $$$$;@ ) {
my ( $chainref, $jump, $target, $number, @matches ) = @_;
my $ruleref = {};
$ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
if ( $jump ) {
$jump = 'j' if $jump eq 'g' && ! have_capability 'GOTO_TARGET';
( $target, my $targetopts ) = split ' ', $target, 2;
@ -1393,7 +1393,7 @@ sub delete_chain_and_references( $ ) {
# We're going to delete this chain but first, we must delete all references to it.
#
my $tableref = $chain_table{$chainref->{table}};
my $name1 = $chainref->{name};
my $name1 = $chainref->{name};
for ( @{$chainref->{rules}} ) {
decrement_reference_count( $tableref->{$_->{target}}, $name1 ) if $_->{target};
}
@ -1440,7 +1440,7 @@ sub decrement_reference_count( $$ ) {
delete $toref->{references}{$chain} unless --$toref->{references}{$chain};
delete_chain( $toref ) unless ( keys %{$toref->{references}} );
}
}
}
#
# Move the rules from one chain to another
@ -1474,11 +1474,11 @@ sub move_rules( $$ ) {
# We set aside the filtered rules for the time being
#
$filtered = $filtered1;
push @filtered1 , shift @{$chain1->{rules}} while $filtered--;
$chain1->{filtered} = 0;
$filtered = $filtered2;
push @filtered2 , shift @{$chain2->{rules}} while $filtered--;
@ -1507,25 +1507,25 @@ sub move_rules( $$ ) {
trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1;
}
splice @{$rules}, 0, 0, @filtered1;
splice @{$rules}, 0, 0, @filtered1;
}
#
# Restore the filters originally in chain2 but drop duplicates of those from $chain1
#
FILTER:
while ( @filtered2 ) {
$filtered = pop @filtered2;
for ( $rule = 0; $rule < $filtered1; $rule++ ) {
$filtered2--, next FILTER if ${$rules}[$rule] eq $filtered;
}
unshift @{$rules}, $filtered;
}
$chain2->{filtered} = $filtered1 + $filtered2;
delete_chain $chain1;
$count;
@ -1736,21 +1736,21 @@ sub output_chain($)
#
# Prerouting Chain for an interface
#
sub prerouting_chain($)
sub prerouting_chain($)
{
my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
}
#
# Postouting Chain for an interface
#
sub postrouting_chain($)
sub postrouting_chain($)
{
my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
}
#
# Output Chain for a zone
#
@ -2362,7 +2362,7 @@ sub ensure_audit_chain( $;$$ ) {
$tgt ||= $action;
add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
if ( $tgt eq 'REJECT' ) {
add_ijump $ref , g => 'reject';
} else {
@ -2391,8 +2391,8 @@ sub require_audit($$;$) {
require_capability 'AUDIT_TARGET', 'audit', 's';
return ensure_audit_chain $target, $action, $tgt;
}
}
#
# Returns the Level and Tag for the current action chain
#
@ -2400,7 +2400,7 @@ sub get_action_logging() {
my $chainref = get_action_chain;
my $wholeaction = $chainref->{action};
my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
$level = '' if $level =~ /^none/;
( $level, $tag );
@ -2660,7 +2660,7 @@ sub replace_references1( $$ ) {
if ( $fromref->{referenced} ) {
for ( @{$fromref->{rules}} ) {
$rule++;
if ( $_->{target} eq $name ) {
if ( $_->{target} eq $name ) {
if ( compatible( $_ , $ruleref ) ) {
#
# The target is the passed chain -- merge the two rules into one
@ -2738,8 +2738,8 @@ sub optimize_level0() {
next if $family == F_IPV6 && $table eq 'nat';
my $tableref = $chain_table{$table};
my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains;
my $chains = @chains;
for my $chainref ( @chains ) {
#
# If the chain isn't branched to, then delete it
@ -2769,8 +2769,8 @@ sub optimize_level4( $$ ) {
$passes++;
my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains;
my $chains = @chains;
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
for my $chainref ( @chains ) {
@ -2868,8 +2868,8 @@ sub optimize_level4( $$ ) {
$passes++;
my @chains = grep $_->{referenced}, values %$tableref;
my $chains = @chains;
my $chains = @chains;
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";
for my $chainref ( @chains ) {
@ -2880,8 +2880,8 @@ sub optimize_level4( $$ ) {
# Last rule is a simple branch
my $targetref = $tableref->{$lastrule->{target}};
if ( $targetref &&
($targetref->{optflags} & DONT_MOVE) == 0 &&
if ( $targetref &&
($targetref->{optflags} & DONT_MOVE) == 0 &&
( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
copy_rules( $targetref, $chainref );
$progress = 1;
@ -2942,7 +2942,7 @@ sub optimize_level8( $$$ ) {
unless ( $chainref->{name} =~ /^~/ ) {
#
# For simple use of the BLACKLIST section, we can end up with many identical
# For simple use of the BLACKLIST section, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
@ -2962,14 +2962,14 @@ sub optimize_level8( $$$ ) {
#
for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$tableref->{$newname} = $tableref->{$oldname};
$tableref->{$oldname}{name} = $newname;
progress_message " Chain $oldname renamed to $newname";
}
#
# Next, map the combined names
# Next, map the combined names
#
while ( my ( $oldname, $combinedname ) = each %combined ) {
$renamed{$oldname} = $renamed{$combinedname} || $combinedname;
@ -3082,7 +3082,7 @@ sub get_keys( $ ) {
# Adjacent rules are compatible if:
#
# - They all specify destination ports
# - All of the rest of their members are identical with the possible exception of 'comment'.
# - All of the rest of their members are identical with the possible exception of 'comment'.
#
# Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped.
#
@ -3097,7 +3097,7 @@ sub combine_dports {
my $ruleref;
my $ports1;
my $basenum = $rulenum;
if ( $ports1 = get_dports( $baseref ) ) {
my $proto = $baseref->{p};
my @keys1 = get_keys( $baseref );
@ -3136,7 +3136,7 @@ sub combine_dports {
}
next RULE if $ports1 eq $ports2;
last if ( $ports += port_count( $ports2 ) ) > 15;
if ( $comment2 ) {
@ -3163,7 +3163,7 @@ sub combine_dports {
push @ports, split ',', $ports2;
trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
} else {
last;
}
@ -3182,7 +3182,7 @@ sub combine_dports {
trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
}
}
}
push @rules, $baseref;
@ -3192,7 +3192,7 @@ sub combine_dports {
\@rules;
}
sub optimize_level16( $$$ ) {
my ( $table, $tableref , $passes ) = @_;
my @chains = ( grep $_->{referenced}, values %{$tableref} );
@ -3296,7 +3296,7 @@ sub setup_zone_mss() {
for my $zone1 ( all_zones ) {
add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ), j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ), j => $target , @destdev, @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;
add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ), j => $target , @destdev, @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;
}
}
}
@ -3402,9 +3402,9 @@ sub source_iexclusion( $$$$$;@ ) {
@exclusion = mysplit( $2 );
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
if ( $targetopts ) {
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
} else {
@ -3416,7 +3416,7 @@ sub source_iexclusion( $$$$$;@ ) {
add_ijump( $chainref,
$jump => $target,
targetopts => $targetopts,
imatch_source_net( $source ),
imatch_source_net( $source ),
@_ );
} else {
add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
@ -3453,9 +3453,9 @@ sub dest_iexclusion( $$$$$;@ ) {
@exclusion = mysplit( $2 );
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
if ( $targetopts ) {
add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
} else {
@ -4082,7 +4082,7 @@ sub resolve_id( $$ ) {
$id;
}
#
# Create a "-m owner" match for the passed USER/GROUP
@ -4224,14 +4224,14 @@ sub validate_helper( $;$ ) {
