Enhanced syntax for SOURCE and DEST columns in the rules file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-11-25 15:10:14 -08:00
parent 01306e1230
commit 799b17210c
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 103 additions and 26 deletions


@ -130,6 +130,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
split_list split_list
split_list1 split_list1
split_list2 split_list2
split_list3
split_line split_line
split_line1 split_line1
split_line2 split_line2


@ -2748,6 +2748,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
fatal_error "Unknown ACTION ($action)" unless $actiontype; fatal_error "Unknown ACTION ($action)" unless $actiontype;
$usergenerated = $actiontype & IPTABLES; $usergenerated = $actiontype & IPTABLES;
#
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
#
$source =~ s/[()]//g;
$dest =~ s/[()]//g;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
# #
@ -3777,22 +3782,8 @@ sub build_zone_list( $$$\$\$ ) {
# #
# Process a Record in the rules file # Process a Record in the rules file
# #
sub process_raw_rule ( ) { sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_;
= split_line2( 'rules file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $target eq '-';
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
next_section if $section != $next_section;
if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) { if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
progress_message "Rule \"$currentline\" ignored."; progress_message "Rule \"$currentline\" ignored.";
return 1; return 1;
@ -3858,6 +3849,44 @@ sub process_raw_rule ( ) {
progress_message qq( Rule "$thisline" $done); progress_message qq( Rule "$thisline" $done);
} }
sub process_raw_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line2( 'rules file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $target eq '-';
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
next_section if $section != $next_section;
my ( @source, @dest );
if ( $source =~ /:\(.+\)/ ) {
@source = split_list3( $source, 'SOURCE' );
} else {
@source = ( $source );
}
if ( $dest =~ /:\(.+\)/ ) {
@dest = split_list3( $dest, 'DEST' );
} else {
@dest = ( $dest );
}
for $source ( @source ) {
for $dest ( @dest ) {
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
}
}
}
sub intrazone_allowed( $$ ) { sub intrazone_allowed( $$ ) {
my ( $zone, $zoneref ) = @_; my ( $zone, $zoneref ) = @_;
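Review bot: In the new process_raw_rule, if split_list3 returns an empty list for a parenthesized SOURCE or DEST (for example an empty `()` group), the nested `for` loops at the end of the sub run zero times and the rule is silently dropped with neither a generated rule nor an error; whether split_list3 itself rejects such input is not visible in this diff, so a guard here is cheap insurance for a firewall rule that would otherwise vanish: `fatal_error "Invalid SOURCE ($source)" unless @source;` and `fatal_error "Invalid DEST ($dest)" unless @dest;` after the two `if`/`else` blocks. A second gap, inferred from the manpage text in this commit rather than the code: the detection regex `/:\(.+\)/` only triggers expansion when at least one tuple is parenthesized, so a comma-separated list of single-address tuples written without parentheses would be passed to process_raw_rule1 unsplit. As a point of style, the loops reuse the unpacked lexicals `$source` and `$dest` as loop variables; `for my $src ( @source ) { for my $dst ( @dest ) { ... } }` reads more clearly and keeps the original column values intact for any diagnostic.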


@ -907,8 +907,8 @@
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis role="bold">:</emphasis>[(]{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term> role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
<listitem> <listitem>
<para>Source hosts to which the rule applies. May be a <para>Source hosts to which the rule applies. May be a
@ -1093,6 +1093,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses.</para>
<para>Example:</para>
<variablelist>
<varlistentry>
<term>dmz:(192.168.2.2,192.168.2.3),net:(206.124.146.22,155.186.235.0/24!155.186.235.16/28)</term>
<listitem>
<para>Hosts 192.168.2.2 and 192.168.2.3 in the dmz zone, host
206.124.146.22 in the dmz zone and network 155.186.235.0/24 in
the net zone excluding 155.186.235.16/28.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1103,7 +1123,7 @@
role="bold">any</emphasis>}[<emphasis role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis role="bold">[:{</emphasis><emphasis>interface</emphasis>|[(]<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>][)]|[(]<emphasis>exclusion</emphasis>[)]|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
role="bold">random</emphasis>]]</term> role="bold">random</emphasis>]]</term>
@ -1270,6 +1290,13 @@
the port number on the firewall that the request should be the port number on the firewall that the request should be
redirected to. That is equivalent to specifying redirected to. That is equivalent to specifying
<option>$FW</option>::<replaceable>port</replaceable>.</para> <option>$FW</option>::<replaceable>port</replaceable>.</para>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses. See the
example in the SOURCE section above.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -866,9 +866,9 @@
role="bold">{all|any}</emphasis>[<emphasis role="bold">{all|any}</emphasis>[<emphasis
role="bold">+</emphasis>][<emphasis role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis role="bold">[:</emphasis><emphasis>interface</emphasis>][(][<emphasis
role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term> role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
<listitem> <listitem>
<para>Source hosts to which the rule applies. May be a zone declared <para>Source hosts to which the rule applies. May be a zone declared
@ -960,7 +960,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>dmz:2002:ce7c::92b4:1::2</term> <term>dmz:[2002:ce7c:2b4:1::2]</term>
<listitem> <listitem>
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para> <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
@ -976,7 +976,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term> <term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
<listitem> <listitem>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
@ -994,11 +994,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term> <term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
<listitem> <listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6:/80.</para> 2001:4d48:ad51:24:6::/80.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1024,7 +1024,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term> <term>loc:eth1:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
<listitem> <listitem>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
@ -1033,6 +1033,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
tupples can be listed, separated by commas. Where the
<replaceable>address-list</replaceable> consists of more than a
single address, the list must be enclosed in parentheses.</para>
<para>Example:</para>
<variablelist>
<varlistentry>
<term>dmz:([2002:c37c:92b4:1::2],[2002:c37c:92b4:1::3]),loc:eth1:([2002:cec792b4:1::2],[2002:cec792b4:1::44])</term>
<listitem>
<para>Hosts 2002:c37c:92b4:1::2 and 2002:c37c:92b4:1::3 in the
dmz zone and hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44
in the loc zone via interface eth1</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>