Finish Virtual Zones
This commit is contained in:
parent
8ff4d004c0
commit
222c8cf88f
@ -1185,18 +1185,10 @@ sub finish_section ( $ ) {
|
||||
$sections{$_} = 1 for split /,/, $sections;
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
my $mark = defined_zone( $zone )->{mark};
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
|
||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||
|
||||
finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;
|
||||
|
||||
if ( $sections{RELATED} ) {
|
||||
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
|
||||
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
|
||||
}
|
||||
|
||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
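Review bot: The surviving guard `finish_chain_section $chainref, $sections if $chainref->{referenced};` dereferences `$chainref` without first checking that the lookup `$chain_table{'filter'}{rules_chain( $zone, $zone1 )}` found anything; when the pair has no rules chain, `$chainref->{referenced}` silently autovivifies an anonymous hash into the lexical rather than skipping the pair. Whether every zone pair is guaranteed a chain by this point cannot be told from the hunk, and with virtual zones now having no interfaces or hosts of their own it seems worth confirming. If a miss is possible, `finish_chain_section $chainref, $sections if $chainref && $chainref->{referenced};` keeps the intent and fails closed. finish_section begins outside the hunk.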
@ -129,8 +129,15 @@ sub add_or_modify_policy_chain( $$ ) {
|
||||
push @policy_chains, $chainref;
|
||||
}
|
||||
} else {
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
}
|
||||
|
||||
unless ( $chainref->{marked} ) {
|
||||
my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
|
||||
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
|
||||
$chainref->{marked} = 1;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
sub print_policy($$$$) {
|
||||
|
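Review bot: The new `my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );` assumes both zones carry a numeric `mark`, but the code this commit removes from finish_section defaulted the same lookup with `|| 0` (the old `$mark1` line), which suggests non-virtual zones have no `mark` at all; for those pairs the `<<` and `|` will produce "Use of uninitialized value" warnings under `use warnings` on every policy chain the compiler builds. Suggest `my $mark = ( defined_zone( $zone )->{mark} || 0 ) | ( ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS );`, which keeps the `if $mark` short-circuit below it meaningful. add_or_modify_policy_chain begins outside the hunk; the `$chainref->{marked}` flag it sets is only visible here.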
@ -1801,6 +1801,11 @@ sub generate_matrix() {
|
||||
#
|
||||
# Take care of PREROUTING, INPUT and OUTPUT jumps
|
||||
#
|
||||
if ( $virtual ) {
|
||||
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1;
|
||||
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2;
|
||||
}
|
||||
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
@ -1825,8 +1830,6 @@ sub generate_matrix() {
|
||||
my $outputref;
|
||||
my $interfacematch = '';
|
||||
|
||||
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
||||
|
||||
if ( use_output_chain $interface ) {
|
||||
$outputref = $filter_table->{output_chain $interface};
|
||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||
@ -1885,7 +1888,6 @@ sub generate_matrix() {
|
||||
}
|
||||
|
||||
if ( $chain2 ) {
|
||||
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
||||
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
|
||||
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
|
||||
}
|
||||
@ -1960,7 +1962,7 @@ sub generate_matrix() {
|
||||
}
|
||||
|
||||
if ( $frwd_ref ) {
|
||||
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
|
||||
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual;
|
||||
}
|
||||
|
||||
#
|
||||
@ -2064,7 +2066,7 @@ sub generate_matrix() {
|
||||
add_jump($excl3ref ,
|
||||
$exclusion,
|
||||
0,
|
||||
"-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1;
|
||||
"-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1;
|
||||
|
||||
}
|
||||
}
|
||||
|
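Review bot: The match fragment `"-m mark ! --mark 0/" . in_hex(...) . ' '` is now spelled out by hand in all five hunks of generate_matrix (the hoisted OUTPUT and INPUT jumps, the FORWARD jump and the exclusion jump), differing only in whether the mark is shifted, and the trailing `' '` that add_jump apparently relies on is easy to drop when the next copy is made. A one-line helper in the file's own prototype style, `sub virtual_match( $ ) { return '-m mark ! --mark 0/' . in_hex( $_[0] ) . ' '; }`, would make each call site read as `virtual_match( $virtual << VIRTUAL_BITS )` or `virtual_match( $virtual )` and make the shift decision explicit. On that point, the OUTPUT jump shifts `$virtual` by VIRTUAL_BITS while the INPUT, FORWARD and exclusion jumps test the unshifted value; if `$virtual1` in the exclusion jump is the destination zone's mark it would presumably need the same shift as OUTPUT, which cannot be determined from the hunk. generate_matrix begins and ends outside these hunks.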
@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
|
||||
|
||||
6) Fix 'show policies' in Shorewall6.
|
||||
|
||||
7) Limit the maximum provider mark to 0xff0000.
|
||||
7) Implement 'virtual' zones.
|
||||
|
||||
Changes in Shorewall 4.4.4
|
||||
|
||||
|
@ -230,6 +230,42 @@ None.
|
||||
$FW dmz REJECT info
|
||||
$FW all ACCEPT
|
||||
|
||||
3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
|
||||
to group together a set of sub-zones. A virtual zone must by an
|
||||
ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
|
||||
with the 'virtual' OPTION in /etc/shorewall/zones.
|
||||
|
||||
Example:
|
||||
|
||||
virt ipv4 virtual
|
||||
|
||||
The virtual zone must have no definition in
|
||||
/etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
|
||||
can themselves be nested in other virtual zones but there is a
|
||||
limit of four virtual zones per configuration (that limitation
|
||||
derives from the fact that each virtual zone requires 2 bits in the
|
||||
packet mark).
|
||||
|
||||
Virtual zones are use as parent zones for other zones using the
|
||||
<zone>:<parent> syntax in /etc/shorewall/zones:
|
||||
|
||||
Example:
|
||||
|
||||
virt ipv4 virtual
|
||||
loc:virt ipv4
|
||||
vpn:virt ipsec
|
||||
|
||||
As shown in that example, a virtual zone may be a parent for
|
||||
multiple zone types.
|
||||
|
||||
Virtual zones are intended to be used with
|
||||
IMPLICIT_CONTINUE=No. They provide semantic behavior similar to
|
||||
IMPLICIT_CONTINUE=Yes in that connections that do not match rules
|
||||
for the sub-zone are applied to the parent zone.
|
||||
|
||||
For more information, see
|
||||
http://www.shorewall.net/manpages/shorewall-nesting.html
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 0
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -154,14 +154,14 @@
|
||||
to change the 'net' interface to something other than ppp0. That way, it
|
||||
won't match ppp+.</para>
|
||||
|
||||
<para>If you are running Shorewall version 4.1.4 or later, a second way is
|
||||
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION
|
||||
<para>A second way is to simply make the nested zones
|
||||
explicit:<programlisting> #ZONE TYPE OPTION
|
||||
fw firewall
|
||||
loc ipv4
|
||||
net:loc ipv4
|
||||
dmz ipv4</programlisting></para>
|
||||
|
||||
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
|
||||
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
|
||||
<para>When using other Shorewall versions, another way is to rewrite the
|
||||
@ -183,6 +183,60 @@
|
||||
loc ppp+:192.168.2.0/23</programlisting></para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="Virtual">
|
||||
<title>Virtual Zones</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
|
||||
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
|
||||
<filename>/etc/shorewall/interfaces</filename> or in
|
||||
<filename>/etc/shorewall/hosts</filename>. Rather, it is used as a parent
|
||||
zone for other zones in <filename>/etc/shorewall/zones</filename>.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE TYPE OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4 virtual
|
||||
loc1:loc ipv4
|
||||
loc2:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
|
||||
- eth1 detect tcpflags,nosmurfs,routefilter,logmartians</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE HOST(S) OPTIONS
|
||||
loc1 eth1:192.168.1.0/24
|
||||
loc2 eth1:192.168.2.0/24</programlisting>
|
||||
|
||||
<para>There are several restrictions on virtual zones:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>They must have type <option>ipv4</option>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>A maximum of four virtual zones may be defined.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>When a connection request to/from a sub-zone of a virtual zone does
|
||||
not match the rules for the sub-zone, the connection is compared against
|
||||
the rules (and policies) for the parent virtual zone.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
|
@ -87,6 +87,60 @@
|
||||
significant.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="Virtual">
|
||||
<title>Virtual Zones</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
|
||||
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
|
||||
<filename>/etc/shorewall6/interfaces</filename> or in
|
||||
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
|
||||
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall6/zones</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE TYPE OPTIONS
|
||||
fw firewall
|
||||
net ipv6
|
||||
loc ipv6 virtual
|
||||
loc1:loc ipv6
|
||||
loc2:loc ipv6</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags
|
||||
- eth1 detect tcpflags</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE HOST(S) OPTIONS
|
||||
loc1 eth1:2001:19f0:feee:1::/48
|
||||
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
|
||||
|
||||
<para>There are several restrictions on virtual zones:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>They must have type <option>ipv6</option>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>A maximum of four virtual zones may be defined.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>When a connection request to/from a sub-zone of a virtual zone does
|
||||
not match the rules for the sub-zone, the connection is compared against
|
||||
the rules (and policies) for the parent virtual zone.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
|