my $helper_proto = $helpers{$helper_base};
if ( $helper_proto) {
if ( $helper_proto) {
#
# Recognized helper
#
if ( supplied $proto ) {
my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@ -4299,7 +4299,7 @@ my %headers = ( hop => 1,
route => 1,
frag => 1,
auth => 1,
esp => 1,
esp => 1,
none => 1,
'hop-by-hop' => 1,
'ipv6-opts' => 1,
@ -4353,7 +4353,7 @@ sub do_probability( $ ) {
require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
my $invert = $probability =~ s/^!// ? '! ' : "";
fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
"-m statistic --mode random --probability $probability ";
@ -4449,7 +4449,7 @@ sub match_dest_dev( $;$ ) {
}
} else {
my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else {
@ -4475,7 +4475,7 @@ sub imatch_dest_dev( $;$ ) {
}
} else {
my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" );
} else {
@ -4571,13 +4571,13 @@ sub record_runtime_address( $$;$ ) {
}
$addr . ' ';
}
#
# If the passed address is a run-time address variable for an optional interface, then
# begin a conditional rule block that tests the address for nil. Returns 1 if a conditional
# block was opened. The caller stores the result, and if the result is true the caller
# block was opened. The caller stores the result, and if the result is true the caller
# invokes conditional_rule_end() when the conditional block is complete.
#
sub conditional_rule( $$ ) {
@ -4614,7 +4614,7 @@ sub conditional_rule_end( $ ) {
my $chainref = shift;
decr_cmd_level $chainref;
add_commands( $chainref , "fi\n" );
}
}
sub mysplit( $;$ );
@ -4765,7 +4765,7 @@ sub match_dest_net( $ ) {
if ( $net =~ /^([&%])(.+)/ ) {
return '! -d ' . record_runtime_address $1, $2;
}
validate_net $net, 1;
return "! -d $net ";
}
@ -4812,7 +4812,7 @@ sub imatch_dest_net( $ ) {
if ( $net =~ /^([&%])(.+)/ ) {
return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
}
validate_net $net, 1;
return ( d => "! $net " );
}
@ -5475,7 +5475,7 @@ sub split_network( $$$ ) {
}
invalid_network_list( $srcdst, $list ) if @result > 2;
@result;
}
@ -5487,7 +5487,7 @@ sub handle_network_list( $$ ) {
my $nets = '';
my $excl = '';
my @nets = mysplit $list;
for ( @nets ) {
@ -5507,7 +5507,7 @@ sub handle_network_list( $$ ) {
$excl .= ",$_";
} else {
$nets = $nets ? join(',', $nets, $_ ) : $_;
}
}
}
( $nets, $excl );
@ -5551,7 +5551,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
$jump = $basictarget = '';
}
our @ends = ();
#
# In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used
@ -5659,7 +5659,7 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall";
}
}
$chainref->{restricted} |= $restriction;
$rule .= match_source_dev( $iiface );
}
@ -5753,12 +5753,12 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
}
}
if ( $iiface ) {
my $bridge = port_to_bridge( $diface );
fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface );
}
$chainref->{restricted} |= $restriction;
$rule .= match_dest_dev( $diface );
}
@ -5923,7 +5923,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# Use the current rule and send all possible matches to the exclusion chain
#
for my $onet ( mysplit $onets ) {
my $cond = conditional_rule( $chainref, $onet );
$onet = match_orig_dest $onet;
@ -5944,7 +5944,7 @@ sub expand_rule( $$$$$$$$$$;$ )
conditional_rule_end( $chainref ) if $cond;
}
#
# Generate RETURNs for each exclusion
#
@ -5998,12 +5998,12 @@ sub expand_rule( $$$$$$$$$$;$ )
my $cond = conditional_rule( $chainref, $onet );
$onet = match_orig_dest $onet;
for my $inet ( mysplit $inets ) {
my $source_match;
my $cond = conditional_rule( $chainref, $inet );
$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};
for my $dnet ( mysplit $dnets ) {
@ -6091,7 +6091,7 @@ sub copy_options( $ ) {
}
#
# This function is called after the blacklist rules have been added to the canonical chains. It
# This function is called after the blacklist rules have been added to the canonical chains. It
# either copies the relevant interface option rules into each canonocal chain, or it inserts one
# or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
# present.
@ -6123,7 +6123,7 @@ sub add_interface_options( $ ) {
$digest = format_rule( $chainref, $_, 1 );
}
}
$chainref->{digest} = sha1 $digest;
}
#
@ -6132,10 +6132,10 @@ sub add_interface_options( $ ) {
for my $zone1 ( off_firewall_zones ) {
my @input_interfaces = keys %{zone_interfaces( $zone1 )};
my @forward_interfaces = @input_interfaces;
if ( @input_interfaces > 1 ) {
#
# This zone has multiple interfaces - discover if all of the interfaces have the same
# This zone has multiple interfaces - discover if all of the interfaces have the same
# input and/or forward options
#
my $digest;
@ -6166,14 +6166,14 @@ sub add_interface_options( $ ) {
@forward_interfaces = ( $forward_interfaces[0] );
}
}
}
#
# Now insert the jumps
#
for my $zone2 ( all_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my $chain1ref;
if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) {
$chain1ref = $input_chains{$input_interfaces[0]};
@ -6232,7 +6232,7 @@ sub add_interface_options( $ ) {
my $chain1ref;
$chainref = $filter_table->{input_option_chain $interface};
if( @{$chainref->{rules}} ) {
move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface};
set_interface_option( $interface, 'use_input_chain', 1 );
@ -6265,7 +6265,7 @@ sub add_interface_options( $ ) {
#
# We may have to generate part of the input at run-time. The rules array in each chain
# table entry may contain both rules or shell source, determined by the contents of the 'mode'
# member. We alternate between writing the rules into the temporary file to be passed to
# member. We alternate between writing the rules into the temporary file to be passed to
# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
#
# The following two functions are responsible for the mode transitions.
@ -6301,7 +6301,7 @@ sub emitr( $$ ) {
# A command
#
enter_cmd_mode unless $mode == CMD_MODE;
if ( exists $ruleref->{cmd} ) {
emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
} else {
@ -6309,7 +6309,7 @@ sub emitr( $$ ) {
# Must preserve quotes in the rule
#
( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
emit join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
}
}
@ -6351,7 +6351,7 @@ sub emitr1( $$ ) {
emitstd $ruleref->{cmd};
} else {
( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
emitstd join( '', ' ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
}
}
@ -6487,7 +6487,7 @@ sub load_ipsets() {
'esac' ,
'' ,
'if [ "$COMMAND" = start ]; then' );
if ( $config{SAVE_IPSETS} ) {
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -F' ,
@ -6557,7 +6557,7 @@ sub load_ipsets() {
' grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
}
if ( @ipsets ) {
emit( 'elif [ "$COMMAND" = refresh ]; then' );
ensure_ipset( $_ ) for @ipsets;
@ -6761,7 +6761,7 @@ sub create_chainlist_reload($) {
unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst};
push @chains, 'blackout' if $filter_table->{blackout};
for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
push @chains, $_->{name} if $_->{blacklistsection};
}
@ -6804,7 +6804,7 @@ sub create_chainlist_reload($) {
my $chainref;
fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
if ( $chainseq{$table} && @{$chainref->{rules}} ) {
$tables{$table} = 1;
} else {

