Implement Run-time Address Variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
17a1cd3c57
commit
156b04c380
@ -2679,6 +2679,15 @@ sub have_ipset_rules() {
|
||||
$ipset_rules;
|
||||
}
|
||||
|
||||
sub get_interface_address( $ );
|
||||
|
||||
sub record_runtime_address( $ ) {
|
||||
my $interface = shift;
|
||||
fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
|
||||
fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
|
||||
get_interface_address( $interface ) . ' ';
|
||||
}
|
||||
|
||||
sub mysplit( $ );
|
||||
|
||||
#
|
||||
@ -2714,8 +2723,14 @@ sub match_source_net( $;$ ) {
|
||||
|
||||
$result;
|
||||
} elsif ( $net =~ s/^!// ) {
|
||||
validate_net $net, 1;
|
||||
"! -s $net ";
|
||||
if ( $net =~ /^&(.+)/ ) {
|
||||
'! -s ' . record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
"! -s $net ";
|
||||
}
|
||||
} elsif ( $net =~ /^&(.+)/ ) {
|
||||
'-s ' . record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIP ? '' : "-s $net ";
|
||||
@ -2749,10 +2764,15 @@ sub match_dest_net( $ ) {
|
||||
}
|
||||
|
||||
$result;
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
validate_net $net, 1;
|
||||
"! -d $net ";
|
||||
} elsif ( $net =~ s/^!// ) {
|
||||
if ( $net =~ /^&(.+)/ ) {
|
||||
'! -d ' . record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
"! -d $net ";
|
||||
}
|
||||
} elsif ( $net =~ /^&(.+)/ ) {
|
||||
'-d ' . record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIP ? '' : "-d $net ";
|
||||
@ -2769,10 +2789,20 @@ sub match_orig_dest ( $ ) {
|
||||
return '' unless have_capability( 'CONNTRACK_MATCH' );
|
||||
|
||||
if ( $net =~ s/^!// ) {
|
||||
validate_net $net, 1;
|
||||
if ( $net =~ /^&(.+)/ ) {
|
||||
$net = record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
}
|
||||
|
||||
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
if ( $net =~ /^&(.+)/ ) {
|
||||
$net = record_runtime_address $1;
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
}
|
||||
|
||||
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
||||
}
|
||||
}
|
||||
@ -3501,7 +3531,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
if ( $source =~ /^(.+?):(.+)$/ ) {
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /\+|~|\..*\./ ) {
|
||||
} elsif ( $source =~ /\+|&|~|\..*\./ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@ -3515,7 +3545,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$inets = $source;
|
||||
}
|
||||
} elsif ( $source =~ /\+|~|\..*\./ ) {
|
||||
} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
$iiface = $source;
|
||||
@ -3592,7 +3622,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
if ( $dest =~ /^(.+?):(.+)$/ ) {
|
||||
$diface = $1;
|
||||
$dnets = $2;
|
||||
} elsif ( $dest =~ /\+|~|\..*\./ ) {
|
||||
} elsif ( $dest =~ /\+|&|~|\..*\./ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
@ -3606,7 +3636,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
} else {
|
||||
$dnets = $dest;
|
||||
}
|
||||
} elsif ( $dest =~ /\+|~|\..*\./ ) {
|
||||
} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
$diface = $dest;
|
||||
|
@ -10,6 +10,8 @@ Changes in Shorewall 4.4.17 Beta 1
|
||||
|
||||
5) Add 'USE_LOCAL_MODULES' option.
|
||||
|
||||
6) Implement runtime address variables (&interface)
|
||||
|
||||
Changes in Shorewall 4.4.17 Beta 1
|
||||
|
||||
1) Improve readability of logging logic in expand_rule().
|
||||
|
@ -54,6 +54,54 @@ Beta 1
|
||||
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
Beta 2
|
||||
|
||||
1) Traditionally, the -lite products have used the modules (or
|
||||
helpers) file on the firewall system unless there is a modules (or
|
||||
helpers) file in the configuration directory. This release
|
||||
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
|
||||
|
||||
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
|
||||
administrative system will be used to determine the set of modules
|
||||
loaded.
