Remove support for 'detectnets' from Shorewall-perl
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7377 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
7a96b07e81
commit
808b7fc0a1
@ -1 +1 @@
|
|||||||
This is the Shorewall-common Stable 4.0 branch of SVN.
|
This is the Shorewall-common Development 4.0 branch of SVN.
|
||||||
|
@ -1 +1 @@
|
|||||||
This is the Shorewall-lite Stable 4.0 branch of SVN.
|
This is the Shorewall-lite Development 4.0 branch of SVN.
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
This is the Shorewall-perl Development 4.0 branch of SVN.
|
||||||
|
|
||||||
|
@ -752,7 +752,6 @@ sub setup_mac_lists( $ ) {
|
|||||||
fatal_error "Invalid DISPOSITION ($disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
|
fatal_error "Invalid DISPOSITION ($disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
|
||||||
|
|
||||||
unless ( $maclist_interfaces{$interface} ) {
|
unless ( $maclist_interfaces{$interface} ) {
|
||||||
next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
|
|
||||||
fatal_error "No hosts on $interface have the maclist option specified";
|
fatal_error "No hosts on $interface have the maclist option specified";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1563,7 +1562,6 @@ sub generate_matrix() {
|
|||||||
my $exclusions = $zoneref->{exclusions};
|
my $exclusions = $zoneref->{exclusions};
|
||||||
my $frwd_ref = 0;
|
my $frwd_ref = 0;
|
||||||
my $chain = 0;
|
my $chain = 0;
|
||||||
my %needbroadcast;
|
|
||||||
|
|
||||||
if ( $complex ) {
|
if ( $complex ) {
|
||||||
$frwd_ref = $filter_table->{"${zone}_frwd"};
|
$frwd_ref = $filter_table->{"${zone}_frwd"};
|
||||||
@ -1614,39 +1612,11 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
|
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
|
||||||
if $complex && $hostref->{ipsec} ne 'ipsec';
|
if $complex && $hostref->{ipsec} ne 'ipsec';
|
||||||
|
|
||||||
$needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets';
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $chain1 ) {
|
|
||||||
for my $interface ( keys %needbroadcast ) {
|
|
||||||
if ( $capabilities{ADDRTYPE} ) {
|
|
||||||
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
|
|
||||||
} else {
|
|
||||||
my $interfaceref = find_interface( $interface );
|
|
||||||
my $chain = output_chain $interface;
|
|
||||||
my $chainref = $filter_table->{$chain};
|
|
||||||
|
|
||||||
if ( $interfaceref->{broadcasts} ) {
|
|
||||||
for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
|
|
||||||
add_rule( $chainref, "-d $address -j $chain1" );
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
my $variable = get_interface_bcasts $interface;
|
|
||||||
|
|
||||||
add_commands( $chainref,
|
|
||||||
"for address in $variable; do",
|
|
||||||
" echo \"-A $chain -d \$address -j $chain1\" >&3",
|
|
||||||
'done' );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#
|
#
|
||||||
# F O R W A R D I N G
|
# F O R W A R D I N G
|
||||||
#
|
#
|
||||||
@ -1723,17 +1693,6 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( $zone eq $zone1 ) {
|
if ( $zone eq $zone1 ) {
|
||||||
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
|
||||||
|
|
||||||
if ( $chain3 ) {
|
|
||||||
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
|
|
||||||
if ( get_interface_option( $interface, 'bridge' ) ) {
|
|
||||||
for my $source ( keys %$sourceref ) {
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $zone1ref->{type} eq 'bport4' ) {
|
if ( $zone1ref->{type} eq 'bport4' ) {
|
||||||
|
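Review bot: With the `%needbroadcast` loops removed in hunks 1614 and 1723, `$chain1` and `$chain3` have no remaining consumer on the visible new side; if nothing else in generate_matrix uses them (the function starts and ends outside these hunks), they are now dead and the code that computes them should be removed as well. The new side also gives no hint of why the dedicated `-m addrtype --dst-type BROADCAST` and `224.0.0.0/4` output rules are no longer needed; presumably because zone networks now default to allipv4 so the ordinary per-source rules already match those destinations, but that is inferred rather than visible here. A one-line comment at the end of the interface loop, `# Broadcast/multicast destinations are matched by the per-source rules above now that detectnets is gone`, would record the intent for the next reader — adjust the wording if the reason differs.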
@ -547,32 +547,6 @@ sub firewall_zone() {
|
|||||||
$firewall_zone;
|
$firewall_zone;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Return a list of networks routed out of the passed interface
|
|
||||||
#
|
|
||||||
sub get_routed_networks ( $$ ) {
|
|
||||||
my ( $interface , $error_message ) = @_;
|
|
||||||
my @networks;
|
|
||||||
|
|
||||||
if ( open IP , '-|' , "/sbin/ip route show dev $interface 2> /dev/null" ) {
|
|
||||||
while ( my $route = <IP> ) {
|
|
||||||
$route =~ s/^\s+//;
|
|
||||||
my $network = ( split /\s+/, $route )[0];
|
|
||||||
if ( $network eq 'default' ) {
|
|
||||||
fatal_error $error_message if $error_message;
|
|
||||||
warning_message "default route ignored on interface $interface";
|
|
||||||
} else {
|
|
||||||
my ( $address, $vlsm ) = split '/', $network;
|
|
||||||
$vlsm = 32 unless defined $vlsm;
|
|
||||||
push @networks, "$address/$vlsm";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
close IP
|
|
||||||
}
|
|
||||||
|
|
||||||
@networks;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Parse the interfaces file.
|
# Parse the interfaces file.
|
||||||
#
|
#
|
||||||
@ -585,6 +559,7 @@ sub validate_interfaces_file( $ )
|
|||||||
BINARY_IF_OPTION => 2,
|
BINARY_IF_OPTION => 2,
|
||||||
ENUM_IF_OPTION => 3,
|
ENUM_IF_OPTION => 3,
|
||||||
NUMERIC_IF_OPTION => 4,
|
NUMERIC_IF_OPTION => 4,
|
||||||
|
OBSOLETE_IF_OPTION => 5,
|
||||||
MASK_IF_OPTION => 7,
|
MASK_IF_OPTION => 7,
|
||||||
|
|
||||||
IF_OPTION_ZONEONLY => 8 };
|
IF_OPTION_ZONEONLY => 8 };
|
||||||
@ -593,7 +568,7 @@ sub validate_interfaces_file( $ )
|
|||||||
arp_ignore => ENUM_IF_OPTION,
|
arp_ignore => ENUM_IF_OPTION,
|
||||||
blacklist => SIMPLE_IF_OPTION,
|
blacklist => SIMPLE_IF_OPTION,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
detectnets => SIMPLE_IF_OPTION,
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
maclist => SIMPLE_IF_OPTION,
|
maclist => SIMPLE_IF_OPTION,
|
||||||
logmartians => BINARY_IF_OPTION,
|
logmartians => BINARY_IF_OPTION,
|
||||||
@ -739,6 +714,8 @@ sub validate_interfaces_file( $ )
|
|||||||
} elsif ( $type == NUMERIC_IF_OPTION ) {
|
} elsif ( $type == NUMERIC_IF_OPTION ) {
|
||||||
fatal_error "The $option option requires a value" unless defined $value;
|
fatal_error "The $option option requires a value" unless defined $value;
|
||||||
$options{$option} = numeric_value $value;
|
$options{$option} = numeric_value $value;
|
||||||
|
} else {
|
||||||
|
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -756,19 +733,7 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
push @ifaces, $interface;
|
push @ifaces, $interface;
|
||||||
|
|
||||||
my @networks;
|
my @networks = allipv4;
|
||||||
|
|
||||||
if ( $options{detectnets} ) {
|
|
||||||
warning_message "Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians'";
|
|
||||||
fatal_error "The 'detectnets' option is not allowed on a multi-zone interface" unless $zone;
|
|
||||||
fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
|
|
||||||
fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
|
|
||||||
@networks = get_routed_networks( $interface, 'detectnets not allowed on interface with default route' );
|
|
||||||
fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
|
|
||||||
delete $options{maclist} unless @networks;
|
|
||||||
} else {
|
|
||||||
@networks = allipv4;
|
|
||||||
}
|
|
||||||
|
|
||||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
||||||
|
|
||||||
|
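Review bot: The new `} else {` branch in hunk 739 turns an obsolete option into a warning, but hunk 756 now calls add_group_to_zone with `allipv4` unconditionally, so an existing configuration that relied on `detectnets` to limit the zone to the networks routed out of the interface still compiles and the zone quietly widens to all IPv4 on that interface. The warning should state that consequence and keep the old pointer to the replacement options, e.g. `warning_message "Support for the $option interface option has been removed from Shorewall-perl; the zone now includes all addresses via this interface - consider 'routefilter' and 'logmartians'"`. The bare `else` also swallows any option type other than the four tested above it; unless `$type` is already masked with MASK_IF_OPTION before this chain (not visible in the hunk), an explicit `} elsif ( $type == OBSOLETE_IF_OPTION ) {` followed by a final `else { fatal_error "Internal error: unknown option type for $option" }` would keep future option types from being reported as removed. Since `@networks` is now always non-empty, the `&& @networks` guard on the add_group_to_zone call in hunk 756 is redundant and can be dropped.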
@ -1 +1 @@
|
|||||||
This is the Shorewall-shell Stable 4.0 branch of SVN.
|
This is the Shorewall-shell Development 4.0 branch of SVN.
|
||||||
|