Bracket non-trivial cc lists with [...]

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-05-19 09:39:49 -07:00
parent 56b8a9b9fa
commit f0a3e1652a
4 changed files with 24 additions and 14 deletions


@ -5172,7 +5172,7 @@ sub match_source_net( $;$\$ ) {
return $result; return $result;
} }
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) { if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ); fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
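Review bot: The bracketed alternative in the new condition, `\^\[([A-Z,\d]+)\]`, is looser than the unbracketed one. The bare form now requires exactly two characters, but inside the brackets any run of letters, digits and commas passes, so `^[,]`, `^[A]` and `^[ABC,,D]` all match. Nothing in the visible lines validates the captured list afterwards. Consider carrying the two-character rule into the list, for example `/^(!?)\^\[([A-Z\d]{2}(?:,[A-Z\d]{2})*)\]$/`, so a malformed list is rejected at compile time instead of being handed on to rule generation.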
@ -5238,7 +5238,7 @@ sub imatch_source_net( $;$\$ ) {
return \@result; return \@result;
} }
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) { if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT ); fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
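Review bot: This two-regex condition is the same text as in match_source_net, and it recurs in match_dest_net and imatch_dest_net, so the country-code syntax is now defined in four places that have to be kept in step by hand. A shared precompiled pattern (a `qr//` constant) or a small helper that returns the negation flag and the list would keep the four callers consistent the next time the syntax changes. Minor style point on the same line: there is no space between `/)` and `{`.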
@ -5301,7 +5301,7 @@ sub match_dest_net( $;$ ) {
return $result; return $result;
} }
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) { if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT ); fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';
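Review bot: The old pattern accepted an unbracketed list such as `^A1,A2`, and neither new alternative matches it, so that input now skips this block and falls through to whatever follows, which is not shown here. A configuration written with the earlier syntax will therefore fail, or be interpreted, somewhere unrelated to country codes. An explicit check for a caret followed by a comma-separated list without brackets, ending in a fatal_error that names the required `^[...]` form, would give the operator a clear message instead of a silent change in how the rule is parsed.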
@ -5362,7 +5362,7 @@ sub imatch_dest_net( $;$ ) {
return \@result; return \@result;
} }
if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) { if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT ); fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
require_capability 'GEOIP_MATCH', 'A country-code', ''; require_capability 'GEOIP_MATCH', 'A country-code', '';


@ -642,8 +642,10 @@
<para>Beginning with Shorewall 4.5.4, A <para>Beginning with Shorewall 4.5.4, A
<replaceable>countrycode-list</replaceable> may be specified. A <replaceable>countrycode-list</replaceable> may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661 countrycode-list is a comma-separated list of two-character ISO-3661
country codes preceded by a caret ('^'). A list of country codes country codes enclosed in square brackets ('[...]') and preceded by
supported by Shorewall may be found at <ulink a caret ('^'). When a single country code is given, the square
brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your iptables and <firstterm>GeoIP Match</firstterm> support in your iptables and
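Review bot: The reworded paragraph still cites "ISO-3661", but the standard for two-letter country codes is ISO 3166; since this sentence is being rewritten anyway, the name in the prose could be corrected here and in the three sibling hunks (the ulink URL has to keep whatever file name the site actually serves). The opening also reads "Beginning with Shorewall 4.5.4, A", with a capital "A" mid-sentence. Finally, the text does not say that an unbracketed multi-code list is no longer accepted; a short sentence to that effect would help anyone who already wrote rules in the earlier form.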
@ -757,8 +759,10 @@
<para>Beginning with Shorewall 4.5.4, A <para>Beginning with Shorewall 4.5.4, A
<replaceable>countrycode-list</replaceable> may be specified. A <replaceable>countrycode-list</replaceable> may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661 countrycode-list is a comma-separated list of two-character ISO-3661
country codes preceded by a caret ('^'). A list of country codes country codes enclosed in square brackets ('[...]') and preceded by
supported by Shorewall may be found at <ulink a caret ('^'). When a single country code is given, the square
brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your iptables and <firstterm>GeoIP Match</firstterm> support in your iptables and


@ -493,8 +493,10 @@
<para>Beginning with Shorewall 4.5.4, A <para>Beginning with Shorewall 4.5.4, A
<replaceable>countrycode-list</replaceable> may be specified. A <replaceable>countrycode-list</replaceable> may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661 countrycode-list is a comma-separated list of two-character ISO-3661
country codes preceded by a caret ('^'). A list of country codes country codes enclosed in square brackets ('[...]') and preceded by
supported by Shorewall may be found at <ulink a caret ('^'). When a single country code is given, the square
brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your ip6tables and <firstterm>GeoIP Match</firstterm> support in your ip6tables and
@ -625,8 +627,10 @@
<para>Beginning with Shorewall 4.5.4, A <para>Beginning with Shorewall 4.5.4, A
<replaceable>countrycode-list</replaceable> may be specified. A <replaceable>countrycode-list</replaceable> may be specified. A
countrycode-list is a comma-separated list of two-character ISO-3661 countrycode-list is a comma-separated list of two-character ISO-3661
country codes preceded by a caret ('^'). A list of country codes country codes enclosed in square brackets ('[...]') and preceded by
supported by Shorewall may be found at <ulink a caret ('^'). When a single country code is given, the square
brackets may be omitted. A list of country codes supported by
Shorewall may be found at <ulink
url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>. url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
Specifying a <replaceable>countrycode-list</replaceable> requires Specifying a <replaceable>countrycode-list</replaceable> requires
<firstterm>GeoIP Match</firstterm> support in your ip6tables and <firstterm>GeoIP Match</firstterm> support in your ip6tables and


@ -40,7 +40,9 @@
<para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet <para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
SOURCE and/or DEST IP addresses by their corresponding country. That is SOURCE and/or DEST IP addresses by their corresponding country. That is
done by specifying a comma-separated list of ISO-3661 2-character Country done by specifying a comma-separated list of ISO-3661 2-character Country
Codes prefixed by a caret ('^').</para> Codes enclosed in square brackets ('[...]') and prefixed by a caret ('^').
When a single country code is given, the square brackets can be
omitted.</para>
<para>Example - Drop email from the Anonymous Proxy and Satellite Provider <para>Example - Drop email from the Anonymous Proxy and Satellite Provider
networks.</para> networks.</para>
@ -49,7 +51,7 @@
<programlisting> #ACTION SOURCE DEST PROTO DEST <programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
DROP:info net:^A1,A2 dmz tcp 25 DROP:info net:^[A1,A2] dmz tcp 25
</programlisting> </programlisting>
<para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are <para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are
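Review bot: The example in this programlisting now shows only the bracketed list `net:^[A1,A2]`, while the paragraph above it documents that a single code may be written without brackets. A second example line using the bare form, such as `net:^A1`, would show both accepted spellings and make it obvious that the previous `net:^A1,A2` form is the one that was retired.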