From 20355a6d2416d5fd0cd8acf3130bb9114268623c Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 15 Mar 2005 21:02:11 +0000 Subject: [PATCH] Invoke 'routestopped' rules during [re]start git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 + Shorewall2/firewall | 111 +++++++++++++++++++++--------------- Shorewall2/releasenotes.txt | 23 ++++++++ 3 files changed, 91 insertions(+), 45 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index ec80768a1..530e523d2 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -2,6 +2,8 @@ Changes in 2.2.3 1) Added the 'continue' extension script. +2) Obey 'routestopped' rules during [re]start. + Changes in 2.2.2 1) The 'check' command disclaimer is toned down further and only diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 197aa9f0c..1d82858b0 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall 
@@ -1390,6 +1390,58 @@ disable_ipv6_1() { fi } +# +# Process the routestopped file either adding or deleting rules +# + +process_routestopped() # $1 = command +{ + local hosts= interface host host1 options networks + + while read interface host options; do + expandv interface host options + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 + for h in $(separate_list $host); do + hosts="$hosts $interface:$h" + done + + routeback= + + if [ -n "$options" ]; then + for option in $(separate_list $options); do + case $option in + routeback) + if [ -n "$routeback" ]; then + error_message "Warning: Duplicate routestopped option ignored: routeback" + else + routeback=Yes + for h in $(separate_list $host); do + run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT + done + fi + ;; + *) + error_message "Warning: Unknown routestopped option ignored: $option" + ;; + esac + done + fi + + done < $TMP_DIR/routestopped + + for host in $hosts; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + + for host1 in $hosts; do + [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT + done + done +} + # # Stop the Firewall # 
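Review bot: The INPUT rule in the second loop of process_routestopped is issued with a bare `$IPTABLES $1 INPUT ...` while every other rule in the function goes through `run_iptables $1 ...`; the mix was carried over from the old stop_firewall code, where everything used `$IPTABLES -A`. If run_iptables adds error handling that the bare call lacks (it is defined outside this hunk), a failed `-D` of that INPUT ACCEPT rule at the end of [re]start would go unnoticed and leave a permissive rule in the final ruleset, so `run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT` keeps the add and delete passes on one code path. The loop variables `h`, `option` and `routeback` are not in the `local` list and leak into the caller's scope. A header comment stating that `$1` must be `-A` or `-D` and that the function reads the already-stripped `$TMP_DIR/routestopped` would help both callers.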
@@ -1465,50 +1517,9 @@ stop_firewall() { hosts= - strip_file routestopped + [ -f $TMP_DIR/routestopped ] || strip_file routestopped - while read interface host options; do - expandv interface host options - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 - for h in $(separate_list $host); do - hosts="$hosts $interface:$h" - done - - routeback= - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback) - if [ -n "$routeback" ]; then - error_message "Warning: Duplicate option ignored: routeback" - else - routeback=Yes - for h in $(separate_list $host); do - $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT - done - fi - ;; - *) - error_message "Warning: Unknown option ignored: $option" - ;; - esac - done - fi - - done < $TMP_DIR/routestopped - - for host in $hosts; do - interface=${host%:*} - networks=${host#*:} - $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - - for host1 in $hosts; do - [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT - done - done + process_routestopped -A $IPTABLES -A INPUT -i lo -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ @@ -5723,6 +5734,14 @@ initialize_netfilter () { run_user_exit continue + f=$(find_file routestopped) + + echo "Processing $f ..." + + strip_file routestopped $f + + process_routestopped -A + [ -n "$DISABLE_IPV6" ] && disable_ipv6 # @@ -6360,7 +6379,7 @@ activate_rules() [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange fi - } + } # # Add jumps to early SNAT chains 
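Review bot: `[ -f $TMP_DIR/routestopped ] || strip_file routestopped` silently reuses whatever stripped copy is already in $TMP_DIR, and nothing in the hunk says why. Presumably this is so a stop that follows a failed [re]start works from the same file that process_routestopped -A used, but if $TMP_DIR can outlive a run, a stale copy would take precedence over the current routestopped file; worth confirming against how $TMP_DIR is created (outside this hunk). A one-line comment such as `# Reuse the copy stripped by [re]start, if present, so stop works from the same file` would make the intent explicit. stop_firewall starts and ends outside the hunk.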
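Review bot: `f=$(find_file routestopped)` assigns a global unless `f` is declared local earlier in initialize_netfilter, which starts outside this hunk; none of the function's local declarations are visible here. `echo "Processing $f ..."` is printed before strip_file runs, so a missing or empty file is announced the same way as a populated one, which matches the surrounding code but is worth knowing when reading the start log. A comment above the block such as `# Allow routestopped traffic while the new ruleset is built; the matching process_routestopped -D is in activate_rules` would tie the two passes together for the next reader.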
@@ -6579,7 +6598,9 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done - + + process_routestopped -D + if [ -n "$LOGALLNEW" ]; then for table in mangle nat filter; do case $table in diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 08292f010..18cb6b73f 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -2,6 +2,8 @@ Shorewall 2.2.3 ----------------------------------------------------------------------- Problems corrected in version 2.2.3 + +None. ----------------------------------------------------------------------- New Features in version 2.2.3 
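Review bot: `process_routestopped -D` at the end of activate_rules removes the rules that initialize_netfilter added with `-A`, but nothing at the call site says so or says that both passes depend on the same stripped $TMP_DIR/routestopped; if that file were regenerated with different content between the two passes, the delete set could differ from the add set and an ACCEPT rule would survive into the final ruleset. A comment such as `# Remove the temporary routestopped ACCEPT rules added in initialize_netfilter; both passes read $TMP_DIR/routestopped` would pin that contract. Note also that `-D` removes one matching rule per entry, so the cleanup is only exact if the entries are the same ones that were added. activate_rules continues outside the hunk.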
@@ -13,6 +15,27 @@ New Features in version 2.2.3 It is useful for enabling certain communication while Shorewall is being [re]started. Be sure to delete any rules that you add here in your /etc/shorewall/start file. + +2) There has been ongoing confusion about how the + /etc/shorewall/routestopped file works. People understand how it + works with the 'shorewall stop' command but when they read that + 'shorewall restart' is logically equivalent to 'shorewall stop' + followed by 'shorewall start' then they erroneously conclude that + /etc/shorewall/routestopped can be used to enable new connections + during 'shorewall restart'. Up to now, it cannot -- that file is not + processed during either 'shorewall start' or 'shorewall restart'. + + Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped + will be processed TWICE during 'shorewall start' and during + 'shorewall restart'. It will be processed to add rules allowing new + connections during the 'start/restart' and it will be processed + again when the 'start/restart' is complete to remove the rules added + earlier. + + The result of this change will be that during most of [re]start, new + connections will be allowed in accordance with the contents of + /etc/shorewall/routestopped. + ----------------------------------------------------------------------- Problems corrected in version 2.2.2