mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-24 13:40:48 +01:00
Some early code cleanup
This commit is contained in:
Tom Eastep
parent
11962560fe
commit
404a7250b0
@ -154,6 +154,25 @@ use constant { FIREWALL => 1,
|
|||||||
BPORT => 3,
|
BPORT => 3,
|
||||||
IPSEC => 4 };
|
IPSEC => 4 };
|
||||||
|
|
||||||
|
use constant { SIMPLE_IF_OPTION => 1,
|
||||||
|
BINARY_IF_OPTION => 2,
|
||||||
|
ENUM_IF_OPTION => 3,
|
||||||
|
NUMERIC_IF_OPTION => 4,
|
||||||
|
OBSOLETE_IF_OPTION => 5,
|
||||||
|
IPLIST_IF_OPTION => 6,
|
||||||
|
MASK_IF_OPTION => 7,
|
||||||
|
|
||||||
|
IF_OPTION_ZONEONLY => 8,
|
||||||
|
IF_OPTION_HOST => 16,
|
||||||
|
};
|
||||||
|
|
||||||
|
our %validinterfaceoptions;
|
||||||
|
|
||||||
|
our %validhostoptions;
|
||||||
|
|
||||||
|
our $num;
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||||
# the compiler to run multiple times in the same process. The
|
# the compiler to run multiple times in the same process. The
|
||||||
@ -169,11 +188,67 @@ sub initialize( $ ) {
|
|||||||
@zones = ();
|
@zones = ();
|
||||||
%zones = ();
|
%zones = ();
|
||||||
$firewall_zone = '';
|
$firewall_zone = '';
|
||||||
|
$num = 0;
|
||||||
|
|
||||||
@interfaces = ();
|
@interfaces = ();
|
||||||
%interfaces = ();
|
%interfaces = ();
|
||||||
@bport_zones = ();
|
@bport_zones = ();
|
||||||
%ipsets = ();
|
%ipsets = ();
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
|
||||||
|
arp_ignore => ENUM_IF_OPTION,
|
||||||
|
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
bridge => SIMPLE_IF_OPTION,
|
||||||
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
logmartians => BINARY_IF_OPTION,
|
||||||
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
|
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
optional => SIMPLE_IF_OPTION,
|
||||||
|
proxyarp => BINARY_IF_OPTION,
|
||||||
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
||||||
|
routefilter => BINARY_IF_OPTION ,
|
||||||
|
sourceroute => BINARY_IF_OPTION,
|
||||||
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
upnp => SIMPLE_IF_OPTION,
|
||||||
|
mss => NUMERIC_IF_OPTION,
|
||||||
|
);
|
||||||
|
%validhostoptions = (
|
||||||
|
blacklist => 1,
|
||||||
|
maclist => 1,
|
||||||
|
norfc1918 => 1,
|
||||||
|
nosmurfs => 1,
|
||||||
|
routeback => 1,
|
||||||
|
tcpflags => 1,
|
||||||
|
broadcast => 1,
|
||||||
|
destonly => 1,
|
||||||
|
sourceonly => 1,
|
||||||
|
);
|
||||||
|
} else {
|
||||||
|
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
bridge => SIMPLE_IF_OPTION,
|
||||||
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
|
nosmurfs => SIMPLE_IF_OPTION,
|
||||||
|
optional => SIMPLE_IF_OPTION,
|
||||||
|
proxyndp => BINARY_IF_OPTION,
|
||||||
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
||||||
|
sourceroute => BINARY_IF_OPTION,
|
||||||
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
|
mss => NUMERIC_IF_OPTION,
|
||||||
|
forward => NUMERIC_IF_OPTION,
|
||||||
|
);
|
||||||
|
%validhostoptions = (
|
||||||
|
blacklist => 1,
|
||||||
|
maclist => 1,
|
||||||
|
routeback => 1,
|
||||||
|
tcpflags => 1,
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
INIT {
|
INIT {
|
||||||
@ -250,19 +325,10 @@ sub parse_zone_option_list($$)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Parse the zones file.
