From 9483f891fc3fffd70d981bfbb74621fa59102811 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 11 Nov 2002 19:21:47 +0000
Subject: [PATCH] Allow 'all' in rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 81 ++++++++++++++++++++++++++++++++--------------
 Shorewall/rules | 32 +++++++++---------
 2 files changed, 74 insertions(+), 39 deletions(-)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index e556a5a07..43c7637c6 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -803,7 +803,7 @@ validate_rule() {
 # Validate the Source Zone
 #
 if ! validate_zone $clientzone; then
- startup_error "Error: Undefined Client Zone in rule \"$rule\""
+ [ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
 fi
 
 source=$clientzone
@@ -835,7 +835,7 @@ validate_rule() {
 # Validate the destination zone
 #
 if ! validate_zone $serverzone; then
- startup_error "Error: Undefined Server Zone in rule \"$rule\""
+ [ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
 fi
 
 dest=$serverzone
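Review bot: The new `[ "x$clientzone" = xall ] ||` guard suppresses the error for the bare word `all`, but validate_rule then continues with `source=$clientzone` holding a literal `all` that validate_zone has just rejected, so whatever the rest of validate_rule (outside this hunk) does with `$source` now has to cope with a pseudo-zone it cannot look up; the second hunk does the same for `$serverzone`/`dest`. If the checks that follow only need real zone names, the intent reads more directly as `if [ "x$clientzone" != xall ] && ! validate_zone $clientzone; then`, which also avoids calling validate_zone on a value that is not a zone. A comment such as `# "all" is a wildcard expanded by process_rules(); accept it here without a zone lookup` would tell the next reader where the expansion actually happens.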
@@ -1976,17 +1976,22 @@ add_a_rule() # # Process a record from the rules file # -# The caller has loaded the column contents from the record into the following -# variables: -# -# target clients servers protocol ports cports address -# -# and has loaded a space-separated list of their values in "rule". -# -# The 'multioption' variable has also been loaded appropriately to reflect -# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf -# -process_rule() { +process_rule() # $1 = target + # $2 = clients + # $3 = servers + # $4 = protocol + # $5 = ports + # $6 = cports + # $7 = address +{ + local target="$1" + local clients="$2" + local servers="$3" + local protocol="$4" + local ports="$5" + local cports="$6" + local address="$7" + local rule="`echo $target $clients $servers $protocol $ports $cports $address`" # Function Body -- isolate log level 
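Review bot: process_rule now reads its seven columns from `$1`..`$7`, but its callers in the following hunk pass them unquoted (`process_rule $xtarget $xclients $xservers ...`), so a column whose expanded value is empty silently shifts every later column one position left and `$7` ends up empty; the old variable-based contract could not be shifted that way. Quoting at the call sites, `process_rule "$xtarget" "$xclients" "$xservers" "$xprotocol" "$xports" "$xcports" "$xaddress"`, keeps the positions fixed, or the header comment should state that no column may be empty. The rewritten header also dropped the note that the caller sets `multioption` from the MULTIPORT setting; if process_rule still reads it, a line like `# Caller has set 'multioption' to reflect MULTIPORT in shorewall.conf` belongs back in the header. process_rule's body continues beyond this hunk.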
@@ -2123,20 +2128,48 @@ process_rule() { # process_rules() # $1 = name of rules file { + process_wildcard_rule() { + for yclients in $xclients; do + for yservers in $xservers; do + if [ "${yclients}" != "${yservers}" ] ; then + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress + elif havechain ${yclients}2${yservers} ; then + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress + fi + done + done + } + strip_file rules - while read target clients servers protocol ports cports address; do - case "$target" in + while read xtarget xclients xservers xprotocol xports xcports xaddress; do + case "$xtarget" in - ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) - expandv clients servers protocol ports cports address - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - process_rule - ;; - *) - rule="`echo $target $clients $servers $protocol $ports $cports $address`" - fatal_error "Error: Invalid Target in rule \"$rule\"" - ;; + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) + expandv xclients xservers xprotocol xports xcports xaddress + + if [ "x$xclients" = xall ]; then + xclients="$zones $FW" + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + fi + process_wildcard_rule + continue + fi + + if [ "x$xservers" = xall ]; then + xservers="$zones $FW" + process_wildcard_rule + continue + fi + + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress + ;; + *) + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" + fatal_error "Error: Invalid Target in rule \"$rule\"" + ;; + esac done < $TMP_DIR/rules } diff --git a/Shorewall/rules b/Shorewall/rules index 39a81eb4d..cff2b3f70 100755 --- a/Shorewall/rules +++ b/Shorewall/rules 
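Review bot: The wildcard test `[ "x$xclients" = xall ]` matches only the bare word, so a qualified source such as `all:<hosts>` or `all!<subzones>` — which the accompanying rules-file comment says is not permitted with `all` — is neither expanded nor rejected here and reaches process_rule as if `all` were an ordinary zone; the same holds for `$xservers`. A check before the expansion, `case "$xclients" in all:*|all!*) fatal_error "Error: \"all\" may not be qualified in rule \"$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress\"" ;; esac` (and the same for `$xservers`), would make the documented restriction hold. Separately, `process_wildcard_rule` is (re)defined inside process_rules on every call and exchanges data with it only through the unlocalized `x*` variables, with `yclients`/`yservers` likewise left global; a top-level definition with `local yclients yservers` and a comment stating that it expects the `x*` variables to be set is the usual shape in this file. It is also worth a comment next to `xclients="$zones $FW"` that `all` includes the firewall itself, since a broad `ACCEPT all all` rule then generates accept rules for every zone pair the firewall has a chain for, including traffic to and from the firewall.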
@@ -32,17 +32,18 @@
 # logged at the specified level.
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones or $FW to indicate the
-# firewall itself. If the ACTION is DNAT or REDIRECT,
-# sub-zones of the specified zone may be excluded from
-# the rule by following the zone name with "!' and a
-# comma-separated list of sub-zone names.
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, or "all" If the ACTION is DNAT or
+# REDIRECT, sub-zones of the specified zone may be
+# excluded from the rule by following the zone name with
+# "!' and a comma-separated list of sub-zone names.
 #
-# Clients may be further restricted to a list of subnets
-# and/or hosts by appending ":" and a comma-separated
-# list of subnets and/or hosts. Hosts may be specified
-# by IP or MAC address; mac addresses must begin with
-# "~" and must use "-" as a separator.
+# Except when "all" is specified, clients may be further
+# restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
 #
 # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
 #
@@ -64,12 +65,13 @@
 # as described above (e.g., loc:eth1:192.168.1.5).
 #
 # DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones or $FW to indicate the firewall
-# itself.
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself or "all"
 #
-# The server may be further restricted to a particular
-# subnet, host or interface by appending ":" and the
-# subnet, host or interface. See above.
+# Except when "all" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
 #
 # Restrictions:
 #