Shorewall 1.4.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/shorewall/hosts

@@ -1,10 +1,17 @@
 #
 # Shorewall 1.4 - /etc/shorewall/hosts
 #
-#    WARNING: 90% of Shorewall users don't need to add entries to this
+#	THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
-#             file and 80% of those who try to add such entries get it
+#
-#	      wrong. Unless you are ABSOLUTELY SURE that you need entries
+#	1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
-#	      in this file, don't touch it!
+#	   A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
+#	   BETWEEN THESE NETWORKS.
+#
+#	2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
+#	   INTERFACE.
+#
+#	IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
+#	THIS FILE.
 #
 #	This file is used to define zones in terms of subnets and/or
 #	individual IP addresses. Most simple setups don't need to

Lrp/etc/shorewall/policy

@@ -22,7 +22,26 @@
 #			 Shorewall will not start!
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
+#			be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+#
+#			ACCEPT		- Accept the connection
+#			DROP		- Ignore the connection request
+#			REJECT		- For TCP, send RST. For all other, send
+#					  "port unreachable" ICMP.
+#			CONTINUE	- Pass the connection request past
+#					  any other rules that it might also
+#					  match (where the source or destination
+#					  zone in those rules is a superset of
+#					  the SOURCE or DEST in this policy).
+#			NONE		- Assume that there will never be any
+#					  packets from this SOURCE
+#					  to this DEST. Shorewall will not set up
+#					  any infrastructure to handle such
+#				 	  packets and you may not have any rules
+#					  with this SOURCE and DEST in the
+#					  /etc/shorewall/rules file. If such a 
+#					  packet _is_ received, the result is 
+#					  undefined.
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no

Lrp/etc/shorewall/rules

@@ -15,7 +15,8 @@
 # Columns are:
 #
 #
-#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
+#			or LOG.
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
@@ -39,6 +40,7 @@
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
+#				LOG      -- Simply log the packet and continue.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be

Lrp/usr/share/shorewall/firewall

@@ -672,6 +672,7 @@ validate_policy()
     print_policy() # $1 = source zone, $2 = destination zone
     {
 	[ $command != check ] || \
+	    [ $1 = $2 ]  || \
 	    [ $1 = all ] || \
 	    [ $2 = all ] || \
 	    echo "   Policy for $1 to $2 is $policy"
@@ -708,7 +709,7 @@ validate_policy()
 	esac
 
 	case $policy in
-	ACCEPT|REJECT|DROP|CONTINUE)
+	ACCEPT|REJECT|DROP|CONTINUE|NONE)
 	    ;;
 	*)
 	    startup_error "Invalid policy $policy"
@@ -728,7 +729,7 @@ validate_policy()
 
 	chain=${client}2${server}
 
-	all_policy_chains="$all_policy_chains $chain"
+	[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
 
 	eval ${chain}_is_policy=Yes
 	eval ${chain}_policy=$policy
@@ -743,6 +744,7 @@ validate_policy()
 
 			if [ -z "$pc" ]; then
 			    eval ${zone}2${zone1}_policychain=$chain
+			    eval ${zone}2${zone1}_policy=$policy
 			    print_policy $zone $zone1
 			fi
 		    done
@@ -753,6 +755,7 @@ validate_policy()
 
 		    if [ -z "$pc" ]; then
 			eval ${zone}2${server}_policychain=$chain
+			eval ${zone}2${server}_policy=$policy
 			print_policy $zone $server
 		    fi
 		done
@@ -763,6 +766,7 @@ validate_policy()
 
 		    if [ -z "$pc" ]; then
 			eval ${client}2${zone}_policychain=$chain
+			eval ${client}2${zone}_policy=$policy
 			print_policy $client $zone
 		    fi
 	    done
@@ -1438,7 +1442,7 @@ delete_nat() {
 #
 setup_ecn() # $1 = file name
 {
-    local interfaces
+    local interfaces=""
     local hosts
     local h
 
@@ -2151,7 +2155,7 @@ process_rule() # $1 = target
 	else
 	    serverport=
 	    [ -z "$serverzone" -o -z "$servers" ] && \
-	        startup_error "Empty destination zone or qualifier: rule \"$rule\""
+	        fatal_error "Empty destination zone or qualifier: rule \"$rule\""
 	fi
     fi
 
@@ -2165,6 +2169,11 @@ process_rule() # $1 = target
 
     chain=${source}2${dest}
 
+    eval policy=\$${chain}_policy
+
+    [ $policy = NONE ] && \
+	fatal_error "Rules may not override a NONE policy: rule \"$rule\""
+
     [ $command = check ] || ensurechain $chain
 
     if [ "x$chain" = x${FW}2${FW} ]; then
@@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone
 
     havechain $chain && { echo $chain; return; }
 
+    [ "$1" = "$2" ] && { echo ACCEPT; return; }
+
     eval chain=\$${chain}_policychain
 
     [ -n "$chain" ] && { echo $chain; return; }
@@ -3670,41 +3681,27 @@ activate_rules()
 	done
 
 	for zone1 in $zones; do
+
+	    eval policy=\$${zone}2${zone1}_policy
+
+	    [ "$policy" = NONE ] && continue
+	    
 	    eval dest_hosts=\$${zone1}_hosts
 
 	    chain="`rules_chain $zone $zone1`"
 
 	    echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
 
-	    if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
-		have_canonical=Yes
-	    else
-		have_canonical=
-	    fi
-
 	    for host in $source_hosts; do
 		interface=${host%:*}
 		subnet=${host#*:}
 		chain1=`forward_chain $interface`
 
-		if [ -n "$have_canonical" ]; then
-		    bounce=yes
-		else
-		    case $interface in
-			*+*)
-			    bounce=yes
-			    ;;
-			*)
-			    bounce=
-			    ;;
-		    esac
-		fi
-
 		for host1 in $dest_hosts; do
 		    interface1=${host1%:*}
 		    subnet1=${host1#*:}
 
-		    if [ $interface != $interface1 -o -n "$bounce" ]; then
+		    if [ "$host" != "$host1" ]; then
 			run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
 		    fi
 		done

Lrp/usr/share/shorewall/version

@@ -1 +1 @@
-1.4.0
+1.4.1

Lrp/var/lib/lrpkg/shorwall.conf

@@ -16,6 +16,7 @@
 /etc/shorewall/tos		TOS       Type of Service policy
 /etc/shorewall/blacklist	Blacklist Blacklisted hosts
 /etc/shorewall/rfc1918		RFC1918   Defines 'norfc1918' interface option
+/etc/shorewall/ecn		ECN       Disable ECN to hosts and networks
 /etc/shorewall/init		Init      Commands executed before [re]start
 /etc/shorewall/start		Start     Commands executed after [re]start
 /etc/shorewall/stop		Stop      Commands executed before stop

Lrp/var/lib/lrpkg/shorwall.version

@@ -1 +1 @@
-1.4.0
+1.4.1