Fix security hole in bridge handling; fix bug in NONE intra-zone policy handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-12-19 23:37:40 +00:00
parent e99e0bd05b
commit 28e3a4a7ed
3 changed files with 33 additions and 27 deletions


@ -6,6 +6,10 @@ Changes in 3.0.4
3) Enabled loopback traffic under the DISABLE_IPV6 option. 3) Enabled loopback traffic under the DISABLE_IPV6 option.
4) Close hole in bridged configurations.
5) Fix bug in NONE intra-zone policy handling.
Changes in 3.0.3 Changes in 3.0.3
1) Implement "shorewall show macros" 1) Implement "shorewall show macros"
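Review bot: item 4, "Close hole in bridged configurations", gives no hint of what the hole was, and since this is a security fix the changes file should name the behaviour so a reader can judge exposure without opening the release notes. Suggest: `4) Close hole in bridged configurations: traffic returned through a bridge port was ACCEPTed regardless of policy.`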


@ -8293,6 +8293,7 @@ apply_policy_rules() {
eval loglevel=\$${chain}_loglevel eval loglevel=\$${chain}_loglevel
eval optional=\$${chain}_is_optional eval optional=\$${chain}_is_optional
if [ "$policy" != NONE ]; then
if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
# #
# The chain doesn't exist. Create the chain and add policy # The chain doesn't exist. Create the chain and add policy
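Review bot: the new `if [ "$policy" != NONE ]; then` guard is placed before the `havechain` test, so a NONE policy now skips both chain creation and the policy rules entirely; that is presumably the intent, but nothing in the hunk records it. Add a comment above the guard, e.g. `# NONE: no traffic is expected between these zones, so no policy chain is built`, so the next reader does not reinstate the old path. It is also worth confirming that the `loglevel` and `optional` values read just above are not used later in the loop for a NONE policy, since the chain they would apply to is now never created.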
@ -8312,7 +8313,7 @@ apply_policy_rules() {
;; ;;
esac esac
fi fi
fi
done done
# #
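Review bot: the added `fi` closes the `if [ "$policy" != NONE ]` opened in the preceding hunk, which makes the two hunks inseparable; the new `fi` should be indented to match its `if` (one level inside the enclosing `done`) so the nesting is visible in a function this long, and a trailing `# policy != NONE` comment on it would make the pairing obvious.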
@ -8571,14 +8572,6 @@ activate_rules()
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
run_iptables -A INPUT -i $interface -j $(input_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface)
addnatjump POSTROUTING $(masq_chain $interface) -o $interface addnatjump POSTROUTING $(masq_chain $interface) -o $interface
#
# Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev.
# To accomodate this feature/bug, we effectively set 'routeback' on bridge ports.
#
eval ports=\$$(chain_base $interface)_ports
for port in $ports; do
run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT
done
done done
chain=${FW}2${FW} chain=${FW}2${FW}
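Review bot: deleting the per-port `-m physdev --physdev-in $port --physdev-out $port -j ACCEPT` rules is the right fix, since that ACCEPT ran ahead of any zone rule and, for a wildcard port such as `vif+`, `--physdev-in` and `--physdev-out` can both match while naming different physical ports, so inter-port traffic was passed unchecked. The removed comment, however, documented a 2.4-kernel quirk (REJECTs carrying physdev-in == physdev-out) that the code no longer accommodates, and the hunk leaves no trace of it. State at the deletion point, or in the release notes, what now happens to such packets (they fall through to the interface forward chain and the zone policies) and whether 2.4 bridge users should set routeback on the port instead, so the blanket ACCEPT is not re-added later.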


@ -51,6 +51,15 @@ Problems Corrected in 3.0.4
1) The shorewall.conf file is once again "console friendly". Patch is 1) The shorewall.conf file is once again "console friendly". Patch is
courtesy of Tuomo Soini. courtesy of Tuomo Soini.
2) A potential security hole has been closed. Previously, Shorewall ACCEPTed
all traffic from a bridge port that was sent back out on the same port. If
the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
xenbr0:vif+), this could lead to traffic being passed in variance with the
supplied policies and rules.
3) Previously, an intra-zone policy of NONE would cause a startup error. That
problem has been corrected.
New Features in 3.0.4 New Features in 3.0.4
1) By popular demand, the 'Limit' action described at 1) By popular demand, the 'Limit' action described at
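Review bot: in item 2, "in variance with" should read "at variance with". The item also describes only the hole being closed; since the removed rules were the accommodation for 2.4-kernel REJECTs whose physdev-in and physdev-out are both the input port, the note should tell bridge users on 2.4 kernels what happens to that traffic now (it is subject to the normal policies and rules) rather than leaving them to infer it. Item 3 would be more useful if it quoted or characterised the startup error that a NONE intra-zone policy produced, so users can recognise it.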