From bb70a3637b54a97ad890b5b31db10fee8e91f9d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 2 May 2017 07:51:37 -0700 Subject: [PATCH] Add PERL_HASH_SEED option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 1 + Shorewall/Samples/Universal/shorewall.conf | 2 ++ .../Samples/one-interface/shorewall.conf | 2 ++ .../Samples/three-interfaces/shorewall.conf | 2 ++ .../Samples/two-interfaces/shorewall.conf | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/lib.cli-std | 25 +++++++++++++++++-- Shorewall/manpages/shorewall.conf.xml | 15 +++++++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 2 ++ .../Samples6/one-interface/shorewall6.conf | 2 ++ .../Samples6/three-interfaces/shorewall6.conf | 2 ++ .../Samples6/two-interfaces/shorewall6.conf | 2 ++ Shorewall6/configfiles/shorewall6.conf | 2 ++ Shorewall6/manpages/shorewall6.conf.xml | 15 +++++++++++ 14 files changed, 74 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9c4796405..5a5f319b2 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -907,6 +907,7 @@ sub initialize( $;$$) { ZERO_MARKS => undef , FIREWALL => undef , BALANCE_PROVIDERS => undef , + PERL_HASH_SEED => undef , # # Packet Disposition # diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 9d0bec337..5fff36c70 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -217,6 +217,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=Yes diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 397604e15..febb47ee2 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf 
@@ -228,6 +228,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index ee8969a5f..42cc5b8cf 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -225,6 +225,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 4c1fa847b..c5da36164 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -228,6 +228,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 9f722edff..e112c4647 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -217,6 +217,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index ac010284c..3022ab64c 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -341,6 +341,18 @@ get_config() { setup_dbl fi + if [ -z "$PERL_HASH_SEED" ]; then + PERL_HASH_SEED=0 + else + case $PERL_HASH_SEED in + [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random) + ;; + *) + fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED" + ;; + esac + fi + lib=$(find_file lib.cli-user) [ -f $lib ] && . $lib 
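Review bot: The `if [ -z "$PERL_HASH_SEED" ]` test in get_config() accepts whatever is already in the variable, and `PERL_HASH_SEED` is also a name Perl reads from the process environment. A value exported in the administrator's shell would therefore become the setting whenever shorewall.conf does not assign one, assuming nothing clears the variable before the file is read (not visible in this hunk). Before this commit compiler() forced `PERL_HASH_SEED=0` unconditionally, so an upgraded system with an older shorewall.conf could lose that reproducibility guarantee or stop with the new `fatal_error`. Clearing the variable before the configuration is processed, or stating in a comment above the test that an inherited value is honoured on purpose, would make the behaviour explicit. get_config() starts and ends outside the hunk.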
@@ -484,8 +496,17 @@ compiler() { # [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager= - PERL_HASH_SEED=0 - export PERL_HASH_SEED + case $PERL_HASH_SEED in + random) + unset PERL_HASH_SEED + unset PERL_PERTURB_KEYS + ;; + *) + export PERL_HASH_SEED + PERL_PERTURB_KEYS=0 + export PERL_PERTURB_KEYS + ;; + esac if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then eval $PERL $debugflags $pc $options $@ $g_pager diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 23e6f25dd..4ed13d472 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -2153,6 +2153,21 @@ LOG:info:,bar net fw + + PERL_HASH_SEED=seed|random + + + Added in Shorewall 5.1.4. Sets the Perl hash + seed (an integer in the range 0-99999) + when running the Shorewall rules compiler. If not specified, the + value 0 is assumed. If is specified, a + random seed will be chosed by Perl. See perlsec(1) for additional + information. + + + PROVIDER_BITS=[number] diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index b4027d32f..18da663d1 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -198,6 +198,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=Yes diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index c516344d2..33eca75c5 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -199,6 +199,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index e69cb0957..377ac0c62 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf 
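Review bot: The `random)` branch runs `unset PERL_HASH_SEED` on the same shell variable that holds the configured value, so the setting is gone for the rest of the process once compiler() has run. If compiler() can be reached a second time in one invocation (not visible here), the `*)` branch would then export an empty `PERL_HASH_SEED` together with `PERL_PERTURB_KEYS=0`, which is neither the random nor the validated fixed-seed case. Copying the validated value into a separate shell variable in get_config() and branching on that copy here would keep the configuration intact. A comment above the `case` would also help, for example `# Fixed seed plus PERL_PERTURB_KEYS=0 gives reproducible hash order; "random" leaves Perl's own hash randomization in effect.` compiler() starts and ends outside the hunk.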
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -198,6 +198,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 8c6682474..2447783df 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -198,6 +198,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index b541bcb57..deb6c7337 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -198,6 +198,8 @@ OPTIMIZE=All OPTIMIZE_ACCOUNTING=No +PERL_HASH_SEED=0 + REJECT_ACTION= REQUIRE_INTERFACE=No diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 751e39f69..9f67921c0 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -1890,6 +1890,21 @@ LOG:info:,bar net fw + + PERL_HASH_SEED=seed|random + + + Added in Shorewall 5.1.4. Sets the Perl hash + seed (an integer in the range 0-99999) + when running the Shorewall rules compiler. If not specified, the + value 0 is assumed. If is specified, a + random seed will be chosed by Perl. See perlsec(1) for additional + information. + + + PROVIDER_BITS=[number]