Convert the 'ignore' interface to be multi-valued
-Allows 'ignore=1' to exempt the interface only from updown processing Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
57a9feaf2f
commit
170875c7dd
@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
|
|||||||
|
|
||||||
my $interfaceref = find_interface $interface;
|
my $interfaceref = find_interface $interface;
|
||||||
|
|
||||||
unless ( $interfaceref->{options}{ignore} ) {
|
unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
|
||||||
|
|
||||||
my @filters = @{$interfaceref->{filter}};
|
my @filters = @{$interfaceref->{filter}};
|
||||||
|
|
||||||
|
@ -1406,7 +1406,7 @@ sub compile_updown() {
|
|||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
my $ignore = find_interfaces_by_option 'ignore';
|
my $ignore = find_interfaces_by_option 'ignore', 1;
|
||||||
my $required = find_interfaces_by_option 'required';
|
my $required = find_interfaces_by_option 'required';
|
||||||
my $optional = find_interfaces_by_option 'optional';
|
my $optional = find_interfaces_by_option 'optional';
|
||||||
|
|
||||||
|
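Review bot: compile_updown now treats any non-zero `ignore` value as "exempt from updown" (`find_interfaces_by_option 'ignore', 1`), so the selection depends on the NO_UPDOWN bit only indirectly, through the `ignore => NO_UPDOWN` entry in %maxoptionvalue elsewhere in this commit; a future value that sets only NO_SFILTER would then also be excluded from updown processing. Testing the bit here keeps the two policies independent, e.g. `my $ignore = [ grep { find_interface( $_ )->{options}{ignore} & NO_UPDOWN } @{ find_interfaces_by_option 'ignore' } ];` (find_interface is already used in add_common_rules above; this assumes find_interfaces_by_option returns an array reference, as its header comment states). The companion test in add_common_rules, `$interfaceref->{options}{ignore} & NO_SFILTER`, fails safe — an undefined value yields 0 and the hairpin filters stay on — but under `use warnings` it would report an uninitialized value for any interface record that did not pass through the two initialisations added in process_interface, so it is worth confirming that no other code path creates interface records. Both enclosing subs start and end outside their hunks.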
@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
|
|||||||
IP
|
IP
|
||||||
BPORT
|
BPORT
|
||||||
IPSEC
|
IPSEC
|
||||||
|
NO_UPDOWN
|
||||||
|
NO_SFILTER
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
zone_report
|
zone_report
|
||||||
@ -221,11 +223,14 @@ use constant { SIMPLE_IF_OPTION => 1,
|
|||||||
IF_OPTION_WILDOK => 64
|
IF_OPTION_WILDOK => 64
|
||||||
};
|
};
|
||||||
|
|
||||||
|
use constant { NO_UPDOWN => 1,
|
||||||
|
NO_SFILTER => 2 };
|
||||||
|
|
||||||
my %validinterfaceoptions;
|
my %validinterfaceoptions;
|
||||||
|
|
||||||
my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
|
my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
|
||||||
|
|
||||||
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
|
my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
|
||||||
|
|
||||||
my %validhostoptions;
|
my %validhostoptions;
|
||||||
|
|
||||||
@ -283,6 +288,7 @@ sub initialize( $$ ) {
|
|||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
detectnets => OBSOLETE_IF_OPTION,
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
|
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
logmartians => BINARY_IF_OPTION,
|
logmartians => BINARY_IF_OPTION,
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||||
@ -318,6 +324,7 @@ sub initialize( $$ ) {
|
|||||||
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
|
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
@ -1033,7 +1040,7 @@ sub process_interface( $$ ) {
|
|||||||
|
|
||||||
if ( $options eq 'ignore' ) {
|
if ( $options eq 'ignore' ) {
|
||||||
fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
|
fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
|
||||||
$options{ignore} = 1;
|
$options{ignore} = NO_UPDOWN | NO_SFILTER;
|
||||||
$options = '-';
|
$options = '-';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1153,7 +1160,16 @@ sub process_interface( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
|
fatal_error "Invalid combination of interface options"
|
||||||
|
if ( ( $options{required} && $options{optional} ) ||
|
||||||
|
( $options{required} && $options{ignore} ) ||
|
||||||
|
( $options{optional} && $options{ignore} ) );
|
||||||
|
|
||||||
|
if ( supplied( my $ignore = $options{ignore} ) ) {
|
||||||
|
fatal_error "Invalid value ignore=0" if ! $ignore;
|
||||||
|
} else {
|
||||||
|
$options{ignore} = 0;
|
||||||
|
}
|
||||||
|
|
||||||
if ( $netsref eq 'dynamic' ) {
|
if ( $netsref eq 'dynamic' ) {
|
||||||
my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
|
my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
|
||||||
@ -1175,6 +1191,7 @@ sub process_interface( $$ ) {
|
|||||||
# No options specified -- auto-detect bridge
|
# No options specified -- auto-detect bridge
|
||||||
#
|
#
|
||||||
$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
|
$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
|
||||||
|
$options{ignore} ||= 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
|
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
|
||||||
@ -1477,8 +1494,8 @@ NAME:
|
|||||||
#
|
#
|
||||||
# Returns reference to array of interfaces with the passed option
|
# Returns reference to array of interfaces with the passed option
|
||||||
#
|
#
|
||||||
sub find_interfaces_by_option( $ ) {
|
sub find_interfaces_by_option( $;$ ) {
|
||||||
my $option = $_[0];
|
my ( $option , $nonzero ) = @_;
|
||||||
my @ints = ();
|
my @ints = ();
|
||||||
|
|
||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
@ -1487,7 +1504,11 @@ sub find_interfaces_by_option( $ ) {
|
|||||||
next unless $interfaceref->{root};
|
next unless $interfaceref->{root};
|
||||||
|
|
||||||
my $optionsref = $interfaceref->{options};
|
my $optionsref = $interfaceref->{options};
|
||||||
if ( $optionsref && defined $optionsref->{$option} ) {
|
if ( $nonzero ) {
|
||||||
|
if ( $optionsref && $optionsref->{$option} ) {
|
||||||
|
push @ints , $interface
|
||||||
|
}
|
||||||
|
} elsif ( $optionsref && defined $optionsref->{$option} ) {
|
||||||
push @ints , $interface
|
push @ints , $interface
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
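Review bot: The header comment of find_interfaces_by_option still reads `# Returns reference to array of interfaces with the passed option` and says nothing about the new optional second argument, although the `( $;$ )` prototype and `$nonzero` are the substance of this hunk. I would extend it to `# Returns reference to array of interfaces with the passed option. If the optional second argument is true, only interfaces whose value for the option is non-zero are returned; otherwise any interface for which the option is defined qualifies.` The distinction now matters for 'ignore', because process_interface (earlier hunks) stores `0` for every interface that does not specify it, so the one-argument form of this call would return every root interface for that option. A small style point: the new inner `push @ints , $interface` lacks a trailing semicolon and relies on being the last statement of its block; adding it keeps the two push sites identical. The loop body continues past the hunk and the sub's return lies outside it.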
@ -343,13 +343,22 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ignore</emphasis></term>
|
<term><emphasis role="bold">ignore[=1]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When specified, causes the generated script to ignore
|
<para>When specified, causes the generated script to ignore
|
||||||
up/down events from Shorewall-init for this device.
|
up/down events from Shorewall-init for this device.
|
||||||
Additionally, the option exempts the interface from hairpin
|
Additionally, the option exempts the interface from hairpin
|
||||||
filtering.</para>
|
filtering. When '=1' is omitted, the ZONE column must contain
|
||||||
|
'-' and <option>ignore</option> must be the only
|
||||||
|
OPTION.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.5.5, may be specified as
|
||||||
|
'<option>ignore=1</option>' which only causes the generated
|
||||||
|
script to ignore up/down events from Shorewall-init; hairpin
|
||||||
|
filtering is still applied. In this case, the above
|
||||||
|
restrictions on the ZONE and OPTIONS columns are
|
||||||
|
lifted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -244,13 +244,22 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ignore</emphasis></term>
|
<term><emphasis role="bold">ignore[=1]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When specified, causes the generated script to ignore
|
<para>When specified, causes the generated script to ignore
|
||||||
up/down events from Shorewall-init for this device.
|
up/down events from Shorewall-init for this device.
|
||||||
Additionally, the option exempts the interface from hairpin
|
Additionally, the option exempts the interface from hairpin
|
||||||
filtering.</para>
|
filtering. When '=1' is omitted, the ZONE column must contain
|
||||||
|
'-' and <option>ignore</option> must be the only
|
||||||
|
OPTION.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.5.5, may be specified as
|
||||||
|
'<option>ignore=1</option>' which only causes the generated
|
||||||
|
script to ignore up/down events from Shorewall-init; hairpin
|
||||||
|
filtering is still applied. In this case, the above
|
||||||
|
restrictions on the ZONE and OPTIONS columns are
|
||||||
|
lifted.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|