extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-27 18:13:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow icmp-type in tcrules and more whitespace

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2711 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-19 14:43:22 +00:00
parent 09773c6c65
commit 1a5852b7c9
1 changed files with 129 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

251
Shorewall/firewall
View File

@ -251,7 +251,7 @@ finish_chain_section() # $1 = canonical chain $2 = state list
run_iptables -A $1 -p tcp --syn -j @$1 run_iptables -A $1 -p tcp --syn -j @$1
;; ;;
*) *)
esac esac
else else
run_iptables -A $1 -p tcp --syn -j @$1 run_iptables -A $1 -p tcp --syn -j @$1
@ -331,7 +331,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
esac esac
fi fi
eval exists_${c}=Yes eval exists_${c}=Yes
fi fi
@ -533,9 +533,9 @@ determine_zones()
esac esac
for parent in $parents; do for parent in $parents; do
[ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed" [ "$parent" = "$FW" ] && startup_error "Sub-zones of the firewall zone are not allowed"
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done done
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" [ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
@ -737,7 +737,7 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
while [ $temp -gt 1 ]; do while [ $temp -gt 1 ]; do
options="$options,$2" options="$options,$2"
temp=$(($temp - 1)) temp=$(($temp - 1))
done done
;; ;;
*\[*\]) *\[*\])
options=${1#*\[} options=${1#*\[}
@ -1354,7 +1354,7 @@ setup_providers()
done done
fi fi
} }
strip_file providers $1 strip_file providers $1
if [ -s $TMP_DIR/providers ]; then if [ -s $TMP_DIR/providers ]; then
@ -1365,7 +1365,7 @@ setup_providers()
else else
echo "Validating $1..." echo "Validating $1..."
fi fi
while read table number mark duplicate interface gateway options copy; do while read table number mark duplicate interface gateway options copy; do
expandv table number mark duplicate interface gateway options copy expandv table number mark duplicate interface gateway options copy
provider="$table $number $mark $duplicate $interface $gateway $options $copy" provider="$table $number $mark $duplicate $interface $gateway $options $copy"
@ -1403,8 +1403,8 @@ EOF
cat /etc/iproute2/rt_tables >> $RESTOREBASE cat /etc/iproute2/rt_tables >> $RESTOREBASE
save_command __EOF__ save_command __EOF__
fi fi
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache"
fi fi
fi fi
@ -1446,7 +1446,7 @@ validate_hosts_file() {
eval ports=\$${iface}_ports eval ports=\$${iface}_ports
eval zports=\$${z}_ports eval zports=\$${z}_ports
for host in $(separate_list $hosts); do for host in $(separate_list $hosts); do
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
case $host in case $host in
@ -1458,7 +1458,7 @@ validate_hosts_file() {
*.*.*.*) *.*.*.*)
;; ;;
+*) +*)
eval ${z}_is_complex=Yes eval ${z}_is_complex=Yes
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
@ -1469,7 +1469,7 @@ validate_hosts_file() {
else else
case $host in case $host in
+*) +*)
eval ${z}_is_complex=Yes eval ${z}_is_complex=Yes
;; ;;
esac esac
fi fi
@ -1548,7 +1548,7 @@ validate_policy()
eval ${chain}_policy=ACCEPT eval ${chain}_policy=ACCEPT
eval ${chain}_policychain=$chain eval ${chain}_policychain=$chain
ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain"
done done
strip_file policy strip_file policy
@ -1829,7 +1829,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
fi fi
;; ;;
esac esac
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
[ -z "$STOPPING" ] && { stop_firewall; exit 2; } [ -z "$STOPPING" ] && { stop_firewall; exit 2; }
fi fi
@ -1946,7 +1946,7 @@ process_routestopped() # $1 = command
esac esac
done done
fi fi
done < $TMP_DIR/routestopped done < $TMP_DIR/routestopped
@ -1968,7 +1968,7 @@ process_routestopped() # $1 = command
run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
