On 7/17/11 10:19 AM, Steven Jan Springl wrote:
> On Sunday 17 July 2011 16:34:35 Tom Eastep wrote:
>> On Sun, 2011-07-17 at 15:37 +0100, Steven Jan Springl wrote:
>>> On Sunday 17 July 2011 00:44:35 Tom Eastep wrote:
>>>> Additional testing has uncovered some issues. Attached are three
>>>> patches which should be applied in this order:
>>>>
>>>> STRUCTURE.patch
>>>> DHCP.patch
>>>> COMMANDS.patch
>>>
>>> STRUCTURE.patch has applied successfully.
>>>
>>> DHCP.patch 1 hunk failed. I have attached a copy of Misc.pm.rej and the
>>
>> Steven,
>>
>> I apparently reversed the names of the patches. Please apply
>> COMMANDS.patch before DHCP.patch.
>>
>> Thanks and sorry for the inconvenience,
Here they are again.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
commit 950c32d46b49ca9afa9cd59d8540855be350baa1 Author: Tom Eastep <[email protected]> Date: Sat Jul 16 16:31:29 2011 -0700 Convert add_commands() calls to the equivalent add_rule() calls. Signed-off-by: Tom Eastep <[email protected]> diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 2452b31..442ae3f 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -706,11 +706,11 @@ sub add_common_rules() { for $interface ( @$list ) { set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; - - for $chain ( input_chain $interface, output_chain $interface ) { - my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; - set_rule_option( $ruleref, 'dhcp', 1 ); - } + + set_rule_option( add_rule( $filter_table->{$_} , + "-p udp --dport $ports -j ACCEPT" ) , + 'dhcp', + 1 ) for input_chain( $interface ), output_chain( $interface ); add_rule( $filter_table->{forward_chain $interface} , "-p udp " . @@ -814,9 +814,11 @@ sub add_common_rules() { if ( interface_is_optional $interface ) { add_commands( $chainref, - qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) , - ' echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) , - qq(fi) ); + qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) ); + incr_cmd_level( $chainref ); + add_rule( $chainref, match_source_dev( $interface ) . " -s $variable -p udp -j ACCEPT" ); + decr_cmd_level( $chainref ); + add_commands( $chainref, 'fi' ); } else { add_rule( $chainref, match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT) ); } 
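Review bot: In the @@ -814 hunk the optional-interface branch now builds its rule as `match_source_dev( $interface ) . " -s $variable -p udp -j ACCEPT"`, with a space before `-s`, while the unchanged else branch two lines below still uses `qq(-s $variable -p udp -j ACCEPT)` with no leading space, and the removed echo form also put nothing between the match_source_dev() result and `-s`. Whichever convention match_source_dev()'s trailing whitespace calls for, the two branches should use the same one so that the rule text emitted inside the `if [ -n "SW_$..._IS_USABLE" ... ]` guard is identical to the unconditional rule apart from the guard itself; as written one of them is off by a space.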
@@ -1005,24 +1007,26 @@ sub setup_mac_lists( $ ) { add_commands( $chainref, "for address in $variable; do" ); + incr_cmd_level( $chainref ); if ( $bridgeref->{broadcasts} ) { for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { - add_commands( $chainref , - " echo \"-A -s \$address -d $address -j RETURN\" >&3" ); + add_rule( $chainref, qq( -s \$address -d $address -j RETURN") ); } } else { my $variable1 = get_interface_bcasts $bridge; add_commands( $chainref, - " for address1 in $variable1; do" , - " echo \"-A -s \$address -d \$address1 -j RETURN\" >&3", - " done" ); + " for address1 in $variable1; do" ); + incr_cmd_level( $chainref ); + add_rule( $chainref, 's $address -d $address1 -j RETURN' ); + decr_cmd_level( $chainref ); + add_commands( $chainref, 'done' ); } - add_commands( $chainref - , " echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" , - , 'done' ); + add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' ); + decr_cmd_level( $chainref ); + add_commands( $chainref, 'done' ); } } }
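Review bot: Two of the rule strings converted from echo to add_rule() in the @@ -1005 hunk carry leftovers of the old form. `add_rule( $chainref, qq( -s \$address -d $address -j RETURN") );` keeps the closing `"` of the former echo argument inside the qq(), so a literal double quote ends up at the end of the generated rule, and `add_rule( $chainref, 's $address -d $address1 -j RETURN' );` has lost the leading `-` of `-s`. Both should take the shape of the last converted line, `add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' );`, and the leading space in the first string should be dropped for the same reason. Also note that the `incr_cmd_level( $chainref )` / `decr_cmd_level( $chainref )` pairs now have to bracket every add_commands("... do")/add_commands('done') pair; the inner `for address1` loop and the outer `for address` loop each get one, which looks balanced, but the else-branch comment about the generated script's indentation would help the next reader see that the level changes are deliberate.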
commit 03913019d86052222de21c3abb7b1f132ba214db Author: Tom Eastep <[email protected]> Date: Sat Jul 16 15:34:57 2011 -0700 Mark DHCP rules for the convenience of move_rules(). Signed-off-by: Tom Eastep <[email protected]> diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 70b62ba..e6637dc 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -402,6 +402,8 @@ use constant { UNIQUE => 1, CONTROL => 16 }; my %special = ( rule => CONTROL, + + dhcp => UNIQUE, mode => CONTROL, cmdlevel => CONTROL, @@ -793,6 +795,9 @@ sub add_commands ( $$;@ ) { $chainref->{referenced} = 1; } +# +# Transform the passed rule and add it to the end of the passed chain's rule list +# sub push_rule( $$ ) { my $chainref = $_[0]; my $ruleref = transform_rule( $_[1] ); @@ -803,6 +808,8 @@ sub push_rule( $$ ) { push @{$chainref->{rules}}, $ruleref; $chainref->{referenced} = 1; trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; + + $ruleref; } sub add_transformed_rule( $$ ) { @@ -892,6 +899,8 @@ sub handle_icmptype_list( $$$$ ) { # # Chain reference , Rule [, Expand-long-port-lists ] # +# Returns a reference to the generated internal-form rule +# sub add_rule($$;$) { my ($chainref, $rule, $expandports) = @_; @@ -993,6 +1002,8 @@ sub insert_rule1($$$) $iprangematch = 0; $chainref->{referenced} = 1; + + $ruleref; } sub insert_rule($$$) { 
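Review bot: The comment added before `sub add_rule($$;$)` in the @@ -892 hunk promises that it returns a reference to the generated internal-form rule, but the hunks only change push_rule() (@@ -803) and insert_rule1() (@@ -993) to end with a bare `$ruleref;`; add_rule()'s own body is not in the diff, so confirm that every return path of add_rule(), including the expand-long-port-lists path selected by its third argument, ends with the ruleref, otherwise the new `my $ruleref = add_rule ...` caller in Misc.pm receives whatever the last statement happened to evaluate to. An explicit `return $ruleref;` in push_rule() and insert_rule1() would make that contract visible instead of relying on Perl's implicit last-expression return.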
@@ -1131,14 +1142,12 @@ sub move_rules( $$ ) { # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain. # This hack avoids that. # - $_->{rule} = format_rule( $chain2, $_ ) for @$rules; - if ( $blacklist ) { my $rule = shift @{$rules}; - shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule}; + shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp}; unshift @{$rules}, $rule; } else { - shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule}; + shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp}; } # @@ -1152,8 +1161,7 @@ sub move_rules( $$ ) { trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1; } - splice @{$rules}, 0, 0, @filtered1; - + splice @{$rules}, 0, 0, @filtered1; } # diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ec0c5d9..2452b31 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -708,7 +708,8 @@ sub add_common_rules() { set_interface_option $interface, 'use_forward_chain', 1; for $chain ( input_chain $interface, output_chain $interface ) { - add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; + my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; + set_rule_option( $ruleref, 'dhcp', 1 ); } add_rule( $filter_table->{forward_chain $interface} ,
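Review bot: In the @@ -1131 hunk of move_rules() the duplicate-collapse test changes from `$rules->[0]{rule} eq $rules->[1]{rule}` to `$rules->[0]{dhcp} && $rules->[1]{dhcp}` and the line `$_->{rule} = format_rule( $chain2, $_ ) for @$rules;` is removed. Please confirm that nothing later in move_rules() still expects `$_->{rule}` to be populated at this point (the trace() call in the @@ -1152 hunk passes the rulerefs through directly, but that is the only later use visible here), and extend the comment above the test, which still describes the old hack, to say that adjacent rules are now collapsed by the dhcp flag rather than by comparing their formatted text, so a reader is not surprised that identical non-DHCP rules are no longer merged. Separately, the `index ec0c5d9..2452b31` line on Misc.pm in this commit matches the `index 2452b31..442ae3f` pre-image of commit 950c32d above, so this commit has to be applied first whichever attachment name it arrived under.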
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
