From 170875c7ddaa1ca2a88a5eff562cd81a496c0097 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 07:23:23 -0700
Subject: [PATCH] Convert the 'ignore' interface to be multi-valued
-Allows 'ignore=1' to only exempt interface from updown processing
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 2 +-
 Shorewall/Perl/Shorewall/Providers.pm | 2 +-
 Shorewall/Perl/Shorewall/Zones.pm | 33 +++++++++++++++----
 Shorewall/manpages/shorewall-interfaces.xml | 13 ++++++--
 Shorewall6/manpages/shorewall6-interfaces.xml | 13 ++++++--
 5 files changed, 51 insertions(+), 12 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 6a6272eb6..5c226b86e 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
 my $interfaceref = find_interface $interface;
- unless ( $interfaceref->{options}{ignore} ) {
+ unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
 my @filters = @{$interfaceref->{filter}};
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 6c90facca..0ba97b8fa 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1406,7 +1406,7 @@ sub compile_updown() {
 push_indent;
- my $ignore = find_interfaces_by_option 'ignore';
+ my $ignore = find_interfaces_by_option 'ignore', 1;
 my $required = find_interfaces_by_option 'required';
 my $optional = find_interfaces_by_option 'optional';
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index ebd4c4dd0..89eba84d5 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
 IP
 BPORT
 IPSEC
+ NO_UPDOWN
+ NO_SFILTER
 determine_zones
 zone_report
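Review bot: The new test `$interfaceref->{options}{ignore} & NO_SFILTER` in add_common_rules raises an 'uninitialized value' warning under `use warnings` if `{options}{ignore}` is undef, where the old truth test was silent; the Zones.pm hunks in this commit default `ignore` to 0 inside process_interface, so this only bites if find_interface can return an entry built elsewhere (the `$optionsref &&` guard in find_interfaces_by_option hints that options can be absent), which the hunk does not settle. If such entries exist, `unless ( ( $interfaceref->{options}{ignore} || 0 ) & NO_SFILTER ) {` keeps the check warning-free without changing which interfaces receive sfilter rules. Because this line is now what keeps hairpin filtering applied to `ignore=1` interfaces, it deserves a why-comment: `# 'ignore' is a bitmask; only the NO_SFILTER bit (set by the bare 'ignore' form, not by ignore=1) exempts the interface from sfilter rules`. NO_SFILTER presumably reaches this file through the @EXPORT addition in Zones.pm; add_common_rules starts and ends outside the hunk.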
@@ -221,11 +223,14 @@ use constant { SIMPLE_IF_OPTION => 1,
 IF_OPTION_WILDOK => 64 };
+use constant { NO_UPDOWN => 1,
+ NO_SFILTER => 2 };
+
 my %validinterfaceoptions;
 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 my %validhostoptions;
@@ -283,6 +288,7 @@ sub initialize( $$ ) {
 bridge => SIMPLE_IF_OPTION,
 detectnets => OBSOLETE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
+ ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 logmartians => BINARY_IF_OPTION,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -318,6 +324,7 @@ sub initialize( $$ ) {
 %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 dhcp => SIMPLE_IF_OPTION,
+ ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1033,7 +1040,7 @@ sub process_interface( $$ ) {
 if ( $options eq 'ignore' ) {
 fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
- $options{ignore} = 1;
+ $options{ignore} = NO_UPDOWN | NO_SFILTER;
 $options = '-';
 }
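Review bot: The added `use constant { NO_UPDOWN => 1, NO_SFILTER => 2 };` has no comment saying these are bit values of the 'ignore' option, and the same name then appears as `ignore => NO_UPDOWN` in %maxoptionvalue, where it reads as a limit rather than a bit; a reader needs both facts to follow the `NO_UPDOWN | NO_SFILTER` assignment in the process_interface hunk further down. I would put above the constant block: `# Bit values of the 'ignore' interface option: NO_UPDOWN exempts the interface from Shorewall-init up/down processing, NO_SFILTER from sfilter (hairpin) filtering. Users may only write ignore=1 (NO_UPDOWN, the %maxoptionvalue limit); the bare 'ignore' form sets both bits.` The `use constant` block that ends at `IF_OPTION_WILDOK => 64 };` starts outside the hunk.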
@@ -1153,7 +1160,16 @@ sub process_interface( $$ ) {
 }
 }
- fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+ fatal_error "Invalid combination of interface options"
+ if ( ( $options{required} && $options{optional} ) ||
+ ( $options{required} && $options{ignore} ) ||
+ ( $options{optional} && $options{ignore} ) );
+
+ if ( supplied( my $ignore = $options{ignore} ) ) {
+ fatal_error "Invalid value ignore=0" if ! $ignore;
+ } else {
+ $options{ignore} = 0;
+ }
 if ( $netsref eq 'dynamic' ) {
 my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@@ -1175,6 +1191,7 @@ sub process_interface( $$ ) {
 # No options specified -- auto-detect bridge
 #
 $hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
+ $options{ignore} ||= 0;
 }
 $physical{$physical} = $interfaces{$interface} = { name => $interface ,
@@ -1477,8 +1494,8 @@ NAME:
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
- my $option = $_[0];
+sub find_interfaces_by_option( $;$ ) {
+ my ( $option , $nonzero ) = @_;
 my @ints = ();
 for my $interface ( @interfaces ) {
@@ -1487,7 +1504,11 @@ sub find_interfaces_by_option( $ ) {
 next unless $interfaceref->{root};
 my $optionsref = $interfaceref->{options};
- if ( $optionsref && defined $optionsref->{$option} ) {
+ if ( $nonzero ) {
+ if ( $optionsref && $optionsref->{$option} ) {
+ push @ints , $interface
+ }
+ } elsif ( $optionsref && defined $optionsref->{$option} ) {
 push @ints , $interface
 }
 }
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index 2b0237d42..a065f26f4 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
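Review bot: The two new terms `( $options{required} && $options{ignore} )` and `( $options{optional} && $options{ignore} )` in the fatal_error condition make `ignore=1` incompatible with `required` and `optional`, but the manpage hunks in this commit say only that the ZONE and OPTIONS restrictions are lifted for `ignore=1`, so a user following the documentation will hit a fatal error it does not predict. The documentation should state that `ignore=1` may not be combined with `required` or `optional`, and a why-comment on the check would help, e.g. `# An ignored interface (either bit) may not also be required or optional`. The `$options{ignore} ||= 0;` added in the next hunk and the `$options{ignore} = 0;` here do the same job; writing `= 0` in both places makes the default easier to find. process_interface starts and ends outside the hunk.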
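Review bot: The header comment `# Returns reference to array of interfaces with the passed option` above find_interfaces_by_option is now stale: the new `$nonzero` parameter switches the selection from 'option defined' to 'option value true', and that distinction matters because this commit also defaults `ignore` to 0 on every interface, so without the `1` that Providers.pm now passes, compile_updown would treat every interface as ignored. I would extend the comment: `# Returns reference to array of interfaces with the passed option. When the optional second argument is true, only interfaces whose option value is non-zero are returned (needed for 'ignore', which now defaults to 0).` In the body hunk the nested `if`/`elsif` duplicates the push; `push @ints , $interface if $optionsref && ( $nonzero ? $optionsref->{$option} : defined $optionsref->{$option} );` keeps the behaviour in one statement. find_interfaces_by_option continues past the hunk.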
@@ -343,13 +343,22 @@ loc eth2 - - ignore + ignore[=1] When specified, causes the generated script to ignore up/down events from Shorewall-init for this device. Additionally, the option exempts the interface from hairpin - filtering. + filtering. When '=1' is omitted, the ZONE column must contain + '-' and must be the only + OPTION. + + Beginning with Shorewall 4.5.5, may be specified as + '' which only causes the generated + script to ignore up/down events from Shorewall-init; hairpin + filtering is still applied. In this case, the above + restrictions on the ZONE and OPTIONS columns are + lifted. diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index 4ebe35b85..b83603d13 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -244,13 +244,22 @@ loc eth2 - - ignore + ignore[=1] When specified, causes the generated script to ignore up/down events from Shorewall-init for this device. Additionally, the option exempts the interface from hairpin - filtering. + filtering. When '=1' is omitted, the ZONE column must contain + '-' and must be the only + OPTION. + + Beginning with Shorewall 4.5.5, may be specified as + '' which only causes the generated + script to ignore up/down events from Shorewall-init; hairpin + filtering is still applied. In this case, the above + restrictions on the ZONE and OPTIONS columns are + lifted.