diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 7fbf627b6..90463d74e 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -12,6 +12,8 @@ Changes in 2.5.7
 6) Fix logging IPP2P rules.
+7) Add zone type to /var/lib/shorewall/zones.
+
 Changes in 2.5.6
 1) Finish install/fallback cleanup.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 16e208f7a..2a0178dac 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -513,6 +513,8 @@ determine_zones()
 strip_file zones
 ZONES=
+ IPV4_ZONES=
+ IPSEC_ZONES=
 [ "$IPSECFILE" = zones ] && new_zone_file=Yes || test -n "${FW:=fw}"
@@ -552,6 +554,7 @@ determine_zones()
 ipv4|IPv4|IPV4|plain|-)
 list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
 merge_zone
+ IPV4_ZONES="$IPV4_ZONES $zone"
 ;;
 ipsec|IPSEC|ipsec4|IPSEC4)
 list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
@@ -559,6 +562,7 @@ determine_zones()
 eval ${zone}_is_ipsec=Yes
 eval ${zone}_is_complex=Yes
 merge_zone
+ IPSEC_ZONES="$IPSEC_ZONES $zone"
 ;;
 firewall)
 [ -n "$FW" ] && startup_error "Only one firewall zone may be defined"
@@ -573,9 +577,13 @@ determine_zones()
 startup_error "Invalid Zone Type: $type"
 ;;
 esac
+
+ eval ${zone}_type=$type
 else
 list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
 ZONES="$ZONES $zone"
+ IPV4_ZONES="$IPV4_ZONES $zone"
+ eval ${zone}_type=ipv4
 fi
 done < $TMP_DIR/zones
@@ -2606,6 +2614,7 @@ setup_ipsec() {
 [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
 eval ${zone}_is_ipsec=Yes
 eval ${zone}_is_complex=Yes
+ eval ${zone}_type=ipsec4
 ;;
 *)
 fatal_error "Invalid IPSEC column contents"
@@ -3727,7 +3736,9 @@ check_config() {
 determine_zones
- display_list "Zones:" $ZONES
+ display_list "IPv4_Zones:" $IPV4_ZONES
+ [ -n "$IPSEC_ZONES" ] && \
+ display_list "IPSEC Zones:" $IPSEC_ZONES
 display_list "Firewall Zone:" $FW
 setup_ipsec
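Review bot: `eval ${zone}_type=$type` after the `esac` in determine_zones records the user's spelling of the type (`IPV4`, `plain`, `-`, `IPSEC`, `IPSEC4`, …) rather than a canonical token, so `shorewall show zones` will print `(-)` or `(plain)` for a zone declared that way, while the else branch of the same hunk and setup_ipsec write the fixed tokens `ipv4` and `ipsec4`. Setting the canonical token in each arm instead — `eval ${zone}_type=ipv4` next to the new `IPV4_ZONES=` append in the ipv4 arm (@@ -552), `eval ${zone}_type=ipsec4` next to the `IPSEC_ZONES=` append in the ipsec arm (@@ -559), and `eval ${zone}_type=firewall` in the `firewall)` arm — and dropping the generic assignment keeps the recorded type consistent everywhere it is written. The `eval` on `$type` is acceptable as written because the `*)` arm calls startup_error for anything the case does not recognise before this line is reached; if the generic assignment is kept, a one-line comment stating that dependency would protect it. determine_zones starts before this hunk.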
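Review bot: The new `eval ${zone}_type=ipsec4` in setup_ipsec reclassifies the zone, but the hunk leaves IPV4_ZONES and IPSEC_ZONES untouched, so a zone that becomes IPSEC through the ipsec file is still listed under the IPv4 label by check_config while being written to /var/lib/shorewall/zones as ipsec4. If the two lists are meant to reflect the final classification, this arm should also do `IPSEC_ZONES="$IPSEC_ZONES $zone"` and remove the zone from IPV4_ZONES. In check_config the display_list calls run before setup_ipsec, so this may be deliberate; in that case a comment such as `# IPV4_ZONES/IPSEC_ZONES reflect the zones file only; the ipsec file may reclassify a zone later` would stop the next reader from "fixing" it. setup_ipsec continues outside the hunk.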
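Review bot: The label `"IPv4_Zones:"` added to check_config has an underscore where the otherwise identical line added to initialize_netfilter (the @@ -7251 hunk) reads `"IPv4 Zones:"`; the two should match, `display_list "IPv4 Zones:" $IPV4_ZONES`. The three-line display sequence is now duplicated in both functions, so a small helper (e.g. `display_zones`) called from both places would keep the labels from drifting again. check_config continues outside the hunk.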
@@ -7251,7 +7262,10 @@ initialize_netfilter () {
 determine_zones
- display_list "Zones:" $ZONES
+ display_list "IPv4 Zones:" $IPV4_ZONES
+ [ -n "$IPSEC_ZONES" ] && \
+ display_list "IPSEC Zones:" $IPSEC_ZONES
+
 display_list "Firewall Zone:" $FW
 echo "Validating interfaces file..."
@@ -7972,7 +7986,7 @@ activate_rules()
 done > /var/lib/shorewall/chains
- > /var/lib/shorewall/zones
+ echo "$FW firewall" > /var/lib/shorewall/zones
 #
 # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
 #
@@ -8014,10 +8028,11 @@ activate_rules()
 chain2=$(rules_chain $zone $FW)
 eval complex=\$${zone}_is_complex
+ eval type=\$${zone}_type
 [ -n "$complex" ] && frwd_chain=${zone}_frwd
- echo $zone $source_hosts >> /var/lib/shorewall/zones
+ echo $zone $type $source_hosts >> /var/lib/shorewall/zones
 if [ -n "$DYNAMIC_ZONES" ]; then
 echo "$FW $zone $chain1" >> /var/lib/shorewall/chains
@@ -8461,7 +8476,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 #
 > /var/lib/shorewall/zones_$$
- while read z hosts; do
+ while read z type hosts; do
 if [ "$z" = "$zone" ]; then
 for h in $hostlist; do
 list_search $h $hosts
@@ -8477,7 +8492,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 eval ${z}_hosts=\"$hosts\"
- echo "$z $hosts" >> /var/lib/shorewall/zones_$$
+ echo "$z $type $hosts" >> /var/lib/shorewall/zones_$$
 done < /var/lib/shorewall/zones
 mv -f /var/lib/shorewall/zones_$$ /var/lib/shorewall/zones
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 7373e68ad..97d639c64 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
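Review bot: The record layout of /var/lib/shorewall/zones changes at `echo "$FW firewall" > /var/lib/shorewall/zones` without being documented at the write site; the file is read back by add_to_zone (`read z type hosts`) and by the `show zones` command in Shorewall/shorewall, both of which now assume a type in the second field. A comment above the echo, e.g. `# /var/lib/shorewall/zones: one record per zone, "<zone> <type> [<host>...]"; the firewall record carries no hosts`, would make the contract visible to anyone editing either reader. The firewall record is two fields wide, which the readers tolerate only because `read` leaves the trailing variable empty; worth stating in the same comment. activate_rules starts before this hunk.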
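Review bot: `echo $zone $type $source_hosts >> /var/lib/shorewall/zones` relies on `${zone}_type` being non-empty for every zone; if it is ever empty the record collapses to `<zone> <host>...` and both readers (`read z type hosts` in add_to_zone, `read zone type hosts` in show zones) silently take the first host as the type. Every path in determine_zones and setup_ipsec shown in this diff does set it, so this is robustness rather than a live bug, but a guard before the echo, `[ -n "$type" ] || fatal_error "Zone $zone has no type"`, would turn a future omission into a clear error instead of a corrupted zones file. Also, `type` is the name of a shell builtin; using it as a variable works, but `ztype` would read less confusingly. The loop this sits in starts before the hunk.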
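Review bot: `while read z type hosts; do` in add_to_zone assumes /var/lib/shorewall/zones already has the three-field layout; against a file written by the previous release (`<zone> <host>...`) it takes the first host as the type, drops it from `$hosts` (so `list_search $h $hosts` and `${z}_hosts` no longer see it), and the rewrite in the @@ -8477 hunk (`echo "$z $type $hosts"`) then bakes that host into the type column permanently. The release notes in this commit only warn that `show zones` needs a restart; if add_to_zone can run before a restart (I cannot tell from the diff), it should be covered by the same warning or refuse the old format. Since activate_rules now writes `$FW firewall` as the first record, checking that the first record's second field is `firewall` before the loop would be a cheap way to detect an old-format file. add_to_zone starts before this hunk.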
@@ -29,6 +29,10 @@ New Features in 2.5.7:
 and /etc/shorewall/hosts. See the Migration Considerations for instructions if you wish to block "new-not-syn" TCP packets.
+4) The "shorewall show zones" command now displays the zone type. You must have restarted Shorewall using this release before this feature will work correctly.
+
 Migration Considerations:
 1) The "monitor" command has been eliminated.
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index a6ba1291e..d5c07097d 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -885,8 +885,8 @@ case "$1" in
 if [ -f /var/lib/shorewall/zones ]; then
 echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
 echo
- while read zone hosts; do
- echo $zone
+ while read zone type hosts; do
+ echo "$zone ($type)"
 for host in $hosts; do
 echo " $host"
 done
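Review bot: `echo "$zone ($type)"` prints `zone ()` for any record with no second field and shows the first host as the type for every other old-format record, which is exactly the pre-restart situation the release-notes entry in this commit describes; `echo "$zone${type:+ ($type)}"` would at least keep the output clean when the type is missing. Quoting the echo argument is an improvement over the removed `echo $zone`; `read` without `-r` and the unquoted `$hosts` match the surrounding code, so I would leave them. The enclosing case arm starts before the hunk.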