Add IPSET_WARNINGS option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-03-18 13:36:23 -07:00 · 2012-03-18 13:36:23 -07:00 · 15ca0fd1f0
commit 15ca0fd1f0
parent 955a9f0051
14 changed files with 101 additions and 29 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -4483,20 +4483,26 @@ sub get_set_flags( $$ ) {
 	my @options = split /,/, $options;
 	my %typemap = ( src => 'Source', dst => 'Destination' );

-	for ( @options ) {
-	    warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	if ( $config{IPSET_WARNINGS} ) {
+	    for ( @options ) {
+		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    }
 	}
    }

    $setname =~ s/^\+//;

-    unless ( $export || $> != 0 ) {
-	unless ( $ipset_exists{$setname} ) {
-	    warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
-	}

-	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+    if ( $config{IPSET_WARNINGS} ) {
+	unless ( $export || $> != 0 ) {
+	    unless ( $ipset_exists{$setname} ) {
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    }
+
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	}
    }
+
    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;

    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -568,6 +568,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
+	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@ -3866,6 +3867,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
+    default_yes_no 'IPSET_WARNINGS'             , 'Yes';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -2092,14 +2115,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
-          created to provide a better alternative to clearing the packet mark.
-          As a consequence, passing these packets to PREROUTING complicates
-          things without providing any real benefit. Beginning with Shorewall
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          through 'tracked' interfaces will not be passed to the PREROUTING
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          change should be transparent to most, if not all, users.</para>
+          those added for VPNs) to be effective. The rtrules file was created
+          to provide a better alternative to clearing the packet mark. As a
+          consequence, passing these packets to PREROUTING complicates things
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          'tracked' interfaces will not be passed to the PREROUTING rules.
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -756,6 +756,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1809,15 +1832,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
          those added for VPNs) to be effective. The <ulink
-          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-          file was created to provide a better alternative to clearing the
-          packet mark. As a consequence, passing these packets to PREROUTING
-          complicates things without providing any real benefit. Beginning
-          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
-          packets arriving through 'tracked' interfaces will not be passed to
-          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
-          4.4.3, this change should be transparent to most, if not all,
-          users.</para>
+          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
+          created to provide a better alternative to clearing the packet mark.
+          As a consequence, passing these packets to PREROUTING complicates
+          things without providing any real benefit. Beginning with Shorewall
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          through 'tracked' interfaces will not be passed to the PREROUTING
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          change should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

@ -1977,10 +1999,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>