Bypass processing logic when an optional config file is absent.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-28 10:48:44 -07:00
parent 47fbc83419
commit 68f537ac5b
8 changed files with 266 additions and 253 deletions


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting ); our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4.13'; our $VERSION = '4.4.14';
# #
# Called by the compiler to [re-]initialize this module's state # Called by the compiler to [re-]initialize this module's state
@ -224,48 +224,48 @@ sub process_accounting_rule( ) {
sub setup_accounting() { sub setup_accounting() {
my $fn = open_file 'accounting'; if ( my $fn = open_file 'accounting' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
my $nonEmpty = 0; my $nonEmpty = 0;
$nonEmpty |= process_accounting_rule while read_a_line; $nonEmpty |= process_accounting_rule while read_a_line;
clear_comment; clear_comment;
if ( have_bridges ) { if ( have_bridges ) {
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
}
}
if ( $filter_table->{accountout} ) {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
}
} elsif ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
} }
} }
if ( $filter_table->{accountout} ) { if ( $filter_table->{accipsecin} ) {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accipsecin', 0, '', 0, 0 );
}
} }
} elsif ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { if ( $filter_table->{accipsecout} ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); for my $chain ( qw/FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
}
}
for ( accounting_chainrefs ) {
warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
} }
} }
if ( $filter_table->{accipsecin} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accipsecin', 0, '', 0, 0 );
}
}
if ( $filter_table->{accipsecout} ) {
for my $chain ( qw/FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
}
}
for ( accounting_chainrefs ) {
warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
}
} }
1; 1;
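Review bot: `$nonEmpty` in setup_accounting is assigned from `process_accounting_rule` on every line read but, across the whole sub as shown in this hunk, is never read afterwards, so the accumulator is dead code on the new side exactly as it was on the old; either drop it or use it to decide whether the chain-reference warnings and jump setup below are worth running. Separately, the new `if ( my $fn = open_file 'accounting' )` guard is only correct if open_file returns a false value for an absent optional file and a non-empty path otherwise; a one-line comment at the call site would make that contract visible, e.g. `# open_file returns false when the optional accounting file is absent; skip everything, including the jump setup`. The same guard is introduced in setup_masq, setup_nat, setup_netmap, setup_providers, setup_notrack, process_routestopped, setup_mac_lists, setup_tunnels and validate_hosts_file, so one explanatory comment per module would cover them.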


@ -132,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.


@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
our @EXPORT_OK = (); our @EXPORT_OK = ();
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
our @addresses_to_add; our @addresses_to_add;
our %addresses_to_add; our %addresses_to_add;
@ -262,14 +262,14 @@ sub process_one_masq( )
# #
sub setup_masq() sub setup_masq()
{ {
my $fn = open_file 'masq'; if ( my $fn = open_file 'masq' ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
process_one_masq while read_a_line; process_one_masq while read_a_line;
clear_comment;
clear_comment;
}
} }
# #
@ -359,32 +359,32 @@ sub do_one_nat( $$$$$ )
# #
sub setup_nat() { sub setup_nat() {
my $fn = open_file 'nat'; if ( my $fn = open_file 'nat' ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
while ( read_a_line ) { while ( read_a_line ) {
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
if ( $external eq 'COMMENT' ) { if ( $external eq 'COMMENT' ) {
process_comment; process_comment;
} else { } else {
( $interfacelist, my $digit ) = split /:/, $interfacelist; ( $interfacelist, my $digit ) = split /:/, $interfacelist;
$digit = defined $digit ? ":$digit" : ''; $digit = defined $digit ? ":$digit" : '';
for my $interface ( split_list $interfacelist , 'interface' ) { for my $interface ( split_list $interfacelist , 'interface' ) {
fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne ''; fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat; do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
}
progress_message " NAT entry \"$currentline\" $done";
} }
progress_message " NAT entry \"$currentline\" $done";
} }
clear_comment;
} }
clear_comment;
} }
# #
@ -392,40 +392,43 @@ sub setup_nat() {
# #
sub setup_netmap() { sub setup_netmap() {
my $fn = open_file 'netmap'; if ( my $fn = open_file 'netmap' ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
while ( read_a_line ) { while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file'; my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
$net3 = ALLIP if $net3 eq '-'; $net3 = ALLIP if $net3 eq '-';
for my $interface ( split_list $interfacelist, 'interface' ) { for my $interface ( split_list $interfacelist, 'interface' ) {
my $rulein = ''; my $rulein = '';
my $ruleout = ''; my $ruleout = '';
my $iface = $interface; my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
$rulein = match_source_dev( $interface ); $rulein = match_source_dev( $interface );
$ruleout = match_dest_dev( $interface ); $ruleout = match_dest_dev( $interface );
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
}
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2";
} else {
fatal_error "Invalid type ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
} }
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2";
} else {
fatal_error "Invalid type ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
} }
clear_comment;
} }
} }
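Review bot: The rendering shows only a single, unpaired `clear_comment;` at the end of setup_netmap, so I cannot tell whether that call survives on the new side inside the `if ( my $fn = open_file 'netmap' )` block; setup_masq and setup_nat both end their block with `clear_comment;`, so setup_netmap should match unless netmap entries can never carry COMMENT lines (it reads with `split_line` rather than `split_line1`, which suggests they cannot). Whichever is intended, a short comment on that line, e.g. `# netmap has no COMMENT support; clear_comment kept for consistency with setup_masq/setup_nat`, would save the next reader the same question.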


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
our @EXPORT_OK = qw( initialize lookup_provider ); our @EXPORT_OK = qw( initialize lookup_provider );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
use constant { LOCAL_TABLE => 255, use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254, MAIN_TABLE => 254,
@ -757,15 +757,16 @@ sub setup_providers() {
$lastmark = 0; $lastmark = 0;
my $fn = open_file 'providers'; if ( my $fn = open_file 'providers' ) {
first_entry sub() { first_entry sub() {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
emit "\nif [ -z \"\$g_noroutes\" ]; then"; emit "\nif [ -z \"\$g_noroutes\" ]; then";
push_indent; push_indent;
start_providers; }; start_providers; };
add_a_provider, $providers++ while read_a_line; add_a_provider, $providers++ while read_a_line;
}
if ( $providers ) { if ( $providers ) {
finish_providers; finish_providers;


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_notrack ); our @EXPORT = qw( setup_notrack );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
# #
# Notrack # Notrack
@ -76,24 +76,25 @@ sub process_notrack_rule( $$$$$$ ) {
sub setup_notrack() { sub setup_notrack() {
my $fn = open_file 'notrack'; if ( my $fn = open_file 'notrack' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
my $nonEmpty = 0; my $nonEmpty = 0;
while ( read_a_line ) { while ( read_a_line ) {
my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File'; my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
if ( $source eq 'COMMENT' ) { if ( $source eq 'COMMENT' ) {
process_comment; process_comment;
} else { } else {
process_notrack_rule $source, $dest, $proto, $ports, $sports, $user; process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
}
} }
}
clear_comment; clear_comment;
}
} }
1; 1;
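Review bot: `my $nonEmpty = 0;` in setup_notrack is declared but never assigned or read in the rest of the sub, which is fully visible in this hunk, so the variable is dead on the new side and can simply be deleted. If it was meant to mirror the accumulator in setup_accounting, the loop would need `$nonEmpty |= process_notrack_rule ...` and something that consumes the result; as written it only adds noise inside the new `if ( my $fn = open_file 'notrack' )` block.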


@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
compile_stop_firewall compile_stop_firewall
); );
our @EXPORT_OK = qw( process_rule process_rule1 initialize ); our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
our $macro_nest_level; our $macro_nest_level;
our $current_param; our $current_param;
@ -322,119 +322,120 @@ sub setup_blacklist() {
sub process_routestopped() { sub process_routestopped() {
my ( @allhosts, %source, %dest , %notrack, @rule ); if ( my $fn = open_file 'routestopped' ) {
my ( @allhosts, %source, %dest , %notrack, @rule );
my $fn = open_file 'routestopped'; my $seq = 0;
my $seq = 0; first_entry "$doing $fn...";
first_entry "$doing $fn..."; while ( read_a_line ) {
while ( read_a_line ) { my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; my $interfaceref;
my $interfaceref; fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-';
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface; my $routeback = 0;
$hosts = ALLIP unless $hosts && $hosts ne '-';
my $routeback = 0; my @hosts;
my @hosts; $seq++;
$seq++; my $rule = do_proto( $proto, $ports, $sports, 0 );
my $rule = do_proto( $proto, $ports, $sports, 0 );
for my $host ( split /,/, $hosts ) {
fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
validate_host $host, 1;
push @hosts, "$interface|$host|$seq";
push @rule, $rule;
}
unless ( $options eq '-' ) {
for my $option (split /,/, $options ) {
if ( $option eq 'routeback' ) {
if ( $routeback ) {
warning_message "Duplicate 'routeback' option ignored";
} else {
$routeback = 1;
}
} elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) {
$source{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) {
$dest{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1;
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
warning_message "The 'critical' option is no longer supported (or needed)";
}
}
}
if ( $routeback || $interfaceref->{options}{routeback} ) {
my $chainref = $filter_table->{FORWARD};
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
add_rule( $chainref , fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
match_source_dev( $interface ) . validate_host $host, 1;
match_dest_dev( $interface ) . push @hosts, "$interface|$host|$seq";
match_source_net( $host ) . push @rule, $rule;
match_dest_net( $host ) );
clearrule;
} }
}
push @allhosts, @hosts;
}
for my $host ( @allhosts ) { unless ( $options eq '-' ) {
my ( $interface, $h, $seq ) = split /\|/, $host; for my $option (split /,/, $options ) {
my $source = match_source_net $h; if ( $option eq 'routeback' ) {
my $dest = match_dest_net $h; if ( $routeback ) {
my $sourcei = match_source_dev $interface; warning_message "Duplicate 'routeback' option ignored";
my $desti = match_dest_dev $interface; } else {
my $rule = shift @rule; $routeback = 1;
}
} elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) {
$source{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) {
$dest{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1;
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
warning_message "The 'critical' option is no longer supported (or needed)";
}
}
}
add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1; if ( $routeback || $interfaceref->{options}{routeback} ) {
add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED}; my $chainref = $filter_table->{FORWARD};
my $matched = 0; for my $host ( split /,/, $hosts ) {
add_rule( $chainref ,
if ( $source{$host} ) { match_source_dev( $interface ) .
add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1; match_dest_dev( $interface ) .
$matched = 1; match_source_net( $host ) .
} match_dest_net( $host ) );
if ( $dest{$host} ) {
add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
$matched = 1;
}
if ( $notrack{$host} ) {
add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1;
}
unless ( $matched ) {
for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) {
my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
my $dest1 = match_dest_net $h1;
my $desti1 = match_dest_dev $interface1;
add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
clearrule; clearrule;
} }
} }
push @allhosts, @hosts;
}
for my $host ( @allhosts ) {
my ( $interface, $h, $seq ) = split /\|/, $host;
my $source = match_source_net $h;
my $dest = match_dest_net $h;
my $sourcei = match_source_dev $interface;
my $desti = match_dest_dev $interface;
my $rule = shift @rule;
add_rule $filter_table->{INPUT}, "$sourcei $source $rule -j ACCEPT", 1;
add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
my $matched = 0;
if ( $source{$host} ) {
add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
$matched = 1;
}
if ( $dest{$host} ) {
add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
$matched = 1;
}
if ( $notrack{$host} ) {
add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
add_rule $raw_table->{OUTPUT}, "$desti $dest $rule -j NOTRACK", 1;
}
unless ( $matched ) {
for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) {
my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
my $dest1 = match_dest_net $h1;
my $desti1 = match_dest_dev $interface1;
add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
clearrule;
}
}
}
} }
} }
} }
@ -759,54 +760,55 @@ sub setup_mac_lists( $ ) {
} }
} }
my $fn = open_file 'maclist'; if ( my $fn = open_file 'maclist' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
while ( read_a_line ) { while ( read_a_line ) {
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file';
if ( $original_disposition eq 'COMMENT' ) { if ( $original_disposition eq 'COMMENT' ) {
process_comment; process_comment;
} else {
my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
my $targetref = $maclist_targets{$disposition};
fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless defined $addresses && ( $addresses ne '-' );
fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
$mac = mac_match $mac if $mac;
if ( $addresses ) {
for my $address ( split ',', $addresses ) {
my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if defined $level && $level ne '';
add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
}
} else { } else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
if defined $level && $level ne '';
add_jump $chainref , $targetref->{target}, 0, "$mac"; fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
my $targetref = $maclist_targets{$disposition};
fatal_error "Invalid DISPOSITION ($original_disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless defined $addresses && ( $addresses ne '-' );
fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
$mac = mac_match $mac if $mac;
if ( $addresses ) {
for my $address ( split ',', $addresses ) {
my $source = match_source_net $address;
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if defined $level && $level ne '';
add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
}
} else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if defined $level && $level ne '';
add_jump $chainref , $targetref->{target}, 0, "$mac";
}
progress_message " Maclist entry \"$currentline\" $done";
} }
progress_message " Maclist entry \"$currentline\" $done";
} }
}
clear_comment; clear_comment;
}
# #
# Generate jumps from the input and forward chains # Generate jumps from the input and forward chains
# #
@ -1653,11 +1655,15 @@ sub process_rules() {
my $fn = open_file 'rules'; my $fn = open_file 'rules';
first_entry "$doing $fn..."; if ( $fn ) {
process_rule while read_a_line; first_entry "$doing $fn...";
process_rule while read_a_line;
clear_comment;
}
clear_comment;
$section = 'DONE'; $section = 'DONE';
} }
@ -1698,7 +1704,7 @@ sub generate_dest_rules( $$$$ ) {
if ( $type2 == VSERVER ) { if ( $type2 == VSERVER ) {
for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) { for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain); my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( $chainref, add_jump( $chainref,
@ -1739,7 +1745,7 @@ sub generate_source_rules( $$$$ ) {
} }
# #
# Loopback traffic -- this is where we assemble the intra-firewall traffic routing # Loopback traffic -- this is where we assemble the intra-firewall chains
# #
sub handle_loopback_traffic() { sub handle_loopback_traffic() {
my @zones = ( vserver_zones, firewall_zone ); my @zones = ( vserver_zones, firewall_zone );


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels ); our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( ); our @EXPORT_OK = ( );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
# #
# Here starts the tunnel stuff -- we really should get rid of this crap... # Here starts the tunnel stuff -- we really should get rid of this crap...
@ -277,22 +277,23 @@ sub setup_tunnels() {
# #
# Setup_Tunnels() Starts Here # Setup_Tunnels() Starts Here
# #
my $fn = open_file 'tunnels'; if ( my $fn = open_file 'tunnels' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
while ( read_a_line ) { while ( read_a_line ) {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file'; my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
if ( $kind eq 'COMMENT' ) { if ( $kind eq 'COMMENT' ) {
process_comment; process_comment;
} else { } else {
setup_one_tunnel $kind, $zone, $gateway, $gatewayzones; setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
}
} }
}
clear_comment; clear_comment;
}
} }
1; 1;


@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
# #
# IPSEC Option types # IPSEC Option types
@ -1774,11 +1774,12 @@ sub validate_hosts_file()
{ {
my $ipsec = 0; my $ipsec = 0;
my $fn = open_file 'hosts'; if ( my $fn = open_file 'hosts' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
$ipsec |= process_host while read_a_line; $ipsec |= process_host while read_a_line;
}
$have_ipsec = $ipsec || haveipseczones; $have_ipsec = $ipsec || haveipseczones;