Finish Virtual Zones

Tom Eastep 2009-11-26 12:14:58 -08:00
parent 8ff4d004c0
commit 222c8cf88f
7 changed files with 164 additions and 19 deletions

View File

@ -1185,18 +1185,10 @@ sub finish_section ( $ ) {
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
my $mark = defined_zone( $zone )->{mark};
for my $zone1 ( all_zones ) {
my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;
if ( $sections{RELATED} ) {
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
}
finish_chain_section $chainref, $sections if $chainref->{referenced};
}
}
}
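Review bot: the new condition `finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;` can now fire with an undefined `$chainref`. `$chain_table{'filter'}{rules_chain( $zone, $zone1 )}` is a plain hash lookup, and the two loops cover every zone pair, so a pair that has no rules chain but involves a marked (virtual) zone satisfies `$mark || $mark1` and passes an autovivified empty hash into `finish_chain_section`; the old form was only reachable through `$chainref->{referenced}`. Guard with `if $chainref && ( $chainref->{referenced} || $mark || $mark1 )`, or skip pairs whose chain is absent. Also, `$mark1` applies `|| 0` before shifting while `$mark` is taken raw from `defined_zone( $zone )->{mark}`; either both need the default or neither does.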

View File

@ -129,8 +129,15 @@ sub add_or_modify_policy_chain( $$ ) {
push @policy_chains, $chainref;
}
} else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
}
unless ( $chainref->{marked} ) {
my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
$chainref->{marked} = 1;
}
}
sub print_policy($$$$) {
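Review bot: `my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );` shifts and ORs `{mark}` without a default, so for any zone pair where one side is not under a virtual zone (`{mark}` undefined) this emits "Use of uninitialized value" warnings under `use warnings`; the `finish_section` hunk writes `( defined_zone( $zone1 )->{mark} || 0 )` for the same value, so do the same on both operands here. Separately, the `unless ( $chainref->{marked} )` block sets `{marked}` even when `$mark` is 0 and no rule was added, which is harmless but means `marked` records "mark rule considered", not "mark rule present"; a comment saying so would prevent a later caller from relying on the wrong meaning.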

View File

@ -1801,6 +1801,11 @@ sub generate_matrix() {
#
# Take care of PREROUTING, INPUT and OUTPUT jumps
#
if ( $virtual ) {
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1;
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2;
}
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface};
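Review bot: the two jumps added under `if ( $virtual )` use different masks, `in_hex($virtual << VIRTUAL_BITS)` for OUTPUT and `in_hex($virtual)` for INPUT, and that is the right way round if the low bits carry the source zone's mark and the bits above VIRTUAL_BITS carry the destination zone's mark (as in `add_or_modify_policy_chain`, where `$zone1` is the shifted operand): firewall-originated traffic in OUTPUT has the virtual zone as destination, firewall-bound traffic in INPUT has it as source. A one-line comment stating that bit layout here would save the next reader the cross-reference. The `-m mark ! --mark 0/...` form also replaces the `--mark ! 0/...` form in the per-interface lines this hunk makes redundant; that older form is the intrapositioned negation that current iptables warns is deprecated, so the rewrite is a correction rather than only a move.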
@ -1825,8 +1830,6 @@ sub generate_matrix() {
my $outputref;
my $interfacematch = '';
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
if ( use_output_chain $interface ) {
$outputref = $filter_table->{output_chain $interface};
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
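Review bot: dropping `add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;` from the per-interface loop is correct: it ran once per interface in `%$source_hosts_ref`, producing duplicate OUTPUT rules for multi-interface zones, and the single zone-level jump added earlier in this function covers them. Note that the removed line masked with the unshifted `$virtual`, whereas the replacement OUTPUT jump masks with `$virtual << VIRTUAL_BITS`; that changes which packets the jump matches and deserves a sentence in the commit message.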
@ -1885,7 +1888,6 @@ sub generate_matrix() {
}
if ( $chain2 ) {
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
}
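Review bot: as with OUTPUT, the removed `add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;` sat inside the per-interface loop and is now emitted once per zone; fine. The surviving `move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;` still runs per interface, so confirm that the zone-level mark jump to `$chain2` is placed in INPUT before rules are moved into `$chain2`; otherwise INPUT rule order differs between zones with and without interface-specific input chains.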
@ -1960,7 +1962,7 @@ sub generate_matrix() {
}
if ( $frwd_ref ) {
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual;
}
#
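Review bot: the FORWARD jump changes only the negation syntax (`-m mark ! --mark 0/...` in place of `--mark ! 0/...`) and appends a trailing space; the mask stays the unshifted `in_hex($virtual)`, which is consistent with `$frwd_ref` being the source zone's forward chain. The trailing `' '` is now hand-appended at three call sites in this file; if `add_jump` concatenates the match text with more match text, have it insert the separator itself rather than relying on every caller to remember it.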
@ -2064,7 +2066,7 @@ sub generate_matrix() {
add_jump($excl3ref ,
$exclusion,
0,
"-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1;
"-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1;
}
}
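Review bot: this hunk only appends `' '` to the exclusion jump's match, but it leaves `in_hex($virtual1)` unshifted even though `$virtual1` names the second zone of the pair, and the OUTPUT jump earlier in this commit shifts the destination-side mark by VIRTUAL_BITS. Confirm that `$virtual1` is already stored shifted, or that `$excl3ref` is on the source side of the pair; if neither holds, this jump tests the source zone's bits and the exclusion keys on the wrong zone.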

View File

@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
6) Fix 'show policies' in Shorewall6.
7) Limit the maximum provider mark to 0xff0000.
7) Implement 'virtual' zones.
Changes in Shorewall 4.4.4
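Review bot: the hunk leaves two entries numbered 7) in the 4.4.5 list, `7) Limit the maximum provider mark to 0xff0000.` and `7) Implement 'virtual' zones.`. If the provider-mark entry is the one being replaced, it should stay in the notes regardless: the release notes in this same commit say each virtual zone consumes 2 bits of the packet mark, so a ceiling on provider marks is the other side of the same change and administrators need to see both. Keep both lines and renumber them 7) and 8).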

View File

@ -230,6 +230,42 @@ None.
$FW dmz REJECT info
$FW all ACCEPT
3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
to group together a set of sub-zones. A virtual zone must by an
ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
with the 'virtual' OPTION in /etc/shorewall/zones.
Example:
virt ipv4 virtual
The virtual zone must have no definition in
/etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
can themselves be nested in other virtual zones but there is a
limit of four virtual zones per configuration (that limitation
derives from the fact that each virtual zone requires 2 bits in the
packet mark).
Virtual zones are use as parent zones for other zones using the
<zone>:<parent> syntax in /etc/shorewall/zones:
Example:
virt ipv4 virtual
loc:virt ipv4
vpn:virt ipsec
As shown in that example, a virtual zone may be a parent for
multiple zone types.
Virtual zones are intended to be used with
IMPLICIT_CONTINUE=No. They provide semantic behavior similar to
IMPLICIT_CONTINUE=Yes in that connections that do not match rules
for the sub-zone are applied to the parent zone.
For more information, see
http://www.shorewall.net/manpages/shorewall-nesting.html
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0
----------------------------------------------------------------------------
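Review bot: two typos in the new item 3): `A virtual zone must by an ipv4 zone` should read `must be`, and `Virtual zones are use as parent zones` should read `are used as`. The bit-budget sentence (`each virtual zone requires 2 bits in the packet mark`, four zones maximum) is the only place in this commit where mark usage is stated; say which bits are used, because MARK rules in tcrules and provider marks share the same field and users need to know what to avoid. The two `virt ipv4 virtual` examples also lack the `#ZONE TYPE OPTIONS` header line that the manpage examples in this commit carry.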

View File

@ -154,14 +154,14 @@
to change the 'net' interface to something other than ppp0. That way, it
won't match ppp+.</para>
<para>If you are running Shorewall version 4.1.4 or later, a second way is
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION
<para>A second way is to simply make the nested zones
explicit:<programlisting> #ZONE TYPE OPTION
fw firewall
loc ipv4
net:loc ipv4
dmz ipv4</programlisting></para>
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in
<filename>shorewall.conf</filename>.</para>
<para>When using other Shorewall versions, another way is to rewrite the
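Review bot: with `If you are running Shorewall version 4.1.4 or later, a second way is` replaced by `A second way is`, the following context line `When using other Shorewall versions, another way is to rewrite the` now refers to a version qualifier that no longer exists and should be reworded (for example, "Another way is to rewrite the ..."). Note also that this hunk flips the advice for explicit `net:loc` nesting from `IMPLICIT_CONTINUE=No` to `IMPLICIT_CONTINUE=Yes`, while the new Virtual Zones section on the same page says virtual zones should not be used with `IMPLICIT_CONTINUE=Yes`; a sentence contrasting the two mechanisms would stop readers from treating the recommendations as contradictory.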
@ -183,6 +183,60 @@
loc ppp+:192.168.2.0/23</programlisting></para>
</refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall/interfaces</filename> or in
<filename>/etc/shorewall/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4 virtual
loc1:loc ipv4
loc2:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
- eth1 detect tcpflags,nosmurfs,routefilter,logmartians</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:192.168.1.0/24
loc2 eth1:192.168.2.0/24</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>They must have type <option>ipv4</option>.</para>
</listitem>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1>
<title>FILES</title>
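Review bot: the restriction `A maximum of four virtual zones may be defined` is stated without the reason given in the release notes (2 packet-mark bits per virtual zone); give the reason here and name the bits used, so that administrators who also set marks in tcrules or through providers can avoid colliding with them. The example correctly keeps the virtual `loc` zone out of interfaces and hosts, but the section should also say that a virtual zone may itself be nested in another virtual zone, which the release notes state and this manpage text does not.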

View File

@ -87,6 +87,60 @@
significant.</para>
</refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall6/interfaces</filename> or in
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv6
loc ipv6 virtual
loc1:loc ipv6
loc2:loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
- eth1 detect tcpflags</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:2001:19f0:feee:1::/48
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>They must have type <option>ipv6</option>.</para>
</listitem>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1>
<title>FILES</title>
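Review bot: two problems in the Shorewall6 example. The filenames read `/etc/shorewall/interfaces` and `/etc/shorewall/hosts` but should be `/etc/shorewall6/interfaces` and `/etc/shorewall6/hosts`, matching the zones file path above them. More seriously, the hosts entries `eth1:2001:19f0:feee:1::/48` and `eth1:2001:19f0:feee:2::/48` denote the same prefix, 2001:19f0:feee::/48, because the fourth hextet that distinguishes them lies outside a 48-bit mask; as written, loc1 and loc2 cover identical addresses and the example does not demonstrate two sub-zones at all. Use /64 for the subnets (2001:19f0:feee:1::/64 and 2001:19f0:feee:2::/64). Also check the `BROADCAST` column heading against shorewall6-interfaces(5), since IPv6 has no broadcast addresses.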