Allow non-experts to use the user bits in the fw mark

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -4855,7 +4855,7 @@ sub validate_mark( $ ) {
 
 sub verify_small_mark( $ ) {
     my $val = validate_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
     $val;
 }
 

Shorewall/Perl/Shorewall/Config.pm

@@ -124,6 +124,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_shorewall_dir
 				       set_debug
 				       find_file
+				       find_writable_file
 				       split_list
 				       split_list1
 				       split_list2
@@ -1869,6 +1870,20 @@ sub find_file($)
     "$config_path[0]$filename";
 }
 
+sub find_writable_file($) {
+    my ( $filename, $nosearch ) = @_;
+
+    return $filename if $filename =~ '/';
+
+    for my $directory ( @config_path ) {
+	next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|;
+	my $file = "$directory$filename";
+	return $file if -f $file && -w _;
+    }
+
+    "$config_path[0]$filename";
+}
+
 #
 # Split a comma-separated list into a Perl array
 #
@@ -4807,6 +4822,12 @@ sub conditional_quote( $ ) {
 #
 # Update the shorewall[6].conf file. Save the current file with a .bak suffix.
 #
+sub update_default($$) {
+    my ( $var, $val ) = @_;
+
+    $config{$var} = $val unless defined $config{$var};
+}
+
 sub update_config_file( $$ ) {
     my ( $annotate, $directives ) = @_;
 
@@ -4862,9 +4883,8 @@ sub update_config_file( $$ ) {
 	}
     }
 
-    $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT};
-
-    $config{EXPORTMODULES} = 'No' unless defined $config{EXPORTMODULES};
+    update_default( 'USE_DEFAULT_RT', 'No' );
+    update_default( 'EXPORTMODULES',  'No' );
 
     my $fn;
 
@@ -5358,7 +5378,7 @@ sub convert_to_directives() {
 
     my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|;
 
-    progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives...";
+    progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives...";
 
     for my $dir ( @path ) {
 	unless ( $dir =~ /$dirtest/ ) {
@@ -5393,6 +5413,7 @@ EOF
 				if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				    progress_message3 "   File $file updated - old file renamed ${file}.bak";
 				} elsif ( rename "${file}.bak" , $file ) {
+				    progress_message "   File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";
 				    progress_message "   File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";
 				} else {
 				    warning message "Unable to rename ${file}.bak to $file:$!";
@@ -5656,7 +5677,9 @@ sub get_configuration( $$$$$ ) {
 	fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
     }
 
-    default 'STARTUP_LOG'   , '';
+    default 'SHOREWALL_SHELL', '/bin/sh';
+
+    default 'STARTUP_LOG'    , '';
 
     if ( $config{STARTUP_LOG} ne '' ) {
 	if ( supplied $config{LOG_VERBOSITY} ) {
@@ -5879,6 +5902,10 @@ sub get_configuration( $$$$$ ) {
 	$globals{USER_MASK} = $globals{USER_BITS} = 0;
     }
 
+    $val = $config{PROVIDER_OFFSET};
+
+    $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK}; 
+
     if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/Misc.pm

@@ -480,7 +480,7 @@ sub convert_blacklist() {
 	}
 
 	if ( @rules ) {
-	    my $fn1 = find_file( 'blrules' );
+	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
 	    my $date = localtime;
 
@@ -701,7 +701,7 @@ sub convert_routestopped() {
 
 	my ( $stoppedrules, $fn1 );
 
-	if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) {
+	if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) {
 	    open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
 	} else {
 	    open $stoppedrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
@@ -723,12 +723,16 @@ sub convert_routestopped() {
 EOF
 	}
 
-	print( $stoppedrules
-	       "#\n" ,
-	       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
-	       "#\n" );
-
-	first_entry "$doing $fn...";
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "$doing $fn...";
+			print( $stoppedrules
+			       "#\n" ,
+			       "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
 
 	while ( read_a_line ( NORMAL_READ ) ) {
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ )
     if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
 	$interfacelist = $1;
 	$inlinematches = get_inline_matches(0);
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$inlinematches = get_inline_matches(0);
     }	
     #

Shorewall/Perl/Shorewall/Rules.pm

@@ -455,13 +455,12 @@ sub process_default_action( $$$$ ) {
 	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
 	    $default = $def;
 	    $default = "$def($param)" if supplied $param;
+	    $default = join( ':', $default, $level ) if $level ne 'none';
 	} elsif ( $default_option ) {
 	    fatal_error "Unknown Action ($default) in $policy setting";
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
-
-	$default = join( ':', $default, $level ) if $level ne 'none';
     } else {
 	$default = $default_actions{$policy} || 'none';
     }
@@ -2284,7 +2283,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $basictarget eq 'INLINE' ) {
 	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
     #

Shorewall/Perl/Shorewall/Tc.pm

@@ -749,7 +749,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
     if ( $cmd eq 'INLINE' ) {
 	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
-    } elsif ( $config{INLINE_MATCHES} ) {
+    } else {
 	$raw_matches = get_inline_matches(0);
     }
 
@@ -3177,6 +3177,17 @@ sub convert_tos($$) {
     }
 
     if ( my $fn = open_file 'tos' ) {
+	first_entry(
+		    sub {
+			my $date = localtime;
+			progress_message2 "Converting $fn...";
+			print( $mangle
+			       "#\n" ,
+			       "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" ,
+			       "#\n" );
+		    }
+		   );
+
 	while ( read_a_line( NORMAL_READ ) ) {
 
 	    $have_tos = 1;
@@ -3243,10 +3254,10 @@ sub convert_tos($$) {
 sub open_mangle_for_output() {
     my ( $mangle, $fn1 );
 
-    if ( -f ( find_file( 'mangle' ) ) ) {
-	open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
+    if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
+	open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
     } else {
-	open( $mangle , '>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!";
+	open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
 	print $mangle <<'EOF';
 #
 # Shorewall version 4 - Mangle File
@@ -3337,7 +3348,20 @@ sub setup_tc( $ ) {
 		directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
 	    }
 
-	    first_entry "$doing $fn...";
+	    first_entry(
+			sub {
+			    if ( $convert ) {
+				my $date = localtime;
+				progress_message2 "Converting $fn...";
+				print( $mangle
+				       "#\n" ,
+				       "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" ,
+				       "#\n" );
+			    } else {
+				progress_message2 "$doing $fn...";
+			    }
+			}
+		       );
 
 	    process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ );
 

Shorewall/manpages/shorewall-mangle.xml

@@ -351,18 +351,18 @@
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -347,23 +347,23 @@
                 specified at the end of the rule. If the target is not one
                 known to Shorewall, then it must be defined as a builtin
                 action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>
                 (5).</para>
 
                 <para>The following rules are equivalent:</para>
 
-                <programlisting>2:P             eth0              -         tcp 22
-INLINE(2):P     eth0              -         tcp 22
-INLINE(2):P     eth0              -                 ; -p tcp
-INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
-INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+                <programlisting>2:P                   eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -         tcp 22
+INLINE(MARK(2)):P     eth0              -                 ; -p tcp
+INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2
 </programlisting>
 
                 <para>If INLINE_MATCHES=Yes in <ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
+                url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
                 then the third rule above can be specified as follows:</para>
 
-                <programlisting>2:P             eth0              -                 ; -p tcp</programlisting>
+                <programlisting>MARK(2):P             eth0              -                 ; -p tcp</programlisting>
               </listitem>
             </varlistentry>