Implement zone lists in rules file entries

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-08-18 12:18:58 -07:00
parent 7a17b65368
commit 255cd6cf9c
5 changed files with 171 additions and 100 deletions

View File

@ -1538,6 +1538,7 @@ sub process_rule ( ) {
} }
my $intrazone = 0; my $intrazone = 0;
my $wild = 0;
my $includesrcfw = 1; my $includesrcfw = 1;
my $includedstfw = 1; my $includedstfw = 1;
my $thisline = $currentline; my $thisline = $currentline;
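Review bot: the new `my $wild = 0;` deserves a one-line comment saying what it records (that SOURCE or DEST was expanded from all/any or a zone list), because it now decides, at the bottom of process_rule, whether same-zone pairs are filtered out and what is passed as the last argument of process_rule1; nothing near the declaration explains that.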
@ -1604,9 +1605,23 @@ sub process_rule ( ) {
unshift @source, firewall_zone if $includesrcfw; unshift @source, firewall_zone if $includesrcfw;
$source = ''; $wild = 1;
} elsif ( $source !~ /:/ && $source =~ /,/ ) { } elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
@source = split ',', $source; my $zonelist = $1;
my $rest = $2;
fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
$intrazone = ( $zonelist =~ s/\+$// );
$wild = 1;
if ( defined $rest ) {
push( @source , $_ . $rest ) for split /,/, $zonelist;
} else {
@source = split /,/, $zonelist;
}
} else {
@source = ( $source );
} }
if ( $dest eq 'all' ) { if ( $dest eq 'all' ) {
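Review bot: the check `fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;` only catches an empty element in the middle of the list. A leading comma (`,net,loc`) still matches `^([^:]+,[^:]+)`, and `split /,/` then yields an empty first field that is pushed into @source as a zone named "", while a trailing comma is silently dropped by split. Tightening the test to `/,,|^,|,$/` rejects both with the same message. A comment is also warranted on why the regex demands a comma before the first colon: a single zone followed by an address list (`net:1.2.3.4,5.6.7.8`) has to keep falling through to the `else` branch, which this pattern does, but the hunk does not record that intent.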
@ -1617,37 +1632,36 @@ sub process_rule ( ) {
} }
unshift @dest, firewall_zone if $includedstfw; unshift @dest, firewall_zone if $includedstfw;
} elsif ( $dest !~ /:/ && $dest =~ /,/ ) { $wild = 1;
@dest = split /,/, $dest; } elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
my $zonelist = $1;
my $rest = $2;
fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
$intrazone ||= ( $zonelist =~ s/\+$// );
$wild = 1;
if ( defined $rest ) {
push( @dest , $_ . $rest ) for split /,/, $zonelist;
} else {
@dest = split /,/, $zonelist;
}
} else {
@dest = ( $dest );
} }
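Review bot: `$intrazone ||= ( $zonelist =~ s/\+$// );` on the DEST side differs from the plain `=` used in the SOURCE branch, and the combined effect is that a `+` on either column enables intra-zone traffic for every matching pair (SOURCE `net,loc+` with DEST `dmz,loc` also produces a loc-to-loc rule). That matches how `all+` behaves but is not obvious from these two lines; a short comment here, or `||=` in both places, would make the shared-flag semantics explicit. The DEST branch is otherwise a copy of the SOURCE branch, so a small helper returning the zone array and the intra-zone flag would keep the two validation paths from drifting apart.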
fatal_error "Invalid or missing ACTION ($target)" unless defined $action; fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
if ( @source ) { for $source ( @source ) {
for my $zone ( @source ) { for $dest ( @dest ) {
if ( @dest ) { my $sourcezone = (split( /:/, $source, 2 ) )[0];
for my $zone1 ( @dest ) { my $destzone = (split( /:/, $dest, 2 ) )[0];
if ( $intrazone || ( $zone ne $zone1 ) ) { $destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1; if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
} process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
}
} else {
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
if ( $intrazone || ( $zone ne $destzone ) ) {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
}
} }
} }
} elsif ( @dest ) {
for my $zone ( @dest ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $sourcezone ne $zone ) || $intrazone ) {
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
}
}
} else {
process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0;
} }
progress_message " Rule \"$thisline\" $done"; progress_message " Rule \"$thisline\" $done";
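Review bot: the pair filter `if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) )` normalises only `$destzone` (via `defined_zone` and the REDIRECT special case) before the comparison; `$sourcezone` is taken straight from the split. For a wildcard rule whose SOURCE list contains an undeclared zone name the comparison therefore always succeeds and the bad name reaches process_rule1, so the user sees whatever error that routine raises rather than one from the zone-list parser. Either checking `defined_zone $sourcezone` here with an explicit message, or commenting that process_rule1 is relied on to reject it, would make the intent clear. Also worth a comment: the final argument to process_rule1 changed from the literals 1/0 to `$wild`, so the meaning of that flag now lives only in the caller's variable name.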

View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST.
Changes in Shorewall 4.4.12 Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program. 1) Fix IPv6 shorecap program.
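Review bot: the new changelog line `1) Allow zone lists in rules SOURCE and DEST.` omits the optional `+` suffix that enables intra-zone traffic, which is the part of the feature most likely to change which packets a rule matches; suggest `1) Allow zone lists (optionally followed by "+" for intra-zone traffic) in rules SOURCE and DEST.`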

View File

@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 2 S H O R E W A L L 4 . 4 . 1 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS I. RELEASE 4.4 HIGHLIGHTS
@ -224,6 +224,31 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Entries in the rules file (both Shorewall and Shoreall6) may now
contain zone lists in the SOURCE and DEST column. These are
comma-separated lists of zones declared in the zones file and may
optionally be followed by a plus sign ("+") to indicate that the
rule should apply to intra-zone traffic as well as to inter-zone
traffic.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) Previously, the Shorewall6-lite version of shorecap was using 1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available. that are only available in IPv4 were being reported as available.
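Review bot: `Shoreall6` in the new feature text should be `Shorewall6`. The paragraph also does not say whether a zone list may be followed by a ":" host/network list; the parser in process_rule accepts that and appends the remainder to every zone in the list (`push( @source , $_ . $rest ) for split /,/, $zonelist;`), and the release notes are where users will look for that, so one sentence stating it is supported would help.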
@ -266,13 +291,62 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
correctly. correctly.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1) The IPv6 allowBcast action generated an invalid rule.
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
ipset was used in a configuration file entry, the following
fatal compilation error occurred:
ERROR: ipset names in Shorewall configuration files require Ipset
Match in your kernel and iptables : /etc/shorewall/rules (line nn)
If you applied the workaround given in the "Known Problems", then
you should remove /etc/shorewall/capabilities after installing
this fix.
3) The start priority of shorewall-init on Debian and Debian-based
distributions was previously too low, making it start too late.
4) The log output from IPv6 logs was almost unreadable due to display
of IPv6 addresses in uncompressed format. A similar problem
occurred with 'shorewall6 show connections'. This update makes the
displays much clearer at the expense of opening the slight
possibility of two '::' sequences being incorrectly shown in the
same address.
5) The new REQUIRE_INTERFACE was inadvertently omitted from
shorewall.conf and shorewall6.conf. It has been added.
6) Under some versions of Perl, a Perl run-time diagnostic was produced
when options were omitted from shorewall.conf or shorewall6.conf.
7) If the following options were specified in /etc/shorewall/interfaces
for an interface with '-' in the ZONE column, then these options
would be ignored if there was an entry in the hosts file for the
interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
implied when the host list begins with '!').
blacklist
maclist
nosmurfs
tcpflags
Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
8) The generated script was missing a closing quote when
REQUIRE_INTERFACE=Yes.
9) Previously, if nets= was specified under Shorewall6, this error
would result:
ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16)
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E N E W F E A T U R E S I N 4 . 4 . 1 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Support has been added for ADD and DEL rules in 1) Support has been added for ADD and DEL rules in
@ -367,64 +441,6 @@ None.
gateway:/etc/shorewall# gateway:/etc/shorewall#
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) The IPv6 allowBcast action generated an invalid rule.
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
ipset was used in a configuration file entry, the following
fatal compilation error occurred:
ERROR: ipset names in Shorewall configuration files require Ipset
Match in your kernel and iptables : /etc/shorewall/rules (line nn)
If you applied the workaround given in the "Known Problems", then
you should remove /etc/shorewall/capabilities after installing
this fix.
3) The start priority of shorewall-init on Debian and Debian-based
distributions was previously too low, making it start too late.
4) The log output from IPv6 logs was almost unreadable due to display
of IPv6 addresses in uncompressed format. A similar problem
occurred with 'shorewall6 show connections'. This update makes the
displays much clearer at the expense of opening the slight
possibility of two '::' sequences being incorrectly shown in the
same address.
5) The new REQUIRE_INTERFACE was inadvertently omitted from
shorewall.conf and shorewall6.conf. It has been added.
6) Under some versions of Perl, a Perl run-time diagnostic was produced
when options were omitted from shorewall.conf or shorewall6.conf.
7) If the following options were specified in /etc/shorewall/interfaces
for an interface with '-' in the ZONE column, then these options
would be ignored if there was an entry in the hosts file for the
interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
implied when the host list begins with '!').
blacklist
maclist
nosmurfs
tcpflags
Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
8) The generated script was missing a closing quote when
REQUIRE_INTERFACE=Yes.
9) Previously, if nets= was specified under Shorewall6, this error
would result:
ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16)
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0 P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

View File

@ -496,7 +496,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>|{<emphasis {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
@ -506,12 +506,21 @@
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term> role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
<listitem> <listitem>
<para>Source hosts to which the rule applies. May be a zone declared <para>Source hosts to which the rule applies. May be a
in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
indicate the firewall itself, <emphasis role="bold">all</emphasis>, <emphasis role="bold">$FW</emphasis> to indicate the firewall
<emphasis role="bold">all+</emphasis>, <emphasis itself, <emphasis role="bold">all</emphasis>, <emphasis
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis> role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
or <emphasis role="bold">none</emphasis>.</para> <emphasis role="bold">all+-</emphasis> or <emphasis
role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
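Review bot: `Ths` should be `This`, and `<replaceable>zone-list </replaceable>` carries a trailing space inside the element that will render as part of the replaceable text; move the space after the closing tag. The same paragraph is pasted into the DEST entry and into the shorewall6 manpage with the same two defects.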
@ -528,6 +537,8 @@
affected.</para> affected.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
specified, clients may be further restricted to a list of networks specified, clients may be further restricted to a list of networks
and/or hosts by appending ":" and a comma-separated list of network and/or hosts by appending ":" and a comma-separated list of network
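Review bot: the "Except when all[+][-] or any[+][-] is specified" clause now covers both wildcards but says nothing about zone-list, leaving it unclear whether a zone list may take the ":" host list; the compiler change does accept it (it appends the ":" remainder to every zone in the list), so adding zone-list here or stating that explicitly would close the gap.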
@ -624,7 +635,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|{<emphasis {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
@ -640,6 +651,14 @@
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para> <emphasis role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para> role="bold">DEST</emphasis> column, the rule is ignored.</para>
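Review bot: same `Ths` typo and trailing space inside `<replaceable>zone-list </replaceable>` as in the SOURCE paragraph above.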

View File

@ -358,7 +358,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>|<emphasis {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
role="bold">{all|any}</emphasis>[<emphasis role="bold">{all|any}</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
@ -374,6 +374,14 @@
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis> role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
or <emphasis role="bold">none</emphasis>.</para> or <emphasis role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para> role="bold">DEST</emphasis> column, the rule is ignored.</para>
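Review bot: `Ths` should be `This`, and the space inside `<replaceable>zone-list </replaceable>` belongs after the closing tag.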
@ -389,6 +397,8 @@
affected.</para> affected.</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
specified, clients may be further restricted to a list of networks specified, clients may be further restricted to a list of networks
and/or hosts by appending ":" and a comma-separated list of network and/or hosts by appending ":" and a comma-separated list of network
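Review bot: as in the IPv4 manpage, the "Except when all[+][-] or any[+][-] is specified" clause does not mention zone-list, so whether a zone list may carry a ":" host list is left unstated even though the parser accepts it.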
@ -496,7 +506,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|<emphasis {<emphasis>zone|zone-list</emphasis>[+]|<emphasis
role="bold">all</emphasis>[<emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
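Review bot: the DEST synopsis `{<emphasis>zone|zone-list</emphasis>[+]|` differs from the other three synopses in this change, which write `<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|`; as written here the optional `+` reads as applying to a plain zone as well, yet the compiler only strips a trailing `+` in the zone-list branch. Align it with the SOURCE entry.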
@ -511,6 +521,14 @@
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
<emphasis role="bold">none</emphasis>.</para> <emphasis role="bold">none</emphasis>.</para>
<para>Beginning with Shorewall 4.4.13, you may use a
<replaceable>zone-list </replaceable>which consists of a
comma-separated list of zones declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column, the rule is ignored.</para> role="bold">DEST</emphasis> column, the rule is ignored.</para>
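Review bot: same `Ths` typo and trailing space inside `<replaceable>zone-list </replaceable>` as in the three earlier copies of this paragraph.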