Fix security hole in bridge handling; fix bug in NONE intra-zone policy handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2005-12-19 23:37:40 +00:00 · 2005-12-19 23:37:40 +00:00 · 28e3a4a7ed
commit 28e3a4a7ed
parent e99e0bd05b
3 changed files with 33 additions and 27 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -6,6 +6,10 @@ Changes in 3.0.4

 3)  Enabled loopback traffic under the DISABLE_IPV6 option.

+4)  Close hole in bridged configurations.
+
+5)  Fix bug in NONE intra-zone policy handling.
+
 Changes in 3.0.3

 1) Implement "shorewall show macros"
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -8293,6 +8293,7 @@ apply_policy_rules() {
 	eval loglevel=\$${chain}_loglevel
 	eval optional=\$${chain}_is_optional

+	if [ "$policy" != NONE ]; then
 	    if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then
 		#
 		# The chain doesn't exist. Create the chain and add policy
@ -8312,7 +8313,7 @@ apply_policy_rules() {
 			;;
 		esac
 	    fi
-
+	fi
    done

    #
@ -8571,14 +8572,6 @@ activate_rules()
 	run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
 	run_iptables -A INPUT   -i $interface -j $(input_chain $interface)
 	addnatjump POSTROUTING $(masq_chain $interface) -o $interface
-	#
-        # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev.
-        # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports.
-	#
-	eval ports=\$$(chain_base $interface)_ports
-	for port in $ports; do
-	    run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT
-	done
    done

    chain=${FW}2${FW}
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -51,6 +51,15 @@ Problems Corrected in 3.0.4
 1)  The shorewall.conf file is once again "console friendly". Patch is
    courtesy of Tuomo Soini.

+2)  A potential security hole has been closed. Previously, Shorewall ACCEPTed
+    all traffic from a bridge port that was sent back out on the same port. If
+    the port was described in /etc/shorewall/hosts using the wildcard "+" (eg,
+    xenbr0:vif+), this could lead to traffic being passed in variance with the
+    supplied policies and rules.
+
+3)  Previously, an intra-zone policy of NONE would cause a startup error. That
+    problem has been corrected.
+
 New Features in 3.0.4

 1)  By popular demand, the 'Limit' action described at