extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-26 04:32:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Improve interface option inheritence

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-04-18 13:36:06 -07:00
parent acda5482c4
commit 240d3d8cab
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -804,9 +804,9 @@ sub single_interface( $ ) {
@keys == 1 ? $keys[0] : ''; @keys == 1 ? $keys[0] : '';
} }
sub add_group_to_zone($$$$$) sub add_group_to_zone($$$$$$)
{ {
my ($zone, $type, $interface, $networks, $options) = @_; my ($zone, $type, $interface, $networks, $options, $inherit_options) = @_;
my $hostsref; my $hostsref;
my $typeref; my $typeref;
my $interfaceref; my $interfaceref;
@ -818,6 +818,15 @@ sub add_group_to_zone($$$$$)
$zoneref->{destonly} ||= $interfaceref->{options}{destonly}; $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
$options->{destonly} ||= $interfaceref->{options}{destonly}; $options->{destonly} ||= $interfaceref->{options}{destonly};
if ( $inherit_options && $type== $zonetype && $type != IPSEC ) {
#
# Make 'find_hosts_by_option()' work correctly for this zone
#
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_} && ! exists $options->{$_};
}
}
$interfaceref->{zones}{$zone} = 1; $interfaceref->{zones}{$zone} = 1;
my @newnetworks; my @newnetworks;
@ -851,13 +860,6 @@ sub add_group_to_zone($$$$$)
if ( $host eq ALLIP ) { if ( $host eq ALLIP ) {
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks; fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
$interfaces{$interface}{zone} = $zone; $interfaces{$interface}{zone} = $zone;
#
# Make 'find_hosts_by_option()' work correctly for this zone
#
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
}
$allip = 1; $allip = 1;
} }
} }
@ -1409,12 +1411,13 @@ sub process_interface( $$ ) {
} }
$netsref ||= [ allip ]; $netsref ||= [ allip ];
add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref ); add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref , 1);
add_group_to_zone( $zone, add_group_to_zone( $zone,
$zoneref->{type}, $zoneref->{type},
$interface, $interface,
$family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] , $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] ,
{ destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone; { destonly => 1 },
0) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
} }
progress_message " Interface \"$currentline\" Validated"; progress_message " Interface \"$currentline\" Validated";
@ -2077,7 +2080,7 @@ sub process_host( ) {
# #
$interface = '%vserver%' if $type & VSERVER; $interface = '%vserver%' if $type & VSERVER;
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
progress_message " Host \"$currentline\" validated"; progress_message " Host \"$currentline\" validated";