Fix Makefile and make macro substitution smarter

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3000 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-11-15 18:44:02 +00:00
parent f73a064339
commit 93210fa3a5
4 changed files with 76 additions and 6 deletions


@ -1,7 +1,7 @@
# Shorewall Makefile to restart if config-files are newer than last restart # Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=/var/lib/shorewall VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall CONFDIR=/etc/shorewall
all: $(VARDIR)/restarted all: $(VARDIR)/restore-base
$(VARDIR)/restore-base: $(CONFDIR)/* $(VARDIR)/restore-base: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \ @/sbin/shorewall -q save >/dev/null; \
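Review bot: The recipe under `$(VARDIR)/restore-base` joins its first command to the rest with `;`, so a failing `/sbin/shorewall -q save` does not stop the chain and make sees only the status of the last command; the continuation after the trailing backslash is outside the hunk, so whether that is intended cannot be confirmed from here. If the save is a precondition for what follows, chain with `&&` (`@/sbin/shorewall -q save >/dev/null && \`); if it is deliberately best-effort, a one-line comment saying so would help. Separately, `all` names no file and could be declared with `.PHONY: all`, unless the file already does so further down.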


@ -2,6 +2,11 @@ Changes in 3.0.1
1) Set policies for chains in nat, mangle and raw tables. 1) Set policies for chains in nat, mangle and raw tables.
2) Applied Tuomo's patch for Makefile.
3) Add Farkas ordering to generated SOURCE and DEST column when expanding
macros.
Changes in 3.0.0 Final Changes in 3.0.0 Final
None. None.


@ -4876,6 +4876,27 @@ map_old_action() # $1 = Potential Old Action
echo $1 echo $1
} }
#
# Combine a source/dest from the macro body with one from the macro invocation
#
merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
{
case $2 in
-)
echo ${1}
;;
*.*.*|+*|~*)
#
# Value in the invocation is an address -- put it behind the value from the macro
#
echo ${1}:${2}
;;
*)
echo ${2}:${1}
;;
esac
}
# #
# The next three functions implement the three phases of action processing. # The next three functions implement the three phases of action processing.
# #
@ -5235,6 +5256,7 @@ process_actions3() {
;; ;;
esac esac
echo ${2%:*}:${1}
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
if [ -n "$is_macro" ]; then if [ -n "$is_macro" ]; then
@ -5252,7 +5274,7 @@ process_actions3() {
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $xaction2 $mtarget) mtarget=$(merge_levels $xaction $mtarget)
case $mtarget in case $mtarget in
PARAM|PARAM:*) PARAM|PARAM:*)
@ -5266,7 +5288,7 @@ process_actions3() {
mclients=${xclients} mclients=${xclients}
;; ;;
*) *)
mclients=${mclients}:${xclients} mclients=$(merge_macro_source_dest $mclients $xclients)
;; ;;
esac esac
else else
@ -5279,7 +5301,7 @@ process_actions3() {
mservers=${xservers} mservers=${xservers}
;; ;;
*) *)
mservers=${mservers}:${xservers} mservers=$(merge_macro_source_dest $mservers $xservers)
;; ;;
esac esac
else else
@ -6309,7 +6331,7 @@ process_macro() # $1 = target
mclients=${iclients} mclients=${iclients}
;; ;;
*) *)
mclients=${mclients}:${iclients} mclients=$(merge_macro_source_dest $mclients $iclients)
;; ;;
esac esac
else else
@ -6322,7 +6344,7 @@ process_macro() # $1 = target
mservers=${iservers} mservers=${iservers}
;; ;;
*) *)
mservers=${mservers}:${iservers} mservers=$(merge_macro_source_dest $mservers $iservers)
;; ;;
esac esac
else else
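Review bot: The line added to `process_actions3` in the hunk at -5235, `echo ${2%:*}:${1}`, looks like leftover debugging output: it sits between the `esac` and the `expandv` call, its result is neither assigned nor tested, and nothing else in the hunk refers to it. Unless a caller outside the hunk relies on that text, drop the line, since stray output from the rule compiler ends up wherever the function's stdout goes. In the same section the new calls pass their arguments unquoted, e.g. `mclients=$(merge_macro_source_dest $mclients $xclients)`; if the first value is ever empty, the invocation value shifts into `$1` and `case $2` matches the `*)` branch, so quoting both (`"$mclients" "$xclients"`) and the `echo` operands in the helper would keep the positions fixed. The `*.*.*` pattern also treats any invocation value containing two dots as a bare address, so a value of the form zone:address (if that is accepted in this column) would be appended after the macro's value; a comment stating that assumption would help. The bodies of `process_actions3` and `process_macro` extend beyond the hunks shown.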


@ -7,6 +7,49 @@ Problems Corrected in 3.0.1
the policy to ACCEPT. This could result in a ruleset that rejected or the policy to ACCEPT. This could result in a ruleset that rejected or
dropped all traffic. dropped all traffic.
2) The Makefile was broken such that 'make' didn't always work correctly.
3) If the SOURCE or DEST column in a macro body was non-empty and a dash
("-") appeared in the corresponding column of an invocation of that
macro, then an invalid rule was generated.
New Features in 3.0.1
1) To make the macro facility more flexible, Shorewall now examines the
contents of the SOURCE and DEST columns in both the macro body and in
the invocation and tries to create the intended rule. If the value in
the invocation appears to be an address (IP or MAC) or the name of an
ipset, then it is placed after the value in the macro body. Otherwise,
it is placed before the value in the macro body.
Example 1:
/etc/shorewall/macro.foo:
PARAM - 192.168.1.5 tcp http
/etc/shorewallrules:
foo/ACCEPT net loc
Effective rule:
ACCEPT net loc:192.168.1.5 tcp http
Example 2:
/etc/shorewall/macro.bar:
PARAM net loc tcp http
/etc/shorewall/rules:
bar/ACCEPT - 192.168.1.5
Effective rule:
ACCEPT net loc:192.168.1.5 tcp http
Migration Considerations: Migration Considerations:
1) The "monitor" command has been eliminated. 1) The "monitor" command has been eliminated.