6
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -425,7 +425,7 @@ sub generate_script_3($) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
} else {
emit 'cat > ${VARDIR}/proxyndp << __EOF__';
}
}
dump_proxy_arp;
emit_unindented '__EOF__';
@ -493,7 +493,7 @@ EOF
" set_state Started $config_dir" ,
' else' ,
' setup_netfilter' );
setup_load_distribution;
emit<<"EOF";
@ -578,7 +578,7 @@ sub compiler {
log => { store => \$log },
log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
test => { store => \$test },
preview => { store => \$preview, validate=> \&validate_boolean } ,
preview => { store => \$preview, validate=> \&validate_boolean } ,
confess => { store => \$confess, validate=> \&validate_boolean } ,
update => { store => \$update, validate=> \&validate_boolean } ,
convert => { store => \$convert, validate=> \&validate_boolean } ,

66
Shorewall/Perl/Shorewall/Config.pm
View File

@ -47,18 +47,18 @@ our @EXPORT = qw(
warning_message
fatal_error
assert
progress_message
progress_message_nocompress
progress_message2
progress_message3
supplied
get_action_params
get_action_chain
set_action_param
have_capability
require_capability
);
@ -301,7 +301,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
IPTABLES_S => 'iptables -S',
BASIC_FILTER => 'Basic Filter',
CT_TARGET => 'CT Target',
STATISTIC_MATCH =>
STATISTIC_MATCH =>
'Statistics Match',
IMQ_TARGET => 'IMQ Target',
DSCP_MATCH => 'DSCP Match',
@ -395,7 +395,7 @@ my $first_entry; # Message to output or function to call on first no
my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
our $debug; # Global debugging flag
my $confess; # If true, use Carp to report errors with stack trace.
my $confess; # If true, use Carp to report errors with stack trace.
our $family; # Protocol family (4 or 6)
our $toolname; # Name of the tool to use (iptables or iptables6)
@ -456,7 +456,7 @@ use constant { PLAIN_READ => 0, # No read_a_line options
STRIP_COMMENTS => 4, # Remove comments
SUPPRESS_WHITESPACE => 8, # Ignore blank lines
CHECK_GUNK => 16, # Look for unprintable characters
CONFIG_CONTINUATION => 32, # Suppress leading whitespace if
CONFIG_CONTINUATION => 32, # Suppress leading whitespace if
# continued line ends in ',' or ':'
DO_INCLUDE => 64, # Look for INCLUDE <filename>
NORMAL_READ => -1 # All options
@ -494,7 +494,7 @@ sub initialize( $;$ ) {
$indent = ''; # Current total indentation
( $dir, $file ) = ('',''); # Script's Directory and Filename
$tempfile = ''; # Temporary File Name
$sillyname =
$sillyname =
$sillyname1 = ''; # Temporary ipchains
$omitting = 0;
$ifstack = 0;
@ -770,7 +770,7 @@ sub initialize( $;$ ) {
$debug = 0;
$confess = 0;
%params = ();
%compiler_params = ();
@ -1496,7 +1496,7 @@ sub split_line1( $$;$ ) {
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
$line[$column] = $value;
}
}
}
@line;
}
@ -1609,8 +1609,8 @@ sub process_conditional( $$$ ) {
$cap =~ s/^__//;
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
exists $params{$rest} ? $params{$rest} :
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
exists $params{$rest} ? $params{$rest} :
exists $config{$rest} ? $config{$rest} :
exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
}
@ -1631,7 +1631,7 @@ sub process_conditional( $$$ ) {
}
$omitting;
}
}
#
# Functions for copying a file into the script
@ -1700,7 +1700,7 @@ sub copy1( $ ) {
my ( $do_indent, $here_documents ) = ( 1, '');
open_file( $_[0] );
while ( $currentfile ) {
while ( <$currentfile> ) {
$currentlinenumber++;
@ -1772,7 +1772,7 @@ sub copy1( $ ) {
next;
}
if ( $indent ) {
s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2;
@ -2208,7 +2208,7 @@ sub read_a_line($) {
$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
$currentline='';
next;
}
}
if ( $omitting ) {
print "OMIT=> $currentline\n" if $debug;
@ -2549,7 +2549,7 @@ sub load_kernel_modules( ) {
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
}
my @moduledirectories;
my @moduledirectories;
for ( split /:/, $modulesdir ) {
push @moduledirectories, $_ if -d $_;
@ -2588,7 +2588,7 @@ sub load_kernel_modules( ) {
} else {
system( "modprobe $module $arguments" );
}
$loadedmodules{ $module } = 1;
}
}
@ -3343,7 +3343,7 @@ sub update_config_file( $ ) {
open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
unless ( open $output, '>', "$configfile.updated" ) {
unless ( open $output, '>', "$configfile.updated" ) {
close $template;
fatal_error "Unable to open $configfile.updated for output: $!";
}
@ -3414,7 +3414,7 @@ EOF
fatal_error "Can't rename $configfile to $configfile.bak: $!" unless rename $configfile, "$configfile.bak";
fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile;
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
} else {
@ -3457,7 +3457,7 @@ sub process_shorewall_conf( $$ ) {
warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
warning_message "Option $var=$val is deprecated"
if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
} else {
@ -3613,7 +3613,7 @@ sub get_params() {
print "Params:\n";
print $_ for @params;
}
my ( $variable , $bug );
if ( $params[0] =~ /^declare/ ) {
@ -3642,7 +3642,7 @@ sub get_params() {
} else {
warning_message "Param line ($_) ignored" unless $bug++;
}
}
}
}
} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
#
@ -3670,7 +3670,7 @@ sub get_params() {
} else {
warning_message "Param line ($_) ignored" unless $bug++;
}
}
}
}
} else {
#
@ -3684,7 +3684,7 @@ sub get_params() {
for ( @params ) {
if ( /^export (.*?)='(.*'"'"')$/ ) {
$params{$variable=$1}="${2}\n";
$params{$variable=$1}="${2}\n";
} elsif ( /^export (.*?)='(.*)'$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)='(.*)$/ ) {
@ -3696,7 +3696,7 @@ sub get_params() {
$params{$variable} .= $_;
} else {
warning_message "Param line ($_) ignored" unless $bug++;
}
}
}
}
}
@ -3993,7 +3993,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'ACCOUNTING' , 'Yes';
default_yes_no 'OPTIMIZE_ACCOUNTING' , '';
if ( supplied $config{ACCOUNTING_TABLE} ) {
my $value = $config{ACCOUNTING_TABLE};
fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
@ -4030,7 +4030,7 @@ sub get_configuration( $$$ ) {
}
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
@ -4045,7 +4045,7 @@ sub get_configuration( $$$ ) {
}
if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
} else {
$globals{USER_MASK} = 0;
@ -4085,7 +4085,7 @@ sub get_configuration( $$$ ) {
default_log_level 'LOGALLNEW', '';
default_log_level 'SFILTER_LOG_LEVEL', 'info';
if ( $val = $config{SFILTER_DISPOSITION} ) {
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
@ -4272,7 +4272,7 @@ sub append_file( $;$$ ) {
my $user_exit = find_file $file;
my $result = 0;
my $save_indent = $indent;
$indent = '' if $unindented;
unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
@ -4468,7 +4468,7 @@ sub dump_mark_layout() {
$globals{TC_MAX} + 1,
$globals{USER_MASK},
$globals{USER_MASK} );
dumpout( "Provider",
$config{PROVIDER_BITS},
$globals{PROVIDER_MIN},
@ -4486,7 +4486,7 @@ sub dump_mark_layout() {
$globals{EXCLUSION_MASK},
$globals{EXCLUSION_MASK},
$globals{EXCLUSION_MASK} );
}
}
END {
cleanup;

8
Shorewall/Perl/Shorewall/IPAddrs.pm
View File

@ -293,9 +293,9 @@ sub compare_nets( $$ ) {
@net1 = decompose_net( $_[0] );
@net2 = decompose_net( $_[1] );
$net1[0] eq $net2[0] && $net1[1] == $net2[1];
}
}
sub allipv4() {
@allipv4;
@ -392,7 +392,7 @@ sub validate_portpair( $$ ) {
$what = 'port';
}
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP ||
$protonum == UDP ||
$protonum == SCTP ||
@ -423,7 +423,7 @@ sub validate_portpair1( $$ ) {
$what = 'port';
}
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
defined $protonum && ( $protonum == TCP ||
$protonum == UDP ||
$protonum == SCTP ||

