Set caller when possible in policy chains.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-20 14:51:16 -08:00 · 2013-01-20 14:51:16 -08:00 · c4a2f3d386
commit c4a2f3d386
parent bc882af6c5
2 changed files with 20 additions and 11 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -2160,8 +2160,9 @@ sub evaluate_expression( $$$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
-	    $var = numeric_value( $var ) if $var;
+	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
 	    $parmsmodified ||= $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@ -2281,6 +2282,7 @@ sub process_compiler_directive( $$$$ ) {
 			       directive_error( "Missing SET expression"     , $filename, $linenumber) unless supplied $expression;
 			       if ( ( $1 || '' ) eq '@' ) {
 				   $var = $2;
 				   $var = numeric_value( $var ) if $var =~ /^\d/;
 				   $var = $2 || 'chain';
 				   directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -326,12 +326,12 @@ sub print_policy($$$$) {
    }
 }
-sub use_policy_action( $ );
+sub use_policy_action( $$ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );
-sub process_default_action( $$$$ ) {
+sub process_default_action( $$$$$ ) {
-    my ( $originalpolicy, $policy, $default, $level ) = @_;
+    my ( $originalpolicy, $policy, $default, $level, $caller ) = @_;
    if ( supplied $default ) {
 	my $default_option = ( $policy =~ /_DEFAULT$/ );
@ -357,7 +357,7 @@ sub process_default_action( $$$$ ) {
 	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
 		       $level eq 'none' ? normalize_action_name $def :
 		       normalize_action( $def, $level, '' );
-	    use_policy_action( $default );
+	    use_policy_action( $default, $caller );
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
@ -420,7 +420,9 @@ sub process_a_policy() {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
    }
-    $default = process_default_action( $originalpolicy, $policy, $default, $level );
+    my $chain = rules_chain( ${client}, ${server} );
    $default = process_default_action( $originalpolicy, $policy, $default, $level, $chain );
    if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
@ -442,7 +444,6 @@ sub process_a_policy() {
 	}
    }
    my $chain = rules_chain( ${client}, ${server} );
    my $chainref;
    if ( defined $filter_table->{$chain} ) {
@ -555,7 +556,7 @@ sub process_policies()
 	unless ( $action eq 'none' ) {
 	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
 	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
-	    $action = process_default_action( $action, $option, $default, $level );
+	    $action = process_default_action( $action, $option, $default, $level, 'POLICY' );
 	}
 	$default_actions{$map{$option}} = $action;
@ -1604,7 +1605,7 @@ sub process_action($$) {
    while ( read_a_line( NORMAL_READ ) ) {
-	my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+	my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ;
 	if ( $file_format == 1 ) {
 	    ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
@ -1659,10 +1660,16 @@ sub process_action($$) {
 #
 # Create a policy action if it doesn't already exist
 #
-sub use_policy_action( $ ) {
+sub use_policy_action( $$ ) {
    my $ref = use_action( $_[0] );
-    process_action( $ref, 'POLICY' ) if $ref; 
+    if ( $ref ) {
 	process_action( $ref, $_[1] );
    } else {
 	$ref = $usedactions{$_[0]};
    }
    $ref;
 }
 ################################################################################