From bf44e514e3b4edac6546443561ecaf0d5aa12776 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 30 Nov 2013 14:13:42 -0800 Subject: [PATCH 01/15] Keep parentheses balanced when splitting a line. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 53 +++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index fafe964dd..2cc651eb0 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1982,6 +1982,57 @@ sub split_list3( $$ ) { @list2; } +sub split_list4( $ ) { + my ($list) = @_; + + return split ' ', $list unless $list =~ /\(/; + + my @list1 = split ' ', $list; + my @list2; + my $element = ''; + my $opencount = 0; + + for ( @list1 ) { + my $count; + + if ( ( $count = tr/(/(/ ) > 0 ) { + $opencount += $count; + if ( $element eq '' ) { + $element = $_; + } else { + $element = join( ',', $element, $_ ); + } + + if ( ( $count = tr/)/)/ ) > 0 ) { + if ( ! ( $opencount -= $count ) ) { + push @list2 , $element; + $element = ''; + } else { + fatal_error "Mismatched parentheses ($list)" if $opencount < 0; + } + } + } elsif ( ( $count = tr/)/)/ ) > 0 ) { + $element = join (',', $element, $_ ); + if ( ! ( $opencount -= $count ) ) { + push @list2 , $element; + $element = ''; + } else { + fatal_error "Mismatched parentheses ($list)" if $opencount < 0; + } + } elsif ( $element eq '' ) { + push @list2 , $_; + } else { + $element = join ',', $element , $_; + } + } + + unless ( $opencount == 0 ) { + fatal_error "Mismatched parentheses ($list)"; + } + + @list2; +} + # # Determine if a value has been supplied # 
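Review bot: The early return `return split ' ', $list unless $list =~ /\(/;` in split_list4 skips the balance check whenever a line contains only closing parentheses, so `foo)` passes through untouched while `foo(` is rejected with "Mismatched parentheses"; widening the guard to `return split ' ', $list unless $list =~ /[()]/;` routes both cases through the counting loop. Separately, the tokens of a parenthesised group are rejoined with ',' rather than with the whitespace that split them, so `NFLOG(1, 0, 1)` comes back as `NFLOG(1,,0,,1)` while `NFLOG(1,0,1)` is unchanged; if the intent is only to keep a group in one column, joining with ' ' would preserve the user's text, and otherwise the doubled commas deserve a comment explaining that they are expected. A one-line header comment (`# Split on whitespace, keeping parenthesised groups in a single element`) would also help, since the name split_list4 says nothing about the parentheses rule.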
@@ -2045,7 +2096,7 @@ sub split_line1( $$;$$ ) { fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/; fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/; - my @line = split( ' ', $columns ); + my @line = split_list4( $columns ); $nopad = {} unless $nopad; From 75258083e3653308f82f7e13be12855fee247e54 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 1 Dec 2013 09:24:49 -0800 Subject: [PATCH 02/15] Cleanup of column splitting change. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 2cc651eb0..9128de888 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1982,7 +1982,7 @@ sub split_list3( $$ ) { @list2; } -sub split_list4( $ ) { +sub split_columns( $ ) { my ($list) = @_; return split ' ', $list unless $list =~ /\(/; @@ -2008,7 +2008,7 @@ sub split_list4( $ ) { push @list2 , $element; $element = ''; } else { - fatal_error "Mismatched parentheses ($list)" if $opencount < 0; + fatal_error "Mismatched parentheses ($_)" if $opencount < 0; } } } elsif ( ( $count = tr/)/)/ ) > 0 ) { @@ -2017,7 +2017,7 @@ sub split_list4( $ ) { push @list2 , $element; $element = ''; } else { - fatal_error "Mismatched parentheses ($list)" if $opencount < 0; + fatal_error "Mismatched parentheses ($_)" if $opencount < 0; } } elsif ( $element eq '' ) { push @list2 , $_; @@ -2096,7 +2096,7 @@ sub split_line1( $$;$$ ) { fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/; fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/; - my @line = split_list4( $columns ); + my @line = split_columns( $columns ); $nopad = {} unless $nopad; 
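Review bot: The two message hunks in the second patch change `fatal_error "Mismatched parentheses ($list)"` to quote `$_`, so the error now shows only the single whitespace-separated token that drove the count negative (for example `1))`) instead of the column text being split, while the post-loop check, which is not in these hunks, still reports `$list`. Reporting the same value in all three places, or both (`"Mismatched parentheses ($_ in $list)"`), keeps the diagnostics consistent and gives the user enough context to locate the offending entry on a long line.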
From 95abeaea2407464464d4da4f8fa8caaf5f6212d7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 1 Dec 2013 09:25:32 -0800 Subject: [PATCH 03/15] Finish INLINE in the tcrules file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 20 ++++++++++++---- Shorewall/manpages/shorewall-tcrules.xml | 27 ++++++++++++++++++++++ Shorewall6/manpages/shorewall6-tcrules.xml | 26 +++++++++++++++++++++ 3 files changed, 69 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 433d5add9..93b6478a6 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -207,7 +207,7 @@ sub initialize( $ ) { sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; -our %tccmd; + our %tccmd; unless ( %tccmd ) { %tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } , @@ -316,6 +316,15 @@ our %tccmd; fatal_error 'MARK must be specified' if $originalmark eq '-'; + my $inline; + my $raw = ''; + + if ( $inline = ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) ) { + $originalmark = $1; + $originalmark .= $2 if $2; + $raw = get_inline_matches; + } + my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); fatal_error "Invalid MARK ($originalmark)" unless supplied $mark; @@ -557,9 +566,12 @@ our %tccmd; assert ( $cmd eq 'INLINE' ); $matches = get_inline_matches; - if ( $matches =~ /^(.*\s+)-j\s+(.+) $/ ) { - $matches = $1; - $target = $2; + if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) { + $matches = $1; + $target = $2; + my $action = $target; + $action = $1 if $action =~ /^(.+?)\s/; + fatal_error "Unknown target ($action)" unless $targets{$action} || $builtin_target{$action}; } else { $target = ''; } diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index 101a9da32..1239442fc 100644 
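Review bot: The new target check in process_tc_rule1 only recognises a jump written as `-j`, so raw matches that end in `--jump X` or `-g X`/`--goto X` are not split off and stay in `$matches` with no lookup against `%targets`/`%builtin_target`. Accepting the long form with `if ( $matches =~ /^(.*\s+)(?:-j|--jump)\s+(.+)$/ )` and rejecting `-g`/`--goto` explicitly (or validating them the same way) would make the check cover every spelling the compiler passes on to iptables. The pattern also requires at least one whitespace character before the jump option, so a match string consisting solely of `-j X` falls through to `$target = ''`; whether get_inline_matches can return such a string is not visible here. process_tc_rule1 continues outside the hunk.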
--- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -473,6 +473,33 @@ in your kernel and iptables. + + INLINE[(action)] + + Added in Shorewall 4.6.0. Allows you to place your own + ip[6]tables matches at the end of the line following a semicolon + (";"). If an action is specified, the + compiler procedes as if that action + had been specified in this column. If no action is specified, + then you may include your own jump ("-j + target + [option] ...") after any matches + specified at the end of the rule. If the target is not one known + to Shorewall, then it must be defined as a builtin action in + shorewall-actions + (5). + + The following rules are equivalent: + + 2:P eth0 - tcp 22 +INLINE(2):P eth0 - tcp 22 +INLINE(2):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + + IPMARK ‒ Assigns a mark to each matching packet based on the either the source or diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 62580b8df..9242975f4 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml 
@@ -503,6 +503,32 @@ in your kernel and ip6tables. + + INLINE[(action)] + + Added in Shorewall 4.6.0. Allows you to place your own + ip[6]tables matches at the end of the line following a semicolon + (";"). If an action is specified, the + compiler procedes as if that action + had been specified in this column. If no action is specified, + then you may include your own jump ("-j + target + [option] ...") after any matches + specified at the end of the rule. If the target is not one known + to Shorewall, then it must be defined as a builtin action in + shorewall6-actions + (5). + + The following rules are equivalent: + + 2:P eth0 - tcp 22 +INLINE(2):P eth0 - tcp 22 +INLINE(2):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + RESTORE[/mask] -- From 8faf756113efa2a66277b74fc8e09bde352c4ed3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Dec 2013 08:33:58 -0800 Subject: [PATCH 04/15] Add note about non-ACCEPT fw->loc policy. Signed-off-by: Tom Eastep --- docs/UPnP.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/UPnP.xml b/docs/UPnP.xml index df9c43684..82597e581 100644 --- a/docs/UPnP.xml +++ b/docs/UPnP.xml @@ -22,6 +22,8 @@ 2010 + 2013 + Thomas M. Eastep @@ -120,6 +122,14 @@ forwardUPnP net loc Shorewall versions prior to 4.4.10 do not retain the dynamic rules added by linux-idg over a shorewall restart. + + If your firewall->loc policy is not ACCEPT, then you also need to + allow UDP traffic from the fireawll to the local zone. + + ACCEPT $FW loc udp - <dynamic port range> + + The dynamic port range is obtained by cat + /proc/sys/net/ip_local_port_range.
From d71c2688dc57c2c358ef41f404da6c728f891be7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Dec 2013 09:02:25 -0800 Subject: [PATCH 05/15] Clarify the need to quote/escaape settings with parentheses. Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall.conf.xml | 14 ++++++++++++++ Shorewall6/manpages/shorewall6.conf.xml | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 78c13378b..7ea1541a3 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -74,6 +74,20 @@ and can be configured to log all Shorewall messages to their own log file. + + If you want to specify parameters to ULOG or NFLOG (e.g., + NFLOG(1,0,1)), then you must either quote the setting or you must escape + the parentheses. + + Examples: + + MACLIST_LOG_LEVEL="NFLOG(1,0,1)" + + or + + MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + + Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which logs the packet's mark value along with the other usual information. The syntax is: diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 57a51d72f..f10ebf973 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -73,6 +73,20 @@ and can be configured to log all Shorewall6 message to their own log file + + If you want to specify parameters to ULOG or NFLOG (e.g., + NFLOG(1,0,1)), then you must either quote the setting or you must escape + the parentheses. + + Examples: + + MACLIST_LOG_LEVEL="NFLOG(1,0,1)" + + or + + MACLIST_LOG_LEVEL=NFLOG\(1,0,1\) + + The following options may be set in shorewall6.conf. From 670ecb203b96f084891fc86a82340cee8d093eb7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Dec 2013 14:12:08 -0800 Subject: [PATCH 06/15] Document postcompile 
Signed-off-by: Tom Eastep --- docs/shorewall_extension_scripts.xml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index c4d9e4fc7..2aa6c6b54 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -220,6 +220,13 @@ esac #! /bin/sh cat - + + + postcompile -- Added in Shorewall 4.5.8. + This shell script is invoked by + /sbin/shorewall after a script has been compiled. $1 is the + path name of the compiled script. + If your version of Shorewall doesn't have the @@ -284,6 +291,13 @@ cat - check, compile, export, refresh, restart, start + + postcompile + + compile, export, load, refresh, reload, restart, restore, + start + + refresh @@ -498,7 +512,7 @@ cat - - + postcompile started @@ -548,10 +562,11 @@ cat - - Compile-time extension scripts are executed using the Perl 'eval - `cat <file>`' mechanism. Be sure that each - script returns a 'true' value; otherwise, the compiler will assume that - the script failed and will abort the compilation. + With the exception of postcompile, compile-time extension scripts + are executed using the Perl 'eval `cat + <file>`' mechanism. Be sure that each script + returns a 'true' value; otherwise, the compiler will assume that the + script failed and will abort the compilation. Each compile-time script is implicitly prefaced with: From 2bc329aa1db2c36b8bbb3db1f2dad16cc4e56d9a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 13 Dec 2013 15:44:16 -0800 Subject: [PATCH 07/15] Add INLINE support to the masq file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Nat.pm | 10 ++++++- Shorewall/manpages/shorewall-masq.xml | 40 ++++++++++++++++++++++--- Shorewall6/manpages/shorewall6-masq.xml | 37 +++++++++++++++++++++-- 3 files changed, 80 insertions(+), 7 deletions(-) 
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index c88c2efbe..d328ab393 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -66,12 +66,20 @@ sub process_one_masq1( $$$$$$$$$$ ) my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES}; my $destnets = ''; my $baserule = ''; + my $inlinematches = ''; # # Leading '+' # $pre_nat = 1 if $interfacelist =~ s/^\+//; # + # Check for INLINE + # + if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) { + $interfacelist = $1; + $inlinematches = get_inline_matches; + } + # # Parse the remaining part of the INTERFACE column # if ( $family == F_IPV4 ) { @@ -325,7 +333,7 @@ sub process_one_masq1( $$$$$$$$$$ ) expand_rule( $chainref , POSTROUTE_RESTRICT , '' , - $baserule . $rule , + $baserule . $inlinematches . $rule , $networks , $destnets , $origdest , diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index f6168775e..528b27f7d 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml @@ -80,8 +80,8 @@ eth0(Avvanta) - In that case, you will want to specify the interface's - address for that provider in the ADDRESS column. + In that case, you will want to specify the interface's address + for that provider in the ADDRESS column. The interface may be qualified by adding the character ":" followed by a comma-separated list of destination host or subnet 
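Review bot: In the second Nat.pm hunk `$baserule . $inlinematches . $rule` concatenates three fragments without a separator; the existing `$baserule . $rule` relies on whatever spacing convention those two already follow, but if get_inline_matches returns text without a trailing space the last user-supplied match token is glued to the first token of `$rule`. Appending a space when the matches are set and do not already end in whitespace (`$inlinematches .= ' ' if $inlinematches ne '' && $inlinematches !~ /\s$/;`) removes the dependency on the helper's output format. The INLINE check in the first hunk runs after the leading '+' has been stripped, which is what the documented `+INLINE(eth0)` form needs; a note next to `# Check for INLINE` saying the order matters would spare the next reader from re-deriving it. process_one_masq1 starts before this hunk.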
@@ -123,12 +123,26 @@ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred. + + Beginning with Shorewall 4.6.0, a new syntax is also accepted. + With the exception of the leading '+', the interfacelist and + qualifiers may appear within the parentheses of INLINE(...). + + Example: + + +INLINE(eth0) + + When this is done, you may augment the rule generated by + Shorewall with iptables matches of your own. These matches appear + after a semicolon (';') at the end of the line. + + See example 8 below. - SOURCE (Formerly called SUBNET) - - + (Formerly called SUBNET) - {interface|address[,address][exclusion]} @@ -647,6 +661,24 @@ eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C + + + Example 8: + + + Your eth1 has two public IP addresses: 70.90.191.121 and + 70.90.191.123. You want to use the iptables statistics match to + masquerade outgoing connections evenly between these two + addresses. + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50 + eth1 0.0.0.0/0 70.90.191.123 + + + diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index fb22d4c6f..31798a445 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml @@ -73,8 +73,8 @@ eth0(Avvanta) - In that case, you will want to specify the interface's - address for that provider in the ADDRESS column. + In that case, you will want to specify the interface's address + for that provider in the ADDRESS column. The interface may be qualified by adding the character ":" followed by a comma-separated list of destination host or subnet 
@@ -96,6 +96,21 @@ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred. + + Beginning with Shorewall 4.6.0, a new syntax is also accepted. + With the exception of the leading '+', the interfacelist and + qualifiers may appear within the parentheses of INLINE(...). + + Example: + + +INLINE(eth0) + + When this is done, you may augment the rule generated by + Shorewall with iptables matches of your own. These matches appear + after a semicolon (';') at the end of the line. + + See example 2 below. @@ -502,6 +517,24 @@ eth0 2001:470:b:787::0/64 - + + + Example 8: + + + Your sit1 interface has two public IP addresses: + 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the + iptables statistics match to masquerade outgoing connections evenly + between these two addresses. + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 + sit1 0.0.0.0/0 2001:470:a:227::2 + + + From 33c5893bdb49ce3c0304f612ee2295c74633fc1b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 14 Dec 2013 13:35:01 -0800 Subject: [PATCH 08/15] Implement INLINE_MATCHES 
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/ARP.pm | 3 +- Shorewall/Perl/Shorewall/Accounting.pm | 3 +- Shorewall/Perl/Shorewall/Config.pm | 42 ++++++++++++------ Shorewall/Perl/Shorewall/Misc.pm | 26 ++++++++--- Shorewall/Perl/Shorewall/Nat.pm | 18 ++++++-- Shorewall/Perl/Shorewall/Providers.pm | 11 +++-- Shorewall/Perl/Shorewall/Proxyarp.pm | 4 +- Shorewall/Perl/Shorewall/Raw.pm | 4 +- Shorewall/Perl/Shorewall/Rules.pm | 44 ++++++++++++++++--- Shorewall/Perl/Shorewall/Tc.pm | 38 +++++++++++----- Shorewall/Perl/Shorewall/Tunnels.pm | 6 ++- Shorewall/Perl/Shorewall/Zones.pm | 15 +++++-- Shorewall/Samples/Universal/shorewall.conf | 2 + .../Samples/one-interface/shorewall.conf | 2 + .../Samples/three-interfaces/shorewall.conf | 2 + .../Samples/two-interfaces/shorewall.conf | 2 + Shorewall/configfiles/shorewall.conf | 2 + Shorewall/manpages/shorewall-masq.xml | 13 +++++- Shorewall/manpages/shorewall-tcrules.xml | 6 +++ Shorewall/manpages/shorewall.conf.xml | 17 +++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 2 + .../Samples6/one-interface/shorewall6.conf | 2 + .../Samples6/three-interfaces/shorewall6.conf | 2 + .../Samples6/two-interfaces/shorewall6.conf | 2 + Shorewall6/configfiles/shorewall6.conf | 2 + Shorewall6/manpages/shorewall6-masq.xml | 11 +++++ Shorewall6/manpages/shorewall6-tcrules.xml | 9 ++++ Shorewall6/manpages/shorewall6.conf.xml | 17 +++++++ 28 files changed, 252 insertions(+), 55 deletions(-) diff --git a/Shorewall/Perl/Shorewall/ARP.pm b/Shorewall/Perl/Shorewall/ARP.pm index 77f6457e3..58015b9ad 100644 --- a/Shorewall/Perl/Shorewall/ARP.pm +++ b/Shorewall/Perl/Shorewall/ARP.pm 
@@ -82,7 +82,8 @@ sub match_arp_net( $$$ ) { # Process a rule in the arprules file # sub process_arprule() { - my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } ); + my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', + {action => 0, source => 1, dest => 2, opcode => 3 } ); my $chainref; my $iifaceref; diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index d12ffca60..68b2c15f3 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -424,7 +424,8 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { sub process_accounting_rule( ) { my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) = - split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }; + split_line1( 'Accounting File', + { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 } ); my $nonempty = 0; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9128de888..2721d6476 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -125,6 +125,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script split_list2 split_line split_line1 + split_line2 first_entry open_file close_file @@ -226,7 +227,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal'); -our $VERSION = '4.5.20-Beta1'; +our $VERSION = '4.6.0-Beta1'; # # describe the current command, it's present progressive, and it's completion. @@ -833,6 +834,7 @@ sub initialize( $;$$) { CHAIN_SCRIPTS => undef, TRACK_RULES => undef, REJECT_ACTION => undef, + INLINE_MATCHES => undef, # # Packet Disposition # 
@@ -2050,8 +2052,8 @@ sub supplied( $ ) { # Handles all of the supported forms of column/pair specification # Handles segragating raw iptables input in INLINE rules # -sub split_line1( $$;$$ ) { - my ( $description, $columnsref, $nopad, $maxcolumns ) = @_; +sub split_line2( $$;$$$ ) { + my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_; unless ( defined $maxcolumns ) { my @maxcolumns = ( keys %$columnsref ); @@ -2070,18 +2072,25 @@ sub split_line1( $$;$$ ) { # fatal_error "Only one semicolon (';') allowed on a line" if defined $rest; - if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) { - $inline_matches = $pairs; + if ( $inline ) { + # + # This file supports INLINE + # + if ( $config{INLINE_MATCHES} || $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) { + $inline_matches = $pairs; - if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) { - # - # Pairs are enclosed in curly brackets. - # - $columns = $1; - $pairs = $2; - } else { - $pairs = ''; - } + if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) { + # + # Pairs are enclosed in curly brackets. + # + $columns = $1; + $pairs = $2; + } else { + $pairs = ''; + } + } + } else { + fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" } } elsif ( $currentline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) { # @@ -2140,6 +2149,10 @@ sub split_line1( $$;$$ ) { @line; } +sub split_line1( $$;$$ ) { + &split_line2( @_, undef ); +} + sub split_line($$) { &split_line1( @_, {} ); } @@ -5522,6 +5535,7 @@ sub get_configuration( $$$$ ) { default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'CHAIN_SCRIPTS' , 'Yes'; default_yes_no 'TRACK_RULES' , ''; + default_yes_no 'INLINE_MATCHES' , ''; if ( $val = $config{REJECT_ACTION} ) { fatal_error "Invalid Reject Action Name ($val)" unless $val =~ /^[a-zA-Z][\w-]*$/; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index c64369b1d..501353e99 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
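Review bot: In the split_line2 hunk the new `else` branch raises `The $description does not support inline matches (INLINE_MATCHES=Yes)` for every caller that passes a false `$inline`, and the enclosing `if` is entered whenever the line contains a ';' (the `Only one semicolon` check above it and the `elsif` for `{...}` pairs below it show that), so a `; key=value` pair line in any file still parsed through split_line1 or split_line appears to become fatal even when INLINE_MATCHES is not set and the line does not start with INLINE, where previously the text after ';' was kept as `$pairs`. If that is not intended, the branch should fire only on the inline trigger, `} elsif ( $config{INLINE_MATCHES} || $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ ) {`, and the message should not assert `INLINE_MATCHES=Yes` when the trigger was an INLINE action. The wrapper `sub split_line1( $$;$$ ) { &split_line2( @_, undef ); }` only produces a false `$inline` because every omitted optional argument is undef as well; a one-line comment noting that the trailing undef is the inline flag would keep a later maintainer from "fixing" it. The body of split_line2 starts before this hunk.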
@@ -82,7 +82,9 @@ sub process_tos() { while ( read_a_line( NORMAL_READ ) ) { - my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ; + my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = + split_line( 'tos file entry', + { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ); $first_entry = 0; @@ -153,7 +155,10 @@ sub setup_ecn() while ( read_a_line( NORMAL_READ ) ) { - my ($interface, $hosts ) = split_line1 'ecn file entry', { interface => 0, host => 1, hosts => 1 }, {}, 2; + my ($interface, $hosts ) = split_line1( 'ecn file entry', + { interface => 0, host => 1, hosts => 1 }, + {}, + 2 ); fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; @@ -240,7 +245,8 @@ sub setup_blacklist() { $first_entry = 0; } - my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 }; + my ( $networks, $protocol, $ports, $options ) = split_line( 'blacklist file', + { networks => 0, proto => 1, port => 2, options => 3 } ); if ( $options eq '-' ) { $options = 'src'; @@ -400,7 +406,9 @@ sub convert_blacklist() { first_entry "Converting $fn..."; while ( read_a_line( NORMAL_READ ) ) { - my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 }; + my ( $networks, $protocol, $ports, $options ) = + split_line( 'blacklist file', + { networks => 0, proto => 1, port => 2, options => 3 } ); if ( $options eq '-' ) { $options = 'src'; 
@@ -560,7 +568,8 @@ sub process_routestopped() { while ( read_a_line ( NORMAL_READ ) ) { my ($interface, $hosts, $options , $proto, $ports, $sports ) = - split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 }; + split_line( 'routestopped file', + { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } ); my $interfaceref; @@ -686,7 +695,8 @@ sub process_stoppedrules() { $result = 1; my ( $target, $source, $dest, $protos, $ports, $sports ) = - split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }; + split_line1( 'stoppedrules file', + { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 } ); fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/; @@ -1220,7 +1230,9 @@ sub setup_mac_lists( $ ) { while ( read_a_line( NORMAL_READ ) ) { - my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 }; + my ( $original_disposition, $interface, $mac, $addresses ) = + split_line1( 'maclist file', + { disposition => 0, interface => 1, mac => 2, addresses => 3 } ); my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 ); diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index d328ab393..3b5d70790 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -78,7 +78,9 @@ sub process_one_masq1( $$$$$$$$$$ ) if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) { $interfacelist = $1; $inlinematches = get_inline_matches; - } + } elsif ( $config{INLINE_MATCHES} ) { + $inlinematches = get_inline_matches; + } # # Parse the remaining part of the INTERFACE column # 
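Review bot: In the Nat.pm hunk both the `if ( $interfacelist =~ /^INLINE\((.+)\)$/ )` branch and the new `elsif ( $config{INLINE_MATCHES} )` branch end in `$inlinematches = get_inline_matches;`, and the process_rule hunk in Rules.pm and the Tc.pm hunk at the end of this patch repeat the same shape with `$raw_matches`/`$raw`. Stripping the wrapper first and fetching the matches once, `$inlinematches = get_inline_matches if $interfacelist =~ s/^INLINE\((.+)\)$/$1/ || $config{INLINE_MATCHES};`, states the rule in one place at each site and keeps the three copies from drifting apart. process_one_masq1 starts before this hunk.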
@@ -374,7 +376,11 @@ sub process_one_masq1( $$$$$$$$$$ ) sub process_one_masq( ) { my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) = - split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 }; + split_line2( 'masq file', + { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 }, + {}, #Nopad + undef, #Columns + 1 ); #Allow inline matches fatal_error 'INTERFACE must be specified' if $interfacelist eq '-'; @@ -489,7 +495,9 @@ sub setup_nat() { while ( read_a_line( NORMAL_READ ) ) { - my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 }; + my ( $external, $interfacelist, $internal, $allints, $localnat ) = + split_line1( 'nat file', + { external => 0, interface => 1, internal => 2, allints => 3, local => 4 } ); ( $interfacelist, my $digit ) = split /:/, $interfacelist; @@ -519,7 +527,9 @@ sub setup_netmap() { while ( read_a_line( NORMAL_READ ) ) { - my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 }; + my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = + split_line( 'netmap file', + { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 } ); $net3 = ALLIP if $net3 eq '-'; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index ce172f346..dd12d1ced 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
@@ -416,7 +416,8 @@ sub process_a_provider( $ ) { my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider. my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = - split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 }; + split_line('providers file', + { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 } ); fatal_error "Duplicate provider ($table)" if $providers{$table}; @@ -1047,7 +1048,9 @@ CEOF } sub add_an_rtrule( ) { - my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 }; + my ( $source, $dest, $provider, $priority, $originalmark ) = + split_line( 'rtrules file', + { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 } ); our $current_if; @@ -1137,7 +1140,9 @@ sub add_an_rtrule( ) { } sub add_a_route( ) { - my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 }; + my ( $provider, $dest, $gateway, $device ) = + split_line( 'routes file', + { provider => 0, dest => 1, gateway => 2, device => 3 } ); our $current_if; diff --git a/Shorewall/Perl/Shorewall/Proxyarp.pm b/Shorewall/Perl/Shorewall/Proxyarp.pm index 2f7d9a4f3..02ab531f7 100644 --- a/Shorewall/Perl/Shorewall/Proxyarp.pm +++ b/Shorewall/Perl/Shorewall/Proxyarp.pm @@ -123,7 +123,9 @@ sub setup_proxy_arp() { while ( read_a_line( NORMAL_READ ) ) { my ( $address, $interface, $external, $haveroute, $persistent ) = - split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 }; + split_line( $file_opt . + 'file ', + { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 } ); if ( $first_entry ) { progress_message2 "$doing $fn..."; 
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 20de9dec2..e867d10ef 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -240,7 +240,9 @@ sub setup_conntrack() { my ( $source, $dest, $protos, $ports, $sports, $user, $switch ); if ( $file_format == 1 ) { - ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 }; + ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = + split_line1( 'Conntrack File', + { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } ); $action = 'NOTRACK'; } else { ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 2c6805307..1444e9e58 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
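Review bot: The Raw.pm hunk reflows the `$file_format == 1` call of split_line1 onto three lines but leaves the sibling call in the `else` branch (`split_line1 'Conntrack File', { action => 0, ... switch => 7 };`) on one long line in the old bareword-call form, so the two branches now read differently for no reason. Wrapping the second call the same way (`split_line1( 'Conntrack File', { ... } );`) keeps the block uniform and makes the only real difference between the branches — the extra `action` column — easy to see. setup_conntrack continues outside the hunk.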
@@ -1675,11 +1675,16 @@ sub process_action($$) { if ( $file_format == 1 ) { ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = - split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands; + split_line1( + 'action file', + { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, + $rule_commands ); $origdest = $connlimit = $time = $headers = $condition = $helper = '-'; } else { ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ) - = split_line1 'action file', \%rulecolumns, $action_commands; + = split_line1( 'action file', + \%rulecolumns, + $action_commands ); } fatal_error 'TARGET must be specified' if $target eq '-'; @@ -1746,7 +1751,11 @@ sub process_actions() { open_file( $file, 2 ); while ( read_a_line( NORMAL_READ ) ) { - my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 }; + my ( $action, $options ) = split_line2( 'action file', + { action => 0, options => 1 }, + {}, #Nopad + undef, #Columns + 1 ); #Allow inline matches my $type = ( $action eq $config{REJECT_ACTION} ? INLINE : ACTION ); my $noinline = 0; 
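Review bot: In the first Rules.pm hunk process_action keeps calling split_line1 for both action-file formats, while process_macro and process_inline in this same patch switch to `split_line2( ..., undef, 1 )` to allow inline matches and process_actions does the same for the action list. If action body files are meant to accept `;`-separated raw matches under INLINE_MATCHES=Yes the way macros and inline actions do, a `;` line in an action file would instead hit the new `does not support inline matches` error raised by split_line2; if the omission is deliberate, a short comment at the call (`# action bodies do not take raw matches`) would record that. process_action starts before this hunk.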
@@ -1889,7 +1898,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) { my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper); if ( $file_format == 1 ) { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands; + ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = + split_line2( 'macro file', + \%rulecolumns, + $rule_commands, + undef, #Columns + 1 ); #Allow inline matches ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/; } else { ( $mtarget, @@ -1906,7 +1920,11 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) { $mtime, $mheaders, $mcondition, - $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands; + $mhelper ) = split_line2( 'macro file', + \%rulecolumns, + $rule_commands, + undef, #Columns + 1 ); #Allow inline matches } fatal_error 'TARGET must be specified' if $mtarget eq '-'; @@ -2031,7 +2049,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) { $mtime, $mheaders, $mcondition, - $mhelper ) = split_line1 'inline action file', \%rulecolumns, $rule_commands; + $mhelper ) = split_line2( 'inline action file', + \%rulecolumns, + $rule_commands, + undef, #Columns + 1 ); #Allow inline matches + fatal_error 'TARGET must be specified' if $mtarget eq '-'; @@ -2190,6 +2213,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { $param = '' unless defined $param; } } + } elsif ( $config{INLINE_MATCHES} ) { + $raw_matches = get_inline_matches; } # # Determine the validity of the action 
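Review bot: The five-argument call `split_line2( 'macro file', \%rulecolumns, $rule_commands, undef, 1 )`, with `#Columns` and `#Allow inline matches` comments standing in for parameter names, is now spelled out in both branches of process_macro here, again in process_inline below, and in process_raw_rule in the next hunk. A small helper in the style of the surrounding code, e.g. `sub split_rule_line( $ ) { split_line2( $_[0], \%rulecolumns, $rule_commands, undef, 1 ) }`, would give the trailing `undef, 1` a name and keep the four call sites in step if the inline-matches flag ever changes. The bodies of process_macro, process_inline and process_raw_rule start outside their hunks.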
@@ -3116,7 +3141,12 @@ sub build_zone_list( $$$\$\$ ) { # sub process_raw_rule ( ) { my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) - = split_line1 'rules file', \%rulecolumns, $rule_commands; + = split_line2( 'rules file', + \%rulecolumns, + $rule_commands, + undef, #Columns + 1 ); #Allow inline matches + fatal_error 'ACTION must be specified' if $target eq '-'; diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 93b6478a6..4c07ddf52 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -316,13 +316,14 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { fatal_error 'MARK must be specified' if $originalmark eq '-'; - my $inline; my $raw = ''; - if ( $inline = ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) ) { + if ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) { $originalmark = $1; $originalmark .= $2 if $2; $raw = get_inline_matches; + } elsif ( $config{INLINE_MATCHES} ) { + $raw = get_inline_matches; } my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); 
@@ -828,11 +829,19 @@ sub process_tc_rule( ) { my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); if ( $family == F_IPV4 ) { ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = - split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15; + split_line2( 'tcrules file', + { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, + {}, + 15, + 1 ); $headers = '-'; } else { ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) = - split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16; + split_line2( 'tcrules file', + { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, + {}, + 16, + 1 ); } for my $proto (split_list( $protos, 'Protocol' ) ) { 
@@ -959,7 +968,9 @@ sub process_flow($) { } sub process_simple_device() { - my ( $device , $type , $in_rate , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 }; + my ( $device , $type , $in_rate , $out_part ) = + split_line( 'tcinterfaces', + { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 } ); fatal_error 'INTERFACE must be specified' if $device eq '-'; fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; @@ -1088,7 +1099,9 @@ sub process_simple_device() { my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 ); sub validate_tc_device( ) { - my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 }; + my ( $device, $inband, $outband , $options , $redirected ) = + split_line( 'tcdevices', + { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 } ); fatal_error 'INTERFACE must be specified' if $device eq '-'; fatal_error "Invalid tcdevices entry" if $outband eq '-'; @@ -1299,7 +1312,8 @@ sub validate_filter_priority( $$ ) { sub validate_tc_class( ) { my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = - split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 }; + split_line( 'tcclasses file', + { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 } ); my $classnumber = 0; my $devref; my $device = $devclass; 
@@ -1962,7 +1976,8 @@ sub process_tc_filter1( $$$$$$$$$ ) { sub process_tc_filter() { my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority ) - = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 }; + = split_line( 'tcfilters file', + { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 } ); fatal_error 'CLASS must be specified' if $devclass eq '-'; @@ -2061,7 +2076,9 @@ sub process_tc_priority1( $$$$$$ ) { } sub process_tc_priority() { - my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 }; + my ( $band, $protos, $ports , $address, $interface, $helper ) = + split_line1( 'tcpri', + { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } ); fatal_error 'BAND must be specified' if $band eq '-'; @@ -2505,7 +2522,8 @@ sub process_secmark_rule1( $$$$$$$$$ ) { # sub process_secmark_rule() { my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) = - split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } ); + split_line1( 'Secmarks file' , + { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } ); fatal_error 'SECMARK must be specified' if $secmark eq '-'; diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 35c2a0083..2900bddab 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm 
@@ -291,7 +291,11 @@ sub setup_tunnels() { while ( read_a_line( NORMAL_READ ) ) { - my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4; + my ( $kind, $zone, $gateway, $gatewayzones ) = + split_line1( 'tunnels file', + { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, + {}, + 4 ); fatal_error 'TYPE must be specified' if $kind eq '-'; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index d5a43a2aa..d96e4d0dd 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -503,7 +503,8 @@ sub process_zone( \$ ) { my @parents; my ($zone, $type, $options, $in_options, $out_options ) = - split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 }; + split_line( 'zones file', + { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 } ); fatal_error 'ZONE must be specified' if $zone eq '-'; @@ -1079,9 +1080,12 @@ sub process_interface( $$ ) { my $bridge = ''; if ( $file_format == 1 ) { - ($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }; + ($zone, $originalinterface, $bcasts, $options ) = + split_line1( 'interfaces file', + { zone => 0, interface => 1, broadcast => 2, options => 3 } ); } else { - ($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }; + ($zone, $originalinterface, $options ) = split_line1( 'interfaces file', + { zone => 0, interface => 1, options => 2 } ); $bcasts = '-'; } 
@@ -1939,7 +1943,10 @@ sub verify_required_interfaces( $ ) { # sub process_host( ) { my $ipsec = 0; - my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3; + my ($zone, $hosts, $options ) = split_line1( 'hosts file', + { zone => 0, host => 1, hosts => 1, options => 2 }, + {}, + 3 ); fatal_error 'ZONE must be specified' if $zone eq '-'; fatal_error 'HOSTS must be specified' if $hosts eq '-'; diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 9f8870129..a0d2ebe3b 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -162,6 +162,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 655dbf444..8c18e586f 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -173,6 +173,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=Off diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index e0fcc9cd6..2b10a5873 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -171,6 +171,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 36722e902..43b284705 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -174,6 +174,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On 
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 452124046..f3dd065a7 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -162,6 +162,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index 528b27f7d..dbdc8c280 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml @@ -142,7 +142,7 @@ - (Formerly called SUBNET) - + (Formerly called SUBNET) - {interface|address[,address][exclusion]} @@ -677,6 +677,17 @@ INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50 eth1 0.0.0.0/0 70.90.191.123 + + If INLINE_MATCHES=Yes in shorewall.conf(5), then these + rules may be specified as follows: + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + eth1 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50 + eth1 0.0.0.0/0 70.90.191.123 + diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index 1239442fc..003293ebe 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -498,6 +498,12 @@ INLINE(2):P eth0 - ; -p tcp INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + third rule above can be specified as follows: + + 2:P eth0 - ; -p tcp diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 135739ae9..5e34f839e 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml 
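Review bot: The installed template `Shorewall/configfiles/shorewall.conf` now ships `INLINE_MATCHES=Yes`, while the shorewall.conf(5) text added in the next hunk documents the unset or empty value as `No` "for backward compatibility". As I read that manpage text, under Yes whatever follows a `;` is treated as if INLINE had been given, so a rules file still written in the older `; column=value` style and paired with this template is no longer read as column values by the compiler. If the new behaviour is meant to be opt-in, the template should carry `INLINE_MATCHES=` (or `No`) and leave Yes to the Samples files changed in the surrounding hunks; if Yes is intended as the new default, the manpage sentence about the assumed value should say so.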
@@ -1005,6 +1005,23 @@ net all DROP infothen the chain name is 'net2all' + + INLINE_MATCHES={Yes|No} + + + Added in Shorewall 4.6.0. Traditionally in shorewall-rules(5), a semicolon + separates column-oriented specifications on the left from alternative + specificaitons on the right.. When INLINE_MATCHES=Yes is + specified, the specifications on the right are interpreted as if + INLINE had been specified in the ACTION column. If not specified or + if specified as the empty value, the value 'No' is assumed for + backward compatibility. + + + INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 8b9be48d0..db28db28e 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -151,6 +151,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=Off diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index f2b6781d4..acf40013c 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -151,6 +151,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=Off diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 83a1a5e1a..c4a35f988 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -151,6 +151,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index ecf5de65d..cb60abe55 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf 
@@ -151,6 +151,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=On diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 935af8328..f167a99e8 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -151,6 +151,8 @@ HELPERS= IMPLICIT_CONTINUE=No +INLINE_MATCHES=Yes + IPSET_WARNINGS=Yes IP_FORWARDING=Off diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index 31798a445..b9e642df2 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml @@ -533,6 +533,17 @@ INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 sit1 0.0.0.0/0 2001:470:a:227::2 + + If INLINE_MATCHES=Yes in shorewall6.conf(5), then these + rules may be specified as follows: + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + sit1 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 + sit1 0.0.0.0/0 2001:470:a:227::2 + diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 9242975f4..e79a6ed53 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -527,6 +527,15 @@ INLINE(2):P eth0 - tcp 22 INLINE(2):P eth0 - ; -p tcp INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + If INLINE_MATCHES=Yes in shorewall.conf(5) then the + third rule above can be specified as follows: + + 2:P eth0 - ; -p tcp + + In other words, when only matches are given after the ';', + INLINE is unnecessary. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index aafc01da7..56115f89a 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -876,6 +876,23 @@ net all DROP infothen the chain name is 'net2all' + + INLINE_MATCHES={Yes|No} + + + Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon + separates column-oriented specifications on the left from alternative + specificaitons on the right.. When INLINE_MATCHES=Yes is + specified, the specifications on the right are interpreted as if + INLINE had been specified in the ACTION column. If not specified or + if specified as the empty value, the value 'No' is assumed for + backward compatibility. + + + INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] From 9abe60bc27fb330090b7f67cea7bc6ddec4804b0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 14 Dec 2013 17:54:10 -0800 Subject: [PATCH 09/15] Implement the -i option of upgrade Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 2 + Shorewall/Perl/Shorewall/Compiler.pm | 7 +- Shorewall/Perl/Shorewall/Config.pm | 118 ++++++++++++++++++++++++--- Shorewall/Perl/compiler.pl | 8 +- Shorewall/lib.cli-std | 5 ++ 5 files changed, 125 insertions(+), 15 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index b54b33209..4d4e4e4fe 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3506,6 +3506,8 @@ shorewall_cli() { g_conditional= g_file= g_doing="Compiling" + g_directives + g_inline VERBOSE= VERBOSITY=1 diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index a6ff12195..1002fffe2 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
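Review bot: `g_directives` and `g_inline` on lines of their own are command invocations in sh, not assignments, so each `shorewall` CLI run will report "command not found" twice and leave both variables unset; the neighbouring lines show the intended form, `g_directives=` and `g_inline=`. shorewall_cli's body continues outside the hunk.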
@@ -581,8 +581,8 @@ EOF # sub compiler { - my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives ) = - ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 ); + my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline ) = + ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 ); $export = 0; $test = 0; @@ -620,6 +620,7 @@ sub compiler { update => { store => \$update, validate=> \&validate_boolean } , convert => { store => \$convert, validate=> \&validate_boolean } , annotate => { store => \$annotate, validate=> \&validate_boolean } , + inline => { store => \$inline, validate=> \&validate_boolean } , directives => { store => \$directives, validate=> \&validate_boolean } , config_path => { store => \$config_path } , shorewallrc => { store => \$shorewallrc } , @@ -659,7 +660,7 @@ sub compiler { # # S H O R E W A L L . C O N F A N D C A P A B I L I T I E S # - get_configuration( $export , $update , $annotate , $directives ); + get_configuration( $export , $update , $annotate , $directives , $inline ); # # Create a temp file to hold the script # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 2721d6476..dfde0d0f4 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
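Review bot: The new `$inline` default is appended as the eighteenth element of a positional list that already contains an empty element (`0, 0, , 0`), so confirming that every variable still lines up with its default means counting commas across two wrapped lines. Since the same variables are taken by reference in the option table a few lines later, declaring each with its own default (`my $inline = 0;`) — or at least laying the list out one name per line against its value — would make the next addition checkable by eye. compiler's body continues outside the hunk.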
@@ -5145,7 +5145,8 @@ sub export_params() { # # Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives # -sub convert_to_directives() { +sub convert_to_directives( $ ) { + my $inline_matches = $_[0]; my $sharedir = $shorewallrc{SHAREDIR}; # # Make a copy of @config_path so that the for-loop below doesn't clobber that list 
@@ -5158,6 +5159,97 @@ sub convert_to_directives() { progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives..."; + for my $dir ( @path ) { + unless ( $dir =~ /$dirtest/ ) { + if ( ! -w $dir ) { + warning_message "$dir not processed (not writeable)"; + } else { + $dir =~ s|/+$||; + + opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!"; + + while ( my $file = readdir( $dirhandle ) ) { + unless ( $file eq 'capabilities' || + $file eq 'params' || + $file =~ /^shorewall6?.conf$/ || + $file =~ /\.bak$/ ) { + $file = "$dir/$file"; + + if ( -f $file && -w _ ) { + # + # writeable regular file + # + my $result; + + if ( $inline_matches ) { + $result = system << "EOF"; +perl -pi.bak -e ' +/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; +if ( /^\\s*COMMENT\\s+/ ) { + s/COMMENT/?COMMENT/; +} elsif ( /^\\s*COMMENT\\s*\$/ ) { + s/COMMENT/?COMMENT/; +}' $file +EOF + } else { + $result = system << "EOF"; +perl -pi.bak -e ' +/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; +if ( /^\\s*COMMENT\\s+/ ) { + s/COMMENT/?COMMENT/; +} elsif ( /^\\s*COMMENT\\s*\$/ ) { + s/COMMENT/?COMMENT/; +} + +unless ( /^\\s*INLINE[( \\t]/ ) { + if ( /^(.+?);(\\s*.*?)(\\s*#.*)?$/ ) { + $_ = "$1\\{$2 \\}"; + $_ .= $3 if defined $3 && $2 ne ""; + $_ .= "\\n"; + } +}' $file +EOF + } + + if ( $result == 0 ) { + if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { + progress_message3 " File $file updated - old file renamed ${file}.bak"; + } elsif ( rename "${file}.bak" , $file ) { + progress_message " File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found"; + } else { + warning message "Unable to rename ${file}.bak to $file:$!"; + } + } else { + warning_message ("Unable to update file ${file}.bak:$!" 
); + } + } else { + warning_message( "$file skipped (not writeable)" ) unless -d _; + } + } + } + + closedir $dirhandle; + } + } + } +} + +# +# Walk the CONFIG_PATH converting '; =[,...]' lines to '{=[,...]}' +# +sub convert_alternative_format() { + my $sharedir = $shorewallrc{SHAREDIR}; + # + # Make a copy of @config_path so that the for-loop below doesn't clobber that list + # + my @path = @config_path; + + $sharedir =~ s|/+$||; + + my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|; + + progress_message3 "Converting '; =[,...]' lines to '{=[,...]}..."; + for my $dir ( @path ) { unless ( $dir =~ /$dirtest/ ) { if ( ! -w $dir ) { @@ -5179,12 +5271,14 @@ sub convert_to_directives() { # writeable regular file # my $result = system << "EOF"; -perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; - if ( /^\\s*COMMENT\\s+/ ) { - s/COMMENT/?COMMENT/; - } elsif ( /^\\s*COMMENT\\s*\$/ ) { - s/COMMENT/?COMMENT/; - }' $file +perl -pi.bak -e ' +unless ( /^\\s*INLINE[( \\t]/ ) { + if ( /^(.+?);(\\s*.*?)(\\s*#.*)?$/ ) { + $_ = "$1\\{$2 \\}"; + $_ .= $3 if defined $3 && $2 ne ""; + $_ .= "\\n"; + } +}' $file EOF if ( $result == 0 ) { if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { @@ -5215,9 +5309,9 @@ EOF # - Read the capabilities file, if any # - establish global hashes %params, %config , %globals and %capabilities # -sub get_configuration( $$$$ ) { +sub get_configuration( $$$$$ ) { - my ( $export, $update, $annotate, $directives ) = @_; + my ( $export, $update, $annotate, $directives, $inline ) = @_; $globals{EXPORT} = $export; @@ -5898,7 +5992,11 @@ sub get_configuration( $$$$ ) { $variables{$var} = $config{$val}; } - convert_to_directives if $directives; + if ( $directives ) { + convert_to_directives(0); + } else { + convert_alternative_format; + } cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY}; } diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index 3e614e6f5..1541c0b74 100755 --- a/Shorewall/Perl/compiler.pl 
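Review bot: The new `convert_alternative_format`, and the second branch copied into `convert_to_directives`, build their commands as shell strings — `perl -pi.bak -e '...' $file` inside a `<< "EOF"` heredoc and `system( "diff -q $file ${file}.bak > /dev/null" )` — with `$file` taken straight from `readdir` of every directory on CONFIG_PATH, so a file name containing whitespace, a quote or `;` is split or re-parsed by /bin/sh before perl sees it. List form, `system( 'perl', '-pi.bak', '-e', $script, $file )`, hands the name over as a single argument without a shell, and the changed-file test can use core `File::Compare::compare( $file, "$file.bak" )` (0 when identical) instead of shelling out to diff; the same pattern appears in the second hunk of this file below and in the lines restored by PATCH 12. The copied block also carries over `warning message "Unable to rename ${file}.bak to $file:$!"` (missing underscore), which as far as I can tell compiles as an indirect method call on the bareword `message` and only fails at runtime on that path — it should be `warning_message` in the original block as well. The enclosing `for my $dir` loop of convert_to_directives starts outside this hunk.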
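Review bot: The new `else` branch calls `convert_alternative_format` whenever `$directives` is false, which is every ordinary compile or check run, so the files on CONFIG_PATH are rewritten (leaving `.bak` copies) without the user asking for it, and the freshly added `$inline` parameter is never consulted. The branch should read `} elsif ( $inline ) {`. get_configuration's body continues outside the hunk.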
+++ b/Shorewall/Perl/compiler.pl @@ -40,6 +40,7 @@ # --shorewallrc= # Path to global shorewallrc file. # --shorewallrc1= # Path to export shorewallrc file. # --config_path= # Search path for config files +# --inline # Update alternative column specifications # use strict; use FindBin; @@ -73,10 +74,10 @@ usage: compiler.pl [ + The -i option was added in Shorewall 4.6.0. When this option + is specified, the compiler will walk through the directories in the + CONFIG_PATH replacing alternative column specifications following a + semicolon (";") to alternate column specifications enclosed in curly + braces ("{...}"). When a file is updated, the original is saved in a + .bak file in the same directory. + For a description of the other options, see the check command above. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index e86d8b1fc..83f305b61 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -606,6 +606,8 @@ + + directory @@ -1612,6 +1614,13 @@ updated, the original is saved in a .bak file in the same directory. + The -i option was added in Shorewall 4.6.0. When this option + is specified, the compiler will walk through the directories in the + CONFIG_PATH replacing alternative column specifications following a + semicolon (";") to alternate column specifications enclosed in curly + braces ("{...}"). When a file is updated, the original is saved in a + .bak file in the same directory. + For a description of the other options, see the check command above. From 6d72cb31382bfaf737c95d3e9e3a3dac4fe0801c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 15 Dec 2013 09:32:09 -0800 Subject: [PATCH 11/15] Correct update inline Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 4 ++-- Shorewall/Perl/Shorewall/Config.pm | 31 ++++++++++++++++-------------- 2 files changed, 19 insertions(+), 16 deletions(-) 
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 4d4e4e4fe..7c856cbf7 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3506,8 +3506,8 @@ shorewall_cli() { g_conditional= g_file= g_doing="Compiling" - g_directives - g_inline + g_directives= + g_inline= VERBOSE= VERBOSITY=1 diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index dfde0d0f4..3878cb987 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5201,11 +5201,12 @@ if ( /^\\s*COMMENT\\s+/ ) { s/COMMENT/?COMMENT/; } -unless ( /^\\s*INLINE[( \\t]/ ) { - if ( /^(.+?);(\\s*.*?)(\\s*#.*)?$/ ) { - $_ = "$1\\{$2 \\}"; - $_ .= $3 if defined $3 && $2 ne ""; - $_ .= "\\n"; +perl -pi.bak -e ' +unless ( /^\\s*INLINE[( \\t:]/ || /^\\s*#/ ) { + if ( /^(.+?);(\\s*.+?)(\\s*#.*)?\$/ ) { + \$_ = "\$1\\{\$2 \\}"; + \$_ .= \$3 if defined \$3 && \$3 ne ""; + \$_ .= "\\n"; } }' $file EOF @@ -5220,7 +5221,7 @@ EOF warning message "Unable to rename ${file}.bak to $file:$!"; } } else { - warning_message ("Unable to update file ${file}.bak:$!" ); + warning_message ("Unable to update file $file" ); } } else { warning_message( "$file skipped (not writeable)" ) unless -d _; @@ -5270,13 +5271,15 @@ sub convert_alternative_format() { # # writeable regular file # + print "Updating $file...\n"; + my $result = system << "EOF"; perl -pi.bak -e ' -unless ( /^\\s*INLINE[( \\t]/ ) { - if ( /^(.+?);(\\s*.*?)(\\s*#.*)?$/ ) { - $_ = "$1\\{$2 \\}"; - $_ .= $3 if defined $3 && $2 ne ""; - $_ .= "\\n"; +unless ( /^\\s*INLINE[( \\t:]/ || /^\\s*#/ ) { + if ( /^(.+?);(\\s*.+?)(\\s*#.*)?\$/ ) { + \$_ = "\$1\\{\$2 \\}"; + \$_ .= \$3 if defined \$3 && \$3 ne ""; + \$_ .= "\\n"; } }' $file EOF 
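Review bot: The inserted `perl -pi.bak -e '` line lands inside the single-quoted `-e` script that, going by the previous commit's version of this block, was opened at the top of the same heredoc, so its `'` closes that quote and the `unless ( … ) { … }'` text that follows reaches the shell as bare words plus a stray quote rather than as a second perl invocation. Either keep a single script and drop the inserted line, or terminate the first command (`}' $file` on its own line) before starting the second `perl -pi.bak -e '…' $file`, so the two programs run in sequence. The heredoc and the enclosing sub both start outside the hunk.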
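Review bot: `print "Updating $file...\n";` writes unconditionally to STDOUT, bypassing the `progress_message`/`progress_message3` verbosity control that the rest of this block uses for its status lines, and reads like leftover debugging. It should be `progress_message3 "Updating $file...";` or dropped, since the "File $file updated" line below already reports the outcome. convert_alternative_format's loop starts outside the hunk.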
@@ -5289,7 +5292,7 @@ EOF warning message "Unable to rename ${file}.bak to $file:$!"; } } else { - warning_message ("Unable to update file ${file}.bak:$!" ); + warning_message ("Unable to update file $file" ); } } else { warning_message( "$file skipped (not writeable)" ) unless -d _; @@ -5323,7 +5326,7 @@ sub get_configuration( $$$$$ ) { get_params; - process_shorewall_conf( $update, $annotate, $directives ); + process_shorewall_conf( $update, $annotate, $directives || $inline ); ensure_config_path; @@ -5994,7 +5997,7 @@ sub get_configuration( $$$$$ ) { if ( $directives ) { convert_to_directives(0); - } else { + } elsif ( $inline ) { convert_alternative_format; } From 4e4e7cac1d0b8fe450cb04a66564a591165d44a6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 15 Dec 2013 11:23:20 -0800 Subject: [PATCH 12/15] Redefine the -i option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 147 +++++++---------------------- Shorewall/lib.cli-std | 46 ++++++--- Shorewall/manpages/shorewall.xml | 67 +++++++++++-- Shorewall6/manpages/shorewall6.xml | 67 +++++++++++-- 4 files changed, 186 insertions(+), 141 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 3878cb987..adc87b50c 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -554,6 +554,7 @@ our $warningcount; # Used to suppress duplicate warnings about missing our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated +our $checkinline; # The -i option to check/compile/etc. our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. 
@@ -2055,6 +2056,8 @@ sub supplied( $ ) { sub split_line2( $$;$$$ ) { my ( $description, $columnsref, $nopad, $maxcolumns, $inline ) = @_; + my $inlinematches = $config{INLINE_MATCHES}; + unless ( defined $maxcolumns ) { my @maxcolumns = ( keys %$columnsref ); $maxcolumns = @maxcolumns; @@ -2072,11 +2075,25 @@ sub split_line2( $$;$$$ ) { # fatal_error "Only one semicolon (';') allowed on a line" if defined $rest; - if ( $inline ) { + if ( $inlinematches ) { + fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" unless $inline; + + $inline_matches = $pairs; + + if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) { + # + # Pairs are enclosed in curly brackets. + # + $columns = $1; + $pairs = $2; + } else { + $pairs = ''; + } + } elsif ( $inline ) { # # This file supports INLINE # - if ( $config{INLINE_MATCHES} || $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) { + if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/) { $inline_matches = $pairs; if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) { @@ -2086,11 +2103,12 @@ sub split_line2( $$;$$$ ) { $columns = $1; $pairs = $2; } else { + warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes" if $checkinline; $pairs = ''; } } - } else { - fatal_error "The $description does not support inline matches (INLINE_MATCHES=Yes)" + } elsif ( $checkinline ) { + warning_message "This entry needs to be changed before INLINE_MATCHES can be set to Yes"; } } elsif ( $currentline =~ /^(\s*|.*[^&@%]){(.*)}$/ ) { # @@ -5145,8 +5163,7 @@ sub export_params() { # # Walk the CONFIG_PATH converting FORMAT and COMMENT lines to compiler directives # -sub convert_to_directives( $ ) { - my $inline_matches = $_[0]; +sub convert_to_directives() { my $sharedir = $shorewallrc{SHAREDIR}; # # Make a copy of @config_path so that the for-loop below doesn't clobber that list 
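Review bot: With `$checkinline` set, the `elsif ( $inline )` branch warns only for an `INLINE … ; matches` entry whose columns carry no `{…}`, yet the new `$inlinematches` branch above handles exactly that entry the same way (`$inline_matches = $pairs; $pairs = ''`), so it needs no change. The entry whose meaning does change under INLINE_MATCHES=Yes is one in an inline-capable file that lacks the INLINE keyword and still uses `;` for column pairs, and that case — the inner `if ( $currentline =~ /^\s*INLINE…/ )` being false — produces no warning at all. Unless I am misreading the nesting, the `warning_message … if $checkinline` belongs in an `else` of that inner `if`, and a text naming the fix (for example "replace '; col=value' with '{col=value}'") would be more actionable than the identical generic sentence used in both places. split_line2's body continues outside these hunks.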
@@ -5179,109 +5196,13 @@ sub convert_to_directives( $ ) { # # writeable regular file # - my $result; - - if ( $inline_matches ) { - $result = system << "EOF"; -perl -pi.bak -e ' -/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; -if ( /^\\s*COMMENT\\s+/ ) { - s/COMMENT/?COMMENT/; -} elsif ( /^\\s*COMMENT\\s*\$/ ) { - s/COMMENT/?COMMENT/; -}' $file -EOF - } else { - $result = system << "EOF"; -perl -pi.bak -e ' -/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; -if ( /^\\s*COMMENT\\s+/ ) { - s/COMMENT/?COMMENT/; -} elsif ( /^\\s*COMMENT\\s*\$/ ) { - s/COMMENT/?COMMENT/; -} - -perl -pi.bak -e ' -unless ( /^\\s*INLINE[( \\t:]/ || /^\\s*#/ ) { - if ( /^(.+?);(\\s*.+?)(\\s*#.*)?\$/ ) { - \$_ = "\$1\\{\$2 \\}"; - \$_ .= \$3 if defined \$3 && \$3 ne ""; - \$_ .= "\\n"; - } -}' $file -EOF - } - - if ( $result == 0 ) { - if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { - progress_message3 " File $file updated - old file renamed ${file}.bak"; - } elsif ( rename "${file}.bak" , $file ) { - progress_message " File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found"; - } else { - warning message "Unable to rename ${file}.bak to $file:$!"; - } - } else { - warning_message ("Unable to update file $file" ); - } - } else { - warning_message( "$file skipped (not writeable)" ) unless -d _; - } - } - } - - closedir $dirhandle; - } - } - } -} - -# -# Walk the CONFIG_PATH converting '; =[,...]' lines to '{=[,...]}' -# -sub convert_alternative_format() { - my $sharedir = $shorewallrc{SHAREDIR}; - # - # Make a copy of @config_path so that the for-loop below doesn't clobber that list - # - my @path = @config_path; - - $sharedir =~ s|/+$||; - - my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|; - - progress_message3 "Converting '; =[,...]' lines to '{=[,...]}..."; - - for my $dir ( @path ) { - unless ( $dir =~ /$dirtest/ ) { - if ( ! 
-w $dir ) { - warning_message "$dir not processed (not writeable)"; - } else { - $dir =~ s|/+$||; - - opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!"; - - while ( my $file = readdir( $dirhandle ) ) { - unless ( $file eq 'capabilities' || - $file eq 'params' || - $file =~ /^shorewall6?.conf$/ || - $file =~ /\.bak$/ ) { - $file = "$dir/$file"; - - if ( -f $file && -w _ ) { - # - # writeable regular file - # - print "Updating $file...\n"; - my $result = system << "EOF"; -perl -pi.bak -e ' -unless ( /^\\s*INLINE[( \\t:]/ || /^\\s*#/ ) { - if ( /^(.+?);(\\s*.+?)(\\s*#.*)?\$/ ) { - \$_ = "\$1\\{\$2 \\}"; - \$_ .= \$3 if defined \$3 && \$3 ne ""; - \$_ .= "\\n"; - } -}' $file + perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; + if ( /^\\s*COMMENT\\s+/ ) { + s/COMMENT/?COMMENT/; + } elsif ( /^\\s*COMMENT\\s*\$/ ) { + s/COMMENT/?COMMENT/; + }' $file EOF if ( $result == 0 ) { if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { @@ -5314,7 +5235,7 @@ EOF # sub get_configuration( $$$$$ ) { - my ( $export, $update, $annotate, $directives, $inline ) = @_; + ( my ( $export, $update, $annotate, $directives ) , $checkinline ) = @_; $globals{EXPORT} = $export; @@ -5326,7 +5247,7 @@ sub get_configuration( $$$$$ ) { get_params; - process_shorewall_conf( $update, $annotate, $directives || $inline ); + process_shorewall_conf( $update, $annotate, $directives ); ensure_config_path; @@ -5995,11 +5916,7 @@ sub get_configuration( $$$$$ ) { $variables{$var} = $config{$val}; } - if ( $directives ) { - convert_to_directives(0); - } elsif ( $inline ) { - convert_alternative_format; - } + convert_to_directives if $directives; cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY}; } diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index 81034e7bc..dfe5390f5 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std 
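Review bot: The surviving `my $result = system << "EOF";` hands a shell command line with `$file` interpolated into it, and the `system( "diff -q $file ${file}.bak > /dev/null" )` a few lines later does the same; `$file` comes from `readdir` on the CONFIG_PATH directories, so a name containing whitespace or shell metacharacters either breaks the command or is interpreted by the shell. The directories are administrator-owned, so this is robustness more than exposure, but list-form `system` removes the shell entirely and lets the one-liner live in a single-quoted heredoc without the doubled backslashes, and the `diff` call can become `compare` from core `File::Compare` (needs `use File::Compare;` at the top of the module) so no redirection is required. The patch-14 hunk to `convert_to_directives` later in this series keeps the same construct. `convert_to_directives` starts and ends outside the hunk.
```perl
            # In-place edit script; single-quoted heredoc, so \s and $ need no doubling.
            my $script = <<'PERL';
/^\s*FORMAT\s*/ && s/FORMAT/?FORMAT/;
if ( /^\s*COMMENT\s+/ ) {
    s/COMMENT/?COMMENT/;
} elsif ( /^\s*COMMENT\s*$/ ) {
    s/COMMENT/?COMMENT/;
}
PERL
            # List form: $file is passed as a single argument, no shell involved.
            my $result = system( 'perl', '-pi.bak', '-e', $script, $file );

            if ( $result == 0 ) {
                if ( compare( $file, "${file}.bak" ) ) {    # File::Compare: non-zero when the files differ
                    # … unchanged: progress_message3 / rename / warning branches …
```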
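Review bot: `( my ( $export, $update, $annotate, $directives ) , $checkinline ) = @_;` buries an assignment to the package global `$checkinline` inside a `my` list, which reads at a glance as five lexicals being declared. Splitting it keeps the intent visible: `my ( $export, $update, $annotate, $directives, $inline ) = @_;` followed by `$checkinline = $inline;`. `get_configuration` continues beyond the hunk.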
@@ -529,6 +529,10 @@ start_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; *) usage 1 ;; @@ -643,6 +647,10 @@ compile_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; -) finished=1 option= @@ -733,6 +741,10 @@ check_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; *) usage 1 ;; @@ -813,6 +825,10 @@ update_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; a*) g_annotate=Yes option=${option#a} @@ -825,10 +841,6 @@ update_command() { g_directives=Yes option=${option#D} ;; - i*) - g_inline=Yes - option=${option#i} - ;; *) usage 1 ;; @@ -915,6 +927,10 @@ restart_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; *) usage 1 ;; @@ -1010,6 +1026,10 @@ refresh_command() { g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; D) if [ $# -gt 1 ]; then g_shorewalldir="$2" @@ -1399,6 +1419,10 @@ reload_command() # $* = original arguments less the command. g_confess=Yes option=${option#T} ;; + i*) + g_inline=Yes + option=${option#i} + ;; *) usage 1 ;; @@ -1588,9 +1612,9 @@ usage() # $1 = exit status echo "where is one of:" echo " add [:] ... " echo " allow
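Review bot: The `i*) g_inline=Yes` case added here to `start_command` (and identically to `compile_command`, `check_command`, `update_command`, `restart_command`, `refresh_command` and `reload_command` in the following hunks) only records the flag; nothing in these hunks forwards `g_inline` to the compiler invocation, so if the existing call sites do not already pass it — I cannot see them from here — the option is silently a no-op for every command except `update`, where the case was moved rather than added. Worth confirming that the compiler receives the `-i` option whenever `g_inline=Yes`. A one-line comment beside the first occurrence, such as `# -i: warn about ';' alternatives that INLINE_MATCHES=Yes would misread`, would also tell the next reader what the flag is for.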
..." - echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ ]" + echo " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ ]" echo " clear" - echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ ] [ ]" + echo " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ ] [ ]" echo " delete [:] ... " echo " disable " echo " drop
..." @@ -1613,7 +1637,7 @@ usage() # $1 = exit status echo " iptrace " fi - echo " load [ -s ] [ -c ] [ -r ] [ -T ] [ ] " + echo " load [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" @@ -1626,9 +1650,9 @@ usage() # $1 = exit status echo " refresh [ -d ] [ -n ] [ -T ] [ -D ] [ ... ]" echo " reject
..." - echo " reload [ -s ] [ -c ] [ -r ] [ -T ] [ ] " + echo " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ ]" + echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ ]" echo " restore [ -n ] [ ]" echo " safe-restart [ -t ] [ ]" echo " safe-start [ -t ] [ ]" @@ -1658,11 +1682,11 @@ usage() # $1 = exit status echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" - echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ ]" + echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ ]" echo " status" echo " stop" echo " try [ ]" - echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ ]" + echo " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [ ]" echo " version [ -a ]" echo exit $1 diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index dc533d21b..a6193d054 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -66,6 +66,8 @@ + + directory @@ -100,6 +102,8 @@ + + directory pathname @@ -291,6 +295,8 @@ + + directory system @@ -358,7 +364,7 @@ -options - + choice="plain">- directory chain @@ -393,6 +399,8 @@ + + directory system @@ -429,6 +437,8 @@ + + directory @@ -628,7 +638,7 @@ - + directory @@ -824,6 +834,12 @@ The option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). 
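Review bot: The `refresh` usage line (`echo " refresh [ -d ] [ -n ] [ -T ] [ -D ] ...`, the context line at the top of this hunk) is left without `[ -i ]`, although `refresh_command` gains an `i*)` case earlier in this patch and every other command that gained the case has its usage line updated here or in the neighbouring hunks. Add `[ -i ]` after `[ -D ]` on that line so `usage` matches what the parser accepts.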
@@ -891,6 +907,12 @@ The option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). @@ -1121,6 +1143,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). @@ -1206,6 +1234,12 @@ and causes a Perl stack trace to be included with each compiler-generated error and warning message. + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). + The - option was added in Shorewall 4.5.3 and causes Shorewall to look in the given directory first for configuration files. @@ -1267,6 +1301,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). 
@@ -1315,6 +1355,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). @@ -1674,6 +1720,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). @@ -1778,12 +1830,11 @@ updated, the original is saved in a .bak file in the same directory. - The -i option was added in Shorewall 4.6.0. When this option - is specified, the compiler will walk through the directories in the - CONFIG_PATH replacing alternative column specifications following a - semicolon (";") to alternate column specifications enclosed in curly - braces ("{...}"). When a file is updated, the original is saved in a - .bak file in the same directory. + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall.conf(5). For a description of the other options, see the check command above. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index 83f305b61..6be615cff 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -65,6 +65,8 @@ + + directory @@ -94,6 +96,8 @@ + + directory pathname 
@@ -242,6 +246,8 @@ + + directory system @@ -309,7 +315,7 @@ -options - + choice="plain">- directory chain @@ -344,6 +350,8 @@ + + directory system @@ -378,6 +386,8 @@ + + directory @@ -546,6 +556,8 @@ + + directory @@ -739,6 +751,12 @@ The option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). @@ -799,6 +817,12 @@ The option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). @@ -1003,6 +1027,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). 
@@ -1090,6 +1120,12 @@ and causes a Perl stack trace to be included with each compiler-generated error and warning message. + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). + The - option was added in Shorewall 4.5.3 and causes Shorewall to look in the given directory first for configuration files. @@ -1143,6 +1179,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). @@ -1194,6 +1236,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). @@ -1516,6 +1564,12 @@ The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message. + + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). 
@@ -1614,12 +1668,11 @@ updated, the original is saved in a .bak file in the same directory. - The -i option was added in Shorewall 4.6.0. When this option - is specified, the compiler will walk through the directories in the - CONFIG_PATH replacing alternative column specifications following a - semicolon (";") to alternate column specifications enclosed in curly - braces ("{...}"). When a file is updated, the original is saved in a - .bak file in the same directory. + The -i option was added in Shorewall 4.6.0 and causes a + warning message to be issued if the line current line contains + alternative input specifications following a semicolon (";"). Such + lines will be handled incorrectly if INLINE_MATCHES is set to Yes in + shorewall6.conf(5). For a description of the other options, see the check command above. From fad3b42bd37469256c969bd926cc03aa83aa7e41 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 16 Dec 2013 07:40:41 -0800 Subject: [PATCH 13/15] Correct line split in the Accounting module Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 68b2c15f3..30bd34363 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm 
@@ -424,9 +424,11 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { sub process_accounting_rule( ) { my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) = - split_line1( 'Accounting File', - { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 } ); - + split_line2( 'Accounting File', + { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, + {}, #nopad + undef, #Max columns + 1 ); my $nonempty = 0; for my $proto ( split_list $protos, 'Protocol' ) { From 2894bb9656d1c7b9dcd00830148e52bdc3ecb7d7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 16 Dec 2013 12:31:35 -0800 Subject: [PATCH 14/15] Move INLINE processing into the Chains module. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 2 +- Shorewall/Perl/Shorewall/Chains.pm | 71 ++++++++++++++++++++++++++ Shorewall/Perl/Shorewall/Config.pm | 7 +-- Shorewall/Perl/Shorewall/Nat.pm | 4 +- Shorewall/Perl/Shorewall/Rules.pm | 50 ++---------------- Shorewall/Perl/Shorewall/Tc.pm | 6 +-- 6 files changed, 84 insertions(+), 56 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 30bd34363..c06b1ce06 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -243,7 +243,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { } } } elsif ( $action eq 'INLINE' ) { - $rule .= get_inline_matches; + $rule .= get_inline_matches(1); } else { ( $action, my $cmd ) = split /:/, $action; diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 2ffb66278..0206f9100 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
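Review bot: The new `split_line2` call annotates two of its positional arguments with trailing comments (`#nopad`, `#Max columns`) but leaves the final `1 );` unexplained, and that is the argument that changes behaviour by enabling INLINE handling for this file. Make it `1 ); #inline` so all the positions read the same way. `process_accounting_rule` continues beyond the hunk.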
@@ -80,6 +80,10 @@ our @EXPORT = ( qw( add_interface_options state_match state_imatch + split_action + get_target_param + get_inline_matches + handle_inline STANDARD NATRULE 
@@ -8397,4 +8401,71 @@ sub initialize_switches() { } } +# +# Return ( action, level[:tag] ) from passed full action +# +sub split_action ( $ ) { + my $action = $_[0]; + + my @list = split_list2( $action, 'ACTION' ); + + fatal_error "Invalid ACTION ($action)" if @list > 3; + + ( shift @list, join( ':', @list ) ); +} + +# +# Get inline matches and conditionally verify the absense of -j +# +sub get_inline_matches( $ ) { + if ( $_[0] ) { + fetch_inline_matches; + } else { + my $inline_matches = fetch_inline_matches; + + fatal_error "-j is only allowed when the ACTION is INLINE with no parameter" if $inline_matches =~ /\s-j\s/; + + $inline_matches; + } +} + +# +# Split the passed target into the basic target and parameter (previously duplicated in this file) +# +sub get_target_param( $ ) { + my ( $target, $param ) = split '/', $_[0]; + + unless ( defined $param ) { + ( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/; + } + + ( $target, $param ); +} + +sub handle_inline( $$$$ ) { + my ( $action, $basictarget, $param, $loglevel ) = @_; + my $inline_matches = get_inline_matches(1); + my $raw_matches = ''; + + if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) { + $raw_matches .= $1 if supplied $1; + $action = $2; + my ( $target ) = split ' ', $action; + fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK'; + fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne ''; + } else { + $raw_matches .= $inline_matches; + + if ( $param eq '' ) { + $action = $loglevel ? 'LOG' : ''; + } else { + ( $action, $loglevel ) = split_action $param; + ( $basictarget, $param ) = get_target_param $action; + $param = '' unless defined $param; + } + } + + return ( $action, $basictarget, $param, $loglevel, $raw_matches ); +} + 1; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index adc87b50c..5e09e4b19 100644 --- a/Shorewall/Perl/Shorewall/Config.pm 
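Review bot: In `get_inline_matches`, the guard `fatal_error "-j is only allowed when the ACTION is INLINE with no parameter" if $inline_matches =~ /\s-j\s/;` does not see a `-j` at the very start of the free-form text: `fetch_inline_matches` (renamed in the Config.pm hunk of this same patch) returns `"$inline_matches "` with only a trailing space, so a value such as `-j ACCEPT` — which is what `{-j ACCEPT}` yields in `split_line2` — passes the check while `foo -j ACCEPT` is rejected, and `handle_inline`'s own pattern `/^(.*\s+)?-j\s+(.+) $/` already allows for the leading position. Anchor the guard the same way: `if $inline_matches =~ /(?:^|\s)-j\s/;`. Two smaller points: `handle_inline` is the only new sub without a header comment (the other three have one), and `get_inline_matches` returns through the last expression of an `if/else`, where an explicit `return` on each branch would be clearer; its header comment also misspells "absence".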
+++ b/Shorewall/Perl/Shorewall/Config.pm @@ -70,7 +70,7 @@ our @EXPORT = qw( get_action_disposition set_action_disposition set_action_param - get_inline_matches + fetch_inline_matches set_inline_matches set_comment @@ -3071,7 +3071,7 @@ sub embedded_perl( $ ) { # # Return inline matches # -sub get_inline_matches() { +sub fetch_inline_matches() { "$inline_matches "; } @@ -5197,7 +5197,8 @@ sub convert_to_directives() { # writeable regular file # my $result = system << "EOF"; - perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; + perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/; + /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/; if ( /^\\s*COMMENT\\s+/ ) { s/COMMENT/?COMMENT/; } elsif ( /^\\s*COMMENT\\s*\$/ ) { diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 3b5d70790..2c85d3d0d 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -77,9 +77,9 @@ sub process_one_masq1( $$$$$$$$$$ ) # if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) { $interfacelist = $1; - $inlinematches = get_inline_matches; + $inlinematches = get_inline_matches(0); } elsif ( $config{INLINE_MATCHES} ) { - $inlinematches = get_inline_matches; + $inlinematches = get_inline_matches(0); } # # Parse the remaining part of the INTERFACE column diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 1444e9e58..39bcb56cd 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -299,19 +299,6 @@ sub new_rules_chain( $ ) { ############################################################################### # Functions moved from the former Policy Module ############################################################################### -# -# Split the passed target into the basic target and parameter (previously duplicated in this file) -# -sub get_target_param( $ ) { - my ( $target, $param ) = split '/', $_[0]; - - unless ( defined $param ) { - ( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/; - } - - ( $target, $param ); -} - # # Convert a chain into a policy chain. # @@ -1104,19 +1091,6 @@ sub finish_section ( $ ) { ################################################################################ # Functions moved from the Actions module in 4.4.16 ################################################################################ -# -# Return ( action, level[:tag] ) from passed full action -# -sub split_action ( $ ) { - my $action = $_[0]; - - my @list = split_list2( $action, 'ACTION' ); - - fatal_error "Invalid ACTION ($action)" if @list > 3; - - ( shift @list, join( ':', @list ) ); -} - # # Create a normalized action name from the passed pieces. # @@ -2179,7 +2153,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { my ( $basictarget, $param ) = get_target_param $action; my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0; my $actiontype; - my $inaction = ''; # Set to true when we are process rules in an action file + my $inaction = ''; # Set to true when we are processing rules in an action file my $inchain = ''; # Set to true when a chain reference is passed. my $normalized_target; my $normalized_action; 
@@ -2194,27 +2168,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { $param = '' unless defined $param; if ( $basictarget eq 'INLINE' ) { - my $inline_matches = get_inline_matches; - - if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) { - $raw_matches .= $1 if supplied $1; - $action = $2; - my ( $target ) = split ' ', $action; - fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK'; - fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne ''; - } else { - $raw_matches .= $inline_matches; - - if ( $param eq '' ) { - $action = $loglevel ? 'LOG' : ''; - } else { - ( $action, $loglevel ) = split_action $param; - ( $basictarget, $param ) = get_target_param $action; - $param = '' unless defined $param; - } - } + ( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel ); } elsif ( $config{INLINE_MATCHES} ) { - $raw_matches = get_inline_matches; + $raw_matches = get_inline_matches(0); } # # Determine the validity of the action diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 4c07ddf52..99db00408 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -321,9 +321,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { if ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) { $originalmark = $1; $originalmark .= $2 if $2; - $raw = get_inline_matches; + $raw = get_inline_matches(0); } elsif ( $config{INLINE_MATCHES} ) { - $raw = get_inline_matches; + $raw = get_inline_matches(0); } my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); @@ -565,7 +565,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { INLINE => sub() { assert ( $cmd eq 'INLINE' ); - $matches = get_inline_matches; + $matches = get_inline_matches(1); if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) { $matches = $1; From a5e8bc62988c66894d54a867b55b53a86a99aa54 Mon Sep 17 00:00:00 2001 
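Review bot: `( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( ... );` overwrites `$raw_matches`, whereas the removed inline code appended to it (`$raw_matches .= $1`, `$raw_matches .= $inline_matches`) and `handle_inline` starts from its own `$raw_matches = ''`. If `$raw_matches` can already hold something at this point in `process_rule` — I cannot tell from the hunk — that content is now lost. Preserve the old semantics with `( $action, $basictarget, $param, $loglevel, my $inline_raw ) = handle_inline( $action, $basictarget, $param, $loglevel );` followed by `$raw_matches .= $inline_raw;`. `process_rule` starts and ends outside the hunk.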
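Review bot: The context line `if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) {` that follows the new `get_inline_matches(1)` requires whitespace before `-j`, so free-form text that begins with `-j` (the value from `fetch_inline_matches` only gains a trailing space) is not recognised as a jump here and stays in `$matches`, while `handle_inline` in Chains.pm treats the same input as a jump via `(.*\s+)?`. If the two are meant to agree, make the group optional here too, `if ( $matches =~ /^(.*\s+)?-j\s+(.+)$/ ) {`, and since `$1` is then undef when the group is absent, change the next line to `$matches = $1 // '';`. The `INLINE` handler continues beyond the hunk.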
From: Tom Eastep Date: Wed, 18 Dec 2013 07:15:24 -0800 Subject: [PATCH 15/15] Apply Luigi's small fix for IPSET= Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index b54b33209..63b5619ab 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -582,7 +582,7 @@ show_routing() { determine_ipset_version() { local setname - if [ -z "$IPSET" -o $IPSET = ipset ]; then + if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then IPSET=$(mywhich ipset) [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located" fi
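Review bot: The corrected test still uses `-o` inside a single `[ ]`, which POSIX marks obsolescent and which some `test` implementations can mis-parse when an operand looks like an option; the quoting fix is right, but `if [ -z "$IPSET" ] || [ "$IPSET" = ipset ]; then` is the portable spelling and reads the same. `determine_ipset_version` continues beyond the hunk.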