mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-08 22:58:50 +01:00
Add support for "all+" in the policy file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
e3d9b2762d
commit
c8133145e6
@ -344,14 +344,21 @@ sub new_policy_chain($$$$$)
|
||||
#
|
||||
# Set the passed chain's policychain and policy to the passed values.
|
||||
#
|
||||
sub set_policy_chain($$$$$)
|
||||
sub set_policy_chain($$$$$$)
|
||||
{
|
||||
my ($source, $dest, $chain1, $chainref, $policy ) = @_;
|
||||
my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
|
||||
|
||||
my $chainref1 = $filter_table->{$chain1};
|
||||
|
||||
$chainref1 = new_rules_chain $chain1 unless $chainref1;
|
||||
|
||||
if ( $intrazone &&
|
||||
$source eq $dest &&
|
||||
$chainref1->{provisional} ) {
|
||||
$chainref1->{policychain} = '';
|
||||
$chainref1->{provisional} = '';
|
||||
}
|
||||
|
||||
unless ( $chainref1->{policychain} ) {
|
||||
if ( $config{EXPAND_POLICIES} ) {
|
||||
#
|
||||
@ -477,11 +484,13 @@ sub process_a_policy() {
|
||||
fatal_error 'DEST must be specified' if $server eq '-';
|
||||
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
|
||||
|
||||
my $clientwild = ( "\L$client" eq 'all' );
|
||||
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
|
||||
my $intrazone = $clientwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
|
||||
|
||||
my $serverwild = ( "\L$server" eq 'all' );
|
||||
my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
|
||||
$intrazone ||= $serverwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
|
||||
|
||||
@ -568,19 +577,19 @@ sub process_a_policy() {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
for my $zone1 ( @zonelist ) {
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
|
||||
print_policy $zone, $zone1, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $zone ( all_zones ) {
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
|
||||
print_policy $zone, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} elsif ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
|
||||
print_policy $client, $zone, $policy, $chain;
|
||||
}
|
||||
|
||||
|
||||
@ -59,26 +59,39 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
|
||||
"all".</para>
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+".</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or "all".
|
||||
If the DEST is a bport zone, then the SOURCE must be "all", another
|
||||
bport zone associated with the same bridge, or it must be an ipv4
|
||||
zone that is associated with only the same bridge.</para>
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
"all+", another bport zone associated with the same bridge, or it
|
||||
must be an ipv4 zone that is associated with only the same
|
||||
bridge.</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -59,26 +59,39 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or
|
||||
"all".</para>
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+".</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination zone. Must be the name of a zone defined in <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or
|
||||
"all". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
another bport zone associated with the same bridge, or it must be an
|
||||
ipv6 zone that is associated with only the same bridge.</para>
|
||||
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
|
||||
"all+". If the DEST is a bport zone, then the SOURCE must be "all",
|
||||
"all+", another bport zone associated with the same bridge, or it
|
||||
must be an ipv4 zone that is associated with only the same
|
||||
bridge.</para>
|
||||
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user