Implement VALIDATE_PORTS
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6609 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
35a791585c
commit
700f662d04
@ -8,6 +8,8 @@ Changes in 4.0.0 Beta 6
|
|||||||
|
|
||||||
4) DYNAMIC_ZONES=Yes and bridges.
|
4) DYNAMIC_ZONES=Yes and bridges.
|
||||||
|
|
||||||
|
5) Implement VALIDATE_PORTS
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 5
|
Changes in 4.0.0 Beta 5
|
||||||
|
|
||||||
1) Fix undefined function call when both an input interface and an
|
1) Fix undefined function call when both an input interface and an
|
||||||
|
@ -67,6 +67,18 @@ Other changes in Shorewall 4.0.0 Beta 6
|
|||||||
are installed, the additional shorewall.conf file is read to see if
|
are installed, the additional shorewall.conf file is read to see if
|
||||||
it specifies a SHOREWALL_COMPILER.
|
it specifies a SHOREWALL_COMPILER.
|
||||||
|
|
||||||
|
3) Shorewall-perl validates protocol names and service names against
|
||||||
|
/etc/protocols and /etc/services. That's the good news. The bad
|
||||||
|
news is that this extra validation has a fixed overhead of almost
|
||||||
|
.8 seconds on my x86_64 box. This fixed cost is mostly attributable
|
||||||
|
to the cost of reading and digesting /etc/services.
|
||||||
|
|
||||||
|
To give people the choice of whether they want to incure this fixed
|
||||||
|
cost on each compilation, I've added a VALIDATE_PORTS option in
|
||||||
|
/etc/shorewall/shorewall.conf. If you set this to 'No', you can
|
||||||
|
save the extra processing time but the script may fail at runtime
|
||||||
|
because of typing errors.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) You cannot simply upgrade your existing Shorewall package. You must
|
1) You cannot simply upgrade your existing Shorewall package. You must
|
||||||
|
@ -32,6 +32,12 @@ VERBOSITY=1
|
|||||||
|
|
||||||
SHOREWALL_COMPILER=
|
SHOREWALL_COMPILER=
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# C O M P I L E R O P T I O N S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
VALIDATE_PORTS=Yes
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O G G I N G
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
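Review bot: The new `VALIDATE_PORTS=Yes` setting is added without a comment describing what it controls, so a reader of the shipped file cannot tell what changing it to No trades away. A comment above the line such as `# Set to No to skip validating protocol and service names against /etc/protocols and /etc/services at compile time; typing errors are then only caught when iptables runs.` would make the trade-off (described in the release notes) visible where the option is actually set.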
|
@ -760,7 +760,7 @@ sub validate_proto( $ ) {
|
|||||||
return $value if defined $value;
|
return $value if defined $value;
|
||||||
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
|
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
|
||||||
return $proto if $proto eq 'all';
|
return $proto if $proto eq 'all';
|
||||||
fatal_error "Invalid/Unknown protocol ($proto)";
|
fatal_error "Invalid/Unknown protocol ($proto)" if $config{VALIDATE_PORTS};
|
||||||
}
|
}
|
||||||
|
|
||||||
sub validate_portpair( $ ) {
|
sub validate_portpair( $ ) {
|
||||||
@ -782,9 +782,10 @@ sub validate_portpair( $ ) {
|
|||||||
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
if ( $config{VALIDATE_PORTS} ) {
|
||||||
|
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
||||||
$port = $value;
|
$port = $value;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @ports == 2 ) {
|
if ( @ports == 2 ) {
|
||||||
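Review bot: In the validate_proto hunk, making `fatal_error` conditional leaves the sub with no return on the VALIDATE_PORTS=No path: when `$proto` is a name that neither the earlier `$value` lookup nor the numeric test resolves, the last evaluated expression is the false `$config{VALIDATE_PORTS}`, so the caller receives a false value ('' or undef) instead of the protocol name. Keep the changed line as `fatal_error "Invalid/Unknown protocol ($proto)" if $config{VALIDATE_PORTS};` and add `return $proto;` after it, so an unvalidated name is passed through the way validate_portpair passes `$port` through. validate_proto's body starts above the hunk. In the validate_portpair hunk, the `$port <= 65535` test does not depend on /etc/services, so the range check on numeric ports could stay unconditional, e.g. `fatal_error "Invalid/Unknown port/service ($port)" if $port =~ /^\d+$/ && !defined $value;` ahead of the `if ( $config{VALIDATE_PORTS} )` block, rather than deferring an out-of-range number to iptables at runtime.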
|
@ -221,6 +221,10 @@ sub initialize() {
|
|||||||
EXPORTPARAMS => undef,
|
EXPORTPARAMS => undef,
|
||||||
SHOREWALL_COMPILER => undef,
|
SHOREWALL_COMPILER => undef,
|
||||||
#
|
#
|
||||||
|
# Compiler Options
|
||||||
|
#
|
||||||
|
VALIDATE_PORTS => undef,
|
||||||
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
MACLIST_DISPOSITION => undef,
|
MACLIST_DISPOSITION => undef,
|
||||||
@ -586,6 +590,27 @@ sub read_a_line {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
|
||||||
|
#
|
||||||
|
sub read_a_line1 {
|
||||||
|
while ( $currentfile ) {
|
||||||
|
while ( $line = <$currentfile> ) {
|
||||||
|
$currentlinenumber++;
|
||||||
|
next if $line =~ /^\s*#/;
|
||||||
|
chomp $line;
|
||||||
|
next if $line =~ /^\s*$/;
|
||||||
|
$line =~ s/#.*$//; # Remove Trailing Comments -- result might be a blank line
|
||||||
|
$line =~ s/^\s+//; # Remove Leading white space
|
||||||
|
$line =~ s/\s+$//; # Remove Trailing white space
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
close_file;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Provide the passed default value for the passed configuration variable
|
# Provide the passed default value for the passed configuration variable
|
||||||
#
|
#
|
||||||
@ -971,7 +996,7 @@ sub get_capabilities( $ ) {
|
|||||||
# If we successfully called open_file above, then this loop will read the capabilities file.
|
# If we successfully called open_file above, then this loop will read the capabilities file.
|
||||||
# Otherwise, the first call to read_a_line() below will return false
|
# Otherwise, the first call to read_a_line() below will return false
|
||||||
#
|
#
|
||||||
while ( read_a_line ) {
|
while ( read_a_line1 ) {
|
||||||
if ( $line =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
|
if ( $line =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
|
||||||
my ($var, $val) = ($1, $2);
|
my ($var, $val) = ($1, $2);
|
||||||
unless ( exists $capabilities{$var} ) {
|
unless ( exists $capabilities{$var} ) {
|
||||||
@ -992,6 +1017,31 @@ sub get_capabilities( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub get_protos_and_ports() {
|
||||||
|
open_file '/etc/protocols' or fatal_error "Cannot open /etc/protocols: $!";
|
||||||
|
|
||||||
|
while ( read_a_line1 ) {
|
||||||
|
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
|
||||||
|
|
||||||
|
$protocols{ $proto1 } = $number;
|
||||||
|
$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';
|
||||||
|
}
|
||||||
|
|
||||||
|
open_file '/etc/services' or fatal_error "Cannot open /etc/services: $!";
|
||||||
|
|
||||||
|
while ( read_a_line1 ) {
|
||||||
|
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
|
||||||
|
|
||||||
|
my ( $number, $proto ) = split '/', $proto_number;
|
||||||
|
|
||||||
|
$services{ $name1 } = $number;
|
||||||
|
|
||||||
|
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
|
||||||
|
$services{ $name1 } = $number;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# - Read the shorewall.conf file
|
# - Read the shorewall.conf file
|
||||||
# - Read the capabilities file, if any
|
# - Read the capabilities file, if any
|
||||||
@ -1084,6 +1134,7 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
default_yes_no 'EXPORTPARAMS' , '';
|
default_yes_no 'EXPORTPARAMS' , '';
|
||||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
|
default_yes_no 'VALIDATE_PORTS' , 'Yes';
|
||||||
|
|
||||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||||
|
|
||||||
@ -1201,29 +1252,7 @@ sub get_configuration( $ ) {
|
|||||||
$config{LOCKFILE} = '';
|
$config{LOCKFILE} = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
open_file '/etc/protocols' or fatal_error "Cannot open /etc/protocols: $!";
|
get_protos_and_ports if $config{VALIDATE_PORTS};
|
||||||
|
|
||||||
while ( read_a_line ) {
|
|
||||||
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
|
|
||||||
|
|
||||||
$protocols{ $proto1 } = $number;
|
|
||||||
$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
open_file '/etc/services' or fatal_error "Cannot open /etc/services: $!";
|
|
||||||
|
|
||||||
while ( read_a_line ) {
|
|
||||||
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
|
|
||||||
|
|
||||||
my ( $number, $proto ) = split '/', $proto_number;
|
|
||||||
|
|
||||||
$services{ $name1 } = $number;
|
|
||||||
|
|
||||||
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
|
|
||||||
$services{ $name1 } = $number;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
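Review bot: In get_protos_and_ports the /etc/protocols alias handling is asymmetric: `$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';` drops the second alias whenever a third column is present and never records the third, while the /etc/services loop just below stores every alias. Unless that asymmetry is intentional, reading the entry as `( $proto1, $number, @aliases )` and looping over `@aliases` the same way gives both files the same treatment; the rewrite is below. Separately, read_a_line1 ends in a `while` loop with no explicit return, so its false result at end of file relies on the unspecified value of a loop as last statement; an explicit `return 0;` after the outer loop (matching read_a_line, if it does the same) would pin it. Also note the fixed upper field counts passed to split_line (4 and 10): if split_line treats the maximum as fatal, an unusual but valid system file would abort the compile rather than merely being misread.
```perl
while ( read_a_line1 ) {
    my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');

    $protocols{ $proto1 } = $number;

    while ( defined ( my $alias = shift @aliases ) && $alias ne '-' ) {
        $protocols{ $alias } = $number;
    }
}
# ... unchanged: /etc/services loop ...
```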
|