Add intermediate input chain for complex zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-24 21:01:53 +00:00
parent 1a36e13f8c
commit 886ad1e547
3 changed files with 31 additions and 23 deletions


@ -1,9 +1,7 @@
Changes since 1.4.0 Changes since 1.4.1
1. Implement NONE policy. 1. Re-order steps in the 'check' command so that the policy file is
checked before the rules file.
2. Never create rules for <iface>:<subnet> to itself. 2. Create an intermediate chain for input from zones defined in terms
of specific hosts or networks.
3. Always allow intrazone traffic.
4. Correct building of ECN interface list under ash.
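Review bot: the new changelog item 2 describes the new chain as handling "input from zones", but the code in this commit names it `${zone}_frwd` and hooks it from `forward_chain $interface`, so it sits on the FORWARD path, not the INPUT path. Suggest wording it as "an intermediate forward chain for traffic from zones defined in terms of specific hosts or networks" so readers tracing rules with `iptables -L` look in the right place.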


@ -542,6 +542,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_constrained=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
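Review bot: the constrained test compares the host's subnet part against the literal string `0.0.0.0/0`, so any equivalent spelling of "all addresses" (for example `0/0`) would mark the zone constrained and route it through the new intermediate chain. That is harmless functionally but changes the rule layout depending on how the user typed the entry; either normalise the subnet before the comparison or document that `0.0.0.0/0` is the only form recognised as unconstrained.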
@ -3661,6 +3664,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval constrained=\$${zone}_is_constrained
if [ -n "$constrained" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
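Review bot: the new `${zone}_frwd` chain is created but, unlike `$chain1` and `$chain2` two lines below, is not recorded in `${STATEDIR}/chains`. If that file is what the rest of the code (and the `show`/`status` commands) use to enumerate Shorewall-created chains, the forward chain will be invisible there; add an `echo` for it alongside the other two, or note why it is intentionally omitted.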
@ -3678,6 +3688,8 @@ activate_rules()
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$constrained" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
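Review bot: the `[ -n "$constrained" ] && run_iptables ...` form is the last statement in the loop body, so for unconstrained zones the loop exits with a non-zero status from the failed test; harmless here, but for consistency with the `if [ -n "$constrained" ]; then ... fi` used in the hunk above, an `if` block is clearer and avoids a surprise if the status is ever checked. Also worth a comment that packets not matched inside `$frwd_chain` return to the interface forward chain and continue, which is what makes the shortcut safe.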
@ -3694,15 +3706,21 @@ activate_rules()
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
if [ -n "$constrained" ]; then
chain1=$frwd_chain
subnet=
else
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
subnet="-s ${host#*:}"
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ]; then if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 $subnet -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
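Review bot: in the constrained branch `subnet=` is emptied and `chain1=$frwd_chain`, so every iteration of the outer `for host in $source_hosts` loop now emits the identical rule `-A $frwd_chain -o $interface1 -d $subnet1 -j $chain` for each destination host. A zone defined by N hosts entries therefore gets N copies of each forward rule in its intermediate chain, which partly defeats the stated goal of reducing rules traversed. Suggest adding the rules for a constrained zone once (for example by breaking out of the outer loop after the first pass, or by iterating `$dest_hosts` outside the `$source_hosts` loop in that branch). Note also that the `"$host" != "$host1"` guard is still evaluated per source host, so the self-exclusion behaves differently across the copies.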


@ -1,19 +1,11 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
This release introduces incompatibilities with prior releases. See
http://www.shorewall.net/upgrade_issues.htm.
Changes are: Changes are:
a) There is now a new NONE policy specifiable in a) Where an entry in the/etc/shorewall/hosts file specifies a
/etc/shorewall/policy. This policy will cause Shorewall to assume that particular host or network, Shorewall now creates an intermediate
there will never be any traffic between the source and destination chain for handling input from the related zone. This can
zones. substantially reduce the number of rules traversed by connections
requests from such zones.
b) Shorewall no longer creates rules to govern traffic from an
interface:subnet to itself.
c) Intra-zone traffic is always accepted now (exception is (b)
above).. Intrazone policies and rules are no longer allowed.
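Review bot: two typos in the new release-notes text: "the/etc/shorewall/hosts" is missing a space after "the", and "connections requests" should read "connection requests". The removed paragraph (b)/(c) text also ends with a doubled period ("above).."), which is gone in the new version, so nothing to fix there.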