From 97cc4930cffbbe77a6dcf0750ea5afc7e68f5595 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 6 Apr 2012 16:26:05 -0700
Subject: [PATCH 1/3] Deimplement option leading ? in embedded directives
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 8 ++++----
 docs/configuration_file_basics.xml | 18 +++++++-----------
 2 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 0b5abdf7a..a31affd8b 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1953,7 +1953,7 @@ sub embedded_shell( $ ) {
 my $last = 0;
 while ( read_a_line( 0, 0, 1 ) ) {
- last if $last = $currentline =~ s/^\s*\??END(\s+SHELL)?\s*;?//;
+ last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
 $command .= $currentline;
 }
@@ -1989,7 +1989,7 @@ sub embedded_perl( $ ) {
 my $last = 0;
 while ( read_a_line( 0, 0, 1 ) ) {
- last if $last = $currentline =~ s/^\s*\??END(\s+PERL)?\s*;?//;
+ last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
 $command .= $currentline;
 }
@@ -2208,12 +2208,12 @@ sub read_a_line(;$$$) {
 # Must check for shell/perl before doing variable expansion
 #
 if ( $embedded_enabled ) {
- if ( $currentline =~ s/^\s*\??(BEGIN\s+)?SHELL\s*;?// ) {
+ if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 embedded_shell( $1 );
 next;
 }
- if ( $currentline =~ s/^\s*\??(BEGIN\s+)?PERL\s*\;?// ) {
+ if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
 embedded_perl( $1 );
 next;
 }
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index ec216bb95..eaf8c6731 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
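Review bot: The END terminator match in the embedded_shell loop, `s/^\s*END(\s+SHELL)?\s*;?//`, has no word boundary after the keyword, so a script line that merely starts with those three letters (an `ENDPOINT=...` assignment, for instance) terminates the block early and leaves a non-blank remainder in $currentline for the directive check that follows outside this hunk. Anchoring the keyword, `s/^\s*END\b(?:\s+SHELL)?\s*;?//`, avoids that, and the `(\s+SHELL)` capture is not read in the visible lines, so a non-capturing group is enough. The same point applies to the PERL loop in the next hunk and to the `(BEGIN\s+)?SHELL` / `(BEGIN\s+)?PERL` matches in the read_a_line hunk, where `SHELL\b` and `PERL\b` would keep a line beginning with, say, `SHELLVAR` from being consumed as a directive. All three enclosing subroutines start and end outside their hunks.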
@@ -1601,19 +1601,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true - [?]PERL <perl + PERL <perl script> - [?]SHELL <shell + SHELL <shell script> - The optional '?' is allowed in Shorewall versions 4.5.2 and - later. - Shell scripts run in a child shell process and their output is piped back to the compiler which processes that output as if it were embedded at the point of the script. @@ -1658,14 +1655,13 @@ use Shorewall::Config ( qw/shorewall/ ); Multi-line scripts use one of the following forms:[?]BEGIN SHELL + role="bold">BEGIN SHELL <shell script> -[?]END [ SHELL ][?]BEGIN PERL [;] +END [ SHELL ]BEGIN PERL [;] <perl script> -[?]END [ PERL ] [;]As above, the optional - leading '?' is allowed in Shorewall versions 4.5.2 and later. +END [ PERL ] [;]
From 72042209914e1f9dce9c49d1899d0be78b904524 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 7 Apr 2012 07:16:17 -0700
Subject: [PATCH 2/3] Some more fixes to conditional inclusion.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index a31affd8b..01d622858 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1548,6 +1548,8 @@ sub close_file() {
 #
 # Process an ?IF, ?ELSE or ?END directive
 #
+sub have_capability( $ );
+
 sub process_conditional( $$$ ) {
 my ( $omitting, $line, $linenumber ) = @_;
@@ -1582,7 +1584,7 @@ sub process_conditional( $$$ ) {
 $omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
 exists $params{$rest} ? $params{$rest} :
 exists $config{$rest} ? $config{$rest} :
- exists $capdesc{$cap} ? have_capability $cap : 0 );
+ exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
 }
 $omitting = ! $omitting if $invert;
@@ -1958,7 +1960,7 @@ sub embedded_shell( $ ) {
 }
 fatal_error ( "Missing END SHELL" ) unless $last;
- fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
+ fatal_error ( "Invalid END SHELL directive" ) unless $currentline =~ /^\s*$/;
 }
 $command .= q(');
@@ -1994,7 +1996,7 @@ sub embedded_perl( $ ) {
 }
 fatal_error ( "Missing END PERL" ) unless $last;
- fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
+ fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
 }
 unless (my $return = eval $command ) {
@@ -2626,8 +2628,6 @@ sub determine_kernelversion() {
 #
 # Capability Reporting and detection.
 #
-sub have_capability( $ );
-
 sub Nat_Enabled() {
 $family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
 }
From 55cd81747df3e010287d9807ec39c7aa301d1981 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 7 Apr 2012 07:38:38 -0700
Subject: [PATCH 3/3] Add emphasis in some examples; correct a typo.
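Review bot: The `?IF` operand in process_conditional is resolved against `%ENV` first, then `%params`, `%config` and finally, through the new `have_capability( $cap )` call, the capability table, and because each step tests `exists` the first hash that holds the key decides the outcome even when its value is false. Nothing near the ternary chain says so, and an environment variable that happens to share a name with a shorewall.conf option or capability silently overrides it; a comment above the assignment such as `# Lookup order: environment, params, shorewall.conf, capabilities - the first hash that has the key wins, even if its value is false.` would document the contract, and it is worth confirming how much of the caller's environment reaches the compiler. process_conditional starts and ends outside the hunk.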
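Review bot: The success test on the embedded PERL block, `unless (my $return = eval $command ) {`, folds a legitimately false result of the script into the error path, so a block whose last statement evaluates to 0 or '' is handled like one that died. Testing `$@` immediately after the eval, and looking at `$return` only once `$@` is empty, separates the two cases. The branch body lies outside this hunk, so it may already inspect `$@`; worth checking before changing anything.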
Signed-off-by: Tom Eastep
---
 docs/configuration_file_basics.xml | 36 ++++++++++++++++++------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index eaf8c6731..9b94f1a03 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -2000,7 +2000,7 @@ redirect => 137 192.168.1.3, the entry in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
-DNAT net loc:192.168.1.3 tcp 4000:4100
+DNAT net loc:192.168.1.3 tcp 4000:4100
 If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed.
@@ -2136,9 +2136,9 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 Support requires that you install xtables-addons. The SWITCH column contains the name of a - switch. Each switch that is initially in the - off position. You can turn on the switch - named switch1 by: + switch. Each switch is initially in the off position. You can turn on the switch named + switch1 by: echo 1 >
@@ -2182,7 +2182,8 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH # PORT(S) PORT(S) DEST LIMIT GROUP
-DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
+DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
@@ -2212,11 +2213,16 @@ DNAT net dmz:$BACKUP tcp 80 - - Here is an example: #ZONE INTERFACE BROADCAST OPTIONS
-net COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
-net EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
-loc INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
-dmz VPS_IF detect logmartians=1,routefilter=0,routeback,physical=venet0
-loc TUN_IF detect physical=tun+
+net COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
+net EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
+loc INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
+dmz VPS_IF detect logmartians=1,routefilter=0,routeback,physical=venet0
+loc TUN_IF detect physical=tun+
 In this example, COM_IF is a logical interface name that refers to Ethernet interface eth0, EXT_IF is
@@ -2231,16 +2237,18 @@ loc TUN_IF detect physical=tun+ #INTERFACE SOURCE ADDRESS COMMENT Masquerade Local Network
-COM_IF 0.0.0.0/0
-EXT_IF !206.124.146.0/24 206.124.146.179:persistent
+COM_IF 0.0.0.0/0
+EXT_IF !206.124.146.0/24 206.124.146.179:persistent
 shorewall-providers (5) #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-Avvanta 1 0x10000 main EXT_IF 206.124.146.254 loose,fallback INT_IF,VPS_IF,TUN_IF
-Comcast 2 0x20000 main COM_IF detect balance INT_IF,VPS_IF,TUN_IF
+Avvanta 1 0x10000 main EXT_IF 206.124.146.254 loose,fallback INT_IF,VPS_IF,TUN_IF
+Comcast 2 0x20000 main COM_IF detect balance INT_IF,VPS_IF,TUN_IF
 Note in particular that Shorewall translates TUN_IF to tun* in the COPY column.