Add IMPLICIT_CONTINUE option to shorewall.conf

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3723 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-03-24 00:05:09 +00:00
parent a37611bd46
commit 80e08e57e8
7 changed files with 94 additions and 6 deletions


@ -2,6 +2,8 @@ Changes in 3.2.0 Beta 3
1) Correct handling of verbosity in the 'try' command.
2) Add IMPLICIT_CONTINUE option to shorewall.conf.
Changes in 3.2.0 Beta 2
1) Make "shorewall start -f" work correctly.


@ -482,9 +482,11 @@ determine_zones()
zone=${zone%:*}
[ -n "$zone" ] || fatal_error "Invalid nested zone syntax: :$parents"
parents=$(separate_list $parents)
eval ${zone}_parents=\"$parents\"
;;
*)
parents=
eval ${zone}_parents=
;;
esac
@ -1449,6 +1451,7 @@ validate_policy()
local policy
local loglevel
local synparams
local parents
print_policy() # $1 = source zone, $2 = destination zone
{
@ -1467,6 +1470,26 @@ validate_policy()
eval ${chain}_policy=ACCEPT
eval ${chain}_policychain=$chain
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
if [ -n "$IMPLICIT_CONTINUE" ]; then
eval parents=\$${zone}_parents
if [ -n "$parents" ]; then
for zone1 in $ZONES $FW; do
chain=${zone}2${zone1}
eval ${chain}_is_policy=Yes
eval ${chain}_is_optional=Yes
eval ${chain}_policy=CONTINUE
eval ${chain}_policychain=$chain
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
chain=${zone1}2${zone}
eval ${chain}_is_policy=Yes
eval ${chain}_is_optional=Yes
eval ${chain}_policy=CONTINUE
eval ${chain}_policychain=$chain
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
done
fi
fi
done
strip_file policy
@ -8928,6 +8951,7 @@ do_initialize() {
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
OUTPUT=
TMP_DIR=
@ -9126,6 +9150,7 @@ do_initialize() {
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
case ${IPSECFILE:=ipsec} in
ipsec|zones)
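Review bot: In the validate_policy hunk at @ -1467, the loop `for zone1 in $ZONES $FW` visits `$zone` itself, and on that iteration `chain=${zone}2${zone1}` names the same chain the lines just above the new `if` set to ACCEPT, so the loop resets its policy to CONTINUE and appends it to ALL_POLICY_CHAINS twice more; adding `[ "$zone1" = "$zone" ] && continue` as the first line of the loop body keeps the intra-zone ACCEPT policy and avoids the duplicate entries. That the earlier `chain` is the intra-zone chain is inferred from the `eval ${chain}_policy=ACCEPT` lines at the top of the hunk; the assignment of `chain` and the enclosing `for zone` loop begin above the hunk. Sibling subzones are also visited from both sides of the outer loop, so `${zone}2${zone1}` and `${zone1}2${zone}` each land in ALL_POLICY_CHAINS once per zone, and whether later code tolerates duplicates cannot be seen here. `zone1` is assigned in the loop but, unlike the added `local parents` in the hunk at @ -1449, is not declared local at the top of the function.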


@ -2956,6 +2956,7 @@ do_initialize() {
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
RESTOREBASE=
TMP_DIR=
@ -3153,6 +3154,8 @@ do_initialize() {
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
case ${IPSECFILE:=ipsec} in
ipsec|zones)


@ -18,6 +18,11 @@
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
# CONTINUE policies may also be overridden by an explicit entry in this
# file.
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined


@ -34,7 +34,39 @@ Problems Corrected in 3.2.0 Beta 3
Other changes in 3.2.0 Beta 2
None.
2) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
this option is set to "Yes", it causes subzones to be treated differently
with respect to policies.
Subzones are defined by following their name by ":" and a list of parent
zones (in /etc/shorewall/zones). Normally, you want to have a set of
special rules for the subzone and if a connection doesn't match any of
those subzone-specific rules then you want the parent zone rules to be
applied. with IMPLICIT_CONTINUE=Yes, that happens automatically.
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment.
With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in either
the SOURCE or the DEST columns).
Example:
/etc/shorewall/zones:
par ipv4
chld:par ipv4
And traffic to/from the 'chld' zone will first pass through the applicable
'chld' rules and if none of those rules match then it will be passed through
the appropriate 'par' rules. If you want the fw->chld policy to be
ACCEPT, simply add this entry to /etc/shorewall/policy:
$FW chld ACCEPT
Traffic from all other zones to 'chld' will be subject to the implicit
CONTINUE policy.
Migration Considerations:


@ -843,6 +843,24 @@ MAPOLDACTIONS=No
FASTACCEPT=No
#
# Implicit CONTINUE policy for sub-zones
#
# When a zone is declared to be a subzone of one or more other zones, it
# is typically the case that you want the rules for the parent zone(s) to
# be applied to connections to/from the subzone that don't match any
# subzone specific rules. That way, you don't have to duplicate the parent
# zone's rules in order for them to also apply to the subzone(s). That is
# the behavior with IMPLICIT_CONTINUE=Yes. If you don't want that behavior
# and want the policies for the sub-zone to be determined by the standard
# policy processing, set IMPLICIT_CONTINUE=No or IMPLICIT_CONTINUE=.
#
# Note that even with IMPLICIT_CONTINUE=Yes, you can override the implicit
# CONTINUE policy for connections by adding an explicit policy (one that
# does not contain "all" in either the SOURCE or DEST columns).
IMPLICIT_CONTINUE=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
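Review bot: The shipped sample sets `IMPLICIT_CONTINUE=Yes`, whereas the compiler hunks in this commit derive the value with `added_param_value_no`, which by its name and the sibling FASTACCEPT line presumably yields No when the option is absent, so a fresh install and an upgrade that keeps its existing shorewall.conf get different subzone policy behavior. The comment block above the setting describes both values but not which one applies when the option is missing; a line such as `# Default when the option is absent from this file: No` above `IMPLICIT_CONTINUE=Yes` would make the gap visible. The release notes hunk ends just before its Migration Considerations section, which is the natural place to state the same point for upgraders.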


@ -34,10 +34,13 @@
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information only to reorder the
# Currently, Shorewall uses this information to reorder the
# zone list so that parent zones appear after their subzones in
# the list. In the future, Shorewall may make more extensive use
# of that information.
# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
# also create implicit CONTINUE policies to/from the subzone.
#
# In the future, Shorewall may make additional use
# of nesting information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
@ -79,7 +82,7 @@
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
# strict
#
# Example:
# mode=transport,reqid=44