Implement library load on demand

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4400 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-08-22 20:20:42 +00:00
parent 6ab40df245
commit 94ad76f97d
13 changed files with 131 additions and 113 deletions


@ -235,8 +235,6 @@ setup_accounting() # $1 = Name of accounting file
save_progress_message "Setting up Accounting..." save_progress_message "Setting up Accounting..."
strip_file accounting $1
while read action chain source dest proto port sport user ; do while read action chain source dest proto port sport user ; do
expandv action chain source dest proto port sport user expandv action chain source dest proto port sport user
process_accounting_rule process_accounting_rule


@ -38,8 +38,6 @@ setup_ecn() # $1 = file name
local hosts= local hosts=
local h local h
strip_file ecn $1
progress_message2 "$DOING $1..." progress_message2 "$DOING $1..."
while read interface host; do while read interface host; do


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 3.2 -- /usr/share/shorewall/clib.proxyarp # Shorewall 3.2 -- /usr/share/shorewall/clib.maclist
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #


@ -302,8 +302,6 @@ __EOF__
default_number=253 default_number=253
unspec_number=0 unspec_number=0
strip_file providers $1
if [ -s $TMP_DIR/providers ]; then if [ -s $TMP_DIR/providers ]; then
balance= balance=


@ -48,8 +48,6 @@ setup_tc1() {
# #
# Process the TC Rules File # Process the TC Rules File
# #
strip_file tcrules
while read mark sources dests proto ports sports user testval length tos; do while read mark sources dests proto ports sports user testval length tos; do
expandv mark sources dests proto ports sports user testval length tos expandv mark sources dests proto ports sports user testval length tos
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos") rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")


@ -198,8 +198,6 @@ process_tos() # $1 = name of tos file
{ {
progress_message2 "$DOING $1..." progress_message2 "$DOING $1..."
strip_file tos $1
if [ -s $TMP_DIR/tos ] ; then if [ -s $TMP_DIR/tos ] ; then
createmanglechain pretos createmanglechain pretos
createmanglechain outtos createmanglechain outtos


@ -102,7 +102,6 @@ setup_ipsec() {
;; ;;
*) *)
f=$IPSECFILE f=$IPSECFILE
strip_file $f
progress_message2 "$DOING $f..." progress_message2 "$DOING $f..."
using_ipsec=Yes using_ipsec=Yes
;; ;;
@ -476,8 +475,6 @@ setup_tunnels() # $1 = name of tunnels file
progress_message_and_save " GENERIC tunnel to $1:$p defined." progress_message_and_save " GENERIC tunnel to $1:$p defined."
} }
strip_file tunnels $1
while read kind z gateway z1; do while read kind z gateway z1; do
expandv kind z gateway z1 expandv kind z gateway z1
tunnel="$(echo $kind $z $gateway $z1)" tunnel="$(echo $kind $z $gateway $z1)"
@ -594,8 +591,6 @@ setup_tunnels() # $1 = name of tunnels file
progress_message_and_save " GENERIC tunnel to $1:$p defined." progress_message_and_save " GENERIC tunnel to $1:$p defined."
} }
strip_file tunnels $1
while read kind z gateway z1; do while read kind z gateway z1; do
expandv kind z gateway z1 expandv kind z gateway z1
tunnel="$(echo $kind $z $gateway $z1)" tunnel="$(echo $kind $z $gateway $z1)"


@ -40,6 +40,7 @@
# SHOREWALL_DIR A directory name was passed to /sbin/shorewall # SHOREWALL_DIR A directory name was passed to /sbin/shorewall
# VERBOSE Standard Shorewall verbosity control. # VERBOSE Standard Shorewall verbosity control.
#
# Fatal error -- stops the compiler after issuing the error message # Fatal error -- stops the compiler after issuing the error message
# #
fatal_error() # $* = Error Message fatal_error() # $* = Error Message
@ -51,6 +52,36 @@ fatal_error() # $* = Error Message
exit 2 exit 2
} }
#
# Load a compile-time library
#
clib_load() # $1 = library name, $2=name of 'loaded' symbol, $3-n = Fatal Error Message
{
eval local loaded="\$${2}"
local clib=${SHAREDIR}/clib.${1}
if [ -z "$loaded" ]; then
if [ -x $clib ]; then
. $clib
else
shift 2
fatal_error "$@"
fi
fi
}
try_clib_load() # $1 = library name, $2=name of 'loaded' symbol
{
eval local loaded="\$${2}"
local clib=${SHAREDIR}/clib.${1}
if [ -z "$loaded" ]; then
[ -x $clib ] && . $clib
fi
}
# #
# Write the passed args to the compiler output file. # Write the passed args to the compiler output file.
# #
@ -460,8 +491,6 @@ determine_zones()
fi fi
} }
strip_file zones
ZONES= ZONES=
IPV4_ZONES= IPV4_ZONES=
IPSEC_ZONES= IPSEC_ZONES=
@ -511,7 +540,7 @@ determine_zones()
ipsec|IPSEC|ipsec4|IPSEC4) ipsec|IPSEC|ipsec4|IPSEC4)
list_search $zone $ZONES $FW && fatal_error "Zone $zone is defined more than once" list_search $zone $ZONES $FW && fatal_error "Zone $zone is defined more than once"
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
[ -n "$CLIB_TUNNELS_LOADED" ] || fatal_error "Shorewall clib.tunnels module not loaded" clib_load tunnels CLIB_TUNNELS_LOADED "The $type zone type requires Shorewall compiler module clib.tunnels which is not installed"
eval ${zone}_is_ipsec=Yes eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes eval ${zone}_is_complex=Yes
merge_zone merge_zone
@ -1116,12 +1145,10 @@ validate_hosts_file() {
norfc1918|blacklist|tcpflags|nosmurfs|-) norfc1918|blacklist|tcpflags|nosmurfs|-)
;; ;;
maclist) maclist)
[ -n "$CLIB_MACLIST_LOADED" ] || \ clib_load maclist CLIB_MACLIST_LOADED "The maclist host option requires Shorewall compiler module clib.maclist which is not installed"
fatal_error "Shorewall module clib.maclist not loaded"
;; ;;
ipsec) ipsec)
[ -n "$CLIB_TUNNELS_LOADED" ] || \ clib_load tunnels CLIB_TUNNELS_LOADED "The ipsec host option requires Shorewall compiler module clib.tunnels which is not installed"
fatal_error "Shorewall module clib.tunnels not loaded"
[ -n "$POLICY_MATCH" ] || \ [ -n "$POLICY_MATCH" ] || \
fatal_error "Your kernel and/or iptables does not support policy match: ipsec" fatal_error "Your kernel and/or iptables does not support policy match: ipsec"
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
@ -1209,8 +1236,6 @@ validate_policy()
fi fi
done done
strip_file policy
while read client server policy loglevel synparams; do while read client server policy loglevel synparams; do
expandv client server policy loglevel synparams expandv client server policy loglevel synparams
@ -1505,8 +1530,6 @@ process_criticalhosts()
{ {
local hosts= interface host h options networks criticalhosts= local hosts= interface host h options networks criticalhosts=
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
while read interface host options; do while read interface host options; do
expandv interface host options expandv interface host options
@ -2456,10 +2479,6 @@ process_actions1() {
USEDACTIONS= USEDACTIONS=
strip_file actions
strip_file actions.std ${SHAREDIR}/actions.std
for inputfile in actions.std actions; do for inputfile in actions.std actions; do
while read xaction rest; do while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
@ -2506,6 +2525,7 @@ process_actions1() {
eval requiredby=\"\$requiredby_${xaction}\" eval requiredby=\"\$requiredby_${xaction}\"
list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\" list_search $xtarget $requiredby || eval requiredby_${xaction}=\"$requiredby $xtarget\"
else else
try_clib_load macros CLIB_MACROS_LOADED
if [ -n "$CLIB_MACROS_LOADED" ]; then if [ -n "$CLIB_MACROS_LOADED" ]; then
verify_macro_from_action verify_macro_from_action
else else
@ -3900,6 +3920,8 @@ process_rules()
;; ;;
esac esac
try_clib_load macros CLIB_MACROS_LOADED
if [ -n "$CLIB_MACROS_LOADED" ]; then if [ -n "$CLIB_MACROS_LOADED" ]; then
f=macro.$xtarget1 f=macro.$xtarget1
@ -3918,7 +3940,7 @@ process_rules()
fi fi
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\" (do you need the clib.macros Shorewall compile-time library?)"
fi fi
fi fi
;; ;;
@ -4537,8 +4559,6 @@ __EOF__
} }
strip_file masq $1
if [ -n "$NAT_ENABLED" ]; then if [ -n "$NAT_ENABLED" ]; then
progress_message2 "$DOING Masquerading/SNAT" progress_message2 "$DOING Masquerading/SNAT"
save_progress_message "Setting up Masquerading/SNAT..." save_progress_message "Setting up Masquerading/SNAT..."
@ -4654,15 +4674,12 @@ process_blacklist_rec() {
# #
setup_blacklist() { setup_blacklist() {
local hosts="$(find_hosts_by_option blacklist)" local hosts="$(find_hosts_by_option blacklist)"
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
local ipsec policy local ipsec policy
if [ -n "$hosts" -a -f $f ]; then if [ -n "$hosts" -a -s $TMP_DIR/blacklist ]; then
progress_message2 "$DOING Blacklisting..." progress_message2 "$DOING Blacklisting..."
strip_file blacklist $f
createchain blacklst no createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
@ -4698,14 +4715,11 @@ setup_blacklist() {
# Refresh the Black List # Refresh the Black List
# #
refresh_blacklist() { refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
progress_message2 "$DOING Black List..." progress_message2 "$DOING Black List..."
save_progress_message "Loading Black List..." save_progress_message "Loading Black List..."
strip_file blacklist $f
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
run_iptables -F blacklst run_iptables -F blacklst
@ -4720,13 +4734,10 @@ refresh_blacklist() {
# Verify the Black List # Verify the Black List
# #
validate_blacklist() { validate_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
progress_message2 "Checking Black List..." progress_message2 "Checking Black List..."
strip_file blacklist $f
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
while read networks protocol ports; do while read networks protocol ports; do
@ -4809,12 +4820,6 @@ initialize_netfilter () {
# accepting new connections. # accepting new connections.
# #
strip_file rules
[ -n "$CLIB_PROXYARP_LOADED" ] && strip_file proxyarp
[ -n "$CLIB_MACLIST_LOADED" ] && strip_file maclist
strip_file nat
strip_file netmap
progress_message2 "Pre-processing Actions..." progress_message2 "Pre-processing Actions..."
process_actions1 process_actions1
@ -4847,7 +4852,7 @@ initialize_netfilter () {
done done
fi fi
[ -n "$CLIB_TCRULES_LOADED" ] && [ -n "$CLEAR_TC" ] && delete_tc [ -n "$CLIB_TCRULES_LOADED" -a -n "$CLEAR_TC" ] && delete_tc
progress_message2 "Deleting user chains..." progress_message2 "Deleting user chains..."
@ -4909,8 +4914,6 @@ initialize_netfilter () {
progress_message2 "$DOING $f ..." progress_message2 "$DOING $f ..."
strip_file routestopped $f
process_routestopped -A process_routestopped -A
if [ -n "$DISABLE_IPV6" ]; then if [ -n "$DISABLE_IPV6" ]; then
@ -4935,8 +4938,7 @@ initialize_netfilter () {
if [ -n "$CLIB_ACCOUNTING_LOADED" ]; then if [ -n "$CLIB_ACCOUNTING_LOADED" ]; then
accounting_file=$(find_file accounting) accounting_file=$(find_file accounting)
setup_accounting $accounting_file
[ -f $accounting_file ] && setup_accounting $accounting_file
fi fi
createchain reject no createchain reject no
@ -5125,8 +5127,6 @@ __EOF__
save_progress_message "Setting up RFC1918 Filtering..." save_progress_message "Setting up RFC1918 Filtering..."
strip_file rfc1918
createchain norfc1918 no createchain norfc1918 no
createchain rfc1918 no createchain rfc1918 no
@ -6423,11 +6423,9 @@ __EOF__
if [ -n "$CLIB_TUNNELS_LOADED" ]; then if [ -n "$CLIB_TUNNELS_LOADED" ]; then
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
if [ -f $tunnels ]; then progress_message2 "$DOING $tunnels..."
progress_message2 "$DOING $tunnels..." save_progress_message "Setting up Tunnels..."
save_progress_message "Setting up Tunnels..." setup_tunnels $tunnels
setup_tunnels $tunnels
fi
fi fi
save_progress_message "Setting up Actions..." save_progress_message "Setting up Actions..."
@ -6475,13 +6473,15 @@ __EOF__
save_command add_ip_aliases $ALIASES_TO_ADD save_command add_ip_aliases $ALIASES_TO_ADD
fi fi
if [ -n "$CLIB_PROXYARP_LOADED" ]; then files="zones nat"
for file in chains nat proxyarp zones; do
save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__" [ -n "$CLIB_PROXYARP_LOADED" ] && files="$files proxyarp"
cat $STATEDIR/$file >&3
save_command_unindented __EOF__ for file in chains $files; do
done save_command "cat > \${VARDIR}/$file $LEFTSHIFT __EOF__"
fi cat $STATEDIR/$file >&3
save_command_unindented __EOF__
done
cat >&3 << __EOF__ cat >&3 << __EOF__
@ -6737,18 +6737,6 @@ do_initialize() {
else else
fatal_error "$FUNCTIONS does not exist!" fatal_error "$FUNCTIONS does not exist!"
fi fi
#
# Load compiler libraries
#
for clib in ${SHAREDIR}/clib.*; do
case $clib in
${SHAREDIR}/clib.\*)
;;
*)
. $clib
;;
esac
done
TMP_DIR=$(mktempdir) TMP_DIR=$(mktempdir)
@ -6974,10 +6962,45 @@ do_initialize() {
[ -n "${RESTOREFILE:=restore}" ] [ -n "${RESTOREFILE:=restore}" ]
# #
# Strip the files that we use often # Strip the files and load modules
# #
strip_file zones
strip_file policy
strip_file interfaces strip_file interfaces
strip_file hosts strip_file hosts
strip_file routestopped
strip_file actions
strip_file actions.std ${SHAREDIR}/actions.std
strip_file masq
strip_file blacklist
strip_file rules
strip_file proxyarp
[ -s $TMP_DIR/proxyarp ] && clib_load proxyarp CLIB_PROXYARP_LOADED "Use of the proxyarp file requires the Shorewall clib.proxyarp modules which is not installed"
strip_file maclist
[ -s $TMP_DIR/maclist ] && clib_load maclist CLIB_MACLIST_LOADED "Use of the maclist file requires the Shorewall clib.maclist modules which is not installed"
strip_file nat
strip_file netmap
strip_file tcrules
if [ -s $TMP_DIR/tcrules ]; then
clib_load tcrules CLIB_TCRULES_LOADED "Entries in the tcrules file require Shorewall compiler module clib.tcrules which is not installed"
lib_load tcrules LIB_TCRULES_LOADED "Entries in the tcrules file require Shorewall library module lib.tcrules which is not installed"
fi
strip_file rfc1918
strip_file accounting
[ -s $TMP_DIR/accounting ] && clib_load accounting CLIB_ACCOUNTING_LOADED "Entries in the accounting file require Shorewall compiler module clib.accounting which is not installed"
strip_file ecn
[ -s $TMP_DIR/ecn ] && clib_load ecn CLIB_ECN_LOADED "Entries in the ecn file require Shorewall compiler module clib.ecn which is not installed"
strip_file providers
[ -s $TMP_DIR/providers ] && clib_load providers CLIB_PROVIDERS_LOADED "Entries in the providers file require Shorewall compiler module clib.providers which is not installed"
strip_file tos
[ -s $TMP_DIR/tos ] && clib_load tos CLIB_TOS_LOADED "Entries in the tos file require Shorewall compiler module clib.tos which is not installed"
strip_file ipsec
[ -s $TMP_DIR/ipsec ] && clib_load tunnels CLIB_TUNNELS_LOADED "Entries in the ipsec file require Shorewall compiler module clib.tunnels which is not installed"
strip_file tunnels
[ -s $TMP_DIR/tunnels ] && clib_load tunnels CLIB_TUNNELS_LOADED "Entries in the tunnels file require Shorewall compiler module clib.tunnels which is not installed"
strip_file tcdevices $devfile
[ -s $TMP_DIR/tcdevices ] && lib_load tc LIB_TC_LOADED "Entries in the tcdevices file require Shorewall library module lib.tc which is not installed"
strip_file tcclasses $classfile
# #
# Check out the user's shell # Check out the user's shell
# #
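Review bot: clib_load (hunk at @ -51,6 +52,36) never sets the symbol named by $2 after a successful `. $clib`, so the once-only guard depends entirely on each clib.* file assigning its own CLIB_*_LOADED marker (the way lib.base now ends with `LIB_BASE_LOADED=Yes`); a library that omits it is re-sourced on every call, and try_clib_load has the same dependency. Adding `eval ${2}=Yes` after the `. $clib` line in both functions makes the guard self-contained, and since $2 is expanded inside eval it deserves the comment `# $2 must be a literal identifier, never caller-supplied data` — every call on this page passes a constant. The `-x` test is also stricter than the old do_initialize loop at @ -6737,18, which sourced every ${SHAREDIR}/clib.* regardless of mode, so an installed but non-executable library now produces the "not installed" fatal error; `-f` (or `-r`) would preserve the previous behaviour. The final do_initialize hunk ends the section but the function itself continues outside it.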


@ -1578,16 +1578,26 @@ refresh_tc() {
# #
strip_file tcrules strip_file tcrules
while read mark sources dests proto ports sports user testval; do if [ -s $TMP_DIR/tcrules ]; then
expandv mark sources dests proto ports sports user testval tos lib_load tcrules LIB_TCRULES_LOADED "Entries in the tcrules file require the Shorewall library lib.tcrules which is not installed"
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
process_tc_rule while read mark sources dests proto ports sports user testval; do
done < $TMP_DIR/tcrules expandv mark sources dests proto ports sports user testval tos
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $tos")
process_tc_rule
done < $TMP_DIR/tcrules
fi
if [ -n "$TC_SCRIPT" ]; then if [ -n "$TC_SCRIPT" ]; then
run_user_exit $TC_SCRIPT run_user_exit $TC_SCRIPT
elif [ -n "$TC_ENABLED" ]; then elif [ -n "$TC_ENABLED" ]; then
setup_traffic_shaping strip_file tcdevices
strip_file tcclasses
if [ -s $TMP_DIR/tcdevices ]; then
lib_load tc LIB_TC_LOADED "Entries in the tcdevices file require the Shorewall library lib.tc which is not installed"
setup_traffic_shaping
fi
fi fi
} }
@ -1615,6 +1625,8 @@ refresh_firewall()
# #
# Blacklist # Blacklist
# #
strip_file blacklist
refresh_blacklist refresh_blacklist
ecn=$(find_file ecn) ecn=$(find_file ecn)
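Review bot: In refresh_tc the new `strip_file tcdevices` and `strip_file tcclasses` calls pass no second argument, whereas the compiler's do_initialize strips the same files as `strip_file tcdevices $devfile` and `strip_file tcclasses $classfile`, and the calls removed from setup_traffic_shaping also passed $devfile/$classfile. If strip_file's second argument selects the source file, refresh_tc may process a different file from the one the compiler validated; please confirm what strip_file uses when the argument is omitted, or pass the same variables here. setup_traffic_shaping is also now skipped entirely when tcdevices is empty, where it previously ran unconditionally under TC_ENABLED; if that is intended, a comment such as `# nothing to shape without tcdevices entries` above the test would make it explicit. refresh_tc starts outside the hunk.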


@ -23,29 +23,29 @@
LIBVERSION=30192 LIBVERSION=30192
#
# Load a run-time library
#
lib_load() # $1 = library name, $2=name of 'loaded' symbol, $3-n = Fatal Error Message
{
eval local loaded="\$${2}"
local lib=${SHAREDIR}/lib.${1}
if [ -z "$loaded" ]; then
if [ -x $lib ]; then
. $lib
else
shift 2
fatal_error "$@"
fi
fi
}
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
[ -n "${CONFDIR:=/etc/shorewall}" ] [ -n "${CONFDIR:=/etc/shorewall}" ]
SHOREWALL_LIBRARY=Loaded SHOREWALL_LIBRARY=Loaded
if [ $# -gt 0 ]; then lib_load base base LIB_BASE_LOADED "Installation Error: ${SHAREDIR}/lib.base not found"
#
# Load a specific set of libraries
#
for lib in $@; do
. ${SHAREDIR}/lib.${lib}
done
else
for lib in ${SHAREDIR}/lib.*; do
case $lib in
${SHAREDIR}/lib.\*)
echo " ERROR: ${SHAREDIR}/lib.\* not found" >&2
exit 2
;;
*)
. $lib
;;
esac
done
fi
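Review bot: The new call `lib_load base base LIB_BASE_LOADED "Installation Error: ..."` passes one argument too many for lib_load's own signature ($1 = library, $2 = loaded symbol, $3-n = message): $2 becomes `base`, so the guard evaluates `$base` instead of LIB_BASE_LOADED and the fatal message would begin with the literal text LIB_BASE_LOADED. It should read `lib_load base LIB_BASE_LOADED "Installation Error: ${SHAREDIR}/lib.base not found"`. Separately, lib_load's error path calls fatal_error, which is not defined in this file and was not needed by the echo/exit 2 code it replaces; when functions is sourced from /sbin/shorewall before lib.base has been loaded, fatal_error is presumably not yet available, so the installation-error path would fail with a command-not-found rather than the intended message — worth confirming where fatal_error is defined for that caller.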


@ -1576,3 +1576,5 @@ get_device_mtu() # $1 = device
echo 1500 echo 1500
fi fi
} }
LIB_BASE_LOADED=Yes


@ -305,9 +305,6 @@ setup_traffic_shaping()
return 0 return 0
} }
strip_file tcdevices $devfile
strip_file tcclasses $classfile
validate_tcdevices_file validate_tcdevices_file
validate_tcclasses_file validate_tcclasses_file


@ -1683,10 +1683,9 @@ FIREWALL=$SHAREDIR/firewall
FUNCTIONS=$SHAREDIR/functions FUNCTIONS=$SHAREDIR/functions
VERSION_FILE=$SHAREDIR/version VERSION_FILE=$SHAREDIR/version
HELP=$SHAREDIR/help HELP=$SHAREDIR/help
LIBRARIES="base"
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
. $FUNCTIONS $LIBRARIES . $FUNCTIONS
else else
echo " ERROR: $FUNCTIONS does not exist!" >&2 echo " ERROR: $FUNCTIONS does not exist!" >&2
exit 2 exit 2