More fixes for ZONE_BITS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-11-19 08:19:38 -08:00
parent ab1b65d6a8
commit ae8aa3a45a
2 changed files with 36 additions and 13 deletions


@ -3746,7 +3746,7 @@ sub get_configuration( $$$ ) {
$globals{ZONE_OFFSET} = $config{PROVIDER_BITS}; $globals{ZONE_OFFSET} = $config{PROVIDER_BITS};
} }
fatal_error 'Invalid mark geometry' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31; fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} ); $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET}; $globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};


@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
defined_zone defined_zone
zone_type zone_type
zone_interfaces zone_interfaces
zone_mark
all_zones all_zones
all_parent_zones all_parent_zones
complex_zones complex_zones
@ -97,6 +98,14 @@ use constant { NOTHING => 'NOTHING',
IPSECPROTO => 'ah|esp|ipcomp', IPSECPROTO => 'ah|esp|ipcomp',
IPSECMODE => 'tunnel|transport' IPSECMODE => 'tunnel|transport'
}; };
#
# Option columns
#
use constant { IN_OUT => 1,
IN => 2,
OUT => 3 };
# #
# Zone Table. # Zone Table.
# #
@ -316,9 +325,10 @@ sub initialize( $$ ) {
# => mss = <MSS setting> # => mss = <MSS setting>
# => ipsec = <-m policy arguments to match options> # => ipsec = <-m policy arguments to match options>
# #
sub parse_zone_option_list($$\$) sub parse_zone_option_list($$\$$)
{ {
my %validoptions = ( mss => NUMERIC, my %validoptions = ( mss => NUMERIC,
nomark => NOTHING,
blacklist => NOTHING, blacklist => NOTHING,
strict => NOTHING, strict => NOTHING,
next => NOTHING, next => NOTHING,
@ -330,13 +340,13 @@ sub parse_zone_option_list($$\$)
"tunnel-dst" => NETWORK, "tunnel-dst" => NETWORK,
); );
use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 }; use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
# #
# Hash of options that have their own key in the returned hash. # Hash of options that have their own key in the returned hash.
# #
my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW ); my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
my ( $list, $zonetype, $complexref ) = @_; my ( $list, $zonetype, $complexref, $column ) = @_;
my %h; my %h;
my $options = ''; my $options = '';
my $fmt; my $fmt;
@ -370,6 +380,7 @@ sub parse_zone_option_list($$\$)
if ( $key ) { if ( $key ) {
fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) ); fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
$$complexref = 1 if $key & COMPLEX; $$complexref = 1 if $key & COMPLEX;
$h{$e} = $val || 1; $h{$e} = $val || 1;
} else { } else {
@ -471,9 +482,9 @@ sub process_zone( \$ ) {
my $zoneref = $zones{$zone} = { type => $type, my $zoneref = $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
options => { in_out => parse_zone_option_list( $options , $type, $complex ) , options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
in => parse_zone_option_list( $in_options , $type , $complex ) , in => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
out => parse_zone_option_list( $out_options , $type , $complex ) , out => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
complex => ( $type & IPSEC || $complex ) , complex => ( $type & IPSEC || $complex ) ,
nested => @parents > 0 , nested => @parents > 0 ,
super => 0 , super => 0 ,
@ -489,13 +500,19 @@ sub process_zone( \$ ) {
if ( $type == FIREWALL ) { if ( $type == FIREWALL ) {
$mark = 0; $mark = 0;
} else { } else {
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit; unless ( $zoneref->{options}{in_out}{nomark} ) {
$mark = $zonemark; fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
$zonemark += $zonemarkincr; $mark = $zonemark;
$zoneref->{options}{complex} = 1; $zonemark += $zonemarkincr;
$zoneref->{options}{complex} = 1;
}
} }
progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark ); if ( $zoneref->{options}{in_out}{nomark} ) {
progress_message_nocompress " Zone $zone:\tmark value not assigned";
} else {
progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
}
} }
@ -784,6 +801,12 @@ sub zone_interfaces( $ ) {
find_zone( $_[0] )->{interfaces}; find_zone( $_[0] )->{interfaces};
} }
sub zone_mark( $ ) {
my $zoneref = find_zone( $_[0] );
fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
$zoneref->{mark};
}
sub defined_zone( $ ) { sub defined_zone( $ ) {
$zones{$_[0]}; $zones{$_[0]};
} }
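Review bot: The new IN_OUT_ONLY check in parse_zone_option_list emits a user-facing message that misspells "Option" as "Opeion" and says "OPTIONS columns" although it refers to the single OPTIONS column; it should read `fatal_error "Option '$e' is only permitted in the OPTIONS column" if $key & IN_OUT_ONLY && $column != IN_OUT;`. This string is exactly what a user sees when `nomark` is placed in the IN or OUT column, so the typo would ship as-is. Separately, in process_zone the mark assignment remains buried inside the progress message argument (`in_hex( $zoneref->{mark} = $mark )`); now that the new zone_mark sub depends on `exists $zoneref->{mark}`, hoisting it to its own statement `$zoneref->{mark} = $mark;` before the progress_message_nocompress call would make that contract visible at the point where it is established. Both parse_zone_option_list and process_zone start and end outside the shown hunks.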