Put this puppy to bed for the night

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2007-03-14 04:06:32 +00:00 · 2007-03-14 04:06:32 +00:00 · ac9fe46768
commit ac9fe46768
parent 0f1892ba28
4 changed files with 256 additions and 233 deletions
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@ -15,11 +15,19 @@ our @EXPORT = qw( add_rule
 		  dynamic_fwd
 		  dynamic_in
 		  dynamic_out
-		  cynamic_chains
+		  dynamic_chains
 		  dnat_chain
 		  snat_chain
 		  ecn_chain
 		  first_chains
 		  new_chain
 		  ensure_chain
 		  ensure_filter_chain
 		  new_standard_chain
 		  new_builtin_chain
 		  initialize_chain_table
 		  dump_chain_table
 		  finish_section
 		  @policy_chains 
 		  %chain_table 
@ -224,4 +232,191 @@ sub first_chains( $ ) #$1 = interface
    [ $c . '_fwd', $c . '_in' ];
 }
 #
 # Create a new chain and return a reference to it.
 #
 sub new_chain($$)
 {
    my ($table, $chain) = @_;
    my %ch;
    my @rules;
    $ch{name} = $chain;
    $ch{log} = 1 if $env{LOGRULENUMBERS};
    $ch{rules} = \@rules;
    $ch{table} = $table;
    $chain_table{$table}{$chain} = \%ch;
    \%ch;
 }
 #
 # Create a chain if it doesn't exist already
 #
 sub ensure_chain($$)
 {
    my ($table, $chain) = @_;
    my $ref =  $chain_table{$table}{$chain};
    return $ref if $ref;
    new_chain $table, $chain;
 }
 sub finish_chain_section( $$ );
 #
 # Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
 #
 sub ensure_filter_chain( $$ )
 {
    my ($chain, $populate) = @_;
    my $chainref = $filter_table->{$chain};
    $chainref = new_chain 'filter' , $chain unless $chainref;
    if ( $populate and ! $chainref->{referenced} ) {
 	if ( $section eq 'NEW' or $section eq 'DONE' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'ESTABLISHED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
 	}
    }
    $chainref->{referenced} = 1;
    $chainref;
 }
 #
 # Add a builtin chain
 #
 sub new_builtin_chain($$$)
 {
    my $chainref = new_chain $_[0],$_[1];
    $chainref->{referenced} = 1;
    $chainref->{policy}     = $_[2];
    $chainref->{builtin}    = 1;
 }
 sub new_standard_chain($) {
    my $chainref = new_chain 'filter' ,$_[0];
    $chainref->{referenced} = 1;
    $chainref;
 }    
 #
 # Add all builtin chains to the chain table
 #
 #
 sub initialize_chain_table()
 {
    for my $chain qw/OUTPUT PREROUTING/ {
 	new_builtin_chain 'raw', $chain, 'ACCEPT';
    }
    for my $chain qw/INPUT OUTPUT FORWARD/ {
 	new_builtin_chain 'filter', $chain, 'DROP';
    }
    for my $chain qw/PREROUTING POSTROUTING OUTPUT/ {
 	new_builtin_chain 'nat', $chain, 'ACCEPT';
    }
    for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
 	new_builtin_chain 'mangle', $chain, 'ACCEPT';
    }
    if ( $capabilities{MANGLE_FORWARD} ) {
 	for my $chain qw/ FORWARD POSTROUTING / {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
    }
 }
 #
 # Dump the contents of the Chain Table
 #
 sub dump_chain_table()
 {
    print "\n";
    for my $table qw/filter nat mangle/ {
 	print "Table: $table\n";
 	for my $chain ( sort keys %{$chain_table{$table}} ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    print "   Chain $chain:\n";
 	    if ( $chainref->{is_policy} ) {
 		print "      This is a policy chain\n";
 		my $val = $chainref->{is_optional} ? 'Yes' : 'No';
 		print "         Optional:  $val\n";
 		print "         Log Level: $chainref->{loglevel}\n" if $chainref->{loglevel};
 		print "         Syn Parms: $chainref->{synparams}\n" if $chainref->{synparams};
 		print "         Default:   $chainref->{default}\n" if $chainref->{default};
 	    }
 	    print "      Policy chain: $chainref->{policychain}{name}\n" if $chainref->{policychain} ;
 	    print "      Policy: $chainref->{policy}\n"                  if $chainref->{policy};
 	    print "      Referenced\n" if $chainref->{referenced};
 	    if ( @{$chainref->{rules}} ) {
 		print "      Rules:\n";
 		for my $rule (  @{$chainref->{rules}} ) {
 		    print "         $rule\n";
 		}
 	    }   
 	}
    }
 }
 #
 # Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain 
 #
 sub finish_chain_section ($$) {
