Partial change

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

New/Shorewall/Chains.pm

@@ -1433,10 +1433,14 @@ use constant { NULL_STATE => 0 ,
 
 my $state = NULL_STATE;
 
+my $rulenumber = 0;
+
 sub emitr( $ ) {
     my $rule = $_[0];
 
     unless ( $slowstart ) {
+	$rulenumber++;
+	substr($rule, 80) = "#$rulenumber" unless length $rule >= 80;
 	emit_unindented $rule;
     } elsif ( substr( $rule, 0, 1 ) eq '~' ) {
 	#
@@ -1484,12 +1488,7 @@ sub create_netfilter_load() {
     emit '';
 
     if ( $slowstart ) {
-	emitj( 'TEMPFILE=$(mktempfile)',
+	emit 'exec 3>${VARDIR}/.iptables-input';
-	       '[ -n "$TEMPFILE" ] || fatal_error "Cannot create temporary file in /tmp"',
-	       '',
-	       'exec 3>>$TEMPFILE',
-	       ''
-	       );
     } else {
 	emit 'iptables-restore << __EOF__';
 	$state = CAT_STATE;
@@ -1533,7 +1532,7 @@ sub create_netfilter_load() {
     if ( $slowstart ) {
 	emitj( ' exec 3>&-',
 	       '',
-	       'iptables-restore < $TEMPFILE'
+	       'iptables-restore < ${VARDIR}/.iptables_input'
 	       );
     }
 
@@ -1542,8 +1541,6 @@ sub create_netfilter_load() {
 	   "fi\n"
 	   );
 
-    emit 'rm -f $TEMPFILE' if $slowstart;
-
     pop_indent;
 
     emit "}\n";

New/Shorewall/Config.pm

@@ -218,6 +218,7 @@ my %capdesc = ( NAT_ENABLED     => 'NAT',
 # Stash away file references here when we encounter INCLUDE
 #
 my @openstack;
+
 my $currentfile;
 my $currentfilename;
 my $currentlinenumber = 0;
@@ -259,7 +260,10 @@ sub find_file($)
 
     for $directory ( split ':', $ENV{CONFIG_PATH} ) {
 	my $file = "$directory/$filename";
-	return $file if -f $file;
+	if ( -f $file ) {
+	    $file =~ s|//|/|g;
+	    return $file;
+	}
     }
 
     "$env{CONFDIR}/$filename";
@@ -406,6 +410,8 @@ sub read_a_line {
 		$currentfile = undef;
 		
 		open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
+
+		$line='';
 	    } else {
 		return 1;
 	    }

New/Shorewall/Hosts.pm

@@ -51,6 +51,7 @@ sub validate_hosts_file()
 			);
 
     my $ipsec = 0;
+    my $first_entry = 1;
 
     open_file 'hosts';
 
@@ -58,6 +59,11 @@ sub validate_hosts_file()
 
 	my ($zone, $hosts, $options ) = split_line 3, 'hosts file';
 
+	if ( $first_entry ) {
+	    progress_message2 "Validating hosts file...";
+	    $first_entry = 0;
+	}
+
 	my $zoneref = $zones{$zone};
 	my $type    = $zoneref->{type};
 

New/Shorewall/Nat.pm

@@ -101,7 +101,6 @@ sub setup_one_masq($$$$$$)
     my $destnets = '';
     my $target = '-j MASQUERADE ';
 
-    require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
     #
     # Handle IPSEC options, if any
     #
@@ -239,12 +238,20 @@ sub setup_one_masq($$$$$$)
 #
 sub setup_masq() 
 {
+    my $first_entry = 1;
+
     open_file 'masq';
 
     while ( read_a_line ) {
 
 	my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
 
+	if ( $first_entry ) {
+	    progress_message2 "$doing Masq file...";                     
+	    require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
+	    $first_entry = 0;
+	}
+
 	if ( $fullinterface eq 'COMMENT' ) {
 	    if ( $capabilities{COMMENTS} ) {
 		( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@@ -299,8 +306,6 @@ sub do_one_nat( $$$$$ )
     my $policyin = '';
     my $policyout = '';
 
