diff --git a/New/Shorewall/Config.pm b/New/Shorewall/Config.pm
index 24be47a65..dbf42a8d1 100644
--- a/New/Shorewall/Config.pm
+++ b/New/Shorewall/Config.pm
@@ -34,6 +34,7 @@ our @EXPORT = qw(
 find_file
 split_line
 open_file
+ close_file
 push_open
 pop_open
 read_a_line
@@ -255,9 +256,7 @@ sub find_file($)
 {
 my $filename=$_[0];
- if ( $filename =~ '/.*' ) {
- return $filename;
- }
+ return $filename if $filename =~ '/.*';
 my $directory;
@@ -325,6 +324,25 @@ sub open_file( $ ) {
 }
 }
+#
+# This function is normally called in read_a_line() when EOF is reached. Clients of the
+# module may also call the function to close the file before EOF
+#
+
+sub close_file() {
+ if ( $currentfile ) {
+ close $currentfile;
+
+ my $arrayref = pop @openstack;
+
+ if ( $arrayref ) {
+ ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+ } else {
+ $currentfile = undef;
+ }
+ }
+}
+
 #
 # Allow nested opens
 #
@@ -402,6 +420,7 @@ sub read_a_line {
 $currentfile = undef;
 open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
+ $currentfilename = $filename;
 $currentlinenumber = 0;
 $line = '';
@@ -410,15 +429,7 @@ sub read_a_line {
 }
 }
- close $currentfile;
-
- my $arrayref = pop @openstack;
-
- if ( $arrayref ) {
- ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
- } else {
- $currentfile = undef;
- }
+ close_file;
 }
 }
@@ -601,6 +612,9 @@ sub get_configuration( $ ) {
 default_yes_no 'HIGH_ROUTE_MARKS' , '';
 default_yes_no 'TC_EXPERT' , '';
 default_yes_no 'USE_ACTIONS' , 'Yes';
+
+ warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
+
 default_yes_no 'EXPORTPARAMS' , '';
 default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
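Review bot: The collapsed test on the new `return $filename if $filename =~ '/.*';` line keeps an unanchored string pattern, so any name containing a slash — `subdir/file` as much as `/etc/file` — is returned without consulting the search directories, and the trailing `.*` adds nothing. If the intent is "absolute path, skip the search", `return $filename if $filename =~ m{\A/};` says so directly; if a relative name with a slash is meant to bypass the search, a comment on the line should state that. The rest of find_file lies outside the hunk.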
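Review bot: When the open stack is empty, `close_file` resets `$currentfile` but leaves `$currentfilename` and `$currentlinenumber` holding the values of the file just closed, so a diagnostic that reads them afterwards (none is visible in this hunk) would name a file that is no longer open; clearing them in the `else` branch, `$currentfilename = ''; $currentlinenumber = 0;`, keeps the three variables consistent. The result of `close $currentfile;` is also not checked; for a read handle this is mostly cosmetic, but `close $currentfile or warning_message "Error closing $currentfilename: $!";` would surface I/O errors. The header comment should additionally say that the function pops `@openstack` and restores the enclosing file's name and line number, since that is its main effect for callers that nest opens.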
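Review bot: The `open $currentfile, $filename or fatal_error ...` line that the new `$currentfilename = $filename;` assignment now follows is the two-argument form, so the filename string itself is parsed for a mode (a leading `<`/`>` or a `|`) instead of being treated purely as a path; the three-argument form `open $currentfile, '<', $filename or fatal_error "Unable to open $filename: $!";` removes that interpretation. The rest of read_a_line, including where `$filename` comes from, is outside the hunk, so whether the name can ever carry such characters cannot be judged from here.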
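Review bot: The new `warning_message ... unless $config{USE_ACTIONS};` line only warns, while the release note in the same commit states the setting is not supported; if the compiler cannot produce a correct configuration with USE_ACTIONS=No, `fatal_error` would be the consistent choice, and if continuing is intentional a comment on the line saying why (for example that the action files are simply not read) would prevent the next reader from "fixing" it. The test also assumes `default_yes_no` leaves `$config{USE_ACTIONS}` false for "No" rather than the literal string, which is not visible in this hunk.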
@@ -688,8 +702,7 @@ sub get_configuration( $ ) {
 fatal_error "Invalid LOGFORMAT ($val)" if $@;
- fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
- if length $result > 29;
+ fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\"" if length $result > 29;
 $globals{MAXZONENAMELENGTH} = int ( 5 + ( ( 29 - (length $result ) ) / 2) );
 } else {
diff --git a/New/Shorewall/Interfaces.pm b/New/Shorewall/Interfaces.pm
index ec6e83e8b..0713a0c8b 100644
--- a/New/Shorewall/Interfaces.pm
+++ b/New/Shorewall/Interfaces.pm
@@ -50,6 +50,7 @@ our @VERSION = 1.00;
 # ...
 # }
 # zone =>
+# }
 # }
 #
 our @interfaces;
@@ -164,10 +165,7 @@ sub validate_interfaces_file()
 ( $interfaces{$interface}{root} = $interface ) =~ s/\+$// ;
- if ( $networks && $networks ne 'detect' )
- {
- warning_message 'Shorewall no longer uses broadcast addresses in rule generation:' . $networks;
- }
+ warning_message 'Shorewall no longer uses broadcast addresses in rule generation:' . $networks if $networks && $networks ne 'detect';
 my $optionsref = {};
diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 727d5b951..603894d0d 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
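Review bot: The rewritten `warning_message` line in validate_interfaces_file concatenates `$networks` directly after the colon, so the emitted text reads `...rule generation:eth0`; `'Shorewall no longer uses broadcast addresses in rule generation: ' . $networks` (a space before the closing quote) is the likely intent. The message read the same way before the change, but the line is being rewritten anyway, so this is the moment to fix it. validate_interfaces_file continues outside the hunk.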
@@ -256,25 +256,26 @@ sub setup_syn_flood_chains() {
 sub setup_blacklist() {
 my $hosts = find_hosts_by_option 'blacklist';
+ my $chainref;
+ my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+ my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
 if ( @$hosts ) {
-
- my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
-
- new_standard_chain 'blacklst';
-
- my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
+ $chainref = new_standard_chain 'blacklst';
 if ( $level ) {
- my $chainref = new_standard_chain 'blacklog';
+ my $logchainref = new_standard_chain 'blacklog';
- log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
+ log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
- add_rule $chainref, "-j $target" ;
+ add_rule $logchainref, "-j $target" ;
 $target = 'blacklog';
 }
+ }
+ BLACKLIST:
+ {
 if ( my $fn = open_file 'blacklist' ) {
 my $first_entry = 1;
@@ -284,22 +285,28 @@ sub setup_blacklist() {
 my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
 if ( $first_entry ) {
+ unless ( @$hosts ) {
+ warning_message "The entries in $fn have been ignored because there are no 'blacklist' interfaces";
+ close_file;
+ last BLACKLIST;
+ }
+
 progress_message2 "$doing $fn...";
 $first_entry = 0;
 }
- expand_rule
- ensure_filter_chain( 'blacklst' , 0 ) ,
- NO_RESTRICT ,
- do_proto( $protocol , $ports, '' ) ,
- $networks ,
- '' ,
- '' ,
- "-j $target" ,
- '' ,
- $disposition ,
- '';
-
+ expand_rule(
+ $chainref ,
+ NO_RESTRICT ,
+ do_proto( $protocol , $ports, '' ) ,
+ $networks ,
+ '' ,
+ '' ,
+ "-j $target" ,
+ '' ,
+ $disposition ,
+ '' );
+
 progress_message " \"$line\" added to blacklist";
 }
 }
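Review bot: The labelled bare block `BLACKLIST: {` exists only so the file scan in the following hunk can abandon its loop with `last BLACKLIST`, which is not apparent when reading this hunk on its own; a comment on the label line such as `# Labelled so the file scan below can be abandoned with 'last BLACKLIST' when there are no blacklist interfaces` would save the next reader a search. Hoisting `my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;` above `if ( @$hosts )` also means the comparison now runs even when no host carries the option; if BLACKLIST_DISPOSITION can be unset in that case (its defaulting is not in this diff), `use warnings` would report an uninitialized value where the old placement stayed silent. setup_blacklist continues outside the hunk.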
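Review bot: The new `unless ( @$hosts )` guard runs after `split_line 3, 'blacklist file'` has already parsed the first entry, so a file the message says is being ignored still has its first line validated and, if split_line dies on a malformed line as its error label suggests, can still abort the compile; moving the `my ( $networks, $protocol, $ports ) = split_line ...` line below the `if ( $first_entry ) { ... }` block makes "ignored" literal. That guard is also the only thing keeping an undefined `$chainref` away from `expand_rule(` when there are no hosts, which deserves a short comment on the `unless` line so nobody reorders the two. The enclosing loop and setup_blacklist continue outside the hunk.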
@@ -312,11 +319,11 @@ sub setup_blacklist() {
 my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
 my $network = $hostref->[2];
 my $source = match_source_net $network;
-
+
 for my $chain ( @{first_chains $interface}) {
 add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
 }
-
+
 progress_message " Blacklisting enabled on ${interface}:${network}";
 }
 }
diff --git a/New/releasenotes.txt b/New/releasenotes.txt
index fbaa0d7c7..fee9cdff5 100644
--- a/New/releasenotes.txt
+++ b/New/releasenotes.txt
@@ -170,6 +170,9 @@ h) Line continuation (lines ending in '\' are concatinated with the next
 because it is combined with the preceding line; with the Perl-based compiler, it is processed normally.
+i) USE_ACTIONS=No is not supported. That option is intended to minimize
+ Shorewall's footprint in embedded applications. As a consequence,
+ Default Macros are not supported.
 Installation
 ------------