From 6d20c6672ddfddc2215e842db2258c71d08576d3 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 8 May 2007 22:28:48 +0000
Subject: [PATCH] Cleanup in process_rule1(); cosmetic changes to global variable generation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6293 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Chains.pm | 19 +++++++++---
 Shorewall-perl/Shorewall/Rules.pm  | 46 ++++++++++++++----------------
 Shorewall-perl/compiler.pl         |  3 --
 3 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 40641f5ab..596ded4ad 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1716,23 +1716,34 @@ sub emitr( $ ) {
     }
 }
 
+my $emitted_comment = 0;
+
+sub emit_comment() {
+    unless ( $emitted_comment ) {
+        emitj ( '#',
+                '# Establish the values of shell variables used in the following function calls',
+                '#' );
+        $emitted_comment = 1;
+    }
+}
+
 #
-# Generate function that sets global variables
+# Generate setting of global variables
 #
 sub set_global_variables() {
-    #
-    # Establish the values of shell variables used in the following shell commands and/or 'here documents' input.
-    #
     for ( values %interfaceaddr ) {
+        emit_comment;
         emit $_;
     }
 
     for ( values %interfaceaddrs ) {
+        emit_comment;
         emit $_;
     }
 
     for ( values %interfacenets ) {
+        emit_comment;
         emit $_;
     }
 
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 89b526ec0..26ff5b498 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
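Review bot: The new `emit_comment` sub has no header comment, while the neighbouring subs in this file carry the `#` block style, and its once-only behaviour depends on the file-scoped latch `$emitted_comment`, which nothing in the hunk resets; if `set_global_variables` were ever called a second time in the same process the variables would be emitted without the banner. I would add the file's block comment above the sub: `#` / `# Emit the "Establish the values of shell variables" banner at most once per process, before the first variable assignment; latched by $emitted_comment, which is never reset.` / `#`. For consistency with the other calls in the file, `emit_comment();` with parentheses would also make it clear this is a call and not a bareword. The body of `set_global_variables` continues past the end of the hunk.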
@@ -970,7 +970,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
     #
     $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
 
-    if ( $section eq 'ESTABLISHED' || $section eq 'RELATED' ) {
+    unless ( $section eq 'NEW' ) {
         fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
         fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
         $rule .= "-m state --state $section "
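Review bot: The replacement `unless ( $section eq 'NEW' )` widens the branch to every non-NEW value of `$section`, and three lines later that value is interpolated verbatim into `-m state --state $section`; the old test only did this for ESTABLISHED and RELATED. If `$section` can ever hold anything else (an empty value before the first SECTION line, or a section name added later), the generated rule would be rejected by iptables at load time rather than by the compiler, where the old code silently emitted a rule with no state match at all. Unless the caller guarantees only the three names reach here, keep the fail-fast in the compiler by adding inside the block `fatal_error "Unknown SECTION ($section)" unless $section eq 'ESTABLISHED' || $section eq 'RELATED';`. `process_rule1` begins and continues outside the hunk, so I cannot see how `$section` is assigned.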
@@ -1061,32 +1061,30 @@ sub process_rule1 ( $$$$$$$$$$ ) {
                 $dest   = $server;
                 $action = 'ACCEPT';
             }
-        } else {
-            if ( $actiontype & NONAT ) {
-                #
-                # NONAT or ACCEPT+ -- May not specify a destination interface
-                #
-                fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+        } elsif ( $actiontype & NONAT ) {
+            #
+            # NONAT or ACCEPT+ -- May not specify a destination interface
+            #
+            fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
 
-                $origdest = '' unless $origdest and $origdest ne '-';
+            $origdest = '' unless $origdest and $origdest ne '-';
 
-                if ( $origdest eq 'detect' ) {
-                    my $interfacesref = $zones{$sourcezone}{interfaces};
-                    my $interfaces = "@$interfacesref";
-                    $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
-                }
-
-                expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
-                             PREROUTE_RESTRICT ,
-                             $rule ,
-                             $source ,
-                             $dest ,
-                             $origdest ,
-                             '-j RETURN ' ,
-                             $loglevel ,
-                             $action ,
-                             '' );
+            if ( $origdest eq 'detect' ) {
+                my $interfacesref = $zones{$sourcezone}{interfaces};
+                my $interfaces = "@$interfacesref";
+                $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
             }
+
+            expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
+                         PREROUTE_RESTRICT ,
+                         $rule ,
+                         $source ,
+                         $dest ,
+                         $origdest ,
+                         '-j RETURN ' ,
+                         $loglevel ,
+                         $action ,
+                         '' );
         }
         #
         # Add filter table rule, unless this is a NATONLY rule type
diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl
index 9292b0862..61450bd49 100755
--- a/Shorewall-perl/compiler.pl
+++ b/Shorewall-perl/compiler.pl
@@ -584,14 +584,11 @@ sub generate_script_3() {
     emit 'define_firewall() {';
 
     push_indent;
 
-    emit '';
-
     set_global_variables;
 
     emit '';
 
     emit<<'EOF';
-
 setup_routing_and_traffic_shaping;
 
 if [ $COMMAND = restore ]; then
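Review bot: In the `detect` branch of the new `elsif`, `my $interfaces = "@$interfacesref";` dereferences `$zones{$sourcezone}{interfaces}` unconditionally, yet the `ensure_chain` expression a few lines below explicitly admits the firewall zone as `$sourcezone`; if that zone (or any other) has no `interfaces` entry, the compiler dies with Perl's bare "undefined value as an ARRAY reference" message instead of a `fatal_error` naming the rule. Guard the dereference with `my $interfaces = $interfacesref ? "@$interfacesref" : '';` so the existing `ALLIPv4` fallback on the next line takes over. The `else { if }` to `elsif` flattening itself preserves the old control flow, since the old inner `if` had no `else`. The enclosing if/elsif chain and `process_rule1` both start and end outside the hunk.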