Shorewall devel - May 2005 - Patch to fix dynamic add/delete to zone functinality

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I''m running systems with openswan and modified _updown script
supporting
shorewall dynamic hosts. Because on problems with cvs head version of
openswan I found a error from shorewall dynamic hosts support. When host
is already in zone shorewall aborts adding process with error. This is
not good thing(tm).

I found out that deleting host from dynamic zone gives warning when host
is not in zone but is successful. I changed add code to work same way.

I fixed shorewall delete warning message too, it didn''t give all
correct
information.

Patch is against shorewall 2.2.5

- --
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFClIdJTlrZKzwul1ERAmbkAJsFC72PWsZQTShPwNbkAThvHW2daQCeO6Kx
/YAYvDuS9oBqzpizrglphVw=ZZMb
-----END PGP SIGNATURE-----
-------------- next part --------------
--- shorewall-2.2.5/firewall.dynamicadd	2005-05-11 20:20:23.000000000 +0300
+++ shorewall-2.2.5/firewall	2005-05-25 15:49:47.000000000 +0300
@@ -7001,16 +7001,20 @@
 
     while read z hosts; do
 	if [ "$z" = "$zone" ]; then
+	    found 	    for h in $hosts; do
+		[ -n "$found" ] && break
 		for host in $hostlist; do
 		    if [ "$h" = "$host" ]; then
-			rm -f ${STATEDIR}/zones_$$
-			startup_error "$host already in zone $zone"
+			found=Yes
 		    fi
 		done
 	    done
-	    
-	    [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts
$hostlist"
+	    if [ -n "$found" ]; then
+		error_message "Warning: $host does appear to be in zone $zone
already"
+	    else
+		[ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts
$hostlist"
+	    fi
 	fi
 
 	eval ${z}_hosts=\"$hosts\"
@@ -7088,7 +7092,6 @@
 		fi
 	    fi
 	done < ${STATEDIR}/chains
-    
 	progress_message "$newhost added to zone $zone"
     
     done
@@ -7184,7 +7187,7 @@
 		    fi
 		done
 
-		[ -n "$found" ] || error_message "Warning: $1 does not appear
to be in zone $2"
+		[ -n "$found" ] || error_message "Warning: $host does not
appear to be in zone $zone"
 	    done
 
 	    for h in $temp; do

Tuomo Soini wrote:
> 
> I fixed shorewall delete warning message too, it didn''t give all
correct
> information.
> 
Guys -- I''ve merged Tuomo''s patch into Shorewall2/ at
cvs.shorewall.net
-- I''ll leave it to the new team to merge it into STABLE2/. I reworded
the new warning message slightly:

if [ -n "$found" ]; then
   error_message "Warning: $host appears to be in zone $zone already"
else

I''ll include this in my next Shorewall2/ commit at Sourceforge once CVS
is up and running there.

Thanks, Tuomo
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> 
> I''ll include this in my next Shorewall2/ commit at Sourceforge
once CVS
> is up and running there.
I''ve looked at the patch some more and I''m afraid that it is
badly broken.

The syntax for add is "add <zone> <hostlist>"

The patch:

a) Always reports the last entry in <hostlist> as being the duplicate
even if it is not.
b) If any host in <hostlist> is a duplicate then the entirity of
<hostlist> is omitted from the new $STATEDIR/zones file; yet
c) Rules are created for each member of the <hostlist>, including the
duplicate

So I''m backing out the patch.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> The syntax for add is "add <zone> <hostlist>"
> 
> The patch:
> 
> a) Always reports the last entry in <hostlist> as being the duplicate
> even if it is not.
Hmmh I didn''t notice that because I only add one host at time. Need to
test more.
> b) If any host in <hostlist> is a duplicate then the entirity of
> <hostlist> is omitted from the new $STATEDIR/zones file; yet
Yep. I found this out. I''m trying to find out better way to fix
problems. Hmmh. I need to remove duplicate host from hostlist to make
that part of patch work as it should.
> c) Rules are created for each member of the <hostlist>, including the
> duplicate
Because dupes are not removed.
> So I''m backing out the patch.
Correct decision. I''m working on improved patch. Thanks for debugging
:-)

