Document -t option

- Also copy compiler directives to the mangle file.
Tom Eastep 2014-02-17 12:50:59 -08:00
parent a011ad8efe
commit 3e87efc82b
4 changed files with 195 additions and 113 deletions


@ -158,6 +158,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
set_section_function set_section_function
section_warning section_warning
clear_section_function clear_section_function
directive_callback
$product $product
$Product $Product
@ -562,6 +563,7 @@ our $warningcount1; # Used to suppress duplicate warnings about COMMENT
our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated our $warningcount2; # Used to suppress duplicate warnings about FORMAT being deprecated
our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated our $warningcount3; # Used to suppress duplicate warnings about SECTION being deprecated
our $checkinline; # The -i option to check/compile/etc. our $checkinline; # The -i option to check/compile/etc.
our $directive_callback; # Function to call in compiler_directive
our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files. our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
@ -687,6 +689,8 @@ sub initialize( $;$$) {
$ifstack = 0; $ifstack = 0;
@ifstack = (); @ifstack = ();
$embedded = 0; $embedded = 0;
$directive_callback
= 0;
# #
# Contents of last COMMENT line. # Contents of last COMMENT line.
# #
@ -2490,6 +2494,13 @@ sub evaluate_expression( $$$ ) {
$val; $val;
} }
#
# Set callback
#
sub directive_callback( $ ) {
$directive_callback = shift;
}
# #
# Each entry in @ifstack consists of a 4-tupple # Each entry in @ifstack consists of a 4-tupple
# #
@ -2518,127 +2529,128 @@ sub process_compiler_directive( $$$$ ) {
my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 ); my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
my %directives = ( IF => sub() { my %directives =
directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression; ( IF => sub() {
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber ); directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ]; my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
$omitting = $nextomitting; push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
} , $omitting = $nextomitting;
} ,
ELSIF => sub() { ELSIF => sub() {
directive_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/; directive_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
directive_error( "Missing IF expression" , $filename, $linenumber ) unless $expression; directive_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
if ( $omitting && ! $included ) { if ( $omitting && ! $included ) {
# #
# We can only change to including if we were previously omitting # We can only change to including if we were previously omitting
# #
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber ); $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
$included = ! $omitting; $included = ! $omitting;
} else { } else {
# #
# We have already included -- so we don't want to include this part # We have already included -- so we don't want to include this part
# #
$omitting = 1; $omitting = 1;
} }
$ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ]; $ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ];
} , } ,
ELSE => sub() { ELSE => sub() {
directive_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq ''; directive_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq '';
directive_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/; directive_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
$omitting = $included || ! $omitting unless $prioromit; $omitting = $included || ! $omitting unless $prioromit;
$ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ]; $ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ];
} , } ,
ENDIF => sub() { ENDIF => sub() {
directive_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq ''; directive_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq '';
directive_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack; directive_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack;
$omitting = $prioromit; $omitting = $prioromit;
pop @ifstack; pop @ifstack;
} , } ,
SET => sub() { SET => sub() {
unless ( $omitting ) { unless ( $omitting ) {
directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression; directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression;
( my $var , $expression ) = split ' ', $expression, 2; ( my $var , $expression ) = split ' ', $expression, 2;
directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/; directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression; directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression;
if ( ( $1 || '' ) eq '@' ) { if ( ( $1 || '' ) eq '@' ) {
$var = $2; $var = $2;
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0}; directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
my $val = $actparms{$var} = evaluate_expression ( $expression, my $val = $actparms{$var} = evaluate_expression ( $expression,
$filename, $filename,
$linenumber ); $linenumber );
$parmsmodified = 1; $parmsmodified = 1;
} else { } else {
$variables{$2} = evaluate_expression( $expression, $variables{$2} = evaluate_expression( $expression,
$filename, $filename,
$linenumber ); $linenumber );
} }
} }
} , } ,
FORMAT => sub() { 'FORMAT' => sub() {
unless ( $omitting ) { unless ( $omitting ) {
directive_error( "?FORMAT is not allowed in this file", $filename, $linenumber ) unless $max_format > 1; directive_error( "?FORMAT is not allowed in this file", $filename, $linenumber ) unless $max_format > 1;
directive_error( "Missing format", $filename, $linenumber ) unless supplied $expression; directive_error( "Missing format", $filename, $linenumber ) unless supplied $expression;
directive_error( "Invalid format ($expression)", $filename, $linenumber ) unless $expression =~ /^\d+$/; directive_error( "Invalid format ($expression)", $filename, $linenumber ) unless $expression =~ /^\d+$/;
directive_error( "Format must be between 1 and $max_format", $filename, $linenumber ) unless $expression && $expression <= $max_format; directive_error( "Format must be between 1 and $max_format", $filename, $linenumber ) unless $expression && $expression <= $max_format;
$file_format = $expression; $file_format = $expression;
} }
} , } ,
RESET => sub() { RESET => sub() {
unless ( $omitting ) { unless ( $omitting ) {
my $var = $expression; my $var = $expression;
directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var; directive_error( "Missing RESET variable", $filename, $linenumber) unless supplied $var;
directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/; directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
if ( ( $1 || '' ) eq '@' ) { if ( ( $1 || '' ) eq '@' ) {
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$var = $2 || 'chain'; $var = $2 || 'chain';
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0}; directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
if ( exists $actparms{$var} ) { if ( exists $actparms{$var} ) {
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) { if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
$actparms{$var} = ''; $actparms{$var} = '';
} else { } else {
delete $actparms{$var} delete $actparms{$var}
} }
} else { } else {
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber ); directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
} }
} else { } else {
if ( exists $variables{$2} ) { if ( exists $variables{$2} ) {
delete $variables{$2}; delete $variables{$2};
} else { } else {
directive_warning( "Shell variable $2 does not exist", $filename, $linenumber ); directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
} }
} }
} }
} , } ,
COMMENT => sub() { COMMENT => sub() {
unless ( $omitting ) { unless ( $omitting ) {
if ( $comments_allowed ) { if ( $comments_allowed ) {
unless ( $nocomment ) { unless ( $nocomment ) {
if ( have_capability( 'COMMENTS' ) ) { if ( have_capability( 'COMMENTS' ) ) {
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//; ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
$comment =~ s/\s*$//; $comment =~ s/\s*$//;
} else { } else {
directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++; directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
} }
} }
} else { } else {
directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber ); directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
} }
} }
} }
); );
if ( my $function = $directives{$keyword} ) { if ( my $function = $directives{$keyword} ) {
$function->(); $function->();
@ -2646,7 +2658,11 @@ sub process_compiler_directive( $$$$ ) {
assert( 0, $keyword ); assert( 0, $keyword );
} }
$omitting; if ( $directive_callback ) {
$directive_callback->( $keyword, $line )
} else {
$omitting;
}
} }
# #
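Review bot: The new callback contract is undocumented: when `$directive_callback` is set, process_compiler_directive() returns whatever the callback returns instead of `$omitting`, so an installed callback silently takes over the ?IF/?ELSE omission decision for every caller (the ELSIF/ENDIF bookkeeping in @ifstack still runs, but its result is no longer reported). That is presumably intended for the tcrules-to-mangle copy, but the "# Set callback" header on directive_callback() should say so; I would replace it with `# Set (or clear with 0) the directive callback. It is invoked as $callback->( $keyword, $line ) after each directive is processed, and its return value is returned from process_compiler_directive() in place of $omitting.` The same one-line explanation belongs above the `if ( $directive_callback )` branch at the end of process_compiler_directive(). directive_callback() also accepts any scalar; since the value is only checked for truth before `->()`, a non-code true value would fail at the call site rather than at registration — a small `ref` check at registration would give a clearer error, if you care to add one. Note that process_compiler_directive() begins outside this hunk.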


@ -3154,6 +3154,8 @@ sub setup_tc( $ ) {
# We are going to convert this tcrules file to the equivalent mangle file # We are going to convert this tcrules file to the equivalent mangle file
# #
open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
} }
first_entry "$doing $fn..."; first_entry "$doing $fn...";
@ -3173,7 +3175,7 @@ sub setup_tc( $ ) {
} }
} }
close $mangle if $tcrules; close $mangle, directive_callback( 0 ) if $tcrules;
} }
if ( my $fn = open_file( 'mangle', 1, 1 ) ) { if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
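Review bot: `close $mangle, directive_callback( 0 ) if $tcrules;` relies on `close` parsing as a named unary operator so that the comma yields two void-context statements; it reads as if close() took two arguments, and the result of closing a write handle is still unchecked, so a write error on the appended mangle file only surfaces at close and is lost. I would split it into `close $mangle or fatal_error "Unable to close $fn1: $!" if $tcrules;` and `directive_callback( 0 ) if $tcrules;` (assuming `$fn1` still holds the path assigned in the open on the earlier line of this section). The callback installed on the open line always returns 0, which by the new contract in process_compiler_directive() disables ?IF/?ELSE omission while converting, so every tcrules line is copied verbatim; that deserves a comment on that line, e.g. `# Copy each directive (except ?FORMAT) to the mangle file; returning 0 keeps conditional omission off during conversion.` setup_tc() starts and ends outside this hunk.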


@ -1864,9 +1864,41 @@
url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old url="shorewall-mangle.html">shorewall-mangle(5)</ulink>. The old
file is renamed with a .bak suffix.</para> file is renamed with a .bak suffix.</para>
<important>
<para>There are some notable restrictions with the
<option>-t</option> option:</para>
<orderedlist>
<listitem>
<para>Converted rules will be appended to the existing
<filename>mangle</filename> file; if there is no
<filename>mangle</filename> file in the CONFIG_PATH, one will
be created in <filename
class="directory">/etc/shorewall</filename>.</para>
</listitem>
<listitem>
<para>Existing comments in the <filename>tcrules</filename>
file will not be transferred to the
<filename>mangle</filename> file.</para>
</listitem>
<listitem>
<para>INCLUDEd files will be expanded inline in the
<filename>mangle</filename> file.</para>
</listitem>
<listitem>
<para>Columns in the <filename>mangle</filename> file will be
separated by a single tab character; there is no attempt made
to otherwise align the columns.</para>
</listitem>
</orderedlist>
</important>
<para>The <option>-A</option> option was added in Shorewall 4.6.0 <para>The <option>-A</option> option was added in Shorewall 4.6.0
and is equivalent to specifying the <option>-b</option>, and is equivalent to specifying the <option>-b</option>,
<option>-D</option> and the <option>-t</option> options. </para> <option>-D</option> and the <option>-t</option> options.</para>
<para>For a description of the other options, see the <emphasis <para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para> role="bold">check</emphasis> command above.</para>


@ -1700,6 +1700,38 @@
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>. The old
file is renamed with a .bak suffix.</para> file is renamed with a .bak suffix.</para>
<important>
<para>There are some notable restrictions with the
<option>-t</option> option:</para>
<orderedlist>
<listitem>
<para>Converted rules will be appended to the existing
<filename>mangle</filename> file; if there is no
<filename>mangle</filename> file in the CONFIG_PATH, one will
be created in <filename
class="directory">/etc/shorewall6</filename>.</para>
</listitem>
<listitem>
<para>Existing comments in the <filename>tcrules</filename>
file will not be transferred to the
<filename>mangle</filename> file.</para>
</listitem>
<listitem>
<para>INCLUDEd files will be expanded inline in the
<filename>mangle</filename> file.</para>
</listitem>
<listitem>
<para>Columns in the <filename>mangle</filename> file will be
separated by a single tab character; there is no attempt made
to otherwise align the columns.</para>
</listitem>
</orderedlist>
</important>
<para>The <option>-A</option> option was added in Shorewall 4.6.0 <para>The <option>-A</option> option was added in Shorewall 4.6.0
and is equivalent to specifying the <option>-b</option>, and is equivalent to specifying the <option>-b</option>,
<option>-D</option> and the <option>-t</option> options.</para> <option>-D</option> and the <option>-t</option> options.</para>