More IPv6 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8947 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-perl/Shorewall/Chains.pm

@@ -256,6 +256,7 @@ our $mode;
 our %targets4;
 our %targets6;
 our $targets;
+our $chain_family;
 
 sub use_ipv4_chains() {
     $chain_table  = \%chain_table4;
@@ -263,6 +264,7 @@ sub use_ipv4_chains() {
     $mangle_table = $chain_table->{mangle};
     $filter_table = $chain_table->{filter};
     $targets      = \%targets4;
+    $chain_family = F_INET;
 }    
 
 sub use_ipv6_chains() {
@@ -271,6 +273,7 @@ sub use_ipv6_chains() {
     $mangle_table = $chain_table->{mangle};
     $filter_table = $chain_table->{filter};
     $targets      = \%targets6;
+    $chain_family = F_INET6;
 }    
 
 #
@@ -1979,7 +1982,16 @@ sub expand_rule( $$$$$$$$$$$ )
     if ( $source ) {
 	if ( $source eq '-' ) {
 	    $source = '';
-	} elsif ( $source =~ /^([^:]+):([^:]+)$/ ) {
+	} elsif ( $chain_family == F_INET ) {
+	    if ( $source =~ /^([^:]+):([^:]+)$/ ) {
+		$iiface = $1;
+		$inets  = $2;
+	    } elsif ( $source =~ /\+|~|\..*\./ ) {
+		$inets = $source;
+	    } else {
+		$iiface = $source;
+	    }
+	} elsif ( $source =~ /^([^;]+);([^;]+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
 	} elsif ( $source =~ /\+|~|\..*\./ ) {
@@ -2051,7 +2063,16 @@ sub expand_rule( $$$$$$$$$$$ )
 	    }
 
 	    $dest = '';
-	} elsif ( $dest =~ /^([^:]+):([^:]+)$/ ) {
+	} elsif ( $chain_family == F_INET ) {
+	    if ( $dest =~ /^([^:]+):([^:]+)$/ ) {
+		$diface = $1;
+		$dnets  = $2;
+	    } elsif ( $dest =~ /\+|~|\..*\./ ) {
+		$dnets = $dest;
+	    } else {
+		$diface = $dest;
+	    }
+	} elsif ( $dest =~ /^([^;]+);([^;]+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
 	} elsif ( $dest =~ /\+|~|\..*\./ ) {
@@ -2062,7 +2083,6 @@ sub expand_rule( $$$$$$$$$$$ )
     } else {
 	$dest = '';
     }
-
     #
     # Verify Destination Interface, if any
     #

Shorewall-perl/Shorewall/Compiler.pm

@@ -79,6 +79,7 @@ sub use_ipv4() {
     use_ipv4_chains;
     use_ipv4_interfaces;
     use_ipv4_policies;
+    use_ipv4_rules;
     $family = F_INET;
 }
 
@@ -87,6 +88,7 @@ sub use_ipv6() {
     use_ipv6_chains;
     use_ipv6_interfaces;
     use_ipv6_policies;
+    use_ipv6_rules;
     $family = F_INET;
 }
 
@@ -730,6 +732,124 @@ EOF
     copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
 }
 
