From 68f537ac5bac04c56bf27e9b379e0352c9a37286 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 28 Sep 2010 10:48:44 -0700 Subject: [PATCH] Bypass processing logic when an optional config file is absent. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 62 +++--- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/Perl/Shorewall/Nat.pm | 95 +++++---- Shorewall/Perl/Shorewall/Providers.pm | 19 +- Shorewall/Perl/Shorewall/Raw.pm | 25 +-- Shorewall/Perl/Shorewall/Rules.pm | 284 +++++++++++++------------ Shorewall/Perl/Shorewall/Tunnels.pm | 23 +- Shorewall/Perl/Shorewall/Zones.pm | 9 +- 8 files changed, 266 insertions(+), 253 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 05cc57b95..090b1e3e2 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4.13'; +our $VERSION = '4.4.14'; # # Called by the compiler to [re-]initialize this module's state 
@@ -224,48 +224,48 @@ sub process_accounting_rule( ) { sub setup_accounting() { - my $fn = open_file 'accounting'; + if ( my $fn = open_file 'accounting' ) { - first_entry "$doing $fn..."; + first_entry "$doing $fn..."; - my $nonEmpty = 0; + my $nonEmpty = 0; - $nonEmpty |= process_accounting_rule while read_a_line; + $nonEmpty |= process_accounting_rule while read_a_line; - clear_comment; + clear_comment; - if ( have_bridges ) { - if ( $filter_table->{accounting} ) { - for my $chain ( qw/INPUT FORWARD/ ) { + if ( have_bridges ) { + if ( $filter_table->{accounting} ) { + for my $chain ( qw/INPUT FORWARD/ ) { + add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); + } + } + + if ( $filter_table->{accountout} ) { + add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); + } + } elsif ( $filter_table->{accounting} ) { + for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); } } - if ( $filter_table->{accountout} ) { - add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); + if ( $filter_table->{accipsecin} ) { + for my $chain ( qw/INPUT FORWARD/ ) { + add_jump( $filter_table->{$chain}, 'accipsecin', 0, '', 0, 0 ); + } } - } elsif ( $filter_table->{accounting} ) { - for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { - add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); + + if ( $filter_table->{accipsecout} ) { + for my $chain ( qw/FORWARD OUTPUT/ ) { + add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 ); + } + } + + for ( accounting_chainrefs ) { + warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}}; } } - - if ( $filter_table->{accipsecin} ) { - for my $chain ( qw/INPUT FORWARD/ ) { - add_jump( $filter_table->{$chain}, 'accipsecin', 0, '', 0, 0 ); - } - } - - if ( $filter_table->{accipsecout} ) { - for my $chain ( qw/FORWARD OUTPUT/ ) { - add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 ); - } - } - - for ( 
accounting_chainrefs ) { - warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}}; - } - } 1; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 20ba13e07..f15f3b4df 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -132,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; # # describe the current command, it's present progressive, and it's completion. diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index b73dc3be7..80ae33439 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -36,7 +36,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT_OK = (); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; our @addresses_to_add; our %addresses_to_add; @@ -262,14 +262,14 @@ sub process_one_masq( ) # sub setup_masq() { - my $fn = open_file 'masq'; + if ( my $fn = open_file 'masq' ) { - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); - process_one_masq while read_a_line; - - clear_comment; + process_one_masq while read_a_line; + clear_comment; + } } # 
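Review bot: `my $nonEmpty = 0;` followed by `$nonEmpty |= process_accounting_rule while read_a_line;` on the new side of setup_accounting collects a flag that nothing in the sub reads afterwards; the jumps below are keyed on `$filter_table->{accounting}` and its siblings instead. Unless the intent was to gate those jumps on a non-empty file, `process_accounting_rule while read_a_line;` says the same thing without the dead variable. The same unused `my $nonEmpty = 0;` is carried into setup_notrack in Raw.pm, where it is never even assigned. Separately, this file's `$VERSION` is bumped to `'4.4.14'` while every other module in the patch uses the `'4.4_14'` form; the mismatch looks accidental.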
@@ -359,32 +359,32 @@ sub do_one_nat( $$$$$ ) # sub setup_nat() { - my $fn = open_file 'nat'; + if ( my $fn = open_file 'nat' ) { - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); - while ( read_a_line ) { + while ( read_a_line ) { - my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; + my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; - if ( $external eq 'COMMENT' ) { - process_comment; - } else { - ( $interfacelist, my $digit ) = split /:/, $interfacelist; + if ( $external eq 'COMMENT' ) { + process_comment; + } else { + ( $interfacelist, my $digit ) = split /:/, $interfacelist; - $digit = defined $digit ? ":$digit" : ''; + $digit = defined $digit ? ":$digit" : ''; - for my $interface ( split_list $interfacelist , 'interface' ) { - fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne ''; - do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat; + for my $interface ( split_list $interfacelist , 'interface' ) { + fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne ''; + do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat; + } + + progress_message " NAT entry \"$currentline\" $done"; } - - progress_message " NAT entry \"$currentline\" $done"; } + clear_comment; } - - clear_comment; } # 
@@ -392,40 +392,43 @@ sub setup_nat() { # sub setup_netmap() { - my $fn = open_file 'netmap'; + if ( my $fn = open_file 'netmap' ) { - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); - while ( read_a_line ) { + while ( read_a_line ) { - my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file'; + my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file'; - $net3 = ALLIP if $net3 eq '-'; + $net3 = ALLIP if $net3 eq '-'; - for my $interface ( split_list $interfacelist, 'interface' ) { + for my $interface ( split_list $interfacelist, 'interface' ) { - my $rulein = ''; - my $ruleout = ''; - my $iface = $interface; + my $rulein = ''; + my $ruleout = ''; + my $iface = $interface; - fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); + fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); - unless ( $interfaceref->{root} ) { - $rulein = match_source_dev( $interface ); - $ruleout = match_dest_dev( $interface ); - $interface = $interfaceref->{name}; + unless ( $interfaceref->{root} ) { + $rulein = match_source_dev( $interface ); + $ruleout = match_dest_dev( $interface ); + $interface = $interfaceref->{name}; + } + + if ( $type eq 'DNAT' ) { + add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2"; + } elsif ( $type eq 'SNAT' ) { + add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . 
"-s $net1 -j NETMAP --to $net2"; + } else { + fatal_error "Invalid type ($type)"; + } + + progress_message " Network $net1 on $iface mapped to $net2 ($type)"; } - - if ( $type eq 'DNAT' ) { - add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2"; - } elsif ( $type eq 'SNAT' ) { - add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2"; - } else { - fatal_error "Invalid type ($type)"; - } - - progress_message " Network $net1 on $iface mapped to $net2 ($type)"; } + + clear_comment; } } diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 5fe6de0e3..7960cfe57 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); our @EXPORT_OK = qw( initialize lookup_provider ); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; use constant { LOCAL_TABLE => 255, MAIN_TABLE => 254, @@ -757,15 +757,16 @@ sub setup_providers() { $lastmark = 0; - my $fn = open_file 'providers'; + if ( my $fn = open_file 'providers' ) { - first_entry sub() { - progress_message2 "$doing $fn..."; - emit "\nif [ -z \"\$g_noroutes\" ]; then"; - push_indent; - start_providers; }; - - add_a_provider, $providers++ while read_a_line; + first_entry sub() { + progress_message2 "$doing $fn..."; + emit "\nif [ -z \"\$g_noroutes\" ]; then"; + push_indent; + start_providers; }; + + add_a_provider, $providers++ while read_a_line; + } if ( $providers ) { finish_providers; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index a9e6a3e47..6d690c913 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm 
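Review bot: The `clear_comment;` added at the end of setup_netmap is new behaviour rather than re-indentation, and the commit message does not mention it. Unlike setup_nat, which parses with `split_line1` and has a `COMMENT` branch, the netmap loop uses `split_line 4, 5, 'netmap file'` and never calls `process_comment`, so if `clear_comment` only resets comment state it is a no-op here and can be dropped. If it is meant to clear state left by an earlier file, that deserves a sentence in the description and a one-line comment on the call.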
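Review bot: `first_entry sub() { ... };` in setup_providers puts an empty prototype on an anonymous sub, which has no effect on a code reference passed by value and is the kind of prototype perlcritic flags; `first_entry sub { ... };` reads the same. The following `add_a_provider, $providers++ while read_a_line;` joins two statements with the comma operator, which is easy to misread — `while ( read_a_line ) { add_a_provider; $providers++; }` is clearer. Both lines are pre-existing code that the hunk re-indents, and setup_providers starts and ends outside the hunk.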
@@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_notrack ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; # # Notrack @@ -76,24 +76,25 @@ sub process_notrack_rule( $$$$$$ ) { sub setup_notrack() { - my $fn = open_file 'notrack'; + if ( my $fn = open_file 'notrack' ) { - first_entry "$doing $fn..."; + first_entry "$doing $fn..."; - my $nonEmpty = 0; + my $nonEmpty = 0; - while ( read_a_line ) { + while ( read_a_line ) { - my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File'; + my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File'; - if ( $source eq 'COMMENT' ) { - process_comment; - } else { - process_notrack_rule $source, $dest, $proto, $ports, $sports, $user; + if ( $source eq 'COMMENT' ) { + process_comment; + } else { + process_notrack_rule $source, $dest, $proto, $ports, $sports, $user; + } } - } - clear_comment; + clear_comment; + } } 1; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index cb015b139..e0955e6ed 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos compile_stop_firewall ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; our $macro_nest_level; our $current_param; 
@@ -322,119 +322,120 @@ sub setup_blacklist() { sub process_routestopped() { - my ( @allhosts, %source, %dest , %notrack, @rule ); + if ( my $fn = open_file 'routestopped' ) { + my ( @allhosts, %source, %dest , %notrack, @rule ); - my $fn = open_file 'routestopped'; + my $seq = 0; - my $seq = 0; + first_entry "$doing $fn..."; - first_entry "$doing $fn..."; + while ( read_a_line ) { - while ( read_a_line ) { + my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; - my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; + my $interfaceref; - my $interfaceref; + fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface; + $hosts = ALLIP unless $hosts && $hosts ne '-'; - fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface; - $hosts = ALLIP unless $hosts && $hosts ne '-'; + my $routeback = 0; - my $routeback = 0; + my @hosts; - my @hosts; + $seq++; - $seq++; - - my $rule = do_proto( $proto, $ports, $sports, 0 ); - - for my $host ( split /,/, $hosts ) { - fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS}; - validate_host $host, 1; - push @hosts, "$interface|$host|$seq"; - push @rule, $rule; - } - - unless ( $options eq '-' ) { - for my $option (split /,/, $options ) { - if ( $option eq 'routeback' ) { - if ( $routeback ) { - warning_message "Duplicate 'routeback' option ignored"; - } else { - $routeback = 1; - } - } elsif ( $option eq 'source' ) { - for my $host ( split /,/, $hosts ) { - $source{"$interface|$host|$seq"} = 1; - } - } elsif ( $option eq 'dest' ) { - for my $host ( split /,/, $hosts ) { - $dest{"$interface|$host|$seq"} = 1; - } - } elsif ( $option eq 'notrack' ) { - for my $host ( split /,/, $hosts ) { - $notrack{"$interface|$host|$seq"} = 1; - } - } else { - warning_message "Unknown routestopped option ( $option ) ignored" unless $option 
eq 'critical'; - warning_message "The 'critical' option is no longer supported (or needed)"; - } - } - } - - if ( $routeback || $interfaceref->{options}{routeback} ) { - my $chainref = $filter_table->{FORWARD}; + my $rule = do_proto( $proto, $ports, $sports, 0 ); for my $host ( split /,/, $hosts ) { - add_rule( $chainref , - match_source_dev( $interface ) . - match_dest_dev( $interface ) . - match_source_net( $host ) . - match_dest_net( $host ) ); - clearrule; + fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS}; + validate_host $host, 1; + push @hosts, "$interface|$host|$seq"; + push @rule, $rule; } - } - push @allhosts, @hosts; - } - for my $host ( @allhosts ) { - my ( $interface, $h, $seq ) = split /\|/, $host; - my $source = match_source_net $h; - my $dest = match_dest_net $h; - my $sourcei = match_source_dev $interface; - my $desti = match_dest_dev $interface; - my $rule = shift @rule; + unless ( $options eq '-' ) { + for my $option (split /,/, $options ) { + if ( $option eq 'routeback' ) { + if ( $routeback ) { + warning_message "Duplicate 'routeback' option ignored"; + } else { + $routeback = 1; + } + } elsif ( $option eq 'source' ) { + for my $host ( split /,/, $hosts ) { + $source{"$interface|$host|$seq"} = 1; + } + } elsif ( $option eq 'dest' ) { + for my $host ( split /,/, $hosts ) { + $dest{"$interface|$host|$seq"} = 1; + } + } elsif ( $option eq 'notrack' ) { + for my $host ( split /,/, $hosts ) { + $notrack{"$interface|$host|$seq"} = 1; + } + } else { + warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; + warning_message "The 'critical' option is no longer supported (or needed)"; + } + } + } - add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1; - add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED}; + if ( $routeback || $interfaceref->{options}{routeback} ) { + my $chainref = 
$filter_table->{FORWARD}; - my $matched = 0; - - if ( $source{$host} ) { - add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1; - $matched = 1; - } - - if ( $dest{$host} ) { - add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1; - $matched = 1; - } - - if ( $notrack{$host} ) { - add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1; - add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1; - } - - unless ( $matched ) { - for my $host1 ( @allhosts ) { - unless ( $host eq $host1 ) { - my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1; - my $dest1 = match_dest_net $h1; - my $desti1 = match_dest_dev $interface1; - add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1; + for my $host ( split /,/, $hosts ) { + add_rule( $chainref , + match_source_dev( $interface ) . + match_dest_dev( $interface ) . + match_source_net( $host ) . + match_dest_net( $host ) ); clearrule; } } + + push @allhosts, @hosts; + } + + for my $host ( @allhosts ) { + my ( $interface, $h, $seq ) = split /\|/, $host; + my $source = match_source_net $h; + my $dest = match_dest_net $h; + my $sourcei = match_source_dev $interface; + my $desti = match_dest_dev $interface; + my $rule = shift @rule; + + add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1; + add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED}; + + my $matched = 0; + + if ( $source{$host} ) { + add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1; + $matched = 1; + } + + if ( $dest{$host} ) { + add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1; + $matched = 1; + } + + if ( $notrack{$host} ) { + add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1; + add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1; + } + + unless ( $matched ) { + for my $host1 ( @allhosts ) { + unless ( $host eq $host1 ) { + my 
( $interface1, $h1 , $seq1 ) = split /\|/, $host1; + my $dest1 = match_dest_net $h1; + my $desti1 = match_dest_dev $interface1; + add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1; + clearrule; + } + } + } } } } 
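Review bot: The new `if ( my $fn = open_file 'routestopped' )` guard encloses the whole of process_routestopped, so an absent file now silently produces no routestopped ACCEPT or NOTRACK rules; that is the fail-closed default one wants, but it deserves a comment on the `if`, e.g. `# routestopped is optional; when absent, no stopped-state exceptions are generated.`. In the re-indented inner loop, `my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;` unpacks `$seq1` and never uses it — `my ( $interface1, $h1 ) = split /\|/, $host1;` avoids the dead variable. The pairwise `for my $host1 ( @allhosts )` under `unless ( $matched )` is quadratic in the number of hosts; pre-existing and fine for a config-sized list, but worth knowing if the file grows.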
@@ -759,54 +760,55 @@ sub setup_mac_lists( $ ) { } } - my $fn = open_file 'maclist'; + if ( my $fn = open_file 'maclist' ) { - first_entry "$doing $fn..."; + first_entry "$doing $fn..."; - while ( read_a_line ) { + while ( read_a_line ) { - my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; + my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; - if ( $original_disposition eq 'COMMENT' ) { - process_comment; - } else { - my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 ); - - fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition; - - my $targetref = $maclist_targets{$disposition}; - - fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} ); - fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); - fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface}; - - my $chainref = $chain_table{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; - - $mac = '' unless $mac && ( $mac ne '-' ); - $addresses = '' unless defined $addresses && ( $addresses ne '-' ); - - fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses; - - $mac = mac_match $mac if $mac; - - if ( $addresses ) { - for my $address ( split ',', $addresses ) { - my $source = match_source_net $address; - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" - if defined $level && $level ne ''; - add_jump $chainref , $targetref->{target}, 0, "${mac}${source}"; - } + if ( $original_disposition eq 'COMMENT' ) { + process_comment; } else { - log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac - if defined $level && $level ne ''; - add_jump $chainref , $targetref->{target}, 0, "$mac"; + my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 ); + + fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition; + + my $targetref = $maclist_targets{$disposition}; + + fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} ); + fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); + fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface}; + + my $chainref = $chain_table{$table}{( $ttl ? 
macrecent_target $interface : mac_chain $interface )}; + + $mac = '' unless $mac && ( $mac ne '-' ); + $addresses = '' unless defined $addresses && ( $addresses ne '-' ); + + fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses; + + $mac = mac_match $mac if $mac; + + if ( $addresses ) { + for my $address ( split ',', $addresses ) { + my $source = match_source_net $address; + log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" + if defined $level && $level ne ''; + add_jump $chainref , $targetref->{target}, 0, "${mac}${source}"; + } + } else { + log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac + if defined $level && $level ne ''; + add_jump $chainref , $targetref->{target}, 0, "$mac"; + } + + progress_message " Maclist entry \"$currentline\" $done"; } - - progress_message " Maclist entry \"$currentline\" $done"; } - } - clear_comment; + clear_comment; + } # # Generate jumps from the input and forward chains # @@ -1653,11 +1655,15 @@ sub process_rules() { my $fn = open_file 'rules'; - first_entry "$doing $fn..."; + if ( $fn ) { - process_rule while read_a_line; + first_entry "$doing $fn..."; + + process_rule while read_a_line; + + clear_comment; + } - clear_comment; $section = 'DONE'; } @@ -1698,7 +1704,7 @@ sub generate_dest_rules( $$$$ ) { if ( $type2 == VSERVER ) { for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) { - my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain); + my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain); for my $net ( @{$hostref->{hosts}} ) { add_jump( $chainref, @@ -1739,7 +1745,7 @@ sub generate_source_rules( $$$$ ) { } # -# Loopback traffic -- this is where we assemble the intra-firewall traffic routing +# Loopback traffic -- this is where we assemble the intra-firewall chains # sub handle_loopback_traffic() { my @zones = ( vserver_zones, firewall_zone ); 
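Review bot: process_rules spells the new guard as `my $fn = open_file 'rules';` followed by `if ( $fn ) {`, while every other sub in this commit uses `if ( my $fn = open_file '...' ) {`; the latter also confines `$fn` to the guarded block. Suggest `if ( my $fn = open_file 'rules' ) {` and dropping the separate declaration. Keeping `$section = 'DONE';` outside the guard looks right, since later processing presumably relies on the section marker even when no rules file exists. process_rules starts outside the hunk.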
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index b0553eba6..586f8b32d 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tunnels ); our @EXPORT_OK = ( ); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; # # Here starts the tunnel stuff -- we really should get rid of this crap... @@ -277,22 +277,23 @@ sub setup_tunnels() { # # Setup_Tunnels() Starts Here # - my $fn = open_file 'tunnels'; + if ( my $fn = open_file 'tunnels' ) { - first_entry "$doing $fn..."; + first_entry "$doing $fn..."; - while ( read_a_line ) { + while ( read_a_line ) { - my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file'; + my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file'; - if ( $kind eq 'COMMENT' ) { - process_comment; - } else { - setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; + if ( $kind eq 'COMMENT' ) { + process_comment; + } else { + setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; + } } - } - clear_comment; + clear_comment; + } } 1; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 3b60a48b5..3a9092ace 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_13'; +our $VERSION = '4.4_14'; # # IPSEC Option types @@ -1774,11 +1774,12 @@ sub validate_hosts_file() { my $ipsec = 0; - my $fn = open_file 'hosts'; + if ( my $fn = open_file 'hosts' ) { - first_entry "$doing $fn..."; + first_entry "$doing $fn..."; - $ipsec |= process_host while read_a_line; + $ipsec |= process_host while read_a_line; + } $have_ipsec = $ipsec || haveipseczones;