-    require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
-
     if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
@@ -347,12 +352,20 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
+    my $first_entry = 1;
+
     open_file 'nat';
 
     while ( read_a_line ) {
 
 	my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
 
+	if ( $first_entry ) {
+	    progress_message2 "$doing one-to-one NAT...";                
+	    require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
+	    $first_entry = 0;
+	}
+
 	if ( $external eq 'COMMENT' ) {
 	    if ( $capabilities{COMMENTS} ) {
 		( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@@ -374,13 +387,19 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
+    my $first_entry = 1;
+
     open_file 'netmap';
 
     while ( read_a_line ) {
 
 	my ( $type, $net1, $interface, $net2 ) = split_line 4, 'netmap file';
 
-	require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
+	if ( $first_entry ) {
+	    progress_message2 "$doing NETMAP...";                
+	    require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
+	    $first_entry = 0;
+	}
 
 	if ( $type eq 'DNAT' ) {
 	    add_rule ensure_chain( 'nat' , input_chain $interface )  , "-d $net1 -j NETMAP --to $net2";

New/Shorewall/Providers.pm

@@ -344,15 +344,13 @@ sub setup_providers() {
     #
     #   Setup_Providers() Starts Here....
     #
-    progress_message2 "$doing $fn ...";
+    open_file $fn;
-
-    open_file 'providers';
 
     while ( read_a_line ) {
-
 	unless ( $providers ) {
+	    progress_message2 "$doing $fn ...";
 	    require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );
-	    
+
 	    emit "\nif [ -z \"\$NOROUTES\" ]; then";
 
 	    push_indent;

New/Shorewall/Rules.pm

@@ -65,15 +65,21 @@ sub process_tos() {
     my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
 
     if ( open_file 'tos' ) {
-	progress_message2 'Setting up TOS...';
+	my $first_entry = 1;
-
-	my $pretosref = new_chain 'mangle' , $chain;
-	my $outtosref = new_chain 'mangle' , 'outtos';
 
+	my ( $pretosref, $outtosref );
+	
 	while ( read_a_line ) {
 
 	    my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
 
+	    if ( $first_entry ) {
+		progress_message2 'Setting up TOS...';
+		$pretosref = ensure_chain 'mangle' , $chain;
+		$outtosref = ensure_chain 'mangle' , 'outtos';
+		$first_entry = 0;
+	    }
+
 	    fatal_error "TOS field required: $line" unless $tos ne '-';
 
 	    my $chainref;
@@ -106,8 +112,10 @@ sub process_tos() {
 		'';
 	}
 
-	add_rule $mangle_table->{$stdchain}, "-j $chain";
+	unless ( $first_entry ) {
-	add_rule $mangle_table->{OUTPUT},    "-j outtos";
+	    add_rule $mangle_table->{$stdchain}, "-j $chain";
+	    add_rule $mangle_table->{OUTPUT},    "-j outtos";
+	}
     }
 }
 
@@ -121,7 +129,7 @@ sub setup_ecn()
 
     if ( open_file 'ecn' ) {
 	
-	progress_message2 join( '' , '$doing ', find_file( 'ecn' ), '...' );
+	progress_message2 join( '' , "$doing ", find_file( 'ecn' ), '...' );
 
 	while ( read_a_line ) {
 

New/Shorewall/Tc.pm

@@ -349,12 +349,13 @@ sub validate_tc_class( $$$$$$ ) {
 }
 
 sub setup_traffic_shaping() {
+    my $first_entry = 1;
+
     save_progress_message "Setting up Traffic Control...";
 
     my $fn = find_file 'tcdevices';
 
     if ( -f $fn ) {
-	progress_message2 "$doing $fn...";
 
 	open_file $fn;
 
@@ -362,6 +363,11 @@ sub setup_traffic_shaping() {
 
 	    my ( $device, $inband, $outband ) = split_line 3, 'tcdevices';
 
