Add PERL_HASH_SEED option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -405,14 +405,14 @@ our $VERSION = 'MODULEVERSION';
 #   Provider Chains for provider <p>
 #      Load Balance    - ~<p>
 #
-#   Zone-pair chains for rules chain <z12z2>
+#   Zone-pair chains for rules chain <z1-z2>
 #
-#      Syn Flood       - @<z12z2>
-#      Blacklist       - <z12z2>~
-#      Established     - ^<z12z2>
-#      Related         - +<z12z2>
-#      Invalid         - _<z12z2>
-#      Untracked       - &<z12z2>
+#      Syn Flood       - @<z1-z2>
+#      Blacklist       - <z1-z2>~
+#      Established     - ^<z1-z2>
+#      Related         - +<z1-z2>
+#      Invalid         - _<z1-z2>
+#      Untracked       - &<z1-z2>
 #
 our %chain_table;
 our $raw_table;
@@ -434,7 +434,7 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       REDIRECT     =>     0x20,       #'REDIRECT'
 	       ACTION       =>     0x40,       #An action (may be built-in)
 	       MACRO        =>     0x80,       #A Macro
-	       LOGRULE      =>    0x100,       #'LOG','NFLOG'
+	       LOGRULE      =>    0x100,       #'LOG','ULOG','NFLOG'
 	       NFQ          =>    0x200,       #'NFQUEUE'
 	       CHAIN        =>    0x400,       #Manual Chain
 	       SET          =>    0x800,       #SET
@@ -1081,11 +1081,11 @@ sub format_option( $$ ) {
 
     assert( ! reftype $value );
 
-    my $rule = '';
+    my $rule;
 
     $value =~ s/\s*$//;
 
-    $rule .= join( ' ' , ' -m', $option, $value );
+    $rule = join( ' ' , ' -m', $option, $value );
 
     $rule;
 }

Shorewall/Perl/Shorewall/Config.pm

@@ -907,6 +907,7 @@ sub initialize( $;$$) {
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
 	  BALANCE_PROVIDERS => undef ,
+	  PERL_HASH_SEED => undef ,
 	  #
 	  # Packet Disposition
 	  #

Shorewall/Perl/Shorewall/Zones.pm

@@ -108,24 +108,6 @@ our @EXPORT = ( qw( NOTHING
 
 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
-
-#
-# IPSEC Option types
-#
-use constant { NOTHING    => 'NOTHING',
-	       NUMERIC    => '0x[\da-fA-F]+|\d+',
-	       NETWORK    => '\d+.\d+.\d+.\d+(\/\d+)?',
-	       IPSECPROTO => 'ah|esp|ipcomp',
-	       IPSECMODE  => 'tunnel|transport'
-	       };
-
-#
-# Option columns
-#
-use constant { IN_OUT     => 1,
-	       IN         => 2,
-	       OUT        => 3 };
-
 #
 # Zone Table.
 #
@@ -221,6 +203,26 @@ our $zonemarkincr;
 our $zonemarklimit;
 our $loopback_interface;
 
+#
+# IPSEC Option types
+#
+use constant { NOTHING    => 'NOTHING',
+	       NUMERIC    => '0x[\da-fA-F]+|\d+',
+	       IPSECPROTO => 'ah|esp|ipcomp',
+	       IPSECMODE  => 'tunnel|transport'
+	     };
+
+sub NETWORK() {
+    $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
+}
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
@@ -276,19 +278,7 @@ our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =
 
 our %validhostoptions;
 
-our %validzoneoptions = ( mss            => NUMERIC,
-			  nomark         => NOTHING,
-			  blacklist      => NOTHING,
-			  dynamic_shared => NOTHING,
-			  strict         => NOTHING,
-			  next           => NOTHING,
-			  reqid          => NUMERIC,
-			  spi            => NUMERIC,
-			  proto          => IPSECPROTO,
-			  mode           => IPSECMODE,
-			 "tunnel-src"   => NETWORK,
-			 "tunnel-dst"   => NETWORK,
-		       );
+our %validzoneoptions;
 
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
@@ -330,6 +320,20 @@ sub initialize( $$ ) {
     $minroot = 0;
     $loopback_interface = '';
 
+    %validzoneoptions = ( mss            => NUMERIC,
+			  nomark         => NOTHING,
+			  blacklist      => NOTHING,
+			  dynamic_shared => NOTHING,
+			  strict         => NOTHING,
+			  next           => NOTHING,
+			  reqid          => NUMERIC,
+			  spi            => NUMERIC,
+			  proto          => IPSECPROTO,
+			  mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
+		       );
+
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
@@ -1315,7 +1319,7 @@ sub process_interface( $$ ) {
 		    assert(0);
 		}
 	    } elsif ( $type == STRING_IF_OPTION ) {
-		fatal_error "The '$option' option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless supplied $value;
 
 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;

Shorewall/Perl/compiler.pl

@@ -43,6 +43,8 @@
 #         --inline                    # Update alternative column specifications
 #         --update                    # Update configuration to current release
 #
+#    If the <filename> is omitted, then a 'check' operation is performed.
+#
 use strict;
 use FindBin;
 use lib "$FindBin::Bin";

Shorewall/Perl/lib.runtime

@@ -32,7 +32,7 @@
 #	    down			Stop an optional interface
 #	    enable			Enable an optional interface
 #	    help			Show command syntax
-#	    reenable			Disable then nable an optional
+#	    reenable			Disable then enable an optional
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall

Shorewall/Samples/Universal/shorewall.conf

@@ -217,6 +217,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes

Shorewall/Samples/one-interface/shorewall.conf

@@ -228,6 +228,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -225,6 +225,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -228,6 +228,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/configfiles/shorewall.conf

@@ -217,6 +217,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall/lib.cli-std

@@ -341,6 +341,18 @@ get_config() {
 	setup_dbl
     fi
 
+    if [ -z "$PERL_HASH_SEED" ]; then
+	PERL_HASH_SEED=0
+    else
+	case $PERL_HASH_SEED in
+	    [0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]|random)
+	        ;;
+	    *)
+		fatal_error "Invalid setting ($PERL_HASH_SEED) for PERL_HASH_SEED"
+		;;
+	esac
+    fi
+
     lib=$(find_file lib.cli-user)
 
     [ -f $lib ] && . $lib
@@ -484,8 +496,17 @@ compiler() {
     #
     [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
 
-    PERL_HASH_SEED=0
-    export PERL_HASH_SEED
+    case $PERL_HASH_SEED in
+	random)
+	    unset PERL_HASH_SEED
+	    unset PERL_PERTURB_KEYS
+	    ;;
+	*)
+	    export PERL_HASH_SEED
+	    PERL_PERTURB_KEYS=0
+	    export PERL_PERTURB_KEYS
+	    ;;
+    esac
 
     if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	eval $PERL $debugflags $pc $options $@ $g_pager
@@ -513,28 +534,6 @@ start_command() {
     local rc
     rc=0
 
-    do_it() {
-	if [ -n "$AUTOMAKE" ]; then
-	    [ -n "$nolock" ] || mutex_on
-	    run_it ${VARDIR}/firewall $g_debugging start
-	    rc=$?
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    g_file="${VARDIR}/.start"
-	    if compiler $g_debugging $nolock compile "$g_file"; then
-		[ -n "$nolock" ] || mutex_on
-		run_it ${VARDIR}/.start $g_debugging start
-		rc=$?
-		[ -n "$nolock" ] || mutex_off
-	    else
-		rc=$?
-		mylogger kern.err "ERROR:$g_product start failed"
-	    fi
-	fi
-
-	exit $rc
-    }
-
     if product_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
@@ -626,7 +625,25 @@ start_command() {
 	fi
     fi
 
-    do_it
+    if [ -n "$AUTOMAKE" ]; then
+	[ -n "$nolock" ] || mutex_on
+	run_it ${VARDIR}/firewall $g_debugging start
+	rc=$?
+	[ -n "$nolock" ] || mutex_off
+    else
+	g_file="${VARDIR}/.start"
+	if compiler $g_debugging $nolock compile "$g_file"; then
+	    [ -n "$nolock" ] || mutex_on
+	    run_it ${VARDIR}/.start $g_debugging start
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	else
+	    rc=$?
+	    mylogger kern.err "ERROR:$g_product start failed"
+	fi
+    fi
+
+    exit $rc
 }
 
 #

Shorewall/manpages/shorewall-rules.xml

@@ -594,7 +594,7 @@
                 <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>The <replaceable>nflog-parameters</replaceable> are a
                 comma-separated list of up to 3 numbers:</para>
@@ -847,7 +847,7 @@
                 <para>Added in Shorewall 4.5.10. Queues matching packets to a
                 back end logging daemon via a netlink socket then continues to
                 the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
 
                 <para>Similar to<emphasis role="bold">
                 LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],

Shorewall/manpages/shorewall.conf.xml

@@ -2153,6 +2153,21 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -198,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=Yes

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -199,6 +199,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -198,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -198,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/configfiles/shorewall6.conf

@@ -198,6 +198,8 @@ OPTIMIZE=All
 
 OPTIMIZE_ACCOUNTING=No
 
+PERL_HASH_SEED=0
+
 REJECT_ACTION=
 
 REQUIRE_INTERFACE=No

Shorewall6/manpages/shorewall6.conf.xml

@@ -1890,6 +1890,21 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">PERL_HASH_SEED=</emphasis><emphasis
+        role="bold"><replaceable>seed</replaceable><emphasis
+        role="bold">|random</emphasis></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.4. Sets the Perl hash
+          <replaceable>seed</replaceable> (an integer in the range 0-99999)
+          when running the Shorewall rules compiler. If not specified, the
+          value 0 is assumed. If <option>random</option> is specified, a
+          random seed will be chosed by Perl. See perlsec(1) for additional
+          information.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">PROVIDER_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

docs/Documentation_Index.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2016</year>
+      <year>2001-2017</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>

docs/ipsets.xml

@@ -26,6 +26,8 @@
 
       <year>2015</year>
 
+      <year>2017</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -54,7 +56,12 @@
     <ulink url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
     if they are not available in your current distribution. Instructions for
     installing xtables-addons may be found in the <ulink
-    url="Dynamic.html">Dynamic Zones article</ulink>.</para>
+    url="Dynamic.html">Dynamic Zones article</ulink>.
+    Note that xtables-addons might not be required
+    with the 'ipset' package provided by your distribution.
+    See also the section <ulink url="configuration_file_basics.htm#capabilities">capabilities</ulink>
+    in the <ulink url="configuration_file_basics.htm">configuration file basics article</ulink>
+    and the <ulink url="Shorewall-Lite.html#Shorecap">Shorecap program</ulink>.</para>
 
     <para>Ipset allows you to create one or more named sets of addresses then
     use those sets to define Netfilter/iptables rules. Possible uses of ipsets