diff --git a/New/Shorewall/Hosts.pm b/New/Shorewall/Hosts.pm
new file mode 100644
index 000000000..ec80ea4ba
--- /dev/null
+++ b/New/Shorewall/Hosts.pm
@@ -0,0 +1,85 @@
+package Shorewall::Hosts;
+require Exporter;
+use Shorewall::Common;
+use Shorewall::Config;
+use Shorewall::Zones;
+use Shorewall::Interfaces;
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( validate_hosts_file );
+our @EXPORT_OK = ();
+our @VERSION = 1.00;
+
+#
+# Validates the hosts file. Generates entries in %zone{..}{hosts}
+#
+sub validate_hosts_file()
+{
+ my %validoptions = (
+ blacklist => 1,
+ maclist => 1,
+ norfc1918 => 1,
+ nosmurfs => 1,
+ routeback => 1,
+ routefilter => 1,
+ tcpflags => 1,
+ );
+
+ open HOSTS, "$ENV{TMP_DIR}/hosts" or fatal_error "Unable to open stripped hosts file: $!";
+
+ while ( $line = ) {
+
+ chomp $line;
+ $line =~ s/\s+/ /g;
+
+ my ($zone, $hosts, $options, $extra) = split /\s+/, $line;
+
+ fatal_error "Invalid hosts file entry: $line" if $extra;
+
+ my $zoneref = $zones{$zone};
+ my $type = $zoneref->{type};
+
+ fatal_error "Unknown ZONE ($zone)" unless $type;
+ fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall';
+
+ my $interface;
+
+ if ( $hosts =~ /^([\w.@%-]+):(.*)$/ ) {
+ $interface = $1;
+ $hosts = $2;
+ $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+ fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
+ } else {
+ fatal_error "Invalid HOSTS(S) column contents: $hosts";
+ }
+
+ my $optionsref;
+
+ if ( $options && $options ne '-' ) {
+ my @options = split ',', $options;
+ my %options;
+
+ for my $option ( @options )
+ {
+ if ( $option eq 'ipsec' ) {
+ $type = 'ipsec';
+ $zoneref->{options}{complex} = 1;
+ } elsif ( $validoptions{$option}) {
+ $options{$option} = 1;
+ } else {
+ fatal_error "Invalid option ($option)";
+ }
+ }
+
+ $optionsref = \%options;
+ }
+
+ my @h = split ',', $hosts;
+
+ add_group_to_zone( $zone, $type , $interface, \@h , $optionsref);
+
+ progress_message " Host \"$line\" validated";
+ }
+
+ close HOSTS;
+}
diff --git a/New/Shorewall/Zones.pm b/New/Shorewall/Zones.pm
index 338c076f6..e2d0edd7f 100644
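Review bot: The stripped hosts file is opened with the two-argument form `open HOSTS, "$ENV{TMP_DIR}/hosts"`, so the open mode is taken from the string itself and a TMP_DIR value with a leading `>`/`|` or a trailing `|` would be treated as a write or a pipe instead of a read; use the three-argument form with a lexical handle, `open my $hosts_fh, '<', "$ENV{TMP_DIR}/hosts" or fatal_error "Unable to open stripped hosts file: $!";` with `close $hosts_fh;` at the end of the sub. The loop variable `$line` is never declared with `my`, and the new module's preamble carries neither `use strict;` nor `use warnings;`, so `$line` is a package global rather than a loop-scoped lexical; `while ( my $line = <$hosts_fh> ) {` addresses both. The readline operand on the `while` line is not visible on this page (presumably lost in rendering), so the read loop itself cannot be confirmed here. Hosts.pm is a moved copy of the sub removed from Zones.pm in this same commit, so these points apply to the new file only.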
--- a/New/Shorewall/Zones.pm +++ b/New/Shorewall/Zones.pm @@ -4,7 +4,7 @@ use Shorewall::Common; use Shorewall::Config; our @ISA = qw(Exporter); -our @EXPORT = qw( determine_zones validate_hosts_file add_group_to_zone dump_zone_info zone_report @zones %zones $firewall_zone ); +our @EXPORT = qw( determine_zones add_group_to_zone dump_zone_info zone_report @zones %zones $firewall_zone ); our @EXPORT_OK = (); our @VERSION = 1.00; 
@@ -383,78 +383,4 @@ sub zone_report() } } -# -# Validates the hosts file. Generates entries in %zone{..}{hosts} -# -sub validate_hosts_file() -{ - my %validoptions = ( - blacklist => 1, - maclist => 1, - norfc1918 => 1, - nosmurfs => 1, - routeback => 1, - routefilter => 1, - tcpflags => 1, - ); - - open HOSTS, "$ENV{TMP_DIR}/hosts" or fatal_error "Unable to open stripped hosts file: $!"; - - while ( $line = ) { - - chomp $line; - $line =~ s/\s+/ /g; - - my ($zone, $hosts, $options, $extra) = split /\s+/, $line; - - fatal_error "Invalid hosts file entry: $line" if $extra; - - my $zoneref = $zones{$zone}; - my $type = $zoneref->{type}; - - fatal_error "Unknown ZONE ($zone)" unless $type; - fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type eq 'firewall'; - - my $interface; - - if ( $hosts =~ /^([\w.@%-]+):(.*)$/ ) { - $interface = $1; - $hosts = $2; - $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; - } else { - fatal_error "Invalid HOSTS(S) column contents: $hosts"; - } - - my $optionsref; - - if ( $options && $options ne '-' ) { - my @options = split ',', $options; - my %options; - - for my $option ( @options ) - { - if ( $option eq 'ipsec' ) { - $type = 'ipsec'; - $zoneref->{options}{complex} = 1; - } elsif ( $validoptions{$option}) { - $options{$option} = 1; - } else { - fatal_error "Invalid option ($option)"; - } - } - - $optionsref = \%options; - } - - my @h = split ',', $hosts; - - add_group_to_zone( $zone, $type , $interface, \@h , $optionsref); - - progress_message " Host \"$line\" validated"; - } - - close HOSTS; -} - 1; diff --git a/New/compiler.pl b/New/compiler.pl index 66e3c693b..a08638247 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -9,6 +9,7 @@ use Shorewall::Config; use Shorewall::Chains; use Shorewall::Zones; use Shorewall::Interfaces; +use Shorewall::Hosts; # # IPSEC Option types 
@@ -4624,6 +4625,7 @@ sub compile_firewall( $ ) { generate_matrix; dump_chain_table if $ENV{DEBUG}; generate_script_3; + $file = "$dir/$file"; rename $tempfile, $file; chmod 0700, $file;
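Review bot: The added `$file = "$dir/$file";` feeds an unchecked `rename $tempfile, $file;` followed by `chmod 0700, $file;`, so if the rename fails (for instance when `$dir` lies on a different filesystem from `$tempfile`, which rename cannot cross) the compiler neither reports it nor stops, and the chmod is applied to whatever, if anything, already sits at `$file`. Check both results: `rename $tempfile, $file or fatal_error "Cannot rename $tempfile to $file: $!";` and `chmod 0700, $file or fatal_error "Cannot chmod $file: $!";` (assuming fatal_error is in scope in compiler.pl as it is in Hosts.pm; otherwise `die`). The prepend also presumes `$file` is a bare name rather than a path that already carries a directory; `$dir` and `$file` are assigned outside the hunk, and compile_firewall continues past it.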