Tighten zone-definition checking

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1219 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-03-20 17:21:15 +00:00
parent a232826ac1
commit f857af963e
4 changed files with 32 additions and 2 deletions

View File

@ -15,3 +15,5 @@ Changes since 2.0.0
7) Add -x option to /sbin/shorewall. 7) Add -x option to /sbin/shorewall.
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
9) Improve zone-definition checking.

View File

@ -587,6 +587,10 @@ determine_hosts() {
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
if list_search $interface $interfaces; then if list_search $interface $interfaces; then
list_search $interface:0.0.0.0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
list_search $interface:0/0 $hosts && \
startup_error "Invalid zone definition for zone $zone"
eval ${zone}_is_complex=Yes eval ${zone}_is_complex=Yes
else else
if [ -z "$interfaces" ]; then if [ -z "$interfaces" ]; then
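Review bot: the new check in determine_hosts() only recognises two literal spellings of the all-hosts entry, `$interface:0.0.0.0/0` and `$interface:0/0`, so any other spelling of the same address range slips through; if the hosts list is built from a known canonical form, a comment saying so would justify the two string comparisons, otherwise normalise the entry before searching. The two `startup_error` calls also carry an identical message that names only the zone, which leaves the user to guess which interface is defined in both files; one call such as `startup_error "Invalid zone definition for zone $zone: interface $interface is in both the interfaces and hosts files"` after a combined test would be shorter and far easier to diagnose.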
@ -616,6 +620,13 @@ validate_zone() # $1 = zone
{ {
list_search $1 $zones $FW list_search $1 $zones $FW
} }
#
# Ensure that the passed zone is defined in the zones file.
#
validate_zone1() # $1 = zone
{
list_search $1 $zones
}
# #
# Validate the zone names and options in the interfaces file # Validate the zone names and options in the interfaces file
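Review bot: `validate_zone1` is an uninformative name, and its header comment ("Ensure that the passed zone is defined in the zones file") does not say what distinguishes it from `validate_zone` directly above it, namely that it omits `$FW` and therefore rejects the firewall zone. A descriptive name (for example `validate_non_fw_zone`) and a comment stating "like validate_zone but the firewall zone is not accepted" would make the intent clear to the next reader of this file.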
@ -701,7 +712,7 @@ validate_hosts_file() {
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%%:*} interface=${hosts%%:*}
iface=$(chain_base $interface) iface=$(chain_base $interface)
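Review bot: with `validate_zone1` in validate_hosts_file(), a hosts record naming the firewall zone now fails with the generic `Invalid zone ($z) in record "$r"` message, which does not tell the user that the zone exists but is simply not permitted in this file. Since this is one of the two errors the change is meant to trap, consider testing `[ "$z" = "$FW" ]` first and reporting it distinctly, e.g. `startup_error "The firewall zone ($FW) may not appear in /etc/shorewall/hosts (record \"$r\")"`, and keep the existing message for zones that are genuinely undefined.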

View File

@ -5,7 +5,11 @@
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
# #
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. # IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
# #------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or # This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to # individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file. # (should not) place anything in this file.
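Review bot: the added header text states the rule (no entry in this file for a zone and interface already paired in /etc/shorewall/interfaces) but not what happens when it is broken; a short sentence noting that such a configuration is now rejected at startup with "Invalid zone definition" would let someone who hits the error connect it back to this file without searching the code.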

View File

@ -72,4 +72,17 @@ New Features:
shorewall -x status shorewall -x status
shorewall -x monitor [ <interval> ] shorewall -x monitor [ <interval> ]
4) Shorewall now traps two common zone definition errors:
- Including the firewall zone in a /etc/shorewall/hosts record.
- Defining a interface for a zone in both /etc/shorewall/interfaces
and /etc/shorewall/hosts.
In the second case, the following will appear during "shorewall
[re]start" or "shorewall check":
Determining Hosts in Zones...
...
Error: Invalid zone definition for zone <name of zone>
Terminated
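Review bot: in the release notes, "Defining a interface" should read "Defining an interface". The notes also show the output only for the second case; since the first case (firewall zone in a hosts record) produces a different message from validate_hosts_file(), `Invalid zone (<name>) in record "..."`, showing that line too, in the same style, would save users a trip to the source when they see it.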