From c7de19cf39c2c3f85d999eebfac19acee6289d64 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 21 Nov 2009 13:56:40 -0800
Subject: [PATCH] Allow specific policy to supersede an expanded one
---
 Shorewall/Perl/Shorewall/Chains.pm | 5 ++++-
 Shorewall/Perl/Shorewall/Policy.pm | 4 ++++
 Shorewall/changelog.txt | 3 ++-
 Shorewall/releasenotes.txt | 15 ++++++++++++++-
 4 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index fcf72e675..4beef440e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -176,6 +177,7 @@ our $VERSION = '4.4_4';
 # table =>
 # is_policy => undef|1 -- if 1, this is a policy chain
 # provisional => undef|1 -- See below.
+# expanded => undef|1 -- See below.
 # referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
 # builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
 # manual => undef|1 -- If 1, a manual chain.
@@ -200,7 +201,9 @@ our $VERSION = '4.4_4';
 # }
 #
 # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1.
+# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly,
+# 'expanded' also applies only to policy chains; when true, indicates that the chain is a policy chain as a result of
+# EXPAND_POLICIES=Yes.
 #
 # Only 'referenced' chains get written to the iptables-restore input.
 #
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index b0273f215..2eae40bfc 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
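Review bot: The comment added for `expanded` in the second hunk does not say that the flag is transient: the `process_a_policy` change in this same patch clears it and replaces the chain's policy when an explicit entry for the same zone pair is read later, which is exactly what a reader of this struct description needs before relying on `expanded` anywhere else. Suggest extending the last added line to `# EXPAND_POLICIES=Yes. Like a provisional chain, an expanded chain may later have its policy replaced by an explicit policy for the same pair, at which point 'expanded' is reset to 0.` The `expanded => undef|1 -- See below.` entry in the first hunk and this paragraph are the only documentation of the flag, so keeping them in step with the Policy.pm behaviour matters.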
@@ -102,6 +102,7 @@ sub set_policy_chain($$$$$)
 $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
 $chainref1->{is_policy} = 1;
+ $chainref1->{expanded} = 1;
 push @policy_chains, $chainref1;
 } else {
 $chainref1->{policychain} = $chainref->{name};
@@ -221,6 +222,9 @@ sub process_a_policy() {
 if ( $chainref->{provisional} ) {
 $chainref->{provisional} = 0;
 $chainref->{policy} = $policy;
+ } elsif ( $chainref->{expanded} ) {
+ $chainref->{expanded} = 0;
+ $chainref->{policy} = $policy;
 } else {
 fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index cdb5126b6..ecf1e3171 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,4 @@
 Changes in 4.5.0
-None.
+1) Allow specific policy to supersede a wildcard policy.
+
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b17ecd083..29605ccec 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -28,4 +28,17 @@ None.
 N E W F E A T U R E S I N 4 . 5 . 0
 ----------------------------------------------------------------------------
-None.
+1) Previously, if EXPAND_POLICIES=Yes, the following sequence of
+ policies would produce a 'Duplicate Policy' error:
+
+ $FW all ACCEPT
+ $FW dmz REJECT info
+
+ Begining with 4.5.0, this sequence produces the same result as this
+ one:
+
+ $FW dmz REJECT info
+ $FW all ACCEPT
+
+
+
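Review bot: The new `elsif` branch in the process_a_policy hunk replaces only `{policy}`, but a chain expanded from a wildcard also carries values copied from that wildcard — the set_policy_chain hunk just above copies `{default}` into the expanded chain — so after `$FW all DROP` (with whatever default action it carries) followed by `$FW dmz ACCEPT`, the chain would keep the wildcard's default action unless the code after this if/else, which lies outside the hunk (process_a_policy continues past it), unconditionally reassigns `{default}` and the log level from the new entry. If it only assigns them when the new entry supplies them, the wildcard's default action ends up running ahead of a policy it was never paired with, and the result is a silent change in what gets filtered rather than the parse error this branch used to raise. Suggest clearing the inherited state when superseding, e.g. `} elsif ( $chainref->{expanded} ) { $chainref->{expanded} = 0; $chainref->{policy} = $policy; delete $chainref->{default};`, or merging the two cases into `if ( $chainref->{provisional} || $chainref->{expanded} )` since they now do the same thing. It is also worth confirming that `{policypair}`, which the `fatal_error` message reads, names the specific zone pair for an expanded chain rather than the wildcard it was expanded from, so that a genuine duplicate after this supersession is reported against the right line.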