diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index add7313af..a87548b17 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -521,9 +521,9 @@ sub setup_accounting() { while ( $chainswithjumps && $progress ) { $progress = 0; - for my $chain1 ( keys %accountingjumps ) { + for my $chain1 ( sort keys %accountingjumps ) { if ( keys %{$accountingjumps{$chain1}} ) { - for my $chain2 ( keys %{$accountingjumps{$chain1}} ) { + for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) { delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2}; } } else { diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index e8aa6de7d..ca564d328 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1162,7 +1162,7 @@ sub merge_rules( $$$ ) { } } - for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) { + for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) { set_rule_option( $toref, $option, $fromref->{$option} ); } @@ -1178,7 +1178,7 @@ sub merge_rules( $$$ ) { set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy}; - for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) { + for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) { set_rule_option( $toref, $option, $fromref->{$option} ); } @@ -3256,7 +3256,7 @@ sub optimize_level4( $$ ) { $progress = 0; $passes++; - my @chains = grep $_->{referenced}, values %$tableref; + my @chains = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref; my $chains = @chains; progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a..."; 
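Review bot: The two option loops in merge_rules now iterate in opposite directions, `sort { $b cmp $a } keys %$fromref` in the hunk at 1162 and plain `sort keys %$fromref` in the hunk at 1178, and neither says why. If the descending order is deliberate, for instance because set_rule_option depends on the order options are applied in (not visible here), a comment on the loop such as `# descending on purpose: <reason>` would keep a later cleanup from flipping it. If it is not deliberate, plain `sort` would match the rest of the commit. merge_rules starts and ends outside both hunks.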
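Review bot: In optimize_level4 the new `sort` runs over every chain in the table and `grep` then discards the unreferenced ones; the `$passes++` just above suggests this is repeated on every pass. Filtering first yields the same list with less sorting: `my @chains = sort { $a->{name} cmp $b->{name} } grep $_->{referenced}, values %$tableref;`. The enclosing loop starts and ends outside the hunk.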
@@ -3577,7 +3577,7 @@ sub optimize_level8( $$$ ) { } if ( $progress ) { - my @rename = keys %rename; + my @rename = sort keys %rename; # # First create aliases for each renamed chain and change the {name} member. # @@ -6840,30 +6840,31 @@ sub set_global_variables( $$ ) { emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) ); } } else { - emit $_ for values %interfaceaddr; - emit "$_\n" for values %interfacegateways; - emit $_ for values %interfacemacs; + emit $_ for sort values %interfaceaddr; + emit "$_\n" for sort values %interfacegateways; + emit $_ for sort values %interfacemacs; } if ( $setall ) { - emit $_ for values %interfaceaddrs; - emit $_ for values %interfacenets; + emit $_ for sort values %interfaceaddrs; + emit $_ for sort values %interfacenets; unless ( have_capability( 'ADDRTYPE' ) ) { if ( $family == F_IPV4 ) { emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; - emit $_ for values %interfacebcasts; + emit $_ for sort values %interfacebcasts; } else { emit 'ALL_ACASTS="$(get_all_acasts)"'; - emit $_ for values %interfaceacasts; + emit $_ for sort values %interfaceacasts; } } } } sub verify_address_variables() { - while ( my ( $variable, $type ) = ( each %address_variables ) ) { + for my $variable ( sort keys %address_variables ) { + my $type = $address_variables{$variable}; my $address = "\$$variable"; if ( $type eq '&' ) { @@ -7703,7 +7704,7 @@ sub add_interface_options( $ ) { # # Generate a digest for each chain # - for my $chainref ( values %input_chains, values %forward_chains ) { + for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) { my $digest = ''; assert( $chainref ); 
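Review bot: In the digest loop of add_interface_options (hunk at 7703), `sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains` sorts the concatenation of both hashes' values, because `sort` takes the whole comma list. That is easy to misread as sorting only the input chains. Parentheses would make the intent explicit: `sort { $a->{name} cmp $b->{name} } ( values %input_chains, values %forward_chains )`. The loop body continues outside the hunk.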
@@ -7722,7 +7723,7 @@ sub add_interface_options( $ ) { # Insert jumps to the interface chains into the rules chains # for my $zone1 ( off_firewall_zones ) { - my @input_interfaces = keys %{zone_interfaces( $zone1 )}; + my @input_interfaces = sort keys %{zone_interfaces( $zone1 )}; my @forward_interfaces = @input_interfaces; if ( @input_interfaces > 1 ) { @@ -7804,7 +7805,7 @@ sub add_interface_options( $ ) { for my $zone1 ( firewall_zone, vserver_zones ) { for my $zone2 ( off_firewall_zones ) { my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; - my @interfaces = keys %{zone_interfaces( $zone2 )}; + my @interfaces = sort keys %{zone_interfaces( $zone2 )}; my $chain1ref; for my $interface ( @interfaces ) { @@ -8273,7 +8274,7 @@ sub load_ipsets() { # sub create_nfobjects() { - my @objects = ( keys %nfobjects ); + my @objects = ( sort keys %nfobjects ); if ( @objects ) { if ( $config{NFACCT} ) { @@ -8288,7 +8289,7 @@ sub create_nfobjects() { } } - for ( keys %nfobjects ) { + for ( sort keys %nfobjects ) { emit( qq(if ! qt \$NFACCT get $_; then), qq( \$NFACCT add $_), qq(fi\n) ); @@ -8706,7 +8707,8 @@ sub initialize_switches() { if ( keys %switches ) { emit( 'if [ $COMMAND = start ]; then' ); push_indent; - while ( my ( $switch, $setting ) = each %switches ) { + for my $switch ( sort keys %switches ) { + my $setting = $switches{$switch}; my $file = "/proc/net/nf_condition/$switch"; emit "[ -f $file ] && echo $setting->{setting} > $file"; } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 330eda0bd..1e18f38b7 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -176,7 +176,7 @@ sub setup_ecn() } if ( @hosts ) { - my @interfaces = ( keys %interfaces ); + my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces ); progress_message "$doing ECN control on @interfaces..."; 
@@ -1535,7 +1535,7 @@ sub handle_loopback_traffic() { # Handle conntrack rules # if ( $notrackref->{referenced} ) { - for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) { + for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) { my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref); my @ipsec_match = match_ipsec_in $z1 , $hostref; @@ -1556,8 +1556,8 @@ sub handle_loopback_traffic() { # my $source_hosts_ref = defined_zone( $z1 )->{hosts}; - for my $typeref ( values %{$source_hosts_ref} ) { - for my $hostref ( @{$typeref->{'%vserver%'}} ) { + for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) { + for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) { my $exclusion = source_exclusion( $hostref->{exclusions}, $natref); for my $net ( @{$hostref->{hosts}} ) { @@ -2200,7 +2200,8 @@ sub generate_matrix() { # # Take care of PREROUTING, INPUT and OUTPUT jumps # - for my $typeref ( values %$source_hosts_ref ) { + for my $type ( sort keys %$source_hosts_ref ) { + my $typeref = $source_hosts_ref->{$type}; for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { if ( get_physical( $interface ) eq '+' ) { # @@ -2273,7 +2274,6 @@ sub generate_matrix() { my $chain = rules_target $zone, $zone1; next unless $chain; # CONTINUE policy with no rules - my $num_ifaces = 0; if ( $zone eq $zone1 ) { @@ -2285,8 +2285,9 @@ sub generate_matrix() { } my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT - - for my $typeref ( values %{$zone1ref->{hosts}} ) { + + for my $type ( sort keys %{$zone1ref->{hosts}} ) { + my $typeref = $zone1ref->{hosts}{$type}; for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { for my $hostref ( @{$typeref->{$interface}} ) { next if $hostref->{options}{sourceonly}; 
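Review bot: The comparator `$a->{type} cmp $b->{type}` added in handle_loopback_traffic (on the `'%vserver%'` host list in the hunk at 1535, and on both loops in the hunk at 1556) reads a `type` field that nothing on this page shows to exist. The elements of `values %{$source_hosts_ref}` are indexed as `$typeref->{'%vserver%'}`, and generate_matrix walks the same structure with `keys %$typeref` as interface names, so they look like interface-keyed hashes whose type is the outer hash key; host records are only seen here with `exclusions`, `hosts`, `options` and `ipsec`. If that is right, every comparison is undef against undef, which warns under `use warnings` and leaves the `values` order as nondeterministic as it was before the commit. The form this commit uses in generate_matrix would fix it, `for my $type ( sort keys %{$source_hosts_ref} ) {` followed by `my $typeref = $source_hosts_ref->{$type};`, and the two host lists are arrays that already have a fixed order and need no sort. Both loop bodies continue outside the hunks.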
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index e50ac99a5..2209772a1 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1594,7 +1594,7 @@ sub map_provider_to_interface() { my $haveoptional; - for my $providerref ( values %providers ) { + for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) { if ( $providerref->{optional} ) { unless ( $haveoptional++ ) { emit( 'if [ -n "$interface" ]; then', diff --git a/Shorewall/Perl/Shorewall/Proxyarp.pm b/Shorewall/Perl/Shorewall/Proxyarp.pm index 2010d4bfa..05124a6b6 100644 --- a/Shorewall/Perl/Shorewall/Proxyarp.pm +++ b/Shorewall/Perl/Shorewall/Proxyarp.pm @@ -154,7 +154,7 @@ sub setup_proxy_arp() { emit ''; - for my $interface ( keys %reset ) { + for my $interface ( sort keys %reset ) { unless ( $set{interface} ) { my $physical = get_physical $interface; emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" , @@ -163,7 +163,7 @@ sub setup_proxy_arp() { } } - for my $interface ( keys %set ) { + for my $interface ( sort keys %set ) { my $physical = get_physical $interface; emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" , " echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" ); diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 6521ca16c..e97bba848 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1800,7 +1800,7 @@ sub find_interfaces_by_option1( $ ) { my @ints = (); my $wild = 0; - for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) { + for my $interface ( @interfaces ) { my $interfaceref = $interfaces{$interface}; next unless defined $interfaceref->{physical}; 
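Review bot: In map_provider_to_interface the providers are ordered with the string operator, `$a->{number} cmp $b->{number}`, so if `{number}` holds the numeric provider number, as the name suggests, provider 10 sorts before provider 2. The output is deterministic either way, but numeric order is what a reader of the generated script would expect, and the line removed in Zones.pm used `<=>` on its `{number}` field: `sort { $a->{number} <=> $b->{number} } values %providers`. The loop body continues outside the hunk.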
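Review bot: In setup_proxy_arp's first loop (hunk at 154) the guard `unless ( $set{interface} )` tests the literal key `interface`, not the loop variable. It is a context line, so the commit leaves it as it was. If the intent is to skip interfaces that the following `%set` loop turns on, it should read `unless ( $set{$interface} )`; as written the guard is presumably true for every entry of `%reset`. The `emit` call inside the guard is cut off by the hunk boundary.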
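Review bot: find_interfaces_by_option1 now iterates the array `@interfaces`, whose definition this hunk does not show, in place of the explicit `sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces`. The result only matches the old order if that array is maintained in `{number}` order and holds exactly the keys of `%interfaces`. A comment on the loop recording that, for example `# @interfaces is kept in interface-number order`, would make the dependency visible to whoever next changes how the array is filled. The loop body continues outside the hunk.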
@@ -2170,9 +2170,9 @@ sub find_hosts_by_option( $ ) { } for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) { - for my $type (keys %{$zones{$zone}{hosts}} ) { + for my $type (sort keys %{$zones{$zone}{hosts}} ) { my $interfaceref = $zones{$zone}{hosts}->{$type}; - for my $interface ( keys %$interfaceref ) { + for my $interface ( sort keys %$interfaceref ) { my $arrayref = $interfaceref->{$interface}; for my $host ( @{$arrayref} ) { my $ipsec = $host->{ipsec}; @@ -2199,8 +2199,10 @@ sub find_zone_hosts_by_option( $$ ) { my @hosts; unless ( $zones{$zone}{type} & FIREWALL ) { - while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { - while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { + for my $type (sort keys %{$zones{$zone}{hosts}} ) { + my $interfaceref = $zones{$zone}{hosts}->{$type}; + for my $interface ( sort keys %$interfaceref ) { + my $arrayref = $interfaceref->{$interface}; for my $host ( @{$arrayref} ) { if ( my $value = $host->{options}{$option} ) { for my $net ( @{$host->{hosts}} ) { @@ -2212,9 +2214,7 @@ sub find_zone_hosts_by_option( $$ ) { } } - my @sorted = sort { $a->[0] cmp $b->[0] } @hosts; - - \@sorted + \@hosts } #
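Review bot: Dropping `sort { $a->[0] cmp $b->[0] } @hosts` at the end of find_zone_hosts_by_option changes the order callers receive, from ascending element `[0]` to host type first and interface second. If element `[0]` is the interface (the `push` that builds it is outside the hunk), entries for one interface that belong to different types are no longer adjacent, so anything generated from this list may be emitted in a different order than before the commit. Either keep the final sort on the now-deterministic `@hosts`, or document the new contract with a comment above the return such as `# returned in type, then interface order`.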