From bf8c38e054b97577e65756f17f97adb89fd6d94a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 10 Nov 2009 14:12:55 -0800 Subject: [PATCH] Add ZONE2ZONE option to shorewall.conf --- Samples/one-interface/shorewall.conf | 2 ++ Samples/three-interfaces/shorewall.conf | 2 ++ Samples/two-interfaces/shorewall.conf | 2 ++ Samples6/one-interface/shorewall6.conf | 2 ++ Samples6/three-interfaces/shorewall6.conf | 2 ++ Samples6/two-interfaces/shorewall6.conf | 2 ++ Shorewall/Perl/Shorewall/Chains.pm | 22 +++++++++++++++------- Shorewall/Perl/Shorewall/Config.pm | 14 +++++++++++--- Shorewall/Perl/Shorewall/Policy.pm | 20 ++++++++++---------- Shorewall/Perl/Shorewall/Rules.pm | 14 +++++++------- Shorewall/Perl/Shorewall/Tunnels.pm | 8 ++++---- Shorewall/Perl/Shorewall/Zones.pm | 3 +-- Shorewall/changelog.txt | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/releasenotes.txt | 15 +++++++++++++++ Shorewall6/shorewall6.conf | 2 ++ manpages/shorewall.conf.xml | 11 +++++++++++ manpages6/shorewall6.conf.xml | 11 +++++++++++ 18 files changed, 103 insertions(+), 33 deletions(-)
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 4c0d234ab..0092e1822 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index 3d2256bea..3aa82142f 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 3bfb589be..7176b1178 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -200,6 +200,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index eafb77a0a..74ac280df 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index a1576f5c9..eef2ff494 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index 6d369784f..2f71b9fbb 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes TRACK_PROVIDERS=Yes +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f7767371b..e25dc28b3 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -85,6 +85,7 @@ our %EXPORT_TAGS = ( decr_cmd_level chain_base forward_chain + canonical_chain zone_forward_chain use_forward_chain input_chain
@@ -667,6 +668,13 @@ sub chain_base($) { $chain; } +# +# Name of canonical chain +# +sub canonical_chain ($$) { + join "$config{ZONE2ZONE}", @_; +} + # # Forward Chain for an interface #
@@ -756,7 +764,7 @@ sub use_input_chain($) { # # Use the '2fw' chain if it is referenced. # - $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )}; + $chainref = $filter_table->{canonical_chain( $zone, firewall_zone )}; ! ( $chainref->{referenced} || $chainref->{is_policy} ) }
@@ -800,7 +808,7 @@ sub use_output_chain($) { # # Use the 'fw2' chain if it is referenced. # - $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; + $chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )}; ! ( $chainref->{referenced} || $chainref->{is_policy} ) }
@@ -1172,7 +1180,7 @@ sub finish_section ( $ ) { for my $zone ( all_zones ) { for my $zone1 ( all_zones ) { - my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; + my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )}; finish_chain_section $chainref, $sections if $chainref->{referenced}; } }
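Review bot: The new `canonical_chain` in the Chains.pm hunk at line 668 is documented only as `# Name of canonical chain`, yet every zone-pair chain lookup in Chains.pm, Policy.pm, Rules.pm and Tunnels.pm now routes through it, so the comment should state the contract: `# Name of the chain between two zones (or 'all'), joined by $config{ZONE2ZONE}; get_configuration() must have defaulted that option before this is called.` The last clause matters because the Config.pm hunks set `ZONE2ZONE => undef` in initialize() and only get_configuration() supplies the `2` default, so an earlier call would join on an undefined separator (an uninitialized-value warning at most) and produce a name like `fwnet` that nothing else looks up. The quoting in `join "$config{ZONE2ZONE}", @_;` stringifies a plain scalar for no effect; `join $config{ZONE2ZONE}, @_;` is the ordinary form.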
@@ -1199,12 +1207,12 @@ sub set_mss( $$$ ) { for my $z ( all_zones ) { if ( $direction eq '_in' ) { - set_mss1 "${zone}2${z}" , $mss; + set_mss1 canonical_chain( ${zone}, ${z} ) , $mss; } elsif ( $direction eq '_out' ) { - set_mss1 "${z}2${zone}", $mss; + set_mss1 canonical_chain( ${z}, ${zone} ) , $mss; } else { - set_mss1 "${z}2${zone}", $mss; - set_mss1 "${zone}2${z}", $mss; + set_mss1 canonical_chain( ${z}, ${zone} ) , $mss; + set_mss1 canonical_chain( ${zone}, ${z} ) , $mss; } } }
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 231160897..58a70e2a3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -441,6 +441,7 @@ sub initialize( $ ) { WIDE_TC_MARKS => undef, TRACK_PROVIDERS => undef, LOGICAL_NAMES => undef, + ZONE2ZONE => undef, # # Packet Disposition #
@@ -549,6 +550,7 @@ sub initialize( $ ) { WIDE_TC_MARKS => undef, TRACK_PROVIDERS => undef, LOGICAL_NAMES => undef, + ZONE2ZONE => undef, # # Packet Disposition #
@@ -2411,9 +2413,17 @@ sub get_configuration( $ ) { default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'LOGICAL_NAMES' , ''; + my $val; + + if ( defined ( $val = $config{ZONE2ZONE} ) ) { + fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/; + } else { + $config{ZONE2ZONE} = '2'; + } + $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; - default 'BLACKLIST_DISPOSITION' , 'DROP'; + default 'BLACKLIST_DISPOSITION' , 'DROP'; default_log_level 'BLACKLIST_LOGLEVEL', ''; default_log_level 'MACLIST_LOG_LEVEL', '';
@@ -2425,8 +2435,6 @@ sub get_configuration( $ ) { default_log_level 'SMURF_LOG_LEVEL', ''; default_log_level 'LOGALLNEW', ''; - my $val; - $globals{MACLIST_TARGET} = 'reject'; if ( $val = $config{MACLIST_DISPOSITION} ) {
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 15fa1e7b0..b1eb604d3 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
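Review bot: The `${zone}`/`${z}` spelling in the `canonical_chain( ${zone}, ${z} )` calls of the set_mss hunk is a leftover of the old `"${zone}2${z}"` interpolation; outside a double-quoted string the braces do nothing, and `set_mss1 canonical_chain( $zone, $z ), $mss;` reads as ordinary Perl. The same carry-over appears in the Policy.pm, Rules.pm and Tunnels.pm hunks (`${source}, ${dest}`, `${client}, ${server}`, `${fw}, ${fw}`, `${zone}, ${fw}` and so on) and could be cleaned up in one pass rather than left as a puzzle for the next reader.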
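Review bot: In the get_configuration hunk an explicitly empty setting (`ZONE2ZONE=` in shorewall.conf) is defined, so it reaches the regex and is rejected as invalid instead of falling back to `2`, which is presumably not intended given that the neighbouring options go through `default`/`default_yes_no`. If `default` treats an empty value as unset (its body is not in this diff), `default 'ZONE2ZONE', '2';` followed by `fatal_error "Invalid ZONE2ZONE value ( $config{ZONE2ZONE} )" unless $config{ZONE2ZONE} =~ /^[2-]$/;` is the consistent form; otherwise extend the test to `if ( defined ( $val = $config{ZONE2ZONE} ) && $val ne '' )`. A one-line comment here noting that the accepted separators are also spelled out by hand in the Policy.pm and Rules.pm chain-name regexes would help keep the three in step.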
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -68,7 +68,7 @@ sub new_policy_chain($$$$) { my ($source, $dest, $policy, $optional) = @_; - my $chainref = new_chain( 'filter', "${source}2${dest}" ); + my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) ); convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
@@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 }; sub add_or_modify_policy_chain( $$ ) { my ( $zone, $zone1 ) = @_; - my $chain = "${zone}2${zone1}"; + my $chain = canonical_chain( ${zone}, ${zone1} ); my $chainref = $filter_table->{$chain}; if ( $chainref ) {
@@ -211,7 +211,7 @@ sub process_a_policy() { } } - my $chain = "${client}2${server}"; + my $chain = canonical_chain( ${client}, ${server} ); my $chainref; if ( defined $filter_table->{$chain} ) {
@@ -252,19 +252,19 @@ sub process_a_policy() { if ( $serverwild ) { for my $zone ( @zonelist ) { for my $zone1 ( @zonelist ) { - set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy; + set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy; print_policy $zone, $zone1, $policy, $chain; } } } else { for my $zone ( all_zones ) { - set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy; + set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy; print_policy $zone, $server, $policy, $chain; } } } elsif ( $serverwild ) { for my $zone ( @zonelist ) { - set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; + set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy; print_policy $client, $zone, $policy, $chain; }
@@ -334,7 +334,7 @@ sub validate_policy() for $zone ( all_zones ) { for my $zone1 ( all_zones ) { - fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy}; + fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy}; } } }
@@ -409,7 +409,7 @@ sub apply_policy_rules() { ensure_filter_chain $name, 1; } - if ( $name =~ /^all2|2all$/ ) { + if ( $name =~ /^all2|2all$|^all-|-all$/ ) { run_user_exit $chainref; policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; }
@@ -418,7 +418,7 @@ sub apply_policy_rules() { for my $zone ( all_zones ) { for my $zone1 ( all_zones ) { - my $chainref = $filter_table->{"${zone}2${zone1}"}; + my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )}; if ( $chainref->{referenced} ) { run_user_exit $chainref;
@@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) { run_user_exit $stdchainref; - my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all}; + my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) }; my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} ); my $policychainref;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 53094a73c..e9a923686 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { } } - $chain = "${sourcezone}2${destzone}"; + $chain = canonical_chain( ${sourcezone}, ${destzone} ); $chainref = ensure_chain 'filter', $chain; $policy = $chainref->{policy};
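Review bot: The rewritten test `if ( $name =~ /^all2|2all$|^all-|-all$/ )` in the apply_policy_rules hunk enumerates both separators by hand instead of using the one in force, so whichever separator is not configured still matches chain names that merely happen to contain `all` next to that character, and the list must be edited again if Config.pm ever accepts another value. Deriving it from the option, `if ( $name =~ /^all\Q$config{ZONE2ZONE}\E|\Q$config{ZONE2ZONE}\Eall$/ )`, matches exactly the names canonical_chain can produce. The Rules.pm generate_matrix hunk at line 1924 has the same problem in a worse form: `/(2all|-all|_all)$/` admits `_`, which Config.pm does not accept, so with the default separator an ordinary zone whose name ends in `_all` (underscores appear to be legal in zone names, though the validation is not in this diff) would be mistaken for a to-all chain and disturb the `$last_chain`/`@dest_zones` bookkeeping; `if ( $chain =~ /\Q$config{ZONE2ZONE}\Eall$/ )` fixes both, assuming %config is imported there as it is in Policy.pm.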
@@ -1619,7 +1619,7 @@ sub add_interface_jumps { # Loopback # my $fw = firewall_zone; - my $chainref = $filter_table->{"${fw}2${fw}"}; + my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )}; add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1643,7 +1643,7 @@ sub generate_matrix() { # sub rules_target( $$ ) { my ( $zone, $zone1 ) = @_; - my $chain = "${zone}2${zone1}"; + my $chain = canonical_chain( ${zone}, ${zone1} ); my $chainref = $filter_table->{$chain}; return $chain if $chainref && $chainref->{referenced};
@@ -1776,7 +1776,7 @@ sub generate_matrix() { if ( $parenthasnat || $parenthasnotrack ) { for my $zone1 ( all_zones ) { - if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) { + if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) { # # This zone has a continue policy to another zone. We must # send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1908,7 +1908,7 @@ sub generate_matrix() { for my $zone1 ( @zones ) { my $zone1ref = find_zone( $zone1 ); - my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; + my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy}; next if $policy eq 'NONE';
@@ -1924,7 +1924,7 @@ sub generate_matrix() { next unless $zoneref->{bridge} eq $zone1ref->{bridge}; } - if ( $chain =~ /2all$/ ) { + if ( $chain =~ /(2all|-all|_all)$/ ) { if ( $chain ne $last_chain ) { $last_chain = $chain; push @dest_zones, @temp_zones;
@@ -1958,7 +1958,7 @@ sub generate_matrix() { for my $zone1 ( @dest_zones ) { my $zone1ref = find_zone( $zone1 ); - next if $filter_table->{"${zone}2${zone1}"}->{policy} eq 'NONE'; + next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; my $chain = rules_target $zone, $zone1;
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm
index 43403cb2b..3802ab571 100644
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -83,8 +83,8 @@ sub setup_tunnels() { for my $zone ( split_list $gatewayzones, 'zone' ) { my $type = zone_type( $zone ); fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT; - $inchainref = ensure_filter_chain "${zone}2${fw}", 1; - $outchainref = ensure_filter_chain "${fw}2${zone}", 1; + $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1; + $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1; unless ( $capabilities{POLICY_MATCH} ) { add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() { fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT; - my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; - my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; + my $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1; + my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1; $gateway = ALLIP if $gateway eq '-';
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 353fd14a5..889ac30ba 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -904,8 +904,7 @@ sub process_interface( $ ) { } $physical{$value} = 1; - my $wildphy = $value =~ /\+$/ ? 1 : 0; - fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" unless $wildphy == $wildcard; + fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/; $physical = $value; } else { assert(0);
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index dc1a36bad..68eb0e104 100644
--- a/Shorewall/changelog.txt
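Review bot: The replacement condition in the Zones.pm process_interface hunk, `if $wildcard && ! $value =~ /\+$/`, can never be true: `!` binds tighter than `=~`, so Perl evaluates `(! $value) =~ /\+$/`, matching the pattern against `''` or `1`, which always fails. The release-note text added in this same commit says a wildcard logical name requires a wildcard physical name, but as written that rule is not enforced, the mismatch the old `$wildphy == $wildcard` test rejected now passes silently, and the physical name that ends up in the generated rules then lacks the `+` the logical name implied, presumably matching fewer interfaces than the configuration intends. Use the negated match operator: `fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && $value !~ /\+$/;`. process_interface starts and ends outside the hunk.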
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in Shorewall 4.4.4 5) Implement 'physical' interface option. +6) Implement ZONE2ZONE option. + Changes in Shorewall 4.4.3 1) Move Debian INITLOG initialization to /etc/default/shorewall
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 952f83a19..66ccd5ae8 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -191,6 +191,8 @@ WIDE_TC_MARKS=No TRACK_PROVIDERS=No +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a03eba14b..848f2120a 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -246,6 +246,21 @@ None. If you need to refer to a particular port on br1 (for example p1023), you write it as y1023; Shorewall will translate that name to p1023 when needed. + + As shown in the above example, It is allowed to have a physical + name ending in '+' with a logical name that does not end with '+'. + The reverse is not allowed; that is, if the logical name ends in + '+' then the physical name must also end in '+'. + +4) Previously, Shorewall has used the character '2' to form the name + of chains involving zones and/or the word 'all' (e.g., fw2net, + all2all). When zones names are given numeric suffixes, these + generated names are hard to read (e.g., foo1232bar). To make these + names clearer, a ZONE2ZONE option has been added. + + ZONE2ZONE has a default value of "2" but can also be given the + value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate + the two parts of the name with a hyphen (e.g., foo123-bar). ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index 768889e8d..d423dad2c 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -147,6 +147,8 @@ WIDE_TC_MARKS=No TRACK_PROVIDERS=No +ZONE2ZONE=2 + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 15593fb8c..55927100d 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -1574,6 +1574,17 @@ net all DROP infothen the chain name is 'net2all' option (see above). + + + ZONE2ZONE={|} + + + Added in Shorewall 4.4.4. This option determines how Shorewall + constructs chain names involving zone names and/or 'all'. The + default is '2' (e.g., fw2net). + +
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index dcb90510c..8a367444b 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -1218,6 +1218,17 @@ net all DROP infothen the chain name is 'net2all' option (see above). + + + ZONE2ZONE={|} + + + Added in Shorewall 4.4.4. This option determines how Shorewall + constructs chain names involving zone names and/or 'all'. The + default is '2' (e.g., fw2net). + +