holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Make zone type numeric for faster comparison

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-03-13 22:59:49 +00:00
parent e75789d894
commit 229e573c3c
4 changed files with 64 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Policy.pm
View File

@ -265,11 +265,11 @@ sub validate_policy()
fatal_error "NONE policy not allowed with \"all\"" fatal_error "NONE policy not allowed with \"all\""
if $clientwild || $serverwild; if $clientwild || $serverwild;
fatal_error "NONE policy not allowed to/from firewall zone" fatal_error "NONE policy not allowed to/from firewall zone"
if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' ); if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
} }
unless ( $clientwild || $serverwild ) { unless ( $clientwild || $serverwild ) {
if ( zone_type( $server ) eq 'bport' ) { if ( zone_type( $server ) == BPORT ) {
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge" fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge}; unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
} }

16
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1201,7 +1201,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# Check for illegal bridge port rule # Check for illegal bridge port rule
# #
if ( $destref->{type} eq 'bport' ) { if ( $destref->{type} == BPORT ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard; return 1 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@ -1356,7 +1356,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# And generate the nat table rule(s) # And generate the nat table rule(s)
# #
expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ), expand_rule ( ensure_chain ('nat' , $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
@ -1394,7 +1394,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$origdest = $interfaces ? "detect:$interfaces" : ALLIP; $origdest = $interfaces ? "detect:$interfaces" : ALLIP;
} }
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , expand_rule( ensure_chain ('nat' , $sourceref->{type} == 'FIREWALL' ? 'OUTPUT' : dnat_chain $sourcezone) ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,
$source , $source ,
@ -1500,10 +1500,10 @@ sub process_rule ( $$$$$$$$$$$$ ) {
if ( $source eq 'all' ) { if ( $source eq 'all' ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) { if ( $includesrcfw || ( zone_type( $zone ) != FIREWALL ) ) {
if ( $dest eq 'all' ) { if ( $dest eq 'all' ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) { if ( $includedstfw || ( zone_type( $zone1 ) != FIREWALL ) ) {
if ( $intrazone || ( $zone ne $zone1 ) ) { if ( $intrazone || ( $zone ne $zone1 ) ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
@ -1521,7 +1521,7 @@ sub process_rule ( $$$$$$$$$$$$ ) {
} elsif ( $dest eq 'all' ) { } elsif ( $dest eq 'all' ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0]; my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { if ( ( $includedstfw || ( zone_type( $zone ) != FIREWALL ) ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
@ -1901,7 +1901,7 @@ sub generate_matrix() {
next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! $zoneref->{options}{in_out}{routeback}; next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! $zoneref->{options}{in_out}{routeback};
} }
if ( $zone1ref->{type} eq 'bport' ) { if ( $zone1ref->{type} == BPORT ) {
next unless $zoneref->{bridge} eq $zone1ref->{bridge}; next unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }
@ -1953,7 +1953,7 @@ sub generate_matrix() {
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback}; next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
} }
if ( $zone1ref->{type} eq 'bport' ) { if ( $zone1ref->{type} == BPORT ) {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge}; next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }

4
Shorewall/Perl/Shorewall/Tunnels.pm
View File

@ -82,7 +82,7 @@ sub setup_tunnels() {
unless ( $gatewayzones eq '-' ) { unless ( $gatewayzones eq '-' ) {
for my $zone ( split_list $gatewayzones, 'zone' ) { for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone ); my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport'; fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
$inchainref = ensure_filter_chain "${zone}2${fw}", 1; $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
$outchainref = ensure_filter_chain "${fw}2${zone}", 1; $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
@ -237,7 +237,7 @@ sub setup_tunnels() {
my $zonetype = zone_type( $zone ); my $zonetype = zone_type( $zone );
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport'; fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;

