From 80e08e57e85e59809c35adbe1135712ffd1e3b1a Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 24 Mar 2006 00:05:09 +0000
Subject: [PATCH] Add IMPLICIT_CONTINUE option to shorewall.conf
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3723 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 25 +++++++++++++++++++++++++
 Shorewall/firewall | 3 +++
 Shorewall/policy | 7 ++++++-
 Shorewall/releasenotes.txt | 34 +++++++++++++++++++++++++++++++++-
 Shorewall/shorewall.conf | 18 ++++++++++++++++++
 Shorewall/zones | 11 +++++++----
 7 files changed, 94 insertions(+), 6 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index daa739df6..6341c7f7f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,8 @@ Changes in 3.2.0 Beta 3
 1) Correct handling of verbosity in the 'try' command.
+2) Add IMPLICIT_CONTINUE option to shorewall.conf.
+
 Changes in 3.2.0 Beta 2
 1) Make "shorewall start -f" work correctly.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index ffcdda2a8..909076886 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -482,9 +482,11 @@ determine_zones()
 zone=${zone%:*}
 [ -n "$zone" ] || fatal_error "Invalid nested zone syntax: :$parents"
 parents=$(separate_list $parents)
+ eval ${zone}_parents=\"$parents\"
 ;;
 *)
 parents=
+ eval ${zone}_parents=
 ;;
 esac
@@ -1449,6 +1451,7 @@ validate_policy()
 local policy
 local loglevel
 local synparams
+ local parents
 print_policy() # $1 = source zone, $2 = destination zone
 {
@@ -1467,6 +1470,26 @@ validate_policy()
 eval ${chain}_policy=ACCEPT
 eval ${chain}_policychain=$chain
 ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+
+ if [ -n "$IMPLICIT_CONTINUE" ]; then
+ eval parents=\$${zone}_parents
+ if [ -n "$parents" ]; then
+ for zone1 in $ZONES $FW; do
+ chain=${zone}2${zone1}
+ eval ${chain}_is_policy=Yes
+ eval ${chain}_is_optional=Yes
+ eval ${chain}_policy=CONTINUE
+ eval ${chain}_policychain=$chain
+ ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+ chain=${zone1}2${zone}
+ eval ${chain}_is_policy=Yes
+ eval ${chain}_is_optional=Yes
+ eval ${chain}_policy=CONTINUE
+ eval ${chain}_policychain=$chain
+ ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+ done
+ fi
+ fi
 done
 strip_file policy
@@ -8928,6 +8951,7 @@ do_initialize() {
 SAVE_IPSETS=
 RESTOREFILE=
 MAPOLDACTIONS=
+ IMPLICIT_CONTINUE=
 OUTPUT=
 TMP_DIR=
@@ -9126,6 +9150,7 @@ do_initialize() {
 SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
 MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
 FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
+ IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
 case ${IPSECFILE:=ipsec} in
 ipsec|zones)
diff --git a/Shorewall/firewall b/Shorewall/firewall
index a9a2d7f4a..eb10a3d1c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2956,6 +2956,7 @@ do_initialize() {
 SAVE_IPSETS=
 RESTOREFILE=
 MAPOLDACTIONS=
+ IMPLICIT_CONTINUE=
 RESTOREBASE=
 TMP_DIR=
@@ -3153,6 +3154,8 @@ do_initialize() {
 SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
 MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
 FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
+ IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
+
 case ${IPSECFILE:=ipsec} in
 ipsec|zones)
diff --git a/Shorewall/policy b/Shorewall/policy
index 220e7fd4a..3a417960d 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
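Review bot: In the new `for zone1 in $ZONES $FW` loop inside validate_policy, `zone1` also takes the value of `$zone` itself, so that pass computes the same chain name `${zone}2${zone}` in both halves of the body, appends it to ALL_POLICY_CHAINS twice, and sets its `_policy` to CONTINUE; if, as the context lines directly above the added block suggest, that chain has just been given an ACCEPT policy (the enclosing `for` head is outside the hunk, so this is inferred), the intra-zone policy of every sub-zone is silently changed. Unless falling through to the parent's intra-zone rules is intended, guard the body with `[ "$zone1" = "$zone" ] && continue` as its first statement. The two five-line blocks that register `${zone}2${zone1}` and `${zone1}2${zone}` differ only in the chain name and would read more clearly as one small helper called twice. A comment such as `# IMPLICIT_CONTINUE is normalized to Yes or empty in do_initialize (added_param_value_no)` would explain why the `[ -n "$IMPLICIT_CONTINUE" ]` test is sufficient here.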
@@ -18,6 +18,11 @@
 # entry in this file. The overriding entry must be explicit (cannot use
 # "all" in the SOURCE or DEST).
 #
+# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+# the implicit policy to/from any sub-zone is CONTINUE. These implicit
+# CONTINUE policies may also be overridden by an explicit entry in this
+# file.
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
@@ -93,7 +98,7 @@
 # net all DROP info
 # #
 # # THE FOLLOWING POLICY MUST BE LAST
-# #
+# #
 # all all REJECT info
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 71758fe56..b26061845 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -34,7 +34,39 @@ Problems Corrected in 3.2.0 Beta 3
 Other changes in 3.2.0 Beta 2
-None.
+2) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
+ this option is set to "Yes", it causes subzones to be treated differently
+ with respect to policies.
+
+ Subzones are defined by following their name by ":" and a list of parent
+ zones (in /etc/shorewall/zones). Normally, you want to have a set of
+ special rules for the subzone and if a connection doesn't match any of
+ those subzone-specific rules then you want the parent zone rules to be
+ applied. with IMPLICIT_CONTINUE=Yes, that happens automatically.
+
+ If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
+ subzones are not subject to this special treatment.
+
+ With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
+ by including an explicit policy (one that does not specify "all" in either
+ the SOURCE or the DEST columns).
+
+ Example:
+
+ /etc/shorewall/zones:
+
+ par ipv4
+ chld:par ipv4
+
+ And traffic to/from the 'chld' zone will first pass through the applicable
+ 'chld' rules and if none of those rules match then it will be passed through
+ the appropriate 'par' rules. If you want the fw->chld policy to be
+ ACCEPT, simply add this entry to /etc/shorewall/policy:
+
+ $FW chld ACCEPT
+
+ Traffic from all other zones to 'chld' will be subject to the implicit
+ CONTINUE policy.
 Migration Considerations:
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 2380a2e2d..b44b3968f 100644
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -843,6 +843,24 @@ MAPOLDACTIONS=No
 FASTACCEPT=No
+#
+# Implicit CONTINUE policy for sub-zones
+#
+# When a zone is declared to be a subzone of one or more other zones, it
+# is typically the case that you want the rules for the parent zone(s) to
+# be applied to connections to/from the subzone that don't match any
+# subzone specific rules. That way, you don't have to duplicate the parent
+# zone's rules in order for them to also apply to the subzone(s). That is
+# the behavior with IMPLICIT_CONTINUE=Yes. If you don't want that behavior
+# and want the policies for the sub-zone to be determined by the standard
+# policy processing, set IMPLICIT_CONTINUE=No or IMPLICIT_CONTINUE=.
+#
+# Note that even with IMPLICIT_CONTINUE=Yes, you can override the implicit
+# CONTINUE policy for connections by adding an explicit policy (one that
+# does not contain "all" in either the SOURCE or DEST columns).
+
+IMPLICIT_CONTINUE=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall/zones b/Shorewall/zones
index eddc5cd42..da5cf5b52 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
@@ -34,10 +34,13 @@
 # b ipv4
 # c:a,b ipv4
 #
-# Currently, Shorewall uses this information only to reorder the
+# Currently, Shorewall uses this information to reorder the
 # zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
+# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+# also create implicit CONTINUE policies to/from the subzone.
+#
+# In the future, Shorewall may make additional use
+# of nesting information.
 #
 # TYPE ipv4 - This is the standard Shorewall zone type and is the
 # default if you leave this column empty or if you enter
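Review bot: `IMPLICIT_CONTINUE=Yes` in the shipped shorewall.conf turns the new sub-zone CONTINUE policies on for fresh installs, while a configuration that predates the option receives the `added_param_value_no` default, which the release notes describe as leaving sub-zones "not subject to this special treatment"; the two installation paths therefore apply different policies to traffic to and from nested zones. The comment block should state the absent-option default explicitly, e.g. `# If this option is not set, the default is No.` after the "Note that" paragraph, and the Migration Considerations section of releasenotes.txt (hunk at -34) should tell upgraders that they must add the setting to obtain the behavior described there. Because a CONTINUE policy changes which rules decide a connection's fate, documenting the default next to the option keeps the two paths from diverging unnoticed.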
@@ -79,7 +82,7 @@
 # strict Means that packets must match all rules.
 #
 # next Separates rules; can only be used with
-# strict..
+# strict
 #
 # Example:
 # mode=transport,reqid=44