extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-01 07:25:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Avoid reporting bogus duplicate interface with two bridges and wildcard ports

Browse Source
This commit is contained in:
Tom Eastep 2009-11-05 11:04:14 -08:00
parent 3cc9ee7be5
commit 28b660c853
4 changed files with 40 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -1726,6 +1726,7 @@ sub match_source_dev( $ ) {
return '' if $interface eq '+'; return '' if $interface eq '+';
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
$interface =~ s/\++/+/;
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; "-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
} else { } else {
"-i $interface "; "-i $interface ";
@ -1741,6 +1742,7 @@ sub match_dest_dev( $ ) {
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $capabilities{PHYSDEV_BRIDGE} ) { if ( $capabilities{PHYSDEV_BRIDGE} ) {
$interface =~ s/\++/+/;
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else { } else {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";

20
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -503,6 +503,9 @@ sub zone_report()
if ( $hosts ) { if ( $hosts ) {
my $grouplist = join ',', ( @$hosts ); my $grouplist = join ',', ( @$hosts );
$grouplist = join '!', ( $grouplist, $exclusions) if $exclusions; $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
$interface =~ s/\++/+/;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
progress_message_nocompress " $interface:$grouplist"; progress_message_nocompress " $interface:$grouplist";
} else { } else {
@ -560,6 +563,8 @@ sub dump_zone_contents()
$grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions; $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
$interface =~ s/\++/+/;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
$entry .= " $interface:$grouplist"; $entry .= " $interface:$grouplist";
} else { } else {
@ -733,7 +738,18 @@ sub process_interface( $ ) {
fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "Invalid Interface Name ($interface:$port)" unless $port eq '' || $port =~ /^[\w.@%-]+\+?$/;
if ( $port =~ /\+$/ ) {
while ( $interfaces{$port} ) {
fatal_error "Duplicate Interface ($interface:$port)" if $interfaces{$port}{bridge} eq $interface;
$port .= '+';
}
} else {
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
}
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
@ -747,8 +763,6 @@ sub process_interface( $ ) {
next if $port eq ''; next if $port eq '';
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
$bridge = $interface; $bridge = $interface;
$interface = $port; $interface = $port;
} else { } else {

2
Shorewall/changelog.txt
View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.4
4) Allow long port lists in /etc/shorewall/routestopped. 4) Allow long port lists in /etc/shorewall/routestopped.
5) Handle duplicate wildcard ports on different bridges.
Changes in Shorewall 4.4.3 Changes in Shorewall 4.4.3
1) Move Debian INITLOG initialization to /etc/default/shorewall 1) Move Debian INITLOG initialization to /etc/default/shorewall

19
Shorewall/releasenotes.txt
View File

@ -190,6 +190,25 @@ Shorewall 4.4.4
2) The Shorewall operations log (specified by STARTUP_LOG) is now 2) The Shorewall operations log (specified by STARTUP_LOG) is now
secured 0600. secured 0600.
3) Previously, the following valid configuration would produce a fatal
error reporting "Duplicate interface name (p+)"
/etc/shorewall/zones:
#ZONE TYPE
fw firewall
world ipv4
z1:world bport4
z2:world bport4
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:p+
z2 br1:p+
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------