diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 03f01c264..945994f7d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2452,18 +2452,20 @@ sub ensure_accounting_chain( $$$ )
$chainref->{ipsec} = $ipsec;
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
- unless ( $chain eq 'accounting' ) {
- my $file = find_file $chain;
+ if ( $config{CHAIN_SCRIPTS} ) {
+ unless ( $chain eq 'accounting' ) {
+ my $file = find_file $chain;
- if ( -f $file ) {
- progress_message "Running $file...";
+ if ( -f $file ) {
+ progress_message "Running $file...";
- my ( $level, $tag ) = ( '', '' );
+ my ( $level, $tag ) = ( '', '' );
- unless ( my $return = eval `cat $file` ) {
- fatal_error "Couldn't parse $file: $@" if $@;
- fatal_error "Couldn't do $file: $!" unless defined $return;
- fatal_error "Couldn't run $file" unless $return;
+ unless ( my $return = eval `cat $file` ) {
+ fatal_error "Couldn't parse $file: $@" if $@;
+ fatal_error "Couldn't do $file: $!" unless defined $return;
+ fatal_error "Couldn't run $file" unless $return;
+ }
}
}
}
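Review bot: The script is still read through a shell in this gated block: the backtick `cat $file` interpolates the path returned by `find_file` unquoted, so a CONFIG_PATH directory or chain name containing spaces or shell metacharacters is parsed by the shell rather than treated as a file name, and a failed `cat` leaves `$!` without a meaningful value for the "Couldn't do" message. Reading the file in Perl avoids both: `open my $fh, '<', $file or fatal_error "Couldn't open $file: $!";` followed by `my $script = do { local $/; <$fh> };` and `eval $script` in the same scope, so `$level`, `$tag` and `$chainref` stay visible to the script. The same backtick read appears in run_user_exit in Config.pm and in createlogactionchain and createsimpleactionchain in Rules.pm. Because CHAIN_SCRIPTS defaults to Yes, a comment here should also state that any regular file on CONFIG_PATH named after a chain is evaluated as Perl inside the compiler process. ensure_accounting_chain begins and ends outside this hunk.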
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 1ef50a123..c4e07360c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -790,6 +790,7 @@ sub initialize( $;$$) {
WARNOLDCAPVERSION => undef,
DEFER_DNS_RESOLUTION => undef,
USE_RT_NAMES => undef,
+ CHAIN_SCRIPTS => undef,
#
# Packet Disposition
#
@@ -5302,6 +5303,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'AUTOCOMMENT' , 'Yes';
default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
+ default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
default_yes_no 'USE_DEFAULT_RT' , '';
@@ -5703,7 +5705,7 @@ sub run_user_exit( $ ) {
my $chainref = $_[0];
my $file = find_file $chainref->{name};
- if ( -f $file ) {
+ if ( $config{CHAIN_SCRIPTS} && -f $file ) {
progress_message2 "Running $file...";
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
@@ -5756,7 +5758,7 @@ sub run_user_exit1( $ ) {
sub run_user_exit2( $$ ) {
my ($file, $chainref) = ( find_file $_[0], $_[1] );
- if ( -f $file ) {
+ if ( $config{CHAIN_SCRIPTS} && -f $file ) {
progress_message2 "Running $file...";
#
# File may be empty -- in which case eval would fail
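Review bot: run_user_exit2 looks up `find_file $_[0]`, a name supplied by the caller, unlike run_user_exit, which derives it from `$chainref->{name}`; gating it on `$config{CHAIN_SCRIPTS}` therefore disables whatever script name callers pass, and that may not be a chain name. The callers are not visible in this diff, so this needs confirming. If any caller passes a fixed extension-script name, either the manpage entry should say that CHAIN_SCRIPTS=No turns that script off as well, or the gate should be dropped from this function. The function body continues past the hunk.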
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a349cf828..c0ffaaec9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1184,21 +1184,23 @@ sub createlogactionchain( $$$$$ ) {
$chainref->{action} = $normalized;
- unless ( $targets{$action} & BUILTIN ) {
+ if ( $config{CHAIN_SCRIPTS} ) {
+ unless ( $targets{$action} & BUILTIN ) {
- set_optflags( $chainref, DONT_OPTIMIZE );
+ set_optflags( $chainref, DONT_OPTIMIZE );
- my $file = find_file $chain;
+ my $file = find_file $chain;
- if ( -f $file ) {
- progress_message "Running $file...";
+ if ( -f $file ) {
+ progress_message "Running $file...";
- my @params = split /,/, $param;
+ my @params = split /,/, $param;
- unless ( my $return = eval `cat $file` ) {
- fatal_error "Couldn't parse $file: $@" if $@;
- fatal_error "Couldn't do $file: $!" unless defined $return;
- fatal_error "Couldn't run $file";
+ unless ( my $return = eval `cat $file` ) {
+ fatal_error "Couldn't parse $file: $@" if $@;
+ fatal_error "Couldn't do $file: $!" unless defined $return;
+ fatal_error "Couldn't run $file";
+ }
}
}
}
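Review bot: `set_optflags( $chainref, DONT_OPTIMIZE );` now sits inside the `if ( $config{CHAIN_SCRIPTS} )` block, so with CHAIN_SCRIPTS=No a non-builtin action chain no longer gets DONT_OPTIMIZE, whereas before it was set for every non-builtin action whether or not a script file existed. If the flag exists only to protect rules a chain script might add, the change is fine but deserves a comment such as `# DONT_OPTIMIZE is only needed when a chain script may add rules`; if it has another purpose, the call should stay outside the new gate. The same move occurs in createsimpleactionchain in the next hunk. Both functions extend beyond their hunks.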
@@ -1218,21 +1220,23 @@ sub createsimpleactionchain( $ ) {
$chainref->{action} = $normalized;
- unless ( $targets{$action} & BUILTIN ) {
+ if ( $config{CHAIN_SCRIPTS} ) {
+ unless ( $targets{$action} & BUILTIN ) {
- set_optflags( $chainref, DONT_OPTIMIZE );
+ set_optflags( $chainref, DONT_OPTIMIZE );
- my $file = find_file $action;
+ my $file = find_file $action;
- if ( -f $file ) {
- progress_message "Running $file...";
+ if ( -f $file ) {
+ progress_message "Running $file...";
- my ( $level, $tag ) = ( '', '' );
+ my ( $level, $tag ) = ( '', '' );
- unless ( my $return = eval `cat $file` ) {
- fatal_error "Couldn't parse $file: $@" if $@;
- fatal_error "Couldn't do $file: $!" unless defined $return;
- fatal_error "Couldn't run $file";
+ unless ( my $return = eval `cat $file` ) {
+ fatal_error "Couldn't parse $file: $@" if $@;
+ fatal_error "Couldn't do $file: $!" unless defined $return;
+ fatal_error "Couldn't run $file";
+ }
}
}
}
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 42212eaa7..931e15447 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -130,6 +130,8 @@ AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
+CHAIN_SCRIPTS=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 88708a8e0..6ce2e69b7 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -141,6 +141,8 @@ AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
+CHAIN_SCRIPTS=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index e9ac9e902..2c583e3fd 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -139,6 +139,8 @@ AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
+CHAIN_SCRIPTS=No
+
CLAMPMSS=Yes
CLEAR_TC=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 532a88d07..ab8c7357c 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -142,6 +142,8 @@ AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
+CHAIN_SCRIPTS=No
+
CLAMPMSS=Yes
CLEAR_TC=Yes
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index aef243b20..07db555c8 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -130,6 +130,8 @@ AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
+CHAIN_SCRIPTS=Yes
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 442df55d3..d9a974740 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -466,6 +466,22 @@
+
+ CHAIN_SCRIPTS={Yes|No}
+
+
+ Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+ PERL....END PERL in configuration files, the only way to execute a
+ chain-specific script was to create a script file with the same name
+ as the chain and place it in a directory on the CONFIG_PATH. That
+ facility has the drawback that the compiler will attempt to run a
+ non-script file just because it has the same name as a chain. To
+ disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+ specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.
+
+
+
CLAMPMSS=[Yes|
+
+ CHAIN_SCRIPTS={Yes|No}
+
+
+ Added in Shorewall 4.5.16. Prior to the availability of BEGIN
+ PERL....END PERL in configuration files, the only way to execute a
+ chain-specific script was to create a script file with the same name
+ as the chain and place it in a directory on the CONFIG_PATH. That
+ facility has the drawback that the compiler will attempt to run a
+ non-script file just because it has the same name as a chain. To
+ disable this facility, set CHAIN_SCRIPTS=No. If not specified or
+ specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.
+
+
+
CLAMPMSS=[Yes|