Convert the 'ignore' interface to be multi-valued
- Allows 'ignore=1' to exempt the interface from updown processing only

Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
57a9feaf2f
commit
170875c7dd
@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
my $interfaceref = find_interface $interface;
|
||||
|
||||
unless ( $interfaceref->{options}{ignore} ) {
|
||||
unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
|
||||
|
||||
my @filters = @{$interfaceref->{filter}};
|
||||
|
||||
|
@ -1406,7 +1406,7 @@ sub compile_updown() {
|
||||
|
||||
push_indent;
|
||||
|
||||
my $ignore = find_interfaces_by_option 'ignore';
|
||||
my $ignore = find_interfaces_by_option 'ignore', 1;
|
||||
my $required = find_interfaces_by_option 'required';
|
||||
my $optional = find_interfaces_by_option 'optional';
|
||||
|
||||
|
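Review bot: In compile_updown, `find_interfaces_by_option 'ignore', 1` selects interfaces by any non-zero `ignore` value, whereas add_common_rules in the same section tests the specific bit with `& NO_SFILTER`. The two agree only while every permitted value includes NO_UPDOWN (1 and 3 on this page); a value carrying NO_SFILTER alone would silently drop the interface from up/down handling as well. Testing the NO_UPDOWN bit explicitly would keep the two exemptions independent, or at minimum add a comment above the call such as `# non-zero test is safe only because every valid 'ignore' value has NO_UPDOWN set`. Both function bodies continue outside the hunks shown.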
@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
|
||||
IP
|
||||
BPORT
|
||||
IPSEC
|
||||
NO_UPDOWN
|
||||
NO_SFILTER
|
||||
|
||||
determine_zones
|
||||
zone_report
|
||||
@ -221,11 +223,14 @@ use constant { SIMPLE_IF_OPTION => 1,
|
||||
IF_OPTION_WILDOK => 64
|
||||
};
|
||||
|
||||
use constant { NO_UPDOWN => 1,
|
||||
NO_SFILTER => 2 };
|
||||
|
||||
my %validinterfaceoptions;
|
||||
|
||||
my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
|
||||
|
||||
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
|
||||
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
|
||||
|
||||
my %validhostoptions;
|
||||
|
||||
@ -283,6 +288,7 @@ sub initialize( $$ ) {
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
logmartians => BINARY_IF_OPTION,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
@ -318,6 +324,7 @@ sub initialize( $$ ) {
|
||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
@ -1033,7 +1040,7 @@ sub process_interface( $$ ) {
|
||||
|
||||
if ( $options eq 'ignore' ) {
|
||||
fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
|
||||
$options{ignore} = 1;
|
||||
$options{ignore} = NO_UPDOWN | NO_SFILTER;
|
||||
$options = '-';
|
||||
}
|
||||
|
||||
@ -1153,7 +1160,16 @@ sub process_interface( $$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
|
||||
fatal_error "Invalid combination of interface options"
|
||||
if ( ( $options{required} && $options{optional} ) ||
|
||||
( $options{required} && $options{ignore} ) ||
|
||||
( $options{optional} && $options{ignore} ) );
|
||||
|
||||
if ( supplied( my $ignore = $options{ignore} ) ) {
|
||||
fatal_error "Invalid value ignore=0" if ! $ignore;
|
||||
} else {
|
||||
$options{ignore} = 0;
|
||||
}
|
||||
|
||||
if ( $netsref eq 'dynamic' ) {
|
||||
my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
|
||||
@ -1175,6 +1191,7 @@ sub process_interface( $$ ) {
|
||||
# No options specified -- auto-detect bridge
|
||||
#
|
||||
$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
|
||||
$options{ignore} ||= 0;
|
||||
}
|
||||
|
||||
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
|
||||
@ -1477,8 +1494,8 @@ NAME:
|
||||
#
|
||||
# Returns reference to array of interfaces with the passed option
|
||||
#
|
||||
sub find_interfaces_by_option( $ ) {
|
||||
my $option = $_[0];
|
||||
sub find_interfaces_by_option( $;$ ) {
|
||||
my ( $option , $nonzero ) = @_;
|
||||
my @ints = ();
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
@ -1487,7 +1504,11 @@ sub find_interfaces_by_option( $ ) {
|
||||
next unless $interfaceref->{root};
|
||||
|
||||
my $optionsref = $interfaceref->{options};
|
||||
if ( $optionsref && defined $optionsref->{$option} ) {
|
||||
if ( $nonzero ) {
|
||||
if ( $optionsref && $optionsref->{$option} ) {
|
||||
push @ints , $interface
|
||||
}
|
||||
} elsif ( $optionsref && defined $optionsref->{$option} ) {
|
||||
push @ints , $interface
|
||||
}
|
||||
}
|
||||
|
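Review bot: The number a user writes in `ignore=N` is stored directly as the NO_UPDOWN/NO_SFILTER flag mask, while the check `Ignored interfaces may not be associated with a zone` in process_interface runs only for the bare `ignore` form. As far as these hunks show, the `ignore => NO_UPDOWN` entry in `%maxoptionvalue` is therefore the only thing preventing `ignore=2` or `ignore=3` from switching off hairpin filtering on an interface that belongs to a zone; the code that applies that limit is outside the hunks, so this is inferred. A comment on that entry would guard it against a later bump, e.g. `# cap at NO_UPDOWN: ignore=N must never be able to set NO_SFILTER`. Separately, because `$options{ignore}` is now always defined, any caller of `find_interfaces_by_option 'ignore'` that omits the new second argument would match every interface; only the compile_updown call is visible here.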
@ -343,13 +343,22 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ignore</emphasis></term>
|
||||
<term><emphasis role="bold">ignore[=1]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>When specified, causes the generated script to ignore
|
||||
up/down events from Shorewall-init for this device.
|
||||
Additionally, the option exempts the interface from hairpin
|
||||
filtering.</para>
|
||||
filtering. When '=1' is omitted, the ZONE column must contain
|
||||
'-' and <option>ignore</option> must be the only
|
||||
OPTION.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.5, may be specified as
|
||||
'<option>ignore=1</option>' which only causes the generated
|
||||
script to ignore up/down events from Shorewall-init; hairpin
|
||||
filtering is still applied. In this case, the above
|
||||
restrictions on the ZONE and OPTIONS columns are
|
||||
lifted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -244,13 +244,22 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ignore</emphasis></term>
|
||||
<term><emphasis role="bold">ignore[=1]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>When specified, causes the generated script to ignore
|
||||
up/down events from Shorewall-init for this device.
|
||||
Additionally, the option exempts the interface from hairpin
|
||||
filtering.</para>
|
||||
filtering. When '=1' is omitted, the ZONE column must contain
|
||||
'-' and <option>ignore</option> must be the only
|
||||
OPTION.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.5, may be specified as
|
||||
'<option>ignore=1</option>' which only causes the generated
|
||||
script to ignore up/down events from Shorewall-init; hairpin
|
||||
filtering is still applied. In this case, the above
|
||||
restrictions on the ZONE and OPTIONS columns are
|
||||
lifted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|