94
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -36,6 +36,10 @@ our @EXPORT = qw( NOTHING
NETWORK NETWORK
IPSECPROTO IPSECPROTO
IPSECMODE IPSECMODE
FIREWALL
IP
BPORT
IPSEC
determine_zones determine_zones
zone_report zone_report
@ -85,7 +89,7 @@ use constant { NOTHING => 'NOTHING',
# #
# @zones contains the ordered list of zones with sub-zones appearing before their parents. # @zones contains the ordered list of zones with sub-zones appearing before their parents.
# #
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ip', 'ipsec', 'bport'; # %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT;
# options => { complex => 0|1 # options => { complex => 0|1
# nested => 0|1 # nested => 0|1
# in_out => < policy match string > # in_out => < policy match string >
@ -145,13 +149,19 @@ our @bport_zones;
our %ipsets; our %ipsets;
our $family; our $family;
use constant { FIREWALL => 1,
IP => 2,
BPORT => 3,
IPSEC => 4 };
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
# initialize() function does globals initialization for this # initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is # module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of # also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function. # the second and subsequent calls to that function or when compiling
# for IPv6.
# #
sub initialize( $ ) { sub initialize( $ ) {
@ -226,7 +236,7 @@ sub parse_zone_option_list($$)
if ( $key{$e} ) { if ( $key{$e} ) {
$h{$e} = $val; $h{$e} = $val;
} else { } else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec'; fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
$options .= $invert; $options .= $invert;
$options .= "--$e "; $options .= "--$e ";
$options .= "$val "if defined $val; $options .= "$val "if defined $val;
@ -265,7 +275,7 @@ sub determine_zones()
for my $p ( @parents ) { for my $p ( @parents ) {
fatal_error "Invalid Parent List ($2)" unless $p; fatal_error "Invalid Parent List ($2)" unless $p;
fatal_error "Unknown parent zone ($p)" unless $zones{$p}; fatal_error "Unknown parent zone ($p)" unless $zones{$p};
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall'; fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
push @{$zones{$p}{children}}, $zone; push @{$zones{$p}{children}}, $zone;
} }
} }
@ -274,32 +284,32 @@ sub determine_zones()
fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
$type = "ip" unless $type; $type = IP unless $type;
if ( $type =~ /ipv4/i ) { if ( $type =~ /ipv4/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV6; fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
$type = 'ip'; $type = IP;
$ip = 1; $ip = 1;
} elsif ( $type =~ /ipv6/i ) { } elsif ( $type =~ /ipv6/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV4; fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
$type = 'ip'; $type = IP;
$ip = 1; $ip = 1;
} elsif ( $type =~ /^ipsec([46])?$/i ) { } elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && (($1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 )); fatal_error "Invalid zone type ($type)" if $1 && (($1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ));
$type = 'ipsec'; $type = IPSEC;
} elsif ( $type =~ /^bport([46])?$/i ) { } elsif ( $type =~ /^bport([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && (( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 )); fatal_error "Invalid zone type ($type)" if $1 && (( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ));
warning_message "Bridge Port zones should have a parent zone" unless @parents; warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport'; $type = BPORT;
push @bport_zones, $zone; push @bport_zones, $zone;
} elsif ( $type eq 'firewall' ) { } elsif ( $type eq 'firewall' ) {
fatal_error 'Firewall zone may not be nested' if @parents; fatal_error 'Firewall zone may not be nested' if @parents;
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone; fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
$firewall_zone = $zone; $firewall_zone = $zone;
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = "firewall"; $type = FIREWALL;
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = 'ip'; $type = IP;
$ip = 1; $ip = 1;
} else { } else {
fatal_error "Invalid zone type ($type)" ; fatal_error "Invalid zone type ($type)" ;
@ -315,7 +325,7 @@ sub determine_zones()
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec' || $options || $in_options || $out_options ? 1 : 0) , complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } , nested => @parents > 0 } ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
@ -353,7 +363,7 @@ sub determine_zones()
# #
sub haveipseczones() { sub haveipseczones() {
for my $zoneref ( values %zones ) { for my $zoneref ( values %zones ) {
return 1 if $zoneref->{type} eq 'ipsec'; return 1 if $zoneref->{type} == IPSEC;
} }
0; 0;
@ -366,7 +376,13 @@ sub zone_report()
{ {
progress_message2 "Determining Hosts in Zones..."; progress_message2 "Determining Hosts in Zones...";
my $ipzone = $family == F_IPV4 ? 'ipv4' : 'ipv6'; my @translate;
if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
}
for my $zone ( @zones ) for my $zone ( @zones )
{ {
@ -375,9 +391,7 @@ sub zone_report()
