From 80acdd28362dd43948aad85e776bc2d819dfc987 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 21 Aug 2015 11:18:40 -0700
Subject: [PATCH] Disallow bare COMMENT, SECTION and FORMAT lines
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Accounting.pm | 9 +----
 Shorewall/Perl/Shorewall/Config.pm | 56 --------------------------
 Shorewall/Perl/Shorewall/Rules.pm | 2 -
 3 files changed, 2 insertions(+), 65 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index a87548b17..da461daa7 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -433,13 +433,8 @@ sub process_accounting_rule( ) {
 fatal_error 'ACTION must be specified' if $action eq '-';
- if ( $action eq 'SECTION' ) {
- section_warning;
- process_section( $chain );
- } else {
- for my $proto ( split_list $protos, 'Protocol' ) {
- $nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
- }
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ $nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
 }
 $nonempty;
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 6147e0190..4deb166da 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -153,12 +153,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 run_user_exit2
 generate_aux_config
 format_warning
- process_comment
 no_comment
 macro_comment
 dump_mark_layout
 set_section_function
- section_warning
 clear_section_function
 directive_callback
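Review bot: With the `SECTION` branch gone from process_accounting_rule, a legacy bare `SECTION` line is now handed to process_accounting_rule1 as an ordinary action, and nothing visible in this hunk guarantees it is rejected with a clear error rather than misparsed. Since the commit's stated goal is to disallow these lines, an explicit guard next to the existing ACTION check would make that deterministic, e.g. `fatal_error "Bare SECTION lines are no longer supported - use ?SECTION" if $action eq 'SECTION';`. The same applies to process_raw_rule in Rules.pm and to the COMMENT/FORMAT handling removed from read_a_line in Config.pm, where old-style lines now fall through to regular column parsing. For a firewall compiler, a config line that silently changes meaning is worth failing loudly on. The function body starts and ends outside the hunk.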
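Review bot: The `internal` export list in this Config.pm hunk still carries `format_warning` as a context line, while `sub format_warning()` is deleted by the -2227 hunk of the same patch. Unless the sub is defined somewhere not visible here, the module would export a name it no longer defines. As far as I know Exporter does not check this at import time, so the leftover would only surface as a runtime "Undefined subroutine" if some caller still invoked it. Drop `format_warning` from the `qw(...)` list together with `process_comment` and `section_warning`. The list itself begins and ends outside the hunk.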
@@ -563,9 +561,6 @@ our $comment; # Current COMMENT
 our $comments_allowed; # True if [?]COMMENT is allowed in the current file
 our $nocomment; # When true, ignore [?]COMMENT in the current file
 our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
-our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated
-our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
-our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
 our $checkinline; # The -i option to check/compile/etc.
 our $directive_callback; # Function to call in compiler_directive
@@ -706,9 +701,6 @@ sub initialize( $;$$) {
 #
 $comment = '';
 $warningcount = 0;
- $warningcount1 = 0;
- $warningcount2 = 0;
- $warningcount3 = 0;
 #
 # Misc Globals
 #
@@ -2227,28 +2219,8 @@ sub split_line($$) {
 &split_line1( @_, {} );
 }
-#
-# Generate a FORMAT warning
-#
-sub format_warning() {
- warning_message "'FORMAT' is deprecated in favor of '?FORMAT' - consider running '$product update -D'" unless $warningcount2++;
-}
-
-#
-# Process a COMMENT line (in $currentline)
-#
 sub have_capability( $;$ );
-sub process_comment() {
- if ( have_capability( 'COMMENTS' ) ) {
- warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++;
- ( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
- $comment =~ s/\s*$//;
- } else {
- warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
- }
-}
-
 #
 # Returns True if there is a current COMMENT or if COMMENTS are not available.
 #
@@ -2304,13 +2276,6 @@ sub clear_section_function() {
 $section_function = undef;
 }
-#
-# Generate a SECTION warning
-#
-sub section_warning() {
- warning_message "'SECTION' is deprecated in favor of '?SECTION' - consider running '$product update -D'" unless $warningcount3++;
-}
-
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty and was successfully opened. Terminates with a fatal error
@@ -3428,27 +3393,6 @@ sub read_a_line($) {
 #
 $currentline =~ s/\s*$//;
 }
-
- if ( $comments_allowed && $currentline =~ /^\s*COMMENT\b/ ) {
- process_comment unless $nocomment;
- $directive_callback->( 'COMMENT', $currentline ) if $directive_callback;
- $currentline = '';
- $currentlinenumber = 0;
- next
- }
-
- if ( $max_format > 1 && $currentline =~ /^\s*FORMAT\s+(.+)/ ) {
- format_warning;
- my $format = $1;
- fatal_error( "Invalid format ($format)" ) unless $format =~ /\d+/;
- fatal_error( "Format must be between 1 and $max_format" ) unless $format && $format <= $max_format;
- $file_format = $format;
- $directive_callback->( 'FORMAT', $currentline ) if $directive_callback;
- $currentline = '';
- $currentlinenumber = 0;
- next
- }
-
 #
 # Line not blank -- Handle any first-entry message/capabilities check
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e47bf76c3..534e06181 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3272,8 +3272,6 @@ sub process_raw_rule ( ) {
 fatal_error 'ACTION must be specified' if $target eq '-';
-
- section_warning, process_section( $source ), return 1 if $target eq 'SECTION';
 #
 # Section Names are optional so once we get to an actual rule, we need to be sure that
 # we close off any missing sections.