From 750237c630dd6967a53b663a2d5630c8eb4cc6f4 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 16 Jul 2006 23:07:56 +0000 Subject: [PATCH] Back out all post 3.2 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4230 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 52 ++++++++++++++++++++++++++++++++++++++++++++- Shorewall/functions | 23 +++++++++++++++----- 2 files changed, 69 insertions(+), 6 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 90a8888fb..48afecd88 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -476,6 +476,8 @@ determine_zones() [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}" while read zone type rest; do + expandv zone type + case $zone in *:*) parents=${zone#*:} @@ -898,7 +900,8 @@ find_hosts() # $1 = host zone local hosts interface address addresses while read z hosts options; do - if [ "x$z" = "x$1" ]; then + if [ "x$(expand $z)" = "x$1" ]; then + expandv hosts interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do @@ -1018,6 +1021,7 @@ validate_interfaces_file() { local z interface networks options r iface option while read z interface networks options; do + expandv z interface networks options r="$z $interface $networks $options" [ "x$z" = "x-" ] && z= @@ -1363,6 +1367,7 @@ __EOF__ save_command "DEFAULT_ROUTE=" while read table number mark duplicate interface gateway options copy; do + expandv table number mark duplicate interface gateway options copy provider="$table $number $mark $duplicate $interface $gateway $options $copy" add_a_provider PROVIDERS="$PROVIDERS $table" @@ -1407,6 +1412,7 @@ __EOF__ save_command while read source dest provider priority; do + expandv source dest provider priority rule="$source $dest $priority $provider" add_an_rtrule done < $TMP_DIR/route_rules 
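Review bot: In the find_hosts hunk the zone column is now compared through a command substitution, `"x$(expand $z)"`, where `expand` is `eval echo \"$@\"` and `$z` is passed unquoted, so the field is word-split and then eval'd on every hosts record even when the zone does not match. Every other reader loop in this patch expands the variables it read with the new `expandv` and then does a plain string test; find_hosts would be consistent and avoid the per-record subshell with `expandv z` before the test and `if [ "x$z" = "x$1" ]; then`. The `expandv hosts` inside the branch can stay as is. find_hosts continues outside this hunk, so I cannot see whether `z` is used again after the comparison.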
@@ -1434,6 +1440,7 @@ validate_hosts_file() { } while read z hosts options; do + expandv z hosts options r="$z $hosts $options" validate_zone1 $z || fatal_error "Invalid zone ($z) in record \"$r\"" @@ -1582,6 +1589,8 @@ validate_policy() strip_file policy while read client server policy loglevel synparams; do + expandv client server policy loglevel synparams + clientwild= serverwild= @@ -1743,9 +1752,11 @@ find_hosts_by_option() # $1 = option local ignore hosts interface address addresses options ipsec= list while read ignore hosts options; do + expandv options list=$(separate_list $options) if list_search $1 $list; then list_search ipsec $list && ipsec=ipsec || ipsec=none + expandv hosts interface=${hosts%%:*} addresses=${hosts#*:} for address in $(separate_list $addresses); do @@ -1795,6 +1806,7 @@ process_routestopped() # $1 = command local hosts= interface host host1 options networks source= dest= matched while read interface host options; do + expandv interface host options [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 for h in $(separate_list $host); do hosts="$hosts $interface:$h" @@ -1873,6 +1885,8 @@ process_criticalhosts() [ -f $TMP_DIR/routestopped ] || strip_file routestopped while read interface host options; do + expandv interface host options + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 || host=$(separate_list $host) if [ -n "$options" ]; then @@ -2129,6 +2143,7 @@ setup_tunnels() # $1 = name of tunnels file strip_file tunnels $1 while read kind z gateway z1; do + expandv kind z gateway z1 tunnel="$(echo $kind $z $gateway $z1)" if validate_zone $z; then inchain=${z}2${FW} @@ -2273,6 +2288,8 @@ setup_ipsec() { esac while read zone type options in_options out_options mss; do + expandv zone type options in_options out_options mss + if [ -n "$using_ipsec" ]; then validate_zone1 $zone || fatal_error "Unknown zone: $zone" fi 
@@ -2378,6 +2395,7 @@ __EOF__ save_progress_message "Setting up Proxy ARP..." while read address interface external haveroute persistent; do + expandv address interface external haveroute persistent list_search $interface $setlist || setlist="$setlist $interface" list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external" setup_one_proxy_arp @@ -2495,6 +2513,8 @@ setup_mac_lists() { # Process the maclist file producing the verification rules # while read disposition interface mac addresses; do + expandv disposition interface mac addresses + level= case $disposition in @@ -2762,7 +2782,10 @@ setup_nat() { [ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..." while read external interface internal allints localnat; do + expandv external interface internal allints localnat + do_one_nat + progress_message_and_save " Host $internal NAT $external on $interface" done < $TMP_DIR/nat } @@ -2795,6 +2818,8 @@ __EOF__ setup_netmap() { while read type net1 interface net2 ; do + expandv type net1 interface net2 + list_search $interface $ALL_INTERFACES || \ fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" @@ -2829,6 +2854,7 @@ setup_ecn() # $1 = file name progress_message2 "$DOING $1..." while read interface host; do + expandv interface host list_search $interface $ALL_INTERFACES || \ fatal_error "Unknown interface $interface" list_search $interface $interfaces || \ @@ -2916,6 +2942,7 @@ setup_tc1() { strip_file tcrules while read mark sources dests proto ports sports user testval length tos; do + expandv mark sources dests proto ports sports user testval length tos rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos") process_tc_rule done < $TMP_DIR/tcrules 
@@ -3212,6 +3239,7 @@ setup_accounting() # $1 = Name of accounting file strip_file accounting $1 while read action chain source dest proto port sport user ; do + expandv action chain source dest proto port sport user process_accounting_rule done < $TMP_DIR/accounting @@ -3527,9 +3555,11 @@ process_action() # $1 = chain (Chain to add the rules to) else loglevel="${target#*:}" target="${target%%:*}" + expandv loglevel if [ "$loglevel" != "${loglevel%:*}" ]; then logtag="${loglevel#*:}" loglevel="${loglevel%:*}" + expandv logtag fi case $loglevel in @@ -4024,6 +4054,7 @@ process_actions1() { progress_message2 " Pre-processing $fn..." strip_file $f $fn while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + expandv xtarget temp="${xtarget%%:*}" case "$temp" in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) @@ -4063,6 +4094,7 @@ process_actions1() { progress_message " ..Expanding Macro $fn..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget temp="${mtarget%%:*}" case "$temp" in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) @@ -4308,6 +4340,7 @@ __EOF__ progress_message2 "$DOING $(find_file $f) for Chain $xchain..." while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do + expandv xtarget # # Generate the target:level:tag to pass to process_action() # @@ -4340,6 +4373,8 @@ __EOF__ ;; esac + expandv xclients xservers xprotocol xports xcports xratelimit xuserspec + if [ -n "$is_macro" ]; then xtarget1=$(map_old_action $xtarget1) @@ -4353,6 +4388,8 @@ __EOF__ progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + mtarget=$(merge_levels $xaction2 $mtarget) case $mtarget in 
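Review bot: In the process_action hunk the added `expandv logtag` is a second expansion pass: `logtag` is split out of `loglevel` only after `expandv loglevel` has already run, so the tag already holds the substituted value and the extra call only re-evals that value (a variable value containing `$(...)` or backticks would be executed on this second pass, which the first pass does not do because `eval $1=\"$varval\"` does not re-parse what a `$NAME` expands to). Keeping just `expandv loglevel` ahead of the `${loglevel%:*}` test gives the same result for ordinary tags and removes the double eval. process_action starts outside this hunk, so I cannot see whether `target`, from which `loglevel` is carved, was itself expanded by the caller.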
@@ -5006,9 +5043,11 @@ __EOF__ else loglevel="${target#*:}" target="${target%%:*}" + expandv loglevel if [ "$loglevel" != "${loglevel%:*}" ]; then logtag="${loglevel#*:}" loglevel="${loglevel%:*}" + expandv logtag fi case $loglevel in @@ -5398,6 +5437,8 @@ process_macro() # $1 = target progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec + mtarget=$(merge_levels $itarget $mtarget) case $mtarget in @@ -5503,6 +5544,8 @@ process_rules() do_it() # $1 = "Yes" if the target is a macro. { + expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone= + if [ -z "$SECTIONS" ]; then finish_section ESTABLISHED,RELATED SECTIONS="ESTABLISHED RELATED NEW" @@ -5563,6 +5606,8 @@ process_rules() } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do + expandv xtarget xclients xservers + if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" progress_message " Rule \"$rule\" ignored." @@ -5837,6 +5882,7 @@ process_tos() # $1 = name of tos file createmanglechain outtos while read src dst protocol sport dport tos; do + expandv src dst protocol sport dport tos rule="$(echo $src $dst $protocol $sport $dport $tos)" process_tos_rule done < $TMP_DIR/tos @@ -6480,6 +6526,7 @@ __EOF__ fi while read fullinterface networks addresses proto ports ipsec; do + expandv fullinterface networks addresses proto ports ipsec if [ -n "$NAT_ENABLED" ]; then setup_one else @@ -6621,6 +6668,7 @@ setup_blacklist() { if [ -z "$DELAYBLACKLISTLOAD" ]; then while read networks protocol ports; do + expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist fi 
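Review bot: The `none` short-circuit at the top of the process_rules loop tests `"x$servers" = xnone`, but the variable the loop reads and now expands is `xservers`, so unless `servers` is assigned elsewhere in process_rules (whose body starts outside this hunk) a rule with `none` in the DEST column is not skipped here and falls through to do_it. That line is context rather than part of this change, but the new `expandv xtarget xclients xservers` placed directly above it is where the mismatch becomes visible; I would make it `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then`. Separately, the `rule=` string built for the "ignored" message still shows the remaining columns unexpanded, since do_it expands them only later; that affects only the progress message.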
@@ -6644,6 +6692,7 @@ refresh_blacklist() { run_iptables -F blacklst while read networks protocol ports; do + expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist } @@ -6662,6 +6711,7 @@ validate_blacklist() { [ "$disposition" = REJECT ] && disposition=reject while read networks protocol ports; do + expandv networks protocol ports process_blacklist_rec done < $TMP_DIR/blacklist } diff --git a/Shorewall/functions b/Shorewall/functions index d0596e5a7..bf4d134a0 100644 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -166,10 +166,17 @@ expand() # $@ = contents of variable which may be the name of another variable eval echo \"$@\" } -expand_it() { - local line - while read line; do - expand $line +# +# Perform variable substitition on the values of the passed list of variables +# +expandv() # $* = list of variable names +{ + local varval + + while [ $# -gt 0 ]; do + eval varval=\$${1} + eval $1=\"$varval\" + shift done } @@ -621,7 +628,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) [ $# = 1 ] && fname=$(find_file $1) || fname=$2 if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | expand_it > $TMP_DIR/$1 + read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 else > $TMP_DIR/$1 fi @@ -1585,6 +1592,7 @@ setup_traffic_shaping() get_outband_for_dev() { local device inband outband while read device inband outband; do + expandv device inband outband tcdev="$device $inband $outband" if [ "$1" = "$device" ] ; then echo $outband @@ -1615,6 +1623,7 @@ setup_traffic_shaping() searchdev=$1 while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options options=$(separate_list $options | tr '[A-Z]' '[a-z]') tcdev="$device $mark $rate $ceil $prio $options" if [ "$searchdev" = "$device" ] ; then 
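Review bot: expandv's second statement, `eval $1=\"$varval\"`, re-parses the field's contents as shell source, so a configuration column containing `$(...)`, backticks or an unbalanced double quote is executed by the compiler (which usually runs with root privileges) instead of being treated as data, while the intended use is only `$NAME`/`${NAME}` substitution. The pattern is not new exposure — `expand` (`eval echo \"$@\"`) is kept by this commit and `expand_it` used it before — but now that every `while read` loop in the compiler calls expandv on raw columns it is worth rejecting anything that is not a plain variable reference before the eval, e.g. inside the loop: `case $varval in *'`'*|*'$('*|*'"'*) fatal_error "Invalid characters in \"$varval\"" ;; esac` (fatal_error as used by the compiler's reader loops). The first `eval varval=\$${1}` is fine because `$1` is always a literal variable name at the call sites. A header comment stating that only `$NAME` references are expected in the values would also help the next reader.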
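Review bot: Removing expand_it from the strip_file pipeline moves variable expansion from before the `read` to after it, so a variable whose value contains whitespace now stays in the single column it was read into instead of being re-split into fields, and any reader of `$TMP_DIR/$1` that does not call expandv now sees the raw `$NAME` text. The commit adds expandv to many loops, but from this patch alone I cannot confirm that every consumer of a stripped file was covered. A comment on strip_file stating the new contract would guard against regressions, e.g. `# Output is NOT variable-expanded; readers must call expandv on the columns they use.`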
@@ -1633,6 +1642,7 @@ setup_traffic_shaping() progress_message2 "Validating $devfile..." local device local device inband outband while read device inband outband; do + expandv device inband outband tcdev="$device $inband $outband" check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" case $interface in @@ -1650,6 +1660,7 @@ setup_traffic_shaping() local classlist device mark rate ceil prio bandw wrongopt allopts opt allopts="" while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options tcdev="$device $mark $rate $ceil $prio $options" ratew=$(get_outband_for_dev $device) options=$(separate_list $options | tr '[A-Z]' '[a-z]') @@ -1828,6 +1839,7 @@ setup_traffic_shaping() progress_message2 "$DOING $devfile..." while read device inband outband; do + expandv device inband outband tcdev="$device $inband $outband" add_root_tc && progress_message " TC Device $tcdev defined." done < $TMP_DIR/tcdevices @@ -1837,6 +1849,7 @@ setup_traffic_shaping() progress_message2 "$DOING $classfile..." while read device mark rate ceil prio options; do + expandv device mark rate ceil prio options tcdev="$device $mark $rate $ceil $prio $options" options=$(separate_list $options | tr '[A-Z]' '[a-z]') add_tc_class && progress_message " TC Class $tcdev defined."