holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow specific policy to supersede an expanded one

Browse Source
This commit is contained in:
Tom Eastep 2009-11-21 13:56:40 -08:00
parent cbe944c354
commit c7de19cf39
4 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -176,6 +176,7 @@ our $VERSION = '4.4_4';
# table => <table name> # table => <table name>
# is_policy => undef|1 -- if 1, this is a policy chain # is_policy => undef|1 -- if 1, this is a policy chain
# provisional => undef|1 -- See below. # provisional => undef|1 -- See below.
# expanded => undef|1 -- See below.
# referenced => undef|1 -- If 1, will be written to the iptables-restore-input. # referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
# builtin => undef|1 -- If 1, one of Netfilter's built-in chains. # builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
# manual => undef|1 -- If 1, a manual chain. # manual => undef|1 -- If 1, a manual chain.
@ -200,7 +201,9 @@ our $VERSION = '4.4_4';
# } # }
# #
# 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. # replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly,
# 'expanded' also applies only to policy chains; when true, indicates that the chain is a policy chain as a result of
# EXPAND_POLICIES=Yes.
# #
# Only 'referenced' chains get written to the iptables-restore input. # Only 'referenced' chains get written to the iptables-restore input.
# #

4
Shorewall/Perl/Shorewall/Policy.pm
View File

@ -102,6 +102,7 @@ sub set_policy_chain($$$$$)
$chainref1->{default} = $chainref->{default} if defined $chainref->{default}; $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
$chainref1->{is_policy} = 1; $chainref1->{is_policy} = 1;
$chainref1->{expanded} = 1;
push @policy_chains, $chainref1; push @policy_chains, $chainref1;
} else { } else {
$chainref1->{policychain} = $chainref->{name}; $chainref1->{policychain} = $chainref->{name};
@ -221,6 +222,9 @@ sub process_a_policy() {
if ( $chainref->{provisional} ) { if ( $chainref->{provisional} ) {
$chainref->{provisional} = 0; $chainref->{provisional} = 0;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
} elsif ( $chainref->{expanded} ) {
$chainref->{expanded} = 0;
$chainref->{policy} = $policy;
} else { } else {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
} }

3
Shorewall/changelog.txt
View File

@ -1,3 +1,4 @@
Changes in 4.5.0 Changes in 4.5.0
None. 1) Allow specific policy to supersede a wildcard policy.

15
Shorewall/releasenotes.txt
View File

@ -28,4 +28,17 @@ None.
N E W F E A T U R E S I N 4 . 5 . 0 N E W F E A T U R E S I N 4 . 5 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1) Previously, if EXPAND_POLICIES=Yes, the following sequence of
policies would produce a 'Duplicate Policy' error:
$FW all ACCEPT
$FW dmz REJECT info
Begining with 4.5.0, this sequence produces the same result as this
one:
$FW dmz REJECT info
$FW all ACCEPT