diff --git a/Shorewall/compiler b/Shorewall/compiler index 695d45a92..aa6d9689e 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -365,7 +365,7 @@ chain_exists() # $1 = chain name } # -# Create a mangle chain +# Create a mangle chainhttp://www1.shorewall.net/ # # Create a variable exists_mangle_${1} and set its value to Yes to indicate that # the chain now exists. @@ -836,106 +836,10 @@ match_dest_dev() fi } -verify_interface() -{ - known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } -} - -# -# Determine if communication to/from a host is encrypted using IPSEC -# -is_ipsec_host() # $1 = zone, $2 = host -{ - eval local is_ipsec=\$${1}_is_ipsec - eval local hosts=\"\$${1}_ipsec_hosts\" - - test -n "$is_ipsec" || list_search $2 $hosts -} - -# -# Generate a match for decrypted packets -# -match_ipsec_in() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" - echo "-m policy --pol ipsec --dir in $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir in" - fi -} - -# -# Generate a match for packets that will be encrypted -# -match_ipsec_out() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" - echo "-m policy --pol ipsec --dir out $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir out" - fi -} - # # Jacket for ip_range() that takes care of iprange match # -firewall_ip_range() # $1 = IP address or range -{ - [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts interface address addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo $interface:$address - done - fi - done < $TMP_DIR/hosts -} - -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $ZONES; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - # # Determine the defined hosts in each zone # @@ -996,21 +900,6 @@ determine_hosts() { done } -# -# Ensure that the passed zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $ZONES $FW -} -# -# Ensure that the passed zone is defined in the zones file. -# -validate_zone1() # $1 = zone -{ - list_search $1 $ZONES -} - # # Validate the zone names and options in the interfaces file # @@ -1193,16 +1082,6 @@ validate_hosts_file() { [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS" } -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" -} - # # validate the policy file # @@ -1384,63 +1263,6 @@ find_bcastdetect_interfaces() { done } -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && echo $interface - done -} - -# -# This slightly slower version is used to find both the option and option followed -# by equal sign ("=") and a value -# -find_interfaces_by_option1() # $1 = option -{ - local options option - - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - for option in $options; do - if [ "${option%=*}" = "$1" ]; then - echo $interface - break - fi - done - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - local ignore hosts interface address addresses options ipsec= list - - while read ignore hosts options; do - expandv options - list=$(separate_list $options) - if list_search $1 $list; then - list_search ipsec $list && ipsec=ipsec || ipsec=none - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo ${ipsec}^$interface:$address - done - fi - done < $TMP_DIR/hosts - - for interface in $ALL_INTERFACES; do - interface_has_option $interface $1 && \ - echo none^${interface}:0.0.0.0/0 - done -} - # # Flush and delete all user-defined chains in the filter table # diff --git a/Shorewall/firewall b/Shorewall/firewall index 2623443eb..223e48f67 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -572,121 +572,7 @@ match_dest_dev() fi } -verify_interface() -{ - known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } -} - # -# Determine if communication to/from a host is encrypted using IPSEC -# -is_ipsec_host() # $1 = zone, $2 = host -{ - eval local is_ipsec=\$${1}_is_ipsec - eval local hosts=\"\$${1}_ipsec_hosts\" - - test -n "$is_ipsec" || list_search $2 $hosts -} - -# -# Generate a match for decrypted packets -# -match_ipsec_in() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" - echo "-m policy --pol ipsec --dir in $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir in" - fi -} - -# -# Generate a match for packets that will be encrypted -# -match_ipsec_out() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" - echo "-m policy --pol ipsec --dir out $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir out" - fi -} - -# -# Jacket for ip_range() that takes care of iprange match -# - -firewall_ip_range() # $1 = IP address or range -{ - [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts interface address addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo $interface:$address - done - fi - done < $TMP_DIR/hosts -} - -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $ZONES; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Ensure that the passed zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $ZONES $FW -} -# -# Ensure that the passed zone is defined in the zones file. -# -validate_zone1() # $1 = zone -{ - list_search $1 $ZONES -} - # # Validate the zone names and options in the interfaces file # @@ -769,34 +655,6 @@ validate_interfaces_file() { [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" } -# -# Check that a mark value or mask is less that 256 -# -verify_mark() # $1 = value to test -{ - verify_mark1() - { - [ $1 -lt 256 ] - } - - verify_mark2() - { - verify_mark1 $1 2> /dev/null - } - - verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" -} - -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" -} - # # Find broadcast addresses -- if we are compiling a script and 'detect' is specified for an interface # the function returns nothing for that interface @@ -812,63 +670,6 @@ find_broadcasts() { done } -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && echo $interface - done -} - -# -# This slightly slower version is used to find both the option and option followed -# by equal sign ("=") and a value -# -find_interfaces_by_option1() # $1 = option -{ - local options option - - for interface in $ALL_INTERFACES; do - eval options=\$$(chain_base $interface)_options - for option in $options; do - if [ "${option%=*}" = "$1" ]; then - echo $interface - break - fi - done - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - local ignore hosts interface address addresses options ipsec= list - - while read ignore hosts options; do - expandv options - list=$(separate_list $options) - if list_search $1 $list; then - list_search ipsec $list && ipsec=ipsec || ipsec=none - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo ${ipsec}^$interface:$address - done - fi - done < $TMP_DIR/hosts - - for interface in $ALL_INTERFACES; do - interface_has_option $interface $1 && \ - echo none^${interface}:0.0.0.0/0 - done -} - # # Flush and delete all user-defined chains in the filter table # diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 2dcae3d95..03f859611 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -867,6 +867,57 @@ if_match() # $1 = Name in interfaces file - may end in "+" esac } +verify_interface() +{ + known_interface $1 || { [ -n "$BRIDGING" ] && known_port $1 ; } +} + +# +# Determine if communication to/from a host is encrypted using IPSEC +# +is_ipsec_host() # $1 = zone, $2 = host +{ + eval local is_ipsec=\$${1}_is_ipsec + eval local hosts=\"\$${1}_ipsec_hosts\" + + test -n "$is_ipsec" || list_search $2 $hosts +} + +# +# Generate a match for decrypted packets +# +match_ipsec_in() # $1 = zone, $2 = host +{ + if is_ipsec_host $1 $2 ; then + eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" + echo "-m policy --pol ipsec --dir in $options" + elif [ -n "$POLICY_MATCH" ]; then + echo "-m policy --pol none --dir in" + fi +} + +# +# Generate a match for packets that will be encrypted +# +match_ipsec_out() # $1 = zone, $2 = host +{ + if is_ipsec_host $1 $2 ; then + eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" + echo "-m policy --pol ipsec --dir out $options" + elif [ -n "$POLICY_MATCH" ]; then + echo "-m policy --pol none --dir out" + fi +} + +# +# Jacket for ip_range() that takes care of iprange match +# + +firewall_ip_range() # $1 = IP address or range +{ + [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 +} + # # Source IP range # @@ -966,6 +1017,138 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range echo "$rangeprefix $rangematch $setprefix $setmatch" } +# +# +# Find hosts in a given zone +# +# Read hosts file and for each record matching the passed ZONE, +# echo the expanded contents of the "HOST(S)" column +# +find_hosts() # $1 = host zone +{ + local hosts interface address addresses + + while read z hosts options; do + if [ "x$(expand $z)" = "x$1" ]; then + expandv hosts + interface=${hosts%%:*} + addresses=${hosts#*:} + for address in $(separate_list $addresses); do + echo $interface:$address + done + fi + done < $TMP_DIR/hosts +} + +# +# Determine the interfaces on the firewall +# +# For each zone, create a variable called ${zone}_interfaces. This +# variable contains a space-separated list of interfaces to the zone +# +determine_interfaces() { + for zone in $ZONES; do + interfaces=$(find_interfaces $zone) + interfaces=$(echo $interfaces) # Remove extra trash + eval ${zone}_interfaces=\"\$interfaces\" + done +} + +# +# Determine if an interface has a given option +# +interface_has_option() # $1 = interface, #2 = option +{ + local options + + eval options=\$$(chain_base $1)_options + + list_search $2 $options +} + +# +# Ensure that the passed zone is defined in the zones file or is the firewall +# +validate_zone() # $1 = zone +{ + list_search $1 $ZONES $FW +} + +# +# Ensure that the passed zone is defined in the zones file. +# +validate_zone1() # $1 = zone +{ + list_search $1 $ZONES +} + +# +# Format a match by the passed MAC address +# The passed address begins with "~" and uses "-" as a separator between bytes +# Example: ~01-02-03-04-05-06 +# +mac_match() # $1 = MAC address formated as described above +{ + echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" +} + +# +# Find interfaces that have the passed option specified +# +find_interfaces_by_option() # $1 = option +{ + for interface in $ALL_INTERFACES; do + eval options=\$$(chain_base $interface)_options + list_search $1 $options && echo $interface + done +} + +# +# This slightly slower version is used to find both the option and option followed +# by equal sign ("=") and a value +# +find_interfaces_by_option1() # $1 = option +{ + local options option + + for interface in $ALL_INTERFACES; do + eval options=\$$(chain_base $interface)_options + for option in $options; do + if [ "${option%=*}" = "$1" ]; then + echo $interface + break + fi + done + done +} + +# +# Find hosts with the passed option +# +find_hosts_by_option() # $1 = option +{ + local ignore hosts interface address addresses options ipsec= list + + while read ignore hosts options; do + expandv options + list=$(separate_list $options) + if list_search $1 $list; then + list_search ipsec $list && ipsec=ipsec || ipsec=none + expandv hosts + interface=${hosts%%:*} + addresses=${hosts#*:} + for address in $(separate_list $addresses); do + echo ${ipsec}^$interface:$address + done + fi + done < $TMP_DIR/hosts + + for interface in $ALL_INTERFACES; do + interface_has_option $interface $1 && \ + echo none^${interface}:0.0.0.0/0 + done +} + # # Find the value 'dev' in the passed arguments then echo the next value #