Improve handling of wildcard interfaces and options

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2017-12-22 10:30:10 -08:00
parent 5a8e9cd0a3
commit 19b7601c72
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 142 additions and 37 deletions


@ -253,6 +253,17 @@ use constant { NO_UPDOWN => 1,
our %validinterfaceoptions; our %validinterfaceoptions;
our %procinterfaceoptions=( accept_ra => 1,
arp_filter => 1,
arp_ignore => 1,
forward => 1,
logmartians => 1,
proxyarp => 1,
proxyndp => 1,
routefilter => 1,
sourceroute => 1,
);
our %prohibitunmanaged = ( our %prohibitunmanaged = (
blacklist => 1, blacklist => 1,
bridge => 1, bridge => 1,
@ -363,9 +374,9 @@ sub initialize( $$ ) {
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
upnpclient => SIMPLE_IF_OPTION, upnpclient => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
physical => STRING_IF_OPTION + IF_OPTION_HOST, physical => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
unmanaged => SIMPLE_IF_OPTION, unmanaged => SIMPLE_IF_OPTION,
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, wait => NUMERIC_IF_OPTION,
); );
%validhostoptions = ( %validhostoptions = (
blacklist => 1, blacklist => 1,
@ -402,18 +413,18 @@ sub initialize( $$ ) {
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION, proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION, required => SIMPLE_IF_OPTION,
routeback => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, routeback => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK,
rpfilter => SIMPLE_IF_OPTION, rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION, sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => BINARY_IF_OPTION + IF_OPTION_HOST, tcpflags => BINARY_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
forward => BINARY_IF_OPTION, forward => BINARY_IF_OPTION,
physical => STRING_IF_OPTION + IF_OPTION_HOST, physical => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK,
unmanaged => SIMPLE_IF_OPTION, unmanaged => SIMPLE_IF_OPTION,
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
upnpclient => SIMPLE_IF_OPTION, upnpclient => SIMPLE_IF_OPTION,
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, wait => NUMERIC_IF_OPTION,
); );
%validhostoptions = ( %validhostoptions = (
blacklist => 1, blacklist => 1,
@ -1267,6 +1278,8 @@ sub process_interface( $$ ) {
my $hostopt = $type & IF_OPTION_HOST; my $hostopt = $type & IF_OPTION_HOST;
my $fulltype = $type;
$type &= MASK_IF_OPTION; $type &= MASK_IF_OPTION;
unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) { unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
@ -1297,7 +1310,6 @@ sub process_interface( $$ ) {
} elsif ( $type == BINARY_IF_OPTION ) { } elsif ( $type == BINARY_IF_OPTION ) {
$value = 1 unless defined $value; $value = 1 unless defined $value;
fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
$options{$option} = $value; $options{$option} = $value;
$hostoptions{$option} = $value if $hostopt; $hostoptions{$option} = $value if $hostopt;
} elsif ( $type == ENUM_IF_OPTION ) { } elsif ( $type == ENUM_IF_OPTION ) {
@ -1321,7 +1333,6 @@ sub process_interface( $$ ) {
assert( 0 ); assert( 0 );
} }
} elsif ( $type == NUMERIC_IF_OPTION ) { } elsif ( $type == NUMERIC_IF_OPTION ) {
fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
$value = $defaultinterfaceoptions{$option} unless defined $value; $value = $defaultinterfaceoptions{$option} unless defined $value;
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
my $numval = numeric_value $value; my $numval = numeric_value $value;
@ -1373,7 +1384,9 @@ sub process_interface( $$ ) {
fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port ); fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/; $physwild = ( $value =~ /\+$/ );
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild;
$physical = $value; $physical = $value;
} else { } else {
assert(0); assert(0);
@ -1381,6 +1394,12 @@ sub process_interface( $$ ) {
} else { } else {
warning_message "Support for the $option interface option has been removed from Shorewall"; warning_message "Support for the $option interface option has been removed from Shorewall";
} }
if ( $root ) {
warning_message( "The '$option' option is ignored when used with a wildcard physical name" ), delete $options{$option} if $physwild && $procinterfaceoptions{$option};
} else {
warning_message( "The '$option' option is ignored when used with interface name '+'" ), delete $options{$option} unless $fulltype & IF_OPTION_WILDOK;
}
} }
fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive) fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
@ -1459,6 +1478,7 @@ sub process_interface( $$ ) {
zones => {}, zones => {},
origin => shortlineinfo( '' ), origin => shortlineinfo( '' ),
wildcard => $wildcard, wildcard => $wildcard,
physwild => $physwild,
}; };
$interfaces{$physical} = $interfaceref if $physical ne $interface; $interfaces{$physical} = $interfaceref if $physical ne $interface;
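Review bot: The wildcard-physical check in the new `if ( $root )` branch is evaluated per option, but `$physwild` is only assigned when the `physical` option itself is processed (`$physwild = ( $value =~ /\+$/ );`), so any proc-style option that appears before `physical=eth0.+` in the OPTIONS column is neither warned about nor deleted and its setting is silently kept; the enclosing option loop starts outside this hunk, which is why the ordering is easy to miss. Because `%procinterfaceoptions` membership does not depend on the per-option `$fulltype`, that branch can become one sweep over `%options` after the loop closes, while the `else` branch for an interface named '+' must stay in the loop since it needs `$fulltype`. The comma-joined `warning_message( ... ), delete $options{$option} if ...` form on both new lines also reads as a single expression; a block with two statements is clearer and is what the sweep below uses. I cannot tell from the hunk whether `$physwild` is initialised before the loop, so the sweep guards on it being true.
```perl
            # … unchanged: in-loop check for an interface named '+' (the `else` branch using $fulltype) …
        }   # end of the per-option loop (its opening is outside this hunk)

        # Proc-style settings cannot be applied to a wildcard physical name, and
        # $physwild is only known once the 'physical' option has been seen, so
        # check after all options are parsed instead of once per option.
        if ( $root && $physwild ) {
            for my $option ( sort grep { $procinterfaceoptions{$_} } keys %options ) {
                warning_message "The '$option' option is ignored when used with a wildcard physical name";
                delete $options{$option};
            }
        }
```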


@ -112,7 +112,10 @@ loc eth2 -</programlisting>
url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5) url="/manpages/shorewall-nesting.html">shorewall-nesting</ulink>(5)
for a discussion of this problem.</para> for a discussion of this problem.</para>
<para>Shorewall allows '+' as an interface name.</para> <para>Shorewall allows '+' as an interface name, but that usage is
deprecated. A better approach is to specify
'<option>physical</option>=+' in the OPTIONS column (see
below).</para>
<para>There is no need to define the loopback interface (lo) in this <para>There is no need to define the loopback interface (lo) in this
file.</para> file.</para>
@ -193,6 +196,54 @@ loc eth2 -</programlisting>
should have no embedded white-space.</para> should have no embedded white-space.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis
role="bold">accept_ra</emphasis>[={0|1|2}]</term>
<listitem>
<para>IPv6 only; added in Shorewall 4.5.16. Values are:</para>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>Do not accept Router Advertisements.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>Accept Route Advertisements if forwarding is
disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>Overrule forwarding behavior. Accept Route
Advertisements even if forwarding is enabled.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If the option is specified without a value, then the
value 1 is assumed.</para>
<note>
<para>This option does not work with a wild-card <emphasis
role="bold">physical</emphasis> name (e.g., eth0.+).
Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term> <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
@ -209,12 +260,12 @@ loc eth2 -</programlisting>
changed; the value assigned to the setting will be the value changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para> specified (if any) or 1 if no value is given.</para>
<para/>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card <emphasis
<replaceable>interface</replaceable> name (e.g., eth0.+) in role="bold">physical</emphasis> name (e.g., eth0.+).
the INTERFACE column.</para> Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -243,16 +294,14 @@ loc eth2 -</programlisting>
<para>8 - do not reply for all local addresses</para> <para>8 - do not reply for all local addresses</para>
<para/>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card <emphasis
<replaceable>interface</replaceable> name (e.g., eth0.+) in role="bold">physical</emphasis> name (e.g., eth0.+).
the INTERFACE column.</para> Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note> </note>
<para/>
<warning> <warning>
<para>Do not specify <emphasis <para>Do not specify <emphasis
role="bold">arp_ignore</emphasis> for any interface involved role="bold">arp_ignore</emphasis> for any interface involved
@ -430,6 +479,25 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
<listitem>
<para>IPv6 only Sets the
/proc/sys/net/ipv6/conf/interface/forwarding option to the
specified value. If no value is supplied, then 1 is
assumed.</para>
<note>
<para>This option does not work with a wild-card <emphasis
role="bold">physical</emphasis> name (e.g., eth0.+).
Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ignore[=1]</emphasis></term> <term><emphasis role="bold">ignore[=1]</emphasis></term>
@ -496,9 +564,11 @@ loc eth2 -</programlisting>
<para/> <para/>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card <emphasis
<replaceable>interface</replaceable> name (e.g., eth0.+) in role="bold">physical</emphasis> name (e.g., eth0.+).
the INTERFACE column.</para> Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note> </note>
<blockquote> <blockquote>
@ -625,7 +695,10 @@ loc eth2 -</programlisting>
<para>If the <emphasis>interface</emphasis> name is a wildcard <para>If the <emphasis>interface</emphasis> name is a wildcard
name (ends with '+'), then the physical name (ends with '+'), then the physical
<emphasis>name</emphasis> must also end in '+'.</para> <emphasis>name</emphasis> must also end in '+'. The physical
<replaceable>name</replaceable> may end in '+' (or be exactly
'+') when the <replaceable>interface</replaceable> name is not
a wildcard name.</para>
<para>If <option>physical</option> is not specified, then it's <para>If <option>physical</option> is not specified, then it's
value defaults to the <emphasis>interface</emphasis> value defaults to the <emphasis>interface</emphasis>
@ -647,9 +720,13 @@ loc eth2 -</programlisting>
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink></para> </ulink></para>
<para><emphasis role="bold">Note</emphasis>: This option does <note>
not work with a wild-card <replaceable>interface</replaceable> <para>This option does not work with a wild-card <emphasis
name (e.g., eth0.+) in the INTERFACE column.</para> role="bold">physical</emphasis> name (e.g., eth0.+).
Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note>
<para>Only those interfaces with the <option>proxyarp</option> <para>Only those interfaces with the <option>proxyarp</option>
option will have their setting changed; the value assigned to option will have their setting changed; the value assigned to
@ -665,9 +742,13 @@ loc eth2 -</programlisting>
<para>IPv6 only. Sets <para>IPv6 only. Sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para> /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
<para><emphasis role="bold">Note</emphasis>: This option does <note>
not work with a wild-card <replaceable>interface</replaceable> <para>This option does not work with a wild-card <emphasis
name (e.g., eth0.+) in the INTERFACE column.</para> role="bold">physical</emphasis> name (e.g., eth0.+).
Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note>
<para>Only those interfaces with the <option>proxyndp</option> <para>Only those interfaces with the <option>proxyndp</option>
option will have their setting changed; the value assigned to option will have their setting changed; the value assigned to
@ -731,9 +812,11 @@ loc eth2 -</programlisting>
filtering.</para> filtering.</para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card <emphasis
<replaceable>interface</replaceable> name (e.g., eth0.+) in role="bold">physical</emphasis> name (e.g., eth0.+).
the INTERFACE column.</para> Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note> </note>
<para>This option can also be enabled globally via the <para>This option can also be enabled globally via the
@ -842,9 +925,11 @@ loc eth2 -</programlisting>
specified (if any) or 1 if no value is given.</para> specified (if any) or 1 if no value is given.</para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card <emphasis
<replaceable>interface</replaceable> name (e.g., eth0.+) in role="bold">physical</emphasis> name (e.g., eth0.+).
the INTERFACE column.</para> Beginning with Shorewall 5.1.10, If this option is
specified, a warning is issued and the option is
ignored.</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>