From 7289175070e1ae431a56aa71299536af91bd8350 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 22 Nov 2017 10:25:24 -0800
Subject: [PATCH] Chop first config dir if non-root or if compiling for export.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Compiler.pm | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 13 ++++++++++---
 Shorewall/Samples/Universal/shorewall.conf | 2 +-
 Shorewall/Samples/one-interface/shorewall.conf | 2 +-
 Shorewall/Samples/three-interfaces/shorewall.conf | 2 +-
 Shorewall/Samples/two-interfaces/shorewall.conf | 2 +-
 Shorewall/configfiles/shorewall.conf | 2 +-
 Shorewall/configpath | 2 +-
 Shorewall/manpages/shorewall.conf.xml | 12 +++++++++++-
 Shorewall6/Samples6/Universal/shorewall6.conf | 2 +-
 Shorewall6/Samples6/one-interface/shorewall6.conf | 2 +-
 .../Samples6/three-interfaces/shorewall6.conf | 2 +-
 Shorewall6/Samples6/two-interfaces/shorewall6.conf | 2 +-
 Shorewall6/configfiles/shorewall6.conf | 2 +-
 Shorewall6/configpath | 2 +-
 15 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index c3ceb3394..884adc94a 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -59,7 +59,7 @@ our $have_arptables;
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
- Shorewall::Config::initialize($family, $_[1], $_[2]);
+ Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
 Shorewall::Chains::initialize ($family, 1, $export );
 Shorewall::Zones::initialize ($family, $_[0]);
 Shorewall::Nat::initialize($family);
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9de1b98f0..40f4f84e2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
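Review bot: The new `$export` argument is read from Compiler's package global at the moment initialize_package_globals is called, so it has to be assigned before this call; that assignment is outside the hunk, and if it happens later (for instance while the -e option is being parsed), Config's copy would be stale, as would the one Chains already receives on the next line. A one-line comment above the call, `# $export must already be set; Config::initialize stores it for ensure_config_path`, would record the ordering requirement. The sub's body continues past the end of the hunk.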
@@ -675,6 +675,7 @@ our $debug; # Global debugging flag
 our $confess; # If true, use Carp to report errors with stack trace.
 our $family; # Protocol family (4 or 6)
+our $export; # True when compiling for export
 our $toolname; # Name of the tool to use (iptables or iptables6)
 our $toolNAME; # Tool name in CAPS
 our $product; # Name of product that will run the generated script
@@ -788,8 +789,8 @@ sub add_variables( \% );
 # 2. The compiler can run multiple times in the same process so it has to be
 # able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$) {
- ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+sub initialize( $;$$$) {
+ ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 if ( $family == F_IPV4 ) {
 ( $product, $Product, $toolname, $toolNAME ) = qw( shorewall Shorewall iptables IPTABLES );
@@ -5328,7 +5329,13 @@ sub ensure_config_path() {
 fatal_error "CONFIG_PATH not found in $f" unless $config{CONFIG_PATH};
 }
- @config_path = split /:/, $config{CONFIG_PATH};
+ my $path = $config{CONFIG_PATH};
+
+ my $chop = ( $path =~ s/^:// );
+
+ @config_path = split /:/, $path;
+
+ shift @config_path if $chop && ( $export || $> != 0 );
 #
 # To accomodate Cygwin-based compilation, we have separate directories for files whose names
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 358570514..ccb843668 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 6cc8f09ee..734514de2 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
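Review bot: Inserting `$export` as the second positional parameter of `initialize( $;$$$)` silently breaks any caller still passing `( $family, $shorewallrc, $shorewallrc1 )`: the prototype makes the extra argument optional, so an old call stores the shorewallrc hash in `$export` (truthy, so the first CONFIG_PATH directory gets chopped) and shifts both rc files by one position. The diffstat shows only Compiler.pm updated, so if any other caller exists outside this patch it needs the same change. A cheap guard right after the unpack, `fatal_error "initialize: export flag must be a plain scalar" if ref $export;`, would turn that mistake into an immediate error, and the new argument should be listed in the comment block above the sub, which starts outside the hunk.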
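Review bot: After `shift @config_path` the array can end up empty — a CONFIG_PATH of just `:` (or `:dir` compiled for export or by a non-root user) passes the `unless $config{CONFIG_PATH}` check above yet leaves no directory to search, and the failure will surface later as an unrelated file-not-found; `fatal_error "CONFIG_PATH contains no usable directory" unless @config_path;` after the shift would report it at the source. `$>` is the effective UID, so a comment such as `# non-root ($> is the effective uid) and export compiles skip the first directory` would save the next reader a perlvar lookup. On Cygwin, which the comment right after this hunk names as a supported compile environment, an administrator's `$>` is normally not 0, so the first directory would be chopped unconditionally there — worth confirming that is intended. `split /:/` still produces empty elements for `::`, so a value beginning `::` loses only the empty element and still searches the first directory; that predates the change but now interacts with the shift.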
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index ce3a080bc..12505f56a 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -85,7 +85,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index ed4ece56d..5bccdc45c 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -88,7 +88,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 2d3204c91..2afdc9e75 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -77,7 +77,7 @@ UNTRACKED_LOG_LEVEL=
 ARPTABLES=
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall/configpath b/Shorewall/configpath
index 7163dc915..68034431b 100644
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 01d07feaa..d61c2c521 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -673,7 +673,7 @@ CONFIG_PATH=[directory[:directory]...]
+ role="bold">CONFIG_PATH=[[:]directory[:directory]...]
 Specifies where configuration files other than
@@ -701,6 +701,16 @@ /etc/shorewall:/usr/share/shorewall but your particular distribution may set it differently. See the output of shorewall show config for the default on your system.
+
+ Beginning with Shorewall 5.1.10, the CONFIG_PATH setting may
+ begin with a colon (":"), to signal that the first
+ directory listed will be skipped if the
+ user performing a compilation is not root or if the configuration is
+ being compiled for export (-e option specified or if running one of
+ the remote-* commands) . This prevents the compiler from looking in
+ /etc/shorewall[6]/ when compilation is being
+ done by a non-root user or if the generated script is to be sent to
+ a remote firewall system.
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index f50885435..9eac33764 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index b67b031b5..f97b39555 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 69301338b..12e3e5113 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 760f89ded..976efd109 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 0630dfad2..676230114 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
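Review bot: The rewritten CONFIG_PATH line keeps a hard-coded `/usr/share/shorewall6` as its second entry while every other sample and configpath file in this patch spells that directory `${SHAREDIR}/shorewall6`; since the line is being rewritten anyway, `CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"` would keep installs with a non-default SHAREDIR consistent. The Shorewall6/configfiles/shorewall6.conf hunk has the same hard-coded entry.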
@@ -74,7 +74,7 @@ UNTRACKED_LOG_LEVEL=
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
diff --git a/Shorewall6/configpath b/Shorewall6/configpath
index 6e3209453..b6b62f207 100644
--- a/Shorewall6/configpath
+++ b/Shorewall6/configpath
@@ -3,4 +3,4 @@
 #
 # /usr/share/shorewall6/configpath
 #
-CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
+CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"