From 28e3a4a7eda9b10bbe21971615503b7f988c03a6 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 19 Dec 2005 23:37:40 +0000
Subject: [PATCH] Fix security hole in bridge handling; fix bug in NONE intra-zone policy handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt    |  4 ++++
 Shorewall/firewall         | 47 ++++++++++++++++----------------------
 Shorewall/releasenotes.txt |  9 ++++++++
 3 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 5e0fd8152..d7e1e423e 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,10 @@ Changes in 3.0.4
 3) Enabled loopback traffic under the DISABLE_IPV6 option.
+4) Close hole in bridged configurations.
+
+5) Fix bug in NONE intra-zone policy handling.
+
 Changes in 3.0.3
 1) Implement "shorewall show macros"
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 9865538f8..e01acfd68 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -8293,26 +8293,27 @@ apply_policy_rules() {
             eval loglevel=\$${chain}_loglevel
             eval optional=\$${chain}_is_optional
-            if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
-                #
-                # The chain doesn't exist. Create the chain and add policy
-                # rules
-                #
-                createchain $chain yes
-                #
-                # If either client or server is 'all' then this MUST be
-                # a policy chain and we must apply the appropriate policy rules
-                #
-                # Otherwise, this is a canonical chain which will be handled in
-                # the for loop below
-                #
-                case $chain in
-                    all2*|*2all)
-                        policy_rules $chain $policy $loglevel
-                        ;;
-                esac
+            if [ "$policy" != NONE ]; then
+                if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
+                    #
+                    # The chain doesn't exist. Create the chain and add policy
+                    # rules
+                    #
+                    createchain $chain yes
+                    #
+                    # If either client or server is 'all' then this MUST be
+                    # a policy chain and we must apply the appropriate policy rules
+                    #
+                    # Otherwise, this is a canonical chain which will be handled in
+                    # the for loop below
+                    #
+                    case $chain in
+                        all2*|*2all)
+                            policy_rules $chain $policy $loglevel
+                            ;;
+                    esac
+                fi
             fi
-
         done
         #
@@ -8571,14 +8572,6 @@ activate_rules()
             run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
             run_iptables -A INPUT -i $interface -j $(input_chain $interface)
             addnatjump POSTROUTING $(masq_chain $interface) -o $interface
-            #
-            # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev.
-            # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports.
-            #
-            eval ports=\$$(chain_base $interface)_ports
-            for port in $ports; do
-                run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT
-            done
         done
         chain=${FW}2${FW}
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 8bea93787..4798eede3 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
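Review bot: The new `[ "$policy" != NONE ]` guard in apply_policy_rules carries no comment saying why a NONE policy must never reach createchain, so the next reader has to dig up the release notes (which say an intra-zone NONE policy previously caused a startup error) to understand it. A short comment above the guard, `# A NONE policy never gets a chain of its own; creating one here broke startup for intra-zone NONE policies`, would keep that reason next to the code. As a matter of style, the extra nesting level could be avoided by folding the two tests into one condition, `if [ "$policy" != NONE ] && ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then`, which leaves the existing block untouched and keeps the diff to one changed line. The enclosing loop and apply_policy_rules itself continue outside the hunk on both sides.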
@@ -51,6 +51,15 @@ Problems Corrected in 3.0.4
 1) The shorewall.conf file is once again "console friendly".
    Patch is courtesy of Tuomo Soini.
+2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
+   all traffic from a bridge port that was sent back out on the same port. If
+   the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
+   xenbr0:vif+), this could lead to traffic being passed in variance with the
+   supplied policies and rules.
+
+3) Previously, an intra-zone policy of NONE would cause a startup error. That
+   problem has been corrected.
+
 New Features in 3.0.4
 1) By popular demand, the 'Limit' action described at