extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-02 19:49:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow saving a specified list of ipsets

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-28 11:19:41 -07:00
parent 38a18ac9ac
commit 3858683e94
7 changed files with 175 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
Shorewall-core/lib.cli
View File

@ -428,45 +428,47 @@ do_save() {
;; ;;
esac esac
case ${SAVE_IPSETS:=No} in if ! run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets; then
[Yy]es) case ${SAVE_IPSETS:=No} in
case ${IPSET:=ipset} in [Yy]es)
*/*) case ${IPSET:=ipset} in
if [ ! -x "$IPSET" ]; then */*)
error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved" if [ ! -x "$IPSET" ]; then
IPSET= error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
IPSET=
fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
;;
esac
if [ -n "$IPSET" ]; then
if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
#
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
#
hack='| grep -v /31'
else
hack=
fi fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
;;
esac
if [ -n "$IPSET" ]; then if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then #
# # Don't save an 'empty' file
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny #
# grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
hack='| grep -v /31' fi
else
hack=
fi fi
;;
if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then [Nn]o)
# ;;
# Don't save an 'empty' file *)
# error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets ;;
fi esac
fi fi
;;
[Nn]o)
;;
*)
error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
;;
esac
return $status return $status
} }

121
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -262,6 +262,7 @@ our %EXPORT_TAGS = (
set_global_variables set_global_variables
save_dynamic_chains save_dynamic_chains
load_ipsets load_ipsets
create_save_ipsets
validate_nfobject validate_nfobject
create_nfobjects create_nfobjects
create_netfilter_load create_netfilter_load
@ -7995,11 +7996,77 @@ sub ensure_ipset( $ ) {
} }
} }
#
# Generate the save_ipsets() function
#
sub create_save_ipsets() {
my @ipsets = all_ipsets;
emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' ,
'',
' file=$1',
''
);
if ( @ipsets ) {
ensure_ipset( $_ ) for @ipsets;
}
emit( '' ,
' rm -f ${VARDIR}/ipsets.save' ,
'' );
if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV4 ) {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
' #',
' hack=\'| grep -v /31\'' ,
' else' ,
' hack=' ,
' fi' ,
'',
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' );
} else {
emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' );
}
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( ' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' ,
'' );
emit( " \$IPSET -S $_ >> >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
emit( " if qt \$IPSET list $_; then" ,
" \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
' else' ,
" error_message 'ipset $_ not saved (not found)'" ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
emit( " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" );
emit( '' ,
"}\n" );
}
} else {
emit( ' error_message "WARNING: No ipsets were saved"',
"}\n" );
}
}
sub load_ipsets() { sub load_ipsets() {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit ( '', emit ( '',
'local hack', 'local hack',
'', '',
@ -8026,9 +8093,25 @@ sub load_ipsets() {
emit ( '' ); emit ( '' );
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
emit ( '' ); emit ( '' );
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
} }
} else { } else {
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
if ( @{$globals{SAVED_IPSETS}} ) {
emit ( '' );
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
}
} }
emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
@ -8052,6 +8135,12 @@ sub load_ipsets() {
} }
} else { } else {
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' ,
' $IPSET destroy' ,
' $IPSET restore < ${VARDIR}/ipsets.save' ,
" fi\n" ) for @{$globals{SAVED_IPSETS}};
} }
if ( @ipsets ) { if ( @ipsets ) {
@ -8059,36 +8148,14 @@ sub load_ipsets() {
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
} }
emit( 'elif [ "$COMMAND" = stop ]; then' ); emit( 'elif [ "$COMMAND" = stop ]; then' ,
' save_ipsets'
if ( @ipsets ) { );
ensure_ipset( $_ ) for @ipsets;
emit( '' );
}
if ( $family == F_IPV4 ) {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
' #',
' hack=\'| grep -v /31\'' ,
' else' ,
' hack=' ,
' fi' ,
'',
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
' grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
} else {
emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
}
if ( @ipsets ) { if ( @ipsets ) {
emit( 'elif [ "$COMMAND" = refresh ]; then' ); emit( 'elif [ "$COMMAND" = refresh ]; then' );
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
} };
emit ( 'fi' , emit ( 'fi' ,
'' ); '' );

1
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -348,6 +348,7 @@ sub generate_script_3($) {
create_netfilter_load( $test ); create_netfilter_load( $test );
create_arptables_load( $test ) if $have_arptables; create_arptables_load( $test ) if $have_arptables;
create_chainlist_reload( $_[0] ); create_chainlist_reload( $_[0] );
create_save_ipsets;
emit "#\n# Start/Restart the Firewall\n#"; emit "#\n# Start/Restart the Firewall\n#";

11
Shorewall/Perl/Shorewall/Config.pm
View File

@ -1106,7 +1106,8 @@ sub initialize( $;$$) {
$family == F_IPV4 ? 'shorewall' : 'shorewall6' $family == F_IPV4 ? 'shorewall' : 'shorewall6'
) if defined $shorewallrc; ) if defined $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/"; $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
$globals{SAVED_IPSETS} = [];
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
$globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall"; $globals{SHAREDIR} = "$shorewallrc{SHAREDIR}/shorewall";
@ -5570,7 +5571,13 @@ sub get_configuration( $$$$$ ) {
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';
unsupported_yes_no_warning 'RFC1918_STRICT'; unsupported_yes_no_warning 'RFC1918_STRICT';
default_yes_no 'SAVE_IPSETS' , ''; unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
my @sets = (split_list( $val= $config{SAVE_IPSETS}, 'ipset' ));
$globals{SAVED_IPSETS} = \@sets;
require_capability 'IPSET_V5', 'A saved ipset list', 's';
$config{SAVE_IPSETS} = '';
}
default_yes_no 'SAVE_ARPTABLES' , ''; default_yes_no 'SAVE_ARPTABLES' , '';
default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'DELAYBLACKLISTLOAD' , '';

8
Shorewall/Perl/prog.footer
View File

@ -20,6 +20,7 @@ usage() {
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
echo " status" echo " status"
echo " up <interface>" echo " up <interface>"
echo " savesets <file>"
echo " version" echo " version"
echo echo
echo "Options are:" echo "Options are:"
@ -383,6 +384,13 @@ case "$COMMAND" in
error_message "ERROR: Missing command" error_message "ERROR: Missing command"
fi fi
;; ;;
savesets)
if [ $# -eq 2 ]; then
save_ipsets $2
else
usage 2
fi
;;
version) version)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION

7
Shorewall/manpages/shorewall.conf.xml
View File

@ -2469,7 +2469,8 @@ INLINE - - - ; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@ -2478,6 +2479,10 @@ INLINE - - - ; -j REJECT
role="bold">shorewall save</emphasis> commands and restored by the role="bold">shorewall save</emphasis> commands and restored by the
<emphasis role="bold">shorewall start</emphasis> and <emphasis <emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para> role="bold">shorewall restore</emphasis> commands.</para>
<para>Beginning with Shorewall 4.6.4, you can restrict the set of
ipsets saved by specifying a setlist (a comma-separated list of ipv4
ipset names).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

19
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -2122,6 +2122,25 @@ INLINE - - - ; -j REJECT
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
current contents of your ipsets will be saved by the <emphasis
role="bold">shorewall stop</emphasis> and <emphasis
role="bold">shorewall save</emphasis> commands and restored by the
<emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para>
<para>Beginning with Shorewall 4.6.4, you can restrict the set of
ipsets saved by specifying a setlist (a comma-separated list of ipv6
ipset names).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>