Partial change

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-29 18:57:53 +00:00
parent 514c0d7d88
commit cd97ccfd4e
9 changed files with 97 additions and 42 deletions


@ -1433,10 +1433,14 @@ use constant { NULL_STATE => 0 ,
my $state = NULL_STATE;
my $rulenumber = 0;
sub emitr( $ ) {
my $rule = $_[0];
unless ( $slowstart ) {
$rulenumber++;
substr($rule, 80) = "#$rulenumber" unless length $rule >= 80;
emit_unindented $rule;
} elsif ( substr( $rule, 0, 1 ) eq '~' ) {
#
@ -1484,12 +1488,7 @@ sub create_netfilter_load() {
emit '';
if ( $slowstart ) {
emitj( 'TEMPFILE=$(mktempfile)',
'[ -n "$TEMPFILE" ] || fatal_error "Cannot create temporary file in /tmp"',
'',
'exec 3>>$TEMPFILE',
''
);
emit 'exec 3>${VARDIR}/.iptables-input';
} else {
emit 'iptables-restore << __EOF__';
$state = CAT_STATE;
@ -1533,7 +1532,7 @@ sub create_netfilter_load() {
if ( $slowstart ) {
emitj( ' exec 3>&-',
'',
'iptables-restore < $TEMPFILE'
'iptables-restore < ${VARDIR}/.iptables_input'
);
}
@ -1542,8 +1541,6 @@ sub create_netfilter_load() {
"fi\n"
);
emit 'rm -f $TEMPFILE' if $slowstart;
pop_indent;
emit "}\n";
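Review bot: The slowstart path writes and reads two different files: the redirect is `exec 3>${VARDIR}/.iptables-input` (hyphen) while the restore line is `iptables-restore < ${VARDIR}/.iptables_input` (underscore), so iptables-restore will read a missing or stale file; pick one spelling, e.g. `'iptables-restore < ${VARDIR}/.iptables-input'`. In emitr, `substr($rule, 80) = "#$rulenumber" unless length $rule >= 80` runs exactly when offset 80 lies beyond the end of `$rule`, and an lvalue substr entirely outside the string raises "substr outside of string" rather than padding; if a comment at column 80 is the intent, `$rule = sprintf('%-80s#%d', $rule, $rulenumber)` does that. That numbered rule is emitted on the non-slowstart path, which feeds the `iptables-restore << __EOF__` heredoc, so confirm iptables-restore tolerates a trailing `#N` token on a rule line rather than rejecting it as an unknown argument. Replacing mktempfile with a fixed path in VARDIR also drops the `rm -f` cleanup, so the rendered rule set now persists on disk; presumably intended, but worth stating in the commit message. create_netfilter_load begins and ends outside these hunks.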


@ -218,6 +218,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
# Stash away file references here when we encounter INCLUDE
#
my @openstack;
my $currentfile;
my $currentfilename;
my $currentlinenumber = 0;
@ -259,7 +260,10 @@ sub find_file($)
for $directory ( split ':', $ENV{CONFIG_PATH} ) {
my $file = "$directory/$filename";
return $file if -f $file;
if ( -f $file ) {
$file =~ s|//|/|g;
return $file;
}
}
"$env{CONFDIR}/$filename";
@ -406,6 +410,8 @@ sub read_a_line {
$currentfile = undef;
open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
$line='';
} else {
return 1;
}
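Review bot: The new `$currentfile = undef;` line sits directly above a two-argument `open $currentfile, $filename`, which lets a filename beginning with `>`, `<`, `|` or whitespace select the open mode instead of naming the file; since the commit is already editing this spot, `open $currentfile, '<', $filename or fatal_error "Unable to open $filename: $!";` closes that off at no cost. Resetting the scalar to undef before open is also redundant on its own — reopening an existing handle closes it first — unless the intent is to keep the previous handle alive on the new `@openstack`, in which case it should be pushed there before being dropped. `$filename` comes from find_file, whose CONFIG_PATH search is only partly visible here, and read_a_line begins and ends outside the hunk.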


@ -51,6 +51,7 @@ sub validate_hosts_file()
);
my $ipsec = 0;
my $first_entry = 1;
open_file 'hosts';
@ -58,6 +59,11 @@ sub validate_hosts_file()
my ($zone, $hosts, $options ) = split_line 3, 'hosts file';
if ( $first_entry ) {
progress_message2 "Validating hosts file...";
$first_entry = 0;
}
my $zoneref = $zones{$zone};
my $type = $zoneref->{type};


@ -101,7 +101,6 @@ sub setup_one_masq($$$$$$)
my $destnets = '';
my $target = '-j MASQUERADE ';
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
#
# Handle IPSEC options, if any
#
@ -239,12 +238,20 @@ sub setup_one_masq($$$$$$)
#
sub setup_masq()
{
my $first_entry = 1;
open_file 'masq';
while ( read_a_line ) {
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
if ( $first_entry ) {
progress_message2 "$doing Masq file...";
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
$first_entry = 0;
}
if ( $fullinterface eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@ -299,8 +306,6 @@ sub do_one_nat( $$$$$ )
my $policyin = '';
my $policyout = '';
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
if ( $capabilities{POLICY_MATCH} ) {
$policyin = ' -m policy --pol none --dir in';
$policyout = '-m policy --pol none --dir out';
@ -347,12 +352,20 @@ sub do_one_nat( $$$$$ )
#
sub setup_nat() {
my $first_entry = 1;
open_file 'nat';
while ( read_a_line ) {
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
if ( $first_entry ) {
progress_message2 "$doing one-to-one NAT...";
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
$first_entry = 0;
}
if ( $external eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
@ -374,13 +387,19 @@ sub setup_nat() {
#
sub setup_netmap() {
my $first_entry = 1;
open_file 'netmap';
while ( read_a_line ) {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 'netmap file';
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
if ( $first_entry ) {
progress_message2 "$doing NETMAP...";
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
$first_entry = 0;
}
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
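Review bot: Moving `require_capability('NAT_ENABLED', ...)` into the `$first_entry` block places it ahead of the `COMMENT` test in setup_masq and setup_nat, so a masq or nat file whose only entries are COMMENT lines now fails on a kernel without NAT, whereas before the check lived in setup_one_masq/do_one_nat and fired only for real entries (netmap already checked on every line, so it appears unchanged in that respect). If that tightening is not intended, move the `$first_entry` block below the COMMENT handling, or keep the progress message there and defer the capability check to the first non-COMMENT entry. The same first-entry preamble (flag, progress_message2, require_capability) is now repeated across the readers touched by this commit; a small helper taking the message and capability name would keep them from drifting apart. setup_masq, setup_nat and setup_netmap all continue past the hunks shown.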


@ -344,13 +344,11 @@ sub setup_providers() {
#
# Setup_Providers() Starts Here....
#
progress_message2 "$doing $fn ...";
open_file 'providers';
open_file $fn;
while ( read_a_line ) {
unless ( $providers ) {
progress_message2 "$doing $fn ...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );
emit "\nif [ -z \"\$NOROUTES\" ]; then";


@ -65,15 +65,21 @@ sub process_tos() {
my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
if ( open_file 'tos' ) {
progress_message2 'Setting up TOS...';
my $first_entry = 1;
my $pretosref = new_chain 'mangle' , $chain;
my $outtosref = new_chain 'mangle' , 'outtos';
my ( $pretosref, $outtosref );
while ( read_a_line ) {
my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
if ( $first_entry ) {
progress_message2 'Setting up TOS...';
$pretosref = ensure_chain 'mangle' , $chain;
$outtosref = ensure_chain 'mangle' , 'outtos';
$first_entry = 0;
}
fatal_error "TOS field required: $line" unless $tos ne '-';
my $chainref;
@ -106,8 +112,10 @@ sub process_tos() {
'';
}
add_rule $mangle_table->{$stdchain}, "-j $chain";
add_rule $mangle_table->{OUTPUT}, "-j outtos";
unless ( $first_entry ) {
add_rule $mangle_table->{$stdchain}, "-j $chain";
add_rule $mangle_table->{OUTPUT}, "-j outtos";
}
}
}
@ -121,7 +129,7 @@ sub setup_ecn()
if ( open_file 'ecn' ) {
progress_message2 join( '' , '$doing ', find_file( 'ecn' ), '...' );
progress_message2 join( '' , "$doing ", find_file( 'ecn' ), '...' );
while ( read_a_line ) {


@ -349,12 +349,13 @@ sub validate_tc_class( $$$$$$ ) {
}
sub setup_traffic_shaping() {
my $first_entry = 1;
save_progress_message "Setting up Traffic Control...";
my $fn = find_file 'tcdevices';
if ( -f $fn ) {
progress_message2 "$doing $fn...";
open_file $fn;
@ -362,6 +363,11 @@ sub setup_traffic_shaping() {
my ( $device, $inband, $outband ) = split_line 3, 'tcdevices';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
validate_tc_device( $device, $inband, $outband );
}
@ -370,12 +376,17 @@ sub setup_traffic_shaping() {
$fn = find_file 'tcclasses';
if ( -f $fn ) {
progress_message2 "$doing $fn...";
$first_entry = 1;
open_file $fn;
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
@ -488,23 +499,31 @@ sub setup_traffic_shaping() {
#
sub setup_tc() {
ensure_mangle_chain 'tcpre';
my $first_entry = 1;
if ( $capabilities{MANGLE_FORWARD} ) {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
if ( $capabilities{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
if ( $capabilities{MANGLE_FORWARD} ) {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
}
}
my $fn = find_file 'tcrules';
if ( -f $fn ) {
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' ) if open_file $fn;
if ( open_file $fn ) {
while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
if ( $first_entry ) {
progress_message2 "$doing TC Rules...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
$first_entry = 0;
}
if ( $mark eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;


@ -227,6 +227,9 @@ sub setup_tunnels() {
progress_message " Tunnel \"$line\" $done";
}
my $first_entry = 1;
#
# Setup_Tunnels() Starts Here
#
@ -236,6 +239,11 @@ sub setup_tunnels() {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file';
if ( $first_entry ) {
progress_message2 "$doing Tunnels...";
$first_entry = 0;
}
if ( $kind eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
( $comment = $line ) =~ s/^\s*COMMENT\s*//;


@ -666,12 +666,11 @@ sub compiler( $ ) {
#
# Process the hosts file.
#
progress_message2 "Validating hosts file...";
validate_hosts_file;
#
# Report zone contents
#
progress_message "Determining Hosts in Zones...";
progress_message2 "Determining Hosts in Zones...";
zone_report;
#
# Do action pre-processing.
@ -715,7 +714,6 @@ sub compiler( $ ) {
#
# TCRules and Traffic Shaping
#
progress_message2 "$doing TC Rules...";
setup_tc;
#
# TOS
@ -728,7 +726,6 @@ sub compiler( $ ) {
#
# Setup Masquerading/SNAT
#
progress_message2 "$doing Masq file...";
setup_masq;
#
# MACLIST Filtration
@ -743,7 +740,6 @@ sub compiler( $ ) {
#
# Add Tunnel rules.
#
progress_message2 "$doing Tunnels...";
setup_tunnels;
#
# Post-rules action processing.
@ -763,12 +759,10 @@ sub compiler( $ ) {
#
# Setup Nat
#
progress_message2 "$doing one-to-one NAT...";
setup_nat;
#
# Setup NETMAP
#
progress_message2 "$doing NETMAP...";
setup_netmap;
#
# Accounting.