Fix Makefile and make macro substitution smarter

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3000 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 16:54:10 +01:00 · 2005-11-15 18:44:02 +00:00 · 2005-11-15 18:44:02 +00:00 · 93210fa3a5
commit 93210fa3a5
parent f73a064339
4 changed files with 76 additions and 6 deletions
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@ -1,7 +1,7 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
 VARDIR=/var/lib/shorewall
 CONFDIR=/etc/shorewall
-all: $(VARDIR)/restarted
+all: $(VARDIR)/restore-base

 $(VARDIR)/restore-base: $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -2,6 +2,11 @@ Changes in 3.0.1

 1) Set policies for chains in nat, mangle and raw tables.

+2) Applied Tuomo's patch for Makefile.
+
+3) Add Farkas ordering to generated SOURCE and DEST column when expanding
+   macros.
+
 Changes in 3.0.0 Final

 None.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -4876,6 +4876,27 @@ map_old_action() # $1 = Potential Old Action
    echo $1
 }

+#
+# Combine a source/dest from the macro body with one from the macro invocation
+#
+merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
+{
+    case $2 in
+	-)
+	    echo ${1}
+	    ;;
+	*.*.*|+*|~*)
+	    #
+	    # Value in the invocation is an address -- put it behind the value from the macro
+	    #
+	    echo ${1}:${2}
+	    ;;
+	*)
+	    echo ${2}:${1}
+	    ;;
+    esac
+}
+
 #
 # The next three functions implement the three phases of action processing.
 #
@ -5235,6 +5256,7 @@ process_actions3() {
 			    ;;
 		    esac

+	    echo ${2%:*}:${1}
 		    expandv xclients xservers xprotocol xports xcports xratelimit xuserspec

 		    if [ -n "$is_macro" ]; then
@ -5252,7 +5274,7 @@ process_actions3() {
 			while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
 			    expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec

-			    mtarget=$(merge_levels $xaction2 $mtarget)
+			    mtarget=$(merge_levels $xaction $mtarget)

 			    case $mtarget in
 				PARAM|PARAM:*)
@ -5266,7 +5288,7 @@ process_actions3() {
 					mclients=${xclients}
 					;;
 				    *)
-					mclients=${mclients}:${xclients}
+					mclients=$(merge_macro_source_dest $mclients $xclients)
 					;;
 				esac
 			    else
@ -5279,7 +5301,7 @@ process_actions3() {
 					mservers=${xservers}
 					;;
 				    *)
-					mservers=${mservers}:${xservers}
+					mservers=$(merge_macro_source_dest $mservers $xservers)
 					;;
 				esac
 			    else
@ -6309,7 +6331,7 @@ process_macro() # $1 = target
 		    mclients=${iclients}
 		    ;;
 		*)
-		    mclients=${mclients}:${iclients}
+		    mclients=$(merge_macro_source_dest $mclients $iclients)
 		    ;;
 	    esac
 	else
@ -6322,7 +6344,7 @@ process_macro() # $1 = target
 		    mservers=${iservers}
 		    ;;
 		*)
-		    mservers=${mservers}:${iservers}
+		    mservers=$(merge_macro_source_dest $mservers $iservers)
 		    ;;
 	    esac
 	else
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -7,6 +7,49 @@ Problems Corrected in 3.0.1
   the policy to ACCEPT. This could result in a ruleset that rejected or
   dropped all traffic.

+2) The Makefile was broken such that 'make' didn't always work correctly.
+
+3) If the SOURCE or DEST column in a macro body was non-empty and a dash
+   ("-") appeared in the corresponding column of an invocation of that
+   macro, then an invalid rule was generated.
+
+New Features in 3.0.1
+
+1)  To make the macro facility more flexible, Shorewall now examines the
+    contents of the SOURCE and DEST columns in both the macro body and in
+    the invocation and tries to create the intended rule. If the value in
+    the invocation appears to be an address (IP or MAC) or the name of an
+    ipset, then it is placed after the value in the macro body. Otherwise,
+    it is placed before the value in the macro body.
+
+    Example 1:
+
+    /etc/shorewall/macro.foo:
+
+	PARAM        -            192.168.1.5      tcp    http
+
+    /etc/shorewallrules:
+
+	foo/ACCEPT   net          loc
+
+    Effective rule:
+
+	ACCEPT       net          loc:192.168.1.5   tcp   http
+
+    Example 2:
+
+    /etc/shorewall/macro.bar:
+
+	PARAM        net           loc              tcp    http
+
+    /etc/shorewall/rules:
+
+	bar/ACCEPT   -             192.168.1.5
+
+    Effective rule:
+
+	ACCEPT       net           loc:192.168.1.5  tcp    http
+
 Migration Considerations:

 1) The "monitor" command has been eliminated.