Commit fix to built-in actions wrt 'none'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5626 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-03-22 17:27:02 +00:00 · 2007-03-22 17:27:02 +00:00 · b0030d80d9
commit b0030d80d9
parent 07d5629355
3 changed files with 46 additions and 70 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -5,6 +5,8 @@ Changes in 3.4.2
 2)  Update /sbin/shorewall[-lite] to account for mindless renaming of
    /proc/net/ip_conntrack to /proc/net/nf_conntrack.

+3)  Fix 'none[!]' and built-in actions.
+
 Changes in 3.4.1

 1)  Add rest of proxy arp fix.
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -1453,6 +1453,15 @@ process_actions3()
 	xlevel=$2
 	xtag=$3

+	case $xlevel in
+	    none|none'!')
+		ylevel=
+		;;
+	    *)
+		ylevel=$xlevel;
+		;;
+	esac
+
 	save_progress_message "Creating action chain $xaction1"

 	#
@ -1461,16 +1470,10 @@ process_actions3()
 	case $xaction1 in
 	    dropBcast)
 		if [ -n "$USEPKTTYPE" ]; then
-		    case $xlevel in
-			none'!')
-			    ;;
-			*)
-			    if [ -n "$xlevel" ]; then
-				log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
-				log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
+		    if [ -n "$ylevel" ]; then
+			log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
+			log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
 		    fi
-			    ;;
-		    esac

 		    run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 		    run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
@ -1480,17 +1483,9 @@ process_actions3()

 ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
 __EOF__
-			    case $xlevel in
-				none*)
-				    ;;
-				*)
-				    [ -n "$xlevel" ] && \
-					indent >&3 << __EOF__
-   log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
+			[ -n "$ylevel" ] && indent >&3 << __EOF__
+   log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d \$address
 __EOF__
-				    ;;
-			    esac
-
 			    indent >&3 << __EOF__
    run_iptables -A $xchain -d \$address -j DROP
 done
@ -1499,14 +1494,7 @@ __EOF__
 		    done

 		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-			case $xlevel in
-			    none*)
-				;;
-			    *)
-				[ -n "$xlevel" ] && \
-				    log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
-				;;
-			esac
+			[ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address

 			run_iptables -A $xchain -d $address -j DROP
 		    done
@ -1514,16 +1502,10 @@ __EOF__
 		;;
 	    allowBcast)
 		if [ -n "$USEPKTTYPE" ]; then
-		    case $xlevel in
-			none'!')
-			    ;;
-			*)
-			    if [ -n "$xlevel" ]; then
-				log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
-				log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
+		    if [ -n "$ylevel" ]; then
+			log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
+			log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
 		    fi
-			    ;;
-		    esac

 		    run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
 		    run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
@ -1533,16 +1515,9 @@ __EOF__

 ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
 __EOF__
-			case $xlevel in
-			    none*)
-				;;
-			    *)
-				[ -n "$xlevel" ] && \
-				    indent >&3 << __EOF__
-   log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
+			[ -n "$ylevel" ] && indent >&3 << __EOF__
+   log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d \$address
 __EOF__
-				;;
-			esac

 			indent >&3 << __EOF__
    run_iptables -A $xchain -d \$address -j ACCEPT
@ -1552,53 +1527,46 @@ __EOF__
 		    done

 		    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-			case $xlevel in
-			    none*)
-				;;
-			    *)
-				[ -n "$xlevel" ] && \
-				    log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
-				;;
-			esac
+			[ -n "$ylevel" ] && log_rule_limit ${ylevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address

 			run_iptables -A $xchain -d $address -j ACCEPT
 		    done
 		fi
 		;;
 	    dropNotSyn)
-		[ -n "$xlevel" ] && \
-		    log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
+		[ -n "$ylevel" ] && \
+		    log_rule_limit ${ylevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
 		run_iptables -A $xchain -p tcp ! --syn -j DROP
 		;;
 	    rejNotSyn)
-		[ -n "$xlevel" ] && \
-		    log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
+		[ -n "$ylevel" ] && \
+		    log_rule_limit ${ylevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
 		run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
 		;;
 	    dropInvalid)
-		[ -n "$xlevel" ] && \
-		    log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
+		[ -n "$ylevel" ] && \
+		    log_rule_limit ${ylevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
 		run_iptables -A $xchain -m state --state INVALID -j DROP
 		;;
 	    allowInvalid)
-		[ -n "$xlevel" ] && \
-		    log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
+		[ -n "$ylevel" ] && \
+		    log_rule_limit ${ylevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
 		run_iptables -A $xchain -m state --state INVALID -j ACCEPT
 		;;
 	    forwardUPnP)
 		;;
 	    allowinUPnP)
-		if [ -n "$xlevel" ]; then
-		    log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
-		    log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
+		if [ -n "$ylevel" ]; then
+		    log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
+		    log_rule_limit ${ylevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
 		fi

 		run_iptables -A $xchain -p udp --dport 1900  -j ACCEPT
 		run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
 		;;
 	    allowoutUPnP)
-		[ -n "$xlevel" ] && \
-		    log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
+		[ -n "$ylevel" ] && \
+		    log_rule_limit ${ylevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
 		run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
 		;;
 	    Limit)
@ -1608,9 +1576,9 @@ __EOF__

 		run_iptables -A $xchain -m recent --name $1 --set

-		if [ -n "$xlevel" ]; then
+		if [ -n "$ylevel" ]; then
 		    run_iptables -N $xchain%
-		    log_rule_limit $xlevel $xchain% $1 DROP "" "" -A
+		    log_rule_limit $ylevel $xchain% $1 DROP "" "" -A
 		    run_iptables -A $xchain% -j DROP
 		    run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain%
 		else
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -37,6 +37,12 @@ Problems corrected in Shorewall 3.4.2
    renamed /proc/net/nf_conntrack in kernel 2.6.20. The lib.cli
    library has been updated to look for both files.

+3)  Shoreall 3.4 was not consistent with respect to its treatment of
+    log level 'none' and 'none!' and built-in actions. In particular,
+    specifying 'none' with the Limit action produced a run-time error.
+    Shorewall now correctly suppresses generation of log messages when
+    a log level of 'none' or 'none!' is given to a built-in action.
+
 Migration Considerations:

 If you are migrating from a Shorewall version earlier than 3.2.0 then