More optional provider changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7117 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-08-10 20:55:54 +00:00
parent db6bd67252
commit 71c45e607a
5 changed files with 74 additions and 12 deletions


@ -165,6 +165,8 @@ EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################


@ -288,7 +288,7 @@ sub initialize() {
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
EXPAND_POLICIES => undef,
ACCOUNTING_EXPERT => undef,
KEEP_RT_TABLES => undef,
#
# Packet Disposition
#


@ -76,7 +76,7 @@ use constant { NOTHING => 'NOTHING',
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
#
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4';
# %zones{<zone1> => {type = > <zone type>
# options => { complex => 0|1
# in_out => < policy match string >
# in => < policy match string >
@ -110,6 +110,16 @@ our %reservedName = ( all => 1,
SOURCE => 1,
DEST => 1 );
se constant ( ZT_IPV4 => 1,
ZT_IPSEC => 2,
ZT_BPORT => 4,
ZT_IPV6 => 8,
ZT_FIREWALL => 16,
ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC
ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC
ZT_BPORT4 => ZT_IPV4 | ZT_BPORT
ZT_BPORT6 => ZT_IPV6 | ZT_BPORT
);
#
# Interface Table.
#
@ -209,7 +219,7 @@ sub parse_zone_option_list($$)
if ( $key{$e} ) {
$h{$e} = $val;
} else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4';
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & ZT_IPSEC;
$options .= $invert;
$options .= "--$e ";
$options .= "$val "if defined $val;
@ -251,7 +261,7 @@ sub determine_zones()
for my $p ( @parents ) {
fatal_error "Invalid Parent List ($2)" unless $p;
fatal_error "Unknown parent zone ($p)" unless $zones{$p};
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall';
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} & ZT_FIREWALL;
push @{$zones{$p}{children}}, $zone;
}
}
@ -263,20 +273,20 @@ sub determine_zones()
$type = "ipv4" unless $type;
if ( $type =~ /ipv4/i ) {
$type = 'ipv4';
$type = ZT_IPV4;
} elsif ( $type =~ /^ipsec4?$/i ) {
$type = 'ipsec4';
$type = ZT_IPSEC4;
} elsif ( $type =~ /^bport4?$/i ) {
warning_message "Bridge Port zones should have a parent zone" unless @parents;
$type = 'bport4';
$type = ZT_BPORT4;
} elsif ( $type eq 'firewall' ) {
fatal_error 'Firewall zone may not be nested' if @parents;
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
$firewall_zone = $zone;
$ENV{FW} = $zone;
$type = "firewall";
$type = ZT_FIREWALL;
} elsif ( $type eq '-' ) {
$type = 'ipv4';
$type = ZT_IPV4;
} else {
fatal_error "Invalid zone type ($type)" ;
}
@ -292,7 +302,7 @@ sub determine_zones()
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) } ,
complex => ($type & ZT_IPSEC || $options || $in_options || $out_options ? 1 : 0) } ,
interfaces => {} ,
children => [] ,
hosts => {}
@ -327,12 +337,22 @@ sub determine_zones()
#
sub haveipseczones() {
for my $zoneref ( values %zones ) {
return 1 if $zoneref->{type} eq 'ipsec4';
return 1 if $zoneref->{type} & ZT_IPSEC;
}
0;
}
my @typenames = ( Untyped, #0
firewall, #1
ipv4, #2
Invalid, #3
Invalid, #4
Invalid, #5
ipsec4, #6
Invalid, #7
Invalid, #8
#
# Report about zones.
#
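Review bot: The new ZT_* constants in the second hunk are declared with a single `use constant (` flat list (the `se` at the start of that line looks like a rendering artefact of `use`), and `use constant` given a flat list defines only the first name, ZT_IPV4, with everything after it as that constant's list value, so ZT_IPSEC, ZT_FIREWALL and the others would not exist when `$zonetype & ZT_IPSEC` and `$zones{$p}{type} & ZT_FIREWALL` in the later hunks are compiled. The composite entries `ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC` also reference names from the same statement, which are not yet defined while its argument list is evaluated, and the three composite lines lack trailing commas; the file's existing convention at the first hunk (`use constant { NOTHING => ...`) is the hashref form, so the declaration should be split into two hashref statements, the second built from the first. The `@typenames` table in the last hunk is out of step with these values: it places firewall at index 1, ipv4 at 2 and ipsec4 at 6, whereas the constants give ZT_IPV4 = 1, ZT_IPSEC4 = 3 and ZT_FIREWALL = 16, and its bareword elements would need `qw( ... )` under `use strict`; the array is not closed within the hunk, so its remaining entries and the code that indexes it are not visible here.
```perl
use constant { ZT_IPV4     => 1,
               ZT_IPSEC    => 2,
               ZT_BPORT    => 4,
               ZT_IPV6     => 8,
               ZT_FIREWALL => 16 };
# Composite types must be built in a second statement: the base names above
# are not defined until the first statement's import has run.
use constant { ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC,
               ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC,
               ZT_BPORT4 => ZT_IPV4 | ZT_BPORT,
               ZT_BPORT6 => ZT_IPV6 | ZT_BPORT };
```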


@ -406,6 +406,12 @@
an interface is in a state that Shorewall can [re]start
without error doesn't mean that traffic can actually be
sent through the interface.</para>
<para>Beginning with Shorewall-perl 4.0.3, you can supply
an 'isusable' <ulink
url="shorewall_extension_scripts.htm">extension
script</ulink> to extend Shorewall's interface state
detection.</para>
</note>
</listitem>
</varlistentry>


@ -122,6 +122,40 @@
logging rule is added to the current chain (the name of that chain
will be in $CHAIN).</para>
</listitem>
<listitem>
<para>isusable -- (Added in Shorewall-perl version 4.0.3) invoked when
Shorewall is trying to determine the usability of the network
interface associated with an optional entry in
/etc/shorewall/providers. $1 is the name of the interface which will
have been determined to be up and configured before the script is
invoked. The return value from the script indicates whether or not the
interface is usable (0 = usable, other = unusable).</para>
<para>Example:<programlisting># Ping a gateway through the passed interface
case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 &gt; /dev/null 2&gt;&amp;1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 &gt; /dev/null 2&gt;&amp;1
return
;;
*)
# No additional testing of other interfaces
return 0
;;
esac</programlisting><caution>
<para>The firewall state when this script is invoked is
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
the script must blow it's own holes in the firewall before
probing.</para>
</caution></para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the
@ -373,7 +407,7 @@
<row>
<entry>maclog</entry>
<entry>initdone</entry>
<entry>isusable</entry>
<entry></entry>
</row>