From e6e04fe478afc86f590bbb14a08cf5baed65ae5f Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 26 Mar 2007 00:46:15 +0000 Subject: [PATCH] Follow some advice from 'Programming Perl' git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5691 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- New/Shorewall/Chains.pm | 33 ++++++++++++++++++++++++--------- New/Shorewall/Rules.pm | 40 +++++++++++++++++++++------------------- New/compiler.pl | 10 +++++----- 3 files changed, 50 insertions(+), 33 deletions(-) diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm index 9d282a51a..bd591a5c2 100644 --- a/New/Shorewall/Chains.pm +++ b/New/Shorewall/Chains.pm @@ -250,7 +250,7 @@ sub add_command($$) { my ($chainref, $command) = @_; - push @{$chainref->{rules}}, '~' . ( ( ' ' x $loopcount ) . $command ); + push @{$chainref->{rules}}, join ('', '~', ' ' x $loopcount, $command ); $chainref->{referenced} = 1; @@ -845,7 +845,7 @@ sub match_source_net( $ ) { ( $net = $2 ) =~ s/-/:/g; "-m mac --mac-source $1 $net "; } elsif ( $net =~ /^(!?)\+/ ) { - '-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src' + join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); } elsif ( $net =~ /^!/ ) { $net =~ s/!//; "-s ! $net "; @@ -865,7 +865,7 @@ sub match_dest_net( $ ) { iprange_match . "${invert}--dst-range $net "; } elsif ( $net =~ /^(!?)\+/ ) { - '-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst' + join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); } elsif ( $net =~ /^!/ ) { $net =~ s/!//; "-d ! $net "; 
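Review bot: `join ('', '~', ' ' x $loopcount, $command )` in add_command puts a space between `join` and its opening parenthesis, while almost every other new call in this commit writes `join(`, and perlstyle asks for no space before a function's own parenthesis. The same spacing is in expand_rule's `$rule .= join ( '', '-d $', interface_address( $interfaces[0] ), ' ' );` (hunk @@ -1112) and in compiler.pl at `emit join ( ''` (@@ -64) and the second `fatal_error join ( ''` (@@ -593). Suggest `push @{$chainref->{rules}}, join( '', '~', ' ' x $loopcount, $command );` here and the same normalisation in the three others.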
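Review bot: In match_source_net's set branch the negation flag is read from `$1` inside the join, `$1 ? '! ' : ''`, which works only because the enclosing `elsif ( $net =~ /^(!?)\+/ )` is the last regex to run before it; the iprange branch of match_dest_net on this same page already keeps that flag in a named `${invert}`. Naming it once makes the two subs consistent and survives any later regex being added between the test and the join: `my $invert = $1 ? '! ' : '';` followed by `join( '', '-m set ', $invert, get_set_flags( $net, 'src' ) );`, and the same with `'dst'` in match_dest_net (hunk @@ -865). Both subs start before their hunks, so whether match_dest_net already declares `$invert` in scope for this branch is not visible here.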
@@ -1112,14 +1112,14 @@ sub expand_rule( $$$$$$$$$$ ) for my $interface ( @interfaces ) { get_interface_address $chainref, $interface; - add_command $chainref , 'addresses="$addresses $' . interface_address( $interface ) . '"' ; + add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ). '"' ); } add_command $chainref , 'for address in $addresses; do'; $rule .= '-d $address '; $loopcount++; } else { get_interface_address $chainref, $interfaces[0]; - $rule .= '-d $' . interface_address( $interfaces[0] ) . ' '; + $rule .= join ( '', '-d $', interface_address( $interfaces[0] ), ' ' ); } $dest = ''; @@ -1179,7 +1179,7 @@ sub expand_rule( $$$$$$$$$$ ) $loopcount++; } else { get_interface_address $chainref, $interfaces[0]; - $rule .= '-m conntrack --ctorigdst $' . interface_address ( $interfaces[0] ) . ' '; + $rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' ); } $origdest = ''; @@ -1268,7 +1268,7 @@ sub expand_rule( $$$$$$$$$$ ) for my $inet ( mysplit $inets ) { $inet = match_source_net $inet; for my $dnet ( mysplit $dnets ) { - add_rule $chainref, $rule . $inet . ( match_dest_net $dnet ) . $onet . "-j $echain"; + add_rule $chainref, join( '', $rule, $inet, match_dest_net( $dnet ), $onet, "-j $echain" ); } } } 
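Review bot: The rebuilt add_command line in expand_rule still concatenates inside the join: `interface_address( $interface ). '"'` glues the closing quote onto the element with `.` instead of passing `'"'` as its own element. The produced string is identical, so this is style only, but a reader counting join elements will miss the quote, and the same slip is in generate_matrix's forward_chain rule in Rules.pm (hunk @@ -1328, `$ipsec_in_match. "-j $frwd_ref->{name}"`). Suggest `add_command $chainref , join( '', 'addresses="$addresses $', interface_address( $interface ), '"' );` and `join( '', $source, $ipsec_in_match, "-j $frwd_ref->{name}" )` respectively. expand_rule starts before this hunk.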
@@ -1315,8 +1315,23 @@ sub expand_rule( $$$$$$$$$$ ) for my $inet ( mysplit $inets ) { $inet = match_source_net $inet; for my $dnet ( mysplit $dnets ) { - log_rule_limit $loglevel , $chainref , $chain, $disposition , '' , $logtag , 'add' , $rule . $inet . match_dest_net( $dnet ) . $onet if $loglevel; - add_rule $chainref, $rule . $inet . match_dest_net( $dnet ) . $onet . $target unless $disposition eq 'LOG'; + if ( $loglevel ) { + log_rule_limit + $loglevel , + $chainref , + $chain, + $disposition , + '' , + $logtag , + 'add' , + join( '', $rule, $inet, match_dest_net( $dnet ), $onet ); + } + + unless ( $disposition eq 'LOG' ) { + add_rule + $chainref, + join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target ); + } } } } diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index 09658d6e6..867149c33 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm @@ -166,7 +166,7 @@ sub setup_rfc1918_filteration( $ ) { my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; for my $chain ( @{first_chains $interface}) { - add_rule $filter_table->{$chain} , '-m state --state NEW ' . match_source_net( $hostref->[2]) . "${policy}-j norfc1918"; + add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); } } } @@ -214,7 +214,7 @@ sub setup_blacklist() { open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!"; - progress_message( " Processing " . find_file 'blacklist' . '...' ); + progress_message( join( '', ' Processing ', find_file( 'blacklist' ), '...' ) ); while ( $line = ) { 
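Review bot: In the new `if ( $loglevel )` / `unless ( $disposition eq 'LOG' )` pair, `match_dest_net( $dnet )` is evaluated twice per inner-loop iteration, once for the log rule and once for the real rule. Computing it once shortens both joins and guarantees the logged rule and the enforcing rule carry the same destination match: `my $dest_match = match_dest_net( $dnet );` at the top of the `for my $dnet` body, then `join( '', $rule, $inet, $dest_match, $onet )` and `join( '', $rule, $inet, $dest_match, $onet, $target )`. This assumes match_dest_net has no side effects, which the part of its body visible in Chains.pm (hunk @@ -865) suggests, since it only inspects its argument. expand_rule starts before this hunk.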
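Review bot: Two lines above the reworked progress_message call, the stripped blacklist is opened with `open BL, "$ENV{TMP_DIR}/blacklist"`: a two-argument open on a bareword handle, so the open mode is decided by the contents of the interpolated path rather than by the code. The new line does not touch it, but as this hunk is being restyled anyway the safe form is `open my $bl, '<', "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";` with the loop reading from `<$bl>`. The read on the `while ( $line = ) {` line appears to have lost its angle-bracket handle in rendering, so that line should be checked against the repository rather than this page. setup_blacklist starts before this hunk.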
@@ -437,7 +437,7 @@ sub add_common_rules() { my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; for $chain ( @{first_chains $interface}) { - add_rule $filter_table->{$chain} , '-m state --state NEW,INVALID ' . match_source_net( $hostref->[2]) . "${policy}-j smurfs"; + add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); } } } @@ -516,7 +516,7 @@ sub add_common_rules() { my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; for $chain ( @{first_chains $interface}) { - add_rule $filter_table->{$chain} , '-p tcp ' . match_source_net( $hostref->[2]) . "${policy}-j tcpflags"; + add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" ); } } } @@ -827,7 +827,7 @@ sub process_rule1 ( $$$$$$$$$ ) { if ( $dest eq '-' ) { $dest = "$firewall_zone"; } else { - $dest = "$firewall_zone" . '::' . "$dest"; + $dest = join( '', $firewall_zone, '::', $dest ); } } elsif ( $action eq 'REJECT' ) { $action = 'reject'; @@ -875,12 +875,12 @@ sub process_rule1 ( $$$$$$$$$ ) { # Validate Policy # my $policy = $chainref->{policy}; - fatal_error "No policy defined from $sourcezone to zone $destzone" unless $policy; + fatal_error "No policy defined from zone $sourcezone to zone $destzone" unless $policy; fatal_error "Rules may not override a NONE policy: rule \"$line\"" if $policy eq 'NONE'; # # Generate Fixed part of the rule # - $rule = do_proto $proto, $ports, $sports . do_ratelimit( $ratelimit ) . ( do_user $user ); + $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit ) , do_user( $user ) ); # # Generate NAT rule(s), if any 
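Review bot: `$dest = join( '', $firewall_zone, '::', $dest );` in process_rule1 is the one join in this commit that exists to dodge an interpolation pitfall, since `"$firewall_zone::$dest"` would be parsed as a package-qualified variable name. The idiomatic way to say that is `$dest = "${firewall_zone}::$dest";`, which keeps the intent visible without a join. process_rule1 starts before this hunk.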
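Review bot: The do_proto line in process_rule1 is a behaviour change rather than a restyle, and the commit message does not say so: the old `do_proto $proto, $ports, $sports . do_ratelimit( $ratelimit ) . ( do_user $user )` passed the concatenation of `$sports`, the rate-limit match and the user match to do_proto as its third argument, so, if do_proto takes three scalars, the generated rule's source-port, rate-limit and user matches were not what the rules file asked for. The same correction is made in the NAT branch at @@ -956, where `do_user $user` is the only unparenthesised call left inside a join in the commit; `do_user( $user )` would match this hunk. Worth a line in the commit description, and a before/after comparison of the generated script for a rules entry that uses both a source port and a rate limit, since a silently different match is what this fixes.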
@@ -956,7 +956,7 @@ sub process_rule1 ( $$$$$$$$$ ) { # After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table. # unless ( $actiontype & NATONLY ) { - $rule = do_proto $proto, $ports, $sports . do_ratelimit( $ratelimit ) . do_user $user; + $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user ); $loglevel = ''; } } else { @@ -1204,7 +1204,7 @@ sub generate_matrix() { for my $host ( @{$exclusionsref} ) { my ( $interface, $net ) = split /:/, $host; - insert_rule $chainref , $num++, "-i $interface " . match_source_net( $host ) . '-j RETURN'; + insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); } } @@ -1216,7 +1216,7 @@ sub generate_matrix() { for my $host ( @{$exclusionsref} ) { my ( $interface, $net ) = split /:/, $host; - add_rule $chainref , "-i $interface " . match_source_net( $host ) . '-j RETURN'; + add_rule $chainref , join( '', "-i $interface ", match_source_net( $host ), '-j RETURN' ); } } # @@ -1278,7 +1278,7 @@ sub generate_matrix() { for my $net ( @{$hostref->{hosts}} ) { add_rule find_chainref( 'filter' , forward_chain $interface ) , - match_source_net $net . $ipsec_match . "-j $frwd_ref->n{name}"; + match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" ); } } } 
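Review bot: In both exclusion loops of generate_matrix (hunks @@ -1204 and @@ -1216) the line `my ( $interface, $net ) = split /:/, $host;` splits the entry, yet the rebuilt rule passes the whole `$host` to match_source_net and `$net` is never used in the visible lines. If exclusion entries are `interface:net` as the split implies, the `-s` match is built from the undivided string; the commit does not introduce this, but the line is being rewritten, so it is the moment to confirm what the list holds. If that reading is right the rules should be `insert_rule $chainref , $num++, join( '', "-i $interface ", match_source_net( $net ), '-j RETURN' );` and `add_rule $chainref , join( '', "-i $interface ", match_source_net( $net ), '-j RETURN' );`. generate_matrix starts before these hunks.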
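Review bot: The rebuilt forward rule at @@ -1278 wraps the wrong expression: `match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->n{name}" )` feeds the ipsec match and the `-j` target into match_source_net as part of the network instead of appending them to its result; the old `.` chain had the same precedence problem, and the commit keeps it rather than fixing it. Only `$net` belongs inside the call, so the argument to add_rule should be `join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )`. `$frwd_ref->n{name}` on the same line also looks like a typo for `$frwd_ref->{name}`, which is what the neighbouring rule at @@ -1328 uses; inside a double-quoted string only `$frwd_ref` would interpolate, leaving the literal text `->n{name}` in the jump target. generate_matrix starts before this hunk.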
@@ -1328,25 +1328,25 @@ sub generate_matrix() { if ( $chain1 ) { if ( @$exclusions ) { - add_rule $filter_table->{output_chain $interface} , $dest . $ipsec_out_match . "-j ${zone}_output"; + add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" ); add_rule $filter_table->{"${zone}_output"} , "-j $chain1"; } else { - add_rule $filter_table->{output_chain $interface} , $dest . $ipsec_out_match . "-j $chain1"; + add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" ); } } - insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, ( "-i $interface " . $source . $ipsec_in_match ); + insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match ); if ( $chain2 ) { if ( @$exclusions ) { - add_rule $filter_table->{input_chain $interface}, $source . $ipsec_in_match . "-j ${zone}_input"; + add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" ); add_rule $filter_table->{"${zone}_input"} , "-j $chain2"; } else { - add_rule $filter_table->{input_chain $interface}, $source . $ipsec_in_match . "-j $chain2"; + add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" ); } } - add_rule $filter_table->{forward_chain $interface} , $source . $ipsec_in_match . "-j $frwd_ref->{name}" + add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" ) if $complex && $hostref->{ipsec} ne 'ipsec'; } } 
@@ -1470,7 +1470,7 @@ sub generate_matrix() { if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; for my $net ( @{$hostref->{hosts}} ) { - add_rule $frwd_ref, "-o $interface " . match_dest_net($net) . $ipsec_out_match . "-j $chain"; + add_rule $frwd_ref, join( '', "-o $interface ", match_dest_net($net), $ipsec_out_match, "-j $chain" ); } } } @@ -1491,7 +1491,9 @@ sub generate_matrix() { my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; for my $net1 ( @{$host1ref->{hosts}} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { - add_rule $chain3ref, "-o $interface1 " . $source_match . match_dest_net($net1) . $ipsec_out_match . "-j $chain"; + add_rule + $chain3ref , + join( '', "-o $interface1 ", $source_match, match_dest_net($net1), $ipsec_out_match, "-j $chain" ); } } } diff --git a/New/compiler.pl b/New/compiler.pl index 04d825836..81984601c 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -64,7 +64,7 @@ sub generate_script_1 { my $date = localtime; - emit( "#\n# Compiled firewall script generated by Shorewall-pl " . $env{VERSION} . " - $date\n#" ); + emit join ( '', "#\n# Compiled firewall script generated by Shorewall-pl ", $env{VERSION}, " - $date\n#" ); if ( $ENV{EXPORT} ) { emit 'SHAREDIR=/usr/share/shorewall-lite'; @@ -129,7 +129,7 @@ sub generate_script_1 { emit '[ -n "${VERBOSE:=0}" ]'; emit '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]'; emit '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"'; - emit( 'VERSION="' . $env{VERSION} . '"' ); + emit join( '', 'VERSION="', $env{VERSION}, '"' ); emit "PATH=\"$config{PATH}\""; emit 'TERMINATOR=fatal_error'; 
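Review bot: In compiler.pl the rewritten messages trade one concatenation idiom for another where a single interpolated string is the Perl idiom: generate_script_1's `emit join ( '', "#\n# Compiled firewall script generated by Shorewall-pl ", $env{VERSION}, " - $date\n#" )` joins two strings that are already interpolating, and reads as `emit "#\n# Compiled firewall script generated by Shorewall-pl $env{VERSION} - $date\n#";`. The same holds for `emit join( '', 'VERSION="', $env{VERSION}, '"' )` at @@ -129, which can be `emit qq(VERSION="$env{VERSION}");`, and for the three `fatal_error join( '', 'Shorewall-pl ', $env{VERSION}, ' requires ... ' )` lines in compile_firewall at @@ -593, e.g. `fatal_error "Shorewall-pl $env{VERSION} requires Conntrack Match Support" unless $capabilities{CONNTRACK_MATCH};`. generate_script_1 starts before this hunk.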
@@ -593,11 +593,11 @@ sub compile_firewall( $ ) { report_capabilities if $ENV{VERBOSE} > 1; - fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Conntrack Match Support' ) + fatal_error join( '', 'Shorewall-pl ', $env{VERSION}, ' requires Conntrack Match Support' ) unless $capabilities{CONNTRACK_MATCH}; - fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Extended Multi-port Match Support' ) + fatal_error join ( '', 'Shorewall-pl ', $env{VERSION}, ' requires Extended Multi-port Match Support' ) unless $capabilities{XMULTIPORT}; - fatal_error( 'Shorewall-pl ' . $env{VERSION} . ' requires Address Type Match Support' ) + fatal_error join( '', 'Shorewall-pl ', $env{VERSION}, ' requires Address Type Match Support' ) unless $capabilities{ADDRTYPE}; fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables' if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};