Convert the 'ignore' interface to be multi-valued

- Allows 'ignore=1' to exempt the interface from updown processing only

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-06-05 07:23:23 -07:00
parent 57a9feaf2f
commit 170875c7dd
5 changed files with 51 additions and 12 deletions


@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface; my $interfaceref = find_interface $interface;
unless ( $interfaceref->{options}{ignore} ) { unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
my @filters = @{$interfaceref->{filter}}; my @filters = @{$interfaceref->{filter}};
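Review bot: The bit test on the new `unless` line deserves a comment, because a reader seeing `& NO_SFILTER` has no way to tell from this file which spellings of `ignore` set that bit; I'd add `# bare 'ignore' sets NO_UPDOWN|NO_SFILTER; 'ignore=1' sets only NO_UPDOWN, so its filter rules are still emitted` above it. The expression also presumes `{options}{ignore}` is always defined (0 when unset), otherwise `undef & NO_SFILTER` warns under `use warnings`; the normalisation to 0 appears to live in process_interface, but it is worth confirming that every path that builds an interface record goes through it. add_common_rules starts and ends outside the hunk.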


@ -1406,7 +1406,7 @@ sub compile_updown() {
push_indent; push_indent;
my $ignore = find_interfaces_by_option 'ignore'; my $ignore = find_interfaces_by_option 'ignore', 1;
my $required = find_interfaces_by_option 'required'; my $required = find_interfaces_by_option 'required';
my $optional = find_interfaces_by_option 'optional'; my $optional = find_interfaces_by_option 'optional';
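Review bot: The bare `1` passed to find_interfaces_by_option on the `$ignore` line reads as a magic flag, and its correctness rests on an unstated invariant: the call selects interfaces whose ignore value is nonzero, which is the same as "NO_UPDOWN is set" only because the accepted values are 0, NO_UPDOWN and NO_UPDOWN|NO_SFILTER. Should a NO_SFILTER-only value ever be permitted, this lookup would silently exclude such an interface from updown processing. I'd either state the invariant, `# nonzero ignore always includes NO_UPDOWN ('ignore' or 'ignore=1')`, or have the helper test the bit explicitly so the intent is in the code. compile_updown continues past the hunk.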


@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
IP IP
BPORT BPORT
IPSEC IPSEC
NO_UPDOWN
NO_SFILTER
determine_zones determine_zones
zone_report zone_report
@ -221,11 +223,14 @@ use constant { SIMPLE_IF_OPTION => 1,
IF_OPTION_WILDOK => 64 IF_OPTION_WILDOK => 64
}; };
use constant { NO_UPDOWN => 1,
NO_SFILTER => 2 };
my %validinterfaceoptions; my %validinterfaceoptions;
my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 ); my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 ); my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
my %validhostoptions; my %validhostoptions;
@ -283,6 +288,7 @@ sub initialize( $$ ) {
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION, logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@ -318,6 +324,7 @@ sub initialize( $$ ) {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -1033,7 +1040,7 @@ sub process_interface( $$ ) {
if ( $options eq 'ignore' ) { if ( $options eq 'ignore' ) {
fatal_error "Ignored interfaces may not be associated with a zone" if $zone; fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
$options{ignore} = 1; $options{ignore} = NO_UPDOWN | NO_SFILTER;
$options = '-'; $options = '-';
} }
@ -1153,7 +1160,16 @@ sub process_interface( $$ ) {
} }
} }
fatal_error "Invalid combination of interface options" if $options{required} && $options{optional}; fatal_error "Invalid combination of interface options"
if ( ( $options{required} && $options{optional} ) ||
( $options{required} && $options{ignore} ) ||
( $options{optional} && $options{ignore} ) );
if ( supplied( my $ignore = $options{ignore} ) ) {
fatal_error "Invalid value ignore=0" if ! $ignore;
} else {
$options{ignore} = 0;
}
if ( $netsref eq 'dynamic' ) { if ( $netsref eq 'dynamic' ) {
my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical; my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@ -1175,6 +1191,7 @@ sub process_interface( $$ ) {
# No options specified -- auto-detect bridge # No options specified -- auto-detect bridge
# #
$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export; $hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
$options{ignore} ||= 0;
} }
$physical{$physical} = $interfaces{$interface} = { name => $interface , $physical{$physical} = $interfaces{$interface} = { name => $interface ,
@ -1477,8 +1494,8 @@ NAME:
# #
# Returns reference to array of interfaces with the passed option # Returns reference to array of interfaces with the passed option
# #
sub find_interfaces_by_option( $ ) { sub find_interfaces_by_option( $;$ ) {
my $option = $_[0]; my ( $option , $nonzero ) = @_;
my @ints = (); my @ints = ();
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
@ -1487,7 +1504,11 @@ sub find_interfaces_by_option( $ ) {
next unless $interfaceref->{root}; next unless $interfaceref->{root};
my $optionsref = $interfaceref->{options}; my $optionsref = $interfaceref->{options};
if ( $optionsref && defined $optionsref->{$option} ) { if ( $nonzero ) {
if ( $optionsref && $optionsref->{$option} ) {
push @ints , $interface
}
} elsif ( $optionsref && defined $optionsref->{$option} ) {
push @ints , $interface push @ints , $interface
} }
} }
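Review bot: In find_interfaces_by_option the new `$nonzero` branch duplicates the guard and push of the existing `defined` branch; the two collapse into one statement, `next unless $optionsref;` followed by `push @ints, $interface if $nonzero ? $optionsref->{$option} : defined $optionsref->{$option};`. The name `$nonzero` also promises a numeric test while the code performs a truthiness test, so an option value of `''` is treated like 0 — harmless for `ignore`, which process_interface normalises to 0 or a bit mask, but worth a one-line comment such as `# $nonzero: select only options with a true value, not merely a defined one`. The closing brace on the last hunk line ends the for loop; the sub's return runs past the hunk.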


@ -343,13 +343,22 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ignore</emphasis></term> <term><emphasis role="bold">ignore[=1]</emphasis></term>
<listitem> <listitem>
<para>When specified, causes the generated script to ignore <para>When specified, causes the generated script to ignore
up/down events from Shorewall-init for this device. up/down events from Shorewall-init for this device.
Additionally, the option exempts the interface from hairpin Additionally, the option exempts the interface from hairpin
filtering.</para> filtering. When '=1' is omitted, the ZONE column must contain
'-' and <option>ignore</option> must be the only
OPTION.</para>
<para>Beginning with Shorewall 4.5.5, may be specified as
'<option>ignore=1</option>' which only causes the generated
script to ignore up/down events from Shorewall-init; hairpin
filtering is still applied. In this case, the above
restrictions on the ZONE and OPTIONS columns are
lifted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -244,13 +244,22 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ignore</emphasis></term> <term><emphasis role="bold">ignore[=1]</emphasis></term>
<listitem> <listitem>
<para>When specified, causes the generated script to ignore <para>When specified, causes the generated script to ignore
up/down events from Shorewall-init for this device. up/down events from Shorewall-init for this device.
Additionally, the option exempts the interface from hairpin Additionally, the option exempts the interface from hairpin
filtering.</para> filtering. When '=1' is omitted, the ZONE column must contain
'-' and <option>ignore</option> must be the only
OPTION.</para>
<para>Beginning with Shorewall 4.5.5, may be specified as
'<option>ignore=1</option>' which only causes the generated
script to ignore up/down events from Shorewall-init; hairpin
filtering is still applied. In this case, the above
restrictions on the ZONE and OPTIONS columns are
lifted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>