holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Browse Source
This commit is contained in:
Tom Eastep 2016-09-10 08:48:48 -07:00
commit 7e32a10176
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 43 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -628,21 +628,12 @@ sub handle_nfqueue( $$ ) {
# #
# Process an entry in the policy file. # Process an entry in the policy file.
# #
sub process_a_policy() { sub process_a_policy1($$$$$$) {
our %validpolicies; our %validpolicies;
our @zonelist; our @zonelist;
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = @_;
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $client eq '-';
fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ ); my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
my $intrazone = $clientwild && $1; my $intrazone = $clientwild && $1;
@ -758,6 +749,29 @@ sub process_a_policy() {
} }
} }
sub process_a_policy() {
our %validpolicies;
our @zonelist;
my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $clients eq '-';
fatal_error 'DEST must be specified' if $servers eq '-';
fatal_error 'POLICY must be specified' if $policy eq '-';
for my $client ( split_list( $clients, 'zone' ) ) {
for my $server ( split_list( $servers, 'zone' ) ) {
process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit );
}
}
}
# #
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script # Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
# #

12
Shorewall/manpages/shorewall-policy.xml
View File

@ -35,7 +35,7 @@
<para>This file determines what to do with a new connection request if <para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each we don't get a match from the /etc/shorewall/rules file . For each
source/destination pair, the file is processed in order until a match is source/destination pair, the file is processed in order until a match is
found ("all" will match any client or server).</para> found ("all" will match any source or destination).</para>
</important> </important>
<important> <important>
@ -61,7 +61,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term> role="bold">all+</emphasis></term>
@ -74,12 +74,15 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+" not override the implicit intra-zone ACCEPT policy while "all+"
does.</para> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term> role="bold">all+</emphasis></term>
@ -95,6 +98,9 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+" not override the implicit intra-zone ACCEPT policy while "all+"
does.</para> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

12
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -35,7 +35,7 @@
<para>This file determines what to do with a new connection request if <para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall6/rules file . For each we don't get a match from the /etc/shorewall6/rules file . For each
source/destination pair, the file is processed in order until a match is source/destination pair, the file is processed in order until a match is
found ("all" will match any client or server).</para> found ("all" will match any source or destination).</para>
</important> </important>
<important> <important>
@ -61,7 +61,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term> role="bold">all+</emphasis></term>
@ -74,12 +74,15 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+" not override the implicit intra-zone ACCEPT policy while "all+"
does.</para> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>|<emphasis <emphasis>zone</emphasis>[,...]|<emphasis
role="bold">$FW</emphasis>|<emphasis role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term> role="bold">all+</emphasis></term>
@ -95,6 +98,9 @@
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+" not override the implicit intra-zone ACCEPT policy while "all+"
does.</para> does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>