On 05/13/2013 07:24 AM, Tom Eastep wrote:
> On 05/13/2013 07:22 AM, Dash Four wrote:

>> Correct, but I do have "all all DROP" (I can't add "all+ all+ DROP" in 
>> policy yet, can I?).
> 
> No -- not yet.

Here is a lightly-tested patch.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8c902fe..2cf3fb2 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -344,14 +344,21 @@ sub new_policy_chain($$$$$)
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
-sub set_policy_chain($$$$$)
+sub set_policy_chain($$$$$$)
 {
-    my ($source, $dest, $chain1, $chainref, $policy ) = @_;
+    my ($source, $dest, $chain1, $chainref, $policy, $intrazone) = @_;
 
     my $chainref1 = $filter_table->{$chain1};
 
     $chainref1 = new_rules_chain $chain1 unless $chainref1;
 
+    if ( $intrazone       &&
+	 $source eq $dest &&
+	 $chainref1->{provisional} ) {
+	$chainref1->{policychain} = '';
+	$chainref1->{provisional} = '';
+    }
+
     unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
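Review bot: The new intrazone reset on lines 35–40 keys on `$source eq $dest`, but every updated call site in the third hunk (lines 66, 73, 80) passes the policy-file values `$client`/`$server` rather than the zone pair the chain is built from, so for `all+ all+` the comparison holds for every `$zone`/`$zone1` combination and the guard depends entirely on `provisional` to single out zone-to-itself chains, while for `all+ <zone>` it never holds even when `$zone eq $server`. If `provisional` is not set exclusively on intrazone chains (not visible from this hunk), the check should compare the actual zones, e.g. by passing them alongside `$chain1`. The new parameter also deserves a line in the header comment, e.g. `# $intrazone is true when SOURCE or DEST was given as 'all+'.` set_policy_chain's body continues below the hunk.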
@@ -477,11 +484,13 @@ sub process_a_policy() {
     fatal_error 'DEST must be specified'   if $server eq '-';
     fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
 
-    my $clientwild = ( "\L$client" eq 'all' );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $intrazone  = $clientwild && $1;
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" eq 'all' );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
+    $intrazone ||= $serverwild && $1;
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
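Review bot: The server pattern on line 56 lacks the trailing anchor that the client pattern on line 50 has, so any zone name that merely starts with `all` (a constructed example: `allnet`) would be treated as the wildcard and bypass the `defined_zone` check; it should read `my $serverwild = ( "\L$server" =~ /^all(\+)?$/ );`. Both patterns also accept a trailing newline via `$`, which the original `eq 'all'` did not; `\A...\z` would keep the old strictness. Note that `$1` is undef rather than '' when `+` is absent, so `$intrazone` may be undef on lines 51 and 57; harmless in boolean use but worth `// ''` if it is ever stored or printed. process_a_policy continues outside the hunk.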
@@ -568,19 +577,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 

Attachment: signature.asc
Description: OpenPGP digital signature
