holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Correct handling of 'complex' zones

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-10-21 15:03:02 +00:00
parent 20a23dc925
commit bb55ad3128
3 changed files with 59 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
STABLE/changelog.txt
View File

@ -9,3 +9,5 @@ Changes since 1.4.7
3) Fix error handling after "Unable to determine the routes..." 3) Fix error handling after "Unable to determine the routes..."
4) Corrected handling of LOGUNCLEAN. 4) Corrected handling of LOGUNCLEAN.
5) Corrected handling of "complex" zones.

63
STABLE/firewall
View File

@ -2315,6 +2315,26 @@ add_a_rule()
{ {
local natrule= local natrule=
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2369,24 +2389,11 @@ add_a_rule()
[ x$cport = x- ] && cport= [ x$cport = x- ] && cport=
case $proto in case $proto in
tcp|udp|TCP|UDP|6|17) tcp|TCP|6)
if [ -n "$port" ]; then do_ports
dports="--dport" ;;
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then udp|UDP|17)
multiport="$multioption" do_ports
dports="--dports"
fi
dports="$dports $port"
fi
if [ -n "$cport" ]; then
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sports"
fi
sports="$sports $cport"
fi
;; ;;
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && dports="--icmp-type $port" [ -n "$port" ] && dports="--icmp-type $port"
@ -4385,6 +4392,7 @@ activate_rules()
[ -n "$complex" ] && \ [ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -4405,14 +4413,24 @@ activate_rules()
routeback= routeback=
fi fi
if [ -n "$complex" ]; then
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if list_search $host1 $source_hosts && ! list_search $host1 $routeback; then
if [ `list_count $source_hosts` -gt 1 ]; then
run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain
fi
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
done
else
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
if [ -n "$complex" ]; then
chain1=$frwd_chain
else
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
@ -4423,6 +4441,7 @@ activate_rules()
fi fi
done done
done done
fi
done done
done done

7
STABLE/releasenotes.txt
View File

@ -26,6 +26,13 @@ Problems Corrected since version 1.4.6:
4) Handling of the LOGUNCLEAN option in shorewall.conf has been 4) Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected. corrected.
5) In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "<zone>_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant
rules and that the "optimization" turns out to be less than
optimal. The implementation has now been corrected.
Migration Issues: Migration Issues:
None. None.