forked from extern/shorewall_code
More fixes for ZONE_BITS
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
ab1b65d6a8
commit
ae8aa3a45a
@ -3746,7 +3746,7 @@ sub get_configuration( $$$ ) {
|
|||||||
$globals{ZONE_OFFSET} = $config{PROVIDER_BITS};
|
$globals{ZONE_OFFSET} = $config{PROVIDER_BITS};
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'Invalid mark geometry' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
|
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
|
||||||
|
|
||||||
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
|
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
|
||||||
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
|
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
|
||||||
|
@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
defined_zone
|
defined_zone
|
||||||
zone_type
|
zone_type
|
||||||
zone_interfaces
|
zone_interfaces
|
||||||
|
zone_mark
|
||||||
all_zones
|
all_zones
|
||||||
all_parent_zones
|
all_parent_zones
|
||||||
complex_zones
|
complex_zones
|
||||||
@ -97,6 +98,14 @@ use constant { NOTHING => 'NOTHING',
|
|||||||
IPSECPROTO => 'ah|esp|ipcomp',
|
IPSECPROTO => 'ah|esp|ipcomp',
|
||||||
IPSECMODE => 'tunnel|transport'
|
IPSECMODE => 'tunnel|transport'
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#
|
||||||
|
# Option columns
|
||||||
|
#
|
||||||
|
use constant { IN_OUT => 1,
|
||||||
|
IN => 2,
|
||||||
|
OUT => 3 };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone Table.
|
# Zone Table.
|
||||||
#
|
#
|
||||||
@ -316,9 +325,10 @@ sub initialize( $$ ) {
|
|||||||
# => mss = <MSS setting>
|
# => mss = <MSS setting>
|
||||||
# => ipsec = <-m policy arguments to match options>
|
# => ipsec = <-m policy arguments to match options>
|
||||||
#
|
#
|
||||||
sub parse_zone_option_list($$\$)
|
sub parse_zone_option_list($$\$$)
|
||||||
{
|
{
|
||||||
my %validoptions = ( mss => NUMERIC,
|
my %validoptions = ( mss => NUMERIC,
|
||||||
|
nomark => NOTHING,
|
||||||
blacklist => NOTHING,
|
blacklist => NOTHING,
|
||||||
strict => NOTHING,
|
strict => NOTHING,
|
||||||
next => NOTHING,
|
next => NOTHING,
|
||||||
@ -330,13 +340,13 @@ sub parse_zone_option_list($$\$)
|
|||||||
"tunnel-dst" => NETWORK,
|
"tunnel-dst" => NETWORK,
|
||||||
);
|
);
|
||||||
|
|
||||||
use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
|
use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
|
||||||
#
|
#
|
||||||
# Hash of options that have their own key in the returned hash.
|
# Hash of options that have their own key in the returned hash.
|
||||||
#
|
#
|
||||||
my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
|
my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
|
||||||
|
|
||||||
my ( $list, $zonetype, $complexref ) = @_;
|
my ( $list, $zonetype, $complexref, $column ) = @_;
|
||||||
my %h;
|
my %h;
|
||||||
my $options = '';
|
my $options = '';
|
||||||
my $fmt;
|
my $fmt;
|
||||||
@ -370,6 +380,7 @@ sub parse_zone_option_list($$\$)
|
|||||||
|
|
||||||
if ( $key ) {
|
if ( $key ) {
|
||||||
fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
|
fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
|
||||||
|
fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
|
||||||
$$complexref = 1 if $key & COMPLEX;
|
$$complexref = 1 if $key & COMPLEX;
|
||||||
$h{$e} = $val || 1;
|
$h{$e} = $val || 1;
|
||||||
} else {
|
} else {
|
||||||
@ -471,9 +482,9 @@ sub process_zone( \$ ) {
|
|||||||
my $zoneref = $zones{$zone} = { type => $type,
|
my $zoneref = $zones{$zone} = { type => $type,
|
||||||
parents => \@parents,
|
parents => \@parents,
|
||||||
bridge => '',
|
bridge => '',
|
||||||
options => { in_out => parse_zone_option_list( $options , $type, $complex ) ,
|
options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
|
||||||
in => parse_zone_option_list( $in_options , $type , $complex ) ,
|
in => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
|
||||||
out => parse_zone_option_list( $out_options , $type , $complex ) ,
|
out => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
|
||||||
complex => ( $type & IPSEC || $complex ) ,
|
complex => ( $type & IPSEC || $complex ) ,
|
||||||
nested => @parents > 0 ,
|
nested => @parents > 0 ,
|
||||||
super => 0 ,
|
super => 0 ,
|
||||||
@ -489,14 +500,20 @@ sub process_zone( \$ ) {
|
|||||||
if ( $type == FIREWALL ) {
|
if ( $type == FIREWALL ) {
|
||||||
$mark = 0;
|
$mark = 0;
|
||||||
} else {
|
} else {
|
||||||
|
unless ( $zoneref->{options}{in_out}{nomark} ) {
|
||||||
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
|
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
|
||||||
$mark = $zonemark;
|
$mark = $zonemark;
|
||||||
$zonemark += $zonemarkincr;
|
$zonemark += $zonemarkincr;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{options}{complex} = 1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $zoneref->{options}{in_out}{nomark} ) {
|
||||||
|
progress_message_nocompress " Zone $zone:\tmark value not assigned";
|
||||||
|
} else {
|
||||||
progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
|
progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if ( $zoneref->{options}{in_out}{blacklist} ) {
|
if ( $zoneref->{options}{in_out}{blacklist} ) {
|
||||||
@ -784,6 +801,12 @@ sub zone_interfaces( $ ) {
|
|||||||
find_zone( $_[0] )->{interfaces};
|
find_zone( $_[0] )->{interfaces};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub zone_mark( $ ) {
|
||||||
|
my $zoneref = find_zone( $_[0] );
|
||||||
|
fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
|
||||||
|
$zoneref->{mark};
|
||||||
|
}
|
||||||
|
|
||||||
sub defined_zone( $ ) {
|
sub defined_zone( $ ) {
|
||||||
$zones{$_[0]};
|
$zones{$_[0]};
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user