Allow 'all' in rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-11-11 19:21:47 +00:00
parent 0ad28aae80
commit 9483f891fc
2 changed files with 74 additions and 39 deletions


@ -803,7 +803,7 @@ validate_rule() {
# Validate the Source Zone # Validate the Source Zone
# #
if ! validate_zone $clientzone; then if ! validate_zone $clientzone; then
startup_error "Error: Undefined Client Zone in rule \"$rule\"" [ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
fi fi
source=$clientzone source=$clientzone
@ -835,7 +835,7 @@ validate_rule() {
# Validate the destination zone # Validate the destination zone
# #
if ! validate_zone $serverzone; then if ! validate_zone $serverzone; then
startup_error "Error: Undefined Server Zone in rule \"$rule\"" [ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
fi fi
dest=$serverzone dest=$serverzone
@ -1976,17 +1976,22 @@ add_a_rule()
# #
# Process a record from the rules file # Process a record from the rules file
# #
# The caller has loaded the column contents from the record into the following process_rule() # $1 = target
# variables: # $2 = clients
# # $3 = servers
# target clients servers protocol ports cports address # $4 = protocol
# # $5 = ports
# and has loaded a space-separated list of their values in "rule". # $6 = cports
# # $7 = address
# The 'multioption' variable has also been loaded appropriately to reflect {
# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf local target="$1"
# local clients="$2"
process_rule() { local servers="$3"
local protocol="$4"
local ports="$5"
local cports="$6"
local address="$7"
local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
# Function Body -- isolate log level # Function Body -- isolate log level
@ -2123,20 +2128,48 @@ process_rule() {
# #
process_rules() # $1 = name of rules file process_rules() # $1 = name of rules file
{ {
process_wildcard_rule() {
for yclients in $xclients; do
for yservers in $xservers; do
if [ "${yclients}" != "${yservers}" ] ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress
elif havechain ${yclients}2${yservers} ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress
fi
done
done
}
strip_file rules strip_file rules
while read target clients servers protocol ports cports address; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$target" in case "$xtarget" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
expandv clients servers protocol ports cports address expandv xclients xservers xprotocol xports xcports xaddress
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
process_rule if [ "x$xclients" = xall ]; then
;; xclients="$zones $FW"
*) if [ "x$xservers" = xall ]; then
rule="`echo $target $clients $servers $protocol $ports $cports $address`" xservers="$zones $FW"
fatal_error "Error: Invalid Target in rule \"$rule\"" fi
;; process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Error: Invalid Target in rule \"$rule\""
;;
esac esac
done < $TMP_DIR/rules done < $TMP_DIR/rules
} }
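Review bot: The wildcard tests in process_rules (`[ "x$xclients" = xall ]` and the matching `xservers` test) only match the bare word `all`, while the two validate_rule hunks at the top of this section now accept a client or server zone of `all` unconditionally; a column such as `all:192.168.1.1` or `all!dmz` therefore seems to skip the expansion, reach process_rule unexpanded, and then pass validation with a zone name that is never defined (how clientzone is split out of the column happens outside the hunk, so this is inferred). Since process_rules always expands `all` before calling process_rule, the validate_rule bypass could simply be dropped, or the qualified forms rejected up front, e.g. `all:*|all!*) fatal_error "Error: \"all\" may not be qualified in rule \"$xtarget $xclients $xservers ...\"" ;;` in a case on the zone column, which also matches what the rules-file header says about `all`. A comment on process_wildcard_rule would help the next reader: `# Same-zone pairs are emitted only when a <zone>2<zone> chain already exists; otherwise they are skipped silently`. The validate_rule hunks show only fragments of that function; process_rules is shown in full.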


@ -32,17 +32,18 @@
# logged at the specified level. # logged at the specified level.
# #
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT, # firewall itself, or "all" If the ACTION is DNAT or
# sub-zones of the specified zone may be excluded from # REDIRECT, sub-zones of the specified zone may be
# the rule by following the zone name with "!' and a # excluded from the rule by following the zone name with
# comma-separated list of sub-zone names. # "!' and a comma-separated list of sub-zone names.
# #
# Clients may be further restricted to a list of subnets # Except when "all" is specified, clients may be further
# and/or hosts by appending ":" and a comma-separated # restricted to a list of subnets and/or hosts by
# list of subnets and/or hosts. Hosts may be specified # appending ":" and a comma-separated list of subnets
# by IP or MAC address; mac addresses must begin with # and/or hosts. Hosts may be specified by IP or MAC
# "~" and must use "-" as a separator. # address; mac addresses must begin with "~" and must use
# "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
@ -64,12 +65,13 @@
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., loc:eth1:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself. # itself or "all"
# #
# The server may be further restricted to a particular # Except when "all" is specified, the server may be
# subnet, host or interface by appending ":" and the # further restricted to a particular subnet, host or
# subnet, host or interface. See above. # interface by appending ":" and the subnet, host or
# interface. See above.
# #
# Restrictions: # Restrictions:
# #