From c31397532c802bf2349fc7cef054e7a68800d8de Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 12 Aug 2017 09:24:05 -0700 Subject: [PATCH] Verify that parent and child zones have a common interface Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Zones.pm | 47 ++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index a2c58a68c..7b1c744ca 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -701,6 +701,40 @@ sub haveipseczones() { 0; } +# +# Returns 1 if the two interfaces passed are related +# +sub interface_match( $$ ) { + my ( $piface, $ciface ) = @_; + + return 1 if $piface eq $ciface; + + my ( $pifaceref, $cifaceref ) = @interfaces{$piface, $ciface}; + + return 1 if $piface eq $cifaceref->{bridge}; + return 1 if $ciface eq $pifaceref->{bridge}; + + if ( $minroot ) { + if ( $piface =~ /\+$/ ) { + my $root = $pifaceref->{root}; + my $rlength = length( $root ); + while ( length( $ciface ) >= $rlength ) { + return 1 if $ciface eq $root; + chop $ciface; + } + } elsif ( $ciface =~ /\+$/ ) { + my $root = $cifaceref->{root}; + my $rlength = length( $root ); + while ( length( $piface ) >= $rlength ) { + return 1 if $piface eq $root; + chop $piface; + } + } + } + + 0; +} + # # Report about zones. # @@ -738,7 +772,7 @@ sub zone_report() if ( $family == F_IPV4 ) { progress_message_nocompress " $iref->{physical}:$grouplist"; } else { - progress_message_nocompress " $iref->{physical}:<$grouplist>"; + progress_message_nocompress " $iref->{physical}:[$grouplist]"; } $printed = 1; } 
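Review bot: In interface_match the wildcard test is an if/elsif, so when both names are wildcards only the parent's root is ever tried: a parent `eth1+` (root `eth1`) against a child `eth+` chops `eth+` down to `eth`/`et` and returns 0, although `eth+` covers `eth1`, and the zone_report caller then emits a spurious "no interface in common" warning for a nesting that is in fact valid. The first loop also chops `$ciface` itself, so the second test could not see the original name even if it were reached; test both directions on copies, as below. Separately, `$piface eq $cifaceref->{bridge}` compares against a key that non-bridge-port interfaces may not carry (presumably undef here, verify against add_interface), which under `use warnings` would emit uninitialized-value noise for every zone pair; a `defined` guard or `// ''` avoids that. A header comment stating the notion of "related" would help maintainers: `# Two interfaces are related if they are the same, one is the bridge of the other, or one is a wildcard whose root is a prefix of the other`.
```perl
    if ( $minroot ) {
        #
        # Work on copies: the first loop must not consume $ciface before the second test runs
        #
        if ( $piface =~ /\+$/ ) {
            my $root    = $pifaceref->{root};
            my $rlength = length( $root );
            my $name    = $ciface;
            while ( length( $name ) >= $rlength ) {
                return 1 if $name eq $root;
                chop $name;
            }
        }

        if ( $ciface =~ /\+$/ ) {
            my $root    = $cifaceref->{root};
            my $rlength = length( $root );
            my $name    = $piface;
            while ( length( $name ) >= $rlength ) {
                return 1 if $name eq $root;
                chop $name;
            }
        }
    }
    # … unchanged: final `0;` …
```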
@@ -747,6 +781,17 @@ sub zone_report() } } + PARENT: + for my $p ( @{$zoneref->{parents}} ) { + for my $pi ( keys ( %{$zones{$p}{interfaces}} ) ) { + for my $ci ( keys( %{$zoneref->{interfaces}} ) ) { + next PARENT if interface_match( $pi, $ci ); + } + } + + warning_message "Zone $zone is defined as a sub-zone of $p, yet the two zones have no interface in common"; + } + unless ( $printed ) { fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge}; warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
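Review bot: The parent/child interface check is placed inside zone_report(), whose body begins outside this hunk and which otherwise only emits progress messages; if that routine is skipped at lower verbosity or in any code path that compiles without reporting (I cannot confirm from the hunk), a misconfigured nesting would pass silently, so the loop belongs next to the existing zone validation rather than in the report. A sub-zone that shares no interface with its parent cannot be covered by rules and policies written for the parent, which is the same class of configuration error as the adjacent "No bridge has been associated" case that is a fatal_error; it is worth deciding deliberately whether a warning_message is strong enough here. A short why-comment above the label would make the intent clear to the next reader: `# A sub-zone must share at least one (related) interface with each parent; otherwise the nesting has no effect`.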