Back out change for ipsec and bridges
This commit is contained in:
parent
68a9738f97
commit
31f16083d4
@ -146,13 +146,12 @@ our %reservedName = ( all => 1,
|
|||||||
# %interfaces { <interface1> => { name => <name of interface>
|
# %interfaces { <interface1> => { name => <name of interface>
|
||||||
# root => <name without trailing '+'>
|
# root => <name without trailing '+'>
|
||||||
# options => { port => undef|1
|
# options => { port => undef|1
|
||||||
# { <option1> } => <val1> , #See %validinterfaceoptions
|
# <option1> = <val1> , #See %validinterfaceoptions
|
||||||
# ...
|
# ...
|
||||||
# }
|
# }
|
||||||
# zone => <zone name>
|
# zone => <zone name>
|
||||||
# nets => <number of nets in interface/hosts records referring to this interface>
|
# nets => <number of nets in interface/hosts records referring to this interface>
|
||||||
# bridge => <bridge>
|
# bridge => <bridge>
|
||||||
# ports => [ list of ports on this bridge ]
|
|
||||||
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
||||||
# number => <ordinal position in the interfaces file>
|
# number => <ordinal position in the interfaces file>
|
||||||
# physical => <physical interface name>
|
# physical => <physical interface name>
|
||||||
@ -884,7 +883,6 @@ sub process_interface( $$ ) {
|
|||||||
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
||||||
|
|
||||||
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
||||||
push @{$interfaces{$interface}{ports}}, $port;
|
|
||||||
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1102,8 +1100,7 @@ sub process_interface( $$ ) {
|
|||||||
options => \%options ,
|
options => \%options ,
|
||||||
zone => '',
|
zone => '',
|
||||||
physical => $physical ,
|
physical => $physical ,
|
||||||
base => chain_base( $physical ),
|
base => chain_base( $physical )
|
||||||
ports => [],
|
|
||||||
};
|
};
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1693,7 +1690,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Unknown ZONE ($zone)" unless $type;
|
fatal_error "Unknown ZONE ($zone)" unless $type;
|
||||||
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
||||||
|
|
||||||
my ( $interface, $interfaceref );
|
my $interface;
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||||
@ -1706,7 +1703,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
@ -1714,16 +1711,16 @@ sub process_host( ) {
|
|||||||
$interface = $1;
|
$interface = $1;
|
||||||
$hosts = $2;
|
$hosts = $2;
|
||||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $type == BPORT ) {
|
if ( $type == BPORT ) {
|
||||||
if ( $zoneref->{bridge} eq '' ) {
|
if ( $zoneref->{bridge} eq '' ) {
|
||||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
|
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
|
||||||
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
||||||
} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
|
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
|
||||||
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1781,19 +1778,12 @@ sub process_host( ) {
|
|||||||
$ipsets{"${zone}_${physical}"} = 1;
|
$ipsets{"${zone}_${physical}"} = 1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
||||||
#
|
#
|
||||||
my $ports;
|
$interface = '%vserver%' if $type == VSERVER;
|
||||||
|
|
||||||
if ( $type == VSERVER ) {
|
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
|
||||||
$ports = [ $interface = '%vserver%' ];
|
|
||||||
} else {
|
|
||||||
$ports = @{$interfaceref->{ports}} ? $interfaceref->{ports} : [ $interface ];
|
|
||||||
}
|
|
||||||
|
|
||||||
add_group_to_zone( $zone, $type , $_, [ split_list( $hosts, 'host' ) ] , $optionsref) for @$ports;
|
|
||||||
|
|
||||||
progress_message " Host \"$currentline\" validated";
|
progress_message " Host \"$currentline\" validated";
|
||||||
|
|
||||||
|
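Review bot: With the per-port expansion backed out, process_host again passes a bridge interface straight to add_group_to_zone (new side of the last hunk, `add_group_to_zone( $zone, $type , $interface, ... )`), and nothing in the new code rejects the combination the accompanying known-problems entry says produces an incorrect Netfilter configuration (an ipsec zone or 'ipsec' option on a hosts entry that names a bridge). A firewall compiler that knowingly emits wrong rules for an IPsec-related entry is a fail-open; until the real fix lands, the safer behaviour is to refuse that input, e.g. `fatal_error "ipsec hosts entries may not reference bridge $interface; specify a bridge port" if $interfaces{$interface}{options}{bridge} && $is_ipsec;` placed just before the add_group_to_zone call, where `$is_ipsec` stands for whatever test the function already uses for ipsec zones/options (that code is outside this hunk, so the exact predicate should be confirmed). The `ports => [ ... ]` documentation line and the `%vserver%` substitution are consistent with the revert, but the bridge-port checks that remain under `if ( $type == BPORT )` only cover bport zones, so they do not catch this case. process_host begins and ends outside the visible hunks.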
@ -29,10 +29,14 @@
|
|||||||
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or
|
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or
|
||||||
the 'ipsec' option specified) in /etc/shorewall/hosts results in
|
the 'ipsec' option specified) in /etc/shorewall/hosts results in
|
||||||
the compiler generating an incorrect Netfilter configuration.
|
the compiler generating an incorrect Netfilter configuration.
|
||||||
|
|
||||||
Workaround: Change the hosts entry to specify one of the bridge
|
Workaround: Change the hosts entry to specify one of the bridge
|
||||||
ports. If the specified network spans more than one port, then
|
ports. If the specified network spans more than one port, then
|
||||||
replicate for each port.
|
replicate for each port.
|
||||||
|
|
||||||
|
Will be corrected in Shorewall 4.4.19
|
||||||
|
|
||||||
Will be corrected in Shorewall 4.4.18.2 or 4.4.19, whichever occurs
|
6) SAVE_IPSETS=Yes doesn't work unless there is a dynamic zone
|
||||||
first.
|
defined.
|
||||||
|
|
||||||
|
Workaround: Create a dummy dynamic zone.
|
||||||
|