From 7ed52360d599f8f588fed5210b81b174527d3aed Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 7 Sep 2011 12:19:13 -0700
Subject: [PATCH 1/3] Set all interfaces's 'routefilter' option if ROUTE_FILTER=on
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 140218d3c..8129049f0 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -557,7 +557,11 @@ sub add_common_rules() {
 $interfaceref->{options}{use_forward_chain} = 1;
 } elsif ( $interfaceref->{bridge} eq $interface ) {
 add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
- unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';
+ unless( $config{ROUTE_FILTER} eq 'on' ||
+ $interfaceref->{options}{routeback} ||
+ $interfaceref->{options}{routefilter} ||
+ $interfaceref->{physical} eq '+' );
+
 $interfaceref->{options}{use_forward_chain} = 1;
 }
From a3f6b9292e6152401d7e1fcb014eb4f2e7fb5b26 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 7 Sep 2011 16:34:42 -0700
Subject: [PATCH 2/3] Change "see above" to "see below" in routefilter description
Signed-off-by: Tom Eastep
---
 manpages/shorewall-interfaces.xml | 2 +-
 manpages6/shorewall6-interfaces.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml
index 5c0788f18..76b252c8e 100644
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -521,7 +521,7 @@ loc eth2 - Beginning with Shorewall 4.4.20, if you specify this option, then you should also specify either - (see above) or + (see below) or on all interfaces (see below).
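Review bot: The added `$config{ROUTE_FILTER} eq 'on'` alternative makes the jump to `$target1` on a bridge interface disappear whenever route filtering is globally enabled, and nothing in the hunk records why the kernel's reverse-path check is treated as a substitute for that rule; a short comment above the `unless(` would help, e.g. `# With ROUTE_FILTER=on the kernel's reverse-path check already covers what this jump guards against, so it is skipped for bridges.` The comparison assumes the option has already been normalised to the literal `'on'` by the config loader; if the raw shorewall.conf spelling could reach this point the condition would never match and the jump would still be emitted, which fails safe but would not do what the commit intends, so confirm where ROUTE_FILTER is canonicalised. The subject says every interface's routefilter option is set, but the hunk only widens this one skip condition, so any other code that consults `$interfaceref->{options}{routefilter}` would still see it unset — setting the option at interface-parse time would centralise the intent. add_common_rules begins before this hunk and continues past it.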
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml
index dcefddee8..9b403aac6 100644
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -319,7 +319,7 @@ loc eth2 - Beginning with Shorewall 4.4.20, if you specify this option, then you should also specify - (see above). + (see below).
From 8ce60ce8251749fcd545530364fe83b441b8f76c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 10 Sep 2011 08:18:46 -0700
Subject: [PATCH 3/3] Don't emit dangerous %ENV entries to the generated script
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 968007fc2..4e26d406e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3373,13 +3373,22 @@ sub export_params() {
 #
 # Don't export pairs from %ENV
 #
- if ( exists $ENV{$param} && defined $ENV{$param} ) {
+ if ( exists $ENV{$param} ) {
+ next unless defined $ENV{$param};
 next if $value eq $ENV{$param};
+ #
+ # Don't export anything from %ENV that contains quotes.
+ # We don't know that $SHOREWALL_SHELL was used to
+ # process the params file (may even be processed on a
+ # different system) so we don't know $SHOREWALL_SHELL's
+ # convention for escaping quotes
+ #
+ next if $value =~ /[\n'"]/;
 }
 emit "#\n# From the params file\n#" unless $count++;
- if ( $value =~ /[\s()[]/ ) {
+ if ( $value =~ /[\s()[`]/ ) {
 emit "$param='$value'";
 } else {
 emit "$param=$value";
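Review bot: The new guard `next if $value =~ /[\n'"]/;` sits inside the `exists $ENV{$param}` branch, so it only protects values that also exist in the environment; a value that comes from the params file alone and contains a single quote still reaches `emit "$param='$value'"`, where the embedded quote ends the single-quoted word when the generated script is sourced. The unquoted branch `emit "$param=$value"` has the mirror problem: the class `[\s()[`]` enumerates characters that force quoting, but the shell also interprets `;`, `$`, `&`, `|`, `<`, `>` and `*` in an unquoted word, and none of those are listed. It is safer to invert the test — emit unquoted only for a conservative allow-list and otherwise single-quote with embedded `'` rewritten as `'\''`, which is valid in any POSIX shell and so does not depend on which shell processed the params file. The switch from `exists && defined` to `next unless defined` also changes behaviour for a key that exists with an undef value (previously emitted, now skipped); if that is deliberate a one-line comment saying so would help. export_params begins before this hunk and continues past it.
```perl
	# … unchanged: %ENV filtering above …
	emit "#\n# From the params file\n#" unless $count++;

	#
	# Only a conservative allow-list goes out unquoted. Everything
	# else is single-quoted with embedded quotes escaped POSIX-style,
	# which is independent of the shell that read the params file.
	#
	if ( $value =~ /\A[A-Za-z0-9_.\/:@%,+=-]*\z/ ) {
	    emit "$param=$value";
	} else {
	    ( my $quoted = $value ) =~ s/'/'\\''/g;
	    emit "$param='$quoted'";
	}
```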