Allow INCLUDE in extension scripts

Shorewall/Perl/Shorewall/Config.pm

@@ -1163,192 +1163,6 @@ sub pop_indent() {
     }
 }
 
-#
-# Functions for copying files into the script
-#
-sub copy( $ ) {
-    assert( $script_enabled );
-
-    if ( $script ) {
-	my $file = $_[0];
-
-	open IF , $file or fatal_error "Unable to open $file: $!";
-
-	while ( <IF> ) {
-	    chomp;
-	    if ( /^\s*$/ ) {
-		print $script "\n" unless $lastlineblank;
-		$lastlineblank = 1;
-	    } else {
-		if  ( $indent ) {
-		    s/^(\s*)/$indent1$1$indent2/;
-		    s/        /\t/ if $indent2;
-		}
-
-		print $script $_;
-		print $script "\n";
-		$lastlineblank = 0;
-	    }
-	}
-
-	close IF;
-    }
-}
-
-sub close_file();
-
-#
-# This one handles line continuation and 'here documents'
-
-sub copy1( $ ) {
-    assert( $script_enabled );
-
-    my $result = 0;
-
-    if ( $script || $debug ) {
-	my ( $do_indent, $here_documents ) = ( 1, '');
-
-	open_file( $_[0] );
-	
-	while ( $currentfile ) {
-	    while ( <$currentfile> ) {
-		chomp;
-
-		if ( /^${here_documents}\s*$/ ) {
-		    if ( $script ) {
-			print $script $here_documents if $here_documents;
-			print $script "\n";
-		    }
-
-		    if ( $debug ) {
-			print "GS-----> $here_documents" if $here_documents;
-			print "GS----->\n";
-		    }
-
-		    $do_indent = 1;
-		    $here_documents = '';
-		    next;
-		}
-
-		if ( $do_indent && /.*<<\s*([^ ]+)s*(.*)/ ) {
-		    $here_documents = $1;
-		    s/^(\s*)/$indent1$1$indent2/;
-		    s/        /\t/ if $indent2;
-		    $do_indent = 0;
-
-		    if ( $script ) {
-			print $script $_;
-			print $script "\n";
-		    }
-
-		    if ( $debug ) {
-			s/\n/\nGS-----> /g;
-			print "GS-----> $_\n";
-		    }
-
-		    $result = 1;
-		    next;
-		}
-
-		if ( $indent && $do_indent ) {
-		    s/^(\s*)/$indent1$1$indent2/;
-		    s/        /\t/ if $indent2;
-		}
-
-		if ( $script ) {
-		    print $script $_;
-		    print $script "\n";
-		}
-
-		$do_indent = ! ( $here_documents || /\\$/ );
-
-		$result = 1 unless $result || /^\s*$/ || /^\s*#/;
-
-		if ( $debug ) {
-		    s/\n/\nGS-----> /g;
-		    print "GS-----> $_\n";
-		}
-	    }
-
-	    close_file;
-	}
-    }
-
-    $lastlineblank = 0;
-
-    $result;
-}
-
-#
-# This one drops header comments and replaces them with a three-line banner
-#
-sub copy2( $$ ) {
-    my ( $file, $trace ) = @_;
-
-    assert( $script_enabled );
-    my $empty = 1;
-
-    if ( $script || $trace ) {
-	my $file = $_[0];
-
-	open IF , $file or fatal_error "Unable to open $file: $!";
-
-	while ( <IF> ) {
-	    $empty = 0, last unless /^#/;
-	}
-
-	unless ( $empty ) {
-	    emit <<EOF;
-################################################################################
-#   Functions imported from $file
-################################################################################
-EOF
-	    chomp;
-	    emit( $_ ) unless /^\s*$/;
-
-	    while ( <IF> ) {
-		chomp;
-		if ( /^\s*$/ ) {
-		    unless ( $lastlineblank ) {
-			print $script "\n" if $script;
-			print "GS----->\n" if $trace;
-		    }
-
-		    $lastlineblank = 1;
-		} else {
-		    if  ( $indent ) {
-			s/^(\s*)/$indent1$1$indent2/;
-			s/        /\t/ if $indent2;
-		    }
-
-		    if ( $script ) {
-			print $script $_;
-			print $script "\n";
-		    }
-
-		    if ( $trace ) {
-			s/\n/GS-----> \n/g;
-			print "GS-----> $_\n";
-		    }
-
-		    $lastlineblank = 0;
-		}
-	    }
-
-	    close IF;
-
-	    unless ( $lastlineblank ) {
-		print $script "\n" if $script;
-		print "GS----->\n" if $trace;
-	    }
-
-	    emit( '################################################################################',
-		  "#   End of imports from $file",
-		  '################################################################################' );
-	}
-    }
-}
-
 #
 # Create the temporary script file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
@@ -1638,6 +1452,216 @@ sub close_file() {
     }
 }
 
+#
+# Functions for copying files into the script
+#
+sub copy( $ ) {
+    assert( $script_enabled );
+
+    if ( $script ) {
+	my $file = $_[0];
+
+	open IF , $file or fatal_error "Unable to open $file: $!";
+
+	while ( <IF> ) {
+	    chomp;
+	    if ( /^\s*$/ ) {
+		print $script "\n" unless $lastlineblank;
+		$lastlineblank = 1;
+	    } else {
+		if  ( $indent ) {
+		    s/^(\s*)/$indent1$1$indent2/;
+		    s/        /\t/ if $indent2;
+		}
+
+		print $script $_;
+		print $script "\n";
+		$lastlineblank = 0;
+	    }
+	}
+
+	close IF;
+    }
+}
+
+#
+# This variant of copy handles line continuation, 'here documents' and INCLUDE
+#
+sub copy1( $ ) {
+    assert( $script_enabled );
+
+    my $result = 0;
+
+    if ( $script || $debug ) {
+	my ( $do_indent, $here_documents ) = ( 1, '');
+
+	open_file( $_[0] );
+	
+	while ( $currentfile ) {
+	    while ( <$currentfile> ) {
+		$currentlinenumber++;
+
+		chomp;
+
+		if ( /^${here_documents}\s*$/ ) {
+		    if ( $script ) {
+			print $script $here_documents if $here_documents;
+			print $script "\n";
+		    }
+
+		    if ( $debug ) {
+			print "GS-----> $here_documents" if $here_documents;
+			print "GS----->\n";
+		    }
+
+		    $do_indent = 1;
+		    $here_documents = '';
+		    next;
+		}
+
+		if ( $do_indent && /.*<<\s*([^ ]+)s*(.*)/ ) {
+		    $here_documents = $1;
+		    s/^(\s*)/$indent1$1$indent2/;
+		    s/        /\t/ if $indent2;
+		    $do_indent = 0;
+
+		    if ( $script ) {
+			print $script $_;
+			print $script "\n";
+		    }
+
+		    if ( $debug ) {
+			s/\n/\nGS-----> /g;
+			print "GS-----> $_\n";
+		    }
+
+		    $result = 1;
+		    next;
+		}
+
+		if ( $do_indent ) {
+		    if ( /^\s*INCLUDE\s/ ) {
+			my @line = split / /;
+
+			fatal_error "Invalid INCLUDE command"    if @line != 2;
+			fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+
+			my $filename = find_file $line[1];
+
+			fatal_error "INCLUDE file $filename not found" unless -f $filename;
+			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+
+			if ( -s _ ) {
+			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			    $currentfile = undef;
+			    do_open_file $filename;
+			} else {
+			    $currentlinenumber = 0;
+			}
+
+			next;
+		    }
+			
+		    if ( $indent ) {
+			s/^(\s*)/$indent1$1$indent2/;
+			s/        /\t/ if $indent2;
+		    }
+		}
+
+		if ( $script ) {
+		    print $script $_;
+		    print $script "\n";
+		}
+
+		$do_indent = ! ( $here_documents || /\\$/ );
+
+		$result = 1 unless $result || /^\s*$/ || /^\s*#/;
+
+		if ( $debug ) {
+		    s/\n/\nGS-----> /g;
+		    print "GS-----> $_\n";
+		}
+	    }
+
+	    close_file;
+	}
+    }
+
+    $lastlineblank = 0;
+
+    $result;
+}
+
+#
+# This one drops header comments and replaces them with a three-line banner
+#
+sub copy2( $$ ) {
+    my ( $file, $trace ) = @_;
+
+    assert( $script_enabled );
+    my $empty = 1;
+
+    if ( $script || $trace ) {
+	my $file = $_[0];
+
+	open IF , $file or fatal_error "Unable to open $file: $!";
+
+	while ( <IF> ) {
+	    $empty = 0, last unless /^#/;
+	}
+
+	unless ( $empty ) {
+	    emit <<EOF;
+################################################################################
+#   Functions imported from $file
+################################################################################
+EOF
+	    chomp;
+	    emit( $_ ) unless /^\s*$/;
+
+	    while ( <IF> ) {
+		chomp;
+		if ( /^\s*$/ ) {
+		    unless ( $lastlineblank ) {
+			print $script "\n" if $script;
+			print "GS----->\n" if $trace;
+		    }
+
+		    $lastlineblank = 1;
+		} else {
+		    if  ( $indent ) {
+			s/^(\s*)/$indent1$1$indent2/;
+			s/        /\t/ if $indent2;
+		    }
+
+		    if ( $script ) {
+			print $script $_;
+			print $script "\n";
+		    }
+
+		    if ( $trace ) {
+			s/\n/GS-----> \n/g;
+			print "GS-----> $_\n";
+		    }
+
+		    $lastlineblank = 0;
+		}
+	    }
+
+	    close IF;
+
+	    unless ( $lastlineblank ) {
+		print $script "\n" if $script;
+		print "GS----->\n" if $trace;
+	    }
+
+	    emit( '################################################################################',
+		  "#   End of imports from $file",
+		  '################################################################################' );
+	}
+    }
+}
+
 #
 # The following two functions allow module clients to nest opens. This happens frequently
 # in the Rules module.

Shorewall/changelog.txt

@@ -1,12 +1,14 @@
 Changes in Shorewall 4.4.17 Beta 1
 
-1) Improve readability of logging logic in expand_rule().
+1)  Improve readability of logging logic in expand_rule().
 
-2) Improve efficency of oddball targets in process_rule1().
+2)  Improve efficency of oddball targets in process_rule1().
 
-3) Export (param,value) pairs with EXPORTPARAMS=No.
+3)  Export (param,value) pairs with EXPORTPARAMS=No.
 
-4) Only produce 'done.' progress message on success.
+4)  Only produce 'done.' progress message on success.
+
+5)  Support INCLUDE in user exits.
 
 Changes in Shorewall 4.4.16 RC 1
 

Shorewall/releasenotes.txt

@@ -36,6 +36,25 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     /etc/shorewall/shorewall6.conf have been modified to specify
     EXPORTPARAMS=No.
 
+2)  The INCLUDE command may now be used in the following extension
+    scripts:
+
+	clear
+	findgw
+	init
+	isusable
+	refresh
+	refreshed
+	restored
+	start
+	started
+	stop
+	stopped
+	tcclear
+
+     The command is executed during compilation so that the INCLUDEd
+     file is copied into the generated script.
+
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------

docs/configuration_file_basics.xml

@@ -636,12 +636,75 @@ ACCEPT      net:\
     <para>INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
     directives are ignored with a warning message.</para>
 
+    <para>Beginning with Shorewall 4.4.17, the INCLUDE directive may also
+    appear in the following <ulink
+    url="shorewall_extension_scripts.htm">extension scripts</ulink>:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>clear</para>
+      </listitem>
+
+      <listitem>
+        <para>findgw</para>
+      </listitem>
+
+      <listitem>
+        <para>init</para>
+      </listitem>
+
+      <listitem>
+        <para>isusable</para>
+      </listitem>
+
+      <listitem>
+        <para>refresh</para>
+      </listitem>
+
+      <listitem>
+        <para>refreshed</para>
+      </listitem>
+
+      <listitem>
+        <para>restore</para>
+      </listitem>
+
+      <listitem>
+        <para>restored</para>
+      </listitem>
+
+      <listitem>
+        <para>start</para>
+      </listitem>
+
+      <listitem>
+        <para>started</para>
+      </listitem>
+
+      <listitem>
+        <para>stop</para>
+      </listitem>
+
+      <listitem>
+        <para>stopped</para>
+      </listitem>
+
+      <listitem>
+        <para>tcclear</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When used in these scripts, the included files are copied into the
+    compiled firewall script.</para>
+
     <caution>
-      <para>If you are using <ulink
+      <para>Prior to Shorewall 4.4.17, if you are using <ulink
       url="CompiledPrograms.html%23Lite">Shorewall Lite</ulink> , it is not
       advisable to use INCLUDE in the <filename>params</filename> file in an
-      export directory. If you do that, you must ensure that the included file
+      export directory if you set EXPORTPARAMS=Yes in <ulink
-      is also present on the firewall system's <filename
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
+      that, you must ensure that the included file is also present on the
+      firewall system's <filename
       class="directory">/etc/shorewall-lite/</filename> directory.</para>
 
       <para>If you only need the <filename>params</filename> file at compile