Add ZONE2ZONE option to shorewall.conf

2009-11-10 14:12:55 -08:00 · 2009-11-10 14:12:55 -08:00 · bf8c38e054
commit bf8c38e054
parent 7120a73f0e
18 changed files with 103 additions and 33 deletions
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@ -193,6 +193,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@ -200,6 +200,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@ -141,6 +141,8 @@ WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -85,6 +85,7 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base
 				       forward_chain
 				       canonical_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@ -667,6 +668,13 @@ sub chain_base($) {
    $chain;
 }
 #
 # Name of canonical chain
 #
 sub canonical_chain ($$) {
    join "$config{ZONE2ZONE}", @_;
 }
 #
 # Forward Chain for an interface
 #
@ -756,7 +764,7 @@ sub use_input_chain($) {
    #
    # Use the '<zone>2fw' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
+    $chainref = $filter_table->{canonical_chain( $zone, firewall_zone )};
    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@ -800,7 +808,7 @@ sub use_output_chain($) {
    #
    # Use the 'fw2<zone>' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
+    $chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )};
    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@ -1172,7 +1180,7 @@ sub finish_section ( $ ) {
    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
+	    my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
    }
@ -1199,12 +1207,12 @@ sub set_mss( $$$ ) {
    for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 "${zone}2${z}" , $mss;
+	    set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
 	} else {
-	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
-	    set_mss1 "${zone}2${z}", $mss;
+	    set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -441,6 +441,7 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      LOGICAL_NAMES => undef,
 	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -549,6 +550,7 @@ sub initialize( $ ) {
 	      WIDE_TC_MARKS => undef,
 	      TRACK_PROVIDERS => undef,
 	      LOGICAL_NAMES => undef,
 	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -2411,9 +2413,17 @@ sub get_configuration( $ ) {
    default_yes_no 'TRACK_PROVIDERS'            , '';
    default_yes_no 'LOGICAL_NAMES'              , '';
    my $val;
    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
    } else {
 	$config{ZONE2ZONE} = '2';
    }
    $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
-    default 'BLACKLIST_DISPOSITION'             , 'DROP';
+    default 'BLACKLIST_DISPOSITION'    , 'DROP';
    default_log_level 'BLACKLIST_LOGLEVEL',  '';
    default_log_level 'MACLIST_LOG_LEVEL',   '';
@ -2425,8 +2435,6 @@ sub get_configuration( $ ) {
    default_log_level 'SMURF_LOG_LEVEL',     '';
    default_log_level 'LOGALLNEW',           '';
    my $val;
    $globals{MACLIST_TARGET} = 'reject';
    if ( $val = $config{MACLIST_DISPOSITION} ) {
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
 {
    my ($source, $dest, $policy, $optional) = @_;
-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) );
    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = canonical_chain( ${zone}, ${zone1} );
    my $chainref = $filter_table->{$chain};
    if ( $chainref ) {
@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
    }
-    my $chain = "${client}2${server}";
+    my $chain = canonical_chain( ${client}, ${server} );
    my $chainref;
    if ( defined $filter_table->{$chain} ) {
@ -252,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
@ -334,7 +334,7 @@ sub validate_policy()
    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy};
 	}
    }
 }
@ -409,7 +409,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }
-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all2|2all$|^all-|-all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@ -418,7 +418,7 @@ sub apply_policy_rules() {
    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )};
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
    run_user_exit $stdchainref;
-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
-	$chain    = "${sourcezone}2${destzone}";
+	$chain    = canonical_chain( ${sourcezone}, ${destzone} );
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
@ -1619,7 +1619,7 @@ sub add_interface_jumps {
    # Loopback
    #
    my $fw = firewall_zone;
-    my $chainref = $filter_table->{"${fw}2${fw}"};
+    my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )};
    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@ -1643,7 +1643,7 @@ sub generate_matrix() {
    #
    sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = "${zone}2${zone1}";
+	my $chain = canonical_chain( ${zone}, ${zone1} );
 	my $chainref = $filter_table->{$chain};
 	return $chain   if $chainref && $chainref->{referenced};
@ -1776,7 +1776,7 @@ sub generate_matrix() {
 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@ -1908,7 +1908,7 @@ sub generate_matrix() {
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
+		my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy};
 		next if $policy eq 'NONE';
@ -1924,7 +1924,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
-		if ( $chain =~ /2all$/ ) {
+		if ( $chain =~ /(2all|-all|_all)$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@ -1958,7 +1958,7 @@ sub generate_matrix() {
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
-	    next if $filter_table->{"${zone}2${zone1}"}->{policy}  eq 'NONE';
+	    next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
 	    my $chain = rules_target $zone, $zone1;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+		$inchainref  = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@ -239,8 +239,8 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+	my $inchainref  = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
 	$gateway = ALLIP if $gateway eq '-';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -904,8 +904,7 @@ sub process_interface( $ ) {
 		    }
 		    $physical{$value} = 1;
-		    my $wildphy = $value =~ /\+$/ ? 1 : 0;
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" unless $wildphy == $wildcard;
 		    $physical = $value;
 		} else {
 		    assert(0);
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -10,6 +10,8 @@ Changes in Shorewall 4.4.4
 5)  Implement 'physical' interface option.
 6)  Implement ZONE2ZONE option.
 Changes in Shorewall 4.4.3
 1)  Move Debian INITLOG initialization to /etc/default/shorewall
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -191,6 +191,8 @@ WIDE_TC_MARKS=No
 TRACK_PROVIDERS=No
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -246,6 +246,21 @@ None.
    If you need to refer to a particular port on br1 (for example
    p1023), you write it as y1023; Shorewall will translate that name
    to p1023 when needed.
    As shown in the above example, It is allowed to have a physical
    name ending in '+' with a logical name that does not end with '+'.
    The reverse is not allowed; that is, if the logical name ends in
    '+' then the physical name must also end in '+'.
 4)  Previously, Shorewall has used the character '2' to form the name
    of chains involving zones and/or the word 'all' (e.g., fw2net,
    all2all). When zones names are given numeric suffixes, these
    generated names are hard to read (e.g., foo1232bar). To make these
    names clearer, a ZONE2ZONE option has been added.
    ZONE2ZONE has a default value of "2" but can also be given the
    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
    the two parts of the name with a hyphen (e.g., foo123-bar).
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 0
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@ -147,6 +147,8 @@ WIDE_TC_MARKS=No
 TRACK_PROVIDERS=No
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -1574,6 +1574,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          option (see above).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
        <listitem>
          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
          constructs chain names involving zone names and/or 'all'. The
          default is '2' (e.g., fw2net).</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@ -1218,6 +1218,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          option (see above).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">ZONE2ZONE</emphasis>={<option>2</option>|<option>-</option>}</term>
        <listitem>
          <para>Added in Shorewall 4.4.4. This option determines how Shorewall
          constructs chain names involving zone names and/or 'all'. The
          default is '2' (e.g., fw2net).</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>