Bring 4.0 changes to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8271 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-07 00:36:16 +00:00
parent 77be234a24
commit 1e7c0d0947
5 changed files with 26 additions and 9 deletions


@ -1036,12 +1036,13 @@ sub do_proto( $$$ )
PROTO:
{
if ( $proto == TCP || $proto == UDP ) {
if ( $proto == TCP || $proto == UDP || $proto == SCTP ) {
my $multiport = 0;
if ( $ports ne '' ) {
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
$ports = validate_port_list $pname , $ports;
$output .= "-m multiport --dports $ports ";
$multiport = 1;
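Review bot: The new `fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;` runs after the MULTIPORT capability check, so an SCTP rule with a port list on a system without multiport support reports a missing kernel capability instead of the real restriction. Placing the SCTP line first gives the accurate diagnostic. The check also sits inside the `$ports ne ''` branch, so whether an SCTP rule carrying only a source-port list is rejected depends on code outside this hunk and is worth confirming. do_proto's body continues past the visible lines.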


@ -1212,7 +1212,12 @@ sub read_a_line() {
# $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3};
$val = '' unless defined $val;
unless ( defined $val ) {
fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
$val = '';
}
$currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100;
}
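Review bot: The nested `unless ( defined $val ) { fatal_error ... unless exists $ENV{$3}; ... }` hides the reason for the change and leaves `$val = ''` reachable only when the key exists with an undefined value. A comment above it would help, for example `# An unset variable is fatal: expanding it to '' would silently blank the field it appears in`. The check reads more directly as `fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};` placed before `my $val = $ENV{$3};`, with `$val = '' unless defined $val;` kept after it; no pattern match runs in between, so `$3` is still intact. A variable that is set but empty still expands to nothing, so if empty values should also be rejected, that needs its own test. read_a_line starts and ends outside this hunk.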


@ -35,6 +35,7 @@ our @EXPORT = qw( ALLIPv4
TCP
UDP
ICMP
SCTP
validate_address
validate_net
@ -58,7 +59,7 @@ our $VERSION = 4.1.5;
#
our @allipv4 = ( '0.0.0.0/0' );
use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 };
use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 , SCTP => 132 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -1015,6 +1015,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
my $destref;
if ( $source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
$sourcezone = $1;
$source = $2;
} else {
@ -1023,6 +1024,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
if ( $dest =~ /^(.*?):(.*)/ ) {
fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
$destzone = $1;
$dest = $2;
} else {
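Review bot: The added checks reject an empty qualifier after the colon, but the DEST pattern `/^(.*?):(.*)/` still matches an empty zone before it, whereas the SOURCE pattern uses `.+?`. A DEST such as `:addr` therefore passes this hunk with `$destzone` set to ''. Unless that form is deliberately allowed and handled further down, a matching `fatal_error "Missing DEST Zone ($dest)" if $1 eq '';` beside the new line would close the gap. Both hunks sit in the middle of process_rule1, so later validation is not visible here.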


@ -81,17 +81,20 @@ use constant { NOMARK => 0 ,
our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
target => 'CONNMARK --save-mark --mask' ,
mark => SMALLMARK ,
mask => '0xFF'
mask => '0xFF' ,
connmark => 1
} ,
{ match => sub ( $ ) { $_[0] eq 'RESTORE' },
target => 'CONNMARK --restore-mark --mask' ,
mark => SMALLMARK ,
mask => '0xFF'
mask => '0xFF' ,
connmark => 1
} ,
{ match => sub ( $ ) { $_[0] eq 'CONTINUE' },
target => 'RETURN' ,
mark => NOMARK ,
mask => ''
mask => '' ,
connmark => 0
} ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' ,
@ -100,7 +103,8 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark ' ,
mark => HIGHMARK ,
mask => ''
mask => '' ,
connmark => 0
}
);
@ -204,6 +208,8 @@ sub process_tc_rule( $$$$$$$$$$ ) {
$target = $tcsref->{target} if $tcsref->{target};
$mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
} else {
fatal_error "Invalid MARK ($original_mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
@ -228,6 +234,8 @@ sub process_tc_rule( $$$$$$$$$$ ) {
for my $tccmd ( @tccmd ) {
if ( $tccmd->{match}($cmd) ) {
fatal_error "$mark not valid with :C[FPT]" if $connmark;
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
$target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark};
@ -327,9 +335,9 @@ sub validate_tc_device( $$$$$ ) {
}
}
my @redirected;
my @redirected = ();
@redirected = split_list( $redirected , 'device' ) if defined $redirected;
@redirected = split_list( $redirected , 'device' ) if defined $redirected && $redirected ne '-';;
for my $rdevice ( @redirected ) {
fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
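Review bot: The `connmark` key is added to four of the `@tccmd` entries, but the `|` (`MARK --or-mark`) entry lies between the first two hunks and appears to be left without it, so `$tccmd->{connmark}` would be undef there. That still tests false in `require_capability ... if $tccmd->{connmark};`, but adding `connmark => 0` to that entry would keep the table uniform and avoid surprises if the key is later read in a non-boolean context. In the last hunk the new `split_list` line ends in `;;`; the second semicolon is a stray empty statement and can be dropped.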