More optional provider changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7117 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
db6bd67252
commit
71c45e607a
@ -165,6 +165,8 @@ EXPORTPARAMS=Yes
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
@ -288,7 +288,7 @@ sub initialize() {
|
||||
EXPORTPARAMS => undef,
|
||||
SHOREWALL_COMPILER => undef,
|
||||
EXPAND_POLICIES => undef,
|
||||
ACCOUNTING_EXPERT => undef,
|
||||
KEEP_RT_TABLES => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
|
@ -76,7 +76,7 @@ use constant { NOTHING => 'NOTHING',
|
||||
#
|
||||
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
||||
#
|
||||
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4';
|
||||
# %zones{<zone1> => {type = > <zone type>
|
||||
# options => { complex => 0|1
|
||||
# in_out => < policy match string >
|
||||
# in => < policy match string >
|
||||
@ -110,6 +110,16 @@ our %reservedName = ( all => 1,
|
||||
SOURCE => 1,
|
||||
DEST => 1 );
|
||||
|
||||
se constant ( ZT_IPV4 => 1,
|
||||
ZT_IPSEC => 2,
|
||||
ZT_BPORT => 4,
|
||||
ZT_IPV6 => 8,
|
||||
ZT_FIREWALL => 16,
|
||||
ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC
|
||||
ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC
|
||||
ZT_BPORT4 => ZT_IPV4 | ZT_BPORT
|
||||
ZT_BPORT6 => ZT_IPV6 | ZT_BPORT
|
||||
);
|
||||
#
|
||||
# Interface Table.
|
||||
#
|
||||
@ -209,7 +219,7 @@ sub parse_zone_option_list($$)
|
||||
if ( $key{$e} ) {
|
||||
$h{$e} = $val;
|
||||
} else {
|
||||
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4';
|
||||
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & ZT_IPSEC;
|
||||
$options .= $invert;
|
||||
$options .= "--$e ";
|
||||
$options .= "$val "if defined $val;
|
||||
@ -251,7 +261,7 @@ sub determine_zones()
|
||||
for my $p ( @parents ) {
|
||||
fatal_error "Invalid Parent List ($2)" unless $p;
|
||||
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
|
||||
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall';
|
||||
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} & ZT_FIREWALL;
|
||||
push @{$zones{$p}{children}}, $zone;
|
||||
}
|
||||
}
|
||||
@ -263,20 +273,20 @@ sub determine_zones()
|
||||
$type = "ipv4" unless $type;
|
||||
|
||||
if ( $type =~ /ipv4/i ) {
|
||||
$type = 'ipv4';
|
||||
$type = ZT_IPV4;
|
||||
} elsif ( $type =~ /^ipsec4?$/i ) {
|
||||
$type = 'ipsec4';
|
||||
$type = ZT_IPSEC4;
|
||||
} elsif ( $type =~ /^bport4?$/i ) {
|
||||
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||
$type = 'bport4';
|
||||
$type = ZT_BPORT4;
|
||||
} elsif ( $type eq 'firewall' ) {
|
||||
fatal_error 'Firewall zone may not be nested' if @parents;
|
||||
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
|
||||
$firewall_zone = $zone;
|
||||
$ENV{FW} = $zone;
|
||||
$type = "firewall";
|
||||
$type = ZT_FIREWALL;
|
||||
} elsif ( $type eq '-' ) {
|
||||
$type = 'ipv4';
|
||||
$type = ZT_IPV4;
|
||||
} else {
|
||||
fatal_error "Invalid zone type ($type)" ;
|
||||
}
|
||||
@ -292,7 +302,7 @@ sub determine_zones()
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) } ,
|
||||
complex => ($type & ZT_IPSEC || $options || $in_options || $out_options ? 1 : 0) } ,
|
||||
interfaces => {} ,
|
||||
children => [] ,
|
||||
hosts => {}
|
||||
@ -327,12 +337,22 @@ sub determine_zones()
|
||||
#
|
||||
sub haveipseczones() {
|
||||
for my $zoneref ( values %zones ) {
|
||||
return 1 if $zoneref->{type} eq 'ipsec4';
|
||||
return 1 if $zoneref->{type} & ZT_IPSEC;
|
||||
}
|
||||
|
||||
0;
|
||||
}
|
||||
|
||||
my @typenames = ( Untyped, #0
|
||||
firewall, #1
|
||||
ipv4, #2
|
||||
Invalid, #3
|
||||
Invalid, #4
|
||||
Invalid, #5
|
||||
ipsec4, #6
|
||||
Invalid, #7
|
||||
Invalid, #8
|
||||
|
||||
#
|
||||
# Report about zones.
|
||||
#
|
||||
|
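Review bot: The `use constant` statement that introduces ZT_IPV4 through ZT_BPORT6 in the %reservedName hunk (rendered here as `se constant ( ZT_IPV4 => 1,`) does not look compilable as shown: with parentheses instead of braces it is the list form, which defines only ZT_IPV4 as a list constant, the composite entries `ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC` through `ZT_BPORT6 => ZT_IPV6 | ZT_BPORT` have no trailing commas, and ZT_IPV4/ZT_IPSEC are not yet defined when the argument list of that same statement is evaluated, so under strict they are barewords. Unless the page dropped characters, this should be the hashref form `use constant { ZT_IPV4 => 1, ZT_IPSEC => 2, ZT_BPORT => 4, ZT_IPV6 => 8, ZT_FIREWALL => 16 };` followed by a second `use constant { ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC, ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC, ZT_BPORT4 => ZT_IPV4 | ZT_BPORT, ZT_BPORT6 => ZT_IPV6 | ZT_BPORT };` so the base values exist when the composites are computed. The @typenames array added in the haveipseczones hunk also disagrees with those values: its index comments put firewall at 1, ipv4 at 2 and ipsec4 at 6, whereas the constants give ZT_IPV4 = 1, ZT_IPSEC4 = 3, ZT_BPORT4 = 5 and ZT_FIREWALL = 16, its elements are unquoted barewords, and no closing paren for the list is visible within the hunk. Indexing that array by a zone's type would therefore report the wrong name; a hash keyed by the ZT_ value, e.g. `my %typename = ( ZT_IPV4() => 'ipv4', ZT_IPSEC4() => 'ipsec4', ZT_BPORT4() => 'bport4', ZT_FIREWALL() => 'firewall' );`, avoids both the positional mismatch and the bareword strings.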
@ -406,6 +406,12 @@
|
||||
an interface is in a state that Shorewall can [re]start
|
||||
without error doesn't mean that traffic can actually be
|
||||
sent through the interface.</para>
|
||||
|
||||
<para>Beginning with Shorewall-perl 4.0.3, you can supply
|
||||
an 'isusable' <ulink
|
||||
url="shorewall_extension_scripts.htm">extension
|
||||
script</ulink> to extend Shorewall's interface state
|
||||
detection.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -122,6 +122,40 @@
|
||||
logging rule is added to the current chain (the name of that chain
|
||||
will be in $CHAIN).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>isusable -- (Added in Shorewall-perl version 4.0.3) invoked when
|
||||
Shorewall is trying to determine the usability of the network
|
||||
interface associated with an optional entry in
|
||||
/etc/shorewall/providers. $1 is the name of the interface which will
|
||||
have been determined to be up and configured before the script is
|
||||
invoked. The return value from the script indicates whether or not the
|
||||
interface is usable (0 = usable, other = unusable).</para>
|
||||
|
||||
<para>Example:<programlisting># Ping a gateway through the passed interface
|
||||
case $1 in
|
||||
eth0)
|
||||
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
|
||||
return
|
||||
;;
|
||||
eth1)
|
||||
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
|
||||
return
|
||||
;;
|
||||
*)
|
||||
# No additional testing of other interfaces
|
||||
return 0
|
||||
;;
|
||||
esac</programlisting><caution>
|
||||
<para>The firewall state when this script is invoked is
|
||||
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
|
||||
output on an interface is not allowed by <ulink
|
||||
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
||||
the script must blow it's own holes in the firewall before
|
||||
probing.</para>
|
||||
</caution></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
||||
@ -373,7 +407,7 @@
|
||||
<row>
|
||||
<entry>maclog</entry>
|
||||
|
||||
<entry>initdone</entry>
|
||||
<entry>isusable</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|