On 05/27/2013 07:30 AM, Tom Eastep wrote:
> On 05/27/2013 06:42 AM, Tom Eastep wrote:
>> On 05/27/2013 12:20 AM, Dash Four wrote:
>>>
>>> Tom Eastep wrote:
>>>> So buck up and use your fingers, Mr-4; because when it comes to
>>>> Shorewall, my keystrokes are much more valuable than yours.
>>>>
>>> Why don't you take the above, put it in your bloody pipe and smoke it? I
>>> am not going to take any advice, particularly from you, on what to do
>>> and how much I am going to bloody type, so kindly do one! As for your
>>> arthritis - I couldn't care less to be honest, so there.
>>
>> I'm not surprised.
>>
>> Apply the attached long overdue patch, then put this at the top of your
>> policy file.
>>
>> ?BEGIN PERL
>> use Shorewall::Zones;
>> use strict;
>>
>> for my $z1 ( local_zones ) {
>>     for my $z2 ( local_zones ) {
>>         shorewall "$z1 $z2 NONE" unless $z1 eq $z2;
>>     }
>> }
>>
>> 1;
>>
>> ?END PERL
>>
>> Now, if you have two or ten thousand local zones, there will be no
>> locala2localb chains created.
>
> Or apply this patch and be done with it. If someone wants to forward
> between local zones in the future, I'll add a config option to allow it.

This additional patch corrects generation of warnings for local->local
forwarding rules.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 788d7b2..d470fab 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2448,10 +2448,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
if ( $destref ) {
- warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" ) if $sourceref->{type} == LOOPBACK && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
- warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
- warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER | LOCAL) );
- warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER | LOCAL) );
+ warning_message( "The SOURCE zone is loopback and the DEST zone is off-firewall" ) if $sourceref->{type} == LOOPBACK && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
+ warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'loopback'" ) if $destref->{type} == LOOPBACK && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+ warning_message( "The SOURCE zone is 'local' and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
+ warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
warning_message( "\$FW to \$FW rules are ignored when there is a defined 'loopback' zone" ) if loopback_zones && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL;
}
}
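Review bot: with LOCAL dropped from the mask in the third and fourth checks, a rule whose SOURCE and DEST are both 'local' zones now trips both warnings and is told twice that the other side is "off-firewall", which is not an accurate description of a local zone; consider a dedicated check ahead of those two, e.g. `warning_message( "Rules between two 'local' zones are not supported" ) if $sourceref->{type} == LOCAL && $destref->{type} == LOCAL;`, so that case gets one precise message. The first two replaced lines (the loopback checks) are identical in content to the lines they replace and only add noise to the hunk. The 'loopback' -> 'local' wording fix in the fourth message is correct and matches the condition it guards.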
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
