From 285225b87ab8989f0a481b7c7b60a004dc74e173 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 8 Dec 2008 21:49:50 +0000 Subject: [PATCH] Removal of IPv4-only values git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8951 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/README.txt | 2 +- Shorewall-perl/Shorewall/Accounting.pm | 12 ++-- Shorewall-perl/Shorewall/Chains.pm | 32 ++++----- Shorewall-perl/Shorewall/Compiler.pm | 2 +- Shorewall-perl/Shorewall/Config.pm | 4 +- Shorewall-perl/Shorewall/IPAddrs.pm | 26 +------- Shorewall-perl/Shorewall/Policy.pm | 4 +- Shorewall-perl/Shorewall/Providers.pm | 4 +- Shorewall-perl/Shorewall/Rules.pm | 32 ++++----- Shorewall-perl/Shorewall/Tunnels.pm | 6 +- Shorewall-perl/Shorewall/Zones.pm | 92 +++++++++++++++++--------- 11 files changed, 112 insertions(+), 104 deletions(-) diff --git a/Shorewall-perl/README.txt b/Shorewall-perl/README.txt index 5c2c3eddc..c3e698aba 100644 --- a/Shorewall-perl/README.txt +++ b/Shorewall-perl/README.txt @@ -1,2 +1,2 @@ -This is the Shorewall-perl development 4.2 branch of SVN. +This is the Shorewall-perl development 4.3 branch of SVN. diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index 9a845568c..0f5dfeb83 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm 
@@ -111,25 +111,25 @@ sub process_accounting_rule( $$$$$$$$$ ) { my $restriction = NO_RESTRICT; - $source = ALLIPv4 if $source eq 'any' || $source eq 'all'; + $source = ALLIP if $source eq 'any' || $source eq 'all'; if ( have_bridges ) { my $fw = firewall_zone; if ( $source =~ /^$fw:?(.*)$/ ) { - $source = $1 ? $1 : ALLIPv4; + $source = $1 ? $1 : ALLIP; $restriction = OUTPUT_RESTRICT; $chain = 'accountout' unless $chain and $chain ne '-'; - $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; + $dest = ALLIP if $dest eq 'any' || $dest eq 'all'; } else { $chain = 'accounting' unless $chain and $chain ne '-'; - if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) { + if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) { expand_rule( ensure_filter_chain( 'accountout' , 0 ) , OUTPUT_RESTRICT , $rule , $source , - $dest = ALLIPv4 , + $dest = ALLIP , '' , '' , $target , @@ -140,7 +140,7 @@ sub process_accounting_rule( $$$$$$$$$ ) { } } else { $chain = 'accounting' unless $chain and $chain ne '-'; - $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; + $dest = ALLIP if $dest eq 'any' || $dest eq 'all'; } my $chainref = ensure_accounting_chain $chain; diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index b56847b18..934a209d5 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -150,7 +150,7 @@ our %EXPORT_TAGS = ( Exporter::export_ok_tags('internal'); -our $VERSION = 4.1.5; +our $VERSION = 4.3.0; # # Chain Table 
@@ -623,13 +623,13 @@ sub use_input_chain($) { # # Interface associated with a single zone -- use the zone's input chain if it has one # - my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone4}}; + my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}}; return 0 if $chainref; # # Use the '2fw' chain if it is referenced. # - $chainref = $filter_table->{join( '' , $interfaceref->{zone4} , '2' , firewall_zone )}; + $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )}; ! ( $chainref->{referenced} || $chainref->{is_policy} ) } @@ -667,13 +667,13 @@ sub use_output_chain($) { # # Interface associated with a single zone -- use the zone's output chain if it has one # - my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone4}}; + my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; return 0 if $chainref; # # Use the 'fw2' chain if it is referenced. # - $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone4} )}; + $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; ! ( $chainref->{referenced} || $chainref->{is_policy} ) } @@ -1553,7 +1553,7 @@ sub match_source_net( $;$ ) { "-s ! $net "; } else { validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-s $net "; + $net eq ALLIP ? '' : "-s $net "; } } @@ -1577,7 +1577,7 @@ sub match_dest_net( $ ) { "-d ! $net "; } else { validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-d $net "; + $net eq ALLIP ? '' : "-d $net "; } } @@ -1587,7 +1587,7 @@ sub match_dest_net( $ ) { sub match_orig_dest ( $ ) { my $net = $_[0]; - return '' if $net eq ALLIPv4; + return '' if $net eq ALLIP; return '' unless $capabilities{CONNTRACK_MATCH}; if ( $net =~ s/^!// ) { 
@@ -1595,7 +1595,7 @@ sub match_orig_dest ( $ ) { $capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; } else { validate_net $net, 1; - $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; + $net eq ALLIP ? '' : "-m conntrack --ctorigdst $net "; } } @@ -1608,7 +1608,7 @@ sub match_ipsec_in( $$ ) { my $zoneref = find_zone( $zone ); my $optionsref = $zoneref->{options}; - if ( $zoneref->{type} eq 'ipsec4' ) { + if ( $zoneref->{type} eq 'ipsec' ) { $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; } elsif ( $capabilities{POLICY_MATCH} ) { $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; @@ -1626,7 +1626,7 @@ sub match_ipsec_out( $$ ) { my $zoneref = find_zone( $zone ); my $optionsref = $zoneref->{options}; - if ( $zoneref->{type} eq 'ipsec4' ) { + if ( $zoneref->{type} eq 'ipsec' ) { $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; } elsif ( $capabilities{POLICY_MATCH} ) { $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" 
@@ -2210,12 +2210,12 @@ sub expand_rule( $$$$$$$$$$$ ) $dexcl = ''; } - $inets = ALLIPv4 unless $inets; - $dnets = ALLIPv4 unless $dnets; - $onets = ALLIPv4 unless $onets; + $inets = ALLIP unless $inets; + $dnets = ALLIP unless $dnets; + $onets = ALLIP unless $onets; - fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4; - fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4; + fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIP; + fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIP; if ( $iexcl || $dexcl || $oexcl ) { # diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 933c2fe10..2668ab57a 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -62,7 +62,7 @@ use constant { EXPORT => 0x01 , sub reinitialize() { Shorewall::Config::initialize($family); Shorewall::Chains::initialize ($family); - Shorewall::Zones::initialize; + Shorewall::Zones::initialize ($family); Shorewall::Policy::initialize; Shorewall::Nat::initialize; Shorewall::Providers::initialize; diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 073ac68ec..b714256a9 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -119,7 +119,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object Exporter::export_ok_tags('internal'); -our $VERSION = 4.2.0; +our $VERSION = 4.3.0; # # describe the current command, it's present progressive, and it's completion. 
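Review bot: reinitialize() in the Compiler.pm hunk passes `$family` to Config, Chains and Zones but not to Shorewall::IPAddrs::initialize, which this same commit changes to take the family as its only argument and whose former `use_ipv4_addrs`/`use_ipv6_addrs` setters are removed. Each module appears to keep its own `$family` (Zones.pm adds `our $family;`), so if IPAddrs' initialize is not called further down in reinitialize (the rest of the body is outside the hunk), an IPv6 compile would leave IPAddrs validating addresses as IPv4 while Zones accepts IPv6 zone types. If that is the case, add `Shorewall::IPAddrs::initialize ($family);` alongside the other three calls.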
@@ -1453,7 +1453,7 @@ sub default_yes_no ( $$ ) { sub default_yes_no_ipv4 ( $$ ) { my ( $var, $val ) = @_; default_yes_no( $var, $val ); - warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV4 && $config{$var}; + warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var}; } my %validlevels = ( DEBUG => 7, diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index d44b95ccb..96bce1c44 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -55,10 +55,6 @@ our @EXPORT = qw( ALLIPv4 rfc1918_networks resolve_proto proto_name - use_ipv4_addrs - use_ipv6_addrs - using_ipv4_addrs - using_ipv6_addrs validate_port validate_portpair validate_port_list @@ -84,22 +80,6 @@ use constant { ALLIPv4 => '0.0.0.0/0' , our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); -sub use_ipv4_addrs() { - $family = F_IPV4; -} - -sub using_ipv4() { - $family == F_IPV4; -} - -sub use_ipv6_addrs() { - $family = F_IPV6; -} - -sub using_ipv6() { - $family == F_IPV6; -} - # # Initialize globals -- we take this novel approach to globals initialization to allow # the compiler to run multiple times in the same process. The @@ -109,12 +89,12 @@ sub using_ipv6() { # the second and subsequent calls to that function. # -sub initialize() { - use_ipv4_addrs; +sub initialize( $ ) { + $family = shift; } INIT { - initialize; + initialize( F_IPV4 ); } sub vlsm_to_mask( $ ) { diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 2a80e7657..db2c333ba 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT_OK = qw( ); -our $VERSION = 4.1.1; +our $VERSION = 4.3.0; # @policy_chains is a list of references to policy chains in the filter table 
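Review bot: The corrected condition in default_yes_no_ipv4 now warns when an IPv4-only option is set under IPv6, but `$config{$var}` keeps its truthy value, so the message's claim that the option "is ignored" only holds if every consumer of that setting also checks `$family`. Clearing the value here would make the claim true independent of callers, e.g. `$config{$var} = '' if $family == F_IPV6 && $config{$var};` placed after the warning (using whatever false value default_yes_no normalises to; that sub's body is above this hunk). If consumers are known to check `$family` themselves, a comment saying so on the warning line would do instead.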
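Review bot: The new `initialize( $ )` in IPAddrs.pm stores its argument into `$family` unchecked, and the same pattern is added to Shorewall::Zones::initialize in the Zones.pm hunk at `@@ -148,7 +149,8 @@`; every later `$family == F_IPV4`/`F_IPV6` test then silently treats anything else (undef, 0, a mistyped constant) as the "other" family, and undef additionally triggers an uninitialized-value warning on each comparison. A one-line guard in both subs keeps a bad caller from producing a ruleset for the wrong family by accident: `fatal_error "Invalid address family" unless defined $family && ( $family == F_IPV4 || $family == F_IPV6 );` (assuming fatal_error is in scope in IPAddrs.pm as it is in Zones.pm; otherwise `die` with the same message). Since the removed `using_ipv4`/`using_ipv6` were the only exported way to query the family, a short comment on initialize stating that it is now the sole entry point for selecting the family would help readers of the module.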
@@ -269,7 +269,7 @@ sub validate_policy() } unless ( $clientwild || $serverwild ) { - if ( zone_type( $server ) eq 'bport4' ) { + if ( zone_type( $server ) eq 'bport' ) { fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge" unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge}; } diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index b81cb6f66..d1a9bd6c9 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -419,14 +419,14 @@ sub add_an_rtrule( $$$$ ) { fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; if ( $dest eq '-' ) { - $dest = 'to ' . ALLIPv4; + $dest = 'to ' . ALLIP; } else { validate_net( $dest, 0 ); $dest = "to $dest"; } if ( $source eq '-' ) { - $source = 'from ' . ALLIPv4; + $source = 'from ' . ALLIP; } elsif ( $source =~ /:/ ) { ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 ); fatal_error "Invalid SOURCE" if defined $remainder; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index ee4b0a6a9..fe4a5153e 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -177,7 +177,7 @@ sub setup_ecn() $interfaces{$interface} = 1; - $hosts = ALLIPv4 if $hosts eq '-'; + $hosts = ALLIP if $hosts eq '-'; for my $host( split_list $hosts, 'address' ) { validate_host( $host , 1 ); @@ -361,7 +361,7 @@ sub process_criticalhosts() { fatal_error "Unknown interface ($interface)" unless known_interface $interface; - $hosts = ALLIPv4 unless $hosts ne '-'; + $hosts = ALLIP unless $hosts ne '-'; my @hosts; 
@@ -402,7 +402,7 @@ sub process_routestopped() { fatal_error "Unknown interface ($interface)" unless known_interface $interface; - $hosts = ALLIPv4 unless $hosts && $hosts ne '-'; + $hosts = ALLIP unless $hosts && $hosts ne '-'; my @hosts; @@ -1034,7 +1034,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $source = $2; } else { $sourcezone = $source; - $source = ALLIPv4; + $source = ALLIP; } if ( $dest =~ /^(.*?):(.*)/ ) { @@ -1048,7 +1048,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $destzone = '-'; } else { $destzone = $dest; - $dest = ALLIPv4; + $dest = ALLIP; } fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; @@ -1073,7 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # # For compatibility with older Shorewall versions # - $origdest = ALLIPv4 if $origdest eq 'all'; + $origdest = ALLIP if $origdest eq 'all'; # # Take care of chain @@ -1083,7 +1083,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { # # Check for illegal bridge port rule # - if ( $destref->{type} eq 'bport4' ) { + if ( $destref->{type} eq 'bport' ) { unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { return 1 if $wildcard; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; @@ -1178,14 +1178,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $target = '-j REDIRECT '; $target .= "--to-port $serverport " if $serverport; if ( $origdest eq '' || $origdest eq '-' ) { - $origdest = ALLIPv4; + $origdest = ALLIP; } elsif ( $origdest eq 'detect' ) { if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { my $interfacesref = $sourceref->{interfaces}; my @interfaces = keys %$interfacesref; - $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; + $origdest = @interfaces ? "detect:@interfaces" : ALLIP; } else { - $origdest = ALLIPv4; + $origdest = ALLIP; } } } else { 
@@ -1218,9 +1218,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { my $interfacesref = $sourceref->{interfaces}; my @interfaces = keys %$interfacesref; - $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; + $origdest = @interfaces ? "detect:@interfaces" : ALLIP; } else { - $origdest = ALLIPv4; + $origdest = ALLIP; } } } @@ -1265,7 +1265,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { if ( $origdest eq 'detect' ) { my $interfacesref = $sourceref->{interfaces}; my $interfaces = "@$interfacesref"; - $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4; + $origdest = $interfaces ? "detect:$interfaces" : ALLIP; } expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , @@ -1604,7 +1604,7 @@ sub generate_matrix() { if ( $capabilities{POLICY_MATCH} ) { my $type = $zoneref->{type}; - my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; + my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {}; for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { my $sourcechainref; @@ -1821,7 +1821,7 @@ sub generate_matrix() { next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); } - if ( $zone1ref->{type} eq 'bport4' ) { + if ( $zone1ref->{type} eq 'bport' ) { next unless $zoneref->{bridge} eq $zone1ref->{bridge}; } @@ -1873,7 +1873,7 @@ sub generate_matrix() { next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); } - if ( $zone1ref->{type} eq 'bport4' ) { + if ( $zone1ref->{type} eq 'bport' ) { next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge}; } diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm index 06176cdad..a2d370887 100644 --- a/Shorewall-perl/Shorewall/Tunnels.pm +++ b/Shorewall-perl/Shorewall/Tunnels.pm 
@@ -83,7 +83,7 @@ sub setup_tunnels() { unless ( $gatewayzones eq '-' ) { for my $zone ( split_list $gatewayzones, 'zone' ) { my $type = zone_type( $zone ); - fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4'; + fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport'; $inchainref = ensure_filter_chain "${zone}2${fw}", 1; $outchainref = ensure_filter_chain "${fw}2${zone}", 1; @@ -238,12 +238,12 @@ sub setup_tunnels() { my $zonetype = zone_type( $zone ); - fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport4'; + fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport'; my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; - $gateway = ALLIPv4 if $gateway eq '-'; + $gateway = ALLIP if $gateway eq '-'; my $source = match_source_net $gateway; my $dest = match_dest_net $gateway; diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index a8aa45ada..7fbc3f9f5 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -82,7 +82,7 @@ use constant { NOTHING => 'NOTHING', # # @zones contains the ordered list of zones with sub-zones appearing before their parents. # -# %zones{ => {type = > 'firewall', 'ipv4', 'ipsec4', 'bport4'; +# %zones{ => {type = > 'firewall', 'ip', 'ipsec', 'bport'; # options => { complex => 0|1 # nested => 0|1 # in_out => < policy match string > @@ -127,7 +127,7 @@ our %reservedName = ( all => 1, # options => { = , # ... # } -# zone4 => +# zone => # nets => # bridge => # broadcasts => 'none', 'detect' or [ , , ... ] @@ -138,6 +138,7 @@ our %reservedName = ( all => 1, our @interfaces; our %interfaces; our @bport_zones; +our $family; # # Initialize globals -- we take this novel approach to globals initialization to allow 
@@ -148,7 +149,8 @@ our @bport_zones; # the second and subsequent calls to that function. # -sub initialize() { +sub initialize( $ ) { + $family = shift; @zones = (); %zones = (); $firewall_zone = ''; @@ -159,7 +161,7 @@ sub initialize() { } INIT { - initialize; + initialize( F_IPV4 ); } # @@ -219,7 +221,7 @@ sub parse_zone_option_list($$) if ( $key{$e} ) { $h{$e} = $val; } else { - fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4'; + fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec'; $options .= $invert; $options .= "--$e "; $options .= "$val "if defined $val; @@ -239,7 +241,7 @@ sub determine_zones() { my @z; - my $ipv4 = 0; + my $ip = 0; my $fn = open_file 'zones'; @@ -267,16 +269,23 @@ sub determine_zones() fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; - $type = "ipv4" unless $type; + $type = "ip" unless $type; if ( $type =~ /ipv4/i ) { - $type = 'ipv4'; - $ipv4 = 1; - } elsif ( $type =~ /^ipsec4?$/i ) { - $type = 'ipsec4'; - } elsif ( $type =~ /^bport4?$/i ) { + fatal_error "Invalid zone type ($type)" if $family == F_IPV6; + $type = 'ip'; + $ip = 1; + } elsif ( $type =~ /ipv6/i ) { + fatal_error "Invalid zone type ($type)" if $family == F_IPV4; + $type = 'ip'; + $ip = 1; + } elsif ( $type =~ /^ipsec([46])?$/i ) { + fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ); + $type = 'ipsec'; + } elsif ( $type =~ /^bport([46])?$/i ) { + fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ); warning_message "Bridge Port zones should have a parent zone" unless @parents; - $type = 'bport4'; + $type = 'bport'; push @bport_zones, $zone; } elsif ( $type eq 'firewall' ) { fatal_error 'Firewall zone may not be nested' if @parents; 
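Review bot: In the new `ipsec([46])?` and `bport([46])?` branches of determine_zones the capture is optional, so for the plain `ipsec`/`bport` spellings `$1` is undef and `$1 == 4` raises "Use of uninitialized value" under `use warnings` for every such zone. Guard the family check on the capture in both branches: `fatal_error "Invalid zone type ($type)" if $1 && ( ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ) );`. Separately, the `ipv4` branch and the newly added `ipv6` branch are unanchored (`/ipv4/i`, `/ipv6/i`) while the ipsec/bport branches are anchored, so a type such as `ipv4x` or `myipv6` is silently accepted as `ip`; `/^ipv4$/i` and `/^ipv6$/i` would make the four branches consistent and reject typos with the existing "Invalid zone type" error. determine_zones continues outside this hunk.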
@@ -285,8 +294,8 @@ sub determine_zones() $ENV{FW} = $zone; $type = "firewall"; } elsif ( $type eq '-' ) { - $type = 'ipv4'; - $ipv4 = 1; + $type = 'ip'; + $ip = 1; } else { fatal_error "Invalid zone type ($type)" ; } @@ -302,7 +311,7 @@ sub determine_zones() options => { in_out => parse_zone_option_list( $options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) , - complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) , + complex => ($type eq 'ipsec' || $options || $in_options || $out_options ? 1 : 0) , nested => @parents > 0 } , interfaces => {} , children => [] , @@ -312,7 +321,7 @@ sub determine_zones() } fatal_error "No firewall zone defined" unless $firewall_zone; - fatal_error "No IPv4 zones defined" unless $ipv4; + fatal_error "No IP zones defined" unless $ip; my %ordered; @@ -340,7 +349,7 @@ sub determine_zones() # sub haveipseczones() { for my $zoneref ( values %zones ) { - return 1 if $zoneref->{type} eq 'ipsec4'; + return 1 if $zoneref->{type} eq 'ipsec'; } 0; @@ -353,6 +362,8 @@ sub zone_report() { progress_message2 "Determining Hosts in Zones..."; + my $ipzone = $family == F_IPV4 ? 'ipv4' : 'ipv6'; + for my $zone ( @zones ) { my $zoneref = $zones{$zone}; @@ -360,6 +371,8 @@ sub zone_report() my $type = $zoneref->{type}; my $optionref = $zoneref->{options}; + $type = $ipzone if $type eq 'ip'; + progress_message " $zone ($type)"; my $printed = 0; @@ -384,7 +397,7 @@ sub zone_report() } unless ( $printed ) { - fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport4' && ! $zoneref->{bridge}; + fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport' && ! $zoneref->{bridge}; warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; } 
@@ -393,6 +406,18 @@ sub zone_report() sub dump_zone_contents() { + my %xlate; + + if ( $family == F_IPV4 ) { + %xlate = ( ip => 'ipv4' , + bport => 'bport4' , + ipsec => 'ipsec4' ) + } else { + %xlate = ( ip => 'ipv6' , + bport => 'bport6' , + ipsec => 'ipsec6' ) + } + for my $zone ( @zones ) { my $zoneref = $zones{$zone}; @@ -400,9 +425,12 @@ sub dump_zone_contents() my $type = $zoneref->{type}; my $optionref = $zoneref->{options}; my $exclusions = $zoneref->{exclusions}; + + $type = $xlate{$type} if $xlate{$type}; + my $entry = "$zone $type"; - $entry .= ":$zoneref->{bridge}" if $type eq 'bport4'; + $entry .= ":$zoneref->{bridge}" if $type =~ /^bport/; if ( $hostref ) { for my $type ( sort keys %$hostref ) { @@ -455,7 +483,7 @@ sub add_group_to_zone($$$$$) my $arrayref; my $zoneref = $zones{$zone}; my $zonetype = $zoneref->{type}; - my $ifacezone = $interfaces{$interface}{zone4}; + my $ifacezone = $interfaces{$interface}{zone}; $zoneref->{interfaces}{$interface} = 1; @@ -481,7 +509,7 @@ sub add_group_to_zone($$$$$) unless ( $switched ) { if ( $type eq $zonetype ) { fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone; - $ifacezone = $zone if $host eq ALLIPv4; + $ifacezone = $zone if $host eq ALLIP; } } @@ -506,7 +534,7 @@ sub add_group_to_zone($$$$$) push @{$arrayref}, { options => $options, hosts => \@newnetworks, - ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' }; + ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' }; } # 
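Review bot: `%xlate` in dump_zone_contents is rebuilt on every call and duplicates the internal-to-display mapping that zone_report derives separately via `$ipzone` (`ip` → `ipv4`/`ipv6`) two hunks earlier, so the two presentations can drift apart as types are added. A single file-level helper used by both, returning `ipv4`/`ipv6`, `bport4`/`bport6` or `ipsec4`/`ipsec6` for the current `$family` and the type unchanged otherwise, would keep report and dump consistent and let the `$type =~ /^bport/` test below stay a plain `eq` on the internal name by checking before translation. This is a style point only; the translated output itself looks correct.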
@@ -624,7 +652,7 @@ sub validate_interfaces_file( $ ) fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; - fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4'; + fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport'; if ( $zone ) { if ( $zoneref->{bridge} ) { @@ -644,7 +672,7 @@ sub validate_interfaces_file( $ ) $interface = $port; } else { fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; - fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; + fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport'; $bridge = $interface; } @@ -746,11 +774,11 @@ sub validate_interfaces_file( $ ) push @ifaces, $interface; - my @networks = allipv4; + my @networks = allip; add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; - $interfaces{$interface}{zone4} = $zone; #Must follow the call to add_group_to_zone() + $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() progress_message " Interface \"$currentline\" Validated"; @@ -949,7 +977,7 @@ sub validate_hosts_file() fatal_error "Invalid HOST(S) column contents: $hosts"; } - if ( $type eq 'bport4' ) { + if ( $type eq 'bport' ) { if ( $zoneref->{bridge} eq '' ) { fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; $zoneref->{bridge} = $interfaces{$interface}{bridge}; 
@@ -967,7 +995,7 @@ sub validate_hosts_file() for my $option ( @options ) { if ( $option eq 'ipsec' ) { - $type = 'ipsec4'; + $type = 'ipsec'; $zoneref->{options}{complex} = 1; $ipsec = 1; } elsif ( $validoptions{$option}) { @@ -993,7 +1021,7 @@ sub validate_hosts_file() # # Take care of case where the hosts list begins with '!' # - $hosts = join( '', ALLIPv4 , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; + $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); @@ -1026,8 +1054,8 @@ sub find_hosts_by_option( $ ) { } for my $interface ( @interfaces ) { - if ( ! $interfaces{$interface}{zone4} && $interfaces{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIPv4 ]; + if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { + push @hosts, [ $interface, 'none', ALLIP ]; } }