Merge branch '4.5.2'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
e3997abfb9
@ -4479,10 +4479,25 @@ sub get_set_flags( $$ ) {
|
|||||||
my @options = split /,/, $options;
|
my @options = split /,/, $options;
|
||||||
my %typemap = ( src => 'Source', dst => 'Destination' );
|
my %typemap = ( src => 'Source', dst => 'Destination' );
|
||||||
|
|
||||||
|
if ( $config{IPSET_WARNINGS} ) {
|
||||||
|
for ( @options ) {
|
||||||
|
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$setname =~ s/^\+//;
|
$setname =~ s/^\+//;
|
||||||
|
|
||||||
|
if ( $config{IPSET_WARNINGS} ) {
|
||||||
|
unless ( $export || $> != 0 ) {
|
||||||
|
unless ( $ipset_exists{$setname} ) {
|
||||||
|
warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
|
||||||
|
}
|
||||||
|
|
||||||
|
$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
|
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
|
||||||
|
|
||||||
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
|
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
|
||||||
|
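Review bot: The new existence probe `warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";` runs before the `fatal_error "Invalid ipset name ($setname)"` check further down, so a set name taken straight from the configuration is interpolated into a command while the compiler is running as root (that is what the `$> != 0` guard selects for). If qt hands its argument to a shell — its definition is not visible here — a name containing shell metacharacters would be executed rather than rejected, so the `fatal_error` validation should be moved above the `if ( $config{IPSET_WARNINGS} )` block. The validation pattern is also anchored only at the front, so a name like `foo;id` still satisfies `/^(6_)?[a-zA-Z]\w*/`; anchor it, e.g. `$setname =~ /^(6_)?[a-zA-Z]\w*\z/`. If names with characters outside `\w` (such as `my-set`) must remain accepted, widen the character class explicitly rather than leaving the pattern open-ended. get_set_flags starts above this hunk, so `$option` and `$options` are set outside it.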
@ -568,6 +568,7 @@ sub initialize( $ ) {
|
|||||||
MAPOLDACTIONS => undef,
|
MAPOLDACTIONS => undef,
|
||||||
FASTACCEPT => undef,
|
FASTACCEPT => undef,
|
||||||
IMPLICIT_CONTINUE => undef,
|
IMPLICIT_CONTINUE => undef,
|
||||||
|
IPSET_WARNINGS => undef,
|
||||||
HIGH_ROUTE_MARKS => undef,
|
HIGH_ROUTE_MARKS => undef,
|
||||||
USE_ACTIONS=> undef,
|
USE_ACTIONS=> undef,
|
||||||
OPTIMIZE => undef,
|
OPTIMIZE => undef,
|
||||||
@ -1494,7 +1495,7 @@ sub pop_include() {
|
|||||||
unless ( $ifstack == @ifstack ) {
|
unless ( $ifstack == @ifstack ) {
|
||||||
my $lastref = $ifstack[-1];
|
my $lastref = $ifstack[-1];
|
||||||
$currentlinenumber = 'EOF';
|
$currentlinenumber = 'EOF';
|
||||||
fatal_error qq(Missing "?END" to match ?IF at line number $lastref->[2])
|
fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $arrayref ) {
|
if ( $arrayref ) {
|
||||||
@ -1522,6 +1523,49 @@ sub close_file() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub process_conditional( $$ ) {
|
||||||
|
my ( $omitting, $line ) = @_;
|
||||||
|
|
||||||
|
fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
|
||||||
|
|
||||||
|
my ($keyword, $rest) = ( $1, $2 );
|
||||||
|
|
||||||
|
$rest = '' unless supplied $rest;
|
||||||
|
|
||||||
|
if ( $keyword =~ /^IF/ ) {
|
||||||
|
fatal_error "Missing IF variable" unless $rest;
|
||||||
|
my $invert = $rest =~ s/^!\s*//;
|
||||||
|
|
||||||
|
fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
|
||||||
|
|
||||||
|
push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
|
||||||
|
|
||||||
|
if ( $rest eq '__IPV6' ) {
|
||||||
|
$omitting = $family == F_IPV4;
|
||||||
|
} elsif ( $rest eq '__IPV4' ) {
|
||||||
|
$omitting = $family == F_IPV6;
|
||||||
|
} else {
|
||||||
|
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
||||||
|
exists $params{$rest} ? $params{$rest} :
|
||||||
|
exists $config{$rest} ? $config{$rest} : 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
$omitting = ! $omitting if $invert;
|
||||||
|
} elsif ( $keyword eq 'ELSE' ) {
|
||||||
|
fatal_error "Invalid ?ELSE" unless $rest eq '';
|
||||||
|
my ( $last, $omit, $lineno );
|
||||||
|
( $last, $omit, $lineno ) = @{pop @ifstack} if @ifstack > $ifstack;
|
||||||
|
fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF';
|
||||||
|
push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ];
|
||||||
|
} else {
|
||||||
|
fatal_error "Invalid ?ENDIF" unless $rest eq '';
|
||||||
|
fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
|
||||||
|
(my $last, $omitting ) = @{pop @ifstack};
|
||||||
|
}
|
||||||
|
|
||||||
|
$omitting;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Functions for copying a file into the script
|
# Functions for copying a file into the script
|
||||||
#
|
#
|
||||||
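Review bot: process_conditional is new and has no header comment, although it is the only place that decides whether subsequent lines are omitted; add above `sub process_conditional( $$ ) {` something like `# Handle a ?IF/?ELSE/?ENDIF directive. Returns the new 'omitting' state; ?IF pushes onto @ifstack, ?ELSE and ?ENDIF pop from it.` The lookup order for a `?IF $VAR` — `%ENV` first, then `%params`, then `%config` — deserves a line in that comment too, because a variable exported in the compiler's environment overrides a params-file or shorewall.conf setting of the same name, which is easy to miss when rules unexpectedly go missing. The variable check `$rest =~ /^\w+$/` accepts a trailing newline under `$`; `\z` is the stricter anchor if `$line` can arrive unchomped.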
@ -2039,42 +2083,10 @@ sub read_a_line(;$$$) {
|
|||||||
#
|
#
|
||||||
# Line not blank -- Handle conditionals
|
# Line not blank -- Handle conditionals
|
||||||
#
|
#
|
||||||
if ( $currentline =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/ ) {
|
if ( $currentline =~ /^\s*\?/ ) {
|
||||||
my $rest = $2;
|
$omitting = process_conditional( $omitting, $currentline);
|
||||||
|
$currentline='';
|
||||||
$rest = '' unless supplied $rest;
|
next;
|
||||||
|
|
||||||
if ( $1 =~ /^IF/ ) {
|
|
||||||
fatal_error "Missing IF variable" unless $rest;
|
|
||||||
my $invert = $rest =~ s/^!\s*//;
|
|
||||||
|
|
||||||
fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
|
|
||||||
|
|
||||||
push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
|
|
||||||
|
|
||||||
if ( $rest eq '__IPV6' ) {
|
|
||||||
$omitting = $family == F_IPV4;
|
|
||||||
} elsif ( $rest eq '__IPV4' ) {
|
|
||||||
$omitting = $family == F_IPV6;
|
|
||||||
} else {
|
|
||||||
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
|
||||||
exists $params{$rest} ? $params{$rest} :
|
|
||||||
exists $config{$rest} ? $config{$rest} : 0 );
|
|
||||||
}
|
|
||||||
|
|
||||||
$omitting = ! $omitting if $invert;
|
|
||||||
} elsif ( $1 eq 'ELSE' ) {
|
|
||||||
fatal_error "Invalid ?ELSE" unless $rest eq '';
|
|
||||||
my ( $last, $omit, $lineno ) = @{pop @ifstack};
|
|
||||||
fatal_error q(Unexpected "?ELSE" without matching ?IF) unless defined $last && $last eq 'IF';
|
|
||||||
push @ifstack, [ 'ELSE', $omitting = ! $omit, $lineno ];
|
|
||||||
} else {
|
|
||||||
fatal_error "Invalid ?END" unless $rest eq '';
|
|
||||||
fatal_error q(Unexpected "?END" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
|
|
||||||
(my $last, $omitting ) = @{pop @ifstack};
|
|
||||||
}
|
|
||||||
|
|
||||||
$currentline='', next;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $omitting ) {
|
if ( $omitting ) {
|
||||||
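Review bot: The trigger was widened from `/^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/` to `/^\s*\?/`, so any line whose first non-blank character is `?` is now handed to process_conditional, and one that is not IF/ELSE/ENDIF becomes a fatal "Invalid compiler directive" where it was previously passed through as ordinary content. That tightening looks intentional, but nothing at the call site says so; a comment such as `# Any line starting with '?' is a compiler directive; process_conditional rejects unknown ones` would make the contract explicit. read_a_line starts and ends outside this hunk.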
@ -3855,6 +3867,7 @@ sub get_configuration( $$$ ) {
|
|||||||
default_yes_no 'EXPORTMODULES' , '';
|
default_yes_no 'EXPORTMODULES' , '';
|
||||||
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
||||||
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
||||||
|
default_yes_no 'IPSET_WARNINGS' , 'Yes';
|
||||||
|
|
||||||
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
||||||
|
|
||||||
|
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -848,6 +848,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
|
||||||
|
rules compiler to issue a warning when:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The compiler is being run by root and an ipset specified
|
||||||
|
in the configuration does not exists. Only one warning is issued
|
||||||
|
for each missing ipset.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When [src] is specified in a destination column and when
|
||||||
|
[dst] is specified in a source column.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||||
@ -2092,14 +2115,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
tcrules. This was done so that tcrules could reset the packet mark
|
tcrules. This was done so that tcrules could reset the packet mark
|
||||||
to zero, thus allowing the packet to be routed using the 'main'
|
to zero, thus allowing the packet to be routed using the 'main'
|
||||||
routing table. Using the main table allowed dynamic routes (such as
|
routing table. Using the main table allowed dynamic routes (such as
|
||||||
those added for VPNs) to be effective. The rtrules file was
|
those added for VPNs) to be effective. The rtrules file was created
|
||||||
created to provide a better alternative to clearing the packet mark.
|
to provide a better alternative to clearing the packet mark. As a
|
||||||
As a consequence, passing these packets to PREROUTING complicates
|
consequence, passing these packets to PREROUTING complicates things
|
||||||
things without providing any real benefit. Beginning with Shorewall
|
without providing any real benefit. Beginning with Shorewall 4.4.6,
|
||||||
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
|
when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
|
||||||
through 'tracked' interfaces will not be passed to the PREROUTING
|
'tracked' interfaces will not be passed to the PREROUTING rules.
|
||||||
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
|
Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
|
||||||
change should be transparent to most, if not all, users.</para>
|
should be transparent to most, if not all, users.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -756,6 +756,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
|
||||||
|
rules compiler to issue a warning when:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The compiler is being run by root and an ipset specified
|
||||||
|
in the configuration does not exists. Only one warning is issued
|
||||||
|
for each missing ipset.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When [src] is specified in a destination column and when
|
||||||
|
[dst] is specified in a source column.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -1809,15 +1832,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
to zero, thus allowing the packet to be routed using the 'main'
|
to zero, thus allowing the packet to be routed using the 'main'
|
||||||
routing table. Using the main table allowed dynamic routes (such as
|
routing table. Using the main table allowed dynamic routes (such as
|
||||||
those added for VPNs) to be effective. The <ulink
|
those added for VPNs) to be effective. The <ulink
|
||||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
|
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
||||||
file was created to provide a better alternative to clearing the
|
created to provide a better alternative to clearing the packet mark.
|
||||||
packet mark. As a consequence, passing these packets to PREROUTING
|
As a consequence, passing these packets to PREROUTING complicates
|
||||||
complicates things without providing any real benefit. Beginning
|
things without providing any real benefit. Beginning with Shorewall
|
||||||
with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
|
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
|
||||||
packets arriving through 'tracked' interfaces will not be passed to
|
through 'tracked' interfaces will not be passed to the PREROUTING
|
||||||
the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
|
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
|
||||||
4.4.3, this change should be transparent to most, if not all,
|
change should be transparent to most, if not all, users.</para>
|
||||||
users.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1977,10 +1999,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
||||||
shorewall6-nat(5), shorewall6-netmap(5),
|
shorewall6-nat(5), shorewall6-netmap(5),
|
||||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||||
shorewall6-providers(5), shorewall6-proxyarp(5),
|
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
|
||||||
shorewall6-rtrules(5), shorewall6-routestopped(5),
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
|
||||||
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||||
shorewall6-zones(5)</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|