From ab78aac3a45919f0bd9ace9be42e1ee43c2dc937 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 17 Sep 2010 12:46:38 -0700
Subject: [PATCH] Disallow mss and blacklist on firewall and vserver zones

---
 Shorewall/Perl/Shorewall/Zones.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 91e4a1209..03f1a705d 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -309,10 +309,12 @@ sub parse_zone_option_list($$)
 "tunnel-src" => NETWORK,
 "tunnel-dst" => NETWORK,
 );
+
+ use constant { UNRESTRICTED => 1, NOFW => 2 };
 #
 # Hash of options that have their own key in the returned hash.
 #
- my %key = ( mss => 1 , blacklist => 'blacklist' );
+ my %key = ( mss => NOFW , blacklist => NOFW );
 
 my ( $list, $zonetype ) = @_;
 my %h;
@@ -345,6 +347,7 @@ sub parse_zone_option_list($$)
 }
 
 if ( $key{$e} ) {
+ fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
 $h{$e} = $val || 1;
 } else {
 fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
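Review bot: `use constant { UNRESTRICTED => 1, NOFW => 2 };` is placed inside the body of parse_zone_option_list, but `use` executes at compile time and defines package-level constants, so its position inside the sub suggests a lexical scope that does not exist; it belongs at file level next to the other zone-type constants (FIREWALL, VSERVER and IPSEC are used in the second hunk as if defined that way, though their definitions are outside this patch). UNRESTRICTED is introduced but never referenced on the new side, so a reader cannot tell from the hunk what an entry in %key would carry to be unrestricted. The existing comment above %key still only says the options get their own key; add `# Value NOFW marks options rejected on firewall and vserver zones; UNRESTRICTED marks options accepted on any zone type.` to document the new meaning of the values. parse_zone_option_list starts before this hunk and continues past it.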
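Review bot: The error string on the added fatal_error line ends in a stray trailing space before the closing quote, and the message says "this zone type" without naming which types are excluded, so a user hit by it has to read the source to learn that firewall and vserver zones are meant; `fatal_error "Option '$e' not permitted on firewall or vserver zones" if $key{$e} == NOFW && ( $zonetype == FIREWALL || $zonetype == VSERVER );` fixes both, and breaking the condition onto a second line keeps the statement readable. The check fires only when the option is actually given, which matches the subject line. With %key now holding numeric NOFW for both entries the `== NOFW` numeric compare is correct, but a future string value in %key would raise a non-numeric warning and compare as 0, so the file-level comment on %key should state that values must be one of the constants. The enclosing sub parse_zone_option_list begins and ends outside this hunk.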