Handle mis-configured ipsec group on a bridge
This commit is contained in:
parent
9c8bce67b5
commit
1f359de08b
@ -146,12 +146,13 @@ our %reservedName = ( all => 1,
|
|||||||
# %interfaces { <interface1> => { name => <name of interface>
|
# %interfaces { <interface1> => { name => <name of interface>
|
||||||
# root => <name without trailing '+'>
|
# root => <name without trailing '+'>
|
||||||
# options => { port => undef|1
|
# options => { port => undef|1
|
||||||
# <option1> = <val1> , #See %validinterfaceoptions
|
# { <option1> } => <val1> , #See %validinterfaceoptions
|
||||||
# ...
|
# ...
|
||||||
# }
|
# }
|
||||||
# zone => <zone name>
|
# zone => <zone name>
|
||||||
# nets => <number of nets in interface/hosts records referring to this interface>
|
# nets => <number of nets in interface/hosts records referring to this interface>
|
||||||
# bridge => <bridge>
|
# bridge => <bridge>
|
||||||
|
# ports => [ list of ports on this bridge ]
|
||||||
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
||||||
# number => <ordinal position in the interfaces file>
|
# number => <ordinal position in the interfaces file>
|
||||||
# physical => <physical interface name>
|
# physical => <physical interface name>
|
||||||
@ -883,6 +884,7 @@ sub process_interface( $$ ) {
|
|||||||
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
||||||
|
|
||||||
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
||||||
|
push @{$interfaces{$interface}{ports}}, $port;
|
||||||
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1100,7 +1102,8 @@ sub process_interface( $$ ) {
|
|||||||
options => \%options ,
|
options => \%options ,
|
||||||
zone => '',
|
zone => '',
|
||||||
physical => $physical ,
|
physical => $physical ,
|
||||||
base => chain_base( $physical )
|
base => chain_base( $physical ),
|
||||||
|
ports => [],
|
||||||
};
|
};
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1690,7 +1693,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Unknown ZONE ($zone)" unless $type;
|
fatal_error "Unknown ZONE ($zone)" unless $type;
|
||||||
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
||||||
|
|
||||||
my $interface;
|
my ( $interface, $interfaceref );
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||||
@ -1703,7 +1706,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
@ -1711,16 +1714,16 @@ sub process_host( ) {
|
|||||||
$interface = $1;
|
$interface = $1;
|
||||||
$hosts = $2;
|
$hosts = $2;
|
||||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $type == BPORT ) {
|
if ( $type == BPORT ) {
|
||||||
if ( $zoneref->{bridge} eq '' ) {
|
if ( $zoneref->{bridge} eq '' ) {
|
||||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
|
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
|
||||||
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
||||||
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
|
} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
|
||||||
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1778,12 +1781,19 @@ sub process_host( ) {
|
|||||||
$ipsets{"${zone}_${physical}"} = 1;
|
$ipsets{"${zone}_${physical}"} = 1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
||||||
#
|
#
|
||||||
$interface = '%vserver%' if $type == VSERVER;
|
my $ports;
|
||||||
|
|
||||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
|
if ( $type == VSERVER ) {
|
||||||
|
$ports = [ $interface = '%vserver%' ];
|
||||||
|
} else {
|
||||||
|
$ports = @{$interfaceref->{ports}} ? $interfaceref->{ports} : [ $interface ];
|
||||||
|
}
|
||||||
|
|
||||||
|
add_group_to_zone( $zone, $type , $_, [ split_list( $hosts, 'host' ) ] , $optionsref) for @$ports;
|
||||||
|
|
||||||
progress_message " Host \"$currentline\" validated";
|
progress_message " Host \"$currentline\" validated";
|
||||||
|
|
||||||
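Review bot: The ternary `$ports = @{$interfaceref->{ports}} ? $interfaceref->{ports} : [ $interface ];` in the last hunk dereferences the `ports` slot in rvalue context, which under `use strict` dies with "Can't use an undefined value as an ARRAY reference" for any interface record that lacks the key; the `ports => []` initializer added at -1100 covers records built by process_interface, but if any record is constructed elsewhere this becomes a runtime crash rather than a clean fatal_error, so `@{ $interfaceref->{ports} || [] }` would keep process_host self-sufficient. The same hunk also computes `[ split_list( $hosts, 'host' ) ]` once per port inside the `for @$ports` modifier; hoisting it before the loop would be cheaper, but only if add_group_to_zone does not retain or mutate the passed arrayref, which is not visible here. The assignment embedded in `$ports = [ $interface = '%vserver%' ];` is easy to misread and would be clearer as two statements. process_host begins outside these hunks, so the paths that leave $interfaceref unset cannot be fully checked from this view.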
|