Implement zone lists in rules file entries

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-26 17:43:15 +01:00 · 2010-08-18 12:18:58 -07:00 · 2010-08-18 12:18:58 -07:00 · 255cd6cf9c
commit 255cd6cf9c
parent 7a17b65368
5 changed files with 171 additions and 100 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1538,6 +1538,7 @@ sub process_rule ( ) {
    }

    my $intrazone = 0;
+    my $wild      = 0;
    my $includesrcfw = 1;
    my $includedstfw = 1;
    my $thisline = $currentline;
@ -1604,9 +1605,23 @@ sub process_rule ( ) {

 	unshift @source, firewall_zone if $includesrcfw;

-	$source = '';
-    } elsif ( $source !~ /:/ && $source =~ /,/ ) { 
-	@source = split ',', $source;
+	$wild   = 1;
+    } elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
+	my $zonelist = $1;
+	my $rest     = $2;
+
+	fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
+	
+	$intrazone = ( $zonelist =~ s/\+$// );
+	$wild = 1;
+
+	if ( defined $rest ) {
+	    push( @source , $_ . $rest ) for split /,/, $zonelist;
+	} else {
+	    @source = split /,/, $zonelist;
+	}
+    } else {
+	@source = ( $source );
    }

    if ( $dest eq 'all' ) {
@ -1617,37 +1632,36 @@ sub process_rule ( ) {
 	}

 	unshift @dest, firewall_zone if $includedstfw;
-    } elsif ( $dest !~ /:/ && $dest =~ /,/ ) {
-	@dest = split /,/, $dest;
+	$wild = 1;
+    } elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
+	my $zonelist = $1;
+	my $rest     = $2;
+
+	fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/;
+
+	$intrazone ||= ( $zonelist =~ s/\+$// );
+	$wild = 1;
+	
+	if ( defined $rest ) {
+	    push( @dest , $_ . $rest ) for split /,/, $zonelist;
+	} else {
+	    @dest = split /,/, $zonelist;
+	}
+    } else {
+	@dest = ( $dest );
    }

    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;

-    if ( @source ) {
-	for my $zone ( @source ) {
-	    if ( @dest ) {
-		for my $zone1 ( @dest ) {
-		    if ( $intrazone || ( $zone ne $zone1 ) ) {
-			process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-		    }
-		}
-	    } else {
-		my $destzone = (split( /:/, $dest, 2 ) )[0];
-		$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
-		if ( $intrazone || ( $zone ne $destzone ) ) {
-		    process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-		}
+    for $source ( @source ) {
+	for $dest ( @dest ) {
+	    my $sourcezone = (split( /:/, $source, 2 ) )[0];
+	    my $destzone   = (split( /:/, $dest,   2 ) )[0];
+	    $destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
+	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
+		process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
 	    }
 	}
-    } elsif ( @dest ) {
-	for my $zone ( @dest ) {
-	    my $sourcezone = ( split( /:/, $source, 2 ) )[0];
-	    if ( ( $sourcezone ne $zone ) || $intrazone ) {
-		process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-	    }
-	}
-    } else {
-	process_rule1  $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0;
    }

    progress_message "   Rule \"$thisline\" $done";
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.13
+
+1)  Allow zone lists in rules SOURCE and DEST.
+
 Changes in Shorewall 4.4.12

 1)  Fix IPv6 shorecap program.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 2
+                      S H O R E W A L L  4 . 4 . 1 3
 ----------------------------------------------------------------------------

 I.    RELEASE 4.4 HIGHLIGHTS
@ -224,6 +224,31 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

+None.
+----------------------------------------------------------------------------
+           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+None.
+
+----------------------------------------------------------------------------
+         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shoreall6) may now
+    contain zone lists in the SOURCE and DEST column. These are
+    comma-separated lists of zones declared in the zones file and may
+    optionally be followed by a plus sign ("+") to indicate that the
+    rule should apply to intra-zone traffic as well as to inter-zone
+    traffic.
+
+----------------------------------------------------------------------------
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
 1)  Previously, the Shorewall6-lite version of shorecap was using
    iptables rather than ip6tables, with the result that many capabilities
    that are only available in IPv4 were being reported as available.
@ -266,13 +291,62 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
    correctly.

 ----------------------------------------------------------------------------
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------

-None.
+1)  The IPv6 allowBcast action generated an invalid rule.
+
+2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
+    ipset was used in a configuration file entry, the following
+    fatal compilation error occurred:
+
+    ERROR: ipset names in Shorewall configuration files require Ipset
+    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
+
+    If you applied the workaround given in the "Known Problems", then
+    you should remove /etc/shorewall/capabilities after installing
+    this fix.
+
+3)  The start priority of shorewall-init on Debian and Debian-based
+    distributions was previously too low, making it start too late.
+
+4)  The log output from IPv6 logs was almost unreadable due to display
+    of IPv6 addresses in uncompressed format. A similar problem
+    occurred with 'shorewall6 show connections'. This update makes the
+    displays much clearer at the expense of opening the slight
+    possibility of two '::' sequences being incorrectly shown in the
+    same address.
+
+5)  The new REQUIRE_INTERFACE was inadvertently omitted from
+    shorewall.conf and shorewall6.conf. It has been added.
+
+6)  Under some versions of Perl, a Perl run-time diagnostic was produced
+    when options were omitted from shorewall.conf or shorewall6.conf. 
+
+7) If the following options were specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   would be ignored if there was an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+8) The generated script was missing a closing quote when
+   REQUIRE_INTERFACE=Yes.
+
+9) Previously, if nets= was specified under Shorewall6, this error
+   would result:
+
+   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+                /etc/shorewall6/interfaces (line 16)

