Generate warnings for local->non-firewall and non-firewall->local rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-05-16 07:51:12 -07:00
parent 2e293dd356
commit 739f3779f5
2 changed files with 20 additions and 10 deletions


@ -2376,17 +2376,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
# #
# If we are processing an inline action, we need the source zone for NAT. # If we are processing an inline action, we need the source zone for NAT.
# #
if ( $chainref->{sourcezone} ) { $sourceref = find_zone( $chainref->{sourcezone} ) if $chainref->{sourcezone};
$sourceref = find_zone( $chainref->{sourcezone} ); #
unless ( $wildcard ) { # And we need the dest zone for local/off-firewall/destonly checks
warning_message "The SOURCE in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex}; #
} $destref = find_zone( $chainref->{destzone} ) if $chainref->{destzone};
}
} else { } else {
unless ( $wildcard ) {
warning_message "The SOURCE zone in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex};
}
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
# #
# Check for illegal bridge port rule # Check for illegal bridge port rule
@ -2403,6 +2398,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
# #
( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone; ( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
$chainref->{destzone} = $destzone;
my $policy = $chainref->{policy}; my $policy = $chainref->{policy};
@ -2445,6 +2441,19 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
} }
} }
# #
# Handle 'local' zone warnings
#
unless ( $wildcard ) {
if ( $sourceref ) {
warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
if ( $destref ) {
warning_message( "The SOURCE zone is local and the DEST zone is off-firewall" ) if $sourceref->{local} && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{local} && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
}
}
}
#
# Handle actions # Handle actions
# #
my $delete_action; my $delete_action;
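Review bot: The relocated destonly warning (`warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};`) drops the `! $sourceref->{complex}` guard that the removed lines in the first hunk carried, so a complex zone that merely contains a destonly interface now warns where it previously stayed silent; if that is intended the commit message should say so, otherwise restore `if $sourceref->{destonly} && ! $sourceref->{complex};`. The new local/off-firewall checks only run when `$wildcard` is false and both `$sourceref` and `$destref` resolved, so wildcard rules and rules whose DEST zone was not found get no diagnostic at all — presumably deliberate, but a one-line comment on the `unless ( $wildcard )` explaining why those rules are exempt would save the next reader from guessing. The two new messages also quote 'local' inconsistently; `"The SOURCE zone is 'local' and the DEST zone is off-firewall"` would match the second. process_rule begins before and continues after this hunk, and the non-inline path's assignment of `$destref` is not visible here.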


@ -750,6 +750,7 @@ sub add_group_to_zone($$$$$)
$interfaceref = $interfaces{$interface}; $interfaceref = $interfaces{$interface};
$zoneref->{interfaces}{$interface} = 1; $zoneref->{interfaces}{$interface} = 1;
$zoneref->{destonly} ||= $interfaceref->{options}{destonly}; $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
$zoneref->{local} ||= $interfaceref->{options}{local};
$interfaceref->{zones}{$zone} = 1; $interfaceref->{zones}{$zone} = 1;
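Review bot: `$zoneref->{local} ||= $interfaceref->{options}{local};` marks the whole zone local as soon as any single interface in it carries the option, so a zone mixing local and non-local interfaces will trip the new local/off-firewall warnings in Rules.pm for every rule touching it. The sibling `destonly` flag on the line above follows the same `||=` pattern, but its consumer previously guarded on `$zoneref->{complex}`; consider whether `local` needs the same guard, or document the intent with a comment such as `# any 'local' interface makes the zone local for the rule sanity checks`. add_group_to_zone starts and ends outside this hunk.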