From bb55ad3128152ae0bba458e947bb305d1e03ca5e Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 21 Oct 2003 15:03:02 +0000 Subject: [PATCH] Correct handling of 'complex' zones git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE/changelog.txt | 2 + STABLE/firewall | 81 +++++++++++++++++++++++++---------------- STABLE/releasenotes.txt | 7 ++++ 3 files changed, 59 insertions(+), 31 deletions(-) diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 66b3b75cb..e58b32a11 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -9,3 +9,5 @@ Changes since 1.4.7 3) Fix error handling after "Unable to determine the routes..." 4) Corrected handling of LOGUNCLEAN. + +5) Corrected handling of "complex" zones. diff --git a/STABLE/firewall b/STABLE/firewall index 45ee0654a..a83d9ee42 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -2315,6 +2315,26 @@ add_a_rule() { local natrule= + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= 
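Review bot: do_ports() reads $port, $cport and $multioption and assigns dports, sports and multiport in add_a_rule's scope without any declaration, and the hunk leaves that contract undocumented; a header comment such as `# do_ports: set dports/sports (and multiport for comma-separated lists) from $port/$cport; all are add_a_rule variables, not locals` would let the helper be read on its own. Since a function defined inside another sh function is (re)declared globally each time add_a_rule runs, the helper could equally live at top level beside the other helpers, which would also make the implicit variable sharing more visible. The `-a` inside `[ ]` is carried over from the original inline code; `[ -n "$multioption" ] && [ "$port" != "${port%,*}" ]` is the unambiguous form. add_a_rule's body continues past the end of the hunk.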
@@ -2369,25 +2389,12 @@ add_a_rule() [ x$cport = x- ] && cport= case $proto in - tcp|udp|TCP|UDP|6|17) - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - ;; + tcp|TCP|6) + do_ports + ;; + udp|UDP|17) + do_ports + ;; icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" state= @@ -4385,6 +4392,7 @@ activate_rules() [ -n "$complex" ] && \ run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain + done for zone1 in $zones; do @@ -4405,24 +4413,35 @@ activate_rules() routeback= fi - for host in $source_hosts; do - interface=${host%:*} - - if [ -n "$complex" ]; then - chain1=$frwd_chain - else - chain1=`forward_chain $interface` - fi - + if [ -n "$complex" ]; then for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} - if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain + if list_search $host1 $source_hosts && ! list_search $host1 $routeback; then + if [ `list_count $source_hosts` -gt 1 ]; then + run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain + fi + else + run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain fi done - done + else + for host in $source_hosts; do + interface=${host%:*} + + chain1=`forward_chain $interface` + + for host1 in $dest_hosts; do + interface1=${host1%:*} + subnet1=${host1#*:} + + if [ "$host" != "$host1" ] || list_search $host $routeback; then + run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain + fi + done + done + fi done done diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index 9f3ee69de..ced306244 100644 --- a/STABLE/releasenotes.txt 
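Review bot: The tcp|TCP|6 and udp|UDP|17 arms of the case $proto statement now have identical bodies, both only calling do_ports, so the split reads as unfinished; either keep a single `tcp|udp|TCP|UDP|6|17) do_ports ;;` arm or add a comment stating why the two protocols are separated (presumably to allow per-protocol handling later). do_ports itself is defined in the earlier hunk near the top of add_a_rule, and the remaining arms of the case statement lie outside this hunk.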
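Review bot: In the complex branch the new rule `run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain` negates only the subnet, whereas the else branch (and the old code) tells hosts apart by the whole interface:subnet entry; if two hosts of one zone carry the same subnet on different interfaces (constructed example: `eth1:0.0.0.0/0` and `eth2:0.0.0.0/0`), `-s ! 0.0.0.0/0` can never match and forwarding between those interfaces is silently dropped rather than permitted. I cannot see how source_hosts is assembled, so this is hedged, but if such entries are possible the complex branch should compare whole entries for that pair, or fall back to the per-interface rule the else branch emits. The subnet-negated line also deserves a why-comment, e.g. `# shared _frwd chain sees traffic from every host of the zone; exclude $subnet1 itself so routeback is still honoured`. Note that later iptables releases expect the negation as `! -s`, so the `-s !` operand order may need revisiting. activate_rules and the enclosing zone loops begin before this hunk.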
+++ b/STABLE/releasenotes.txt @@ -26,6 +26,13 @@ Problems Corrected since version 1.4.6: 4) Handling of the LOGUNCLEAN option in shorewall.conf has been corrected. +5) In Shorewall 1.4.2, an optimization was added. This optimization + involved creating a chain named "_frwd" for most zones + defined using the /etc/shorewall/hosts file. It has since been + discovered that in many cases these new chains contain redundant + rules and that the "optimization" turns out to be less than + optimal. The implementation has now been corrected. + Migration Issues: None.