Zone exclusion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-08-18 16:10:58 -07:00
parent 4460b49842
commit 4322d7b2af
6 changed files with 173 additions and 29 deletions


@ -1541,10 +1541,13 @@ sub process_rule ( ) {
my $wild = 0;
my $thisline = $currentline;
my $action = isolate_basic_target $target;
my $fw = firewall_zone;
my $any;
my $rest;
my @source;
my @dest;
my $exclude;
my %exclude;
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
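Review bot: the new declarations `my $exclude;` and `my %exclude;` give a scalar and a hash the same name; Perl keeps them apart by sigil, but every later use (`$exclude =~ s/!//;` versus `$exclude{$_} = 1;`) forces the reader to check which one is meant. Renaming the scalar to something like `$exclude_list` would make the parsing code below easier to follow.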
@ -1564,30 +1567,41 @@ sub process_rule ( ) {
$any = ( $source =~ s/^any/all/ );
if ( $source =~ /^(all[-+]*)(:.*)?/ ) {
if ( $source =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
$source = $1;
$rest = $2;
$exclude = $2;
$rest = $3;
my $includefw = 1;
if ( defined $exclude ) {
$exclude =~ s/!//;
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
for ( split /,/, $exclude ) {
fatal_error "Unknown zone ($_)" unless defined_zone $_;
$exclude{$_} = 1;
}
}
unless ( $source eq 'all' ) {
if ( $source eq 'all+' ) {
$intrazone = 1;
} elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
$intrazone = 1;
$includefw = 0;
$exclude{$fw} = 1;
} elsif ( $source eq 'all-' ) {
$includefw = 0;
$exclude{$fw} = 1;
} else {
fatal_error "Invalid SOURCE ($source)";
}
}
@source = $any ? all_parent_zones : non_firewall_zones;
@source = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
unshift @source, firewall_zone if $includefw;
unshift @source, $fw unless $exclude{$fw};
$wild = 1;
%exclude = ();
} elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
$source = $1;
$rest = $2;
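Review bot: an excluded zone that is not in the generated list is silently ignored. `@source = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;` only filters what the keyword produced, so `any!z2` with z2 a sub-zone passes the `defined_zone` check and then removes nothing, since all_parent_zones never contains it. Consider emitting a warning when a listed zone was not actually removed from the list; that would also surface the parent-zone CONTINUE case this commit warns about in the man page.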
@ -1609,28 +1623,36 @@ sub process_rule ( ) {
$any = ( $dest =~ s/^any/all/ );
if ( $dest =~ /^(all[-+]*)(:.*)?/ ) {
if ( $dest =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
$dest = $1;
$rest = $2;
$exclude = $2;
$rest = $3;
my $includefw = 1;
if ( defined $exclude ) {
$exclude =~ s/!//;
fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
for ( split /,/, $exclude ) {
fatal_error "Unknown zone ($_)" unless defined_zone $_;
$exclude{$_} = 1;
}
}
unless ( $dest eq 'all' ) {
if ( $dest eq 'all+' ) {
$intrazone = 1;
} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
$intrazone = 1;
$includefw = 0;
$exclude{$fw} = 1;
} elsif ( $dest eq 'all-' ) {
$includefw = 0;
$exclude{$fw} = 1;
} else {
fatal_error "Invalid DEST ($dest)";
}
}
@dest = $any ? all_parent_zones : non_firewall_zones;
@dest = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
unshift @dest, firewall_zone if $includefw;
unshift @dest, $fw unless $exclude{$fw};
$wild = 1;
} elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
$dest = $1;
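Review bot: the block from `if ( defined $exclude ) {` through `unshift @dest, $fw unless $exclude{$fw};` is a line-for-line copy of the SOURCE branch with `$source` renamed to `$dest` and the error text changed. Factoring it into a helper that takes the column name ("SOURCE"/"DEST") would keep the two validations from drifting apart. Note also that the SOURCE branch ends with `%exclude = ();` while this one does not; harmless today because nothing reads `%exclude` after this point, but a shared helper should reset it in both cases.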
@ -1654,7 +1676,7 @@ sub process_rule ( ) {
for $dest ( @dest ) {
my $sourcezone = (split( /:/, $source, 2 ) )[0];
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
}


@ -45,6 +45,15 @@ None.
fw,dmz:90.90.191.120/29
all:+blacklist
The 'all' and 'any' keywords now support exclusion in the form of a
comma-separated list of excluded zones.
Examples:
all!fw (same as all-).
any+!dmz,loc (All zones except 'dmz' and 'loc' and
include intra-zone rules).
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
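Review bot: the release note documents `all!fw` and `any+!dmz,loc` but omits the caveat that the shorewall-exclusion(5) change in this same commit adds: excluding a sub-zone does not stop a connection from being matched by the rule generated for its parent zone when a CONTINUE policy applies. A one-line pointer to shorewall-exclusion(5) here would stop readers taking the release note as the whole story.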


@ -20,17 +20,22 @@
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
</cmdsynopsis>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Exclusion is used when you wish to exclude one or more addresses
from a definition. An exclaimation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g.,
192.168.1.4) or they may be network addresses in CIDR format (e.g.,
192.168.1.0/24). If your kernel and iptables include iprange support, you
may also specify ranges of ip addresses of the form
<para>The first form of exclusion is used when you wish to exclude one or
more addresses from a definition. An exclaimation point is followed by a
comma-separated list of addresses. The addresses may be single host
addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange
support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para>
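Review bot: the rewritten paragraph carries over the misspelling "exclaimation point" (should be "exclamation point"); since these lines are being rewritten anyway, fix it here. "ip addresses" would conventionally be "IP addresses" as well.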
@ -39,6 +44,46 @@
ranges. In that case, the final list of address is formed by taking the
first list and then removing the addresses defined in the
exclusion.</para>
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
CONTINUE policy, a connection to/from that zone can still be matched by
the rule generated for a parent zone.</para>
<para>For example:</para>
<blockquote>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE
z1 ip
z2:z1 ip
...</programlisting>
<para>/etc/shorewall/policy:</para>
<programlisting>#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22</programlisting>
<para>In this case, SSH connections from <emphasis
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
be accepted by the generated <emphasis role="bold">z1</emphasis> to
net ACCEPT rule.</para>
</blockquote>
</warning>
</refsect1>
<refsect1>
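Review bot: "an explicit or explicit CONTINUE policy" in the new warning is presumably "explicit or implicit"; as written the sentence contradicts itself. The z1/z2 example that follows is the right one to show, since the rule `ACCEPT all!z2 net tcp 22` still produces a z1-to-net ACCEPT that the CONTINUE policy lets z2 traffic reach.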
@ -79,6 +124,14 @@
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 5 - All parent zones except loc</term>
<listitem>
<para>any!loc</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -533,8 +533,10 @@
used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is
affected.</para>
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
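Review bot: "see see" is doubled in the added sentence, and the stray double quote in `is "used, intra-zone traffic is affected.` is pre-existing but sits on a line this hunk rewrites, so drop it here too.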
@ -546,6 +548,13 @@
mac addresses must begin with "~" and must use "-" as a
separator.</para>
<para>The above restriction on <emphasis
role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
<emphasis role="bold">any</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
removed in Shorewall-4.4.13. </para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
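Review bot: trailing whitespace before `</para>` in `removed in Shorewall-4.4.13. </para>`, and this paragraph writes "Shorewall-4.4.13" where the paragraph added a few lines above writes "Shorewall 4.4.13"; pick one form for the man page.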
@ -667,7 +676,9 @@
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis> column intra-zone traffic is not
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para>
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
exclusion is supported -- see see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
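Review bot: "see see" is doubled again in `exclusion is supported -- see see <ulink`; same fix as in the earlier hunk of this file.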


@ -20,6 +20,11 @@
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
</cmdsynopsis>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
@ -39,6 +44,46 @@
ranges. In that case, the final list of address is formed by taking the
first list and then removing the addresses defined in the
exclusion.</para>
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
CONTINUE policy, a connection to/from that zone can still be matched by
the rule generated for a parent zone.</para>
<para>For example:</para>
<blockquote>
<para>/etc/shorewall6/zones:</para>
<programlisting>#ZONE TYPE
z1 ip
z2:z1 ip
...</programlisting>
<para>/etc/shorewall6/policy:</para>
<programlisting>#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT</programlisting>
<para>/etc/shorewall6/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22</programlisting>
<para>In this case, SSH connections from <emphasis
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
be accepted by the generated <emphasis role="bold">z1</emphasis> to
net ACCEPT rule.</para>
</blockquote>
</warning>
</refsect1>
<refsect1>
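Review bot: the shorewall6-exclusion copy repeats "explicit or explicit CONTINUE policy"; correct it to "explicit or implicit" together with the shorewall-exclusion page so the two man pages stay identical apart from the /etc/shorewall6 paths.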


@ -393,8 +393,10 @@
used either in the <emphasis role="bold">SOURCE</emphasis> or
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
role="bold">-</emphasis>] is "used, intra-zone traffic is
affected.</para>
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
<ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
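Review bot: "see see" is doubled in `Beginning with Shorewall 4.4.13, exclusion is supported -- see see`, and the stray quote in `is "used,` is being rewritten on this line and can be dropped at the same time.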
@ -527,7 +529,9 @@
url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
<replaceable>zone-list</replaceable> may be optionally followed by
"+" to indicate that the rule is to apply to intra-zone traffic as
well as inter-zone traffic.</para>
well as inter-zone traffic. Beginning with Shorewall-4.4.13,
exclusion is supported -- see see <ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
<para>When <emphasis role="bold">none</emphasis> is used either in
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
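Review bot: "see see" is doubled once more in `exclusion is supported -- see see <ulink`, and this sentence uses "Shorewall-4.4.13" while the earlier hunk in the same file uses "Shorewall 4.4.13". The unchanged context line `shorewall-zones</ulink> (5). Ths` carries a pre-existing "Ths" typo that could be fixed while this paragraph is being touched.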