Validate comma-separated lists

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8109 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-01-26 01:07:57 +00:00
parent f960345b51
commit 7b4abdba94
9 changed files with 36 additions and 29 deletions


@ -956,7 +956,7 @@ sub validate_portpair( $$ ) {
sub validate_port_list( $$ ) {
my $result = '';
my ( $proto, $list ) = @_;
my @list = split/,/, $list;
my @list = split_list $list, 'port';
if ( @list > 1 && $list =~ /:/ ) {
require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
@ -1506,7 +1506,7 @@ sub log_rule( $$$$ ) {
# Split a comma-separated source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
my @input = split_list $_[0], 'host';
return @input unless $_[0] =~ /\[/;
@ -2283,7 +2283,7 @@ sub create_chainlist_reload($) {
my $chains = $_[0];
my @chains = split ',', $chains;
my @chains = split_list $chains, 'chain';
unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst};


@ -138,7 +138,7 @@ sub generate_script_1() {
propagateconfig;
my @dont_load = split /,/, $config{DONT_LOAD};
my @dont_load = split_list $config{DONT_LOAD}, 'module';
emit ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${VERBOSE:=0}" ]',


@ -73,6 +73,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
set_shorewall_dir
set_debug
find_file
split_list
split_line
split_line1
split_line2
@ -854,6 +855,14 @@ sub find_file($)
"$globals{CONFDIR}/$filename";
}
sub split_list( $$ ) {
my ($list, $type ) = @_;
fatal_error "Invalid $type list ($list)" if $list =~ /^,/ or $list =~/,$/ or $list =~ /,,/;
split /,/, $list;
}
#
# Pre-process a line from a configuration file.
@ -1441,7 +1450,7 @@ sub load_kernel_modules( ) {
if ( $moduleloader && open_file 'modules' ) {
my %loadedmodules;
$loadedmodules{$_}++ for split /,/, $config{DONT_LOAD};
$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
progress_message "Loading Modules...";
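Review bot: The new `split_list` helper has no header comment, unlike the neighbouring subs with their `#` banners, and it returns its result implicitly through the final `split`. I would add a banner such as `# Split a comma-separated list; fatal error on a leading, trailing or doubled comma. $type only labels the error message.` and write the last line as `return split /,/, $list;`. The comment should also say that only empty elements are rejected, so callers still have to validate each element before it is placed in a generated rule.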


@ -78,7 +78,7 @@ sub do_ipsec_options($)
my $options = '-m policy --pol ipsec --dir out ';
my $fmt;
for my $e ( split ',' , $list ) {
for my $e ( split_list $list, 'option' ) {
my $val = undef;
my $invert = '';
@ -179,14 +179,12 @@ sub setup_one_masq($$$$$$$)
#
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
for my $fullinterface (split /,/, $interfacelist ) {
for my $fullinterface (split_list $interfacelist, 'interface' ) {
my $rule = '';
my $target = '-j MASQUERADE ';
#
# Isolate and verify the interface part
#
fatal_error "Invalid Interface List ($interfacelist)" unless defined $fullinterface && $fullinterface ne '';
( my $interface = $fullinterface ) =~ s/:.*//;
if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
@ -223,14 +221,14 @@ sub setup_one_masq($$$$$$$)
fatal_error "':random' is not supported by the SAME target" if $randomize;
$target = '-j SAME --nodst ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
for my $addr ( split_list $addresses, 'address' ) {
$target .= "--to $addr ";
}
} elsif ( $addresses =~ /^SAME:/ ) {
fatal_error "':random' is not supported by the SAME target" if $randomize;
$target = '-j SAME ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
for my $addr ( split_list $addresses, 'address' ) {
$target .= "--to $addr ";
}
} elsif ( $addresses eq 'detect' ) {
@ -246,7 +244,7 @@ sub setup_one_masq($$$$$$$)
}
} else {
my $addrlist = '';
for my $addr ( split /,/, $addresses ) {
for my $addr ( split_list $addresses , 'address' ) {
if ( $addr =~ /^.*\..*\..*\./ ) {
$target = '-j SNAT ';
$addrlist .= "--to-source $addr ";
@ -288,7 +286,7 @@ sub setup_one_masq($$$$$$$)
if ( $add_snat_aliases ) {
my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
for my $address ( split /,/, $addresses ) {
for my $address ( split_list $addresses, 'address' ) {
my ( $addrs, $port ) = split /:/, $address;
next unless $addrs;
next if $addrs eq 'detect';
@ -443,7 +441,7 @@ sub setup_nat() {
$digit = defined $digit ? ":$digit" : '';
for my $interface ( split /,/, $interfacelist ) {
for my $interface ( split_list $interfacelist , 'interface' ) {
fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
}
@ -469,7 +467,7 @@ sub setup_netmap() {
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
for my $interface ( split /,/, $interfacelist ) {
for my $interface ( split_list $interfacelist, 'interface' ) {
my $rulein = '';
my $ruleout = '';
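Review bot: The empty-element guard that remains in the setup_nat loop, `fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';`, appears to be unreachable now. `split_list` already stops on a leading, trailing or doubled comma, and the equivalent guard was dropped from the first setup_one_masq hunk. Removing it here as well would keep the two loops consistent and leave a single error message for a malformed interface list. The bodies of both functions extend beyond the hunks shown.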


@ -268,7 +268,7 @@ sub add_a_provider( $$$$$$$$ ) {
my ( $loose, $track, $balance , $optional ) = (0,0,0,interface_is_optional( $interface ));
unless ( $options eq '-' ) {
for my $option ( split /,/, $options ) {
for my $option ( split_list $options, 'option' ) {
if ( $option eq 'track' ) {
$track = 1;
} elsif ( $option =~ /^balance=(\d+)$/ ) {


@ -176,7 +176,7 @@ sub setup_ecn()
$hosts = ALLIPv4 if $hosts eq '-';
for my $host( split /,/, $hosts ) {
for my $host( split_list $hosts, 'host' ) {
push @hosts, [ $interface, $host ];
}
}
@ -241,7 +241,7 @@ sub setup_rfc1918_filteration( $ ) {
fatal_error "Invalid target ($target) for $networks";
}
for my $network ( split /,/, $networks ) {
for my $network ( split_list $networks, 'network' ) {
add_rule $norfc1918ref , match_source_net( $network ) . "-j $s_target";
add_rule $chainref , match_orig_dest( $network ) . "-j $target" ;
}
@ -356,13 +356,13 @@ sub process_criticalhosts() {
my @hosts;
for my $host ( split /,/, $hosts ) {
for my $host ( split_list $hosts, 'host' ) {
validate_net $host, 1;
push @hosts, "$interface:$host";
}
unless ( $options eq '-' ) {
for my $option (split /,/, $options ) {
for my $option (split_list $options, 'option' ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) {
if ( $option eq 'critical' ) {
push @critical, @hosts;


@ -327,7 +327,7 @@ sub validate_tc_device( $$$$ ) {
my $classify = 0;
if ( $options ne '-' ) {
for my $option ( split /,/, $options ) {
for my $option ( split_list $options, 'option' ) {
if ( $option eq 'classify' ) {
$classify = 1;
} else {
@ -388,7 +388,7 @@ sub validate_tc_class( $$$$$$ ) {
$tcref = $tcref->{$markval};
unless ( $options eq '-' ) {
for my $option ( split /,/, "\L$options" ) {
for my $option ( split_list "\L$options", 'option' ) {
my $optval = $tosoptions{$option};
$option = $optval if $optval;


@ -81,7 +81,7 @@ sub setup_tunnels() {
}
unless ( $gatewayzones eq '-' ) {
for my $zone ( split /,/, $gatewayzones ) {
for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;


@ -187,7 +187,7 @@ sub parse_zone_option_list($$)
my $fmt;
if ( $list ne '-' ) {
for my $e ( split ',' , $list ) {
for my $e ( split_list $list, 'option' ) {
my $val = undef;
my $invert = '';
@ -248,7 +248,7 @@ sub determine_zones()
if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1;
@parents = split ',', $2;
@parents = split_list $2, 'zone';
for my $p ( @parents ) {
fatal_error "Invalid Parent List ($2)" unless $p;
@ -647,7 +647,7 @@ sub validate_interfaces_file( $ )
}
unless ( $networks eq '' || $networks eq 'detect' ) {
my @broadcasts = split /,/, $networks;
my @broadcasts = split $networks, 'address';
for my $address ( @broadcasts ) {
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@ -666,7 +666,7 @@ sub validate_interfaces_file( $ )
if ( $options ) {
for my $option (split ',', $options ) {
for my $option (split_list $options, 'option' ) {
next if $option eq '-';
( $option, my $value ) = split /=/, $option;
@ -931,7 +931,7 @@ sub validate_hosts_file()
my $optionsref = {};
if ( $options ne '-' ) {
my @options = split ',', $options;
my @options = split_list $options, 'option';
my %options;
for my $option ( @options )
@ -964,7 +964,7 @@ sub validate_hosts_file()
#
$hosts = join( '', ALLIPv4 , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
add_group_to_zone( $zone, $type , $interface, [ split( ',', $hosts ) ] , $optionsref);
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
progress_message " Host \"$currentline\" validated";
}
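Review bot: In the validate_interfaces_file hunk the replacement line reads `my @broadcasts = split $networks, 'address';`, which calls the builtin `split` rather than `split_list`. That uses `$networks` as the pattern and splits the literal string 'address', so the configured BROADCAST values are never examined. The loop then sees 'address' (or fragments of it), which cannot match the dotted-quad test, so any explicit broadcast list would presumably be rejected with 'Invalid BROADCAST address'. The line should be `my @broadcasts = split_list $networks, 'address';`. Separately, in determine_zones the check `fatal_error "Invalid Parent List ($2)" unless $p;` looks redundant now that `split_list` rejects empty elements.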