matched=Yes matched=Yes
fi fi
if [ -z "$matched" ]; then if [ -z "$matched" ]; then
for host1 in $hosts; do for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
@ -2003,7 +2003,7 @@ process_criticalhosts()
;; ;;
esac esac
done done
fi fi
done < $TMP_DIR/routestopped done < $TMP_DIR/routestopped
if [ -n "$criticalhosts" ]; then if [ -n "$criticalhosts" ]; then
@ -2064,7 +2064,7 @@ stop_firewall() {
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then if [ -x ${RESTOREPATH}-ipsets ]; then
@ -2086,7 +2086,7 @@ stop_firewall() {
else else
set_state "Unknown" set_state "Unknown"
fi fi
my_mutex_off my_mutex_off
kill $$ kill $$
exit 2 exit 2
@ -2110,7 +2110,7 @@ stop_firewall() {
[ -n "$RAW_TABLE" ] && \ [ -n "$RAW_TABLE" ] && \
run_iptables -t raw -F && \ run_iptables -t raw -F && \
run_iptables -t raw -X run_iptables -t raw -X
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
delete_proxy_arp delete_proxy_arp
@ -2127,7 +2127,7 @@ stop_firewall() {
done done
setpolicy FORWARD DROP setpolicy FORWARD DROP
deleteallchains deleteallchains
enable_critical_hosts enable_critical_hosts
@ -2141,7 +2141,7 @@ stop_firewall() {
done done
setpolicy FORWARD DROP setpolicy FORWARD DROP
deleteallchains deleteallchains
enable_critical_hosts enable_critical_hosts
@ -2156,15 +2156,15 @@ stop_firewall() {
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP setpolicy $chain DROP
done done
deleteallchains deleteallchains
else else
for chain in INPUT FORWARD; do for chain in INPUT FORWARD; do
setpolicy $chain DROP setpolicy $chain DROP
done done
setpolicy OUTPUT ACCEPT setpolicy OUTPUT ACCEPT
deleteallchains deleteallchains
for chain in INPUT FORWARD; do for chain in INPUT FORWARD; do
@ -2524,7 +2524,7 @@ setup_ipsec() {
_in) _in)
set_mss1 ${zone}2${z} $1 set_mss1 ${zone}2${z} $1
;; ;;
_out) _out)
set_mss1 ${z}2${zone} $1 set_mss1 ${z}2${zone} $1
;; ;;
*) *)
@ -2548,7 +2548,7 @@ setup_ipsec() {
val=${option#*=} val=${option#*=}
case $option in case $option in
mss=[0-9]*) set_mss $val $1 ;; mss=[0-9]*) set_mss $val $1 ;;
strict) newoptions="$newoptions --strict" ;; strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;; next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;; reqid=*) newoptions="$newoptions --reqid $val" ;;
@ -2609,7 +2609,7 @@ setup_ipsec() {
;; ;;
esac esac
fi fi
do_options "" $options do_options "" $options
do_options "_in" $in_options do_options "_in" $in_options
do_options "_out" $out_options do_options "_out" $out_options
@ -2926,7 +2926,7 @@ setup_nat() {
do_one_nat() { do_one_nat() {
local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*} local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
if [ -n "$add_ip_aliases" ]; then if [ -n "$add_ip_aliases" ]; then
case $interface in case $interface in
*:) *:)
@ -2943,7 +2943,7 @@ setup_nat() {
validate_one allints "ALL INTERFACES" $allints validate_one allints "ALL INTERFACES" $allints
validate_one localnat "LOCAL" $localnat validate_one localnat "LOCAL" $localnat
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$allints" ]; then if [ -n "$allints" ]; then
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
@ -2976,7 +2976,7 @@ setup_nat() {
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
do_one_nat do_one_nat
progress_message " Host $internal NAT $external on $interface" progress_message " Host $internal NAT $external on $interface"
@ -3141,7 +3141,7 @@ process_tc_rule()
$FW) $FW)
[ $chain = tcpost ] || chain=tcout [ $chain = tcpost ] || chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
@ -3154,7 +3154,7 @@ process_tc_rule()
fatal_error "Invalid use of a user/group: rule \"$rule\"" fatal_error "Invalid use of a user/group: rule \"$rule\""
r="$r-m owner" r="$r-m owner"
case "$user" in case "$user" in
*+*) *+*)
r="$r --cmd-owner ${user#*+} " r="$r --cmd-owner ${user#*+} "
@ -3192,15 +3192,22 @@ process_tc_rule()
multiport= multiport=
if [ "x$proto" = xipp2p ]; then case $proto in
