holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Use 'our' for globals to aid debugging.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-12-23 13:16:54 -08:00
parent bd563ae9b7
commit 15817078b8
12 changed files with 267 additions and 255 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -40,18 +40,18 @@ our $VERSION = 'MODULEVERSION';
#
# Per-IP accounting tables. Each entry contains the associated network.
#
my %tables;
our %tables;
my $jumpchainref;
my %accountingjumps;
my $asection;
my $defaultchain;
my $ipsecdir;
my $defaultrestriction;
my $restriction;
my $accounting_commands = { COMMENT => 0, SECTION => 2 };
my $sectionname;
my $acctable;
our $jumpchainref;
our %accountingjumps;
our $asection;
our $defaultchain;
our $ipsecdir;
our $defaultrestriction;
our $restriction;
our $accounting_commands = { COMMENT => 0, SECTION => 2 };
our $sectionname;
our $acctable;
#
# Sections in the Accounting File

116
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -332,8 +332,8 @@ our $rawpost_table;
our $nat_table;
our $mangle_table;
our $filter_table;
my $export;
my %renamed;
our $export;
our %renamed;
our %nfobjects;
#
@ -375,14 +375,14 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
#
# See initialize() below for additional comments on these variables
#
my $iprangematch;
my %chainseq;
my $idiotcount;
my $idiotcount1;
my $hashlimitset;
my $global_variables;
my %address_variables;
my $ipset_rules;
our $iprangematch;
our %chainseq;
our $idiotcount;
our $idiotcount1;
our $hashlimitset;
our $global_variables;
our %address_variables;
our $ipset_rules;
#
# Determines the commands for which a particular interface-oriented shell variable needs to be set
@ -434,18 +434,18 @@ our %tosmap = ( 'Minimize-Delay' => 0x10,
#
# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
#
my %interfaceaddr; # First interface address
my %interfaceaddrs; # All interface addresses
my %interfacenets; # Networks routed out of the interface
my %interfacemacs; # Interface MAC
my %interfacebcasts; # Broadcast addresses associated with the interface (IPv4)
my %interfaceacasts; # Anycast addresses associated with the interface (IPv6)
my %interfacegateways; # Gateway of default route out of the interface
our %interfaceaddr; # First interface address
our %interfaceaddrs; # All interface addresses
our %interfacenets; # Networks routed out of the interface
our %interfacemacs; # Interface MAC
our %interfacebcasts; # Broadcast addresses associated with the interface (IPv4)
our %interfaceacasts; # Anycast addresses associated with the interface (IPv6)
our %interfacegateways; # Gateway of default route out of the interface
#
# Built-in Chains
#
my @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
#
# Mode of the emitter (part of this module that converts rules in the chain table into iptables-restore input)
@ -454,7 +454,7 @@ use constant { NULL_MODE => 0 , # Emitting neither shell commands nor iptables
CAT_MODE => 1 , # Emitting iptables-restore input
CMD_MODE => 2 }; # Emitting shell commands.
my $mode;
our $mode;
#
# Address Family
#
@ -463,7 +463,7 @@ our $family;
#
# These are the current builtin targets
#
my %builtin_target = ( ACCEPT => 1,
our %builtin_target = ( ACCEPT => 1,
ACCOUNT => 1,
AUDIT => 1,
CHAOS => 1,
@ -518,7 +518,7 @@ my %builtin_target = ( ACCEPT => 1,
ULOG => 1,
);
my %ipset_exists;
our %ipset_exists;
#
# Rules are stored in an internal form
@ -549,55 +549,55 @@ use constant { UNIQUE => 1,
MATCH => 8,
CONTROL => 16 };
my %opttype = ( rule => CONTROL,
cmd => CONTROL,
our %opttype = ( rule => CONTROL,
cmd => CONTROL,
dhcp => UNIQUE,
dhcp => UNIQUE,
mode => CONTROL,
cmdlevel => CONTROL,
simple => CONTROL,
mode => CONTROL,
cmdlevel => CONTROL,
simple => CONTROL,
i => UNIQUE,
s => UNIQUE,
o => UNIQUE,
d => UNIQUE,
p => UNIQUE,
dport => UNIQUE,
sport => UNIQUE,
'icmp-type' => UNIQUE,
'icmpv6-type' => UNIQUE,
i => UNIQUE,
s => UNIQUE,
o => UNIQUE,
d => UNIQUE,
p => UNIQUE,
dport => UNIQUE,
sport => UNIQUE,
'icmp-type' => UNIQUE,
'icmpv6-type' => UNIQUE,
comment => CONTROL,
comment => CONTROL,
policy => MATCH,
state => EXCLUSIVE,
policy => MATCH,
state => EXCLUSIVE,
jump => TARGET,
target => TARGET,
targetopts => TARGET,
);
jump => TARGET,
target => TARGET,
targetopts => TARGET,
);
my %aliases = ( protocol => 'p',
source => 's',
destination => 'd',
jump => 'j',
goto => 'g',
'in-interface' => 'i',
'out-interface' => 'o',
dport => 'dport',
sport => 'sport',
'icmp-type' => 'icmp-type',
'icmpv6-type' => 'icmpv6-type',
);
our %aliases = ( protocol => 'p',
source => 's',
destination => 'd',
jump => 'j',
goto => 'g',
'in-interface' => 'i',
'out-interface' => 'o',
dport => 'dport',
sport => 'sport',
'icmp-type' => 'icmp-type',
'icmpv6-type' => 'icmpv6-type',
);
my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
our @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
my %isocodes;
our %isocodes;
use constant { ISODIR => '/usr/share/xt_geoip/LE' };
my %switches;
our %switches;
#
# Rather than initializing globals in an INIT block or during declaration,

