forked from extern/shorewall_code
Add IMPLICIT_CONTINUE option to shorewall.conf
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3723 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a37611bd46
commit
80e08e57e8
@ -2,6 +2,8 @@ Changes in 3.2.0 Beta 3
|
||||
|
||||
1) Correct handling of verbosity in the 'try' command.
|
||||
|
||||
2) Add IMPLICIT_CONTINUE option to shorewall.conf.
|
||||
|
||||
Changes in 3.2.0 Beta 2
|
||||
|
||||
1) Make "shorewall start -f" work correctly.
|
||||
|
@ -482,9 +482,11 @@ determine_zones()
|
||||
zone=${zone%:*}
|
||||
[ -n "$zone" ] || fatal_error "Invalid nested zone syntax: :$parents"
|
||||
parents=$(separate_list $parents)
|
||||
eval ${zone}_parents=\"$parents\"
|
||||
;;
|
||||
*)
|
||||
parents=
|
||||
eval ${zone}_parents=
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1449,6 +1451,7 @@ validate_policy()
|
||||
local policy
|
||||
local loglevel
|
||||
local synparams
|
||||
local parents
|
||||
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
@ -1467,6 +1470,26 @@ validate_policy()
|
||||
eval ${chain}_policy=ACCEPT
|
||||
eval ${chain}_policychain=$chain
|
||||
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
|
||||
|
||||
if [ -n "$IMPLICIT_CONTINUE" ]; then
|
||||
eval parents=\$${zone}_parents
|
||||
if [ -n "$parents" ]; then
|
||||
for zone1 in $ZONES $FW; do
|
||||
chain=${zone}2${zone1}
|
||||
eval ${chain}_is_policy=Yes
|
||||
eval ${chain}_is_optional=Yes
|
||||
eval ${chain}_policy=CONTINUE
|
||||
eval ${chain}_policychain=$chain
|
||||
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
|
||||
chain=${zone1}2${zone}
|
||||
eval ${chain}_is_policy=Yes
|
||||
eval ${chain}_is_optional=Yes
|
||||
eval ${chain}_policy=CONTINUE
|
||||
eval ${chain}_policychain=$chain
|
||||
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
strip_file policy
|
||||
@ -8928,6 +8951,7 @@ do_initialize() {
|
||||
SAVE_IPSETS=
|
||||
RESTOREFILE=
|
||||
MAPOLDACTIONS=
|
||||
IMPLICIT_CONTINUE=
|
||||
|
||||
OUTPUT=
|
||||
TMP_DIR=
|
||||
@ -9126,6 +9150,7 @@ do_initialize() {
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
|
@ -2956,6 +2956,7 @@ do_initialize() {
|
||||
SAVE_IPSETS=
|
||||
RESTOREFILE=
|
||||
MAPOLDACTIONS=
|
||||
IMPLICIT_CONTINUE=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
@ -3153,6 +3154,8 @@ do_initialize() {
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
|
||||
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
|
@ -18,6 +18,11 @@
|
||||
# entry in this file. The overriding entry must be explicit (cannot use
|
||||
# "all" in the SOURCE or DEST).
|
||||
#
|
||||
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
|
||||
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
|
||||
# CONTINUE policies may also be overridden by an explicit entry in this
|
||||
# file.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SOURCE Source zone. Must be the name of a zone defined
|
||||
|
@ -34,7 +34,39 @@ Problems Corrected in 3.2.0 Beta 3
|
||||
|
||||
Other changes in 3.2.0 Beta 2
|
||||
|
||||
None.
|
||||
2) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", it causes subzones to be treated differently
|
||||
with respect to policies.
|
||||
|
||||
Subzones are defined by following their name by ":" and a list of parent
|
||||
zones (in /etc/shorewall/zones). Normally, you want to have a set of
|
||||
special rules for the subzone and if a connection doesn't match any of
|
||||
those subzone-specific rules then you want the parent zone rules to be
|
||||
applied. with IMPLICIT_CONTINUE=Yes, that happens automatically.
|
||||
|
||||
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
|
||||
subzones are not subject to this special treatment.
|
||||
|
||||
With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
|
||||
by including an explicit policy (one that does not specify "all" in either
|
||||
the SOURCE or the DEST columns).
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
par ipv4
|
||||
chld:par ipv4
|
||||
|
||||
And traffic to/from the 'chld' zone will first pass through the applicable
|
||||
'chld' rules and if none of those rules match then it will be passed through
|
||||
the appropriate 'par' rules. If you want the fw->chld policy to be
|
||||
ACCEPT, simply add this entry to /etc/shorewall/policy:
|
||||
|
||||
$FW chld ACCEPT
|
||||
|
||||
Traffic from all other zones to 'chld' will be subject to the implicit
|
||||
CONTINUE policy.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -843,6 +843,24 @@ MAPOLDACTIONS=No
|
||||
|
||||
FASTACCEPT=No
|
||||
|
||||
#
|
||||
# Implicit CONTINUE policy for sub-zones
|
||||
#
|
||||
# When a zone is declared to be a subzone of one or more other zones, it
|
||||
# is typically the case that you want the rules for the parent zone(s) to
|
||||
# be applied to connections to/from the subzone that don't match any
|
||||
# subzone specific rules. That way, you don't have to duplicate the parent
|
||||
# zone's rules in order for them to also apply to the subzone(s). That is
|
||||
# the behavior with IMPLICIT_CONTINUE=Yes. If you don't want that behavior
|
||||
# and want the policies for the sub-zone to be determined by the standard
|
||||
# policy processing, set IMPLICIT_CONTINUE=No or IMPLICIT_CONTINUE=.
|
||||
#
|
||||
# Note that even with IMPLICIT_CONTINUE=Yes, you can override the implicit
|
||||
# CONTINUE policy for connections by adding an explicit policy (one that
|
||||
# does not contain "all" in either the SOURCE or DEST columns).
|
||||
|
||||
IMPLICIT_CONTINUE=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
@ -34,10 +34,13 @@
|
||||
# b ipv4
|
||||
# c:a,b ipv4
|
||||
#
|
||||
# Currently, Shorewall uses this information only to reorder the
|
||||
# Currently, Shorewall uses this information to reorder the
|
||||
# zone list so that parent zones appear after their subzones in
|
||||
# the list. In the future, Shorewall may make more extensive use
|
||||
# of that information.
|
||||
# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
|
||||
# also create implicit CONTINUE policies to/from the subzone.
|
||||
#
|
||||
# In the future, Shorewall may make additional use
|
||||
# of nesting information.
|
||||
#
|
||||
# TYPE ipv4 - This is the standard Shorewall zone type and is the
|
||||
# default if you leave this column empty or if you enter
|
||||
@ -79,7 +82,7 @@
|
||||
# strict Means that packets must match all rules.
|
||||
#
|
||||
# next Separates rules; can only be used with
|
||||
# strict..
|
||||
# strict
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
|
Loading…
Reference in New Issue
Block a user