Implement VALIDATE_PORTS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6609 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-20 01:12:35 +00:00
parent 35a791585c
commit 700f662d04
5 changed files with 78 additions and 28 deletions

View File

@ -8,6 +8,8 @@ Changes in 4.0.0 Beta 6
4) DYNAMIC_ZONES=Yes and bridges. 4) DYNAMIC_ZONES=Yes and bridges.
5) Implement VALIDATE_PORTS
Changes in 4.0.0 Beta 5 Changes in 4.0.0 Beta 5
1) Fix undefined function call when both an input interface and an 1) Fix undefined function call when both an input interface and an

View File

@ -67,6 +67,18 @@ Other changes in Shorewall 4.0.0 Beta 6
are installed, the additional shorewall.conf file is read to see if are installed, the additional shorewall.conf file is read to see if
it specifies a SHOREWALL_COMPILER. it specifies a SHOREWALL_COMPILER.
3) Shorewall-perl validates protocol names and service names against
/etc/protocols and /etc/services. That's the good news. The bad
news is that this extra validation has a fixed overhead of almost
.8 seconds on my x86_64 box. This fixed cost is mostly attributable
to the cost of reading and digesting /etc/services.
To give people the choice of whether they want to incure this fixed
cost on each compilation, I've added a VALIDATE_PORTS option in
/etc/shorewall/shorewall.conf. If you set this to 'No', you can
save the extra processing time but the script may fail at runtime
because of typing errors.
Migration Considerations: Migration Considerations:
1) You cannot simply upgrade your existing Shorewall package. You must 1) You cannot simply upgrade your existing Shorewall package. You must

View File

@ -32,6 +32,12 @@ VERBOSITY=1
SHOREWALL_COMPILER= SHOREWALL_COMPILER=
###############################################################################
# C O M P I L E R O P T I O N S
###############################################################################
VALIDATE_PORTS=Yes
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################

View File

@ -760,7 +760,7 @@ sub validate_proto( $ ) {
return $value if defined $value; return $value if defined $value;
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535; return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
return $proto if $proto eq 'all'; return $proto if $proto eq 'all';
fatal_error "Invalid/Unknown protocol ($proto)"; fatal_error "Invalid/Unknown protocol ($proto)" if $config{VALIDATE_PORTS};
} }
sub validate_portpair( $ ) { sub validate_portpair( $ ) {
@ -782,9 +782,10 @@ sub validate_portpair( $ ) {
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535; $value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
} }
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value; if ( $config{VALIDATE_PORTS} ) {
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
$port = $value; $port = $value;
}
} }
if ( @ports == 2 ) { if ( @ports == 2 ) {

View File

@ -221,6 +221,10 @@ sub initialize() {
EXPORTPARAMS => undef, EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef, SHOREWALL_COMPILER => undef,
# #
# Compiler Options
#
VALIDATE_PORTS => undef,
#
# Packet Disposition # Packet Disposition
# #
MACLIST_DISPOSITION => undef, MACLIST_DISPOSITION => undef,
@ -586,6 +590,27 @@ sub read_a_line {
} }
} }
#
# Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
#
sub read_a_line1 {
while ( $currentfile ) {
while ( $line = <$currentfile> ) {
$currentlinenumber++;
next if $line =~ /^\s*#/;
chomp $line;
next if $line =~ /^\s*$/;
$line =~ s/#.*$//; # Remove Trailing Comments -- result might be a blank line
$line =~ s/^\s+//; # Remove Leading white space
$line =~ s/\s+$//; # Remove Trailing white space
return 1;
}
close_file;
}
}
# #
# Provide the passed default value for the passed configuration variable # Provide the passed default value for the passed configuration variable
# #
@ -971,7 +996,7 @@ sub get_capabilities( $ ) {
# If we successfully called open_file above, then this loop will read the capabilities file. # If we successfully called open_file above, then this loop will read the capabilities file.
# Otherwise, the first call to read_a_line() below will return false # Otherwise, the first call to read_a_line() below will return false
# #
while ( read_a_line ) { while ( read_a_line1 ) {
if ( $line =~ /^([a-zA-Z]\w*)=(.*)$/ ) { if ( $line =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
my ($var, $val) = ($1, $2); my ($var, $val) = ($1, $2);
unless ( exists $capabilities{$var} ) { unless ( exists $capabilities{$var} ) {
@ -992,6 +1017,31 @@ sub get_capabilities( $ ) {
} }
} }
sub get_protos_and_ports() {
open_file '/etc/protocols' or fatal_error "Cannot open /etc/protocols: $!";
while ( read_a_line1 ) {
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
$protocols{ $proto1 } = $number;
$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';
}
open_file '/etc/services' or fatal_error "Cannot open /etc/services: $!";
while ( read_a_line1 ) {
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
my ( $number, $proto ) = split '/', $proto_number;
$services{ $name1 } = $number;
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
$services{ $name1 } = $number;
}
}
}
# #
# - Read the shorewall.conf file # - Read the shorewall.conf file
# - Read the capabilities file, if any # - Read the capabilities file, if any
@ -1084,6 +1134,7 @@ sub get_configuration( $ ) {
default_yes_no 'EXPORTPARAMS' , ''; default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'VALIDATE_PORTS' , 'Yes';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
@ -1201,29 +1252,7 @@ sub get_configuration( $ ) {
$config{LOCKFILE} = ''; $config{LOCKFILE} = '';
} }
open_file '/etc/protocols' or fatal_error "Cannot open /etc/protocols: $!"; get_protos_and_ports if $config{VALIDATE_PORTS};
while ( read_a_line ) {
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
$protocols{ $proto1 } = $number;
$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';
}
open_file '/etc/services' or fatal_error "Cannot open /etc/services: $!";
while ( read_a_line ) {
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
my ( $number, $proto ) = split '/', $proto_number;
$services{ $name1 } = $number;
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
$services{ $name1 } = $number;
}
}
} }
# #