92
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -72,9 +72,9 @@ sub process_tos() {
my ( $pretosref, $outtosref );
first_entry( sub { progress_message2 "$doing $fn...";
first_entry( sub { progress_message2 "$doing $fn...";
warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
$pretosref = ensure_chain 'mangle' , $chain;
$pretosref = ensure_chain 'mangle' , $chain;
$outtosref = ensure_chain 'mangle' , 'outtos';
}
);
@ -202,7 +202,7 @@ sub setup_blacklist() {
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
#
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly.
@ -216,7 +216,7 @@ sub setup_blacklist() {
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
}
}
BLACKLIST:
@ -253,7 +253,7 @@ sub setup_blacklist() {
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit';
$auditone++ if $_ eq 'audit';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@ -268,7 +268,7 @@ sub setup_blacklist() {
} else {
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
}
@ -331,7 +331,7 @@ sub setup_blacklist() {
}
#
# Remove instances of 'blacklist' from the passed file.
# Remove instances of 'blacklist' from the passed file.
#
sub remove_blacklist( $ ) {
my $file = shift;
@ -343,7 +343,7 @@ sub remove_blacklist( $ ) {
my $oldfile = open_file $fn;
my $newfile;
my $changed;
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
@ -358,12 +358,12 @@ sub remove_blacklist( $ ) {
$currentline = join( '#', $rule, $comment );
} else {
$currentline =~ s/blacklist/ /g;
}
}
}
print $newfile "$currentline\n";
}
close $newfile;
if ( $changed ) {
@ -384,7 +384,7 @@ sub convert_blacklist() {
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
my @rules;
if ( @$zones || @$zones1 ) {
if ( supplied $level ) {
$target = 'blacklog';
@ -411,7 +411,7 @@ sub convert_blacklist() {
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit';
$auditone++ if $_ eq 'audit';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@ -481,7 +481,7 @@ sub convert_blacklist() {
EOF
}
print( $blrules
print( $blrules
"#\n" ,
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" );
@ -509,10 +509,10 @@ EOF
$rule .= "all\t\t\t$zone\t\t\t";
}
}
$rule .= "\t$protocols" if $protocols ne '-';
$rule .= "\t$ports" if $ports ne '-';
print $blrules "$rule\n";
}
}
@ -521,19 +521,19 @@ EOF
} else {
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
}
if ( -f $fn ) {
rename $fn, "$fn.bak";
progress_message2 "Blacklist file $fn saved in $fn.bak";
}
for my $file ( qw(zones interfaces hosts) ) {
remove_blacklist $file;
}
progress_message2 "Blacklist successfully converted";
return 1;
return 1;
} else {
my $fn = find_file 'blacklist';
if ( -f $fn ) {
@ -697,7 +697,7 @@ sub add_common_rules ( $ ) {
if ( $config{FASTACCEPT} ) {
add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
}
}
my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL};
@ -711,11 +711,11 @@ sub add_common_rules ( $ ) {
$chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target = 'sfilter';
} else {
$target = $policy eq 'REJECT' ? 'reject' : $policy;
@ -731,11 +731,11 @@ sub add_common_rules ( $ ) {
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target1 = 'sfilter1';
} else {
#
@ -752,9 +752,9 @@ sub add_common_rules ( $ ) {
unless ( $interfaceref->{options}{ignore} ) {
my @filters = @{$interfaceref->{filter}};
$chainref = $filter_table->{forward_option_chain $interface};
if ( @filters ) {
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
} elsif ( $interfaceref->{bridge} eq $interface ) {
@ -765,12 +765,12 @@ sub add_common_rules ( $ ) {
$interfaceref->{physical} eq '+' );
}
if ( @filters ) {
$chainref = $filter_table->{input_option_chain $interface};
add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
}
for ( option_chains( $interface ) ) {
add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
@ -915,13 +915,13 @@ sub add_common_rules ( $ ) {
1 ) for input_option_chain( $interface ), output_option_chain( $interface );
add_ijump( $filter_table->{forward_option_chain $interface} ,
j => 'ACCEPT',
j => 'ACCEPT',
p => "udp --dport $ports" ,
imatch_dest_dev( $interface ) )
if get_interface_option( $interface, 'bridge' );
unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
add_ijump( $filter_table->{input_chain( $interface ) } ,
add_ijump( $filter_table->{input_chain( $interface ) } ,
j => 'ACCEPT' ,
p => "udp --dport $ports" ,
s => NILIPv4 . '/32' );
@ -948,7 +948,7 @@ sub add_common_rules ( $ ) {
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
$globals{LOGPARMS} = $savelogparms;
if ( $audit ) {
@ -1128,7 +1128,7 @@ sub setup_mac_lists( $ ) {
my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if supplied $level;
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
}
@ -1348,7 +1348,7 @@ sub handle_loopback_traffic() {
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
for my $net ( @{$hostref->{hosts}} ) {
insert_ijump( $natout,
insert_ijump( $natout,
j => $exclusion,
$rulenum++,
imatch_source_net( $net , 0, ) );
@ -1383,7 +1383,7 @@ sub add_interface_jumps {
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
@ -1410,7 +1410,7 @@ sub add_interface_jumps {
) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_ijump( $filter_table->{forward_chain $bridge} ,
j => $forwardref ,
j => $forwardref ,
imatch_source_dev( $interface, 1 )
) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
@ -1449,7 +1449,7 @@ sub add_interface_jumps {
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
#
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
# nat-table rules.
#
sub generate_matrix() {
@ -1462,7 +1462,7 @@ sub generate_matrix() {
my $fw = firewall_zone;
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my $notrackref = $raw_table->{notrack_chain $fw};
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $interface_jumps_added = 0;
@ -1480,7 +1480,7 @@ sub generate_matrix() {
#
for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{complex};
#
# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
@ -1689,14 +1689,14 @@ sub generate_matrix() {
imatch_source_dev( $interface),
@source,
@ipsec_in_match );
if ( get_physical( $interface ) eq '+' ) {
#
# The jump from the PREROUTING chain to dnat may not have been added above
#
#
addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
}
check_optimization( $dnatref ) if @source;
}
@ -1725,7 +1725,7 @@ sub generate_matrix() {
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
$inputchainref = $interfacechainref;
if ( $isport ) {
add_ijump( $filter_table->{ input_chain $bridge },
j => $inputchainref ,
@ -1762,7 +1762,7 @@ sub generate_matrix() {
if ( use_forward_chain $interface, $forwardref ) {
add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
if ( $isport ) {
add_ijump( $filter_table->{ forward_chain $bridge } ,
j => $forwardref ,
@ -1903,7 +1903,7 @@ sub generate_matrix() {
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
#
$chain3ref = $forwardchainref;
if ( $interfaceref->{options}{port} ) {
add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
j => $chain3ref,

16
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -54,7 +54,7 @@ sub initialize() {
#
sub process_one_masq( )
{
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
if ( $interfacelist eq 'COMMENT' ) {
@ -208,7 +208,7 @@ sub process_one_masq( )
$addrlist .= "--to-source $addr ";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else {
my $ports = $addr;
my $ports = $addr;
$ports =~ s/^://;
validate_portpair1( $proto, $ports );
$addrlist .= "--to-ports $ports ";
@ -426,7 +426,7 @@ sub setup_netmap() {
unless ( $type =~ /:/ ) {
my @rulein;
my @ruleout;
validate_net $net1, 0;
validate_net $net2, 0;
@ -439,7 +439,7 @@ sub setup_netmap() {
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
if ( $type eq 'DNAT' ) {
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
j => 'NETMAP' ,
"--to $net2",
$net1 ,
@ -465,10 +465,10 @@ sub setup_netmap() {
validate_net $net2, 0;
unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface );
@match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name};
}
if ( $chain eq 'P' ) {
$chain = prerouting_chain $interface;
@match = imatch_source_dev( $iface ) unless $iface eq $interface;
@ -481,7 +481,7 @@ sub setup_netmap() {
my $chainref = ensure_chain( $table, $chain );
if ( $target eq 'DNAT' ) {
dest_iexclusion( $chainref ,
j => 'RAWDNAT' ,
@ -504,7 +504,7 @@ sub setup_netmap() {
fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
}
}

4
Shorewall/Perl/Shorewall/Proc.pm
View File

@ -286,7 +286,7 @@ sub setup_interface_proc( $ ) {
if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
}
if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
}
@ -315,6 +315,6 @@ sub setup_interface_proc( $ ) {
emit "fi\n";
}
}
1;

