Allow 'none' in /etc/shorewall/rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2057 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-04-17 00:35:43 +00:00
parent d92a3f2083
commit 88e48bec5a
5 changed files with 32 additions and 7 deletions


@ -19,6 +19,8 @@ Changes in 2.2.4
8) Add '-v' option
9) Allow 'none' in /etc/shorewall/rules.
Changes in 2.2.3
1) Added the 'continue' extension script.


@ -4588,7 +4588,7 @@ process_rules()
}
do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
expandv xprotocol xports xcports xaddress xratelimit xuserspec
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@ -4596,13 +4596,13 @@ process_rules()
xservers="$zones $FW"
fi
process_wildcard_rule
continue
return
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
return
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@ -4610,7 +4610,11 @@ process_rules()
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
expandv xtarget
expandv xtarget xclients xservers
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
continue
fi
case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
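Review bot: The DEST-side check in the new `if [ "x$xclients" = xnone -o "x$servers" = xnone ]` line tests `$servers`, but the `while read` just above it stores that column in `xservers`, so a rule whose DEST column is 'none' is never skipped and still generates iptables rules — the opposite of what the release notes on this page describe, and a rule an administrator meant to disable this way stays active. Because `servers` is simply unset, the expansion is silently empty and nothing flags the mistake at run time. The line should read `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then` (or, avoiding the ambiguous `-o`, `if [ "x$xclients" = xnone ] || [ "x$xservers" = xnone ]; then`). process_rules() begins and ends outside this hunk; the do_it() changes in the first two hunks of this file are not affected by the typo.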


@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW)
$FW|all|none)
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)


@ -157,6 +157,19 @@ New Features in version 2.2.4
MAC address in the log message (if any) to be displayed. As
previously, when "-v" is omitted, the MAC address is suppressed.
7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
DEST columns now causes the rule to be ignored. This is most useful
when used with shell variables:
Example:
/etc/shorewall/rules:
AllowFTP $FTP_CLIENTS fw
When FTP_CLIENTS is set to 'none', the above rule is ignored.
Otherwise, the rule is evaluated and generates iptables rules.
-----------------------------------------------------------------------
Problems corrected in version 2.2.3


@ -112,11 +112,14 @@
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
@ -157,7 +160,10 @@
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add