+#
+# Process the configuration for the current address family (F_INET or F_INET6)
+#
+sub process_family( $ ) {
+    my $chains = shift;
+    #
+    # Process the interfaces file(s).
+    #
+    validate_interfaces_file ( $globals{EXPORT} );
+    #
+    # Process the hosts file.
+    #
+    validate_hosts_file;
+    #
+    # Report zone contents
+    #
+    zone_report;
+    #
+    # Do action pre-processing.
+    #
+    process_actions1;
+    #
+    # Process the Policy File(s).
+    #
+    validate_policy;
+    #
+    # Compile the 'stop_firewall()' function
+    #
+    compile_stop_firewall;
+    #
+    # Start Second Part of script
+    #
+    generate_script_2 unless $command eq 'check';
+    #
+    # Do all of the zone-independent stuff
+    #
+    add_common_rules;
+    #
+    # /proc stuff
+    #
+    setup_arp_filtering;
+    setup_route_filtering;
+    setup_martian_logging;
+    setup_source_routing;
+    #
+    # Proxy Arp
+    #
+    setup_proxy_arp;
+    #
+    # Handle MSS setings in the zones file
+    #
+    setup_zone_mss;
+    #
+    # [Re-]establish Routing
+    #
+    setup_providers;
+    #
+    # TOS
+    #
+    process_tos 'tos';
+    #
+    # ECN
+    #
+    setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
+    #
+    # MACLIST Filtration
+    #
+    setup_mac_lists 1;
+    #
+    # Process the rules file.
+    #
+    process_rules;
+    #
+    # Add Tunnel rules.
+    #
+    setup_tunnels;
+    #
+    # Post-rules action processing.
+    #
+    process_actions2;
+    process_actions3;
+    #
+    # MACLIST Filtration again
+    #
+    setup_mac_lists 2;
+    #
+    # Apply Policies
+    #
+    apply_policy_rules;
+    #
+    # TCRules and Traffic Shaping
+    #
+    setup_tc;
+    #
+    # Setup Nat
+    #
+    setup_nat;
+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
+    #
+    # Accounting.
+    #
+    setup_accounting;
+    #
+    # We generate the matrix even though we don't write out the rules. That way, we insure that
+    # a compile of the script won't blow up during that step.
+    #
+    generate_matrix;
+
+    generate_script_3( $chains ) unless $command eq 'check';
+}
+
 #
 #  The Compiler.
 #
@@ -816,126 +936,17 @@ sub compiler {
     # Process the zones file.
     #
     determine_zones;
-    #
-    # Process the interfaces file(s).
-    #
+
     use_ipv4;
-    validate_interfaces_file ( 'interfaces', $export );
-    #
-    # Process the hosts file.
-    #
-    my $ipsec = validate_hosts_file( 'hosts' );
-
-    $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
-    #
-    # Report zone contents
-    #
-    zone_report;
-    #
-    # Do action pre-processing.
-    #
-    process_actions1;
-    #
-    # Process the Policy File(s).
-    #
-    validate_policy 'policy';
-    #
-    # Compile the 'stop_firewall()' function
-    #
-    compile_stop_firewall;
-    #
-    # Start Second Part of script
-    #
-    generate_script_2 unless $command eq 'check';
-    #
-    # Do all of the zone-independent stuff
-    #
-    add_common_rules;
-    #
-    # /proc stuff
-    #
-    setup_arp_filtering;
-    setup_route_filtering;
-    setup_martian_logging;
-    setup_source_routing;
-    #
-    # Proxy Arp
-    #
-    setup_proxy_arp;
-    #
-    # Handle MSS setings in the zones file
-    #
-    setup_zone_mss;
-    #
-    # [Re-]establish Routing
-    #
-    setup_providers;
-    #
-    # TOS
-    #
-    process_tos;
-    #
-    # ECN
-    #
-    setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
-    #
-    setup_masq;
-    #
-    # MACLIST Filtration
-    #
-    setup_mac_lists 1;
-    #
-    # Process the rules file.
-    #
-    process_rules;
-    #
-    # Add Tunnel rules.
-    #
-    setup_tunnels;
-    #
-    # Post-rules action processing.
-    #
-    process_actions2;
-    process_actions3;
-    #
-    # MACLIST Filtration again
-    #
-    setup_mac_lists 2;
-    #
-    # Apply Policies
-    #
-    apply_policy_rules;
-    #
-    # TCRules and Traffic Shaping
-    #
-    setup_tc;
-    #
-    # Setup Nat
-    #
-    setup_nat;
-    #
-    # Setup NETMAP
-    #
-    setup_netmap;
-    #
-    # Accounting.
-    #
-    setup_accounting;
-    #
-    # We generate the matrix even though we don't write out the rules. That way, we insure that
-    # a compile of the script won't blow up during that step.
-    #
-    generate_matrix;
 
+    process_family $chains;
+    
     if ( $command eq 'check' ) {
 	progress_message3 "Shorewall configuration verified";
     } else {
 	#
 	# Finish the script.
 	#
-	generate_script_3( $chains );
 	finalize_object ( $export );
 	#
 	# And generate the auxilary config file

Shorewall-perl/Shorewall/Config.pm

@@ -1928,14 +1928,14 @@ sub get_configuration( $ ) {
 	} elsif ( $config{IPV6} =~ /keep/i ) {
 	    $config{IPV6} = '';
 	}
+    } else {
+	$config{IPV6} = 'Off';
     }
 
     default_yes_no 'DISABLE_IPV6' , '';
 
     fatal_error "Incompatible settings of IPV6 (On) and DISABLE_IPV6 (Yes)" if $config{IPV6} eq 'On' && $config{DISABLE_IPV6} eq 'Yes';
 
-    $config{IPV6} = $config{DISABLE_IPV6} ? 'Off' : '' unless defined $config{IPV6};
-
     unsupported_yes_no 'DYNAMIC_ZONES';
     unsupported_yes_no 'BRIDGING';
     unsupported_yes_no 'SAVE_IPSETS';