6
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -44,11 +44,11 @@ our @EXPORT = qw( compiler );
our @EXPORT_OK = qw( $export );
our $VERSION = 'MODULEVERSION';
my $export;
our $export;
my $test;
our $test;
my $family;
our $family;
#
# Initilize the package-globals in the other modules

106
Shorewall/Perl/Shorewall/Config.pm
View File

@ -209,51 +209,51 @@ our ($command, $doing, $done );
#
# VERBOSITY
#
my $verbosity;
our $verbosity;
#
# Logging
#
my ( $log, $log_verbosity );
our ( $log, $log_verbosity );
#
# Timestamp each progress message, if true.
#
my $timestamp;
our $timestamp;
#
# Script (output) file handle
#
my $script;
our $script;
#
# When 'true', writes to the script are enabled. Used to catch code emission between functions
#
my $script_enabled;
our $script_enabled;
#
# True, if last line emitted is blank
#
my $lastlineblank;
our $lastlineblank;
#
# Tabs to indent the output
#
my $indent1;
our $indent1;
#
# Characters to indent the output
#
my $indent2;
our $indent2;
#
# Total indentation
#
my $indent;
our $indent;
#
# Script's Directory and File
#
my ( $dir, $file );
our ( $dir, $file );
#
# Temporary output file's name
#
my $tempfile;
our $tempfile;
#
# Fully qualified name of the configuration file
#
my $configfile;
our $configfile;
#
# Misc Globals exported to other modules
#
@ -265,19 +265,19 @@ our %config;
#
# Entries in shorewall.conf that have been renamed
#
my %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT' );
our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT' );
#
# Config options and global settings that are to be copied to output script
#
my @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
#
# From parsing the capabilities file or detecting capabilities
#
my %capabilities;
our %capabilities;
#
# Capabilities
#
my %capdesc = ( NAT_ENABLED => 'NAT',
our %capdesc = ( NAT_ENABLED => 'NAT',
MANGLE_ENABLED => 'Packet Mangling',
MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match',
@ -461,62 +461,62 @@ our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISP
#
# Directories to search for configuration files
#
my @config_path;
our @config_path;
#
# Stash away file references here when we encounter INCLUDE
#
my @includestack;
our @includestack;
#
# Allow nested opens
#
my @openstack;
our @openstack;
#
# From the params file
#
my %params;
our %params;
#
# Entries that the compiler adds to %params
#
my %compiler_params;
our %compiler_params;
#
# Action parameters
#
our %actparms;
our $currentline; # Current config file line image
my $currentfile; # File handle reference
our $currentfile; # File handle reference
our $currentfilename; # File NAME
my $currentlinenumber; # Line number
my $perlscript; # File Handle Reference to current temporary file being written by an in-line Perl script
my $perlscriptname; # Name of that file.
my $embedded; # True if we're in an embedded perl script
my @tempfiles; # Files that need unlinking at END
my $first_entry; # Message to output or function to call on first non-blank line of a file
our $currentlinenumber; # Line number
our $perlscript; # File Handle Reference to current temporary file being written by an in-line Perl script
our $perlscriptname; # Name of that file.
our $embedded; # True if we're in an embedded perl script
our @tempfiles; # Files that need unlinking at END
