Removal of IPv4-only values

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8951 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-08 21:49:50 +00:00
parent 4812fb6d2d
commit 285225b87a
11 changed files with 112 additions and 104 deletions


@ -1,2 +1,2 @@
This is the Shorewall-perl development 4.2 branch of SVN.
This is the Shorewall-perl development 4.3 branch of SVN.


@ -111,25 +111,25 @@ sub process_accounting_rule( $$$$$$$$$ ) {
my $restriction = NO_RESTRICT;
$source = ALLIPv4 if $source eq 'any' || $source eq 'all';
$source = ALLIP if $source eq 'any' || $source eq 'all';
if ( have_bridges ) {
my $fw = firewall_zone;
if ( $source =~ /^$fw:?(.*)$/ ) {
$source = $1 ? $1 : ALLIPv4;
$source = $1 ? $1 : ALLIP;
$restriction = OUTPUT_RESTRICT;
$chain = 'accountout' unless $chain and $chain ne '-';
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all';
$dest = ALLIP if $dest eq 'any' || $dest eq 'all';
} else {
$chain = 'accounting' unless $chain and $chain ne '-';
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) {
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
expand_rule(
ensure_filter_chain( 'accountout' , 0 ) ,
OUTPUT_RESTRICT ,
$rule ,
$source ,
$dest = ALLIPv4 ,
$dest = ALLIP ,
'' ,
'' ,
$target ,
@ -140,7 +140,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
}
} else {
$chain = 'accounting' unless $chain and $chain ne '-';
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all';
$dest = ALLIP if $dest eq 'any' || $dest eq 'all';
}
my $chainref = ensure_accounting_chain $chain;


@ -150,7 +150,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal');
our $VERSION = 4.1.5;
our $VERSION = 4.3.0;
#
# Chain Table
@ -623,13 +623,13 @@ sub use_input_chain($) {
#
# Interface associated with a single zone -- use the zone's input chain if it has one
#
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone4}};
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
return 0 if $chainref;
#
# Use the '<zone>2fw' chain if it is referenced.
#
$chainref = $filter_table->{join( '' , $interfaceref->{zone4} , '2' , firewall_zone )};
$chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
}
@ -667,13 +667,13 @@ sub use_output_chain($) {
#
# Interface associated with a single zone -- use the zone's output chain if it has one
#
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone4}};
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
return 0 if $chainref;
#
# Use the 'fw2<zone>' chain if it is referenced.
#
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone4} )};
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
}
@ -1553,7 +1553,7 @@ sub match_source_net( $;$ ) {
"-s ! $net ";
} else {
validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-s $net ";
$net eq ALLIP ? '' : "-s $net ";
}
}
@ -1577,7 +1577,7 @@ sub match_dest_net( $ ) {
"-d ! $net ";
} else {
validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-d $net ";
$net eq ALLIP ? '' : "-d $net ";
}
}
@ -1587,7 +1587,7 @@ sub match_dest_net( $ ) {
sub match_orig_dest ( $ ) {
my $net = $_[0];
return '' if $net eq ALLIPv4;
return '' if $net eq ALLIP;
return '' unless $capabilities{CONNTRACK_MATCH};
if ( $net =~ s/^!// ) {
@ -1595,7 +1595,7 @@ sub match_orig_dest ( $ ) {
$capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
} else {
validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
}
}
@ -1608,7 +1608,7 @@ sub match_ipsec_in( $$ ) {
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) {
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@ -1626,7 +1626,7 @@ sub match_ipsec_out( $$ ) {
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) {
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
@ -2210,12 +2210,12 @@ sub expand_rule( $$$$$$$$$$$ )
$dexcl = '';
}
$inets = ALLIPv4 unless $inets;
$dnets = ALLIPv4 unless $dnets;
$onets = ALLIPv4 unless $onets;
$inets = ALLIP unless $inets;
$dnets = ALLIP unless $dnets;
$onets = ALLIP unless $onets;
fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4;
fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4;
fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIP;
fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIP;
if ( $iexcl || $dexcl || $oexcl ) {
#


@ -62,7 +62,7 @@ use constant { EXPORT => 0x01 ,
sub reinitialize() {
Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family);
Shorewall::Zones::initialize;
Shorewall::Zones::initialize ($family);
Shorewall::Policy::initialize;
Shorewall::Nat::initialize;
Shorewall::Providers::initialize;


@ -119,7 +119,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
Exporter::export_ok_tags('internal');
our $VERSION = 4.2.0;
our $VERSION = 4.3.0;
#
# describe the current command, it's present progressive, and it's completion.
@ -1453,7 +1453,7 @@ sub default_yes_no ( $$ ) {
sub default_yes_no_ipv4 ( $$ ) {
my ( $var, $val ) = @_;
default_yes_no( $var, $val );
warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV4 && $config{$var};
warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
}
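Review bot: The corrected family test in `default_yes_no_ipv4` now emits the "ignored for IPv6" warning at the right time, but `$config{$var}` keeps its truthy value afterwards, so the promise that the option is ignored rests on every downstream consumer remembering to check `$family`. If the option should genuinely be inert under IPv6, consider neutralising it in the same place, e.g. `$config{$var} = '' if $family == F_IPV6;` after the warning (using whatever false value `default_yes_no` itself assigns for "No", which is not visible in this hunk). That keeps the firewall rule generators from accidentally honouring an IPv4-only setting in an IPv6 compile.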
my %validlevels = ( DEBUG => 7,


@ -55,10 +55,6 @@ our @EXPORT = qw( ALLIPv4
rfc1918_networks
resolve_proto
proto_name
use_ipv4_addrs
use_ipv6_addrs
using_ipv4_addrs
using_ipv6_addrs
validate_port
validate_portpair
validate_port_list
@ -84,22 +80,6 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
sub use_ipv4_addrs() {
$family = F_IPV4;
}
sub using_ipv4() {
$family == F_IPV4;
}
sub use_ipv6_addrs() {
$family = F_IPV6;
}
sub using_ipv6() {
$family == F_IPV6;
}
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
@ -109,12 +89,12 @@ sub using_ipv6() {
# the second and subsequent calls to that function.
#
sub initialize() {
use_ipv4_addrs;
sub initialize( $ ) {
$family = shift;
}
INIT {
initialize;
initialize( F_IPV4 );
}
sub vlsm_to_mask( $ ) {
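Review bot: The new `initialize( $ )` stores whatever it is handed in `$family` with no check, so a caller passing anything other than F_IPV4/F_IPV6 leaves every family test in the compiler silently false; a guard after the shift such as `fatal_error "Invalid address family ($family)" unless $family == F_IPV4 || $family == F_IPV6;` would catch that early (assuming `fatal_error` is in scope in this module as it is in the others). Separately, the definition of the ALLIP/allip values that replace ALLIPv4 throughout this commit is not in the hunks shown — `use constant { ALLIPv4 => '0.0.0.0/0' ,` at the top of this hunk is the only address constant visible. If ALLIP is a compile-time constant rather than a sub consulting `$family`, the `eq ALLIP` comparisons in Chains.pm and Rules.pm would never recognise `::/0` in an IPv6 compile and an explicit `-s 0.0.0.0/0` match would be emitted instead of an empty one, so it is worth confirming ALLIP is family-aware. Also note the export list still advertises `ALLIPv4`, while the names dropped from it (`using_ipv4_addrs`/`using_ipv6_addrs`) never matched the removed subs `using_ipv4`/`using_ipv6`.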


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = 4.1.1;
our $VERSION = 4.3.0;
# @policy_chains is a list of references to policy chains in the filter table
@ -269,7 +269,7 @@ sub validate_policy()
}
unless ( $clientwild || $serverwild ) {
if ( zone_type( $server ) eq 'bport4' ) {
if ( zone_type( $server ) eq 'bport' ) {
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
}


@ -419,14 +419,14 @@ sub add_an_rtrule( $$$$ ) {
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
if ( $dest eq '-' ) {
$dest = 'to ' . ALLIPv4;
$dest = 'to ' . ALLIP;
} else {
validate_net( $dest, 0 );
$dest = "to $dest";
}
if ( $source eq '-' ) {
$source = 'from ' . ALLIPv4;
$source = 'from ' . ALLIP;
} elsif ( $source =~ /:/ ) {
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
fatal_error "Invalid SOURCE" if defined $remainder;


@ -177,7 +177,7 @@ sub setup_ecn()
$interfaces{$interface} = 1;
$hosts = ALLIPv4 if $hosts eq '-';
$hosts = ALLIP if $hosts eq '-';
for my $host( split_list $hosts, 'address' ) {
validate_host( $host , 1 );
@ -361,7 +361,7 @@ sub process_criticalhosts() {
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$hosts = ALLIPv4 unless $hosts ne '-';
$hosts = ALLIP unless $hosts ne '-';
my @hosts;
@ -402,7 +402,7 @@ sub process_routestopped() {
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
$hosts = ALLIP unless $hosts && $hosts ne '-';
my @hosts;
@ -1034,7 +1034,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source = $2;
} else {
$sourcezone = $source;
$source = ALLIPv4;
$source = ALLIP;
}
if ( $dest =~ /^(.*?):(.*)/ ) {
@ -1048,7 +1048,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$destzone = '-';
} else {
$destzone = $dest;
$dest = ALLIPv4;
$dest = ALLIP;
}
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
@ -1073,7 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
# For compatibility with older Shorewall versions
#
$origdest = ALLIPv4 if $origdest eq 'all';
$origdest = ALLIP if $origdest eq 'all';
#
# Take care of chain
@ -1083,7 +1083,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
# Check for illegal bridge port rule
#
if ( $destref->{type} eq 'bport4' ) {
if ( $destref->{type} eq 'bport' ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@ -1178,14 +1178,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$target = '-j REDIRECT ';
$target .= "--to-port $serverport " if $serverport;
if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4;
$origdest = ALLIP;
} elsif ( $origdest eq 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
} else {
$origdest = ALLIPv4;
$origdest = ALLIP;
}
}
} else {
@ -1218,9 +1218,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
} else {
$origdest = ALLIPv4;
$origdest = ALLIP;
}
}
}
@ -1265,7 +1265,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $origdest eq 'detect' ) {
my $interfacesref = $sourceref->{interfaces};
my $interfaces = "@$interfacesref";
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
$origdest = $interfaces ? "detect:$interfaces" : ALLIP;
}
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
@ -1604,7 +1604,7 @@ sub generate_matrix() {
if ( $capabilities{POLICY_MATCH} ) {
my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref;
@ -1821,7 +1821,7 @@ sub generate_matrix() {
next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
}
if ( $zone1ref->{type} eq 'bport4' ) {
if ( $zone1ref->{type} eq 'bport' ) {
next unless $zoneref->{bridge} eq $zone1ref->{bridge};
}
@ -1873,7 +1873,7 @@ sub generate_matrix() {
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
}
if ( $zone1ref->{type} eq 'bport4' ) {
if ( $zone1ref->{type} eq 'bport' ) {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
}


@ -83,7 +83,7 @@ sub setup_tunnels() {
unless ( $gatewayzones eq '-' ) {
for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport';
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
@ -238,12 +238,12 @@ sub setup_tunnels() {
my $zonetype = zone_type( $zone );
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport';
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
$gateway = ALLIPv4 if $gateway eq '-';
$gateway = ALLIP if $gateway eq '-';
my $source = match_source_net $gateway;
my $dest = match_dest_net $gateway;


@ -82,7 +82,7 @@ use constant { NOTHING => 'NOTHING',
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
#
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4';
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ip', 'ipsec', 'bport';
# options => { complex => 0|1
# nested => 0|1
# in_out => < policy match string >
@ -127,7 +127,7 @@ our %reservedName = ( all => 1,
# options => { <option1> = <val1> ,
# ...
# }
# zone4 => <zone name>
# zone => <zone name>
# nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge>
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@ -138,6 +138,7 @@ our %reservedName = ( all => 1,
our @interfaces;
our %interfaces;
our @bport_zones;
our $family;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@ -148,7 +149,8 @@ our @bport_zones;
# the second and subsequent calls to that function.
#
sub initialize() {
sub initialize( $ ) {
$family = shift;
@zones = ();
%zones = ();
$firewall_zone = '';
@ -159,7 +161,7 @@ sub initialize() {
}
INIT {
initialize;
initialize( F_IPV4 );
}
#
@ -219,7 +221,7 @@ sub parse_zone_option_list($$)
if ( $key{$e} ) {
$h{$e} = $val;
} else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4';
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec';
$options .= $invert;
$options .= "--$e ";
$options .= "$val "if defined $val;
@ -239,7 +241,7 @@ sub determine_zones()
{
my @z;
my $ipv4 = 0;
my $ip = 0;
my $fn = open_file 'zones';
@ -267,16 +269,23 @@ sub determine_zones()
fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
$type = "ipv4" unless $type;
$type = "ip" unless $type;
if ( $type =~ /ipv4/i ) {
$type = 'ipv4';
$ipv4 = 1;
} elsif ( $type =~ /^ipsec4?$/i ) {
$type = 'ipsec4';
} elsif ( $type =~ /^bport4?$/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
$type = 'ip';
$ip = 1;
} elsif ( $type =~ /ipv6/i ) {
fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
$type = 'ip';
$ip = 1;
} elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 );
$type = 'ipsec';
} elsif ( $type =~ /^bport([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 );
warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport4';
$type = 'bport';
push @bport_zones, $zone;
} elsif ( $type eq 'firewall' ) {
fatal_error 'Firewall zone may not be nested' if @parents;
@ -285,8 +294,8 @@ sub determine_zones()
$ENV{FW} = $zone;
$type = "firewall";
} elsif ( $type eq '-' ) {
$type = 'ipv4';
$ipv4 = 1;
$type = 'ip';
$ip = 1;
} else {
fatal_error "Invalid zone type ($type)" ;
}
@ -302,7 +311,7 @@ sub determine_zones()
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) ,
complex => ($type eq 'ipsec' || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } ,
interfaces => {} ,
children => [] ,
@ -312,7 +321,7 @@ sub determine_zones()
}
fatal_error "No firewall zone defined" unless $firewall_zone;
fatal_error "No IPv4 zones defined" unless $ipv4;
fatal_error "No IP zones defined" unless $ip;
my %ordered;
@ -340,7 +349,7 @@ sub determine_zones()
#
sub haveipseczones() {
for my $zoneref ( values %zones ) {
return 1 if $zoneref->{type} eq 'ipsec4';
return 1 if $zoneref->{type} eq 'ipsec';
}
0;
@ -353,6 +362,8 @@ sub zone_report()
{
progress_message2 "Determining Hosts in Zones...";
my $ipzone = $family == F_IPV4 ? 'ipv4' : 'ipv6';
for my $zone ( @zones )
{
my $zoneref = $zones{$zone};
@ -360,6 +371,8 @@ sub zone_report()
my $type = $zoneref->{type};
my $optionref = $zoneref->{options};
$type = $ipzone if $type eq 'ip';
progress_message " $zone ($type)";
my $printed = 0;
@ -384,7 +397,7 @@ sub zone_report()
}
unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport4' && ! $zoneref->{bridge};
fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport' && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall';
}
@ -393,6 +406,18 @@ sub zone_report()
sub dump_zone_contents()
{
my %xlate;
if ( $family == F_IPV4 ) {
%xlate = ( ip => 'ipv4' ,
bport => 'bport4' ,
ipsec => 'ipsec4' )
} else {
%xlate = ( ip => 'ipv6' ,
bport => 'bport6' ,
ipsec => 'ipsec6' )
}
for my $zone ( @zones )
{
my $zoneref = $zones{$zone};
@ -400,9 +425,12 @@ sub dump_zone_contents()
my $type = $zoneref->{type};
my $optionref = $zoneref->{options};
my $exclusions = $zoneref->{exclusions};
$type = $xlate{$type} if $xlate{$type};
my $entry = "$zone $type";
$entry .= ":$zoneref->{bridge}" if $type eq 'bport4';
$entry .= ":$zoneref->{bridge}" if $type =~ /^bport/;
if ( $hostref ) {
for my $type ( sort keys %$hostref ) {
@ -455,7 +483,7 @@ sub add_group_to_zone($$$$$)
my $arrayref;
my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type};
my $ifacezone = $interfaces{$interface}{zone4};
my $ifacezone = $interfaces{$interface}{zone};
$zoneref->{interfaces}{$interface} = 1;
@ -481,7 +509,7 @@ sub add_group_to_zone($$$$$)
unless ( $switched ) {
if ( $type eq $zonetype ) {
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
$ifacezone = $zone if $host eq ALLIPv4;
$ifacezone = $zone if $host eq ALLIP;
}
}
@ -506,7 +534,7 @@ sub add_group_to_zone($$$$$)
push @{$arrayref}, { options => $options,
hosts => \@newnetworks,
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' };
}
#
@ -624,7 +652,7 @@ sub validate_interfaces_file( $ )
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4';
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport';
if ( $zone ) {
if ( $zoneref->{bridge} ) {
@ -644,7 +672,7 @@ sub validate_interfaces_file( $ )
$interface = $port;
} else {
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport';
$bridge = $interface;
}
@ -746,11 +774,11 @@ sub validate_interfaces_file( $ )
push @ifaces, $interface;
my @networks = allipv4;
my @networks = allip;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
$interfaces{$interface}{zone4} = $zone; #Must follow the call to add_group_to_zone()
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$currentline\" Validated";
@ -949,7 +977,7 @@ sub validate_hosts_file()
fatal_error "Invalid HOST(S) column contents: $hosts";
}
if ( $type eq 'bport4' ) {
if ( $type eq 'bport' ) {
if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge};
@ -967,7 +995,7 @@ sub validate_hosts_file()
for my $option ( @options )
{
if ( $option eq 'ipsec' ) {
$type = 'ipsec4';
$type = 'ipsec';
$zoneref->{options}{complex} = 1;
$ipsec = 1;
} elsif ( $validoptions{$option}) {
@ -993,7 +1021,7 @@ sub validate_hosts_file()
#
# Take care of case where the hosts list begins with '!'
#
$hosts = join( '', ALLIPv4 , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
$hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
@ -1026,8 +1054,8 @@ sub find_hosts_by_option( $ ) {
}
for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone4} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIPv4 ];
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIP ];
}
}
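Review bot: In `determine_zones`, the new `ipsec([46])?` and `bport([46])?` branches evaluate `$1 == 4` even when the optional suffix is absent, so a plain `ipsec` or `bport` zone type leaves `$1` undefined and raises a "Use of uninitialized value" warning on every compile if the module runs under `use warnings` (the comparison itself is harmless, undef numifies to 0). Guard the capture first in both branches: `fatal_error "Invalid zone type ($type)" if defined $1 && ( ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 ) );`. The new `/ipv6/i` test copies the unanchored `/ipv4/i` pattern above it, so any type string containing `ipv6` is accepted; anchoring it as `/^ipv6$/i` would bring it in line with the anchored ipsec/bport checks. The remainder of `determine_zones` lies outside the hunks shown.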