Bring trunk up to date with branch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/modules

@@ -42,6 +42,7 @@ loadmodule xt_limit
 loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
+loadmodule xt_multiport
 loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_physdev

Shorewall-perl/Shorewall/Chains.pm

@@ -213,13 +213,13 @@ our %interfacebcasts;
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# State of the generator.
+# Mode of the generator.
 #
-use constant { NULL_STATE => 0 ,   # Generating neither shell commands nor iptables-restore input
+use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
-	       CAT_STATE  => 1 ,   # Generating iptables-restore input
+	       CAT_MODE  => 1 ,   # Generating iptables-restore input
-	       CMD_STATE  => 2 };  # Generating shell commands.
+	       CMD_MODE  => 2 };  # Generating shell commands.
 
-our $state;
+our $mode;
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -1838,18 +1838,18 @@ sub insertnatjump( $$$$ ) {
     }
 }
 
-sub emit_comment( $ ) {
+sub emit_comment() {
     emit  ( '#',
 	    '# Establish the values of shell variables used in the following function calls',
 	    '#' );
-    ${$_[0]} = 1;
+    our $emitted_comment = 1;
 }
 
-sub emit_test( $ ) {
+sub emit_test() {
     emit ( 'if [ "$COMMAND" != restore ]; then' ,
 	   '' );
     push_indent;
-    ${$_[0]} = 1;
+    our $emitted_test = 1;
 }
     
 #
@@ -1857,28 +1857,28 @@ sub emit_test( $ ) {
 #
 sub set_global_variables() {
 
-    my ( $emitted_comment, $emitted_test ) = (0, 0);
+    our ( $emitted_comment, $emitted_test ) = (0, 0);
 
     for ( values %interfaceaddr ) {
-	emit_comment( \$emitted_comment ) unless $emitted_comment;
+	emit_comment unless $emitted_comment;
 	emit $_;
     }
 
     for ( values %interfaceaddrs ) {
-	emit_comment( \$emitted_comment ) unless $emitted_comment;
+	emit_comment unless $emitted_comment;
-	emit_test( \$emitted_test )       unless $emitted_test;
+	emit_test    unless $emitted_test;
 	emit $_;
     }
 
     for ( values %interfacenets ) {
-	emit_comment( \$emitted_comment ) unless $emitted_comment;
+	emit_comment unless $emitted_comment;
-	emit_test( \$emitted_test )       unless $emitted_test;
+	emit_test    unless $emitted_test;
 	emit $_;
     }
 
     unless ( $capabilities{ADDRTYPE} ) {
-	emit_comment( \$emitted_comment ) unless $emitted_comment;
+	emit_comment unless $emitted_comment;
-	emit_test( \$emitted_test )       unless $emitted_test;
+	emit_test    unless $emitted_test;
 	emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 
 	for ( values %interfacebcasts ) {
@@ -1900,19 +1900,19 @@ sub set_global_variables() {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be bassed to iptables-restore
-# (CAT_STATE) and and writing shell source into the generated script.
+# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
-# The following two functions are responsible for the state transitions.
+# The following two functions are responsible for the mode transitions.
 #
-sub enter_cat_state() {
+sub enter_cat_mode() {
     emit '';
     emit 'cat >&3 << __EOF__';
-    $state = CAT_STATE;
+    $mode = CAT_MODE;
 }
 
-sub enter_cmd_state() {
+sub enter_cmd_mode() {
-    emit_unindented "__EOF__\n" if $state == CAT_STATE;
+    emit_unindented "__EOF__\n" if $mode == CAT_MODE;
-    $state = CMD_STATE;
+    $mode = CMD_MODE;
 }
 
 #
@@ -1925,13 +1925,13 @@ sub emitr( $ ) {
 	#
 	# A rule
 	#
-	enter_cat_state unless $state == CAT_STATE;
+	enter_cat_mode unless $mode == CAT_MODE;
 	emit_unindented $rule;
     } else {
 	#
 	# A command
 	#
-	enter_cmd_state unless $state == CMD_STATE;
+	enter_cmd_mode unless $mode == CMD_MODE;
 	emit $rule;
     }
 }
@@ -1948,7 +1948,7 @@ sub create_netfilter_load() {
     push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED};
     push @table_list, 'filter';
 
-    $state = NULL_STATE;
+    $mode = NULL_MODE;
 
     emit ( 'setup_netfilter()',
 	   '{'
@@ -1962,7 +1962,7 @@ sub create_netfilter_load() {
 
     emit 'exec 3>${VARDIR}/.iptables-restore-input';
 
