From 3870157898dd1df8ed90fa5ac62d6eaeec516c5b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 24 Nov 2013 07:58:02 -0800
Subject: [PATCH] Issue warning on bare SECTION headings.
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Accounting.pm | 1 +
Shorewall/Perl/Shorewall/Config.pm | 10 ++++++++++
Shorewall/Perl/Shorewall/Rules.pm | 3 +--
Shorewall/Samples/Universal/rules | 12 ++++++------
Shorewall/Samples/one-interface/rules | 12 ++++++------
Shorewall/Samples/three-interfaces/rules | 12 ++++++------
Shorewall/Samples/two-interfaces/rules | 12 ++++++------
Shorewall/configfiles/rules | 12 ++++++------
Shorewall/manpages/shorewall-accounting.xml | 6 +++++-
Shorewall/manpages/shorewall-rules.xml | 8 ++++++--
Shorewall6/Samples6/Universal/rules | 8 ++++----
Shorewall6/Samples6/one-interface/rules | 8 ++++----
Shorewall6/Samples6/three-interfaces/rules | 8 ++++----
Shorewall6/Samples6/two-interfaces/rules | 8 ++++----
Shorewall6/manpages/shorewall6-accounting.xml | 6 +++++-
Shorewall6/manpages/shorewall6-rules.xml | 8 ++++++--
16 files changed, 80 insertions(+), 54 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 21eb1b750..d12ffca60 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -432,6 +432,7 @@ sub process_accounting_rule( ) {
 fatal_error 'ACTION must be specified' if $action eq '-';
 if ( $action eq 'SECTION' ) {
+ section_warning;
 process_section( $chain );
 } else {
 for my $proto ( split_list $protos, 'Protocol' ) {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b0f80cde4..76daab6f2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -153,6 +153,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 macro_comment
 dump_mark_layout
 set_section_function
+ section_warning
 clear_section_function
 $product
@@ -551,6 +552,7 @@ our $nocomment; # When true, ignore [?]COMMENT in the current file
 our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
 our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated
 our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
+our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
 our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
@@ -683,6 +685,7 @@ sub initialize( $;$$) {
 $warningcount = 0;
 $warningcount1 = 0;
 $warningcount2 = 0;
+ $warningcount3 = 0;
 #
 # Misc Globals
 #
@@ -2167,6 +2170,13 @@ sub clear_section_function() {
 $section_function = undef;
 }
+#
+# Generate a SECTION warning
+#
+sub section_warning() {
+ warning_message "'SECTION' is deprecated in favor of '?SECTION' - consider running '$product update -D'" unless $warningcount3++;
+}
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty and was successfully opened. Terminates with a fatal error
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 556ee1321..2c6805307 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -110,7 +110,6 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
 UNTRACKED_SECTION, 'UNTRACKED',
 NEW_SECTION, 'NEW' );
-
 our @policy_chains;
 our %default_actions;
@@ -3121,7 +3120,7 @@ sub process_raw_rule ( ) {
 fatal_error 'ACTION must be specified' if $target eq '-';
- process_section( $source ), return 1 if $target eq 'SECTION';
+ section_warning, process_section( $source ), return 1 if $target eq 'SECTION';
 #
 # Section Names are optional so once we get to an actual rule, we need to be sure that
 # we close off any missing sections.
diff --git a/Shorewall/Samples/Universal/rules b/Shorewall/Samples/Universal/rules
index 99baa901a..0832b3979 100644
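Review bot: The warning text in the new `section_warning` sub points users at `'$product update -D'`, while the manpage hunks in this same commit only say that the `shorewall update` command performs the conversion; the two should agree so the documented remedy matches what the compiler prints, assuming `-D` is the option that rewrites bare SECTION headings (that cannot be confirmed from the hunk). The `unless $warningcount3++` guard follows the existing `$warningcount*` pattern, so the message appears at most once per compilation rather than once per offending file or line; a comment stating that, e.g. `# Emitted once per compilation; later bare SECTION headings stay silent (see $warningcount3)`, would make the choice explicit for whoever next touches it. The four manpage hunks also spell the product name "Shorewalll".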
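Review bot: The changed line in `process_raw_rule` chains three actions with the comma operator under a single statement modifier, `section_warning, process_section( $source ), return 1 if $target eq 'SECTION';`, which reads as an expression list and obscures that this is a guarded early return; the Accounting.pm hunk in the same commit makes the identical change with an ordinary block. Writing it as `if ( $target eq 'SECTION' ) { section_warning; process_section( $source ); return 1 }` keeps the two call sites parallel and no longer depends on the empty prototype of `section_warning` to make the bare name parse as a call in list position. `process_raw_rule` begins and ends outside the hunk.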
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -9,12 +9,12 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+#?SECTION INVALID
+#?SECTION UNTRACKED
+?SECTION NEW
 Invalid(DROP) net $FW tcp
 SSH(ACCEPT) net $FW
 Ping(ACCEPT) net $FW
diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules
index 59eae5691..e122665ee 100644
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+#?SECTION INVALID
+#?SECTION UNTRACKED
+?SECTION NEW
 # Drop packets in the INVALID state
diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules
index 002a7dea0..20ac1d282 100644
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+#?SECTION INVALID
+#?SECTION UNTRACKED
+?SECTION NEW
 # Don't allow connection pickup from the net
 #
diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules
index 0eab21390..65546463a 100644
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -13,12 +13,12 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+#?SECTION INVALID
+#?SECTION UNTRACKED
+?SECTION NEW
 # Don't allow connection pickup from the net
 #
diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules
index 2ae67a390..fd618eaa4 100644
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -9,9 +9,9 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+#?SECTION INVALID
+#?SECTION UNTRACKED
+?SECTION NEW
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index bf27cdd32..286cd6485 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -79,9 +79,13 @@ Section headers have the form: - + section-name + The optional "?" was added in Shorewalll 4.6.0 and is preferred. + Existing configurations may be converted to use this form using the + shorewall update command. + When sections are enabled:
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index d9c3d6992..99db3e89b 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -40,8 +40,12 @@ The rules file is divided into sections. Each section is introduced
- by a "Section Header" which is a line beginning with SECTION and followed
- by the section name.
+ by a "Section Header" which is a line beginning with [?]SECTION and
+ followed by the section name.
+
+ The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+ Existing configurations may be converted to use this form using the
+ shorewall update command.
 Sections are as follows and must appear in the order listed:
diff --git a/Shorewall6/Samples6/Universal/rules b/Shorewall6/Samples6/Universal/rules
index 5dd123f07..a018ccb55 100644
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -9,10 +9,10 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+?SECTION NEW
 Invalid(DROP) net $FW tcp
 SSH(ACCEPT) net $FW
diff --git a/Shorewall6/Samples6/one-interface/rules b/Shorewall6/Samples6/one-interface/rules
index 08d82faaf..a1dc15f20 100644
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+?SECTION NEW
 # Drop packets in the INVALID state
diff --git a/Shorewall6/Samples6/three-interfaces/rules b/Shorewall6/Samples6/three-interfaces/rules
index ef7bec56e..4699a645b 100644
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+?SECTION NEW
 # Don't allow connection pickup from the net
 #
diff --git a/Shorewall6/Samples6/two-interfaces/rules b/Shorewall6/Samples6/two-interfaces/rules
index 12cfe07cb..c1b15c407 100644
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -13,10 +13,10 @@
 ######################################################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
 # PORT PORT(S) DEST LIMIT GROUP
-#SECTION ALL
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
+#?SECTION ALL
+#?SECTION ESTABLISHED
+#?SECTION RELATED
+?SECTION NEW
 # Don't allow connection pickup from the net
 #
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index 563bd76c3..7f3f53905 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -79,9 +79,13 @@ Section headers have the form: - + section-name + The optional "?" was added in Shorewalll 4.6.0 and is preferred. + Existing configurations may be converted to use this form using the + shorewall6 update command. + When sections are enabled:
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index 3271ebde9..333f21642 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -33,8 +33,12 @@ request. All rules are terminating except LOG and QUEUE rules. The rules file is divided into sections. Each section is introduced
- by a "Section Header" which is a line beginning with SECTION and followed
- by the section name.
+ by a "Section Header" which is a line beginning with [?]SECTION and
+ followed by the section name.
+
+ The optional "?" was added in Shorewalll 4.6.0 and is preferred.
+ Existing configurations may be converted to use this form using the
+ shorewall6 update command.
 Sections are as follows and must appear in the order listed: