More optional provider changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7117 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
db6bd67252
commit
71c45e607a
@ -165,6 +165,8 @@ EXPORTPARAMS=Yes
|
|||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -288,7 +288,7 @@ sub initialize() {
|
|||||||
EXPORTPARAMS => undef,
|
EXPORTPARAMS => undef,
|
||||||
SHOREWALL_COMPILER => undef,
|
SHOREWALL_COMPILER => undef,
|
||||||
EXPAND_POLICIES => undef,
|
EXPAND_POLICIES => undef,
|
||||||
ACCOUNTING_EXPERT => undef,
|
KEEP_RT_TABLES => undef,
|
||||||
#
|
#
|
||||||
# Packet Disposition
|
# Packet Disposition
|
||||||
#
|
#
|
||||||
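Review bot: The hunk replaces the `ACCOUNTING_EXPERT => undef,` entry with `KEEP_RT_TABLES => undef,` instead of adding the new key next to it (the header reads -288,7 +288,7), so ACCOUNTING_EXPERT disappears from the %config defaults that initialize() builds. Nothing in the commit message ("More optional provider changes") says that option is being retired, and if the config loader treats keys missing from this hash as unknown options, existing shorewall.conf files that set ACCOUNTING_EXPERT would presumably start failing — confirm against the loader before merging. Unless the removal is deliberate, keep both lines: `ACCOUNTING_EXPERT => undef,` followed by `KEEP_RT_TABLES => undef,`. initialize() begins and ends outside this hunk.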
|
@ -76,7 +76,7 @@ use constant { NOTHING => 'NOTHING',
|
|||||||
#
|
#
|
||||||
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
||||||
#
|
#
|
||||||
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4';
|
# %zones{<zone1> => {type = > <zone type>
|
||||||
# options => { complex => 0|1
|
# options => { complex => 0|1
|
||||||
# in_out => < policy match string >
|
# in_out => < policy match string >
|
||||||
# in => < policy match string >
|
# in => < policy match string >
|
||||||
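Review bot: The rewritten header comment `# %zones{<zone1> => {type = > <zone type>` drops the list of legal type strings but does not say what now goes in `type`; elsewhere in this commit the field becomes a bit mask built from the ZT_* constants, so a reader of this comment is left with no definition at all. Suggested text: `# %zones{<zone1> => {type => <zone type> -- bit mask of ZT_IPV4, ZT_IPSEC, ZT_BPORT, ZT_IPV6, ZT_FIREWALL (e.g. ZT_IPSEC4 == ZT_IPV4|ZT_IPSEC)`. The comment block continues outside the hunk.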
@ -110,6 +110,16 @@ our %reservedName = ( all => 1,
|
|||||||
SOURCE => 1,
|
SOURCE => 1,
|
||||||
DEST => 1 );
|
DEST => 1 );
|
||||||
|
|
||||||
|
se constant ( ZT_IPV4 => 1,
|
||||||
|
ZT_IPSEC => 2,
|
||||||
|
ZT_BPORT => 4,
|
||||||
|
ZT_IPV6 => 8,
|
||||||
|
ZT_FIREWALL => 16,
|
||||||
|
ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC
|
||||||
|
ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC
|
||||||
|
ZT_BPORT4 => ZT_IPV4 | ZT_BPORT
|
||||||
|
ZT_BPORT6 => ZT_IPV6 | ZT_BPORT
|
||||||
|
);
|
||||||
#
|
#
|
||||||
# Interface Table.
|
# Interface Table.
|
||||||
#
|
#
|
||||||
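Review bot: The new constant block does not compile as written: the entries `ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC`, `ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC` and `ZT_BPORT4 => ZT_IPV4 | ZT_BPORT` have no trailing commas, the list is wrapped in parentheses rather than the hash-ref form `use constant { ... }` that defines several constants (with a parenthesised list constant.pm defines only ZT_IPV4, as a list holding the remaining names and values), and the composite entries refer to ZT_IPV4/ZT_IPSEC inside the very statement that is supposed to define them, so under `use strict` they are rejected as barewords. The keyword appears here as `se constant (`, which is probably a rendering artifact, but if the source really reads that way it is a fourth error. Split the definition into two hash-ref `use constant` statements so the composites can use bits that already exist.
```perl
use constant { ZT_IPV4     => 1,
               ZT_IPSEC    => 2,
               ZT_BPORT    => 4,
               ZT_IPV6     => 8,
               ZT_FIREWALL => 16 };

# Composites must come in a second statement: the bits above are not yet
# defined while the first statement's argument list is being evaluated.
use constant { ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC,
               ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC,
               ZT_BPORT4 => ZT_IPV4 | ZT_BPORT,
               ZT_BPORT6 => ZT_IPV6 | ZT_BPORT };
```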
@ -209,7 +219,7 @@ sub parse_zone_option_list($$)
|
|||||||
if ( $key{$e} ) {
|
if ( $key{$e} ) {
|
||||||
$h{$e} = $val;
|
$h{$e} = $val;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4';
|
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & ZT_IPSEC;
|
||||||
$options .= $invert;
|
$options .= $invert;
|
||||||
$options .= "--$e ";
|
$options .= "--$e ";
|
||||||
$options .= "$val "if defined $val;
|
$options .= "$val "if defined $val;
|
||||||
@ -251,7 +261,7 @@ sub determine_zones()
|
|||||||
for my $p ( @parents ) {
|
for my $p ( @parents ) {
|
||||||
fatal_error "Invalid Parent List ($2)" unless $p;
|
fatal_error "Invalid Parent List ($2)" unless $p;
|
||||||
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
|
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
|
||||||
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall';
|
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} & ZT_FIREWALL;
|
||||||
push @{$zones{$p}{children}}, $zone;
|
push @{$zones{$p}{children}}, $zone;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -263,20 +273,20 @@ sub determine_zones()
|
|||||||
$type = "ipv4" unless $type;
|
$type = "ipv4" unless $type;
|
||||||
|
|
||||||
if ( $type =~ /ipv4/i ) {
|
if ( $type =~ /ipv4/i ) {
|
||||||
$type = 'ipv4';
|
$type = ZT_IPV4;
|
||||||
} elsif ( $type =~ /^ipsec4?$/i ) {
|
} elsif ( $type =~ /^ipsec4?$/i ) {
|
||||||
$type = 'ipsec4';
|
$type = ZT_IPSEC4;
|
||||||
} elsif ( $type =~ /^bport4?$/i ) {
|
} elsif ( $type =~ /^bport4?$/i ) {
|
||||||
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||||
$type = 'bport4';
|
$type = ZT_BPORT4;
|
||||||
} elsif ( $type eq 'firewall' ) {
|
} elsif ( $type eq 'firewall' ) {
|
||||||
fatal_error 'Firewall zone may not be nested' if @parents;
|
fatal_error 'Firewall zone may not be nested' if @parents;
|
||||||
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
|
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
|
||||||
$firewall_zone = $zone;
|
$firewall_zone = $zone;
|
||||||
$ENV{FW} = $zone;
|
$ENV{FW} = $zone;
|
||||||
$type = "firewall";
|
$type = ZT_FIREWALL;
|
||||||
} elsif ( $type eq '-' ) {
|
} elsif ( $type eq '-' ) {
|
||||||
$type = 'ipv4';
|
$type = ZT_IPV4;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid zone type ($type)" ;
|
fatal_error "Invalid zone type ($type)" ;
|
||||||
}
|
}
|
||||||
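Review bot: In the type dispatch the first branch, `if ( $type =~ /ipv4/i )`, is the only unanchored test; the ipsec and bport branches use `/^ipsec4?$/i` and `/^bport4?$/i`, so a mistyped type such as `ipv4x` or `xipv4` is silently mapped to ZT_IPV4 instead of reaching the `Invalid zone type` error below. The test predates this commit, but since the branch body is rewritten here, `if ( $type =~ /^ipv4$/i ) {` would bring it in line with the other branches. Separately, now that `$type` holds a number, any code outside this hunk that still compares `$zones{$zone}{type}` with the old strings ('ipv4', 'ipsec4', 'bport4', 'firewall') will never match and should be found and converted to the `& ZT_*` form used here. determine_zones() begins and ends outside the hunk.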
@ -292,7 +302,7 @@ sub determine_zones()
|
|||||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||||
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) } ,
|
complex => ($type & ZT_IPSEC || $options || $in_options || $out_options ? 1 : 0) } ,
|
||||||
interfaces => {} ,
|
interfaces => {} ,
|
||||||
children => [] ,
|
children => [] ,
|
||||||
hosts => {}
|
hosts => {}
|
||||||
@ -327,12 +337,22 @@ sub determine_zones()
|
|||||||
#
|
#
|
||||||
sub haveipseczones() {
|
sub haveipseczones() {
|
||||||
for my $zoneref ( values %zones ) {
|
for my $zoneref ( values %zones ) {
|
||||||
return 1 if $zoneref->{type} eq 'ipsec4';
|
return 1 if $zoneref->{type} & ZT_IPSEC;
|
||||||
}
|
}
|
||||||
|
|
||||||
0;
|
0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my @typenames = ( Untyped, #0
|
||||||
|
firewall, #1
|
||||||
|
ipv4, #2
|
||||||
|
Invalid, #3
|
||||||
|
Invalid, #4
|
||||||
|
Invalid, #5
|
||||||
|
ipsec4, #6
|
||||||
|
Invalid, #7
|
||||||
|
Invalid, #8
|
||||||
|
|
||||||
#
|
#
|
||||||
# Report about zones.
|
# Report about zones.
|
||||||
#
|
#
|
||||||
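Review bot: The new `my @typenames = ( Untyped, #0` table is broken in three ways as shown: its elements are unquoted barewords (`Untyped`, `firewall`, `ipv4`, `Invalid`) that fail under `use strict`; the statement is never closed — the hunk's ten added lines run out at `Invalid, #8` and the following context lines are the `# Report about zones.` comment, so as far as this hunk shows the file cannot compile; and the indices do not agree with the constants introduced earlier in this commit (ZT_FIREWALL is 16, not 1; ZT_IPV4 is 1, not 2; ZT_IPSEC4 is 1|2 = 3, not 6; ZT_BPORT4 = 5 has no entry). If the purpose is to print a zone's type name in the report that follows, a hash keyed by the ZT_* values is shorter and cannot drift from the constants. Note the `()` after each constant: a bare `ZT_IPV4 =>` would be auto-quoted to the string 'ZT_IPV4' by the fat comma.
```perl
# Map zone-type bit masks back to their configuration names for reporting.
my %typenames = ( ZT_FIREWALL() => 'firewall',
                  ZT_IPV4()     => 'ipv4',
                  ZT_IPSEC4()   => 'ipsec4',
                  ZT_BPORT4()   => 'bport4' );
```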
|
@ -406,6 +406,12 @@
|
|||||||
an interface is in a state that Shorewall can [re]start
|
an interface is in a state that Shorewall can [re]start
|
||||||
without error doesn't mean that traffic can actually be
|
without error doesn't mean that traffic can actually be
|
||||||
sent through the interface.</para>
|
sent through the interface.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall-perl 4.0.3, you can supply
|
||||||
|
an 'isusable' <ulink
|
||||||
|
url="shorewall_extension_scripts.htm">extension
|
||||||
|
script</ulink> to extend Shorewall's interface state
|
||||||
|
detection.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -122,6 +122,40 @@
|
|||||||
logging rule is added to the current chain (the name of that chain
|
logging rule is added to the current chain (the name of that chain
|
||||||
will be in $CHAIN).</para>
|
will be in $CHAIN).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>isusable -- (Added in Shorewall-perl version 4.0.3) invoked when
|
||||||
|
Shorewall is trying to determine the usability of the network
|
||||||
|
interface associated with an optional entry in
|
||||||
|
/etc/shorewall/providers. $1 is the name of the interface which will
|
||||||
|
have been determined to be up and configured before the script is
|
||||||
|
invoked. The return value from the script indicates whether or not the
|
||||||
|
interface is usable (0 = usable, other = unusable).</para>
|
||||||
|
|
||||||
|
<para>Example:<programlisting># Ping a gateway through the passed interface
|
||||||
|
case $1 in
|
||||||
|
eth0)
|
||||||
|
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
eth1)
|
||||||
|
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# No additional testing of other interfaces
|
||||||
|
return 0
|
||||||
|
;;
|
||||||
|
esac</programlisting><caution>
|
||||||
|
<para>The firewall state when this script is invoked is
|
||||||
|
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
|
||||||
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
|
||||||
|
output on an interface is not allowed by <ulink
|
||||||
|
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
||||||
|
the script must blow it's own holes in the firewall before
|
||||||
|
probing.</para>
|
||||||
|
</caution></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
||||||
@ -373,7 +407,7 @@
|
|||||||
<row>
|
<row>
|
||||||
<entry>maclog</entry>
|
<entry>maclog</entry>
|
||||||
|
|
||||||
<entry>initdone</entry>
|
<entry>isusable</entry>
|
||||||
|
|
||||||
<entry></entry>
|
<entry></entry>
|
||||||
</row>
|
</row>
|
||||||
|