Shorewall-perl/Shorewall/Policy.pm

@@ -169,9 +169,8 @@ sub print_policy($$$$) {
     }
 }
 
-sub validate_policy( $ )
+sub validate_policy()
 {
-    my $filename = shift;
     my %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
@@ -223,7 +222,7 @@ sub validate_policy( $ )
 	}
     }
 
-    my $fn = open_file $filename;
+    my $fn = open_file( $policy_family == F_INET ? 'policy' : '6policy');
 
     first_entry "$doing $fn...";
 

Shorewall-perl/Shorewall/Rules.pm

@@ -35,7 +35,9 @@ use Shorewall::Proc;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( process_tos
+our @EXPORT = qw( use_ipv4_rules
+		  use_ipv6_rules
+		  process_tos
 		  setup_ecn
 		  add_common_rules
 		  setup_mac_lists
@@ -55,6 +57,7 @@ our $sectioned;
 our $macro_nest_level;
 our $current_param;
 our @param_stack;
+our $rules_family;
 
 #
 # When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
@@ -63,6 +66,14 @@ our @param_stack;
 my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
+sub use_ipv4_rules() {
+    $rules_family = F_INET;
+}
+
+sub use_ipv6_rules() {
+    $rules_family = F_INET6;
+}
+
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
@@ -77,6 +88,7 @@ sub initialize() {
     $macro_nest_level = 0;
     $current_param = '';
     @param_stack = ();
+    use_ipv4_rules;
 }
 
 INIT {
@@ -85,7 +97,8 @@ INIT {
 
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
-sub process_tos() {
+sub process_tos( $ ) {
+    my $filename = shift;
     my $chain    = $capabilities{MANGLE_FORWARD} ? 'fortos'  : 'pretos';
     my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
 
@@ -95,7 +108,7 @@ sub process_tos() {
 		       'minimize-cost'        => 0x02 ,
 		       'normal-service'       => 0x00 );
 
-    if ( my $fn = open_file 'tos' ) {
+    if ( my $fn = open_file $filename ) {
 	my $first_entry = 1;
 	
 	my ( $pretosref, $outtosref );
@@ -121,8 +134,10 @@ sub process_tos() {
 
 	    my $restriction = NO_RESTRICT;
 
-	    my ( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
+	    my ( $srczone , $source , $remainder );
 
+	    ( $srczone , $source , $remainder ) = split( $rules_family == F_INET ? /:/ : /;/, $src, 3 );
+	    
 	    fatal_error 'Invalid SOURCE' if defined $remainder;
 
 	    if ( $srczone eq firewall_zone ) {
@@ -267,8 +282,8 @@ sub setup_rfc1918_filteration( $ ) {
     }
 }
 
-sub setup_blacklist() {
-
+sub setup_blacklist( $ ) {
+    my $filename = shift;
     my $hosts = find_hosts_by_option 'blacklist';
     my $chainref;
     my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
@@ -290,7 +305,7 @@ sub setup_blacklist() {
 
   BLACKLIST:
     {
-	if ( my $fn = open_file 'blacklist' ) {
+	if ( my $fn = open_file $filename ) {
 
 	    my $first_entry = 1;
 	    
@@ -516,7 +531,7 @@ sub add_common_rules() {
 
     run_user_exit1 'initdone';
 
-    setup_blacklist;
+    setup_blacklist 'blacklist';
 
     $list = find_hosts_by_option 'nosmurfs';
 
@@ -699,7 +714,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	my $fn = open_file 'maclist';
+	my $fn = open_file( $rules_family == F_INET ? 'maclist' : '6maclist');
 
 	first_entry "$doing $fn...";
 

Shorewall-perl/Shorewall/Zones.pm

@@ -152,12 +152,14 @@ our $interface_list;
 our $interface_table;
 our $bport_zones;
 our $zone_family;
+our $zone_family_name;
 
 sub use_ipv4_interfaces() {
     $interface_list = \@interfaces4;
     $interface_table = \%interfaces4;
     $bport_zones = \@bport_zones4;
     $zone_family = F_INET;
+    $zone_family_name = 'IPv4';
 }
 
 sub use_ipv6_interfaces() {
@@ -165,6 +167,7 @@ sub use_ipv6_interfaces() {
     $interface_table = \%interfaces6;
     $bport_zones = \@bport_zones6;
     $zone_family = F_INET6;
+    $zone_family_name = 'IPv6';
 }
 
