extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-03-06 18:41:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Next IPv6 Installment

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8940 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-07 22:44:29 +00:00
parent 692e83c1c8
commit 64fd8cd1f3
3 changed files with 168 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-perl/Shorewall/Chains.pm
View File

@ -690,13 +690,13 @@ sub use_input_chain($) {
# #
# Interface associated with a single zone -- use the zone's input chain if it has one # Interface associated with a single zone -- use the zone's input chain if it has one
# #
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone4}}; my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
return 0 if $chainref; return 0 if $chainref;
# #
# Use the '<zone>2fw' chain if it is referenced. # Use the '<zone>2fw' chain if it is referenced.
# #
$chainref = $filter_table->{join( '' , $interfaceref->{zone4} , '2' , firewall_zone )}; $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
@ -734,13 +734,13 @@ sub use_output_chain($) {
# #
# Interface associated with a single zone -- use the zone's output chain if it has one # Interface associated with a single zone -- use the zone's output chain if it has one
# #
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone4}}; my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
return 0 if $chainref; return 0 if $chainref;
# #
# Use the 'fw2<zone>' chain if it is referenced. # Use the 'fw2<zone>' chain if it is referenced.
# #
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone4} )}; $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }

8
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -797,13 +797,15 @@ sub compiler {
# #
determine_zones; determine_zones;
# #
# Process the interfaces file. # Process the interfaces file(s).
# #
validate_interfaces_file ( $export ); validate_interfaces_file ( 'interfaces', $export );
# #
# Process the hosts file. # Process the hosts file.
# #
validate_hosts_file; my $ipsec = validate_hosts_file( 'hosts' );
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
# #
# Report zone contents # Report zone contents
# #

192
Shorewall-perl/Shorewall/Zones.pm
View File

@ -47,6 +47,7 @@ our @EXPORT = qw( NOTHING
all_zones all_zones
complex_zones complex_zones
non_firewall_zones non_firewall_zones
haveipseczones
single_interface single_interface
validate_interfaces_file validate_interfaces_file
all_interfaces all_interfaces
@ -93,6 +94,7 @@ use constant { NOTHING => 'NOTHING',
# children => [ <children> ] # children => [ <children> ]
# interfaces => [ <interfaces> ] # interfaces => [ <interfaces> ]
# bridge => <bridge> # bridge => <bridge>
# family => 1 = IPv4, 2 = IPv6, 3 = firewall
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none' # hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
# options => { <option1> => <value1> # options => { <option1> => <value1>
# ... # ...
@ -127,7 +129,7 @@ our %reservedName = ( all => 1,
# options => { <option1> = <val1> , # options => { <option1> = <val1> ,
# ... # ...
# } # }
# zone4 => <zone name> # zone => <zone name>
# nets => <number of nets in interface/hosts records referring to this interface> # nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge> # bridge => <bridge>
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@ -135,9 +137,32 @@ our %reservedName = ( all => 1,
# } # }
# } # }
# #
our @interfaces; our @interfaces4;
our %interfaces; our %interfaces4;
our @bport_zones; our @bport_zones4;
our @interfaces6;
our %interfaces6;
our @bport_zones6;
our $interface_list;
our $interface_table;
our $bport_zones;
our $zone_family;
sub use_ipv4_interfaces() {
$interface_list = \@interfaces4;
$interface_table = \%interfaces4;
$bport_zones = \@bport_zones4;
$zone_family = F_INET;
}
sub use_ipv6_interfaces() {
$interface_list = \@interfaces6;
$interface_table = \%interfaces6;
$bport_zones = \@bport_zones6;
$zone_family = F_INET6;
}
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
@ -153,9 +178,15 @@ sub initialize() {
%zones = (); %zones = ();
$firewall_zone = ''; $firewall_zone = '';
@interfaces = (); @interfaces4 = ();
