Add PERL_HASH_SEED option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-22 05:28:59 +01:00 · 2017-05-02 07:51:37 -07:00 · 2017-05-02 07:51:37 -07:00 · bb70a3637b
commit bb70a3637b
parent 6c20cc7c4f
14 changed files with 74 additions and 2 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -907,6 +907,7 @@ sub initialize( $;$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
 	  #
 	  # Packet Disposition
 	  #
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -217,6 +217,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=Yes
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -228,6 +228,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -225,6 +225,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -228,6 +228,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -217,6 +217,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@ -341,6 +341,18 @@ get_config() {
 	setup_dbl
    fi

+    if [ -z "$PERL_HASH_SEED" ]; then
+	PERL_HASH_SEED=0
+    else
+	case $PERL_HASH_SEED in
+	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
+	        ;;
+	    *)
+		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
+		;;
+	esac
+    fi
+
    lib=$(find_file lib.cli-user)

    [ -f $lib ] && . $lib
@ -484,8 +496,17 @@ compiler() {
    #
    [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=

-    PERL_HASH_SEED=0
-    export PERL_HASH_SEED
+    case $PERL_HASH_SEED in
+	random)
+	    unset PERL_HASH_SEED
+	    unset PERL_PERTURB_KEYS
+	    ;;
+	*)
+	    export PERL_HASH_SEED
+	    PERL_PERTURB_KEYS=0
+	    export PERL_PERTURB_KEYS
+	    ;;
+    esac

    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -2153,6 +2153,21 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -198,6 +198,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -199,6 +199,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -198,6 +198,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -198,6 +198,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -198,6 +198,8 @@ OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

+PERL_HASH_SEED=0
+
 REJECT_ACTION=

 REQUIRE_INTERFACE=No
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -1890,6 +1890,21 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>