    my ($chainref, $state ) = @_;
    my $chain = $chainref->{name};
    add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
    if ($sections{RELATED} ) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', "\@$chain";
 		if ( $section eq 'DONE' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
 			add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 		    } 
 		} else {
 		    add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 		}
 	    }
 	} else {
 	    my $policychainref = $chainref->{policychain};
 	    if ( $policychainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', "\@$policychainref->{name}";
 		add_rule $synchainref, "-p tcp --syn -j $synchainref->{name}";
 	    }
 	}
    }
 }		    
 #
 # Do section-end processing
 # 
 sub finish_section ( $ ) {
    my $sections = $_[0];
    for my $zone ( @zones ) {
 	for my $zone1 ( @zones ) {
 	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 	    if ( $chainref->{referenced} ) {
 		finish_chain_section $chainref, $sections;
 	    }
 	}
    }
 }
 1;
--- a/New/Shorewall/Common.pm
+++ b/New/Shorewall/Common.pm
@ -1,9 +1,11 @@
 package Shorewall::Common;
 require Exporter;
 use File::Temp qw/ tempfile tempdir /;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(warning_message 
 		 fatal_error
 		 create_temp_object
 		 emit 
 		 emit_unindented
 		 save_progress_message
@ -15,9 +17,9 @@ our @EXPORT = qw(warning_message
 		 pop_indent
 		 copy
 		 copy1
 		 append_file
-		 $line $object $lastlineblank);
+		 $line
 		 $lastlineblank);
 our @EXPORT_OK = ();
 our @VERSION = 1.00;
@ -45,6 +47,18 @@ sub fatal_error
    die;
 }
 sub create_temp_object() {
    my $tempfile;
    eval {
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };
    fatal_error "$@" if $@;
    return $tempfile;
 }
 #
 # Write the argument to the object file (if any) with the current indentation.
 # 
@ -127,6 +141,7 @@ sub save_progress_message_short( $ ) {
 # Functions for copying files into the object
 #
 sub copy( $ ) {
    if ( $object ) {
 	my $file = $_[0];
 	open IF , $file or fatal_error "Unable to open $file: $!";
@ -138,8 +153,10 @@ sub copy( $ ) {
 	close IF;
    }
 }
 sub copy1( $ ) {
    if ( $object ) {
 	my $file = $_[0];
 	open IF , $file or fatal_error "Unable to open $file: $!";
@ -160,16 +177,6 @@ sub copy1( $ ) {
 	close IF;
    }
 sub append_file( $ ) {
    my $user_exit = find_file $_[0];
    unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
 	if ( -f $user_exit ) {
 	    save_progress_message "Processing $user_exit ...";
 	    copy1 $user_exit;
 	}
    }   
 }
 1;
--- a/New/Shorewall/Config.pm
+++ b/New/Shorewall/Config.pm
@ -5,14 +5,14 @@ use warnings;
 use Shorewall::Common;
 our @ISA = qw(Exporter);
-our @EXPORT = qw(find_file do_initialize report_capabilities propagateconfig %config %env %capabilities );
+our @EXPORT = qw(find_file do_initialize report_capabilities propagateconfig append_file %config %env %capabilities );
 our @EXPORT_OK = ();
 our @VERSION = 1.00;
 #
 # From shorewall.conf file
 #
-my %config =     
+our %config =     
              ( STARTUP_ENABLED => undef,
 		VERBOSITY => undef,
 		#
@ -102,7 +102,7 @@ my @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 # Misc Globals
 #
-my %env  =   ( SHAREDIR => '/usr/share/shorewall' ,
+our %env  =   ( SHAREDIR => '/usr/share/shorewall' ,
 	       CONFDIR =>  '/etc/shorewall',
 	       LOGPARMS => '',
 	       VERSION =>  '3.9.0',
@ -111,7 +111,7 @@ my %env  =   ( SHAREDIR => '/usr/share/shorewall' ,
 #
 # From parsing the capabilities file
 #
-my %capabilities = 
+our %capabilities = 
             ( NAT_ENABLED => undef,
 	       MANGLE_ENABLED => undef,
 	       MULTIPORT => undef,
@ -491,4 +491,15 @@ sub propagateconfig() {
    }
 }
-1;
+sub append_file( $ ) {
    my $user_exit = find_file $_[0];
    unless ( $user_exit =~ /$env{SHAREDIR}/ ) {
 	if ( -f $user_exit ) {
 	    save_progress_message "Processing $user_exit ...";
 	    copy1 $user_exit;
 	}
    }   
 }
 ;
--- a/New/compiler.pl
+++ b/New/compiler.pl
@ -134,146 +134,6 @@ my %default_actions = ( DROP     => 'none' ,
 			QUEUE    => 'none' );
