Allow specific policy to supersede an expanded one

2009-11-21 13:56:40 -08:00 · 2009-11-21 13:56:40 -08:00 · c7de19cf39
commit c7de19cf39
parent cbe944c354
4 changed files with 24 additions and 3 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -176,6 +176,7 @@ our $VERSION = '4.4_4';
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
 #                                               provisional  => undef|1 -- See below.
+#                                               expanded     => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
 #                                               manual       => undef|1 -- If 1, a manual chain.
@ -200,7 +201,9 @@ our $VERSION = '4.4_4';
 #                 }
 #
 #       'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1.
+#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly,
+#       'expanded' also applies only to policy chains; when true, indicates that the chain is a policy chain as a result of
+#       EXPAND_POLICIES=Yes.
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@ -102,6 +102,7 @@ sub set_policy_chain($$$$$)

 	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
 	    $chainref1->{is_policy}   = 1;
+	    $chainref1->{expanded}    = 1;
 	    push @policy_chains, $chainref1;
 	} else {
 	    $chainref1->{policychain} = $chainref->{name};
@ -221,6 +222,9 @@ sub process_a_policy() {
 	    if ( $chainref->{provisional} ) {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
+	    } elsif ( $chainref->{expanded} ) {
+		$chainref->{expanded} = 0;
+		$chainref->{policy} = $policy;
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,4 @@
 Changes in 4.5.0

-None.
+1)  Allow specific policy to supersede a wildcard policy.
+
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -28,4 +28,17 @@ None.
                N E W   F E A T U R E S   I N   4 . 5 . 0
 ----------------------------------------------------------------------------

-None.
+1)  Previously, if EXPAND_POLICIES=Yes, the following sequence of
+    policies would produce a 'Duplicate Policy' error:
+
+    	     $FW             all             ACCEPT
+    	     $FW             dmz             REJECT          info
+
+    Begining with 4.5.0, this sequence produces the same result as this
+    one:
+
+    	     $FW             dmz             REJECT          info
+    	     $FW             all             ACCEPT
+
+  
+