%interfaces = (); %interfaces4 = ();
@bport_zones = (); @bport_zones4 = ();
@interfaces6 = ();
%interfaces6 = ();
@bport_zones6 = ();
use_ipv4_interfaces;
} }
INIT { INIT {
@ -240,6 +271,7 @@ sub determine_zones()
my @z; my @z;
my $ipv4 = 0; my $ipv4 = 0;
my $ipv6 = 0;
my $fn = open_file 'zones'; my $fn = open_file 'zones';
@ -269,21 +301,36 @@ sub determine_zones()
$type = "ipv4" unless $type; $type = "ipv4" unless $type;
my $family = F_INET;
if ( $type =~ /ipv4/i ) { if ( $type =~ /ipv4/i ) {
$type = 'ipv4'; $type = 'ipv4';
$ipv4 = 1; $ipv4 = 1;
} elsif ( $type =~ /ipv6/i ) {
$type = 'ipv6';
$ipv6 = 1;
$family = F_INET6;
} elsif ( $type =~ /^ipsec4?$/i ) { } elsif ( $type =~ /^ipsec4?$/i ) {
$type = 'ipsec4'; $type = 'ipsec4';
} elsif ( $type =~ /^ipsec6$/i ) {
$type = 'ipsec6';
$family = F_INET6;
} elsif ( $type =~ /^bport4?$/i ) { } elsif ( $type =~ /^bport4?$/i ) {
warning_message "Bridge Port zones should have a parent zone" unless @parents; warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport4'; $type = 'bport4';
push @bport_zones, $zone; push @bport_zones4, $zone;
} elsif ( $type =~ /^bport6$/i ) {
warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport6';
$family = F_INET6;
push @bport_zones6, $zone;
} elsif ( $type eq 'firewall' ) { } elsif ( $type eq 'firewall' ) {
fatal_error 'Firewall zone may not be nested' if @parents; fatal_error 'Firewall zone may not be nested' if @parents;
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone; fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
$firewall_zone = $zone; $firewall_zone = $zone;
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = "firewall"; $type = "firewall";
$family = F_INET | F_INET6;
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = 'ipv4'; $type = 'ipv4';
$ipv4 = 1; $ipv4 = 1;
@ -291,6 +338,10 @@ sub determine_zones()
fatal_error "Invalid zone type ($type)" ; fatal_error "Invalid zone type ($type)" ;
} }
for ( @parents ) {
fatal_error "Incompatible Parent/Child Zones Types ($_)" unless $zones{$_}{family} == $family
}
for ( $options, $in_options, $out_options ) { for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-'; $_ = '' if $_ eq '-';
} }
@ -299,10 +350,11 @@ sub determine_zones()
parents => \@parents, parents => \@parents,
exclusions => [], exclusions => [],
bridge => '', bridge => '',
family => $family,
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) , complex => ($type =~ /^ipsec/ || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } , nested => @parents > 0 } ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
@ -312,7 +364,7 @@ sub determine_zones()
} }
fatal_error "No firewall zone defined" unless $firewall_zone; fatal_error "No firewall zone defined" unless $firewall_zone;
fatal_error "No IPv4 zones defined" unless $ipv4; fatal_error "No IPv4 or IPv6 zones defined" unless $ipv4 || $ipv6;
my %ordered; my %ordered;
@ -340,7 +392,7 @@ sub determine_zones()
# #
sub haveipseczones() { sub haveipseczones() {
for my $zoneref ( values %zones ) { for my $zoneref ( values %zones ) {
return 1 if $zoneref->{type} eq 'ipsec4'; return 1 if $zoneref->{type} =~ /^ipsec/;
} }
0; 0;
@ -384,7 +436,7 @@ sub zone_report()
} }
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport4' && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type =~ /^bport*/ && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall';
} }
@ -402,7 +454,7 @@ sub dump_zone_contents()
my $exclusions = $zoneref->{exclusions}; my $exclusions = $zoneref->{exclusions};
my $entry = "$zone $type"; my $entry = "$zone $type";
$entry .= ":$zoneref->{bridge}" if $type eq 'bport4'; $entry .= ":$zoneref->{bridge}" if $type =~ /^bport/;
if ( $hostref ) { if ( $hostref ) {
for my $type ( sort keys %$hostref ) { for my $type ( sort keys %$hostref ) {
@ -455,7 +507,7 @@ sub add_group_to_zone($$$$$)
my $arrayref; my $arrayref;
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type}; my $zonetype = $zoneref->{type};
my $ifacezone = $interfaces{$interface}{zone4}; my $ifacezone = $interface_table->{$interface}{zone};
$zoneref->{interfaces}{$interface} = 1; $zoneref->{interfaces}{$interface} = 1;
@ -467,7 +519,7 @@ sub add_group_to_zone($$$$$)
