Add conversion of notrack to conntrack
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
8657682dfd
commit
0d635632e3
@ -3931,7 +3931,7 @@ usage() # $1 = exit status
|
||||
echo " status [ -i ]"
|
||||
echo " stop"
|
||||
ecko " try <directory> [ <timeout> ]"
|
||||
ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]"
|
||||
ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
|
||||
echo " version [ -a ]"
|
||||
echo
|
||||
exit $1
|
||||
@ -3985,6 +3985,7 @@ shorewall_cli() {
|
||||
g_loopback=
|
||||
g_compiled=
|
||||
g_routestopped=
|
||||
g_notrack=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
|
@ -592,8 +592,8 @@ EOF
|
||||
#
|
||||
sub compiler {
|
||||
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped ) =
|
||||
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 );
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
|
||||
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 , 0 );
|
||||
|
||||
$export = 0;
|
||||
$test = 0;
|
||||
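Review bot: `$notrack` becomes the 21st entry of the positional `my ( … ) = ( … )` initializer, and the value list on the right contains an empty element (`0, 0, , 0 , ''`) that Perl silently discards, so variable-to-default pairing holds by count alone and is easy to break the next time a parameter is appended here. It lines up today (21 names, 21 surviving values, `$notrack` defaulting to `0`), but a short comment above the assignment such as `# NOTE: one default per name, in order; the empty element is dropped by Perl` would save the next maintainer from re-counting. A hash of defaults keyed by option name would remove the fragility altogether, but that is beyond this change. `sub compiler` continues past the end of the hunk.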
@ -845,7 +845,7 @@ sub compiler {
|
||||
#
|
||||
# Process the conntrack file
|
||||
#
|
||||
setup_conntrack;
|
||||
setup_conntrack( $notrack );
|
||||
#
|
||||
# Add Tunnel rules.
|
||||
#
|
||||
|
@ -36,7 +36,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_conntrack );
|
||||
our @EXPORT_OK = qw( handle_helper_rule );
|
||||
our $VERSION = 'MODULEVERSION';
|
||||
our $VERSION = '4.6_10';
|
||||
|
||||
our %valid_ctevent = ( new => 1,
|
||||
related => 1,
|
||||
@ -56,7 +56,7 @@ sub initialize($) {
|
||||
}
|
||||
|
||||
#
|
||||
# Conntrack
|
||||
# Notrack
|
||||
#
|
||||
sub process_conntrack_rule( $$$$$$$$$$ ) {
|
||||
|
||||
@ -275,52 +275,131 @@ sub process_format( $ ) {
|
||||
$file_format = $format;
|
||||
}
|
||||
|
||||
sub setup_conntrack() {
|
||||
sub setup_conntrack($) {
|
||||
my $convert = shift;
|
||||
my $fn;
|
||||
my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' );
|
||||
|
||||
my $fn = open_file( 'conntrack', 3 , 1 );
|
||||
for my $name ( qw/notrack conntrack/ ) {
|
||||
|
||||
if ( $fn ) {
|
||||
$fn = open_file( $name, 3 , 1 );
|
||||
|
||||
my $action;
|
||||
if ( $fn ) {
|
||||
|
||||
first_entry( "$doing $fn..." );
|
||||
my $action;
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
|
||||
my $empty = 1;
|
||||
|
||||
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
|
||||
first_entry( "$doing $fn..." );
|
||||
|
||||
for my $proto ( split_list $protos, 'Protocol' ) {
|
||||
if ( $file_format < 3 ) {
|
||||
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
|
||||
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
|
||||
for my $zone ( $1 ? off_firewall_zones : all_zones ) {
|
||||
process_conntrack_rule( undef ,
|
||||
undef,
|
||||
$action,
|
||||
$zone . ( $2 || ''),
|
||||
$dest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$user ,
|
||||
$switch );
|
||||
}
|
||||
} else {
|
||||
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
}
|
||||
} elsif ( $action =~ s/:O$// ) {
|
||||
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
} elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
|
||||
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
( $source, $dest, $protos, $ports, $sports, $user, $switch ) =
|
||||
split_line1( 'Conntrack File',
|
||||
{ source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
|
||||
$action = 'NOTRACK';
|
||||
} else {
|
||||
$action =~ s/:P$//;
|
||||
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
|
||||
}
|
||||
|
||||
$empty = 0;
|
||||
|
||||
for my $proto ( split_list $protos, 'Protocol' ) {
|
||||
if ( $file_format < 3 ) {
|
||||
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
|
||||
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
|
||||
for my $zone ( $1 ? off_firewall_zones : all_zones ) {
|
||||
process_conntrack_rule( undef ,
|
||||
undef,
|
||||
$action,
|
||||
$zone . ( $2 || ''),
|
||||
$dest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$user ,
|
||||
$switch );
|
||||
}
|
||||
} else {
|
||||
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
}
|
||||
} elsif ( $action =~ s/:O$// ) {
|
||||
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
} elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
|
||||
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
} else {
|
||||
$action =~ s/:P$//;
|
||||
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( $name eq 'notrack') {
|
||||
if ( $empty ) {
|
||||
if ( unlink( $fn ) ) {
|
||||
warning_message "Empty notrack file ($fn) removed";
|
||||
} else {
|
||||
warning_message "Unable to remove empty notrack file ($fn): $!";
|
||||
}
|
||||
$convert = undef;
|
||||
}
|
||||
}
|
||||
} elsif ( $name eq 'notrack' ) {
|
||||
$convert = undef;
|
||||
}
|
||||
}
|
||||
|
||||
if ( $convert ) {
|
||||
my $conntrack;
|
||||
my $empty = 1;
|
||||
|
||||
if ( $fn ) {
|
||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
} else {
|
||||
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
|
||||
print $conntrack <<'EOF';
|
||||
#
|
||||
# Shorewall version 5 - conntrack File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-conntrack"
|
||||
#
|
||||
##############################################################################################################
|
||||
EOF
|
||||
print $conntrack '?' . "FORMAT 3";
|
||||
|
||||
print $conntrack <<'EOF';
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
EOF
|
||||
}
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
while ( read_a_line( PLAIN_READ ) ) {
|
||||
#
|
||||
# Don't copy the header comments from the old notrack file
|
||||
#
|
||||
next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
|
||||
|
||||
if ( $empty ) {
|
||||
#
|
||||
# First non-commentary line
|
||||
#
|
||||
$empty = undef;
|
||||
|
||||
print $conntrack '?' . "format 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
|
||||
}
|
||||
|
||||
print $conntrack "$currentline\n";
|
||||
}
|
||||
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
progress_message2 "notrack file $fn saved in $fn.bak"
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
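Review bot: `print $conntrack '?' . "FORMAT 3";` writes no line terminator, so in a newly created conntrack file the `#ACTION` header of the following heredoc is glued onto the directive line (`?FORMAT 3#ACTION …`); the later `'?' . "format 1\n"` shows the intended form, so this should be `print $conntrack '?' . "FORMAT 3\n";`. The `unlink( $fn )` under `if ( $name eq 'notrack')` sits inside `if ( $fn )` and is not conditioned on `$convert`, so any compile that merely reads an empty notrack file (or one holding only comments, since `$empty` is cleared only after a line has been split) deletes it; a read pass should not mutate configuration, so guard it as `if ( $convert && $empty ) {` or move it under the later `if ( $convert )` block. `my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' );` is never used because the loop iterates `qw/notrack conntrack/` directly — either write `for my $name ( @files ) {` if notrack is only meant to be read when converting, or drop the variable. The Tc.pm hunk in this commit warns when an obsolete tcrules file is found and points the user at `update -t`; if notrack is meant to be retired the same way, a matching warning pointing at `update -n` would be expected here, otherwise disregard this last point.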
@ -3140,7 +3140,7 @@ sub process_secmark_rule() {
|
||||
}
|
||||
|
||||
#
|
||||
# Process the tcrules file and setup traffic shaping
|
||||
# Process the mangle file and setup traffic shaping
|
||||
#
|
||||
sub setup_tc( $ ) {
|
||||
$tcrules = $_[0];
|
||||
@ -3222,6 +3222,8 @@ sub setup_tc( $ ) {
|
||||
|
||||
close $mangle, directive_callback( 0 );
|
||||
}
|
||||
} elsif ( my $fn = find_file( 'tcrules' ) ) {
|
||||
warning_message "The tcrules file is no longer supported -- use the '$product update -t' to convert $fn to an equivalent 'mangle' file";
|
||||
}
|
||||
|
||||
if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
|
||||
|
@ -43,6 +43,7 @@
|
||||
# --inline # Update alternative column specifications
|
||||
# --tcrules # Create mangle from tcrules
|
||||
# --routestopped # Create stoppedrules from routestopped
|
||||
# --notrack # Create conntrack from notrack
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
@ -79,6 +80,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
|
||||
[ --inline ]
|
||||
[ --tcrules ]
|
||||
[ --routestopped ]
|
||||
[ --notrack ]
|
||||
_EOF_
|
||||
|
||||
exit shift @_;
|
||||
@ -110,6 +112,7 @@ my $shorewallrc1 = '';
|
||||
my $inline = 0;
|
||||
my $tcrules = 0;
|
||||
my $routestopped = 0;
|
||||
my $notrack = 0;
|
||||
|
||||
Getopt::Long::Configure ('bundling');
|
||||
|
||||
@ -145,6 +148,7 @@ my $result = GetOptions('h' => \$help,
|
||||
'inline' => \$inline,
|
||||
'tcrules' => \$tcrules,
|
||||
'routestopped' => \$routestopped,
|
||||
'notrack' => \$notrack,
|
||||
'config_path=s' => \$config_path,
|
||||
'shorewallrc=s' => \$shorewallrc,
|
||||
'shorewallrc1=s' => \$shorewallrc1,
|
||||
@ -176,4 +180,5 @@ compiler( script => $ARGV[0] || '',
|
||||
inline => $inline,
|
||||
tcrules => $tcrules,
|
||||
routestopped => $routestopped,
|
||||
notrack => $notrack
|
||||
);
|
||||
|
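Review bot: `notrack => $notrack` is added as the last entry of the `compiler( … )` argument list without a trailing comma while every preceding entry carries one (`routestopped => $routestopped,`), so the next option added here will again have to touch two lines; writing `notrack => $notrack,` keeps the list uniformly comma-terminated. The `compiler(` call itself starts outside the hunk.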
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Actions File
|
||||
# Shorewall version 5 - Actions File
|
||||
#
|
||||
# /etc/shorewall/actions
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Blacklist Rules File
|
||||
# Shorewall version 5 - Blacklist Rules File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-blrules"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - conntrack File
|
||||
# Shorewall version 5 - conntrack File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-conntrack"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Findgw File
|
||||
# Shorewall version 5 - Findgw File
|
||||
#
|
||||
# /etc/shorewall/findgw
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Init File
|
||||
# Shorewall version 5 - Init File
|
||||
#
|
||||
# /etc/shorewall/init
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Interfaces File
|
||||
# Shorewall version 5 - Interfaces File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-interfaces"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - lib.private File
|
||||
# Shorewall version 5 - lib.private File
|
||||
#
|
||||
# /etc/shorewall/lib.private
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Mangle File
|
||||
# Shorewall version 5 - Mangle File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-mangle"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Nat File
|
||||
# Shorewall version 5 - Nat File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-nat"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Params File
|
||||
# Shorewall version 5 - Params File
|
||||
#
|
||||
# /etc/shorewall/params
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Providers File
|
||||
# Shorewall version 5 - Providers File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-providers"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - refresh File
|
||||
# Shorewall version 5 - refresh File
|
||||
#
|
||||
# /etc/shorewall/refresh
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Restored File
|
||||
# Shorewall version 5 - Restored File
|
||||
#
|
||||
# /etc/shorewall/restored
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Routestopped File
|
||||
# Shorewall version 5 - Routestopped File
|
||||
#
|
||||
# This file is deprecated in favor of the stoppedrules file
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Rules File
|
||||
# Shorewall version 5 - Rules File
|
||||
#
|
||||
# For information on the settings in this file, type "man shorewall-rules"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Secmarks File
|
||||
# Shorewall version 5 - Secmarks File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-secmarks"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Start File
|
||||
# Shorewall version 5 - Start File
|
||||
#
|
||||
# /etc/shorewall/start
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Stop File
|
||||
# Shorewall version 5 - Stop File
|
||||
#
|
||||
# /etc/shorewall/stop
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - tcclear File
|
||||
# Shorewall version 5 - tcclear File
|
||||
#
|
||||
# /etc/shorewall/tcclear
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Tcfilters File
|
||||
# Shorewall version 5 - Tcfilters File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-tcfilters"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Tcpri File
|
||||
# Shorewall version 5 - Tcpri File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-tcpri"
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - Tunnels File
|
||||
# Shorewall version 5 - Tunnels File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-tunnels"
|
||||
#
|
||||
|
@ -439,6 +439,7 @@ compiler() {
|
||||
[ -n "$g_tcrules" ] && options="$options --tcrules"
|
||||
[ -n "$g_inline" ] && options="$options --inline"
|
||||
[ -n "$g_routestopped" ] && options="$options --routestopped"
|
||||
[ -n "$g_notrack" ] && options="$options --notrack"
|
||||
|
||||
if [ -n "$PERL" ]; then
|
||||
if [ ! -x "$PERL" ]; then
|
||||
@ -849,12 +850,17 @@ update_command() {
|
||||
g_routestopped=Yes
|
||||
option=${option#s}
|
||||
;;
|
||||
n*)
|
||||
g_notrack=Yes
|
||||
option=${option#n}
|
||||
;;
|
||||
A*)
|
||||
g_inline=Yes
|
||||
g_convert=Yes
|
||||
g_directives=Yes
|
||||
g_tcrules=Yes
|
||||
g_routestopped=Yes
|
||||
g_notrack=Yes
|
||||
option=${option#A}
|
||||
;;
|
||||
*)
|
||||
|