First phase of config file line preprocessing change

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5680 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-25 16:38:00 +00:00
parent e1cccb5ccb
commit cf4ad08b96
16 changed files with 86 additions and 169 deletions


@ -114,12 +114,8 @@ sub setup_accounting() {
while ( $line = <ACC> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user ) = split_line 8, 'Accounting File';
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $extra ) = split /\s+/, $line;
accounting_error if $extra;
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user;
}


@ -259,9 +259,7 @@ sub process_actions1() {
open F, "$ENV{TMP_DIR}/$file" or fatal_error "Unable to open stripped $file file: $!";
while ( $line = <F> ) {
chomp $line;
my ( $action , $extra ) = split /\s+/, $line;
fatal_error "Invalid Action: $line" if $extra;
my ( $action ) = split_line 1, 'action file';
if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -293,12 +291,9 @@ sub process_actions1() {
chomp $line;
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/\s+/ /g;
$line =~ s/#.*$//;
( my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) , $extra ) = split /\s+/, $line;
fatal_error "Invalid action rule \"$line\"\n" if $extra;
my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 8, 'action file';
my ( $target, $level ) = split_action $wholetarget;
@ -324,13 +319,10 @@ sub process_actions1() {
while ( $line = <M> ) {
next if $line =~ /^\s*#/;
$line =~ s/\s+/ /g;
$line =~ s/#.*$//;
next if $line =~ /^\s*$/;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser, $mextra ) = split /\s+/, $line;
fatal_error "Invalid macro rule \"$line\"" if $mextra;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $ mrate, $muser ) = split_line 8, 'macro file';
$mtarget =~ s/:.*$//;
@ -417,11 +409,10 @@ sub process_action3( $$$$$ ) {
chomp $line;
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/\s+/ /g;
$line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard;
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user , $extra ) = split /\s+/, $line;
my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line 8, 'action file';
my $target2 = merge_levels $wholeaction, $target;
@ -458,11 +449,10 @@ sub process_action3( $$$$$ ) {
while ( $line = <M> ) {
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/\s+/ /g;
$line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
if ( $mtarget =~ /^PARAM:?/ ) {
fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
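Review bot: The action-file loops in process_actions1 and process_action3 take the first column straight from split_line without testing for COMMENT, while split_line returns a COMMENT line early with neither padding nor a column-count check; if action or macro files may contain COMMENT lines (the rules, masq, nat and tc loops converted in this commit all test `eq 'COMMENT'` before anything else), `$wholetarget` or `$mtarget` would reach split_action / merge_levels as the word COMMENT with undef trailing columns. Either add the same guard, e.g. `next if $wholetarget eq 'COMMENT';` right after the split_line call, or state in a comment above each loop that COMMENT is not supported in action and macro files. Both subs begin and end outside these hunks, so I could not see whether a later check covers this.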


@ -976,6 +976,34 @@ sub log_rule( $$$$ ) {
log_rule_limit $level, $chainref, $chainref->{name} , $disposition, $env{LOGLIMIT}, '', 'add', $predicates;
}
#
# Split a comma-separated source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
return @input unless $_[0] =~ /\[/;
my @result;
while ( @input ) {
my $element = shift @input;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@result;
}
#
# Keep track of which interfaces have active 'address' variables
#
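Review bot: mysplit reads `$_[0]` in three places and spells the loop condition as `! ( $element =~ /\]/ )`; naming the argument once with `my ( $list ) = @_;` and writing `while ( $element !~ /\]/ )` reads more directly, and ending with `return @result;` matches the explicit `return @input` earlier in the same sub. The body is otherwise identical to the copy removed from Config.pm in this commit, so this is a style point only; the fatal_error message could also be built from `$list` rather than `$_[0]`.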


@ -34,7 +34,7 @@ our @EXPORT = qw(ALLIPv4
warning_message
fatal_error
mysplit
split_line
create_temp_object
finalize_object
emit
@ -98,32 +98,22 @@ sub fatal_error
die;
}
#
# Split a comma-separated source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
sub split_line( $$ ) {
my ( $columns, $description ) = @_;
return @input unless $_[0] =~ /\[/;
chomp $line;
my @result;
$line =~ s/\s+/ /g;
while ( @input ) {
my $element = shift @input;
my @line = split /\s+/, $line;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
return @line if $line[0] eq 'COMMENT';
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
fatal_error "Invalid $description entry: $line" if @line > $columns;
push @result, $element;
}
push @line, '-' while @line < $columns;
@result;
@line;
}
sub create_temp_object( $ ) {
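Review bot: split_line reads and rewrites the package global `$line` (chomp, whitespace collapse) instead of taking the line as an argument, and nothing in its header says so; a comment such as `# Split the caller's current $line (package global, modified in place) into $columns whitespace-separated fields, padding missing ones with '-'; a line whose first field is COMMENT is returned unpadded and without the column-count check.` would make that contract explicit for the dozen callers introduced here. The COMMENT test `$line[0] eq 'COMMENT'` produces an uninitialized-value warning and returns an empty list when $line is blank, because `$line[0]` is then undef; `return @line if @line && $line[0] eq 'COMMENT';` avoids depending on every caller skipping blank lines first. The final bare `@line;` would read better as `return @line;`, matching the explicit return above it.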


@ -37,7 +37,7 @@ our @VERSION = 1.00;
#
our %env = ( SHAREDIR => '/usr/share/shorewall' ,
CONFDIR => '/etc/shorewall',
SHAREDIR4 => '/usr/share/shorewall-pl/',
SHAREDIRPL => '/usr/share/shorewall-pl/',
LOGPARMS => '',
VERSION => '3.9.0-1',
);
@ -392,11 +392,10 @@ sub get_configuration() {
default_yes_no 'TC_EXPERT' , '';
default_yes_no 'USE_ACTIONS' , 'Yes';
default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support' if $config{HIGH_ROUTE_MARKS} and ! $capabilities{XCONNMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP';
my $val;
@ -445,11 +444,6 @@ sub get_configuration() {
}
}
if ( $config{MANGLE_ENABLED} ) {
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
}
default 'MARK_IN_FORWARD_CHAIN' , '';
default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'Drop';
default 'REJECT_DEFAULT' , 'Reject';
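Review bot: The renamed `SHAREDIRPL => '/usr/share/shorewall-pl/'` keeps a trailing slash while `SHAREDIR` and `CONFDIR` in the same hash do not, and the Compiler.pm callers in this commit rely on it by concatenating `$env{SHAREDIRPL} . 'prog.header'` with no separator; that is fragile if someone later normalises the value. Either drop the slash and join with `"$env{SHAREDIRPL}/prog.header"` at the three call sites, or annotate the entry with `# trailing slash required: callers append file names directly`. The relocation of the HIGH_ROUTE_MARKS and MANGLE_ENABLED checks out of get_configuration into compile_firewall looks consistent with the added lines there.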


@ -56,12 +56,7 @@ sub validate_hosts_file()
while ( $line = <HOSTS> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ($zone, $hosts, $options, $extra) = split /\s+/, $line;
fatal_error "Invalid hosts file entry: $line" if $extra;
my ($zone, $hosts, $options ) = split_line 3, 'hosts file';
my $zoneref = $zones{$zone};
my $type = $zoneref->{type};
@ -77,7 +72,7 @@ sub validate_hosts_file()
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
} else {
fatal_error "Invalid HOSTS(S) column contents: $hosts";
fatal_error "Invalid HOST(S) column contents: $hosts";
}
my $optionsref;


@ -135,14 +135,9 @@ sub validate_interfaces_file()
while ( $line = <INTERFACES> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ($zone, $interface, $networks, $options, $extra) = split /\s+/, $line;
my ($zone, $interface, $networks, $options ) = split_line 4, 'interfaces file';
my $zoneref;
fatal_error "Invalid interfaces entry: $line" if $extra;
if ( $zone eq '-' ) {
$zone = '';
} else {
@ -153,7 +148,7 @@ sub validate_interfaces_file()
}
$networks = '' if $networks eq '-';
$options = '' if $networks eq '-';
$options = '' if $options eq '-';
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};


@ -250,10 +250,7 @@ sub setup_masq()
while ( $line = <MASQ> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $extra) = split /\s+/, $line;
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
if ( $fullinterface eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -263,7 +260,6 @@ sub setup_masq()
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
} else {
fatal_error "Invalid masq file entry: \"$line\"" if $extra;
setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec;
}
}
@ -360,10 +356,7 @@ sub setup_nat() {
while ( $line = <NAT> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $external, $interface, $internal, $allints, $localnat, $extra ) = split /\s+/, $line;
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
if ( $external eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -373,7 +366,6 @@ sub setup_nat() {
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
} else {
fatal_error "Invalid nat file entry: \"$line\"" if $extra;
do_one_nat $external, $interface, $internal, $allints, $localnat;
}


@ -131,12 +131,8 @@ sub validate_policy()
open POLICY, "$ENV{TMP_DIR}/policy" or fatal_error "Unable to open stripped policy file: $!";
while ( $line = <POLICY> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $client, $server, $policy, $loglevel, $synparams , $extra ) = split /\s+/, $line;
fatal_error "Invalid policy file entry: $line" if $extra;
my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 5, 'policy file';
$loglevel = '' unless defined $loglevel;
$synparams = '' unless defined $synparams;
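Review bot: `$loglevel = '' unless defined $loglevel;` and the `$synparams` line below it are now dead: split_line pads omitted columns with '-', so neither variable can be undef after the call. If the policy code below expects '' for an omitted level, the lines should become `$loglevel = '' if $loglevel eq '-';` and `$synparams = '' if $synparams eq '-';`, the way validate_interfaces_file maps its '-' columns. The same undef-to-'-' shift for optional trailing columns applies to the hosts, accounting, proxyarp, zones and masq loops converted in this commit; their consumers are outside the hunks, so I could not confirm they treat '-' as empty. validate_policy continues outside the hunk.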


@ -359,12 +359,8 @@ sub setup_providers() {
open PV, "$ENV{TMP_DIR}/providers" or fatal_error "Unable to open stripped providers file: $!";
while ( $line = <PV> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy, $extra ) = split /\s+/, $line;
fatal_error "Invalid providers entry: $line" if $extra;
my ( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 8, 'providers file';
add_a_provider( $table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy );
@ -418,12 +414,7 @@ sub setup_providers() {
open RR, "$ENV{TMP_DIR}/route_rules" or fatal_error "Unable to open stripped route rules file: $!";
while ( $line = <RR> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $source, $dest, $provider, $priority, $extra ) = split /\s+/, $line;
fatal_error "Invalid providers entry: $line" if $extra;
my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority );
}


@ -95,12 +95,8 @@ sub setup_proxy_arp() {
open PA, "$ENV{TMP_DIR}/proxyarp" or fatal_error "Unable to open stripped proxyarp file: $!";
while ( $line = <PA> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $address, $interface, $external, $haveroute, $persistent, $extra ) = split /\s+/, $line;
fatal_error "Invalid proxyarp file entry: \"$line\"" if $extra;
my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 5, 'proxyarp file';
$set{$interface} = 1;
$reset{$external} = 1 unless $set{$external};


@ -72,12 +72,9 @@ sub process_tos() {
while ( $line = <TOS> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ($source, $dest, $proto, $sports, $ports ) = split_line 5, 'tos file';
my ($source, $dest, $proto, $sports, $ports, $extra) = split /\s+/, $line;
fatal_error "Invalid tos file entry: \"$line\"" if $extra;
### Fixme ###
}
close TOS;
@ -111,10 +108,8 @@ sub setup_rfc1918_filteration( $ ) {
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
while ( $line = <RFC> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $networks, $target, $extra ) = split /\s+/, $line;
my ( $networks, $target ) = split_line 2, 'rfc1918 file';
my $s_target;
@ -196,12 +191,7 @@ sub setup_blacklist() {
while ( $line = <BL> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $networks, $protocol, $ports , $extra ) = split /\s+/, $line;
fatal_error "Invalid blacklist entry: \"$line\"" if $extra;
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
expand_rule
ensure_filter_chain( 'blacklst' , 0 ) ,
@ -252,13 +242,7 @@ sub process_criticalhosts() {
my $routeback = 0;
chomp $line;
$line =~ s/\s+/ /g;
my ($interface, $hosts, $options, $extra) = split /\s+/, $line;
fatal_error "Invalid routestopped file entry: \"$line\"" if $extra;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -301,13 +285,7 @@ sub process_routestopped() {
my $routeback = 0;
chomp $line;
$line =~ s/\s+/ /g;
my ($interface, $hosts, $options, $extra) = split /\s+/, $line;
fatal_error "Invalid routestopped file entry: \"$line\"" if $extra;
my ($interface, $hosts, $options ) = split_line 3, 'routestopped file';
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
@ -595,10 +573,7 @@ sub setup_mac_lists( $ ) {
while ( $line = <MAC> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $disposition, $interface, $mac, $addresses , $extra ) = split /\s+/, $line;
my ( $disposition, $interface, $mac, $addresses ) = split_line 4, 'maclist file';
if ( $disposition eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -608,8 +583,6 @@ sub setup_mac_lists( $ ) {
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
} else {
fatal_error "Invalid maclist entry: \"$line\"" if $extra;
( $disposition, my $level ) = split /:/, $disposition;
my $targetref = $maclist_targets{$disposition};
@ -711,11 +684,10 @@ sub process_macro ( $$$$$$$$$$$ ) {
chomp $line;
next if $line =~ /^\s*#/;
next if $line =~ /^\s*$/;
$line =~ s/\s+/ /g;
$line =~ s/#.*$//;
$line = expand_shell_variables $line unless $standard;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split /\s+/, $line;
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line 8, 'macro file';
$mtarget = merge_levels $target, $mtarget;
@ -1119,10 +1091,7 @@ sub process_rules() {
while ( $line = <RULES> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $extra ) = split /\s+/, $line;
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user ) = split_line 9, 'rules file';
if ( $target eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -1134,7 +1103,7 @@ sub process_rules() {
} elsif ( $target eq 'SECTION' ) {
fatal_error "Invalid SECTION $source" unless defined $sections{$source};
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
fatal_error "Invalid Section $source $dest" if $dest;
fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-';
$sectioned = 1;
$sections{$source} = 1;
@ -1148,7 +1117,6 @@ sub process_rules() {
$section = $source;
} else {
fatal_error "Invalid rules file entry: \"$line\"" if $extra;
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user;
}
}
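Review bot: In process_tos the result of the new `split_line 5, 'tos file'` is discarded at the `### Fixme ###` marker, so the tos file is validated for column count only and then ignored; the marker should say so, e.g. `# TODO: tos entries are validated for column count only; rule generation is not yet implemented`. The SECTION check `if $dest && $dest ne '-'` accounts for split_line's '-' padding, but the rfc1918, blacklist, routestopped and maclist loops in this file now also receive '-' for omitted columns, and the hunks do not show whether their consumers handle that. process_tos and process_rules begin and end outside the hunks.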


@ -119,7 +119,7 @@ my @tccmd = ( { pattern => 'SAVE' ,
);
sub process_tc_rule( $$$$$$$$$$ ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = @_;
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = @_;
my $original_mark = $mark;
@ -357,12 +357,9 @@ sub setup_traffic_shaping() {
while ( $line = <TD> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $device, $inband, $outband ) = split_line 3, 'tcdevices';
my ( $device, $inband, $outband, $extra ) = split /\s+/, $line;
fatal_error "Invalid tcdevices entry: \"$line\"" if $extra || ! $outband;
fatal_error "Invalid tcdevices entry: \"$line\"" if $outband eq '-';
validate_tc_device( $device, $inband, $outband );
}
@ -378,12 +375,8 @@ sub setup_traffic_shaping() {
while ( $line = <TC> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 6, 'tcclasses file';
my ( $device, $mark, $rate, $ceil, $prio, $options, $extra ) = split /\s+/, $line;
fatal_error "Invalid tcclasses entry: \"$line\"" if $extra || ! $ceil;
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
}
@ -505,10 +498,7 @@ sub setup_tc() {
while ( $line = <TC> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $extra ) = split /\s+/, $line;
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
if ( $mark eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -518,7 +508,6 @@ sub setup_tc() {
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
} else {
fatal_error "Invalid tcrule: \"$line\"" if $extra;
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
}
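Review bot: The tcclasses loop in setup_traffic_shaping drops the former `! $ceil` guard without a replacement, whereas the tcdevices loop just above it replaces `! $outband` with `$outband eq '-'`. Since split_line pads a missing CEIL column with '-', an entry that omits it now reaches validate_tc_class with `$ceil` set to '-' instead of being rejected here; unless validate_tc_class rejects that itself, add `fatal_error "Invalid tcclasses entry: \"$line\"" if $ceil eq '-';` before the call. The trailing `process_tc_rule ... $tos` statement in setup_tc still has no semicolon; it parses because a brace follows, but one should be added for consistency. setup_traffic_shaping and setup_tc begin and end outside the hunks.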


@ -234,10 +234,7 @@ sub setup_tunnels() {
while ( $line = <TUNNELS> ) {
chomp $line;
$line =~ s/\s+/ /g;
my ( $kind, $zone, $gateway, $gatewayzones, $extra ) = split /\s+/, $line;
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line 4, 'tunnels file';
if ( $kind eq 'COMMENT' ) {
if ( $capabilities{COMMENTS} ) {
@ -247,7 +244,6 @@ sub setup_tunnels() {
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
} else {
fatal_error "Invalid Tunnels file entry: \"$line\"" if $extra;
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
}
}


@ -183,14 +183,10 @@ sub determine_zones()
open ZONES, "$ENV{TMP_DIR}/zones" or fatal_error "Unable to open stripped zones file: $!";
while ( $line = <ZONES> ) {
chomp $line;
$line =~ s/\s+/ /g;
my @parents;
my ($zone, $type, $options, $in_options, $out_options, $extra) = split /\s+/, $line;
fatal_error("Invalid zone file entry: $line") if $extra;
my ($zone, $type, $options, $in_options, $out_options ) = split_line 5, 'zones file';
if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1;


@ -60,7 +60,7 @@ use Shorewall::Proc;
use Shorewall::Proxyarp;
sub generate_script_1 {
copy $env{SHAREDIR4} . 'prog.header';
copy $env{SHAREDIRPL} . 'prog.header';
my $date = localtime;
@ -442,7 +442,7 @@ stop_firewall() {
sub generate_script_2 () {
copy $env{SHAREDIR4} . 'prog.functions';
copy $env{SHAREDIRPL} . 'prog.functions';
emit '#';
emit '# Setup Routing and Traffic Shaping';
@ -575,7 +575,7 @@ esac';
emit "}\n";
copy $env{SHAREDIR4} . 'prog.footer';
copy $env{SHAREDIRPL} . 'prog.footer';
}
sub compile_firewall( $ ) {
@ -603,6 +603,11 @@ sub compile_firewall( $ ) {
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
if ( $config{MANGLE_ENABLED} ) {
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
}
#
# Process the zones file.
#
@ -730,7 +735,7 @@ sub compile_firewall( $ ) {
#
# And generate the auxilary config file
#
generate_aux_config;
generate_aux_config if $ENV{EXPORT};
}
}
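Review bot: `generate_aux_config if $ENV{EXPORT};` gates the auxiliary config on an environment variable read directly, while the rest of the compiler reads settings through %config (for example EXPORTPARAMS in get_configuration); any non-empty value, including a literal "No", enables it. If the shell front end is the only thing expected to set EXPORT, that contract deserves a comment, e.g. `# EXPORT is set by the shell front end when compiling for another system; the aux config file is only needed then`. The HIGH_ROUTE_MARKS and MANGLE_ENABLED checks added here mirror the ones removed from Config.pm in this commit, so no behaviour is lost. compile_firewall begins outside the hunk.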