diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 8d84244fb..7f4fe0490 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -49,7 +49,6 @@ our $defaultchain;
 our $ipsecdir;
 our $defaultrestriction;
 our $restriction;
-our $accounting_commands = { COMMENT => 0, SECTION => 2 };
 our $sectionname;
 our $acctable;
@@ -149,20 +148,10 @@ sub process_accounting_rule( ) {
 $jumpchainref = 0;
 my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
- split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+ split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
 fatal_error 'ACTION must be specified' if $action eq '-';
- if ( $action eq 'COMMENT' ) {
- process_comment;
- return 0;
- }
-
- if ( $action eq 'SECTION' ) {
- process_section( $chain );
- return 0;
- }
-
 $asection = LEGACY if $asection < 0;
 our $disposition = '';
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 34f258657..bc11abe00 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1882,7 +1882,7 @@ sub split_line1( $$;$$ ) {
 my @line = split( ' ', $columns );
- $nopad = { COMMENT => 0 } unless $nopad;
+ $nopad = {} unless $nopad;
 my $first = supplied $line[0] ? $line[0] : '-';
 my $npcolumns = $nopad->{$first};
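Review bot: The SECTION branch of process_accounting_rule is dropped together with `$accounting_commands`, and nothing in this diff relocates it: the new code in read_a_line handles only COMMENT and FORMAT, and Rules.pm keeps its own `process_section( $source ), return 1 if $target eq 'SECTION';`. Unless a hunk outside this page takes over SECTION for the accounting file, a `SECTION` line now falls through to the action handling as an action named SECTION, and split_line1 also loses the two-token limit that `SECTION => 2` imposed on such lines. Keep `if ( $action eq 'SECTION' ) { process_section( $chain ); return 0; }` here, or move it next to the COMMENT handling in read_a_line. The body of process_accounting_rule continues past the end of the hunk.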
@@ -2952,6 +2952,25 @@ sub read_a_line($) {
 # $currentline =~ s/\s*$//;
 }
+
+ if ( $comments_allowed && $currentline =~ /^\s*COMMENT\b/ ) {
+ process_comment;
+ $currentline = '';
+ $currentlinenumber = 0;
+ next
+ }
+
+ if ( $max_format > 1 && $currentline =~ /^\s*FORMAT\s+(.+)/ ) {
+ format_warning;
+ my $format = $1;
+ fatal_error( "Invalid format ($format)" ) unless $format =~ /\d+/;
+ fatal_error( "Format must be between 1 and $max_format" ) unless $format && $format <= $max_format;
+ $file_format = $format;
+ $currentline = '';
+ $currentlinenumber = 0;
+ next
+ }
+
 #
 # Line not blank -- Handle any first-entry message/capabilities check
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 04faf311d..ae8a3c880 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -683,7 +683,7 @@ sub process_stoppedrules() {
 $result = 1;
 my ( $target, $source, $dest, $proto, $ports, $sports ) =
- split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 };
+ split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
 fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
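Review bot: The FORMAT validation in the new read_a_line branch is unanchored: `$format` is whatever `(.+)` captured to the end of the line, and `$format =~ /\d+/` accepts any value that merely contains a digit (for example `2x` or `1 2`), which then passes the numeric `<=` comparison with a non-numeric warning and is stored verbatim in `$file_format`. The per-file checks this replaces used `/^[12]$/`, so the same strictness is expected here; change the line to `fatal_error( "Invalid format ($format)" ) unless $format =~ /^\d+$/;` and, because the trailing-whitespace strip shown above is commented out, consider trimming `$format` before the check so that `FORMAT 2 ` is not rejected. The two `next` statements belong to a loop whose head and tail are outside the hunk.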
@@ -1216,47 +1216,43 @@ sub setup_mac_lists( $ ) {
 my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
- if ( $original_disposition eq 'COMMENT' ) {
- process_comment;
- } else {
- my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
+ my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
- fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+ fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
- my $targetref = $maclist_targets{$disposition};
+ my $targetref = $maclist_targets{$disposition};
- fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
- fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
- fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+ fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+ fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+ fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
- my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+ my $chainref = $chain_table{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )};
- $mac = '' unless $mac && ( $mac ne '-' );
- $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+ $mac = '' unless $mac && ( $mac ne '-' );
+ $addresses = '' unless defined $addresses && ( $addresses ne '-' );
- fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+ fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
- $mac = do_mac $mac if $mac;
+ $mac = do_mac $mac if $mac;
- if ( $addresses ) {
- for my $address ( split ',', $addresses ) {
- my $source = match_source_net $address;
- log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
- if supplied $level;
-
- add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
- add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
- }
- } else {
- log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+ if ( $addresses ) {
+ for my $address ( split ',', $addresses ) {
+ my $source = match_source_net $address;
+ log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 if supplied $level;
 add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
- add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
+ add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 }
+ } else {
+ log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+ if supplied $level;
- progress_message " Maclist entry \"$currentline\" $done";
+ add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . 
lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+ add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 }
+
+ progress_message " Maclist entry \"$currentline\" $done";
 }
 clear_comment;
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 54e122016..24c0dea6e 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -61,11 +61,6 @@ sub process_one_masq( )
 my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
- if ( $interfacelist eq 'COMMENT' ) {
- process_comment;
- return 1;
- }
-
 fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
 my $pre_nat;
@@ -387,23 +382,19 @@ sub setup_nat() {
 my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
- if ( $external eq 'COMMENT' ) {
- process_comment;
- } else {
- ( $interfacelist, my $digit ) = split /:/, $interfacelist;
+ ( $interfacelist, my $digit ) = split /:/, $interfacelist;
- $digit = defined $digit ? ":$digit" : '';
+ $digit = defined $digit ? ":$digit" : '';
- fatal_error 'EXTERNAL must be specified' if $external eq '-';
- fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+ fatal_error 'EXTERNAL must be specified' if $external eq '-';
+ fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
- for my $interface ( split_list $interfacelist , 'interface' ) {
- fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
- do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
- }
-
- progress_message " NAT entry \"$currentline\" $done";
+ for my $interface ( split_list $interfacelist , 'interface' ) {
+ fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+ do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 }
+
+ progress_message " NAT entry \"$currentline\" $done";
 }
 clear_comment;
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index a2cd4da6c..184039940 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -227,7 +227,7 @@ sub setup_conntrack() {
 if ( $fn ) {
- my $action = 'NOTRACK';
+ my $action;
 my $empty = 1;
@@ -238,24 +238,9 @@ sub setup_conntrack() {
 if ( $file_format == 1 ) {
 ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
-
- if ( $source eq 'FORMAT' ) {
- process_format( $dest );
- next;
- }
+ $action = 'NOTRACK';
 } else {
- ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
-
- if ( $action eq 'FORMAT' ) {
- process_format( $source );
- $action = 'NOTRACK';
- next;
- }
- }
-
- if ( $action eq 'COMMENT' ) {
- process_comment;
- next;
+ ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 }
 $empty = 0;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 51d3f490f..24027148c 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -75,9 +75,9 @@ our @builtins;
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
-our $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
-our $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
-our $macro_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
+our $rule_commands = { SECTION => 2 };
+our $action_commands = { SECTION => 2, DEFAULTS => 2 };
+our $macro_commands = { SECTION => 2, DEFAULT => 2 };
 our %rulecolumns = ( action => 0,
 source => 1,
@@ -1578,18 +1578,6 @@ sub process_action($) {
 fatal_error 'TARGET must be specified' if $target eq '-';
- if ( $target eq 'COMMENT' ) {
- process_comment;
- next;
- }
-
- if ( $target eq 'FORMAT' ) {
- format_warning;
- fatal_error "FORMAT must be 1 or 2" unless $source =~ /^[12]$/;
- $file_format = $source;
- next;
- }
-
 if ( $target eq 'DEFAULTS' ) {
 default_action_params( $action, split_list $source, 'defaults' ), next if $file_format == 2;
 fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
@@ -1683,18 +1671,6 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$) {
 fatal_error 'TARGET must be specified' if $mtarget eq '-';
- if ( $mtarget eq 'COMMENT' ) {
- process_comment unless $nocomment;
- next;
- }
-
- if ( $mtarget eq 'FORMAT' ) {
- format_warning;
- fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
- $file_format = $msource;
- next;
- }
-
 if ( $mtarget =~ /^DEFAULTS?$/ ) {
 $param = $msource unless supplied $param;
 next;
@@ -1819,21 +1795,11 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
 fatal_error 'TARGET must be specified' if $mtarget eq '-';
- if ( $mtarget eq 'COMMENT' ) {
- process_comment unless $nocomment;
- next;
- }
-
 if ( $mtarget eq 'DEFAULTS' ) {
 default_action_params( $chainref, split_list( $msource, 'defaults' ) );
 next;
 }
- if ( $mtarget eq 'FORMAT' ) {
- fatal_error "FORMAT must be 2" unless $msource eq '2';
- next;
- }
-
 $mtarget = merge_levels( $target, $mtarget ) unless $nolog;
 my $action = isolate_basic_target $mtarget;
@@ -2593,7 +2559,6 @@ sub process_rule ( ) {
 fatal_error 'ACTION must be specified' if $target eq '-';
- process_comment, return 1 if $target eq 'COMMENT';
 process_section( $source ), return 1 if $target eq 'SECTION';
 #
 # Section Names are optional so once we get to an actual rule, we need to be sure that
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 65bfccd56..bd7404736 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
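Review bot: The COMMENT branch removed from process_macro honoured `$nocomment` (`process_comment unless $nocomment;`), while its replacement in read_a_line calls process_comment whenever `$comments_allowed` is set and otherwise leaves the line for the caller to parse. Unless the macro reader maps `$nocomment` onto a false `$comments_allowed` and also discards the line, a COMMENT line in a macro invoked with nocomment would now be parsed as a rule whose target is `COMMENT` instead of being ignored as before; the call that sets `$comments_allowed` is not on this page, so this is worth confirming there. process_macro's body continues beyond the hunk.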
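Review bot: process_inline previously rejected every FORMAT value except 2 (`fatal_error "FORMAT must be 2" unless $msource eq '2';`), but the shared check in read_a_line accepts any value from 1 to `$max_format`, and `FORMAT 2` is only recognised there when `$max_format > 1`, so the inline reader must use `$max_format` of at least 2 and thereby also accepts `FORMAT 1`. If format 1 is genuinely unsupported for inline files, the restriction should be reinstated, for example by having the inline reader reject `$file_format == 1` after read_a_line returns or by giving read_a_line a minimum-format argument. This is inferred from the two hunks; the reader that opens inline files is not on this page. process_inline's body continues beyond the hunk.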
@@ -208,32 +208,17 @@ sub process_tc_rule( ) {
 my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
 if ( $family == F_IPV4 ) {
 ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
- split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
+ split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
 $headers = '-';
 } else {
 ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
- split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, { COMMENT => 0, FORMAT => 2 }, 16;
+ split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
 }
 our %tccmd;
 fatal_error 'MARK must be specified' if $originalmark eq '-';
- if ( $originalmark eq 'COMMENT' ) {
- process_comment;
- return;
- }
-
- if ( $originalmark eq 'FORMAT' ) {
- format_warning;
- if ( $source =~ /^([12])$/ ) {
- $file_format = $1;
- return;
- }
-
- fatal_error "Invalid FORMAT ($source)";
- }
-
 my ( $mark, $designator, $remainder ) = split( 
/:/, $originalmark, 3 );
 fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -1803,11 +1788,6 @@ sub process_tc_priority() {
 fatal_error 'BAND must be specified' if $band eq '-';
- if ( $band eq 'COMMENT' ) {
- process_comment;
- return;
- }
-
 fatal_error "Invalid tcpri entry" if ( $proto eq '-' &&
 $ports eq '-' &&
 $address eq '-' &&
@@ -2207,11 +2187,6 @@ sub process_secmark_rule() {
 fatal_error 'SECMARK must be specified' if $secmark eq '-';
- if ( $secmark eq 'COMMENT' ) {
- process_comment;
- return;
- }
-
 my %chns = ( T => 'tcpost' ,
 P => 'tcpre' ,
 F => 'tcfor' ,
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm
index e5d3e1522..9d7f45dcf 100644
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -291,16 +291,12 @@ sub setup_tunnels() {
 while ( read_a_line( NORMAL_READ ) ) {
- my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+ my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
 fatal_error 'TYPE must be specified' if $kind eq '-';
- if ( $kind eq 'COMMENT' ) {
- process_comment;
- } else {
- fatal_error 'ZONE must be specified' if $zone eq '-';
- setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
- }
+ fatal_error 'ZONE must be specified' if $zone eq '-';
+ setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 }
 clear_comment;
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index d919f7ac4..9aaadda0d 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1004,22 +1004,12 @@ sub process_interface( $$ ) {
 my $bridge = '';
 if ( $file_format == 1 ) {
-($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
 } else {
-($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
 $bcasts = '-';
 }
- if ( $zone eq 'FORMAT' ) {
- format_warning;
- if ( $originalinterface =~ /^([12])$/ ) {
- $file_format = $1;
- return;
- }
-
- fatal_error "Invalid FORMAT ($originalinterface)";
- }
-
 if ( $zone eq '-' ) {
 $zone = '';
 } else {