-    enter_cat_state;
+    enter_cat_mode;
 
     for my $table ( @table_list ) {
 	emit_unindented "*$table";
@@ -1991,22 +1991,19 @@ sub create_netfilter_load() {
 	    }
 	}
 	#
-	# then emit the rules
+	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    my $name = $chainref->{name};
+	    emitr $_ for ( @{$chainref->{rules}} );
-	    for my $rule ( @{$chainref->{rules}} ) {
-		emitr $rule;
-	    }
 	}
 	#
 	# Commit the changes to the table
 	#
-	enter_cat_state unless $state == CAT_STATE;
+	enter_cat_mode unless $mode == CAT_MODE;
 	emit_unindented 'COMMIT';
     }
 
-    enter_cmd_state;
+    enter_cmd_mode;
     #
     # Now generate the actual iptables-restore command
     #
@@ -2030,7 +2027,7 @@ sub create_netfilter_load() {
 #
 sub create_blacklist_reload() {
 
-    $state = NULL_STATE;
+    $mode = NULL_MODE;
 
     emit(  'blacklist_reload()',
 	   '{'
@@ -2044,22 +2041,22 @@ sub create_blacklist_reload() {
 
     emit 'exec 3>${VARDIR}/.iptables-restore-input';
 
-    enter_cat_state;
+    enter_cat_mode;
 
     emit_unindented '*filter';
     emit_unindented ':blacklst - [0:0]';
-
+    #
-    for my $rule ( @{$filter_table->{blacklst}{rules}} ) {
+    # Emit the Blacklist rules
-	emitr $rule;
+    #
-    }
+    emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
     #
     # Commit the changes to the table
     #
-    enter_cat_state unless $state == CAT_STATE;
+    enter_cat_mode unless $mode == CAT_MODE;
 
     emit_unindented 'COMMIT';
 
-    enter_cmd_state;
+    enter_cmd_mode;
     #
     # Now generate the actual iptables-restore command
     #

Shorewall-perl/Shorewall/Compiler.pm

@@ -604,6 +604,11 @@ sub generate_script_3() {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
     emit 'cat > ${VARDIR}/chains << __EOF__';
     dump_rule_chains;
     emit_unindented '__EOF__';
@@ -612,6 +617,10 @@ sub generate_script_3() {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
+    pop_indent;
+
+    emit "fi\n";
+
     emit '> ${VARDIR}/nat';
 
     add_addresses;

Shorewall-perl/Shorewall/Config.pm

@@ -587,11 +587,11 @@ sub create_temp_object( $ ) {
 
     die if $@;
 
-    fatal_error "Directory $dir does not exist"  unless -d $dir;
-    fatal_error "Directory $dir is not writable" unless -w _;
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
-    fatal_error "$objectfile is a Directory"     if -d $objectfile;
+    fatal_error "Directory $dir does not exist"  unless -d _;
-    fatal_error "$dir is a Symbolic Link"        if -l $objectfile;
+    fatal_error "Directory $dir is not writable" unless -w _;
+    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
+    fatal_error "$objectfile is a Directory"     if -d _;
     fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
 
     eval {
@@ -864,12 +864,13 @@ sub read_a_line() {
 
 		my @line = split ' ', $currentline;
 
-		fatal_error "Invalid INCLUDE command: $currentline"    if @line != 2;
+		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs nested too deeply: $currentline" if @includestack >= 4;
+		fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
 
 		my $filename = find_file $line[1];
 
-		fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
+		fatal_error "INCLUDE file $filename not found" unless -f $filename;
+		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 
 		if ( -s _ ) {
 		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];

Shorewall-perl/Shorewall/Policy.pm

@@ -200,9 +200,9 @@ sub validate_policy()
 	fatal_error "Invalid policy $policy" unless exists $validpolicies{$policy};
 
 	if ( $policy eq 'NONE' ) {
-	    fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
+	    fatal_error "NONE policy not allowed with \"all\""
 		if $clientwild || $serverwild;
-	    fatal_error "$client, $server, $policy, $loglevel, $synparams: NONE policy not allowed to/from firewall zone"
+	    fatal_error "NONE policy not allowed to/from firewall zone"
 		if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
 	}
 

Shorewall-perl/Shorewall/Providers.pm

@@ -294,7 +294,7 @@ sub add_a_provider( $$$$$$$$ ) {
     if ( $optional ) {
 	emit ( "    error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" );
     } else {
-	emit( "    fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
+	emit( "    fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
     }
 
     emit "fi\n";