68
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -161,7 +161,7 @@ sub setup_route_marking() {
my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
add_ijump ( $chainref1,
j => $chainref2 ,
mark => "--mark 0/$mask" );
@ -171,7 +171,7 @@ sub setup_route_marking() {
sub copy_table( $$$ ) {
my ( $duplicate, $number, $realm ) = @_;
my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
emit '';
@ -186,7 +186,7 @@ sub copy_table( $$$ ) {
' default)',
' ;;',
' *)' );
if ( $family == F_IPV4 ) {
emit ( ' case $net in',
' 255.255.255.255*)',
@ -218,7 +218,7 @@ sub copy_and_edit_table( $$$$ ) {
# Shell and iptables use a different wildcard character
#
$copy =~ s/\+/*/g;
emit '';
if ( $realm ) {
@ -244,7 +244,7 @@ sub copy_and_edit_table( $$$$ ) {
);
} else {
emit ( " run_ip route add table $number \$net \$route $realm" );
}
}
emit ( ' ;;',
' esac',
@ -557,9 +557,9 @@ sub process_a_provider() {
# Generate the start_provider_...() function for the passed provider
#
sub add_a_provider( $$ ) {
my ( $providerref, $tcdevices ) = @_;
my $table = $providerref->{provider};
my $number = $providerref->{number};
my $mark = $providerref->{rawmark};
@ -610,9 +610,9 @@ sub add_a_provider( $$ ) {
emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
emit( '',
emit( '',
"cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
emit_unindented 'case \$COMMAND in';
emit_unindented ' enable|disable)';
emit_unindented ' ;;';
@ -686,7 +686,7 @@ CEOF
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
}
$fallback = 1;
}
@ -724,19 +724,19 @@ CEOF
emit '';
emit $_ for @{$providers{$table}->{rules}};
}
if ( @{$providerref->{routes}} ) {
emit '';
emit $_ for @{$providers{$table}->{routes}};
}
emit( '' );
my ( $tbl, $weight );
emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
if ( $optional ) {
if ( $optional ) {
emit( '',
'if [ $COMMAND = enable ]; then' );
@ -775,7 +775,7 @@ CEOF
emit ( qq(progress_message2 " Provider $table ($number) Started") );
pop_indent;
emit( 'else' );
emit( qq( echo $weight > \${VARDIR}/${physical}_weight) ,
qq( progress_message " Provider $table ($number) Started"),
@ -785,18 +785,18 @@ CEOF
emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
emit( qq(progress_message "Provider $table ($number) Started") );
}
pop_indent;
emit 'else';
push_indent;
emit( qq(echo 1 > \${VARDIR}/${physical}.status) );
if ( $optional ) {
if ( $shared ) {
emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
} else {
emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
}
@ -839,7 +839,7 @@ CEOF
if ( $gateway ) {
$via = "via $gateway dev $physical";
} else {
} else {
$via = "dev $physical";
}
@ -856,7 +856,7 @@ CEOF
"distribute_load $maxload @load_interfaces" ) if $load;
unless ( $shared ) {
emit( '',
emit( '',
"qt \$TC qdisc del dev $physical root",
"qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
}
@ -1001,14 +1001,14 @@ sub add_a_route( ) {
my $routes = $providerref->{routes};
fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
if ( $gateway ne '-' ) {
if ( $device ne '-' ) {
push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
} else {
push @$routes, qq(run_ip route add $dest via $gateway table $number);
emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
}
} else {
fatal_error "You must specify a device for this route" unless $physical;
@ -1055,7 +1055,7 @@ sub start_providers() {
emit 'DEFAULT_ROUTE=';
emit 'FALLBACK_ROUTE=';
emit '';
for my $provider ( qw/main default/ ) {
emit '';
emit qq(> \${VARDIR}/undo_${provider}_routing );
@ -1068,7 +1068,7 @@ sub start_providers() {
sub finish_providers() {
my $table = MAIN_TABLE;
if ( $config{USE_DEFAULT_RT} ) {
emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
@ -1096,7 +1096,7 @@ sub finish_providers() {
''
);
}
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
@ -1163,7 +1163,7 @@ sub process_providers( $ ) {
$lastmark = 0;
if ( my $fn = open_file 'providers' ) {
first_entry "$doing $fn...";
first_entry "$doing $fn...";
process_a_provider, $providers++ while read_a_line( NORMAL_READ );
}
@ -1180,7 +1180,7 @@ sub process_providers( $ ) {
if ( $fn ) {
first_entry "$doing $fn...";
emit '';
add_an_rtrule while read_a_line( NORMAL_READ );
@ -1196,7 +1196,7 @@ sub process_providers( $ ) {
}
add_a_provider( $providers{$_}, $tcdevices ) for @providers;
emit << 'EOF';;
#
@ -1221,7 +1221,7 @@ EOF
emit( "$providerref->{physical}|$provider)" );
}
emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
" start_provider_$provider",
' else',
" startup_error \"Interface $providerref->{physical} is already enabled\"",
@ -1257,7 +1257,7 @@ EOF
my $providerref = $providers{$provider};
emit( "$providerref->{physical}|$provider)",
" if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
" if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
" stop_provider_$provider",
' else',
" startup_error \"Interface $providerref->{physical} is already disabled\"",
@ -1284,11 +1284,11 @@ sub setup_providers() {
if ( $providers ) {
emit "\nif [ -z \"\$g_noroutes\" ]; then";
push_indent;
start_providers;
emit '';
emit "start_provider_$_" for @providers;
@ -1515,7 +1515,7 @@ sub handle_stickiness( $ ) {
$rule1 = clone_rule( $_ );
clear_rule_target( $rule1 );
set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" );
set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" );
$rule2 = '';
}
@ -1549,7 +1549,7 @@ sub handle_stickiness( $ ) {
while ( my ( $key, $value ) = each %$_ ) {
$rule2->{$key} = $value;
}
clear_rule_target( $rule2 );
set_rule_option ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
} else {
@ -1584,7 +1584,7 @@ sub handle_stickiness( $ ) {
sub setup_load_distribution() {
emit ( '',
" distribute_load $maxload @load_interfaces" ,
''
''
) if @load_interfaces;
}

18
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -105,7 +105,7 @@ sub process_notrack_rule( $$$$$$$ ) {
'' ,
$target ,
$exception_rule );
progress_message " Notrack rule \"$currentline\" $done";
$globals{UNTRACKED} = 1;
@ -130,36 +130,36 @@ sub setup_notrack() {
my $nonEmpty = 0;
while ( read_a_line( NORMAL_READ ) ) {
while ( read_a_line( NORMAL_READ ) ) {
my ( $source, $dest, $proto, $ports, $sports, $user );
if ( $format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'FORMAT' ) {
$format = process_format( $dest );
next;
}
if ( $source eq 'COMMENT' ) {
process_comment;
next;
}
}
} else {
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) {
$format = process_format( $source );
$action = 'NOTRACK';
next;
}
if ( $action eq 'COMMENT' ) {
process_comment;
next;
}
}
}
process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
}

