forked from extern/shorewall_code
Issue warning on bare SECTION headings.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
80d54ec40b
commit
3870157898
@ -432,6 +432,7 @@ sub process_accounting_rule( ) {
|
||||
fatal_error 'ACTION must be specified' if $action eq '-';
|
||||
|
||||
if ( $action eq 'SECTION' ) {
|
||||
section_warning;
|
||||
process_section( $chain );
|
||||
} else {
|
||||
for my $proto ( split_list $protos, 'Protocol' ) {
|
||||
|
||||
@ -153,6 +153,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
macro_comment
|
||||
dump_mark_layout
|
||||
set_section_function
|
||||
section_warning
|
||||
clear_section_function
|
||||
|
||||
$product
|
||||
@ -551,6 +552,7 @@ our $nocomment; # When true, ignore [?]COMMENT in the current file
|
||||
our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
|
||||
our $warningcount1; # Used to suppress duplicate warnings about COMMENT being deprecated
|
||||
our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
|
||||
our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
|
||||
|
||||
our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
|
||||
|
||||
@ -683,6 +685,7 @@ sub initialize( $;$$) {
|
||||
$warningcount = 0;
|
||||
$warningcount1 = 0;
|
||||
$warningcount2 = 0;
|
||||
$warningcount3 = 0;
|
||||
#
|
||||
# Misc Globals
|
||||
#
|
||||
@ -2167,6 +2170,13 @@ sub clear_section_function() {
|
||||
$section_function = undef;
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a SECTION warning
|
||||
#
|
||||
sub section_warning() {
|
||||
warning_message "'SECTION' is deprecated in favor of '?SECTION' - consider running '$product update -D'" unless $warningcount3++;
|
||||
}
|
||||
|
||||
#
|
||||
# Open a file, setting $currentfile. Returns the file's absolute pathname if the file
|
||||
# exists, is non-empty and was successfully opened. Terminates with a fatal error
|
||||
|
||||
@ -110,7 +110,6 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
|
||||
UNTRACKED_SECTION, 'UNTRACKED',
|
||||
NEW_SECTION, 'NEW' );
|
||||
|
||||
|
||||
our @policy_chains;
|
||||
|
||||
our %default_actions;
|
||||
@ -3121,7 +3120,7 @@ sub process_raw_rule ( ) {
|
||||
|
||||
fatal_error 'ACTION must be specified' if $target eq '-';
|
||||
|
||||
process_section( $source ), return 1 if $target eq 'SECTION';
|
||||
section_warning, process_section( $source ), return 1 if $target eq 'SECTION';
|
||||
#
|
||||
# Section Names are optional so once we get to an actual rule, we need to be sure that
|
||||
# we close off any missing sections.
|
||||
|
||||
@ -9,12 +9,12 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
Invalid(DROP) net $FW tcp
|
||||
SSH(ACCEPT) net $FW
|
||||
Ping(ACCEPT) net $FW
|
||||
|
||||
@ -13,12 +13,12 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
|
||||
# Drop packets in the INVALID state
|
||||
|
||||
|
||||
@ -13,12 +13,12 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
|
||||
@ -13,12 +13,12 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
|
||||
@ -9,9 +9,9 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
|
||||
@ -79,9 +79,13 @@
|
||||
|
||||
<para>Section headers have the form:</para>
|
||||
|
||||
<para><option>SECTION</option>
|
||||
<para><option>[?]SECTION</option>
|
||||
<replaceable>section-name</replaceable></para>
|
||||
|
||||
<para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
|
||||
Existing configurations may be converted to use this form using the
|
||||
<command>shorewall update</command> command.</para>
|
||||
|
||||
<para>When sections are enabled:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
@ -40,8 +40,12 @@
|
||||
</warning>
|
||||
|
||||
<para>The rules file is divided into sections. Each section is introduced
|
||||
by a "Section Header" which is a line beginning with SECTION and followed
|
||||
by the section name.</para>
|
||||
by a "Section Header" which is a line beginning with [?]SECTION and
|
||||
followed by the section name.</para>
|
||||
|
||||
<para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
|
||||
Existing configurations may be converted to use this form using the
|
||||
<command>shorewall update</command> command.</para>
|
||||
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
|
||||
@ -9,10 +9,10 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
?SECTION NEW
|
||||
|
||||
Invalid(DROP) net $FW tcp
|
||||
SSH(ACCEPT) net $FW
|
||||
|
||||
@ -13,10 +13,10 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
?SECTION NEW
|
||||
|
||||
# Drop packets in the INVALID state
|
||||
|
||||
|
||||
@ -13,10 +13,10 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
?SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
|
||||
@ -13,10 +13,10 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
?SECTION NEW
|
||||
|
||||
# Don't allow connection pickup from the net
|
||||
#
|
||||
|
||||
@ -79,9 +79,13 @@
|
||||
|
||||
<para>Section headers have the form:</para>
|
||||
|
||||
<para><option>SECTION</option>
|
||||
<para><option>[?]SECTION</option>
|
||||
<replaceable>section-name</replaceable></para>
|
||||
|
||||
<para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
|
||||
Existing configurations may be converted to use this form using the
|
||||
<command>shorewall6 update</command> command.</para>
|
||||
|
||||
<para>When sections are enabled:</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
@ -33,8 +33,12 @@
|
||||
request. All rules are terminating except LOG and QUEUE rules.</para>
|
||||
|
||||
<para>The rules file is divided into sections. Each section is introduced
|
||||
by a "Section Header" which is a line beginning with SECTION and followed
|
||||
by the section name.</para>
|
||||
by a "Section Header" which is a line beginning with [?]SECTION and
|
||||
followed by the section name.</para>
|
||||
|
||||
<para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
|
||||
Existing configurations may be converted to use this form using the
|
||||
<command>shorewall6 update</command> command.</para>
|
||||
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user