Use 'NONE' policies between LOOPBACK/LOCAL zones and non-firewall zones.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-06-02 07:31:32 -07:00
parent adf51d0059
commit 3867902b27
2 changed files with 22 additions and 10 deletions


@ -2172,15 +2172,13 @@ sub generate_matrix() {
# #
# FORWARDING Jump for non-IPSEC host group # FORWARDING Jump for non-IPSEC host group
# #
add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec' && ! ( $type & ( LOOPBACK | LOCAL ) ); add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
} }
} # Subnet Loop } # Subnet Loop
} # Hostref Loop } # Hostref Loop
} # Interface Loop } # Interface Loop
} #Type Loop } #Type Loop
next if $type & ( LOOPBACK | LOCAL );
if ( $frwd_ref ) { if ( $frwd_ref ) {
# #
# F O R W A R D I N G # F O R W A R D I N G
@ -2203,8 +2201,6 @@ sub generate_matrix() {
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
next if $type1 & ( LOOPBACK | LOCAL );
my $chain = rules_target $zone, $zone1; my $chain = rules_target $zone, $zone1;
next unless $chain; # CONTINUE policy with no rules next unless $chain; # CONTINUE policy with no rules
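Review bot: With the `! ( $type & ( LOOPBACK | LOCAL ) )` guard dropped from the add_forward_jump call and the two `next if $type ... ( LOOPBACK | LOCAL )` skips removed, generate_matrix now reaches the forwarding section for loopback and local zones and relies solely on the `policy eq 'NONE'` test on the surviving `next` line to suppress them, and nothing in this file records that dependency. I would add above that line a comment such as `# LOOPBACK/LOCAL <-> off-firewall pairs receive a 'NONE' policy in process_policies(); that is what skips them here`. The coupling also means any pair that does not get the NONE policy, for example loopback-to-loopback pairs which process_policies appears to exclude, now falls through to forwarding-rule generation where it was previously skipped unconditionally; worth confirming that is the intended behaviour. generate_matrix starts and ends outside both hunks.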


@ -658,6 +658,27 @@ sub process_policies()
push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE', PROVISIONAL, 0 ) if zone_type( $zone ) & BPORT; push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE', PROVISIONAL, 0 ) if zone_type( $zone ) & BPORT;
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $type = $zoneref->{type};
if ( $type == LOCAL ) {
for my $zone1 ( off_firewall_zones ) {
unless ( $zone eq $zone1 ) {
my $name = rules_chain( $zone, $zone1 );
my $name1 = rules_chain( $zone1, $zone );
set_policy_chain( $zone, $zone1, $name, ensure_rules_chain( $name ), 'NONE', 0 );
set_policy_chain( $zone1, $zone, $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
}
}
} elsif ( $type == LOOPBACK ) {
for my $zone1 ( off_firewall_zones ) {
unless ( $zone eq $zone1 || zone_type( $zone1 ) == LOOPBACK ) {
my $name = rules_chain( $zone, $zone1 );
my $name1 = rules_chain( $zone1, $zone );
set_policy_chain( $zone, $zone1, $name, ensure_rules_chain( $name ), 'NONE', 0 );
set_policy_chain( $zone1, $zone, $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
}
}
}
if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} & VSERVER ) ) { if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} & VSERVER ) ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
@ -2448,11 +2469,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly}; warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
if ( $destref ) { if ( $destref ) {
warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" ) if $sourceref->{type} == LOOPBACK && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "\$FW to \$FW rules are ignored when there is a defined 'loopback' zone" ) if loopback_zones && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL; warning_message( "\$FW to \$FW rules are ignored when there is a defined 'loopback' zone" ) if loopback_zones && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL;
} }
} }
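Review bot: The LOCAL and LOOPBACK branches added to process_policies are identical except for the loopback-to-loopback exclusion, so the two four-line set_policy_chain bodies are duplicated and will drift if one is later changed; folding them into one loop with guard clauses keeps a single copy, as sketched below. The asymmetry is also undocumented: a local zone gets a NONE policy toward every other local zone, while a loopback zone skips other loopback zones, and if that is deliberate a one-line comment at the `next` saying why would help the next reader. process_policies continues outside the hunk, and the process_rule hunk is a pure removal of warnings, which I have not re-reviewed.
```perl
my $type = $zoneref->{type};
if ( $type == LOCAL || $type == LOOPBACK ) {
    for my $zone1 ( off_firewall_zones ) {
        next if $zone eq $zone1;
        # NONE is not applied between two loopback zones but is between two local zones -- confirm intended
        next if $type == LOOPBACK && zone_type( $zone1 ) == LOOPBACK;
        my $name  = rules_chain( $zone, $zone1 );
        my $name1 = rules_chain( $zone1, $zone );
        set_policy_chain( $zone, $zone1, $name, ensure_rules_chain( $name ), 'NONE', 0 );
        set_policy_chain( $zone1, $zone, $name1, ensure_rules_chain( $name1 ), 'NONE', 0 );
    }
}
# … unchanged: IMPLICIT_CONTINUE handling …
```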