From 02a42e2fb082b9d929ae221d769090df2f3c40e2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 29 Mar 2003 14:37:50 +0000
Subject: [PATCH] INCLUDE directive; make 'traceroute -I' work again

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@528 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 4 ++++
 Shorewall/firewall | 6 +++++
 Shorewall/functions | 26 ++++++++++++++++++++-
 Shorewall/releasenotes.txt | 48 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 71da9ee4e..ee27e491d 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -7,3 +7,7 @@ Changes since 1.4.1
 of specific hosts or networks.
 
 3. Fixed common.def to use 'reject' rather than 'REJECT'.
+
+4. Added support for INCLUDE directive in all files.
+
+5. Made traceroute -I work.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 20ccda717..b4611d591 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3188,6 +3188,12 @@ initialize_netfilter () {
 setcontinue FORWARD
 setcontinue INPUT
 setcontinue OUTPUT
+
+ #
+ # Make 'traceroute -I' work
+ #
+ run_iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
 #
 # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets
 #
diff --git a/Shorewall/functions b/Shorewall/functions
index c14490ba6..83c0b096b 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -181,6 +181,30 @@ mutex_off()
 rm -f $STATEDIR/lock
 }
 
+#
+# Read a file and handle "INCLUDE" directives
+#
+
+read_file() # $1 = file name
+{
+ local first rest
+
+ while read first rest; do
+ if [ "x$first" = "xINCLUDE" ]; then
+ read_file `find_file ${rest%#*}`
+ else
+ echo "$first $rest"
+ fi
+ done < $1
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+ . `find_file $@`
+}
+
 #
 # Strip comments and blank lines from a file and place the result in the
 # temporary directory
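Review bot: The new `run_iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT` line uses `-I`, so it sits at the head of OUTPUT ahead of everything appended afterwards, including the INVALID-packet handling announced in the comment directly below it and, presumably, the per-zone OUTPUT policies and their logging; outbound time-exceeded from the firewall host is therefore accepted unconditionally. That is probably what the first-hop fix needs, but the one-line comment does not tell a reader auditing OUTPUT that this is a deliberate global exception. Suggest expanding it to `# Unconditionally accept ICMP time-exceeded sent by the firewall itself so the first hop of 'traceroute -I' from behind it is answered; inserted at the head of OUTPUT, ahead of the zone policies and the INVALID drop set up below`. initialize_netfilter starts before this hunk and continues past it.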
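Review bot: `read_file` has no guard against an INCLUDE chain that loops back on itself (a file that INCLUDEs itself, directly or through another file), so the recursion on the `read_file \`find_file ${rest%#*}\`` line only stops once the shell can no longer open a descriptor for `done < $1`, leaving a flood of redirection errors and a truncated expansion. The loop also calls `read` without `-r`, so backslashes that the previous `cut -d'#' -f1 $fname` pass-through left intact are now consumed, and `echo "$first $rest"` can misread a line whose first word looks like an echo option. A nesting-depth parameter that defaults to 0 for existing callers, together with `read -r` and `printf '%s\n'`, addresses all three; the limit of 10 below is a constructed value and can be tuned. The same recursion runs for every file `strip_file` processes in the next hunk, so the guard belongs here rather than at the call site.
```shell
read_file() # $1 = file name, $2 = INCLUDE nesting depth (optional, defaults to 0)
{
    local first rest depth

    depth=${2:-0}
    #
    # Refuse to recurse forever on a self- or cyclically-including file
    #
    if [ $depth -gt 10 ]; then
	echo "   ERROR: INCLUDE nesting too deep (possible loop) in $1" >&2
	return 1
    fi

    while read -r first rest; do
	if [ "x$first" = "xINCLUDE" ]; then
	    read_file `find_file ${rest%#*}` $(( depth + 1 ))
	else
	    printf '%s\n' "$first $rest"
	fi
    done < $1
}

# … unchanged: INCLUDE() …
```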
@@ -192,7 +216,7 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
 [ $# = 1 ] && fname=`find_file $1` || fname=$2
 
 if [ -f $fname ]; then
- cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
+ read_file $fname | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
 else
 > $TMP_DIR/$1
 fi
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 740fad139..ce7d19885 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -6,6 +6,9 @@ Problems Corrected:
 properly rejected with TCP RST; previously, some of these requests were rejeced with an ICMP port-unreachable response.
 
+2) 'traceroute -I' from behind the firewall previously timed out on the
+ first hop (e.g., to the firewall). This has been worked around.
+
 New Features:
 
 1) Where an entry in the/etc/shorewall/hosts file specifies a
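Review bot: On the new `read_file $fname | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1` line the exit status of `read_file` is discarded by the pipeline, so an INCLUDE whose name `find_file` resolves to a path that does not exist yields only the shell's redirection error for `done < $1` while `$TMP_DIR/$1` is still written and the start proceeds with the included fragment silently absent — the loaded rule set then differs from what the administrator configured without any fatal error. `strip_file`'s caller presumably cannot detect this either, since the function's only observable result is the output file. Consider materialising the expansion first, `read_file $fname > $TMP_DIR/$1.raw || return 1`, and running the `cut`/`grep` pipeline over that file (removing it afterwards), or have `read_file` test `[ -f ... ]` on each included file and report an error before recursing. strip_file's opening lines precede this hunk and its closing brace follows it.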
@@ -14,4 +17,49 @@ New Features:
 substantially reduce the number of rules traversed by connections requests from such zones.
 
+2) Any file may include an INCLUDE directive. An INCLUDE directive
+ consists of the word INCLUDE followed by a file name and causes the
+ contents of the named file to be logically included into the file
+ containing the INCLUDE. File names given in an INCLUDE directive
+ are assumed to reside in /etc/shorewall or in an alternate
+ configuration directory if one has been specified for the command.
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+ ----- end params -----
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ ----- end rules -----
+
+