|
||||
|
||||
2) Given that shell variables are expanded at compile time, there was
|
||||
previously no way to cause such variables to be expended at run
|
||||
time. This made it difficult (to impossible) to include dynamic IP
|
||||
addresses in a Shorewall-lite configuration.
|
||||
|
||||
This release implements "Run-time address variables". In
|
||||
configuration files, these variables are expressed as an apersand
|
||||
('&') followed by the name of an interface defined in
|
||||
/etc/shorewall/interfaces.
|
||||
|
||||
Example:
|
||||
|
||||
ð0 would represent the primary IP address of eth0.
|
||||
|
||||
Run-time address variables may be used in the SOURCE and DEST
|
||||
column of the following configuration files:
|
||||
|
||||
accounting
|
||||
action files
|
||||
blacklist
|
||||
macro files
|
||||
rules
|
||||
tcrules
|
||||
tos
|
||||
|
||||
They may also appear in the ORIGINAL DEST column of
|
||||
|
||||
action files
|
||||
macro files
|
||||
rules
|
||||
|
||||
For optional interfaces, if the interface is not usable at the time
|
||||
that the firewall starts the all-zero address will be used (0.0.0.0
|
||||
in IPv4 and :: in IPv6), resulting in no packets matching the rule.
|
||||
|
||||
Beta 1
|
||||
|
||||
1) The shell variables set in /etc/shorewall/params
|
||||
(/etc/shorewall6/params) are now available in the compiled script
|
||||
at run-time with EXPORTPARAMS=No. The EXPORTPARAMS option is now
|
||||
@ -85,15 +133,6 @@ Beta 1
|
||||
INCLUDE was performed on the firewall system rather than on the
|
||||
administrative system.
|
||||
|
||||
3) Traditionally, the -lite products have used the modules (or
|
||||
helpers) file on the firewall system unless there is a modules (or
|
||||
helpers) file in the configuration directory. This release
|
||||
introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
|
||||
|
||||
When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
|
||||
administrative system will be used to determine the set of modules
|
||||
loaded.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -620,6 +620,12 @@ ACCEPT net:\
|
||||
role="bold">loc</emphasis> zone — <emphasis
|
||||
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The primary IP address of eth0 in the $FW zone - <emphasis
|
||||
role="bold">$FW:&eth0</emphasis> (see <link
|
||||
linkend="Rvariables">Run-time Address Variables</link> below)</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
@ -713,7 +719,7 @@ ACCEPT net:\
|
||||
<filename>params</filename> file from being copied into the compiled
|
||||
script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the
|
||||
<filename>params</filename> file. Note that with Shorewall 4.4.17 and
|
||||
later: </para>
|
||||
later:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -954,14 +960,103 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||||
<para>The <command>shorewall-lite call</command> command allows you to
|
||||
to call interactively any Shorewall function that you can call in an
|
||||
extension script.</para>
|
||||
|
||||
<note>
|
||||
<para>Within your configuration files, only the $VAR and ${VAR}
|
||||
forms of variable expansion are supported. You may not use the more
|
||||
exotic forms supported by the shell (${VAR:=val}, ${VAR:-val},
|
||||
...)</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<note>
|
||||
<para>Within your configuration files, only the $VAR and ${VAR} forms of
|
||||
variable expansion are supported. You may not use the more exotic forms
|
||||
supported by the shell (${VAR:=val}, ${VAR:-val}, ...)</para>
|
||||
</note>
|
||||
<para id="Rvariables">Given that shell variables are expanded at compile
|
||||
time, there is no way to cause such variables to be expended at run time.
