extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 12:14:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Reformat the code in define_firewall()

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1251 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-04-06 22:11:11 +00:00
parent a269ac1384
commit 429b6924de
3 changed files with 22 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Shorewall2/changelog.txt
View File

@ -1,40 +1,4 @@
Changes since 2.0.0 Changes since 2.0.1
1) Eliminate Warning about Policy as rule when using actions. 1) Reformat the code in define_firewall().
2) Add bridging Code.
3) Cleanup Warning elimination.
4) Add 'nobogons'
5) Add 'netmap'
6) Fix another <zone>_frwd problem.
7) Add -x option to /sbin/shorewall.
8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
9) Improve zone-definition checking.
10) Add additional options to hosts file
11) Replace 'subnet' with 'network' in the code
12) Fix item 10 above :-(
13) Replace good code with crap to satisfy 'ash'.
14) Fix if_match to only do wild-card matches on patterns ending in
"+".
15) Tighten edits on bridge port names.
16) Make 'routeback' on interfaces work again.
17) Reduce useless intra-zone rules on bridges.
18) Make 'routeback' on hosts work again.
19) Fix display of ICMP packets.

72
Shorewall2/firewall
View File

@ -5130,7 +5130,6 @@ activate_rules()
done done
for interface in $all_interfaces ; do for interface in $all_interfaces ; do
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
run_iptables -A INPUT -i $interface -j $(input_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface)
addnatjump POSTROUTING $(masq_chain $interface) -o $interface addnatjump POSTROUTING $(masq_chain $interface) -o $interface
@ -5196,83 +5195,42 @@ define_firewall() # $1 = Command (Start or Restart)
echo "${1}ing Shorewall..." echo "${1}ing Shorewall..."
verify_os_version verify_os_version
verify_ip verify_ip
load_kernel_modules load_kernel_modules
echo "Initializing..." echo "Initializing..."; initialize_netfilter
echo "Configuring Proxy ARP"; setup_proxy_arp
initialize_netfilter echo "Setting up NAT..."; setup_nat
echo "Setting up NETMAP..."; setup_netmap
echo "Configuring Proxy ARP" echo "Adding Common Rules"; add_common_rules
setup_proxy_arp
echo "Setting up NAT..."
setup_nat
echo "Setting up NETMAP..."
setup_netmap
echo "Adding Common Rules"
add_common_rules
tunnels=$(find_file tunnels) tunnels=$(find_file tunnels)
[ -f $tunnels ] && \ [ -f $tunnels ] && \
echo "Processing $tunnels..." && setup_tunnels $tunnels echo "Processing $tunnels..." && setup_tunnels $tunnels
maclist_hosts=$(find_hosts_by_option maclist) maclist_hosts=$(find_hosts_by_option maclist)
[ -n "$maclist_hosts" ] && setup_mac_lists
if [ -n "$maclist_hosts" ] ; then echo "Pre-processing Actions..."; process_actions1
setup_mac_lists echo "Processing $rules..."; process_rules
fi echo "Processing Actions..."; process_actions2
echo "Processing $policy..."; apply_policy_rules
rules=$(find_file rules)
echo "Pre-processing Actions..."
process_actions1
echo "Processing $rules..."
process_rules
echo "Processing Actions..."
process_actions2
policy=$(find_file policy)
echo "Processing $policy..."
apply_policy_rules
masq=$(find_file masq) masq=$(find_file masq)
[ -f $masq ] && setup_masq $masq
[ -f $masq ] && setup_masq $masq
tos=$(find_file tos) tos=$(find_file tos)
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
ecn=$(find_file ecn) ecn=$(find_file ecn)
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
[ -n "$TC_ENABLED" ] && setup_tc [ -n "$TC_ENABLED" ] && setup_tc
echo "Activating Rules..." echo "Activating Rules..."; activate_rules
activate_rules
[ -n "$aliases_to_add" ] && \ [ -n "$aliases_to_add" ] && \
echo "Adding IP Addresses..." && \ echo "Adding IP Addresses..." && add_ip_aliases
add_ip_aliases
run_user_exit start run_user_exit start

95
Shorewall2/releasenotes.txt
View File

@ -1,100 +1,15 @@
Shorewall 2.0.1 Shorewall 2.0.2-Beta 1
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.0 Problems Corrected since 2.0.1
1) Using actions in the manner recommended in the documentation None.
results in a Warning that the rule is a policy.
2) When a zone on a single interface is defined using
/etc/shorewall/hosts, superfluous rules are generated in the
<zone>_frwd chain.
3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and
IPSEC has been corrected. Thanks Sean!!!
4) The "shorewall show log" and "shorewall logwatch" commands
incorrectly displayed type 3 ICMP packets.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
1) The function of 'norfc1918' is now split between that option and a None.
new 'nobogons' option.
The rfc1918 file released with Shorewall now contains entries for
only those three address ranges reserved by RFC 1918. A 'nobogons'
interface option has been added which handles bogon source
addresses (those which are reserved by the IANA, those reserved for
DHCP auto-configuration and the class C test-net reserved for
testing and documentation examples). This will allow users to
perform RFC 1918 filtering without having to deal with out
of date data from IANA. Those who are willing to update their
/usr/share/shorewall/bogons file regularly can specify the
'nobogons' option in addition to 'norfc1918'.
The level at which bogon packets are logged is specified in the new
BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not
specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then
bogon packets whose TARGET is 'logdrop' in
/usr/share/shorewall/bogons are logged at the 'info' level.
New Features: New Features:
1) Support for Bridging Firewalls has been added. For details, see None.
http://shorewall.net/bridge.html
2) Support for NETMAP has been added. NETMAP allows NAT to be defined
between two network:
a.b.c.1 -> x.y.z.1
a.b.c.2 -> x.y.z.2
a.b.c.3 -> x.y.z.3
...
http://shorewall.net/netmap.html
3) The /sbin/shorewall program now accepts a "-x" option to cause
iptables to print out the actual packet and byte counts rather than
abbreviated counts such as "13MB".
Commands affected by this are:
shorewall -x show [ <chain>[ <chain> ...] ]
shorewall -x show tos|mangle
shorewall -x show nat
shorewall -x status
shorewall -x monitor [ <interval> ]
4) Shorewall now traps two common zone definition errors:
- Including the firewall zone in a /etc/shorewall/hosts record.
- Defining an interface for a zone in both /etc/shorewall/interfaces
and /etc/shorewall/hosts.
In the second case, the following will appear during "shorewall
[re]start" or "shorewall check":
Determining Hosts in Zones...
...
Error: Invalid zone definition for zone <name of zone>
Terminated
5) To support bridging, the following options have been added to
entries in /etc/shorewall/hosts:
norfc1918
nobogons
blacklist
tcpflags
nosmurfs
newnotsyn
With the exception of 'newnotsyn', these options are only
useful when the entry refers to a bridge port.
Example:
#ZONE HOST(S) OPTIONS
net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs