Add ZONE2ZONE option to shorewall.conf

This commit is contained in:
Tom Eastep 2009-11-10 14:12:55 -08:00
parent 7120a73f0e
commit bf8c38e054
18 changed files with 103 additions and 33 deletions


@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -200,6 +200,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -85,6 +85,7 @@ our %EXPORT_TAGS = (
decr_cmd_level decr_cmd_level
chain_base chain_base
forward_chain forward_chain
canonical_chain
zone_forward_chain zone_forward_chain
use_forward_chain use_forward_chain
input_chain input_chain
@ -667,6 +668,13 @@ sub chain_base($) {
$chain; $chain;
} }
#
# Name of canonical chain
#
sub canonical_chain ($$) {
join "$config{ZONE2ZONE}", @_;
}
# #
# Forward Chain for an interface # Forward Chain for an interface
# #
@ -756,7 +764,7 @@ sub use_input_chain($) {
# #
# Use the '<zone>2fw' chain if it is referenced. # Use the '<zone>2fw' chain if it is referenced.
# #
$chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )}; $chainref = $filter_table->{canonical_chain( $zone, firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
@ -800,7 +808,7 @@ sub use_output_chain($) {
# #
# Use the 'fw2<zone>' chain if it is referenced. # Use the 'fw2<zone>' chain if it is referenced.
# #
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; $chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} ) ! ( $chainref->{referenced} || $chainref->{is_policy} )
} }
@ -1172,7 +1180,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced}; finish_chain_section $chainref, $sections if $chainref->{referenced};
} }
} }
@ -1199,12 +1207,12 @@ sub set_mss( $$$ ) {
for my $z ( all_zones ) { for my $z ( all_zones ) {
if ( $direction eq '_in' ) { if ( $direction eq '_in' ) {
set_mss1 "${zone}2${z}" , $mss; set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
} elsif ( $direction eq '_out' ) { } elsif ( $direction eq '_out' ) {
set_mss1 "${z}2${zone}", $mss; set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
} else { } else {
set_mss1 "${z}2${zone}", $mss; set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
set_mss1 "${zone}2${z}", $mss; set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
} }
} }
} }
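Review bot: `canonical_chain` reads `$config{ZONE2ZONE}` at every call, and nothing in the function guards against it being undefined; if any caller runs before the default is filled in, `join` silently produces names like `fwnet` (an "uninitialized value" warning at most) rather than failing, so an `assert`/`fatal_error` on `defined $config{ZONE2ZONE}` would make that ordering dependency visible — this is inferred, since the call order is outside the hunk. The interpolation in `join "$config{ZONE2ZONE}", @_;` is unnecessary; `join $config{ZONE2ZONE}, @_;` is the plain form. The function also deserves more than "Name of canonical chain": `# Return the name of the chain for traffic from zone $_[0] to zone $_[1]: the two names joined by the ZONE2ZONE separator ('2' or '-').` The `${zone}`/`${z}` braces in the set_mss hunk are leftovers from string interpolation and can be plain `$zone`, `$z` now that they are sub arguments (same in the Policy.pm, Rules.pm and Tunnels.pm hunks).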


@ -441,6 +441,7 @@ sub initialize( $ ) {
WIDE_TC_MARKS => undef, WIDE_TC_MARKS => undef,
TRACK_PROVIDERS => undef, TRACK_PROVIDERS => undef,
LOGICAL_NAMES => undef, LOGICAL_NAMES => undef,
ZONE2ZONE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -549,6 +550,7 @@ sub initialize( $ ) {
WIDE_TC_MARKS => undef, WIDE_TC_MARKS => undef,
TRACK_PROVIDERS => undef, TRACK_PROVIDERS => undef,
LOGICAL_NAMES => undef, LOGICAL_NAMES => undef,
ZONE2ZONE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -2411,6 +2413,14 @@ sub get_configuration( $ ) {
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
default_yes_no 'LOGICAL_NAMES' , ''; default_yes_no 'LOGICAL_NAMES' , '';
my $val;
if ( defined ( $val = $config{ZONE2ZONE} ) ) {
fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
} else {
$config{ZONE2ZONE} = '2';
}
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
default 'BLACKLIST_DISPOSITION' , 'DROP'; default 'BLACKLIST_DISPOSITION' , 'DROP';
@ -2425,8 +2435,6 @@ sub get_configuration( $ ) {
default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'SMURF_LOG_LEVEL', '';
default_log_level 'LOGALLNEW', ''; default_log_level 'LOGALLNEW', '';
my $val;
$globals{MACLIST_TARGET} = 'reject'; $globals{MACLIST_TARGET} = 'reject';
if ( $val = $config{MACLIST_DISPOSITION} ) { if ( $val = $config{MACLIST_DISPOSITION} ) {
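Review bot: The new ZONE2ZONE validation in get_configuration rejects an empty setting (`ZONE2ZONE=`) as invalid, because `defined` is true for `''` and `/^[2-]$/` then fails, whereas the neighbouring options go through the `default` helper (`default 'BLACKLIST_DISPOSITION' , 'DROP';`); if `default` fills in empty values as it does undefined ones (its body is outside the hunk), the same idiom would be more consistent: `default 'ZONE2ZONE', '2';` followed by `fatal_error "Invalid ZONE2ZONE value ( $config{ZONE2ZONE} )" unless $config{ZONE2ZONE} =~ /\A[2-]\z/;`. Using `\A`/`\z` instead of `^`/`$` also stops a value with a trailing newline from passing the check. The `my $val;` that was moved up keeps its later use by MACLIST_DISPOSITION working, so that part is fine.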


@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
{ {
my ($source, $dest, $policy, $optional) = @_; my ($source, $dest, $policy, $optional) = @_;
my $chainref = new_chain( 'filter', "${source}2${dest}" ); my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) );
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional ); convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) { sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}"; my $chain = canonical_chain( ${zone}, ${zone1} );
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
if ( $chainref ) { if ( $chainref ) {
@ -211,7 +211,7 @@ sub process_a_policy() {
} }
} }
my $chain = "${client}2${server}"; my $chain = canonical_chain( ${client}, ${server} );
my $chainref; my $chainref;
if ( defined $filter_table->{$chain} ) { if ( defined $filter_table->{$chain} ) {
@ -252,19 +252,19 @@ sub process_a_policy() {
if ( $serverwild ) { if ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
for my $zone1 ( @zonelist ) { for my $zone1 ( @zonelist ) {
set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy; set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy;
print_policy $zone, $zone1, $policy, $chain; print_policy $zone, $zone1, $policy, $chain;
} }
} }
} else { } else {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy; set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy;
print_policy $zone, $server, $policy, $chain; print_policy $zone, $server, $policy, $chain;
} }
} }
} elsif ( $serverwild ) { } elsif ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy;
print_policy $client, $zone, $policy, $chain; print_policy $client, $zone, $policy, $chain;
} }
@ -334,7 +334,7 @@ sub validate_policy()
for $zone ( all_zones ) { for $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy}; fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy};
} }
} }
} }
@ -409,7 +409,7 @@ sub apply_policy_rules() {
ensure_filter_chain $name, 1; ensure_filter_chain $name, 1;
} }
if ( $name =~ /^all2|2all$/ ) { if ( $name =~ /^all2|2all$|^all-|-all$/ ) {
run_user_exit $chainref; run_user_exit $chainref;
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
} }
@ -418,7 +418,7 @@ sub apply_policy_rules() {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $filter_table->{"${zone}2${zone1}"}; my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
run_user_exit $chainref; run_user_exit $chainref;
@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
run_user_exit $stdchainref; run_user_exit $stdchainref;
my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all}; my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) };
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} ); my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
my $policychainref; my $policychainref;
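Review bot: The pattern `/^all2|2all$|^all-|-all$/` in apply_policy_rules hardcodes both permitted separators instead of using the configured one, so it must be kept in sync by hand with the `[2-]` validation in Config.pm; the counterpart in Rules.pm's generate_matrix, `/(2all|-all|_all)$/`, has already diverged by also accepting `_all`, which the validation never allows, and that one also fires on any chain whose name happens to end in `_all`. Building the test from the setting keeps the two places consistent: `my $sep = quotemeta $config{ZONE2ZONE};` then `if ( $name =~ /^all$sep|${sep}all$/ ) {` (and `if ( $chain =~ /${sep}all$/ ) {` in Rules.pm). apply_policy_rules continues outside the hunk, so I cannot see whether `$name` can ever carry a separator other than the configured one.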


@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} }
} }
$chain = "${sourcezone}2${destzone}"; $chain = canonical_chain( ${sourcezone}, ${destzone} );
$chainref = ensure_chain 'filter', $chain; $chainref = ensure_chain 'filter', $chain;
$policy = $chainref->{policy}; $policy = $chainref->{policy};
@ -1619,7 +1619,7 @@ sub add_interface_jumps {
# Loopback # Loopback
# #
my $fw = firewall_zone; my $fw = firewall_zone;
my $chainref = $filter_table->{"${fw}2${fw}"}; my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )};
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT'; add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@ -1643,7 +1643,7 @@ sub generate_matrix() {
# #
sub rules_target( $$ ) { sub rules_target( $$ ) {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}"; my $chain = canonical_chain( ${zone}, ${zone1} );
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
return $chain if $chainref && $chainref->{referenced}; return $chain if $chainref && $chainref->{referenced};
@ -1776,7 +1776,7 @@ sub generate_matrix() {
if ( $parenthasnat || $parenthasnotrack ) { if ( $parenthasnat || $parenthasnotrack ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) { if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
# #
# This zone has a continue policy to another zone. We must # This zone has a continue policy to another zone. We must
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain. # send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@ -1908,7 +1908,7 @@ sub generate_matrix() {
for my $zone1 ( @zones ) { for my $zone1 ( @zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy};
next if $policy eq 'NONE'; next if $policy eq 'NONE';
@ -1924,7 +1924,7 @@ sub generate_matrix() {
next unless $zoneref->{bridge} eq $zone1ref->{bridge}; next unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }
if ( $chain =~ /2all$/ ) { if ( $chain =~ /(2all|-all|_all)$/ ) {
if ( $chain ne $last_chain ) { if ( $chain ne $last_chain ) {
$last_chain = $chain; $last_chain = $chain;
push @dest_zones, @temp_zones; push @dest_zones, @temp_zones;
@ -1958,7 +1958,7 @@ sub generate_matrix() {
for my $zone1 ( @dest_zones ) { for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
next if $filter_table->{"${zone}2${zone1}"}->{policy} eq 'NONE'; next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
my $chain = rules_target $zone, $zone1; my $chain = rules_target $zone, $zone1;


@ -83,8 +83,8 @@ sub setup_tunnels() {
for my $zone ( split_list $gatewayzones, 'zone' ) { for my $zone ( split_list $gatewayzones, 'zone' ) {
my $type = zone_type( $zone ); my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT; fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
$inchainref = ensure_filter_chain "${zone}2${fw}", 1; $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
$outchainref = ensure_filter_chain "${fw}2${zone}", 1; $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
unless ( $capabilities{POLICY_MATCH} ) { unless ( $capabilities{POLICY_MATCH} ) {
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
@ -239,8 +239,8 @@ sub setup_tunnels() {
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT; fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; my $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
$gateway = ALLIP if $gateway eq '-'; $gateway = ALLIP if $gateway eq '-';


@ -904,8 +904,7 @@ sub process_interface( $ ) {
} }
$physical{$value} = 1; $physical{$value} = 1;
my $wildphy = $value =~ /\+$/ ? 1 : 0; fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" unless $wildphy == $wildcard;
$physical = $value; $physical = $value;
} else { } else {
assert(0); assert(0);
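Review bot: The rewritten check in process_interface never fires: in `if $wildcard && ! $value =~ /\+$/` the `!` binds tighter than `=~`, so Perl evaluates `(!$value) =~ /\+$/`, and for any non-empty `$value` the left side is `''`, which never matches `/\+$/`; a wildcard logical name paired with a non-wildcard physical name is therefore accepted silently instead of being rejected as the release notes describe. The intended test is the negated match operator: `fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && $value !~ /\+$/;`. `$wildcard` and `$interface` are set outside the hunk, and process_interface continues beyond it.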


@ -10,6 +10,8 @@ Changes in Shorewall 4.4.4
5) Implement 'physical' interface option. 5) Implement 'physical' interface option.
6) Implement ZONE2ZONE option.
Changes in Shorewall 4.4.3 Changes in Shorewall 4.4.3
1) Move Debian INITLOG initialization to /etc/default/shorewall 1) Move Debian INITLOG initialization to /etc/default/shorewall


@ -191,6 +191,8 @@ WIDE_TC_MARKS=No
TRACK_PROVIDERS=No TRACK_PROVIDERS=No
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -247,6 +247,21 @@ None.
p1023), you write it as y1023; Shorewall will translate that name p1023), you write it as y1023; Shorewall will translate that name
to p1023 when needed. to p1023 when needed.
As shown in the above example, It is allowed to have a physical
name ending in '+' with a logical name that does not end with '+'.
The reverse is not allowed; that is, if the logical name ends in
'+' then the physical name must also end in '+'.
4) Previously, Shorewall has used the character '2' to form the name
of chains involving zones and/or the word 'all' (e.g., fw2net,
all2all). When zones names are given numeric suffixes, these
generated names are hard to read (e.g., foo1232bar). To make these
names clearer, a ZONE2ZONE option has been added.
ZONE2ZONE has a default value of "2" but can also be given the
value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
the two parts of the name with a hyphen (e.g., foo123-bar).
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -147,6 +147,8 @@ WIDE_TC_MARKS=No
TRACK_PROVIDERS=No TRACK_PROVIDERS=No
ZONE2ZONE=2
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -1574,6 +1574,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
option (see above).</para> option (see above).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
<listitem>
<para>Added in Shorewall 4.4.4. This option determines how Shorewall
constructs chain names involving zone names and/or 'all'. The
default is '2' (e.g., fw2net).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>


@ -1218,6 +1218,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
option (see above).</para> option (see above).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
<listitem>
<para>Added in Shorewall 4.4.4. This option determines how Shorewall
constructs chain names involving zone names and/or 'all'. The
default is '2' (e.g., fw2net).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>