extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 02:08:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Clean up V4/V5 ipset enforcement

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-04-14 09:00:38 -07:00
parent 541ecb67b4
commit 216bc715e8
3 changed files with 34 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -8288,14 +8288,20 @@ sub create_save_ipsets() {
'' ); '' );
if ( $family == F_IPV6 || $setting !~ /yes/i ) { if ( $family == F_IPV6 || $setting !~ /yes/i ) {
#
# Requires V5 or later
#
emit( '' , emit( '' ,
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
' $IPSET -F $set' , ' $IPSET flush $set' ,
' $IPSET -X $set' , ' $IPSET destroy $set' ,
" done" , " done" ,
'', '',
); );
} else { } else {
#
# Restoring all ipsets (IPv4 and IPv6, if any)
#
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' , emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -F' , ' $IPSET -F' ,
' $IPSET -X' , ' $IPSET -X' ,
@ -8322,6 +8328,9 @@ sub create_save_ipsets() {
if ( $config{SAVE_IPSETS} ) { if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
#
# Requires V5 or later
#
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 '; my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( '' , emit( '' ,
@ -8332,11 +8341,14 @@ sub create_save_ipsets() {
emit( '', emit( '',
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET -S \$set >> \$file" , " \$IPSET save \$set >> \$file" ,
" done" , " done" ,
'', '',
); );
} else { } else {
#
# Saving all ipsets (IPv4 and IPv6, if any )
#
emit ( emit (
'', '',
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' , ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@ -8347,9 +8359,12 @@ sub create_save_ipsets() {
emit( " return 0", emit( " return 0",
"}\n" ); "}\n" );
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
#
# Requires V5 or later
#
my %ipsets; my %ipsets;
# #
# Remove duplicates # Requires V
# #
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} ); $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
@ -8365,8 +8380,8 @@ sub create_save_ipsets() {
if ( @sets > 1 ) { if ( @sets > 1 ) {
emit( '' , emit( '' ,
" for set in @sets; do" , " for set in @sets; do" ,
' if qt $IPSET -L $set; then' , ' if qt $IPSET list $set; then' ,
' $IPSET -S $set >> ${VARDIR}/ipsets.tmp' , ' $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
' else' , ' else' ,
' error_message "ipset $set not saved (not found)"' , ' error_message "ipset $set not saved (not found)"' ,
' fi' , ' fi' ,
@ -8375,15 +8390,15 @@ sub create_save_ipsets() {
my $set = $sets[0]; my $set = $sets[0];
emit( '' , emit( '' ,
" if qt \$IPSET -L $set; then" , " if qt \$IPSET list $set; then" ,
" \$IPSET -S $set >> \${VARDIR}/ipsets.tmp" , " \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
' else' , ' else' ,
" error_message 'ipset $set not saved (not found)'" , " error_message 'ipset $set not saved (not found)'" ,
' fi' ); ' fi' );
} }
emit( '' , emit( '' ,
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" , " grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
'' , '' ,
' return 0', ' return 0',
'' , '' ,

13
Shorewall/Perl/Shorewall/Config.pm
View File

@ -346,7 +346,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
=> 'Ipset Match nomatch', => 'Ipset Match nomatch',
IPSET_MATCH_COUNTERS IPSET_MATCH_COUNTERS
=> 'Ipset Match counters', => 'Ipset Match counters',
IPSET_V5 => 'Version 5 ipsets', IPSET_V5 => 'Version 5 or later ipset',
CONNMARK => 'CONNMARK Target', CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target', XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match', CONNMARK_MATCH => 'Connmark Match',
@ -5863,16 +5863,21 @@ sub get_configuration( $$$$ ) {
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';
unsupported_yes_no_warning 'RFC1918_STRICT'; unsupported_yes_no_warning 'RFC1918_STRICT';
$val = $config{SAVE_IPSETS};
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) { unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
$val = $config{SAVE_IPSETS}; if ( $val eq 'ipv4' ) {
unless ( $val eq 'ipv4' ) { fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
} else {
my @sets = split_list( $val , 'ipset' ); my @sets = split_list( $val , 'ipset' );
$globals{SAVED_IPSETS} = \@sets; $globals{SAVED_IPSETS} = \@sets;
require_capability 'IPSET_V5', 'A saved ipset list', 's';
$config{SAVE_IPSETS} = ''; $config{SAVE_IPSETS} = '';
} }
require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
} }
default_yes_no 'SAVE_ARPTABLES' , ''; default_yes_no 'SAVE_ARPTABLES' , '';
default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'DELAYBLACKLISTLOAD' , '';

2
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -1279,7 +1279,7 @@ sub process_interface( $$ ) {
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone; fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
fatal_error "Duplicate $option option" if $netsref; fatal_error "Duplicate $option option" if $netsref;
if ( $value eq 'dynamic' ) { if ( $value eq 'dynamic' ) {
require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); require_capability( 'IPSET_V5', 'Dynamic nets', '');
$hostoptions{dynamic} = 1; $hostoptions{dynamic} = 1;
# #
# Defer remaining processing until we have the final physical interface name # Defer remaining processing until we have the final physical interface name