From 77e83f0afdc023d20b00ec56a28f3e5b8f3b323a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 29 Nov 2016 16:33:23 -0800 Subject: [PATCH] Eliminate the CHAIN_SCRIPTS option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 18 ------ Shorewall/Perl/Shorewall/Compiler.pm | 2 +- Shorewall/Perl/Shorewall/Config.pm | 61 +------------------ Shorewall/Perl/Shorewall/Misc.pm | 4 +- Shorewall/Perl/Shorewall/Rules.pm | 46 -------------- Shorewall/Samples/Universal/shorewall.conf | 2 - .../Samples/one-interface/shorewall.conf | 2 - .../Samples/three-interfaces/shorewall.conf | 2 - .../Samples/two-interfaces/shorewall.conf | 2 - Shorewall/configfiles/shorewall.conf | 2 - Shorewall/manpages/shorewall.conf.xml | 16 ----- Shorewall6/Samples6/Universal/shorewall6.conf | 2 - .../Samples6/one-interface/shorewall6.conf | 2 - .../Samples6/three-interfaces/shorewall6.conf | 2 - .../Samples6/two-interfaces/shorewall6.conf | 2 - Shorewall6/configfiles/shorewall6.conf | 2 - Shorewall6/manpages/shorewall6.conf.xml | 16 ----- 17 files changed, 3 insertions(+), 180 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 33b4aaad5..12d7fc815 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2719,24 +2719,6 @@ sub ensure_accounting_chain( $$$ ) $chainref->{restricted} = NO_RESTRICT; $chainref->{ipsec} = $ipsec; $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING}; - - if ( $config{CHAIN_SCRIPTS} ) { - unless ( $chain eq 'accounting' ) { - my $file = find_file $chain; - - if ( -f $file ) { - progress_message "Running $file..."; - - my ( $level, $tag ) = ( '', '' ); - - unless ( my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file" unless $return; - } - } - } - } } $chainref; 
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 975a0f0e0..a2b0cbb14 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -701,7 +701,7 @@ sub compiler { # # Allow user to load Perl modules # - run_user_exit1 'compile'; + run_user_exit 'compile'; # # Create a temp file to hold the script # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 332cc3d34..632de9651 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -155,8 +155,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script propagateconfig append_file run_user_exit - run_user_exit1 - run_user_exit2 generate_aux_config format_warning no_comment @@ -644,6 +642,7 @@ our %eliminated = ( LOGRATE => 1, WIDE_TC_MARKS => 1, HIGH_ROUTE_MARKS => 1, BLACKLISTNEWONLY => 1, + CHAIN_SCRIPTS => 1, ); # # Variables involved in ?IF, ?ELSE ?ENDIF processing @@ -891,7 +890,6 @@ sub initialize( $;$$) { WARNOLDCAPVERSION => undef, DEFER_DNS_RESOLUTION => undef, USE_RT_NAMES => undef, - CHAIN_SCRIPTS => undef, TRACK_RULES => undef, REJECT_ACTION => undef, INLINE_MATCHES => undef, @@ -6213,7 +6211,6 @@ sub get_configuration( $$$$ ) { default_yes_no 'AUTOCOMMENT' , 'Yes'; default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; - default_yes_no 'CHAIN_SCRIPTS' , 'Yes'; if ( supplied ( $val = $config{TRACK_RULES} ) ) { if ( lc( $val ) eq 'file' ) { 
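Review bot: The `CHAIN_SCRIPTS => 1` entry added to `%eliminated` in the `@@ -644,6 +642,7 @@` hunk of Config.pm has no comment, and nothing visible in this patch tells an administrator that a file named after a chain or action on the CONFIG_PATH is no longer evaluated. How `%eliminated` entries are reported is not shown here, so it is unclear whether an existing `CHAIN_SCRIPTS=Yes` setting produces more than a generic notice. Those scripts could add rules to a chain, so a configuration that relied on them may compile to a different ruleset after the upgrade without any error. I would add a comment above the entry, for example `# CHAIN_SCRIPTS: files named after a chain are no longer run; use BEGIN PERL....END PERL instead`, and state the same in the release notes.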
@@ -6730,32 +6727,7 @@ sub append_file( $;$$ ) { $result; } -# -# Run a Perl extension script -# sub run_user_exit( $ ) { - my $chainref = $_[0]; - my $file = find_file $chainref->{name}; - - if ( $config{CHAIN_SCRIPTS} && -f $file ) { - progress_message2 "Running $file..."; - - my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`; - - unless (my $return = eval $command ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } -} - -sub run_user_exit1( $ ) { my $file = find_file $_[0]; if ( -f $file ) { @@ -6787,37 +6759,6 @@ sub run_user_exit1( $ ) { } } -sub run_user_exit2( $$ ) { - my ($file, $chainref) = ( find_file $_[0], $_[1] ); - - if ( $config{CHAIN_SCRIPTS} && -f $file ) { - progress_message2 "Running $file..."; - # - # File may be empty -- in which case eval would fail - # - push_open $file; - - if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) { - close_file; - pop_open; - - unless (my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - - unless ( defined $return ) { - fatal_error "Couldn't do $file: $!" if $!; - fatal_error "Couldn't do $file"; - } - - fatal_error "$file returned a false value"; - } - } - - pop_open; - - } -} - # # Generate the aux config file for Shorewall Lite # diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index b2a8dd854..d55c86d36 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1028,7 +1028,7 @@ sub add_common_rules ( $ ) { ); } - run_user_exit1 'initdone'; + run_user_exit 'initdone'; if ( $upgrade ) { convert_blacklist; 
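Review bot: In the `@@ -6730,32 +6727,7 @@` hunk the exported name `run_user_exit` is kept while its argument changes from a chain reference (`$_[0]->{name}`) to a file name (`find_file $_[0]`) under the same `( $ )` prototype, so a caller that still passes `$chainref` would compile cleanly and then presumably be skipped in silence, because the `-f` test would be applied to a stringified reference. The `run_user_exit $chainref` calls removed in Rules.pm cover the callers visible in this patch, but any outside it cannot be ruled out from here. The hunk also deletes the `# Run a Perl extension script` header without a replacement; I would keep a header such as `# Run the user exit script whose file name is passed in $_[0]` and make `fatal_error "run_user_exit expects a file name" if ref $_[0];` the first statement. The body of `run_user_exit` continues past the end of this hunk.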
@@ -1454,8 +1454,6 @@ sub setup_mac_lists( $ ) { } } - run_user_exit2( 'maclog', $chainref ); - log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne ''; add_ijump $chainref, j => $target; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b4e5060ab..e052599ce 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1027,7 +1027,6 @@ sub complete_policy_chains() { } if ( $name =~ /^all[-2]|[-2]all$/ ) { - run_user_exit $chainref; add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; } } @@ -1038,7 +1037,6 @@ sub complete_policy_chains() { my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )}; if ( $chainref->{referenced} ) { - run_user_exit $chainref; complete_policy_chain $chainref, $zone, $zone1; } } @@ -1057,8 +1055,6 @@ sub complete_policy_chains() { sub complete_standard_chain ( $$$$ ) { my ( $stdchainref, $zone, $zone2, $default ) = @_; - run_user_exit $stdchainref; - my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) }; my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} ); my $policychainref; @@ -1419,27 +1415,6 @@ sub createlogactionchain( $$$$$$ ) { $chainref->{action} = $normalized; - if ( $config{CHAIN_SCRIPTS} ) { - unless ( $targets{$action} & BUILTIN ) { - - set_optflags( $chainref, DONT_OPTIMIZE ); - - my $file = find_file $chain; - - if ( -f $file ) { - progress_message "Running $file..."; - - my @params = split /,/, $param; - - unless ( my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file"; - } - } - } - } - $chainref; } 
@@ -1455,27 +1430,6 @@ sub createsimpleactionchain( $$ ) { $chainref->{action} = $normalized; - if ( $config{CHAIN_SCRIPTS} ) { - unless ( $targets{$action} & BUILTIN ) { - - set_optflags( $chainref, DONT_OPTIMIZE ); - - my $file = find_file $action; - - if ( -f $file ) { - progress_message "Running $file..."; - - my ( $level, $tag ) = ( '', '' ); - - unless ( my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file"; - } - } - } - } - $chainref; } diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 89095b14b..ed9a3c0c5 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -144,8 +144,6 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=No - CLAMPMSS=No CLEAR_TC=Yes diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 2ef95d18e..5aaf63567 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -155,8 +155,6 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=No - CLAMPMSS=No CLEAR_TC=Yes diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index b0e8e18d9..a6320090b 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -152,8 +152,6 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=No - CLAMPMSS=Yes CLEAR_TC=Yes diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index f6646e4bc..6f8ba4cd5 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf 
@@ -155,8 +155,6 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=No - CLAMPMSS=Yes CLEAR_TC=Yes diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 14602587b..3479fe3d0 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -144,8 +144,6 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=Yes - CLAMPMSS=No CLEAR_TC=Yes diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 9e63d7181..6104edfe6 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -533,22 +533,6 @@ - - CHAIN_SCRIPTS={Yes|No} - - - Added in Shorewall 4.5.16. Prior to the availability of BEGIN - PERL....END PERL in configuration files, the only way to execute a - chain-specific script was to create a script file with the same name - as the chain and place it in a directory on the CONFIG_PATH. That - facility has the drawback that the compiler will attempt to run a - non-script file just because it has the same name as a chain. To - disable this facility, set CHAIN_SCRIPTS=No. If not specified or - specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. - - - CLAMPMSS=[Yes| - - CHAIN_SCRIPTS={Yes|No} - - - Added in Shorewall 4.5.16. Prior to the availability of BEGIN - PERL....END PERL in configuration files, the only way to execute a - chain-specific script was to create a script file with the same name - as the chain and place it in a directory on the CONFIG_PATH. That - facility has the drawback that the compiler will attempt to run a - non-script file just because it has the same name as a chain. To - disable this facility, set CHAIN_SCRIPTS=No. If not specified or - specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. - - - CLAMPMSS=[Yes|