Split out host options from interface options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-24 01:11:47 +00:00
parent dba858068c
commit af24d35973


@ -602,42 +602,43 @@ sub validate_interfaces_file( $ )
OBSOLETE_IF_OPTION => 5, OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6, IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7, MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8 }; IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16};
my %validoptions; my %validoptions;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validoptions = (arp_filter => BINARY_IF_OPTION, %validoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION, arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION, blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION, logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => SIMPLE_IF_OPTION, norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nosmurfs => SIMPLE_IF_OPTION, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION, proxyarp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
routefilter => BINARY_IF_OPTION, routefilter => BINARY_IF_OPTION + IF_OPTION_HOST,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,
); );
} else { } else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION, %validoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nosmurfs => SIMPLE_IF_OPTION, nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION, proxyndp => BINARY_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,
forward => NUMERIC_IF_OPTION, forward => NUMERIC_IF_OPTION,
); );
@ -735,8 +736,10 @@ sub validate_interfaces_file( $ )
} }
my $optionsref = {}; my $optionsref = {};
my $hostoptionsref = {};
my %options; my %options;
my %hostoptions;
if ( $options ) { if ( $options ) {
@ -749,16 +752,20 @@ sub validate_interfaces_file( $ )
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone; fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
my $hostopt = $type & IF_OPTION_HOST;
$type &= MASK_IF_OPTION; $type &= MASK_IF_OPTION;
if ( $type == SIMPLE_IF_OPTION ) { if ( $type == SIMPLE_IF_OPTION ) {
fatal_error "Option $option does not take a value" if defined $value; fatal_error "Option $option does not take a value" if defined $value;
$options{$option} = 1; $options{$option} = 1;
$hostoptions{$option} = 1 if $hostopt;
} elsif ( $type == BINARY_IF_OPTION ) { } elsif ( $type == BINARY_IF_OPTION ) {
$value = 1 unless defined $value; $value = 1 unless defined $value;
fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
$options{$option} = $value; $options{$option} = $value;
$hostoptions{$option} = $value if $hostopt;
} elsif ( $type == ENUM_IF_OPTION ) { } elsif ( $type == ENUM_IF_OPTION ) {
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard; fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
if ( $option eq 'arp_ignore' ) { if ( $option eq 'arp_ignore' ) {
@ -779,13 +786,26 @@ sub validate_interfaces_file( $ )
my $numval = numeric_value $value; my $numval = numeric_value $value;
fatal_error "Invalid value ($value) for option $option" unless defined $numval; fatal_error "Invalid value ($value) for option $option" unless defined $numval;
$options{$option} = $numval; $options{$option} = $numval;
$hostoptions{$option} = $numval if $hostopt;
} elsif ( $type == IPLIST_IF_OPTION ) { } elsif ( $type == IPLIST_IF_OPTION ) {
fatal_error "The $option option requires a value" unless defined $value; fatal_error "The $option option requires a value" unless defined $value;
fatal_error "Duplicate $option option" if $nets; fatal_error "Duplicate $option option" if $nets;
#
# Remove parentheses from address list if present
#
$value =~ s/\)$// if $value =~ s/^\(//; $value =~ s/\)$// if $value =~ s/^\(//;
#
# Add all IP to the front of a list if the list begins with '!'
#
$value = join ',' , ALLIP , $value if $value =~ /^!/; $value = join ',' , ALLIP , $value if $value =~ /^!/;
#
# Convert into a Perl array
#
$nets = [ split_list $value, 'address' ]; $nets = [ split_list $value, 'address' ];
$options{broadcast} = 1; #
# Assume 'broadcast'
#
$hostoptions{broadcast} = 1;
} else { } else {
warning_message "Support for the $option interface option has been removed from Shorewall-perl"; warning_message "Support for the $option interface option has been removed from Shorewall-perl";
} }
@ -802,6 +822,7 @@ sub validate_interfaces_file( $ )
} }
$optionsref = \%options; $optionsref = \%options;
$hostoptionsref = \%hostoptions;
$interfaces{$interface} = { name => $interface , $interfaces{$interface} = { name => $interface ,
bridge => $bridge , bridge => $bridge ,
@ -815,7 +836,7 @@ sub validate_interfaces_file( $ )
$nets = [ allip ] unless $nets; $nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone; add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
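Review bot: The IPv6 `%validoptions` table keeps `nosmurfs => SIMPLE_IF_OPTION` while the IPv4 entry gains `+ IF_OPTION_HOST`, so for IPv6 the option is no longer in the hash passed to `add_group_to_zone()`, which now receives `$hostoptionsref` instead of `$optionsref`. If the zone's host options are what drive smurf filtering (not visible in these hunks), an IPv6 interface configured with `nosmurfs` would silently lose it; either change the entry to `nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,` or add a comment explaining why IPv6 differs. Likewise `broadcast` is now set only in `%hostoptions`, so any code that reads it from the interface's own options should be checked. A short comment at the constant, such as `# IF_OPTION_HOST: option is also copied into the zone's host options`, would document the new flag bit; `validate_interfaces_file` begins and ends outside the hunks shown.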