From 431aa2169731a4e9780cbbc7f09fb14504f42c1e Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 20 May 2005 22:33:28 +0000
Subject: [PATCH] Implement 'loose' option in routestopped
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2150 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 19 +++++++++++++++----
 Shorewall2/releasenotes.txt | 12 +++++++++++-
 Shorewall2/routestopped | 9 ++++++++-
 Shorewall2/shorewall | 3 ++-
 5 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 28a13c7e9..02f951ee4 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -8,6 +8,8 @@ Changes in 2.3.2
 4) Merge patch from Juan Jesús Prieto.
+5) Implement 'loose' routestopped option.
+
 Changes in 2.3.1
 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index ea887d958..f32c770c4 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1157,6 +1157,7 @@ setup_providers()
 # local
 #
 EOF
+
 for table in $PROVIDERS; do
 eval number=\$${table}_number
 /bin/echo -e "$number\t$table" >> /etc/iproute2/rt_tables
@@ -1641,7 +1642,7 @@ disable_ipv6_1() {
 process_routestopped() # $1 = command
 {
- local hosts= interface host host1 options networks
+ local hosts= interface host host1 options networks loose=
 while read interface host options; do
 expandv interface host options
@@ -1665,6 +1666,11 @@ process_routestopped() # $1 = command
 done
 fi
 ;;
+ loose)
+ for h in $(separate_list $host); do
+ loose="$loose $interface:$h"
+ done
+ ;;
 *)
 error_message "Warning: Unknown routestopped option ignored: $option"
 ;;
@@ -1674,6 +1680,7 @@ process_routestopped() # $1 = command
 done < $TMP_DIR/routestopped
+
 for host in $hosts; do
 interface=${host%:*}
 networks=${host#*:}
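Review bot: The widened `local` declaration in the `process_routestopped` hunk still omits `h`, which the new `loose)` case in the following hunk uses as its loop variable (`for h in $(separate_list $host); do`), so that assignment lands in the script's global scope instead of the function's; the sibling loop variable `host1` is declared local on this same line, so the omission looks unintended. Suggest `local hosts= interface host host1 options networks loose= h`. The body of `process_routestopped` continues past the hunk.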
@@ -1681,9 +1688,13 @@ process_routestopped() # $1 = command
 [ -z "$ADMINISABSENTMINDED" ] && \
 run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
- for host1 in $hosts; do
- [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
- done
+ if list_search $host $loose ; then
+ run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
+ else
+ for host1 in $hosts; do
+ [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+ done
+ fi
 done
 }
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 70b366acb..a3a425f15 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -321,7 +321,6 @@ New Features in version 2.4.0
 5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at eneotecnologia.com)
-
 If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need to activate this directive if you don't want the CPM to think the system is down and send a reset
@@ -343,3 +342,14 @@ New Features in version 2.4.0
 backbone. If not specified or if specified as empty (e.g., CROSSBEAM="") then CROSSBEAM=No is assumed.
+6) Normally when Shorewall is stopped, starting or restarting then
+ connections are allowed from hosts listed in
+ /etc/shorewall/routestopped to the firewall and to other hosts
+ listed in /etc/shorewall/routestopped. A new 'loose' option is
+ added for entries in that file which will cause Shorewall to
+ allow traffic from the host listed in the entry to ANY other
+ host. When 'loose' is specified in an entry, it is unnecessary
+ to also specify 'routeback'.
+
+
+
diff --git a/Shorewall2/routestopped b/Shorewall2/routestopped
index e3f27be1f..f759220b2 100644
--- a/Shorewall2/routestopped
+++ b/Shorewall2/routestopped
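Review bot: The new `loose` branch installs `FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT` with neither `-o` nor a destination match, so while the firewall is stopped, starting or restarting, a `loose` host is allowed to send to any destination reachable through any interface — a deliberate widening relative to the pairwise rules kept in the `else` branch, but nothing in the code says so. For the documented `eth3 - loose` form, `source_ip_range` presumably expands to nothing, leaving `-i eth3 -j ACCEPT` for every source on that interface; worth a comment above the `if`: `# 'loose' hosts may reach any destination; other entries only get pairwise rules to the other listed hosts`. Whether replies to those flows are accepted depends on state rules installed elsewhere, which this hunk does not show; `process_routestopped` begins before the hunk.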
@@ -23,7 +23,13 @@
 # options. The currently-supported options are:
 #
 # routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
+# these hosts back to themselves.
+#
+# loose - Allow traffic from these hosts to ANY
+# destination. Without this option, only traffic
+# from this host to other listed hosts (and the
+# firewall) is allowed. If 'loose' is specified
+# then 'routeback' is redundent.
 #
 # Example:
 #
@@ -31,6 +37,7 @@
 # eth2 192.168.1.0/24
 # eth0 192.0.2.44
 # br0 - routeback
+# eth3 - loose
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall
index 07c304edf..8c457edbf 100755
--- a/Shorewall2/shorewall
+++ b/Shorewall2/shorewall
@@ -136,7 +136,7 @@ showchain() # $1 = name of chain
 }
 #
-# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
 #
 iptablesbug()
@@ -146,6 +146,7 @@ iptablesbug()
 /^-j/ { print sline $0; next };\
 /-m policy.*-j/ { print $0; next };\
 /-m policy/ { sline=$0; next };\
+ /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
 {print ; sline="" }'
 else
 echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
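Review bot: The new awk rule in `iptablesbug()` only rewrites masks whose hex text begins with `ff` — `/--mask ff/` is an unanchored substring match, so `--mask ff00` is also changed (to the still-valid `0xff00`) while a saved `--mask 1f` or `--mask f` is left un-prefixed and would presumably hit the same restore problem the updated comment describes. If the intent is to prefix any bare hex mask, a guarded general form does it on the same line: `/--mask [0-9a-f]+/ && !/--mask 0x/ { sub( /--mask /, "--mask 0x" ) };\`; the guard keeps an already-prefixed `0xff` from becoming `0x0xff` once the extension module emits the prefix itself. The rest of the `else` branch and the close of `iptablesbug()` lie outside the hunk.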