Shorewall-perl/Shorewall/Rules.pm

@@ -1617,11 +1617,7 @@ sub generate_matrix() {
 		next unless $chain;
 
 		if ( $zone eq $zone1 ) {
-		    #
+		    next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
-		    # One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
-		    #
-		    no warnings;
-		    next if ( %{ $zoneref->{interfaces} } < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
 		}
 
 		if ( $zone1ref->{type} eq 'bport4' ) {
@@ -1675,12 +1671,7 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;
 
 	    if ( $zone eq $zone1 ) {
-		#
+		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
-		# One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
-		#
-		no warnings;
-		next ZONE1 if ( $num_ifaces = %{$zoneref->{interfaces}} ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
-		use warnings;
 
 		if  ( $chain3 ) {
 		    while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {

Shorewall-perl/Shorewall/Zones.pm

@@ -425,16 +425,12 @@ sub dump_zone_contents()
 sub single_interface( $ ) {
     my $zone = $_[0];
     my $zoneref = $zones{$zone};
+  
     fatal_error "Internal Error in single_zone()" unless $zoneref;
 
-    {
+    my @keys = keys( %{$zoneref->{interfaces}} );
-	no warnings;
+
-	if ( %{$zoneref->{interfaces}} == 1 ) {
+    @keys == 1 ? $keys[0] : '';
-	    ( keys %{$zoneref->{interfaces}} )[0];
-	} else {
-	    '';
-	}
-    }
 }
 
 sub add_group_to_zone($$$$$)

Shorewall-perl/prog.functions

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Clear Proxy Arp
 #
@@ -145,24 +144,6 @@ restore_dynamic_rules() {
     fi
 }
 
-#
-# The following functions also appear in lib.base. They are duplicated here so that
-# restore scripts from prior versions continue to work.
-#
-get_device_mtu1() # $1 = device
-{
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -170,4 +151,3 @@ get_all_bcasts()
 {
     ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
-

Shorewall-shell/compiler

@@ -1671,11 +1671,11 @@ add_a_rule() {
 
 	if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 	    for adr in $(separate_list $addr); do
-		run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
+		run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
 	    done
 	    addr=
 	else
-	    run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
+	    run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain
 	fi
 
 	cli=
@@ -1884,7 +1884,7 @@ __EOF__
 				for adr in $(separate_list $addr); do
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
 					log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
-					    $user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+					    $user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
 				    fi
 
 				    run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
@@ -1899,7 +1899,7 @@ __EOF__
 
 			    if [ -n "$loglevel" -a -z "$natrule" ]; then
 				log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
-				    $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
+				    $state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
 			    fi
 
 			    if [ -n "$nonat" ]; then
@@ -1922,7 +1922,7 @@ __EOF__
 
 		if [ -n "$loglevel" -a -z "$natrule" ]; then
 		    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
-			$state $(fix_bang $proto $sports $multiport $cli $dports)
+			$state $(fix_bang $proto $multiport $sports $cli $dports)
 		fi
 
 		[ -n "$nonat" ] && \

Shorewall-shell/lib.actions

@@ -80,7 +80,7 @@ add_an_action()
     {
 	build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
 
-	run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
+	run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1
 
 	cli=
 	proto=
@@ -219,7 +219,7 @@ add_an_action()
 	    for srv in $(firewall_ip_range $serv1); do
 		if [ -n "$loglevel" ]; then
 		    log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
-			$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dest_interface $dports)
+			$(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports)
 		fi
 
 		run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@@ -229,7 +229,7 @@ add_an_action()
     else
 	if [ -n "$loglevel" ]; then
 	    log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
-		$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
+		$(fix_bang $proto $multiport $sports $cli $dest_interface $dports)
 	fi
 
 	run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \

Shorewall-shell/lib.tc

@@ -175,7 +175,7 @@ setup_traffic_shaping()
 
 	dev=$(chain_base $device)
 
-	save_command "if interface_is_usable $device; then"
+	save_command "if interface_is_up $device; then"
 	indent="$INDENT"
 	INDENT="$INDENT    "
 	save_command ${dev}_exists=Yes
@@ -201,7 +201,7 @@ setup_traffic_shaping()
 	INDENT="$indent"
 	save_command else
 	INDENT="$INDENT    "
-	save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
+	save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\""
 	save_command "${dev}_exists="
 	INDENT="$indent"
 	save_command "fi"

docs/FAQ.xml

@@ -1136,7 +1136,7 @@ DROP      net       fw      udp      10619</programlisting>
     </section>
 
     <section id="faq17">
-      <title>(FAQ 17) Why are these packets being Dropped/Rejected?/How do I
+      <title>(FAQ 17) Why are these packets being Dropped/Rejected? How do I
       decode Shorewall log messages?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Logging of