Fix IMPLICIT_CONTINUE intra-zone policy

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5433 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-27 10:03:41 +01:00 · 2007-02-23 17:07:13 +00:00 · 2007-02-23 17:07:13 +00:00 · fa1df2ecf8
commit fa1df2ecf8
parent bdd3554bce
4 changed files with 27 additions and 14 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -8,6 +8,8 @@ Changes in 3.4.0 Final

 4)  Fix exit status problem with 'restart'

+5)  Dump SPD and SAD in the dump command.
+
 Changes in 3.4.0 RC 2

 1)  No longer include params file in compiled output.
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -485,19 +485,21 @@ validate_policy()
 	if [ -n "$IMPLICIT_CONTINUE" ]; then
 	    eval parents=\$${zone}_parents
 	    if [ -n "$parents" ]; then
-		for zone1 in $ZONES $FW; do
-		    chain=${zone}2${zone1}
-		    eval ${chain}_is_policy=Yes
-		    eval ${chain}_is_optional=Yes
-		    eval ${chain}_policy=CONTINUE
-		    eval ${chain}_policychain=$chain
-		    ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
-		    chain=${zone1}2${zone}
-		    eval ${chain}_is_policy=Yes
-		    eval ${chain}_is_optional=Yes
-		    eval ${chain}_policy=CONTINUE
-		    eval ${chain}_policychain=$chain
-		    ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+		for zone1 in $ZONES $FW; do 
+		    if $zone != $zone1; then
+			chain=${zone}2${zone1}
+			eval ${chain}_is_policy=Yes
+			eval ${chain}_is_optional=Yes
+			eval ${chain}_policy=CONTINUE
+			eval ${chain}_policychain=$chain
+			ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+			chain=${zone1}2${zone}
+			eval ${chain}_is_policy=Yes
+			eval ${chain}_is_optional=Yes
+			eval ${chain}_policy=CONTINUE
+			eval ${chain}_policychain=$chain
+			ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
+		    fi
 		done
 	    fi
 	fi
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@ -658,6 +658,13 @@ dump_command() {
 	brctl show
    fi

+    if qt mywhich setkey; then
+	heading "PFKEY SPD"
+	setkey -DP
+	heading "PFKEY SAD"
+	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys 
+    fi
+
    heading "/proc"
    show_proc /proc/version
    show_proc /proc/sys/net/ipv4/ip_forward
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -46,7 +46,9 @@ Other Changes in 3.4.0 Final
    for a provider. This combination of options can lead to packets being
    dropped as 'martians'.

-None.
+2)  If the 'setkey' program is installed, then the IPSEC SPD and SAD
+    are displayed in the output of "shorewall[-lite] dump. All key
+    information (E: and A: lines) is suppressed in the command output.

 Migration Considerations: