Don't unconditionally detect helpers when LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-09-22 09:27:13 -07:00
parent 97cdc390c3
commit 32f89fa24b
4 changed files with 114 additions and 60 deletions


@ -3319,26 +3319,26 @@ sub Amanda_Helper() {
have_helper( 'amanda', 'udp', 10080 );
}
sub FTP_Helper() {
have_helper( 'ftp', 'tcp', 21 );
}
sub FTP0_Helper() {
have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
}
sub FTP_Helper() {
have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
}
sub H323_Helpers() {
have_helper( 'RAS', 'udp', 1719 );
}
sub IRC_Helper() {
have_helper( 'irc', 'tcp', 6667 );
}
sub IRC0_Helper() {
have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
}
sub IRC_Helper() {
have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
}
sub Netbios_ns_Helper() {
have_helper( 'netbios-ns', 'udp', 137 );
}
@ -3347,34 +3347,34 @@ sub PPTP_Helper() {
have_helper( 'pptp', 'tcp', 1729 );
}
sub SANE_Helper() {
have_helper( 'sane', 'tcp', 6566 );
}
sub SANE0_Helper() {
have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
}
sub SIP_Helper() {
have_helper( 'sip', 'udp', 5060 );
sub SANE_Helper() {
have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
}
sub SIP0_Helper() {
have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
}
sub SIP_Helper() {
have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
}
sub SNMP_Helper() {
have_helper( 'snmp', 'udp', 161 );
}
sub TFTP_Helper() {
have_helper( 'tftp', 'udp', 69 );
}
sub TFTP0_Helper() {
have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
}
sub TFTP_Helper() {
have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
}
sub Connlimit_Match() {
qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
}
@ -3624,17 +3624,6 @@ sub determine_capabilities() {
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
'FTP0_HELPER',
'IRC0_HELPER',
'SANE0_HELPER',
'SIP0_HELPER',
'TFTP0_HELPER' );
} else {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
}
unless ( $config{ LOAD_HELPERS_ONLY } ) {
#
# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@ -3718,6 +3707,12 @@ sub determine_capabilities() {
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
if ( have_capability 'CT_TARGET' ) {
$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
} else {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
}
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
qt1( "$iptables -F $sillyname1" );
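Review bot: The relocated helper probing (`if ( have_capability 'CT_TARGET' ) { $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) ); } else { ... HELPER_MATCH ... }`) now sits after the NFACCT_MATCH line, which — given the commit title and the `unless ( $config{ LOAD_HELPERS_ONLY } ) {` opened in the previous hunk — is presumably still inside that block, so with LOAD_HELPERS_ONLY=Yes none of the `%helpers_map` capability entries nor HELPER_MATCH is ever assigned, and the `%helpers_aliases` fallbacks set by FTP0_Helper/IRC0_Helper/SANE0_Helper/SIP0_Helper/TFTP0_Helper are never recorded either. That is what the title asks for, but nothing at the new site says so, and consumers of those entries would see undef rather than an explicit false; I would add above the new `if ( have_capability 'CT_TARGET' )` a comment such as `# Helper/CT capabilities are probed only when helpers are auto-loaded; with LOAD_HELPERS_ONLY=Yes they stay unset and the helper alias map is never filled in.` The closing brace of that `unless` block and the remainder of determine_capabilities() are outside the hunk, so whether anything else seeds these entries cannot be confirmed from here. One aside on a context line in the second hunk: `have_helper( 'pptp', 'tcp', 1729 )` uses 1729 whereas PPTP's control connection is TCP 1723; if have_helper()'s port argument is anything more than a placeholder in the probe rule it is worth correcting.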


@ -515,7 +515,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
role="bold">-</emphasis>|<emphasis
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.4.24. </para>
<para>Added in Shorewall 4.4.24.</para>
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
<emphasis role="bold">:F</emphasis> but the resulting rule is
@ -1014,10 +1014,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module
such as <option>ftp</option>, <option>sip</option>,
<option>amanda</option>, etc. A packet will match if it was accepted
by the named helper module. You can also append "-" and a port
number to the helper module name (e.g., <emphasis
role="bold">ftp-21</emphasis>) to specify the port number that the
original connection was made on.</para>
by the named helper module.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER


@ -420,12 +420,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
role="bold">:P</emphasis>, in which case the rule is added to
the PREROUTING chain.</para>
<para> If <emphasis role="bold">+</emphasis> is included,
packets matching the rule will have their HL (hop limit)
incremented by <replaceable>number</replaceable>. Similarly, if
<emphasis role="bold">-</emphasis> is included, matching packets
have their HL decremented by <replaceable>number</replaceable>.
If neither <emphasis role="bold">+</emphasis> nor <emphasis
<para>If <emphasis role="bold">+</emphasis> is included, packets
matching the rule will have their HL (hop limit) incremented by
<replaceable>number</replaceable>. Similarly, if <emphasis
role="bold">-</emphasis> is included, matching packets have
their HL decremented by <replaceable>number</replaceable>. If
neither <emphasis role="bold">+</emphasis> nor <emphasis
role="bold">-</emphasis> is given, the HL of matching packets is
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
@ -870,10 +870,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>Optional. Names a Netfiler protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module. You can also
append "-" and a port number to the helper module name (e.g.,
<emphasis role="bold">ftp-21</emphasis>) to specify the port number
that the original connection was made on.</para>
match if it was accepted by the named helper module. </para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER


@ -483,7 +483,7 @@ export -p</programlisting>
<title>Pre-processor</title>
<para>Unlike preprocessors like ccp, the Shorewall pre-processor does
it's work each time that the higher-level functions ask for the next
it's work each time that the higher-level modules asks for the next
line of input.</para>
<para>The major exported functions in the pre-processor are:</para>
@ -499,8 +499,8 @@ export -p</programlisting>
role="bold">open_file</emphasis> calls <emphasis
role="bold">find_file</emphasis> who traverses the CONFIG_PATH
looking for a file with the requested name. If the file is found
and has non-zero size, it is opened and module-global variables
are set as follows, and the fully-qualified name of the file is
and has non-zero size, it is opened, module-global variables are
set as follows, and the fully-qualified name of the file is
returned by the function.</para>
<variablelist>
@ -540,8 +540,9 @@ export -p</programlisting>
<listitem>
<para>Sometimes, the higher-level modules need to suspend
processing of the current file and open another file. An obvious
example is when the Rules module needs to process a macro file.
The push_open function is called in these cases.</para>
example is when the Rules module encounters a macro invocation
and needs to process the corresponding macro file. The push_open
function is called in these cases.</para>
<para><emphasis role="bold">push_open</emphasis> pushes
<emphasis role="bold">$currentfile</emphasis>, <emphasis
@ -595,7 +596,7 @@ export -p</programlisting>
<term>first_entry( $ )</term>
<listitem>
<para>This function is called to determine what happens when the
<para>This function is called to specify what happens when the
first non-commentary and no-blank line is read from the open
file. The argument may be either a scalar or a function
reference. If the argument is a scalar then it is treaded as a
@ -634,8 +635,8 @@ export -p</programlisting>
NORMAL_READ =&gt; -1 # All options
};</programlisting>
<para>The actual argument may be a bit-wise OR of any of the
above constants.</para>
<para>The actual argument may be a bit-wise OR of any of these
constants.</para>
<para>The function does not return the logical line; that line
is rather stored in the module-global variable <emphasis
@ -658,14 +659,15 @@ export -p</programlisting>
role="bold">split_line1</emphasis> functions return an array
containing the contents of those columns.</para>
<para>The arguments to split_line1 are:</para>
<para>The arguments to <emphasis
role="bold">split_line1</emphasis> are:</para>
<itemizedlist>
<listitem>
<para>A <option>name</option> =&gt;
<replaceable>column-number</replaceable> pair for each of
the columns in the file. These are used to handle lines that
use the <ulink
the columns in the file. These are used to process lines
that use the <ulink
url="configuration_file_basics.htm#Pairs">alternate input
methods</ulink> and also serve to define the number of
columns in the file's records.</para>
@ -676,13 +678,14 @@ export -p</programlisting>
=&gt; <replaceable>number-of-columns</replaceable> pairs.
For example "{ COMMENT =&gt; 0, FORMAT 2 }" allows COMMENT
lines of an unlimited number of space-separated tokens and
it allows FORMAT lines with exactly two columns. </para>
it allows FORMAT lines with exactly two columns. The hash
reference must be the last argument passed.</para>
</listitem>
</itemizedlist>
<para>If there are fewer space-separated tokens on the line than
specified in the arguments, then "-" is returned for the the
trailing columns that were omitted.</para>
specified in the arguments, then "-" is returned for the omitted
trailing columns.</para>
</listitem>
</varlistentry>
@ -713,7 +716,7 @@ export -p</programlisting>
<simplelist>
<member>"ERROR: @_" followed by the name of the file and the
line number where the error occurred. </member>
line number where the error occurred.</member>
</simplelist>
<para>The mesage is written to the STARTUP_LOG, if any.</para>
@ -781,7 +784,69 @@ export -p</programlisting>
</section>
<section>
<title/>
<title>Script File Handling</title>
<para>The functions involved in script file creation are:</para>
<variablelist>
<varlistentry>
<term>create_temp_script( $$ )</term>
<listitem>
<para>This function creates and opens a temporary file in the
directory where the final script is to be placed; this function
is not called when the <command>check</command> command is being
processed. The first argument is the fully-qualified name of the
output script; the second (boolean) argument determines if the
compilation is for export. The function returns no meaningful
value but sets module-global variables as follows:</para>
<variablelist>
<varlistentry>
<term>$script</term>
<listitem>
<para>Handle of the open script file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$dir</term>
<listitem>
<para>The directory in which the script was
created.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$tempfile</term>
<listitem>
<para>The name of the temporary file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$file</term>
<listitem>
<para>This fully-qualified name of the script file.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>finalize_script( $ )</term>
<listitem>
<para>This function closes the temporary file and renames it to
the </para>
</listitem>
</varlistentry>
</variablelist>
<para/>
</section>