58
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -341,7 +341,7 @@ sub process_a_policy() {
fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
( $policy , my $queue ) = get_target_param $policy;
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
if ( $audit ) {
@ -492,7 +492,7 @@ sub process_policies()
for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $action = $config{$option};
unless ( $action eq 'none' ) {
my ( $act, $param ) = get_target_param( $action );
@ -552,7 +552,7 @@ sub policy_rules( $$$$$ ) {
add_ijump $chainref, j => $default if $default && $default ne 'none';
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target;
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
}
@ -685,7 +685,7 @@ sub setup_syn_flood_chains() {
my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel};
my $synchainref = @zones > 1 ?
my $synchainref = @zones > 1 ?
new_chain 'filter' , syn_flood_chain $chainref :
new_chain( 'filter' , '@' . $chainref->{name} );
add_rule $synchainref , "${limit}-j RETURN";
@ -763,7 +763,7 @@ sub finish_chain_section ($$) {
my $chain = $chainref->{name};
my $related_level = $config{RELATED_LOG_LEVEL};
my $related_target = $globals{RELATED_TARGET};
push_comment(''); #These rules should not have comments
if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
@ -775,7 +775,7 @@ sub finish_chain_section ($$) {
$config{RELATED_DISPOSITION},
'' );
add_ijump( $relatedref, g => $related_target );
$related_target = $relatedref->{name};
}
@ -863,9 +863,9 @@ sub split_action ( $ ) {
#
# Create a normalized action name from the passed pieces.
#
# Internally, action invocations are uniquely identified by a 4-tuple that
# Internally, action invocations are uniquely identified by a 4-tuple that
# includes the action name, log level, log tag and params. The pieces of the tuple
# are separated by ":".
# are separated by ":".
#
sub normalize_action( $$$ ) {
my $action = shift;
@ -904,7 +904,7 @@ sub externalize( $ ) {
$target .= ":$tag" if $tag;
$target;
}
#
# Define an Action
#
@ -988,7 +988,7 @@ sub createsimpleactionchain( $ ) {
my $normalized = normalize_action_name( $action );
return createlogactionchain( $normalized, $action, 'none', '', '' ) if $filter_table->{$action} || $nat_table->{$action};
my $chainref = new_standard_chain $action;
$usedactions{$normalized} = $chainref;
@ -1205,7 +1205,7 @@ sub dropBcast( $$$$ ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
}
}
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
@ -1482,8 +1482,8 @@ sub process_action( $) {
if ( $target eq 'DEFAULTS' ) {
default_action_params( $action, split_list $source, 'defaults' ), next if $format == 2;
fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
}
fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
}
process_rule1( $chainref,
merge_levels( "$action:$level:$tag", $target ),
@ -1520,7 +1520,7 @@ sub process_action( $) {
#
sub use_policy_action( $ ) {
my $ref = use_action( $_[0] );
process_action( $ref ) if $ref;
}
@ -1559,7 +1559,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
}
fatal_error 'TARGET must be specified' if $mtarget eq '-';
if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment;
next;
@ -1663,12 +1663,12 @@ sub verify_audit($;$$) {
#
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
#
sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise
$target,
$target,
$current_param,
$source,
$dest,
@ -1693,7 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my $normalized_target;
my $normalized_action;
my $blacklist = ( $section eq 'BLACKLIST' );
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
$param = '' unless defined $param;
@ -1822,8 +1822,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub {
fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
WHITELIST => sub {
fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
$action = 'RETURN';
} ,
@ -1838,7 +1838,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$function->();
} elsif ( $actiontype & SET ) {
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
my ( $setname, $flags, $rest ) = split ':', $param, 3;
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
@ -1864,7 +1864,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$sourcezone = $source;
$source = ALLIP;
}
if ( $dest =~ /^(.*?):(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
$destzone = $1;
@ -1927,7 +1927,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# We are generating rules in an action chain -- the chain name is the name of that action chain
#
$chain = $chainref->{name};
} else {
} else {
unless ( $actiontype & NATONLY ) {
#
# Check for illegal bridge port rule
@ -1971,7 +1971,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
if ( $blacklist ) {
my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
my $blacklistref = $filter_table->{$blacklistchain};
unless ( $blacklistref ) {
my @state;
$blacklistref = new_chain 'filter', $blacklistchain;
@ -1979,7 +1979,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
add_ijump( $chainref, j => $blacklistref, @state );
}
$chain = $blacklistchain;
$chainref = $blacklistref;
}
@ -2017,7 +2017,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
unless ( $section eq 'NEW' || $inaction ) {
if ( $config{FASTACCEPT} ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
$section eq 'BLACKLIST' ||
( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
}
@ -2407,7 +2407,7 @@ sub process_rule ( ) {
progress_message "Rule \"$currentline\" ignored.";
return 1;
}
my $intrazone = 0;
my $wild = 0;
my $thisline = $currentline; #We must save $currentline because it is overwritten by macro expansion
@ -2473,11 +2473,11 @@ sub classic_blacklist() {
my @vservers = vserver_zones;
my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $result;
for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex};
if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst};
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;

48
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -200,7 +200,7 @@ sub process_tc_rule( ) {
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
$headers = '-';
} else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
}
@ -220,13 +220,13 @@ sub process_tc_rule( ) {
my $chain = $globals{MARKING_CHAIN};
my $classid = 0;
if ( $remainder ) {
if ( $remainder ) {
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
$mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
} else {
fatal_error "Invalid MARK ($originalmark)"
fatal_error "Invalid MARK ($originalmark)"
unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
$designator =~ /^([0-9a-fA-F]+)$/ &&
$designator =~ /^([0-9a-fA-F]+)$/ &&
( $chain = $designator{$remainder} ) );
$mark = join( ':', $mark, $designator );
$classid = 1;
@ -287,7 +287,7 @@ sub process_tc_rule( ) {
$val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
$shift = $s;
}
}
} else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
}
@ -379,7 +379,7 @@ sub process_tc_rule( ) {
},
DSCP => sub() {
assert( $cmd =~ /^DSCP\((\w+)\)$/ );
require_capability 'DSCP_TARGET', 'The DSCP action', 's';
require_capability 'DSCP_TARGET', 'The DSCP action', 's';
my $dscp = numeric_value( $1 );
$dscp = $dscpmap{$1} unless defined $dscp;
fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
@ -526,7 +526,7 @@ sub process_tc_rule( ) {
}
}
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction,
@ -587,7 +587,7 @@ sub calculate_quantum( $$ ) {
#
sub process_in_bandwidth( $ ) {
my $in_rate = shift;
return 0 if $in_rate eq '-' or $in_rate eq '0';
my $in_burst = '10kb';
@ -605,7 +605,7 @@ sub process_in_bandwidth( $ ) {
fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay );
fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/;
fatal_error "Invalid Decay ($in_decay)" unless $in_decay =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/;
if ( $in_decay =~ /ms/ ) {
fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms';
} else {
@ -615,12 +615,12 @@ sub process_in_bandwidth( $ ) {
$decay =~ s/sec//;
fatal_error "Decay must be at least twice the interval" unless $decay > $interval;
}
}
}
}
$in_avrate = rate_to_kbit( $in_rate );
$in_rate = 0;
$in_rate = 0;
} else {
if ( $in_band =~ /:/ ) {
( $in_band, $burst ) = split /:/, $in_rate, 2;
@ -629,7 +629,7 @@ sub process_in_bandwidth( $ ) {
}
$in_rate = rate_to_kbit( $in_band );
}
[ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
@ -643,7 +643,7 @@ sub handle_in_bandwidth( $$ ) {
my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
if ( have_capability 'BASIC_FILTER' ) {
if ( $in_rate ) {
emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
@ -663,7 +663,7 @@ sub handle_in_bandwidth( $$ ) {
" police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" );
}
}
sub process_flow($) {
my $flow = shift;
@ -774,7 +774,7 @@ sub process_simple_device() {
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit '';
}
emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
"\\\n match ip protocol 6 0xff" .
"\\\n match u8 0x05 0x0f at 0" .
@ -1319,7 +1319,7 @@ sub process_tc_filter() {
} else {
push @$filtersref, ( "\nrun_tc $rule\\" ,
" link $tnum:0 offset plus 40 eat" );
}
}
#
# The rule to match the port(s) will be inserted into the new table
#
@ -1452,9 +1452,9 @@ sub process_tcfilters() {
if ( $fn ) {
my @family = ( $family );
first_entry( "$doing $fn..." );
while ( read_a_line( NORMAL_READ ) ) {
if ( $currentline =~ /^\s*IPV4\s*$/ ) {
Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
@ -1586,7 +1586,7 @@ sub process_tcpri() {
add_ijump( $mangle_table->{tcpost} ,
j => 'CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} ),
mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
);
}
}
@ -1711,7 +1711,7 @@ sub process_traffic_shaping() {
my $priority = $tcref->{priority} << 8;
my $parent = in_hexp $tcref->{parent};
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
if ( $devref->{qdisc} eq 'htb' ) {
@ -1758,7 +1758,7 @@ sub process_traffic_shaping() {
my ( $tos, $mask ) = split q(/), $tospair;
emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
}
save_progress_message_short qq(" TC Class $classid defined.");
emit '';
@ -1767,7 +1767,7 @@ sub process_traffic_shaping() {
emit '';
emit "$_" for @{$devref->{filters}};
save_progress_message_short qq(" TC Device $device defined.");
pop_indent;
@ -1819,7 +1819,7 @@ sub process_tc() {
# enabled.
my %empty;
$config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
}

