From 955a9f0051ab51f936afbca5824554ca6fb68009 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Mar 2012 19:10:46 -0700 Subject: [PATCH 1/6] Correct Steven's issues Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 89 +++++++++++++++++------------- 1 file changed, 50 insertions(+), 39 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 261b66d8a..1e9df3a96 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1494,7 +1494,7 @@ sub pop_include() { unless ( $ifstack == @ifstack ) { my $lastref = $ifstack[-1]; $currentlinenumber = 'EOF'; - fatal_error qq(Missing "?END" to match ?IF at line number $lastref->[2]) + fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2]) } if ( $arrayref ) { 
@@ -1522,6 +1522,49 @@ sub close_file() { } } +sub process_conditional( $$ ) { + my ( $omitting, $line ) = @_; + + fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/; + + my ($keyword, $rest) = ( $1, $2 ); + + $rest = '' unless supplied $rest; + + if ( $keyword =~ /^IF/ ) { + fatal_error "Missing IF variable" unless $rest; + my $invert = $rest =~ s/^!\s*//; + + fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/; + + push @ifstack, [ 'IF', $omitting, $currentlinenumber ]; + + if ( $rest eq '__IPV6' ) { + $omitting = $family == F_IPV4; + } elsif ( $rest eq '__IPV4' ) { + $omitting = $family == F_IPV6; + } else { + $omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} : + exists $params{$rest} ? $params{$rest} : + exists $config{$rest} ? $config{$rest} : 0 ); + } + + $omitting = ! $omitting if $invert; + } elsif ( $keyword eq 'ELSE' ) { + fatal_error "Invalid ?ELSE" unless $rest eq ''; + my ( $last, $omit, $lineno ); + ( $last, $omit, $lineno ) = @{pop @ifstack} if @ifstack > $ifstack; + fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF'; + push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ]; + } else { + fatal_error "Invalid ?ENDIF" unless $rest eq ''; + fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack; + (my $last, $omitting ) = @{pop @ifstack}; + } + + $omitting; +} + # # Functions for copying a file into the script # 
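Review bot: The variable lookup at `$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} : ...` gives the compiler's inherited environment precedence over `%params` and `%config`, so an environment variable that happens to share a name with a shorewall.conf option or params entry silently decides the `?IF`, and the new sub documents neither that precedence nor the IF/ELSE/ENDIF stack contract. I would add a header in the file's `#` block style, e.g. `# Process a ?IF/?ELSE/?ENDIF directive. For ?IF $NAME, %ENV is consulted before %params and %config; returns the new value of $omitting.` The name check `$rest =~ /^\w+$/` should use `\z`, since `$` also matches before a trailing newline should `$line` ever reach here unchomped. In the `?ENDIF` branch `my $last` is assigned but never read; `( undef, $omitting ) = @{pop @ifstack};` says the same thing without the dead lexical.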
@@ -2039,44 +2082,12 @@ sub read_a_line(;$$$) { # # Line not blank -- Handle conditionals # - if ( $currentline =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/ ) { - my $rest = $2; - - $rest = '' unless supplied $rest; - - if ( $1 =~ /^IF/ ) { - fatal_error "Missing IF variable" unless $rest; - my $invert = $rest =~ s/^!\s*//; - - fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/; - - push @ifstack, [ 'IF', $omitting, $currentlinenumber ]; - - if ( $rest eq '__IPV6' ) { - $omitting = $family == F_IPV4; - } elsif ( $rest eq '__IPV4' ) { - $omitting = $family == F_IPV6; - } else { - $omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} : - exists $params{$rest} ? $params{$rest} : - exists $config{$rest} ? $config{$rest} : 0 ); - } - - $omitting = ! $omitting if $invert; - } elsif ( $1 eq 'ELSE' ) { - fatal_error "Invalid ?ELSE" unless $rest eq ''; - my ( $last, $omit, $lineno ) = @{pop @ifstack}; - fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF'; - push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ]; - } else { - fatal_error "Invalid ?END" unless $rest eq ''; - fatal_error q(Unexpected "?END" without matching ?IF or ?ELSE) if @ifstack <= $ifstack; - (my $last, $omitting ) = @{pop @ifstack}; - } - - $currentline='', next; - } - + if ( $currentline =~ /^\s*\?/ ) { + $omitting = process_conditional( $omitting, $currentline); + $currentline=''; + next; + } + if ( $omitting ) { progress_message " OMITTED: $currentline"; $currentline=''; From 15ca0fd1f03047ce5c938084d1eeed0590f5a7c0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Mar 2012 13:36:23 -0700 Subject: [PATCH 2/6] Add IPSET_WARNINGS option 
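Review bot: The dispatch test `if ( $currentline =~ /^\s*\?/ )` is wider than the pattern it replaces: any line whose first non-blank character is `?` now reaches `process_conditional`, which dies with "Invalid compiler directive" unless it is ?IF/?ELSE/?ENDIF, whereas such lines previously fell through to ordinary line processing (including `?IF` with no whitespace after it, which the old `IF\s+` did not match). If that tightening is intended it deserves a comment on the `if`, e.g. `# Every line beginning with '?' is a compiler directive; anything but ?IF/?ELSE/?ENDIF is a fatal error`; if not, the guard should keep the original `/^\s*\?(IF\s+|ELSE|ENDIF)/` form. read_a_line begins and ends outside this hunk.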
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 20 +++++--- Shorewall/Perl/Shorewall/Config.pm | 2 + Shorewall/Samples/Universal/shorewall.conf | 2 + .../Samples/one-interface/shorewall.conf | 2 + .../Samples/three-interfaces/shorewall.conf | 2 + .../Samples/two-interfaces/shorewall.conf | 2 + Shorewall/configfiles/shorewall.conf | 2 + Shorewall/manpages/shorewall.conf.xml | 39 ++++++++++++--- Shorewall6/Samples6/Universal/shorewall6.conf | 2 + .../Samples6/one-interface/shorewall6.conf | 2 + .../Samples6/three-interfaces/shorewall6.conf | 2 + .../Samples6/two-interfaces/shorewall6.conf | 2 + Shorewall6/configfiles/shorewall6.conf | 2 + Shorewall6/manpages/shorewall6.conf.xml | 49 +++++++++++++------ 14 files changed, 101 insertions(+), 29 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 2911e5a43..1c5c6d56f 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -4483,20 +4483,26 @@ sub get_set_flags( $$ ) { my @options = split /,/, $options; my %typemap = ( src => 'Source', dst => 'Destination' ); - for ( @options ) { - warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option; + if ( $config{IPSET_WARNINGS} ) { + for ( @options ) { + warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option; + } } } $setname =~ s/^\+//; - unless ( $export || $> != 0 ) { - unless ( $ipset_exists{$setname} ) { - warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname"; - } - $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings + if ( $config{IPSET_WARNINGS} ) { + unless ( $export || $> != 0 ) { + unless ( $ipset_exists{$setname} ) { + warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname"; + } + + $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings + } } + fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/; have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 1e9df3a96..3d87e6954 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -568,6 +568,7 @@ sub initialize( $ ) { MAPOLDACTIONS => undef, FASTACCEPT => undef, IMPLICIT_CONTINUE => undef, + IPSET_WARNINGS => undef, HIGH_ROUTE_MARKS => undef, USE_ACTIONS=> undef, OPTIMIZE => undef, @@ -3866,6 +3867,7 @@ sub get_configuration( $$$ ) { default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'USE_PHYSICAL_NAMES' , ''; + default_yes_no 'IPSET_WARNINGS' , 'Yes'; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; 
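Review bot: The name check `fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;` still sits below the new `if ( $config{IPSET_WARNINGS} )` block, so `qt "ipset -L $setname"` is run (only when `$> == 0`, per the `unless ( $export || $> != 0 )` test) with a `$setname` taken from the configuration before it has been validated, and the pattern is anchored only at the start, so any suffix after the leading word characters is accepted. Move the `fatal_error` line above the `if ( $config{IPSET_WARNINGS} )` block and anchor it, `/^(6_)?[a-zA-Z]\w*\z/`, so that only a validated name is ever interpolated into the command string. Whether `qt` hands its argument to a shell is not visible here; if it does, a list-form invocation would be the stronger fix. get_set_flags begins outside this hunk.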
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 506c1396d..a7ce12422 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=No diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 632ab0e41..d5e9a1c07 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=Off KEEP_RT_TABLES=No diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index d4d66bdcc..ea53c331f 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=No diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index f685c698e..d6b6dbe1f 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 226b1d86a..777de5306 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=No diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 24a6ffa23..abf031fda 100644 --- a/Shorewall/manpages/shorewall.conf.xml 
+++ b/Shorewall/manpages/shorewall.conf.xml @@ -848,6 +848,29 @@ net all DROP infothen the chain name is 'net2all' + + IPSET_WARNINGS={Yes|No} + + + Added in Shorewall 4.5.2. Default is Yes. When set, causes the + rules compiler to issue a warning when: + + + + The compiler is being run by root and an ipset specified + in the configuration does not exists. Only one warning is issued + for each missing ipset. + + + + When [src] is specified in a destination column and when + [dst] is specified in a source column. + + + + + IPTABLES=[pathname] @@ -2092,14 +2115,14 @@ net all DROP infothen the chain name is 'net2all' tcrules. This was done so that tcrules could reset the packet mark to zero, thus allowing the packet to be routed using the 'main' routing table. Using the main table allowed dynamic routes (such as - those added for VPNs) to be effective. The rtrules file was - created to provide a better alternative to clearing the packet mark. - As a consequence, passing these packets to PREROUTING complicates - things without providing any real benefit. Beginning with Shorewall - 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving - through 'tracked' interfaces will not be passed to the PREROUTING - rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this - change should be transparent to most, if not all, users. + those added for VPNs) to be effective. The rtrules file was created + to provide a better alternative to clearing the packet mark. As a + consequence, passing these packets to PREROUTING complicates things + without providing any real benefit. Beginning with Shorewall 4.4.6, + when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through + 'tracked' interfaces will not be passed to the PREROUTING rules. + Since TRACK_PROVIDERS was just introduced in 4.4.3, this change + should be transparent to most, if not all, users. 
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index f3409a9c7..7d86dd9d6 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=Off KEEP_RT_TABLES=Yes diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 24a329ef6..7ea50a30b 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=Off KEEP_RT_TABLES=Yes diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 0c6d4166d..1177054ba 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=Yes diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index baf7da56e..c4d7f73b2 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=On KEEP_RT_TABLES=Yes diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 44da0c1dc..12e20bd3c 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes IMPLICIT_CONTINUE=No +IPSET_WARNINGS=Yes + IP_FORWARDING=Off KEEP_RT_TABLES=Yes diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index da0dfa698..7bf77bc18 100644 
--- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -756,6 +756,29 @@ net all DROP infothen the chain name is 'net2all' + + IPSET_WARNINGS={Yes|No} + + + Added in Shorewall 4.5.2. Default is Yes. When set, causes the + rules compiler to issue a warning when: + + + + The compiler is being run by root and an ipset specified + in the configuration does not exists. Only one warning is issued + for each missing ipset. + + + + When [src] is specified in a destination column and when + [dst] is specified in a source column. + + + + + KEEP_RT_TABLES={Yes|No} @@ -1809,15 +1832,14 @@ net all DROP infothen the chain name is 'net2all' to zero, thus allowing the packet to be routed using the 'main' routing table. Using the main table allowed dynamic routes (such as those added for VPNs) to be effective. The shorewall6-rtrules(5) - file was created to provide a better alternative to clearing the - packet mark. As a consequence, passing these packets to PREROUTING - complicates things without providing any real benefit. Beginning - with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, - packets arriving through 'tracked' interfaces will not be passed to - the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in - 4.4.3, this change should be transparent to most, if not all, - users. + url="shorewall6-rtrules.html">shorewall6-rtrules(5) file was + created to provide a better alternative to clearing the packet mark. + As a consequence, passing these packets to PREROUTING complicates + things without providing any real benefit. Beginning with Shorewall + 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving + through 'tracked' interfaces will not be passed to the PREROUTING + rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this + change should be transparent to most, if not all, users. 
@@ -1977,10 +1999,9 @@ net all DROP infothen the chain name is 'net2all' shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-proxyarp(5), - shorewall6-rtrules(5), shorewall6-routestopped(5), - shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) + shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5) From 78306e9f5b39dcf18457972437ef3e53496ca5d7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Mar 2012 12:28:26 -0700 Subject: [PATCH 3/6] Don't issue missing SHOREWALL_SHELL warning when compiling for export Signed-off-by: Tom Eastep --- Shorewall/lib.cli-std | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index eb0f6493e..83c4e0d1b 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -239,7 +239,7 @@ get_config() { LOG_VERBOSITY=-1 fi - if [ -n "$SHOREWALL_SHELL" ]; then + if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2 SHOREWALL_SHELL=/bin/sh From 826d8644482cb582b496fb9dac88859f43814fb7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Mar 2012 12:09:22 -0700 Subject: [PATCH 4/6] Document MANDIR Signed-off-by: Tom Eastep --- docs/Install.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/Install.xml b/docs/Install.xml index 09107e2c3..faa5dc6c5 100644 --- a/docs/Install.xml +++ b/docs/Install.xml 
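Review bot: The new condition `if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then` uses the `-a` operator of `test`, which POSIX marks obsolescent and which becomes ambiguous when an operand looks like an operator; the equivalent `if [ -n "$SHOREWALL_SHELL" ] && [ -z "$g_export" ]; then` avoids both problems. A short comment would also help, since the reason for skipping the check is presumably that the configured shell refers to the export target rather than the compiling host: `# Skip the executable check when exporting; SHOREWALL_SHELL names a program on the target system`. get_config continues outside this hunk.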
@@ -288,6 +288,15 @@ pathname for PERLLIB. + + + MANDIR + + + Determines where the man pages are installed. Default is + distribution-dependent as shown below. + + From 29ccde1603fbc2cbd76264901dca4fa8f605f532 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Mar 2012 11:20:24 -0700 Subject: [PATCH 5/6] Add an Id to the default location section of the Install doc Signed-off-by: Tom Eastep --- docs/Install.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Install.xml b/docs/Install.xml index faa5dc6c5..a19018246 100644 --- a/docs/Install.xml +++ b/docs/Install.xml @@ -300,7 +300,7 @@ -
+
Default Install Locations The default install locations are distribution dependent as shown From 5caf68bc314a83c4df20e25647c7447e4d8099ca Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 17 Mar 2012 18:29:32 -0700 Subject: [PATCH 6/6] Remove .project Signed-off-by: Tom Eastep --- Shorewall/Perl/.project | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 Shorewall/Perl/.project diff --git a/Shorewall/Perl/.project b/Shorewall/Perl/.project deleted file mode 100644 index 4ac4c5354..000000000 --- a/Shorewall/Perl/.project +++ /dev/null @@ -1,17 +0,0 @@ - - - Shorewall - - - - - - org.epic.perleditor.perlbuilder - - - - - - org.epic.perleditor.perlnature - -