|
||||
Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
|
||||
include dynamic IP addresses in a <ulink
|
||||
url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
|
||||
|
||||
<para>Version 4.4.17 implemented <firstterm>Run-time address
|
||||
variables</firstterm>. In configuration files, these variables are
|
||||
expressed as an apersand ('&') followed by the logical name of an
|
||||
interface defined in shorewall-interfaces (5). Wildcard interfaces (those
|
||||
ending in '+') are not supported and will cause a compilation
|
||||
error.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Example:</term>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">&eth0</emphasis> would represent the
|
||||
primary IP address of eth0.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Run-time address variables may be used in the SOURCE and DEST column
|
||||
of the following configuration files:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Actions.html">Action</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>They may also appear in the ORIGINAL DEST column of:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>For optional interfaces, if the interface is not usable at the time
|
||||
that the firewall starts the all-zero address will be used (0.0.0.0 in
|
||||
IPv4 and :: in IPv6), resulting in no packets matching the rule. </para>
|
||||
</section>
|
||||
|
||||
<section id="Embedded">
|
||||
|
@ -481,10 +481,10 @@
|
||||
</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
|
||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
|
||||
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
|
||||
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
|
||||
shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
|
@ -553,7 +553,7 @@
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
||||
<emphasis role="bold">any</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||
removed in Shorewall-4.4.13. </para>
|
||||
removed in Shorewall-4.4.13.</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
@ -572,6 +572,13 @@
|
||||
square brackets ([]) to indicate the number of levels of source
|
||||
bindings to be matched.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an apersand ('&')
|
||||
followed by the logican name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
@ -638,6 +645,15 @@
|
||||
155.186.235.16/28</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:&eth0</term>
|
||||
|
||||
<listitem>
|
||||
<para>The primary IP address of eth0 in the firewall zone
|
||||
(Shorewall 4.4.17 and later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -743,6 +759,13 @@
|
||||
role="bold">DEST</emphasis> columns may specify an ipset
|
||||
name.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an apersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>The <replaceable>port</replaceable> that the server is
|
||||
listening on may be included and separated from the server's IP
|
||||
address by ":". If omitted, the firewall will not modifiy the
|
||||
@ -900,6 +923,13 @@
|
||||
if the original destination address in the connection request does
|
||||
not match any of the addresses listed.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an apersand ('&')
|
||||
followed by the logical name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>For other actions, this column may be included and may contain
|
||||
one or more addresses (host or network) separated by commas. Address
|
||||
ranges are not allowed. When this column is supplied, rules are
|
||||
@ -1370,12 +1400,13 @@
|
||||
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
|
||||
shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-route_rules(5), shorewall-routestopped(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -425,6 +425,13 @@
|
||||
square brackets ([]) to indicate the number of levels of source
|
||||
bindings to be matched.</para>
|
||||
|
||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an apersand ('&')
|
||||
followed by the logican name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When an <replaceable>interface</replaceable> is not specified,
|
||||
you may omit the angled brackets ('<' and '>') around the
|
||||
address(es) or you may supply them to improve readability.</para>
|
||||
@ -478,17 +485,24 @@
|
||||
2001:4d48:ad51:24:6:/80.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:&eth0</term>
|
||||
|
||||
<listitem>
|
||||
<para>The primary IP address of eth0 in the firewall zone
|
||||
(Shorewall6 4.4.17 and later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<blockquote>
|
||||
<para>Alternatively, clients may be specified by interface by
|
||||
appending ":" to the zone name followed by the interface name. For
|
||||
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
||||
client that communicates with the firewall system through eth1.
|
||||
This may be optionally followed by another colon (":") and an
|
||||
IP/MAC/subnet address as described above (e.g., <emphasis
|
||||
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
||||
</blockquote>
|
||||
<para>Alternatively, clients may be specified by interface by
|
||||
appending ":" to the zone name followed by the interface name. For
|
||||
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
||||
client that communicates with the firewall system through eth1. This
|
||||
may be optionally followed by another colon (":") and an
|
||||
IP/MAC/subnet address as described above (e.g., <emphasis
|
||||
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
@ -533,6 +547,13 @@
|
||||
exclusion is supported -- see see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
||||
firewall interface can be specified by an apersand ('&')
|
||||
followed by the logican name of the interface as found in the
|
||||
INTERFACE column of <ulink
|
||||
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||
|