From 4d977306f95dc03333b90c5fd8cbb9d8b09a19ab Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Nov 2009 08:37:03 -0800 Subject: [PATCH] Make 'physical' work as a general logical name facility --- Shorewall/Perl/Shorewall/Chains.pm | 29 ++++++++++++++------------- Shorewall/Perl/Shorewall/Providers.pm | 4 ++-- Shorewall/Perl/Shorewall/Tc.pm | 5 +++-- Shorewall/Perl/Shorewall/Zones.pm | 13 ++++++------ 4 files changed, 27 insertions(+), 24 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index e17cdf666..7284805f2 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -673,7 +673,7 @@ sub chain_base($) { # sub forward_chain($) { - $_[0] . '_fwd'; + physical_name( $_[0] ) . '_fwd'; } # @@ -709,7 +709,7 @@ sub use_forward_chain($) { # sub input_chain($) { - $_[0] . '_in'; + physical_name( $_[0] ) . '_in'; } # @@ -767,7 +767,7 @@ sub use_input_chain($) { # sub output_chain($) { - $_[0] . '_out'; + physical_name( $_[0] ) . '_out'; } # @@ -811,7 +811,7 @@ sub use_output_chain($) { # sub masq_chain($) { - $_[0] . '_masq'; + physical_name( $_[0] ) . '_masq'; } # @@ -826,7 +826,7 @@ sub syn_flood_chain ( $ ) { # sub mac_chain( $ ) { - $_[0] . '_mac'; + physical_name( $_[0] ) . '_mac'; } sub macrecent_target($) @@ -855,7 +855,7 @@ sub notrack_chain( $ ) # sub snat_chain( $ ) { - $_[0] . '_snat'; + physical_name( $_[0] ) . '_snat'; } # @@ -863,7 +863,7 @@ sub snat_chain( $ ) # sub ecn_chain( $ ) { - $_[0] . '_ecn'; + physical_name( $_[0] ) . '_ecn'; } # @@ -871,7 +871,7 @@ sub ecn_chain( $ ) # sub first_chains( $ ) #$1 = interface { - my $c = $_[0]; + my $c = physical_name $_[0]; ( $c . '_fwd', $c . '_in' ); } 
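Review bot: Nothing in these helpers, or in the Zones.pm validation later in this patch, rejects two logical interfaces that resolve to the same physical name, so forward_chain/input_chain/output_chain/masq_chain/mac_chain/snat_chain/ecn_chain would now return identical chain names for both and their rules would silently land in one chain. If that uniqueness is not already enforced where the option is recorded, a check such as `fatal_error "Duplicate physical name ($value)" if $physical_names{$value}++;` next to `$physical = $value;` in process_interface (not in this hunk) would close it. A smaller point of style: first_chains calls `physical_name $_[0]` without parentheses while the other seven helpers use `physical_name( $_[0] )`; the parenthesized form is consistent and does not depend on physical_name being predeclared at compile time. physical_name itself is defined elsewhere and is not visible in this diff.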
@@ -2136,10 +2136,11 @@ sub interface_address( $ ) { # Record that the ruleset requires the first IP address on the passed interface # sub get_interface_address ( $ ) { - my ( $interface ) = physical_name $_[0]; + my ( $logical ) = $_[0]; + my $interface = physical_name( $logical ); my $variable = interface_address( $interface ); - my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address'; + my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address'; $global_variables |= ALL_COMMANDS; @@ -2209,7 +2210,7 @@ sub get_interface_gateway ( $ ) { my ( $logical ) = $_[0]; my $interface = physical_name $logical; - my $variable = interface_gateway( $interface ); + my $variable = interface_gateway( $interface ); my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway'; @@ -2241,7 +2242,7 @@ sub get_interface_addresses ( $ ) { my ( $logical ) = $_[0]; my $interface = physical_name( $logical ); - my $variable = interface_addresses( $interface ); + my $variable = interface_addresses( $interface ); $global_variables |= NOT_RESTORE; @@ -2271,7 +2272,7 @@ sub get_interface_nets ( $ ) { my ( $logical ) = $_[0]; my $interface = physical_name( $logical ); - my $variable = interface_nets( $interface ); + my $variable = interface_nets( $interface ); $global_variables |= ALL_COMMANDS; @@ -2302,7 +2303,7 @@ sub get_interface_mac( $$$ ) { my ( $ipaddr, $logical , $table ) = @_; my $interface = physical_name( $logical ); - my $variable = interface_mac( $interface , $table ); + my $variable = interface_mac( $interface , $table ); $global_variables |= NOT_RESTORE; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index df0ab3e5d..df27d3c77 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
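Review bot: The header comment above get_interface_address still says "the passed interface" and does not record that the argument is now a logical name, while `interface_address( $interface )` is given the physical name and `interface_is_optional( $logical )` the logical one; that split is the substance of this hunk and deserves a line, e.g. `# $_[0] is the logical interface name; interface_address() wants the physical name, interface_is_optional() the logical one.` Without it the next reader is likely to "fix" one of the two calls back to the other variable. The remaining Chains.pm hunks on this line only realign whitespace in the `my $variable = ...` assignments and need nothing.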
@@ -513,13 +513,13 @@ sub add_a_provider( ) { if ( $shared ) { emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" ); } else { - emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" ); + emit ( " error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" ); } } else { if ( $shared ) { emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" ); } else { - emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" ); + emit( " fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" ); } } diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 5ea4f1302..5ff845965 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1040,7 +1040,6 @@ sub setup_traffic_shaping() { } for my $device ( @tcdevices ) { - my $dev = chain_base( $device ); my $devref = $tcdevices{$device}; my $defmark = in_hexp ( $devref->{default} || 0 ); my $devnum = in_hexp $devref->{number}; @@ -1048,6 +1047,8 @@ sub setup_traffic_shaping() { $device = physical_name $device; + my $dev = chain_base( $device ); + emit "if interface_is_up $device; then"; push_indent; @@ -1225,7 +1226,7 @@ sub setup_tc() { $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF'; for my $interface ( @routemarked_interfaces ) { - add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; + add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre"; } } diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index c86ae5b44..fcd4a3d6a 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm 
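Review bot: Reporting only `$physical` in the two "not usable" messages drops the logical name the administrator actually wrote in the providers file, so whenever the two differ the message no longer matches any configured entry. Printing both, e.g. `" error_message \"WARNING: Interface $interface ($physical) is not usable -- Provider $table ($number) not Added\""` and the same form in the fatal_error branch, keeps the message traceable to its source line. `$physical` is assigned outside this hunk; add_a_provider starts and ends outside it, so how it is derived cannot be confirmed here.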
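Review bot: Moving `my $dev = chain_base( $device );` below `$device = physical_name $device;` makes the chain base depend on the loop variable being rewritten, and because `for my $device ( @tcdevices )` aliases each element, that assignment also writes the physical name back into @tcdevices (pre-existing, but the hunk now builds on it). If @tcdevices is read again after this loop it will hold physical names; a separate local such as `my $physical = physical_name $device;` used for `chain_base` and `interface_is_up` would avoid the write-back. setup_traffic_shaping starts and ends outside the hunk, so whether anything later relies on the original contents cannot be confirmed here.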
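Review bot: `match_source_dev( $interface ) . "-j tcpre"` has no separator of its own between the two parts, so the emitted rule is well-formed only if match_source_dev's return value ends with a trailing blank; the removed literal carried that space explicitly, and match_source_dev is not in this diff, so it cannot be confirmed here. Writing `match_source_dev( $interface ) . ' -j tcpre'` is harmless if the helper already appends a blank (a doubled space in the generated iptables command is ignored) and prevents `-i eth0-j tcpre` if it does not. Alternatively, leave the call as is and add `# match_source_dev() returns '-i <phys> ' with a trailing blank` so the dependency is visible.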
@@ -871,9 +871,9 @@ sub process_interface( $ ) { fatal_error "Duplicate $option option" if $nets; if ( $value eq 'dynamic' ) { require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); - $value = "+${zone}_${interface}"; + $value = "+${zone}_${physical}"; $hostoptions{dynamic} = 1; - $ipsets{"${zone}_${interface}"} = 1; + $ipsets{"${zone}_${physical}"} = 1; } else { $hostoptions{multicast} = 1; } @@ -891,9 +891,9 @@ sub process_interface( $ ) { } elsif ( $type == STRING_IF_OPTION ) { fatal_error "The $option option requires a value" unless defined $value; - if ( $option == 'physical' ) { + if ( $option eq 'physical' ) { fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/; - fatal_error "The 'physical' option is only allowed on bridge ports" unless $port; + # fatal_error "The 'physical' option is only allowed on bridge ports" unless $port; my $wildphy = $value =~ /\+$/ ? 1 : 0; fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" unless $wildphy == $wildcard; $physical = $value; @@ -1232,9 +1232,10 @@ sub process_host( ) { if ( $hosts eq 'dynamic' ) { require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); - $hosts = "+${zone}_${interface}"; + my $physical = physical_name $interface; + $hosts = "+${zone}_${physical}"; $optionsref->{dynamic} = 1; - $ipsets{"${zone}_${interface}"} = 1; + $ipsets{"${zone}_${physical}"} = 1; }
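Review bot: The commented-out `# fatal_error "The 'physical' option is only allowed on bridge ports" unless $port;` should be deleted rather than kept as dead code, or replaced by a one-line reason such as `# 'physical' is accepted on any interface so it can serve as a general logical-name facility (see $port for bridge-specific handling).`; a commented-out fatal_error reads as a restriction someone intends to restore. The `==` to `eq` correction is right and worth a sentence in the commit message: under `==` both operands compared numerically as 0, so the branch ran for every STRING_IF_OPTION, and the change therefore also alters how the other string options are handled (which those are is outside this hunk). `$wildcard` and `$port` are set before the hunk and are not visible here.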