Fix some bugs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6476 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
4da98d2bb2
commit
b591068603
@ -151,8 +151,10 @@ sub get_routed_networks ( $$ ) {
|
||||
# Parse the interfaces file.
|
||||
#
|
||||
|
||||
sub validate_interfaces_file()
|
||||
sub validate_interfaces_file( $ )
|
||||
{
|
||||
my $export = shift;
|
||||
|
||||
use constant { SIMPLE_IF_OPTION => 1,
|
||||
BINARY_IF_OPTION => 2,
|
||||
ENUM_IF_OPTION => 3,
|
||||
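Review bot: The new `$export` parameter taken by `my $export = shift;` is undocumented, and the only hint of its meaning is the fatal_error text further down the function that ties it to the '-e' compiler option. A one-line comment at the declaration would spare the next reader that reconstruction: `my $export = shift;   # true when compiling with -e; 'detectnets' is refused in that mode (routes would be read from the compiling host - TODO confirm)`. Note that the `( $ )` prototype only enforces the argument count when the definition is visible before a call is compiled; it is not a runtime check of what the caller passed. The rest of validate_interfaces_file lies outside this hunk.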
@ -230,7 +232,6 @@ sub validate_interfaces_file()
|
||||
}
|
||||
}
|
||||
|
||||
$interfaces{$interface}{ports}++;
|
||||
$interfaces{$port}{bridge} = $bridge = $interface;
|
||||
$interface = $port;
|
||||
} else {
|
||||
@ -318,10 +319,11 @@ sub validate_interfaces_file()
|
||||
my @networks;
|
||||
|
||||
if ( $options{detectnets} ) {
|
||||
fatal_error "'detectnets' not allowed with multi-zone interface" unless $zone;
|
||||
fatal_error "The 'detectnets' option is not allowed with multi-zone interface" unless $zone;
|
||||
fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
|
||||
fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
|
||||
@networks = get_routed_networks( $interface, 'detectnets not allowed on interface with default route' );
|
||||
fatal_error "No routes through 'detectnets' interface $interface" unless @networks || $options{optional};
|
||||
fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
|
||||
} else {
|
||||
@networks = @allipv4;
|
||||
}
|
||||
|
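Review bot: The message passed in `get_routed_networks( $interface, 'detectnets not allowed on interface with default route' )` keeps the old wording while the three fatal_error texts just above it were rephrased to the "The 'detectnets' option ..." form, so a user sees two styles for the same option. Consider `"The 'detectnets' option may not be used on an interface with the default route"` so all four messages match. Separately, when `$options{optional}` is set and no routes are found, @networks stays empty and processing continues with no detected networks; if that is intended, a short comment on the `unless @networks || $options{optional}` line would make it explicit. The enclosing block continues outside the hunk.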
@ -757,7 +757,7 @@ sub setup_mac_lists( $ ) {
|
||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
} else {
|
||||
add_rule $mangle_table->{PREROUTING}, match_source_interface( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
@ -221,29 +221,23 @@ sub determine_zones()
|
||||
fatal_error "Invalid zone name: $zone" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
|
||||
fatal_error( "Duplicate zone name: $zone\n" ) if $zones{$zone};
|
||||
|
||||
my $zoneref = $zones{$zone} = {};
|
||||
$zoneref->{parents} = \@parents;
|
||||
$zoneref->{exclusions} = [];
|
||||
$zoneref->{bridge} = '';
|
||||
|
||||
$type = "ipv4" unless $type;
|
||||
|
||||
if ( $type =~ /ipv4/i ) {
|
||||
$zoneref->{type} = 'ipv4';
|
||||
$type = 'ipv4';
|
||||
} elsif ( $type =~ /^ipsec4?$/i ) {
|
||||
$zoneref->{type} = 'ipsec4';
|
||||
$type = 'ipsec4';
|
||||
} elsif ( $type =~ /^bport4?$/i ) {
|
||||
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||
$zoneref->{type} = 'bport4';
|
||||
|
||||
$type = 'bport4';
|
||||
} elsif ( $type eq 'firewall' ) {
|
||||
fatal_error 'Firewall zone may not be nested' if @parents;
|
||||
fatal_error "Only one firewall zone may be defined: $zone" if $firewall_zone;
|
||||
$firewall_zone = $zone;
|
||||
$ENV{FW} = $zone;
|
||||
$zoneref->{type} = "firewall";
|
||||
$type = "firewall";
|
||||
} elsif ( $type eq '-' ) {
|
||||
$type = $zoneref->{type} = 'ipv4';
|
||||
$type = 'ipv4';
|
||||
} else {
|
||||
fatal_error "Invalid zone type ($type)" ;
|
||||
}
|
||||
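Review bot: The ipv4 test at `if ( $type =~ /ipv4/i ) {` is unanchored while the neighbouring `/^ipsec4?$/i` and `/^bport4?$/i` tests are anchored, so a mistyped zone type such as `ipv4x` or `xipv4` is silently normalised to `ipv4` instead of reaching the `Invalid zone type` error at the end of the chain. The commit rewrites every branch of this chain, so it is a natural moment to align it: `if ( $type =~ /^ipv4$/i ) {`. The assignment `$type = "firewall";` in the firewall branch re-assigns the value the `eq 'firewall'` test just matched; harmless, but it can go. determine_zones starts and continues outside the hunk.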
@ -254,16 +248,20 @@ sub determine_zones()
|
||||
$in_options = '' if $in_options eq '-';
|
||||
$out_options = '' if $out_options eq '-';
|
||||
|
||||
$zone_hash{in_out} = parse_zone_option_list( $options || '', $zoneref->{type} );
|
||||
$zone_hash{in} = parse_zone_option_list( $in_options || '', $zoneref->{type} );
|
||||
$zone_hash{out} = parse_zone_option_list( $out_options || '', $zoneref->{type} );
|
||||
$zone_hash{complex} = ($zoneref->{type} eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0);
|
||||
|
||||
$zoneref->{options} = \%zone_hash;
|
||||
$zoneref->{interfaces} = {};
|
||||
$zoneref->{children} = [];
|
||||
$zoneref->{hosts} = {};
|
||||
$zone_hash{in_out} = parse_zone_option_list( $options || '', $type );
|
||||
$zone_hash{in} = parse_zone_option_list( $in_options || '', $type );
|
||||
$zone_hash{out} = parse_zone_option_list( $out_options || '', $type );
|
||||
$zone_hash{complex} = ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0);
|
||||
|
||||
$zones{$zone} = { type => $type,
|
||||
parents => \@parents,
|
||||
exclusions => [],
|
||||
bridge => '',
|
||||
options => \%zone_hash,
|
||||
interfaces => {} ,
|
||||
children => [] ,
|
||||
hosts => {}
|
||||
};
|
||||
push @z, $zone;
|
||||
}
|
||||
|
||||
|
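Review bot: `options => \%zone_hash,` stores a reference to `%zone_hash`, so the new record is only correct if `%zone_hash` is `my`-declared inside the per-zone loop body; if the declaration sits outside the loop (it is not visible in this hunk), every zone's options would alias the same hash and the last zone read would overwrite the options of all earlier ones. Worth confirming against the declaration. A comment on the `$zones{$zone} = { type => $type,` line naming the record fields (type, parents, exclusions, bridge, options, interfaces, children, hosts) would also document the zone structure that the rest of the compiler reads. The loop enclosing this hunk begins outside it.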
@ -691,7 +691,7 @@ sub compiler( $ ) {
|
||||
#
|
||||
# Process the interfaces file.
|
||||
#
|
||||
validate_interfaces_file;
|
||||
validate_interfaces_file ( $export );
|
||||
#
|
||||
# Process the hosts file.
|
||||
#
|
||||
|