First hack at INCLUDE processing
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5740 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
18170d7fd5
commit
e0c8403a42
@ -99,6 +99,13 @@ sub fatal_error
|
||||
die;
|
||||
}
|
||||
|
||||
#
|
||||
# When splitting a line, don't pad out the columns with '-' if the first column contains one of these
|
||||
#
|
||||
|
||||
my %no_pad = ( COMMENT => 1,
|
||||
SECTION => 1 );
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
#
|
||||
@ -116,7 +123,7 @@ sub split_line( $$ ) {
|
||||
|
||||
my @line = split /\s+/, $line;
|
||||
|
||||
return @line if $line[0] eq 'COMMENT';
|
||||
return @line if $no_pad{$line[0]};
|
||||
|
||||
fatal_error "Invalid $description entry: $line" if @line > $columns;
|
||||
|
||||
|
@ -277,6 +277,56 @@ sub expand_shell_variables( $ ) {
|
||||
my $line = $_[0]; $line = $1 . ( $ENV{$2} || '' ) . $3 while $line =~ /^(.*?)\$([a-zA-Z]\w*)(.*)$/; $line;
|
||||
}
|
||||
|
||||
#
|
||||
# Stash away file references here when we encounter INCLUDE
|
||||
#
|
||||
my @filestack;
|
||||
my $currentfile;
|
||||
|
||||
sub read_a_line {
|
||||
|
||||
while ( 1 ) {
|
||||
while ( $line = <$currentfile> ) {
|
||||
chomp $line;
|
||||
next if $line =~ /^\s*#/;
|
||||
next if $line =~ /^\s*$/;
|
||||
$line =~ s/#.*$//;
|
||||
|
||||
expand_shell_variables( $line );
|
||||
|
||||
my @line = split /\s+/, $line;
|
||||
|
||||
if ( $line[0] eq 'INCLUDE' ) {
|
||||
fatal_error "Missing file name after 'INCLUDE'" unless @line > 1;
|
||||
fatal_error "Invalid INCLUDE command: $line" if @line > 2;
|
||||
|
||||
if ( @filestack == 4 ) {
|
||||
warning_message "INCLUDEs nested too deeply; $line ignored";
|
||||
next;
|
||||
}
|
||||
|
||||
my $filename = find_file $line[1];
|
||||
|
||||
fatal_error "$filename not found" unless ( -f $filename );
|
||||
|
||||
push @filestack, $currentfile;
|
||||
|
||||
$currentfile = '';
|
||||
|
||||
open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
|
||||
} else {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
close $currentfile;
|
||||
|
||||
return 0 unless @filestack;
|
||||
|
||||
$currentfile = pop @filestack;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Read the shorewall.conf file and establish global hashes %config and %env.
|
||||
#
|
||||
@ -285,15 +335,9 @@ sub get_configuration() {
|
||||
|
||||
if ( -f $file ) {
|
||||
if ( -r _ ) {
|
||||
open CONFIG , $file or fatal_error "Unable to open $file: $!";
|
||||
|
||||
while ( $line = <CONFIG> ) {
|
||||
chomp $line;
|
||||
next if $line =~ /^\s*#/;
|
||||
next if $line =~ /^\s*$/;
|
||||
|
||||
expand_shell_variables( $line );
|
||||
open $currentfile , $file or fatal_error "Unable to open $file: $!";
|
||||
|
||||
while ( read_a_line ) {
|
||||
if ( $line =~ /^([a-zA-Z]\w*)\s*=\s*(.*)$/ ) {
|
||||
my ($var, $val) = ($1, $2);
|
||||
unless ( exists $config{$var} ) {
|
||||
@ -306,8 +350,6 @@ sub get_configuration() {
|
||||
fatal_error "Unrecognized entry in $file: $line";
|
||||
}
|
||||
}
|
||||
|
||||
close CONFIG;
|
||||
} else {
|
||||
fatal_error "Cannot read $file (Hint: Are you root?)";
|
||||
}
|
||||
|
@ -851,6 +851,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
fatal_error "Unknown action ($action) in rule \"$line\"" unless $actiontype;
|
||||
|
||||
if ( $actiontype == MACRO ) {
|
||||
#
|
||||
# We will be called recursively for each rule in the macro body
|
||||
#
|
||||
process_macro
|
||||
$macros{$basictarget},
|
||||
$target ,
|
||||
@ -988,9 +991,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $origdest && $origdest ne '-' ) {
|
||||
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
|
||||
} elsif ( $origdest ne 'detect' ) {
|
||||
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
|
||||
if ( $config{DETECT_DNAT_IPADDRS} ) {
|
||||
my $interfacesref = $zones{$sourcezone}{interfaces};
|
||||
my @interfaces = keys %$interfacesref;
|
||||
@ -1015,7 +1016,10 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
$action ,
|
||||
$serverport ? do_proto( $proto, '', '' ) : '';
|
||||
#
|
||||
# After NAT, the destination port will be the server port; Also, we log NAT rules in the nat table rather than in the filter table.
|
||||
# After NAT:
|
||||
# - the destination port will be the server port
|
||||
# - the destination IP will be the server IP
|
||||
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
|
||||
#
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
|
||||
@ -1061,6 +1065,12 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
||||
$loglevel = '';
|
||||
}
|
||||
|
||||
unless ( $origdest eq '-' ) {
|
||||
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
|
||||
} else {
|
||||
$origdest = '';
|
||||
}
|
||||
|
||||
expand_rule
|
||||
ensure_chain ('filter', $chain ) ,
|
||||
$restriction ,
|
||||
@ -1192,7 +1202,7 @@ sub process_rules() {
|
||||
} elsif ( $target eq 'SECTION' ) {
|
||||
fatal_error "Invalid SECTION $source" unless defined $sections{$source};
|
||||
fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
|
||||
fatal_error "Invalid Section $source $dest" if $dest && $dest ne '-';
|
||||
fatal_error "Invalid Section $source $dest" if $dest;
|
||||
$sectioned = 1;
|
||||
$sections{$source} = 1;
|
||||
|
||||
|
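Review bot: In read_a_line, `$currentfile = ''` followed by the two-argument `open $currentfile, $filename` opens on a defined string rather than an undefined scalar, so Perl treats it as a symbolic filehandle name: under `use strict` the open dies, and without strict every nested INCLUDE reuses the same named glob and clobbers the handle just pushed onto @filestack. Replace the pair with `undef $currentfile;` and the three-argument form `open $currentfile, '<', $filename or fatal_error "Unable to open $filename: $!";`, which also stops a filename beginning with `>` or `|` from being read as an open mode; the new two-argument open in get_configuration has the same issue. Separately, `expand_shell_variables( $line )` is called in void context while the sub, as shown in the context line, returns the expanded copy instead of modifying its argument, so the expansion has no effect (the removed get_configuration loop had the same call); `$line = expand_shell_variables( $line );` fixes it. read_a_line also uses the file-level `$line` global as its output channel to callers such as get_configuration, which deserves a comment above the sub, e.g. `# Sets the global $line to the next non-comment, non-blank line; returns 0 at end of the outermost file`.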