From cd97ccfd4e3e0e6ac45ee38ad91f7157914bbefd Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 29 Mar 2007 18:57:53 +0000 Subject: [PATCH] Partial change git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- New/Shorewall/Chains.pm | 15 ++++++--------- New/Shorewall/Config.pm | 8 +++++++- New/Shorewall/Hosts.pm | 6 ++++++ New/Shorewall/Nat.pm | 27 +++++++++++++++++++++++---- New/Shorewall/Providers.pm | 8 +++----- New/Shorewall/Rules.pm | 22 +++++++++++++++------- New/Shorewall/Tc.pm | 37 ++++++++++++++++++++++++++++--------- New/Shorewall/Tunnels.pm | 8 ++++++++ New/compiler.pl | 8 +------- 9 files changed, 97 insertions(+), 42 deletions(-) diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm index 7b7ede281..fcd749bb3 100644 --- a/New/Shorewall/Chains.pm +++ b/New/Shorewall/Chains.pm @@ -1433,10 +1433,14 @@ use constant { NULL_STATE => 0 , my $state = NULL_STATE; +my $rulenumber = 0; + sub emitr( $ ) { my $rule = $_[0]; unless ( $slowstart ) { + $rulenumber++; + substr($rule, 80) = "#$rulenumber" unless length $rule >= 80; emit_unindented $rule; } elsif ( substr( $rule, 0, 1 ) eq '~' ) { # @@ -1484,12 +1488,7 @@ sub create_netfilter_load() { emit ''; if ( $slowstart ) { - emitj( 'TEMPFILE=$(mktempfile)', - '[ -n "$TEMPFILE" ] || fatal_error "Cannot create temporary file in /tmp"', - '', - 'exec 3>>$TEMPFILE', - '' - ); + emit 'exec 3>${VARDIR}/.iptables-input'; } else { emit 'iptables-restore << __EOF__'; $state = CAT_STATE; @@ -1533,7 +1532,7 @@ sub create_netfilter_load() { if ( $slowstart ) { emitj( ' exec 3>&-', '', - 'iptables-restore < $TEMPFILE' + 'iptables-restore < ${VARDIR}/.iptables_input' ); } @@ -1542,8 +1541,6 @@ sub create_netfilter_load() { "fi\n" ); - emit 'rm -f $TEMPFILE' if $slowstart; - pop_indent; emit "}\n"; diff --git a/New/Shorewall/Config.pm b/New/Shorewall/Config.pm index 52c987fde..08e6bbf71 100644 --- a/New/Shorewall/Config.pm +++ b/New/Shorewall/Config.pm 
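Review bot: The lvalue `substr($rule, 80)` in emitr raises a fatal "substr outside of string" for any rule shorter than 80 characters, which is exactly the case the trailing `unless length $rule >= 80` selects, so the non-slowstart path now dies on the first short rule. If the intent is to pad to column 80 and tag the rule, `$rule = sprintf( '%-80s#%d', $rule, $rulenumber ) if length $rule < 80;` does that without addressing the string beyond its end. Note also that this line is emitted inside the `iptables-restore << __EOF__` heredoc, and as far as I know iptables-restore only treats a line whose first character is `#` as a comment, so a trailing `#N` would be parsed as an extra argument and fail the restore; a rule tag would need `-m comment --comment` (guarded by the COMMENTS capability seen in the Nat.pm hunks) or a separate diagnostic stream. emitr's body continues past the end of this hunk.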
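Review bot: The new `exec 3>${VARDIR}/.iptables-input` has no failure check, whereas the lines it replaces at least verified that the temp file existed (`[ -n "$TEMPFILE" ] || fatal_error ...`); in bash a failed redirection on a bare `exec` only returns a non-zero status, so rule emission to fd 3 would continue and iptables-restore would later load an incomplete or empty ruleset. I would quote the path and fail closed: `exec 3>"${VARDIR}/.iptables-input" || fatal_error "Cannot create ${VARDIR}/.iptables-input"`. Replacing a mktempfile in /tmp with a fixed path under VARDIR is an improvement against /tmp symlink races, assuming VARDIR is a root-owned directory not writable by other users — that assumption deserves a comment on the emit line if it holds. The function this shell fragment belongs to opens and closes outside the hunk.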
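Review bot: The restore line `iptables-restore < ${VARDIR}/.iptables_input` reads a different file from the one the previous hunk writes (`exec 3>${VARDIR}/.iptables-input`, hyphen versus underscore), so in slowstart mode the restore will either fail on a missing file or, once a stale `.iptables_input` exists, load an old ruleset. Change it to `'iptables-restore < ${VARDIR}/.iptables-input'`, and preferably build the path once in a Perl scalar (for example `my $restorefile = '${VARDIR}/.iptables-input';`) used by both emit calls so the two cannot drift apart again.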
@@ -218,6 +218,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT', # Stash away file references here when we encounter INCLUDE # my @openstack; + my $currentfile; my $currentfilename; my $currentlinenumber = 0; @@ -259,7 +260,10 @@ sub find_file($) for $directory ( split ':', $ENV{CONFIG_PATH} ) { my $file = "$directory/$filename"; - return $file if -f $file; + if ( -f $file ) { + $file =~ s|//|/|g; + return $file; + } } "$env{CONFDIR}/$filename"; @@ -406,6 +410,8 @@ sub read_a_line { $currentfile = undef; open $currentfile, $filename or fatal_error "Unable to open $filename: $!"; + + $line=''; } else { return 1; } diff --git a/New/Shorewall/Hosts.pm b/New/Shorewall/Hosts.pm index 0cb2eac10..c4509f917 100644 --- a/New/Shorewall/Hosts.pm +++ b/New/Shorewall/Hosts.pm @@ -51,6 +51,7 @@ sub validate_hosts_file() ); my $ipsec = 0; + my $first_entry = 1; open_file 'hosts'; @@ -58,6 +59,11 @@ sub validate_hosts_file() my ($zone, $hosts, $options ) = split_line 3, 'hosts file'; + if ( $first_entry ) { + progress_message2 "Validating hosts file..."; + $first_entry = 0; + } + my $zoneref = $zones{$zone}; my $type = $zoneref->{type}; diff --git a/New/Shorewall/Nat.pm b/New/Shorewall/Nat.pm index bbbc1530a..3234b0038 100644 --- a/New/Shorewall/Nat.pm +++ b/New/Shorewall/Nat.pm @@ -101,7 +101,6 @@ sub setup_one_masq($$$$$$) my $destnets = ''; my $target = '-j MASQUERADE '; - require_capability( 'NAT_ENABLED' , 'a non-empty masq file' ); # # Handle IPSEC options, if any # @@ -239,12 +238,20 @@ sub setup_one_masq($$$$$$) # sub setup_masq() { + my $first_entry = 1; + open_file 'masq'; while ( read_a_line ) { my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file'; + if ( $first_entry ) { + progress_message2 "$doing Masq file..."; + require_capability( 'NAT_ENABLED' , 'a non-empty masq file' ); + $first_entry = 0; + } + if ( $fullinterface eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { ( $comment = $line ) =~ s/^\s*COMMENT\s*//; 
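Review bot: The new `-f` branch in find_file still lets an empty component of `CONFIG_PATH` (a leading `:` or a `::`) produce `$file = "/$filename"`, so the search silently consults the filesystem root before falling through to CONFDIR; the added `s|//|/|g` only tidies the double slash left by a trailing `/` and does not guard that case. Add `next unless length $directory;` at the top of the loop. Who sets CONFIG_PATH is not visible here; if it can be inherited from a caller's environment rather than set by the wrapper, a relative component deserves the same treatment (`next unless $directory =~ m|^/|;`).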
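Review bot: The `open $currentfile, $filename or fatal_error ...` immediately above the new `$line='';` is the two-argument form, so a `$filename` beginning with `>`, `>>` or `|` (or ending in `|`) is treated as a mode or a pipe rather than a file name; the comment in the earlier hunk ("when we encounter INCLUDE") suggests this path handles INCLUDE directives, so the name comes from configuration text. Use the three-argument form, `open $currentfile, '<', $filename or fatal_error "Unable to open $filename: $!";`. The rest of read_a_line, including where `$line` is consumed after this reset, lies outside the hunk.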
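Review bot: In setup_masq the first-entry block runs before the `COMMENT` test, so a masq file containing only COMMENT lines now trips `require_capability( 'NAT_ENABLED' , 'a non-empty masq file' )`, whereas the check it replaces in setup_one_masq only ran for real entries; if that tightening is unintended, move the `if ( $first_entry )` block below the `COMMENT` branch. The same first-entry block is now copied into eight subroutines across this commit; a helper in Config.pm (for instance `open_file` taking the progress message and capability name, or `read_a_line` reporting whether this is the first line of the file) would keep that behaviour in one place. The rest of the loop body is outside the hunk.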
@@ -299,8 +306,6 @@ sub do_one_nat( $$$$$ ) my $policyin = ''; my $policyout = ''; - require_capability( 'NAT_ENABLED' , 'a non-empty nat file' ); - if ( $capabilities{POLICY_MATCH} ) { $policyin = ' -m policy --pol none --dir in'; $policyout = '-m policy --pol none --dir out'; @@ -347,12 +352,20 @@ sub do_one_nat( $$$$$ ) # sub setup_nat() { + my $first_entry = 1; + open_file 'nat'; while ( read_a_line ) { my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file'; + if ( $first_entry ) { + progress_message2 "$doing one-to-one NAT..."; + require_capability( 'NAT_ENABLED' , 'a non-empty nat file' ); + $first_entry = 0; + } + if ( $external eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { ( $comment = $line ) =~ s/^\s*COMMENT\s*//; @@ -374,13 +387,19 @@ sub setup_nat() { # sub setup_netmap() { + my $first_entry = 1; + open_file 'netmap'; while ( read_a_line ) { my ( $type, $net1, $interface, $net2 ) = split_line 4, 'netmap file'; - require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' ); + if ( $first_entry ) { + progress_message2 "$doing NETMAP..."; + require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' ); + $first_entry = 0; + } if ( $type eq 'DNAT' ) { add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2"; diff --git a/New/Shorewall/Providers.pm b/New/Shorewall/Providers.pm index 27cdea26a..9c6906e15 100644 --- a/New/Shorewall/Providers.pm +++ b/New/Shorewall/Providers.pm @@ -344,15 +344,13 @@ sub setup_providers() { # # Setup_Providers() Starts Here.... # - progress_message2 "$doing $fn ..."; - - open_file 'providers'; + open_file $fn; while ( read_a_line ) { - unless ( $providers ) { + progress_message2 "$doing $fn ..."; require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' ); - + emit "\nif [ -z \"\$NOROUTES\" ]; then"; push_indent; diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index 0f8b0e81b..276717bdf 100644 --- a/New/Shorewall/Rules.pm 
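Review bot: Removing `unless ( $providers ) {` without a matching change to its closing brace leaves that `}` behind — the diffstat's 3 additions and 5 deletions for Providers.pm are fully accounted for by this hunk — so the file appears not to compile unless that brace is removed somewhere outside this view; and even once it is, the progress message, `require_capability`, the `if [ -z "$NOROUTES" ]` emit and `push_indent` now execute for every line of the providers file rather than once, nesting one unterminated shell `if` per provider in the generated script. Restore a first-entry guard in the style used elsewhere in this commit, with `my $first_entry = 1;` declared before `open_file $fn;`. The remainder of the loop and the matching `pop_indent`/`fi` are outside the hunk.
```perl
    my $first_entry = 1;

    open_file $fn;

    while ( read_a_line ) {
        if ( $first_entry ) {
            progress_message2 "$doing $fn ...";
            require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );

            emit "\nif [ -z \"\$NOROUTES\" ]; then";
            push_indent;
            $first_entry = 0;
        }
        # … unchanged: per-provider processing …
```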
+++ b/New/Shorewall/Rules.pm @@ -65,15 +65,21 @@ sub process_tos() { my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING'; if ( open_file 'tos' ) { - progress_message2 'Setting up TOS...'; - - my $pretosref = new_chain 'mangle' , $chain; - my $outtosref = new_chain 'mangle' , 'outtos'; + my $first_entry = 1; + my ( $pretosref, $outtosref ); + while ( read_a_line ) { my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file'; + if ( $first_entry ) { + progress_message2 'Setting up TOS...'; + $pretosref = ensure_chain 'mangle' , $chain; + $outtosref = ensure_chain 'mangle' , 'outtos'; + $first_entry = 0; + } + fatal_error "TOS field required: $line" unless $tos ne '-'; my $chainref; @@ -106,8 +112,10 @@ sub process_tos() { ''; } - add_rule $mangle_table->{$stdchain}, "-j $chain"; - add_rule $mangle_table->{OUTPUT}, "-j outtos"; + unless ( $first_entry ) { + add_rule $mangle_table->{$stdchain}, "-j $chain"; + add_rule $mangle_table->{OUTPUT}, "-j outtos"; + } } } @@ -121,7 +129,7 @@ sub setup_ecn() if ( open_file 'ecn' ) { - progress_message2 join( '' , '$doing ', find_file( 'ecn' ), '...' ); + progress_message2 join( '' , "$doing ", find_file( 'ecn' ), '...' ); while ( read_a_line ) { diff --git a/New/Shorewall/Tc.pm b/New/Shorewall/Tc.pm index 2843e5955..de6e8083c 100644 --- a/New/Shorewall/Tc.pm +++ b/New/Shorewall/Tc.pm @@ -349,12 +349,13 @@ sub validate_tc_class( $$$$$$ ) { } sub setup_traffic_shaping() { + my $first_entry = 1; + save_progress_message "Setting up Traffic Control..."; my $fn = find_file 'tcdevices'; if ( -f $fn ) { - progress_message2 "$doing $fn..."; open_file $fn; @@ -362,6 +363,11 @@ sub setup_traffic_shaping() { my ( $device, $inband, $outband ) = split_line 3, 'tcdevices'; + if ( $first_entry ) { + progress_message2 "$doing $fn..."; + $first_entry = 0; + } + fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-'; validate_tc_device( $device, $inband, $outband ); } 
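Review bot: After the loop in process_tos, `unless ( $first_entry )` reuses the flag with a second meaning — "at least one entry was seen" — which the name no longer conveys at that distance; `if ( $outtosref )` (or `if ( defined $pretosref )`) states the condition directly and ties it to the chains the two jumps target. A one-line comment on the guard, such as `# Only jump to the tos chains when the file produced at least one rule`, would also help the next reader. The `$chain` variable used in the jump is defined before the hunk begins.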
@@ -370,12 +376,17 @@ sub setup_traffic_shaping() { $fn = find_file 'tcclasses'; if ( -f $fn ) { - progress_message2 "$doing $fn..."; + $first_entry = 1; open_file $fn; while ( read_a_line ) { + if ( $first_entry ) { + progress_message2 "$doing $fn..."; + $first_entry = 0; + } + my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file'; validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); @@ -488,23 +499,31 @@ sub setup_traffic_shaping() { # sub setup_tc() { - ensure_mangle_chain 'tcpre'; + my $first_entry = 1; - if ( $capabilities{MANGLE_FORWARD} ) { - ensure_mangle_chain 'tcfor'; - ensure_mangle_chain 'tcpost'; + if ( $capabilities{MANGLE_ENABLED} ) { + ensure_mangle_chain 'tcpre'; + + if ( $capabilities{MANGLE_FORWARD} ) { + ensure_mangle_chain 'tcfor'; + ensure_mangle_chain 'tcpost'; + } } my $fn = find_file 'tcrules'; - if ( -f $fn ) { - - require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ) if open_file $fn; + if ( open_file $fn ) { while ( read_a_line ) { my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file'; + if ( $first_entry ) { + progress_message2 "$doing TC Rules..."; + require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ); + $first_entry = 0; + } + if ( $mark eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { ( $comment = $line ) =~ s/^\s*COMMENT\s*//; diff --git a/New/Shorewall/Tunnels.pm b/New/Shorewall/Tunnels.pm index f645bbe4c..95b45beb6 100644 --- a/New/Shorewall/Tunnels.pm +++ b/New/Shorewall/Tunnels.pm @@ -227,6 +227,9 @@ sub setup_tunnels() { progress_message " Tunnel \"$line\" $done"; } + + my $first_entry = 1; + # # Setup_Tunnels() Starts Here # 
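Review bot: `ensure_mangle_chain 'tcpre'` (and `tcfor`/`tcpost`) is now skipped when MANGLE_ENABLED is off, but the first-entry `require_capability` only fires if tcrules has an entry, so anything after this loop that references those chains unconditionally — the tail of setup_tc is outside the hunk — would now look up chains that were never created. If such code exists, guard it with the same `$capabilities{MANGLE_ENABLED}` test or return early from setup_tc when the capability is absent, and record the invariant above the `if`: `# Without mangle support no tc chains exist; tcrules must then be empty (enforced on first entry)`. Replacing `-f $fn` with `if ( open_file $fn )` assumes open_file returns false for a missing file, as its use with 'tos' in Rules.pm suggests — worth confirming it does not fatal instead.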
@@ -236,6 +239,11 @@ sub setup_tunnels() { my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file'; + if ( $first_entry ) { + progress_message2 "$doing Tunnels..."; + $first_entry = 0; + } + if ( $kind eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { ( $comment = $line ) =~ s/^\s*COMMENT\s*//; diff --git a/New/compiler.pl b/New/compiler.pl index d69a13435..5b69c3be8 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -666,12 +666,11 @@ sub compiler( $ ) { # # Process the hosts file. # - progress_message2 "Validating hosts file..."; validate_hosts_file; # # Report zone contents # - progress_message "Determining Hosts in Zones..."; + progress_message2 "Determining Hosts in Zones..."; zone_report; # # Do action pre-processing. @@ -715,7 +714,6 @@ sub compiler( $ ) { # # TCRules and Traffic Shaping # - progress_message2 "$doing TC Rules..."; setup_tc; # # TOS @@ -728,7 +726,6 @@ sub compiler( $ ) { # # Setup Masquerading/SNAT # - progress_message2 "$doing Masq file..."; setup_masq; # # MACLIST Filtration @@ -743,7 +740,6 @@ sub compiler( $ ) { # # Add Tunnel rules. # - progress_message2 "$doing Tunnels..."; setup_tunnels; # # Post-rules action processing. @@ -763,12 +759,10 @@ sub compiler( $ ) { # # Setup Nat # - progress_message2 "$doing one-to-one NAT..."; setup_nat; # # Setup NETMAP # - progress_message2 "$doing NETMAP..."; setup_netmap; # # Accounting.