Back out all post 3.2 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4230 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3f9c8996bb
commit
750237c630
@ -476,6 +476,8 @@ determine_zones()
|
||||
[ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
|
||||
|
||||
while read zone type rest; do
|
||||
expandv zone type
|
||||
|
||||
case $zone in
|
||||
*:*)
|
||||
parents=${zone#*:}
|
||||
@ -898,7 +900,8 @@ find_hosts() # $1 = host zone
|
||||
local hosts interface address addresses
|
||||
|
||||
while read z hosts options; do
|
||||
if [ "x$z" = "x$1" ]; then
|
||||
if [ "x$(expand $z)" = "x$1" ]; then
|
||||
expandv hosts
|
||||
interface=${hosts%%:*}
|
||||
addresses=${hosts#*:}
|
||||
for address in $(separate_list $addresses); do
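Review bot: If `if [ "x$(expand $z)" = "x$1" ]` (L48) is the new side of this change, the expanded zone name is compared but never stored, so any later use of `$z` in find_hosts still sees the raw field, and `$z` is passed to `expand` unquoted while `hosts` is expanded only after the match (L51). validate_hosts_file in this same commit (L142) does `expandv z hosts options` once before any use; the same shape here would be `expandv z hosts` on the line before the test, followed by `if [ "x$z" = "x$1" ]; then`, which also removes the extra subshell per record. The body of find_hosts continues outside the hunk, so whether `$z` is reused afterwards cannot be confirmed from here.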
|
||||
@ -1018,6 +1021,7 @@ validate_interfaces_file() {
|
||||
local z interface networks options r iface option
|
||||
|
||||
while read z interface networks options; do
|
||||
expandv z interface networks options
|
||||
r="$z $interface $networks $options"
|
||||
|
||||
[ "x$z" = "x-" ] && z=
|
||||
@ -1363,6 +1367,7 @@ __EOF__
|
||||
save_command "DEFAULT_ROUTE="
|
||||
|
||||
while read table number mark duplicate interface gateway options copy; do
|
||||
expandv table number mark duplicate interface gateway options copy
|
||||
provider="$table $number $mark $duplicate $interface $gateway $options $copy"
|
||||
add_a_provider
|
||||
PROVIDERS="$PROVIDERS $table"
|
||||
@ -1407,6 +1412,7 @@ __EOF__
|
||||
save_command
|
||||
|
||||
while read source dest provider priority; do
|
||||
expandv source dest provider priority
|
||||
rule="$source $dest $priority $provider"
|
||||
add_an_rtrule
|
||||
done < $TMP_DIR/route_rules
|
||||
@ -1434,6 +1440,7 @@ validate_hosts_file() {
|
||||
}
|
||||
|
||||
while read z hosts options; do
|
||||
expandv z hosts options
|
||||
r="$z $hosts $options"
|
||||
validate_zone1 $z || fatal_error "Invalid zone ($z) in record \"$r\""
|
||||
|
||||
@ -1582,6 +1589,8 @@ validate_policy()
|
||||
strip_file policy
|
||||
|
||||
while read client server policy loglevel synparams; do
|
||||
expandv client server policy loglevel synparams
|
||||
|
||||
clientwild=
|
||||
serverwild=
|
||||
|
||||
@ -1743,9 +1752,11 @@ find_hosts_by_option() # $1 = option
|
||||
local ignore hosts interface address addresses options ipsec= list
|
||||
|
||||
while read ignore hosts options; do
|
||||
expandv options
|
||||
list=$(separate_list $options)
|
||||
if list_search $1 $list; then
|
||||
list_search ipsec $list && ipsec=ipsec || ipsec=none
|
||||
expandv hosts
|
||||
interface=${hosts%%:*}
|
||||
addresses=${hosts#*:}
|
||||
for address in $(separate_list $addresses); do
|
||||
@ -1795,6 +1806,7 @@ process_routestopped() # $1 = command
|
||||
local hosts= interface host host1 options networks source= dest= matched
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
@ -1873,6 +1885,8 @@ process_criticalhosts()
|
||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host)
|
||||
|
||||
if [ -n "$options" ]; then
|
||||
@ -2129,6 +2143,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
strip_file tunnels $1
|
||||
|
||||
while read kind z gateway z1; do
|
||||
expandv kind z gateway z1
|
||||
tunnel="$(echo $kind $z $gateway $z1)"
|
||||
if validate_zone $z; then
|
||||
inchain=${z}2${FW}
|
||||
@ -2273,6 +2288,8 @@ setup_ipsec() {
|
||||
esac
|
||||
|
||||
while read zone type options in_options out_options mss; do
|
||||
expandv zone type options in_options out_options mss
|
||||
|
||||
if [ -n "$using_ipsec" ]; then
|
||||
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
|
||||
fi
|
||||
@ -2378,6 +2395,7 @@ __EOF__
|
||||
save_progress_message "Setting up Proxy ARP..."
|
||||
|
||||
while read address interface external haveroute persistent; do
|
||||
expandv address interface external haveroute persistent
|
||||
list_search $interface $setlist || setlist="$setlist $interface"
|
||||
list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
|
||||
setup_one_proxy_arp
|
||||
@ -2495,6 +2513,8 @@ setup_mac_lists() {
|
||||
# Process the maclist file producing the verification rules
|
||||
#
|
||||
while read disposition interface mac addresses; do
|
||||
expandv disposition interface mac addresses
|
||||
|
||||
level=
|
||||
|
||||
case $disposition in
|
||||
@ -2762,7 +2782,10 @@ setup_nat() {
|
||||
[ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..."
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
do_one_nat
|
||||
|
||||
progress_message_and_save " Host $internal NAT $external on $interface"
|
||||
done < $TMP_DIR/nat
|
||||
}
|
||||
@ -2795,6 +2818,8 @@ __EOF__
|
||||
setup_netmap() {
|
||||
|
||||
while read type net1 interface net2 ; do
|
||||
expandv type net1 interface net2
|
||||
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
|
||||
|
||||
@ -2829,6 +2854,7 @@ setup_ecn() # $1 = file name
|
||||
progress_message2 "$DOING $1..."
|
||||
|
||||
while read interface host; do
|
||||
expandv interface host
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
fatal_error "Unknown interface $interface"
|
||||
list_search $interface $interfaces || \
|
||||
@ -2916,6 +2942,7 @@ setup_tc1() {
|
||||
strip_file tcrules
|
||||
|
||||
while read mark sources dests proto ports sports user testval length tos; do
|
||||
expandv mark sources dests proto ports sports user testval length tos
|
||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
@ -3212,6 +3239,7 @@ setup_accounting() # $1 = Name of accounting file
|
||||
strip_file accounting $1
|
||||
|
||||
while read action chain source dest proto port sport user ; do
|
||||
expandv action chain source dest proto port sport user
|
||||
process_accounting_rule
|
||||
done < $TMP_DIR/accounting
|
||||
|
||||
@ -3527,9 +3555,11 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
else
|
||||
loglevel="${target#*:}"
|
||||
target="${target%%:*}"
|
||||
expandv loglevel
|
||||
if [ "$loglevel" != "${loglevel%:*}" ]; then
|
||||
logtag="${loglevel#*:}"
|
||||
loglevel="${loglevel%:*}"
|
||||
expandv logtag
|
||||
fi
|
||||
|
||||
case $loglevel in
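Review bot: The `expandv loglevel` (L489) and `expandv logtag` (L501) lines are inserted at exactly the same two places in the hunk at L630 (L642, L654), so the target/level/tag split is now maintained twice by hand; a shared helper that takes `target` and sets `target`, `loglevel` and `logtag` would keep the two in step. The order is also worth a comment, because it is what makes a single variable able to supply the whole suffix: the split on `:` happens before expansion, and `loglevel` is split again afterwards, so `# expand after the split so one variable may supply "level" or "level:tag"` above L489 would record the intent. process_action starts and ends outside the hunk.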
|
||||
@ -4024,6 +4054,7 @@ process_actions1() {
|
||||
progress_message2 " Pre-processing $fn..."
|
||||
strip_file $f $fn
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
||||
expandv xtarget
|
||||
temp="${xtarget%%:*}"
|
||||
case "$temp" in
|
||||
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
|
||||
@ -4063,6 +4094,7 @@ process_actions1() {
|
||||
progress_message " ..Expanding Macro $fn..."
|
||||
|
||||
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||||
expandv mtarget
|
||||
temp="${mtarget%%:*}"
|
||||
case "$temp" in
|
||||
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
|
||||
@ -4308,6 +4340,7 @@ __EOF__
|
||||
progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
||||
expandv xtarget
|
||||
#
|
||||
# Generate the target:level:tag to pass to process_action()
|
||||
#
|
||||
@ -4340,6 +4373,8 @@ __EOF__
|
||||
;;
|
||||
esac
|
||||
|
||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
||||
|
||||
if [ -n "$is_macro" ]; then
|
||||
|
||||
xtarget1=$(map_old_action $xtarget1)
|
||||
@ -4353,6 +4388,8 @@ __EOF__
|
||||
|
||||
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
|
||||
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||||
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
|
||||
|
||||
mtarget=$(merge_levels $xaction2 $mtarget)
|
||||
|
||||
case $mtarget in
|
||||
@ -5006,9 +5043,11 @@ __EOF__
|
||||
else
|
||||
loglevel="${target#*:}"
|
||||
target="${target%%:*}"
|
||||
expandv loglevel
|
||||
if [ "$loglevel" != "${loglevel%:*}" ]; then
|
||||
logtag="${loglevel#*:}"
|
||||
loglevel="${loglevel%:*}"
|
||||
expandv logtag
|
||||
fi
|
||||
|
||||
case $loglevel in
|
||||
@ -5398,6 +5437,8 @@ process_macro() # $1 = target
|
||||
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
|
||||
|
||||
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||||
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
|
||||
|
||||
mtarget=$(merge_levels $itarget $mtarget)
|
||||
|
||||
case $mtarget in
|
||||
@ -5503,6 +5544,8 @@ process_rules()
|
||||
|
||||
do_it() # $1 = "Yes" if the target is a macro.
|
||||
{
|
||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
|
||||
|
||||
if [ -z "$SECTIONS" ]; then
|
||||
finish_section ESTABLISHED,RELATED
|
||||
SECTIONS="ESTABLISHED RELATED NEW"
|
||||
@ -5563,6 +5606,8 @@ process_rules()
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
expandv xtarget xclients xservers
|
||||
|
||||
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
|
||||
progress_message " Rule \"$rule\" ignored."
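Review bot: The new `expandv xtarget xclients xservers` (L725) expands `xservers`, but the ignore-check on the next non-blank line tests `$servers` (`"x$servers" = xnone`), so the server column is never compared after expansion unless `servers` is assigned somewhere in process_rules outside this hunk. If it is a typo the fix is `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then`; if `servers` is deliberate, a short comment saying where it is set would stop the next reader from making the same assumption. The loop body continues past the end of the hunk.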
|
||||
@ -5837,6 +5882,7 @@ process_tos() # $1 = name of tos file
|
||||
createmanglechain outtos
|
||||
|
||||
while read src dst protocol sport dport tos; do
|
||||
expandv src dst protocol sport dport tos
|
||||
rule="$(echo $src $dst $protocol $sport $dport $tos)"
|
||||
process_tos_rule
|
||||
done < $TMP_DIR/tos
|
||||
@ -6480,6 +6526,7 @@ __EOF__
|
||||
fi
|
||||
|
||||
while read fullinterface networks addresses proto ports ipsec; do
|
||||
expandv fullinterface networks addresses proto ports ipsec
|
||||
if [ -n "$NAT_ENABLED" ]; then
|
||||
setup_one
|
||||
else
|
||||
@ -6621,6 +6668,7 @@ setup_blacklist() {
|
||||
|
||||
if [ -z "$DELAYBLACKLISTLOAD" ]; then
|
||||
while read networks protocol ports; do
|
||||
expandv networks protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
fi
|
||||
@ -6644,6 +6692,7 @@ refresh_blacklist() {
|
||||
run_iptables -F blacklst
|
||||
|
||||
while read networks protocol ports; do
|
||||
expandv networks protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
}
|
||||
@ -6662,6 +6711,7 @@ validate_blacklist() {
|
||||
[ "$disposition" = REJECT ] && disposition=reject
|
||||
|
||||
while read networks protocol ports; do
|
||||
expandv networks protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
}
|
||||
|
@ -166,10 +166,17 @@ expand() # $@ = contents of variable which may be the name of another variable
|
||||
eval echo \"$@\"
|
||||
}
|
||||
|
||||
expand_it() {
|
||||
local line
|
||||
while read line; do
|
||||
expand $line
|
||||
#
|
||||
# Perform variable substitition on the values of the passed list of variables
|
||||
#
|
||||
expandv() # $* = list of variable names
|
||||
{
|
||||
local varval
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
eval varval=\$${1}
|
||||
eval $1=\"$varval\"
|
||||
shift
|
||||
done
|
||||
}
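Review bot: `expandv` substitutes each value with `eval $1=\"$varval\"` (L904), which is a full shell parse of the field, not a `$VAR` lookup: a config field containing `$(…)`, backquotes or an unbalanced `"` is executed or breaks the assignment, and `$1` is never checked to be a plain variable name. Every `while read …; do expandv …` loop in the other hunks now routes file fields through this function, so the header comment should state the trust assumption, e.g. `# NOTE: values are re-parsed by eval (command substitution included); only trusted, root-owned config files may be fed here.` A cheap guard that keeps the documented variable-substitution semantics is to reject command substitution before the second eval, e.g. `case $varval in *'$('*|*'`'*) fatal_error "Command substitution not allowed in $1";; esac`. The removed `expand_it` and the surviving `expand()` (L858, `eval echo \"$@\"`) appear to carry the same property, so the note applies to the file as a whole rather than to this function alone.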
|
||||
|
||||
@ -621,7 +628,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
|
||||
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
|
||||
|
||||
if [ -f $fname ]; then
|
||||
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_it > $TMP_DIR/$1
|
||||
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
|
||||
else
|
||||
> $TMP_DIR/$1
|
||||
fi
|
||||
@ -1585,6 +1592,7 @@ setup_traffic_shaping()
|
||||
get_outband_for_dev() {
|
||||
local device inband outband
|
||||
while read device inband outband; do
|
||||
expandv device inband outband
|
||||
tcdev="$device $inband $outband"
|
||||
if [ "$1" = "$device" ] ; then
|
||||
echo $outband
|
||||
@ -1615,6 +1623,7 @@ setup_traffic_shaping()
|
||||
searchdev=$1
|
||||
|
||||
while read device mark rate ceil prio options; do
|
||||
expandv device mark rate ceil prio options
|
||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||
tcdev="$device $mark $rate $ceil $prio $options"
|
||||
if [ "$searchdev" = "$device" ] ; then
|
||||
@ -1633,6 +1642,7 @@ setup_traffic_shaping()
|
||||
progress_message2 "Validating $devfile..."
|
||||
local device local device inband outband
|
||||
while read device inband outband; do
|
||||
expandv device inband outband
|
||||
tcdev="$device $inband $outband"
|
||||
check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
|
||||
case $interface in
|
||||
@ -1650,6 +1660,7 @@ setup_traffic_shaping()
|
||||
local classlist device mark rate ceil prio bandw wrongopt allopts opt
|
||||
allopts=""
|
||||
while read device mark rate ceil prio options; do
|
||||
expandv device mark rate ceil prio options
|
||||
tcdev="$device $mark $rate $ceil $prio $options"
|
||||
ratew=$(get_outband_for_dev $device)
|
||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||
@ -1828,6 +1839,7 @@ setup_traffic_shaping()
|
||||
progress_message2 "$DOING $devfile..."
|
||||
|
||||
while read device inband outband; do
|
||||
expandv device inband outband
|
||||
tcdev="$device $inband $outband"
|
||||
add_root_tc && progress_message " TC Device $tcdev defined."
|
||||
done < $TMP_DIR/tcdevices
|
||||
@ -1837,6 +1849,7 @@ setup_traffic_shaping()
|
||||
progress_message2 "$DOING $classfile..."
|
||||
|
||||
while read device mark rate ceil prio options; do
|
||||
expandv device mark rate ceil prio options
|
||||
tcdev="$device $mark $rate $ceil $prio $options"
|
||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||
add_tc_class && progress_message " TC Class $tcdev defined."
|
||||
|