From 97eaf708d3f1bf713cb3b058a73f25602a3b7591 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 2 Feb 2006 17:35:28 +0000 Subject: [PATCH] Remove special exclusion syntax for DNAT/REDIRECT/SAME git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3423 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 +++- Shorewall/compiler | 28 +--------------------------- Shorewall/releasenotes.txt | 18 ++++++++++++++++++ Shorewall/rules | 6 +----- 4 files changed, 23 insertions(+), 33 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 2ef6e1c7e..ae0c467e0 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -41,4 +41,6 @@ Changes in 3.1.x. 20) Speed up compilation by rewriting 'fix_bang()'. -21) Correct GATEWAY handling in the providers file. \ No newline at end of file +21) Correct GATEWAY handling in the providers file. + +22) Remove sub-zone exclusion from DNAT/REDIRECT. \ No newline at end of file diff --git a/Shorewall/compiler b/Shorewall/compiler index 955c382dd..e013ad1f4 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -4845,10 +4845,6 @@ __EOF__ target1="REDIRECT --to-port $servport" fi - if [ $source = $FW ]; then - [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" - fi - # Generate nat table rules if [ "$source" = "$FW" ]; then @@ -4875,7 +4871,7 @@ __EOF__ done fi else - if [ -n "${excludesource}${excludedests}${excludezones}" ]; then + if [ -n "${excludesource}${excludedests}" ]; then build_exclusion_chain chain nat "$excludesource" $excludedests if [ $addr = detect ]; then @@ -4892,13 +4888,6 @@ __EOF__ done fi - for z in $(separate_list $excludezones); do - eval hosts=\$${z}_hosts - for host in $hosts; do - addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN - done - done - if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat fi 
@@ -5504,21 +5493,6 @@ __EOF__ ;; esac - if [ "$clientzone" = "${clientzone%!*}" ]; then - excludezones= - else - excludezones="${clientzone#*!}" - clientzone="${clientzone%!*}" - - case $logtarget in - DNAT|REDIRECT|SAME) - ;; - *) - fatal_error "Exclude zone only allowed with DNAT, SAME or REDIRECT" - ;; - esac - fi - validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" # Parse and validate destination diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index a24d1a473..cb12b9b68 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -54,6 +54,24 @@ Migration Considerations: These changes have been made to ensure no unexpected ports are opened due to the use of macros. +2) In previous Shorewall releases, DNAT and REDIRECT rules supported a + special syntax for exclusion of a subnet from the effect of the rule. + + Example: + + Z2 is a subzone of Z1: + + DNAT Z1!Z2 loc:192.168.1.4 ... + + That syntax has never worked correctly when Z2 is a dynamic zone. + Furthermore, now that Shorewall supports exclusion lists the capability + is redundant since the above rule can now be written in the form: + + DNAT Z1:! loc:192.168.1.4 ... + + Beginning with Shorewall 3.2.0, the special exclusion syntax will no + longer be supported. + New Features: 1) A new 'shorewall generate' command has been added. diff --git a/Shorewall/rules b/Shorewall/rules index cd20c6589..c89c7689e 100755 --- a/Shorewall/rules +++ b/Shorewall/rules 
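Review bot: With the `${clientzone%!*}` parsing removed, a rules file that still uses the old `Z1!Z2` form now hands `Z1!Z2` straight to `validate_zone`, and the only diagnostic the administrator gets is `Undefined Client Zone in rule ...`, which says nothing about the syntax having been dropped or what replaces it. Rejecting the rule is the right fail-closed outcome (a DNAT/REDIRECT must never silently lose its exclusion), but since this same commit documents the migration in the release notes, the compiler could say so explicitly, e.g. just before the `validate_zone` call: `case $clientzone in *!*) fatal_error "Sub-zone exclusion (ZONE!SUBZONE) is no longer supported in rule \"$rule\"; use an exclusion list (ZONE:!hosts) instead" ;; esac`. This assumes the `:!hosts` exclusion list has already been split off `$clientzone` by this point, as the unconditional `validate_zone $clientzone` call implies, and that `validate_zone` itself rejects names containing `!` — neither is visible in the hunk. The enclosing rule-parsing code starts and ends outside the hunk.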
@@ -161,11 +161,7 @@
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all", "all+" or "none" If the ACTION
-# is DNAT or REDIRECT, sub-zones of the specified zone
-# may be excluded from the rule by following the zone
-# name with "!' and a comma-separated list of sub-zone
-# names.
+# firewall itself, "all", "all+" or "none".
 #
 # When "none" is used either in the SOURCE or DEST
 # column, the rule is ignored.