 #
 # Create a new chain and return a reference to it.
 #
 sub new_chain($$)
 {
    my ($table, $chain) = @_;
    my %ch;
    my @rules;
    $ch{name} = $chain;
    $ch{log} = 1 if $env{LOGRULENUMBERS};
    $ch{rules} = \@rules;
    $ch{table} = $table;
    $chain_table{$table}{$chain} = \%ch;
    \%ch;
 }
 #
 # Create a chain if it doesn't exist already
 #
 sub ensure_chain($$)
 {
    my ($table, $chain) = @_;
    my $ref =  $chain_table{$table}{$chain};
    return $ref if $ref;
    new_chain $table, $chain;
 }
 sub finish_chain_section( $$ );
 #
 # Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
 #
 sub ensure_filter_chain( $$ )
 {
    my ($chain, $populate) = @_;
    my $chainref = $filter_table->{$chain};
    $chainref = new_chain 'filter' , $chain unless $chainref;
    if ( $populate and ! $chainref->{referenced} ) {
 	if ( $section eq 'NEW' or $section eq 'DONE' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'ESTABLISHED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
 	}
    }
    $chainref->{referenced} = 1;
    $chainref;
 }
 #
 # Add a builtin chain
 #
 sub new_builtin_chain($$$)
 {
    my $chainref = new_chain $_[0],$_[1];
    $chainref->{referenced} = 1;
    $chainref->{policy}     = $_[2];
    $chainref->{builtin}    = 1;
 }
 sub new_standard_chain($) {
    my $chainref = new_chain 'filter' ,$_[0];
    $chainref->{referenced} = 1;
    $chainref;
 }    
 #
 # Add all builtin chains to the chain table
 #
 #
 sub initialize_chain_table()
 {
    for my $chain qw/OUTPUT PREROUTING/ {
 	new_builtin_chain 'raw', $chain, 'ACCEPT';
    }
    for my $chain qw/INPUT OUTPUT FORWARD/ {
 	new_builtin_chain 'filter', $chain, 'DROP';
    }
    for my $chain qw/PREROUTING POSTROUTING OUTPUT/ {
 	new_builtin_chain 'nat', $chain, 'ACCEPT';
    }
    for my $chain qw/PREROUTING INPUT FORWARD OUTPUT POSTROUTING/ {
 	new_builtin_chain 'mangle', $chain, 'ACCEPT';
    }
    if ( $capabilities{MANGLE_FORWARD} ) {
 	for my $chain qw/ FORWARD POSTROUTING / {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
    }
 }
 #
 # Dump the contents of the Chain Table
 #
 sub dump_chain_table()
 {
    print "\n";
    for my $table qw/filter nat mangle/ {
 	print "Table: $table\n";
 	for my $chain ( sort keys %{$chain_table{$table}} ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    print "   Chain $chain:\n";
 	    if ( $chainref->{is_policy} ) {
 		print "      This is a policy chain\n";
 		my $val = $chainref->{is_optional} ? 'Yes' : 'No';
 		print "         Optional:  $val\n";
 		print "         Log Level: $chainref->{loglevel}\n" if $chainref->{loglevel};
 		print "         Syn Parms: $chainref->{synparams}\n" if $chainref->{synparams};
 		print "         Default:   $chainref->{default}\n" if $chainref->{default};
 	    }
 	    print "      Policy chain: $chainref->{policychain}{name}\n" if $chainref->{policychain} ;
 	    print "      Policy: $chainref->{policy}\n"                  if $chainref->{policy};
 	    print "      Referenced\n" if $chainref->{referenced};
 	    if ( @{$chainref->{rules}} ) {
 		print "      Rules:\n";
 		for my $rule (  @{$chainref->{rules}} ) {
 		    print "         $rule\n";
 		}
 	    }   
 	}
    }
 }
 #
 # This function determines the logging for a subordinate action or a rule within a subordinate action
 #
@ -2378,52 +2238,6 @@ sub setup_mac_lists( $ ) {
    }
 }
 #
 # Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain 
 #
 sub finish_chain_section ($$) {
    my ($chainref, $state ) = @_;
    my $chain = $chainref->{name};
    add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
    if ($sections{RELATED} ) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', "\@$chain";
 		if ( $section eq 'DONE' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
 			add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 		    } 
 		} else {
 		    add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
 		}
 	    }
 	} else {
 	    my $policychainref = $chainref->{policychain};
 	    if ( $policychainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', "\@$policychainref->{name}";
 		add_rule $synchainref, "-p tcp --syn -j $synchainref->{name}";
 	    }
 	}
    }
 }		    
 #
 # Do section-end processing
 # 
 sub finish_section ( $ ) {
    my $sections = $_[0];
    for my $zone ( @zones ) {
 	for my $zone1 ( @zones ) {
 	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 	    if ( $chainref->{referenced} ) {
 		finish_chain_section $chainref, $sections;
 	    }
 	}
    }
 }
 #
 # Macro and action files can have shell variables embedded. This function expands them from %ENV.
@ -4600,7 +4414,7 @@ sub generate_script_2 () {
 	    open MF, $mf or fatal_error "Unable to open $mf: $!";
-	    while ( $line = <MF> ) { print $object $line if $line =~ /^\s*loadmodule\b/; }
+	    while ( $line = <MF> ) { emit_unindented $line if $line =~ /^\s*loadmodule\b/; }
 	    close MF;
@ -4678,11 +4492,7 @@ sub compile_firewall( $ ) {
 	fatal_error "$@" if $@;
-	eval {
+	$tempfile = create_temp_object;
 	    ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
 	};
 	fatal_error "$@" if $@;
 	generate_script_1;
    }