Tighten zone-definition checking

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1219 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-03-20 17:21:15 +00:00 · 2004-03-20 17:21:15 +00:00 · f857af963e
commit f857af963e
parent a232826ac1
4 changed files with 32 additions and 2 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -15,3 +15,5 @@ Changes since 2.0.0
 7) Add -x option to /sbin/shorewall.

 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
+
+9) Improve zone-definition checking.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -587,6 +587,10 @@ determine_hosts() {
 	for host in $hosts; do
 	    interface=${host%:*}
 	    if list_search $interface $interfaces; then
+		list_search $interface:0.0.0.0/0 $hosts && \
+		    startup_error "Invalid zone definition for zone $zone"
+		list_search $interface:0/0 $hosts && \
+		    startup_error "Invalid zone definition for zone $zone"
 		eval ${zone}_is_complex=Yes
 	    else
 		if [ -z "$interfaces" ]; then
@ -616,6 +620,13 @@ validate_zone() # $1 = zone
 {
    list_search $1 $zones $FW
 }
+#
+# Ensure that the passed zone is defined in the zones file.
+#
+validate_zone1() # $1 = zone
+{
+    list_search $1 $zones
+}

 #
 # Validate the zone names and options in the interfaces file
@ -701,7 +712,7 @@ validate_hosts_file() {
    while read z hosts options; do
 	expandv z hosts options
 	r="$z $hosts $options"
-	validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
+	validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""

 	interface=${hosts%%:*}
 	iface=$(chain_base $interface)
--- a/Shorewall2/hosts
+++ b/Shorewall2/hosts
@ -5,7 +5,11 @@
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
 #
 #	IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
-#
+#------------------------------------------------------------------------------
+#	IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
+#	/etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
+#	ZONE AND INTERFACE IN THIS FILE.
+#------------------------------------------------------------------------------
 #	This file is used to define zones in terms of subnets and/or
 #	individual IP addresses. Most simple setups don't need to
 #	(should not) place anything in this file.
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -72,4 +72,17 @@ New Features:
 	    shorewall -x status
 	    shorewall -x monitor [ <interval> ]

+4) Shorewall now traps two common zone definition errors:
+
+   - Including the firewall zone in a /etc/shorewall/hosts record.
+   - Defining a interface for a zone in both /etc/shorewall/interfaces
+     and /etc/shorewall/hosts.
+
+   In the second case, the following will appear during "shorewall
+   [re]start" or "shorewall check":
+
+   Determining Hosts in Zones...
+      ...
+      Error: Invalid zone definition for zone <name of zone>
+   Terminated