2
Shorewall/Perl/Shorewall/Tunnels.pm
View File

@ -279,7 +279,7 @@ sub setup_tunnels() {
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
}
progress_message " Tunnel \"$currentline\" $done";
}

20
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -711,7 +711,7 @@ sub add_group_to_zone($$$$$)
my $interfaceref;
my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type};
$zoneref->{interfaces}{$interface} = 1;
@ -936,7 +936,7 @@ sub process_interface( $$ ) {
fatal_error "Invalid FORMAT ($1)";
}
if ( $zone eq '-' ) {
$zone = '';
} else {
@ -992,7 +992,7 @@ sub process_interface( $$ ) {
$root = substr( $interface, 0, -1 );
$roots{$root} = $interface;
my $len = length $root;
if ( $minroot ) {
$minroot = $len if $minroot > $len;
} else {
@ -1090,7 +1090,7 @@ sub process_interface( $$ ) {
assert( 0 );
}
} elsif ( $type == NUMERIC_IF_OPTION ) {
fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
$value = $defaultinterfaceoptions{$option} unless defined $value;
fatal_error "The '$option' option requires a value" unless defined $value;
my $numval = numeric_value $value;
@ -1208,7 +1208,7 @@ sub process_interface( $$ ) {
sub validate_interfaces_file( $ ) {
my $export = shift;
our $format = 1;
my @ifaces;
my $nextinum = 1;
@ -1297,7 +1297,7 @@ sub known_interface($)
if ( $minroot ) {
while ( length $iface > $minroot ) {
chop $iface;
if ( my $i = $roots{$iface} ) {
$interfaceref = $interfaces{$i};
@ -1373,7 +1373,7 @@ sub physical_name( $ ) {
$devref ? $devref->{physical} : $device;
}
#
# Returns true if there are bridge port zones defined in the config
#
@ -1479,7 +1479,7 @@ sub get_interface_option( $$ ) {
assert( $ref = known_interface( $interface ) );
$ref->{options}{$option};
}
#
@ -1742,7 +1742,7 @@ sub compile_updown() {
if ( @$optional ) {
my @interfaces = map $interfaces{$_}->{physical}, @$optional;
my $interfaces = join '|', @interfaces;
my $interfaces = join '|', @interfaces;
if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
emit( "$interfaces)",
@ -1838,7 +1838,7 @@ sub process_host( ) {
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts"
fatal_error "Invalid HOST(S) column contents: $hosts"
}
if ( $hosts =~ /^!?\+/ ) {

2
Shorewall/Perl/prog.footer
View File

@ -38,7 +38,7 @@ checkkernelversion() {
if [ $g_family -eq 6 ]; then
kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
case "$kernel" in
case "$kernel" in
*.*.*)
kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;;

20
Shorewall/Samples/LICENSE
View File

@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.
Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
@ -158,7 +158,7 @@ Library.
You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.
Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.
7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.
11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -13,7 +13,7 @@
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -14,7 +14,7 @@
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################

4
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -3,7 +3,7 @@
# Shorewall version 4.0 - Sample shorewall.conf for two-interface
# configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
# 2011 by Thomas M. Eastep
# 2011 by Thomas M. Eastep
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@ -14,7 +14,7 @@
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################

6
Shorewall/action.Broadcast
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Broadcast[([<action>|-[,{audit|-}])]
# Broadcast[([<action>|-[,{audit|-}])]
#
# Default action is DROP
#
@ -51,7 +51,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
}
}
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

4
Shorewall/action.Drop
View File

@ -33,7 +33,7 @@
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
@ -41,7 +41,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3;

10
Shorewall/action.DropSmurfs
View File

@ -41,15 +41,15 @@ if ( $level ne '-' || $audit ne '-' ) {
fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
add_ijump( $logchainref, j => 'AUDIT --type DROP' );
}
}
add_ijump( $logchainref, j => 'DROP' );
$target = $logchainref;
} else {
$target = 'DROP';
}
if ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) {
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
} else {
add_commands $chainref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $chainref;
add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref;
@ -80,6 +80,6 @@ if ( $family == F_IPV4 ) {
END PERL;

2
Shorewall/action.Invalid
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Invalid[([<action>|-[,{audit|-}])]
# Invalid[([<action>|-[,{audit|-}])]
#
# Default action is DROP
#

2
Shorewall/action.NotSyn
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# NotSyn[([<action>|-[,{audit|-}])]
# NotSyn[([<action>|-[,{audit|-}])]
#
# Default action is DROP
#

4
Shorewall/action.Reject
View File

@ -29,7 +29,7 @@
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
@ -37,7 +37,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3;

8
Shorewall/action.TCPFlags
View File

@ -24,7 +24,7 @@ my ( $disposition, $audit ) = get_action_params( 2 );
my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging;
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
if ( $level ne '-' || $audit ne '-' ) {
my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@ -42,13 +42,13 @@ if ( $level ne '-' || $audit ne '-' ) {
fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
}
}
add_ijump( $logchainref, g => $disposition );
$disposition = $logchainref;
}
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
@ -58,6 +58,6 @@ add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
END PERL;

10
Shorewall/init.fedora.sh
View File

@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else
else
failure
fi
echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
rm -f $lockfile
success
else
else
failure
fi
echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present

8
Shorewall/install.sh
View File

@ -38,7 +38,7 @@ usage() # $1 = exit status
exit $1
}
fatal_error()
fatal_error()
{
echo " ERROR: $@" >&2
exit 1
@ -95,7 +95,7 @@ install_file() # $1 = source $2 = target $3 = mode
run_install $T $OWNERSHIP -m $3 $1 ${2}
}
require()
require()
{
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
}
@ -335,7 +335,7 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
if [ -n "$INITFILE" ]; then
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
if [ -n "${AUXINITSOURCE}" ]; then
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
fi
@ -439,7 +439,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PR
if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
run_install $OWNERSHIP -m 0644 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
if [ "$SHAREDIR" != /usr/share -o "$CONFDIR" != /etc ]; then
if [ $PRODUCT = shorewall ]; then
perl -p -w -i -e "s|^CONFIG_PATH=.*|CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf

12
Shorewall/lib.cli-std
View File

@ -34,7 +34,7 @@ get_config() {
ensure_config_path
if [ "$1" = Yes ]; then
params=$(find_file params)
@ -90,7 +90,7 @@ get_config() {
exit 2
fi
fi
g_tool=$IPTABLES
else
if [ -n "$IP6TABLES" ]; then
@ -507,7 +507,7 @@ start_command() {
c*)
AUTOMAKE=
option=${option#c}
;;
;;
T*)
g_confess=Yes
option=${option#T}
@ -874,7 +874,7 @@ restart_command() {
c*)
AUTOMAKE=
option=${option#c}
;;
;;
n*)
g_noroutes=Yes
option=${option#n}
@ -1418,7 +1418,7 @@ reload_command() # $* = original arguments less the command.
fi
. $directory/$g_program.conf
ensure_config_path
fi
@ -1597,7 +1597,7 @@ usage() # $1 = exit status
echo " show dynamic <zone>"
echo " show filters"
echo " show ip"
if [ $g_family -eq 4 ]; then
echo " show ipa"
fi

