From 7c98a5df9f16ef5cc207101790e63b0b54c9dbbd Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 30 Aug 2006 22:55:39 +0000
Subject: [PATCH] Consolidate some code between rule and default macro processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4494 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 240 +++++++++++++++++-------------------------
 Shorewall/lib.actions | 2 +-
 2 files changed, 100 insertions(+), 142 deletions(-)

diff --git a/Shorewall/compiler b/Shorewall/compiler
index 675e6a88e..6ea800d8e 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -1521,7 +1521,7 @@ __EOF__
 #
 # Not a builtin
 #
- process_actions3a
+ process_action3
 ;;
 esac
 done
@@ -2072,89 +2072,13 @@ __EOF__ fi fi } + # -# Process a record from the rules file +# Process the contents of the USER/GROUP column # -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec +process_userspec() { - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local ratelimit="$8" - local userspec="$9" - local userandgroup= - local logtag= - local nonat= - - # # # # # F u n c t i o n B o d y # # # # # - - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - case $loglevel in - none*) - loglevel= - [ $target = LOG ] && return - ;; - esac - - loglevel=${loglevel%\!} - fi - # - # Save the original target in 'logtarget' for logging rules - # - logtarget=${target%-} - # - # Targets ending in "-" only apply to the nat table - # - [ $target = $logtarget ] && dnat_only= || dnat_only=Yes - - # Tranform the rule: - # - # - parse the user specification - # - set 'target' to the filter table target. - # - make $FW the destination for REDIRECT - # - remove '-' suffix from logtargets while setting 'dnat_only' - # - clear 'address' if it has been set to '-' - [ "x$userspec" = x- ] && userspec= - [ "x$address" = "x-" ] && address= if [ -n "$userspec" ]; then 
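Review bot: The new process_userspec() loses the `-` placeholder handling: `[ "x$userspec" = x- ] && userspec=` is removed from process_rule here and from process_default_macro in the fourth hunk, but it is not re-added inside the extracted function, whereas the sibling process_ratelimit() keeps `[ "x$ratelimit" = "x-" ] && ratelimit=`. Unless both callers already blank a `-` before the call (not visible in this hunk), a rule with `-` in the USER/GROUP column now enters `if [ -n "$userspec" ]`, falls through to the `*)` case and emits `--uid-owner -`, which iptables will reject at load time. Suggest making `[ "x$userspec" = "x-" ] && userspec=` the first line of process_userspec() so both callers are covered. The function's body continues past the end of this hunk.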
@@ -2203,6 +2127,99 @@ process_rule() # $1 = target [ "$userandgroup" = "-m owner" ] && userandgroup= fi +} + +# +# Process the RATE/LIMIT column contents +# +process_ratelimit() { + [ "x$ratelimit" = "x-" ] && ratelimit= + + if [ -n "$ratelimit" ]; then + case $ratelimit in + *:*) + ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" + ;; + *) + ratelimit="-m limit --limit $ratelimit" + ;; + esac + fi +} + +# +# Process a record from the rules file +# +process_rule() # $1 = target + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + # $7 = address + # $8 = ratelimit + # $9 = userspec +{ + local target="$1" + local clients="$2" + local servers="$3" + local protocol="$4" + local ports="$5" + local cports="$6" + local address="$7" + local ratelimit="$8" + local userspec="$9" + local userandgroup= + local logtag= + local nonat= + + # # # # # F u n c t i o n B o d y # # # # # + + process_ratelimit + + # Isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%%:*}" + expandv loglevel + if [ "$loglevel" != "${loglevel%:*}" ]; then + logtag="${loglevel#*:}" + loglevel="${loglevel%:*}" + expandv logtag + fi + + case $loglevel in + none*) + loglevel= + [ $target = LOG ] && return + ;; + esac + + loglevel=${loglevel%\!} + fi + # + # Save the original target in 'logtarget' for logging rules + # + logtarget=${target%-} + # + # Targets ending in "-" only apply to the nat table + # + [ $target = $logtarget ] && dnat_only= || dnat_only=Yes + + # Tranform the rule: + # + # - parse the user specification + # - set 'target' to the filter table target. + # - make $FW the destination for REDIRECT + # - remove '-' suffix from logtargets while setting 'dnat_only' + # - clear 'address' if it has been set to '-' + + [ "x$address" = "x-" ] && address= + + process_userspec case $target in ACCEPT+|NONAT) 
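Review bot: process_ratelimit() and process_userspec() take no arguments and return nothing; they read and rewrite the caller's `ratelimit`, `userspec` and `userandgroup` shell variables through dynamic scoping, and the one-line headers ("Process the RATE/LIMIT column contents") do not say so, which makes the calls in process_rule look like pure validation. Suggest the header for process_ratelimit read `# Rewrites the caller's $ratelimit in place: "-" -> empty, "rate" -> "-m limit --limit rate", "rate:burst" -> adds --limit-burst burst` and a matching note on process_userspec stating that it consumes `$userspec` (stripping any "+command" suffix) and sets `$userandgroup` only when the column is non-empty. Documenting the in/out variables is what lets a reader check that each caller initialises them before the call.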
@@ -2844,68 +2861,9 @@ process_default_macro() # $1 = macro name esac fi - [ "x$userspec" = "x-" ] && userspec= + process_userspec - if [ -n "$userspec" ]; then - - userandgroup="-m owner" - - case "$userspec" in - !*+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - *+*) - if [ -n "${userspec#*+}" ]; then - userandgroup="$userandgroup --cmd-owner ${userspec#*+}" - fi - userspec=${userspec%+*} - ;; - esac - - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}" - ;; - *) - [ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec" - ;; - esac - - [ "$userandgroup" = "-m owner" ] && userandgroup= - fi - - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi + process_ratelimit add_a_rule progress_message "Rule \"$target $protocol $port $cport $ratelimit $userspec\" $DONE" diff --git a/Shorewall/lib.actions b/Shorewall/lib.actions index a1ab355ec..7b5f6ec8f 100644 --- a/Shorewall/lib.actions +++ b/Shorewall/lib.actions 
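Review bot: process_userspec() assigns `userandgroup` only inside its `if [ -n "$userspec" ]` branch, so a caller that does not clear the variable first carries the previous rule's `-m owner ...` match into a rule whose USER/GROUP column is empty. process_rule() guards against this with `local userandgroup=`; process_default_macro() starts outside this hunk, so confirm it resets the variable before the `process_userspec` call added here, or add `userandgroup=` immediately before that call. Silently inheriting an owner match would narrow or widen the generated rule without any error at compile time.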
@@ -713,7 +713,7 @@ process_actions2() {
 #
 # process_action3() is in the compiler. What follows is called from that function when the action
 # being processed is not a builtin.
-process_actions3a() {
+process_action3() {
 local f=action.$xaction1