Zone exclusion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-08-18 16:10:58 -07:00
parent 4460b49842
commit 4322d7b2af
6 changed files with 173 additions and 29 deletions

View File

@ -1541,10 +1541,13 @@ sub process_rule ( ) {
my $wild = 0; my $wild = 0;
my $thisline = $currentline; my $thisline = $currentline;
my $action = isolate_basic_target $target; my $action = isolate_basic_target $target;
my $fw = firewall_zone;
my $any; my $any;
my $rest; my $rest;
my @source; my @source;
my @dest; my @dest;
my $exclude;
my %exclude;
# #
# Section Names are optional so once we get to an actual rule, we need to be sure that # Section Names are optional so once we get to an actual rule, we need to be sure that
@ -1564,30 +1567,41 @@ sub process_rule ( ) {
$any = ( $source =~ s/^any/all/ ); $any = ( $source =~ s/^any/all/ );
if ( $source =~ /^(all[-+]*)(:.*)?/ ) { if ( $source =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
$source = $1; $source = $1;
$rest = $2; $exclude = $2;
$rest = $3;
my $includefw = 1; if ( defined $exclude ) {
$exclude =~ s/!//;
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
for ( split /,/, $exclude ) {
fatal_error "Unknown zone ($_)" unless defined_zone $_;
$exclude{$_} = 1;
}
}
unless ( $source eq 'all' ) { unless ( $source eq 'all' ) {
if ( $source eq 'all+' ) { if ( $source eq 'all+' ) {
$intrazone = 1; $intrazone = 1;
} elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) { } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
$intrazone = 1; $intrazone = 1;
$includefw = 0; $exclude{$fw} = 1;
} elsif ( $source eq 'all-' ) { } elsif ( $source eq 'all-' ) {
$includefw = 0; $exclude{$fw} = 1;
} else { } else {
fatal_error "Invalid SOURCE ($source)"; fatal_error "Invalid SOURCE ($source)";
} }
} }
@source = $any ? all_parent_zones : non_firewall_zones; @source = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
unshift @source, firewall_zone if $includefw; unshift @source, $fw unless $exclude{$fw};
$wild = 1; $wild = 1;
%exclude = ();
} elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) { } elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
$source = $1; $source = $1;
$rest = $2; $rest = $2;
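Review bot: an excluded zone that is not in the generated list is silently a no-op. `fatal_error "Unknown zone ($_)" unless defined_zone $_;` only checks that the zone exists, but `@source = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;` can only remove zones that `all_parent_zones`/`non_firewall_zones` produced, so `any!z2` with z2 a sub-zone removes nothing and the user gets no diagnostic. Consider a warning_message when an excluded name does not appear in the list being filtered (compare the list before and after the grep, or look the name up in the list first).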
@ -1609,28 +1623,36 @@ sub process_rule ( ) {
$any = ( $dest =~ s/^any/all/ ); $any = ( $dest =~ s/^any/all/ );
if ( $dest =~ /^(all[-+]*)(:.*)?/ ) { if ( $dest =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
$dest = $1; $dest = $1;
$rest = $2; $exclude = $2;
$rest = $3;
my $includefw = 1; if ( defined $exclude ) {
$exclude =~ s/!//;
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
for ( split /,/, $exclude ) {
fatal_error "Unknown zone ($_)" unless defined_zone $_;
$exclude{$_} = 1;
}
}
unless ( $dest eq 'all' ) { unless ( $dest eq 'all' ) {
if ( $dest eq 'all+' ) { if ( $dest eq 'all+' ) {
$intrazone = 1; $intrazone = 1;
} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) { } elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
$intrazone = 1; $intrazone = 1;
$includefw = 0; $exclude{$fw} = 1;
} elsif ( $dest eq 'all-' ) { } elsif ( $dest eq 'all-' ) {
$includefw = 0; $exclude{$fw} = 1;
} else { } else {
fatal_error "Invalid DEST ($dest)"; fatal_error "Invalid DEST ($dest)";
} }
} }
@dest = $any ? all_parent_zones : non_firewall_zones; @dest = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
unshift @dest, firewall_zone if $includefw; unshift @dest, $fw unless $exclude{$fw};
$wild = 1; $wild = 1;
} elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) { } elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
$dest = $1; $dest = $1;
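Review bot: the exclusion parsing in this DEST branch (the `s/!//`, the `/^,|!|,,|,$/` validation, and the `defined_zone` loop) is a verbatim copy of the SOURCE branch; factor it into one helper that takes the `!`-list and returns the `%exclude` hash, so that a later fix to the validation cannot drift between the two columns. Note also that this branch does not clear `%exclude` afterwards as the SOURCE branch does; harmless today, but the asymmetry is worth removing while refactoring.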
@ -1654,7 +1676,7 @@ sub process_rule ( ) {
for $dest ( @dest ) { for $dest ( @dest ) {
my $sourcezone = (split( /:/, $source, 2 ) )[0]; my $sourcezone = (split( /:/, $source, 2 ) )[0];
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone; $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild; process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
} }

View File

@ -45,6 +45,15 @@ None.
fw,dmz:90.90.191.120/29 fw,dmz:90.90.191.120/29
all:+blacklist all:+blacklist
The 'all' and 'any' keywords now support exclusion in the form of a
comma-separated list of excluded zones.
Examples:
all!fw (same as all-).
any+!dmz,loc (All zones except 'dmz' and 'loc' and
include intra-zone rules).
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
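Review bot: "All zones except 'dmz' and 'loc'" for `any+!dmz,loc` is imprecise, because `any` expands to the parent zones only (the rules man page says any equals all only when there are no nested zones, and the exclusion man page's new Example 5 describes `any!loc` as "All parent zones except loc"); say "all parent zones". The release note should also carry the sub-zone/CONTINUE caveat that the new man-page warning documents, since that is the case most likely to surprise someone who reads only the release notes.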

View File

@ -20,17 +20,22 @@
<arg choice="plain" <arg choice="plain"
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg> rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>Exclusion is used when you wish to exclude one or more addresses <para>The first form of exclusion is used when you wish to exclude one or
from a definition. An exclaimation point is followed by a comma-separated more addresses from a definition. An exclaimation point is followed by a
list of addresses. The addresses may be single host addresses (e.g., comma-separated list of addresses. The addresses may be single host
192.168.1.4) or they may be network addresses in CIDR format (e.g., addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
192.168.1.0/24). If your kernel and iptables include iprange support, you format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange
may also specify ranges of ip addresses of the form support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para> <para>No embedded whitespace is allowed.</para>
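Review bot: while this paragraph is being rewrapped, fix the pre-existing "exclaimation" (should be "exclamation") on the line "more addresses from a definition. An exclaimation point is followed by a".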
@ -39,6 +44,46 @@
ranges. In that case, the final list of address is formed by taking the ranges. In that case, the final list of address is formed by taking the
first list and then removing the addresses defined in the first list and then removing the addresses defined in the
exclusion.</para> exclusion.</para>
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
CONTINUE policy, a connection to/from that zone can still be matched by
the rule generated for a parent zone.</para>
<para>For example:</para>
<blockquote>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE
z1 ip
z2:z1 ip
...</programlisting>
<para>/etc/shorewall/policy:</para>
<programlisting>#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22</programlisting>
<para>In this case, SSH connections from <emphasis
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
be accepted by the generated <emphasis role="bold">z1</emphasis> to
net ACCEPT rule.</para>
</blockquote>
</warning>
</refsect1> </refsect1>
<refsect1> <refsect1>
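Review bot: "an explicit or explicit CONTINUE policy" in the warning should read "an explicit or implicit CONTINUE policy". The warning would also help the reader more if it said how to avoid the problem it describes, e.g. that excluding the sub-zone alone does not suppress the parent-zone rule, so the parent must be excluded as well (`all!z1,z2`) or the zones listed explicitly.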
@ -79,6 +124,14 @@
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para> <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Example 5 - All parent zones except loc</term>
<listitem>
<para>any!loc</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
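Review bot: Example 5 only shows the bare `any!loc` form. Since the release notes use `any+!dmz,loc`, an example showing the `+`/`-` suffix together with an exclusion would document the ordering the parser requires (suffix first, then `!`, as in `all[-+]*` followed by `![^:]+` in the new regex).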

View File

@ -533,8 +533,10 @@
used either in the <emphasis role="bold">SOURCE</emphasis> or used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
affected.</para> Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
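Review bot: "exclusion is supported -- see see" doubles "see"; while touching this paragraph, the pre-existing stray quote in `is "used, intra-zone traffic is affected.` should go as well.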
@ -546,6 +548,13 @@
mac addresses must begin with "~" and must use "-" as a mac addresses must begin with "~" and must use "-" as a
separator.</para> separator.</para>
<para>The above restriction on <emphasis
role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
removed in Shorewall-4.4.13. </para>
<para><emphasis role="bold">any</emphasis> is equivalent to <para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones. <emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis> When there are nested zones, <emphasis role="bold">any</emphasis>
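Review bot: "The above restriction on all[+][-] and any[+][-] is removed in Shorewall-4.4.13." has no clear referent: a paragraph about MAC address syntax sits between it and the "Except when all[+][-] or ..." sentence it seems to refer to. Name the restriction being lifted (what may now follow all/any in the column) rather than saying "the above restriction", and drop the trailing space before `</para>`.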
@ -667,7 +676,9 @@
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column intra-zone traffic is not role="bold">DEST</emphasis> column intra-zone traffic is not
affected. When <emphasis role="bold">all+</emphasis> is used, affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para> intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
exclusion is supported -- see see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to <para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones. <emphasis role="bold">all</emphasis> when there are no nested zones.
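Review bot: "exclusion is supported -- see see" doubles "see" here too.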

View File

@ -20,6 +20,11 @@
<arg choice="plain" <arg choice="plain"
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg> rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
@ -39,6 +44,46 @@
ranges. In that case, the final list of address is formed by taking the ranges. In that case, the final list of address is formed by taking the
first list and then removing the addresses defined in the first list and then removing the addresses defined in the
exclusion.</para> exclusion.</para>
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
CONTINUE policy, a connection to/from that zone can still be matched by
the rule generated for a parent zone.</para>
<para>For example:</para>
<blockquote>
<para>/etc/shorewall6/zones:</para>
<programlisting>#ZONE TYPE
z1 ip
z2:z1 ip
...</programlisting>
<para>/etc/shorewall6/policy:</para>
<programlisting>#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT</programlisting>
<para>/etc/shorewall6/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22</programlisting>
<para>In this case, SSH connections from <emphasis
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
be accepted by the generated <emphasis role="bold">z1</emphasis> to
net ACCEPT rule.</para>
</blockquote>
</warning>
</refsect1> </refsect1>
<refsect1> <refsect1>
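Review bot: same "explicit or explicit CONTINUE policy" typo as in the shorewall-exclusion page (should be "explicit or implicit"). This warning is an exact copy of the IPv4 one; if both are kept, make sure the wording fix lands in both, or generate one from the other.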

View File

@ -393,8 +393,10 @@
used either in the <emphasis role="bold">SOURCE</emphasis> or used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is <emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
affected.</para> Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
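Review bot: "exclusion is supported -- see see" doubles "see", and the pre-existing stray quote in `is "used, intra-zone traffic is affected.` is on the same line being edited.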
@ -527,7 +529,9 @@
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by <replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as "+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para> well as inter-zone traffic. Beginning with Shorewall-4.4.13,
exclusion is supported -- see see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>When <emphasis role="bold">none</emphasis> is used either in <para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis the <emphasis role="bold">SOURCE</emphasis> or <emphasis
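Review bot: "exclusion is supported -- see see" doubles "see"; the pre-existing "Ths" in "shorewall-zones</ulink> (5). Ths" should be "This" while this paragraph is being changed.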