extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-16 11:20:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

First hack at INCLUDE processing

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5740 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-29 04:22:10 +00:00
parent 18170d7fd5
commit e0c8403a42
3 changed files with 75 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
New/Shorewall/Common.pm
View File

@ -99,6 +99,13 @@ sub fatal_error
die; die;
} }
#
# When splitting a line, don't pad out the columns with '-' if the first column contains one of these
#
my %no_pad = ( COMMENT => 1,
SECTION => 1 );
# #
# Pre-process a line from a configuration file. # Pre-process a line from a configuration file.
# #
@ -116,7 +123,7 @@ sub split_line( $$ ) {
my @line = split /\s+/, $line; my @line = split /\s+/, $line;
return @line if $line[0] eq 'COMMENT'; return @line if $no_pad{$line[0]};
fatal_error "Invalid $description entry: $line" if @line > $columns; fatal_error "Invalid $description entry: $line" if @line > $columns;

62
New/Shorewall/Config.pm
View File

@ -277,6 +277,56 @@ sub expand_shell_variables( $ ) {
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line; my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
} }
#
# Stash away file references here when we encounter INCLUDE
#
my @filestack;
my $currentfile;
sub read_a_line {
while ( 1 ) {
while ( $line = <$currentfile> ) {
chomp $line;
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/#.*$//;
expand_shell_variables( $line );
my @line = split /\s+/, $line;
if ( $line[0] eq 'INCLUDE' ) {
fatal_error "Missing file name after 'INCLUDE'" unless @line > 1;
fatal_error "Invalid INCLUDE command: $line" if @line > 2;
if ( @filestack == 4 ) {
warning_message "INCLUDEs nested too deeply; $line ignored";
next;
}
my $filename = find_file $line[1];
fatal_error "$filename not found" unless ( -f $filename );
push @filestack, $currentfile;
$currentfile = '';
open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
} else {
return 1;
}
}
close $currentfile;
return 0 unless @filestack;
$currentfile = pop @filestack;
}
}
# #
# Read the shorewall.conf file and establish global hashes %config and %env. # Read the shorewall.conf file and establish global hashes %config and %env.
# #
@ -285,15 +335,9 @@ sub get_configuration() {
if ( -f $file ) { if ( -f $file ) {
if ( -r _ ) { if ( -r _ ) {
open CONFIG , $file or fatal_error "Unable to open $file: $!"; open $currentfile , $file or fatal_error "Unable to open $file: $!";
while ( $line = <CONFIG> ) {
chomp $line;
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
expand_shell_variables( $line );
while ( read_a_line ) {
if ( $line =~ /^([a-zA-Z]\w*)\s*=\s*(.*)$/ ) { if ( $line =~ /^([a-zA-Z]\w*)\s*=\s*(.*)$/ ) {
my ($var, $val) = ($1, $2); my ($var, $val) = ($1, $2);
unless ( exists $config{$var} ) { unless ( exists $config{$var} ) {
@ -306,8 +350,6 @@ sub get_configuration() {
fatal_error "Unrecognized entry in $file: $line"; fatal_error "Unrecognized entry in $file: $line";
} }
} }
close CONFIG;
} else { } else {
fatal_error "Cannot read $file (Hint: Are you root?)"; fatal_error "Cannot read $file (Hint: Are you root?)";
} }

20
New/Shorewall/Rules.pm
View File

@ -851,6 +851,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype; fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
#
# We will be called recursively for each rule in the macro body
#
process_macro process_macro
$macros{$basictarget}, $macros{$basictarget},
$target , $target ,
@ -988,9 +991,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
} }
} }
if ( $origdest && $origdest ne '-' ) { unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
} elsif ( $origdest ne 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} ) { if ( $config{DETECT_DNAT_IPADDRS} ) {
my $interfacesref = $zones{$sourcezone}{interfaces}; my $interfacesref = $zones{$sourcezone}{interfaces};
my @interfaces = keys %$interfacesref; my @interfaces = keys %$interfacesref;
@ -1015,7 +1016,10 @@ sub process_rule1 ( $$$$$$$$$ ) {
$action , $action ,
$serverport ? do_proto( $proto, '', '' ) : ''; $serverport ? do_proto( $proto, '', '' ) : '';
# #
# After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table. # After NAT:
# - the destination port will be the server port
# - the destination IP will be the server IP
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
# #
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user ); $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
@ -1061,6 +1065,12 @@ sub process_rule1 ( $$$$$$$$$ ) {
$loglevel = ''; $loglevel = '';
} }
unless ( $origdest eq '-' ) {
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
} else {
$origdest = '';
}
expand_rule expand_rule
ensure_chain ('filter', $chain ) , ensure_chain ('filter', $chain ) ,
$restriction , $restriction ,
@ -1192,7 +1202,7 @@ sub process_rules() {
} elsif ( $target eq 'SECTION' ) { } elsif ( $target eq 'SECTION' ) {
fatal_error "Invalid SECTION $source" unless defined $sections{$source}; fatal_error "Invalid SECTION $source" unless defined $sections{$source};
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source}; fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-'; fatal_error "Invalid Section $source $dest" if $dest;
$sectioned = 1; $sectioned = 1;
$sections{$source} = 1; $sections{$source} = 1;