Generate warning when a rules file entry generates no iptables-restore input

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-08-24 08:38:49 -07:00
parent 383e792807
commit 5c49aa843c
2 changed files with 48 additions and 38 deletions


@ -114,6 +114,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
$product $product
$Product $Product
$toolname
$command $command
$doing $doing
$done $done
@ -131,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_11'; our $VERSION = '4.4_13';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.


@ -890,6 +890,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
my $format = 1; my $format = 1;
my $generated = 0;
macro_comment $macro; macro_comment $macro;
my $macrofile = $macros{$macro}; my $macrofile = $macros{$macro};
@ -961,7 +963,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
$mdest = ''; $mdest = '';
} }
process_rule1( $generated |= process_rule1(
$mtarget, $mtarget,
$msource, $msource,
$mdest, $mdest,
@ -986,6 +988,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
clear_comment unless $nocomment; clear_comment unless $nocomment;
return $generated;
} }
# #
# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
@ -1023,7 +1027,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$current_param = $param; $current_param = $param;
} }
process_macro( $basictarget, my $generated = process_macro( $basictarget,
$target , $target ,
$current_param, $current_param,
$source, $source,
@ -1043,7 +1047,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$current_param = pop @param_stack if $param ne ''; $current_param = pop @param_stack if $param ne '';
return; return $generated;
} elsif ( $actiontype & NFQ ) { } elsif ( $actiontype & NFQ ) {
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
@ -1173,7 +1177,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
if ( $destref->{type} == BPORT ) { if ( $destref->{type} == BPORT ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard; return 0 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
} }
} }
@ -1186,7 +1190,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$policy = $chainref->{policy}; $policy = $chainref->{policy};
if ( $policy eq 'NONE' ) { if ( $policy eq 'NONE' ) {
return 1 if $wildcard; return 0 if $wildcard;
fatal_error "Rules may not override a NONE policy"; fatal_error "Rules may not override a NONE policy";
} }
# #
@ -1195,9 +1199,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $optimize > 0 ) { if ( $optimize > 0 ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}"; return 0 if $target eq "${policy}:$loglevel}";
} else { } else {
return 1 if $basictarget eq $policy; return 0 if $basictarget eq $policy;
} }
} }
# #
@ -1494,6 +1498,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$log_action , $log_action ,
'' ); '' );
} }
return 1;
} }
# #
@ -1610,6 +1616,7 @@ sub process_rule ( ) {
my $thisline = $currentline; #We must save $currentline because it is overwritten by macro expansion my $thisline = $currentline; #We must save $currentline because it is overwritten by macro expansion
my $action = isolate_basic_target $target; my $action = isolate_basic_target $target;
my $fw = firewall_zone; my $fw = firewall_zone;
my $generated = 0;
my @source; my @source;
my @dest; my @dest;
@ -1624,12 +1631,14 @@ sub process_rule ( ) {
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone; $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild; $generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
} }
} }
} }
progress_message " Rule \"$thisline\" $done"; warning_message qq(Entry generated no $toolname rules) unless $generated;
progress_message qq( Rule "$thisline" $done);
} }
# #
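Review bot: The optimize branch of process_rule1 (`return 0 if $target eq "${policy}:$loglevel}"` and `return 0 if $basictarget eq $policy`) now reports a rule that was deliberately dropped as a duplicate of the policy exactly like one that produced nothing, so with optimization enabled the new `Entry generated no $toolname rules` warning in process_rule fires for entries that are merely redundant; emitting a distinct progress message before that `return 0` (or returning a value the caller can tell apart) would keep the warning meaningful for the cases it was added for. That same comparison still carries a stray closing brace in the string literal, `"${policy}:$loglevel}"`, which looks like it was meant to be `"${policy}:$loglevel"` — as written it can never equal a real target, so the loglevel form of this optimization never triggers. Since process_macro and process_rule accumulate with `$generated |= process_rule1(...)`, any remaining bare `return;` path in process_rule1 would produce an "uninitialized value in bitwise or" warning under `use warnings` and should either return 0 or be coerced at the call site, e.g. `$generated |= ( process_rule1( ... ) || 0 );`. process_macro, process_rule1 and process_rule all start and end outside the hunks shown, so the other return paths could not be checked here.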