+	    if ( $first_entry ) {
+		progress_message2 "$doing $fn...";
+		$first_entry = 0;
+	    }
+
 	    fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
 	    validate_tc_device( $device, $inband, $outband );
 	}
@@ -370,12 +376,17 @@ sub setup_traffic_shaping() {
     $fn = find_file 'tcclasses';
 
     if ( -f $fn ) {
-	progress_message2 "$doing $fn...";
+	$first_entry = 1;
 
 	open_file $fn;
 
 	while ( read_a_line ) {
 
+	    if ( $first_entry ) {
+		progress_message2 "$doing $fn...";
+		$first_entry = 0;
+	    }
+
 	    my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
 
 	    validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
@@ -488,23 +499,31 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    ensure_mangle_chain 'tcpre';
+    my $first_entry = 1; 
 
-    if ( $capabilities{MANGLE_FORWARD} ) {
+    if ( $capabilities{MANGLE_ENABLED} ) {
-	ensure_mangle_chain 'tcfor';
+	ensure_mangle_chain 'tcpre';
-	ensure_mangle_chain 'tcpost';
+
+	if ( $capabilities{MANGLE_FORWARD} ) {
+	    ensure_mangle_chain 'tcfor';
+	    ensure_mangle_chain 'tcpost';
+	}
     }
 
     my $fn = find_file 'tcrules';
 
-    if ( -f $fn ) {
+    if ( open_file $fn ) {
-
-	require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ) if open_file $fn;
 
 	while ( read_a_line ) {
 	    
 	    my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
 
+	    if ( $first_entry ) {
+		progress_message2 "$doing TC Rules...";                  
+		require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
+		$first_entry = 0;
+	    }
+	    
 	    if ( $mark eq 'COMMENT' ) {
 		if ( $capabilities{COMMENTS} ) {
 		    ( $comment = $line ) =~ s/^\s*COMMENT\s*//;

New/Shorewall/Tunnels.pm

@@ -227,6 +227,9 @@ sub setup_tunnels() {
 
 	progress_message "   Tunnel \"$line\" $done";
     }
+
+    my $first_entry = 1;
+
     #
     # Setup_Tunnels() Starts Here
     #
@@ -236,6 +239,11 @@ sub setup_tunnels() {
 
 	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file';
 
+	if ( $first_entry ) {
+	    progress_message2 "$doing Tunnels...";                       
+	    $first_entry = 0;
+	}
+
 	if ( $kind eq 'COMMENT' ) {
 	    if ( $capabilities{COMMENTS} ) {
 		( $comment = $line ) =~ s/^\s*COMMENT\s*//;

New/compiler.pl

@@ -666,12 +666,11 @@ sub compiler( $ ) {
     #
     # Process the hosts file.
     #
-    progress_message2 "Validating hosts file...";                
     validate_hosts_file;
     #
     # Report zone contents
     #
-    progress_message "Determining Hosts in Zones...";        
+    progress_message2 "Determining Hosts in Zones...";        
     zone_report;
     #
     # Do action pre-processing.
@@ -715,7 +714,6 @@ sub compiler( $ ) {
     #
     # TCRules and Traffic Shaping
     #
-    progress_message2 "$doing TC Rules...";                  
     setup_tc;
     #
     # TOS
@@ -728,7 +726,6 @@ sub compiler( $ ) {
     #
     # Setup Masquerading/SNAT
     #
-    progress_message2 "$doing Masq file...";                     
     setup_masq;
     #
     # MACLIST Filtration
@@ -743,7 +740,6 @@ sub compiler( $ ) {
     #
     # Add Tunnel rules.
     #
-    progress_message2 "$doing Tunnels...";                       
     setup_tunnels;
     #
     # Post-rules action processing.
@@ -763,12 +759,10 @@ sub compiler( $ ) {
     #
     # Setup Nat
     #
-    progress_message2 "$doing one-to-one NAT...";                
     setup_nat;
     #
     # Setup NETMAP
     #
-    progress_message2 "$doing NETMAP...";                
     setup_netmap;
     #
     # Accounting.