Implement zone automark

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-11-17 16:07:45 -08:00
parent 96f5aec71f
commit 72f75c201c
3 changed files with 28 additions and 1 deletions


@ -3735,6 +3735,8 @@ sub get_configuration( $$$ ) {
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0; numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
numeric_option 'ZONE_BITS' , 0, 0; numeric_option 'ZONE_BITS' , 0, 0;
require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's';
if ( $config{PROVIDER_OFFSET} ) { if ( $config{PROVIDER_OFFSET} ) {
$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS}; $config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
$globals{ZONE_OFFSET} = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS}; $globals{ZONE_OFFSET} = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS};
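Review bot: The added `require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's';` is unconditional, so every configuration now needs MARK_ANYWHERE even at the default ZONE_BITS of 0, although the message itself says only a non-zero setting needs it; the line should read `require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};`. Nothing visible rejects a ZONE_OFFSET + ZONE_BITS that runs past the 32 bits of a packet mark, and this is the place to report it rather than when the MARK rule is built; a check such as `fatal_error "ZONE_BITS setting too large for the available mark bits" if $config{ZONE_BITS} && $globals{ZONE_OFFSET} + $config{ZONE_BITS} > 32;` after ZONE_OFFSET is computed would cover it, unless code below the hunk already does. In what is shown, $globals{ZONE_OFFSET} is assigned only inside `if ( $config{PROVIDER_OFFSET} )`, so the PROVIDER_OFFSET == 0 case is presumably handled in the branch below. get_configuration begins and ends outside the hunk.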


@ -1563,7 +1563,9 @@ sub generate_matrix() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
insert_ijump $frwd_ref , j => $filter_table->{blacklst}, -1, @state if $zoneref->{options}{in}{blacklist}; insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
if ( have_ipsec ) { if ( have_ipsec ) {
# #
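Review bot: The new add_ijump builds its target from `in_hex( $globals{ZONE_MASK} )`, but ZONE_MASK is not assigned in any hunk of this commit; if it is computed elsewhere in get_configuration that is fine, but if it is ever unset the rule degrades to `MARK --set-mark <mark>/0x0`, which leaves the packet mark untouched and silently disables zone marking. The trailing `if $zoneref->{mark}` relies on process_zone giving the firewall zone mark 0, which deserves a comment above the line: `# The firewall zone is assigned mark 0, so no MARK rule is emitted for it`. generate_matrix begins and ends outside the hunk.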


@ -182,6 +182,9 @@ my $upgrade;
my $have_ipsec; my $have_ipsec;
my $baseseq; my $baseseq;
my $minroot; my $minroot;
my $zonemark;
my $zonemarkincr;
my $zonemarklimit;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
@ -480,6 +483,22 @@ sub process_zone( \$ ) {
hosts => {} hosts => {}
}; };
if ( $config{ZONE_BITS} ) {
my $mark;
if ( $type == FIREWALL ) {
$mark = 0;
} else {
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
$mark = $zonemark;
$zonemark += $zonemarkincr;
$zoneref->{options}{complex} = 1;
}
progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
}
if ( $zoneref->{options}{in_out}{blacklist} ) { if ( $zoneref->{options}{in_out}{blacklist} ) {
for ( qw/in out/ ) { for ( qw/in out/ ) {
unless ( $zoneref->{options}{$_}{blacklist} ) { unless ( $zoneref->{options}{$_}{blacklist} ) {
@ -501,6 +520,10 @@ sub determine_zones()
my @z; my @z;
my $ip = 0; my $ip = 0;
$zonemark = 1 << $globals{ZONE_OFFSET};
$zonemarkincr = $zonemark;
$zonemarklimit = $zonemark << $config{ZONE_BITS};
if ( my $fn = open_file 'zones' ) { if ( my $fn = open_file 'zones' ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
push @z, process_zone( $ip ) while read_a_line; push @z, process_zone( $ip ) while read_a_line;
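Review bot: `$zonemark = 1 << $globals{ZONE_OFFSET};` in the determine_zones hunk runs unconditionally, yet in this commit's get_configuration hunk ZONE_OFFSET is assigned only when PROVIDER_OFFSET is non-zero; unless a branch outside that hunk also sets it, the shift operates on undef, warns under `use warnings`, and zone marks start at bit 0 where they presumably overlap the TC/provider mark bits below ZONE_OFFSET. Guarding the three counter assignments with `if $config{ZONE_BITS}` and failing early, e.g. `fatal_error "ZONE_BITS is set but the zone mark offset is undefined" unless defined $globals{ZONE_OFFSET};`, would surface the misconfiguration instead of hiding it. In process_zone, `in_hex( $zoneref->{mark} = $mark )` buries the assignment that generate_matrix later depends on inside a log-message argument; `$zoneref->{mark} = $mark;` on its own line followed by the progress message reads more clearly. Both process_zone and determine_zones begin and end outside their hunks.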