[ "x$port" = "x-" ] && port="ipp2p" ipp2p|IPP2P)
r="${r}-p tcp -m ipp2p --${port} " [ "x$port" = "x-" ] && port="ipp2p"
else r="${r}-p tcp -m ipp2p --${port} "
[ "x$proto" = "x-" ] && proto=all           ;;
[ "x$proto" = "x" ] && proto=all icmp|ICMP|1)
[ "$proto" = "all" ] || r="${r}-p $proto " r="${r}-p icmp "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port"   = "x-" ] || r="${r}--icmp-type $port"
fi ;;
*)
[ "x$proto"  = "x-"  ] && proto=all
[ "x$proto"  = "x"   ] && proto=all
[ "$proto"   = "all" ] || r="${r}-p $proto "
[ "x$port"   = "x-"  ] || r="${r}--dport $port "
;;
esac
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -3238,10 +3245,10 @@ process_tc_rule()
;; ;;
*) *)
chain=tcpost chain=tcpost
target="CLASSIFY --set-class" target="CLASSIFY --set-class"
;; ;;
esac esac
fi fi
case $mark in case $mark in
@ -3272,7 +3279,7 @@ process_tc_rule()
verify_mark $mark verify_mark $mark
fi fi
;; ;;
esac esac
case $testval in case $testval in
-) -)
@ -3385,7 +3392,7 @@ setup_tc1() {
if [ -n "$ROUTEMARK_INTERFACES" ]; then if [ -n "$ROUTEMARK_INTERFACES" ]; then
# #
# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
# packets that are not part of a marked connection to the 'tcpre/tcout' chains # packets that are not part of a marked connection to the 'tcpre/tcout' chains
# #
run_iptables -t mangle -A PREROUTING -m mark --mark 0 -j tcpre run_iptables -t mangle -A PREROUTING -m mark --mark 0 -j tcpre
@ -3404,7 +3411,7 @@ setup_tc1() {
run_user_exit tcstart run_user_exit tcstart
f=$(find_file tcstart) # In case the script used this variable f=$(find_file tcstart) # In case the script used this variable
if [ $f != /usr/share/shorewall/tcstart ]; then if [ $f != /usr/share/shorewall/tcstart ]; then
save_progress_message "Restoring Traffic Control..." save_progress_message "Restoring Traffic Control..."
save_command . $f save_command . $f
@ -3476,7 +3483,7 @@ process_accounting_rule() {
rule2= rule2=
jumpchain= jumpchain=
user1= user1=
accounting_error() { accounting_error() {
error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
} }
@ -3496,7 +3503,7 @@ process_accounting_rule() {
return 2 return 2
fi fi
fi fi
rule="$rule -j $jumpchain" rule="$rule -j $jumpchain"
} }
@ -3557,7 +3564,7 @@ process_accounting_rule() {
rule="$rule -m multiport --dports $port" rule="$rule -m multiport --dports $port"
multiport=Yes multiport=Yes
else else
rule="$rule --dport $port" rule="$rule --dport $port"
fi fi
;; ;;
esac esac
@ -3589,7 +3596,7 @@ process_accounting_rule() {
rule="$rule ! --cmd-owner ${user#*+} " rule="$rule ! --cmd-owner ${user#*+} "
fi fi
user1=${user%+*} user1=${user%+*}
;; ;;
*+*) *+*)
if [ -n "${user#*+}" ]; then if [ -n "${user#*+}" ]; then
rule="$rule --cmd-owner ${user#*+} " rule="$rule --cmd-owner ${user#*+} "
@ -3849,7 +3856,7 @@ add_an_action()
fi fi
dports="$dports $port" dports="$dports $port"
fi fi
if [ -n "$cport" ]; then if [ -n "$cport" ]; then
sports="--sport" sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
@ -3989,7 +3996,7 @@ add_an_action()
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \ run_iptables2 -A $chain1 $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target $(dest_ip_range $srv) $dports $ratelimit $user -j $target
done done
@ -4051,14 +4058,14 @@ process_action() # $1 = chain (Chain to add the rules to)
if [ -n "$userspec" ]; then if [ -n "$userspec" ]; then
userandgroup="-m owner" userandgroup="-m owner"
case "$userspec" in case "$userspec" in
!*+*) !*+*)
if [ -n "${userspec#*+}" ]; then if [ -n "${userspec#*+}" ]; then
userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}"
fi fi
userspec=${userspec%+*} userspec=${userspec%+*}
;; ;;
*+*) *+*)
if [ -n "${userspec#*+}" ]; then if [ -n "${userspec#*+}" ]; then
userandgroup="$userandgroup --cmd-owner ${userspec#*+}" userandgroup="$userandgroup --cmd-owner ${userspec#*+}"
@ -4292,9 +4299,9 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
else else