|
# Process a record in the zones file
|
||||||
#
|
#
|
||||||
sub determine_zones()
|
sub process_zone( \$ ) {
|
||||||
{
|
my $ip = $_[0];
|
||||||
my @z;
|
|
||||||
|
|
||||||
my $ip = 0;
|
|
||||||
|
|
||||||
my $fn = open_file 'zones';
|
|
||||||
|
|
||||||
first_entry "$doing $fn...";
|
|
||||||
|
|
||||||
while ( read_a_line ) {
|
|
||||||
|
|
||||||
my @parents;
|
my @parents;
|
||||||
|
|
||||||
@ -287,11 +353,11 @@ sub determine_zones()
|
|||||||
if ( $type =~ /ipv4/i ) {
|
if ( $type =~ /ipv4/i ) {
|
||||||
fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
|
fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
|
||||||
$type = IP;
|
$type = IP;
|
||||||
$ip = 1;
|
$$ip = 1;
|
||||||
} elsif ( $type =~ /ipv6/i ) {
|
} elsif ( $type =~ /ipv6/i ) {
|
||||||
fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
|
fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
|
||||||
$type = IP;
|
$type = IP;
|
||||||
$ip = 1;
|
$$ip = 1;
|
||||||
} elsif ( $type =~ /^ipsec([46])?$/i ) {
|
} elsif ( $type =~ /^ipsec([46])?$/i ) {
|
||||||
fatal_error "Invalid zone type ($type)" if $1 && (($1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ));
|
fatal_error "Invalid zone type ($type)" if $1 && (($1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ));
|
||||||
$type = IPSEC;
|
$type = IPSEC;
|
||||||
@ -308,7 +374,7 @@ sub determine_zones()
|
|||||||
$type = FIREWALL;
|
$type = FIREWALL;
|
||||||
} elsif ( $type eq '-' ) {
|
} elsif ( $type eq '-' ) {
|
||||||
$type = IP;
|
$type = IP;
|
||||||
$ip = 1;
|
$$ip = 1;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid zone type ($type)" ;
|
fatal_error "Invalid zone type ($type)" ;
|
||||||
}
|
}
|
||||||
@ -329,9 +395,23 @@ sub determine_zones()
|
|||||||
children => [] ,
|
children => [] ,
|
||||||
hosts => {}
|
hosts => {}
|
||||||
};
|
};
|
||||||
push @z, $zone;
|
|
||||||
|
|
||||||
}
|
return $zone;
|
||||||
|
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Parse the zones file.
|
||||||
|
#
|
||||||
|
sub determine_zones()
|
||||||
|
{
|
||||||
|
my @z;
|
||||||
|
my $ip = 0;
|
||||||
|
|
||||||
|
my $fn = open_file 'zones';
|
||||||
|
|
||||||
|
first_entry "$doing $fn...";
|
||||||
|
|
||||||
|
push @z, process_zone( $ip ) while read_a_line;
|
||||||
|
|
||||||
fatal_error "No firewall zone defined" unless $firewall_zone;
|
fatal_error "No firewall zone defined" unless $firewall_zone;
|
||||||
fatal_error "No IP zones defined" unless $ip;
|
fatal_error "No IP zones defined" unless $ip;
|
||||||
@ -599,81 +679,10 @@ sub firewall_zone() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Parse the interfaces file.
|
# Process a record in the interfaces file
|
||||||
#
|
#
|
||||||
|
sub process_interface() {
|
||||||
sub validate_interfaces_file( $ )
|
|
||||||
{
|
|
||||||
my $export = shift;
|
|
||||||
my $num = 0;
|
|
||||||
|
|
||||||
use constant { SIMPLE_IF_OPTION => 1,
|
|
||||||
BINARY_IF_OPTION => 2,
|
|
||||||
ENUM_IF_OPTION => 3,
|
|
||||||
NUMERIC_IF_OPTION => 4,
|
|
||||||
OBSOLETE_IF_OPTION => 5,
|
|
||||||
IPLIST_IF_OPTION => 6,
|
|
||||||
MASK_IF_OPTION => 7,
|
|
||||||
|
|
||||||
IF_OPTION_ZONEONLY => 8,
|
|
||||||
IF_OPTION_HOST => 16,
|
|
||||||
};
|
|
||||||
|
|
||||||
my %validoptions;
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
%validoptions = (arp_filter => BINARY_IF_OPTION,
|
|
||||||
arp_ignore => ENUM_IF_OPTION,
|
|
||||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
bridge => SIMPLE_IF_OPTION,
|
|
||||||
detectnets => OBSOLETE_IF_OPTION,
|
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
logmartians => BINARY_IF_OPTION,
|
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
|
||||||
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
optional => SIMPLE_IF_OPTION,
|
|
||||||
proxyarp => BINARY_IF_OPTION,
|
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
|
||||||
routefilter => BINARY_IF_OPTION ,
|
|
||||||
sourceroute => BINARY_IF_OPTION,
|
|
||||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
upnp => SIMPLE_IF_OPTION,
|
|
||||||
mss => NUMERIC_IF_OPTION,
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
bridge => SIMPLE_IF_OPTION,
|
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
|
||||||
nosmurfs => SIMPLE_IF_OPTION,
|
|
||||||
optional => SIMPLE_IF_OPTION,
|
|
||||||
proxyndp => BINARY_IF_OPTION,
|
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
|
||||||
sourceroute => BINARY_IF_OPTION,
|
|
||||||
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
|
||||||
mss => NUMERIC_IF_OPTION,
|
|
||||||
forward => NUMERIC_IF_OPTION,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
my $fn = open_file 'interfaces';
|
|
||||||
|
|
||||||
my $first_entry = 1;
|
|
||||||
|
|
||||||
my @ifaces;
|
|
||||||
|
|
||||||
while ( read_a_line ) {
|
|
||||||
|
|
||||||
my $nets;
|
my $nets;
|
||||||
|
|
||||||
if ( $first_entry ) {
|
|
||||||
progress_message2 "$doing $fn...";
|
|
||||||
$first_entry = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
|
my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
|
||||||
my $zoneref;
|
my $zoneref;
|
||||||
my $bridge = '';
|
my $bridge = '';
|
||||||
@ -763,7 +772,7 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
( $option, my $value ) = split /=/, $option;
|
( $option, my $value ) = split /=/, $option;
|
||||||
|
|
||||||
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
|
fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
|
||||||
|
|
||||||
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
||||||
|
|
||||||
@ -854,8 +863,6 @@ sub validate_interfaces_file( $ )
|
|||||||
broadcasts => $broadcasts ,
|
broadcasts => $broadcasts ,
|
||||||
options => \%options };
|
options => \%options };
|
||||||
|
|
||||||
push @ifaces, $interface;
|
|
||||||
|
|
||||||
$nets = [ allip ] unless $nets;
|
$nets = [ allip ] unless $nets;
|
||||||
|
|
||||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
|
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
|
||||||
@ -864,7 +871,22 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
progress_message " Interface \"$currentline\" Validated";
|
progress_message " Interface \"$currentline\" Validated";
|
||||||
|
|
||||||
}
|
return $interface;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Parse the interfaces file.
