From 8bb7c2363bc45a47e113a59fdc8888ece3961c4d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 10 Sep 2016 10:06:38 -0700
Subject: [PATCH 1/4] Support '+' after a zone list in the policy files.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 19 +++++++++++++++----
 Shorewall/manpages/shorewall-policy.xml | 14 ++++++++++----
 Shorewall6/manpages/shorewall6-policy.xml | 14 ++++++++++----
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 62b6c0747..19a44e6df 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -628,15 +628,15 @@ sub handle_nfqueue( $$ ) {
 #
 # Process an entry in the policy file.
 #
-sub process_a_policy1($$$$$$) {
+sub process_a_policy1($$$$$$$) {
 our %validpolicies;
 our @zonelist;
- my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
+ my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
- my $intrazone = $clientwild && $1;
+ $intrazone = $clientwild && $1;
 fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
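Review bot: The new `$intrazone` parameter is dead on arrival because the line `$intrazone = $clientwild && $1;` overwrites it unconditionally, so a '+' after a zone list (the feature this patch adds) never survives into process_a_policy1 — only `all+` still yields a true value. Keep the caller's flag with `$intrazone ||= ( $clientwild && $1 );` or, equivalently, `$intrazone = 1 if $clientwild && $1;`. Since `$clientwild` is the boolean match result and `$1` is only meaningful when that match succeeded, the guard order must stay as written. The body of process_a_policy1, including whatever consumes `$intrazone`, continues beyond the end of the hunk.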
@@ -761,13 +761,24 @@ sub process_a_policy() { $synparams = '' if $synparams eq '-'; $connlimit = '' if $connlimit eq '-'; + my $intrazone; + + if ( $intrazone = $clients =~ /.*,.*\+$/) { + $clients =~ s/\+$//; + } + + if ( $servers =~ /.*,.*\+$/ ) { + $servers =~ s/\+$//; + $intrazone = 1; + } + fatal_error 'SOURCE must be specified' if $clients eq '-'; fatal_error 'DEST must be specified' if $servers eq '-'; fatal_error 'POLICY must be specified' if $policy eq '-'; for my $client ( split_list( $clients, 'zone' ) ) { for my $server ( split_list( $servers, 'zone' ) ) { - process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit ); + process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ); } } } diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index b6ef38df7..7bc0be4dd 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -61,7 +61,7 @@ SOURCE - - zone[,...]|zone[,...[+]]|$FW|all|all+ @@ -76,13 +76,16 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. DEST - - zone[,...]|zone[,...[+]]|$FW|all|all+ @@ -100,7 +103,10 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index fe0d0e2a7..115613aff 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml 
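Review bot: The two '+' detectors in the new block are written in different shapes — the SOURCE case captures the match result of `/.*,.*\+$/` through an assignment inside the `if` condition, while the DEST case tests, strips and then assigns `1` — which makes the first one easy to misread as a comparison. Using the substitution's own return value makes both identical and drops the assignment-in-condition: `my $intrazone = 0;`, then `$intrazone = 1 if $clients =~ /,/ && $clients =~ s/\+\z//;` and the same line for `$servers`. `\z` is also stricter than `$`, which would accept a trailing newline after the '+'. A single `zone+` (no comma) is left untouched by the comma check and flows into split_list unchanged; presumably defined_zone rejects it, but that is worth confirming since the manpage only documents '+' after two or more names.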
@@ -61,7 +61,7 @@ SOURCE - - zone[,...]|zone[,...[+]]|$FW|all|all+ @@ -76,13 +76,16 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. DEST - - zone[,...]|zone[,...[+]]|$FW|all|all+ @@ -100,7 +103,10 @@ does. Beginning with Shorewall 5.0.12, multiple zones may be listed - separated by commas. + separated by commas. As above, if '+' is specified after two or more + zone names, then the policy overrides the implicit intra-zone ACCEPT + policy if the same zone appears in both + the SOURCE and DEST columns. From 2f7590106832692810a22bb1740afdb52ec616b9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 13 Sep 2016 09:29:51 -0700 Subject: [PATCH 2/4] Restore 'use Shorewall::Config(shorewall)' in embedded Perl handling Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 962e06f93..ad0305d94 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -3400,7 +3400,7 @@ sub embedded_shell( $ ) { sub embedded_perl( $ ) { my $multiline = shift; - my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); + my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); $directive_callback->( 'PERL', $currentline ) if $directive_callback; From 059b1c6c8cb855d38f5d40e03ff634dbfc6cf9fc Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 13 Sep 2016 11:13:19 -0700 Subject: [PATCH 3/4] Remove superfluous logic 
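Review bot: The restored `use Shorewall::Config (qw/shorewall/);` is the third of five fragments packed into one `qq()` literal with embedded `\n`, so the line that the commit subject says was already lost once is again easy to drop or mis-edit. Building `$command` with `join "\n", ...` makes the generated preamble read as the lines it produces and gives the import its own why-comment; the resulting string is byte-identical. The body of embedded_perl continues past the end of the hunk.
```perl
    my $multiline = shift;

    # The embedded code is compiled into package Shorewall::User; import
    # shorewall() there explicitly so scripts can call it.  This import was
    # dropped once before — do not remove it again.
    my $command = join "\n",
        'package Shorewall::User;',
        'no strict;',
        'use Shorewall::Config (qw/shorewall/);',
        qq(# line $currentlinenumber "$currentfilename"),
        $currentline;
    my $linenumber = $currentlinenumber;
    # … unchanged: directive callback and the rest of embedded_perl …
```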
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ad0305d94..a485e85a2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3853,7 +3853,7 @@ sub process_shorewallrc( $$ ) {
 $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 }
 } elsif ( supplied $shorewallrc{VARLIB} ) {
-$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
 }
 }

From afc212495feb7d412b5f4309d8ddafd0a716a8be Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 18 Sep 2016 08:57:49 -0700
Subject: [PATCH 4/4] Make POSTROUTING the default chain for CHECKSUM

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 19a44e6df..d61520ed7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4196,8 +4196,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 },
 CHECKSUM => {
- defaultchain => 0,
- allowedchains => ALLCHAINS,
+ defaultchain => POSTROUTING,
+ allowedchains => POSTROUTING | FORWARD | OUTPUT,
 minparams => 0,
 maxparams => 0 ,
 function => sub() {
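Review bot: Removing `unless supplied $shorewallrc{VARDIR}` is only behaviour-preserving if the enclosing `if` (its condition sits above the hunk) already guarantees that VARDIR was not supplied on the `elsif` path; nothing inside the hunk shows that, so the next reader may well re-add the guard. A one-line comment on the new assignment would pin the invariant: `# VARDIR was not supplied (handled by the if above), so derive it from VARLIB.` The rest of process_shorewallrc is outside the hunk.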
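Review bot: Changing `allowedchains` from `ALLCHAINS` to `POSTROUTING | FORWARD | OUTPUT` is a compatibility change rather than just a new default: a mangle entry that currently places CHECKSUM in PREROUTING or INPUT will no longer be accepted (how allowedchains is enforced is outside the hunk), yet the diffstat shows only Rules.pm touched, so neither the mangle manpage nor the release notes record it. The previous `defaultchain => 0` presumably meant "no default, the chain must be given"; the switch to an implicit POSTROUTING also deserves a sentence in the documentation. A comment on the entry would at least capture the intent in code, e.g. `# CHECKSUM: POSTROUTING by default; only POSTROUTING, FORWARD and OUTPUT are accepted`. The CHECKSUM entry and process_mangle_rule1 continue beyond the hunk.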