Fix NONE policy validation and 'routeback' for wildcard interfaces
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e147813da0
commit
80981e802e
@ -33,3 +33,8 @@ Changes since 1.4.7
|
||||
|
||||
14) Corrected handling of /32 addresses with broadcast in maclist
|
||||
processing.
|
||||
|
||||
15) Generate error for NONE policy where source or destination zone is
|
||||
the firewall itself.
|
||||
|
||||
16) Fix 'routeback' for wildcard interfaces.
|
@ -636,11 +636,11 @@ validate_interfaces_file() {
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
options=`separate_list $options`
|
||||
interface=`chain_base $interface`
|
||||
iface=`chain_base $interface`
|
||||
|
||||
eval ${interface}_broadcast="$subnet"
|
||||
eval ${interface}_zone="$z"
|
||||
eval ${interface}_options=\"$options\"
|
||||
eval ${iface}_broadcast="$subnet"
|
||||
eval ${iface}_zone="$z"
|
||||
eval ${iface}_options=\"$options\"
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
@ -763,7 +763,14 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE|NONE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
;;
|
||||
NONE)
|
||||
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
||||
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
|
||||
|
||||
[ -n "$clientwild" -o -n "$serverwild" ] && \
|
||||
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid policy $policy"
|
||||
@ -781,8 +788,6 @@ validate_policy()
|
||||
|
||||
[ "x$loglevel" = "x-" ] && loglevel=
|
||||
|
||||
chain=${client}2${server}
|
||||
|
||||
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
|
||||
|
||||
eval ${chain}_is_policy=Yes
|
||||
|
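Review bot: The new NONE branch in validate_policy (hunk at 763) guards on `$clientwild`/`$serverwild`, but both flags are assigned outside this hunk; if that assignment happens later in the function than this case statement, the second guard can never fire and a NONE policy written with "all" would still be accepted. Confirm the ordering, or move the wildcard test below the point where the flags are set. A why-comment above the `NONE)` arm would help the next maintainer, e.g. `# NONE suppresses rule generation, so it is invalid for traffic to/from $FW and for "all"`. In the validate_interfaces_file hunk (at 636), the switch to `iface` for the eval'd variable names appears to be what keeps `$interface` unmangled for later use; a one-line comment there saying so, `# keep $interface as written (may be a wildcard); chain_base form is only for variable names`, would make the intent explicit. Both functions start and end outside their hunks.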
@ -43,7 +43,9 @@
|
||||
# with this SOURCE and DEST in the
|
||||
# /etc/shorewall/rules file. If such a
|
||||
# packet _is_ received, the result is
|
||||
# undefined.
|
||||
# undefined. NONE may not be used if the
|
||||
# SOURCE or DEST columns contain the
|
||||
# firewall zone ($FW) or "all".
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
|
@ -59,6 +59,17 @@ Problems Corrected since version 1.4.7:
|
||||
address with a broadcast address then an error would occur during
|
||||
startup.
|
||||
|
||||
11) The NONE policy's intended use is to suppress the generating of
|
||||
rules that can't possibly be traversed. This means that a policy of
|
||||
NONE is inappropriate where the source or destination zone is
|
||||
$FW. Shorewall now generates an error message if such a policy is
|
||||
given in /etc/shorewall/policy. Previously such a policy caused
|
||||
"shorewall start" to fail.
|
||||
|
||||
12) The 'routeback' option was broken for wildcard interfaces (e.g.,
|
||||
"tun+"). This has been corrected so that 'routeback' now works as
|
||||
expected in this case.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
1. The definition of the ROUTE_FILTER option in shorewall.conf has
|
||||
|