From 80981e802ee4a4f379bc13d5567d2dfbbe267485 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 8 Nov 2003 02:38:30 +0000
Subject: [PATCH] Fix NONE policy validation and 'routeback' for wildcard interfaces

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 5 +++++
 Shorewall/firewall | 19 ++++++++++++-------
 Shorewall/policy | 4 +++-
 Shorewall/releasenotes.txt | 11 +++++++++++
 4 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 031d39f1c..2ec1d03fc 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -33,3 +33,8 @@ Changes since 1.4.7
 14) Corrected handling of /32 addresses with broadcast in maclist processing.
+
+15) Generate error for NONE policy where source or destination zone is
+ the firewall itself.
+
+16) Fix 'routeback' for wildcard interfaces.
\ No newline at end of file
diff --git a/Shorewall/firewall b/Shorewall/firewall
index a8232f3eb..482d17f68 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -636,11 +636,11 @@ validate_interfaces_file() {
 all_interfaces="$all_interfaces $interface"
 options=`separate_list $options`
- interface=`chain_base $interface`
+ iface=`chain_base $interface`
- eval ${interface}_broadcast="$subnet"
- eval ${interface}_zone="$z"
- eval ${interface}_options=\"$options\"
+ eval ${iface}_broadcast="$subnet"
+ eval ${iface}_zone="$z"
+ eval ${iface}_options=\"$options\"
 for option in $options; do
 case $option in
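Review bot: The whole routeback fix rests on `$interface` now keeping the raw device name (possibly a wildcard such as `tun+`) while `$iface` carries the chain_base-derived form used to build variable names, but nothing in the hunk records that distinction, so a later edit could collapse the two again. A comment above the `iface=` line would pin it: `# $iface is the variable-name-safe form from chain_base; $interface keeps the raw (possibly wildcard) device name for the option handling below`. The `for option in $options` loop that consumes the options, and the remainder of validate_interfaces_file(), lie past the end of the hunk, so whether every remaining use of `$interface` there really wants the raw name rather than `$iface` cannot be checked from here.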
@@ -763,7 +763,14 @@ validate_policy()
 esac
 case $policy in
- ACCEPT|REJECT|DROP|CONTINUE|NONE)
+ ACCEPT|REJECT|DROP|CONTINUE)
+ ;;
+ NONE)
+ [ "$client" = "$FW" -o "$server" = "$FW" ] && \
+ startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
+
+ [ -n "$clientwild" -o -n "$serverwild" ] && \
+ startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
 ;;
 *)
 startup_error "Invalid policy $policy"
@@ -781,8 +788,6 @@ validate_policy()
 [ "x$loglevel" = "x-" ] && loglevel=
- chain=${client}2${server}
- [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
 eval ${chain}_is_policy=Yes
diff --git a/Shorewall/policy b/Shorewall/policy
index 023a1d9f2..a32d6ba4e 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -43,7 +43,9 @@
 # with this SOURCE and DEST in the
 # /etc/shorewall/rules file. If such a
 # packet _is_ received, the result is
-# undefined.
+# undefined. NONE may not be used if the
+# SOURCE or DEST columns contain the
+# firewall zone ($FW) or "all".
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c39c4fe90..3dd145478 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
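Review bot: Both new guards in the `NONE)` arm combine two tests with `-o` inside one `[ ... ]`; POSIX marks `-a`/`-o` obsolescent because the parse becomes ambiguous when an operand happens to look like an operator, and this script is presumably run by whichever /bin/sh the host provides. Separate tests are unambiguous and, since `||` and `&&` are left-associative, the trailing `&& startup_error` still applies to the combined result: `[ "$client" = "$FW" ] || [ "$server" = "$FW" ] && \` and `[ -n "$clientwild" ] || [ -n "$serverwild" ] && \`. The values of `$clientwild` and `$serverwild` are assigned before this case statement, outside the hunk, so I am assuming they are non-empty exactly when the corresponding column is "all", as the error text states.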
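Review bot: Removing `chain=${client}2${server}` here leaves the two retained lines, `[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"` and `eval ${chain}_is_policy=Yes`, depending on `$chain` having been assigned earlier in validate_policy(); that earlier assignment is not in this hunk, so I am assuming it was moved above the `case $policy` statement rather than dropped. A one-line comment would save the next reader the same search: `# $chain was set above, before the policy value was validated`. The rest of validate_policy() continues past the end of the hunk.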
@@ -59,6 +59,17 @@ Problems Corrected since version 1.4.7:
 address with a broadcast address then an error would occur during startup.
+11) The NONE policy's intended use is to suppress the generating of
+ rules that can't possibly be traversed. This means that a policy of
+ NONE is inappropriate where the source or destination zone is
+ $FW. Shorewall now generates an error message if such a policy is
+ given in /etc/shorewall/policy. Previously such a policy caused
+ "shorewall start" to fail.
+
+12) The 'routeback' option was broken for wildcard interfaces (e.g.,
+ "tun+"). This has been corrected so that 'routeback' now works as
+ expected in this case.
+
 Migration Issues:
 1. The definition of the ROUTE_FILTER option in shorewall.conf has