mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 15:48:56 +01:00
Tighten zone-definition checking
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1219 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a232826ac1
commit
f857af963e
@ -15,3 +15,5 @@ Changes since 2.0.0
|
|||||||
7) Add -x option to /sbin/shorewall.
|
7) Add -x option to /sbin/shorewall.
|
||||||
|
|
||||||
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
|
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
|
||||||
|
|
||||||
|
9) Improve zone-definition checking.
|
||||||
|
@ -587,6 +587,10 @@ determine_hosts() {
|
|||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
interface=${host%:*}
|
interface=${host%:*}
|
||||||
if list_search $interface $interfaces; then
|
if list_search $interface $interfaces; then
|
||||||
|
list_search $interface:0.0.0.0/0 $hosts && \
|
||||||
|
startup_error "Invalid zone definition for zone $zone"
|
||||||
|
list_search $interface:0/0 $hosts && \
|
||||||
|
startup_error "Invalid zone definition for zone $zone"
|
||||||
eval ${zone}_is_complex=Yes
|
eval ${zone}_is_complex=Yes
|
||||||
else
|
else
|
||||||
if [ -z "$interfaces" ]; then
|
if [ -z "$interfaces" ]; then
|
||||||
@ -616,6 +620,13 @@ validate_zone() # $1 = zone
|
|||||||
{
|
{
|
||||||
list_search $1 $zones $FW
|
list_search $1 $zones $FW
|
||||||
}
|
}
|
||||||
|
#
|
||||||
|
# Ensure that the passed zone is defined in the zones file.
|
||||||
|
#
|
||||||
|
validate_zone1() # $1 = zone
|
||||||
|
{
|
||||||
|
list_search $1 $zones
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Validate the zone names and options in the interfaces file
|
# Validate the zone names and options in the interfaces file
|
||||||
@ -701,7 +712,7 @@ validate_hosts_file() {
|
|||||||
while read z hosts options; do
|
while read z hosts options; do
|
||||||
expandv z hosts options
|
expandv z hosts options
|
||||||
r="$z $hosts $options"
|
r="$z $hosts $options"
|
||||||
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||||
|
|
||||||
interface=${hosts%%:*}
|
interface=${hosts%%:*}
|
||||||
iface=$(chain_base $interface)
|
iface=$(chain_base $interface)
|
||||||
|
@ -5,7 +5,11 @@
|
|||||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||||
#
|
#
|
||||||
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
||||||
#
|
#------------------------------------------------------------------------------
|
||||||
|
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
|
||||||
|
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
|
||||||
|
# ZONE AND INTERFACE IN THIS FILE.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
# This file is used to define zones in terms of subnets and/or
|
# This file is used to define zones in terms of subnets and/or
|
||||||
# individual IP addresses. Most simple setups don't need to
|
# individual IP addresses. Most simple setups don't need to
|
||||||
# (should not) place anything in this file.
|
# (should not) place anything in this file.
|
||||||
|
@ -72,4 +72,17 @@ New Features:
|
|||||||
shorewall -x status
|
shorewall -x status
|
||||||
shorewall -x monitor [ <interval> ]
|
shorewall -x monitor [ <interval> ]
|
||||||
|
|
||||||
|
4) Shorewall now traps two common zone definition errors:
|
||||||
|
|
||||||
|
- Including the firewall zone in a /etc/shorewall/hosts record.
|
||||||
|
- Defining a interface for a zone in both /etc/shorewall/interfaces
|
||||||
|
and /etc/shorewall/hosts.
|
||||||
|
|
||||||
|
In the second case, the following will appear during "shorewall
|
||||||
|
[re]start" or "shorewall check":
|
||||||
|
|
||||||
|
Determining Hosts in Zones...
|
||||||
|
...
|
||||||
|
Error: Invalid zone definition for zone <name of zone>
|
||||||
|
Terminated
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user