 #
@@ -401,51 +404,6 @@ sub haveipseczones() {
     0;
 }
 
-#
-# Report about zones.
-#
-sub zone_report()
-{
-    progress_message2 "Determining Hosts in Zones...";
-
-    for my $zone ( @zones )
-    {
-	my $zoneref   = $zones{$zone};
-	my $hostref   = $zoneref->{hosts};
-	my $type      = $zoneref->{type};
-	my $optionref = $zoneref->{options};
-
-	progress_message "   $zone ($type)";
-
-	my $printed = 0;
-
-	if ( $hostref ) {
-	    for my $type ( sort keys %$hostref ) {
-		my $interfaceref = $hostref->{$type};
-
-		for my $interface ( sort keys %$interfaceref ) {
-		    my $arrayref = $interfaceref->{$interface};
-		    for my $groupref ( @$arrayref ) {
-			my $hosts     = $groupref->{hosts};
-			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
-			    progress_message "      $interface:$grouplist";
-			    $printed = 1;
-			}
-		    }
-
-		}
-	    }
-	}
-
-	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type =~ /^bport*/ && ! $zoneref->{bridge};
-	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall';
-	}
-
-    }
-}
-
 sub dump_zone_contents()
 {
     for my $zone ( @zones )
@@ -605,13 +563,58 @@ sub firewall_zone() {
     $firewall_zone;
 }
 
+#
+# Report about zones.
+#
+sub zone_report()
+{
+    progress_message2 "Determining Hosts in $zone_family_name Zones...";
+
+    for my $zone ( all_zones )
+    {
+	my $zoneref   = $zones{$zone};
+	my $hostref   = $zoneref->{hosts};
+	my $type      = $zoneref->{type};
+	my $optionref = $zoneref->{options};
+
+	progress_message "   $zone ($type)";
+
+	my $printed = 0;
+
+	if ( $hostref ) {
+	    for my $type ( sort keys %$hostref ) {
+		my $interfaceref = $hostref->{$type};
+
+		for my $interface ( sort keys %$interfaceref ) {
+		    my $arrayref = $interfaceref->{$interface};
+		    for my $groupref ( @$arrayref ) {
+			my $hosts     = $groupref->{hosts};
+			if ( $hosts ) {
+			    my $grouplist = join ',', ( @$hosts );
+			    progress_message "      $interface:$grouplist";
+			    $printed = 1;
+			}
+		    }
+
+		}
+	    }
+	}
+
+	unless ( $printed ) {
+	    fatal_error "No bridge has been associated with zone $zone" if $type =~ /^bport*/ && ! $zoneref->{bridge};
+	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall';
+	}
+
+    }
+}
+
 #
 # Parse the interfaces file.
 #
 
-sub validate_interfaces_file( $$ )
+sub validate_interfaces_file( $ )
 {
-    my ( $filename, $export ) = @_;
+    my $export = shift;
     my $num    = 0;
 
     use constant { SIMPLE_IF_OPTION   => 1,
@@ -654,7 +657,7 @@ sub validate_interfaces_file( $$ )
 						    mss         => NUMERIC_IF_OPTION,
 						   );
 
-    my $fn = open_file $filename;
+    my $fn = open_file ($zone_family == F_INET ? 'interfaces' : '6interfaces');
 
     my $first_entry = 1;
 
@@ -974,10 +977,8 @@ sub set_interface_option( $$$ ) {
 #
 # Validates the hosts file. Generates entries in %zone{..}{hosts}
 #
-sub validate_hosts_file( $ )
+sub validate_hosts_file()
 {
-    my $filename = shift;
-
     my %validoptions = (
 			blacklist => 1,
 			maclist => 1,
@@ -994,7 +995,7 @@ sub validate_hosts_file( $ )
     my $ipsec = 0;
     my $first_entry = 1;
 
-    my $fn = open_file $filename;
+    my $fn = open_file ($zone_family == F_INET ? 'hosts' : '6hosts');
 
     while ( read_a_line ) {
 
@@ -1013,7 +1014,16 @@ sub validate_hosts_file( $ )
 
 	my $interface;
 
-	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
+	if ( $zone_family == F_INET ) {
+	    if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
+		$interface = $1;
+		$hosts = $2;
+		$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+		fatal_error "Unknown interface ($interface)" unless $interface_table->{$interface}{root};
+	    } else {
+		fatal_error "Invalid HOST(S) column contents: $hosts";
+	    }
+	} elsif ( $hosts =~ /^([\w.@%-]+\+?);(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
@@ -1073,7 +1083,7 @@ sub validate_hosts_file( $ )
 	progress_message "   Host \"$currentline\" validated";
     }
 
-    return $ipsec;
+    $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
 }
 
 #