holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Don't allow fowarding between local zones.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-05-28 06:14:44 -07:00
parent 8743b64e00
commit a48a4b7a2e
4 changed files with 11 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -2179,7 +2179,7 @@ sub generate_matrix() {
} # Interface Loop
} #Type Loop
next if $type == LOOPBACK;
next if $type & ( LOOPBACK | LOCAL );
if ( $frwd_ref ) {
#
@ -2203,10 +2203,7 @@ sub generate_matrix() {
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
next if $type1 == LOOPBACK;
next if $type == LOCAL && $type1 != LOCAL;
next if $type1 == LOCAL && $type != LOCAL;
next if $type1 & ( LOOPBACK | LOCAL );
my $chain = rules_target $zone, $zone1;

9
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2448,10 +2448,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
if ( $destref ) {
warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" ) if $sourceref->{type} == LOOPBACK && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER | LOCAL) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER | LOCAL) );
warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" ) if $sourceref->{type} == LOOPBACK && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
warning_message( "\$FW to \$FW rules are ignored when there is a defined 'loopback' zone" ) if loopback_zones && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL;
}
}

5
Shorewall/manpages/shorewall-zones.xml
View File

@ -259,9 +259,8 @@ c:a,b ipv4</programlisting>
role="bold">local</emphasis> is the same as <emphasis
role="bold">ipv4</emphasis> with the exception that the zone
is only accessible from the <emphasis
role="bold">firewall</emphasis>, <emphasis
role="bold">vserver</emphasis> and other <emphasis
role="bold">local</emphasis> zones.</para>
role="bold">firewall</emphasis> and <emphasis
role="bold">vserver</emphasis> zones.</para>
</listitem>
</varlistentry>
</variablelist>

5
Shorewall6/manpages/shorewall6-zones.xml
View File

@ -257,9 +257,8 @@ c:a,b ipv6</programlisting>
role="bold">local</emphasis> is the same as <emphasis
role="bold">ipv6</emphasis> with the exception that the zone
is only accessible from the <emphasis
role="bold">firewall</emphasis>, <emphasis
role="bold">vserver</emphasis> and other <emphasis
role="bold">local</emphasis> zones.</para>
role="bold">firewall</emphasis> and <emphasis
role="bold">vserver</emphasis> zones.</para>
</listitem>
</varlistentry>
</variablelist>