Add CHAIN_SCRIPTS option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a56dcc745d
commit
5ad69aa650
@ -2452,18 +2452,20 @@ sub ensure_accounting_chain( $$$ )
|
|||||||
$chainref->{ipsec} = $ipsec;
|
$chainref->{ipsec} = $ipsec;
|
||||||
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
|
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
|
||||||
|
|
||||||
unless ( $chain eq 'accounting' ) {
|
if ( $config{CHAIN_SCRIPTS} ) {
|
||||||
my $file = find_file $chain;
|
unless ( $chain eq 'accounting' ) {
|
||||||
|
my $file = find_file $chain;
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
progress_message "Running $file...";
|
progress_message "Running $file...";
|
||||||
|
|
||||||
my ( $level, $tag ) = ( '', '' );
|
my ( $level, $tag ) = ( '', '' );
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
unless ( my $return = eval `cat $file` ) {
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
fatal_error "Couldn't parse $file: $@" if $@;
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
fatal_error "Couldn't do $file: $!" unless defined $return;
|
||||||
fatal_error "Couldn't run $file" unless $return;
|
fatal_error "Couldn't run $file" unless $return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
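Review bot: The script body is still obtained with `eval \`cat $file\``, which hands the path from `find_file $chain` to a shell, so a chain name containing whitespace or shell metacharacters is mis-read or mis-interpreted before the new CHAIN_SCRIPTS guard ever helps; the same construct appears in the run_user_exit, run_user_exit2, createlogactionchain and createsimpleactionchain hunks of this commit. Slurping the file with a three-argument `open` removes the shell from the path entirely and gives a real error for an unreadable file instead of an empty string that surfaces as "Couldn't do". Unlike run_user_exit, this block also evaluates the script in the compiler's own package under strict and with no `# line 1 "$file"` directive, so parse errors are reported against the wrong file; wrapping the text the way run_user_exit does would make the two paths consistent. ensure_accounting_chain begins before this hunk.
```perl
if ( -f $file ) {
    progress_message "Running $file...";

    my ( $level, $tag ) = ( '', '' );

    # Read the script directly rather than passing $file through a shell.
    my $script = do {
        open my $fh, '<', $file or fatal_error "Couldn't open $file: $!";
        local $/;
        <$fh>;
    };

    unless ( my $return = eval $script ) {
        # … unchanged: fatal_error reporting …
    }
}
```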
@ -790,6 +790,7 @@ sub initialize( $;$$) {
|
|||||||
WARNOLDCAPVERSION => undef,
|
WARNOLDCAPVERSION => undef,
|
||||||
DEFER_DNS_RESOLUTION => undef,
|
DEFER_DNS_RESOLUTION => undef,
|
||||||
USE_RT_NAMES => undef,
|
USE_RT_NAMES => undef,
|
||||||
|
CHAIN_SCRIPTS => undef,
|
||||||
#
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
@ -5302,6 +5303,7 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_yes_no 'AUTOCOMMENT' , 'Yes';
|
default_yes_no 'AUTOCOMMENT' , 'Yes';
|
||||||
default_yes_no 'MULTICAST' , '';
|
default_yes_no 'MULTICAST' , '';
|
||||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||||
|
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
|
||||||
|
|
||||||
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
||||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||||
@ -5703,7 +5705,7 @@ sub run_user_exit( $ ) {
|
|||||||
my $chainref = $_[0];
|
my $chainref = $_[0];
|
||||||
my $file = find_file $chainref->{name};
|
my $file = find_file $chainref->{name};
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
|
||||||
progress_message2 "Running $file...";
|
progress_message2 "Running $file...";
|
||||||
|
|
||||||
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
|
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
|
||||||
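Review bot: The guard `if ( $config{CHAIN_SCRIPTS} && -f $file )` is applied to run_user_exit and run_user_exit2, but the header of the next hunk shows a run_user_exit1 between them whose body is not in the diff; if it also locates and evaluates a chain-named file it needs the same check, otherwise the option does not fully disable the facility. In this hunk `find_file $chainref->{name}` still walks CONFIG_PATH before the option is consulted; a leading `return unless $config{CHAIN_SCRIPTS};` would skip that search and make the disabled state obvious at the top of the sub, provided no caller depends on the return value (not visible here). run_user_exit's body continues outside the hunk.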
@ -5756,7 +5758,7 @@ sub run_user_exit1( $ ) {
|
|||||||
sub run_user_exit2( $$ ) {
|
sub run_user_exit2( $$ ) {
|
||||||
my ($file, $chainref) = ( find_file $_[0], $_[1] );
|
my ($file, $chainref) = ( find_file $_[0], $_[1] );
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
|
||||||
progress_message2 "Running $file...";
|
progress_message2 "Running $file...";
|
||||||
#
|
#
|
||||||
# File may be empty -- in which case eval would fail
|
# File may be empty -- in which case eval would fail
|
||||||
|
@ -1184,21 +1184,23 @@ sub createlogactionchain( $$$$$ ) {
|
|||||||
|
|
||||||
$chainref->{action} = $normalized;
|
$chainref->{action} = $normalized;
|
||||||
|
|
||||||
unless ( $targets{$action} & BUILTIN ) {
|
if ( $config{CHAIN_SCRIPTS} ) {
|
||||||
|
unless ( $targets{$action} & BUILTIN ) {
|
||||||
|
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
set_optflags( $chainref, DONT_OPTIMIZE );
|
||||||
|
|
||||||
my $file = find_file $chain;
|
my $file = find_file $chain;
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
progress_message "Running $file...";
|
progress_message "Running $file...";
|
||||||
|
|
||||||
my @params = split /,/, $param;
|
my @params = split /,/, $param;
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
unless ( my $return = eval `cat $file` ) {
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
fatal_error "Couldn't parse $file: $@" if $@;
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
fatal_error "Couldn't do $file: $!" unless defined $return;
|
||||||
fatal_error "Couldn't run $file";
|
fatal_error "Couldn't run $file";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
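Review bot: `set_optflags( $chainref, DONT_OPTIMIZE );` has moved inside the new `if ( $config{CHAIN_SCRIPTS} )` block, so with CHAIN_SCRIPTS=No a non-builtin action chain is no longer marked DONT_OPTIMIZE; that is fine if the flag existed only to protect rules added by a script, but if the optimizer must leave these chains alone for other reasons it should stay unconditional, as `unless ( $targets{$action} & BUILTIN ) { set_optflags( $chainref, DONT_OPTIMIZE ); if ( $config{CHAIN_SCRIPTS} ) { ... } }`. The createsimpleactionchain hunk makes the identical change. Both createlogactionchain and createsimpleactionchain start before their hunks, so whether anything else depends on the flag cannot be checked from here.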
@ -1218,21 +1220,23 @@ sub createsimpleactionchain( $ ) {
|
|||||||
|
|
||||||
$chainref->{action} = $normalized;
|
$chainref->{action} = $normalized;
|
||||||
|
|
||||||
unless ( $targets{$action} & BUILTIN ) {
|
if ( $config{CHAIN_SCRIPTS} ) {
|
||||||
|
unless ( $targets{$action} & BUILTIN ) {
|
||||||
|
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE );
|
set_optflags( $chainref, DONT_OPTIMIZE );
|
||||||
|
|
||||||
my $file = find_file $action;
|
my $file = find_file $action;
|
||||||
|
|
||||||
if ( -f $file ) {
|
if ( -f $file ) {
|
||||||
progress_message "Running $file...";
|
progress_message "Running $file...";
|
||||||
|
|
||||||
my ( $level, $tag ) = ( '', '' );
|
my ( $level, $tag ) = ( '', '' );
|
||||||
|
|
||||||
unless ( my $return = eval `cat $file` ) {
|
unless ( my $return = eval `cat $file` ) {
|
||||||
fatal_error "Couldn't parse $file: $@" if $@;
|
fatal_error "Couldn't parse $file: $@" if $@;
|
||||||
fatal_error "Couldn't do $file: $!" unless defined $return;
|
fatal_error "Couldn't do $file: $!" unless defined $return;
|
||||||
fatal_error "Couldn't run $file";
|
fatal_error "Couldn't run $file";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -130,6 +130,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -141,6 +141,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -139,6 +139,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -142,6 +142,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -130,6 +130,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=Yes
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -466,6 +466,22 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
|
||||||
|
PERL....END PERL in configuration files, the only way to execute a
|
||||||
|
chain-specific script was to create a script file with the same name
|
||||||
|
as the chain and place it in a directory on the CONFIG_PATH. That
|
||||||
|
facility has the drawback that the compiler will attempt to run a
|
||||||
|
non-script file just because it has the same name as a chain. To
|
||||||
|
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
|
||||||
|
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|
@ -123,6 +123,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -123,6 +123,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -123,6 +123,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -123,6 +123,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=No
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
CLEAR_TC=Yes
|
||||||
|
@ -123,6 +123,8 @@ AUTOMAKE=No
|
|||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
CHAIN_SCRIPTS=Yes
|
||||||
|
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
CLEAR_TC=No
|
CLEAR_TC=No
|
||||||
|
@ -396,6 +396,22 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.16. Prior to the availability of BEGIN
|
||||||
|
PERL....END PERL in configuration files, the only way to execute a
|
||||||
|
chain-specific script was to create a script file with the same name
|
||||||
|
as the chain and place it in a directory on the CONFIG_PATH. That
|
||||||
|
facility has the drawback that the compiler will attempt to run a
|
||||||
|
non-script file just because it has the same name as a chain. To
|
||||||
|
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
|
||||||
|
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
|