On 11/21/2012 11:09 AM, Tom Eastep wrote:

> I am not sure what I am supposed to put in the SOURCE/DESTINATION
> columns as a "zone" when in reality I don't care which "zone" this is in
> (and I don't think "all" is appropriate). For example, if I want to
> emulate "-t raw -I PREROUTING 1 -m set --match-set baddies-set src -j
> DROP" as well as "-t raw -I OUTPUT 1 -m set --match-set baddies-set dst
> -j DROP" I tried the following:

I just recalled that 'all' can't be qualified with an ipset name (or anything else for that matter).

Patch attached.

With this patch:

- 'all' places the rule in PREROUTING and in OUTPUT
- 'all-' places the rule in PREROUTING
- '$FW' places the rule in OUTPUT
- All of the above can be qualified with ipsets, addresses, etc.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index ae1c027..ddc19cf 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -54,7 +54,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
 
-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
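Review bot: the restriction is selected by comparing `$chainref->{name}` against the literal 'OUTPUT', so a caller that passes any other chain (not just the raw table's PREROUTING) silently gets PREROUTE_RESTRICT. Since the only callers that supply a $chainref are the two added in setup_conntrack() and they pass exactly $raw_table->{OUTPUT} and $raw_table->{PREROUTING}, add a comment on the new `if ( $chainref )` branch stating that contract, or assert that the name is one of the two, so a future caller cannot hand in another chain and get a PREROUTING-style restriction by accident.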
@@ -248,10 +250,10 @@ sub setup_conntrack() {
 
 		$empty = 0;
 
-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
-		    }
+		if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+		    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ) unless $1;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user );
 		} else {
 		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
 		}
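Review bot: the two process_conntrack_rule() calls read `$1` and `$3` from the `/^all(-)?(:(.+))?$/` match, with the second call evaluating `$3` after the first call has returned; capturing them into lexicals first (e.g. `my ( $prerouting_only, $qualifier ) = ( $1, $3 );`) makes the intent obvious and removes any dependence on the capture variables surviving the intervening call. Separately, 'all-' and the ability to qualify 'all' with an ipset or address are new conntrack-file syntax, but the patch only touches Raw.pm; the conntrack file documentation and release notes should describe the three forms listed in the mail ('all' -> PREROUTING and OUTPUT, 'all-' -> PREROUTING, '$FW' -> OUTPUT) and that USER/GROUP is rejected for both 'all' forms.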
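The SOURCE-column dispatch the mail describes, as an added model written for this page (it is not Shorewall's code and is not derived from anything beyond the hunk above): the regex is the one in the patch, the chain selection follows the three cases listed in the mail, and the rendering of a qualifier into an iptables match assumes Shorewall's `+setname` notation for an ipset in a SOURCE column and a plain address otherwise. The '$FW' and named-zone paths are simplified to the chain the mail names for them; the real compiler routes those through the unchanged per-zone code.

```python
import re


class ConntrackError(Exception):
    """Stands in for the compiler's fatal_error() in this model."""


# Regex copied from the setup_conntrack() hunk: 'all' or 'all-', optionally
# followed by ':qualifier' (ipset, address, ...).
ALL_RE = re.compile(r'^all(-)?(:(.+))?$')


def select_chains(source, user='-'):
    """Return (raw-table chains, qualifier) for a conntrack SOURCE column.

    'all'  -> OUTPUT and PREROUTING, 'all-' -> PREROUTING only, '$FW' -> OUTPUT;
    any other zone is modelled as PREROUTING (assumption: the mail does not
    spell out the named-zone path, which the patch leaves unchanged).
    """
    m = ALL_RE.match(source)
    if m:
        # Same check as the patch: USER/GROUP is only valid for $FW/Vserver zones.
        if user != '-':
            raise ConntrackError(
                'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone')
        qualifier = m.group(3) or '-'
        chains = [] if m.group(1) else ['OUTPUT']   # 'all-' skips OUTPUT
        chains.append('PREROUTING')
        return chains, qualifier
    zone, _, qualifier = source.partition(':')
    qualifier = qualifier or '-'
    if zone == '$FW':
        return ['OUTPUT'], qualifier
    return ['PREROUTING'], qualifier


def render_qualifier(qualifier):
    """Translate a SOURCE qualifier into an iptables match (assumed notation:
    '+name' is an ipset matched as the packet source, anything else is an
    address). An unqualified entry ('-') adds no match."""
    if qualifier == '-':
        return ''
    if qualifier.startswith('+'):
        return f' -m set --match-set {qualifier[1:]} src'
    return f' -s {qualifier}'


def render_rules(source, action='DROP', user='-'):
    """Emit the iptables raw-table commands a single conntrack entry expands to."""
    chains, qualifier = select_chains(source, user)
    return [f'iptables -t raw -A {chain}{render_qualifier(qualifier)} -j {action}'
            for chain in chains]


def rejects_user(source, user):
    """True when the entry is refused because USER/GROUP is set on an 'all' form."""
    try:
        select_chains(source, user)
    except ConntrackError:
        return True
    return False


if __name__ == '__main__':
    # Constructed entries covering the three forms from the mail.
    for src in ('all:+baddies-set', 'all-:+baddies-set', '$FW:192.0.2.7', 'all'):
        print(f'SOURCE={src}')
        for rule in render_rules(src):
            print('   ', rule)
    print('all with USER/GROUP rejected:', rejects_user('all', 'root'))
```

Note that a SOURCE qualifier is always rendered as a source match (`src` / `-s`) in both chains; the `dst` match the quoted question wanted in OUTPUT would have to come from the DEST column, which this model does not cover. After installing the patch, `iptables -t raw -S PREROUTING` and `iptables -t raw -S OUTPUT` on the firewall show which chains an entry actually landed in.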
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel