Fix assertion failure during 'check -r' when DOCKER=Yes

- avoid unnecessary mode transitions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2018-10-31 15:17:50 -07:00
parent 282ca14182
commit 6534201284
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10


@ -8531,6 +8531,18 @@ sub enter_cmd_mode() {
$mode = CMD_MODE; $mode = CMD_MODE;
} }
#
# These two assure that we're in a particular mode
#
sub ensure_cat_mode() {
enter_cat_mode unless $mode == CAT_MODE;
}
sub ensure_cmd_mode() {
enter_cmd_mode unless $mode == CMD_MODE;
}
# #
# Emits the passed rule (input to iptables-restore) or command # Emits the passed rule (input to iptables-restore) or command
# #
@ -8546,7 +8558,7 @@ sub emitr( $$ ) {
# #
# A rule # A rule
# #
enter_cat_mode unless $mode == CAT_MODE; ensure_cat_mode;
if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) { if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) {
emit_unindented '# ' . $origin; emit_unindented '# ' . $origin;
@ -8557,7 +8569,7 @@ sub emitr( $$ ) {
# #
# A command # A command
# #
enter_cmd_mode unless $mode == CMD_MODE; ensure_cmd_mode;
if ( exists $ruleref->{cmd} ) { if ( exists $ruleref->{cmd} ) {
emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} ); emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
@ -8590,6 +8602,14 @@ sub enter_cmd_mode1() {
$mode = CMD_MODE; $mode = CMD_MODE;
} }
sub ensure_cat_mode1() {
enter_cat_mode1 unless $mode == CAT_MODE;
}
sub ensure_cmd_mode1() {
enter_cmd_mode1 unless $mode == CMD_MODE;
}
sub emitr1( $$ ) { sub emitr1( $$ ) {
my ( $chainref, $ruleref ) = @_; my ( $chainref, $ruleref ) = @_;
@ -8598,14 +8618,14 @@ sub emitr1( $$ ) {
# #
# A rule # A rule
# #
enter_cat_mode1 unless $mode == CAT_MODE; ensure_cat_mode1;
print format_rule( $chainref, $ruleref ) . "\n"; print format_rule( $chainref, $ruleref ) . "\n";
} else { } else {
# #
# A command # A command
# #
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
if ( exists $ruleref->{cmd} ) { if ( exists $ruleref->{cmd} ) {
emitstd $ruleref->{cmd}; emitstd $ruleref->{cmd};
@ -9159,29 +9179,26 @@ sub create_netfilter_load( $ ) {
if ( $name =~ /^DOCKER/ ) { if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) { if ( $name eq 'DOCKER' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
enter_cmd_mode; ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-USER' ) { } elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' ); emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
enter_cat_mode;
} else { } else {
ensure_cat_mode;
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
} else { } else {
ensure_cat_mode;
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
@ -9199,17 +9216,19 @@ sub create_netfilter_load( $ ) {
# #
# Then emit the rules # Then emit the rules
# #
ensure_cat_mode;
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
emitr( $chainref, $_ ) for @{$chainref->{rules}}; emitr( $chainref, $_ ) for @{$chainref->{rules}};
} }
# #
# Commit the changes to the table # Commit the changes to the table
# #
enter_cat_mode unless $mode == CAT_MODE; ensure_cat_mode;
emit_unindented 'COMMIT'; emit_unindented 'COMMIT';
} }
enter_cmd_mode; ensure_cmd_mode;
pop_indent, emit "fi\n"; pop_indent, emit "fi\n";
# #
@ -9274,33 +9293,31 @@ sub preview_netfilter_load() {
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) { if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) { if ( $name eq 'DOCKER' ) {
enter_cmd_mode1; ensure_cmd_mode1;
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
print "\n"; print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n"; print "\n";
enter_cat_mode1;
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
enter_cat_mode1; print "\n";
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
print "\n"; print "\n";
enter_cat_mode1;
} elsif ( $name eq 'DOCKER-USER' ) { } elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' ); print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
print "\n"; print "\n";
enter_cat_mode1;
} else { } else {
enter_cmd_mode1 unless $mode == CMD_MODE; ensure_cmd_mode1;
print( ":$name - [0:0]\n" ); print( ":$name - [0:0]\n" );
} }
} else { } else {
ensure_cat_mode1;
print( ":$name - [0:0]\n" ); print( ":$name - [0:0]\n" );
} }
@ -9310,13 +9327,15 @@ sub preview_netfilter_load() {
# #
# Then emit the rules # Then emit the rules
# #
ensure_cat_mode1;
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
emitr1($chainref, $_ ) for @{$chainref->{rules}}; emitr1($chainref, $_ ) for @{$chainref->{rules}};
} }
# #
# Commit the changes to the table # Commit the changes to the table
# #
enter_cat_mode1 unless $mode == CAT_MODE; ensure_cat_mode1;
print "COMMIT\n"; print "COMMIT\n";
} }
@ -9376,29 +9395,26 @@ sub create_stop_load( $ ) {
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name =~ /^DOCKER/ ) { if ( $name =~ /^DOCKER/ ) {
if ( $name eq 'DOCKER' ) { if ( $name eq 'DOCKER' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
enter_cmd_mode; ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-INGRESS' ) { } elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-USER' ) { } elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode; ensure_cmd_mode;
emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' ); emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
enter_cat_mode;
} else { } else {
ensure_cat_mode;
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
} else { } else {
ensure_cat_mode;
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
@ -9408,6 +9424,8 @@ sub create_stop_load( $ ) {
# #
# Then emit the rules # Then emit the rules
# #
ensure_cat_mode;
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
emitr( $chainref, $_ ) for @{$chainref->{rules}}; emitr( $chainref, $_ ) for @{$chainref->{rules}};
} }
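Review bot: In preview_netfilter_load, the inner `else` branch for a chain whose name starts with DOCKER but matches none of the known names calls `ensure_cmd_mode1;` before `print( ":$name - [0:0]\n" );`, whereas the same branch in create_netfilter_load and create_stop_load calls `ensure_cat_mode;` before emitting the identical declaration. That line is iptables-restore input rather than a shell command, so the preview would presumably show it among the shell commands and no longer match the script that is actually generated; it should read `ensure_cat_mode1;`. The old side made the same command-mode call there, so this looks like a carried-over slip that the commit preserved rather than introduced. Separately, the DOCKER branches no longer switch back to cat mode after each declaration, so any raw restore input written in the lines not shown between these hunks needs its own `ensure_cat_mode;` or `ensure_cat_mode1;` in front of it, which is worth confirming against the full file.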