Complete Zone list Support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-08-18 14:38:53 -07:00
parent fafb0dea73
commit 4460b49842
2 changed files with 91 additions and 80 deletions


@ -1537,13 +1537,15 @@ sub process_rule ( ) {
return 1; return 1;
} }
my $intrazone = 0; my $intrazone = 0;
my $wild = 0; my $wild = 0;
my $includesrcfw = 1; my $thisline = $currentline;
my $includedstfw = 1; my $action = isolate_basic_target $target;
my $thisline = $currentline; my $any;
my $anysource = ( $source =~ s/^any/all/ ); my $rest;
my $anydest = ( $dest =~ s/^any/all/ ); my @source;
my @dest;
# #
# Section Names are optional so once we get to an actual rule, we need to be sure that # Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections. # we close off any missing sections.
@ -1554,104 +1556,99 @@ sub process_rule ( ) {
$sectioned = 1; $sectioned = 1;
} }
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
# #
# Handle Wildcards # Handle Wildcards
# #
$any = ( $source =~ s/^any/all/ );
if ( $source =~ /^all[-+]/ ) { if ( $source =~ /^(all[-+]*)(:.*)?/ ) {
if ( $source eq 'all+' ) { $source = $1;
$source = 'all'; $rest = $2;
$intrazone = 1;
} elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
$source = 'all';
$intrazone = 1;
$includesrcfw = 0;
} elsif ( $source eq 'all-' ) {
$source = 'all';
$includesrcfw = 0;
} else {
fatal_error "Invalid SOURCE ($source)";
}
}
if ( $dest =~ /^all[-+]/ ) { my $includefw = 1;
if ( $dest eq 'all+' ) {
$dest = 'all'; unless ( $source eq 'all' ) {
$intrazone = 1; if ( $source eq 'all+' ) {
} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) { $intrazone = 1;
$dest = 'all'; } elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
$intrazone = 1; $intrazone = 1;
$includedstfw = 0; $includefw = 0;
} elsif ( $dest eq 'all-' ) { } elsif ( $source eq 'all-' ) {
$dest = 'all'; $includefw = 0;
$includedstfw = 0; } else {
} else { fatal_error "Invalid SOURCE ($source)";
fatal_error "Invalid DEST ($dest)"; }
} }
} @source = $any ? all_parent_zones : non_firewall_zones;
my $action = isolate_basic_target $target; unshift @source, firewall_zone if $includefw;
my @source;
my @dest;
if ( $source eq 'all' ) {
if ( $anysource ) {
@source = ( all_parent_zones );
} else {
@source = ( non_firewall_zones )
}
unshift @source, firewall_zone if $includesrcfw;
$wild = 1; $wild = 1;
} elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) { } elsif ( $source =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
my $zonelist = $1; $source = $1;
my $rest = $2; $rest = $2;
fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/; fatal_error "Invalid zone list ($source)" if $source =~ /,,/;
$intrazone = ( $zonelist =~ s/\+$// ); $intrazone = ( $source =~ s/\+$// );
$wild = 1; $wild = 1;
if ( defined $rest ) { @source = split /,/, $source;
push( @source , $_ . $rest ) for split /,/, $zonelist;
} else {
@source = split /,/, $zonelist;
}
} else { } else {
@source = ( $source ); @source = ( $source );
} }
if ( $dest eq 'all' ) { if ( defined $rest ) {
if ( $anydest ) { $_ .= $rest for @source;
@dest = ( all_parent_zones ); $rest = undef;
} else { }
@dest = ( non_firewall_zones )
$any = ( $dest =~ s/^any/all/ );
if ( $dest =~ /^(all[-+]*)(:.*)?/ ) {
$dest = $1;
$rest = $2;
my $includefw = 1;
unless ( $dest eq 'all' ) {
if ( $dest eq 'all+' ) {
$intrazone = 1;
} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
$intrazone = 1;
$includefw = 0;
} elsif ( $dest eq 'all-' ) {
$includefw = 0;
} else {
fatal_error "Invalid DEST ($dest)";
}
} }
unshift @dest, firewall_zone if $includedstfw; @dest = $any ? all_parent_zones : non_firewall_zones;
unshift @dest, firewall_zone if $includefw;
$wild = 1; $wild = 1;
} elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) { } elsif ( $dest =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
my $zonelist = $1; $dest = $1;
my $rest = $2; $rest = $2;
fatal_error "Invalid zone list ($zonelist)" if $zonelist =~ /,,/; fatal_error "Invalid zone list ($source)" if $dest =~ /,,/;
$intrazone ||= ( $zonelist =~ s/\+$// ); $intrazone ||= ( $dest =~ s/\+$// );
$wild = 1; $wild = 1;
if ( defined $rest ) { @dest = split /,/, $dest;
push( @dest , $_ . $rest ) for split /,/, $zonelist;
} else {
@dest = split /,/, $zonelist;
}
} else { } else {
@dest = ( $dest ); @dest = ( $dest );
} }
fatal_error "Invalid or missing ACTION ($target)" unless defined $action; if ( defined $rest ) {
$_ .= $rest for @source;
}
for $source ( @source ) { for $source ( @source ) {
for $dest ( @dest ) { for $dest ( @dest ) {
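Review bot: The second `if ( defined $rest )` block, the one that follows the DEST parsing, appends the DEST qualifier to `@source` — it should read `$_ .= $rest for @dest;` — so a qualified destination such as the `all:+blacklist` form shown in the release notes is attached to the source zones while the destination side is left unqualified, which is not the rule the administrator wrote. Separately, the new wildcard test `/^(all[-+]*)(:.*)?/` has no trailing anchor, so any SOURCE or DEST value that merely begins with `all` (say `allx`) is captured as `all` and silently expanded to every zone, whereas the old `^all[-+]` test combined with exact `eq` comparisons let such a value fall through to ordinary zone handling; anchoring both tests as `/^(all[-+]*)(:.*)?$/` restores that. The DEST zone-list check also reports the wrong variable, `fatal_error "Invalid zone list ($source)" if $dest =~ /,,/;`, and should print `$dest`. process_rule begins before this hunk and its source/dest loop continues past it.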


@ -24,12 +24,26 @@ None.
I I I. N E W F E A T U R E S I N T H I S R E L E A S E I I I. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Entries in the rules file (both Shorewall and Shoreall6) may now 1) Entries in the rules file (both Shorewall and Shorewall6) may now
contain zone lists in the SOURCE and DEST column. These are contain zone lists in the SOURCE and DEST column. A zone list is a
comma-separated lists of zones declared in the zones file and may comma-separated list of zone names where each name appears in the
optionally be followed by a plus sign ("+") to indicate that the zones file. A zone list may be optionally followed by a plus sign
rule should apply to intra-zone traffic as well as to inter-zone ("+") to indicate that the rule should apply to intra-zone traffic
traffic. as well as to inter-zone traffic.
Zone lists behave like 'all' and 'any' with respect to Optimization
1. If the rule matches the applicable policy for a given (source
zone, dest zone), then the rule will be suppessed for that pair of
zones unless overridden by the '!' suffix on the target in the
ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
Additionally, 'any', 'all' and zone lists may be qualified in the
same way as a single zone.
Examples:
fw,dmz:90.90.191.120/29
all:+blacklist
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S