Implement bi-directional macro support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3444 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-22 21:48:39 +01:00 · 2006-02-04 20:57:38 +00:00 · 2006-02-04 20:57:38 +00:00 · f0728b5e50
commit f0728b5e50
parent 3482a47db0
4 changed files with 69 additions and 6 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -50,3 +50,5 @@ Changes in 3.1.x.
 24) Apply Steven Springl's help patch.

 25) Fix 'allow/drop/reject' while Shorewall not running.
+
+26) Implement bi-directional macros.
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -4586,7 +4586,7 @@ __EOF__
 			    esac

 			    cat >&3 << __EOF__
-${INDENT}    run_iptables -A $xchain -d \$address -j
+${INDENT}    run_iptables -A $xchain -d \$address -j ACCEPT
 ${INDENT}done

 __EOF__
@ -4711,9 +4711,12 @@ __EOF__

 			    if [ -n "$mclients" ]; then
 				case $mclients in
-				    -)
+				    -|SOURCE)
 					mclients=${xclients}
 					;;
+				    DEST)
+					mclients=${xservers}
+					;;
 				    *)
 					mclients=$(merge_macro_source_dest $mclients $xclients)
 					;;
@ -4724,9 +4727,12 @@ __EOF__

 			    if [ -n "$mservers" ]; then
 				case $mservers in
-				    -)
+				    -|DEST)
 					mservers=${xservers}
 					;;
+				    SOURCE)
+					mservers=${xclients}
+					;;
 				    *)
 					mservers=$(merge_macro_source_dest $mservers $xservers)
 					;;
@ -5766,9 +5772,12 @@ process_macro() # $1 = target

 	if [ -n "$mclients" ]; then
 	    case $mclients in
-		-)
+		-|SOURCE)
 		    mclients=${iclients}
 		    ;;
+		DEST)
+		    mclients=${iservers}
+		    ;;
 		*)
 		    mclients=$(merge_macro_source_dest $mclients $iclients)
 		    ;;
@ -5779,9 +5788,12 @@ process_macro() # $1 = target

 	if [ -n "$mservers" ]; then
 	    case $mservers in
-		-)
+		-|DEST)
 		    mservers=${iservers}
 		    ;;
+		SOURCE)
+		    mservers=${iclients}
+		    ;;
 		*)
 		    mservers=$(merge_macro_source_dest $mservers $iservers)
 		    ;;
--- a/Shorewall/macro.SMBBI
+++ b/Shorewall/macro.SMBBI
@ -0,0 +1,23 @@
+#
+# Shorewall version 3.2 - SMB Bi-directional Macro
+#
+# /usr/share/shorewall/macro.SMBBI
+#
+#	This macro handles Microsoft SMB traffic.
+#
+#	Beware!  This macro opens a lot of ports, and could possibly be used
+#	to compromise your firewall if not used with care.  You should only
+#	allow SMB traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	udp	135,445
+PARAM	-	-	udp	137:139
+PARAM	-	-	udp	1024:	137
+PARAM	-	-	tcp	135,139,445
+PARAM	DEST	SOURCE	udp	135,445
+PARAM	DEST	SOURCE	udp	137:139
+PARAM	DEST	SOURCE	udp	1024:	137
+PARAM	DEST	SOURCE	tcp	135,139,445
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -37,7 +37,33 @@ Problems Corrected in 3.1.6

 Other changes in 3.1.6

-None.
+1)  In macro files, you can now use the reserved words SOURCE and DEST
+    in the columns of the same names. When Shorewall expands the
+    macro, it will substitute the SOURCE from the macro invocation for
+    SOURCE and the DEST from the invocation for DEST. This allows you
+    to write macros that act in both directions (from source to destination
+    and from destination to source).
+
+    Example:
+
+	macro.FOO:
+
+	    PARAM      SOURCE        DEST      udp     500
+	    PARAM      DEST          SOURCE    udp     500
+
+	/etc/shorewall/rules:
+
+	    FOO/ACCEPT    fw         net
+
+	Resulting rules:
+
+	    ACCEPT        fw         net        udp     500
+	    ACCEPT        net        fw         udp     500
+
+    This new feature has been used to implement the SMBBI macro.
+    SMBBI is the same as the SMB macro with the exception that
+    it passes SMB traffic in both directions whereas SMB only
+    passes that traffic in one direction.

 Migration Considerations: