extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-04-09 17:49:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Henry Yang's patch plus fix LOGRATE/ratelimit conflict on rules file logging

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@723 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-22 15:27:08 +00:00
parent 510a35b46c
commit 3ee26da51c
7 changed files with 83 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6-20030813 VERSION=1.4.6-20030821
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -136,6 +136,8 @@ restore_file /etc/shorewall/ecn
restore_file /etc/shorewall/accounting restore_file /etc/shorewall/accounting
restore_file /etc/shorewall/usersets
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`" oldversion="`cat /usr/lib/shorewall/version`"

43
Shorewall/firewall
View File

@ -952,14 +952,15 @@ run_user_exit() # $1 = file name
# #
# Add a logging rule. # Add a logging rule.
# #
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule
{ {
local level=$1 local level=$1
local chain=$2 local chain=$2
local disposition=$3 local disposition=$3
local rulenum= local rulenum=
local limit=${4:-$LOGLIMIT}
shift;shift;shift shift;shift;shift;shift
if [ -n "$LOGRULENUMBERS" ]; then if [ -n "$LOGRULENUMBERS" ]; then
eval rulenum=\$${chain}_logrules eval rulenum=\$${chain}_logrules
@ -968,10 +969,10 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"'
;; ;;
esac esac
@ -985,10 +986,10 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
else else
case $level in case $level in
ULOG) ULOG)
eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
*) *)
eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
;; ;;
esac esac
@ -998,6 +999,17 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
fi fi
} }
log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
{
local level=$1
local chain=$2
local disposition=$3
shift;shift;shift
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
}
# #
# Stop the Firewall # Stop the Firewall
# #
@ -2191,7 +2203,7 @@ add_nat_rule() {
done done
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget $ratelimit -t nat log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
fi fi
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
@ -2199,7 +2211,7 @@ add_nat_rule() {
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule $loglevel $chain $logtarget $ratelimit -t nat \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports` `fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi fi
@ -2403,7 +2415,7 @@ add_a_rule()
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget $ratelimit -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports` `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi fi
@ -2412,7 +2424,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget $ratelimit \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports` `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi fi
@ -2423,7 +2435,7 @@ add_a_rule()
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget $ratelimit \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
`fix_bang $proto $sports $multiport $state $cli $dports` `fix_bang $proto $sports $multiport $state $cli $dports`
fi fi
@ -2442,7 +2454,7 @@ add_a_rule()
if [ $command != check ]; then if [ $command != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget $ratelimit \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
`fix_bang $proto $multiport $dest_interface $state $cli $sports $dports` `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
fi fi
@ -4936,6 +4948,7 @@ do_initialize() {
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
LOGPARMS= LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES= ADD_IP_ALIASES=
ADD_SNAT_ALIASES= ADD_SNAT_ALIASES=
TC_ENABLED= TC_ENABLED=
@ -5018,9 +5031,9 @@ do_initialize() {
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
if [ -n "${LOGRATE}${LOGBURST}" ]; then if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGPARMS="--match limit" LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGPARMS="$LOGPARMS --limit $LOGRATE" [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGPARMS="$LOGPARMS --limit-burst $LOGBURST" [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi fi
if [ -n "$IP_FORWARDING" ]; then if [ -n "$IP_FORWARDING" ]; then

3
Shorewall/functions
View File

@ -381,7 +381,8 @@ ip_vlsm() {
# #
# Chain name base for an interface -- remove all periods from the passed name. # Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
# #
chain_base() #$1 = interface chain_base() #$1 = interface
{ {

18
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6-20030813 VERSION=1.4.6-20030821
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -553,19 +553,29 @@ if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
else else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi fi
## #
# Install the Accounting file # Install the Accounting file
# #
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting backup_file /etc/shorewall/accounting
else else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/accounting run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting" echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi fi
# #
# Install the User Sets file
#
if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
backup_file /etc/shorewall/usersets
else
run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
echo
echo "User sets file installed as ${PREFIX}/etc/shorewall/usersets"
fi
#
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then

6
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.6_20030813 %define version 1.4.6_20030821
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -99,6 +99,7 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/firewall
@ -107,6 +108,9 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030821-1
- Added /etc/shorewall/usersets
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net> * Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030813-1 - Changed version to 1.4.6_20030813-1
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net> * Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>

5
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6-20030813 VERSION=1.4.6-20030821
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -99,7 +99,8 @@ if [ -n "$FIREWALL" ]; then
rm -f ${FIREWALL}-*.bkout rm -f ${FIREWALL}-*.bkout
fi fi
remove_file /sbin/shorewall rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
if [ -n "$VERSION" ]; then if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local restore_file /etc/rc.d/rc.local

28
Shorewall/usersets Normal file
View File

@ -0,0 +1,28 @@
#
# Shorewall version 1.4 - User Sets File
#
# /etc/shorewall/usersets
#
# This file is used to define Shorewall "User Sets". A user set is a
# list of <user>, <group> or <user:group> names and can be used to
# control access by individual users to other network hosts from the
# firewall system.
#
# Columns are:
#
# USERSET The name of a user set. May be up to 6 characters in
# length and must be a valid shell identifier.
#
# USER A Linux user name or number defined in /etc/passwd.
#
# GROUP A linux group name or number defined in /etc/groups.
#
# The GROUP may be omitted. If it is supplied, then the USER may be
# entered as "-" in which case all members of the specified group are
# included in the USERSET.
#
################################################################################
#USERSET USER GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE