Your message dated Fri, 12 Feb 2016 16:38:54 +0000
with message-id <[email protected]>
and subject line Bug#549892: fixed in filtergen 0.12.5-1
has caused the Debian Bug report #549892,
regarding filtergen: Support globbing in include directives
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
549892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549892
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: filtergen
Severity: wishlist
Tags: patch
The attached patch implements globbing for include directives in filtergen
rulesets, along with glob()'s standard sorting functionality. This allows
filtergen to be more safe (not read backup files and the like scattered
around a directory) and also to nicely order files within a directory so you
can know that 99log.fg is going to be at the end of all the rules.
- Matt
--- filtergen-0.12.4.orig/filter_syntax.5 2004-06-09 22:48:41.000000000 +1000
+++ filtergen-0.12.4.defined_include_order/filter_syntax.5 2009-10-02 08:21:35.000000000 +1000
@@ -175,6 +175,71 @@
and "sport 12345" need to be either both in the group, or both
out of it.
+.SH INCLUDING OTHER FILES
+
+You can, if necessary, include other files containing filtergen statements
+in your filter files, with the \fIinclude\fR directive. This is legal
+anywhere in the file, and acts as if you literally read the included file
+into the position where the \fIinclude\fR is placed. This allows you to,
+for example, specify a common set of addresses (say, your monitoring system)
+and reference them in multiple locations:
+
+.nf
+ input eth0 {
+ proto tcp dport ssh source {
+ include monitoring-hosts.acl
+ } accept;
+
+ ...
+
+ # NRPE
+ proto tcp dport 5666 source {
+ include monitoring-hosts.acl
+ } accept;
+ }
+
+ output eth0 {
+ proto tcp sport ssh dest {
+ include monitoring-hosts.acl
+ } accept;
+
+ ...
+
+ # NRPE
+ proto tcp sport 5666 source {
+ include monitoring-hosts.acl
+ } accept;
+ }
+.fi
+
+Whilst you could improve this particular example without an \fIinclude\fR by
+grouping your ssh and NRPE ports together, you'd still have two places to
+edit when you changed your set of monitoring hosts. Using include, you can
+have a single place to change when you change your monitoring hosts.
+
+You can also include a glob of files, rather than a single file, by using
+one of the shell globbing metacharacters '\fI*\fR', '\fI?\fR', or '\fI[\fR'.
+This will cause filtergen to expand that glob and parse the files as if you
+had included them one-by-one, in your locale's sorted order. This is very
+handy if you configure your systems with an automated system, because you
+can dump a series of files into a directory depending on what classes are
+defined, and filtergen will pick them all up. The sorting is to ensure that
+your rules appear in the order you want them, rather than some
+higgledy-piggledy mess. Note that any directories that match your glob will
+not be recursively included in this mode.
+
+Finally, you can just provide a directory name, and filtergen will include
+all the files and directories under there, recursively (excluding hidden
+files, starting with a '.'). \fBThis method of including files is strongly
+deprecated\fR. There is no defined sort order, and if your editor leaves
+backup or temporary files around, or your configuration management system
+puts it's backups in the same directory as the original file (cfengine, I'm
+looking at \fIyou\fR), you can find yourself including files you really
+didn't intend -- hence why it is a bad idea. Instead, use a glob (above)
+with an explicit extension (we like \fI*.fg\fR) to perform your directory
+inclusions with minimal chance of accidents.
+
+
.SH EXAMPLE
Here's a fairly complete example, for a single-interface machine:
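Review bot: In the "output eth0" block of the new example, the NRPE rule reads "proto tcp sport 5666 source {" while the ssh rule directly above it uses "dest". This looks like a copy from the input block; for traffic leaving eth0 towards the monitoring hosts it should probably be "dest" as well. In the deprecated-directory paragraph, "puts it's backups" should be "puts its backups". The glob paragraph would also benefit from one sentence on what happens when a pattern matches no files, since the code in scanner.l only emits a warning in that case.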
--- filtergen-0.12.4.orig/scanner.l 2009-10-01 17:04:30.000000000 +1000
+++ filtergen-0.12.4.defined_include_order/scanner.l 2009-10-02 08:23:08.000000000 +1000
@@ -27,6 +27,7 @@
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
+#include <glob.h>
#include "parser.h"
/* include file stack */
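Review bot: The include list gains <glob.h>, but the new code in the next hunk also calls index(), which is declared in <strings.h>, and that header is not among the includes visible here. Either add it or use strchr() from <string.h>, which is the standard C equivalent and avoids an implicit-declaration warning on stricter compilers.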
@@ -194,7 +195,35 @@
char * fn;
if (stat(name, &st)) {
- scan_err("warning: stat failed on %s: %s", name, strerror(errno));
+ if (errno == ENOENT && (index(name, '*') != NULL || index(name, '?') != NULL || index(name, '[') != NULL)) {
+ /* Globbing fiesta! */
+ glob_t glob_buf;
+ if (glob(name, 0, NULL, &glob_buf) != 0) {
+ scan_err("warning: failed to glob %s: %s", name, strerror(errno));
+ } else {
+ int n;
+
+ /* We go through the list of files backwards, because
+ * step_into_include_file() creates a stack of all the
+ * files processed and then works on them in a LIFO
+ * fashion -- which would make all of our rules files
+ * go backwards. Since I can't wrap my head around
+ * why that is, exactly, I'm hacking it up with
+ * this instead. Fixination appreciated.
+ */
+ for (n = glob_buf.gl_pathc - 1; n >= 0; n--) {
+ if (stat(glob_buf.gl_pathv[n], &st)) {
+ scan_err("warning: stat failed on globbed %s: %s", glob_buf.gl_pathv[n], strerror(errno));
+ } else if (S_ISREG(st.st_mode) || S_ISLNK(st.st_mode)) {
+ step_into_include_file(glob_buf.gl_pathv[n]);
+ }
+ }
+ }
+
+ globfree(&glob_buf);
+ } else {
+ scan_err("warning: stat failed on %s: %s", name, strerror(errno));
+ }
} else {
if (S_ISDIR(st.st_mode)) {
if ((d = opendir(name)) == NULL) {
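Review bot: The glob() failure path prints strerror(errno), but glob() reports failure through its return value (GLOB_NOMATCH, GLOB_NOSPACE, GLOB_ABORTED) and is not required to set errno, so the warning will normally show the ENOENT left over from the failed stat() rather than the real cause. Keep the return value and report on it, distinguishing "no files matched" from a read error or out-of-memory. In the loop, S_ISLNK(st.st_mode) can never be true because stat() follows symlinks; drop the test, or switch to lstat() if symlinks are meant to be handled separately. Also, n is declared int while gl_pathc is a size_t, which will trip signed/unsigned warnings. Finally, the glob branch is only reached when stat() fails with ENOENT, so a file whose literal name contains '*', '?' or '[' is included as-is and never expanded; the man page text should say so if that is intended.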
@@ -210,7 +239,8 @@
}
closedir(d);
}
- } else
+ } else {
step_into_include_file(name);
+ }
}
}
--- End Message ---
--- Begin Message ---
Source: filtergen
Source-Version: 0.12.5-1
We believe that the bug you reported is fixed in the latest version of
filtergen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jamie Wilkinson <[email protected]> (supplier of updated filtergen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Feb 2016 03:04:52 +1100
Source: filtergen
Binary: filtergen
Architecture: source i386
Version: 0.12.5-1
Distribution: unstable
Urgency: low
Maintainer: Jamie Wilkinson <[email protected]>
Changed-By: Jamie Wilkinson <[email protected]>
Description:
filtergen - packet filter generator for various firewall systems
Closes: 549891 549892 751443
Changes:
filtergen (0.12.5-1) unstable; urgency=low
.
* New upstream release.
* New Maintainer, per private mail to mpalmer@.
* Updated standards version to 3.8.3.
* Updated to use debhelper 7.
- Specify misc:Depends.
- Update debian/compat.
- Update build dependency.
* Updated watch file for googlecode.com upstream location change.
* Bug fix: "Allow '*' as an interface name", thanks to Matthew
Palmer (Closes: #549891).
* Fix build failures when using clang instead of GCC (Closes: #751443).
* Support globbing in include directives (Closes: #549892).
* Update parser.y use of the parse-param directive to support modern bison.
* Update debhelper and debian/compat.
* Update watch file to new location.
* Add VCS headers to control file.
* Use debian/source options to build from git, add gbp.conf to debian dir.
* Convert debian/rules to dh style.
* Fix compiler warnings as errors to build with modern compiler.
* Update address of FSF.
* Add more example filters to examples.
--- End Message ---