From cf4ad08b963ca404e5e90d3316838b00a7f75c9a Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 25 Mar 2007 16:38:00 +0000 Subject: [PATCH] First phase of config file line preprocessing change git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5680 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- New/Shorewall/Accounting.pm | 6 +---- New/Shorewall/Actions.pm | 20 ++++---------- New/Shorewall/Chains.pm | 28 ++++++++++++++++++++ New/Shorewall/Common.pm | 36 ++++++++++--------------- New/Shorewall/Config.pm | 10 ++----- New/Shorewall/Hosts.pm | 9 ++----- New/Shorewall/Interfaces.pm | 9 ++----- New/Shorewall/Nat.pm | 12 ++------- New/Shorewall/Policy.pm | 6 +---- New/Shorewall/Providers.pm | 13 ++-------- New/Shorewall/Proxyarp.pm | 6 +---- New/Shorewall/Rules.pm | 52 +++++++------------------------------ New/Shorewall/Tc.pm | 23 +++++----------- New/Shorewall/Tunnels.pm | 6 +---- New/Shorewall/Zones.pm | 6 +---- New/compiler.pl | 13 +++++++--- 16 files changed, 86 insertions(+), 169 deletions(-) diff --git a/New/Shorewall/Accounting.pm b/New/Shorewall/Accounting.pm index 610e4f3d9..4f79c5795 100644 --- a/New/Shorewall/Accounting.pm +++ b/New/Shorewall/Accounting.pm @@ -114,12 +114,8 @@ sub setup_accounting() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; + my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 8, 'Accounting File'; - my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $extra ) = split /\s+/, $line; - - accounting_error if $extra; process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user; } diff --git a/New/Shorewall/Actions.pm b/New/Shorewall/Actions.pm index 2fd4c49e9..c6d9567b1 100644 --- a/New/Shorewall/Actions.pm +++ b/New/Shorewall/Actions.pm 
@@ -259,9 +259,7 @@ sub process_actions1() { open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!"; while ( $line = ) { - chomp $line; - my ( $action , $extra ) = split /\s+/, $line; - fatal_error "Invalid Action: $line" if $extra; + my ( $action ) = split_line 1, 'action file'; if ( $action =~ /:/ ) { warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; @@ -293,12 +291,9 @@ sub process_actions1() { chomp $line; next if $line =~ /^\s*#/; next if $line =~ /^\s*$/; - $line =~ s/\s+/ /g; $line =~ s/#.*$//; - ( my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) , $extra ) = split /\s+/, $line; - - fatal_error "Invalid action rule \"$line\"\n" if $extra; + my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file'; my ( $target, $level ) = split_action $wholetarget; @@ -324,13 +319,10 @@ sub process_actions1() { while ( $line = ) { next if $line =~ /^\s*#/; - $line =~ s/\s+/ /g; $line =~ s/#.*$//; next if $line =~ /^\s*$/; - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser, $mextra ) = split /\s+/, $line; - - fatal_error "Invalid macro rule \"$line\"" if $mextra; + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file'; $mtarget =~ s/:.*$//; @@ -417,11 +409,10 @@ sub process_action3( $$$$$ ) { chomp $line; next if $line =~ /^\s*#/; next if $line =~ /^\s*$/; - $line =~ s/\s+/ /g; $line =~ s/#.*$//; $line = expand_shell_variables $line unless $standard; - my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user , $extra ) = split /\s+/, $line; + my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file'; my $target2 = merge_levels $wholeaction, $target; 
@@ -458,11 +449,10 @@ sub process_action3( $$$$$ ) { while ( $line = ) { next if $line =~ /^\s*#/; next if $line =~ /^\s*$/; - $line =~ s/\s+/ /g; $line =~ s/#.*$//; $line = expand_shell_variables $line unless $standard; - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line; + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; if ( $mtarget =~ /^PARAM:?/ ) { fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param; diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm index 8f32cb0c4..f18fc71a9 100644 --- a/New/Shorewall/Chains.pm +++ b/New/Shorewall/Chains.pm @@ -976,6 +976,34 @@ sub log_rule( $$$$ ) { log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $env{LOGLIMIT}, '', 'add', $predicates; } +# +# Split a comma-separated source or destination host list but keep [...] together. +# +sub mysplit( $ ) { + my @input = split /,/, $_[0]; + + return @input unless $_[0] =~ /\[/; + + my @result; + + while ( @input ) { + my $element = shift @input; + + if ( $element =~ /\[/ ) { + while ( ! ( $element =~ /\]/ ) ) { + last unless @input; + $element .= ( ',' . shift @input ); + } + + fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; + } + + push @result, $element; + } + + @result; +} + # # Keep track of which interfaces have active 'address' variables # diff --git a/New/Shorewall/Common.pm b/New/Shorewall/Common.pm index d2505da72..f3df667e9 100644 --- a/New/Shorewall/Common.pm +++ b/New/Shorewall/Common.pm @@ -34,7 +34,7 @@ our @EXPORT = qw(ALLIPv4 warning_message fatal_error - mysplit + split_line create_temp_object finalize_object emit 
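Review bot: mysplit is moved into Chains.pm verbatim, but nothing in this hunk adds it to Chains.pm's export list, and the diffstat's +28 for that file is exactly the lines shown here. Common.pm's @EXPORT now lists split_line in its place, so any module other than Chains.pm that still calls mysplit unqualified will no longer compile under strict; if such callers exist, add `mysplit` to Chains.pm's `@EXPORT`, otherwise a short header comment stating that the helper is now private to Chains.pm would save the next reader the search. The moved body is byte-for-byte the old one, so its logic is not re-reviewed here.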
@@ -98,34 +98,24 @@ sub fatal_error die; } -# -# Split a comma-separated source or destination host list but keep [...] together. -# -sub mysplit( $ ) { - my @input = split /,/, $_[0]; +sub split_line( $$ ) { + my ( $columns, $description ) = @_; - return @input unless $_[0] =~ /\[/; + chomp $line; + + $line =~ s/\s+/ /g; - my @result; + my @line = split /\s+/, $line; - while ( @input ) { - my $element = shift @input; - - if ( $element =~ /\[/ ) { - while ( ! ( $element =~ /\]/ ) ) { - last unless @input; - $element .= ( ',' . shift @input ); - } - - fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']'; - } + return @line if $line[0] eq 'COMMENT'; - push @result, $element; - } + fatal_error "Invalid $description entry: $line" if @line > $columns; - @result; + push @line, '-' while @line < $columns; + + @line; } - + sub create_temp_object( $ ) { my $objectfile = $_[0]; my $suffix; diff --git a/New/Shorewall/Config.pm b/New/Shorewall/Config.pm index 486d7e5ea..83550fea5 100644 --- a/New/Shorewall/Config.pm +++ b/New/Shorewall/Config.pm @@ -37,7 +37,7 @@ our @VERSION = 1.00; # our %env = ( SHAREDIR => '/usr/share/shorewall' , CONFDIR => '/etc/shorewall', - SHAREDIR4 => '/usr/share/shorewall-pl/', + SHAREDIRPL => '/usr/share/shorewall-pl/', LOGPARMS => '', VERSION => '3.9.0-1', ); @@ -392,11 +392,10 @@ sub get_configuration() { default_yes_no 'TC_EXPERT' , ''; default_yes_no 'USE_ACTIONS' , 'Yes'; default_yes_no 'EXPORTPARAMS' , ''; + default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; - fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support' if $config{HIGH_ROUTE_MARKS} and ! $capabilities{XCONNMARK}; - default 'BLACKLIST_DISPOSITION' , 'DROP'; my $val; 
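Review bot: In split_line, `split /\s+/, $line` produces an empty leading field when the line begins with whitespace, which shifts every column by one and then trips the `@line > $columns` check with a misleading message; the callers that read raw action and macro files (the Actions.pm hunks and Rules.pm process_macro) skip indented comment lines with `/^\s*#/`, so indented data lines are plausible there. `my @line = split ' ', $line;` is Perl's awk-style split, which discards leading whitespace and also makes the preceding `$line =~ s/\s+/ /g;` redundant. Separately, `$line[0] eq 'COMMENT'` on an empty @line (a blank line) compares an undefined value and then returns a row of '-' padding that callers will process as data; `return @line if @line && $line[0] eq 'COMMENT';` plus an explicit decision on whether a blank line is an error or a skip would make that case deliberate. The sub also reads the package global `$line` rather than taking it as an argument, which deserves a one-line comment saying callers must have assigned `$line` first.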
@@ -445,11 +444,6 @@ sub get_configuration() { } } - if ( $config{MANGLE_ENABLED} ) { - fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; - } - - default 'MARK_IN_FORWARD_CHAIN' , ''; default 'RESTOREFILE' , 'restore'; default 'DROP_DEFAULT' , 'Drop'; default 'REJECT_DEFAULT' , 'Reject'; diff --git a/New/Shorewall/Hosts.pm b/New/Shorewall/Hosts.pm index 77ab8d177..f68375ddb 100644 --- a/New/Shorewall/Hosts.pm +++ b/New/Shorewall/Hosts.pm @@ -56,12 +56,7 @@ sub validate_hosts_file() while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ($zone, $hosts, $options, $extra) = split /\s+/, $line; - - fatal_error "Invalid hosts file entry: $line" if $extra; + my ($zone, $hosts, $options ) = split_line 3, 'hosts file'; my $zoneref = $zones{$zone}; my $type = $zoneref->{type}; @@ -77,7 +72,7 @@ sub validate_hosts_file() $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; } else { - fatal_error "Invalid HOSTS(S) column contents: $hosts"; + fatal_error "Invalid HOST(S) column contents: $hosts"; } my $optionsref; diff --git a/New/Shorewall/Interfaces.pm b/New/Shorewall/Interfaces.pm index 0b535804e..3a178585a 100644 --- a/New/Shorewall/Interfaces.pm +++ b/New/Shorewall/Interfaces.pm @@ -135,14 +135,9 @@ sub validate_interfaces_file() while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ($zone, $interface, $networks, $options, $extra) = split /\s+/, $line; + my ($zone, $interface, $networks, $options ) = split_line 4, 'interfaces file'; my $zoneref; - fatal_error "Invalid interfaces entry: $line" if $extra; - if ( $zone eq '-' ) { $zone = ''; } else { @@ -153,7 +148,7 @@ sub validate_interfaces_file() } $networks = '' if $networks eq '-'; - $options = '' if $networks eq '-'; + $options = '' if $options eq '-'; fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; 
diff --git a/New/Shorewall/Nat.pm b/New/Shorewall/Nat.pm index aff3e3b13..f2d70b50e 100644 --- a/New/Shorewall/Nat.pm +++ b/New/Shorewall/Nat.pm @@ -250,10 +250,7 @@ sub setup_masq() while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $extra) = split /\s+/, $line; + my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file'; if ( $fullinterface eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -263,7 +260,6 @@ sub setup_masq() warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } else { - fatal_error "Invalid masq file entry: \"$line\"" if $extra; setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec; } } @@ -360,10 +356,7 @@ sub setup_nat() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $external, $interface, $internal, $allints, $localnat, $extra ) = split /\s+/, $line; + my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file'; if ( $external eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -373,7 +366,6 @@ sub setup_nat() { warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } else { - fatal_error "Invalid nat file entry: \"$line\"" if $extra; do_one_nat $external, $interface, $internal, $allints, $localnat; } diff --git a/New/Shorewall/Policy.pm b/New/Shorewall/Policy.pm index 3ac130015..e3115ca67 100644 --- a/New/Shorewall/Policy.pm +++ b/New/Shorewall/Policy.pm 
@@ -131,12 +131,8 @@ sub validate_policy() open POLICY, "$ENV{TMP_DIR}/policy" or fatal_error "Unable to open stripped policy file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - my ( $client, $server, $policy, $loglevel, $synparams , $extra ) = split /\s+/, $line; - - fatal_error "Invalid policy file entry: $line" if $extra; + my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 5, 'policy file'; $loglevel = '' unless defined $loglevel; $synparams = '' unless defined $synparams; diff --git a/New/Shorewall/Providers.pm b/New/Shorewall/Providers.pm index 291bbc0af..447f5db8e 100644 --- a/New/Shorewall/Providers.pm +++ b/New/Shorewall/Providers.pm @@ -359,12 +359,8 @@ sub setup_providers() { open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy, $extra ) = split /\s+/, $line; - - fatal_error "Invalid providers entry: $line" if $extra; + my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file'; add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ); @@ -418,12 +414,7 @@ sub setup_providers() { open RR, "$ENV{TMP_DIR}/route_rules" or fatal_error "Unable to open stripped route rules file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $source, $dest, $provider, $priority, $extra ) = split /\s+/, $line; - - fatal_error "Invalid providers entry: $line" if $extra; + my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file'; add_an_rtrule( $source, $dest, $provider , $priority ); } diff --git a/New/Shorewall/Proxyarp.pm b/New/Shorewall/Proxyarp.pm index 19f376fd2..b731df97e 100644 --- a/New/Shorewall/Proxyarp.pm +++ b/New/Shorewall/Proxyarp.pm 
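Review bot: The two guards kept below the new split_line call, `$loglevel = '' unless defined $loglevel;` and `$synparams = '' unless defined $synparams;`, are now dead code: split_line pads missing columns with '-', so neither variable can be undefined. If the rest of validate_policy does not already treat '-' as "no value" (the Interfaces.pm hunk in this commit handles that explicitly with `$options = '' if $options eq '-';`), the guards should become `$loglevel = '' if $loglevel eq '-';` and the same for $synparams; otherwise delete them so the padding contract is not obscured. validate_policy continues outside the hunk.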
@@ -95,12 +95,8 @@ sub setup_proxy_arp() { open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - my ( $address, $interface, $external, $haveroute, $persistent, $extra ) = split /\s+/, $line; - - fatal_error "Invalid proxyarp file entry: \"$line\"" if $extra; + my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file'; $set{$interface} = 1; $reset{$external} = 1 unless $set{$external}; diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index 1cecf8863..7dd30f1d2 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm @@ -72,12 +72,9 @@ sub process_tos() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; + my ($source, $dest, $proto, $sports, $ports ) = split_line 5, 'tos file'; - my ($source, $dest, $proto, $sports, $ports, $extra) = split /\s+/, $line; - - fatal_error "Invalid tos file entry: \"$line\"" if $extra; + ### Fixme ### } close TOS; @@ -111,10 +108,8 @@ sub setup_rfc1918_filteration( $ ) { open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - my ( $networks, $target, $extra ) = split /\s+/, $line; + my ( $networks, $target ) = split_line 2, 'rfc1918 file'; my $s_target; @@ -196,12 +191,7 @@ sub setup_blacklist() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $networks, $protocol, $ports , $extra ) = split /\s+/, $line; - - fatal_error "Invalid blacklist entry: \"$line\"" if $extra; + my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file'; expand_rule ensure_filter_chain( 'blacklst' , 0 ) , 
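Review bot: In process_tos the five columns returned by split_line are assigned and then dropped at the `### Fixme ###` marker, so a populated tos file is checked for column count and otherwise compiles to nothing, with no message to the user. The previous body also discarded the columns, so this is not a regression, but the marker should say what is pending, e.g. `# TODO: tos entries are parsed but no rules are generated yet`, and ideally the loop should call `warning_message` so the silent no-op is visible at compile time rather than discovered when the expected marking never appears.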
@@ -251,14 +241,8 @@ sub process_criticalhosts() { while ( $line = ) { my $routeback = 0; - - chomp $line; - $line =~ s/\s+/ /g; - - my ($interface, $hosts, $options, $extra) = split /\s+/, $line; - - fatal_error "Invalid routestopped file entry: \"$line\"" if $extra; + my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; @@ -301,13 +285,7 @@ sub process_routestopped() { my $routeback = 0; - chomp $line; - $line =~ s/\s+/ /g; - - - my ($interface, $hosts, $options, $extra) = split /\s+/, $line; - - fatal_error "Invalid routestopped file entry: \"$line\"" if $extra; + my ($interface, $hosts, $options ) = split_line 3, 'routestopped file'; $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; @@ -595,10 +573,7 @@ sub setup_mac_lists( $ ) { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $disposition, $interface, $mac, $addresses , $extra ) = split /\s+/, $line; + my ( $disposition, $interface, $mac, $addresses ) = split_line 4, 'maclist file'; if ( $disposition eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -608,8 +583,6 @@ sub setup_mac_lists( $ ) { warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } else { - fatal_error "Invalid maclist entry: \"$line\"" if $extra; - ( $disposition, my $level ) = split /:/, $disposition; my $targetref = $maclist_targets{$disposition}; @@ -711,11 +684,10 @@ sub process_macro ( $$$$$$$$$$$ ) { chomp $line; next if $line =~ /^\s*#/; next if $line =~ /^\s*$/; - $line =~ s/\s+/ /g; $line =~ s/#.*$//; $line = expand_shell_variables $line unless $standard; - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line; + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file'; $mtarget = merge_levels $target, $mtarget; 
@@ -1119,10 +1091,7 @@ sub process_rules() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $extra ) = split /\s+/, $line; + my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user ) = split_line 9, 'rules file'; if ( $target eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -1134,7 +1103,7 @@ sub process_rules() { } elsif ( $target eq 'SECTION' ) { fatal_error "Invalid SECTION $source" unless defined $sections{$source}; fatal_error "Duplicate or out of order SECTION $source" if $sections{$source}; - fatal_error "Invalid Section $source $dest" if $dest; + fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-'; $sectioned = 1; $sections{$source} = 1; @@ -1148,7 +1117,6 @@ sub process_rules() { $section = $source; } else { - fatal_error "Invalid rules file entry: \"$line\"" if $extra; process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user; } } diff --git a/New/Shorewall/Tc.pm b/New/Shorewall/Tc.pm index cc140317c..73ef37cee 100644 --- a/New/Shorewall/Tc.pm +++ b/New/Shorewall/Tc.pm @@ -119,7 +119,7 @@ my @tccmd = ( { pattern => 'SAVE' , ); sub process_tc_rule( $$$$$$$$$$ ) { - my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = @_; + my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = @_; my $original_mark = $mark; @@ -357,12 +357,9 @@ sub setup_traffic_shaping() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; + my ( $device, $inband, $outband ) = split_line 3, 'tcdevices'; - my ( $device, $inband, $outband, $extra ) = split /\s+/, $line; - - fatal_error "Invalid tcdevices entry: \"$line\"" if $extra || ! $outband; + fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-'; validate_tc_device( $device, $inband, $outband ); } 
@@ -378,12 +375,8 @@ sub setup_traffic_shaping() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $device, $mark, $rate, $ceil, $prio, $options, $extra ) = split /\s+/, $line; - - fatal_error "Invalid tcclasses entry: \"$line\"" if $extra || ! $ceil; + my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file'; + validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); } @@ -505,10 +498,7 @@ sub setup_tc() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = split /\s+/, $line; + my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file'; if ( $mark eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -518,7 +508,6 @@ sub setup_tc() { warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } else { - fatal_error "Invalid tcrule: \"$line\"" if $extra; process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos } diff --git a/New/Shorewall/Tunnels.pm b/New/Shorewall/Tunnels.pm index 29ae9f7fb..8cd16042d 100644 --- a/New/Shorewall/Tunnels.pm +++ b/New/Shorewall/Tunnels.pm @@ -234,10 +234,7 @@ sub setup_tunnels() { while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; - - my ( $kind, $zone, $gateway, $gatewayzones, $extra ) = split /\s+/, $line; + my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file'; if ( $kind eq 'COMMENT' ) { if ( $capabilities{COMMENTS} ) { @@ -247,7 +244,6 @@ sub setup_tunnels() { warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } else { - fatal_error "Invalid Tunnels file entry: \"$line\"" if $extra; setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; } } diff --git a/New/Shorewall/Zones.pm b/New/Shorewall/Zones.pm index 13f079c01..00b9c5776 100644 --- a/New/Shorewall/Zones.pm 
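Review bot: The tcclasses hunk drops the old `! $ceil` validation without a replacement, whereas the neighbouring tcdevices hunk keeps an equivalent check as `if $outband eq '-'`. With split_line padding short lines to six columns, a class entry missing CEIL now reaches validate_tc_class with `$ceil` set to '-'; unless that sub rejects '-' itself (it is outside the hunk), add `fatal_error "Invalid tcclasses entry: \"$line\"" if $ceil eq '-';` before the call, mirroring the tcdevices loop.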
+++ b/New/Shorewall/Zones.pm @@ -183,14 +183,10 @@ sub determine_zones() open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!"; while ( $line = ) { - chomp $line; - $line =~ s/\s+/ /g; my @parents; - my ($zone, $type, $options, $in_options, $out_options, $extra) = split /\s+/, $line; - - fatal_error("Invalid zone file entry: $line") if $extra; + my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file'; if ( $zone =~ /(\w+):([\w,]+)/ ) { $zone = $1; diff --git a/New/compiler.pl b/New/compiler.pl index cc0124fd3..a32b2966a 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -60,7 +60,7 @@ use Shorewall::Proc; use Shorewall::Proxyarp; sub generate_script_1 { - copy $env{SHAREDIR4} . 'prog.header'; + copy $env{SHAREDIRPL} . 'prog.header'; my $date = localtime; @@ -442,7 +442,7 @@ stop_firewall() { sub generate_script_2 () { - copy $env{SHAREDIR4} . 'prog.functions'; + copy $env{SHAREDIRPL} . 'prog.functions'; emit '#'; emit '# Setup Routing and Traffic Shaping'; @@ -575,7 +575,7 @@ esac'; emit "}\n"; - copy $env{SHAREDIR4} . 'prog.footer'; + copy $env{SHAREDIRPL} . 'prog.footer'; } sub compile_firewall( $ ) { @@ -603,6 +603,11 @@ sub compile_firewall( $ ) { if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH}; fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH}; + fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support' + if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK}; + if ( $config{MANGLE_ENABLED} ) { + fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; + } # # Process the zones file. # @@ -730,7 +735,7 @@ sub compile_firewall( $ ) { # # And generate the auxilary config file # - generate_aux_config; + generate_aux_config if $ENV{EXPORT}; } }
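Review bot: `generate_aux_config if $ENV{EXPORT};` enables an output file on Perl truthiness of an environment variable, so any non-empty value other than '0' (including 'No' or 'false') turns it on while unset and '' turn it off; this is the only place in the diff that branches on the raw environment rather than on %config, and the hunk gives no comment on who sets EXPORT or which values are expected. If the calling wrapper passes Yes/No, compare explicitly, `generate_aux_config if defined $ENV{EXPORT} && $ENV{EXPORT} =~ /^yes$/i;`, and add a comment above it naming the component that sets EXPORT. compile_firewall begins outside the hunk.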