Split out host options from interface options
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
dba858068c
commit
af24d35973
@ -602,42 +602,43 @@ sub validate_interfaces_file( $ )
|
|||||||
OBSOLETE_IF_OPTION => 5,
|
OBSOLETE_IF_OPTION => 5,
|
||||||
IPLIST_IF_OPTION => 6,
|
IPLIST_IF_OPTION => 6,
|
||||||
MASK_IF_OPTION => 7,
|
MASK_IF_OPTION => 7,
|
||||||
IF_OPTION_ZONEONLY => 8 };
|
IF_OPTION_ZONEONLY => 8,
|
||||||
|
IF_OPTION_HOST => 16};
|
||||||
|
|
||||||
my %validoptions;
|
my %validoptions;
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
%validoptions = (arp_filter => BINARY_IF_OPTION,
|
%validoptions = (arp_filter => BINARY_IF_OPTION,
|
||||||
arp_ignore => ENUM_IF_OPTION,
|
arp_ignore => ENUM_IF_OPTION,
|
||||||
blacklist => SIMPLE_IF_OPTION,
|
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
detectnets => OBSOLETE_IF_OPTION,
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
maclist => SIMPLE_IF_OPTION,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
logmartians => BINARY_IF_OPTION,
|
logmartians => BINARY_IF_OPTION,
|
||||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
norfc1918 => SIMPLE_IF_OPTION,
|
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
nosmurfs => SIMPLE_IF_OPTION,
|
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
optional => SIMPLE_IF_OPTION,
|
optional => SIMPLE_IF_OPTION,
|
||||||
proxyarp => BINARY_IF_OPTION,
|
proxyarp => BINARY_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
||||||
routefilter => BINARY_IF_OPTION,
|
routefilter => BINARY_IF_OPTION + IF_OPTION_HOST,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
tcpflags => SIMPLE_IF_OPTION,
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
upnp => SIMPLE_IF_OPTION,
|
upnp => SIMPLE_IF_OPTION,
|
||||||
mss => NUMERIC_IF_OPTION,
|
mss => NUMERIC_IF_OPTION,
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
%validoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
maclist => SIMPLE_IF_OPTION,
|
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
nosmurfs => SIMPLE_IF_OPTION,
|
nosmurfs => SIMPLE_IF_OPTION,
|
||||||
optional => SIMPLE_IF_OPTION,
|
optional => SIMPLE_IF_OPTION,
|
||||||
proxyndp => BINARY_IF_OPTION,
|
proxyndp => BINARY_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
tcpflags => SIMPLE_IF_OPTION,
|
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
mss => NUMERIC_IF_OPTION,
|
mss => NUMERIC_IF_OPTION,
|
||||||
forward => NUMERIC_IF_OPTION,
|
forward => NUMERIC_IF_OPTION,
|
||||||
);
|
);
|
||||||
@ -735,8 +736,10 @@ sub validate_interfaces_file( $ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
my $optionsref = {};
|
my $optionsref = {};
|
||||||
|
my $hostoptionsref = {};
|
||||||
|
|
||||||
my %options;
|
my %options;
|
||||||
|
my %hostoptions;
|
||||||
|
|
||||||
if ( $options ) {
|
if ( $options ) {
|
||||||
|
|
||||||
@ -749,16 +752,20 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
|
||||||
|
|
||||||
|
my $hostopt = $type & IF_OPTION_HOST;
|
||||||
|
|
||||||
$type &= MASK_IF_OPTION;
|
$type &= MASK_IF_OPTION;
|
||||||
|
|
||||||
if ( $type == SIMPLE_IF_OPTION ) {
|
if ( $type == SIMPLE_IF_OPTION ) {
|
||||||
fatal_error "Option $option does not take a value" if defined $value;
|
fatal_error "Option $option does not take a value" if defined $value;
|
||||||
$options{$option} = 1;
|
$options{$option} = 1;
|
||||||
|
$hostoptions{$option} = 1 if $hostopt;
|
||||||
} elsif ( $type == BINARY_IF_OPTION ) {
|
} elsif ( $type == BINARY_IF_OPTION ) {
|
||||||
$value = 1 unless defined $value;
|
$value = 1 unless defined $value;
|
||||||
fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
|
fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
|
||||||
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
|
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
|
||||||
$options{$option} = $value;
|
$options{$option} = $value;
|
||||||
|
$hostoptions{$option} = $value if $hostopt;
|
||||||
} elsif ( $type == ENUM_IF_OPTION ) {
|
} elsif ( $type == ENUM_IF_OPTION ) {
|
||||||
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
|
fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
|
||||||
if ( $option eq 'arp_ignore' ) {
|
if ( $option eq 'arp_ignore' ) {
|
||||||
@ -779,13 +786,26 @@ sub validate_interfaces_file( $ )
|
|||||||
my $numval = numeric_value $value;
|
my $numval = numeric_value $value;
|
||||||
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
|
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
|
||||||
$options{$option} = $numval;
|
$options{$option} = $numval;
|
||||||
|
$hostoptions{$option} = $numval if $hostopt;
|
||||||
} elsif ( $type == IPLIST_IF_OPTION ) {
|
} elsif ( $type == IPLIST_IF_OPTION ) {
|
||||||
fatal_error "The $option option requires a value" unless defined $value;
|
fatal_error "The $option option requires a value" unless defined $value;
|
||||||
fatal_error "Duplicate $option option" if $nets;
|
fatal_error "Duplicate $option option" if $nets;
|
||||||
|
#
|
||||||
|
# Remove parentheses from address list if present
|
||||||
|
#
|
||||||
$value =~ s/\)$// if $value =~ s/^\(//;
|
$value =~ s/\)$// if $value =~ s/^\(//;
|
||||||
|
#
|
||||||
|
# Add all IP to the front of a list if the list begins with '!'
|
||||||
|
#
|
||||||
$value = join ',' , ALLIP , $value if $value =~ /^!/;
|
$value = join ',' , ALLIP , $value if $value =~ /^!/;
|
||||||
|
#
|
||||||
|
# Convert into a Perl array
|
||||||
|
#
|
||||||
$nets = [ split_list $value, 'address' ];
|
$nets = [ split_list $value, 'address' ];
|
||||||
$options{broadcast} = 1;
|
#
|
||||||
|
# Assume 'broadcast'
|
||||||
|
#
|
||||||
|
$hostoptions{broadcast} = 1;
|
||||||
} else {
|
} else {
|
||||||
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
||||||
}
|
}
|
||||||
@ -802,6 +822,7 @@ sub validate_interfaces_file( $ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
$optionsref = \%options;
|
$optionsref = \%options;
|
||||||
|
$hostoptionsref = \%hostoptions;
|
||||||
|
|
||||||
$interfaces{$interface} = { name => $interface ,
|
$interfaces{$interface} = { name => $interface ,
|
||||||
bridge => $bridge ,
|
bridge => $bridge ,
|
||||||
@ -815,7 +836,7 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
$nets = [ allip ] unless $nets;
|
$nets = [ allip ] unless $nets;
|
||||||
|
|
||||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone;
|
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
|
||||||
|
|
||||||
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
||||||
|
|
||||||
|
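Review bot: The IPv6 option table leaves `nosmurfs` without the host flag (`nosmurfs => SIMPLE_IF_OPTION,` in the `else` branch) while the IPv4 table marks it `SIMPLE_IF_OPTION + IF_OPTION_HOST`; since the final `add_group_to_zone(...)` call now receives only `$hostoptionsref` instead of the full `$optionsref`, an IPv6 interface declared with `nosmurfs` no longer carries that option into its zone group, whereas before this change it did. If `add_group_to_zone` (outside this page) is where per-host smurf filtering is derived, this is a silent loss of a filtering rule on IPv6 rather than a configuration error the user would see; the two tables should agree, i.e. `nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,` in the IPv6 branch, or the divergence should be documented with a comment explaining why v6 differs. Separately, the IPLIST branch now sets only `$hostoptions{broadcast} = 1` and no longer sets `$options{broadcast}`, so any reader of the interface-level options that expected `broadcast` would need checking — I cannot confirm from here whether one exists. The enclosing `validate_interfaces_file` starts and ends outside the visible hunks.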