On 04/01/2016 04:14 PM, Steven Jan Springl wrote: > On Fri, 1 Apr 2016 15:03:49 -0700 > Tom Eastep <[email protected]> wrote: > >> On 04/01/2016 02:05 PM, Steven Jan Springl wrote: >>> On Fri, 1 Apr 2016 13:06:06 -0700 >>> Tom Eastep <[email protected]> wrote: >>> >>>> >>>> >>>> 1) If a physical interface name was used in the INTERFACE column >>>> of an entry in /etc/shorewall/masq, then previously a Perl >>>> diagnostic was issued as the masq rule was being processed and the >>>> iptables rule and its containing chain were dropped by the >>>> optimizer. That has been corrected so that physical interface >>>> names are handled correctly. >>>> >>>> Similar issues with physical names in the INTERFACE column of >>>> the nat and netmap files have also been resolved. >>> >>> A similar problem occurs if you specify a physical interface in the >>> ecn file. >>> >> >> The attached patch seems to resolve the issue. >> >> Thanks Steven, >> -Tom > > Tom > > Confirmed, the patch fixes the issue. > > ------------------------------------------------------ > > There are a few more issues with physical interfaces. >
The attached patch should resolve these issues. Thanks Steven, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index c5beb2d..badd3df 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2030,7 +2030,7 @@ sub chain_base( $ ) {
sub forward_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
}
#
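Review bot: With USE_PHYSICAL_NAMES off, `forward_chain` used to return `$interface . '_fwd'` for any string, but `get_logical( $interface )` yields undef for a name with no `%interfaces` entry, so the result collapses to the bare suffix `_fwd` with at most an uninitialized-value warning. Every unknown name would then resolve to the same chain, which in a ruleset compiler means rules can land in a chain they were not written for. If a caller can ever pass an unconfigured name (not visible from this hunk), keep the old value as a fallback, `( get_logical( $interface ) || $interface )`, or stop with `fatal_error`. The same applies to the other eleven `*_chain` helpers changed in this file.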
@@ -2085,7 +2085,7 @@ sub use_forward_chain($$) {
#
sub input_option_chain($) {
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
}
#
@@ -2093,7 +2093,7 @@ sub input_option_chain($) {
#
sub output_option_chain($) {
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
}
#
@@ -2101,7 +2101,7 @@ sub output_option_chain($) {
#
sub forward_option_chain($) {
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
}
#
@@ -2110,7 +2110,7 @@ sub forward_option_chain($) {
sub input_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
}
#
@@ -2173,7 +2173,7 @@ sub use_input_chain($$) {
sub output_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
}
#
@@ -2182,7 +2182,7 @@ sub output_chain($)
sub prerouting_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
}
#
@@ -2191,7 +2191,7 @@ sub prerouting_chain($)
sub postrouting_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
}
#
@@ -2244,7 +2244,7 @@ sub use_output_chain($$) {
sub masq_chain($)
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
}
#
@@ -2260,7 +2260,7 @@ sub syn_flood_chain ( $ ) {
sub mac_chain( $ )
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
}
sub macrecent_target($)
@@ -2297,7 +2297,7 @@ sub load_chain( $ ) {
sub snat_chain( $ )
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
}
#
@@ -2306,7 +2306,7 @@ sub snat_chain( $ )
sub ecn_chain( $ )
{
my $interface = shift;
- ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
}
#
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 7f93deb..d57ffbe 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
find_interface
known_interface
get_physical
+ get_logical
physical_name
have_bridges
port_to_bridge
@@ -210,7 +211,6 @@ our %interfaces;
our %roots;
our @bport_zones;
our %ipsets;
-our %physical;
our %basemap;
our %basemap1;
our %mapbase;
@@ -327,7 +327,6 @@ sub initialize( $$ ) {
%interfaces = ();
@bport_zones = ();
%ipsets = ();
- %physical = ();
%basemap = ();
%basemap1 = ();
%mapbase = ();
@@ -1311,7 +1310,7 @@ sub process_interface( $$ ) {
fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
- fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+ fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
$physical = $value;
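Review bot: The wildcard/type check on the line after the changed one can never fire, because `!` binds tighter than `=~`: `! $value =~ /\+$/` is parsed as `(!$value) =~ /\+$/`, and neither `''` nor `1` matches the pattern. The intended test is `if $wildcard && $value !~ /\+$/;`. That line is unchanged context, but it validates the same `physical` value this commit is re-checking, so a wildcard interface given a non-wildcard physical name is currently accepted. process_interface starts and ends outside this hunk.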
@@ -1385,21 +1384,23 @@ sub process_interface( $$ ) {
$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
}
- $physical{$physical} = $interfaces{$interface} = { name => $interface ,
- bridge => $bridge ,
- filter => $filterref ,
- nets => 0 ,
- number => $nextinum ,
- root => $root ,
- broadcasts => $broadcasts ,
- options => \%options ,
- zone => '',
- physical => $physical ,
- base => var_base( $physical ),
- zones => {},
- origin => shortlineinfo( '' ),
- wildcard => $wildcard,
- };
+ my $interfaceref = $interfaces{$interface} = { name => $interface ,
+ bridge => $bridge ,
+ filter => $filterref ,
+ nets => 0 ,
+ number => $nextinum ,
+ root => $root ,
+ broadcasts => $broadcasts ,
+ options => \%options ,
+ zone => '',
+ physical => $physical ,
+ base => var_base( $physical ),
+ zones => {},
+ origin => shortlineinfo( '' ),
+ wildcard => $wildcard,
+ };
+
+ $interfaces{$physical} = $interfaceref if $physical ne $interface;
if ( $zone ) {
fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
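Review bot: The new alias `$interfaces{$physical} = $interfaceref` lets `%interfaces` hold two keys for one interface, and nothing at the assignment documents that. Any code that walks `keys %interfaces` or `values %interfaces` (none is visible in this diff) would now visit a renamed interface twice. Since the duplicate check exempts `$port`, two bridge ports that share a physical name would presumably overwrite each other's alias without a diagnostic. I would add a comment above the assignment such as `# Alias: the physical name maps to the same record; iterate only on keys where $interfaces{$_}{name} eq $_`. process_interface starts and ends outside this hunk.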
@@ -1583,7 +1584,7 @@ sub known_interface($)
}
}
- $physical{$interface} || 0;
+ 0;
}
#
@@ -1655,13 +1656,20 @@ sub find_interface( $ ) {
}
#
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
#
sub get_physical( $ ) {
$interfaces{ $_[0] }->{physical};
}
#
+# Returns the logical interface associated with the passed interface name
+#
+sub get_logical( $ ) {
+ $interfaces{ $_[0] }->{name};
+}
+
+#
# This one doesn't insist that the passed name be the name of a configured interface
#
sub physical_name( $ ) {
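Review bot: `get_logical` dereferences `$interfaces{ $_[0] }` without checking that the key exists, so looking up an unknown name autovivifies an empty `$interfaces{...}` entry as a side effect and returns undef. Because this commit also makes the duplicate check in process_interface test `$interfaces{$value}` for truth, such a stray empty hashref could later be reported as a duplicate physical name. A guarded form avoids both: `my $ref = $interfaces{ $_[0] }; $ref ? $ref->{name} : undef;`. `get_physical` just above has the same shape. The hunk ends on the opening line of `physical_name`, whose body is outside it.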
