Finish Virtual Zones

Tom Eastep 2009-11-26 12:14:58 -08:00
parent 8ff4d004c0
commit 222c8cf88f
7 changed files with 164 additions and 19 deletions

View File

@ -1185,18 +1185,10 @@ sub finish_section ( $ ) {
$sections{$_} = 1 for split /,/, $sections; $sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
my $mark = defined_zone( $zone )->{mark};
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1; finish_chain_section $chainref, $sections if $chainref->{referenced};
if ( $sections{RELATED} ) {
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
}
} }
} }
} }
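Review bot: finish_chain_section and add_rule are now reached for zone pairs whose chain was never referenced (the new `|| $mark || $mark1` condition), so `$chainref` can be undef or an autovivified empty hash for pairs that have no entry in `$chain_table{'filter'}`; guard with `next unless $chainref` (or ensure the chain first) before the `if ( $sections{RELATED} )` block. It would also help to add a comment saying why the two `MARK --or-mark` rules are only emitted when the RELATED section is present, and that `$mark` carries the source zone's mark in the low bits while `$mark1` is the destination zone's mark shifted by VIRTUAL_BITS, since generate_matrix relies on that layout.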

View File

@ -129,8 +129,15 @@ sub add_or_modify_policy_chain( $$ ) {
push @policy_chains, $chainref; push @policy_chains, $chainref;
} }
} else { } else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
} }
unless ( $chainref->{marked} ) {
my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS );
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
$chainref->{marked} = 1;
}
} }
sub print_policy($$$$) { sub print_policy($$$$) {
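Review bot: `defined_zone( $zone1 )->{mark} << VIRTUAL_BITS` and `defined_zone( $zone )->{mark} | ...` operate on undef when a zone has no mark, which emits "Use of uninitialized value" warnings under `use warnings`; use the same `( ... || 0 )` guard that finish_section applies, e.g. `my $mark = ( defined_zone( $zone )->{mark} || 0 ) | ( ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS );`. The `$chainref = ` assignment in the else branch is needed for the new `marked` check to see the freshly created chain, so that part is correct.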

View File

@ -1801,6 +1801,11 @@ sub generate_matrix() {
# #
# Take care of PREROUTING, INPUT and OUTPUT jumps # Take care of PREROUTING, INPUT and OUTPUT jumps
# #
if ( $virtual ) {
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1;
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2;
}
for my $typeref ( values %$source_hosts_ref ) { for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
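Review bot: the two masks differ on purpose (OUTPUT tests the destination bits `$virtual << VIRTUAL_BITS`, INPUT tests the source bits `$virtual`), but nothing in the hunk says so; add a comment stating the bit layout so the next reader does not "fix" one of them to match the other. Since these jumps are added before the per-interface loop they land ahead of the interface-specific OUTPUT/INPUT jumps, which is the required order; a note to that effect would also help.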
@ -1825,8 +1830,6 @@ sub generate_matrix() {
my $outputref; my $outputref;
my $interfacematch = ''; my $interfacematch = '';
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
if ( use_output_chain $interface ) { if ( use_output_chain $interface ) {
$outputref = $filter_table->{output_chain $interface}; $outputref = $filter_table->{output_chain $interface};
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
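Review bot: this is not only a move of the OUTPUT mark jump to before the loop; the removed line matched `in_hex($virtual)` while its replacement matches `in_hex($virtual << VIRTUAL_BITS)`, so locally generated traffic to a virtual destination zone was previously tested against the source-zone bits. The commit message ("Finish Virtual Zones") should mention that this is a behaviour fix.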
@ -1885,7 +1888,6 @@ sub generate_matrix() {
} }
if ( $chain2 ) { if ( $chain2 ) {
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
} }
@ -1960,7 +1962,7 @@ sub generate_matrix() {
} }
if ( $frwd_ref ) { if ( $frwd_ref ) {
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual;
} }
# #
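Review bot: the switch from `--mark ! 0/` to `! --mark 0/` is the right direction (negation before the option is the form current iptables accepts without a deprecation warning), and the appended `' '` matches the other match strings in this function. Consider a comment that the FORWARD test deliberately checks only the source-zone bits, with the destination side handled by the `$virtual1` exclusion jump further down, so the asymmetry is documented.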
@ -2064,7 +2066,7 @@ sub generate_matrix() {
add_jump($excl3ref , add_jump($excl3ref ,
$exclusion, $exclusion,
0, 0,
"-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1; "-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1;
} }
} }

View File

@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
6) Fix 'show policies' in Shorewall6. 6) Fix 'show policies' in Shorewall6.
7) Limit the maximum provider mark to 0xff0000. 7) Implement 'virtual' zones.
Changes in Shorewall 4.4.4 Changes in Shorewall 4.4.4
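Review bot: item 7 "Limit the maximum provider mark to 0xff0000." has been overwritten rather than kept; if that limit is still part of this release (it appears to be what frees the mark bits the virtual zones use), keep it as 7) and add "8) Implement 'virtual' zones." so the changelog still records both changes.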

View File

@ -230,6 +230,42 @@ None.
$FW dmz REJECT info $FW dmz REJECT info
$FW all ACCEPT $FW all ACCEPT
3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
to group together a set of sub-zones. A virtual zone must by an
ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared
with the 'virtual' OPTION in /etc/shorewall/zones.
Example:
virt ipv4 virtual
The virtual zone must have no definition in
/etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
can themselves be nested in other virtual zones but there is a
limit of four virtual zones per configuration (that limitation
derives from the fact that each virtual zone requires 2 bits in the
packet mark).
Virtual zones are use as parent zones for other zones using the
<zone>:<parent> syntax in /etc/shorewall/zones:
Example:
virt ipv4 virtual
loc:virt ipv4
vpn:virt ipsec
As shown in that example, a virtual zone may be a parent for
multiple zone types.
Virtual zones are intended to be used with
IMPLICIT_CONTINUE=No. They provide semantic behavior similar to
IMPLICIT_CONTINUE=Yes in that connections that do not match rules
for the sub-zone are applied to the parent zone.
For more information, see
http://www.shorewall.net/manpages/shorewall-nesting.html
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
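Review bot: two typos in the new text: "A virtual zone must by an ipv4 zone" should read "must be an ipv4 zone", and "Virtual zones are use as parent zones" should read "are used as parent zones". The paragraph on IMPLICIT_CONTINUE would be clearer if it also said what happens when the parent virtual zone's rules do not match either (the parent zone's policy applies), since that is the behaviour the last sentence leaves implicit.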

View File

@ -154,14 +154,14 @@
to change the 'net' interface to something other than ppp0. That way, it to change the 'net' interface to something other than ppp0. That way, it
won't match ppp+.</para> won't match ppp+.</para>
<para>If you are running Shorewall version 4.1.4 or later, a second way is <para>A second way is to simply make the nested zones
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION explicit:<programlisting> #ZONE TYPE OPTION
fw firewall fw firewall
loc ipv4 loc ipv4
net:loc ipv4 net:loc ipv4
dmz ipv4</programlisting></para> dmz ipv4</programlisting></para>
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in <para>If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
<para>When using other Shorewall versions, another way is to rewrite the <para>When using other Shorewall versions, another way is to rewrite the
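Review bot: flipping the advice from IMPLICIT_CONTINUE=No to IMPLICIT_CONTINUE=Yes is a substantive documentation correction unrelated to virtual zones and deserves its own changelog line. It also sits a few lines above the new Virtual Zones section of the same page, which says virtual zones should not be used with IMPLICIT_CONTINUE=Yes; a sentence telling readers that explicit nesting uses Yes while virtual zones are the IMPLICIT_CONTINUE=No alternative would prevent the two recommendations reading as a contradiction.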
@ -183,6 +183,60 @@
loc ppp+:192.168.2.0/23</programlisting></para> loc ppp+:192.168.2.0/23</programlisting></para>
</refsect1> </refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall/interfaces</filename> or in
<filename>/etc/shorewall/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4 virtual
loc1:loc ipv4
loc2:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
- eth1 detect tcpflags,nosmurfs,routefilter,logmartians</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:192.168.1.0/24
loc2 eth1:192.168.2.0/24</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>They must have type <option>ipv4</option>.</para>
</listitem>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
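Review bot: the restrictions list omits two facts the release notes for this change state: virtual zones may themselves be nested in other virtual zones, and the four-zone limit comes from each virtual zone needing 2 bits of the packet mark. Adding a listitem for each keeps the manpage and the release notes consistent. The example itself (virtual `loc` with `loc1:loc` and `loc2:loc` defined in hosts on eth1) is correct.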

View File

@ -87,6 +87,60 @@
significant.</para> significant.</para>
</refsect1> </refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall6/interfaces</filename> or in
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv6
loc ipv6 virtual
loc1:loc ipv6
loc2:loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
- eth1 detect tcpflags</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:2001:19f0:feee:1::/48
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>They must have type <option>ipv6</option>.</para>
</listitem>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
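Review bot: the two filename paragraphs in the example read `/etc/shorewall/interfaces` and `/etc/shorewall/hosts` but this is the Shorewall6 manpage and the zones paragraph above already uses `/etc/shorewall6/zones`; change both to `/etc/shorewall6/...`. In the hosts example, `2001:19f0:feee:1::/48` and `2001:19f0:feee:2::/48` are the same /48 prefix (2001:19f0:feee::/48), so loc1 and loc2 as written cover identical addresses; `/64` gives the two distinct subnets the example intends.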