holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Do nothing when a rules file section is empty.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-04-18 14:13:34 -07:00
parent 240d3d8cab
commit 4d4e8b3df4
3 changed files with 44 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -67,6 +67,7 @@ our $VERSION = 'MODULEVERSION';
our %sections; our %sections;
our $section; our $section;
our $next_section;
use constant { NULL_SECTION => 0x00, use constant { NULL_SECTION => 0x00,
BLACKLIST_SECTION => 0x01, BLACKLIST_SECTION => 0x01,
@ -239,7 +240,8 @@ sub initialize( $ ) {
# #
# Current rules file section. # Current rules file section.
# #
$section = NULL_SECTION; $section = NULL_SECTION;
$next_section = NULL_SECTION;
# #
# Macro=><macro file> mapping # Macro=><macro file> mapping
# #
@ -3065,22 +3067,35 @@ sub process_section ($) {
if ( $sect eq 'BLACKLIST' ) { if ( $sect eq 'BLACKLIST' ) {
fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file"; fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
} elsif ( $sect eq 'ESTABLISHED' ) { } elsif ( $sect eq 'ESTABLISHED' ) {
$sections{ALL} = 1; $sections{ALL} = 1;
} elsif ( $sect eq 'RELATED' ) { } elsif ( $sect eq 'RELATED' ) {
@sections{'ALL','ESTABLISHED'} = ( 1, 1); @sections{'ALL','ESTABLISHED'} = ( 1, 1);
finish_section 'ESTABLISHED';
} elsif ( $sect eq 'INVALID' ) { } elsif ( $sect eq 'INVALID' ) {
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
finish_section ( 'ESTABLISHED,RELATED' );
} elsif ( $sect eq 'UNTRACKED' ) { } elsif ( $sect eq 'UNTRACKED' ) {
@sections{'ALL','ESTABLISHED','RELATED', 'INVALID' } = ( 1, 1, 1, 1 ); @sections{'ALL','ESTABLISHED','RELATED', 'INVALID' } = ( 1, 1, 1, 1 );
finish_section ( 'ESTABLISHED,RELATED,INVALID' );
} elsif ( $sect eq 'NEW' ) { } elsif ( $sect eq 'NEW' ) {
@sections{'ALL','ESTABLISHED','RELATED','INVALID','UNTRACKED', 'NEW'} = ( 1, 1, 1, 1, 1, 1 ); @sections{'ALL','ESTABLISHED','RELATED','INVALID','UNTRACKED', 'NEW'} = ( 1, 1, 1, 1, 1, 1 );
}
$next_section = $section_map{$sect};
}
sub next_section() {
if ( $next_section == RELATED_SECTION ) {
finish_section 'ESTABLISHED';
} elsif ( $next_section == INVALID_SECTION ) {
finish_section ( 'ESTABLISHED,RELATED' );
} elsif ( $next_section == UNTRACKED_SECTION ) {
finish_section ( 'ESTABLISHED,RELATED,INVALID' );
} elsif ( $next_section == NEW_SECTION ) {
finish_section ( 'ESTABLISHED,RELATED,INVALID,UNTRACKED' ); finish_section ( 'ESTABLISHED,RELATED,INVALID,UNTRACKED' );
} }
$section = $section_map{$sect}; $section = $next_section;
} }
# #
@ -3167,7 +3182,7 @@ sub process_raw_rule ( ) {
# Section Names are optional so once we get to an actual rule, we need to be sure that # Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections. # we close off any missing sections.
# #
process_section( 'NEW' ) unless $section; next_section if $section != $next_section;
if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) { if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
progress_message "Rule \"$currentline\" ignored."; progress_message "Rule \"$currentline\" ignored.";
@ -3330,7 +3345,7 @@ sub process_rules( $ ) {
# #
# Process the blrules file # Process the blrules file
# #
$section = BLACKLIST_SECTION; $section = $next_section = BLACKLIST_SECTION;
my $fn = open_file( 'blrules', 1, 1 ); my $fn = open_file( 'blrules', 1, 1 );
@ -3359,7 +3374,8 @@ sub process_rules( $ ) {
process_raw_rule while read_a_line( NORMAL_READ ); process_raw_rule while read_a_line( NORMAL_READ );
} }
$section = NULL_SECTION; $section = NULL_SECTION;
$next_section = NEW_SECTION;
add_interface_options( $blrules ); add_interface_options( $blrules );
@ -3383,7 +3399,7 @@ sub process_rules( $ ) {
# #
# No need to finish the NEW section since no rules need to be generated # No need to finish the NEW section since no rules need to be generated
# #
$section = DEFAULTACTION_SECTION; $section = $next_section = DEFAULTACTION_SECTION;
} }
1; 1;

14
Shorewall/configfiles/rules
View File

@ -8,10 +8,10 @@
# #
###################################################################################################################################################################################################### ######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP # PORT(S) PORT(S) DEST LIMIT GROUP
#SECTION ALL ?SECTION ALL
#SECTION ESTABLISHED ?SECTION ESTABLISHED
#SECTION RELATED ?SECTION RELATED
#SECTION INVALID ?SECTION INVALID
#SECTION UNTRACKED ?SECTION UNTRACKED
SECTION NEW ?SECTION NEW

14
Shorewall6/configfiles/rules
View File

@ -8,10 +8,10 @@
# #
###################################################################################################################################################################################################### ######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP # PORT(S) PORT(S) DEST LIMIT GROUP
#SECTION ALL ?SECTION ALL
#SECTION ESTABLISHED ?SECTION ESTABLISHED
#SECTION RELATED ?SECTION RELATED
#SECTION INVALID ?SECTION INVALID
#SECTION UNTRACKED ?SECTION UNTRACKED
SECTION NEW ?SECTION NEW