holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow zone lists in the SOURCE and DEST columns of the policy files

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-09-10 08:47:48 -07:00
parent 3954636fb5
commit 2c90a8bfb5
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 43 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -628,21 +628,12 @@ sub handle_nfqueue( $$ ) {
#
# Process an entry in the policy file.
#
sub process_a_policy() {
sub process_a_policy1($$$$$$) {
our %validpolicies;
our @zonelist;
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $client eq '-';
fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
my $intrazone = $clientwild && $1;
@ -758,6 +749,29 @@ sub process_a_policy() {
}
}
sub process_a_policy() {
our %validpolicies;
our @zonelist;
my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $clients eq '-';
fatal_error 'DEST must be specified' if $servers eq '-';
fatal_error 'POLICY must be specified' if $policy eq '-';
for my $client ( split_list( $clients, 'zone' ) ) {
for my $server ( split_list( $servers, 'zone' ) ) {
process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
}
}
}
#
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
#

12
Shorewall/manpages/shorewall-policy.xml
View File

@ -35,7 +35,7 @@
<para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each
source/destination pair, the file is processed in order until a match is
found ("all" will match any client or server).</para>
found ("all" will match any source or destination).</para>
</important>
<important>
@ -61,7 +61,7 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis
<emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
@ -74,12 +74,15 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis
<emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
@ -95,6 +98,9 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem>
</varlistentry>

12
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -35,7 +35,7 @@
<para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall6/rules file . For each
source/destination pair, the file is processed in order until a match is
found ("all" will match any client or server).</para>
found ("all" will match any source or destination).</para>
</important>
<important>
@ -61,7 +61,7 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis
<emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
@ -74,12 +74,15 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis
<emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
@ -95,6 +98,9 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem>
</varlistentry>