Bring trunk up to date with branch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-08-09 15:16:08 +00:00
parent c27b3fb5b7
commit 8472d60c28
13 changed files with 78 additions and 103 deletions


@ -42,6 +42,7 @@ loadmodule xt_limit
loadmodule xt_mac
loadmodule xt_mark
loadmodule xt_MARK
loadmodule xt_multiport
loadmodule xt_NFLOG
loadmodule xt_NFQUEUE
loadmodule xt_physdev


@ -213,13 +213,13 @@ our %interfacebcasts;
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
#
# State of the generator.
# Mode of the generator.
#
use constant { NULL_STATE => 0 , # Generating neither shell commands nor iptables-restore input
CAT_STATE => 1 , # Generating iptables-restore input
CMD_STATE => 2 }; # Generating shell commands.
use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptables-restore input
CAT_MODE => 1 , # Generating iptables-restore input
CMD_MODE => 2 }; # Generating shell commands.
our $state;
our $mode;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@ -1838,18 +1838,18 @@ sub insertnatjump( $$$$ ) {
}
}
sub emit_comment( $ ) {
sub emit_comment() {
emit ( '#',
'# Establish the values of shell variables used in the following function calls',
'#' );
${$_[0]} = 1;
our $emitted_comment = 1;
}
sub emit_test( $ ) {
sub emit_test() {
emit ( 'if [ "$COMMAND" != restore ]; then' ,
'' );
push_indent;
${$_[0]} = 1;
our $emitted_test = 1;
}
#
@ -1857,28 +1857,28 @@ sub emit_test( $ ) {
#
sub set_global_variables() {
my ( $emitted_comment, $emitted_test ) = (0, 0);
our ( $emitted_comment, $emitted_test ) = (0, 0);
for ( values %interfaceaddr ) {
emit_comment( \$emitted_comment ) unless $emitted_comment;
emit_comment unless $emitted_comment;
emit $_;
}
for ( values %interfaceaddrs ) {
emit_comment( \$emitted_comment ) unless $emitted_comment;
emit_test( \$emitted_test ) unless $emitted_test;
emit_comment unless $emitted_comment;
emit_test unless $emitted_test;
emit $_;
}
for ( values %interfacenets ) {
emit_comment( \$emitted_comment ) unless $emitted_comment;
emit_test( \$emitted_test ) unless $emitted_test;
emit_comment unless $emitted_comment;
emit_test unless $emitted_test;
emit $_;
}
unless ( $capabilities{ADDRTYPE} ) {
emit_comment( \$emitted_comment ) unless $emitted_comment;
emit_test( \$emitted_test ) unless $emitted_test;
emit_comment unless $emitted_comment;
emit_test unless $emitted_test;
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
for ( values %interfacebcasts ) {
@ -1900,19 +1900,19 @@ sub set_global_variables() {
# We may have to generate part of the input at run-time. The rules array in each chain
# table entry may contain rules (begin with '-A') or shell source. We alternate between
# writing the rules ('-A') into the temporary file to be bassed to iptables-restore
# (CAT_STATE) and and writing shell source into the generated script.
# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
#
# The following two functions are responsible for the state transitions.
# The following two functions are responsible for the mode transitions.
#
sub enter_cat_state() {
sub enter_cat_mode() {
emit '';
emit 'cat >&3 << __EOF__';
$state = CAT_STATE;
$mode = CAT_MODE;
}
sub enter_cmd_state() {
emit_unindented "__EOF__\n" if $state == CAT_STATE;
$state = CMD_STATE;
sub enter_cmd_mode() {
emit_unindented "__EOF__\n" if $mode == CAT_MODE;
$mode = CMD_MODE;
}
#
@ -1925,13 +1925,13 @@ sub emitr( $ ) {
#
# A rule
#
enter_cat_state unless $state == CAT_STATE;
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented $rule;
} else {
#
# A command
#
enter_cmd_state unless $state == CMD_STATE;
enter_cmd_mode unless $mode == CMD_MODE;
emit $rule;
}
}
@ -1948,7 +1948,7 @@ sub create_netfilter_load() {
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED};
push @table_list, 'filter';
$state = NULL_STATE;
$mode = NULL_MODE;
emit ( 'setup_netfilter()',
'{'
@ -1962,7 +1962,7 @@ sub create_netfilter_load() {
emit 'exec 3>${VARDIR}/.iptables-restore-input';
enter_cat_state;
enter_cat_mode;
for my $table ( @table_list ) {
emit_unindented "*$table";
@ -1991,22 +1991,19 @@ sub create_netfilter_load() {
}
}
#
# then emit the rules
# Then emit the rules
#
for my $chainref ( @chains ) {
my $name = $chainref->{name};
for my $rule ( @{$chainref->{rules}} ) {
emitr $rule;
}
emitr $_ for ( @{$chainref->{rules}} );
}
#
# Commit the changes to the table
#
enter_cat_state unless $state == CAT_STATE;
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT';
}
enter_cmd_state;
enter_cmd_mode;
#
# Now generate the actual iptables-restore command
#
@ -2030,7 +2027,7 @@ sub create_netfilter_load() {
#
sub create_blacklist_reload() {
$state = NULL_STATE;
$mode = NULL_MODE;
emit( 'blacklist_reload()',
'{'
@ -2044,22 +2041,22 @@ sub create_blacklist_reload() {
emit 'exec 3>${VARDIR}/.iptables-restore-input';
enter_cat_state;
enter_cat_mode;
emit_unindented '*filter';
emit_unindented ':blacklst - [0:0]';
for my $rule ( @{$filter_table->{blacklst}{rules}} ) {
emitr $rule;
}
#
# Emit the Blacklist rules
#
emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
#
# Commit the changes to the table
#
enter_cat_state unless $state == CAT_STATE;
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT';
enter_cmd_state;
enter_cmd_mode;
#
# Now generate the actual iptables-restore command
#
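Review bot: `emit_comment` and `emit_test` now record their once-only state in `our $emitted_comment` / `our $emitted_test`, package globals that `set_global_variables` resets with `our ( $emitted_comment, $emitted_test ) = (0, 0);`, so the `unless $emitted_comment` / `unless $emitted_test` guards at every call site depend on that reset having run and any other caller of the two helpers would inherit stale flags from the previous run. That coupling is not visible from the helpers themselves; a comment on the reset line such as `# Package-level flags set by emit_comment/emit_test; they are only meaningful inside this function` would make it explicit. The rewritten mode-transition comment also carries a doubled word and should read `# (CAT_MODE) and writing shell source into the generated script (CMD_MODE).` set_global_variables and create_netfilter_load both run past the ends of their hunks.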


@ -604,6 +604,11 @@ sub generate_script_3() {
dump_proxy_arp;
emit_unindented '__EOF__';
emit( '',
'if [ "$COMMAND" != refresh ]; then' );
push_indent;
emit 'cat > ${VARDIR}/chains << __EOF__';
dump_rule_chains;
emit_unindented '__EOF__';
@ -612,6 +617,10 @@ sub generate_script_3() {
dump_zone_contents;
emit_unindented '__EOF__';
pop_indent;
emit "fi\n";
emit '> ${VARDIR}/nat';
add_addresses;
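Review bot: The new `if [ "$COMMAND" != refresh ]; then` emitted before the `${VARDIR}/chains` dump says nothing about why the chains and zone-contents files are skipped on refresh, and its closing `emit "fi\n"` lands in a separate hunk, so the pairing is easy to break on the next edit. A comment ahead of the `emit( '', 'if [ "$COMMAND" != refresh ]; then' );` such as `# On 'refresh' the chains and zone-contents state files are left as they are -- TODO confirm refresh can never change them` would record the intent without asserting more than the hunk shows. generate_script_3 starts before this hunk and continues after it.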


@ -587,11 +587,11 @@ sub create_temp_object( $ ) {
die if $@;
fatal_error "Directory $dir does not exist" unless -d $dir;
fatal_error "Directory $dir is not writable" unless -w _;
fatal_error "$dir is a Symbolic Link" if -l $dir;
fatal_error "$objectfile is a Directory" if -d $objectfile;
fatal_error "$dir is a Symbolic Link" if -l $objectfile;
fatal_error "Directory $dir does not exist" unless -d _;
fatal_error "Directory $dir is not writable" unless -w _;
fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
fatal_error "$objectfile is a Directory" if -d _;
fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
eval {
@ -864,12 +864,13 @@ sub read_a_line() {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command: $currentline" if @line != 2;
fatal_error "INCLUDEs nested too deeply: $currentline" if @includestack >= 4;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
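Review bot: The added `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;` in read_a_line is unreachable: the preceding line already fails unless `-f $filename` is true, and a regular file is never a directory, so the new message can never be produced. If the goal is a specific diagnostic for directories, test that first and let the existence check catch everything else: `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d $filename;` followed by `fatal_error "INCLUDE file $filename not found" unless -f _;`. read_a_line starts before the hunk and continues past it.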


@ -200,9 +200,9 @@ sub validate_policy()
fatal_error "Invalid policy $policy" unless exists $validpolicies{$policy};
if ( $policy eq 'NONE' ) {
fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
fatal_error "NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
fatal_error "$client, $server, $policy, $loglevel, $synparams: NONE policy not allowed to/from firewall zone"
fatal_error "NONE policy not allowed to/from firewall zone"
if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
}


@ -294,7 +294,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $optional ) {
emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" );
} else {
emit( " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
}
emit "fi\n";


@ -1617,11 +1617,7 @@ sub generate_matrix() {
next unless $chain;
if ( $zone eq $zone1 ) {
#
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
#
no warnings;
next if ( %{ $zoneref->{interfaces} } < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
}
if ( $zone1ref->{type} eq 'bport4' ) {
@ -1675,12 +1671,7 @@ sub generate_matrix() {
my $num_ifaces = 0;
if ( $zone eq $zone1 ) {
#
# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
#
no warnings;
next ZONE1 if ( $num_ifaces = %{$zoneref->{interfaces}} ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
use warnings;
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
if ( $chain3 ) {
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
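Review bot: The rewritten `next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ...` buries an assignment inside the loop-control condition, which reads like a comparison at a glance; splitting it keeps the count visible: `$num_ifaces = keys %{$zoneref->{interfaces}};` then `next ZONE1 if $num_ifaces < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );`. Removing the `no warnings` in the first hunk also lifts a suppression that, with no matching `use warnings`, previously covered the rest of that enclosing block, so other warnings in the remainder of generate_matrix may now surface and a run with warnings enabled is worth doing. generate_matrix starts before and ends after these hunks.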


@ -425,16 +425,12 @@ sub dump_zone_contents()
sub single_interface( $ ) {
my $zone = $_[0];
my $zoneref = $zones{$zone};
fatal_error "Internal Error in single_zone()" unless $zoneref;
{
no warnings;
if ( %{$zoneref->{interfaces}} == 1 ) {
( keys %{$zoneref->{interfaces}} )[0];
} else {
'';
}
}
my @keys = keys( %{$zoneref->{interfaces}} );
@keys == 1 ? $keys[0] : '';
}
sub add_group_to_zone($$$$$)
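Review bot: The unchanged line just above the rewrite, `fatal_error "Internal Error in single_zone()" unless $zoneref;`, names the wrong function -- this is single_interface, so the diagnostic points whoever sees it at a function that is not the one that failed; it should read `fatal_error "Internal Error in single_interface()" unless $zoneref;`. The rewrite itself is sound: `@keys == 1 ? $keys[0] : ''` evaluates the array in scalar context, which is what the old `no warnings` block was working around.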


@ -1,4 +1,3 @@
#!/bin/sh
#
# Clear Proxy Arp
#
@ -145,24 +144,6 @@ restore_dynamic_rules() {
fi
}
#
# The following functions also appear in lib.base. They are duplicated here so that
# restore scripts from prior versions continue to work.
#
get_device_mtu1() # $1 = device
{
local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
local mtu
if [ -n "$output" ]; then
mtu=$(find_mtu $output)
if [ -n "$mtu" ]; then
[ $mtu = 1500 ] || echo mtu $(($mtu + 100))
fi
fi
}
#
# Get a list of all configured broadcast addresses on the system
#
@ -170,4 +151,3 @@ get_all_bcasts()
{
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}


@ -1671,11 +1671,11 @@ add_a_rule() {
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr=
else
run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain
fi
cli=
@ -1884,7 +1884,7 @@ __EOF__
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
$user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
@ -1899,7 +1899,7 @@ __EOF__
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
$state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
@ -1922,7 +1922,7 @@ __EOF__
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $sports $multiport $cli $dports)
$state $(fix_bang $proto $multiport $sports $cli $dports)
fi
[ -n "$nonat" ] && \
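Review bot: Every call site in this file's hunks moves `$multiport` ahead of `$sports` inside the `fix_bang` argument list, but none of them says why, so a later edit can silently restore the old order and reintroduce whatever this fixes. A one-line comment at the first changed `run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) ...` such as `# $multiport must come before $sports/$dports -- presumably because the port options belong to the multiport match; the reason is not recorded here` would preserve the intent while hedging what the hunk does not show. add_a_rule starts before the first hunk and continues past the last.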


@ -80,7 +80,7 @@ add_an_action()
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1
cli=
proto=
@ -219,7 +219,7 @@ add_an_action()
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dest_interface $dports)
$(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@ -229,7 +229,7 @@ add_an_action()
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
$(fix_bang $proto $multiport $sports $cli $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \


@ -175,7 +175,7 @@ setup_traffic_shaping()
dev=$(chain_base $device)
save_command "if interface_is_usable $device; then"
save_command "if interface_is_up $device; then"
indent="$INDENT"
INDENT="$INDENT "
save_command ${dev}_exists=Yes
@ -201,7 +201,7 @@ setup_traffic_shaping()
INDENT="$indent"
save_command else
INDENT="$INDENT "
save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\""
save_command "${dev}_exists="
INDENT="$indent"
save_command "fi"


@ -1136,7 +1136,7 @@ DROP net fw udp 10619</programlisting>
</section>
<section id="faq17">
<title>(FAQ 17) Why are these packets being Dropped/Rejected?/How do I
<title>(FAQ 17) Why are these packets being Dropped/Rejected? How do I
decode Shorewall log messages?</title>
<para><emphasis role="bold">Answer:</emphasis> Logging of