extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-10 06:49:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Make 'virtual' a zone type rather than an option"

Browse Source 
This reverts commit 18eedf7e34.
This commit is contained in:
Tom Eastep 2009-11-28 07:19:10 -08:00
parent f5378e7652
commit 0b1621027b
6 changed files with 42 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Policy.pm
View File

@ -357,7 +357,7 @@ sub validate_policy()
add_or_modify_policy_chain( $zone1, $zone ); add_or_modify_policy_chain( $zone1, $zone );
} }
} }
} elsif ( zone_type( $zone ) == VIRTUAL ) { } elsif ( defined_zone( $zone )->{virtual} ) {
for my $zone1 ( @{defined_zone( $zone )->{children}} ) { for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
for my $zone2 ( all_zones ) { for my $zone2 ( all_zones ) {
unless ( $zone1 eq $zone2 ) { unless ( $zone1 eq $zone2 ) {

48
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -40,7 +40,6 @@ our @EXPORT = qw( NOTHING
IP IP
BPORT BPORT
IPSEC IPSEC
VIRTUAL
VIRTUAL_BITS VIRTUAL_BITS
determine_zones determine_zones
@ -165,8 +164,7 @@ our $virtualmark;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
BPORT => 3, BPORT => 3,
IPSEC => 4, IPSEC => 4 };
VIRTUAL => 5 };
use constant { SIMPLE_IF_OPTION => 1, use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2, BINARY_IF_OPTION => 2,
@ -366,7 +364,6 @@ sub process_zone( \$ ) {
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
my $mark = 0; my $mark = 0;
my $virtual = 0;
if ( $zone =~ /(\w+):([\w,]+)/ ) { if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1; $zone = $1;
@ -392,12 +389,6 @@ sub process_zone( \$ ) {
} elsif ( $type =~ /^ipsec([46])?$/i ) { } elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
$type = IPSEC; $type = IPSEC;
for ( @parents ) {
unless ( $zones{$_}{type} == IPSEC ) {
set_super( $zones{$_} );
}
}
} elsif ( $type =~ /^bport([46])?$/i ) { } elsif ( $type =~ /^bport([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
warning_message "Bridge Port zones should have a parent zone" unless @parents; warning_message "Bridge Port zones should have a parent zone" unless @parents;
@ -409,12 +400,6 @@ sub process_zone( \$ ) {
$firewall_zone = $zone; $firewall_zone = $zone;
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = FIREWALL; $type = FIREWALL;
} elsif ( $type eq 'virtual' ) {
require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
$virtual = $virtualmark;
$virtualmark = $virtualmark << 1;
$type = VIRTUAL;
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = IP; $type = IP;
$$ip = 1; $$ip = 1;
@ -422,6 +407,25 @@ sub process_zone( \$ ) {
fatal_error "Invalid zone type ($type)" ; fatal_error "Invalid zone type ($type)" ;
} }
if ( $type eq IPSEC ) {
for ( @parents ) {
unless ( $zones{$_}{type} == IPSEC ) {
set_super( $zones{$_} );
}
}
}
my $virtual = 0;
if ( $options eq 'virtual' ) {
require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;
fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
$virtual = $virtualmark;
$virtualmark = $virtualmark << 1;
$options = '';
}
for ( $options, $in_options, $out_options ) { for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-'; $_ = '' if $_ eq '-';
} }
@ -507,9 +511,9 @@ sub zone_report()
my @translate; my @translate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
@ -552,7 +556,7 @@ sub zone_report()
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} ); warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} );
} }
} }
} }
@ -565,9 +569,9 @@ sub dump_zone_contents()
my @xlate; my @xlate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
@ -608,7 +612,7 @@ sub dump_zone_contents()
} }
} }
if ( $type == VIRTUAL && @{$zoneref->{children}} ) { if ( $zoneref->{virtual} && @{$zoneref->{children}} ) {
$entry .= " ("; $entry .= " (";
$entry .= "$_," for @{$zoneref->{children}}; $entry .= "$_," for @{$zoneref->{children}};
$entry =~ s/,$/) /; $entry =~ s/,$/) /;

9
Shorewall/releasenotes.txt
View File

@ -231,12 +231,13 @@ None.
$FW all ACCEPT $FW all ACCEPT
3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used 3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
to group together a set of sub-zones. A virtual zone is declared to group together a set of sub-zones. A virtual zone must by an
as TYPE 'virtual' in /etc/shorewall/zones. ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
with the 'virtual' OPTION in /etc/shorewall/zones.
Example: Example:
virt virtual virt ipv4 virtual
The virtual zone must have no definition in The virtual zone must have no definition in
/etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
@ -250,7 +251,7 @@ None.
Example: Example:
virt virtual virt ipv4 virtual
loc:virt ipv4 loc:virt ipv4
vpn:virt ipsec vpn:virt ipsec

6
manpages/shorewall-nesting.xml
View File

@ -199,7 +199,7 @@
<programlisting> #ZONE TYPE OPTIONS <programlisting> #ZONE TYPE OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
loc virtual #Virtual Zone loc ipv4 virtual
loc1:loc ipv4 loc1:loc ipv4
loc2:loc ipv4</programlisting> loc2:loc ipv4</programlisting>
@ -218,6 +218,10 @@
<para>There are several restrictions on virtual zones:</para> <para>There are several restrictions on virtual zones:</para>
<itemizedlist> <itemizedlist>
<listitem>
<para>They must have type <option>ipv4</option>.</para>
</listitem>
<listitem> <listitem>
<para>A maximum of four virtual zones may be defined.</para> <para>A maximum of four virtual zones may be defined.</para>
</listitem> </listitem>

6
manpages6/shorewall6-nesting.xml
View File

@ -103,7 +103,7 @@
<programlisting> #ZONE TYPE OPTIONS <programlisting> #ZONE TYPE OPTIONS
fw firewall fw firewall
net ipv6 net ipv6
loc virtual #Virtual Zone loc ipv6 virtual
loc1:loc ipv6 loc1:loc ipv6
loc2:loc ipv6</programlisting> loc2:loc ipv6</programlisting>
@ -122,6 +122,10 @@
<para>There are several restrictions on virtual zones:</para> <para>There are several restrictions on virtual zones:</para>
<itemizedlist> <itemizedlist>
<listitem>
<para>They must have type <option>ipv6</option>.</para>
</listitem>
<listitem> <listitem>
<para>A maximum of four virtual zones may be defined.</para> <para>A maximum of four virtual zones may be defined.</para>
</listitem> </listitem>

11
manpages6/shorewall6-zones.xml
View File

@ -169,17 +169,6 @@ c:a,b ipv6</programlisting>
single bridge.</para> single bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">virtual</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.5. Virtual zones are containers
for other zones. See <ulink
url="shorewall6-nesting.html">shorewall6-nesting (5)</ulink>
for details.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>