Disallow bare COMMENT, SECTION and FORMAT lines

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-08-21 11:18:40 -07:00
parent 40d1d86d2c
commit 80acdd2836
3 changed files with 2 additions and 65 deletions


@ -433,13 +433,8 @@ sub process_accounting_rule( ) {
fatal_error 'ACTION must be specified' if $action eq '-'; fatal_error 'ACTION must be specified' if $action eq '-';
if ( $action eq 'SECTION' ) { for my $proto ( split_list $protos, 'Protocol' ) {
section_warning; $nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
process_section( $chain );
} else {
for my $proto ( split_list $protos, 'Protocol' ) {
$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
}
} }
$nonempty; $nonempty;
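Review bot: With the `SECTION` branch removed, a bare `SECTION` in the ACTION column now falls into the `for my $proto` loop and reaches `process_accounting_rule1` as an ordinary action, so rejecting it depends on that function (not visible here) failing on the token rather than on an explicit check. A firewall compiler is safer failing closed with a specific message, e.g. `fatal_error "'SECTION' is no longer supported - use '?SECTION'" if $action eq 'SECTION';` placed right after the `ACTION must be specified` check. The same consideration appears to apply to the `SECTION` test removed from `process_raw_rule` and to the bare `COMMENT`/`FORMAT` matches dropped from `read_a_line`, where such a line is now passed on as ordinary content. `process_accounting_rule` starts and ends outside this hunk.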


@ -153,12 +153,10 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
run_user_exit2 run_user_exit2
generate_aux_config generate_aux_config
format_warning format_warning
process_comment
no_comment no_comment
macro_comment macro_comment
dump_mark_layout dump_mark_layout
set_section_function set_section_function
section_warning
clear_section_function clear_section_function
directive_callback directive_callback
@ -563,9 +561,6 @@ our $comment; # Current COMMENT
our $comments_allowed; # True if [?]COMMENT is allowed in the current file our $comments_allowed; # True if [?]COMMENT is allowed in the current file
our $nocomment; # When true, ignore [?]COMMENT in the current file our $nocomment; # When true, ignore [?]COMMENT in the current file
our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated
our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
our $checkinline; # The -i option to check/compile/etc. our $checkinline; # The -i option to check/compile/etc.
our $directive_callback; # Function to call in compiler_directive our $directive_callback; # Function to call in compiler_directive
@ -706,9 +701,6 @@ sub initialize( $;$$) {
# #
$comment = ''; $comment = '';
$warningcount = 0; $warningcount = 0;
$warningcount1 = 0;
$warningcount2 = 0;
$warningcount3 = 0;
# #
# Misc Globals # Misc Globals
# #
@ -2227,28 +2219,8 @@ sub split_line($$) {
&split_line1( @_, {} ); &split_line1( @_, {} );
} }
#
# Generate a FORMAT warning
#
sub format_warning() {
warning_message "'FORMAT' is deprecated in favor of '?FORMAT' - consider running '$product update -D'" unless $warningcount2++;
}
#
# Process a COMMENT line (in $currentline)
#
sub have_capability( $;$ ); sub have_capability( $;$ );
sub process_comment() {
if ( have_capability( 'COMMENTS' ) ) {
warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++;
( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
$comment =~ s/\s*$//;
} else {
warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
}
}
# #
# Returns True if there is a current COMMENT or if COMMENTS are not available. # Returns True if there is a current COMMENT or if COMMENTS are not available.
# #
@ -2304,13 +2276,6 @@ sub clear_section_function() {
$section_function = undef; $section_function = undef;
} }
#
# Generate a SECTION warning
#
sub section_warning() {
warning_message "'SECTION' is deprecated in favor of '?SECTION' - consider running '$product update -D'" unless $warningcount3++;
}
# #
# Open a file, setting $currentfile. Returns the file's absolute pathname if the file # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
# exists, is non-empty and was successfully opened. Terminates with a fatal error # exists, is non-empty and was successfully opened. Terminates with a fatal error
@ -3428,27 +3393,6 @@ sub read_a_line($) {
# #
$currentline =~ s/\s*$//; $currentline =~ s/\s*$//;
} }
if ( $comments_allowed && $currentline =~ /^\s*COMMENT\b/ ) {
process_comment unless $nocomment;
$directive_callback->( 'COMMENT', $currentline ) if $directive_callback;
$currentline = '';
$currentlinenumber = 0;
next
}
if ( $max_format > 1 && $currentline =~ /^\s*FORMAT\s+(.+)/ ) {
format_warning;
my $format = $1;
fatal_error( "Invalid format ($format)" ) unless $format =~ /\d+/;
fatal_error( "Format must be between 1 and $max_format" ) unless $format && $format <= $max_format;
$file_format = $format;
$directive_callback->( 'FORMAT', $currentline ) if $directive_callback;
$currentline = '';
$currentlinenumber = 0;
next
}
# #
# Line not blank -- Handle any first-entry message/capabilities check # Line not blank -- Handle any first-entry message/capabilities check
# #


@ -3272,8 +3272,6 @@ sub process_raw_rule ( ) {
fatal_error 'ACTION must be specified' if $target eq '-'; fatal_error 'ACTION must be specified' if $target eq '-';
section_warning, process_section( $source ), return 1 if $target eq 'SECTION';
# #
# Section Names are optional so once we get to an actual rule, we need to be sure that # Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections. # we close off any missing sections.