Removal of IPv4-only values

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8951 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-08 21:49:50 +00:00
parent 4812fb6d2d
commit 285225b87a
11 changed files with 112 additions and 104 deletions


@ -1,2 +1,2 @@
This is the Shorewall-perl development 4.2 branch of SVN. This is the Shorewall-perl development 4.3 branch of SVN.


@ -111,25 +111,25 @@ sub process_accounting_rule( $$$$$$$$$ ) {
my $restriction = NO_RESTRICT; my $restriction = NO_RESTRICT;
$source = ALLIPv4 if $source eq 'any' || $source eq 'all'; $source = ALLIP if $source eq 'any' || $source eq 'all';
if ( have_bridges ) { if ( have_bridges ) {
my $fw = firewall_zone; my $fw = firewall_zone;
if ( $source =~ /^$fw:?(.*)$/ ) { if ( $source =~ /^$fw:?(.*)$/ ) {
$source = $1 ? $1 : ALLIPv4; $source = $1 ? $1 : ALLIP;
$restriction = OUTPUT_RESTRICT; $restriction = OUTPUT_RESTRICT;
$chain = 'accountout' unless $chain and $chain ne '-'; $chain = 'accountout' unless $chain and $chain ne '-';
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; $dest = ALLIP if $dest eq 'any' || $dest eq 'all';
} else { } else {
$chain = 'accounting' unless $chain and $chain ne '-'; $chain = 'accounting' unless $chain and $chain ne '-';
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) { if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
expand_rule( expand_rule(
ensure_filter_chain( 'accountout' , 0 ) , ensure_filter_chain( 'accountout' , 0 ) ,
OUTPUT_RESTRICT , OUTPUT_RESTRICT ,
$rule , $rule ,
$source , $source ,
$dest = ALLIPv4 , $dest = ALLIP ,
'' , '' ,
'' , '' ,
$target , $target ,
@ -140,7 +140,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
} }
} else { } else {
$chain = 'accounting' unless $chain and $chain ne '-'; $chain = 'accounting' unless $chain and $chain ne '-';
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; $dest = ALLIP if $dest eq 'any' || $dest eq 'all';
} }
my $chainref = ensure_accounting_chain $chain; my $chainref = ensure_accounting_chain $chain;
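Review bot: The `$dest eq ALLIP` comparison at L29 (and the `any`/`all` defaults at L19, L26, L43) decides "all addresses" by string equality, which becomes fragile once ALLIP can be an IPv6 prefix: if ALLIP resolves to `::/0` under F_IPV6, equivalent spellings such as `0::/0` or `0:0:0:0:0:0:0:0/0` are not recognised and the rule silently takes the `accounting` branch instead of `accountout`. A single normalising predicate next to validate_net (say, one that canonicalises the net before comparing with ALLIP) would let this site and the same comparisons in Chains.pm (`match_source_net`, `match_dest_net`, `match_orig_dest`, `expand_rule`) share one definition instead of repeating the `eq`. process_accounting_rule starts before this hunk and continues after it.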


@ -150,7 +150,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = 4.1.5; our $VERSION = 4.3.0;
# #
# Chain Table # Chain Table
@ -623,13 +623,13 @@ sub use_input_chain($) {
# #
# Interface associated with a single zone -- use the zone's input chain if it has one # Interface associated with a single zone -- use the zone's input chain if it has one
# #
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone4}}; my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
return 0 if $chainref; return 0 if $chainref;
# #
# Use the '<zone>2fw' chain if it is referenced. # Use the '<zone>2fw' chain if it is referenced.
# #
$chainref = $filter_table->{join( '' , $interfaceref->{zone4} , '2' , firewall_zone )}; $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
@ -667,13 +667,13 @@ sub use_output_chain($) {
# #
# Interface associated with a single zone -- use the zone's output chain if it has one # Interface associated with a single zone -- use the zone's output chain if it has one
# #
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone4}}; my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
return 0 if $chainref; return 0 if $chainref;
# #
# Use the 'fw2<zone>' chain if it is referenced. # Use the 'fw2<zone>' chain if it is referenced.
# #
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone4} )}; $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
@ -1553,7 +1553,7 @@ sub match_source_net( $;$ ) {
"-s ! $net "; "-s ! $net ";
} else { } else {
validate_net $net, 1; validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-s $net "; $net eq ALLIP ? '' : "-s $net ";
} }
} }
@ -1577,7 +1577,7 @@ sub match_dest_net( $ ) {
"-d ! $net "; "-d ! $net ";
} else { } else {
validate_net $net, 1; validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-d $net "; $net eq ALLIP ? '' : "-d $net ";
} }
} }
@ -1587,7 +1587,7 @@ sub match_dest_net( $ ) {
sub match_orig_dest ( $ ) { sub match_orig_dest ( $ ) {
my $net = $_[0]; my $net = $_[0];
return '' if $net eq ALLIPv4; return '' if $net eq ALLIP;
return '' unless $capabilities{CONNTRACK_MATCH}; return '' unless $capabilities{CONNTRACK_MATCH};
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
@ -1595,7 +1595,7 @@ sub match_orig_dest ( $ ) {
$capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; $capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
} else { } else {
validate_net $net, 1; validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; $net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
} }
} }
@ -1608,7 +1608,7 @@ sub match_ipsec_in( $$ ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options}; my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@ -1626,7 +1626,7 @@ sub match_ipsec_out( $$ ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options}; my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
@ -2210,12 +2210,12 @@ sub expand_rule( $$$$$$$$$$$ )
$dexcl = ''; $dexcl = '';
} }
$inets = ALLIPv4 unless $inets; $inets = ALLIP unless $inets;
$dnets = ALLIPv4 unless $dnets; $dnets = ALLIP unless $dnets;
$onets = ALLIPv4 unless $onets; $onets = ALLIP unless $onets;
fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4; fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIP;
fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4; fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIP;
if ( $iexcl || $dexcl || $oexcl ) { if ( $iexcl || $dexcl || $oexcl ) {
# #
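Review bot: `our $VERSION = 4.3.0;` at L51 is a bare three-part numeric literal, which Perl parses as a v-string (three packed characters) rather than the number or string that version tooling and `use Module VERSION` checks expect; quote it, `our $VERSION = '4.3.0';`. The previous `4.1.5` had the same problem, but the commit rewrites the line here and in Config.pm and Policy.pm, so all three can be fixed together. The remaining hunks are the `ALLIPv4`→`ALLIP`, `zone4`→`zone` and `ipsec4`→`ipsec` renames; their enclosing subs start before and end after the hunks.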


@ -62,7 +62,7 @@ use constant { EXPORT => 0x01 ,
sub reinitialize() { sub reinitialize() {
Shorewall::Config::initialize($family); Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family); Shorewall::Chains::initialize ($family);
Shorewall::Zones::initialize; Shorewall::Zones::initialize ($family);
Shorewall::Policy::initialize; Shorewall::Policy::initialize;
Shorewall::Nat::initialize; Shorewall::Nat::initialize;
Shorewall::Providers::initialize; Shorewall::Providers::initialize;
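Review bot: The visible part of reinitialize() does not pass `$family` to Shorewall::IPAddrs::initialize, although this same commit changes that sub to take the family as its only argument and removes the `use_ipv6_addrs` alternative; unless it is called further down (reinitialize continues past the hunk), IPAddrs keeps the F_IPV4 value set in its INIT block for an IPv6 compile. Adding `Shorewall::IPAddrs::initialize ($family);` next to the Zones call closes that gap. The mixed call style on these lines (with and without parentheses) is also worth unifying now that a third initializer takes an argument.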


@ -119,7 +119,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = 4.2.0; our $VERSION = 4.3.0;
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
@ -1453,7 +1453,7 @@ sub default_yes_no ( $$ ) {
sub default_yes_no_ipv4 ( $$ ) { sub default_yes_no_ipv4 ( $$ ) {
my ( $var, $val ) = @_; my ( $var, $val ) = @_;
default_yes_no( $var, $val ); default_yes_no( $var, $val );
warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV4 && $config{$var}; warning_message "$var=Yes is ignored for IPv6" if $family == F_IPV6 && $config{$var};
} }
my %validlevels = ( DEBUG => 7, my %validlevels = ( DEBUG => 7,
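Review bot: The corrected condition at L152 warns that `$var=Yes` is ignored under IPv6 but leaves `$config{$var}` set, so any consumer that does not itself test `$family` will still honour the option and the message is not true. If default_yes_no stores the empty string for No, resetting the value after the warning, `$config{$var} = '';` inside the same `$family == F_IPV6` branch, makes "ignored" hold regardless of the caller. default_yes_no_ipv4 is fully visible in the hunk; the `our $VERSION = 4.3.0;` v-string at L145 is noted on Chains.pm.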


@ -55,10 +55,6 @@ our @EXPORT = qw( ALLIPv4
rfc1918_networks rfc1918_networks
resolve_proto resolve_proto
proto_name proto_name
use_ipv4_addrs
use_ipv6_addrs
using_ipv4_addrs
using_ipv6_addrs
validate_port validate_port
validate_portpair validate_portpair
validate_port_list validate_port_list
@ -84,22 +80,6 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
sub use_ipv4_addrs() {
$family = F_IPV4;
}
sub using_ipv4() {
$family == F_IPV4;
}
sub use_ipv6_addrs() {
$family = F_IPV6;
}
sub using_ipv6() {
$family == F_IPV6;
}
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
@ -109,12 +89,12 @@ sub using_ipv6() {
# the second and subsequent calls to that function. # the second and subsequent calls to that function.
# #
sub initialize() { sub initialize( $ ) {
use_ipv4_addrs; $family = shift;
} }
INIT { INIT {
initialize; initialize( F_IPV4 );
} }
sub vlsm_to_mask( $ ) { sub vlsm_to_mask( $ ) {
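Review bot: `initialize( $ )` at L189-190 stores whatever it is handed without checking that it is F_IPV4 or F_IPV6, so an undefined or mistyped family makes every later `$family == F_IPV6` test false and silently yields IPv4 behaviour; a guard such as `fatal_error "Invalid address family" unless $family == F_IPV4 || $family == F_IPV6;` (assuming fatal_error is in scope here as in the other modules) turns that into a hard error at the one entry point. Removing `use_ipv4_addrs`/`use_ipv6_addrs` also takes away the only exported way to switch the family after load, so every compiler entry point now has to call initialize with the family, as the Compiler.pm hunk does for Zones.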


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = 4.1.1; our $VERSION = 4.3.0;
# @policy_chains is a list of references to policy chains in the filter table # @policy_chains is a list of references to policy chains in the filter table
@ -269,7 +269,7 @@ sub validate_policy()
} }
unless ( $clientwild || $serverwild ) { unless ( $clientwild || $serverwild ) {
if ( zone_type( $server ) eq 'bport4' ) { if ( zone_type( $server ) eq 'bport' ) {
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge" fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge}; unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
} }
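Review bot: The `@EXPORT` list at L201 still contains a stray `sub` token between complete_standard_chain and setup_syn_flood_chains, so Exporter aliases a nonexistent `Shorewall::Policy::sub` into every importing package; since the line is in this hunk, drop the token: `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`. The `bport4`→`bport` comparison at L208 matches the new type names assigned in Zones.pm. validate_policy starts before the second hunk and continues after it.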


@ -419,14 +419,14 @@ sub add_an_rtrule( $$$$ ) {
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
$dest = 'to ' . ALLIPv4; $dest = 'to ' . ALLIP;
} else { } else {
validate_net( $dest, 0 ); validate_net( $dest, 0 );
$dest = "to $dest"; $dest = "to $dest";
} }
if ( $source eq '-' ) { if ( $source eq '-' ) {
$source = 'from ' . ALLIPv4; $source = 'from ' . ALLIP;
} elsif ( $source =~ /:/ ) { } elsif ( $source =~ /:/ ) {
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 ); ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
fatal_error "Invalid SOURCE" if defined $remainder; fatal_error "Invalid SOURCE" if defined $remainder;
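Review bot: `elsif ( $source =~ /:/ )` at L225 treats any colon as the `interface:address` separator, so if this function is meant to accept IPv6 sources (the reason `ALLIPv4` becomes `ALLIP` at L224), a bare prefix such as `2001:db8::/32` is split at its first two colons by the `split( /:/, $source, 3 )` on L226 and rejected by the `Invalid SOURCE` check at L227. The interface form needs a test that cannot match an address, for example requiring the text before the first colon to be a known interface before splitting, with everything else passed to validate_net as an address. add_an_rtrule starts before this hunk and continues after it.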


@ -177,7 +177,7 @@ sub setup_ecn()
$interfaces{$interface} = 1; $interfaces{$interface} = 1;
$hosts = ALLIPv4 if $hosts eq '-'; $hosts = ALLIP if $hosts eq '-';
for my $host( split_list $hosts, 'address' ) { for my $host( split_list $hosts, 'address' ) {
validate_host( $host , 1 ); validate_host( $host , 1 );
@ -361,7 +361,7 @@ sub process_criticalhosts() {
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$hosts = ALLIPv4 unless $hosts ne '-'; $hosts = ALLIP unless $hosts ne '-';
my @hosts; my @hosts;
@ -402,7 +402,7 @@ sub process_routestopped() {
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$hosts = ALLIPv4 unless $hosts && $hosts ne '-'; $hosts = ALLIP unless $hosts && $hosts ne '-';
my @hosts; my @hosts;
@ -1034,7 +1034,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source = $2; $source = $2;
} else { } else {
$sourcezone = $source; $sourcezone = $source;
$source = ALLIPv4; $source = ALLIP;
} }
if ( $dest =~ /^(.*?):(.*)/ ) { if ( $dest =~ /^(.*?):(.*)/ ) {
@ -1048,7 +1048,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$destzone = '-'; $destzone = '-';
} else { } else {
$destzone = $dest; $destzone = $dest;
$dest = ALLIPv4; $dest = ALLIP;
} }
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
@ -1073,7 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# For compatibility with older Shorewall versions # For compatibility with older Shorewall versions
# #
$origdest = ALLIPv4 if $origdest eq 'all'; $origdest = ALLIP if $origdest eq 'all';
# #
# Take care of chain # Take care of chain
@ -1083,7 +1083,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
# Check for illegal bridge port rule # Check for illegal bridge port rule
# #
if ( $destref->{type} eq 'bport4' ) { if ( $destref->{type} eq 'bport' ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard; return 1 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@ -1178,14 +1178,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$target = '-j REDIRECT '; $target = '-j REDIRECT ';
$target .= "--to-port $serverport " if $serverport; $target .= "--to-port $serverport " if $serverport;
if ( $origdest eq '' || $origdest eq '-' ) { if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4; $origdest = ALLIP;
} elsif ( $origdest eq 'detect' ) { } elsif ( $origdest eq 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces}; my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref; my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
} else { } else {
$origdest = ALLIPv4; $origdest = ALLIP;
} }
} }
} else { } else {
@ -1218,9 +1218,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces}; my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref; my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
} else { } else {
$origdest = ALLIPv4; $origdest = ALLIP;
} }
} }
} }
@ -1265,7 +1265,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $origdest eq 'detect' ) { if ( $origdest eq 'detect' ) {
my $interfacesref = $sourceref->{interfaces}; my $interfacesref = $sourceref->{interfaces};
my $interfaces = "@$interfacesref"; my $interfaces = "@$interfacesref";
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4; $origdest = $interfaces ? "detect:$interfaces" : ALLIP;
} }
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
@ -1604,7 +1604,7 @@ sub generate_matrix() {
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref; my $sourcechainref;
@ -1821,7 +1821,7 @@ sub generate_matrix() {
next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
} }
if ( $zone1ref->{type} eq 'bport4' ) { if ( $zone1ref->{type} eq 'bport' ) {
next unless $zoneref->{bridge} eq $zone1ref->{bridge}; next unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }
@ -1873,7 +1873,7 @@ sub generate_matrix() {
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions ); next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
} }
if ( $zone1ref->{type} eq 'bport4' ) { if ( $zone1ref->{type} eq 'bport' ) {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge}; next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }
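Review bot: `my $interfaces = "@$interfacesref";` at L301 dereferences `$sourceref->{interfaces}` as an array, while the two parallel `detect` branches at L280-282 and L290-292 (and Zones.pm, which fills it with `$zoneref->{interfaces}{$interface} = 1`) treat it as a hash; under `use strict` that line dies with "Not an ARRAY reference" the first time an ORIGINAL DEST of `detect` reaches this branch. Replace L301-302 with the form used above, `my @interfaces = keys %$interfacesref;` and `$origdest = @interfaces ? "detect:@interfaces" : ALLIP;`. With three copies of this computation in process_rule1, a small helper would also remove the drift that let the mismatch survive. process_rule1 starts before these hunks and continues after them.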


@ -83,7 +83,7 @@ sub setup_tunnels() {
unless ( $gatewayzones eq '-' ) { unless ( $gatewayzones eq '-' ) {
for my $zone ( split_list $gatewayzones, 'zone' ) { for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone ); my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4'; fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport';
$inchainref = ensure_filter_chain "${zone}2${fw}", 1; $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
$outchainref = ensure_filter_chain "${fw}2${zone}", 1; $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
@ -238,12 +238,12 @@ sub setup_tunnels() {
my $zonetype = zone_type( $zone ); my $zonetype = zone_type( $zone );
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport4'; fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype eq 'firewall' || $zonetype eq 'bport';
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
$gateway = ALLIPv4 if $gateway eq '-'; $gateway = ALLIP if $gateway eq '-';
my $source = match_source_net $gateway; my $source = match_source_net $gateway;
my $dest = match_dest_net $gateway; my $dest = match_dest_net $gateway;


@ -82,7 +82,7 @@ use constant { NOTHING => 'NOTHING',
# #
# @zones contains the ordered list of zones with sub-zones appearing before their parents. # @zones contains the ordered list of zones with sub-zones appearing before their parents.
# #
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4'; # %zones{<zone1> => {type = > <zone type> 'firewall', 'ip', 'ipsec', 'bport';
# options => { complex => 0|1 # options => { complex => 0|1
# nested => 0|1 # nested => 0|1
# in_out => < policy match string > # in_out => < policy match string >
@ -127,7 +127,7 @@ our %reservedName = ( all => 1,
# options => { <option1> = <val1> , # options => { <option1> = <val1> ,
# ... # ...
# } # }
# zone4 => <zone name> # zone => <zone name>
# nets => <number of nets in interface/hosts records referring to this interface> # nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge> # bridge => <bridge>
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@ -138,6 +138,7 @@ our %reservedName = ( all => 1,
our @interfaces; our @interfaces;
our %interfaces; our %interfaces;
our @bport_zones; our @bport_zones;
our $family;
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
@ -148,7 +149,8 @@ our @bport_zones;
# the second and subsequent calls to that function. # the second and subsequent calls to that function.
# #
sub initialize() { sub initialize( $ ) {
$family = shift;
@zones = (); @zones = ();
%zones = (); %zones = ();
$firewall_zone = ''; $firewall_zone = '';
@ -159,7 +161,7 @@ sub initialize() {
} }
INIT { INIT {
initialize; initialize( F_IPV4 );
} }
# #
@ -219,7 +221,7 @@ sub parse_zone_option_list($$)
if ( $key{$e} ) { if ( $key{$e} ) {
$h{$e} = $val; $h{$e} = $val;
} else { } else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4'; fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec';
$options .= $invert; $options .= $invert;
$options .= "--$e "; $options .= "--$e ";
$options .= "$val "if defined $val; $options .= "$val "if defined $val;
@ -239,7 +241,7 @@ sub determine_zones()
{ {
my @z; my @z;
my $ipv4 = 0; my $ip = 0;
my $fn = open_file 'zones'; my $fn = open_file 'zones';
@ -267,16 +269,23 @@ sub determine_zones()
fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/; fatal_error "Invalid zone name ($zone)" if $reservedName{$zone} || $zone =~ /^all2|2all$/;
fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone}; fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
$type = "ipv4" unless $type; $type = "ip" unless $type;
if ( $type =~ /ipv4/i ) { if ( $type =~ /ipv4/i ) {
$type = 'ipv4'; fatal_error "Invalid zone type ($type)" if $family == F_IPV6;
$ipv4 = 1; $type = 'ip';
} elsif ( $type =~ /^ipsec4?$/i ) { $ip = 1;
$type = 'ipsec4'; } elsif ( $type =~ /ipv6/i ) {
} elsif ( $type =~ /^bport4?$/i ) { fatal_error "Invalid zone type ($type)" if $family == F_IPV4;
$type = 'ip';
$ip = 1;
} elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 );
$type = 'ipsec';
} elsif ( $type =~ /^bport([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if ( $1 == 4 && $family == F_IPV6 ) || ( $1 == 6 && $family == F_IPV4 );
warning_message "Bridge Port zones should have a parent zone" unless @parents; warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport4'; $type = 'bport';
push @bport_zones, $zone; push @bport_zones, $zone;
} elsif ( $type eq 'firewall' ) { } elsif ( $type eq 'firewall' ) {
fatal_error 'Firewall zone may not be nested' if @parents; fatal_error 'Firewall zone may not be nested' if @parents;
@ -285,8 +294,8 @@ sub determine_zones()
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = "firewall"; $type = "firewall";
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = 'ipv4'; $type = 'ip';
$ipv4 = 1; $ip = 1;
} else { } else {
fatal_error "Invalid zone type ($type)" ; fatal_error "Invalid zone type ($type)" ;
} }
@ -302,7 +311,7 @@ sub determine_zones()
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) , complex => ($type eq 'ipsec' || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } , nested => @parents > 0 } ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
@ -312,7 +321,7 @@ sub determine_zones()
} }
fatal_error "No firewall zone defined" unless $firewall_zone; fatal_error "No firewall zone defined" unless $firewall_zone;
fatal_error "No IPv4 zones defined" unless $ipv4; fatal_error "No IP zones defined" unless $ip;
my %ordered; my %ordered;
@ -340,7 +349,7 @@ sub determine_zones()
# #
sub haveipseczones() { sub haveipseczones() {
for my $zoneref ( values %zones ) { for my $zoneref ( values %zones ) {
return 1 if $zoneref->{type} eq 'ipsec4'; return 1 if $zoneref->{type} eq 'ipsec';
} }
0; 0;
@ -353,6 +362,8 @@ sub zone_report()
{ {
progress_message2 "Determining Hosts in Zones..."; progress_message2 "Determining Hosts in Zones...";
my $ipzone = $family == F_IPV4 ? 'ipv4' : 'ipv6';
for my $zone ( @zones ) for my $zone ( @zones )
{ {
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
@ -360,6 +371,8 @@ sub zone_report()
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $optionref = $zoneref->{options}; my $optionref = $zoneref->{options};
$type = $ipzone if $type eq 'ip';
progress_message " $zone ($type)"; progress_message " $zone ($type)";
my $printed = 0; my $printed = 0;
@ -384,7 +397,7 @@ sub zone_report()
} }
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport4' && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type eq 'bport' && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall'; warning_message "*** $zone is an EMPTY ZONE ***" unless $type eq 'firewall';
} }
@ -393,6 +406,18 @@ sub zone_report()
sub dump_zone_contents() sub dump_zone_contents()
{ {
my %xlate;
if ( $family == F_IPV4 ) {
%xlate = ( ip => 'ipv4' ,
bport => 'bport4' ,
ipsec => 'ipsec4' )
} else {
%xlate = ( ip => 'ipv6' ,
bport => 'bport6' ,
ipsec => 'ipsec6' )
}
for my $zone ( @zones ) for my $zone ( @zones )
{ {
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
@ -400,9 +425,12 @@ sub dump_zone_contents()
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $optionref = $zoneref->{options}; my $optionref = $zoneref->{options};
my $exclusions = $zoneref->{exclusions}; my $exclusions = $zoneref->{exclusions};
$type = $xlate{$type} if $xlate{$type};
my $entry = "$zone $type"; my $entry = "$zone $type";
$entry .= ":$zoneref->{bridge}" if $type eq 'bport4'; $entry .= ":$zoneref->{bridge}" if $type =~ /^bport/;
if ( $hostref ) { if ( $hostref ) {
for my $type ( sort keys %$hostref ) { for my $type ( sort keys %$hostref ) {
@ -455,7 +483,7 @@ sub add_group_to_zone($$$$$)
my $arrayref; my $arrayref;
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type}; my $zonetype = $zoneref->{type};
my $ifacezone = $interfaces{$interface}{zone4}; my $ifacezone = $interfaces{$interface}{zone};
$zoneref->{interfaces}{$interface} = 1; $zoneref->{interfaces}{$interface} = 1;
@ -481,7 +509,7 @@ sub add_group_to_zone($$$$$)
unless ( $switched ) { unless ( $switched ) {
if ( $type eq $zonetype ) { if ( $type eq $zonetype ) {
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone; fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
$ifacezone = $zone if $host eq ALLIPv4; $ifacezone = $zone if $host eq ALLIP;
} }
} }
@ -506,7 +534,7 @@ sub add_group_to_zone($$$$$)
push @{$arrayref}, { options => $options, push @{$arrayref}, { options => $options,
hosts => \@newnetworks, hosts => \@newnetworks,
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' }; ipsec => $type eq 'ipsec' ? 'ipsec' : 'none' };
} }
# #
@ -624,7 +652,7 @@ sub validate_interfaces_file( $ )
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4'; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport';
if ( $zone ) { if ( $zone ) {
if ( $zoneref->{bridge} ) { if ( $zoneref->{bridge} ) {
@ -644,7 +672,7 @@ sub validate_interfaces_file( $ )
$interface = $port; $interface = $port;
} else { } else {
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport';
$bridge = $interface; $bridge = $interface;
} }
@ -746,11 +774,11 @@ sub validate_interfaces_file( $ )
push @ifaces, $interface; push @ifaces, $interface;
my @networks = allipv4; my @networks = allip;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone; add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
$interfaces{$interface}{zone4} = $zone; #Must follow the call to add_group_to_zone() $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$currentline\" Validated"; progress_message " Interface \"$currentline\" Validated";
@ -949,7 +977,7 @@ sub validate_hosts_file()
fatal_error "Invalid HOST(S) column contents: $hosts"; fatal_error "Invalid HOST(S) column contents: $hosts";
} }
if ( $type eq 'bport4' ) { if ( $type eq 'bport' ) {
if ( $zoneref->{bridge} eq '' ) { if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge}; $zoneref->{bridge} = $interfaces{$interface}{bridge};
@ -967,7 +995,7 @@ sub validate_hosts_file()
for my $option ( @options ) for my $option ( @options )
{ {
if ( $option eq 'ipsec' ) { if ( $option eq 'ipsec' ) {
$type = 'ipsec4'; $type = 'ipsec';
$zoneref->{options}{complex} = 1; $zoneref->{options}{complex} = 1;
$ipsec = 1; $ipsec = 1;
} elsif ( $validoptions{$option}) { } elsif ( $validoptions{$option}) {
@ -993,7 +1021,7 @@ sub validate_hosts_file()
# #
# Take care of case where the hosts list begins with '!' # Take care of case where the hosts list begins with '!'
# #
$hosts = join( '', ALLIPv4 , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
@ -1026,8 +1054,8 @@ sub find_hosts_by_option( $ ) {
} }
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone4} && $interfaces{$interface}{options}{$option} ) { if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIPv4 ]; push @hosts, [ $interface, 'none', ALLIP ];
} }
} }
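Review bot: In determine_zones the new `ipsec([46])?` and `bport([46])?` branches at L406-410 evaluate `$1 == 4` and `$1 == 6` even when the optional suffix did not match, so every plain `ipsec` or `bport` zone type produces "Use of uninitialized value" warnings if this module runs under `use warnings`; capture the suffix once and guard on `defined`. The new `ipv6` branch at L402 also copies the unanchored `/ipv4/i` test, so a type like `ipv6x` is accepted; anchoring both as `/^ipv4$/i` and `/^ipv6$/i` is cheap while the branches are being rewritten. determine_zones starts before this hunk and continues after it.
```perl
} elsif ( $type =~ /^ipsec([46])?$/i ) {
    my $suffix = $1;
    fatal_error "Invalid zone type ($type)" if defined $suffix && ( ( $suffix == 4 && $family == F_IPV6 ) || ( $suffix == 6 && $family == F_IPV4 ) );
    $type = 'ipsec';
} elsif ( $type =~ /^bport([46])?$/i ) {
    my $suffix = $1;
    fatal_error "Invalid zone type ($type)" if defined $suffix && ( ( $suffix == 4 && $family == F_IPV6 ) || ( $suffix == 6 && $family == F_IPV4 ) );
    # … unchanged: parent warning, $type = 'bport', push @bport_zones …
```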