From 2c90a8bfb5e1aed14cb3fb8c2276608644112b72 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 10 Sep 2016 08:47:48 -0700
Subject: [PATCH] Allow zone lists in the SOURCE and DEST columns of the policy files

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 36 ++++++++++++++++-------
 Shorewall/manpages/shorewall-policy.xml | 12 ++++++--
 Shorewall6/manpages/shorewall6-policy.xml | 12 ++++++--
 3 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0636c146c..62b6c0747 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -628,21 +628,12 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy() {
+sub process_a_policy1($$$$$$) {
 
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
-        split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
-
-    $loglevel = '' if $loglevel eq '-';
-    $synparams = '' if $synparams eq '-';
-    $connlimit = '' if $connlimit eq '-';
-
-    fatal_error 'SOURCE must be specified' if $client eq '-';
-    fatal_error 'DEST must be specified' if $server eq '-';
-    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
 
     my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
     my $intrazone = $clientwild && $1;
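Review bot: The header comment above the renamed sub still reads `# Process an entry in the policy file.`, but after this hunk `process_a_policy1` receives one already-split SOURCE/DEST pair via `@_` and no longer normalises the `-` columns or rejects a missing SOURCE/DEST/POLICY itself; that work has moved to its caller. I would reword the header to `# Process one SOURCE/DEST zone pair of a policy file entry. The columns must already be split and validated by the caller (process_a_policy).` so the precondition sits next to the `= @_` unpacking. The `($$$$$$)` prototype only fixes the argument count at parse time and follows the file's existing convention (see `handle_nfqueue( $$ )`), so it is not a validation of the values passed. The remainder of process_a_policy1's body lies outside the hunk.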
@@ -758,6 +749,29 @@ sub process_a_policy() {
     }
 }
 
+sub process_a_policy() {
+
+    our %validpolicies;
+    our @zonelist;
+
+    my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
+        split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
+
+    $loglevel = '' if $loglevel eq '-';
+    $synparams = '' if $synparams eq '-';
+    $connlimit = '' if $connlimit eq '-';
+
+    fatal_error 'SOURCE must be specified' if $clients eq '-';
+    fatal_error 'DEST must be specified' if $servers eq '-';
+    fatal_error 'POLICY must be specified' if $policy eq '-';
+
+    for my $client ( split_list( $clients, 'zone' ) ) {
+        for my $server ( split_list( $servers, 'zone' ) ) {
+            process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
+        }
+    }
+}
+
 #
 # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
 #
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 24b619d1a..b6ef38df7 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -35,7 +35,7 @@ This file determines what to do with a new connection request if we don't get a match from the /etc/shorewall/rules file . For each source/destination pair, the file is processed in order until a match is - found ("all" will match any client or server). + found ("all" will match any source or destination).
@@ -61,7 +61,7 @@ SOURCE - - zone|zone[,...]|$FW|all|all+
@@ -74,12 +74,15 @@ Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" does. + + Beginning with Shorewall 5.0.12, multiple zones may be listed + separated by commas. DEST - - zone|zone[,...]|$FW|all|all+
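Review bot: The three `eq '-'` checks in the new `process_a_policy` test the whole column, so an entry such as `net,-` passes the SOURCE check and the element `-` reaches `process_a_policy1`, which loses its own `$client eq '-'` / `$server eq '-'` tests in this same commit; whether `split_list` or the zone lookup inside process_a_policy1 (outside the hunk) still rejects it with a clear message is not visible here. Keeping the per-element diagnostic costs two lines: `fatal_error 'SOURCE must be specified' if $client eq '-';` as the first statement of the outer loop and `fatal_error 'DEST must be specified' if $server eq '-';` as the first statement of the inner one. The nested loops also deserve a comment, because the manpage hunk in this commit states that the policy file is processed in order until a match is found, so the source-major expansion order now decides precedence between the generated pairs, e.g. `# Expand the SOURCE and DEST zone lists into one policy per (source, dest) pair; pairs are emitted source-major, and that order is their precedence in the ordered policy list.` A duplicated pair from a list such as `net,net` is likewise only caught if process_a_policy1 detects repeated pairs, which I cannot confirm from the hunk.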
@@ -95,6 +98,9 @@ Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" does. + + Beginning with Shorewall 5.0.12, multiple zones may be listed + separated by commas.
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index 614186375..fe0d0e2a7 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -35,7 +35,7 @@ This file determines what to do with a new connection request if we don't get a match from the /etc/shorewall6/rules file . For each source/destination pair, the file is processed in order until a match is - found ("all" will match any client or server). + found ("all" will match any source or destination).
@@ -61,7 +61,7 @@ SOURCE - - zone|zone[,...]|$FW|all|all+
@@ -74,12 +74,15 @@ Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" does. + + Beginning with Shorewall 5.0.12, multiple zones may be listed + separated by commas. DEST - - zone|zone[,...]|$FW|all|all+
@@ -95,6 +98,9 @@ Support for "all+" was added in Shorewall 4.5.17. "all" does not override the implicit intra-zone ACCEPT policy while "all+" does. + + Beginning with Shorewall 5.0.12, multiple zones may be listed + separated by commas.