TAG= TAG=
fi fi
[ none = "${LEVEL%\!}" ] && LEVEL= [ none = "${LEVEL%\!}" ] && LEVEL=
run_user_exit $1 run_user_exit $1
fi fi
@ -4475,7 +4482,7 @@ map_old_action() # $1 = Potential Old Action
echo $1 echo $1
return return
fi fi
case $1 in case $1 in
Allow*) Allow*)
macro=${1#*w} macro=${1#*w}
@ -4495,7 +4502,7 @@ map_old_action() # $1 = Potential Old Action
;; ;;
esac esac
esac esac
if [ -f $(find_file macro.$macro) ]; then if [ -f $(find_file macro.$macro) ]; then
echo $macro/$aktion echo $macro/$aktion
fi fi
@ -4514,7 +4521,7 @@ map_old_action() # $1 = Potential Old Action
# b) Forward and unresolved action references are trapped as errors. # b) Forward and unresolved action references are trapped as errors.
# c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the # c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the
# action[:level[:tag]] of each action invoked by <action>. # action[:level[:tag]] of each action invoked by <action>.
# d) All actions are listed in the global variable ACTIONS. # d) All actions are listed in the global variable ACTIONS.
# e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global # e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global
# USEDACTIONS # USEDACTIONS
# #
@ -4531,7 +4538,7 @@ map_old_action() # $1 = Potential Old Action
# processed once for each unique [:level[:tag]] applied to an invocation of the action. # processed once for each unique [:level[:tag]] applied to an invocation of the action.
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP" ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS= USEDACTIONS=
@ -4563,13 +4570,13 @@ process_actions1() {
esac esac
[ -z "$xaction" ] && continue [ -z "$xaction" ] && continue
[ "$xaction" = "$(chain_base $xaction)" ] || startup_error "Invalid Action Name: $xaction" [ "$xaction" = "$(chain_base $xaction)" ] || startup_error "Invalid Action Name: $xaction"
if ! list_search $xaction $ACTIONS; then if ! list_search $xaction $ACTIONS; then
f=action.$xaction f=action.$xaction
fn=$(find_file $f) fn=$(find_file $f)
eval requiredby_${action}= eval requiredby_${action}=
if [ -f $fn ]; then if [ -f $fn ]; then
@ -4605,16 +4612,16 @@ process_actions1() {
f1=macro.${temp} f1=macro.${temp}
fn=$(find_file $f1) fn=$(find_file $f1)
if [ ! -f $TMP_DIR/$f1 ]; then if [ ! -f $TMP_DIR/$f1 ]; then
# #
# We must only verify macros once to ensure that they don't invoke any non-standard actions # We must only verify macros once to ensure that they don't invoke any non-standard actions
# #
if [ -f $fn ]; then if [ -f $fn ]; then
strip_file $f1 $fn strip_file $f1 $fn
progress_message " ..Expanding Macro $fn..." progress_message " ..Expanding Macro $fn..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget expandv mtarget
temp="${mtarget%%:*}" temp="${mtarget%%:*}"
@ -4666,7 +4673,7 @@ process_actions2() {
while [ -n "$changed" ]; do while [ -n "$changed" ]; do
changed= changed=
for xaction in $USEDACTIONS; do for xaction in $USEDACTIONS; do
eval required=\"\$requiredby_${xaction%%:*}\" eval required=\"\$requiredby_${xaction%%:*}\"
for xaction1 in $required; do for xaction1 in $required; do
@ -4722,7 +4729,7 @@ process_actions3() {
fi fi
;; ;;
esac esac
run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
else else
@ -4735,7 +4742,7 @@ process_actions3() {
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;; ;;
esac esac
run_iptables -A $xchain -d $address -j DROP run_iptables -A $xchain -d $address -j DROP
done done
fi fi
@ -4767,7 +4774,7 @@ process_actions3() {
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;; ;;
esac esac
run_iptables -A $xchain -d $address -j ACCEPT run_iptables -A $xchain -d $address -j ACCEPT
done done
fi fi
@ -4775,7 +4782,7 @@ process_actions3() {
;; ;;
dropNonSyn) dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
@ -4835,9 +4842,9 @@ process_actions3() {
# Not a builtin # Not a builtin
# #
f=action.$xaction1 f=action.$xaction1
