Merge branch '4.5.2'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-02-02 02:49:54 +01:00 · 2012-03-19 07:27:53 -07:00 · 2012-03-19 07:27:53 -07:00 · e3997abfb9
commit e3997abfb9
parent 710687bbd6 5caf68bc31
14 changed files with 153 additions and 61 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -4479,10 +4479,25 @@ sub get_set_flags( $$ ) {
 	my @options = split /,/, $options;
 	my %typemap = ( src => 'Source', dst => 'Destination' );

+	if ( $config{IPSET_WARNINGS} ) {
+	    for ( @options ) {
+		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    }
+	}
    }

    $setname =~ s/^\+//;

+    if ( $config{IPSET_WARNINGS} ) {
+	unless ( $export || $> != 0 ) {
+	    unless ( $ipset_exists{$setname} ) {
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    }
+
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	}
+    }
+
    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;

    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -568,6 +568,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
+	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@ -1494,7 +1495,7 @@ sub pop_include() {
    unless ( $ifstack == @ifstack ) {
 	my $lastref = $ifstack[-1];
 	$currentlinenumber = 'EOF';
-	fatal_error qq(Missing "?END" to match ?IF at line number $lastref->[2])
+	fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
    }

    if ( $arrayref ) {
@ -1522,6 +1523,49 @@ sub close_file() {
    }
 }

+sub process_conditional( $$ ) {
+    my ( $omitting, $line ) = @_;
+
+    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    
+    my ($keyword, $rest) = ( $1, $2 );
+
+    $rest = '' unless supplied $rest;
+
+    if ( $keyword =~ /^IF/ ) {
+	fatal_error "Missing IF variable" unless $rest;
+	my $invert = $rest =~ s/^!\s*//;
+	
+	fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
+
+	push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
+
+	if ( $rest eq '__IPV6' ) {
+	    $omitting = $family == F_IPV4;
+	} elsif ( $rest eq '__IPV4' ) {
+	    $omitting = $family == F_IPV6;
+	} else {
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
+			    exists $params{$rest} ? $params{$rest} : 
+			    exists $config{$rest} ? $config{$rest} : 0 );
+	}
+
+	$omitting = ! $omitting if $invert;
+    } elsif ( $keyword eq 'ELSE' ) {
+	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	my ( $last, $omit, $lineno );
+	( $last, $omit, $lineno ) = @{pop @ifstack} if @ifstack > $ifstack;
+	fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF';
+	push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ];
+    } else {
+	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	(my $last, $omitting ) = @{pop @ifstack};
+    }
+
+    $omitting;
+}   
+
 #
 # Functions for copying a file into the script
 #
@ -2039,44 +2083,12 @@ sub read_a_line(;$$$) {
 	    #
 	    # Line not blank -- Handle conditionals
 	    #
-	    if ( $currentline =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/ ) {
-		my $rest = $2;
-
-		$rest = '' unless supplied $rest;
-
-		if ( $1 =~ /^IF/ ) {
-		    fatal_error "Missing IF variable" unless $rest;
-		    my $invert = $rest =~ s/^!\s*//;
-
-		    fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
-
-		    push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
-
-		    if ( $rest eq '__IPV6' ) {
-			$omitting = $family == F_IPV4;
-		    } elsif ( $rest eq '__IPV4' ) {
-			$omitting = $family == F_IPV6;
-		    } else {
-			$omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
-					exists $params{$rest} ? $params{$rest} : 
-					exists $config{$rest} ? $config{$rest} : 0 );
-		    }
-
-		    $omitting = ! $omitting if $invert;
-		} elsif ( $1 eq 'ELSE' ) {
-		    fatal_error "Invalid ?ELSE" unless $rest eq '';
-		    my ( $last, $omit, $lineno ) = @{pop @ifstack};
-		    fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF';
-		    push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ];
-		} else {
-		    fatal_error "Invalid ?END" unless $rest eq '';
-		    fatal_error q(Unexpected "?END" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
-		    (my $last, $omitting ) = @{pop @ifstack};
-		}
-
-		$currentline='', next;
-	    }   
-
+	    if ( $currentline =~ /^\s*\?/ ) {
+		$omitting = process_conditional( $omitting, $currentline);
+		$currentline='';
+		next;
+	    }		
+		    
 	    if ( $omitting ) {
 		progress_message "  OMITTED: $currentline";
 		$currentline='';
@ -3855,6 +3867,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
+    default_yes_no 'IPSET_WARNINGS'             , 'Yes';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -2092,14 +2115,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
-          created to provide a better alternative to clearing the packet mark.
-          As a consequence, passing these packets to PREROUTING complicates
-          things without providing any real benefit. Beginning with Shorewall
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          through 'tracked' interfaces will not be passed to the PREROUTING
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          change should be transparent to most, if not all, users.</para>
+          those added for VPNs) to be effective. The rtrules file was created
+          to provide a better alternative to clearing the packet mark. As a
+          consequence, passing these packets to PREROUTING complicates things
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          'tracked' interfaces will not be passed to the PREROUTING rules.
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -756,6 +756,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1809,15 +1832,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
          those added for VPNs) to be effective. The <ulink
-          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-          file was created to provide a better alternative to clearing the
-          packet mark. As a consequence, passing these packets to PREROUTING
-          complicates things without providing any real benefit. Beginning
-          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
-          packets arriving through 'tracked' interfaces will not be passed to
-          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
-          4.4.3, this change should be transparent to most, if not all,
-          users.</para>
+          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
+          created to provide a better alternative to clearing the packet mark.
+          As a consequence, passing these packets to PREROUTING complicates
+          things without providing any real benefit. Beginning with Shorewall
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          through 'tracked' interfaces will not be passed to the PREROUTING
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          change should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

@ -1977,10 +1999,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>