diff options
Diffstat (limited to 'contrib/ipfilter/perl/ipfmeta.pl')
| -rw-r--r-- | contrib/ipfilter/perl/ipfmeta.pl | 210 |
1 files changed, 0 insertions, 210 deletions
diff --git a/contrib/ipfilter/perl/ipfmeta.pl b/contrib/ipfilter/perl/ipfmeta.pl deleted file mode 100644 index 1a7bb3f..0000000 --- a/contrib/ipfilter/perl/ipfmeta.pl +++ /dev/null @@ -1,210 +0,0 @@ -#!/usr/bin/perl -w -# -# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000 -# ipfmeta is in the Public Domain. -# - -use strict; -use Getopt::Std; - -## PROCESS COMMANDLINE -our($opt_v); $opt_v=1; -getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n"; -my $verbose = $opt_v + 0; -my $objfile = shift || "ipf.objs"; -my $MAXRECURSION = 10; - -## READ OBJECTS -open(FH, "$objfile") || die "cannot open $objfile: $!\n"; -my @tokens; -while (<FH>) { - chomp; - s/#.*$//; # remove comments - s/^\s+//; # compress whitespace - s/\s+$//; - next if m/^$/; # skip empty lines - push (@tokens, split); -} -close(FH) || die "cannot close $objfile: $!\n"; -# link objects with their values -my $obj=""; -my %objs; -while (@tokens) { - my $token = shift(@tokens); - if ($token =~ m/^\[([^]]*)\]$/) { - # new object - $obj = $1; - } else { - # new value - push(@{$objs{$obj}}, $token) unless ($obj eq ""); - } -} - -# sort objects: longest first -my @objs = sort { length($b) <=> length($a) } keys %objs; - -## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN -foreach (<STDIN>) { - foreach (expand($_, 0)) { - print; - } -} - -## END - -sub expand { - my $line = shift; - my $level = shift; - my @retlines = $line; - my $obj; - my $val; - - # coarse protection - if ($level > $MAXRECURSION) { - print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n"; - return; - } - - foreach $obj (@objs) { - if ($line =~ m/$obj/) { - @retlines = ""; - if ($level < $verbose) { - # add metarule as a comment - push(@retlines, "# ".$line); - } - foreach $val (@{$objs{$obj}}) { - my $newline = $line; - $newline =~ s/$obj/$val/; - push(@retlines, expand($newline, $level+1)); - } - last; - } - } - - return @retlines; -} - -__END__ - -=head1 NAME - -B<ipfmeta> - use objects in IP filter files - -=head1 SYNOPSIS - -B<ipfmeta> [F<options>] [F<objfile>] - -=head1 DESCRIPTION - -B<ipfmeta> is used to simplify the maintenance of your IP filter -ruleset. It does this through the use of 'objects'. A matching -object gets replaced by its values at runtime. This is similar to -what a macro processor like m4 does. - -B<ipfmeta> is specifically geared towards IP filter. It is line -oriented, if an object has multiple values, the line with the object -is duplicated and substituted for each value. It is also recursive, -an object may have another object as a value. - -Rules to be processed are read from stdin, output goes to stdout. - -The verbose option allows for the inclusion of the metarules in the -output as comments. - -Definition of the objects and their values is done in a separate -file, the filename defaults to F<ipf.objs>. An object is delimited -by square brackets. A value is delimited by whitespace. Comments -start with '#' and end with a newline. Empty lines and extraneous -whitespace are allowed. A value belongs to the first object that -precedes it. - -It is recommended that you use all caps or another distinguishing -feature for object names. You can use B<ipfmeta> for NAT rules also, -for instance to keep them in sync with filter rules. Combine -B<ipfmeta> with a Makefile to save typing. - -=head1 OPTIONS - -=over 4 - -=item B<-v> I<verboselevel> - -Include metarules in output as comments. Default is 1, the top level -metarules. Higher levels cause expanded metarules to be included. -Level 0 does not add comments at all. - -=back - -=head1 BUGS - -A value can not have whitespace in it. - -=head1 EXAMPLE - -(this does not look good, formatted) - -I<ipf.objs> - -[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 - -[MULTICAST] 224.0.0.0/4 - -[UNWANTED] PRIVATE MULTICAST - -[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32 - -[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32 - -[MGMT-PORTS] 22 23 - -I<ipf.metarules> - -block in from UNWANTED to any - -pass in from NOC to WEBSERVERS port = MGMT-PORTS - -pass out all - -I<Run> - -ipfmeta ipf.objs <ipf.metarules >ipf.rules - -I<Output> - -# block in from UNWANTED to any - -block in from 10.0.0.0/8 to any - -block in from 127.0.0.0/8 to any - -block in from 172.16.0.0/12 to any - -block in from 192.168.0.0/16 to any - -block in from 224.0.0.0/4 to any - -# pass in from NOC to WEBSERVERS port = MGMT-PORTS - -pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22 - -pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23 - -pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22 - -pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23 - -pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22 - -pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23 - -pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22 - -pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23 - -pass out all - -=head1 AUTHOR - -Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain. - -=cut |