our $first_entry; # Message to output or function to call on first non-blank line of a file
our $file_format; # Format of configuration file.
my $max_format; # Max format value
our $max_format; # Max format value
our $comment; # Current COMMENT
my @comments;
my $comments_allowed;
my $warningcount;
my $warningcount1;
my $warningcount2;
our @comments;
our $comments_allowed;
our $warningcount;
our $warningcount1;
our $warningcount2;
my $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
our $shorewall_dir; # Shorewall Directory; if non-empty, search here first for files.
our $debug; # Global debugging flag
my $confess; # If true, use Carp to report errors with stack trace.
our $confess; # If true, use Carp to report errors with stack trace.
our $family; # Protocol family (4 or 6)
our $toolname; # Name of the tool to use (iptables or iptables6)
my $toolNAME; # Tool name in CAPS
our $toolNAME; # Tool name in CAPS
our $product; # Name of product that will run the generated script
our $Product; # $product with initial cap.
our $sillyname; # Name of temporary filter chains for testing capabilities
our $sillyname1;
my $iptables; # Path to iptables/ip6tables
my $tc; # Path to tc
my $ip; # Path to ip
our $iptables; # Path to iptables/ip6tables
our $tc; # Path to tc
our $ip; # Path to ip
my $shell; # Type of shell that processed the params file
@ -530,28 +530,28 @@ use constant { MIN_VERBOSITY => -1,
F_IPV6 => 6,
};
my %validlevels; # Valid log levels.
our %validlevels; # Valid log levels.
#
# Deprecated options with their default values
#
my %deprecated = ( LOGRATE => '' ,
LOGBURST => '' ,
EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no'
);
our %deprecated = ( LOGRATE => '' ,
LOGBURST => '' ,
EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no'
);
#
# Deprecated options that are eliminated via update
#
my %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1 );
our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1 );
#
# Variables involved in ?IF, ?ELSE ?ENDIF processing
#
my $omitting;
my @ifstack;
my $ifstack;
our $omitting;
our @ifstack;
our $ifstack;
#
# Entries on the ifstack are a 4-tuple:
#
@ -577,7 +577,7 @@ use constant { PLAIN_READ => 0, # No read_a_line options
NORMAL_READ => -1 # All options
};
my %variables; # Symbol table for expanding shell variables
our %variables; # Symbol table for expanding shell variables
sub process_shorewallrc($$);
sub add_variables( \% );

30
Shorewall/Perl/Shorewall/IPAddrs.pm
View File

@ -79,20 +79,20 @@ our $VERSION = 'MODULEVERSION';
#
# Some IPv4/6 useful stuff
#
my @allipv4 = ( '0.0.0.0/0' );
my @allipv6 = ( '::/0' );
my $allip;
my @allip;
my @nilipv4 = ( '0.0.0.0' );
my @nilipv6 = ( '::' );
my $nilip;
my @nilip;
my $valid_address;
my $validate_address;
my $validate_net;
my $validate_range;
my $validate_host;
my $family;
our @allipv4 = ( '0.0.0.0/0' );
our @allipv6 = ( '::/0' );
our $allip;
our @allip;
our @nilipv4 = ( '0.0.0.0' );
our @nilipv6 = ( '::' );
our $nilip;
our @nilip;
our $valid_address;
our $validate_address;
our $validate_net;
our $validate_range;
our $validate_host;
our $family;
use constant { ALLIPv4 => '0.0.0.0/0' ,
ALLIPv6 => '::/0' ,
@ -109,7 +109,7 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_SITE_ALLRTRS => 'ff02::2' ,
};
my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
#
# Note: initialize() is declared at the bottom of the file

