diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 48a9dc869..2c938bfb2 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -423,7 +423,7 @@ sub process_action3( $$$$$ ) {
 while ( read_a_line ) {
- my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 1, 8, 'action file';
+ my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
 if ( $target eq 'COMMENT' ) {
 process_comment;
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 4af83cf85..c133d7ab7 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -657,6 +657,10 @@ sub finish_chain_section ($$) {
 sub finish_section ( $ ) {
 my $sections = $_[0];
+ for my $section ( split /,/, $sections ) {
+ $sections{$section} = 1;
+ }
+
 for my $zone ( @zones ) {
 for my $zone1 ( @zones ) {
 my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 53a51c88c..876d5b8b0 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -38,6 +38,8 @@ our @EXPORT = qw(
 fatal_error
 find_file
 split_line
+ split_line1
+ split_line2
 open_file
 close_file
 push_open
@@ -293,13 +295,6 @@ sub find_file($)
 "$globals{CONFDIR}/$filename";
 }
-#
-# When splitting a line, don't pad out the columns with '-' if the first column contains one of these
-
-my %no_pad = ( COMMENT => 1,
- SECTION => 1 );
-
 #
 # Pre-process a line from a configuration file.
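Review bot: The new loop in finish_section writes to `%sections` while the parameter it reads is `$sections`; two variables that differ only in sigil make this block easy to misread, and nothing in the hunk says why the sections are recorded here. Suggest renaming the parameter, `my $section_list = $_[0];` and `for my $section ( split /,/, $section_list ) {`, and adding `# Mark each listed section as seen in %sections (declared at package scope, outside this hunk)` above the loop — `%sections` is not declared in the hunk, so under strict it must already exist at package scope for this to compile. If any caller passes names with whitespace around the comma, `split /,/` keeps the space inside the key; splitting on `/\s*,\s*/` would be safer, but the callers are not visible here. The body of finish_section continues past the end of the hunk.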
@@ -309,11 +304,58 @@ my %no_pad = ( COMMENT => 1,
 sub split_line( $$$ ) {
 my ( $mincolumns, $maxcolumns, $description ) = @_;
+ fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $line =~ /["'`\\]/;
+
+ my @line = split /\s+/, $line;
+ fatal_error "Invalid $description entry (too few columns)" if @line < $mincolumns;
+ fatal_error "Invalid $description entry (too many columns)" if @line > $maxcolumns;
+
+ push @line, '-' while @line < $maxcolumns;
+
+ @line;
+}
+
+sub split_line1( $$$ ) {
+ my ( $mincolumns, $maxcolumns, $description ) = @_;
+
 fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $line =~ /["`\\]/;
 my @line = split /\s+/, $line;
- return @line if $no_pad{$line[0]};
+ return @line if $line[0] eq 'COMMENT';
+
+ fatal_error "Shorewall Configuration file entries may not contain single quotes" if $line =~ /'/;
+
+ fatal_error "Invalid $description entry (too few columns)" if @line < $mincolumns;
+ fatal_error "Invalid $description entry (too many columns)" if @line > $maxcolumns;
+
+ push @line, '-' while @line < $maxcolumns;
+
+ @line;
+}
+
+#
+# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
+#
+
+my %no_pad = ( COMMENT => 0,
+ SECTION => 2 );
+
+sub split_line2( $$$ ) {
+ my ( $mincolumns, $maxcolumns, $description ) = @_;
+
+ fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $line =~ /["`\\]/;
+
+ my @line = split /\s+/, $line;
+
+ my $first = $line[0];
+ my $columns = $no_pad{$first};
+
+ if ( defined $columns ) {
+ fatal_error "Invalid $first entry" if $columns && @line != $columns;
+ return @line
+ }
 fatal_error "Shorewall Configuration file entries may not contain single quotes" if $line =~ /'/;
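Review bot: In split_line2 the meaning of the values in `%no_pad` (`COMMENT => 0`, `SECTION => 2`) can only be recovered from the `if ( defined $columns )` branch, where 0 skips the column-count check and 2 demands exactly two columns, yet the comment block above the hash still describes it as a plain "don't pad" list; it should say `# Value is the column count a line starting with this keyword must have; 0 means the count is not checked. Such lines are returned unpadded.` The early `return @line` for COMMENT in both split_line1 and split_line2 sits after the `["`\\]` check but before the single-quote check, so apostrophes are accepted in comment text while double quotes, back quotes and backslashes are not; a one-line comment there, `# COMMENT text may contain apostrophes: the single-quote check is applied only after this return`, would keep a later reorder from silently changing that policy. The `return @line` inside the `defined $columns` branch has no terminating semicolon; `return @line;` matches the rest of the file. The three subs now differ only in the quote set and the early return, which is a maintenance cost worth noting even if not fixed in this commit. split_line2's body continues past the end of the hunk.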
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index 6294b7509..bc7e5d207 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -268,7 +268,7 @@ sub setup_masq()
 $first_entry = 0;
 }
- my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line 2, 7, 'masq file';
+ my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
 if ( $fullinterface eq 'COMMENT' ) {
 process_comment;
@@ -377,7 +377,7 @@ sub setup_nat() {
 $first_entry = 0;
 }
- my ( $external, $interface, $internal, $allints, $localnat ) = split_line 3, 5, 'nat file';
+ my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
 if ( $external eq 'COMMENT' ) {
 process_comment;
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 74f67c37b..0b302f97f 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -696,7 +696,7 @@ sub setup_mac_lists( $ ) {
 $first_entry = 0;
 }
- my ( $disposition, $interface, $mac, $addresses ) = split_line 3, 4, 'maclist file';
+ my ( $disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file';
 if ( $disposition eq 'COMMENT' ) {
 process_comment;
@@ -1257,7 +1257,7 @@ sub process_rules() {
 $first_entry = 0;
 }
- my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line 1, 10, 'rules file';
+ my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file';
 if ( $target eq 'COMMENT' ) {
 process_comment;
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 2c92f2f5a..af715ee40 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -530,7 +530,7 @@ sub setup_tc() {
 $first_entry = 0;
 }
- my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 2, 10, 'tcrules file';
+ my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';
 if ( $mark eq 'COMMENT' ) {
 process_comment;
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 3085f92c5..c89a7a8c4 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -260,7 +260,7 @@ sub setup_tunnels() {
 $first_entry = 0;
 }
- my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 2, 4, 'tunnels file';
+ my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
 if ( $kind eq 'COMMENT' ) {
 process_comment;