diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 3cb5dd943..78d759c65 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -19,6 +19,8 @@ Changes in 2.2.4 8) Add '-v' option +9) Allow 'none' in /etc/shorewall/rules. + Changes in 2.2.3 1) Added the 'continue' extension script. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index cff3bc873..508fcaee3 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -4588,7 +4588,7 @@ process_rules() } do_it() { - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec + expandv xprotocol xports xcports xaddress xratelimit xuserspec if [ "x$xclients" = xall ]; then xclients="$zones $FW" @@ -4596,13 +4596,13 @@ process_rules() xservers="$zones $FW" fi process_wildcard_rule - continue + return fi if [ "x$xservers" = xall ]; then xservers="$zones $FW" process_wildcard_rule - continue + return fi rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" @@ -4610,7 +4610,11 @@ process_rules() } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - expandv xtarget + expandv xtarget xclients xservers + + if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then + continue + fi case "${xtarget%%:*}" in ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) diff --git a/Shorewall2/functions b/Shorewall2/functions index 80c5ef2d5..66b89e8d4 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions @@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file [ -n "$zone" ] && case "$zone" in \#*) ;; - $FW) + $FW|all|none) echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2 ;; *) diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e26a3814b..8f64532a7 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
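Review bot: The new skip test in the third `firewall` hunk reads `"x$servers"`, but the variable filled by `read` (and expanded by the preceding `expandv xtarget xclients xservers`) is `xservers`, so unless a separate `servers` variable is set somewhere else in process_rules (not visible here) the DEST half of the check is always false and `none` in the DEST column is never honoured, contrary to the rules/releasenotes text added in this same commit. In a firewall rule compiler that matters: a rule the administrator meant to disable via `DEST=$SOMEVAR` with the variable set to `none` would instead reach the zone handling below with a literal `none` destination, and whether that is rejected or silently mis-processed depends on validation code outside the hunk. The line should read `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then`. The `while read … do` loop body continues past the end of the hunk.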
@@ -157,6 +157,19 @@ New Features in version 2.2.4 MAC address in the log message (if any) to be displayed. As previously, when "-v" is omitted, the MAC address is suppressed. +7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or + DEST columns now causes the rule to be ignored. This is most useful + when used with shell variables: + + Example: + + /etc/shorewall/rules: + + AllowFTP $FTP_CLIENTS fw + + When FTP_CLIENTS is set to 'none', the above rule is ignored. + Otherwise, the rule is evaluated and generates iptables rules. + ----------------------------------------------------------------------- Problems corrected in version 2.2.3 diff --git a/Shorewall2/rules b/Shorewall2/rules index c3ec0fff9..06b40d5a6 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -112,11 +112,14 @@ # # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, or "all" If the ACTION is DNAT or +# firewall itself, "all" or "none" If the ACTION is DNAT or # REDIRECT, sub-zones of the specified zone may be # excluded from the rule by following the zone name with # "!' and a comma-separated list of sub-zone names. # +# When "none" is used either in the SOURCE or DEST column, +# the rule is ignored. +# # When "all" is used either in the SOURCE or DEST column # intra-zone traffic is not affected. You must add # separate rules to handle that traffic. @@ -157,7 +160,10 @@ # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones, $FW to indicate the firewall -# itself or "all" +# itself, "all" or "none". +# +# When "none" is used either in the SOURCE or DEST column, +# the rule is ignored. # # When "all" is used either in the SOURCE or DEST column # intra-zone traffic is not affected. You must add