diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 7e4ae7931..28766b7ef 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -26,6 +26,8 @@ Changes in 3.9.3
 13) Add check for firewall zone existance.
+14) Add checks for zone existance in 'all' processing.
+
 Changes in 3.9.2
 1) Implement '-C {shell|perl}'.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 65f29053e..a2cf5bb65 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -61,6 +61,10 @@ Problems corrected in Shorewall 3.9.3
 11) The Shorewall-perl compiler now raises an error if there is no firewall zone declared.
+12) If 'all' appeared in the SOURCE column and an undefined zone was
+ specified in the DEST column of /etc/shorewall/rules, then a Perl
+ run-time diagnostic was produced.
+
 Other changes in Shorewall 3.9.3
 1) An 'optional' option has been added to
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 52236652b..31b7c6757 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1188,18 +1188,40 @@ sub process_rule ( $$$$$$$$$ ) {
 }
 } else {
 my $destzone = (split /:/, $dest)[0];
+ fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
 my $policychainref = $filter_table->{"${zone}2${destzone}"}{policychain};
- if ( $policychainref->{policy} ne 'NONE' ) {
+ fatal_error "No policy from zone $zone to zone $destzone" unless $policychainref;
+ if ( ( ( my $policy ) = $policychainref->{policy} ) ne 'NONE' ) {
+ if ( $optimize > 0 ) {
+ my $loglevel = $policychainref->{loglevel};
+ if ( $loglevel ) {
+ next if $target eq "${policy}:$loglevel}";
+ } else {
+ next if $action eq $policy;
+ }
+ }
 process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user;
 }
 }
 }
 }
 } elsif ( $dest eq 'all' ) {
- for my $zone1 ( @zones ) {
- my $zone = ( split /:/, $source )[0];
- if ( ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall') ) &&( ( $zone ne $zone1 ) || $intrazone) ) {
- process_rule1 $target, $source, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user;
+ for my $zone ( @zones ) {
+ my $sourcezone = ( split /:/, $source )[0];
+ if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
+ fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
+ my $policychainref = $filter_table->{"${sourcezone}2${zone}"}{policychain};
+ if ( ( ( my $policy ) = $policychainref->{policy} ) ne 'NONE' ) {
+ if ( $optimize > 0 ) {
+ my $loglevel = $policychainref->{loglevel};
+ if ( $loglevel ) {
+ next if $target eq "${policy}:$loglevel}";
+ } else {
+ next if $action eq $policy;
+ }
+ }
+ }
+ process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user;
 }
 }
 } else {
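Review bot: The NONE check added in both branches, `if ( ( ( my $policy ) = $policychainref->{policy} ) ne 'NONE' ) {`, is a list assignment evaluated in scalar context, so it yields the right-hand element count (1) and is always true; in the source-'all' branch this means process_rule1 now emits rules for zone pairs whose policy is NONE, which the removed `if ( $policychainref->{policy} ne 'NONE' )` line used to prevent. A scalar assignment keeps the intent: `if ( ( my $policy = $policychainref->{policy} ) ne 'NONE' ) {`. The log-level comparison `next if $target eq "${policy}:$loglevel}";` (again in both branches) has a stray `}` after `$loglevel` that interpolates as a literal brace, so the optimisation can never match a policy:level target; it should read `next if $target eq "${policy}:${loglevel}";`. The dest-'all' branch also dereferences `$policychainref` without the `fatal_error "No policy ..." unless $policychainref;` guard the other branch received, so a zone pair with no policy chain would still fail with a Perl run-time diagnostic instead of a compiler error. process_rule begins before this hunk, and `$action` and `$optimize` are not visible here, so I assume they are in scope from that earlier code.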