Alchemy -- zone file style
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
cf710d08ea
commit
f6875e9da7
@ -487,14 +487,53 @@ flushmangle() # $1 = name of chain
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Find the zones
|
# This function assumes that the TMP_DIR variable is set and that
|
||||||
|
# its value named an existing directory.
|
||||||
#
|
#
|
||||||
find_zones() # $1 = name of the zone file
|
determine_zones()
|
||||||
{
|
{
|
||||||
local zone rest
|
local zone parent parents rest new_zone_file=
|
||||||
|
|
||||||
while read zone rest; do
|
merge_zone()
|
||||||
expandv zone
|
{
|
||||||
|
local z zones="$ZONES" merged=
|
||||||
|
|
||||||
|
ZONES=
|
||||||
|
|
||||||
|
for z in $zones; do
|
||||||
|
if [ -z "$merged" ] && list_search $z $parents; then
|
||||||
|
ZONES="$ZONES $zone"
|
||||||
|
merged=Yes
|
||||||
|
fi
|
||||||
|
ZONES="$ZONES $z"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
strip_file zones
|
||||||
|
|
||||||
|
ZONES=
|
||||||
|
|
||||||
|
[ "$IPSECFILE" = zones ] && new_zone_file=Yes
|
||||||
|
|
||||||
|
while read zone type rest; do
|
||||||
|
expandv zone type
|
||||||
|
|
||||||
|
case $zone in
|
||||||
|
*:*)
|
||||||
|
parents=${zone#*:}
|
||||||
|
zone=${zone%:*}
|
||||||
|
[ -n "$zone" ] || startup_error "Invalid nested zone syntax: :$parents"
|
||||||
|
parents=$(separate_list $parents)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
parents=
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
for parent in $parents; do
|
||||||
|
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
|
||||||
|
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
|
||||||
|
done
|
||||||
|
|
||||||
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
|
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
|
||||||
|
|
||||||
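Review bot: merge_zone drops any zone that has no parents: `ZONES` is rebuilt from `$zones` and `$zone` is only inserted when `list_search $z $parents` succeeds for some existing entry, so with `parents` empty the loop ends without the new zone ever being appended (unless a line was lost in rendering; I am assuming list_search returns false for an empty list). A plain zone defined first would then leave `ZONES` empty and trip the "No plain or ipsec Zones Defined" check at the end of determine_zones in the next hunk. The fix is one line after the `for` loop: `[ -n "$merged" ] || ZONES="$ZONES $zone"`. It is also worth a comment that merge_zone is defined inside determine_zones but is not scoped to it (shell functions are global) and that it reads `$zone` and `$parents` from the caller's locals, e.g. `# Insert $zone ahead of its first parent in ZONES; relies on determine_zones' $zone and $parents`. determine_zones continues in the following hunk.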
@ -502,35 +541,42 @@ find_zones() # $1 = name of the zone file
|
|||||||
[0-9*])
|
[0-9*])
|
||||||
startup_error "Illegal zone name \"$zone\" in zones file"
|
startup_error "Illegal zone name \"$zone\" in zones file"
|
||||||
;;
|
;;
|
||||||
$FW|all|none)
|
all|none)
|
||||||
startup_error "Reserved zone name \"$zone\" in zones file ignored"
|
startup_error "Reserved zone name \"$zone\" in zones file"
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo $zone
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done < $1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
if [ -n "$new_zone_file" ]; then
|
||||||
# This function assumes that the TMP_DIR variable is set and that
|
case ${type:=plain} in
|
||||||
# its value named an existing directory.
|
plain|-)
|
||||||
#
|
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
|
||||||
determine_zones()
|
merge_zone
|
||||||
{
|
;;
|
||||||
local zonefile=$(find_file zones) zones=
|
ipsec)
|
||||||
|
list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
|
||||||
|
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||||
|
eval ${zone}_is_ipsec=Yes
|
||||||
|
eval ${zone}_is_complex=Yes
|
||||||
|
merge_zone
|
||||||
|
;;
|
||||||
|
firewall)
|
||||||
|
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
|
||||||
|
[ -n "$parents" ] && startup_error "The firewall zone may not be nested"
|
||||||
|
[ -n "$rest" ] && startup_error "OPTIONS not allowed in a firewall zone"
|
||||||
|
FW=$zone
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
startup_error "Invalid Zone Type: $zone"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
ZONES="$ZONES $zone"
|
||||||
|
fi
|
||||||
|
done < $TMP_DIR/zones
|
||||||
|
|
||||||
strip_file zones $zonefile
|
[ -z "$ZONES" ] && startup_error "No plain or ipsec Zones Defined"
|
||||||
|
|
||||||
ZONES=
|
[ -z "$FW" ] && startup_error "No Firewall Zone Defined"
|
||||||
zones=$(find_zones $TMP_DIR/zones)
|
|
||||||
|
|
||||||
for zone in $zones; do
|
|
||||||
list_search $zone $ZONES && startup_error "Zone $zone is defined more than once"
|
|
||||||
ZONES="$ZONES $zone"
|
|
||||||
done
|
|
||||||
|
|
||||||
[ -z "$ZONES" ] && startup_error "ERROR: No Zones Defined"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
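Review bot: The `*)` arm of `case ${type:=plain}` reports the wrong field: `startup_error "Invalid Zone Type: $zone"` prints the zone name rather than the rejected type, so a misspelled type is reported as a bad zone; `startup_error "Invalid Zone Type: $type for zone $zone"` gives a usable diagnostic. The `firewall)` arm also accepts a second firewall entry, because it checks `$zone` against `ZONES` while the earlier firewall zone lives in `FW`, not in `ZONES`, so a later entry silently replaces it even though the sample zones file on this page says exactly one firewall zone is required; since `FW` may already carry the shorewall.conf value, guard with a local flag instead of testing `$FW`: add `fw_defined` to the `local` line, then `[ -n "$fw_defined" ] && startup_error "Only one firewall zone may be defined"` and `fw_defined=Yes` next to `FW=$zone`. Finally, the zone name reaches `eval ${zone}_is_ipsec=Yes` with only the length and `[0-9*]` checks applied (and that pre-existing pattern only matches one-character names), so a name containing characters that are not valid in a shell identifier fails inside eval with a confusing message instead of a clear one; a check such as `case $zone in *[!a-zA-Z0-9_]*) startup_error "Invalid zone name: $zone";; esac` beside the existing reserved-name checks would close that.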
@ -2536,26 +2582,28 @@ setup_ipsec() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
while read zone ipsec options in_options out_options mss; do
|
while read zone type options in_options out_options mss; do
|
||||||
expandv zone ipsec options in_options out_options mss
|
expandv zone type options in_options out_options mss
|
||||||
|
|
||||||
if [ -n "$using_ipsec" ]; then
|
if [ -n "$using_ipsec" ]; then
|
||||||
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
|
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$ipsec" ]; then
|
if [ -n "$type" ]; then
|
||||||
case $ipsec in
|
if [ -n "$using_ipsec" ]; then
|
||||||
-|No|no)
|
case $type in
|
||||||
;;
|
No|no)
|
||||||
Yes|yes)
|
;;
|
||||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
Yes|yes)
|
||||||
eval ${zone}_is_ipsec=Yes
|
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||||
eval ${zone}_is_complex=Yes
|
eval ${zone}_is_ipsec=Yes
|
||||||
;;
|
eval ${zone}_is_complex=Yes
|
||||||
*)
|
;;
|
||||||
fatal_error "Invalid IPSEC column value: $ipsec"
|
*)
|
||||||
;;
|
fatal_error "Invalid IPSEC column contents"
|
||||||
esac
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
do_options "" $options
|
do_options "" $options
|
||||||
do_options "_in" $in_options
|
do_options "_in" $in_options
|
||||||
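Review bot: The `No|no)` arm no longer accepts `-`, which the replaced `-|No|no)` arm did, so a legacy /etc/shorewall/ipsec entry that uses `-` as the IPSEC column placeholder now falls through to `fatal_error "Invalid IPSEC column contents"`; nothing in this hunk normalizes `-` first, and the release notes on this page promise that the old ipsec file stays supported, so restore `-|No|no)`. The new message also drops the offending value that the old one printed; `fatal_error "Invalid IPSEC column contents: $type"` keeps the diagnostic useful. A short comment on the new inner `if [ -n "$using_ipsec" ]` would help too, since it is presumably what keeps the `plain`/`ipsec`/`firewall` values of the new-style zones file away from this case: `# TYPE is validated by determine_zones when IPSECFILE=zones; only the legacy ipsec file is checked here`. setup_ipsec continues outside the hunk.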
@ -9000,8 +9048,6 @@ do_initialize() {
|
|||||||
|
|
||||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||||
|
|
||||||
[ -z "$FW" ] && FW=fw
|
|
||||||
|
|
||||||
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
||||||
[ -n "$ALLOWRELATED" ] || \
|
[ -n "$ALLOWRELATED" ] || \
|
||||||
startup_error "ALLOWRELATED=No is not supported"
|
startup_error "ALLOWRELATED=No is not supported"
|
||||||
|
@ -89,6 +89,10 @@ Migration Considerations:
|
|||||||
columns of the /etc/shorewall/ipsec file. The latter file has been
|
columns of the /etc/shorewall/ipsec file. The latter file has been
|
||||||
removed.
|
removed.
|
||||||
|
|
||||||
|
Additionally the FW option in shorewall.conf has been deprecated and
|
||||||
|
is no longer set to 'fw' by default. New users are expected to
|
||||||
|
define the firewall zone in /etc/shorewall/zones.
|
||||||
|
|
||||||
Adhering to the principle of least astonishment, the old
|
Adhering to the principle of least astonishment, the old
|
||||||
/etc/shorewall/ipsec file will continue to be supported. A new
|
/etc/shorewall/ipsec file will continue to be supported. A new
|
||||||
IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
|
IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
|
||||||
@ -113,13 +117,16 @@ Migration Considerations:
|
|||||||
The names "all" and "none" are reserved and may
|
The names "all" and "none" are reserved and may
|
||||||
not beused as zone names.
|
not beused as zone names.
|
||||||
|
|
||||||
IPSEC Yes -- Communication with all zone hosts is
|
TYPE ipsec - Communication with all zone hosts is encrypted
|
||||||
ONLY encrypted. Your kernel and iptables
|
Your kernel and iptables must include policy
|
||||||
must include policy match support.
|
match support.
|
||||||
No -- Communication with some zone hosts may
|
plain - Communication with some zone hosts may be encrypted.
|
||||||
be encrypted. Encrypted hosts are
|
Encrypted hosts are designated using the 'ipsec'
|
||||||
designated using the 'ipsec' option in
|
option in /etc/shorewall/hosts.
|
||||||
/etc/shorewall/hosts.
|
firewall
|
||||||
|
- Designates the firewall itself. You must have
|
||||||
|
exactly one 'firewall' zone. No options are
|
||||||
|
permitted with a 'firewall' zone.
|
||||||
|
|
||||||
OPTIONS, A comma-separated list of options as
|
OPTIONS, A comma-separated list of options as
|
||||||
IN OPTIONS, follows:
|
IN OPTIONS, follows:
|
||||||
@ -226,7 +233,7 @@ Migration Considerations:
|
|||||||
ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
|
ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
|
||||||
information on the rules generated by entries in the tunnels file.
|
information on the rules generated by entries in the tunnels file.
|
||||||
|
|
||||||
10) In previous releases, the "refresh" command would source your tcstart
|
10) In previous releases, the "refresh" command could source your tcstart
|
||||||
script. Beginning with this release, "refresh" will run that script
|
script. Beginning with this release, "refresh" will run that script
|
||||||
if it is executable but will not source it. Users of third-party TC
|
if it is executable but will not source it. Users of third-party TC
|
||||||
scripts like WonderShaper should see no change provided that
|
scripts like WonderShaper should see no change provided that
|
||||||
|
@ -344,11 +344,11 @@ IPSECFILE=zones
|
|||||||
|
|
||||||
# NAME OF THE FIREWALL ZONE
|
# NAME OF THE FIREWALL ZONE
|
||||||
#
|
#
|
||||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
# Name of the firewall zone -- if not set or if set to an empty string, then
|
||||||
# is assumed.
|
# you must include a definition of the firewall zone in /etc/shorewall/zones.
|
||||||
#
|
#
|
||||||
|
|
||||||
FW=fw
|
FW=
|
||||||
|
|
||||||
#
|
#
|
||||||
# ENABLE IP FORWARDING
|
# ENABLE IP FORWARDING
|
||||||
|
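Review bot: The new comment says that with FW unset the firewall zone must be defined in /etc/shorewall/zones, but as far as the determine_zones hunk earlier on this page shows that only holds when IPSECFILE=zones; with the legacy file format determine_zones never sets FW from the file, and since this commit also removes the `FW=fw` fallback from do_initialize, an empty FW then fails with "No Firewall Zone Defined". Suggested wording: `# Name of the firewall zone -- if not set or empty, a zone of type 'firewall' must be defined in /etc/shorewall/zones (requires IPSECFILE=zones). With the legacy zones file format, FW must be set here.`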
@ -11,12 +11,16 @@
|
|||||||
# The names "all" and "none" are reserved and may not be
|
# The names "all" and "none" are reserved and may not be
|
||||||
# used as zone names.
|
# used as zone names.
|
||||||
#
|
#
|
||||||
# IPSEC Yes -- Communication with all zone hosts is encrypted
|
# TYPE ipsec - Communication with all zone hosts is encrypted
|
||||||
# ONLY Your kernel and iptables must include policy
|
# Your kernel and iptables must include policy
|
||||||
# match support.
|
# match support.
|
||||||
# No -- Communication with some zone hosts may be encrypted.
|
# plain - Communication with some zone hosts may be encrypted.
|
||||||
# Encrypted hosts are designated using the 'ipsec'
|
# Encrypted hosts are designated using the 'ipsec'
|
||||||
# option in /etc/shorewall/hosts.
|
# option in /etc/shorewall/hosts.
|
||||||
|
# firewall
|
||||||
|
# - Designates the firewall itself. You must have
|
||||||
|
# exactly one 'firewall' zone. No options are
|
||||||
|
# permitted with a 'firewall' zone.
|
||||||
#
|
#
|
||||||
# OPTIONS, A comma-separated list of options as follows:
|
# OPTIONS, A comma-separated list of options as follows:
|
||||||
# IN OPTIONS,
|
# IN OPTIONS,
|
||||||
@ -65,12 +69,15 @@
|
|||||||
# You have a three interface firewall with internet, local and DMZ
|
# You have a three interface firewall with internet, local and DMZ
|
||||||
# interfaces.
|
# interfaces.
|
||||||
#
|
#
|
||||||
# #ZONE IPSEC OPTIONS IN OUT
|
# #ZONE TYPE OPTIONS IN OUT
|
||||||
|
# # OPTIONS OPTIONS
|
||||||
|
# fw firewall
|
||||||
# net
|
# net
|
||||||
# loc
|
# loc
|
||||||
# dmz
|
# dmz
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ZONE IPSEC OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
# ONLY OPTIONS OPTIONS
|
# OPTIONS OPTIONS
|
||||||
|
fw firewall
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
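Review bot: The header now documents the TYPE column but not the nested-zone form that determine_zones parses in the ZONE column (`zone:parent[,parent...]`, where each parent must already be defined and may not be the firewall zone). The ZONE column description lies above this hunk, so if it is not covered there a line such as `# ZONE Short name of the zone (5 characters or less); may be written zone:parent[,parent] to nest it inside previously-defined zones` belongs in the header, and the release-notes hunk earlier on the page has the same gap.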