Generate warnings for local->non-firewall and non-firewall->local rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-23 08:03:11 +01:00 · 2013-05-16 07:51:12 -07:00 · 2013-05-16 07:51:12 -07:00 · 739f3779f5
commit 739f3779f5
parent 2e293dd356
2 changed files with 20 additions and 10 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2376,17 +2376,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# If we are processing an inline action, we need the source zone for NAT.
 	#
-	if ( $chainref->{sourcezone} ) { 
-	    $sourceref = find_zone( $chainref->{sourcezone} );
-	    unless ( $wildcard ) {
-		warning_message "The SOURCE in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex};
-	    }
-	}
+	$sourceref = find_zone( $chainref->{sourcezone} ) if $chainref->{sourcezone};
+	#
+	# And we need the dest zone for local/off-firewall/destonly checks
+	#
+	$destref   = find_zone( $chainref->{destzone}   ) if $chainref->{destzone};
    } else {
-	unless ( $wildcard ) {
-	    warning_message "The SOURCE zone in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex};
-	}
-
 	unless ( $actiontype & NATONLY ) {
 	    #
 	    # Check for illegal bridge port rule
@ -2403,6 +2398,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
 	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+	    $chainref->{destzone} = $destzone;

 	    my $policy = $chainref->{policy};

@ -2445,6 +2441,19 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	}
    }
    #
+    # Handle 'local' zone warnings
+    #
+    unless ( $wildcard ) {
+	if ( $sourceref ) {
+	    warning_message( "The SOURCE zone in this rule is 'destonly'" )                   if $sourceref->{destonly};
+
+	    if ( $destref ) {
+		warning_message( "The SOURCE zone is local and the DEST zone is off-firewall" )   if $sourceref->{local} && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
+		warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{local} && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+	    }
+	}
+    }
+    #
    # Handle actions
    #
    my $delete_action;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -750,6 +750,7 @@ sub add_group_to_zone($$$$$)
    $interfaceref = $interfaces{$interface};
    $zoneref->{interfaces}{$interface} = 1;
    $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
+    $zoneref->{local}    ||= $interfaceref->{options}{local};

    $interfaceref->{zones}{$zone} = 1;