Zone exclusion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
4460b49842
commit
4322d7b2af
@ -1541,11 +1541,14 @@ sub process_rule ( ) {
|
||||
my $wild = 0;
|
||||
my $thisline = $currentline;
|
||||
my $action = isolate_basic_target $target;
|
||||
my $fw = firewall_zone;
|
||||
my $any;
|
||||
my $rest;
|
||||
my @source;
|
||||
my @dest;
|
||||
|
||||
my $exclude;
|
||||
my %exclude;
|
||||
|
||||
#
|
||||
# Section Names are optional so once we get to an actual rule, we need to be sure that
|
||||
# we close off any missing sections.
|
||||
@ -1564,30 +1567,41 @@ sub process_rule ( ) {
|
||||
|
||||
$any = ( $source =~ s/^any/all/ );
|
||||
|
||||
if ( $source =~ /^(all[-+]*)(:.*)?/ ) {
|
||||
if ( $source =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
|
||||
$source = $1;
|
||||
$rest = $2;
|
||||
$exclude = $2;
|
||||
$rest = $3;
|
||||
|
||||
my $includefw = 1;
|
||||
if ( defined $exclude ) {
|
||||
$exclude =~ s/!//;
|
||||
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
|
||||
for ( split /,/, $exclude ) {
|
||||
fatal_error "Unknown zone ($_)" unless defined_zone $_;
|
||||
$exclude{$_} = 1;
|
||||
}
|
||||
}
|
||||
|
||||
unless ( $source eq 'all' ) {
|
||||
if ( $source eq 'all+' ) {
|
||||
$intrazone = 1;
|
||||
} elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
|
||||
$intrazone = 1;
|
||||
$includefw = 0;
|
||||
$exclude{$fw} = 1;
|
||||
} elsif ( $source eq 'all-' ) {
|
||||
$includefw = 0;
|
||||
$exclude{$fw} = 1;
|
||||
} else {
|
||||
fatal_error "Invalid SOURCE ($source)";
|
||||
}
|
||||
}
|
||||
|
||||
@source = $any ? all_parent_zones : non_firewall_zones;
|
||||
@source = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
|
||||
|
||||
unshift @source, firewall_zone if $includefw;
|
||||
unshift @source, $fw unless $exclude{$fw};
|
||||
|
||||
$wild = 1;
|
||||
|
||||
%exclude = ();
|
||||
|
||||
} elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
|
||||
$source = $1;
|
||||
$rest = $2;
|
||||
@ -1609,28 +1623,36 @@ sub process_rule ( ) {
|
||||
|
||||
$any = ( $dest =~ s/^any/all/ );
|
||||
|
||||
if ( $dest =~ /^(all[-+]*)(:.*)?/ ) {
|
||||
$dest = $1;
|
||||
$rest = $2;
|
||||
if ( $dest =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
|
||||
$dest = $1;
|
||||
$exclude = $2;
|
||||
$rest = $3;
|
||||
|
||||
my $includefw = 1;
|
||||
if ( defined $exclude ) {
|
||||
$exclude =~ s/!//;
|
||||
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
|
||||
for ( split /,/, $exclude ) {
|
||||
fatal_error "Unknown zone ($_)" unless defined_zone $_;
|
||||
$exclude{$_} = 1;
|
||||
}
|
||||
}
|
||||
|
||||
unless ( $dest eq 'all' ) {
|
||||
if ( $dest eq 'all+' ) {
|
||||
$intrazone = 1;
|
||||
} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
|
||||
$intrazone = 1;
|
||||
$includefw = 0;
|
||||
$exclude{$fw} = 1;
|
||||
} elsif ( $dest eq 'all-' ) {
|
||||
$includefw = 0;
|
||||
$exclude{$fw} = 1;
|
||||
} else {
|
||||
fatal_error "Invalid DEST ($dest)";
|
||||
}
|
||||
}
|
||||
|
||||
@dest = $any ? all_parent_zones : non_firewall_zones;
|
||||
@dest = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
|
||||
|
||||
unshift @dest, firewall_zone if $includefw;
|
||||
unshift @dest, $fw unless $exclude{$fw};
|
||||
$wild = 1;
|
||||
} elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
|
||||
$dest = $1;
|
||||
@ -1654,7 +1676,7 @@ sub process_rule ( ) {
|
||||
for $dest ( @dest ) {
|
||||
my $sourcezone = (split( /:/, $source, 2 ) )[0];
|
||||
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
||||
$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
|
||||
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
|
||||
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
|
||||
process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
|
||||
}
|
||||
|
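Review bot: The new SOURCE pattern at the top of the second hunk is still unanchored, so an empty exclusion such as `all!` or `all!:1.2.3.4` never reaches the fatal_error checks: `(![^:]+)?` needs at least one character, `$2` stays undef, and the `!` together with everything after it is silently discarded, so the rule compiles as a plain `all` — a wider match than the author wrote, with any address qualifier lost. The old pattern truncated trailing text the same way, but the new `!` syntax makes this typo likely, and the DEST hunk carries the same pattern; anchoring it, `if ( $source =~ /^(all[-+]*)(![^:]+)?(:.*)?$/ ) {`, would let such input fall through to the single-zone handling below these hunks, where I would expect it to be rejected as an unknown zone — worth confirming against that code, which is outside the hunk. Separately, `$includefw` is now written but never read in both the SOURCE and DEST branches, since the `unshift` tests `$exclude{$fw}` instead, so the `my $includefw = 1;` and the two `$includefw = 0;` lines in each branch are dead and can go. process_rule begins and ends outside these hunks.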
@ -45,6 +45,15 @@ None.
|
||||
fw,dmz:90.90.191.120/29
|
||||
all:+blacklist
|
||||
|
||||
The 'all' and 'any' keywords now support exclusion in the form of a
|
||||
comma-separated list of excluded zones.
|
||||
|
||||
Examples:
|
||||
|
||||
all!fw (same as all-).
|
||||
any+!dmz,loc (All zones except 'dmz' and 'loc' and
|
||||
include intra-zone rules).
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -20,17 +20,22 @@
|
||||
<arg choice="plain"
|
||||
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<arg choice="plain"
|
||||
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>Exclusion is used when you wish to exclude one or more addresses
|
||||
from a definition. An exclaimation point is followed by a comma-separated
|
||||
list of addresses. The addresses may be single host addresses (e.g.,
|
||||
192.168.1.4) or they may be network addresses in CIDR format (e.g.,
|
||||
192.168.1.0/24). If your kernel and iptables include iprange support, you
|
||||
may also specify ranges of ip addresses of the form
|
||||
<para>The first form of exclusion is used when you wish to exclude one or
|
||||
more addresses from a definition. An exclaimation point is followed by a
|
||||
comma-separated list of addresses. The addresses may be single host
|
||||
addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
|
||||
format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange
|
||||
support, you may also specify ranges of ip addresses of the form
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
|
||||
|
||||
<para>No embedded whitespace is allowed.</para>
|
||||
@ -39,6 +44,46 @@
|
||||
ranges. In that case, the final list of address is formed by taking the
|
||||
first list and then removing the addresses defined in the
|
||||
exclusion.</para>
|
||||
|
||||
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
|
||||
allowed after <emphasis role="bold">all</emphasis> and <emphasis
|
||||
role="bold">any</emphasis> in the SOURCE and DEST columns of
|
||||
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
|
||||
generated by those key words.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you omit a sub-zone and there is an explicit or explicit
|
||||
CONTINUE policy, a connection to/from that zone can still be matched by
|
||||
the rule generated for a parent zone.</para>
|
||||
|
||||
<para>For example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/zones:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE
|
||||
z1 ip
|
||||
z2:z1 ip
|
||||
...</programlisting>
|
||||
|
||||
<para>/etc/shorewall/policy:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY
|
||||
z1 net CONTINUE
|
||||
z2 net REJECT</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT all!z2 net tcp 22</programlisting>
|
||||
|
||||
<para>In this case, SSH connections from <emphasis
|
||||
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
|
||||
be accepted by the generated <emphasis role="bold">z1</emphasis> to
|
||||
net ACCEPT rule.</para>
|
||||
</blockquote>
|
||||
</warning>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -79,6 +124,14 @@
|
||||
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 5 - All parent zones except loc</term>
|
||||
|
||||
<listitem>
|
||||
<para>any!loc</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -533,8 +533,10 @@
|
||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
||||
affected.</para>
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||
<ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
@ -546,6 +548,13 @@
|
||||
mac addresses must begin with "~" and must use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>The above restriction on <emphasis
|
||||
role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
||||
<emphasis role="bold">any</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||
removed in Shorewall-4.4.13. </para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
@ -667,7 +676,9 @@
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
role="bold">DEST</emphasis> column intra-zone traffic is not
|
||||
affected. When <emphasis role="bold">all+</emphasis> is used,
|
||||
intra-zone traffic is affected.</para>
|
||||
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
||||
exclusion is supported -- see see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
|
@ -20,6 +20,11 @@
|
||||
<arg choice="plain"
|
||||
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<arg choice="plain"
|
||||
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
@ -39,6 +44,46 @@
|
||||
ranges. In that case, the final list of address is formed by taking the
|
||||
first list and then removing the addresses defined in the
|
||||
exclusion.</para>
|
||||
|
||||
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
|
||||
allowed after <emphasis role="bold">all</emphasis> and <emphasis
|
||||
role="bold">any</emphasis> in the SOURCE and DEST columns of
|
||||
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
|
||||
generated by those key words.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you omit a sub-zone and there is an explicit or explicit
|
||||
CONTINUE policy, a connection to/from that zone can still be matched by
|
||||
the rule generated for a parent zone.</para>
|
||||
|
||||
<para>For example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>/etc/shorewall6/zones:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE
|
||||
z1 ip
|
||||
z2:z1 ip
|
||||
...</programlisting>
|
||||
|
||||
<para>/etc/shorewall6/policy:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY
|
||||
z1 net CONTINUE
|
||||
z2 net REJECT</programlisting>
|
||||
|
||||
<para>/etc/shorewall6/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT all!z2 net tcp 22</programlisting>
|
||||
|
||||
<para>In this case, SSH connections from <emphasis
|
||||
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
|
||||
be accepted by the generated <emphasis role="bold">z1</emphasis> to
|
||||
net ACCEPT rule.</para>
|
||||
</blockquote>
|
||||
</warning>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
@ -393,8 +393,10 @@
|
||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
||||
affected.</para>
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||
<ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
@ -527,7 +529,9 @@
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
|
||||
<replaceable>zone-list</replaceable> may be optionally followed by
|
||||
"+" to indicate that the rule is to apply to intra-zone traffic as
|
||||
well as inter-zone traffic.</para>
|
||||
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
|
||||
exclusion is supported -- see see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
|