Pre-process standard files up front

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5070 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-12-09 19:01:42 +00:00
parent 14839970ba
commit 7d68533ab2
11 changed files with 89 additions and 117 deletions


@ -479,11 +479,7 @@ validate_policy()
fi fi
done done
strip_file policy
while read client server policy loglevel synparams; do while read client server policy loglevel synparams; do
expandv client server policy loglevel synparams
clientwild= clientwild=
serverwild= serverwild=
@ -815,15 +811,12 @@ setup_ecn() # $1 = file name
local hosts= local hosts=
local h local h
strip_file ecn $1
if [ -s ${TMP_DIR}/ecn ]; then if [ -s ${TMP_DIR}/ecn ]; then
save_progress_message "Setting up ECN..." save_progress_message "Setting up ECN..."
progress_message2 "$DOING $1..." progress_message2 "$DOING $1..."
while read interface host; do while read interface host; do
expandv interface host
list_search $interface $ALL_INTERFACES || \ list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface" fatal_error "Unknown interface $interface"
list_search $interface $interfaces || \ list_search $interface $interfaces || \
@ -909,7 +902,7 @@ setup_tc1() {
# #
# Process the TC Rules File # Process the TC Rules File
# #
if [ -n "$LIB_tcrules_LOADED" ]; then if [ -s $TMP_DIR/tcrules ]; then
save_progress_message "Setting up TC Rules..." save_progress_message "Setting up TC Rules..."
save_command setup_tc_rules save_command setup_tc_rules
save_command save_command
@ -2084,11 +2077,9 @@ process_rule() # $1 = target
else else
loglevel="${target#*:}" loglevel="${target#*:}"
target="${target%%:*}" target="${target%%:*}"
expandv loglevel
if [ "$loglevel" != "${loglevel%:*}" ]; then if [ "$loglevel" != "${loglevel%:*}" ]; then
logtag="${loglevel#*:}" logtag="${loglevel#*:}"
loglevel="${loglevel%:*}" loglevel="${loglevel%:*}"
expandv logtag
fi fi
case $loglevel in case $loglevel in
@ -2430,8 +2421,6 @@ process_macro() # $1 = target
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $itarget $mtarget) mtarget=$(merge_levels $itarget $mtarget)
case $mtarget in case $mtarget in
@ -2550,8 +2539,6 @@ process_rules()
{ {
local intrazone= local intrazone=
expandv xprotocol xports xcports xaddress xratelimit xuserspec
if [ -z "$SECTIONS" ]; then if [ -z "$SECTIONS" ]; then
finish_section ESTABLISHED,RELATED finish_section ESTABLISHED,RELATED
SECTIONS="ESTABLISHED RELATED NEW" SECTIONS="ESTABLISHED RELATED NEW"
@ -2612,8 +2599,6 @@ process_rules()
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
expandv xtarget xclients xservers
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
progress_message " Rule \"$rule\" ignored." progress_message " Rule \"$rule\" ignored."
@ -2745,7 +2730,6 @@ process_default_macro() # $1 = macro name
progress_message "..Expanding Default Macro $f into chain $macro..." progress_message "..Expanding Default Macro $f into chain $macro..."
while read target client server protocol port cport ratelimit userspec; do while read target client server protocol port cport ratelimit userspec; do
expandv target client server protocol port cport ratelimit userspec
rule="$target ${client:--} ${server:--} ${protocol:--} ${port:--} ${cport:--} ${ratelimit:--} ${userspec:--}" rule="$target ${client:--} ${server:--} ${protocol:--} ${port:--} ${cport:--} ${ratelimit:--} ${userspec:--}"
case $target in case $target in
@ -2993,8 +2977,6 @@ process_tos() # $1 = name of tos file
stdchain=FORWARD stdchain=FORWARD
fi fi
strip_file tos $1
if [ -s $TMP_DIR/tos ] ; then if [ -s $TMP_DIR/tos ] ; then
save_progress_message "Setting up TOS..." save_progress_message "Setting up TOS..."
@ -3005,7 +2987,6 @@ process_tos() # $1 = name of tos file
createmanglechain outtos createmanglechain outtos
while read src dst protocol sport dport tos; do while read src dst protocol sport dport tos; do
expandv src dst protocol sport dport tos
rule="$(echo $src $dst $protocol $sport $dport $tos)" rule="$(echo $src $dst $protocol $sport $dport $tos)"
process_tos_rule process_tos_rule
done < $TMP_DIR/tos done < $TMP_DIR/tos
@ -3308,7 +3289,6 @@ process_blacklist()
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
strip_file blacklist $f
progress_message2 "Compiling $f..." progress_message2 "Compiling $f..."
cat >&3 << __EOF__ cat >&3 << __EOF__
@ -3321,7 +3301,6 @@ __EOF__
INDENT=" " INDENT=" "
while read networks protocol ports; do while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec process_blacklist_rec
done < $TMP_DIR/blacklist done < $TMP_DIR/blacklist
@ -3506,8 +3485,6 @@ __EOF__
save_progress_message "Setting up RFC1918 Filtering..." save_progress_message "Setting up RFC1918 Filtering..."
strip_file rfc1918
createchain norfc1918 no createchain norfc1918 no
createchain rfc1918 no createchain rfc1918 no
@ -5117,15 +5094,12 @@ __EOF__
determine_interfaces determine_interfaces
determine_hosts determine_hosts
if strip_file_and_lib_load tcrules tcrules; then if [ -s $TMP_DIR/tcrules ]; then
progress_message2 "Compiling $(find_file tcrules)..." progress_message2 "Compiling $(find_file tcrules)..."
process_tc_rules process_tc_rules
fi fi
if [ "$TC_ENABLED" = Internal ]; then if [ "$TC_ENABLED" = Internal ]; then
strip_file_and_lib_load tcdevices tc
strip_file_and_lib_load tcclasses tc
[ -n "$LIB_tc_LOADED" ] && setup_traffic_shaping [ -n "$LIB_tc_LOADED" ] && setup_traffic_shaping
fi fi
@ -5181,9 +5155,6 @@ __EOF__
append_file init append_file init
strip_file rules
strip_file maclist
TERMINATOR=fatal_error TERMINATOR=fatal_error
deletechain shorewall deletechain shorewall
@ -5278,8 +5249,6 @@ __EOF__
progress_message2 "$DOING $f ..." progress_message2 "$DOING $f ..."
strip_file routestopped $f
process_routestopped -A process_routestopped -A
if [ -n "$DISABLE_IPV6" ]; then if [ -n "$DISABLE_IPV6" ]; then
@ -5302,7 +5271,7 @@ __EOF__
run_iptables -A $chain -p udp --dport 53 -j ACCEPT run_iptables -A $chain -p udp --dport 53 -j ACCEPT
done done
strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting) [ -n "$LIB_accounting_LOADED" ] && setup_accounting $(find_file accounting)
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
@ -5345,7 +5314,7 @@ __EOF__
createchain $(out_chain $interface) no createchain $(out_chain $interface) no
done done
if strip_file_and_lib_load proxyarp proxyarp; then if [ -s $TMP_DIR/proxyarp ]; then
progress_message2 "$DOING Proxy ARP" progress_message2 "$DOING Proxy ARP"
setup_proxy_arp setup_proxy_arp
else else
@ -5355,7 +5324,7 @@ __EOF__
# #
# [re]-Establish routing # [re]-Establish routing
# #
if strip_file_and_lib_load providers providers; then if [ -s $TMP_DIR/providers ]; then
setup_providers $(find_file providers) setup_providers $(find_file providers)
[ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking [ -n "$ROUTEMARK_INTERFACES" ] && setup_route_marking
else else
@ -5364,14 +5333,15 @@ __EOF__
save_command restore_default_route save_command restore_default_route
fi fi
if strip_file_and_lib_load nat nat; then
if [ -s $TMP_DIR/nat ]; then
progress_message2 "$DOING NAT..." progress_message2 "$DOING NAT..."
setup_nat setup_nat
else else
> $STATEDIR/nat > $STATEDIR/nat
fi fi
if strip_file_and_lib_load netmap nat; then if [ -s $TMP_DIR/netmap ]; then
progress_message2 "$DOING NETMAP..." progress_message2 "$DOING NETMAP..."
setup_netmap setup_netmap
fi fi
@ -5396,7 +5366,7 @@ __EOF__
save_progress_message "Setting up Rules..." save_progress_message "Setting up Rules..."
process_rules process_rules
if strip_file_and_lib_load tunnels tunnels; then if [ -s $TMP_DIR/tunnels ]; then
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
progress_message2 "$DOING $tunnels..." progress_message2 "$DOING $tunnels..."
save_progress_message "Setting up Tunnels..." save_progress_message "Setting up Tunnels..."
@ -5428,7 +5398,7 @@ __EOF__
progress_message2 "$DOING $(find_file policy)..."; apply_policy_rules progress_message2 "$DOING $(find_file policy)..."; apply_policy_rules
if strip_file_and_lib_load masq nat; then if [ -s $TMP_DIR/nat ]; then
setup_masq $(find_file masq) setup_masq $(find_file masq)
fi fi
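Review bot: The masq guard in the last hunk of this file tests the wrong pre-processed file: `if [ -s $TMP_DIR/nat ]; then` is followed by `setup_masq $(find_file masq)`, so masquerading/SNAT rules are generated only when the one-to-one nat file has entries and are silently skipped when only masq does. The condition should be `if [ -s $TMP_DIR/masq ]; then`. The replaced `strip_file_and_lib_load` conditions presumably also reflected whether the library loaded, whereas the new guards (proxyarp, providers, nat, netmap, tunnels) check only that the stripped file is non-empty, while the accounting line checks `$LIB_accounting_LOADED` instead; if a library can fail to load, pairing each `-s` test with the matching loaded flag would keep the earlier behaviour. The enclosing function starts and ends outside these hunks.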


@ -242,7 +242,6 @@ setup_accounting() # $1 = Name of accounting file
strip_file accounting $1 strip_file accounting $1
while read action chain source dest proto port sport user ; do while read action chain source dest proto port sport user ; do
expandv action chain source dest proto port sport user
process_accounting_rule process_accounting_rule
done < $TMP_DIR/accounting done < $TMP_DIR/accounting


@ -329,11 +329,9 @@ process_action() # $1 = chain (Chain to add the rules to)
else else
loglevel="${target#*:}" loglevel="${target#*:}"
target="${target%%:*}" target="${target%%:*}"
expandv loglevel
if [ "$loglevel" != "${loglevel%:*}" ]; then if [ "$loglevel" != "${loglevel%:*}" ]; then
logtag="${loglevel#*:}" logtag="${loglevel#*:}"
loglevel="${loglevel%:*}" loglevel="${loglevel%:*}"
expandv logtag
fi fi
case $loglevel in case $loglevel in
@ -588,7 +586,6 @@ process_actions1() {
progress_message2 " Pre-processing $fn..." progress_message2 " Pre-processing $fn..."
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget
temp="${xtarget%%:*}" temp="${xtarget%%:*}"
case "$temp" in case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
@ -630,7 +627,6 @@ process_actions1() {
progress_message " ..Expanding Macro $fn..." progress_message " ..Expanding Macro $fn..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget
temp="${mtarget%%:*}" temp="${mtarget%%:*}"
case "$temp" in case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
@ -726,7 +722,6 @@ process_action3() {
progress_message2 "$DOING $(find_file $f) for Chain $xchain..." progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
expandv xtarget
# #
# Generate the target:level:tag to pass to process_action() # Generate the target:level:tag to pass to process_action()
# #
@ -768,8 +763,6 @@ process_action3() {
;; ;;
esac esac
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
if [ -n "$is_macro" ]; then if [ -n "$is_macro" ]; then
xtarget1=$(map_old_action $xtarget1) xtarget1=$(map_old_action $xtarget1)
@ -783,7 +776,6 @@ process_action3() {
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $xaction2 $mtarget) mtarget=$(merge_levels $xaction2 $mtarget)
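Review bot: In the process_actions1 hunk the loop header `while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do` hands read the value of xuserspec rather than its name. When that value is empty the user-spec column is folded into xratelimit, and when it holds a leftover value read assigns to whatever variable that text names. The last name should be plain `xuserspec`, as it is in the process_action3 loop further down. The loop body continues outside the hunk.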


@ -179,20 +179,6 @@ expand() # $@ = contents of variable which may be the name of another variable
eval echo \"$@\" eval echo \"$@\"
} }
#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval
while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}
# #
# Add whitespace after leading "!" # Add whitespace after leading "!"
# #
@ -215,6 +201,30 @@ fix_bang()
echo $result echo $result
} }
#
# Read the zones file and find the firewall zone
#
get_firewall_zone() {
local zone type rest comment='#*' f=$(find_file zones)
[ -f $f ] || startup_error "Unable to find zones file"
while read zone type rest; do
case $zone in
$comment)
;;
*)
if [ "x$type" = xfirewall ]; then
FW=$zone
return
fi
;;
esac
done < $f
startup_error "No firewall zone defined"
}
# #
# This function assumes that the TMP_DIR variable is set and that # This function assumes that the TMP_DIR variable is set and that
# its value names an existing directory. # its value names an existing directory.
@ -241,17 +251,13 @@ determine_zones()
fi fi
} }
strip_file zones
ZONES= ZONES=
IPV4_ZONES= IPV4_ZONES=
IPSEC_ZONES= IPSEC_ZONES=
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" [ "$IPSECFILE" = zones ] && new_zone_file=Yes
while read zone type rest; do while read zone type rest; do
expandv zone type
case $zone in case $zone in
*:*) *:*)
parents=${zone#*:} parents=${zone#*:}
@ -334,7 +340,6 @@ validate_interfaces_file() {
local z interface networks options r iface option local z interface networks options r iface option
while read z interface networks options; do while read z interface networks options; do
expandv z interface networks options
r="$z $interface $networks $options" r="$z $interface $networks $options"
[ "x$z" = "x-" ] && z= [ "x$z" = "x-" ] && z=
@ -495,20 +500,16 @@ setup_ipsec() {
progress_message "$DOING IPSEC..." progress_message "$DOING IPSEC..."
[ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..." [ $PROGRAM = compiler -a -n "$IPSEC_ZONES" ] && save_progress_message "Setting up IPSEC management..."
;; ;;
*) ipsec)
f=$IPSECFILE
strip_file $f
using_ipsec=Yes using_ipsec=Yes
if [ -s ${TMP_DIR}/$f ]; then if [ -s ${TMP_DIR}/ipsec ]; then
progress_message "$DOING $f..." progress_message "$DOING ipsec..."
[ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..."
fi fi
;; ;;
esac esac
while read zone type options in_options out_options mss; do while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone" validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi fi
@ -551,7 +552,6 @@ validate_hosts_file() {
} }
while read z hosts options; do while read z hosts options; do
expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
@ -1137,7 +1137,6 @@ find_hosts() # $1 = host zone
while read z hosts options; do while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then if [ "x$(expand $z)" = "x$1" ]; then
expandv hosts
interface=${hosts%%:*} interface=${hosts%%:*}
addresses=${hosts#*:} addresses=${hosts#*:}
case $addresses in case $addresses in
@ -1166,8 +1165,7 @@ find_exclusions() # $1 = host zone
local hosts interface address addresses local hosts interface address addresses
while read z hosts options; do while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then if [ "x$z" = "x$1" ]; then
expandv hosts
interface=${hosts%%:*} interface=${hosts%%:*}
addresses=${hosts#*:} addresses=${hosts#*:}
case $addresses in case $addresses in
@ -1335,11 +1333,9 @@ find_hosts_by_option() # $1 = option
local ignore hosts interface address addresses options ipsec= list local ignore hosts interface address addresses options ipsec= list
while read ignore hosts options; do while read ignore hosts options; do
expandv options
list=$(separate_list $options) list=$(separate_list $options)
if list_search $1 $list; then if list_search $1 $list; then
list_search ipsec $list && ipsec=ipsec || ipsec=none list_search ipsec $list && ipsec=ipsec || ipsec=none
expandv hosts
interface=${hosts%%:*} interface=${hosts%%:*}
addresses=${hosts#*:} addresses=${hosts#*:}
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
@ -1362,7 +1358,6 @@ process_routestopped() # $1 = command
local hosts= interface host host1 options networks source= dest= matched local hosts= interface host host1 options networks source= dest= matched
while read interface host options; do while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do for h in $(separate_list $host); do
hosts="$hosts $interface:$h" hosts="$hosts $interface:$h"
@ -1438,11 +1433,7 @@ process_criticalhosts()
{ {
local hosts= interface host h options networks criticalhosts= local hosts= interface host h options networks criticalhosts=
strip_file routestopped
while read interface host options; do while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
if [ -n "$options" ]; then if [ -n "$options" ]; then
@ -1574,7 +1565,7 @@ read_file() # $1 = file name, $2 = nest count
error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)" error_message "WARNING: INCLUDE in $1 ignored (nested too deeply)"
fi fi
else else
echo "$first $rest" echo "$(expand $first $rest)"
fi fi
done < $1 done < $1
else else
@ -1888,7 +1879,7 @@ do_initialize() {
f=$(find_file capabilities) f=$(find_file capabilities)
if [ -f $f ] && . $f || determine_capabilities [ -f $f ] && . $f || determine_capabilities
else else
f=$(find_file capabilities) f=$(find_file capabilities)
@ -1896,6 +1887,8 @@ do_initialize() {
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file" [ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
fi fi
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit" LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
@ -2021,14 +2014,6 @@ do_initialize() {
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in case ${MACLIST_TABLE:=filter} in
filter) filter)
;; ;;
@ -2098,11 +2083,6 @@ do_initialize() {
;; ;;
esac esac
# #
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
#
# Check out the user's shell # Check out the user's shell
# #
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ] [ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
@ -2118,4 +2098,50 @@ do_initialize() {
fi fi
qt mywhich awk && HAVEAWK=Yes || HAVEAWK= qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
case ${IPSECFILE:=ipsec} in
ipsec)
[ -n "${FW:=fw}" ]
strip_file ipsec
;;
zones)
get_firewall_zone
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
strip_file zones
strip_file routestopped
strip_file interfaces
strip_file hosts
if [ $PROGRAM = compiler ]; then
strip_file_and_lib_load accounting accounting
strip_file blacklist
strip_file ecn
strip_file maclist
strip_file_and_lib_load masq nat
strip_file_and_lib_load nat nat
strip_file_and_lib_load netmap nat
strip_file policy
strip_file_and_lib_load providers providers
strip_file_and_lib_load proxyarp proxyarp
strip_file rfc1918
strip_file routestopped
strip_file rules
if [ "$TC_ENABLED" = Internal ]; then
strip_file_and_lib_load tcdevices tc
strip_file_and_lib_load tcclasses tc
fi
strip_file_and_lib_load tcrules tcrules
strip_file tos
strip_file_and_lib_load tunnels tunnels
fi
FW=
} }
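Review bot: The new `echo "$(expand $first $rest)"` in read_file passes the record unquoted, so it is word-split and glob-expanded against the current directory before expand's `eval echo \"$@\"` sees it; a field containing `*`, `?` or `[...]` can be replaced by matching file names. Quote the argument: `echo "$(expand "$first $rest")"`. The change also moves the eval from the columns named in the removed expandv calls to every record read_file emits, presumably including INCLUDEd files, so a `$(...)`, backquote or stray double quote anywhere in a configuration file is now interpreted by the shell running the compiler. That makes write access to the configuration directory and to any included file equivalent to running commands as that user, and a comment above read_file should state this. read_file's body starts and ends outside the hunk.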


@ -114,7 +114,6 @@ setup_mac_lists() # $1 = Phase Number
# Process the maclist file producing the verification rules # Process the maclist file producing the verification rules
# #
while read disposition interface mac addresses; do while read disposition interface mac addresses; do
expandv disposition interface mac addresses
level= level=


@ -432,7 +432,6 @@ __EOF__
save_progress_message "Setting up Masquerading/SNAT..." save_progress_message "Setting up Masquerading/SNAT..."
while read fullinterface networks addresses proto ports ipsec; do while read fullinterface networks addresses proto ports ipsec; do
expandv fullinterface networks addresses proto ports ipsec
if [ -n "$NAT_ENABLED" ]; then if [ -n "$NAT_ENABLED" ]; then
if [ "x$fullinterface" = xCOMMENT ]; then if [ "x$fullinterface" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
@ -530,7 +529,6 @@ setup_nat() {
save_progress_message "Setting up one-to-one NAT..." save_progress_message "Setting up one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat
if [ "x$external" = xCOMMENT ]; then if [ "x$external" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
@ -560,7 +558,6 @@ setup_nat() {
setup_netmap() { setup_netmap() {
while read type net1 interface net2 ; do while read type net1 interface net2 ; do
expandv type net1 interface net2
list_search $interface $ALL_INTERFACES || \ list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""


@ -347,7 +347,6 @@ __EOF__
save_command "DEFAULT_ROUTE=" save_command "DEFAULT_ROUTE="
while read table number mark duplicate interface gateway options copy; do while read table number mark duplicate interface gateway options copy; do
expandv table number mark duplicate interface gateway options copy
provider="$table $number $mark $duplicate $interface $gateway $options $copy" provider="$table $number $mark $duplicate $interface $gateway $options $copy"
add_a_provider add_a_provider
PROVIDERS="$PROVIDERS $table" PROVIDERS="$PROVIDERS $table"
@ -405,7 +404,6 @@ __EOF__
save_command save_command
while read source dest provider priority; do while read source dest provider priority; do
expandv source dest provider priority
rule="$source $dest $priority $provider" rule="$source $dest $priority $provider"
add_an_rtrule add_an_rtrule
done < $TMP_DIR/route_rules done < $TMP_DIR/route_rules


@ -101,7 +101,6 @@ __EOF__
save_progress_message "Setting up Proxy ARP..." save_progress_message "Setting up Proxy ARP..."
while read address interface external haveroute persistent; do while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent
list_search $interface $setlist || setlist="$setlist $interface" list_search $interface $setlist || setlist="$setlist $interface"
list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external" list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
setup_one_proxy_arp setup_one_proxy_arp


@ -76,7 +76,6 @@ setup_traffic_shaping()
get_outband_for_dev() { get_outband_for_dev() {
local device inband outband local device inband outband
while read device inband outband; do while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband" tcdev="$device $inband $outband"
if [ "$1" = "$device" ] ; then if [ "$1" = "$device" ] ; then
echo $outband echo $outband
@ -107,7 +106,6 @@ setup_traffic_shaping()
searchdev=$1 searchdev=$1
while read device mark rate ceil prio options; do while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')
tcdev="$device $mark $rate $ceil $prio $options" tcdev="$device $mark $rate $ceil $prio $options"
if [ "$searchdev" = "$device" ] ; then if [ "$searchdev" = "$device" ] ; then
@ -126,7 +124,6 @@ setup_traffic_shaping()
progress_message2 "Validating $devfile..." progress_message2 "Validating $devfile..."
local device local device inband outband local device local device inband outband
while read device inband outband; do while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband" tcdev="$device $inband $outband"
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
case $interface in case $interface in
@ -146,7 +143,6 @@ setup_traffic_shaping()
local classlist device mark rate ceil prio bandw wrongopt allopts opt local classlist device mark rate ceil prio bandw wrongopt allopts opt
allopts="" allopts=""
while read device mark rate ceil prio options; do while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options" tcdev="$device $mark $rate $ceil $prio $options"
ratew=$(get_outband_for_dev $device) ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')
@ -314,7 +310,6 @@ __EOF__
progress_message2 "$DOING $devfile..." progress_message2 "$DOING $devfile..."
while read device inband outband; do while read device inband outband; do
expandv device inband outband
tcdev="$device $inband $outband" tcdev="$device $inband $outband"
add_root_tc && progress_message " TC Device $tcdev defined." add_root_tc && progress_message " TC Device $tcdev defined."
done < $TMP_DIR/tcdevices done < $TMP_DIR/tcdevices
@ -326,7 +321,6 @@ __EOF__
last_device= last_device=
while read device mark rate ceil prio options; do while read device mark rate ceil prio options; do
expandv device mark rate ceil prio options
tcdev="$device $mark $rate $ceil $prio $options" tcdev="$device $mark $rate $ceil $prio $options"
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')


@ -468,7 +468,6 @@ __EOF__
INDENT=" " INDENT=" "
while read mark sources dests proto ports sports user testval length tos; do while read mark sources dests proto ports sports user testval length tos; do
expandv mark sources dests proto ports sports user testval length tos
if [ "x$mark" = xCOMMENT ]; then if [ "x$mark" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
comment=$(echo $sources $dests $proto $ports $sports $user $testval $length $tos) comment=$(echo $sources $dests $proto $ports $sports $user $testval $length $tos)


@ -226,7 +226,6 @@ setup_tunnels() # $1 = name of tunnels file
strip_file tunnels $1 strip_file tunnels $1
while read kind z gateway z1; do while read kind z gateway z1; do
expandv kind z gateway z1
tunnel="$(echo $kind $z $gateway $z1)" tunnel="$(echo $kind $z $gateway $z1)"
if validate_zone $z; then if validate_zone $z; then
inchain=${z}2${FW} inchain=${z}2${FW}