Second Wave of changes to make script output reproducable

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-07-12 15:00:41 -07:00
parent 014ec1af1d
commit 5704438a44
6 changed files with 42 additions and 39 deletions


@ -521,9 +521,9 @@ sub setup_accounting() {
while ( $chainswithjumps && $progress ) { while ( $chainswithjumps && $progress ) {
$progress = 0; $progress = 0;
for my $chain1 ( keys %accountingjumps ) { for my $chain1 ( sort keys %accountingjumps ) {
if ( keys %{$accountingjumps{$chain1}} ) { if ( keys %{$accountingjumps{$chain1}} ) {
for my $chain2 ( keys %{$accountingjumps{$chain1}} ) { for my $chain2 ( sort keys %{$accountingjumps{$chain1}} ) {
delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2}; delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
} }
} else { } else {


@ -1162,7 +1162,7 @@ sub merge_rules( $$$ ) {
} }
} }
for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', keys %$fromref ) { for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct' || $_ eq 'recent', sort { $b cmp $a } keys %$fromref ) {
set_rule_option( $toref, $option, $fromref->{$option} ); set_rule_option( $toref, $option, $fromref->{$option} );
} }
@ -1178,7 +1178,7 @@ sub merge_rules( $$$ ) {
set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy}; set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, keys %$fromref ) ) { for my $option ( grep( get_opttype( $_, 0 ) == EXPENSIVE, sort keys %$fromref ) ) {
set_rule_option( $toref, $option, $fromref->{$option} ); set_rule_option( $toref, $option, $fromref->{$option} );
} }
@ -3256,7 +3256,7 @@ sub optimize_level4( $$ ) {
$progress = 0; $progress = 0;
$passes++; $passes++;
my @chains = grep $_->{referenced}, values %$tableref; my @chains = grep $_->{referenced}, sort { $a->{name} cmp $b->{name} } values %$tableref;
my $chains = @chains; my $chains = @chains;
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a..."; progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
@ -3577,7 +3577,7 @@ sub optimize_level8( $$$ ) {
} }
if ( $progress ) { if ( $progress ) {
my @rename = keys %rename; my @rename = sort keys %rename;
# #
# First create aliases for each renamed chain and change the {name} member. # First create aliases for each renamed chain and change the {name} member.
# #
@ -6840,30 +6840,31 @@ sub set_global_variables( $$ ) {
emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) ); emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
} }
} else { } else {
emit $_ for values %interfaceaddr; emit $_ for sort values %interfaceaddr;
emit "$_\n" for values %interfacegateways; emit "$_\n" for sort values %interfacegateways;
emit $_ for values %interfacemacs; emit $_ for sort values %interfacemacs;
} }
if ( $setall ) { if ( $setall ) {
emit $_ for values %interfaceaddrs; emit $_ for sort values %interfaceaddrs;
emit $_ for values %interfacenets; emit $_ for sort values %interfacenets;
unless ( have_capability( 'ADDRTYPE' ) ) { unless ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
emit $_ for values %interfacebcasts; emit $_ for sort values %interfacebcasts;
} else { } else {
emit 'ALL_ACASTS="$(get_all_acasts)"'; emit 'ALL_ACASTS="$(get_all_acasts)"';
emit $_ for values %interfaceacasts; emit $_ for sort values %interfaceacasts;
} }
} }
} }
} }
sub verify_address_variables() { sub verify_address_variables() {
while ( my ( $variable, $type ) = ( each %address_variables ) ) { for my $variable ( sort keys %address_variables ) {
my $type = $address_variables{$variable};
my $address = "\$$variable"; my $address = "\$$variable";
if ( $type eq '&' ) { if ( $type eq '&' ) {
@ -7703,7 +7704,7 @@ sub add_interface_options( $ ) {
# #
# Generate a digest for each chain # Generate a digest for each chain
# #
for my $chainref ( values %input_chains, values %forward_chains ) { for my $chainref ( sort { $a->{name} cmp $b->{name} } values %input_chains, values %forward_chains ) {
my $digest = ''; my $digest = '';
assert( $chainref ); assert( $chainref );
@ -7722,7 +7723,7 @@ sub add_interface_options( $ ) {
# Insert jumps to the interface chains into the rules chains # Insert jumps to the interface chains into the rules chains
# #
for my $zone1 ( off_firewall_zones ) { for my $zone1 ( off_firewall_zones ) {
my @input_interfaces = keys %{zone_interfaces( $zone1 )}; my @input_interfaces = sort keys %{zone_interfaces( $zone1 )};
my @forward_interfaces = @input_interfaces; my @forward_interfaces = @input_interfaces;
if ( @input_interfaces > 1 ) { if ( @input_interfaces > 1 ) {
@ -7804,7 +7805,7 @@ sub add_interface_options( $ ) {
for my $zone1 ( firewall_zone, vserver_zones ) { for my $zone1 ( firewall_zone, vserver_zones ) {
for my $zone2 ( off_firewall_zones ) { for my $zone2 ( off_firewall_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my @interfaces = keys %{zone_interfaces( $zone2 )}; my @interfaces = sort keys %{zone_interfaces( $zone2 )};
my $chain1ref; my $chain1ref;
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
@ -8273,7 +8274,7 @@ sub load_ipsets() {
# #
sub create_nfobjects() { sub create_nfobjects() {
my @objects = ( keys %nfobjects ); my @objects = ( sort keys %nfobjects );
if ( @objects ) { if ( @objects ) {
if ( $config{NFACCT} ) { if ( $config{NFACCT} ) {
@ -8288,7 +8289,7 @@ sub create_nfobjects() {
} }
} }
for ( keys %nfobjects ) { for ( sort keys %nfobjects ) {
emit( qq(if ! qt \$NFACCT get $_; then), emit( qq(if ! qt \$NFACCT get $_; then),
qq( \$NFACCT add $_), qq( \$NFACCT add $_),
qq(fi\n) ); qq(fi\n) );
@ -8706,7 +8707,8 @@ sub initialize_switches() {
if ( keys %switches ) { if ( keys %switches ) {
emit( 'if [ $COMMAND = start ]; then' ); emit( 'if [ $COMMAND = start ]; then' );
push_indent; push_indent;
while ( my ( $switch, $setting ) = each %switches ) { for my $switch ( sort keys %switches ) {
my $setting = $switches{$switch};
my $file = "/proc/net/nf_condition/$switch"; my $file = "/proc/net/nf_condition/$switch";
emit "[ -f $file ] && echo $setting->{setting} > $file"; emit "[ -f $file ] && echo $setting->{setting} > $file";
} }
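Review bot: The first option loop in merge_rules now iterates `sort { $b cmp $a } keys %$fromref`, in descending order, while the EXPENSIVE loop a few lines later uses a plain ascending `sort keys %$fromref`, and nothing says why the directions differ. Either direction makes the output reproducible, so a reader cannot tell whether the reverse order is required by set_rule_option or is incidental. A one-line comment above the loop would settle it, for example `# Options are merged in descending key order; the EXPENSIVE pass below uses ascending order`, extended with the reason if there is one. merge_rules begins and ends outside these hunks.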


@ -176,7 +176,7 @@ sub setup_ecn()
} }
if ( @hosts ) { if ( @hosts ) {
my @interfaces = ( keys %interfaces ); my @interfaces = ( sort { interface_number($a) <=> interface_number($b) } keys %interfaces );
progress_message "$doing ECN control on @interfaces..."; progress_message "$doing ECN control on @interfaces...";
@ -1535,7 +1535,7 @@ sub handle_loopback_traffic() {
# Handle conntrack rules # Handle conntrack rules
# #
if ( $notrackref->{referenced} ) { if ( $notrackref->{referenced} ) {
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) { for my $hostref ( sort { $a->{type} cmp $b->{type} } @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref); my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref);
my @ipsec_match = match_ipsec_in $z1 , $hostref; my @ipsec_match = match_ipsec_in $z1 , $hostref;
@ -1556,8 +1556,8 @@ sub handle_loopback_traffic() {
# #
my $source_hosts_ref = defined_zone( $z1 )->{hosts}; my $source_hosts_ref = defined_zone( $z1 )->{hosts};
for my $typeref ( values %{$source_hosts_ref} ) { for my $typeref ( sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref} ) {
for my $hostref ( @{$typeref->{'%vserver%'}} ) { for my $hostref ( sort { $a->{type} cmp $b->{type} } @{$typeref->{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref); my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
@ -2200,7 +2200,8 @@ sub generate_matrix() {
# #
# Take care of PREROUTING, INPUT and OUTPUT jumps # Take care of PREROUTING, INPUT and OUTPUT jumps
# #
for my $typeref ( values %$source_hosts_ref ) { for my $type ( sort keys %$source_hosts_ref ) {
my $typeref = $source_hosts_ref->{$type};
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
if ( get_physical( $interface ) eq '+' ) { if ( get_physical( $interface ) eq '+' ) {
# #
@ -2273,7 +2274,6 @@ sub generate_matrix() {
my $chain = rules_target $zone, $zone1; my $chain = rules_target $zone, $zone1;
next unless $chain; # CONTINUE policy with no rules next unless $chain; # CONTINUE policy with no rules
my $num_ifaces = 0; my $num_ifaces = 0;
if ( $zone eq $zone1 ) { if ( $zone eq $zone1 ) {
@ -2286,7 +2286,8 @@ sub generate_matrix() {
my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
for my $typeref ( values %{$zone1ref->{hosts}} ) { for my $type ( sort keys %{$zone1ref->{hosts}} ) {
my $typeref = $zone1ref->{hosts}{$type};
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
for my $hostref ( @{$typeref->{$interface}} ) { for my $hostref ( @{$typeref->{$interface}} ) {
next if $hostref->{options}{sourceonly}; next if $hostref->{options}{sourceonly};
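Review bot: In handle_loopback_traffic the comparator in `sort { $a->{type} cmp $b->{type} } values %{$source_hosts_ref}` does not appear to impose any order. The values of that hash look like per-type hashes keyed by interface name (the next line reads `$typeref->{'%vserver%'}`), so `$a->{type}` is most likely undef on both sides, every pair compares equal, and the result still follows the hash's own iteration order, with uninitialized-value warnings if warnings are on. The generate_matrix hunk later in this section sorts the keys instead, and the same form works here: `for my $type ( sort keys %{$source_hosts_ref} ) {` followed by `my $typeref = $source_hosts_ref->{$type};`. The two loops over `@{...{'%vserver%'}}` sort an array that already has a fixed order, and whether host records carry a `type` field is not visible in these hunks. The function bodies extend beyond the hunks shown.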


@ -1594,7 +1594,7 @@ sub map_provider_to_interface() {
my $haveoptional; my $haveoptional;
for my $providerref ( values %providers ) { for my $providerref ( sort { $a->{number} cmp $b->{number} } values %providers ) {
if ( $providerref->{optional} ) { if ( $providerref->{optional} ) {
unless ( $haveoptional++ ) { unless ( $haveoptional++ ) {
emit( 'if [ -n "$interface" ]; then', emit( 'if [ -n "$interface" ]; then',
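Review bot: `sort { $a->{number} cmp $b->{number} }` in map_provider_to_interface compares the provider number as a string, so provider 10 sorts ahead of provider 2. The output is reproducible either way, but if `number` is always numeric (not visible in this hunk) the numeric operator gives the natural order and matches the `<=>` used for interface numbers elsewhere in this commit: `for my $providerref ( sort { $a->{number} <=> $b->{number} } values %providers ) {`. The loop body continues past the end of the hunk.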


@ -154,7 +154,7 @@ sub setup_proxy_arp() {
emit ''; emit '';
for my $interface ( keys %reset ) { for my $interface ( sort keys %reset ) {
unless ( $set{interface} ) { unless ( $set{interface} ) {
my $physical = get_physical $interface; my $physical = get_physical $interface;
emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" , emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@ -163,7 +163,7 @@ sub setup_proxy_arp() {
} }
} }
for my $interface ( keys %set ) { for my $interface ( sort keys %set ) {
my $physical = get_physical $interface; my $physical = get_physical $interface;
emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" , emit ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
" echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" ); " echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
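Review bot: The guard `unless ( $set{interface} )` inside the `%reset` loop of setup_proxy_arp tests the literal key `interface`, not the loop variable, so it looks like the `$` sigil is missing. As written the test gives the same answer for every interface, so an interface present in both `%reset` and `%set` would probably get the reset block emitted and then the `echo 1` block from the second loop. If the intent is to skip interfaces that are about to be set, the line should read `unless ( $set{$interface} ) {`. This line is context that the commit leaves unchanged, and what the reset block writes is outside the hunk.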


@ -1800,7 +1800,7 @@ sub find_interfaces_by_option1( $ ) {
my @ints = (); my @ints = ();
my $wild = 0; my $wild = 0;
for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) { for my $interface ( @interfaces ) {
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interfaces{$interface};
next unless defined $interfaceref->{physical}; next unless defined $interfaceref->{physical};
@ -2170,9 +2170,9 @@ sub find_hosts_by_option( $ ) {
} }
for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) { for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
for my $type (keys %{$zones{$zone}{hosts}} ) { for my $type (sort keys %{$zones{$zone}{hosts}} ) {
my $interfaceref = $zones{$zone}{hosts}->{$type}; my $interfaceref = $zones{$zone}{hosts}->{$type};
for my $interface ( keys %$interfaceref ) { for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface}; my $arrayref = $interfaceref->{$interface};
for my $host ( @{$arrayref} ) { for my $host ( @{$arrayref} ) {
my $ipsec = $host->{ipsec}; my $ipsec = $host->{ipsec};
@ -2199,8 +2199,10 @@ sub find_zone_hosts_by_option( $$ ) {
my @hosts; my @hosts;
unless ( $zones{$zone}{type} & FIREWALL ) { unless ( $zones{$zone}{type} & FIREWALL ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { for my $type (sort keys %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { my $interfaceref = $zones{$zone}{hosts}->{$type};
for my $interface ( sort keys %$interfaceref ) {
my $arrayref = $interfaceref->{$interface};
for my $host ( @{$arrayref} ) { for my $host ( @{$arrayref} ) {
if ( my $value = $host->{options}{$option} ) { if ( my $value = $host->{options}{$option} ) {
for my $net ( @{$host->{hosts}} ) { for my $net ( @{$host->{hosts}} ) {
@ -2212,9 +2214,7 @@ sub find_zone_hosts_by_option( $$ ) {
} }
} }
my @sorted = sort { $a->[0] cmp $b->[0] } @hosts; \@hosts
\@sorted
} }
# #
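Review bot: find_zone_hosts_by_option no longer returns its result sorted by the first element of each entry: the final `sort { $a->[0] cmp $b->[0] } @hosts` is removed and `\@hosts` is returned in type-then-interface order. For a zone with hosts under more than one type this can change the order callers see, and if they emit rules in that order the generated ruleset changes with it; the callers are not visible here, so this needs checking. `sort keys %$interfaceref` also orders interface names lexically (eth10 before eth2), whereas other loops in this commit sort by `interface_number`. A comment above the return such as `# Hosts are returned grouped by type, then by interface name` would record the new contract. The start of the function is outside the hunk.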