- --
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFClOlLTlrZKzwul1ERAkpxAJwNTU2HkFm7xCuJdktgCKa/bro/ugCdGnW8
WKGymDR+ZIS0nRcP0QuCzzY=Uw4l
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> I''ve looked at the patch some more and I''m afraid that it
is badly broken.
Here is new one.
> 
> The syntax for add is "add <zone> <hostlist>"
> 
> The patch:
> 
> a) Always reports the last entry in <hostlist> as being the duplicate
> even if it is not.
Now it should report correct host.
> b) If any host in <hostlist> is a duplicate then the entirity of
> <hostlist> is omitted from the new $STATEDIR/zones file; yet
Fixed by generating newhostlist from non-dupe entries and using it.
> c) Rules are created for each member of the <hostlist>, including the
> duplicate
Previous fix should fix this.

- --
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFClaLETlrZKzwul1ERAnSAAJ9gP6BAvTvWNJZKPaJrGauPjE1jiACgnDMU
bKGQXK4McSsdD2RoIY2ww08=0whC
-----END PGP SIGNATURE-----
-------------- next part --------------
--- shorewall-2.2.5/firewall.dynamicadd	2005-05-11 20:20:23.000000000 +0300
+++ shorewall-2.2.5/firewall	2005-05-26 13:06:33.000000000 +0300
@@ -6917,7 +6917,8 @@
 add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
 {
     local interface host zone z h z1 z2 chain
-    local dhcp_interfaces blacklist_interfaces maclist_interfaces
tcpflags_interfaces
+    local dhcp_interfaces blacklist_interfaces maclist_interfaces
+    local tcpflags_interfaces newhostlist     local rulenum source_chain
dest_hosts iface hosts hostlist
     nat_chain_exists() # $1 = chain name
@@ -7001,16 +7002,16 @@
 
     while read z hosts; do
 	if [ "$z" = "$zone" ]; then
-	    for h in $hosts; do
-		for host in $hostlist; do
-		    if [ "$h" = "$host" ]; then
-			rm -f ${STATEDIR}/zones_$$
-			startup_error "$host already in zone $zone"
-		    fi
-		done
+	    for h in $hostlist; do
+		list_search $h $hosts
+		if [ "$?" -gt 0 ]; then
+		    newhostlist="$newhostlist $h"
+		else
+		    error_message "$h already in zone $zone"
+		fi
 	    done
 	    
-	    [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts
$hostlist"
+	    [ -z "$hosts" ] && hosts=$newhostlist ||
hosts="$hosts $newhostlist"
 	fi
 
 	eval ${z}_hosts=\"$hosts\"
@@ -7024,7 +7025,7 @@
     #
     # Create a new Zone state file
     #
-    for newhost in $hostlist; do
+    for newhost in $newhostlist; do
         #
         # Isolate interface and host parts
         #
@@ -7184,7 +7185,7 @@
 		    fi
 		done
 
-		[ -n "$found" ] || error_message "Warning: $1 does not appear
to be in zone $2"
+		[ -n "$found" ] || error_message "Warning: $host does not
appear to be in zone $zone"
 	    done
 
 	    for h in $temp; do

Tuomo Soini wrote:
> Tom Eastep wrote:
>>>I''ve looked at the patch some more and I''m afraid
that it is badly broken.
> 
> Here is new one.
>>>The syntax for add is "add <zone> <hostlist>"
>>>
>>>The patch:
>>>
>>>a) Always reports the last entry in <hostlist> as being the
duplicate
>>>even if it is not.
> 
> Now it should report correct host.
> 
>>>b) If any host in <hostlist> is a duplicate then the entirity
of
>>><hostlist> is omitted from the new $STATEDIR/zones file; yet
> 
> Fixed by generating newhostlist from non-dupe entries and using it.
> 
>>>c) Rules are created for each member of the <hostlist>,
including the
>>>duplicate
> 
> Previous fix should fix this.
This looks much better -- Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key