extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-14 03:34:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow specific policy to supersede a wildcard policy

Browse Source
This commit is contained in:
Tom Eastep 2009-11-23 10:02:04 -08:00
parent b30cae89e3
commit 532105ec39
3 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Shorewall/Perl/Shorewall/Policy.pm
View File

@ -107,6 +107,7 @@ sub set_policy_chain($$$$$)
$chainref1->{policychain} = $chainref->{name};
}
$chainref1->{expanded} = 1;
$chainref1->{policy} = $policy;
$chainref1->{policypair} = [ $source, $dest ];
}
@ -221,11 +222,20 @@ sub process_a_policy() {
if ( $chainref->{provisional} ) {
$chainref->{provisional} = 0;
$chainref->{policy} = $policy;
} elsif ( $chainref->{expanded} ) {
$chainref->{expanded} = 0;
$chainref->{policy} = $policy;
} else {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
}
} elsif ( $chainref->{policy} ) {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
if ( $chainref->{expanded} ) {
$chainref->{expanded} = 0;
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} else {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
}
} else {
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );

2
Shorewall/changelog.txt
View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.5
4) Allow zone::serverport in rules DEST column.
5) Allow specific policy to supersede a wildcard policy.
Changes in Shorewall 4.4.4
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

12
Shorewall/releasenotes.txt
View File

@ -215,6 +215,18 @@ None.
been created to handle the request. So such rules should probably
exclude the firewall's IP addresses in the ORIGINAL DEST column.
2) Previously, the following sequence of policies would produce a
'Duplicate Policy' error:
$FW all ACCEPT
$FW dmz REJECT info
Begining with 4.4.5, this sequence produces the same result as this
one:
$FW dmz REJECT info
$FW all ACCEPT
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0
----------------------------------------------------------------------------