14
Shorewall/lib.core
View File

@ -203,7 +203,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
local mask
[ $g_family -eq 4 ] && mask=32 || mask=128
$IP -$g_family route show dev $1 2> /dev/null |
while read address rest; do
@ -385,7 +385,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
@ -617,7 +617,7 @@ EOF
for interface in $@; do
qt $g_tool -t mangle -F ~$interface
eval load=\$${interface}_load
if [ -n "$load" ]; then
load=$(bc <<EOF
scale=8
@ -888,7 +888,7 @@ add_gateway() # $1 = Delta $2 = Table Number
local weight
local delta
local dev
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
if [ -z "$route" ]; then
@ -920,7 +920,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1
if [ -n "$route" ]; then
if echo $route | fgrep -q ' nexthop '; then
gateway="nexthop $gateway"
@ -1214,7 +1214,7 @@ add_gateway() # $1 = Delta $2 = Table Number
local weight
local delta
local dev
run_ip route add default scope global table $2 $1
}
@ -1229,7 +1229,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
gateway=$1
dev=$(find_device $route)
[ "$dev" = "$3" ] && run_ip route delete default table $2
}

2
Shorewall/manpages/shorewall-rules.xml
View File

@ -1505,7 +1505,7 @@
SSH connection to the ipset S:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
# PORT(S)
ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
</listitem>
</varlistentry>

4
Shorewall/manpages/shorewall-tcfilters.xml
View File

@ -204,7 +204,7 @@
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
IPV4
@ -213,7 +213,7 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem>

2
Shorewall/manpages/shorewall-tunnels.xml
View File

@ -57,7 +57,7 @@
<programlisting> <emphasis role="bold">6to4</emphasis> or <emphasis
role="bold">6in4</emphasis> - 6to4 or 6in4 tunnel. The <emphasis
role="bold">6in4</emphasis> synonym was added in 4.4.24.
role="bold">6in4</emphasis> synonym was added in 4.4.24.
<emphasis role="bold">ipsec</emphasis> - IPv4 IPSEC
<emphasis role="bold">ipsecnat</emphasis> - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
<emphasis role="bold">ipip</emphasis> - IPv4 encapsulated in IPv4 (Protocol 4)

2
Shorewall/shorewall
View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net

6
Shorewall6-lite/init.debian.sh
View File

@ -24,7 +24,7 @@ export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ;
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
@ -36,9 +36,9 @@ fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
else
echo "not done (check $INITLOG)."
fi

10
Shorewall6-lite/init.fedora.sh
View File

@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else
else
failure
fi
echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
rm -f $lockfile
success
else
else
failure
fi
echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present

2
Shorewall6-lite/shorewall6-lite
View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 -
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 -
# Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net

2
Shorewall6-lite/shorewall6-lite.conf
View File

@ -1,5 +1,5 @@
###############################################################################
# /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following
# /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following
# variables to override the values in the shorewall.conf file used to
# compile /var/lib/shorewall-lite/firewall. Those values may be found in
# /var/lib/shorewall-lite/firewall.conf.

8
Shorewall6/Makefile-lite
View File

@ -23,10 +23,10 @@
# to the name of the remote firewall corresponding to the directory.
#
# To make the 'firewall' script, type "make".
#
#
# Once the script is compiling correctly, you can install it by
# typing "make install".
#
#
################################################################################
# V A R I A B L E S
#
@ -55,7 +55,7 @@ all: firewall
#
# Only generate the capabilities file if it doesn't already exist
#
capabilities:
capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities .
#
@ -78,5 +78,5 @@ save:
#
# Remove generated files
#
clean:
clean:
rm -f capabilities firewall firewall.conf reload

20
Shorewall6/Samples6/LICENSE
View File

@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.
Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
@ -158,7 +158,7 @@ Library.
You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.
Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.
7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.
11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest

2
Shorewall6/action.A_AllowICMPs
View File

@ -7,7 +7,7 @@
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST
# PORT(S)
# PORT(S)
COMMENT Needed ICMP types (RFC4890)
A_ACCEPT - - ipv6-icmp destination-unreachable

2
Shorewall6/action.AllowICMPs
View File

@ -7,7 +7,7 @@
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST
# PORT(S)
# PORT(S)
FORMAT 2
DEFAULTS ACCEPT

6
Shorewall6/action.Broadcast
View File

@ -22,7 +22,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Broadcast[([<action>|-[,{audit|-}])]
# Broadcast[([<action>|-[,{audit|-}])]
#
# Default action is DROP
#
@ -49,7 +49,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
}
}
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
decr_cmd_level $chainref;
add_commands $chainref, 'done';
}
log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne '';
add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );

4
Shorewall6/action.Drop
View File

@ -33,7 +33,7 @@
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
@ -41,7 +41,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_DROP') unless supplied $p3;

4
Shorewall6/action.Reject
View File

@ -29,7 +29,7 @@
###############################################################################
FORMAT 2
#
# The following magic provides different defaults for $2 thru $5, when $1 is
# The following magic provides different defaults for $2 thru $5, when $1 is
# 'audit'.
#
BEGIN PERL;
@ -37,7 +37,7 @@ use Shorewall::Config;
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
if ( defined $p1 ) {
if ( defined $p1 ) {
if ( $p1 eq 'audit' ) {
set_action_param( 2, 'A_REJECT') unless supplied $p2;
set_action_param( 3, 'A_REJECT') unless supplied $p3;

2
Shorewall6/actions.std
View File

@ -8,7 +8,7 @@
#
# Builtin Actions are:
#
# allowBcasts # Accept multicast and anycast packets
# allowBcasts # Accept multicast and anycast packets
# dropBcasts # Silently Drop multicast and anycast packets
# dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets

2
Shorewall6/configfiles/restored
View File

@ -4,7 +4,7 @@
# /etc/shorewall6/restored
#
# Add commands below that you want to be executed after shorewall6 has
# completed a 'restore' command.
# completed a 'restore' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

2
Shorewall6/configfiles/scfilter
View File

@ -4,7 +4,7 @@
# /etc/shorewall/scfilter
#
# Replace the 'cat' command below to filter the output of
# 'show connections.
# 'show connections.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

8
Shorewall6/init.debian.sh
View File

@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall6-init.log}
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ;
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
@ -32,9 +32,9 @@ fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
else
echo "not done (check $INITLOG)."
fi
@ -76,7 +76,7 @@ fi
export SHOREWALL_INIT_SCRIPT
# wait for an unconfigured interface
# wait for an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then

10
Shorewall6/init.fedora.sh
View File

@ -41,10 +41,10 @@ start() {
echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else
else
failure
fi
echo
@ -55,10 +55,10 @@ stop() {
echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
rm -f $lockfile
success
else
else
failure
fi
echo
@ -71,7 +71,7 @@ restart() {
echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present

2
Shorewall6/init.slackware.shorewall6.sh
View File

@ -6,7 +6,7 @@
# This script only affect the IPv6 rules and configuration located
# in /etc/shorewall6
#
# http://rafb.net/p/1gsyye11.html
# http://rafb.net/p/1gsyye11.html
OPTIONS=""

2
Shorewall6/ipv6
View File

@ -59,7 +59,7 @@ SIT="sit1"
ADDRESS4=206.124.146.180
#
# Internal interfaces of the firewall -- space separated
#
#
INTERFACES="eth0"
#
# Bits 48-63 of the first internal interface address. Will be incremented

4
Shorewall6/manpages/shorewall6-tcfilters.xml
View File

@ -200,7 +200,7 @@
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
IPV4
@ -209,7 +209,7 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem>

6
Shorewall6/modules.essential
View File

@ -15,9 +15,9 @@
###############################################################################
loadmodule nfnetlink
loadmodule x_tables
loadmodule ip6_tables
loadmodule ip6table_filter
loadmodule ip6table_mangle
loadmodule ip6_tables
loadmodule ip6table_filter
loadmodule ip6table_mangle
loadmodule ip6table_raw
loadmodule xt_conntrack
loadmodule nf_conntrack_ipv6

2
Shorewall6/shorewall6
View File

@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
# Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net