Make 'virtual' a zone type rather than an option

2009-11-27 08:17:18 -08:00 · 2009-11-27 08:17:18 -08:00 · 18eedf7e34
commit 18eedf7e34
parent 1699d8e941
6 changed files with 40 additions and 42 deletions
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@ -357,7 +357,7 @@ sub validate_policy()
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
 	    }
- 	} elsif ( defined_zone( $zone )->{virtual} ) {
+ 	} elsif ( zone_type( $zone ) == VIRTUAL ) {
 	    for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
 		for my $zone2 ( all_zones ) {
 		    unless ( $zone1 eq $zone2 ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -40,6 +40,7 @@ our @EXPORT = qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
+		  VIRTUAL
 		  VIRTUAL_BITS

 		  determine_zones
@ -164,7 +165,8 @@ our $virtualmark;
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 3,
-	       IPSEC    => 4 };
+	       IPSEC    => 4,
+	       VIRTUAL  => 5 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@ -364,6 +366,7 @@ sub process_zone( \$ ) {
    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';

    my $mark = 0;
+    my $virtual = 0;

    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
@ -389,6 +392,12 @@ sub process_zone( \$ ) {
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
 	$type = IPSEC;
+
+	for ( @parents ) {
+	    unless ( $zones{$_}{type} == IPSEC ) {
+		set_super( $zones{$_} );
+	    }
+	}
    } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
 	warning_message "Bridge Port zones should have a parent zone" unless @parents;
@ -400,6 +409,12 @@ sub process_zone( \$ ) {
 	$firewall_zone = $zone;
 	$ENV{FW} = $zone;
 	$type = FIREWALL;
+    } elsif ( $type eq 'virtual' ) {
+	require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
+	fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
+	$virtual = $virtualmark;
+	$virtualmark = $virtualmark << 1;
+	$type = VIRTUAL;
    } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
@ -407,25 +422,6 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)" ;
    }

-    if ( $type eq IPSEC ) {
-	for ( @parents ) {
-	    unless ( $zones{$_}{type} == IPSEC ) {
-		set_super( $zones{$_} );
-	    }
-	}
-    }
-
-    my $virtual = 0;
-
-    if ( $options eq 'virtual' ) {
-	require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
-	fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;
-	fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
-	$virtual = $virtualmark;
-	$virtualmark = $virtualmark << 1;
-	$options = '';
-    }
-
    for ( $options, $in_options, $out_options ) {
 	$_ = '' if $_ eq '-';
    }
@ -511,9 +507,9 @@ sub zone_report()
    my @translate;

    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
    }

    for my $zone ( @zones )
@ -556,7 +552,7 @@ sub zone_report()

 	unless ( $printed ) {
 	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
-	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} );
+	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} );
 	}
    }
 }
@ -569,9 +565,9 @@ sub dump_zone_contents()
    my @xlate;

    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
    }

    for my $zone ( @zones )
@ -612,7 +608,7 @@ sub dump_zone_contents()
 	    }
 	}

-	if ( $zoneref->{virtual} && @{$zoneref->{children}} ) {
+	if ( $type == VIRTUAL && @{$zoneref->{children}} ) {
 	    $entry .= " (";
 	    $entry .= "$_," for @{$zoneref->{children}};
 	    $entry =~ s/,$/) /;
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -231,13 +231,12 @@ None.
    	     $FW             all             ACCEPT

 3)  Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
-    to group together a set of sub-zones. A virtual zone must by an
-    ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
-    with the 'virtual' OPTION in /etc/shorewall/zones.
+    to group together a set of sub-zones. A virtual zone is declared
+    as TYPE 'virtual' in /etc/shorewall/zones.

    Example:

-	virt		ipv4	virtual
+	virt		virtual

    The virtual zone must have no definition in
    /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
@ -251,7 +250,7 @@ None.

    Example:

-	virt		ipv4	virtual
+	virt			virtual
    	loc:virt		ipv4
    	vpn:virt		ipsec    

--- a/manpages/shorewall-nesting.xml
+++ b/manpages/shorewall-nesting.xml
@ -199,7 +199,7 @@
    <programlisting>        #ZONE            TYPE          OPTIONS
        fw               firewall
        net              ipv4
-        loc              ipv4          virtual
+        loc              virtual       #Virtual Zone
        loc1:loc         ipv4
        loc2:loc         ipv4</programlisting>

@ -218,10 +218,6 @@
    <para>There are several restrictions on virtual zones:</para>

    <itemizedlist>
-      <listitem>
-        <para>They must have type <option>ipv4</option>.</para>
-      </listitem>
-
      <listitem>
        <para>A maximum of four virtual zones may be defined.</para>
      </listitem>
--- a/manpages6/shorewall6-nesting.xml
+++ b/manpages6/shorewall6-nesting.xml
@ -103,7 +103,7 @@
    <programlisting>        #ZONE            TYPE          OPTIONS
        fw               firewall
        net              ipv6
-        loc              ipv6          virtual
+        loc              virtual       #Virtual Zone
        loc1:loc         ipv6
        loc2:loc         ipv6</programlisting>

@ -122,10 +122,6 @@
    <para>There are several restrictions on virtual zones:</para>

    <itemizedlist>
-      <listitem>
-        <para>They must have type <option>ipv6</option>.</para>
-      </listitem>
-
      <listitem>
        <para>A maximum of four virtual zones may be defined.</para>
      </listitem>
--- a/manpages6/shorewall6-zones.xml
+++ b/manpages6/shorewall6-zones.xml
@ -169,6 +169,17 @@ c:a,b     ipv6</programlisting>
                single bridge.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">virtual</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.5. Virtual zones are containers
+                for other zones. See <ulink
+                url="shorewall6-nesting.html">shorewall6-nesting (5)</ulink>
+                for details.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>