2
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -48,7 +48,7 @@ our @EXPORT = qw( process_tos
our @EXPORT_OK = qw( initialize );
our $VERSION = 'MODULEVERSION';
my $family;
our $family;
#
# Rather than initializing globals in an INIT block or during declaration,

4
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -42,8 +42,8 @@ Exporter::export_ok_tags('rules');
our $VERSION = 'MODULEVERSION';
my @addresses_to_add;
my %addresses_to_add;
our @addresses_to_add;
our %addresses_to_add;
#
# Called by the compiler

32
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -53,28 +53,28 @@ use constant { LOCAL_TABLE => 255,
UNSPEC_TABLE => 0
};
my @routemarked_providers;
my %routemarked_interfaces;
our @routemarked_providers;
our %routemarked_interfaces;
our @routemarked_interfaces;
my %provider_interfaces;
my @load_providers;
my @load_interfaces;
our %provider_interfaces;
our @load_providers;
our @load_interfaces;
my $balancing;
my $fallback;
my $metrics;
my $first_default_route;
my $first_fallback_route;
my $maxload;
my $tproxies;
our $balancing;
our $fallback;
our $metrics;
our $first_default_route;
our $first_fallback_route;
our $maxload;
our $tproxies;
my %providers;
our %providers;
my @providers;
our @providers;
my $family;
our $family;
my $lastmark;
our $lastmark;
use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };

11
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -36,7 +36,16 @@ our @EXPORT = qw( setup_conntrack );
our @EXPORT_OK = qw( handle_helper_rule );
our $VERSION = 'MODULEVERSION';
my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
our %valid_ctevent = ( new => 1,
related => 1,
destroy => 1,
reply => 1,
assured => 1,
protoinfo => 1,
helper => 1,
mark => 1,
natseqinfo => 1,
secmark => 1 );
#
# Notrack

70
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -58,72 +58,72 @@ our $VERSION = 'MODULEVERSION';
#
# Globals are documented in the initialize() function
#
my %sections;
our %sections;
my $section;
our $section;
my @policy_chains;
our @policy_chains;
my %default_actions;
our %default_actions;
my %macros;
our %macros;
our $family;
my @builtins;
our @builtins;
#
# Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
#
my $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
my $macro_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
our $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
our $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
our $macro_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
my %rulecolumns = ( action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
origdest => 6,
rate => 7,
user => 8,
mark => 9,
connlimit => 10,
time => 11,
headers => 12,
switch => 13,
helper => 14,
);
our %rulecolumns = ( action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
origdest => 6,
rate => 7,
user => 8,
mark => 9,
connlimit => 10,
time => 11,
headers => 12,
switch => 13,
helper => 14,
);
use constant { MAX_MACRO_NEST_LEVEL => 10 };
my $macro_nest_level;
our $macro_nest_level;
my @actionstack;
my %active;
our @actionstack;
our %active;
# Action Table
#
# %actions{ actchain => used to eliminate collisions }
#
my %actions;
our %actions;
#
# Inline Action Table
#
my %inlines;
our %inlines;
#
# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
#
my %usedactions;
our %usedactions;
#
# Policies for which AUDIT is allowed
#
my %auditpolicies = ( ACCEPT => 1,
DROP => 1,
REJECT => 1
);
our %auditpolicies = ( ACCEPT => 1,
DROP => 1,
REJECT => 1
);
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:

