From 18eedf7e3490b2f49422ea53ac119e07693d0e71 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 27 Nov 2009 08:17:18 -0800
Subject: [PATCH] Make 'virtual' a zone type rather than an option

---
 Shorewall/Perl/Shorewall/Policy.pm | 2 +-
 Shorewall/Perl/Shorewall/Zones.pm | 48 ++++++++++++++----------------
 Shorewall/releasenotes.txt | 9 +++---
 manpages/shorewall-nesting.xml | 6 +---
 manpages6/shorewall6-nesting.xml | 6 +---
 manpages6/shorewall6-zones.xml | 11 +++++++
 6 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 3969ba737..a922702ba 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -357,7 +357,7 @@ sub validate_policy()
                     add_or_modify_policy_chain( $zone1, $zone );
                 }
             }
-        } elsif ( defined_zone( $zone )->{virtual} ) {
+        } elsif ( zone_type( $zone ) == VIRTUAL ) {
             for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
                 for my $zone2 ( all_zones ) {
                     unless ( $zone1 eq $zone2 ) {
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 215784284..4f5f5db68 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -40,6 +40,7 @@ our @EXPORT = qw(
                   NOTHING
                   IP
                   BPORT
                   IPSEC
+                  VIRTUAL
                   VIRTUAL_BITS
                   determine_zones
@@ -164,7 +165,8 @@ our $virtualmark;
 use constant { FIREWALL => 1,
                IP       => 2,
                BPORT    => 3,
-               IPSEC    => 4 };
+               IPSEC    => 4,
+               VIRTUAL  => 5 };
 
 use constant { SIMPLE_IF_OPTION => 1,
                BINARY_IF_OPTION => 2,
@@ -364,6 +366,7 @@ sub process_zone( \$ ) {
     my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
 
     my $mark = 0;
+    my $virtual = 0;
 
     if ( $zone =~ /(\w+):([\w,]+)/ ) {
         $zone = $1;
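Review bot: The new condition reads the zone's type through the `zone_type( $zone )` accessor, but the context line right after it still reaches into Zones.pm's record with `defined_zone( $zone )->{children}`, so validate_policy now mixes an accessor with raw knowledge of the zone hash layout. If the intent of `zone_type`/`VIRTUAL` is to stop Policy.pm depending on per-zone keys, the child list deserves the same treatment: a one-line accessor in Zones.pm (something like a proposed `zone_children`) would let this read `for my $zone1 ( zone_children( $zone ) ) {`, assuming no such helper already exists — the Zones.pm export hunk does not show one. validate_policy begins and ends outside this hunk.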
@@ -389,6 +392,12 @@ sub process_zone( \$ ) {
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
         fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
         $type = IPSEC;
+
+        for ( @parents ) {
+            unless ( $zones{$_}{type} == IPSEC ) {
+                set_super( $zones{$_} );
+            }
+        }
     } elsif ( $type =~ /^bport([46])?$/i ) {
         fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
         warning_message "Bridge Port zones should have a parent zone" unless @parents;
@@ -400,6 +409,12 @@ sub process_zone( \$ ) {
         $firewall_zone = $zone;
         $ENV{FW} = $zone;
         $type = FIREWALL;
+    } elsif ( $type eq 'virtual' ) {
+        require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
+        fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
+        $virtual = $virtualmark;
+        $virtualmark = $virtualmark << 1;
+        $type = VIRTUAL;
     } elsif ( $type eq '-' ) {
         $type = IP;
         $$ip = 1;
@@ -407,25 +422,6 @@ sub process_zone( \$ ) {
         fatal_error "Invalid zone type ($type)" ;
     }
 
-    if ( $type eq IPSEC ) {
-        for ( @parents ) {
-            unless ( $zones{$_}{type} == IPSEC ) {
-                set_super( $zones{$_} );
-            }
-        }
-    }
-
-    my $virtual = 0;
-
-    if ( $options eq 'virtual' ) {
-        require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
-        fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;
-        fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
-        $virtual = $virtualmark;
-        $virtualmark = $virtualmark << 1;
-        $options = '';
-    }
-
     for ( $options, $in_options, $out_options ) {
         $_ = '' if $_ eq '-';
     }
@@ -511,9 +507,9 @@ sub zone_report()
     my @translate;
 
     if ( $family == F_IPV4 ) {
-        @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+        @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
     } else {
-        @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+        @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
     }
 
     for my $zone ( @zones )
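Review bot: In the @@ -400 hunk, `} elsif ( $type eq 'virtual' ) {` is the only TYPE test in this chain that is case-sensitive: the neighbouring branches match with `/^ipsec([46])?$/i` and `/^bport([46])?$/i`, so a zones file saying `Virtual` now reaches the `fatal_error "Invalid zone type ($type)"` fallback while `IPSEC` is accepted. `} elsif ( $type =~ /^virtual$/i ) {` keeps the branches consistent; if literal matching is deliberate (the `firewall` branch above the hunk is not visible here), a short comment on the branch saying so would stop the next reader from "fixing" it. process_zone starts and ends outside this hunk.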
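Review bot: The `@translate` tables in the @@ -511 hunk are positional, indexed by the FIREWALL/IP/BPORT/IPSEC/VIRTUAL constants, and the same list is repeated as `@xlate` in the @@ -569 hunk of dump_zone_contents, so adding one zone type meant editing four literal lists plus the `use constant` block, with nothing tying the constant values to the list order. A single helper that owns the name table would reduce that to one place; zone_report and dump_zone_contents would then call `type_name( $type )` wherever they index `@translate`/`@xlate` below these hunks (not visible here). This assumes `$family` is file-scoped, which its use in both hunks suggests. zone_report begins and ends outside the hunk.
```perl
# Human-readable name of a zone type code for the current address family.
# Positional: keep the FIREWALL/IP/BPORT/IPSEC/VIRTUAL constants dense and in this order.
sub type_name {
    my $type = shift;
    my @name_of_type = $family == F_IPV4
        ? ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' )
        : ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
    return $name_of_type[$type];
}
# … unchanged: zone_report / dump_zone_contents bodies, now calling type_name( $type ) …
```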
@@ -556,7 +552,7 @@ sub zone_report()
         unless ( $printed ) {
             fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
-            warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} );
+            warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} );
         }
     }
 }
@@ -569,9 +565,9 @@ sub dump_zone_contents()
     my @xlate;
 
     if ( $family == F_IPV4 ) {
-        @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+        @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
     } else {
-        @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+        @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
     }
 
     for my $zone ( @zones )
@@ -612,7 +608,7 @@ sub dump_zone_contents()
             }
         }
 
-        if ( $zoneref->{virtual} && @{$zoneref->{children}} ) {
+        if ( $type == VIRTUAL && @{$zoneref->{children}} ) {
             $entry .= " (";
             $entry .= "$_," for @{$zoneref->{children}};
             $entry =~ s/,$/) /;
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index da6bc884e..bbf58a8d2 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -231,13 +231,12 @@ None. $FW all ACCEPT 3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used - to group together a set of sub-zones. A virtual zone must by an - ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared - with the 'virtual' OPTION in /etc/shorewall/zones. + to group together a set of sub-zones. A virtual zone is declared + as TYPE 'virtual' in /etc/shorewall/zones. Example: - virt ipv4 virtual + virt virtual The virtual zone must have no definition in /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
@@ -251,7 +250,7 @@ None. Example: - virt ipv4 virtual + virt virtual loc:virt ipv4 vpn:virt ipsec
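Review bot: `( $type == VIRTUAL && @{$zoneref->{children}} )` dereferences `$zoneref->{children}` as an array in rvalue context without checking the key exists; under `use strict`, a virtual zone that no child zone ever named as its parent would die with an undefined-array-reference error here instead of receiving the EMPTY ZONE warning the line exists to emit — unless process_zone seeds `children` with `[]` for every zone, which is outside these hunks and cannot be confirmed. The pre-change `$zoneref->{virtual} && …` form had the same exposure, so the commit neither introduced nor closed it; `( $type == VIRTUAL && $zoneref->{children} && @{$zoneref->{children}} )` is safe either way. The same expression appears in the dump_zone_contents hunk at @@ -612, which also assumes `$type` there is the per-zone code used to index `@xlate` (not visible in the hunk). zone_report's body begins outside this hunk.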
diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml
index 405b8f4bc..63b004608 100644
--- a/manpages/shorewall-nesting.xml
+++ b/manpages/shorewall-nesting.xml
@@ -199,7 +199,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv4 - loc ipv4 virtual + loc virtual #Virtual Zone loc1:loc ipv4 loc2:loc ipv4
@@ -218,10 +218,6 @@ There are several restrictions on virtual zones: - - They must have type . - - A maximum of four virtual zones may be defined.
diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml
index 307a1220c..aa8b80655 100644
--- a/manpages6/shorewall6-nesting.xml
+++ b/manpages6/shorewall6-nesting.xml
@@ -103,7 +103,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv6 - loc ipv6 virtual + loc virtual #Virtual Zone loc1:loc ipv6 loc2:loc ipv6
@@ -122,10 +122,6 @@ There are several restrictions on virtual zones: - - They must have type . - - A maximum of four virtual zones may be defined.
diff --git a/manpages6/shorewall6-zones.xml b/manpages6/shorewall6-zones.xml
index a97c23df6..c6b358e77 100644
--- a/manpages6/shorewall6-zones.xml
+++ b/manpages6/shorewall6-zones.xml
@@ -169,6 +169,17 @@ c:a,b ipv6 single bridge. + + + virtual + + + Added in Shorewall 4.4.5. Virtual zones are containers + for other zones. See shorewall6-nesting (5) + for details. +