First hack at INCLUDE processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5740 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-15 19:01:19 +01:00 · 2007-03-29 04:22:10 +00:00 · 2007-03-29 04:22:10 +00:00 · e0c8403a42
commit e0c8403a42
parent 18170d7fd5
3 changed files with 75 additions and 16 deletions
--- a/New/Shorewall/Common.pm
+++ b/New/Shorewall/Common.pm
@ -99,6 +99,13 @@ sub fatal_error
    die;
 }

+#
+# When splitting a line, don't pad out the columns with '-' if the first column contains one of these
+#
+
+my %no_pad = ( COMMENT => 1,
+	       SECTION => 1 );
+
 #
 # Pre-process a line from a configuration file.
 #
@ -116,7 +123,7 @@ sub split_line( $$ ) {

    my @line = split /\s+/, $line;

-    return @line if $line[0] eq 'COMMENT';
+    return @line if $no_pad{$line[0]};

    fatal_error "Invalid $description entry: $line" if @line > $columns;

--- a/New/Shorewall/Config.pm
+++ b/New/Shorewall/Config.pm
@ -277,6 +277,56 @@ sub expand_shell_variables( $ ) {
    my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
 }

+#
+# Stash away file references here when we encounter INCLUDE
+#
+my @filestack;
+my $currentfile;
+
+sub read_a_line {
+
+    while ( 1 ) {
+	while ( $line = <$currentfile> ) {
+	    chomp $line;
+	    next if $line =~ /^\s*#/;
+	    next if $line =~ /^\s*$/;
+	    $line =~ s/#.*$//;
+	    
+	    expand_shell_variables( $line );
+
+	    my @line = split /\s+/, $line;
+	
+	    if ( $line[0] eq 'INCLUDE' ) {
+		fatal_error "Missing file name after 'INCLUDE'" unless @line > 1;
+		fatal_error "Invalid INCLUDE command: $line"    if @line > 2;
+		
+		if ( @filestack == 4 ) {
+		    warning_message "INCLUDEs nested too deeply; $line ignored";
+		    next;
+		}
+		
+		my $filename = find_file $line[1];
+		
+		fatal_error "$filename not found" unless ( -f $filename );
+		
+		push @filestack, $currentfile;
+		
+		$currentfile = '';
+		
+		open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
+	    } else {
+		return 1;
+	    }
+	}
+	
+	close $currentfile;
+
+	return 0 unless @filestack;
+
+	$currentfile = pop @filestack;
+    }
+}
+
 #
 # Read the shorewall.conf file and establish global hashes %config and %env.
 #
@ -285,15 +335,9 @@ sub get_configuration() {

    if ( -f $file ) {
 	if ( -r _ ) {
-	    open CONFIG , $file or fatal_error "Unable to open $file: $!";
-
-	    while ( $line = <CONFIG> ) {
-		chomp $line;
-		next if $line =~ /^\s*#/;
-		next if $line =~ /^\s*$/;
-
-		expand_shell_variables( $line );
+	    open $currentfile , $file or fatal_error "Unable to open $file: $!";

+	    while ( read_a_line ) {
 		if ( $line =~ /^([a-zA-Z]\w*)\s*=\s*(.*)$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@ -306,8 +350,6 @@ sub get_configuration() {
 		    fatal_error "Unrecognized entry in $file: $line";
 		}
 	    }
-
-	    close CONFIG;
 	} else {
 	    fatal_error "Cannot read $file (Hint: Are you root?)";
 	}
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@ -851,6 +851,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
    fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;

    if ( $actiontype == MACRO ) {
+	#
+	# We will be called recursively for each rule in the macro body
+	#
 	process_macro
 	    $macros{$basictarget},
 	    $target , 
@ -988,9 +991,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
 		}
 	    }

-	    if ( $origdest && $origdest ne '-' ) {
-		require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
-	    } elsif ( $origdest ne 'detect' ) {
+	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
 		if ( $config{DETECT_DNAT_IPADDRS} ) {
 		    my $interfacesref = $zones{$sourcezone}{interfaces};
 		    my @interfaces = keys %$interfacesref;
@ -1015,7 +1016,10 @@ sub process_rule1 ( $$$$$$$$$ ) {
 	    $action , 
 	    $serverport ? do_proto( $proto, '', '' ) : '';
 	#
-	# After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table.
+	# After NAT:
+	#   - the destination port will be the server port
+	#   - the destination IP   will be the server IP
+	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#
 	unless ( $actiontype & NATONLY ) {
 	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
@ -1061,6 +1065,12 @@ sub process_rule1 ( $$$$$$$$$ ) {
 	    $loglevel = '';
 	}

+	unless ( $origdest eq '-' ) {
+	    require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
+	} else {
+	    $origdest = '';
+	}
+
 	expand_rule
 	    ensure_chain ('filter', $chain ) ,
 	    $restriction ,
@ -1192,7 +1202,7 @@ sub process_rules() {
 	} elsif ( $target eq 'SECTION' ) {
 	    fatal_error "Invalid SECTION $source" unless defined $sections{$source};
 	    fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
-	    fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-';
+	    fatal_error "Invalid Section $source $dest" if $dest;
 	    $sectioned = 1;
 	    $sections{$source} = 1;