|
||||||
|
#
|
||||||
|
sub validate_interfaces_file( $ ) {
|
||||||
|
my $export = shift;
|
||||||
|
|
||||||
|
my $fn = open_file 'interfaces';
|
||||||
|
|
||||||
|
my @ifaces;
|
||||||
|
|
||||||
|
first_entry "$doing $fn...";
|
||||||
|
|
||||||
|
push @ifaces, process_interface while read_a_line;
|
||||||
|
|
||||||
#
|
#
|
||||||
# We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
|
# We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
|
||||||
@ -1018,45 +1040,10 @@ sub set_interface_option( $$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Validates the hosts file. Generates entries in %zone{..}{hosts}
|
# Process a record in the hosts file
|
||||||
#
|
#
|
||||||
sub validate_hosts_file()
|
sub process_host( ) {
|
||||||
{
|
|
||||||
my %validoptions;
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
%validoptions = (
|
|
||||||
blacklist => 1,
|
|
||||||
maclist => 1,
|
|
||||||
norfc1918 => 1,
|
|
||||||
nosmurfs => 1,
|
|
||||||
routeback => 1,
|
|
||||||
tcpflags => 1,
|
|
||||||
broadcast => 1,
|
|
||||||
destonly => 1,
|
|
||||||
sourceonly => 1,
|
|
||||||
);
|
|
||||||
} else {
|
|
||||||
%validoptions = (
|
|
||||||
blacklist => 1,
|
|
||||||
maclist => 1,
|
|
||||||
routeback => 1,
|
|
||||||
tcpflags => 1,
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
my $ipsec = 0;
|
my $ipsec = 0;
|
||||||
my $first_entry = 1;
|
|
||||||
|
|
||||||
my $fn = open_file 'hosts';
|
|
||||||
|
|
||||||
while ( read_a_line ) {
|
|
||||||
|
|
||||||
if ( $first_entry ) {
|
|
||||||
progress_message2 "$doing $fn...";
|
|
||||||
$first_entry = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
|
my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
|
||||||
|
|
||||||
my $zoneref = $zones{$zone};
|
my $zoneref = $zones{$zone};
|
||||||
@ -1102,13 +1089,12 @@ sub validate_hosts_file()
|
|||||||
my @options = split_list $options, 'option';
|
my @options = split_list $options, 'option';
|
||||||
my %options = ( dynamic => 0 );
|
my %options = ( dynamic => 0 );
|
||||||
|
|
||||||
for my $option ( @options )
|
for my $option ( @options ) {
|
||||||
{
|
|
||||||
if ( $option eq 'ipsec' ) {
|
if ( $option eq 'ipsec' ) {
|
||||||
$type = IPSEC;
|
$type = IPSEC;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{options}{complex} = 1;
|
||||||
$ipsec = 1;
|
$ipsec = 1;
|
||||||
} elsif ( $validoptions{$option}) {
|
} elsif ( $validhostoptions{$option}) {
|
||||||
$options{$option} = 1;
|
$options{$option} = 1;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid option ($option)";
|
fatal_error "Invalid option ($option)";
|
||||||
@ -1144,7 +1130,22 @@ sub validate_hosts_file()
|
|||||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
|
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
|
||||||
|
|
||||||
progress_message " Host \"$currentline\" validated";
|
progress_message " Host \"$currentline\" validated";
|
||||||
}
|
|
||||||
|
return $ipsec;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Validates the hosts file. Generates entries in %zone{..}{hosts}
|
||||||
|
#
|
||||||
|
sub validate_hosts_file()
|
||||||
|
{
|
||||||
|
my $ipsec = 0;
|
||||||
|
|
||||||
|
my $fn = open_file 'hosts';
|
||||||
|
|
||||||
|
first_entry "doing $fn...";
|
||||||
|
|
||||||
|
$ipsec |= process_host while read_a_line;
|
||||||
|
|
||||||
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
|
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user