Allow reuse of compiler in a single process

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6538 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-13 23:02:39 +00:00
parent a2d51eb156
commit 980ec224a2
16 changed files with 325 additions and 130 deletions


@ -39,6 +39,15 @@ our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our @VERSION = 1.00;
sub initialize() {
our $jumpchainref;
$jumpchainref = undef;
}
INIT {
initialize;
}
#
# Accounting
#
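Review bot: `our $jumpchainref;` inside `initialize()` only creates a block-scoped alias, so if the file-level `our $jumpchainref;` was dropped by this commit, any other sub in Accounting.pm that uses it (setup_accounting's chain-building code is outside this hunk) no longer compiles under `use strict`. Keep the declaration at file scope and reduce the body to `$jumpchainref = undef;`, which is how Chains.pm and Config.pm in this same commit declare globals outside `initialize()` and only assign them inside. If the file-level declaration still exists, the inner `our` is merely redundant and can go.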


@ -48,20 +48,19 @@ our @EXPORT = qw( merge_levels
%default_actions
%actions
);
our @EXPORT_OK = qw( );
our @EXPORT_OK = qw( initialize );
our @VERSION = 1.00;
#
# Used Actions. Each action that is actually used has an entry with value 1.
#
our %usedactions;
## Firewall to DMZ
#
# Default actions for each policy.
#
our %default_actions = ( DROP => 'none' ,
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
our %default_actions;
# Action Table
#
@ -82,6 +81,20 @@ my %logactionchains;
#
# This function determines the logging for a subordinate action or a rule within a superior action
#
sub initialize() {
%default_actions = ( DROP => 'none' ,
REJECT => 'none' ,
ACCEPT => 'none' ,
QUEUE => 'none' );
%actions = ();
%logactionchains = ();
}
INIT {
initialize;
}
sub merge_levels ($$) {
my ( $superior, $subordinate ) = @_;
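Review bot: `%usedactions`, declared at file scope just above the new code, is not cleared by `initialize()`, which resets only `%default_actions`, `%actions` and `%logactionchains`; unless it is emptied somewhere outside these hunks, a reused compiler still considers every action from the previous run as used and will regenerate their chains. Add `%usedactions = ();` next to the other resets. The stray `## Firewall to DMZ` line above `%default_actions` also looks like a leftover paste and could be dropped while here.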


@ -126,7 +126,7 @@ our @EXPORT = qw( STANDARD
$comment
%targets
);
our @EXPORT_OK = ();
our @EXPORT_OK = qw( initialize );
our @VERSION = 1.00;
#
@ -163,32 +163,14 @@ our @VERSION = 1.00;
# 'loglevel', 'synparams' and 'default' only apply to policy chains.
#
our @policy_chains;
our %chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
our %chain_table;
our $nat_table = $chain_table{nat};
our $mangle_table = $chain_table{mangle};
our $filter_table = $chain_table{filter};
#
# These get set to 1 as sections are encountered.
#
our %sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
our $section = 'ESTABLISHED';
#
# Contents of last COMMENT line.
#
our %sections;
our $section;
our $comment = '';
# Target Table. Each entry maps a target to a set of flags defined as follows.
#
use constant { STANDARD => 1, #defined by Netfilter
NATRULE => 2, #Involves NAT
BUILTIN => 4, #A built-in action
@ -199,10 +181,51 @@ use constant { STANDARD => 1, #defined by Netfilter
MACRO => 128, #A Macro
LOGRULE => 256, #'LOG'
};
our %targets;
#
# As new targets (Actions and Macros) are discovered, they are added to the table
# expand_rule() restrictions
#
our %targets = ('ACCEPT' => STANDARD,
use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
};
our $exclseq = 0;
our $iprangematch = 0;
our $chainseq;
sub initialize() {
@policy_chains = ();
%chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
#
# These get set to 1 as sections are encountered.
#
%sections = ( ESTABLISHED => 0,
RELATED => 0,
NEW => 0
);
#
# Current rules file section.
#
$section = 'ESTABLISHED';
#
# Contents of last COMMENT line.
#
$comment = '';
#
# As new targets (Actions and Macros) are discovered, they are added to the table
#
%targets = ('ACCEPT' => STANDARD,
'ACCEPT+' => STANDARD + NONAT,
'ACCEPT!' => STANDARD,
'NONAT' => STANDARD + NONAT + NATONLY,
@ -231,29 +254,24 @@ our %targets = ('ACCEPT' => STANDARD,
'forwardUPnP' => BUILTIN + ACTION,
'Limit' => BUILTIN + ACTION,
);
#
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
#
$exclseq = 0;
#
# Used to suppress duplicate match specifications.
#
$iprangematch = 0;
#
# Sequence for naming temporary chains
#
our $chainseq;
}
INIT {
initialize;
}
#
# expand_rule() restrictions
#
use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
};
#
# Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
#
our $exclseq = 0;
#
# Used to suppress duplicate match specifications.
#
our $iprangematch = 0;
#
# Sequence for naming temporary chains
#
our $chainseq;
#
# Add a run-time command to a chain. Arguments are:
#
@ -644,7 +662,7 @@ sub finish_chain_section ($$) {
}
}
} else {
my $policychainref = $chainref->{policychain};
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
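Review bot: `our $chainseq;` inside `initialize()` re-declares the variable instead of resetting it, so the temporary-chain sequence number survives across compiler runs, unlike `$exclseq` and `$iprangematch` which are explicitly set to 0 just above it; change the line to `$chainseq = undef;` (or whatever value the first run starts from — the initial value is not visible here). With `{policychain}` now holding a name rather than a reference, `my $policychainref = $filter_table->{$chainref->{policychain}};` silently yields undef for a missing or unset policy chain and the following `$policychainref->{synparams}` read autovivifies instead of failing, so a `fatal_error "No policy chain for $chainref->{name}" unless $policychainref;` after the lookup would give a usable diagnostic. finish_chain_section starts and ends outside this hunk.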


@ -60,21 +60,37 @@ our @EXPORT = qw(
$done
$verbose
);
our @EXPORT_OK = qw( $timestamp );
our @EXPORT_OK = qw( $timestamp initialize );
our @VERSION = 1.00;
our $line = ''; # Current config file line
our ( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
our $verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
our $timestamp = ''; # If true, we are to timestamp each progress message
our $object = 0; # Object (script) file Handle Reference
our $lastlineblank = 0; # Avoid extra blank lines in the output
our $indent = ''; # Current indentation
our $line;
our ($command, $doing, $done );
our $verbose;
our $timestamp;
our $object;
our $lastlineblank;
our $indent;
our ( $dir, $file ); # Object's Directory and File
our $tempfile; # Temporary File Name
sub initialize() {
$line = ''; # Current config file line
( $command, $doing, $done ) = qw/ compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
$verbose = 0; # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
$timestamp = ''; # If true, we are to timestamp each progress message
$object = 0; # Object (script) file Handle Reference
$lastlineblank = 0; # Avoid extra blank lines in the output
$indent = ''; # Current indentation
( $dir, $file ) = ('',''); # Object's Directory and File
$tempfile = ''; # Temporary File Name
}
INIT {
initialize;
}
#
# Fatal Error
#
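Review bot: `$object = 0;` and `$tempfile = '';` discard the previous run's script handle and temporary file name without closing or unlinking them, so if an earlier compile in the same process ended through fatal_error before its normal cleanup, the descriptor stays open and the temporary file is orphaned on disk. Unless that cleanup happens elsewhere (not visible in this hunk), consider `close $object if $object;` and `unlink $tempfile if $tempfile ne '';` ahead of the resets. Since `initialize()` now has two callers, a header such as `# Reset this module's globals to startup values; run from INIT and again when Shorewall::Compiler re-enters the compiler in the same process.` would document the contract.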


@ -47,10 +47,27 @@ our @EXPORT = qw( compiler EXPORT TIMESTAMP );
our @EXPORT_OK = qw( $export );
our @VERSION = 1.00;
our $export = 0;
our $export;
our $reused = 0;
use constant { EXPORT => 0x01 ,
TIMESTAMP => 0x02 };
sub initialize() {
Shorewall::Common::initialize;
Shorewall::Config::initialize;
Shorewall::Chains::initialize;
Shorewall::Interfaces::initialize;
Shorewall::Accounting::initialize;
Shorewall::Actions::initialize;
Shorewall::Nat::initialize;
Shorewall::Providers::initialize;
Shorewall::Rules::initialize;
Shorewall::Tc::initialize;
Shorewall::Zones::initialize;
}
#
# First stage of script generation.
#
@ -656,6 +673,10 @@ sub compiler( $$$$ ) {
my ( $objectfile, $directory, $verbosity, $options ) = @_;
$export = 0;
initialize if $reused++;
if ( $directory ne '' ) {
fatal_error "$directory is not an existing directory" unless -d $directory;
set_shorewall_dir( $directory );
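Review bot: `initialize if $reused++;` relies on every module's `INIT { initialize; }` block for the first run, but INIT blocks only execute during interpreter startup — a module pulled in later via `require` or a string `eval` gets a "Too late to run INIT block" warning and its defaults are never applied. Calling `initialize;` unconditionally at the top of compiler() and dropping `$reused` makes the entry point self-contained at the cost of one pass over the defaults. The list inside `initialize()` also omits `Shorewall::Macros::initialize` and `Shorewall::Proxyarp::initialize`, both defined elsewhere in this commit, so `%macros` and `@proxyarp` are not cleared on reuse unless something outside these hunks calls them.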


@ -64,13 +64,60 @@ our @EXPORT = qw(
%protocols
%services );
our @EXPORT_OK = qw( $shorewall_dir );
our @EXPORT_OK = qw( $shorewall_dir initialize );
our @VERSION = 1.00;
#
# Misc Globals
#
our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
our %globals;
#
# From shorewall.conf file
#
our %config;
#
# Config options and global settings that are to be copied to object script
#
our @propagateconfig;
our @propagateenv;
#
# From parsing the capabilities file
#
our %capabilities;
#
# /etc/protocols and /etc/services
#
our %protocols;
our %services;
#
# Capabilities
#
our %capdesc;
#
# Directories to search for configuration files
#
our @config_path;
#
# Stash away file references here when we encounter INCLUDE
#
our @includestack;
#
# Allow nested opens
#
our @openstack;
our $currentfile; # File handle reference
our $currentfilename; # File NAME
our $currentlinenumber; # Line number
our $shorewall_dir; #Shorewall Directory
sub initialize() {
#
# Misc Globals
#
%globals = ( SHAREDIR => '/usr/share/shorewall' ,
CONFDIR => '/etc/shorewall',
SHAREDIRPL => '/usr/share/shorewall-perl/',
ORIGINAL_POLICY_MATCH => '',
@ -78,11 +125,10 @@ our %globals = ( SHAREDIR => '/usr/share/shorewall' ,
TC_SCRIPT => '',
VERSION => '4.0.0-Beta4',
);
#
# From shorewall.conf file
#
our %config =
#
# From shorewall.conf file
#
%config =
( STARTUP_ENABLED => undef,
VERBOSITY => undef,
#
@ -172,16 +218,16 @@ our %config =
TCP_FLAGS_DISPOSITION => undef,
BLACKLIST_DISPOSITION => undef,
);
#
# Config options and global settings that are to be copied to object script
#
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
#
# Config options and global settings that are to be copied to object script
#
@propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
@propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
#
# From parsing the capabilities file
#
our %capabilities =
#
# From parsing the capabilities file
#
%capabilities =
( NAT_ENABLED => undef,
MANGLE_ENABLED => undef,
MULTIPORT => undef,
@ -210,16 +256,15 @@ our %capabilities =
COMMENTS => undef,
ADDRTYPE => undef,
);
#
# /etc/protocols and /etc/services
#
our %protocols;
our %services;
#
# Capabilities
#
our %capdesc = ( NAT_ENABLED => 'NAT',
#
# /etc/protocols and /etc/services
#
%protocols = ();
%services = ();
#
# Capabilities
#
%capdesc = ( NAT_ENABLED => 'NAT',
MANGLE_ENABLED => 'Packet Mangling',
MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match',
@ -247,24 +292,29 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
COMMENTS => 'Comments',
ADDRTYPE => 'Address Type Match',
);
#
# Directories to search for configuration files
#
our @config_path;
#
# Stash away file references here when we encounter INCLUDE
#
our @includestack;
#
# Allow nested opens
#
our @openstack;
#
# Directories to search for configuration files
#
@config_path = ();
#
# Stash away file references here when we encounter INCLUDE
#
@includestack = ();
#
# Allow nested opens
#
@openstack = ();
our $currentfile; # File handle reference
our $currentfilename; # File NAME
our $currentlinenumber = 0; # Line number
$currentfile = undef; # File handle reference
$currentfilename = ''; # File NAME
$currentlinenumber = 0; # Line number
our $shorewall_dir = ''; #Shorewall Directory
$shorewall_dir = ''; #Shorewall Directory
}
INIT {
initialize;
}
#
# Issue a Warning Message
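Review bot: `initialize()` now owns roughly 250 lines of defaults but nothing states when it runs or that reading `%config`/`%capabilities` before it is an error; a header such as `# (Re)set every package global to its startup value. Called from INIT and again by Shorewall::Compiler::initialize when the compiler is reused in one process; nothing here may depend on a previous run.` would make that explicit. The `%config`, `%capabilities` and `%capdesc` tables are pure data, so they could be defined once as file-scoped `my %config_defaults = ( ... );` and copied with `%config = %config_defaults;` inside `initialize()`, which keeps the reset logic short and avoids repeating the section comments. Resetting `@openstack` and `@includestack` also drops any handles left over from an aborted INCLUDE chain; that is fine if they hold lexical handle refs that close on release, but a one-line comment saying so would save the next reader the check.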


@ -46,7 +46,7 @@ our @EXPORT = qw( add_group_to_zone
@interfaces
@bridges );
our @EXPORT_OK = ();
our @EXPORT_OK = qw( initialize );
our @VERSION = 1.00;
#
@ -67,6 +67,16 @@ our @interfaces;
our %interfaces;
our @bridges;
sub initialize() {
@interfaces = ();
%interfaces = ();
@bridges = ();
}
INIT {
initialize;
}
sub add_group_to_zone($$$$$)
{
my ($zone, $type, $interface, $networks, $options) = @_;
@ -323,7 +333,7 @@ sub validate_interfaces_file( $ )
my @networks;
if ( $options{detectnets} ) {
fatal_error "The 'detectnets' option is not allowed with multi-zone interface" unless $zone;
fatal_error "The 'detectnets' option is not allowed on a multi-zone interface" unless $zone;
fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
@networks = get_routed_networks( $interface, 'detectnets not allowed on interface with default route' );


@ -45,6 +45,14 @@ our @VERSION = 1.00;
our %macros;
sub initialize() {
%macros = ();
}
INIT {
initialize;
}
#
# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
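Review bot: `%macros` caches the fully-qualified path of each macro file found (per the comment below), yet nothing visible calls `Shorewall::Macros::initialize` on reuse — the `INIT` block runs only at startup and the list in `Shorewall::Compiler::initialize` in this commit does not include this module. A second compile in the same process with a different `$directory` would therefore resolve macro names to files from the previous configuration directory, which is both a correctness problem and a trust-boundary one if the two directories belong to different administrators. Add `Shorewall::Macros::initialize;` to the compiler's list, or rebuild `%macros` whenever `@config_path` changes.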


@ -43,6 +43,15 @@ our @VERSION = 1.00;
our @addresses_to_add;
our %addresses_to_add;
sub initialize() {
@addresses_to_add = ();
%addresses_to_add = ();
}
INIT {
initialize;
}
#
# Handle IPSEC Options in a masq record
#


@ -50,7 +50,9 @@ sub new_policy_chain($$$)
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{is_optional} = $optional;
$chainref->{policychain} = $chainref;
$chainref->{policychain} = $chain;
$chainref;
}
#
@ -63,7 +65,7 @@ sub set_policy_chain($$$)
my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) {
$chainref1->{policychain} = $chainref;
$chainref1->{policychain} = $chainref->{name};
$chainref1->{policy} = $policy;
}
}
@ -208,7 +210,7 @@ sub validate_policy()
} else {
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{policy_chain} = $chainref;
$chainref->{policychain} = $chain;
push @policy_chains, ( $chainref );
}
} else {
@ -266,7 +268,7 @@ sub report_syn_flood_protection() {
sub default_policy( $$$ ) {
my $chainref = $_[0];
my $policyref = $chainref->{policychain};
my $policyref = $filter_table->{$chainref->{policychain}};
my $synparams = $policyref->{synparams};
my $default = $policyref->{default};
my $policy = $policyref->{policy};
@ -350,7 +352,7 @@ sub complete_standard_chain ( $$$ ) {
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
my $policychainref;
$policychainref = $ruleschainref->{policychain} if $ruleschainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
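Review bot: `$filter_table->{$chainref->{policychain}}` is now spelled out at several call sites across Policy.pm, Chains.pm and Rules.pm with no check that the name resolves; when `{policychain}` is unset or names a chain that was never created, `$policyref` is undef and the following `$policyref->{synparams}` reads autovivify it silently instead of failing. A small accessor in Chains.pm, `sub policy_chain_ref( $ ) { my $c = shift; return $filter_table->{$c->{policychain}} || fatal_error "No policy chain for $c->{name}"; }`, would centralise the lookup and turn a stale name into a diagnostic. The `policy_chain` → `policychain` change in validate_policy also fixes a pre-existing key typo and deserves a mention in the commit message, since that path previously never set the key the rest of the code reads.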


@ -46,9 +46,6 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( );
our @VERSION = 1.00;
our %macros;
#
# ARP Filtering
#


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces);
our @EXPORT_OK = ( );
our @EXPORT_OK = qw( initialize );
our @VERSION = 1.00;
use constant { LOCAL_NUMBER => 255,
@ -47,16 +47,30 @@ use constant { LOCAL_NUMBER => 255,
our %routemarked_interfaces;
our @routemarked_interfaces;
my $balance = 0;
my $first_default_route = 1;
our $balance;
our $first_default_route;
our %providers;
my %providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 } ,
main => { number => MAIN_NUMBER , mark => 0 } ,
default => { number => DEFAULT_NUMBER , mark => 0 } ,
unspec => { number => UNSPEC_NUMBER , mark => 0 } );
our @providers;
my @providers;
sub initialize() {
@providers = ();
%routemarked_interfaces = ();
@routemarked_interfaces = ();
$balance = 0;
$first_default_route = 1;
%providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 } ,
main => { number => MAIN_NUMBER , mark => 0 } ,
default => { number => DEFAULT_NUMBER , mark => 0 } ,
unspec => { number => UNSPEC_NUMBER , mark => 0 } );
@providers = ();
}
INIT {
initialize;
}
#
# Set up marking for 'tracked' interfaces. Unlike in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.
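Review bot: `@providers = ();` appears twice in `initialize()`, as its first and last statement; drop the duplicate. Changing `%providers`, `@providers`, `$balance` and `$first_default_route` from `my` to `our` widens them from file-private lexicals to package globals reachable as `$Shorewall::Providers::balance` and friends; if the only motivation is that `initialize()` must assign them, file-scoped `my` variables are already visible to subs in the same file, so the `my` declarations could stay and keep the surface smaller.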


@ -40,6 +40,10 @@ our @VERSION = 1.00;
our @proxyarp;
sub initialize() {
@proxyarp = ();
}
sub setup_one_proxy_arp( $$$$$ ) {
my ( $address, $interface, $external, $haveroute, $persistent) = @_;
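Review bot: the new `initialize()` here has neither an `INIT { initialize; }` block nor an entry in the list called by `Shorewall::Compiler::initialize` in this commit, so as far as these hunks show it is never invoked and `@proxyarp` entries from a previous compile would be emitted again on reuse. Add `Shorewall::Proxyarp::initialize;` to the compiler's list; the INIT block is not strictly needed since `our @proxyarp;` starts empty, which is the same assumption Tc.pm makes. setup_one_proxy_arp continues beyond the hunk.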


@ -50,7 +50,7 @@ our @EXPORT = qw( process_tos
setup_mss
dump_rule_chains
);
our @EXPORT_OK = qw( process_rule process_rule1 );
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our @VERSION = 1.00;
#
@ -60,7 +60,16 @@ our @rule_chains;
#
# Set to one if we find a SECTION
#
our $sectioned = 0;
our $sectioned;
sub initialize() {
@rule_chains = ();
$sectioned = 0;
}
INIT {
initialize;
}
use constant { MAX_MACRO_NEST_LEVEL => 5 };
@ -1007,7 +1016,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# Handle Optimization
#
if ( $optimize > 0 ) {
my $loglevel = $chainref->{policychain}{loglevel};
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}";
} else {
@ -1335,7 +1344,7 @@ sub generate_matrix() {
return 'ACCEPT' if $zone eq $zone1;
if ( $chainref->{policy} ne 'CONTINUE' ) {
my $policyref = $chainref->{policychain};
my $policyref = $filter_table->{$chainref->{policychain}};
return $policyref->{name} if $policyref;
fatal_error "No policy defined for zone $zone to zone $zone1";
}
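Review bot: `$filter_table->{$chainref->{policychain}}{loglevel}` autovivifies `$filter_table->{''}` as an empty hash when `{policychain}` is unset, which the old `$chainref->{policychain}{loglevel}` never did to the shared filter table, so a later pass over `%$filter_table` could meet a nameless chain; guard it with `my $policyref = $filter_table->{$chainref->{policychain}}; my $loglevel = $policyref ? $policyref->{loglevel} : '';`. Separately, the untouched line `return 1 if $target eq "${policy}:$loglevel}";` has a stray `}` inside the string literal, so the comparison can never match and this optimization never fires — presumably `"${policy}:$loglevel"` was intended. process_rule1 and generate_matrix both extend well beyond these hunks.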


@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule );
our @EXPORT_OK = qw( process_tc_rule initialize );
our @VERSION = 1.00;
our %tcs = ( T => { chain => 'tcpost',
@ -123,6 +123,11 @@ our %classids;
our @deferred_rules;
sub initialize() {
%classids = ();
@deferred_rules = ();
}
sub process_tc_rule( $$$$$$$$$$ ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = @_;


@ -47,7 +47,7 @@ our @EXPORT = qw( NOTHING
$firewall_zone
%interfaces );
our @EXPORT_OK = ();
our @EXPORT_OK = qw( initialize );
our @VERSION = 1.00;
#
@ -114,6 +114,16 @@ our %reservedName = ( all => 1,
SOURCE => 1,
DEST => 1 );
sub initialize() {
@zones = ();
%zones = ();
%interfaces = ();
}
INIT {
initialize;
}
#
# Parse the passed option list and return a reference to a hash as follows:
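Review bot: `$firewall_zone`, exported from this module (visible in the `@EXPORT` context above), is not reset by the new `initialize()`, which clears only `@zones`, `%zones` and `%interfaces`; if zone parsing assigns it only when a firewall zone is found, a reused compiler would carry the previous configuration's firewall zone name into a run whose zones file defines none, and rules would be generated for the wrong zone. Add `$firewall_zone = '';` (or undef, whichever value the first run starts from) to the resets. The same check applies to any other exported scalar in this module that the hunk does not show.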
#