From 4cc7a1b87d2d3f5bba585ec5028f25d81e2203a3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 13 Aug 2015 13:21:51 -0700
Subject: [PATCH 1/4] Correct tcrules update

Signed-off-by: Tom Eastep

Conflicts:
Shorewall/Perl/Shorewall/Tc.pm
---
 Shorewall/Perl/Shorewall/Tc.pm | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index be91e9d6c..3867a7086 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -3226,12 +3226,17 @@ sub setup_tc( $ ) {
 }
 }
+ close $mangle, directive_callback( 0 ) if $tcrules;
+
+ } elsif ( $tcrules ) {
 close $mangle, directive_callback( 0 );
- } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
- if ( unlink $fn ) {
- warning_message "Empty tcrules file ($fn) removed";
- } else {
- warning_message "Unable to remove empty tcrules file $fn: $!";
+
+ if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
+ if ( unlink $fn ) {
+ warning_message "Empty tcrules file ($fn) removed";
+ } else {
+ warning_message "Unable to remove empty tcrules file $fn: $!";
+ }
 }
 }
 } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
From ea2a35415ef4001b58f8b72ef63f18f78fa63d76 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 13 Aug 2015 13:22:14 -0700
Subject: [PATCH 2/4] Correct convert_blacklist()

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 2092ccced..0f9d34d92 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
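Review bot: Both new `close $mangle, directive_callback( 0 )` statements discard close's result: `close` is a unary operator, so the comma only sequences the `directive_callback( 0 )` call, and a buffered-write error on the converted mangle file (presumably opened for writing, as the analogous conversion in Raw.pm is) goes unreported. In the new `elsif ( $tcrules )` branch I would write `close $mangle or fatal_error "Unable to close the converted mangle file: $!";` followed by `directive_callback( 0 );`, and give the postfix `if $tcrules` form the same treatment. The remove-empty-tcrules block is now repeated in this branch and in the outer `elsif ( -f ( my $fn = find_file( 'tcrules' ) ) )` on the hunk's last line, whose body is outside the hunk and presumably does the same; a small helper would keep the two in step. setup_tc's body starts and ends outside the hunk.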
@@ -254,16 +254,12 @@ sub convert_blacklist() {
 my $zones1 = find_zones_by_option 'blacklist', 'out';
 my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
 my $audit = $disposition =~ /^A_/;
- my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
+ my $target = $disposition;
 my $orig_target = $target;
 my @rules;
 if ( @$zones || @$zones1 ) {
- if ( supplied $level ) {
- $target = 'blacklog';
- } elsif ( $audit ) {
- $target = verify_audit( $disposition );
- }
+ $target = "$target:$level" if supplied $level;
 my $fn = open_file( 'blacklist' );
@@ -313,8 +309,6 @@ sub convert_blacklist() {
 } else {
 warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
 }
-
- $tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 }
 for ( @options ) {
From 0cef7fad356625e5b3178024dcafc8b72ba87bdf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 13 Aug 2015 14:37:13 -0700
Subject: [PATCH 3/4] Add conversion version and date to the converted files.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 8 +++++++-
 Shorewall/Perl/Shorewall/Raw.pm | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 0f9d34d92..8c6e022b2 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -431,7 +431,8 @@ sub convert_routestopped() {
 if ( my $fn = open_file 'routestopped' ) {
 my ( @allhosts, %source, %dest , %notrack, @rule );
- my $seq = 0;
+ my $seq = 0;
+ my $date = localtime;
 my ( $stoppedrules, $fn1 );
@@ -457,6 +458,11 @@ sub convert_routestopped() {
 EOF
 }
+ print( $stoppedrules "#\n" , "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" , "#\n" );
+
 first_entry "$doing $fn...";
 while ( read_a_line ( NORMAL_READ ) ) {
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index b5af8fe80..43ea02d7f 100644
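Review bot: `$audit` (the `my $audit = $disposition =~ /^A_/;` context line) and `my $orig_target = $target;` look orphaned by this change: the deleted `elsif ( $audit )` branch was the only visible reader of `$audit`, and the `verify_audit( 'A_' . $target, $orig_target, $target )` call removed in the @@ -313 hunk was the only visible reader of `$orig_target`. If no other use survives in convert_blacklist (its body continues outside both hunks), drop both declarations so a reader isn't led to expect audit-specific handling that no longer happens here. Since the new `$target = "$target:$level" if supplied $level;` passes `A_*` dispositions through without the verify_audit check the old code ran, a one-line comment at that assignment saying where the disposition is validated instead would make the intent explicit.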
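Review bot: `print( $stoppedrules "#\n" , ... )` in the @@ -457 hunk uses the filehandle-without-comma form inside the parentheses, which reads like a list and is what perlstyle's block form exists to avoid; I'd write `print {$stoppedrules} "#\n", "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n", "#\n";` (the Raw.pm @@ -385 hunk has the same shape). The `$date` assigned from scalar `localtime` in the @@ -431 hunk (and Raw.pm @@ -363) carries no time zone, so the stamp written into the generated file is ambiguous once that file travels between hosts; `POSIX::strftime( '%Y-%m-%d %H:%M:%S %z', localtime )` records it unambiguously, though I can't see from the hunk whether Misc.pm already imports POSIX. convert_routestopped's body starts and ends outside the hunk.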
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -363,6 +363,7 @@ sub setup_conntrack($) {
 if ( $convert ) {
 my $conntrack;
 my $empty = 1;
+ my $date = localtime;
 if ( $fn ) {
 open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
@@ -385,6 +386,11 @@ EOF
 EOF
 }
+ print( $conntrack "#\n" , "# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" , "#\n" );
+
 $fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
 while ( read_a_line( PLAIN_READ ) ) {
From 4de66383858ee59e4856d075748e02a76a4d0473 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 13 Aug 2015 15:42:38 -0700
Subject: [PATCH 4/4] Correct handling of termination after .conf file not updated

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ebfce1bd9..26456261c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4928,9 +4928,10 @@ EOF
 }
 exit 0 unless ( $directives ||
- -f find_file 'blacklist' ||
- -f find_file 'tcrules' ||
- -f find_file 'routestopped'
+ -f find_file 'blacklist' ||
+ -f find_file 'tcrules' ||
+ -f find_file 'routestopped' ||
+ -f find_file 'notrack'
 );
 }
 } else {
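Review bot: The header written by the new `print( $conntrack ... )` in the @@ -385 hunk labels `$fn` as the notrack file, but at that point `$fn` still holds the path the @@ -363 hunk opened `$conntrack` on for append (or whatever false value the else branch outside the hunk left in it); it only becomes the notrack path on the following line, `$fn = open_file( 'notrack' , 3, 1 ) || ...`. So the generated conntrack file records its own name (or an empty string, with an uninitialized warning if `$fn` was undef) as its source. Move the added print lines below the `$fn = open_file( 'notrack' ... )` assignment, or read the notrack path into its own variable before the print, so the comment names the real source file. setup_conntrack's body starts and ends outside the hunk.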
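Review bot: The added `-f find_file 'notrack'` and the three re-indented lines above it parse as intended only if `find_file` has a `($)` prototype giving it named-unary precedence; as a plain list operator, `find_file 'blacklist' || ...` would swallow the rest of the `||` chain and only the blacklist check would ever run. The prototype isn't visible in this hunk, so writing the calls with parentheses, `-f find_file( 'notrack' ) ||`, as the Tc.pm hunk in this series already does with `find_file( 'tcrules' )`, keeps the condition correct regardless. The enclosing block starts and ends outside the hunk.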