extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-24 14:39:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add support for "all+" in the policy file.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-05-13 09:01:12 -07:00
parent e3d9b2762d
commit c8133145e6
3 changed files with 58 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -344,14 +344,21 @@ sub new_policy_chain($$$$$)
# #
# Set the passed chain's policychain and policy to the passed values. # Set the passed chain's policychain and policy to the passed values.
# #
sub set_policy_chain($$$$$) sub set_policy_chain($$$$$$)
{ {
my ($source, $dest, $chain1, $chainref, $policy ) = @_; my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
my $chainref1 = $filter_table->{$chain1}; my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_rules_chain $chain1 unless $chainref1; $chainref1 = new_rules_chain $chain1 unless $chainref1;
if ( $intrazone &&
$source eq $dest &&
$chainref1->{provisional} ) {
$chainref1->{policychain} = '';
$chainref1->{provisional} = '';
}
unless ( $chainref1->{policychain} ) { unless ( $chainref1->{policychain} ) {
if ( $config{EXPAND_POLICIES} ) { if ( $config{EXPAND_POLICIES} ) {
# #
@ -477,11 +484,13 @@ sub process_a_policy() {
fatal_error 'DEST must be specified' if $server eq '-'; fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-'; fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
my $clientwild = ( "\L$client" eq 'all' ); my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
my $intrazone = $clientwild && $1;
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client ); fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
my $serverwild = ( "\L$server" eq 'all' ); my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
$intrazone ||= $serverwild && $1;
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server ); fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
@ -568,19 +577,19 @@ sub process_a_policy() {
if ( $serverwild ) { if ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
for my $zone1 ( @zonelist ) { for my $zone1 ( @zonelist ) {
set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy; set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
print_policy $zone, $zone1, $policy, $chain; print_policy $zone, $zone1, $policy, $chain;
} }
} }
} else { } else {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy; set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
print_policy $zone, $server, $policy, $chain; print_policy $zone, $server, $policy, $chain;
} }
} }
} elsif ( $serverwild ) { } elsif ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy; set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
print_policy $client, $zone, $policy, $chain; print_policy $client, $zone, $policy, $chain;
} }

29
Shorewall/manpages/shorewall-policy.xml
View File

@ -59,26 +59,39 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term> role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem> <listitem>
<para>Source zone. Must be the name of a zone defined in <ulink <para>Source zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
"all".</para> "all+".</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term> role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem> <listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink <para>Destination zone. Must be the name of a zone defined in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or "all". url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
If the DEST is a bport zone, then the SOURCE must be "all", another "all+". If the DEST is a bport zone, then the SOURCE must be "all",
bport zone associated with the same bridge, or it must be an ipv4 "all+", another bport zone associated with the same bridge, or it
zone that is associated with only the same bridge.</para> must be an ipv4 zone that is associated with only the same
bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

29
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -59,26 +59,39 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term> role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem> <listitem>
<para>Source zone. Must be the name of a zone defined in <ulink <para>Source zone. Must be the name of a zone defined in <ulink
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
"all".</para> "all+".</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term> role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem> <listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink <para>Destination zone. Must be the name of a zone defined in <ulink
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $FW or url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
"all". If the DEST is a bport zone, then the SOURCE must be "all", "all+". If the DEST is a bport zone, then the SOURCE must be "all",
another bport zone associated with the same bridge, or it must be an "all+", another bport zone associated with the same bridge, or it
ipv6 zone that is associated with only the same bridge.</para> must be an ipv4 zone that is associated with only the same
bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>