From 1f359de08b3c986793d93300cd7be3d509bf93d1 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 27 Mar 2011 10:52:44 -0700
Subject: [PATCH] Handle mis-configured ipsec group on a bridge
---
 Shorewall/Perl/Shorewall/Zones.pm | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 0b1cc512f..121ae57f8 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -146,12 +146,13 @@ our %reservedName = ( all => 1,
 # %interfaces { => { name =>
 # root =>
 # options => { port => undef|1
-# = , #See %validinterfaceoptions
+# { } => , #See %validinterfaceoptions
 # ...
 # }
 # zone =>
 # nets =>
 # bridge =>
+# ports => [ list of ports on this bridge ]
 # broadcasts => 'none', 'detect' or [ , , ... ]
 # number =>
 # physical =>
@@ -883,6 +884,7 @@ sub process_interface( $$ ) {
 fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
 fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
+ push @{$interfaces{$interface}{ports}}, $port;
 fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 if ( $zone ) {
@@ -1100,7 +1102,8 @@ sub process_interface( $$ ) {
 options => \%options ,
 zone => '',
 physical => $physical ,
- base => chain_base( $physical )
+ base => chain_base( $physical ),
+ ports => [],
 };
 if ( $zone ) {
@@ -1690,7 +1693,7 @@ sub process_host( ) {
 fatal_error "Unknown ZONE ($zone)" unless $type;
 fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
- my $interface;
+ my ( $interface, $interfaceref );
 if ( $family == F_IPV4 ) {
 if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
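Review bot: The new `ports` line in the %interfaces layout comment describes the field as "list of ports on this bridge", but the record built in the @@ -1100 hunk initializes `ports => []` for every interface, so the key is present (and empty) on ordinary interfaces and on bridge ports too. Readers of this comment will otherwise test `exists $ref->{ports}` to detect a bridge; I would word it `# ports => [ list of ports on this bridge; empty for non-bridge interfaces ]`. The `{ } => ,` replacement line appears to have lost its placeholder names in this rendering, so I cannot check its wording.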
@@ -1703,7 +1706,7 @@ sub process_host( ) {
 fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
 }
- fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
+ fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
 } else {
 fatal_error "Invalid HOST(S) column contents: $hosts";
 }
@@ -1711,16 +1714,16 @@ sub process_host( ) {
 $interface = $1;
 $hosts = $2;
 $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
- fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
+ fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
 } else {
 fatal_error "Invalid HOST(S) column contents: $hosts";
 }
 if ( $type == BPORT ) {
 if ( $zoneref->{bridge} eq '' ) {
- fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
+ fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 $zoneref->{bridge} = $interfaces{$interface}{bridge};
- } elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
+ } elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
 fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 }
 }
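Review bot: The replacement `unless ($interfaceref = $interfaces{$interface})->{root}` hides the assignment that every later use of `$interfaceref` depends on inside a condition, and when the hosts column names an interface that has no %interfaces entry the `->{root}` dereference autovivifies the freshly assigned undef into an empty hash before fatal_error fires (harmless only because fatal_error presumably does not return). The same construct is repeated in the @@ -1711 hunk. I would make the assignment a statement of its own: `$interfaceref = $interfaces{$interface};` followed by `fatal_error "Unknown interface ($interface)" unless $interfaceref && $interfaceref->{root};`. process_host begins and ends outside this hunk.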
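Review bot: In the BPORT block the line `$zoneref->{bridge} = $interfaces{$interface}{bridge};` is left on the hash lookup while the fatal_error check above it and the `elsif` below it were switched to `$interfaceref`, so the same record is now reached two different ways within three lines. This is a style point only, since both expressions refer to the same entry once the preceding "Unknown interface" check has passed; I would change it to `$zoneref->{bridge} = $interfaceref->{bridge};` for consistency. process_host continues outside the hunk.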
@@ -1778,12 +1781,19 @@ sub process_host( ) {
 $ipsets{"${zone}_${physical}"} = 1;
 }
+ #
 # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
 #
- $interface = '%vserver%' if $type == VSERVER;
+ my $ports;
- add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
+ if ( $type == VSERVER ) {
+ $ports = [ $interface = '%vserver%' ];
+ } else {
+ $ports = @{$interfaceref->{ports}} ? $interfaceref->{ports} : [ $interface ];
+ }
+
+ add_group_to_zone( $zone, $type , $_, [ split_list( $hosts, 'host' ) ] , $optionsref) for @$ports;
 progress_message " Host \"$currentline\" validated";
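Review bot: `@{$interfaceref->{ports}}` is evaluated in rvalue context, so under `use strict` it dies with "Can't use an undefined value as an ARRAY reference" for any %interfaces record that lacks the `ports` key; the constructor in the @@ -1100 hunk adds the key, but any other place that builds an interface record (none is visible here) would have to do the same, and a missing key here should mean "no ports", not a compile-time crash. I would read the list into a variable and guard it: `my $bridge_ports = $interfaceref->{ports};` then `$ports = $bridge_ports && @$bridge_ports ? $bridge_ports : [ $interface ];`. As a style point, `[ $interface = '%vserver%' ]` buries the assignment to `$interface` inside an array constructor; `$interface = '%vserver%'; $ports = [ $interface ];` says the same thing plainly. process_host continues outside the hunk.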