Fix Makefile and make macro substitution smarter
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3000 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f73a064339
commit
93210fa3a5
@ -1,7 +1,7 @@
|
||||
# Shorewall Makefile to restart if config-files are newer than last restart
|
||||
VARDIR=/var/lib/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
all: $(VARDIR)/restarted
|
||||
all: $(VARDIR)/restore-base
|
||||
|
||||
$(VARDIR)/restore-base: $(CONFDIR)/*
|
||||
@/sbin/shorewall -q save >/dev/null; \
|
||||
|
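Review bot: The recipe for `$(VARDIR)/restore-base` chains `/sbin/shorewall -q save` with `;`, so a failed save does not abort the rule and whatever follows the backslash continuation (outside this hunk) still runs, which can leave a stale or partial restore file that make then treats as up to date. Since that file is what a later `shorewall restore` executes as root, the save should gate the rest of the recipe: `@/sbin/shorewall -q save >/dev/null && \`, ideally with a top-of-file `.DELETE_ON_ERROR:` so a failed run does not leave a newer-than-config target behind. Note also that the `$(CONFDIR)/*` prerequisite is a glob expanded when the Makefile is read, so removing a configuration file does not trigger a restart; if that is intended, a one-line comment saying so above the rule would save the next maintainer from "fixing" it.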
@ -2,6 +2,11 @@ Changes in 3.0.1
|
||||
|
||||
1) Set policies for chains in nat, mangle and raw tables.
|
||||
|
||||
2) Applied Tuomo's patch for Makefile.
|
||||
|
||||
3) Add Farkas ordering to generated SOURCE and DEST column when expanding
|
||||
macros.
|
||||
|
||||
Changes in 3.0.0 Final
|
||||
|
||||
None.
|
||||
|
@ -4876,6 +4876,27 @@ map_old_action() # $1 = Potential Old Action
|
||||
echo $1
|
||||
}
|
||||
|
||||
#
|
||||
# Combine a source/dest from the macro body with one from the macro invocation
|
||||
#
|
||||
merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
|
||||
{
|
||||
case $2 in
|
||||
-)
|
||||
echo ${1}
|
||||
;;
|
||||
*.*.*|+*|~*)
|
||||
#
|
||||
# Value in the invocation is an address -- put it behind the value from the macro
|
||||
#
|
||||
echo ${1}:${2}
|
||||
;;
|
||||
*)
|
||||
echo ${2}:${1}
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# The next three functions implement the three phases of action processing.
|
||||
#
|
||||
@ -5235,6 +5256,7 @@ process_actions3() {
|
||||
;;
|
||||
esac
|
||||
|
||||
echo ${2%:*}:${1}
|
||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
||||
|
||||
if [ -n "$is_macro" ]; then
|
||||
@ -5252,7 +5274,7 @@ process_actions3() {
|
||||
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
|
||||
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
|
||||
|
||||
mtarget=$(merge_levels $xaction2 $mtarget)
|
||||
mtarget=$(merge_levels $xaction $mtarget)
|
||||
|
||||
case $mtarget in
|
||||
PARAM|PARAM:*)
|
||||
@ -5266,7 +5288,7 @@ process_actions3() {
|
||||
mclients=${xclients}
|
||||
;;
|
||||
*)
|
||||
mclients=${mclients}:${xclients}
|
||||
mclients=$(merge_macro_source_dest $mclients $xclients)
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -5279,7 +5301,7 @@ process_actions3() {
|
||||
mservers=${xservers}
|
||||
;;
|
||||
*)
|
||||
mservers=${mservers}:${xservers}
|
||||
mservers=$(merge_macro_source_dest $mservers $xservers)
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -6309,7 +6331,7 @@ process_macro() # $1 = target
|
||||
mclients=${iclients}
|
||||
;;
|
||||
*)
|
||||
mclients=${mclients}:${iclients}
|
||||
mclients=$(merge_macro_source_dest $mclients $iclients)
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -6322,7 +6344,7 @@ process_macro() # $1 = target
|
||||
mservers=${iservers}
|
||||
;;
|
||||
*)
|
||||
mservers=${mservers}:${iservers}
|
||||
mservers=$(merge_macro_source_dest $mservers $iservers)
|
||||
;;
|
||||
esac
|
||||
else
|
||||
|
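Review bot: merge_macro_source_dest() in the first hunk classifies the invocation value purely by shape, and the `*.*.*|+*|~*` pattern also matches an invocation column that already carries a zone qualifier such as `loc:192.168.1.5`, so it would be appended after the body value and produce something like `net:loc:192.168.1.5` rather than a single zone:address pair; the same pattern accepts any dotted hostname, which the release notes do not describe. A guard ahead of the existing patterns, e.g. `*:*) echo ${2} ;;` (or a fatal error for the ambiguous case), would make that input explicit instead of silently building an invalid rule. The callers in the later hunks pass `$mclients $xclients` and `$iservers` unquoted, so an empty value shifts the positional parameters and `$2` becomes empty; quoting the call, `mclients=$(merge_macro_source_dest "$mclients" "$xclients")`, keeps the argument positions stable. The case statements around those calls in process_actions3 and process_macro begin outside the hunks, so whether an empty value can reach them is not visible here.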
@ -7,6 +7,49 @@ Problems Corrected in 3.0.1
|
||||
the policy to ACCEPT. This could result in a ruleset that rejected or
|
||||
dropped all traffic.
|
||||
|
||||
2) The Makefile was broken such that 'make' didn't always work correctly.
|
||||
|
||||
3) If the SOURCE or DEST column in a macro body was non-empty and a dash
|
||||
("-") appeared in the corresponding column of an invocation of that
|
||||
macro, then an invalid rule was generated.
|
||||
|
||||
New Features in 3.0.1
|
||||
|
||||
1) To make the macro facility more flexible, Shorewall now examines the
|
||||
contents of the SOURCE and DEST columns in both the macro body and in
|
||||
the invocation and tries to create the intended rule. If the value in
|
||||
the invocation appears to be an address (IP or MAC) or the name of an
|
||||
ipset, then it is placed after the value in the macro body. Otherwise,
|
||||
it is placed before the value in the macro body.
|
||||
|
||||
Example 1:
|
||||
|
||||
/etc/shorewall/macro.foo:
|
||||
|
||||
PARAM - 192.168.1.5 tcp http
|
||||
|
||||
/etc/shorewallrules:
|
||||
|
||||
foo/ACCEPT net loc
|
||||
|
||||
Effective rule:
|
||||
|
||||
ACCEPT net loc:192.168.1.5 tcp http
|
||||
|
||||
Example 2:
|
||||
|
||||
/etc/shorewall/macro.bar:
|
||||
|
||||
PARAM net loc tcp http
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
bar/ACCEPT - 192.168.1.5
|
||||
|
||||
Effective rule:
|
||||
|
||||
ACCEPT net loc:192.168.1.5 tcp http
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
1) The "monitor" command has been eliminated.
|
||||
|