holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Remove support for 'detectnets' from Shorewall-perl

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7377 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-09-21 17:24:57 +00:00
parent 7a96b07e81
commit 808b7fc0a1
6 changed files with 9 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-common/README.txt
View File

@ -1 +1 @@
This is the Shorewall-common Stable 4.0 branch of SVN.
This is the Shorewall-common Development 4.0 branch of SVN.

2
Shorewall-lite/README.txt
View File

@ -1 +1 @@
This is the Shorewall-lite Stable 4.0 branch of SVN.
This is the Shorewall-lite Development 4.0 branch of SVN.

2
Shorewall-perl/README.txt
View File

@ -1,2 +1,2 @@
This is the Shorewall-perl Stable 4.0 branch of SVN.
This is the Shorewall-perl Development 4.0 branch of SVN.

41
Shorewall-perl/Shorewall/Rules.pm
View File

@ -752,7 +752,6 @@ sub setup_mac_lists( $ ) {
fatal_error "Invalid DISPOSITION ($disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
unless ( $maclist_interfaces{$interface} ) {
next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
fatal_error "No hosts on $interface have the maclist option specified";
}
@ -1563,7 +1562,6 @@ sub generate_matrix() {
my $exclusions = $zoneref->{exclusions};
my $frwd_ref = 0;
my $chain = 0;
my %needbroadcast;
if ( $complex ) {
$frwd_ref = $filter_table->{"${zone}_frwd"};
@ -1614,39 +1612,11 @@ sub generate_matrix() {
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
if $complex && $hostref->{ipsec} ne 'ipsec';
$needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets';
}
}
}
}
if ( $chain1 ) {
for my $interface ( keys %needbroadcast ) {
if ( $capabilities{ADDRTYPE} ) {
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
} else {
my $interfaceref = find_interface( $interface );
my $chain = output_chain $interface;
my $chainref = $filter_table->{$chain};
if ( $interfaceref->{broadcasts} ) {
for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
add_rule( $chainref, "-d $address -j $chain1" );
}
} else {
my $variable = get_interface_bcasts $interface;
add_commands( $chainref,
"for address in $variable; do",
" echo \"-A $chain -d \$address -j $chain1\" >&3",
'done' );
}
}
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
}
}
#
# F O R W A R D I N G
#
@ -1723,17 +1693,6 @@ sub generate_matrix() {
if ( $zone eq $zone1 ) {
next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! ( $zoneref->{options}{in_out}{routeback} || @$exclusions );
if ( $chain3 ) {
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
if ( get_interface_option( $interface, 'bridge' ) ) {
for my $source ( keys %$sourceref ) {
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
}
}
}
}
}
if ( $zone1ref->{type} eq 'bport4' ) {

45
Shorewall-perl/Shorewall/Zones.pm
View File

@ -547,32 +547,6 @@ sub firewall_zone() {
$firewall_zone;
}
#
# Return a list of networks routed out of the passed interface
#
sub get_routed_networks ( $$ ) {
my ( $interface , $error_message ) = @_;
my @networks;
if ( open IP , '-|' , "/sbin/ip route show dev $interface 2> /dev/null" ) {
while ( my $route = <IP> ) {
$route =~ s/^\s+//;
my $network = ( split /\s+/, $route )[0];
if ( $network eq 'default' ) {
fatal_error $error_message if $error_message;
warning_message "default route ignored on interface $interface";
} else {
my ( $address, $vlsm ) = split '/', $network;
$vlsm = 32 unless defined $vlsm;
push @networks, "$address/$vlsm";
}
}
close IP
}
@networks;
}
#
# Parse the interfaces file.
#
@ -585,6 +559,7 @@ sub validate_interfaces_file( $ )
BINARY_IF_OPTION => 2,
ENUM_IF_OPTION => 3,
NUMERIC_IF_OPTION => 4,
OBSOLETE_IF_OPTION => 5,
MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8 };
@ -593,7 +568,7 @@ sub validate_interfaces_file( $ )
arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION,
detectnets => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
logmartians => BINARY_IF_OPTION,
@ -739,6 +714,8 @@ sub validate_interfaces_file( $ )
} elsif ( $type == NUMERIC_IF_OPTION ) {
fatal_error "The $option option requires a value" unless defined $value;
$options{$option} = numeric_value $value;
} else {
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
}
}
@ -756,19 +733,7 @@ sub validate_interfaces_file( $ )
push @ifaces, $interface;
my @networks;
if ( $options{detectnets} ) {
warning_message "Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians'";
fatal_error "The 'detectnets' option is not allowed on a multi-zone interface" unless $zone;
fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
@networks = get_routed_networks( $interface, 'detectnets not allowed on interface with default route' );
fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
delete $options{maclist} unless @networks;
} else {
@networks = allipv4;
}
my @networks = allipv4;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;

2
Shorewall-shell/README.txt
View File

@ -1 +1 @@
This is the Shorewall-shell Stable 4.0 branch of SVN.
This is the Shorewall-shell Development 4.0 branch of SVN.