

(-)Shorewall.orig/Perl/Shorewall/Chains.pm (-4 / +4 lines)
Lines 8762-8769 sub save_docker_rules($) { Link Here
8762
8762
8763
    emit( qq(if [ -n "\$g_docker" ]; then),
8763
    emit( qq(if [ -n "\$g_docker" ]; then),
8764
	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
8764
	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
8765
	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
8765
	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | grep -F DOCKER > \${VARDIR}/.nat_OUTPUT),
8766
	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
8766
	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | grep -F -v SHOREWALL | grep -F -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
8767
	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
8767
	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
8768
	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
8768
	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
8769
	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
8769
	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
Lines 8780-8786 sub save_docker_rules($) { Link Here
8780
    if ( known_interface( $bridge ) ) {
8780
    if ( known_interface( $bridge ) ) {
8781
	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
8781
	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
8782
    } else {
8782
    } else {
8783
	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
8783
	emit( qq(    $tool -t filter -S FORWARD | grep -E '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
8784
    }
8784
    }
8785
8785
8786
    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
8786
    emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
Lines 8825-8831 else Link Here
8825
fi
8825
fi
8826
8826
8827
if chain_exists dynamic; then
8827
if chain_exists dynamic; then
8828
    $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
8828
    $tool -S dynamic | tail -n +2 | grep -F -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
8829
else
8829
else
8830
    rm -f \${VARDIR}/.dynamic
8830
    rm -f \${VARDIR}/.dynamic
8831
fi
8831
fi
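Review bot: In the second hunk (line 8783) `$bridge` is interpolated unescaped into the extended regex `($bridge|br-[a-z0-9]{12})`, so a `.` in the bridge name matches any character and the filter can copy FORWARD rules for other interfaces into `.filter_FORWARD`; a `'` in the name would also end the shell quoting. Where `$bridge` is assigned is outside the hunk, so whether it is validated earlier cannot be seen here. If it is not, escape it before the emit, e.g. `( my $bridge_re = $bridge ) =~ s/\./\\./g;`, and use `$bridge_re` in the pattern. save_docker_rules starts and ends outside the hunks shown.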
(-)Shorewall.orig/Perl/Shorewall/Config.pm (-1 / +1 lines)
Lines 5059-5065 sub Connmark_Action() { Link Here
5059
}
5059
}
5060
5060
5061
sub Basic_Ematch() {
5061
sub Basic_Ematch() {
5062
    $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
5062
    $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | grep -E -q match" ) == 0;
5063
}
5063
}
5064
5064
5065
sub Fwmark_Rt_Mask() {
5065
sub Fwmark_Rt_Mask() {
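Review bot: `$tc` is interpolated into a single-string `system()` on line 5062, and because of the pipe and `2>&1` Perl runs that string through the shell, so a tc path containing whitespace or shell metacharacters would be re-parsed rather than executed as given. How `$tc` is resolved is not visible in this hunk; if it is always a validated executable path, a comment such as `# $tc is a resolved executable path; the command goes through the shell for the pipe` would record that assumption. The pattern `match` is a plain literal, so `grep -q match` is sufficient and `-E` can be dropped.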
(-)Shorewall.orig/Perl/Shorewall/Misc.pm (-2 / +2 lines)
Lines 2559-2565 EOF Link Here
2559
    case $COMMAND in
2559
    case $COMMAND in
2560
        stop|clear|restore)
2560
        stop|clear|restore)
2561
            if chain_exists dynamic; then
2561
            if chain_exists dynamic; then
2562
                ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
2562
                ${IPTABLES}-save -t filter | grep '^-A dynamic' | grep -F -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
2563
            fi
2563
            fi
2564
            ;;
2564
            ;;
2565
        *)
2565
        *)
Lines 2574-2580 EOF Link Here
2574
    case $COMMAND in
2574
    case $COMMAND in
2575
        stop|clear|restore)
2575
        stop|clear|restore)
2576
            if chain_exists dynamic; then
2576
            if chain_exists dynamic; then
2577
                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
2577
                ${IP6TABLES}-save -t filter | grep '^-A dynamic' | grep -F -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
2578
            fi
2578
            fi
2579
            ;;
2579
            ;;
2580
        *)
2580
        *)
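Review bot: The first filter in both hunks (lines 2562 and 2577), `grep '^-A dynamic'`, is a prefix match, so rules of any other chain whose name begins with `dynamic` would also be written to `${VARDIR}/.dynamic`. Adding the trailing space, `grep '^-A dynamic '`, restricts the save to the `dynamic` chain itself. Whether such chains can exist in a generated ruleset is not visible here, so treat this as a hardening suggestion. Both case blocks continue outside the hunks.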
(-)Shorewall.orig/Perl/Shorewall/Proc.pm (-1 / +1 lines)
Lines 364-370 sub setup_log_backend($) { Link Here
364
364
365
	    emit( "    setting=$setting",
365
	    emit( "    setting=$setting",
366
		  '',
366
		  '',
367
		  "    fgrep -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
367
		  "    grep -F -q $setting /proc/net/netfilter/nf_log || setting=$alternative",
368
		  '',
368
		  '',
369
		  "    if echo \$setting > $file; then",
369
		  "    if echo \$setting > $file; then",
370
		  '       progress_message "Log Backend set to $setting"',
370
		  '       progress_message "Log Backend set to $setting"',
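Review bot: On line 367 the Perl value `$setting` is pasted unquoted into the generated `grep` command, even though line 365 has just assigned the same value to the shell variable `setting`. Using the shell variable, quoted and after `--`, keeps the generated script correct if the value ever contains whitespace or starts with `-`: `"    grep -F -q -- \"\$setting\" /proc/net/netfilter/nf_log || setting=$alternative",`. The values `$setting` can take are set outside the hunk, so this is a style point unless they are configurable.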
(-)Shorewall.orig/Perl/Shorewall/Providers.pm (-2 / +2 lines)
Lines 1061-1067 CEOF Link Here
1061
    }
1061
    }
1062
1062
1063
    emit( qq(\n) ,
1063
    emit( qq(\n) ,
1064
	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
1064
	  qq(if ! \$IP -6 rule ls | grep -E -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
1065
	  qq(    qt \$IP -6 rule add from all table $providers{default}->{id} prio 32767\n) ,
1065
	  qq(    qt \$IP -6 rule add from all table $providers{default}->{id} prio 32767\n) ,
1066
	  qq(fi) ) if $family == F_IPV6;
1066
	  qq(fi) ) if $family == F_IPV6;
1067
1067
Lines 1078-1084 CEOF Link Here
1078
	} elsif ( ! $noautosrc ) {
1078
	} elsif ( ! $noautosrc ) {
1079
	    if ( $shared ) {
1079
	    if ( $shared ) {
1080
		if ( $persistent ) {
1080
		if ( $persistent ) {
1081
		    emit( qq(if ! egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),
1081
		    emit( qq(if ! grep -E -q "^20000:[[:space:]]+from $address lookup $id"; then),
1082
			  qq(    qt \$IP -$family rule del from $address pref 20000),
1082
			  qq(    qt \$IP -$family rule del from $address pref 20000),
1083
			  qq(    run_ip rule add from $address pref 20000 table $id),
1083
			  qq(    run_ip rule add from $address pref 20000 table $id),
1084
			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
1084
			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
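Review bot: The generated test on line 1081, `if ! grep -E -q "^20000:[[:space:]]+from $address lookup $id"; then`, gives grep neither a file nor a pipe, so it reads the script's standard input instead of the rule list. The first hunk (line 1064) pipes `\$IP -6 rule ls` into the same kind of check. Presumably the intent is `qq(if ! \$IP -$family rule ls | grep -E -q "^20000:[[:space:]]+from $address lookup $id"; then),`, matching the `\$IP -$family` form used on line 1082. The dots in `$address` are also regex wildcards under `-E`, which loosens the match slightly. The enclosing code starts and ends outside the hunk.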
(-)Shorewall.orig/Perl/lib.runtime (-4 / +4 lines)
Lines 116-129 setpolicy() # $1 = name of chain, $2 = p Link Here
116
# Generate a list of all network interfaces on the system
116
# Generate a list of all network interfaces on the system
117
#
117
#
118
find_all_interfaces() {
118
find_all_interfaces() {
119
    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
119
    ${IP:-ip} link list | grep -E '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
120
}
120
}
121
121
122
#
122
#
123
# Generate a list of all network interfaces on the system that have an ipvX address
123
# Generate a list of all network interfaces on the system that have an ipvX address
124
#
124
#
125
find_all_interfaces1() {
125
find_all_interfaces1() {
126
    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
126
    ${IP:-ip} -$g_family addr list | grep -E '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
127
}
127
}
128
128
129
#
129
#
Lines 679-685 interface_is_usable() # $1 = interface Link Here
679
    status=0
679
    status=0
680
680
681
    if ! loopback_interface $1; then
681
    if ! loopback_interface $1; then
682
	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
682
	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | grep -F 'state DOWN')" ]; then
683
	    if [ "$COMMAND" != enable ]; then
683
	    if [ "$COMMAND" != enable ]; then
684
		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
684
		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
685
		status=$?
685
		status=$?
Lines 1016-1022 delete_gateway() # $! = Description of t Link Here
1016
		gateway="nexthop $gateway dead"
1016
		gateway="nexthop $gateway dead"
1017
	    fi
1017
	    fi
1018
1018
1019
	    if eval echo $route \| fgrep -q \'$gateway\'; then
1019
	    if eval echo $route \| grep -F -q \'$gateway\'; then
1020
		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
1020
		eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
1021
		run_ip route replace table $2 $route
1021
		run_ip route replace table $2 $route
1022
	    fi
1022
	    fi
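Review bot: In delete_gateway (line 1019) `$route` and `$gateway` are expanded unquoted inside `eval`, so their contents are parsed a second time as shell code; the `sed` on line 1020 additionally treats `$gateway` as a regular expression. Where `$route` comes from is outside the hunk, but the test does not need `eval`: `if echo $route | grep -F -q -- "$gateway"; then` should behave the same for ordinary values and passes the gateway as one fixed string. The function body continues outside the hunk.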
(-)Shorewall.orig/Perl/prog.footer (-1 / +1 lines)
Lines 483-489 case "$COMMAND" in Link Here
483
	    #
483
	    #
484
	    # See what it is
484
	    # See what it is
485
	    #
485
	    #
486
	    if type $1 2> /dev/null | fgrep -q 'is a function'; then
486
	    if type $1 2> /dev/null | grep -F -q 'is a function'; then
487
		#
487
		#
488
		# It's a shell function -- call it
488
		# It's a shell function -- call it
489
		#
489
		#
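Review bot: The check on line 486 depends on the English wording of the `type` builtin's output and passes `$1` unquoted. In shells that localise that message the test would fail for a real function under a non-English locale, and an argument containing whitespace is split before `type` sees it. Unless the locale is pinned earlier in the script (not visible in this hunk), `if LC_ALL=C type "$1" 2> /dev/null | grep -F -q 'is a function'; then` is more robust. The case branch starts and ends outside the hunk.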
(-)Shorewall.orig/configure (-2 / +2 lines)
Lines 134-140 if [ -z "$vendor" ]; then Link Here
134
	*)
134
	*)
135
	    if [ -f /etc/debian_version ]; then
135
	    if [ -f /etc/debian_version ]; then
136
		params[HOST]=debian
136
		params[HOST]=debian
137
		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
137
		ls -l /sbin/init | grep -F -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
138
	    elif [ -f /etc/altlinux-release ] ; then
138
	    elif [ -f /etc/altlinux-release ] ; then
139
		params[HOST]=alt
139
		params[HOST]=alt
140
	    elif [ -f /etc/redhat-release ]; then
140
	    elif [ -f /etc/redhat-release ]; then
Lines 163-169 else Link Here
163
    if [ $vendor = linux ]; then
163
    if [ $vendor = linux ]; then
164
	rcfile=shorewallrc.default;
164
	rcfile=shorewallrc.default;
165
    elif [ $vendor = debian -a -f /etc/debian_version ]; then
165
    elif [ $vendor = debian -a -f /etc/debian_version ]; then
166
	ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
166
	ls -l /sbin/init | grep -F -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
167
    else
167
    else
168
	rcfile=shorewallrc.$vendor
168
	rcfile=shorewallrc.$vendor
169
    fi
169
    fi
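Review bot: Lines 137 and 166 detect systemd by searching the whole `ls -l /sbin/init` listing, which matches `systemd` anywhere in the line and relies on the `ls` output format. Reading the link target directly is more precise, e.g. `readlink /sbin/init | grep -F -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit`. This is a style point; the result is the same on the usual layouts.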
(-)Shorewall.orig/lib.cli-std (-2 / +2 lines)
Lines 1157-1163 safe_commands() { Link Here
1157
			    ;;
1157
			    ;;
1158
			t)
1158
			t)
1159
			    [ $# -eq 1 ] && fatal_error "The -t option requires a timeout value"
1159
			    [ $# -eq 1 ] && fatal_error "The -t option requires a timeout value"
1160
			    echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
1160
			    echo $2 | grep -E -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
1161
			    timeout=$2
1161
			    timeout=$2
1162
			    option=
1162
			    option=
1163
			    shift;
1163
			    shift;
Lines 1331-1337 try_command() { Link Here
1331
	    ;;
1331
	    ;;
1332
	2)
1332
	2)
1333
	    handle_directory $1
1333
	    handle_directory $1
1334
	    echo $2 | egrep -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
1334
	    echo $2 | grep -E -q '[[:digit:]]+[smh]' || fatal_error "The timeout value must be numeric, optionally followed by a suffix (s, m or h)"
1335
	    timeout=$2
1335
	    timeout=$2
1336
	    ;;
1336
	    ;;
1337
	*)
1337
	*)
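Review bot: The timeout check on lines 1160 and 1334 uses the unanchored pattern `'[[:digit:]]+[smh]'`, so any string that merely contains a digit followed by `s`, `m` or `h` is accepted and stored in `timeout`. A bare number is rejected, although the error message calls the suffix optional. Anchoring the pattern and quoting the argument closes both gaps: `echo "$2" | grep -E -q '^[[:digit:]]+[smh]?$'`. How `timeout` is used afterwards is outside the hunks, so the impact of a malformed value cannot be judged from here.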
