Deprecate IMPLICIT_CONTINUE=Yes with warning message

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8229 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 16:13:18 +01:00 · 2008-02-24 16:33:46 +00:00 · 2008-02-24 16:33:46 +00:00 · e0a9add260
commit e0a9add260
parent d413d6623a
8 changed files with 53 additions and 79 deletions
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -160,7 +160,7 @@ MAPOLDACTIONS=No

 FASTACCEPT=No

-IMPLICIT_CONTINUE=Yes
+IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@ -162,7 +162,7 @@ MAPOLDACTIONS=No

 FASTACCEPT=No

-IMPLICIT_CONTINUE=Yes
+IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@ -160,7 +160,7 @@ MAPOLDACTIONS=No

 FASTACCEPT=No

-IMPLICIT_CONTINUE=Yes
+IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,3 +1,7 @@
+Changes in 4.1.6
+
+1)  Deprecate IMPLICIT_CONTINUE=Yes
+
 Changes in 4.1.5

 1)  More ruleset optimization.
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -62,84 +62,17 @@ Migration Issues.
    b) Explicitly set LOG_MARTIONS=No to maintain compatibility with 
       prior versions of Shorewall.

+5)  IMPLICIT_CONTINUE=Yes is now deprecated and a warning message is
+    issued if you have that setting and nested zones are defined in
+    /etc/shorewall/shorewall.conf. The warning may be eliminated by
+    setting IMPLICIT_CONTINUE=No and adding explicit CONTINUE policies
+    where needed.
+
 Problems corrected in 4.1.5.

-1)  An optimization added to Shorewall-shell in 4.0.0 has been backed
-    out to work around a limitation of Busybox 'sed'.
+None.

-2)  Previously, Shorewall would accept both an interface and an IP
-    address in tcrules POSTROUTING entries (such as CLASSIFY).
-
-    Example:
-
-    1:11      eth1:192.168.4.9	-	tcp	22
-
-    It also allows both a destination interface and address.
-
-    Example:
-
-    1:P	      -		eth1:192.168.4.9	tcp	22
-
-    Because Netfilter does not allow an input interface to be specified
-    in POSTROUTING or an output interface to be specified in
-    PREROUTING, Shorewall must use the routing table to generate a list
-    of networks accessed through any interface specified in these
-    cases. Given that a specific address (or set of addresses) has
-    already been specified, it makes no sense qualify it (them) by
-    another list of addresses.
-
-3)  Shorewall-perl incorrectly generated a fatal error when ':C', 
-    ':T' or ':CT' was used in a tcrules entry that gave $FW as the
-    SOURCE.
-
-New Features in 4.1.5.
-
-1)  The need for interface-specific chains (such as eth0_in, eth4_fwd,
-    etc.) in the filter table has been drastically reduced. This has
-    the effect of reducing the average number of rules that each packet
-    must traverse.
-
-2)  The default value for LOG_MARTIANS is now 'Yes' ('On' in
-    Shorewall-perl). Previously, the default value was 'No' ('Off' in
-    Shorewall-perl). The shorewall.conf file has also been 
-    updated to specify a value of 'Yes' (which is interpreted as 'On'
-    by Shorewall-perl).
-
-3)  The /usr/share/shorewall/modules file has been updated to reflect
-    module renaming in kernel 2.6.25.
-
-4)  Some users are experiencing 'File Exists' errors when Shorewall
-    executes 'ip route replace' commands. I consider this a bug in
-    either kernel 2.6.24 or in iproute2 but until the issue is
-    resolved, I've added a hack to work around the problem.
-
-    If you are experiencing these problems then add the following line
-    to your shorewall.conf file:
-
-       BROKEN_ROUTING=Yes
-
-    Note: This hack is only available in Shorewall-perl.
-
-4)  Shorewall-perl now generates an error when a MAC address appears in
-    a traffic shaping rule in the OUTPUT or POSTROUTING chains.
-
-5)  Macros are now self-commenting under control of a new AUTO_COMMENT
-    option in shorewall.conf. When this option is set, if there is not
-    a current comment when a macro is invoked, the behavior under
-    Shorewall-perl is as if the first line of the macro file was
-    "COMMENT <macro name>".
-
-    So, if you have this rule:
-
-    	SSH/ACCEPT  loc	 fw
-
-    then the generated netfilter rule will include "/* SSH */" when
-    viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
-    dump'.
-
-    The AUTO_COMMENT option has a default value of 'Yes' and is only
-    available under Shorewall-perl The option is ignored by
-    Shorewall-shell.
+New Features in 4.1.6.

 New Features in Shorewall 4.1.

@ -564,4 +497,35 @@ New Features in Shorewall 4.1.
    filter chain per zone but in most cases, the average number of
    filter rules traversed by a connection request will be reduced.

+20) The need for interface-specific chains (such as eth0_in, eth4_fwd,
+    etc.) in the filter table has been drastically reduced. This has
+    the effect of reducing the average number of rules that each packet
+    must traverse.
+
+21) The default value for LOG_MARTIANS is now 'Yes' ('On' in
+    Shorewall-perl). Previously, the default value was 'No' ('Off' in
+    Shorewall-perl). The shorewall.conf file has also been 
+    updated to specify a value of 'Yes' (which is interpreted as 'On'
+    by Shorewall-perl).
+
+22) Shorewall-perl now generates an error when a MAC address appears in
+    a traffic shaping rule in the OUTPUT or POSTROUTING chains.
+
+23) Macros are now self-commenting under control of a new AUTO_COMMENT
+    option in shorewall.conf. When this option is set, if there is not
+    a current comment when a macro is invoked, the behavior under
+    Shorewall-perl is as if the first line of the macro file was
+    "COMMENT <macro name>".
+
+    So, if you have this rule:
+
+    	SSH/ACCEPT  loc	 fw
+
+    then the generated netfilter rule will include "/* SSH */" when
+    viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
+    dump'.
+
+    The AUTO_COMMENT option has a default value of 'Yes' and is only
+    available under Shorewall-perl The option is ignored by
+    Shorewall-shell.

--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@ -159,7 +159,7 @@ MAPOLDACTIONS=No

 FASTACCEPT=No

-IMPLICIT_CONTINUE=Yes
+IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@ -173,6 +173,8 @@ sub validate_policy()

    my $zone;

+    my $warned = 0;
+
    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
 	my $action = $config{$option};
 	next if $action eq 'none';
@ -196,6 +198,7 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );

 	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
+	    warning_message "IMPLICT_CONTINUE=Yes is deprecated" unless $warned++;
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@ -481,6 +481,8 @@ validate_policy()

    ALL_POLICY_CHAINS=

+    warned=
+
    for zone in $ZONES $FW; do
 	chain=${zone}2${zone}
 	eval ${chain}_is_policy=Yes
@ -492,6 +494,7 @@ validate_policy()
 	if [ -n "$IMPLICIT_CONTINUE" ]; then
 	    eval parents=\$${zone}_parents
 	    if [ -n "$parents" ]; then
+		[ -z "$warned" ] && error_message "WARNING: IMPLICIT_CONTINUE=Yes is deprecated" && warned=Yes
 		for zone1 in $ZONES $FW; do 
 		    if [ $zone != $zone1 ]; then
 			chain=${zone}2${zone1}