Allow 'none' in /etc/shorewall/rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2057 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d92a3f2083
commit
88e48bec5a
@ -19,6 +19,8 @@ Changes in 2.2.4
|
||||
|
||||
8) Add '-v' option
|
||||
|
||||
9) Allow 'none' in /etc/shorewall/rules.
|
||||
|
||||
Changes in 2.2.3
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
|
@ -4588,7 +4588,7 @@ process_rules()
|
||||
}
|
||||
|
||||
do_it() {
|
||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
|
||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
@ -4596,13 +4596,13 @@ process_rules()
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
return
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
return
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
@ -4610,7 +4610,11 @@ process_rules()
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
expandv xtarget
|
||||
expandv xtarget xclients xservers
|
||||
|
||||
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
case "${xtarget%%:*}" in
|
||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||||
|
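Review bot: The new `none` guard tests `$servers`, but the variable populated by the `while read ... xservers ...` line above is `xservers`, so a rule with `none` in the DEST column is never skipped and `$servers` is an unrelated, probably unset, name at this point; the line should read `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then`. Because the guard runs after `expandv xtarget xclients xservers`, a shell variable that expands to `none` is covered, which matches the release-notes example, but only once the DEST side is fixed. The `-o` form of `test` is obsolescent in POSIX; `[ "x$xclients" = xnone ] || [ "x$xservers" = xnone ]` is the portable spelling if the script is ever run outside bash. The while-loop body and the enclosing process_rules() continue outside the hunk.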
@ -249,7 +249,7 @@ find_zones() # $1 = name of the zone file
|
||||
[ -n "$zone" ] && case "$zone" in
|
||||
\#*)
|
||||
;;
|
||||
$FW)
|
||||
$FW|all|none)
|
||||
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
|
@ -157,6 +157,19 @@ New Features in version 2.2.4
|
||||
MAC address in the log message (if any) to be displayed. As
|
||||
previously, when "-v" is omitted, the MAC address is suppressed.
|
||||
|
||||
7) In /etc/shorewall/rules, a value of 'none' in either the SOURCE or
|
||||
DEST columns now causes the rule to be ignored. This is most useful
|
||||
when used with shell variables:
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
AllowFTP $FTP_CLIENTS fw
|
||||
|
||||
When FTP_CLIENTS is set to 'none', the above rule is ignored.
|
||||
Otherwise, the rule is evaluated and generates iptables rules.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.3
|
||||
|
||||
|
@ -112,11 +112,14 @@
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
# firewall itself, "all" or "none" If the ACTION is DNAT or
|
||||
# REDIRECT, sub-zones of the specified zone may be
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST column,
|
||||
# the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
@ -157,7 +160,10 @@
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
# itself, "all" or "none".
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST column,
|
||||
# the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
|