update -t also converts the 'tos' file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-08-26 13:51:02 -07:00
parent e0734a45ee
commit dc2406d25b
4 changed files with 125 additions and 27 deletions

View File

@ -2145,7 +2145,7 @@ sub split_line2( $$;$$$ ) {
#
# This file supports INLINE or IPTABLES
#
if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) {
$inline_matches = $pairs;
if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) {
@ -4970,7 +4970,8 @@ EOF
-f find_file 'blacklist' ||
-f find_file 'tcrules' ||
-f find_file 'routestopped' ||
-f find_file 'notrack'
-f find_file 'notrack' ||
-f find_file 'tos'
);
}
} else {
@ -5549,13 +5550,13 @@ sub get_configuration( $$$$$ ) {
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
my $units;
if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) {
if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
$units = $4;
} elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))?)$/ ) {
} elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
$units = $4;
@ -5575,11 +5576,11 @@ sub get_configuration( $$$$$ ) {
$limit .= "--hashlimit-htable-expire $expire ";
}
} elsif ( $rate =~ /^((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) {
} elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
$limit = "-m limit --limit $1 --limit-burst $5 ";
} elsif ( $rate =~ /^(\d+)(\/(sec|min|seconds|minutes|hour|day))?$/ ) {
} elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ ) {
fatal_error "Invalid rate (${1}${2})" unless $1;
$limit = "-m limit --limit $rate ";
} else {

View File

@ -3161,11 +3161,90 @@ sub process_secmark_rule() {
}
}
sub convert_tos($$) {
my ( $mangle, $fn1 ) = @_;
my $have_tos = 0;
sub unlink_tos( $ ) {
my $fn = shift;
if ( unlink $fn ) {
warning_message "Empty tos file ($fn) removed";
} else {
warning_message "Unable to remove empty tos file $fn: $!";
}
}
if ( my $fn = open_file 'tos' ) {
while ( read_a_line( NORMAL_READ ) ) {
$have_tos = 1;
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) =
split_line( 'tos file entry',
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } );
my $chain_designator = 'P';
decode_tos($tos, 1);
my ( $srczone , $source , $remainder );
if ( $family == F_IPV4 ) {
( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
fatal_error 'Invalid SOURCE' if defined $remainder;
} elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
$srczone = $1;
$source = $2;
} else {
$srczone = $src;
}
if ( $srczone eq firewall_zone ) {
$chain_designator = 'O';
$src = $source || '-';
} else {
$src =~ s/^all:?//;
}
$dst =~ s/^all:?//;
$src = '-' unless supplied $src;
$dst = '-' unless supplied $dst;
$proto = '-' unless supplied $proto;
$ports = '-' unless supplied $ports;
$sports = '-' unless supplied $sports;
$mark = '-' unless supplied $mark;
print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n"
}
if ( $have_tos ) {
progress_message2 "Converted $fn to $fn1";
if ( rename $fn, "$fn.bak" ) {
progress_message2 "$fn renamed $fn.bak";
} else {
fatal_error "Cannot Rename $fn to $fn.bak: $!";
}
} else {
unlink_tos( $fn );
}
} elsif ( -f ( $fn = find_file( 'tos' ) ) ) {
if ( unlink $fn ) {
warning_message "Empty tos file ($fn) removed";
} else {
warning_message "Unable to remove empty tos file $fn: $!";
}
}
}
#
# Process the mangle file and setup traffic shaping
#
sub setup_tc( $ ) {
$tcrules = $_[0];
my $convert = $_[0];
if ( $config{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
@ -3221,7 +3300,7 @@ sub setup_tc( $ ) {
if ( $fn = open_file( 'tcrules' , 2, 1 ) ) {
my $fn1;
if ( $tcrules ) {
if ( $convert ) {
#
# We are going to convert this tcrules file to the equivalent mangle file
#
@ -3234,29 +3313,43 @@ sub setup_tc( $ ) {
process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );
if ( $have_tcrules ) {
if ( $mangle ) {
if ( $convert ) {
if ( $have_tcrules ) {
progress_message2 "Converted $fn to $fn1";
if ( rename $fn, "$fn.bak" ) {
progress_message2 "$fn renamed $fn.bak";
} else {
fatal_error "Cannot Rename $fn to $fn.bak: $!";
}
close $mangle, directive_callback( 0 );
} else {
warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'";
}
} elsif ( $tcrules ) {
close $mangle, directive_callback( 0 );
if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
if ( unlink $fn ) {
warning_message "Empty tcrules file ($fn) removed";
} else {
warning_message "Unable to remove empty tcrules file $fn: $!";
}
}
convert_tos( $mangle, $fn1 );
close $mangle, directive_callback( 0 );
}
} elsif ( $convert ) {
if ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
if ( unlink $fn ) {
warning_message "Empty tcrules file ($fn) removed";
} else {
warning_message "Unable to remove empty tcrules file $fn: $!";
}
}
if ( -f ( my $fn = find_file( 'tos' ) ) ) {
my $fn1;
#
# We are going to convert this tosfile to the equivalent mangle file
#
open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
convert_tos( $mangle, $fn1 );
close $mangle;
}
}

View File

@ -2316,11 +2316,13 @@
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-t</option> option was added in Shorewall 4.6.0.
When specified, <option>-t</option> causes <ulink
url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink> to be
converted to <ulink
When specified, <option>-t</option> causes the <emphasis
role="bold">tcrules</emphasis> file to be converted to <ulink
url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
file is renamed with a .bak suffix.</para>
file is renamed with a .bak suffix. Beginning with Shorewall
4.6.12.2, this option also causes the <emphasis
role="bold">tos</emphasis> file to be converted to <ulink
url="shorewall-mangle.html">shorewall-mangle(5)</ulink>.</para>
<important>
<para>There are some notable restrictions with the

View File

@ -2185,11 +2185,13 @@
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-t</option> option was added in Shorewall 4.6.0.
When specified, <option>-t</option> causes <ulink
url="shorewall6-tcrules.html">shorewall6-tcrules(5)</ulink> to be
converted to <ulink
When specified, <option>-t</option> causes the <emphasis
role="bold">tcrules</emphasis> file to be converted to <ulink
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
file is renamed with a .bak suffix.</para>
file is renamed with a .bak suffix. Beginning with Shorewall
4.6.12.2, this option also causes the <emphasis
role="bold">tos</emphasis> file to be converted to <ulink
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.</para>
<important>
<para>There are some notable restrictions with the