Handle mis-configured ipsec group on a bridge

This commit is contained in:
Tom Eastep 2011-03-27 10:52:44 -07:00
parent 9c8bce67b5
commit 1f359de08b


@ -146,12 +146,13 @@ our %reservedName = ( all => 1,
# %interfaces { <interface1> => { name => <name of interface> # %interfaces { <interface1> => { name => <name of interface>
# root => <name without trailing '+'> # root => <name without trailing '+'>
# options => { port => undef|1 # options => { port => undef|1
# <option1> = <val1> , #See %validinterfaceoptions # { <option1> } => <val1> , #See %validinterfaceoptions
# ... # ...
# } # }
# zone => <zone name> # zone => <zone name>
# nets => <number of nets in interface/hosts records referring to this interface> # nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge> # bridge => <bridge>
# ports => [ list of ports on this bridge ]
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
# number => <ordinal position in the interfaces file> # number => <ordinal position in the interfaces file>
# physical => <physical interface name> # physical => <physical interface name>
@ -883,6 +884,7 @@ sub process_interface( $$ ) {
fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
push @{$interfaces{$interface}{ports}}, $port;
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
if ( $zone ) { if ( $zone ) {
@ -1100,7 +1102,8 @@ sub process_interface( $$ ) {
options => \%options , options => \%options ,
zone => '', zone => '',
physical => $physical , physical => $physical ,
base => chain_base( $physical ) base => chain_base( $physical ),
ports => [],
}; };
if ( $zone ) { if ( $zone ) {
@ -1690,7 +1693,7 @@ sub process_host( ) {
fatal_error "Unknown ZONE ($zone)" unless $type; fatal_error "Unknown ZONE ($zone)" unless $type;
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL; fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
my $interface; my ( $interface, $interfaceref );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) { if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
@ -1703,7 +1706,7 @@ sub process_host( ) {
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/; fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
} }
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts"; fatal_error "Invalid HOST(S) column contents: $hosts";
} }
@ -1711,16 +1714,16 @@ sub process_host( ) {
$interface = $1; $interface = $1;
$hosts = $2; $hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts"; fatal_error "Invalid HOST(S) column contents: $hosts";
} }
if ( $type == BPORT ) { if ( $type == BPORT ) {
if ( $zoneref->{bridge} eq '' ) { if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge}; $zoneref->{bridge} = $interfaces{$interface}{bridge};
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { } elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
} }
} }
@ -1778,12 +1781,19 @@ sub process_host( ) {
$ipsets{"${zone}_${physical}"} = 1; $ipsets{"${zone}_${physical}"} = 1;
} }
# #
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers. # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
# #
$interface = '%vserver%' if $type == VSERVER; my $ports;
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); if ( $type == VSERVER ) {
$ports = [ $interface = '%vserver%' ];
} else {
$ports = @{$interfaceref->{ports}} ? $interfaceref->{ports} : [ $interface ];
}
add_group_to_zone( $zone, $type , $_, [ split_list( $hosts, 'host' ) ] , $optionsref) for @$ports;
progress_message " Host \"$currentline\" validated"; progress_message " Host \"$currentline\" validated";