From 3860a1dc72a214352699380253147082a687ff73 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 26 Jan 2016 16:31:04 -0800 Subject: [PATCH 01/17] Ensure that %origin is populated Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 2dd938be4..fd951d313 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5843,13 +5843,18 @@ sub get_configuration( $$$$ ) { $config{TRACK_RULES} = ''; } else { default_yes_no 'TRACK_RULES' , ''; - $globals{TRACK_RULES} = ''; } } else { - default_yes_no 'TRACK_RULES' , ''; + $config{TRACK_RULES} = ''; } %origin = () unless $globals{TRACK_RULES}; + # + # Ensure that all members of %origin have defined values + # + for ( keys %config ) { + $origin{$_} ||= ''; + } default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; From b4723da07ce546e58e683b311f1827f65c8819b9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 26 Jan 2016 16:45:47 -0800 Subject: [PATCH 02/17] Eliminate $globals{TRACK_GLOBALS} Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 4 ++-- Shorewall/Perl/Shorewall/Config.pm | 10 ++++------ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 0112d5b67..91a0414b5 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2413,7 +2413,7 @@ sub add_ijump_internal( $$$$$;@ ) { my ( $target ) = split ' ', $to; $toref = $chain_table{$fromref->{table}}{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; - $origin ||= $fromref->{origin} if $globals{TRACK_RULES}; + $origin ||= $fromref->{origin} if $config{TRACK_RULES} eq 'File'; } # 
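Review bot: The fill loop at the end of the hunk, `$origin{$_} ||= '';`, also overwrites an origin that is defined but false, whereas the comment above it promises only to supply missing values; `$origin{$_} //= '';` (or `$origin{$_} = '' unless defined $origin{$_};` if the project must stay below Perl 5.10) says exactly that. Naming the loop variable, `for my $key ( keys %config )`, would also keep `$_` out of a sub this large. get_configuration continues outside the hunk.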
@@ -2423,7 +2423,7 @@ sub add_ijump_internal( $$$$$;@ ) { $toref->{referenced} = 1; add_reference $fromref, $toref; $jump = 'j' unless have_capability 'GOTO_TARGET'; - $origin ||= $toref->{origin} if $globals{TRACK_RULES}; + $origin ||= $toref->{origin} if $config{TRACK_RULES} eq 'File'; $ruleref = create_irule ($fromref, $jump => $to, @matches ); } else { $ruleref = create_irule( $fromref, 'j' => $to, @matches ); diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index fd951d313..25c5d8f0c 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -738,7 +738,6 @@ sub initialize( $;$$) { RPFILTER_LOG_TAG => '', INVALID_LOG_TAG => '', UNTRACKED_LOG_TAG => '', - TRACK_RULES => '', ); # # From shorewall.conf file @@ -1212,11 +1211,11 @@ sub shortlineinfo2() { } sub shortlineinfo1( $ ) { - $globals{TRACK_RULES} ? $currentfile ? shortlineinfo2 : $_[0] || '' : ''; + $config{TRACK_RULES} eq 'File' ? $currentfile ? shortlineinfo2 : $_[0] || '' : ''; } sub shortlineinfo( $ ) { - if ( $config{TRACK_RULES} ) { + if ( $config{TRACK_RULES} eq 'Yes' ) { if ( $currentfile ) { my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@'; $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255; @@ -5839,8 +5838,7 @@ sub get_configuration( $$$$ ) { if ( supplied ( $val = $config{TRACK_RULES} ) ) { if ( lc( $val ) eq 'file' ) { - $globals{TRACK_RULES} = 'Yes'; - $config{TRACK_RULES} = ''; + $config{TRACK_RULES} = 'File'; } else { default_yes_no 'TRACK_RULES' , ''; } @@ -5848,7 +5846,7 @@ sub get_configuration( $$$$ ) { $config{TRACK_RULES} = ''; } - %origin = () unless $globals{TRACK_RULES}; + %origin = () unless $config{TRACK_RULES} eq 'File'; # # Ensure that all members of %origin have defined values # From f999acda634cfd9ef819c3128e4b9b00bcf090ba Mon Sep 17 00:00:00 2001 
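Review bot: The comparisons `$config{TRACK_RULES} eq 'File'` added in shortlineinfo1 (Config.pm hunk -1212) and in add_ijump_internal (both Chains.pm hunks of this commit) run against a value that, judging by the `supplied( $val = $config{TRACK_RULES} )` test in hunk -5839, may be undef until get_configuration() has normalized it, and hunk -738 removes the only `''` default for TRACK_RULES visible here. Under `use warnings` any call made before that normalization would emit "Use of uninitialized value in string eq". If those subs can be reached that early, `( $config{TRACK_RULES} || '' ) eq 'File'` or an explicit `''` default in the %config initializer avoids it. The enclosing subs extend beyond the hunks.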
From: Tom Eastep Date: Wed, 27 Jan 2016 10:21:08 -0800 Subject: [PATCH 03/17] Eliminate shortlineinfo1() Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 33 +++++++++++++++++++++--------- Shorewall/Perl/Shorewall/Config.pm | 21 ++++++++++--------- Shorewall/Perl/Shorewall/Misc.pm | 6 ++++-- Shorewall/Perl/Shorewall/Zones.pm | 4 ++-- 4 files changed, 40 insertions(+), 24 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 91a0414b5..f7b3a0681 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -919,7 +919,7 @@ sub set_rule_option( $$$ ) { sub transform_rule( $;\$ ) { my ( $input, $completeref ) = @_; - my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo1( '' ) }; + my $ruleref = { mode => CAT_MODE, matches => [], target => '' , origin => shortlineinfo( '' ) }; my $simple = 1; my $target = ''; my $jump = ''; @@ -1243,6 +1243,19 @@ sub add_commands ( $$;@ ) { $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE ); } +# +# Set the comment member of an irule +# +sub set_irule_comment( $$ ) { + my ( $chainref, $ruleref ) = @_; + + if ( $config{TRACK_RULES} eq 'Yes' ) { + $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $comment; + } else { + $ruleref->{comment} = $comment; + } +} + # # Transform the passed rule and add it to the end of the passed chain's rule list. # @@ -1254,7 +1267,8 @@ sub push_rule( $$ ) { my $complete = 0; my $ruleref = transform_rule( $_[1], $complete ); - $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment; + set_irule_comment( $chainref, $ruleref ); + $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel}; push @{$chainref->{rules}}, $ruleref; 
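Review bot: set_irule_comment (hunk -1243) drops the `|| $ruleref->{comment}` fallback that the replaced lines in create_irule (hunk -1488) and insert_irule (hunk -1686, both further on in this commit) had, so a comment already present on the rule — presumably placed by push_matches(), which runs just before the insert_irule call — is now overwritten by the module-level `$comment`. Keeping the full chain in the helper, `$ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;` in the TRACK_RULES branch and `$ruleref->{comment} ||= $comment;` in the else branch, restores the old precedence; if transform_rule() never sets {comment}, that is a no-op for the push_rule and insert_rule1 callers. The rewrite of this helper in the next commit ("Unify TRACK_RULES handling", hunk -1250) keeps the same shape and therefore the same gap. The header comment could also say the helper serves both irules and text rules, since push_rule and insert_rule1 call it too.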
@@ -1475,7 +1489,7 @@ sub create_irule( $$$;@ ) { ( $target, my $targetopts ) = split ' ', $target, 2; - my $ruleref = { matches => [] , origin => shortlineinfo1( '' ) }; + my $ruleref = { matches => [] , origin => shortlineinfo( '' ) }; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; @@ -1488,7 +1502,7 @@ sub create_irule( $$$;@ ) { $ruleref->{target} = ''; } - $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $ruleref->{comment} || $comment; + set_irule_comment( $chainref, $ruleref ); $iprangematch = 0; @@ -1644,7 +1658,7 @@ sub insert_rule1($$$) my $ruleref = transform_rule( $rule ); - $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment; + set_irule_comment( $chainref, $ruleref ); assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} ); $ruleref->{mode} = CAT_MODE; @@ -1670,7 +1684,7 @@ sub insert_irule( $$$$;@ ) { my ( $chainref, $jump, $target, $number, @matches ) = @_; my $rulesref = $chainref->{rules}; - my $ruleref = { origin => shortlineinfo1( '' ) }; + my $ruleref = { origin => shortlineinfo( '' ) }; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; @@ -1686,8 +1700,7 @@ sub insert_irule( $$$$;@ ) { $chainref->{optflags} |= push_matches( $ruleref, @matches ); } - - $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment; + set_irule_comment( $chainref, $ruleref ); if ( $number >= @$rulesref ) { # @@ -2302,7 +2315,7 @@ sub new_chain($$) references => {}, filtered => 0, optflags => 0, - origin => shortlineinfo1( '' ) || shortlineinfo( '' ), + origin => shortlineinfo( '' ), }; trace( $chainref, 'N', undef, '' ) if $debug; @@ -7931,7 +7944,7 @@ sub emitr( $$ ) { # enter_cat_mode unless $mode == CAT_MODE; - if ( my $origin = $ruleref->{origin} ) { + if ( ( my $origin = $ruleref->{origin} ) && $config{TRACK_RULES} eq 'File' ) { emit_unindented '# ' . $origin; } 
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 25c5d8f0c..9230da579 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -52,7 +52,6 @@ our @EXPORT = qw( assert currentlineinfo shortlineinfo - shortlineinfo1 shortlineinfo2 clear_currentfilename validate_level @@ -1210,23 +1209,25 @@ sub shortlineinfo2() { } } -sub shortlineinfo1( $ ) { - $config{TRACK_RULES} eq 'File' ? $currentfile ? shortlineinfo2 : $_[0] || '' : ''; -} - sub shortlineinfo( $ ) { - if ( $config{TRACK_RULES} eq 'Yes' ) { + if ( my $track = $config{TRACK_RULES} ) { if ( $currentfile ) { - my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@'; - $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255; - $comment = '@@@ Filename Too Long @@@' if length $comment > 255; - $comment; + if ( $track eq 'Yes' ) { + my $comment = '@@@ '. join( ':', $currentfilename, $currentlinenumber ) . ' @@@'; + $comment = '@@@ ' . join( ':' , basename($currentfilename), $currentlinenumber) . ' @@@' if length $comment > 255; + $comment = '@@@ Filename Too Long @@@' if length $comment > 255; + $comment; + } else { + join( ':', $currentfilename, $currentlinenumber ); + } } else { # # Alternate lineinfo may have been passed # $_[0] || '' } + } else { + ''; } } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 26c4d15df..c03c32e32 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
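Review bot: In the rewritten shortlineinfo, the inner `else` treats every true TRACK_RULES value other than 'Yes' as file mode and returns a bare `filename:linenumber`; testing `elsif ( $track eq 'File' )` and letting anything else fall through to `''` keeps an unexpected setting from silently changing the output format. The result is delivered as the last expression of nested if/else blocks, which works but is easy to misread; explicit `return` statements at each leaf would make the contract visible. `$_[0]` could be unpacked into a named parameter at the top, as the other subs in this file do.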
@@ -107,13 +107,15 @@ sub setup_ecn() fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; - $interfaces{$interface} ||= shortlineinfo1( '' ); + my $lineinfo = shortlineinfo( '' ); + + $interfaces{$interface} ||= $lineinfo; $hosts = ALLIP if $hosts eq '-'; for my $host( split_list $hosts, 'address' ) { validate_host( $host , 1 ); - push @hosts, [ $interface, shortlineinfo1( '' ), $host ]; + push @hosts, [ $interface, $lineinfo, $host ]; } } diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 44fa74b43..7f93debf8 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -894,7 +894,7 @@ sub add_group_to_zone($$$$$$) hosts => \@newnetworks, ipsec => $type & IPSEC ? 'ipsec' : 'none' , exclusions => \@exclusions , - origin => shortlineinfo1( '' ) , + origin => shortlineinfo( '' ) , }; if ( $type != IPSEC ) { @@ -1397,7 +1397,7 @@ sub process_interface( $$ ) { physical => $physical , base => var_base( $physical ), zones => {}, - origin => shortlineinfo1('') || shortlineinfo( '' ), + origin => shortlineinfo( '' ), wildcard => $wildcard, }; From 57288086bf55a6f520d985f8762001cff5d0b7c3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 27 Jan 2016 12:55:21 -0800 Subject: [PATCH 04/17] Unify TRACK_RULES handling Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index f7b3a0681..79ac87943 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -1250,7 +1250,7 @@ sub set_irule_comment( $$ ) { my ( $chainref, $ruleref ) = @_; if ( $config{TRACK_RULES} eq 'Yes' ) { - $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $comment; + $ruleref->{comment} = $ruleref->{origin} || $comment; } else { $ruleref->{comment} = $comment; } @@ -1489,7 +1489,7 @@ sub create_irule( $$$;@ ) { ( $target, my $targetopts ) = split ' ', $target, 2; - my $ruleref = { matches => [] , origin => shortlineinfo( '' ) }; + my $ruleref = { matches => [] , origin => shortlineinfo( $chainref->{origin} ) }; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; @@ -1684,7 +1684,7 @@ sub insert_irule( $$$$;@ ) { my ( $chainref, $jump, $target, $number, @matches ) = @_; my $rulesref = $chainref->{rules}; - my $ruleref = { origin => shortlineinfo( '' ) }; + my $ruleref = { origin => shortlineinfo( $chainref->{origin} ) }; $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE; @@ -2446,7 +2446,7 @@ sub add_ijump_internal( $$$$$;@ ) { $fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to}; } - $ruleref->{origin} ||= $origin; + $ruleref->{origin} = $origin if $origin; $expandports ? handle_port_ilist( $fromref, $ruleref, 1 ) : push_irule( $fromref, $ruleref ); } From 039fd6ddd88b835e945ac301b1c77548f45c303a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 27 Jan 2016 14:24:56 -0800 Subject: [PATCH 05/17] Move origin handling into log_[i]rule_limit Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 30 ++++---- Shorewall/Perl/Shorewall/Misc.pm | 116 ++++++++++++++--------------- Shorewall/Perl/Shorewall/Rules.pm | 35 ++++----- 3 files changed, 89 insertions(+), 92 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 79ac87943..9aad6a295 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
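Review bot: After this change the {origin} member carries two different formats and nothing in the code says so: with TRACK_RULES=Yes shortlineinfo() (previous commit) returns the '@@@ file:line @@@' comment text, which set_irule_comment (hunk -1250) now copies into {comment}, while with TRACK_RULES=File it is a bare file:line that emitr() prints as a '# ' line. A comment on set_irule_comment would save the next reader a trip through Config.pm: `# Under TRACK_RULES=Yes shortlineinfo() has already formatted {origin} as the iptables comment; under File it is plain file:line for emitr().` The switch from `||=` to `$ruleref->{origin} = $origin if $origin;` in add_ijump_internal (hunk -2446) also means an explicit origin now overrides the one create_irule derived from the chain, which deserves a word in the same place.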
@@ -2426,7 +2426,7 @@ sub add_ijump_internal( $$$$$;@ ) { my ( $target ) = split ' ', $to; $toref = $chain_table{$fromref->{table}}{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; - $origin ||= $fromref->{origin} if $config{TRACK_RULES} eq 'File'; + $origin ||= $fromref->{origin} if $config{TRACK_RULES}; } # @@ -2436,7 +2436,7 @@ sub add_ijump_internal( $$$$$;@ ) { $toref->{referenced} = 1; add_reference $fromref, $toref; $jump = 'j' unless have_capability 'GOTO_TARGET'; - $origin ||= $toref->{origin} if $config{TRACK_RULES} eq 'File'; + $origin ||= $toref->{origin} if $config{TRACK_RULES}; $ruleref = create_irule ($fromref, $jump => $to, @matches ); } else { $ruleref = create_irule( $fromref, 'j' => $to, @matches ); @@ -2752,7 +2752,7 @@ sub ensure_manual_chain($) { $chainref; } -sub log_irule_limit( $$$$$$$@ ); +sub log_irule_limit( $$$$$$$$@ ); sub ensure_blacklog_chain( $$$$$ ) { my ( $target, $disposition, $level, $tag, $audit ) = @_; @@ -2763,7 +2763,7 @@ sub ensure_blacklog_chain( $$$$$ ) { $target =~ s/A_//; $target = 'reject' if $target eq 'REJECT'; - log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' ); + log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, g => $target ); @@ -2778,7 +2778,7 @@ sub ensure_audit_blacklog_chain( $$$ ) { unless ( $filter_table->{A_blacklog} ) { my $logchainref = new_manual_chain 'A_blacklog'; - log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' ); + log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' ); add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ); 
@@ -4286,7 +4286,8 @@ sub logchain( $$$$$$ ) { $disposition , [] , $logtag, - 'add' ); + 'add', + '' ); add_jump( $logchainref, $target, 0, $exceptionrule ); } @@ -6245,8 +6246,8 @@ sub do_ipsec($$) { # # Generate a log message # -sub log_rule_limit( $$$$$$$$ ) { - my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_; +sub log_rule_limit( $$$$$$$$;$ ) { + my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_; my $prefix = ''; my $chain = get_action_chain_name || $chn; @@ -6339,11 +6340,13 @@ sub log_rule_limit( $$$$$$$$ ) { $ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix ); } + $ruleref->{origin} = $origin if $origin; + $ruleref; } -sub log_irule_limit( $$$$$$$@ ) { - my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_; +sub log_irule_limit( $$$$$$$$@ ) { + my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_; my $prefix = ''; my %matches; @@ -6431,7 +6434,7 @@ sub log_irule_limit( $$$$$$$@ ) { } if ( $command eq 'add' ) { - add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches ); + add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches ); } else { insert_ijump ( $chainref, j => $prefix, 0 , @matches ); } @@ -6446,7 +6449,7 @@ sub log_rule( $$$$ ) { sub log_irule( $$$;@ ) { my ( $level, $chainref, $disposition, @matches ) = @_; - log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches; + log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches; } # @@ -7456,7 +7459,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) { $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ), [] , $logtag , - 'add' ) + 'add' , + '' ) if $loglevel; # # Generate Final Rule 
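Review bot: In log_irule_limit (hunk -6431) the new `$origin` argument reaches add_ijump_internal only on the 'add' path; the 'insert' branch still calls `insert_ijump ( $chainref, j => $prefix, 0 , @matches );` and the origin is dropped. If insert_ijump returns the rule, `insert_ijump( $chainref, j => $prefix, 0 , @matches )->{origin} = $origin if $origin;` closes the gap; otherwise the asymmetry should at least be stated in a comment. log_rule_limit (hunk -6245) handles both commands uniformly via `$ruleref->{origin} = $origin if $origin;`, so its header comment "# Generate a log message" is the place to document the new parameter, e.g. `# $origin, when non-empty, replaces the rule's {origin} (the file:line reported by TRACK_RULES)`; log_irule_limit has no header comment and should get the same. Both subs continue outside the hunks.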
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index c03c32e32..cfdcf9a3a 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -673,17 +673,15 @@ sub add_common_rules ( $ ) { # $chainref = new_standard_chain 'sfilter'; - if ( $level ne '' ) { - my $ruleref = log_rule_limit( $level, - $chainref, - $chainref->{name}, - $policy, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ); - $ruleref->{origin} = $origin{SFILTER_LOG_LEVEL}; - } + log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '', + $origin{SFILTER_LOG_LEVEL} ) if $level ne ''; add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; @@ -704,17 +702,15 @@ sub add_common_rules ( $ ) { add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); - if ( $level ne '' ) { - my $ruleref = log_rule_limit( $level, - $chainref, - $chainref->{name}, - $policy, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ); - $ruleref->{origin} = $origin; - } + log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '' , + $origin ) if $level ne ''; add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit; @@ -791,17 +787,15 @@ sub add_common_rules ( $ ) { # $chainref = ensure_mangle_chain 'rplog'; - if ( $level ne '' ) { - my $ruleref = log_rule_limit( $level, - $chainref, - $chainref->{name}, - $policy, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ); - $ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL}; - } + log_rule_limit( $level, + $chainref, + $chainref->{name}, + $policy, + $globals{LOGLIMIT}, + $tag, + 'add', + '', + $origin{RPFILTER_LOG_LEVEL} ); add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit; 
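Review bot: The rplog call (third hunk, -791) loses the `if ( $level ne '' )` guard that the replaced block had: the two sfilter calls above it keep `if $level ne ''` as a statement modifier, but the new `log_rule_limit( ... $origin{RPFILTER_LOG_LEVEL} );` runs unconditionally, so an empty RPFILTER_LOG_LEVEL now reaches log_rule_limit. Unless $level is already known to be non-empty at that point, which the surrounding context does not show, the modifier should be restored: `$origin{RPFILTER_LOG_LEVEL} ) if $level ne '';`. add_common_rules continues outside all of these hunks.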
@@ -860,15 +854,14 @@ sub add_common_rules ( $ ) { if ( supplied $config{SMURF_LOG_LEVEL} ) { my $smurfref = new_chain( 'filter', 'smurflog' ); - my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL}, - $smurfref, - 'smurfs' , - 'DROP', - $globals{LOGILIMIT}, - $globals{SMURF_LOG_TAG}, - 'add' ); - - $ruleref->{origin} = $origin{SMURF_LOG_LEVEL}; + log_irule_limit( $config{SMURF_LOG_LEVEL}, + $smurfref, + 'smurfs' , + 'DROP', + $globals{LOGILIMIT}, + $globals{SMURF_LOG_TAG}, + 'add', + $origin{SMURF_LOG_LEVEL} ); add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; @@ -1015,16 +1008,15 @@ sub add_common_rules ( $ ) { $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options "; - my $ruleref = log_rule_limit( $level, - $logflagsref, - 'logflags', - $disposition, - $globals{LOGLIMIT}, - $tag, - 'add', - '' ); - - $ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL}; + log_rule_limit( $level, + $logflagsref, + 'logflags', + $disposition, + $globals{LOGLIMIT}, + $tag, + 'add', + '' , + $origin{TCP_FLAGS_LOG_LEVEL} ); $globals{LOGPARMS} = $savelogparms; @@ -1301,7 +1293,7 @@ sub setup_mac_lists( $ ) { run_user_exit2( 'maclog', $chainref ); - log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne ''; + log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne ''; add_ijump $chainref, j => $target; } } @@ -2280,15 +2272,15 @@ sub generate_matrix() { for my $table ( qw/mangle nat filter/ ) { for my $chain ( @{$builtins{$table}} ) { - my $ruleref = log_rule_limit( $config{LOGALLNEW} , - $chain_table{$table}{$chain} , - $table , - $chain , - '' , - '' , - 'insert' , - state_match('NEW') ); - $ruleref->{origin} = $origin; + log_rule_limit( $config{LOGALLNEW} , + $chain_table{$table}{$chain} , + $table , + $chain , + '' , + '' , + 'insert' , + state_match('NEW') , + $origin ); } } } 
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 0f467e0f3..a38489ca0 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -975,7 +975,8 @@ sub setup_syn_flood_chains() { 'DROP', @{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] , '' , - 'add' ) + 'add', + '' ) if $level ne ''; add_ijump $synchainref, j => 'DROP'; } @@ -1547,11 +1548,11 @@ sub dropBcast( $$$$ ) { if ( have_capability( 'ADDRTYPE' ) ) { if ( $level ne '' ) { - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); + log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' ); if ( $family == F_IPV4 ) { - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' ); + log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' ); } else { - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ); + log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ); } } 
@@ -1564,17 +1565,17 @@ sub dropBcast( $$$$ ) { } incr_cmd_level $chainref; - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne ''; add_ijump $chainref, j => $target, d => '$address'; decr_cmd_level $chainref; add_commands $chainref, 'done'; } if ( $family == F_IPV4 ) { - log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne ''; + log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne ''; add_ijump $chainref, j => $target, d => '224.0.0.0/4'; } else { - log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; + log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; add_ijump $chainref, j => $target, d => IPv6_MULTICAST; } } @@ -1586,8 +1587,8 @@ sub allowBcast( $$$$ ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) { if ( $level ne '' ) { - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' ); - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ); + log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' ); + log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' ); } add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST'; 
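Review bot: In the allowBcast hunk (-1586) the second call reads `'add', ''. d => '224.0.0.0/4'` — a period where a comma was intended. Perl parses `''. d` as the concatenation `'' . 'd'` (the fat comma quotes the bareword, so it compiles cleanly under strict), which means log_irule_limit receives 'd' as its `$origin` and a lone `'224.0.0.0/4'` as the match list, misaligning every following key/value pair; the line should be `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );`. The `''` placeholder inserted before the variadic @matches in every caller of log_irule_limit is exactly the kind of positional argument a slip like this hides in.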
@@ -1599,17 +1600,17 @@ sub allowBcast( $$$$ ) { } incr_cmd_level $chainref; - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne ''; add_ijump $chainref, j => $target, d => '$address'; decr_cmd_level $chainref; add_commands $chainref, 'done'; } if ( $family == F_IPV4 ) { - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne ''; add_ijump $chainref, j => $target, d => '224.0.0.0/4'; } else { - log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne ''; + log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne ''; add_ijump $chainref, j => $target, d => IPv6_MULTICAST; } } @@ -1619,7 +1620,7 @@ sub dropNotSyn ( $$$$ ) { my $target = require_audit( 'DROP', $audit ); - log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne ''; add_ijump $chainref , j => $target, p => '6 ! --syn'; } @@ -1634,7 +1635,7 @@ sub rejNotSyn ( $$$$ ) { $target = require_audit( 'REJECT' , $audit ); } - log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne ''; + log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne ''; add_ijump $chainref , j => $target, p => '6 ! --syn'; } 
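Review bot: In the allowBcast hunk (-1599) the IPv6 branch passes `''` as the limit argument, `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST )`, while every sibling call here and in dropBcast passes `[]`, and the other limit values in these hunks ($globals{LOGILIMIT}) are array references. This predates the commit, but if log_irule_limit dereferences `$limit` as an array, an IPv6 allowBcast with a log level would die under strict refs; passing `[]` removes the inconsistency either way.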
@@ -1650,8 +1651,8 @@ sub allowinUPnP ( $$$$ ) { my $target = require_audit( 'ACCEPT', $audit ); if ( $level ne '' ) { - log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' ); - log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' ); + log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' ); + log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' ); } add_ijump $chainref, j => $target, p => '17 --dport 1900'; @@ -1688,7 +1689,7 @@ sub Limit( $$$$ ) { if ( $level ne '' ) { my $xchainref = new_chain 'filter' , "$chainref->{name}%"; - log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' ); + log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' ); add_ijump $xchainref, j => 'DROP'; add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count"; } else { From 6e9d5f45ec389230cfb9b6a043ef79e468faa1f6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 27 Jan 2016 16:50:03 -0800 Subject: [PATCH 06/17] Avoid spurious comment in jump to interface option chains. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 9aad6a295..43e669bb2 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -7835,9 +7835,10 @@ sub add_interface_options( $ ) { } else { for my $interface ( @input_interfaces ) { $chain1ref = $input_chains{$interface}; - add_ijump ( $chainref , - j => $chain1ref->{name}, - @input_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}}; + my $ruleref = add_ijump ( $chainref , + j => $chain1ref->{name}, + @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ); + $ruleref->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}} && $config{TRACK_RULES} eq 'Yes'; } } } else { From 86f2e23f3306b3288d9cfe7728255a3475758428 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 27 Jan 2016 19:01:23 -0800 Subject: [PATCH 07/17] Invoke add_irule_extended rather than a hack that predated that function Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 43e669bb2..7ab4faa0d 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -7835,10 +7835,10 @@ sub add_interface_options( $ ) { } else { for my $interface ( @input_interfaces ) { $chain1ref = $input_chains{$interface}; - my $ruleref = add_ijump ( $chainref , - j => $chain1ref->{name}, - @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ); - $ruleref->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}} && $config{TRACK_RULES} eq 'Yes'; + add_ijump_extended ( $chainref , + j => $chain1ref->{name}, + interface_origin( $interface ) , + @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ); } } } else { 
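Review bot: The rewritten loop (hunk -7835) calls `add_ijump` unconditionally and applies `if @{$chain1ref->{rules}}` only to the comment assignment, whereas the replaced single statement ran add_ijump itself under that modifier, so jumps to interface chains that hold no rules are now generated. The follow-up commit "Invoke add_irule_extended …" keeps that behaviour in both of its hunks (-7835 and -7851, the latter for @forward_interfaces). Unless dropping empty-chain jumps is now left to a later optimisation pass, the guard belongs on the call: `next unless @{$chain1ref->{rules}};` before the add_ijump. add_interface_options continues outside the hunk.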
@@ -7851,7 +7851,10 @@ sub add_interface_options( $ ) { } else { for my $interface ( @forward_interfaces ) { $chain1ref = $forward_chains{$interface}; - add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () )->{comment} = interface_origin( $interface ) if @{$chain1ref->{rules}}; + add_ijump_extended( $chainref , + j => $chain1ref->{name}, + interface_origin( $interface ) , + @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ); } } } From 94442abfcfc6378114c6281c269f7163a1726a39 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 10:34:16 -0800 Subject: [PATCH 08/17] Correct check for duplicate interface in providers Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 1be02f4c7..056c29e07 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -650,7 +650,7 @@ sub process_a_provider( $ ) { $balance = $default_balance unless $balance; - fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; + fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface}; if ( $duplicate ne '-' ) { fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; From 48df3d96271b4b539cd9009cd2138b31713b7902 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 10:34:36 -0800 Subject: [PATCH 09/17] Add origin member to the providers table Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 056c29e07..0c848f5db 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
@@ -144,20 +144,21 @@ sub setup_route_marking() { my $interface = $providerref->{interface}; my $physical = $providerref->{physical}; my $mark = $providerref->{mark}; + my $origin = $providerref->{origin}; unless ( $marked_interfaces{$interface} ) { - add_ijump $mangle_table->{PREROUTING} , j => $chainref, i => $physical, mark => "--mark 0/$mask"; - add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark $mark/$mask"; - add_ijump $mangle_table->{OUTPUT} , j => $chainref2, mark => "--mark $mark/$mask"; + add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref, $origin, i => $physical, mark => "--mark 0/$mask"; + add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark $mark/$mask"; + add_ijump_extended $mangle_table->{OUTPUT} , j => $chainref2, $origin, mark => "--mark $mark/$mask"; $marked_interfaces{$interface} = 1; } if ( $providerref->{shared} ) { add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; - add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; + add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional}; } else { - add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ); + add_ijump_extended $chainref, j => 'MARK', $origin, targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ); } } 
@@ -699,6 +700,7 @@ sub process_a_provider( $ ) { persistent_routes => [], routedests => {} , persistent => $persistent, + origin => shortlineinfo( '' ), }; $provider_interfaces{$interface} = $table unless $shared; From 6085c6092f3e70ffa19eb7442d7d172fcd588fb5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 10:58:09 -0800 Subject: [PATCH 10/17] Add origin comments to command-mode rules Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 7ab4faa0d..1f9fb4601 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -7952,7 +7952,7 @@ sub emitr( $$ ) { # enter_cat_mode unless $mode == CAT_MODE; - if ( ( my $origin = $ruleref->{origin} ) && $config{TRACK_RULES} eq 'File' ) { + if ( $config{TRACK_RULES} eq 'File' && ( my $origin = $ruleref->{origin} ) ) { emit_unindented '# ' . $origin; } @@ -7966,6 +7966,9 @@ sub emitr( $$ ) { if ( exists $ruleref->{cmd} ) { emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} ); } else { + if ( $config{TRACK_RULES} eq 'File' && ( my $origin = $ruleref->{origin} ) ) { + emit join( '', ' ' x $ruleref->{cmdlevel} , '# ' , $origin ); + } # # Must preserve quotes in the rule # From d4bea3d3ec860ecbb89f7c025894224ba271ade5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 11:38:48 -0800 Subject: [PATCH 11/17] Optimize TRACK_RULES handling in the Chains module Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 1f9fb4601..873f9bb35 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
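Review bot: In the command-mode branch of emitr (the second Chains.pm hunk of this commit), `$origin` is written verbatim into the generated script as a `#` comment line, so it stays a comment only while the origin text holds no newline; origin values appear to be built from a file name and line number (process_a_provider stores `shortlineinfo( '' )`), so this holds in practice, but nothing at the emit enforces or documents it. A short comment above the emit, `# origin is a single file:line token; a newline in it would end the shell comment`, records the invariant, and if a guard is wanted `$origin =~ tr/\r\n/  /;` before the emit is enough. The same applies to the emit_unindented line in the first hunk. Both hunks sit inside emitr, whose body continues outside them.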
@@ -1249,7 +1249,9 @@ sub add_commands ( $$;@ ) { sub set_irule_comment( $$ ) { my ( $chainref, $ruleref ) = @_; - if ( $config{TRACK_RULES} eq 'Yes' ) { + our $rule_comments; + + if ( $rule_comments ) { $ruleref->{comment} = $ruleref->{origin} || $comment; } else { $ruleref->{comment} = $comment; @@ -2409,7 +2411,7 @@ sub add_ijump_internal( $$$$$;@ ) { return $dummyrule if $fromref->{complete}; - our $splitcount; + our ( $splitcount, $file_comments, $rule_comments ); my $toref; my $ruleref; @@ -2426,7 +2428,7 @@ sub add_ijump_internal( $$$$$;@ ) { my ( $target ) = split ' ', $to; $toref = $chain_table{$fromref->{table}}{$target}; fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target}; - $origin ||= $fromref->{origin} if $config{TRACK_RULES}; + $origin ||= $fromref->{origin} if $file_comments || $rule_comments; } # @@ -2436,7 +2438,7 @@ sub add_ijump_internal( $$$$$;@ ) { $toref->{referenced} = 1; add_reference $fromref, $toref; $jump = 'j' unless have_capability 'GOTO_TARGET'; - $origin ||= $toref->{origin} if $config{TRACK_RULES}; + $origin ||= $toref->{origin} if $file_comments || $rule_comments; $ruleref = create_irule ($fromref, $jump => $to, @matches ); } else { $ruleref = create_irule( $fromref, 'j' => $to, @matches ); @@ -2992,6 +2994,9 @@ sub initialize_chain_table($) { $globals{iLOGLIMIT} = ( $ruleref->{hashlimit} ? [ hashlimit => $ruleref->{hashlimit} ] : $ruleref->{limit} ? [ limit => $ruleref->{limit} ] : [] ); + + our $file_comments = $config{TRACK_RULES} eq 'File'; + our $rule_comments = $config{TRACK_RULES} eq 'Yes'; } # @@ -7943,6 +7948,8 @@ sub enter_cmd_mode() { sub emitr( $$ ) { my ( $chainref, $ruleref ) = @_; + our $file_comments; + assert( $chainref ); if ( $ruleref ) { 
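Review bot: `$file_comments` and `$rule_comments` are introduced as package globals through separate `our` declarations inside set_irule_comment, add_ijump_internal, initialize_chain_table and emitr, and they only receive a value when initialize_chain_table runs; any call into add_ijump_internal or set_irule_comment before that point would silently see undef and skip origin tracking, which the `$config{TRACK_RULES}` tests being replaced did not. Declaring them once at file scope next to the module's other globals, `our ( $file_comments, $rule_comments );` with `# Cached TRACK_RULES mode ('File' / 'Yes'): set by initialize_chain_table, read by rule creation and emitr`, removes the four repeated `our` lines and makes the initialisation order visible. Whether anything creates rules before initialize_chain_table is not visible here. All four enclosing subs start outside their hunks.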
@@ -7952,7 +7959,7 @@ sub emitr( $$ ) { # enter_cat_mode unless $mode == CAT_MODE; - if ( $config{TRACK_RULES} eq 'File' && ( my $origin = $ruleref->{origin} ) ) { + if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) { emit_unindented '# ' . $origin; } @@ -7966,7 +7973,7 @@ sub emitr( $$ ) { if ( exists $ruleref->{cmd} ) { emit join( '', ' ' x $ruleref->{cmdlevel}, $ruleref->{cmd} ); } else { - if ( $config{TRACK_RULES} eq 'File' && ( my $origin = $ruleref->{origin} ) ) { + if ( $file_comments && ( my $origin = $ruleref->{origin} ) ) { emit join( '', ' ' x $ruleref->{cmdlevel} , '# ' , $origin ); } # From 95a029316ad04c2303f4d53c42e4a064f066e3d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 12:51:23 -0800 Subject: [PATCH 12/17] Improve get_keys*() Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 873f9bb35..22448cdef 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -3724,7 +3724,7 @@ sub get_multi_sports( $ ) { } # -# Return an array of keys for the passed rule. 'dport' and 'comment' are omitted; +# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted; # sub get_keys( $ ) { my %skip = ( dport => 1, comment => 1, origin => 1 ); @@ -4002,10 +4002,12 @@ sub get_conntrack( $ ) { } # -# Return an array of keys for the passed rule. 'conntrack' and 'comment' are omitted; +# Return an array of keys for the passed rule. 'conntrack', 'comment' & origin are omitted; # sub get_keys1( $ ) { - sort grep $_ ne 'conntrack --ctstate' && $_ ne 'comment' && $_ ne 'origin', keys %{$_[0]}; + my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 ); + + sort grep ! $skip{$_}, keys %{$_[0]}; } # From 9188f7efa3ecdf0d5c2a01a8f0d1e0ee7cc67d90 Mon Sep 17 00:00:00 2001 
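Review bot: The rewritten comment above get_keys1 quotes 'conntrack' and 'comment' but leaves origin bare and uses `&`, and it names the skipped key as `conntrack` while the `%skip` entry is the full match name `'conntrack --ctstate'`; the sibling comment on get_keys in the previous hunk reads `'dport', 'comment', and 'origin' are omitted;`, so make the two parallel: `# Return an array of keys for the passed rule. 'conntrack --ctstate', 'comment' and 'origin' are omitted;`. Both subs now construct an identical-shaped `%skip` hash on every call; a file-scope `my %skip_keys1 = ( ... );` per variant would avoid that, though the cost is small. get_keys1 is shown in full; get_keys's body continues past its hunk.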
From: Tom Eastep Date: Thu, 28 Jan 2016 13:38:26 -0800 Subject: [PATCH 13/17] Don't export shortlineinfo2 Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 1 - 1 file changed, 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 9230da579..9c516404e 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -52,7 +52,6 @@ our @EXPORT = qw( assert currentlineinfo shortlineinfo - shortlineinfo2 clear_currentfilename validate_level From 2cd098ba3102a70a9699e30b1ff7c84f16af93d0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 13:46:34 -0800 Subject: [PATCH 14/17] Update heading versions and copyrights Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/ARP.pm | 2 +- Shorewall/Perl/Shorewall/Accounting.pm | 4 ++-- Shorewall/Perl/Shorewall/Chains.pm | 4 ++-- Shorewall/Perl/Shorewall/Compiler.pm | 4 ++-- Shorewall/Perl/Shorewall/Config.pm | 4 ++-- Shorewall/Perl/Shorewall/IPAddrs.pm | 4 ++-- Shorewall/Perl/Shorewall/Misc.pm | 4 ++-- Shorewall/Perl/Shorewall/Nat.pm | 4 ++-- Shorewall/Perl/Shorewall/Proc.pm | 4 ++-- Shorewall/Perl/Shorewall/Providers.pm | 4 ++-- Shorewall/Perl/Shorewall/Proxyarp.pm | 4 ++-- Shorewall/Perl/Shorewall/Raw.pm | 4 ++-- Shorewall/Perl/Shorewall/Rules.pm | 4 ++-- Shorewall/Perl/Shorewall/Tc.pm | 4 ++-- Shorewall/Perl/Shorewall/Tunnels.pm | 4 ++-- 15 files changed, 29 insertions(+), 29 deletions(-) diff --git a/Shorewall/Perl/Shorewall/ARP.pm b/Shorewall/Perl/Shorewall/ARP.pm index 1fd276a23..b0afab2d6 100644 --- a/Shorewall/Perl/Shorewall/ARP.pm +++ b/Shorewall/Perl/Shorewall/ARP.pm @@ -1,5 +1,5 @@ # -# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm +# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 12f5cdee3..55de50324 100644 
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 22448cdef..f47ae7387 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 6facf29cd..396ec2008 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-# The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
+# The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9c516404e..ae5a2e9ef 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Config.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Config.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index d6d9c0ab2..c9d6abb1b 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index cfdcf9a3a..f49925759 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 172f58e2f..8ac681fc5 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm
index 53d47256a..725941a87 100644
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 0c848f5db..d03fe1499 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Proxyarp.pm b/Shorewall/Perl/Shorewall/Proxyarp.pm
index 05124a6b6..f930bf9a2 100644
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index a55b89e31..34b51a23e 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a38489ca0..b02f6005c 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Rules.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Rules.pm
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index c9e6f8ca2..62950d8e6 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1,9 +1,9 @@ # -# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tc.pm +# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net) +# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net) # # Traffic Control is from tc4shorewall Version 0.5 # (c) 2005 Arne Bernin diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index a8e9178f1..92fd9eeb8 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -1,8 +1,8 @@ # -# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm +# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tunnels.pm # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net) +# (c) 2007-2016 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # From 2a56f50d9958bc330322e6cdc0968e2893227711 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Jan 2016 13:52:25 -0800 Subject: [PATCH 15/17] Update documentation index for 5.0 Signed-off-by: Tom Eastep --- docs/Documentation_Index.xml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 277b305a9..08881f7d9 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -5,7 +5,7 @@ - Shorewall 4.4/4.5/4.6 Documentation + Shorewall 4.4/4.5/4.6/5.0 Documentation @@ -18,7 +18,7 @@ - 2001-2014 + 2001-2016 Thomas M. Eastep @@ -327,7 +327,7 @@ Port Knocking (deprecated) - + @@ -337,7 +337,7 @@ Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - + @@ -345,7 +345,7 @@ PPTP - + @@ -354,7 +354,7 @@ Proxy ARP - + @@ -364,7 +364,7 @@ QuickStart Guides - + @@ -373,7 +373,7 @@ Release Model - + 
@@ -382,7 +382,7 @@ Requirements - + @@ -391,7 +391,7 @@ Routing and Shorewall - + @@ -400,7 +400,7 @@ Routing on One Interface - + @@ -408,7 +408,7 @@ Samba - + @@ -417,7 +417,7 @@ Shorewall Events - + @@ -427,7 +427,7 @@ Shorewall Init - + @@ -437,7 +437,7 @@ Shorewall Lite - + From 28983a0194dc0ec0152729789ef6e0750f0315ef Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 31 Jan 2016 09:29:24 -0800 Subject: [PATCH 16/17] Add comment describing the origin member of a rule Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index f47ae7387..ef75bdc3c 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -623,9 +623,12 @@ our %ipset_exists; # Omitted, if target is ''. # target => Rule target, if jump is 'j' or 'g'. # targetopts => Target options. Only included if non-empty +# matches => List of matches in the rule #