44
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -86,7 +86,7 @@ use constant { NOMARK => 0 ,
HIGHMARK => 2
};
my %flow_keys = ( 'src' => 1,
our %flow_keys = ( 'src' => 1,
'dst' => 1,
'proto' => 1,
'proto-src' => 1,
@ -104,15 +104,15 @@ my %flow_keys = ( 'src' => 1,
'sk-gid' => 1,
'vlan-tag' => 1 );
my %designator = ( F => 'tcfor' ,
T => 'tcpost' );
our %designator = ( F => 'tcfor' ,
T => 'tcpost' );
my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
our %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
'tos-maximize-throughput' => '0x08/0x08' ,
'tos-maximize-reliability' => '0x04/0x04' ,
'tos-minimize-cost' => '0x02/0x02' ,
'tos-normal-service' => '0x00/0x1e' );
my %classids;
our %classids;
#
# Perl version of Arn Bernin's 'tc4shorewall'.
@ -133,12 +133,12 @@ my %classids;
# name => <interface>
# }
#
my @tcdevices;
my %tcdevices;
my @devnums;
my $devnum;
my $sticky;
my $ipp2p;
our @tcdevices;
our %tcdevices;
our @devnums;
our $devnum;
our $sticky;
our $ipp2p;
#
# TCClasses Table
@ -159,10 +159,10 @@ my $ipp2p;
# }
# }
# }
my @tcclasses;
my %tcclasses;
our @tcclasses;
our %tcclasses;
my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
PREROUTING => PREROUTE_RESTRICT ,
tcpost => POSTROUTE_RESTRICT ,
tcfor => NO_RESTRICT ,
@ -170,16 +170,16 @@ my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcout => OUTPUT_RESTRICT ,
);
my $family;
our $family;
my $divertref; # DIVERT chain
our $divertref; # DIVERT chain
my %validstates = ( NEW => 0,
RELATED => 0,
ESTABLISHED => 0,
UNTRACKED => 0,
INVALID => 0,
);
our %validstates = ( NEW => 0,
RELATED => 0,
ESTABLISHED => 0,
UNTRACKED => 0,
INVALID => 0,
);
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:

79
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -148,12 +148,12 @@ use constant { IN_OUT => 1,
#
# $firewall_zone names the firewall zone.
#
my @zones;
my %zones;
my %zonetypes;
my $firewall_zone;
our @zones;
our %zones;
our %zonetypes;
our $firewall_zone;
my %reservedName = ( all => 1,
our %reservedName = ( all => 1,
any => 1,
none => 1,
SOURCE => 1,
@ -188,24 +188,24 @@ my %reservedName = ( all => 1,
# The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
# the same order as the interfaces are encountered in the configuration files.
#
my @interfaces;
my %interfaces;
my %roots;
my @bport_zones;
my %ipsets;
my %physical;
my %basemap;
my %basemap1;
my %mapbase;
my %mapbase1;
my $family;
my $upgrade;
my $have_ipsec;
my $baseseq;
my $minroot;
my $zonemark;
my $zonemarkincr;
my $zonemarklimit;
our @interfaces;
our %interfaces;
our %roots;
our @bport_zones;
our %ipsets;
our %physical;
our %basemap;
our %basemap1;
our %mapbase;
our %mapbase1;
our $family;
our $upgrade;
our $have_ipsec;
our $baseseq;
our $minroot;
our $zonemark;
our $zonemarkincr;
our $zonemarklimit;
use constant { FIREWALL => 1,
IP => 2,
@ -232,24 +232,24 @@ use constant { SIMPLE_IF_OPTION => 1,
use constant { NO_UPDOWN => 1,
NO_SFILTER => 2 };
my %validinterfaceoptions;
our %validinterfaceoptions;
my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
my %validhostoptions;
our %validhostoptions;
my %validzoneoptions = ( mss => NUMERIC,
nomark => NOTHING,
blacklist => NOTHING,
dynamic_shared => NOTHING,
strict => NOTHING,
next => NOTHING,
reqid => NUMERIC,
spi => NUMERIC,
proto => IPSECPROTO,
mode => IPSECMODE,
our %validzoneoptions = ( mss => NUMERIC,
nomark => NOTHING,
blacklist => NOTHING,
dynamic_shared => NOTHING,
strict => NOTHING,
next => NOTHING,
reqid => NUMERIC,
spi => NUMERIC,
proto => IPSECPROTO,
mode => IPSECMODE,
"tunnel-src" => NETWORK,
"tunnel-dst" => NETWORK,
);
@ -258,7 +258,10 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
#
# Hash of options that have their own key in the returned hash.
#
my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );
our %zonekey = ( mss => UNRESTRICTED | COMPLEX ,
blacklist => NOFW,
nomark => NOFW | IN_OUT_ONLY,
dynamic_shared => IN_OUT_ONLY );
#
# Rather than initializing globals in an INIT block or during declaration,