 ----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+               N E W   F E A T U R E S   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------

 1)  Support has been added for ADD and DEL rules in
@ -367,64 +441,6 @@ None.

 	gateway:/etc/shorewall# 

----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
----------------------------------------------------------------------------
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-3)  The start priority of shorewall-init on Debian and Debian-based
-    distributions was previously too low, making it start too late.
-
-4)  The log output from IPv6 logs was almost unreadable due to display
-    of IPv6 addresses in uncompressed format. A similar problem
-    occurred with 'shorewall6 show connections'. This update makes the
-    displays much clearer at the expense of opening the slight
-    possibility of two '::' sequences being incorrectly shown in the
-    same address.
-
-5)  The new REQUIRE_INTERFACE was inadvertently omitted from
-    shorewall.conf and shorewall6.conf. It has been added.
-
-6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
-
-7) If the following options were specified in /etc/shorewall/interfaces
-   for an interface with '-' in the ZONE column, then these options
-   would be ignored if there was an entry in the hosts file for the
-   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
-   implied when the host list begins with '!').
-
-   	blacklist
-	maclist
-	nosmurfs
-	tcpflags
-
-   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
-
-8) The generated script was missing a closing quote when
-   REQUIRE_INTERFACE=Yes.
-
-9) Previously, if nets= was specified under Shorewall6, this error
-   would result:
-
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
-                /etc/shorewall6/interfaces (line 16)
-
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -496,7 +496,7 @@

      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        {<emphasis>zone</emphasis>|{<emphasis
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
@ -506,12 +506,21 @@
        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
-          <para>Source hosts to which the rule applies. May be a zone declared
-          in /etc/shorewall/zones, <emphasis role="bold">$FW</emphasis> to
-          indicate the firewall itself, <emphasis role="bold">all</emphasis>,
-          <emphasis role="bold">all+</emphasis>, <emphasis
-          role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
-          or <emphasis role="bold">none</emphasis>.</para>
+          <para>Source hosts to which the rule applies. May be a
+          <replaceable>zone</replaceable> declared in /etc/shorewall/zones,
+          <emphasis role="bold">$FW</emphasis> to indicate the firewall
+          itself, <emphasis role="bold">all</emphasis>, <emphasis
+          role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
+          <emphasis role="bold">all+-</emphasis> or <emphasis
+          role="bold">none</emphasis>.</para>
+
+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          <replaceable>zone-list</replaceable> may be optionally followed by
+          "+" to indicate that the rule is to apply to intra-zone traffic as
+          well as inter-zone traffic.</para>

          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@ -528,6 +537,8 @@
          affected.</para>

          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
@ -624,7 +635,7 @@

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
-        {<emphasis>zone</emphasis>|{<emphasis
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
        role="bold">all</emphasis>|<emphasis
        role="bold">any</emphasis>}[<emphasis
        role="bold">+</emphasis>][<emphasis
@ -640,6 +651,14 @@
          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
          <emphasis role="bold">none</emphasis>.</para>

+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          <replaceable>zone-list</replaceable> may be optionally followed by
+          "+" to indicate that the rule is to apply to intra-zone traffic as
+          well as inter-zone traffic.</para>
+
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@ -358,7 +358,7 @@

      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
-        {<emphasis>zone</emphasis>|<emphasis
+        {<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
        role="bold">{all|any}</emphasis>[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
@ -374,6 +374,14 @@
          role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
          or <emphasis role="bold">none</emphasis>.</para>

+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          <replaceable>zone-list</replaceable> may be optionally followed by
+          "+" to indicate that the rule is to apply to intra-zone traffic as
+          well as inter-zone traffic.</para>
+
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
@ -389,6 +397,8 @@
          affected.</para>

          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">any</emphasis>[<emphasis
          role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
          specified, clients may be further restricted to a list of networks
          and/or hosts by appending ":" and a comma-separated list of network
@ -496,7 +506,7 @@

      <varlistentry>
        <term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
-        {<emphasis>zone</emphasis>|<emphasis
+        {<emphasis>zone|zone-list</emphasis>[+]|<emphasis
        role="bold">all</emphasis>[<emphasis
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
@ -511,6 +521,14 @@
          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
          <emphasis role="bold">none</emphasis>.</para>

+          <para>Beginning with Shorewall 4.4.13, you may use a
+          <replaceable>zone-list </replaceable>which consists of a
+          comma-separated list of zones declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          <replaceable>zone-list</replaceable> may be optionally followed by
+          "+" to indicate that the rule is to apply to intra-zone traffic as
+          well as inter-zone traffic.</para>
+
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>