holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow 'all-' in rules

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-05-18 18:05:16 +00:00
parent 6f1bcedcfd
commit e97139242b
4 changed files with 45 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -2,6 +2,8 @@ Changes in 3.2.0 Beta 8
1) Issue more helpful BRIDGING=No error messages. 1) Issue more helpful BRIDGING=No error messages.
2) Implement "all-" in rules file.
Changes in 3.2.0 Beta 7 Changes in 3.2.0 Beta 7
1) Fix mark/mask validation. 1) Fix mark/mask validation.

42
Shorewall/compiler
View File

@ -5559,6 +5559,10 @@ process_rules()
xclients=all xclients=all
intrazone=Yes intrazone=Yes
;; ;;
all+-|all-+)
xclients=all-
intrazone=Yes
;;
esac esac
case $xservers in case $xservers in
@ -5566,22 +5570,34 @@ process_rules()
xservers=all xservers=all
intrazone=Yes intrazone=Yes
;; ;;
all+-|all-+)
xservers=all-
intrazone=Yes
;;
esac esac
if [ "x$xclients" = xall ]; then case $xclients in
xclients="$ZONES $FW" all|all-)
if [ "x$xservers" = xall ]; then [ $xclients = all ] && xclients="$ZONES $FW" || xclients="$ZONES"
xservers="$ZONES $FW"
fi
process_wildcard_rule "$1" $intrazone
return
fi
if [ "x$xservers" = xall ]; then if [ "x$xservers" = xall ]; then
xservers="$ZONES $FW" xservers="$ZONES $FW"
process_wildcard_rule "$1" $intrazone elif [ "x$xservers" = xall- ]; then
return xservers="$ZONES"
fi fi
process_wildcard_rule "$1" $intrazone
return
;;
esac
case $xservers in
all|all-)
xservers="$ZONES $FW"
process_wildcard_rule "$1" $intrazone
return
;;
esac
if [ "$1" = Yes ]; then if [ "$1" = Yes ]; then
process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec

7
Shorewall/releasenotes.txt
View File

@ -40,7 +40,12 @@ Problems Corrected in 3.2.0 Beta 8
ERROR: BRIDGING=Yes is required for this zone definition: loc br0:eth0 ERROR: BRIDGING=Yes is required for this zone definition: loc br0:eth0
Other changes in 3.2.0 Beta 7 Other changes in 3.2.0 Beta 8
1) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
used for zone names. "all-" means "All zones except the firewall";
"all+-" means "All zones except the firewall" and intra-zone
traffic is included.
Migration Considerations: Migration Considerations:

13
Shorewall/rules
View File

@ -162,16 +162,19 @@
# #
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+" or "none". # firewall itself, "all", "all+", "all-", "all+-" or
# "none".
# #
# When "none" is used either in the SOURCE or DEST # When "none" is used either in the SOURCE or DEST
# column, the rule is ignored. # column, the rule is ignored.
# #
# When "all" is used either in the SOURCE or DEST column # "all" means "All Zones", including the firewall itself.
# intra-zone traffic is not affected. When "all+" is # "all-" means "All Zones, except the firewall itself".
# used, intra-zone traffic is affected. # When "all[-]" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+[-]" is
# "used, intra-zone traffic is affected.
# #
# Except when "all[+]" is specified, clients may be # Except when "all[+][-]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by # further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets # appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC # and/or hosts. Hosts may be specified by IP or MAC