diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 8f69db7a5..de45edcc3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1163,192 +1163,6 @@ sub pop_indent() { } } -# -# Functions for copying files into the script -# -sub copy( $ ) { - assert( $script_enabled ); - - if ( $script ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - while ( ) { - chomp; - if ( /^\s*$/ ) { - print $script "\n" unless $lastlineblank; - $lastlineblank = 1; - } else { - if ( $indent ) { - s/^(\s*)/$indent1$1$indent2/; - s/ /\t/ if $indent2; - } - - print $script $_; - print $script "\n"; - $lastlineblank = 0; - } - } - - close IF; - } -} - -sub close_file(); - -# -# This one handles line continuation and 'here documents' - -sub copy1( $ ) { - assert( $script_enabled ); - - my $result = 0; - - if ( $script || $debug ) { - my ( $do_indent, $here_documents ) = ( 1, ''); - - open_file( $_[0] ); - - while ( $currentfile ) { - while ( <$currentfile> ) { - chomp; - - if ( /^${here_documents}\s*$/ ) { - if ( $script ) { - print $script $here_documents if $here_documents; - print $script "\n"; - } - - if ( $debug ) { - print "GS-----> $here_documents" if $here_documents; - print "GS----->\n"; - } - - $do_indent = 1; - $here_documents = ''; - next; - } - - if ( $do_indent && /.*<<\s*([^ ]+)s*(.*)/ ) { - $here_documents = $1; - s/^(\s*)/$indent1$1$indent2/; - s/ /\t/ if $indent2; - $do_indent = 0; - - if ( $script ) { - print $script $_; - print $script "\n"; - } - - if ( $debug ) { - s/\n/\nGS-----> /g; - print "GS-----> $_\n"; - } - - $result = 1; - next; - } - - if ( $indent && $do_indent ) { - s/^(\s*)/$indent1$1$indent2/; - s/ /\t/ if $indent2; - } - - if ( $script ) { - print $script $_; - print $script "\n"; - } - - $do_indent = ! 
( $here_documents || /\\$/ ); - - $result = 1 unless $result || /^\s*$/ || /^\s*#/; - - if ( $debug ) { - s/\n/\nGS-----> /g; - print "GS-----> $_\n"; - } - } - - close_file; - } - } - - $lastlineblank = 0; - - $result; -} - -# -# This one drops header comments and replaces them with a three-line banner -# -sub copy2( $$ ) { - my ( $file, $trace ) = @_; - - assert( $script_enabled ); - my $empty = 1; - - if ( $script || $trace ) { - my $file = $_[0]; - - open IF , $file or fatal_error "Unable to open $file: $!"; - - while ( ) { - $empty = 0, last unless /^#/; - } - - unless ( $empty ) { - emit < ) { - chomp; - if ( /^\s*$/ ) { - unless ( $lastlineblank ) { - print $script "\n" if $script; - print "GS----->\n" if $trace; - } - - $lastlineblank = 1; - } else { - if ( $indent ) { - s/^(\s*)/$indent1$1$indent2/; - s/ /\t/ if $indent2; - } - - if ( $script ) { - print $script $_; - print $script "\n"; - } - - if ( $trace ) { - s/\n/GS-----> \n/g; - print "GS-----> $_\n"; - } - - $lastlineblank = 0; - } - } - - close IF; - - unless ( $lastlineblank ) { - print $script "\n" if $script; - print "GS----->\n" if $trace; - } - - emit( '################################################################################', - "# End of imports from $file", - '################################################################################' ); - } - } -} - # # Create the temporary script file -- the passed file name is the name of the final file. # We create a temporary file in the same directory so that we can use rename to finalize it. 
@@ -1638,6 +1452,216 @@ sub close_file() { } } +# +# Functions for copying files into the script +# +sub copy( $ ) { + assert( $script_enabled ); + + if ( $script ) { + my $file = $_[0]; + + open IF , $file or fatal_error "Unable to open $file: $!"; + + while ( ) { + chomp; + if ( /^\s*$/ ) { + print $script "\n" unless $lastlineblank; + $lastlineblank = 1; + } else { + if ( $indent ) { + s/^(\s*)/$indent1$1$indent2/; + s/ /\t/ if $indent2; + } + + print $script $_; + print $script "\n"; + $lastlineblank = 0; + } + } + + close IF; + } +} + +# +# This variant of copy handles line continuation, 'here documents' and INCLUDE +# +sub copy1( $ ) { + assert( $script_enabled ); + + my $result = 0; + + if ( $script || $debug ) { + my ( $do_indent, $here_documents ) = ( 1, ''); + + open_file( $_[0] ); + + while ( $currentfile ) { + while ( <$currentfile> ) { + $currentlinenumber++; + + chomp; + + if ( /^${here_documents}\s*$/ ) { + if ( $script ) { + print $script $here_documents if $here_documents; + print $script "\n"; + } + + if ( $debug ) { + print "GS-----> $here_documents" if $here_documents; + print "GS----->\n"; + } + + $do_indent = 1; + $here_documents = ''; + next; + } + + if ( $do_indent && /.*<<\s*([^ ]+)s*(.*)/ ) { + $here_documents = $1; + s/^(\s*)/$indent1$1$indent2/; + s/ /\t/ if $indent2; + $do_indent = 0; + + if ( $script ) { + print $script $_; + print $script "\n"; + } + + if ( $debug ) { + s/\n/\nGS-----> /g; + print "GS-----> $_\n"; + } + + $result = 1; + next; + } + + if ( $do_indent ) { + if ( /^\s*INCLUDE\s/ ) { + my @line = split / /; + + fatal_error "Invalid INCLUDE command" if @line != 2; + fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; + + my $filename = find_file $line[1]; + + fatal_error "INCLUDE file $filename not found" unless -f $filename; + fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; + + if ( -s _ ) { + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; + $currentfile = 
undef; + do_open_file $filename; + } else { + $currentlinenumber = 0; + } + + next; + } + + if ( $indent ) { + s/^(\s*)/$indent1$1$indent2/; + s/ /\t/ if $indent2; + } + } + + if ( $script ) { + print $script $_; + print $script "\n"; + } + + $do_indent = ! ( $here_documents || /\\$/ ); + + $result = 1 unless $result || /^\s*$/ || /^\s*#/; + + if ( $debug ) { + s/\n/\nGS-----> /g; + print "GS-----> $_\n"; + } + } + + close_file; + } + } + + $lastlineblank = 0; + + $result; +} + +# +# This one drops header comments and replaces them with a three-line banner +# +sub copy2( $$ ) { + my ( $file, $trace ) = @_; + + assert( $script_enabled ); + my $empty = 1; + + if ( $script || $trace ) { + my $file = $_[0]; + + open IF , $file or fatal_error "Unable to open $file: $!"; + + while ( ) { + $empty = 0, last unless /^#/; + } + + unless ( $empty ) { + emit < ) { + chomp; + if ( /^\s*$/ ) { + unless ( $lastlineblank ) { + print $script "\n" if $script; + print "GS----->\n" if $trace; + } + + $lastlineblank = 1; + } else { + if ( $indent ) { + s/^(\s*)/$indent1$1$indent2/; + s/ /\t/ if $indent2; + } + + if ( $script ) { + print $script $_; + print $script "\n"; + } + + if ( $trace ) { + s/\n/GS-----> \n/g; + print "GS-----> $_\n"; + } + + $lastlineblank = 0; + } + } + + close IF; + + unless ( $lastlineblank ) { + print $script "\n" if $script; + print "GS----->\n" if $trace; + } + + emit( '################################################################################', + "# End of imports from $file", + '################################################################################' ); + } + } +} + # # The following two functions allow module clients to nest opens. This happens frequently # in the Rules module. diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 8b3bdf027..69365554f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
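Review bot: In the new INCLUDE branch of copy1 the directive is recognised with `/^\s*INCLUDE\s/` but tokenised with `split / /`, so an indented INCLUDE, a tab after the keyword, or two spaces before the file name would give a field count other than 2 and die with "Invalid INCLUDE command" (whitespace is collapsed on this page, so the pattern should be confirmed against the real file); `my @line = split ' ';` splits on any whitespace run and ignores leading blanks. The `-d _` test cannot fire, because `-f $filename` has already rejected a directory with the "not found" message; test `-d $filename` first or drop the check. Because the INCLUDEd file is copied verbatim into the compiled firewall script, I would add a comment above the `find_file` call such as `# The included file becomes part of the generated script; keep it owned and permissioned like the extension script itself`, and confirm that find_file (not visible in this hunk) searches only administrator-controlled directories. The relocated copy() and copy2() still use a bareword handle with two-argument `open IF , $file`, which lets the file name be parsed for a mode; a lexical handle with the three-argument form would avoid that, with the matching read and close lines updated.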
@@ -1,12 +1,14 @@ Changes in Shorewall 4.4.17 Beta 1 -1) Improve readability of logging logic in expand_rule(). +1) Improve readability of logging logic in expand_rule(). -2) Improve efficency of oddball targets in process_rule1(). +2) Improve efficency of oddball targets in process_rule1(). -3) Export (param,value) pairs with EXPORTPARAMS=No. +3) Export (param,value) pairs with EXPORTPARAMS=No. -4) Only produce 'done.' progress message on success. +4) Only produce 'done.' progress message on success. + +5) Support INCLUDE in user exits. Changes in Shorewall 4.4.16 RC 1 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 6817848ff..8f96ff857 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -36,6 +36,25 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES /etc/shorewall/shorewall6.conf have been modified to specify EXPORTPARAMS=No. +2) The INCLUDE command may now be used in the following extension + scripts: + + clear + findgw + init + isusable + refresh + refreshed + restored + start + started + stop + stopped + tcclear + + The command is executed during compilation so that the INCLUDEd + file is copied into the generated script. + ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 04c23b5ac..0ca0c5805 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml 
@@ -636,12 +636,75 @@ ACCEPT net:\ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives are ignored with a warning message. + Beginning with Shorewall 4.4.17, the INCLUDE directive may also + appear in the following extension scripts: + + + + clear + + + + findgw + + + + init + + + + isusable + + + + refresh + + + + refreshed + + + + restore + + + + restored + + + + start + + + + started + + + + stop + + + + stopped + + + + tcclear + + + + When used in these scripts, the included files are copied into the + compiled firewall script. + - If you are using Prior to Shorewall 4.4.17, if you are using Shorewall Lite , it is not advisable to use INCLUDE in the params file in an - export directory. If you do that, you must ensure that the included file - is also present on the firewall system's shorewall.conf (5). If you do + that, you must ensure that the included file is also present on the + firewall system's /etc/shorewall-lite/ directory. If you only need the params file at compile