Fix merge conflicts

Tom Eastep 2009-11-28 07:16:03 -08:00
commit f5bf3c9b43
15 changed files with 287 additions and 34 deletions


@ -167,7 +167,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_4'; our $VERSION = '4.4_5';
# #
# Chain Table # Chain Table
@ -1148,7 +1148,17 @@ sub finish_chain_section ($$) {
$comment = ''; $comment = '';
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; unless ( $config{FASTACCEPT} ) {
if ( $chainref->{marked} ) {
if ( $chainref->{marked} == @{$chainref->{rules}} ) {
insert_rule( $chainref, 0, "-m state --state $state -j ACCEPT" );
} else {
add_rule $chainref, "-m state --state $state -j ACCEPT";
}
} else {
add_rule $chainref, "-m state --state $state -j ACCEPT";
}
}
if ($sections{NEW} ) { if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
@ -1187,6 +1197,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced}; finish_chain_section $chainref, $sections if $chainref->{referenced};
} }
} }
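Review bot: The identical `add_rule $chainref, "-m state --state $state -j ACCEPT"` is repeated in both `else` branches of the new FASTACCEPT block, so the nested `if` exists only to choose between `insert_rule` at position 0 and `add_rule`; the two conditions read more directly folded into one: `if ( $chainref->{marked} && $chainref->{marked} == @{$chainref->{rules}} ) {` / `insert_rule( $chainref, 0, "-m state --state $state -j ACCEPT" );` / `} else { add_rule $chainref, "-m state --state $state -j ACCEPT"; }`. The comparison against the rule count suggests the state ACCEPT is meant to precede the chain's MARK rules when those are the only rules present; a one-line comment stating that intent would spare the next reader the inference. finish_chain_section starts before the hunk.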


@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_4'; our $VERSION = '4.4_5';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
IPMARK_TARGET => 'IPMARK Target', IPMARK_TARGET => 'IPMARK Target',
PERSISTENT_SNAT => 'Persistent SNAT', PERSISTENT_SNAT => 'Persistent SNAT',
OLD_HL_MATCH => 'Old Hash Limit Match', OLD_HL_MATCH => 'Old Hash Limit Match',
MARK_IN_FILTER => 'MARK in Filter Table',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -619,6 +620,7 @@ sub initialize( $ ) {
LOG_TARGET => 1, # Assume that we have it. LOG_TARGET => 1, # Assume that we have it.
PERSISTENT_SNAT => undef, PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef, OLD_HL_MATCH => undef,
MARK_IN_FILTER => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -2031,6 +2033,7 @@ sub determine_capabilities( $ ) {
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
$capabilities{MARK_IN_FILTER} = qt1( "$iptables -A $sillyname -j MARK --set-mark 1" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
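Review bot: The new `$capabilities{MARK_IN_FILTER} = qt1( "$iptables -A $sillyname -j MARK --set-mark 1" );` probe has no comment tying it to its consumer; Zones.pm in this commit calls `require_capability 'MARK_IN_FILTER', 'virtual zones'`, so `# MARK target accepted in the filter table -- required by 'virtual' zones (Zones.pm)` on the line above would document the dependency. The shell lib.base files bump SHOREWALL_CAPVERSION to 40405 for the new key; if Config.pm carries its own capability-version constant it should agree, but that line is not in this section. determine_capabilities starts and ends outside the hunk.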


@ -129,8 +129,17 @@ sub add_or_modify_policy_chain( $$ ) {
push @policy_chains, $chainref; push @policy_chains, $chainref;
} }
} else { } else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
} }
unless ( $chainref->{marked} ) {
my $mark = defined_zone( $zone )->{mark};
my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS;
$chainref->{marked} = 1, add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone;
$chainref->{marked}++ , add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
}
} }
sub print_policy($$$$) { sub print_policy($$$$) {
@ -348,8 +357,16 @@ sub validate_policy()
add_or_modify_policy_chain( $zone1, $zone ); add_or_modify_policy_chain( $zone1, $zone );
} }
} }
} } elsif ( zone_type( $zone ) == VIRTUAL ) {
} for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
for my $zone2 ( all_zones ) {
unless ( $zone1 eq $zone2 ) {
add_or_modify_policy_chain( $zone1, $zone2 );
add_or_modify_policy_chain( $zone2, $zone1 );
}
}
}
} }
my $fn = open_file 'policy'; my $fn = open_file 'policy';
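Review bot: The two new statements in add_or_modify_policy_chain of the form `$chainref->{marked} = 1, add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone;` chain a hash assignment and a parenthesis-less call with the comma operator under a single postfix `if`, which is the comma-for-semicolon pattern perlcritic flags and is easy to misread as the condition applying only to `add_rule`. Explicit `if` blocks make the pairing of the counter update with the rule obvious and keep the same execution order. The `push @policy_chains, ( $chainref = new_policy_chain ... )` assignment-inside-push a few lines earlier would likewise read better as two statements. add_or_modify_policy_chain starts outside the hunk.
```perl
        unless ( $chainref->{marked} ) {
            my $mark  = defined_zone( $zone )->{mark};
            my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS;

            if ( $mark && $zone1 eq firewall_zone ) {
                $chainref->{marked} = 1;
                add_rule $chainref, '-j MARK --or-mark ' . in_hex( $mark );
            }

            if ( $mark1 ) {
                $chainref->{marked}++;
                add_rule $chainref, '-j MARK --or-mark ' . in_hex( $mark1 );
            }
        }
```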


@ -311,6 +311,7 @@ sub add_a_provider( ) {
} }
} else { } else {
fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS}; fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
fatal_error "Invalid Mark Value ($mark)" if $val > 0xf0000;
} }
for my $providerref ( values %providers ) { for my $providerref ( values %providers ) {
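Review bot: The added `fatal_error "Invalid Mark Value ($mark)" if $val > 0xf0000;` carries a bare magic number with nothing relating it to the mark bits this commit reserves elsewhere (Zones.pm defines VIRTUAL_BASE 0x1000000 and VIRTUAL_MASK 0xf000000); presumably the limit keeps provider route marks clear of those bits, but that is an inference to confirm. A comment such as `# route marks must stay below the mark bits reserved for virtual zones (see VIRTUAL_BASE in Zones.pm)` would make the coupling visible to whoever next changes either constant. The message also duplicates the previous line's, so a failure here is indistinguishable from the HIGH_ROUTE_MARKS/WIDE_TC_MARKS check; `"Mark Value ($mark) exceeds the maximum (0xf0000)"` would separate the two. add_a_provider starts outside the hunk.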


@ -1692,12 +1692,14 @@ sub generate_matrix() {
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex}; next if @zones <= 2 && ! ( $zoneref->{options}{complex} || $zoneref->{virtual} || $zoneref->{mark} );
# #
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain # Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
# #
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
@ -1724,10 +1726,11 @@ sub generate_matrix() {
for my $hostref ( @{$arrayref} ) { for my $hostref ( @{$arrayref} ) {
my $ipsec_match = match_ipsec_in $zone , $hostref; my $ipsec_match = match_ipsec_in $zone , $hostref;
my $exclusion = source_exclusion( $hostref->{exclusions}, $frwd_ref );
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( add_jump(
$sourcechainref, $sourcechainref,
source_exclusion( $hostref->{exclusions}, $frwd_ref ), $exclusion,
! @{$zoneref->{parents}}, ! @{$zoneref->{parents}},
join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
); );
@ -1759,6 +1762,7 @@ sub generate_matrix() {
my $nested = $zoneref->{options}{nested}; my $nested = $zoneref->{options}{nested};
my $parenthasnat = 0; my $parenthasnat = 0;
my $parenthasnotrack = 0; my $parenthasnotrack = 0;
my $virtual = $zoneref->{virtual};
if ( $nested ) { if ( $nested ) {
# #
@ -1799,6 +1803,11 @@ sub generate_matrix() {
# #
# Take care of PREROUTING, INPUT and OUTPUT jumps # Take care of PREROUTING, INPUT and OUTPUT jumps
# #
if ( $virtual ) {
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1;
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2;
}
for my $typeref ( values %$source_hosts_ref ) { for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
@ -1953,6 +1962,11 @@ sub generate_matrix() {
} else { } else {
@dest_zones = @zones ; @dest_zones = @zones ;
} }
if ( $frwd_ref ) {
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual;
}
# #
# Here it is -- THE BIG UGLY!!!!!!!!!!!! # Here it is -- THE BIG UGLY!!!!!!!!!!!!
# #
@ -1961,6 +1975,7 @@ sub generate_matrix() {
# #
for my $zone1 ( @dest_zones ) { for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
my $virtual1 = $zone1ref->{virtual} << VIRTUAL_BITS;
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
@ -1990,13 +2005,16 @@ sub generate_matrix() {
next if $hostref->{options}{sourceonly}; next if $hostref->{options}{sourceonly};
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ); add_jump( $frwd_ref, $exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ) );
} }
} }
} }
} }
} }
add_jump( $frwd_ref, $chain, 0, '-m mark ! --mark 0/' . in_hex( $virtual1 ) . ' ' ) if $virtual1;
} else { } else {
# #
# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain # More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
@ -2032,6 +2050,7 @@ sub generate_matrix() {
for my $host1ref ( @$array1ref ) { for my $host1ref ( @$array1ref ) {
next if $host1ref->{options}{sourceonly}; next if $host1ref->{options}{sourceonly};
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
my $exclusion = dest_exclusion( $host1ref->{exclusions}, $chain );
for my $net1 ( @{$host1ref->{hosts}} ) { for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
# #
@ -2039,7 +2058,7 @@ sub generate_matrix() {
# #
add_jump( add_jump(
$excl3ref , $excl3ref ,
dest_exclusion( $host1ref->{exclusions}, $chain ), $exclusion,
0, 0,
join( '', join( '',
$match_source_dev, $match_source_dev,
@ -2047,9 +2066,18 @@ sub generate_matrix() {
match_source_net($net), match_source_net($net),
match_dest_net($net1), match_dest_net($net1),
$ipsec_out_match ) $ipsec_out_match )
); );
} }
} }
add_rule ( $excl3ref,
$chain,
join( '',
$match_source_dev,
match_source_net($net),
'-m mark ! --mark 0/',
in_hex( $virtual1 ),
' ' ) ) if $virtual1;
} }
} }
} }
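Review bot: `add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};` in the zone forwarding chain replaces the entire packet mark, while the equivalent rules this commit adds in Policy.pm use `--or-mark` and Tc.pm clears only the top byte with `--and-mark 0xffffff`, which implies the lower mark bits (TC and route marks set in the mangle table, which runs before filter FORWARD) are meant to survive. Unless discarding them is intended, this line should read `'-j MARK --or-mark '`. Separately, `if ( $frwd_ref ) { add_jump ... if $virtual; }` later in the section would read more directly as a single `if ( $frwd_ref && $virtual )`. generate_matrix starts and ends outside these hunks.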


@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc ); our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize ); our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_4'; our $VERSION = '4.4_5';
our %tcs = ( T => { chain => 'tcpost', our %tcs = ( T => { chain => 'tcpost',
connmark => 0, connmark => 0,
@ -1235,6 +1235,7 @@ sub setup_tc() {
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{FORWARD} , '-j tcfor'; add_rule $mangle_table->{FORWARD} , '-j tcfor';
add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks
add_rule $mangle_table->{POSTROUTING} , '-j tcpost'; add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
} }
@ -1246,7 +1247,7 @@ sub setup_tc() {
# In POSTROUTING, we only want to clear routing mark and not IPMARK. # In POSTROUTING, we only want to clear routing mark and not IPMARK.
# #
insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0'; insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
} }
} }
if ( $globals{TC_SCRIPT} ) { if ( $globals{TC_SCRIPT} ) {
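Review bot: `add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks` hard-codes the complement of the mark bits that Zones.pm defines as VIRTUAL_BASE/VIRTUAL_MASK (with the destination copy shifted by VIRTUAL_BITS); if those constants move, this mask silently stops clearing the right bits. The comment should at least state the coupling: `# Clear virtual zone marks (bits above 0xffffff; must match VIRTUAL_MASK/VIRTUAL_BITS in Zones.pm)`. The rule is also emitted unconditionally, i.e. even when no virtual zone is configured, and only on the MANGLE_FORWARD branch; whether the other branch of setup_tc needs the same clearing before its tcpost jump is outside the hunk.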


@ -40,6 +40,8 @@ our @EXPORT = qw( NOTHING
IP IP
BPORT BPORT
IPSEC IPSEC
VIRTUAL
VIRTUAL_BITS
determine_zones determine_zones
zone_report zone_report
@ -75,7 +77,7 @@ our @EXPORT = qw( NOTHING
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_4'; our $VERSION = '4.4_5';
# #
# IPSEC Option types # IPSEC Option types
@ -104,6 +106,8 @@ use constant { NOTHING => 'NOTHING',
# children => [ <children> ] # children => [ <children> ]
# interfaces => { <interfaces1> => 1, ... } # interfaces => { <interfaces1> => 1, ... }
# bridge => <bridge> # bridge => <bridge>
# virtual => <virtual zone mark>
# mark => <LORed virtual zone marks of parent virtual zones>
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none' # hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
# options => { <option1> => <value1> # options => { <option1> => <value1>
# ... # ...
@ -156,11 +160,13 @@ our @bport_zones;
our %ipsets; our %ipsets;
our %physical; our %physical;
our $family; our $family;
our $virtualmark;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
BPORT => 3, BPORT => 3,
IPSEC => 4 }; IPSEC => 4,
VIRTUAL => 5 };
use constant { SIMPLE_IF_OPTION => 1, use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2, BINARY_IF_OPTION => 2,
@ -176,6 +182,11 @@ use constant { SIMPLE_IF_OPTION => 1,
IF_OPTION_HOST => 16, IF_OPTION_HOST => 16,
}; };
use constant { VIRTUAL_BASE => 0x1000000 ,
VIRTUAL_MASK => 0xf000000 ,
VIRTUAL_BITS => 4 #Bits for virtual MASK numbers
};
our %validinterfaceoptions; our %validinterfaceoptions;
our %validhostoptions; our %validhostoptions;
@ -201,6 +212,7 @@ sub initialize( $ ) {
@bport_zones = (); @bport_zones = ();
%ipsets = (); %ipsets = ();
%physical = (); %physical = ();
$virtualmark = VIRTUAL_BASE;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
@ -353,6 +365,9 @@ sub process_zone( \$ ) {
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
my $mark = 0;
my $virtual = 0;
if ( $zone =~ /(\w+):([\w,]+)/ ) { if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1; $zone = $1;
@parents = split_list $2, 'zone'; @parents = split_list $2, 'zone';
@ -361,6 +376,7 @@ sub process_zone( \$ ) {
fatal_error "Invalid Parent List ($2)" unless $p; fatal_error "Invalid Parent List ($2)" unless $p;
fatal_error "Unknown parent zone ($p)" unless $zones{$p}; fatal_error "Unknown parent zone ($p)" unless $zones{$p};
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL; fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
$mark |= $zones{$p}{virtual};
push @{$zones{$p}{children}}, $zone; push @{$zones{$p}{children}}, $zone;
} }
} }
@ -376,6 +392,12 @@ sub process_zone( \$ ) {
} elsif ( $type =~ /^ipsec([46])?$/i ) { } elsif ( $type =~ /^ipsec([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
$type = IPSEC; $type = IPSEC;
for ( @parents ) {
unless ( $zones{$_}{type} == IPSEC ) {
set_super( $zones{$_} );
}
}
} elsif ( $type =~ /^bport([46])?$/i ) { } elsif ( $type =~ /^bport([46])?$/i ) {
fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
warning_message "Bridge Port zones should have a parent zone" unless @parents; warning_message "Bridge Port zones should have a parent zone" unless @parents;
@ -387,6 +409,12 @@ sub process_zone( \$ ) {
$firewall_zone = $zone; $firewall_zone = $zone;
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = FIREWALL; $type = FIREWALL;
} elsif ( $type eq 'virtual' ) {
require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
fatal_error "Too many virtual zones" unless $virtualmark & VIRTUAL_MASK;
$virtual = $virtualmark;
$virtualmark = $virtualmark << 1;
$type = VIRTUAL;
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = IP; $type = IP;
$$ip = 1; $$ip = 1;
@ -394,14 +422,6 @@ sub process_zone( \$ ) {
fatal_error "Invalid zone type ($type)" ; fatal_error "Invalid zone type ($type)" ;
} }
if ( $type eq IPSEC ) {
for ( @parents ) {
unless ( $zones{$_}{type} == IPSEC ) {
set_super( $zones{$_} );
}
}
}
for ( $options, $in_options, $out_options ) { for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-'; $_ = '' if $_ eq '-';
} }
@ -409,6 +429,8 @@ sub process_zone( \$ ) {
$zones{$zone} = { type => $type, $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
virtual => $virtual,
mark => $mark ,
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
@ -485,9 +507,9 @@ sub zone_report()
my @translate; my @translate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
} else { } else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
@ -530,9 +552,8 @@ sub zone_report()
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL; warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} );
} }
} }
} }
@ -544,9 +565,9 @@ sub dump_zone_contents()
my @xlate; my @xlate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' );
} else { } else {
@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
@ -587,6 +608,12 @@ sub dump_zone_contents()
} }
} }
if ( $type == VIRTUAL && @{$zoneref->{children}} ) {
$entry .= " (";
$entry .= "$_," for @{$zoneref->{children}};
$entry =~ s/,$/) /;
}
emit_unindented $entry; emit_unindented $entry;
} }
} }
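Review bot: `$mark |= $zones{$p}{virtual};` in process_zone picks up only the parent's own virtual mark, not the marks the parent itself inherited (`$zones{$p}{mark}`), so a zone whose parent is a child of another virtual zone never carries the grandparent's bit; the release notes in this commit say virtual zones may be nested, and the new hash field comment describes `mark` as the LORed marks of the parent virtual zones. If cascading is intended, `$mark |= $zones{$p}{virtual} | $zones{$p}{mark};` closes the gap; if it is not, the restriction deserves a fatal_error rather than a silently partial mark. process_zone starts before the hunk.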


@ -12,6 +12,8 @@ Changes in Shorewall 4.4.5
6) Fix 'show policies' in Shorewall6. 6) Fix 'show policies' in Shorewall6.
7) Implement 'virtual' zones.
Changes in Shorewall 4.4.4 Changes in Shorewall 4.4.4
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.


@ -30,7 +30,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40402 SHOREWALL_CAPVERSION=40405
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -828,6 +828,7 @@ determine_capabilities() {
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
PERSISTENT_SNAT= PERSISTENT_SNAT=
MARK_IN_FILTER=
chain=fooX$$ chain=fooX$$
@ -958,6 +959,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@ -1026,6 +1028,7 @@ report_capabilities() {
report_capability "IPMARK Target" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "Mark in Filter Table" $MARK_IN_FILTER
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1085,6 +1088,7 @@ report_capabilities1() {
report_capability1 IPMARK_TARGET report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 MARK_IN_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }


@ -230,6 +230,41 @@ None.
$FW dmz REJECT info $FW dmz REJECT info
$FW all ACCEPT $FW all ACCEPT
3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used
to group together a set of sub-zones. A virtual zone is declared
as TYPE 'virtual' in /etc/shorewall/zones.
Example:
virt virtual
The virtual zone must have no definition in
/etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones
can themselves be nested in other virtual zones but there is a
limit of four virtual zones per configuration (that limitation
derives from the fact that each virtual zone requires 2 bits in the
packet mark).
Virtual zones are used as parent zones for other zones using the
<zone>:<parent> syntax in /etc/shorewall/zones:
Example:
virt virtual
loc:virt ipv4
vpn:virt ipsec
As shown in the example, a virtual zone may be a parent for
multiple zone types.
Virtual zones are intended to be used with
IMPLICIT_CONTINUE=No. They provide semantic behavior similar to
IMPLICIT_CONTINUE=Yes in that connections that do not match rules
for the sub-zone are applied to the parent zone.
For more information, see
http://www.shorewall.net/manpages/shorewall-nesting.html
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40300 SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40402 SHOREWALL_CAPVERSION=40405
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -737,6 +737,7 @@ determine_capabilities() {
GOTO_TARGET= GOTO_TARGET=
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
MARK_IN_FILTER=Yes
chain=fooX$$ chain=fooX$$
@ -864,6 +865,7 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
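Review bot: `MARK_IN_FILTER=Yes` initialises the capability as present, but the probe added later in determine_capabilities only ever sets it (`... && MARK_IN_FILTER=Yes`) and never clears it, so a kernel whose filter table rejects the MARK target is still reported as having it. The IPv4 lib.base in this commit starts from an empty value for exactly this reason; the initial line here should be `MARK_IN_FILTER=`. determine_capabilities starts outside the hunk.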


@ -154,14 +154,14 @@
to change the 'net' interface to something other than ppp0. That way, it to change the 'net' interface to something other than ppp0. That way, it
won't match ppp+.</para> won't match ppp+.</para>
<para>If you are running Shorewall version 4.1.4 or later, a second way is <para>A second way is to simply make the nested zones
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION explicit:<programlisting> #ZONE TYPE OPTION
fw firewall fw firewall
loc ipv4 loc ipv4
net:loc ipv4 net:loc ipv4
dmz ipv4</programlisting></para> dmz ipv4</programlisting></para>
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in <para>If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
<para>When using other Shorewall versions, another way is to rewrite the <para>When using other Shorewall versions, another way is to rewrite the
@ -183,6 +183,56 @@
loc ppp+:192.168.2.0/23</programlisting></para> loc ppp+:192.168.2.0/23</programlisting></para>
</refsect1> </refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall/interfaces</filename> or in
<filename>/etc/shorewall/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv4
loc virtual #Virtual Zone
loc1:loc ipv4
loc2:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
- eth1 detect tcpflags,nosmurfs,routefilter,logmartians</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:192.168.1.0/24
loc2 eth1:192.168.2.0/24</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>


@ -169,6 +169,17 @@ c:a,b ipv4</programlisting>
single bridge.</para> single bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">virtual</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.5. Virtual zones are containers
for other zones. See <ulink
url="shorewall-nesting.html">shorewall-nesting (5)</ulink> for
details.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -87,6 +87,56 @@
significant.</para> significant.</para>
</refsect1> </refsect1>
<refsect1 id="Virtual">
<title>Virtual Zones</title>
<para>Beginning with Shorewall 4.4.5, Shorewall allows the declaration of
<firstterm>virtual</firstterm> zones. A virtual zone has no definition in
<filename>/etc/shorewall6/interfaces</filename> or in
<filename>/etc/shorewall6/hosts</filename>. Rather, it is used as a parent
zone for other zones in <filename>/etc/shorewall6/zones</filename>.</para>
<para>Example:</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTIONS
fw firewall
net ipv6
loc virtual #Virtual Zone
loc1:loc ipv6
loc2:loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
- eth1 detect tcpflags</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
loc1 eth1:2001:19f0:feee:1::/48
loc2 eth1:2001:19f0:feee:2::/48</programlisting>
<para>There are several restrictions on virtual zones:</para>
<itemizedlist>
<listitem>
<para>A maximum of four virtual zones may be defined.</para>
</listitem>
<listitem>
<para>They should not be used with IMPLICIT_CONTINUE=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>When a connection request to/from a sub-zone of a virtual zone does
not match the rules for the sub-zone, the connection is compared against
the rules (and policies) for the parent virtual zone.</para>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>


@ -169,6 +169,17 @@ c:a,b ipv6</programlisting>
single bridge.</para> single bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">virtual</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.5. Virtual zones are containers
for other zones. See <ulink
url="shorewall6-nesting.html">shorewall6-nesting (5)</ulink>
for details.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>