echo "Processing $(find_file $f) for Chain $xchain..." echo "Processing $(find_file $f) for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
expandv xtarget expandv xtarget
# #
@ -4877,7 +4884,7 @@ process_actions3() {
if [ -n "$is_macro" ]; then if [ -n "$is_macro" ]; then
xtarget1=$(map_old_action $xtarget1) xtarget1=$(map_old_action $xtarget1)
case $xtarget1 in case $xtarget1 in
*/*) */*)
param=${xtarget1#*/} param=${xtarget1#*/}
@ -4888,7 +4895,7 @@ process_actions3() {
progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $xaction2 $mtarget) mtarget=$(merge_levels $xaction2 $mtarget)
case $mtarget in case $mtarget in
@ -5069,7 +5076,7 @@ add_nat_rule() {
addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN
done done
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat log_rule_limit $loglevel $chain $(dnat_chain $source) $logtarget "$ratelimit" "$logtag" -A -t nat
fi fi
@ -5083,7 +5090,7 @@ add_nat_rule() {
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
fi fi
addnatrule $chain $proto $ratelimit $cli $sports \ addnatrule $chain $proto $ratelimit $cli $sports \
-d $adr $multiport $dports -j $target1 -d $adr $multiport $dports -j $target1
done done
@ -5165,7 +5172,7 @@ process_rule() # $1 = target
fi fi
dports="$dports $port" dports="$dports $port"
fi fi
if [ -n "$cport" ]; then if [ -n "$cport" ]; then
sports="--sport" sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
@ -5180,7 +5187,7 @@ process_rule() # $1 = target
{ {
fatal_error "Unknown interface $1 in rule: \"$rule\"" fatal_error "Unknown interface $1 in rule: \"$rule\""
} }
rule_interface_verify() rule_interface_verify()
{ {
verify_interface $1 || interface_error $1 verify_interface $1 || interface_error $1
@ -5265,7 +5272,7 @@ process_rule() # $1 = target
servport=$serverport servport=$serverport
multiport= multiport=
user="$userandgroup" user="$userandgroup"
# Restore $chain to the canonical chain. # Restore $chain to the canonical chain.
chain=$logchain chain=$logchain
@ -5306,7 +5313,7 @@ process_rule() # $1 = target
# Some misc. setup # Some misc. setup
case "$logtarget" in case "$logtarget" in
ACCEPT|DROP|REJECT|CONTINUE) ACCEPT|DROP|REJECT|CONTINUE)
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then
error_message "Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
@ -5314,7 +5321,7 @@ process_rule() # $1 = target
;; ;;
REDIRECT) REDIRECT)
[ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\"" [ -n "$excludedest" ] && fatal_error "Invalid DEST for this ACTION; rule \"$rule\""
[ -n "$serv" ] && \ [ -n "$serv" ] && \
fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
@ -5492,7 +5499,7 @@ process_rule() # $1 = target
;; ;;
esac esac
loglevel=${loglevel%\!} loglevel=${loglevel%\!}
fi fi
# #
# Save the original target in 'logtarget' for logging rules # Save the original target in 'logtarget' for logging rules
@ -5524,7 +5531,7 @@ process_rule() # $1 = target
userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}" userandgroup="$userandgroup ! --cmd-owner ${userspec#*+}"
fi fi
userspec=${userspec%+*} userspec=${userspec%+*}
;; ;;
*+*) *+*)
if [ -n "${userspec#*+}" ]; then if [ -n "${userspec#*+}" ]; then
userandgroup="$userandgroup --cmd-owner ${userspec#*+}" userandgroup="$userandgroup --cmd-owner ${userspec#*+}"
@ -5634,7 +5641,7 @@ process_rule() # $1 = target
else else
excludezones="${clientzone#*!}" excludezones="${clientzone#*!}"
clientzone="${clientzone%!*}" clientzone="${clientzone%!*}"
case $logtarget in case $logtarget in
DNAT|REDIRECT|SAME) DNAT|REDIRECT|SAME)
;; ;;
@ -5713,7 +5720,7 @@ process_rule() # $1 = target
chain=${source}2${dest} chain=${source}2${dest}
# If we have one or more exclusion lists, we will create a new chain and # If we have one or more exclusion lists, we will create a new chain and
# store it's name in 'chain'. We still want log rules to reflect the # store it's name in 'chain'. We still want log rules to reflect the
# canonical chain so we store it's name in $logchain. # canonical chain so we store it's name in $logchain.
logchain=$chain logchain=$chain
@ -5891,7 +5898,7 @@ process_macro() # $1 = target
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
mtarget=$(merge_levels $itarget $mtarget) mtarget=$(merge_levels $itarget $mtarget)
case $mtarget in case $mtarget in
@ -5942,13 +5949,13 @@ process_macro() # $1 = target
else else
mservers=${iservers} mservers=${iservers}
fi fi
[ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol [ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol
[ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports [ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports
[ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports [ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports
[ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit [ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit
[ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec
rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec
@ -5966,10 +5973,10 @@ process_rules()
# #
# Process a rule where the source or destination is "all" # Process a rule where the source or destination is "all"
# #
process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic
{ {
local yclients yservers ysourcezone ydestzone ypolicy local yclients yservers ysourcezone ydestzone ypolicy
for yclients in $xclients; do for yclients in $xclients; do
for yservers in $xservers; do for yservers in $xservers; do
ysourcezone=${yclients%%:*} ysourcezone=${yclients%%:*}
@ -5999,7 +6006,7 @@ process_rules()
SECTION=NEW SECTION=NEW
fi fi
case $xclients in case $xclients in
all+) all+)
xclients=all xclients=all
intrazone=Yes intrazone=Yes
@ -6097,7 +6104,7 @@ process_rules()
esac esac
f=macro.$xtarget1 f=macro.$xtarget1
if [ -f $TMP_DIR/$f ]; then if [ -f $TMP_DIR/$f ]; then
do_it Yes do_it Yes
else else
@ -6554,7 +6561,7 @@ setup_routes()
run_iptables -t mangle -N routemark run_iptables -t mangle -N routemark
for interface in $ROUTEMARK_INTERFACES ; do for interface in $ROUTEMARK_INTERFACES ; do
iface=$(chain_base $interface) iface=$(chain_base $interface)
eval mark_value=\$${iface}_routemark eval mark_value=\$${iface}_routemark
@ -6635,7 +6642,7 @@ setup_masq()
add_snat_aliases= add_snat_aliases=
destnets="${fullinterface##*:}" destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}" fullinterface="${fullinterface%:*}"
;; ;;
*:*:*) *:*:*)
# Both alias name and networks # Both alias name and networks
destnets="${fullinterface##*:}" destnets="${fullinterface##*:}"
@ -6687,7 +6694,7 @@ setup_masq()
;; ;;
esac esac
[ "x$addresses" = x- ] && addresses= [ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
@ -6753,12 +6760,12 @@ setup_masq()
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
;; ;;
esac esac
proto="-p $proto" proto="-p $proto"
else else
displayproto="(all)" displayproto="(all)"
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
fi fi
destination=${destnets:=0.0.0.0/0} destination=${destnets:=0.0.0.0/0}
@ -6767,7 +6774,7 @@ setup_masq()
case $destnets in case $destnets in
!*) !*)
destnets=${destnets#!} destnets=${destnets#!}
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
build_exclusion_chain newchain nat "$nomasq" "$destnets" build_exclusion_chain newchain nat "$nomasq" "$destnets"
@ -6875,7 +6882,7 @@ setup_masq()
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
done done
fi fi
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
progress_message " To $destination $displayproto from $source through ${interface} using $addresses" progress_message " To $destination $displayproto from $source through ${interface} using $addresses"
else else
@ -7014,7 +7021,7 @@ setup_blacklist() {
createchain blacklst no createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*} ipsec=${host%^*}
host=${host#*^} host=${host#*^}
@ -7025,7 +7032,7 @@ setup_blacklist() {
for chain in $(first_chains $interface); do for chain in $(first_chains $interface); do
run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst
done done
[ $network = 0/0.0.0.0 ] && network= || network=":$network" [ $network = 0/0.0.0.0 ] && network= || network=":$network"
progress_message " Blacklisting enabled on ${interface}${network}" progress_message " Blacklisting enabled on ${interface}${network}"
@ -7272,7 +7279,7 @@ determine_capabilities() {
fi fi
qt ipset -X fooX1234 qt ipset -X fooX1234
fi fi
fi fi
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
@ -7411,7 +7418,7 @@ initialize_netfilter () {
deleteallchains deleteallchains
enable_critical_hosts enable_critical_hosts
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
@ -7515,7 +7522,7 @@ initialize_netfilter () {
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..." echo "Restoring dynamic rules..."
