Additional testing has uncovered some issues. Attached are three patches which should be applied in this order:
STRUCTURE.patch
DHCP.patch
COMMANDS.patch
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
commit 950c32d46b49ca9afa9cd59d8540855be350baa1
Author: Tom Eastep <[email protected]>
Date: Sat Jul 16 16:31:29 2011 -0700
Convert add_commands() calls to the equivalent add_rule() calls.
Signed-off-by: Tom Eastep <[email protected]>
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 2452b31..442ae3f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -706,11 +706,11 @@ sub add_common_rules() {
 for $interface ( @$list ) {
 set_interface_option $interface, 'use_input_chain', 1;
 set_interface_option $interface, 'use_forward_chain', 1;
-
- for $chain ( input_chain $interface, output_chain $interface ) {
- my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
- set_rule_option( $ruleref, 'dhcp', 1 );
- }
+
+ set_rule_option( add_rule( $filter_table->{$_} ,
+ "-p udp --dport $ports -j ACCEPT" ) ,
+ 'dhcp',
+ 1 ) for input_chain( $interface ), output_chain( $interface );
 add_rule( $filter_table->{forward_chain $interface} ,
 "-p udp " .
@@ -814,9 +814,11 @@ sub add_common_rules() {
 if ( interface_is_optional $interface ) {
 add_commands( $chainref,
- qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
- ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
- qq(fi) );
+ qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+ incr_cmd_level( $chainref );
+ add_rule( $chainref, match_source_dev( $interface ) . " -s $variable -p udp -j ACCEPT" );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'fi' );
 } else {
 add_rule( $chainref, match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT) );
 }
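Review bot: Point of style in the first hunk — the replacement for the explicit `for $chain` loop is a four-line `set_rule_option( add_rule( ... ), 'dhcp', 1 )` statement with a trailing `for input_chain( $interface ), output_chain( $interface );` modifier, so the reader only discovers on the last line that the preceding three lines run twice and that `$_` inside them is the chain name. A statement modifier is idiomatic for a one-liner; for a multi-line call the removed block form was easier to follow, and keeping the loop explicit (`for my $chain ( input_chain $interface, output_chain $interface ) { set_rule_option( add_rule( $filter_table->{$chain}, "-p udp --dport $ports -j ACCEPT" ), 'dhcp', 1 ); }`) loses nothing. add_common_rules() starts and ends outside the hunk, and this hunk is printed a second time further down the page.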
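Review bot: In the second hunk the optional-interface branch now builds its rule as `match_source_dev( $interface ) . " -s $variable -p udp -j ACCEPT"` with a leading space, while the else branch three lines below still appends `qq(-s $variable -p udp -j ACCEPT)` directly, exactly as the removed echo line did. If match_source_dev() returns its text with a trailing space (which the removed line and the else branch suggest, but I cannot see the helper from here), the new line emits a doubled space; if it does not, the else branch glues the device name to `-s`. The two branches should agree either way: `add_rule( $chainref, match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT) );` keeps them identical. add_common_rules() starts and ends outside the hunk.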
@@ -1005,24 +1007,26 @@ sub setup_mac_lists( $ ) {
 add_commands( $chainref, "for address in $variable; do" );
+ incr_cmd_level( $chainref );
 if ( $bridgeref->{broadcasts} ) {
 for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
- add_commands( $chainref ,
- " echo \"-A -s \$address -d $address -j RETURN\" >&3" );
+ add_rule( $chainref, qq( -s \$address -d $address -j RETURN") );
 }
 } else {
 my $variable1 = get_interface_bcasts $bridge;
 add_commands( $chainref,
- " for address1 in $variable1; do" ,
- " echo \"-A -s \$address -d \$address1 -j RETURN\" >&3",
- " done" );
+ " for address1 in $variable1; do" );
+ incr_cmd_level( $chainref );
+ add_rule( $chainref, 's $address -d $address1 -j RETURN' );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'done' );
 }
- add_commands( $chainref
- , " echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
- , 'done' );
+ add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'done' );
 }
 }
 }
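Review bot: Two of the new add_rule() arguments in this hunk do not reproduce the rule text the removed echo lines emitted. In the broadcasts branch `qq( -s \$address -d $address -j RETURN")` carries a stray closing double quote left over from the old `echo "..."` string inside the qq() delimiters, and in the else branch `'s $address -d $address1 -j RETURN'` has lost the `-` of the `-s` match, so the emitted text no longer starts with a match option. The removed lines produced `-A -s $address -d ... -j RETURN`, so the replacements should read `add_rule( $chainref, qq(-s \$address -d $address -j RETURN) );` and `add_rule( $chainref, '-s $address -d $address1 -j RETURN' );`, matching the form of the `'-s $address -d 224.0.0.0/4 -j RETURN'` line below them. Whether the malformed text is rejected when the rule is built or reaches the generated firewall script depends on how add_rule() parses its argument, which is outside this hunk; setup_mac_lists() starts outside the hunk, and this hunk is printed a second time further down the page.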
commit 950c32d46b49ca9afa9cd59d8540855be350baa1
Author: Tom Eastep <[email protected]>
Date: Sat Jul 16 16:31:29 2011 -0700
Convert add_commands() calls to the equivalent add_rule() calls.
Signed-off-by: Tom Eastep <[email protected]>
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 2452b31..442ae3f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -706,11 +706,11 @@ sub add_common_rules() {
 for $interface ( @$list ) {
 set_interface_option $interface, 'use_input_chain', 1;
 set_interface_option $interface, 'use_forward_chain', 1;
-
- for $chain ( input_chain $interface, output_chain $interface ) {
- my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
- set_rule_option( $ruleref, 'dhcp', 1 );
- }
+
+ set_rule_option( add_rule( $filter_table->{$_} ,
+ "-p udp --dport $ports -j ACCEPT" ) ,
+ 'dhcp',
+ 1 ) for input_chain( $interface ), output_chain( $interface );
 add_rule( $filter_table->{forward_chain $interface} ,
 "-p udp " .
@@ -814,9 +814,11 @@ sub add_common_rules() {
 if ( interface_is_optional $interface ) {
 add_commands( $chainref,
- qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
- ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
- qq(fi) );
+ qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
+ incr_cmd_level( $chainref );
+ add_rule( $chainref, match_source_dev( $interface ) . " -s $variable -p udp -j ACCEPT" );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'fi' );
 } else {
 add_rule( $chainref, match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT) );
 }
@@ -1005,24 +1007,26 @@ sub setup_mac_lists( $ ) {
 add_commands( $chainref, "for address in $variable; do" );
+ incr_cmd_level( $chainref );
 if ( $bridgeref->{broadcasts} ) {
 for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
- add_commands( $chainref ,
- " echo \"-A -s \$address -d $address -j RETURN\" >&3" );
+ add_rule( $chainref, qq( -s \$address -d $address -j RETURN") );
 }
 } else {
 my $variable1 = get_interface_bcasts $bridge;
 add_commands( $chainref,
- " for address1 in $variable1; do" ,
- " echo \"-A -s \$address -d \$address1 -j RETURN\" >&3",
- " done" );
+ " for address1 in $variable1; do" );
+ incr_cmd_level( $chainref );
+ add_rule( $chainref, 's $address -d $address1 -j RETURN' );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'done' );
 }
- add_commands( $chainref
- , " echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
- , 'done' );
+ add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' );
+ decr_cmd_level( $chainref );
+ add_commands( $chainref, 'done' );
 }
 }
 }
commit 27621fa0f9c0f2be4885429ff0b8047e84a2736d
Author: Tom Eastep <[email protected]>
Date: Sat Jul 16 14:46:34 2011 -0700
Impose some structure on setting rule options
Signed-off-by: Tom Eastep <[email protected]>
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 93ee5ce..70b62ba 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -395,6 +395,34 @@ my %builtin_target = ( ACCEPT => 1,
 my %ipset_exists;
+use constant { UNIQUE => 1,
+ TARGET => 2,
+ EXCLUSIVE => 4,
+ MATCH => 8,
+ CONTROL => 16 };
+
+my %special = ( rule => CONTROL,
+
+ mode => CONTROL,
+ cmdlevel => CONTROL,
+ simple => CONTROL,
+
+ i => UNIQUE,
+ s => UNIQUE,
+ o => UNIQUE,
+ d => UNIQUE,
+ p => UNIQUE,
+
+ comment => CONTROL,
+
+ policy => MATCH,
+ state => EXCLUSIVE,
+ ctstate => EXCLUSIVE,
+
+ jump => TARGET,
+ target => TARGET,
+ targetopts => TARGET );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -528,10 +556,22 @@ sub set_rule_option( $$$ ) {
 assert( defined $value );
+ $ruleref->{simple} = 0;
+
+ my $special = $special{$option} || MATCH;
+
 if ( exists $ruleref->{$option} ) {
 assert( defined $ruleref->{$option} );
- $ruleref->{$option} = [ $ruleref->{$option} ] unless reftype $ruleref->{$option};
- push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
+ if ( $special != EXCLUSIVE ) {
+ if ( $special == UNIQUE ) {
+ $ruleref->{$option} = $value;
+ } elsif ( $special == MATCH ) {
+ $ruleref->{$option} = [ $ruleref->{$option} ] unless reftype $ruleref->{$option};
+ push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
+ } else {
+ assert(0);
+ }
+ }
 } else {
 $ruleref->{$option} = $value;
 }
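Review bot: The new UNIQUE/TARGET/EXCLUSIVE/MATCH/CONTROL constants and the %special map added after `my %ipset_exists;` in the first hunk carry no comment saying what each class means to set_rule_option(), and the values are powers of two although the code in the second hunk compares them with `==`/`!=` rather than testing bits, so a reader will wonder whether they are meant to be OR-ed together. A short header above `use constant` would settle both, along the lines of `# Classes of rule option, consulted by set_rule_option() when an option is set a second time: UNIQUE - the later value replaces the earlier; MATCH - values accumulate into a list; EXCLUSIVE - the first value is kept; TARGET/CONTROL - may only be set once. Distinct values, not bit flags; compared for equality.` — with the EXCLUSIVE wording adjusted if first-wins is not the intent. A one-line note that unlisted options default to MATCH would also help, since that is where most iptables match options will land.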
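Review bot: In the second hunk, when `$special` is EXCLUSIVE and the option already exists, the new `if ( $special != EXCLUSIVE )` guard falls through without doing anything, so a rule that receives `state` or `ctstate` twice silently keeps the first value and the second conjunct never reaches iptables, which could make the resulting rule broader than the caller asked for. The other classes are stricter (UNIQUE overwrites, CONTROL/TARGET hit `assert(0)`), so unless first-wins is deliberate this path should at least assert or warn, e.g. `} else { assert( $ruleref->{$option} eq $value ); }` attached to that `if`, or a comment stating why a duplicate EXCLUSIVE value is ignored. `my $special = $special{$option} || MATCH;` defaults every option not in %special to the accumulating class, so any unlisted option set twice now becomes an array ref where it used to as well; that is the old behaviour, but worth a comment since the default is now explicit. `$ruleref->{simple} = 0;` runs on every call, which I presume is intended (a rule stops being 'simple' once any option is set) — confirm. set_rule_option() starts and ends outside the hunk.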
@@ -632,28 +672,6 @@ sub set_rule_target( $$$ ) {
 1 }
-my %special = ( rule => 1,
-
- mode => 1,
- cmdlevel => 1,
- simple => 1,
-
- i => 1,
- s => 1,
- o => 1,
- d => 1,
- p => 1,
-
- comment => 1,
-
- policy => 1,
- state => 1,
- ctstate => 1,
-
- jump => 1,
- target => 1,
- targetopts => 1 );
-
 #
 # Convert a transformed rule into iptables input
 #
signature.asc
Description: OpenPGP digital signature