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $optionref = $zoneref->{options}; my $optionref = $zoneref->{options};
$type = $ipzone if $type eq 'ip'; progress_message_nocompress " $zone ($translate[$type])";
progress_message_nocompress " $zone ($type)";
my $printed = 0; my $printed = 0;
@ -407,8 +421,8 @@ sub zone_report()
} }
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport' && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
} }
} }
@ -416,16 +430,12 @@ sub zone_report()
sub dump_zone_contents() sub dump_zone_contents()
{ {
my %xlate; my @xlate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%xlate = ( ip => 'ipv4' , @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
bport => 'bport4' , } else {
ipsec => 'ipsec4' ) @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} else {
%xlate = ( ip => 'ipv6' ,
bport => 'bport6' ,
ipsec => 'ipsec6' )
} }
for my $zone ( @zones ) for my $zone ( @zones )
@ -435,11 +445,9 @@ sub dump_zone_contents()
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $optionref = $zoneref->{options}; my $optionref = $zoneref->{options};
$type = $xlate{$type} if $xlate{$type}; my $entry = "$zone $xlate[$type]";
my $entry = "$zone $type"; $entry .= ":$zoneref->{bridge}" if $type == BPORT;
$entry .= ":$zoneref->{bridge}" if $type =~ /^bport/;
if ( $hostref ) { if ( $hostref ) {
for my $type ( sort keys %$hostref ) { for my $type ( sort keys %$hostref ) {
@ -517,7 +525,7 @@ sub add_group_to_zone($$$$$)
} }
unless ( $switched ) { unless ( $switched ) {
if ( $type eq $zonetype ) { if ( $type == $zonetype ) {
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone; fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
$ifacezone = $zone if $host eq ALLIP; $ifacezone = $zone if $host eq ALLIP;
} }
@ -535,15 +543,17 @@ sub add_group_to_zone($$$$$)
$zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback}; $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};
my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
$hostsref = ( $zoneref->{hosts} || ( $zoneref->{hosts} = {} ) ); $hostsref = ( $zoneref->{hosts} || ( $zoneref->{hosts} = {} ) );
$typeref = ( $hostsref->{$type} || ( $hostsref->{$type} = {} ) ); $typeref = ( $hostsref->{$gtype} || ( $hostsref->{$gtype} = {} ) );
$interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) ); $interfaceref = ( $typeref->{$interface} || ( $typeref->{$interface} = [] ) );
$zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ); $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
push @{$interfaceref}, { options => $options, push @{$interfaceref}, { options => $options,
hosts => \@newnetworks, hosts => \@newnetworks,
ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' , ipsec => $type == IPSEC ? 'ipsec' : 'none' ,
exclusions => \@exclusions }; exclusions => \@exclusions };
} }
@ -578,7 +588,7 @@ sub all_zones() {
} }
sub non_firewall_zones() { sub non_firewall_zones() {
grep ( $zones{$_}{type} ne 'firewall' , @zones ); grep ( $zones{$_}{type} != FIREWALL , @zones );
} }
sub complex_zones() { sub complex_zones() {
@ -675,7 +685,7 @@ sub validate_interfaces_file( $ )
$zoneref = $zones{$zone}; $zoneref = $zones{$zone};
fatal_error "Unknown zone ($zone)" unless $zoneref; fatal_error "Unknown zone ($zone)" unless $zoneref;
fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} eq 'firewall'; fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
} }
$networks = '' if $networks eq '-'; $networks = '' if $networks eq '-';
@ -691,7 +701,7 @@ sub validate_interfaces_file( $ )
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport'; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
if ( $zone ) { if ( $zone ) {
if ( $zoneref->{bridge} ) { if ( $zoneref->{bridge} ) {
@ -709,7 +719,7 @@ sub validate_interfaces_file( $ )
$interface = $port; $interface = $port;
} else { } else {
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport'; fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
$bridge = $interface; $bridge = $interface;
} }
@ -1054,7 +1064,7 @@ sub validate_hosts_file()
my $type = $zoneref->{type}; my $type = $zoneref->{type};
fatal_error "Unknown ZONE ($zone)" unless $type; fatal_error "Unknown ZONE ($zone)" unless $type;
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall'; fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
my $interface; my $interface;
@ -1078,7 +1088,7 @@ sub validate_hosts_file()
} }
} }
if ( $type eq 'bport' ) { if ( $type == BPORT ) {
if ( $zoneref->{bridge} eq '' ) { if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge}; $zoneref->{bridge} = $interfaces{$interface}{bridge};
@ -1096,7 +1106,7 @@ sub validate_hosts_file()
for my $option ( @options ) for my $option ( @options )
{ {
if ( $option eq 'ipsec' ) { if ( $option eq 'ipsec' ) {
$type = 'ipsec'; $type = IPSEC;
$zoneref->{options}{complex} = 1; $zoneref->{options}{complex} = 1;
$ipsec = 1; $ipsec = 1;
} elsif ( $validoptions{$option}) { } elsif ( $validoptions{$option}) {
@ -1148,7 +1158,7 @@ sub find_hosts_by_option( $ ) {
my $option = $_[0]; my $option = $_[0];
my @hosts; my @hosts;
for my $zone ( grep $zones{$_}{type} ne 'firewall' , @zones ) { for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
for my $host ( @{$arrayref} ) { for my $host ( @{$arrayref} ) {