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
while read target ignore1 ignore2 address rest; do while read target ignore1 ignore2 address rest; do
case $target in case $target in
@ -7662,9 +7669,9 @@ add_common_rules() {
createchain norfc1918 no createchain norfc1918 no
createchain rfc1918 no createchain rfc1918 no
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
run_iptables -A rfc1918 -j DROP run_iptables -A rfc1918 -j DROP
chain=norfc1918 chain=norfc1918
@ -7674,7 +7681,7 @@ add_common_rules() {
# We'll generate two chains - one for source and one for destination # We'll generate two chains - one for source and one for destination
# #
chain=rfc1918d chain=rfc1918d
createchain $chain no createchain $chain no
elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
# Mangling is enabled but conntrack match isn't available -- # Mangling is enabled but conntrack match isn't available --
@ -7709,7 +7716,7 @@ add_common_rules() {
for network in $(separate_list $networks); do for network in $(separate_list $networks); do
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
# #
# We have connection tracking match -- match on the original destination # We have connection tracking match -- match on the original destination
@ -7813,7 +7820,7 @@ add_common_rules() {
if [ -n "${interfaces}${interfaces1}" ]; then if [ -n "${interfaces}${interfaces1}" ]; then
echo "Setting up ARP Filtering..." echo "Setting up ARP Filtering..."
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter file=/proc/sys/net/ipv4/conf/$interface/arp_filter
if [ -f $file ]; then if [ -f $file ]; then
@ -8113,7 +8120,7 @@ activate_rules()
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
done done
fi fi
@ -8222,14 +8229,14 @@ activate_rules()
# routeback was specified for this host group # routeback was specified for this host group
# #
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
else else
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
chain3=$(forward_chain $interface) chain3=$(forward_chain $interface)
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
@ -8584,12 +8591,12 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
error_message "$h already in zone $zone" error_message "$h already in zone $zone"
fi fi
done done
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
fi fi
eval ${z}_hosts=\"$hosts\" eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> /var/lib/shorewall/zones_$$ echo "$z $hosts" >> /var/lib/shorewall/zones_$$
done < /var/lib/shorewall/zones done < /var/lib/shorewall/zones
@ -8633,7 +8640,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
for h in $dest_hosts; do for h in $dest_hosts; do
iface=${h%%:*} iface=${h%%:*}
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi fi
@ -8750,7 +8757,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
if [ "$z" = "$zone" ]; then if [ "$z" = "$zone" ]; then
temp=$hosts temp=$hosts
hosts= hosts=
for host in $hostlist; do for host in $hostlist; do
found= found=
for h in $temp; do for h in $temp; do
@ -8771,7 +8778,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
break break
fi fi
done done
[ -n "$found" ] || hosts="$hosts $h" [ -n "$found" ] || hosts="$hosts $h"
done done
fi fi
@ -8807,11 +8814,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
for h in $dest_hosts; do for h in $dest_hosts; do
iface=${h%%:*} iface=${h%%:*}
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi fi
@ -8823,11 +8830,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do for h in $source_hosts; do
iface=${h%%:*} iface=${h%%:*}
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then if is_ipsec_host $z1 $h; then
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain