diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 47a3ca8b6..1626e11b7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1185,18 +1185,10 @@ sub finish_section ( $ ) {
     $sections{$_} = 1 for split /,/, $sections;
     for my $zone ( all_zones ) {
-        my $mark = defined_zone( $zone )->{mark};
         for my $zone1 ( all_zones ) {
-            my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
             my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
-            finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;
-
-            if ( $sections{RELATED} ) {
-                add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
-                add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
-            }
-
+            finish_chain_section $chainref, $sections if $chainref->{referenced};
         }
     }
 }
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 9454bc9d9..b8d69d85a 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -129,8 +129,15 @@ sub add_or_modify_policy_chain( $$ ) {
             push @policy_chains, $chainref;
         }
     } else {
-        push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+        push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
     }
+
+    unless ( $chainref->{marked} ) {
+        my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
+        add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
+        $chainref->{marked} = 1;
+    }
+
 }
 sub print_policy($$$$) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 7eea22ea4..81cdb9199 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
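Review bot: The surviving `finish_chain_section $chainref, $sections if $chainref->{referenced};` line gives no hint that the `-j MARK --or-mark` rules this loop used to emit in the RELATED section have been moved out of finish_section, so the next reader of this loop will look for the virtual-zone marking here and not find it. I would add above that line: `# Virtual-zone marks are no longer applied here; they are set in the zone pair's policy chain (Policy.pm, add_or_modify_policy_chain).` Dropping `|| $mark || $mark1` from the condition also means a zone pair whose rules chain is unreferenced no longer gets its section finished even when a virtual parent is involved; that looks intentional because such a chain is unreachable, but it is worth stating in the commit message. finish_section itself begins before this hunk.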
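Review bot: `defined_zone( $zone1 )->{mark} << VIRTUAL_BITS` drops the `|| 0` default that the removed Chains.pm code applied to the same value, so if `{mark}` is left undefined for zones without a virtual parent this line emits a "Use of uninitialized value" warning on every compile under `use warnings`; unless Zones.pm is known to initialise mark to 0, I would write `my $mark = ( defined_zone( $zone )->{mark} || 0 ) | ( ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS );`. The MARK rule is appended with add_rule, so for a policy chain that already existed when the `if` branch above ran it lands after whatever rules that chain already holds; please confirm the chain is still empty at this point, otherwise the mark could be set after the rule that already decided the packet. A one-line comment on the `unless` block explaining why marking lives here — the packet reaches the policy chain only when no rule for the sub-zone pair matched, and the mark is what later selects the parent zone's chain — would spare readers the cross-file hunt. add_or_modify_policy_chain begins before this hunk.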
@@ -1801,6 +1801,11 @@ sub generate_matrix() {
         #
         # Take care of PREROUTING, INPUT and OUTPUT jumps
         #
+        if ( $virtual ) {
+            add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1;
+            add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2;
+        }
+
         for my $typeref ( values %$source_hosts_ref ) {
             for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
                 my $arrayref = $typeref->{$interface};
@@ -1825,8 +1830,6 @@ sub generate_matrix() {
                 my $outputref;
                 my $interfacematch = '';
-                add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
-
                 if ( use_output_chain $interface ) {
                     $outputref = $filter_table->{output_chain $interface};
                     add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
@@ -1885,7 +1888,6 @@ sub generate_matrix() {
                 }
                 if ( $chain2 ) {
-                    add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
                     add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
                     move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
                 }
@@ -1960,7 +1962,7 @@ sub generate_matrix() {
             }
             if ( $frwd_ref ) {
-                add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
+                add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual;
             }
             #
@@ -2064,7 +2066,7 @@ sub generate_matrix() {
                         add_jump($excl3ref ,
                                  $exclusion,
                                  0,
-                                 "-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1;
+                                 "-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1;
                     }
                 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 17048eacd..1bb5c4392 100644
--- a/Shorewall/changelog.txt
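Review bot: The `-m mark ! --mark 0/…` jumps into `$chain1` and `$chain2` only implement the documented fall-through if, inside the same built-in chain, the sub-zone jumps are emitted before them: the mark is set in the sub-zone pair's policy chain, which CONTINUEs, so the parent's mark test must come later in OUTPUT/INPUT, i.e. the virtual zone has to be processed after all of its sub-zones in this loop. Nothing in the hunk records that ordering dependency, which is decided outside it; I would add above the `if ( $virtual )`: `# Sub-zones must precede their virtual parent in this loop: the mark-test jumps below only match packets already marked and CONTINUEd by a sub-zone policy chain.` The dispatch also trusts the mark bits themselves: any packet that reaches the filter table with those bits already set, for example by a mangle-table MARK rule sharing the range, is evaluated against the parent zone's rules, so the same comment should state that the VIRTUAL_BITS range must not overlap provider or tcrules marks. generate_matrix begins before and ends after this hunk.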
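Review bot: The mask in this exclusion jump, `in_hex($virtual1)`, is unshifted, whereas the OUTPUT jump added at the top of generate_matrix uses `in_hex($virtual << VIRTUAL_BITS)` for the destination zone and the INPUT/FORWARD jumps use the unshifted value for the source zone. If `$virtual1`, which is computed outside this hunk, is the destination zone's mark, this line tests the source-zone bits and should read `"-m mark ! --mark 0/" . in_hex($virtual1 << VIRTUAL_BITS) . ' ') if $virtual1;`; if it is a source-side value the line is right but deserves a comment saying which side of the pair it selects. The added `. ' '` suffix is consistent with the other jumps in this commit. generate_matrix continues past this hunk.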
+++ b/Shorewall/changelog.txt
@@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
 6) Fix 'show policies' in Shorewall6.
-7) Limit the maximum provider mark to 0xff0000.
+7) Implement 'virtual' zones.
 Changes in Shorewall 4.4.4
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 8702f35cf..da6bc884e 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -230,6 +230,42 @@ None.
     $FW dmz REJECT info
     $FW all ACCEPT
+3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
+   to group together a set of sub-zones. A virtual zone must by an
+   ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
+   with the 'virtual' OPTION in /etc/shorewall/zones.
+
+   Example:
+
+   virt ipv4 virtual
+
+   The virtual zone must have no definition in
+   /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
+   can themselves be nested in other virtual zones but there is a
+   limit of four virtual zones per configuration (that limitation
+   derives from the fact that each virtual zone requires 2 bits in the
+   packet mark).
+
+   Virtual zones are use as parent zones for other zones using the
+   : syntax in /etc/shorewall/zones:
+
+   Example:
+
+   virt ipv4 virtual
+   loc:virt ipv4
+   vpn:virt ipsec
+
+   As shown in that example, a virtual zone may be a parent for
+   multiple zone types.
+
+   Virtual zones are intended to be used with
+   IMPLICIT_CONTINUE=No. They provide semantic behavior similar to
+   IMPLICIT_CONTINUE=Yes in that connections that do not match rules
+   for the sub-zone are applied to the parent zone.
+
+   For more information, see
+   http://www.shorewall.net/manpages/shorewall-nesting.html
+
 ----------------------------------------------------------------------------
 N E W F E A T U R E S I N 4 . 4 . 0
 ----------------------------------------------------------------------------
diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml
index 1884696e0..405b8f4bc 100644
--- a/manpages/shorewall-nesting.xml
+++ b/manpages/shorewall-nesting.xml @@ -154,14 +154,14 @@ to change the 'net' interface to something other than ppp0. That way, it won't match ppp+. - If you are running Shorewall version 4.1.4 or later, a second way is - to simply make the nested zones explicit: #ZONE TYPE OPTION + A second way is to simply make the nested zones + explicit: #ZONE TYPE OPTION fw firewall loc ipv4 net:loc ipv4 dmz ipv4 - If you take this approach, be sure to set IMPLICIT_CONTINUE=No in + If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in shorewall.conf. When using other Shorewall versions, another way is to rewrite the @@ -183,6 +183,60 @@ loc ppp+:192.168.2.0/23 + + Virtual Zones + + Beginning with Shorewall 4.4.5, Shorewall allows the declaration of + virtual zones. A virtual zone has no definition in + /etc/shorewall/interfaces or in + /etc/shorewall/hosts. Rather, it is used as a parent + zone for other zones in /etc/shorewall/zones. + + Example: + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS + fw firewall + net ipv4 + loc ipv4 virtual + loc1:loc ipv4 + loc2:loc ipv4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians + - eth1 detect tcpflags,nosmurfs,routefilter,logmartians + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS + loc1 eth1:192.168.1.0/24 + loc2 eth1:192.168.2.0/24 + + There are several restrictions on virtual zones: + + + + They must have type . + + + + A maximum of four virtual zones may be defined. + + + + They should not be used with IMPLICIT_CONTINUE=Yes in shorewall.conf(5). + + + + When a connection request to/from a sub-zone of a virtual zone does + not match the rules for the sub-zone, the connection is compared against + the rules (and policies) for the parent virtual zone. + + FILES diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml index 7edbea347..307a1220c 100644 --- a/manpages6/shorewall6-nesting.xml 
+++ b/manpages6/shorewall6-nesting.xml @@ -87,6 +87,60 @@ significant. + + Virtual Zones + + Beginning with Shorewall 4.4.5, Shorewall allows the declaration of + virtual zones. A virtual zone has no definition in + /etc/shorewall6/interfaces or in + /etc/shorewall6/hosts. Rather, it is used as a parent + zone for other zones in /etc/shorewall6/zones. + + Example: + + /etc/shorewall6/zones: + + #ZONE TYPE OPTIONS + fw firewall + net ipv6 + loc ipv6 virtual + loc1:loc ipv6 + loc2:loc ipv6 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net eth0 detect dhcp,tcpflags + - eth1 detect tcpflags + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS + loc1 eth1:2001:19f0:feee:1::/48 + loc2 eth1:2001:19f0:feee:2::/48 + + There are several restrictions on virtual zones: + + + + They must have type . + + + + A maximum of four virtual zones may be defined. + + + + They should not be used with IMPLICIT_CONTINUE=Yes in shorewall6.conf(5). + + + + When a connection request to/from a sub-zone of a virtual zone does + not match the rules for the sub-zone, the connection is compared against + the rules (and policies) for the parent virtual zone. + + FILES