$ifacezone = '' unless defined $ifacezone; $ifacezone = '' unless defined $ifacezone;
for my $host ( @$networks ) { for my $host ( @$networks ) {
$interfaces{$interface}{nets}++; $interface_table->{$interface}{nets}++;
fatal_error "Invalid Host List" unless defined $host and $host ne ''; fatal_error "Invalid Host List" unless defined $host and $host ne '';
@ -519,6 +571,7 @@ sub find_zone( $ ) {
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
fatal_error "Unknown zone ($zone)" unless $zoneref; fatal_error "Unknown zone ($zone)" unless $zoneref;
fatal_error "Zone has wrong address family" unless $zoneref->{family} & $zone_family;
$zoneref; $zoneref;
} }
@ -528,19 +581,21 @@ sub zone_type( $ ) {
} }
sub defined_zone( $ ) { sub defined_zone( $ ) {
$zones{$_[0]}; my $zoneref = $zones{$_[0]};
$zoneref && $zoneref->{family} & $zone_family ? $zoneref : undef;
} }
sub all_zones() { sub all_zones() {
@zones; grep ( $zones{$_}{family} & $zone_family , @zones );
} }
sub non_firewall_zones() { sub non_firewall_zones() {
grep ( $zones{$_}{type} ne 'firewall' , @zones ); grep ( $zones{$_}{type} ne 'firewall' , all_zones() );
} }
sub complex_zones() { sub complex_zones() {
grep( $zones{$_}{options}{complex} , @zones ); grep( $zones{$_}{options}{complex} , all_zones() );
} }
sub firewall_zone() { sub firewall_zone() {
@ -551,9 +606,9 @@ sub firewall_zone() {
# Parse the interfaces file. # Parse the interfaces file.
# #
sub validate_interfaces_file( $ ) sub validate_interfaces_file( $$ )
{ {
my $export = shift; my ( $filename, $export ) = @_;
my $num = 0; my $num = 0;
use constant { SIMPLE_IF_OPTION => 1, use constant { SIMPLE_IF_OPTION => 1,
@ -565,7 +620,7 @@ sub validate_interfaces_file( $ )
IF_OPTION_ZONEONLY => 8 }; IF_OPTION_ZONEONLY => 8 };
my %validoptions = (arp_filter => BINARY_IF_OPTION, my %validoptions = $zone_family == F_INET ? (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION, arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION, blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
@ -583,9 +638,20 @@ sub validate_interfaces_file( $ )
tcpflags => SIMPLE_IF_OPTION, tcpflags => SIMPLE_IF_OPTION,
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,
) :
(blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION,
); );
my $fn = open_file 'interfaces'; my $fn = open_file $filename;
my $first_entry = 1; my $first_entry = 1;
@ -608,6 +674,7 @@ sub validate_interfaces_file( $ )
$zoneref = $zones{$zone}; $zoneref = $zones{$zone};
fatal_error "Unknown zone ($zone)" unless $zoneref; fatal_error "Unknown zone ($zone)" unless $zoneref;
fatal_error "Zone $zone has wrong address family" unless $zoneref->{family} == $zone_family;
fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall'; fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall';
} }
@ -622,9 +689,9 @@ sub validate_interfaces_file( $ )
fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "Duplicate Interface ($port)" if $interface_table->{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; fatal_error "$interface is not a defined bridge" unless $interface_table->{$interface} && $interface_table->{$interface}{options}{bridge};
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4'; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! $zoneref->{type} =~ /^bport/;
if ( $zone ) { if ( $zone ) {
if ( $zoneref->{bridge} ) { if ( $zoneref->{bridge} ) {
@ -643,8 +710,8 @@ sub validate_interfaces_file( $ )
$bridge = $interface; $bridge = $interface;
$interface = $port; $interface = $port;
} else { } else {
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; fatal_error "Duplicate Interface ($interface)" if $interface_table->{$interface};
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} =~ /^bport/;
$bridge = $interface; $bridge = $interface;
} }
@ -661,6 +728,7 @@ sub validate_interfaces_file( $ )
my $broadcasts; my $broadcasts;
unless ( $networks eq '' || $networks eq 'detect' ) { unless ( $networks eq '' || $networks eq 'detect' ) {
fatal_error "BROADCAST may not be specified for IPv6 Interfaces" if $zone_family == F_INET6;
my @broadcasts = split $networks, 'address'; my @broadcasts = split $networks, 'address';
