I've been experimenting with the new zone nesting feature, but I'm getting nowhere and I'm starting to suspect I expect more from it than it can deliver.

So my first question is if zone nesting relies on the zones being subsets of each other on a network level? I.e. host based zones where the parent zone is a superset of the child zone.

The documentation example is of this type, but it doesn't say that this is required. I was naively hoping that the CONTINUE policy of a child zone would result in a -j to the parent zone chain(s) in iptables. But no such rules are generated, and I can't really find anything in the code that uses the parent information in a useful way.

My specific case is that I have zones gst, wif and vir, all with their own interfaces. I have a whole bunch of rules that apply to all three and I don't want to make a mess of the rules file by having multiple copies of every rule. So I dug around and found nested zones, which seemed to fit perfectly.

I have:

zones:

dmz      ipv4

gst:dmz  ipv4
wif:dmz  ipv4
vir:dmz  ipv4

interfaces:

gst  eth1
wif  eth2
vir  virt+

policy:

gst  all  CONTINUE
wif  all  CONTINUE
vir  all  CONTINUE

rules:

ACCEPT  dmz  all  tcp  ssh

Rgds
-- 
     -- Pierre Ossman

  Linux kernel, MMC maintainer        http://www.kernel.org
  PulseAudio, core developer          http://pulseaudio.org
  rdesktop, core developer            http://www.rdesktop.org

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Pierre Ossman wrote:
> I've been experimenting with the new zone nesting feature, but I'm
> getting nowhere and I'm starting to suspect I expect more from it than
> it can deliver.
>
> So my first question is if zone nesting relies on the zones being
> subsets of each other on a network level? I.e. host based zones where
> the parent zone is a superset of the child zone.
>
> The documentation example is of this type, but it doesn't say that this
> is required. I was naively hoping that the CONTINUE policy of a child
> zone would result in a -j to the parent zone chain(s) in iptables. But
> no such rules are generated, and I can't really find anything in the
> code that uses the parent information in a useful way.
>
> My specific case is that I have zones gst,wif and vir, all with their
> own interfaces. I have a whole bunch of rules that apply to all three
> and I don't want to make a mess of the rules file by having multiple
> copies of every rule. So I dug around and found nested zones, which
> seemed to fit perfectly.
>
> I have:
>
> zones:
>
> dmz ipv4
>
> gst:dmz ipv4
> wif:dmz ipv4
> vir:dmz ipv4
>
> interfaces:
>
> gst eth1
> wif eth2
> vir virt+
>

A shorewall dump would be helpful here. Most of the time when nested zones are needed, it is with the same interface and different sub-zones on the same interface; you would need the hosts file to define that. You are doing the reverse here: each interface is a sub-zone of the parent (dmz) zone.

I have never tried this but I think you may have to use

gst:dmz
wif:dmz
vir:dmz

here to define the membership to the parent (dmz) zone.

> policy:
>
> gst all CONTINUE
> wif all CONTINUE
> vir all CONTINUE
>
> rules:
>
> ACCEPT dmz all tcp ssh
>
> Rgds

Well I tried the above syntax in the interfaces file, it didn't give me an error and the jumps look right to me.

YMMV

Jerry
Pierre Ossman wrote:
> So my first question is if zone nesting relies on the zones being
> subsets of each other on a network level? I.e. host based zones where
> the parent zone is a superset of the child zone.

Yes.

> The documentation example is of this type, but it doesn't say that this
> is required. I was naively hoping that the CONTINUE policy of a child
> zone would result in a -j to the parent zone chain(s) in iptables. But
> no such rules are generated, and I can't really find anything in the
> code that uses the parent information in a useful way.

The 3.x and 4.0 code only use the information to order the zone list.

> My specific case is that I have zones gst,wif and vir, all with their
> own interfaces.

Nested zones do not apply unless you define a super-zone that includes all three interfaces, then make that the parent zone of each of the individual zones.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Sorry about the crappy threading. I was hoping for a cc, but didn't get one so I don't have the proper message id to hang on to.

Tom Eastep Sun, 27 Apr 2008 16:46:29 -0700
> Pierre Ossman wrote:
>> My specific case is that I have zones gst,wif and vir, all with their
>> own interfaces.
>
> Nested zones do not apply unless you define a super-zone that includes
> all three interfaces then make that the parent zone of each of the
> individual zones.
>

Is it possible to define a super zone that includes my three interfaces, and just those three interfaces? I tried adding an interface to both the child and parent zone, but the compiler did not like that at all.

If this method is currently an impossible route, would patches that implement a -j net2<parent> at the end of net2<child> (with a CONTINUE policy of course) be accepted? If I haven't missed anything, that should work fine when the zone has a single parent.

Rgds
-- 
     -- Pierre Ossman

  Linux kernel, MMC maintainer        http://www.kernel.org
  PulseAudio, core developer          http://pulseaudio.org
  rdesktop, core developer            http://www.rdesktop.org
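The fall-through Pierre is asking for above (a child zone's policy chain ending in a jump to the parent zone's chain, but only when the child's policy is CONTINUE), as an added example that is not part of the thread and is not Shorewall's compiler code. It is a small POSIX sh model: the zone names and the dmz parent come from the thread, while the "net" zone, the policy table and the rule that the parent chains are visited as the product of the client's ancestors and the server's ancestors (nearest pairs first) are assumptions made for the example. It also shows the caveat a reviewer would raise: a chain whose policy already terminates (ACCEPT, DROP, REJECT) must not get trailing jumps, because they would sit after the final rule and never match.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Models a
# "<child>2<server> -j <parent>2<server>" fall-through for nested zones.
# Zones gst, wif, vir with parent dmz come from the thread; "net", the
# policy table and the ancestor-pair ordering are constructed here.

# zone_parent ZONE: print the parent zone, or nothing for a top-level zone.
zone_parent() {
    case "$1" in
        gst|wif|vir) printf 'dmz' ;;
        *) ;;
    esac
}

# zone_policy CLIENT: the policy this zone has towards "all" (constructed
# to match the thread: the three sub-zones CONTINUE, everything else DROP).
zone_policy() {
    case "$1" in
        gst|wif|vir) printf 'CONTINUE' ;;
        *) printf 'DROP' ;;
    esac
}

# ancestors ZONE: space-separated ancestor zones, nearest parent first.
ancestors() {
    _z=$(zone_parent "$1")
    _out=""
    while [ -n "$_z" ]; do
        _out="$_out $_z"
        _z=$(zone_parent "$_z")
    done
    printf '%s' "${_out# }"
}

# chain_order CLIENT SERVER: the policy chains that traffic from CLIENT to
# SERVER falls through: its own chain first, then every
# (client-or-ancestor, server-or-ancestor) pair, nearest pairs first.
# The first chain whose rules match decides, so this order matters.
chain_order() {
    _chains="${1}2${2}"
    for _p1 in $1 $(ancestors "$1"); do
        for _p2 in $2 $(ancestors "$2"); do
            [ "$_p1" = "$1" ] && [ "$_p2" = "$2" ] && continue
            _chains="$_chains ${_p1}2${_p2}"
        done
    done
    printf '%s' "$_chains"
}

# parent_jumps CLIENT SERVER: the iptables commands that append the parent
# jumps to the child's chain. Only a CONTINUE policy gets them; a chain
# whose policy terminates already ends in a final ACCEPT/DROP/REJECT rule,
# so anything appended after it is unreachable.
parent_jumps() {
    _chain="${1}2${2}"
    [ "$(zone_policy "$1")" = CONTINUE ] || return 0
    for _c in $(chain_order "$1" "$2"); do
        [ "$_c" = "$_chain" ] && continue
        printf 'iptables -A %s -j %s\n' "$_chain" "$_c"
    done
}

# Stand-alone demonstration for the zone pairs from the thread.
for pair in "gst net" "gst wif" "dmz net"; do
    set -- $pair
    echo "# $1 -> $2 falls through: $(chain_order "$1" "$2")"
    parent_jumps "$1" "$2"
done
```

For gst to wif this yields gst2wif, gst2dmz, dmz2wif, dmz2dmz, so a rule written once for dmz applies to all three sub-zones, and for dmz to net nothing is appended because dmz's policy terminates. Whether the ancestor pairs should be visited in this order, or the client-side ancestors alone, is exactly the design question a real patch would have to settle.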
On Mon, 28 Apr 2008 08:13:40 +0200
Pierre Ossman <drzeus-list@drzeus.cx> wrote:
>
> If this method is currently an impossible route, would patches that
> implements a -j net2<parent> at the end of net2<child> (with a CONTINUE
> policy of course) be accepted? If I haven't missed anything, that
> should work fine when the zone has a single parent.
>

Said patch below. It's a bit rough, but gets the job done. The big problem is that we need to make sure that all policy chains that have children are created. In this patch I simply create all policy chains.

--- /usr/share/shorewall-shell/compiler.orig 2008-04-06 02:21:30.000000000 +0200 +++ /usr/share/shorewall-shell/compiler 2008-04-28 20:09:52.000000000 +0200 @@ -3141,8 +3141,6 @@ policy_rules() # $1 = chain to add rules default_policy() # $1 = client $2 = server { local chain="${1}2${2}" - local policy- local loglevel local chain1 jump_to_policy_chain() { @@ -3161,6 +3159,9 @@ default_policy() # $1 = client $2 = serv apply_default() { + local policy+ local loglevel+ local parents1 parents2 # # Generate policy file column values for the policy chain # @@ -3208,6 +3209,24 @@ default_policy() # $1 = client $2 = serv [ -n "$synparams" ] && \ report_syn_flood_protection policy_rules $chain $policy "${loglevel:--}" $default + + eval parents1=\$${1}_parents + eval parents2=\$${2}_parents + for p1 in ${1} $parents1; do + for p2 in ${2} $parents2; do + if [ $p1 = $1 -a $p2 = $2 ]; then + continue + fi + + parentchain=${p1}2${p2} + if ! havechain $parentchain; then + fatal_error "Parent chain $parentchain does not exist" + fi + + run_iptables -A $chain -j $parentchain + progress_message " Policy $policy for $1 to $2 using chain $parentchain" + done + done ;; *) # 
@@ -3956,7 +3975,8 @@ apply_policy_rules() { eval default=\$${chain}_default if [ "$policy" != NONE ]; then - if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then +# if ! havechain $chain && [ -z "$optional" -a "$policy" != CONTINUE ]; then + if ! havechain $chain; then # # The chain doesn''t exist. Create the chain and add policy # rules

-- 
     -- Pierre Ossman

  Linux kernel, MMC maintainer        http://www.kernel.org
  PulseAudio, core developer          http://pulseaudio.org
  rdesktop, core developer            http://www.rdesktop.org
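Review bot: in the first two hunks (@@ -3141 and @@ -3161) the `local policy` and `local loglevel` declarations are moved from default_policy() into the nested apply_default(), which narrows their dynamic scope: jump_to_policy_chain() is declared in the same default_policy() body and is no longer called from a scope where those locals exist, so if it reads $policy or $loglevel it now gets whatever is in the global scope instead of the value apply_default() set. Either keep the two declarations in default_policy() (adding only `local parents1 parents2` in apply_default()) or confirm that jump_to_policy_chain() does not use either variable.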
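Review bot: in the third hunk (@@ -3208) the `run_iptables -A $chain -j $parentchain` jumps are appended whatever $policy is, yet policy_rules has just emitted the policy's final rule for that chain, so for ACCEPT, DROP or REJECT policies the jumps land after a terminating rule and can never match; guard the whole block with `[ "$policy" = CONTINUE ] || ...` as the cover note itself says. Two smaller points in the same hunk: `p1`, `p2` and `parentchain` are not declared local (only parents1/parents2 are), so they leak into the caller's scope; and the nested loops visit the full product of client and server ancestors (for gst to wif that is gst2dmz, dmz2wif and dmz2dmz, in that order), which is the order rules are tried in, so it deserves a comment stating that this is the intended precedence.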
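Review bot: in the last hunk (@@ -3956) the original condition is kept as a commented-out `#` line next to its replacement; delete it rather than leaving dead code in the compiler. Dropping the `[ -z "$optional" -a "$policy" != CONTINUE ]` guard also means a policy chain is now created for every zone pair, including optional interfaces and CONTINUE policies that previously needed none, which is broader than the stated requirement that chains with children exist; since the `${zone}_parents` variables are available here, creating the chain only when the pair is a parent of some other pair would satisfy the fatal_error check in the third hunk without the extra chains.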