Eliminate the CHAIN_SCRIPTS option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a45fe692cc
commit
77e83f0afd
@ -2719,24 +2719,6 @@ sub ensure_accounting_chain( $$$ )
|
|||||||
$chainref->{restricted} = NO_RESTRICT;
|
$chainref->{restricted} = NO_RESTRICT;
|
||||||
$chainref->{ipsec} = $ipsec;
|
$chainref->{ipsec} = $ipsec;
|
||||||
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
|
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
|
||||||
|
|
||||||
if ( $config{CHAIN_SCRIPTS} ) {
|
|
||||||
unless ( $chain eq 'accounting' ) {
|
|
||||||
my $file = find_file $chain;
|
|
||||||
|
|
||||||
if ( -f $file ) {
|
|
||||||
progress_message "Running $file...";
|
|
||||||
|
|
||||||
my ( $level, $tag ) = ( '', '' );
|
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
|
||||||
fatal_error "Couldn't run $file" unless $return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
|
@ -701,7 +701,7 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
# Allow user to load Perl modules
|
# Allow user to load Perl modules
|
||||||
#
|
#
|
||||||
run_user_exit1 'compile';
|
run_user_exit 'compile';
|
||||||
#
|
#
|
||||||
# Create a temp file to hold the script
|
# Create a temp file to hold the script
|
||||||
#
|
#
|
||||||
|
@ -155,8 +155,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
propagateconfig
|
propagateconfig
|
||||||
append_file
|
append_file
|
||||||
run_user_exit
|
run_user_exit
|
||||||
run_user_exit1
|
|
||||||
run_user_exit2
|
|
||||||
generate_aux_config
|
generate_aux_config
|
||||||
format_warning
|
format_warning
|
||||||
no_comment
|
no_comment
|
||||||
@ -644,6 +642,7 @@ our %eliminated = ( LOGRATE => 1,
|
|||||||
WIDE_TC_MARKS => 1,
|
WIDE_TC_MARKS => 1,
|
||||||
HIGH_ROUTE_MARKS => 1,
|
HIGH_ROUTE_MARKS => 1,
|
||||||
BLACKLISTNEWONLY => 1,
|
BLACKLISTNEWONLY => 1,
|
||||||
|
CHAIN_SCRIPTS => 1,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Variables involved in ?IF, ?ELSE ?ENDIF processing
|
# Variables involved in ?IF, ?ELSE ?ENDIF processing
|
||||||
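Review bot: The new `CHAIN_SCRIPTS => 1,` entry in `%eliminated` covers configurations that still set the option (presumably this table drives a "no longer supported" diagnostic; the handling itself is outside this hunk), but nothing in the patch records what replaced the facility, and the only description of it is deleted from the DocBook manpages in the same commit. A one-line comment on the new entry would keep that history with the code: `CHAIN_SCRIPTS => 1,  # chain-named scripts for accounting/action chains were removed; use BEGIN PERL ... END PERL instead`. The deletions in ensure_accounting_chain, createlogactionchain and createsimpleactionchain are where the per-chain hooks disappear, so a user who relied on them with the former default of Yes gets no pointer to the alternative. The enclosing `our %eliminated = (` opens outside the hunk.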
@ -891,7 +890,6 @@ sub initialize( $;$$) {
|
|||||||
WARNOLDCAPVERSION => undef,
|
WARNOLDCAPVERSION => undef,
|
||||||
DEFER_DNS_RESOLUTION => undef,
|
DEFER_DNS_RESOLUTION => undef,
|
||||||
USE_RT_NAMES => undef,
|
USE_RT_NAMES => undef,
|
||||||
CHAIN_SCRIPTS => undef,
|
|
||||||
TRACK_RULES => undef,
|
TRACK_RULES => undef,
|
||||||
REJECT_ACTION => undef,
|
REJECT_ACTION => undef,
|
||||||
INLINE_MATCHES => undef,
|
INLINE_MATCHES => undef,
|
||||||
@ -6213,7 +6211,6 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_yes_no 'AUTOCOMMENT' , 'Yes';
|
default_yes_no 'AUTOCOMMENT' , 'Yes';
|
||||||
default_yes_no 'MULTICAST' , '';
|
default_yes_no 'MULTICAST' , '';
|
||||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
|
||||||
|
|
||||||
if ( supplied ( $val = $config{TRACK_RULES} ) ) {
|
if ( supplied ( $val = $config{TRACK_RULES} ) ) {
|
||||||
if ( lc( $val ) eq 'file' ) {
|
if ( lc( $val ) eq 'file' ) {
|
||||||
@ -6730,32 +6727,7 @@ sub append_file( $;$$ ) {
|
|||||||
$result;
|
$result;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Run a Perl extension script
|
|
||||||
#
|
|
||||||
sub run_user_exit( $ ) {
|
sub run_user_exit( $ ) {
|
||||||
my $chainref = $_[0];
|
|
||||||
my $file = find_file $chainref->{name};
|
|
||||||
|
|
||||||
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
|
|
||||||
progress_message2 "Running $file...";
|
|
||||||
|
|
||||||
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
|
|
||||||
|
|
||||||
unless (my $return = eval $command ) {
|
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
|
||||||
|
|
||||||
unless ( defined $return ) {
|
|
||||||
fatal_error "Couldn't do $file: $!" if $!;
|
|
||||||
fatal_error "Couldn't do $file";
|
|
||||||
}
|
|
||||||
|
|
||||||
fatal_error "$file returned a false value";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub run_user_exit1( $ ) {
|
|
||||||
my $file = find_file $_[0];
|
my $file = find_file $_[0];
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
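Review bot: The surviving `sub run_user_exit( $ )` has lost its header comment, because the `# Run a Perl extension script` block was deleted together with the old body, and its new body is the former run_user_exit1, which continues outside the hunk. Suggest restoring a header that states the contract the visible lines establish: `# Run the user exit named by $_[0]: find_file locates it on CONFIG_PATH and it is executed only if it is a regular file (-f). The file is evaluated as Perl, so CONFIG_PATH directories must be writable only by trusted users.` The removed body also prefixed the script with `package Shorewall::User;\nno strict;\n# line 1 "$file"\n` before the eval; if the retained body (not visible here) evaluates the raw file contents as run_user_exit2 did, parse errors would be reported against the compiler source rather than the user's file, so that prefix may be worth carrying over.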
@ -6787,37 +6759,6 @@ sub run_user_exit1( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub run_user_exit2( $$ ) {
|
|
||||||
my ($file, $chainref) = ( find_file $_[0], $_[1] );
|
|
||||||
|
|
||||||
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
|
|
||||||
progress_message2 "Running $file...";
|
|
||||||
#
|
|
||||||
# File may be empty -- in which case eval would fail
|
|
||||||
#
|
|
||||||
push_open $file;
|
|
||||||
|
|
||||||
if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
|
|
||||||
close_file;
|
|
||||||
pop_open;
|
|
||||||
|
|
||||||
unless (my $return = eval `cat $file` ) {
|
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
|
||||||
|
|
||||||
unless ( defined $return ) {
|
|
||||||
fatal_error "Couldn't do $file: $!" if $!;
|
|
||||||
fatal_error "Couldn't do $file";
|
|
||||||
}
|
|
||||||
|
|
||||||
fatal_error "$file returned a false value";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pop_open;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Generate the aux config file for Shorewall Lite
|
# Generate the aux config file for Shorewall Lite
|
||||||
#
|
#
|
||||||
|
@ -1028,7 +1028,7 @@ sub add_common_rules ( $ ) {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
run_user_exit1 'initdone';
|
run_user_exit 'initdone';
|
||||||
|
|
||||||
if ( $upgrade ) {
|
if ( $upgrade ) {
|
||||||
convert_blacklist;
|
convert_blacklist;
|
||||||
@ -1454,8 +1454,6 @@ sub setup_mac_lists( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
run_user_exit2( 'maclog', $chainref );
|
|
||||||
|
|
||||||
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
|
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
|
||||||
add_ijump $chainref, j => $target;
|
add_ijump $chainref, j => $target;
|
||||||
}
|
}
|
||||||
|
@ -1027,7 +1027,6 @@ sub complete_policy_chains() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $name =~ /^all[-2]|[-2]all$/ ) {
|
if ( $name =~ /^all[-2]|[-2]all$/ ) {
|
||||||
run_user_exit $chainref;
|
|
||||||
add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1038,7 +1037,6 @@ sub complete_policy_chains() {
|
|||||||
my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
|
my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
|
||||||
|
|
||||||
if ( $chainref->{referenced} ) {
|
if ( $chainref->{referenced} ) {
|
||||||
run_user_exit $chainref;
|
|
||||||
complete_policy_chain $chainref, $zone, $zone1;
|
complete_policy_chain $chainref, $zone, $zone1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1057,8 +1055,6 @@ sub complete_policy_chains() {
|
|||||||
sub complete_standard_chain ( $$$$ ) {
|
sub complete_standard_chain ( $$$$ ) {
|
||||||
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
my ( $stdchainref, $zone, $zone2, $default ) = @_;
|
||||||
|
|
||||||
run_user_exit $stdchainref;
|
|
||||||
|
|
||||||
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
||||||
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||||
my $policychainref;
|
my $policychainref;
|
||||||
@ -1419,27 +1415,6 @@ sub createlogactionchain( $$$$$$ ) {
|
|||||||
|
|
||||||
$chainref->{action} = $normalized;
|
$chainref->{action} = $normalized;
|
||||||
|
|
||||||
if ( $config{CHAIN_SCRIPTS} ) {
|
|
||||||
unless ( $targets{$action} & BUILTIN ) {
|
|
||||||
|
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
|
||||||
|
|
||||||
my $file = find_file $chain;
|
|
||||||
|
|
||||||
if ( -f $file ) {
|
|
||||||
progress_message "Running $file...";
|
|
||||||
|
|
||||||
my @params = split /,/, $param;
|
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
|
||||||
fatal_error "Couldn't run $file";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1455,27 +1430,6 @@ sub createsimpleactionchain( $$ ) {
|
|||||||
|
|
||||||
$chainref->{action} = $normalized;
|
$chainref->{action} = $normalized;
|
||||||
|
|
||||||
if ( $config{CHAIN_SCRIPTS} ) {
|
|
||||||
unless ( $targets{$action} & BUILTIN ) {
|
|
||||||
|
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
|
||||||
|
|
||||||
my $file = find_file $action;
|
|
||||||
|
|
||||||
if ( -f $file ) {
|
|
||||||
progress_message "Running $file...";
|
|
||||||
|
|
||||||
my ( $level, $tag ) = ( '', '' );
|
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
|
||||||
fatal_error "Couldn't run $file";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -144,8 +144,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -155,8 +155,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -152,8 +152,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -155,8 +155,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -144,8 +144,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=Yes
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -533,22 +533,6 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
|
|
||||||
PERL....END PERL in configuration files, the only way to execute a
|
|
||||||
chain-specific script was to create a script file with the same name
|
|
||||||
as the chain and place it in a directory on the CONFIG_PATH. That
|
|
||||||
facility has the drawback that the compiler will attempt to run a
|
|
||||||
non-script file just because it has the same name as a chain. To
|
|
||||||
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
|
|
||||||
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|
@ -137,8 +137,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -138,8 +138,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -137,8 +137,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -137,8 +137,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=No
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -137,8 +137,6 @@ BASIC_FILTERS=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
CHAIN_SCRIPTS=Yes
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -453,22 +453,6 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
|
|
||||||
PERL....END PERL in configuration files, the only way to execute a
|
|
||||||
chain-specific script was to create a script file with the same name
|
|
||||||
as the chain and place it in a directory on the CONFIG_PATH. That
|
|
||||||
facility has the drawback that the compiler will attempt to run a
|
|
||||||
non-script file just because it has the same name as a chain. To
|
|
||||||
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
|
|
||||||
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|