extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-24 05:30:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Some early code cleanup

Browse Source
This commit is contained in:
Tom Eastep 2009-05-05 15:43:38 -07:00
parent 11962560fe
commit 404a7250b0
1 changed files with 447 additions and 446 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

271
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -154,6 +154,25 @@ use constant { FIREWALL => 1,
BPORT => 3,
IPSEC => 4 };
use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2,
ENUM_IF_OPTION => 3,
NUMERIC_IF_OPTION => 4,
OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16,
};
our %validinterfaceoptions;
our %validhostoptions;
our $num;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
@ -169,11 +188,67 @@ sub initialize( $ ) {
@zones = ();
%zones = ();
$firewall_zone = '';
$num = 0;
@interfaces = ();
%interfaces = ();
@bport_zones = ();
%ipsets = ();
if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
routefilter => BINARY_IF_OPTION ,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
);
%validhostoptions = (
blacklist => 1,
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
} else {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION,
forward => NUMERIC_IF_OPTION,
);
%validhostoptions = (
blacklist => 1,
maclist => 1,
routeback => 1,
tcpflags => 1,
);
}
}
INIT {
@ -250,19 +325,10 @@ sub parse_zone_option_list($$)
}
#
# Parse the zones file.
# Process a record in the zones file
#
sub determine_zones()
{
my @z;
my $ip = 0;
my $fn = open_file 'zones';
first_entry "$doing $fn...";
while ( read_a_line ) {
sub process_zone( \$ ) {
my $ip = $_[0];
my @parents;
@ -287,11 +353,11 @@ sub determine_zones()
if ( $type =~ /ipv4/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
$type = IP;
$ip = 1;
$$ip = 1;
} elsif ( $type =~ /ipv6/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
$type = IP;
$ip = 1;
$$ip = 1;
} elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && (($1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ));
$type = IPSEC;
@ -308,7 +374,7 @@ sub determine_zones()
$type = FIREWALL;
} elsif ( $type eq '-' ) {
$type = IP;
$ip = 1;
$$ip = 1;
} else {
fatal_error "Invalid zone type ($type)" ;
}
@ -329,9 +395,23 @@ sub determine_zones()
children => [] ,
hosts => {}
};
push @z, $zone;
}
return $zone;
}
#
# Parse the zones file.
#
sub determine_zones()
{
my @z;
my $ip = 0;
my $fn = open_file 'zones';
first_entry "$doing $fn...";
push @z, process_zone( $ip ) while read_a_line;
fatal_error "No firewall zone defined" unless $firewall_zone;
fatal_error "No IP zones defined" unless $ip;
@ -599,81 +679,10 @@ sub firewall_zone() {
}
#
# Parse the interfaces file.
# Process a record in the interfaces file
#
sub validate_interfaces_file( $ )
{
my $export = shift;
my $num = 0;
use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2,
ENUM_IF_OPTION => 3,
NUMERIC_IF_OPTION => 4,
OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16,
};
my %validoptions;
if ( $family == F_IPV4 ) {
%validoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
routefilter => BINARY_IF_OPTION ,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
);
} else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION,
forward => NUMERIC_IF_OPTION,
);
}
my $fn = open_file 'interfaces';
my $first_entry = 1;
my @ifaces;
while ( read_a_line ) {
sub process_interface() {
my $nets;
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
my $zoneref;
my $bridge = '';
@ -763,7 +772,7 @@ sub validate_interfaces_file( $ )
( $option, my $value ) = split /=/, $option;
fatal_error "Invalid Interface option ($option)" unless my $type = $validoptions{$option};
fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
@ -854,8 +863,6 @@ sub validate_interfaces_file( $ )
broadcasts => $broadcasts ,
options => \%options };
push @ifaces, $interface;
$nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
@ -864,7 +871,22 @@ sub validate_interfaces_file( $ )
progress_message " Interface \"$currentline\" Validated";
}
return $interface;
}
#
# Parse the interfaces file.
#
sub validate_interfaces_file( $ ) {
my $export = shift;
my $fn = open_file 'interfaces';
my @ifaces;
first_entry "$doing $fn...";
push @ifaces, process_interface while read_a_line;
#
# We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@ -1018,45 +1040,10 @@ sub set_interface_option( $$$ ) {
}
#
# Validates the hosts file. Generates entries in %zone{..}{hosts}
# Process a record in the hosts file
#
sub validate_hosts_file()
{
my %validoptions;
if ( $family == F_IPV4 ) {
%validoptions = (
blacklist => 1,
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
broadcast => 1,
destonly => 1,
sourceonly => 1,
);
} else {
%validoptions = (
blacklist => 1,
maclist => 1,
routeback => 1,
tcpflags => 1,
);
}
sub process_host( ) {
my $ipsec = 0;
my $first_entry = 1;
my $fn = open_file 'hosts';
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
my $zoneref = $zones{$zone};
@ -1102,13 +1089,12 @@ sub validate_hosts_file()
my @options = split_list $options, 'option';
my %options = ( dynamic => 0 );
for my $option ( @options )
{
for my $option ( @options ) {
if ( $option eq 'ipsec' ) {
$type = IPSEC;
$zoneref->{options}{complex} = 1;
$ipsec = 1;
} elsif ( $validoptions{$option}) {
} elsif ( $validhostoptions{$option}) {
$options{$option} = 1;
} else {
fatal_error "Invalid option ($option)";
@ -1144,7 +1130,22 @@ sub validate_hosts_file()
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
progress_message " Host \"$currentline\" validated";
}
return $ipsec;
}
#
# Validates the hosts file. Generates entries in %zone{..}{hosts}
#
sub validate_hosts_file()
{
my $ipsec = 0;
my $fn = open_file 'hosts';
first_entry "doing $fn...";
$ipsec |= process_host while read_a_line;
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
}