From 8472d60c28be37cd192a40c28c40db45c0c978c5 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 9 Aug 2007 15:16:08 +0000
Subject: [PATCH] Bring trunk up to date with branch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/modules | 1 +
 Shorewall-perl/Shorewall/Chains.pm | 83 +++++++++++++--------------
 Shorewall-perl/Shorewall/Compiler.pm | 9 +++
 Shorewall-perl/Shorewall/Config.pm | 15 ++---
 Shorewall-perl/Shorewall/Policy.pm | 4 +-
 Shorewall-perl/Shorewall/Providers.pm | 2 +-
 Shorewall-perl/Shorewall/Rules.pm | 13 +----
 Shorewall-perl/Shorewall/Zones.pm | 12 ++--
 Shorewall-perl/prog.functions | 20 -------
 Shorewall-shell/compiler | 10 ++--
 Shorewall-shell/lib.actions | 6 +-
 Shorewall-shell/lib.tc | 4 +-
 docs/FAQ.xml | 2 +-
 13 files changed, 78 insertions(+), 103 deletions(-)

diff --git a/Shorewall-common/modules b/Shorewall-common/modules
index b1fd5725f..b9a6f01cd 100644
--- a/Shorewall-common/modules
+++ b/Shorewall-common/modules
@@ -42,6 +42,7 @@ loadmodule xt_limit
 loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
+loadmodule xt_multiport
 loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_physdev
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 8a7d65da3..c07334f8e 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -213,13 +213,13 @@ our %interfacebcasts;
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 #
-# State of the generator.
+# Mode of the generator.
 #
-use constant { NULL_STATE => 0 , # Generating neither shell commands nor iptables-restore input
-               CAT_STATE => 1 , # Generating iptables-restore input
-               CMD_STATE => 2 }; # Generating shell commands.
+use constant { NULL_MODE => 0 , # Generating neither shell commands nor iptables-restore input
+               CAT_MODE => 1 , # Generating iptables-restore input
+               CMD_MODE => 2 }; # Generating shell commands.
-our $state;
+our $mode;
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -1838,18 +1838,18 @@ sub insertnatjump( $$$$ ) {
     }
 }
-sub emit_comment( $ ) {
+sub emit_comment() {
     emit ( '#', '# Establish the values of shell variables used in the following function calls', '#' );
-    ${$_[0]} = 1;
+    our $emitted_comment = 1;
 }
-sub emit_test( $ ) {
+sub emit_test() {
     emit ( 'if [ "$COMMAND" != restore ]; then' , '' );
     push_indent;
-    ${$_[0]} = 1;
+    our $emitted_test = 1;
 }
 #
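Review bot: `our $emitted_comment = 1;` in emit_comment() and `our $emitted_test = 1;` in emit_test() turn what used to be a per-call flag passed by reference into package globals shared with set_global_variables(), and nothing at either sub says so; a reader of emit_test() alone also cannot see that the shell `if [ "$COMMAND" != restore ]; then` it opens (and the push_indent) must be closed by the caller. I would put `# Package-level flags; set_global_variables() resets them to 0 before each pass` above the two subs, and on emit_test() `# Caller must emit the matching 'fi' and pop_indent`. The code that consumes these flags is in the next hunk, and the code that closes the shell block is outside this hunk.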
@@ -1857,28 +1857,28 @@ sub emit_test( $ ) {
 #
 sub set_global_variables() {
-    my ( $emitted_comment, $emitted_test ) = (0, 0);
+    our ( $emitted_comment, $emitted_test ) = (0, 0);
     for ( values %interfaceaddr ) {
-        emit_comment( \$emitted_comment ) unless $emitted_comment;
+        emit_comment unless $emitted_comment;
         emit $_;
     }
     for ( values %interfaceaddrs ) {
-        emit_comment( \$emitted_comment ) unless $emitted_comment;
-        emit_test( \$emitted_test ) unless $emitted_test;
+        emit_comment unless $emitted_comment;
+        emit_test unless $emitted_test;
         emit $_;
     }
     for ( values %interfacenets ) {
-        emit_comment( \$emitted_comment ) unless $emitted_comment;
-        emit_test( \$emitted_test ) unless $emitted_test;
+        emit_comment unless $emitted_comment;
+        emit_test unless $emitted_test;
         emit $_;
     }
     unless ( $capabilities{ADDRTYPE} ) {
-        emit_comment( \$emitted_comment ) unless $emitted_comment;
-        emit_test( \$emitted_test ) unless $emitted_test;
+        emit_comment unless $emitted_comment;
+        emit_test unless $emitted_test;
         emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
         for ( values %interfacebcasts ) {
@@ -1900,19 +1900,19 @@ sub set_global_variables() {
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be bassed to iptables-restore
-# (CAT_STATE) and and writing shell source into the generated script.
+# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
-# The following two functions are responsible for the state transitions.
+# The following two functions are responsible for the mode transitions.
 #
-sub enter_cat_state() {
+sub enter_cat_mode() {
     emit '';
     emit 'cat >&3 << __EOF__';
-    $state = CAT_STATE;
+    $mode = CAT_MODE;
 }
-sub enter_cmd_state() {
-    emit_unindented "__EOF__\n" if $state == CAT_STATE;
-    $state = CMD_STATE;
+sub enter_cmd_mode() {
+    emit_unindented "__EOF__\n" if $mode == CAT_MODE;
+    $mode = CMD_MODE;
 }
 #
@@ -1925,13 +1925,13 @@ sub emitr( $ ) {
         #
         # A rule
         #
-        enter_cat_state unless $state == CAT_STATE;
+        enter_cat_mode unless $mode == CAT_MODE;
         emit_unindented $rule;
     } else {
         #
         # A command
         #
-        enter_cmd_state unless $state == CMD_STATE;
+        enter_cmd_mode unless $mode == CMD_MODE;
         emit $rule;
     }
 }
@@ -1948,7 +1948,7 @@ sub create_netfilter_load() {
     push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED};
     push @table_list, 'filter';
-    $state = NULL_STATE;
+    $mode = NULL_MODE;
     emit ( 'setup_netfilter()',
            '{'
@@ -1962,7 +1962,7 @@ sub create_netfilter_load() {
     emit 'exec 3>${VARDIR}/.iptables-restore-input';
-    enter_cat_state;
+    enter_cat_mode;
     for my $table ( @table_list ) {
         emit_unindented "*$table";
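Review bot: enter_cat_mode() emits `cat >&3 << __EOF__` unconditionally while enter_cmd_mode() guards its `__EOF__` on the current mode, so every caller has to write `enter_cat_mode unless $mode == CAT_MODE;` itself and one missed guard starts a second heredoc inside the first, corrupting the iptables-restore input; adding `return if $mode == CAT_MODE;` as the first line makes the pair symmetric and removes that footgun. Separately, the heredoc delimiter is unquoted, so the shell expands `$...`, backticks and `$(...)` in every rule line written to fd 3 at run time; if that is relied on for the shell variables set_global_variables() emits, a comment saying so would help, because any rule text containing those characters is otherwise interpreted rather than passed through. The rewritten comment line also keeps the doubled "and and" and the neighbouring "bassed" typo.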
@@ -1991,22 +1991,19 @@ sub create_netfilter_load() {
         }
     }
     #
-    # then emit the rules
+    # Then emit the rules
     #
     for my $chainref ( @chains ) {
-        my $name = $chainref->{name};
-        for my $rule ( @{$chainref->{rules}} ) {
-            emitr $rule;
-        }
+        emitr $_ for ( @{$chainref->{rules}} );
     }
     #
     # Commit the changes to the table
     #
-    enter_cat_state unless $state == CAT_STATE;
+    enter_cat_mode unless $mode == CAT_MODE;
     emit_unindented 'COMMIT';
     }
-    enter_cmd_state;
+    enter_cmd_mode;
     #
     # Now generate the actual iptables-restore command
     #
@@ -2030,7 +2027,7 @@ sub create_netfilter_load() {
 #
 sub create_blacklist_reload() {
-    $state = NULL_STATE;
+    $mode = NULL_MODE;
     emit( 'blacklist_reload()',
           '{'
@@ -2044,22 +2041,22 @@ sub create_blacklist_reload() {
     emit 'exec 3>${VARDIR}/.iptables-restore-input';
-    enter_cat_state;
+    enter_cat_mode;
     emit_unindented '*filter';
     emit_unindented ':blacklst - [0:0]';
-
-    for my $rule ( @{$filter_table->{blacklst}{rules}} ) {
-        emitr $rule;
-    }
+    #
+    # Emit the Blacklist rules
+    #
+    emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
     #
     # Commit the changes to the table
     #
-    enter_cat_state unless $state == CAT_STATE;
+    enter_cat_mode unless $mode == CAT_MODE;
     emit_unindented 'COMMIT';
-    enter_cmd_state;
+    enter_cmd_mode;
     #
     # Now generate the actual iptables-restore command
     #
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index 195f068b8..ea34fb836 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -604,6 +604,11 @@ sub generate_script_3() {
     dump_proxy_arp;
     emit_unindented '__EOF__';
+    emit( '',
+          'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
     emit 'cat > ${VARDIR}/chains << __EOF__';
     dump_rule_chains;
     emit_unindented '__EOF__';
@@ -612,6 +617,10 @@ sub generate_script_3() {
     dump_zone_contents;
     emit_unindented '__EOF__';
+    pop_indent;
+
+    emit "fi\n";
+
     emit '> ${VARDIR}/nat';
     add_addresses;
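Review bot: The new `if [ "$COMMAND" != refresh ]; then` … `fi` wrapper in generate_script_3() carries no comment saying why a refresh must leave ${VARDIR}/chains and the zone-contents file untouched, and the `fi` is emitted in a separate hunk (-612) several lines away, so the pairing is easy to break in a later edit. I would add a comment above the `emit( '',` call stating the reason, e.g. `# refresh must not rewrite ${VARDIR}/chains or the zone contents; they describe the configuration loaded by the last start/restart` — hedged, since the motivation is not visible in this hunk. generate_script_3() begins and ends outside these hunks.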
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index bf85b0001..3d9e7add8 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -587,11 +587,11 @@ sub create_temp_object( $ ) {
     die if $@;
-    fatal_error "Directory $dir does not exist" unless -d $dir;
-    fatal_error "Directory $dir is not writable" unless -w _;
     fatal_error "$dir is a Symbolic Link" if -l $dir;
-    fatal_error "$objectfile is a Directory" if -d $objectfile;
-    fatal_error "$dir is a Symbolic Link" if -l $objectfile;
+    fatal_error "Directory $dir does not exist" unless -d _;
+    fatal_error "Directory $dir is not writable" unless -w _;
+    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
+    fatal_error "$objectfile is a Directory" if -d _;
     fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
     eval {
@@ -864,12 +864,13 @@ sub read_a_line() {
     my @line = split ' ', $currentline;
-    fatal_error "Invalid INCLUDE command: $currentline" if @line != 2;
-    fatal_error "INCLUDEs nested too deeply: $currentline" if @includestack >= 4;
+    fatal_error "Invalid INCLUDE command" if @line != 2;
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
     my $filename = find_file $line[1];
-    fatal_error "INCLUDE file $filename not found" unless ( -f $filename );
+    fatal_error "INCLUDE file $filename not found" unless -f $filename;
+    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
     if ( -s _ ) {
         push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index 2c567918d..062a72a6a 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
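Review bot: The reordered tests in create_temp_object() now use the `_` stat buffer correctly (`-l` does the lstat, `-d _`/`-w _`/`-e _`/`-x _` reuse it), but they are still check-then-use: `-l $objectfile` rejects a symlink only at this instant, and the `eval {` block that follows (outside the hunk, presumably where $objectfile is opened) will follow a symlink planted between the check and the open if $dir is writable by other users. Given the name create_temp_object, the robust pattern is to create the file with sysopen and O_CREAT|O_EXCL, or under a private temporary name followed by rename(), and to treat these tests as early diagnostics rather than the security boundary. At minimum I would add `# Advisory checks only (check-then-use race); the open below must not follow symlinks` above the first fatal_error so nobody mistakes them for sufficient. create_temp_object() begins and ends outside this hunk.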
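Review bot: `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;` in read_a_line() can never fire: it is reached only when the preceding `-f $filename` test succeeded, and a regular file is never a directory, so an INCLUDE of a directory is still reported as "not found" and the new message is dead code. Swap the two tests so the directory check runs first and the file check reuses its stat buffer: `fatal_error "Directory ($filename) not allowed in INCLUDE" if -d $filename;` followed by `fatal_error "INCLUDE file $filename not found" unless -f _;` (a failed stat leaves `-f _` false, so a missing file still gets the "not found" error). read_a_line() begins and ends outside this hunk.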
@@ -200,9 +200,9 @@ sub validate_policy()
     fatal_error "Invalid policy $policy" unless exists $validpolicies{$policy};
     if ( $policy eq 'NONE' ) {
-        fatal_error "$client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
+        fatal_error "NONE policy not allowed with \"all\""
             if $clientwild || $serverwild;
-        fatal_error "$client, $server, $policy, $loglevel, $synparams: NONE policy not allowed to/from firewall zone"
+        fatal_error "NONE policy not allowed to/from firewall zone"
             if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
     }
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 55a556df2..263b8e5ea 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -294,7 +294,7 @@ sub add_a_provider( $$$$$$$$ ) {
     if ( $optional ) {
         emit ( " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" );
     } else {
-        emit( " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
+        emit( " fatal_error \"Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" );
     }
     emit "fi\n";
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 5e5803547..a42a3e423 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1617,11 +1617,7 @@ sub generate_matrix() {
     next unless $chain;
     if ( $zone eq $zone1 ) {
-        #
-        # One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
-        #
-        no warnings;
-        next if ( %{ $zoneref->{interfaces} } < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
+        next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
     }
     if ( $zone1ref->{type} eq 'bport4' ) {
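Review bot: The replacement `scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2` in generate_matrix() is more than a warning fix — on the Perls this code targets a hash in numeric context numifies its "used/allocated buckets" string, i.e. the number of used buckets, which can be smaller than the key count, so the old test could wrongly skip a zone whose two interfaces hashed into one bucket; that rationale vanished with the removed comment. I would keep a one-liner above the `next if`, e.g. `# count keys explicitly: a hash in numeric context gives bucket usage, not the key count`, so the `scalar keys` form is not "simplified" back. generate_matrix() begins and ends outside this hunk.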
@@ -1675,12 +1671,7 @@ sub generate_matrix() {
     my $num_ifaces = 0;
     if ( $zone eq $zone1 ) {
-        #
-        # One thing that the Llama fails to mention is that evaluating a hash in a numeric context produces a warning.
-        #
-        no warnings;
-        next ZONE1 if ( $num_ifaces = %{$zoneref->{interfaces}} ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
-        use warnings;
+        next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
         if ( $chain3 ) {
             while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 9ca4a2168..aafd514ed 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -425,16 +425,12 @@ sub dump_zone_contents()
 sub single_interface( $ ) {
     my $zone = $_[0];
     my $zoneref = $zones{$zone};
+    fatal_error "Internal Error in single_zone()" unless $zoneref;
-    {
-        no warnings;
-        if ( %{$zoneref->{interfaces}} == 1 ) {
-            ( keys %{$zoneref->{interfaces}} )[0];
-        } else {
-            '';
-        }
-    }
+    my @keys = keys( %{$zoneref->{interfaces}} );
+
+    @keys == 1 ? $keys[0] : '';
 }
 sub add_group_to_zone($$$$$)
diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions
index d0d554164..86051f2b1 100644
--- a/Shorewall-perl/prog.functions
+++ b/Shorewall-perl/prog.functions
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Clear Proxy Arp
 #
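Review bot: The new guard in Zones.pm names the wrong routine: `fatal_error "Internal Error in single_zone()" unless $zoneref;` sits inside single_interface(), and no single_zone() is visible in this hunk, so the diagnostic would point whoever hits it at a function that may not exist; change it to `fatal_error "Internal Error in single_interface()" unless $zoneref;`. The rewritten body `@keys == 1 ? $keys[0] : '';` is correct as the sub's implicit return value, but `return @keys == 1 ? $keys[0] : '';` would make that explicit now that the surrounding bare block is gone.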
@@ -145,24 +144,6 @@ restore_dynamic_rules() {
     fi
 }
-#
-# The following functions also appear in lib.base. They are duplicated here so that
-# restore scripts from prior versions continue to work.
-#
-get_device_mtu1() # $1 = device
-{
-    local output="$(ip link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-        mtu=$(find_mtu $output)
-        if [ -n "$mtu" ]; then
-            [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-        fi
-    fi
-
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -170,4 +151,3 @@ get_all_bcasts() {
     ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
-
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index a26c67d26..37a8c3e31 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -1671,11 +1671,11 @@ add_a_rule() {
     if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
         for adr in $(separate_list $addr); do
-            run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
+            run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
         done
         addr=
     else
-        run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
+        run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain
     fi
     cli=
@@ -1884,7 +1884,7 @@ __EOF__
     for adr in $(separate_list $addr); do
         if [ -n "$loglevel" -a -z "$natrule" ]; then
             log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
-                $user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+                $user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
         fi
         run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
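Review bot: The `fix_bang` calls in add_a_rule() now list `$multiport` before `$sports`, which only matters if `$multiport` carries the `-m multiport` load that `--sports`/`--dports` depend on; nothing near the calls says so, so a later edit can easily reorder them back. A comment on the first occurrence, `# $multiport (-m multiport) must precede $sports/$dports or iptables rejects the option`, would pin the invariant — hedged, since $multiport is populated outside this hunk. The non-logging `run_iptables2 ... $multiport $cli $sports` line already had this order, which supports the reading. add_a_rule() begins and ends outside these hunks.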
@@ -1899,7 +1899,7 @@ __EOF__
     if [ -n "$loglevel" -a -z "$natrule" ]; then
         log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
-            $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
+            $state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
     fi
     if [ -n "$nonat" ]; then
@@ -1922,7 +1922,7 @@ __EOF__
     if [ -n "$loglevel" -a -z "$natrule" ]; then
         log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
-            $state $(fix_bang $proto $sports $multiport $cli $dports)
+            $state $(fix_bang $proto $multiport $sports $cli $dports)
     fi
     [ -n "$nonat" ] && \
diff --git a/Shorewall-shell/lib.actions b/Shorewall-shell/lib.actions
index 586b576c3..f2d4c443e 100644
--- a/Shorewall-shell/lib.actions
+++ b/Shorewall-shell/lib.actions
@@ -80,7 +80,7 @@ add_an_action() {
     build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
-    run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
+    run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports $dports) $user -j $chain1
     cli=
     proto=
@@ -219,7 +219,7 @@ add_an_action()
     for srv in $(firewall_ip_range $serv1); do
         if [ -n "$loglevel" ]; then
             log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
-                $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dest_interface $dports)
+                $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dest_interface $dports)
         fi
         run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@@ -229,7 +229,7 @@ add_an_action()
     else
         if [ -n "$loglevel" ]; then
             log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
-                $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
+                $(fix_bang $proto $multiport $sports $cli $dest_interface $dports)
         fi
         run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
diff --git a/Shorewall-shell/lib.tc b/Shorewall-shell/lib.tc
index 5842f07b4..4f225cda7 100644
--- a/Shorewall-shell/lib.tc
+++ b/Shorewall-shell/lib.tc
@@ -175,7 +175,7 @@ setup_traffic_shaping()
     dev=$(chain_base $device)
-    save_command "if interface_is_usable $device; then"
+    save_command "if interface_is_up $device; then"
     indent="$INDENT"
     INDENT="$INDENT "
     save_command ${dev}_exists=Yes
@@ -201,7 +201,7 @@ setup_traffic_shaping()
     INDENT="$indent"
     save_command else
     INDENT="$INDENT "
-    save_command error_message "\"WARNING: Device $device not up and configured -- traffic-shaping configuration skipped\""
+    save_command error_message "\"WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped\""
     save_command "${dev}_exists="
     INDENT="$indent"
     save_command "fi"
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index baa7d9575..7e956a4fd 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1136,7 +1136,7 @@ DROP net fw udp 10619
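Review bot: `interface_is_up` reads as a weaker test than the `interface_is_usable` it replaces, so the generated script will now configure traffic shaping on a device that is UP but has no address configured; the rewritten warning text confirms the narrower intent, but nothing says why the stronger check was dropped. If that is deliberate (tc qdiscs do not need an address on the device), a comment above `save_command "if interface_is_up $device; then"` stating it would stop someone from restoring the old test; if the two helpers differ in other ways not visible here, that is worth confirming before merging. setup_traffic_shaping() begins and ends outside these hunks.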
- (FAQ 17) Why are these packets being Dropped/Rejected?/How do I + <title>(FAQ 17) Why are these packets being Dropped/Rejected? How do I decode Shorewall log messages? Answer: Logging of