Reorganize Tunnel Creation; Automatic 'multi' on wildcard interfaces

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@89 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-06-21 15:57:01 +00:00
parent b2b099de05
commit 115e052f12
2 changed files with 50 additions and 66 deletions


@ -1012,52 +1012,35 @@ setup_tunnels() # $1 = name of tunnels file
local inchain local inchain
local outchain local outchain
setup_one_ipsec() # $1 = zone, $2 = gateway $3 = gateway zone setup_one_ipsec() # $1 = gateway $2 = gateway zone
{ {
if ! validate_zone $1; then
error_message "Invalid gateway zone ($3)" \
" -- Tunnel \"$tunnel\" Ignored"
return 1
fi
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
inchain=${1}2${FW} addrule $inchain -p 50 -s $1 $options
outchain=${FW}2${1} addrule $outchain -p 50 -d $1 $options
addrule $inchain -p 50 -s $2 $options run_iptables -A $inchain -p 51 -s $1 $options
addrule $outchain -p 50 -d $2 $options run_iptables -A $outchain -p 51 -d $1 $options
run_iptables -A $inchain -p 51 -s $2 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
run_iptables -A $outchain -p 51 -d $2 $options run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
run_iptables -A $inchain -p udp -s $2 --sport 500 --dport 500 $options
run_iptables -A $outchain -p udp -d $2 --dport 500 --sport 500 $options
if [ -n "$3" ]; then if [ -n "$2" ]; then
if validate_zone $3; then if validate_zone $2; then
addrule ${FW}2${3} -p udp --sport 500 --dport 500 $options addrule ${FW}2${2} -p udp --sport 500 --dport 500 $options
else else
error_message "Warning: Invalid gateway zone ($3)" \ error_message "Warning: Invalid gateway zone ($2)" \
" -- Tunnel \"$tunnel\" may encounter keying problems" " -- Tunnel \"$tunnel\" may encounter keying problems"
fi fi
fi fi
return 0 echo " IPSEC tunnel to $gateway defined."
} }
setup_one_other() # $1 = zone, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{ {
if ! validate_zone $1; then
error_message "Invalid gateway zone ($3)" \
" -- Tunnel \"$tunnel\" Ignored"
return 1
fi
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
inchain=${1}2${FW}
outchain=${FW}2${1}
addrule $inchain -p $3 -s $2 $options addrule $inchain -p $3 -s $2 $options
addrule $outchain -p $3 -d $2 $options addrule $outchain -p $3 -d $2 $options
return 0 echo " $1 tunnel to $gateway defined."
} }
strip_file tunnels $1 strip_file tunnels $1
@ -1065,24 +1048,28 @@ setup_tunnels() # $1 = name of tunnels file
while read kind z gateway z1; do while read kind z gateway z1; do
expandv kind z gateway z1 expandv kind z gateway z1
tunnel="`echo $kind $z $gateway $z1`" tunnel="`echo $kind $z $gateway $z1`"
if validate_zone $z; then
inchain=${z}2${FW}
outchain=${FW}2${z}
case $kind in case $kind in
ipsec|IPSEC) ipsec|IPSEC)
setup_one_ipsec $z $gateway $z1 && \ setup_one_ipsec $gateway $z1
echo " IPSEC tunnel to $gateway defined."
;; ;;
ipip|IPIP) ipip|IPIP)
setup_one_other $z $gateway 4 && \ setup_one_other IPIP $gateway 4
echo " IPIP tunnel to $gateway defined."
;; ;;
gre|GRE) gre|GRE)
setup_one_other $z $gateway 47 $z1 \ setup_one_other GRE $gateway 47
echo " GRE tunnel to $gateway defined."
;; ;;
*) *)
error_message "Tunnels of type $kind are not supported:" \ error_message "Tunnels of type $kind are not supported:" \
"Tunnel \"$tunnel\" Ignored" "Tunnel \"$tunnel\" Ignored"
;; ;;
esac esac
else
error_message "Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" Ignored"
fi
done < $TMP_DIR/tunnels done < $TMP_DIR/tunnels
} }
@ -1379,6 +1366,7 @@ delete_tc()
# The caller has established the following variables: # # The caller has established the following variables: #
# cli = Source IP, interface or MAC Specification # # cli = Source IP, interface or MAC Specification #
# serv = Destination IP Specification # # serv = Destination IP Specification #
# servport = Port the server is listening on #
# dest_interface = Destination Interface Specification # # dest_interface = Destination Interface Specification #
# proto = Protocol Specification # # proto = Protocol Specification #
# addr = Original Destination Address # # addr = Original Destination Address #
@ -2866,7 +2854,14 @@ activate_rules() {
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
case $interface in
*+*)
multi=yes
;;
*)
list_search $interface $multi_interfaces && multi=yes || multi= list_search $interface $multi_interfaces && multi=yes || multi=
;;
esac
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
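Review bot: The success message on the new side of setup_one_ipsec, `echo " IPSEC tunnel to $gateway defined."`, reads the caller's loop variable `gateway` while every other line of the function uses its positional `$1`, and setup_one_other likewise mixes `$gateway` in its echo with `$2` elsewhere. Using the parameters keeps both functions self-contained: `echo " IPSEC tunnel to $1 defined."` and `echo " $1 tunnel to $2 defined."`. The new header comments `# $1 = gateway $2 = gateway zone` and `# $1 = TYPE, $2 = gateway, $3 = protocol` also no longer say that `inchain`, `outchain` and `tunnel` must be set by the caller (those assignments moved into the read loop in the second hunk of this file); a line such as `# Expects inchain, outchain and tunnel to be set by the caller` would make the new contract explicit. Pre-existing rather than introduced here, but worth noting while these lines are touched: the gateway and zone fields read from the tunnels file are expanded unquoted into the iptables argument lists, so a malformed field splits into extra arguments instead of failing cleanly.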


@ -2,22 +2,11 @@ This is a minor release of Shorewall.
In this release: In this release:
1. A new "logwatch" command has been added to the /sbin/shorewall program. 1. Entries in /etc/shorewall/interface that use the wildcard character
("+") now have the "multi" option assumed.
2. Shorewall can now take advantage of the Netfilter 'multiport' match
function (kernel configuration option CONFIG_IP_NF_MATCH_MULTIPORT).
3. Dynamic blacklisting is now supported through the use of three new
commands in /sbin/shorewall:
deny - drop packets from one or more hosts.
reject - reject packets from one or more hosts.
allow - reverse the effect of a prior 'deny' or 'reject' command.
save - save the current dynamic blacklisting settings so that they
will be applied the next time that Shorewall is started.
4. The 'firewall', 'version' and 'functions' files have been moved from
/etc/shorewall to /var/lib/shorewall.