for my $address ( @broadcasts ) { for my $address ( @broadcasts ) {
@ -736,7 +804,7 @@ sub validate_interfaces_file( $ )
$optionsref = \%options; $optionsref = \%options;
$interfaces{$interface} = { name => $interface , $interface_table->{$interface} = { name => $interface ,
bridge => $bridge , bridge => $bridge ,
nets => 0 , nets => 0 ,
number => ++$num , number => ++$num ,
@ -750,7 +818,7 @@ sub validate_interfaces_file( $ )
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
$interfaces{$interface}{zone4} = $zone; #Must follow the call to add_group_to_zone() $interface_table->{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$currentline\" Validated"; progress_message " Interface \"$currentline\" Validated";
@ -760,24 +828,24 @@ sub validate_interfaces_file( $ )
# We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
# #
for my $interface ( @ifaces ) { for my $interface ( @ifaces ) {
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interface_table->{$interface};
if ( $interfaceref->{options}{bridge} ) { if ( $interfaceref->{options}{bridge} ) {
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces; my @ports = grep $interface_table->{$_}{options}{port} && $interface_table->{$_}{bridge} eq $interface, @ifaces;
if ( @ports ) { if ( @ports ) {
push @interfaces, @ports; push @{$interface_list}, @ports;
} else { } else {
$interfaceref->{options}{routeback} = 1; #so the bridge will work properly $interfaceref->{options}{routeback} = 1; #so the bridge will work properly
} }
} }
push @interfaces, $interface unless $interfaceref->{options}{port}; push @{$interface_list}, $interface unless $interfaceref->{options}{port};
} }
# #
# Be sure that we have at least one interface # Be sure that we have at least one interface
# #
fatal_error "No network interfaces defined" unless @interfaces; fatal_error "No network interfaces defined" unless @{$interface_list};
} }
# #
@ -788,19 +856,19 @@ sub validate_interfaces_file( $ )
sub known_interface($) sub known_interface($)
{ {
my $interface = $_[0]; my $interface = $_[0];
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interface_table->{$interface};
return $interfaceref if $interfaceref; return $interfaceref if $interfaceref;
for my $i ( @interfaces ) { for my $i ( @{$interface_list} ) {
$interfaceref = $interfaces{$i}; $interfaceref = $interface_table->{$i};
my $val = $interfaceref->{root}; my $val = $interfaceref->{root};
next if $val eq $i; next if $val eq $i;
if ( substr( $interface, 0, length $val ) eq $val ) { if ( substr( $interface, 0, length $val ) eq $val ) {
# #
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces. # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
# #
return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} }; return $interface_table->{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
} }
} }
@ -811,14 +879,14 @@ sub known_interface($)
# Return interface number # Return interface number
# #
sub interface_number( $ ) { sub interface_number( $ ) {
$interfaces{$_[0]}{number} || 256; $interface_table->{$_[0]}{number} || 256;
} }
# #
# Return the interfaces list # Return the interfaces list
# #
sub all_interfaces() { sub all_interfaces() {
@interfaces; @{$interface_list};
} }
# #
@ -826,7 +894,7 @@ sub all_interfaces() {
# #
sub find_interface( $ ) { sub find_interface( $ ) {
my $interface = $_[0]; my $interface = $_[0];
my $interfaceref = $interfaces{ $interface }; my $interfaceref = $interface_table->{ $interface };
fatal_error "Unknown Interface ($interface)" unless $interfaceref; fatal_error "Unknown Interface ($interface)" unless $interfaceref;
@ -837,7 +905,7 @@ sub find_interface( $ ) {
# Returns true if there are bridge port zones defined in the config # Returns true if there are bridge port zones defined in the config
# #
sub have_bridges() { sub have_bridges() {
@bport_zones > 0; @{$bport_zones} > 0;
} }
# #
@ -845,7 +913,7 @@ sub have_bridges() {
# return '' # return ''
# #
sub port_to_bridge( $ ) { sub port_to_bridge( $ ) {
my $portref = $interfaces{$_[0]}; my $portref = $interface_table->{$_[0]};
return $portref && $portref->{options}{port} ? $portref->{bridge} : ''; return $portref && $portref->{options}{port} ? $portref->{bridge} : '';
} }
@ -853,7 +921,7 @@ sub port_to_bridge( $ ) {
# Return the bridge associated with the passed interface. # Return the bridge associated with the passed interface.
# #
sub source_port_to_bridge( $ ) { sub source_port_to_bridge( $ ) {
my $portref = $interfaces{$_[0]}; my $portref = $interface_table->{$_[0]};
return $portref ? $portref->{bridge} : ''; return $portref ? $portref->{bridge} : '';
} }
@ -861,7 +929,7 @@ sub source_port_to_bridge( $ ) {
# Return the 'optional' setting of the passed interface # Return the 'optional' setting of the passed interface
# #
sub interface_is_optional($) { sub interface_is_optional($) {
my $optionsref = $interfaces{$_[0]}{options}; my $optionsref = $interface_table->{$_[0]}{options};
$optionsref && $optionsref->{optional}; $optionsref && $optionsref->{optional};
} }
@ -872,8 +940,8 @@ sub find_interfaces_by_option( $ ) {
my $option = $_[0]; my $option = $_[0];
my @ints = (); my @ints = ();
for my $interface ( @interfaces ) { for my $interface ( @{$interface_list} ) {
my $optionsref = $interfaces{$interface}{options}; my $optionsref = $interface_table->{$interface}{options};
if ( $optionsref && defined $optionsref->{$option} ) { if ( $optionsref && defined $optionsref->{$option} ) {
push @ints , $interface push @ints , $interface
} }
@ -888,7 +956,7 @@ sub find_interfaces_by_option( $ ) {
sub get_interface_option( $$ ) { sub get_interface_option( $$ ) {
my ( $interface, $option ) = @_; my ( $interface, $option ) = @_;
$interfaces{$interface}{options}{$option}; $interface_table->{$interface}{options}{$option};
} }
# #
@ -897,14 +965,16 @@ sub get_interface_option( $$ ) {
sub set_interface_option( $$$ ) { sub set_interface_option( $$$ ) {
my ( $interface, $option, $value ) = @_; my ( $interface, $option, $value ) = @_;
$interfaces{$interface}{options}{$option} = $value; $interface_table->{$interface}{options}{$option} = $value;
} }
# #
# Validates the hosts file. Generates entries in %zone{..}{hosts} # Validates the hosts file. Generates entries in %zone{..}{hosts}
# #
sub validate_hosts_file() sub validate_hosts_file( $ )
{ {
my $filename = shift;
my %validoptions = ( my %validoptions = (
blacklist => 1, blacklist => 1,
maclist => 1, maclist => 1,
@ -921,7 +991,7 @@ sub validate_hosts_file()
my $ipsec = 0; my $ipsec = 0;
my $first_entry = 1; my $first_entry = 1;
my $fn = open_file 'hosts'; my $fn = open_file $filename;
while ( read_a_line ) { while ( read_a_line ) {
@ -944,16 +1014,16 @@ sub validate_hosts_file()
$interface = $1; $interface = $1;
$hosts = $2; $hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; fatal_error "Unknown interface ($interface)" unless $interface_table->{$interface}{root};
} else { } else {
fatal_error "Invalid HOST(S) column contents: $hosts"; fatal_error "Invalid HOST(S) column contents: $hosts";
} }
if ( $type eq 'bport4' ) { if ( $type =~ /^bport/ ) {
if ( $zoneref->{bridge} eq '' ) { if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interface_table->{$interface}{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge}; $zoneref->{bridge} = $interface_table->{$interface}{bridge};
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { } elsif ( $zoneref->{bridge} ne $interface_table->{$interface}{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
} }
} }
@ -1000,7 +1070,7 @@ sub validate_hosts_file()
progress_message " Host \"$currentline\" validated"; progress_message " Host \"$currentline\" validated";
} }
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones; return $ipsec;
} }
# #
@ -1011,7 +1081,7 @@ sub find_hosts_by_option( $ ) {
my $option = $_[0]; my $option = $_[0];
my @hosts; my @hosts;
for my $zone ( grep $zones{$_}{type} ne 'firewall' , @zones ) { for my $zone ( non_firewall_zones() ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
for my $host ( @{$arrayref} ) { for my $host ( @{$arrayref} ) {
@ -1025,8 +1095,8 @@ sub find_hosts_by_option( $ ) {
} }
} }
for my $interface ( @interfaces ) { for my $interface ( @{$interface_list} ) {
if ( ! $interfaces{$interface}{zone4} && $interfaces{$interface}{options}{$option} ) { if ( ! $interface_table->{$interface}{zone} && $interface_table->{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIP ]; push @hosts, [ $interface, 'none', ALLIP ];
} }
} }