Implement 'loose' option in routestopped

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2150 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-20 22:33:28 +00:00
parent 150547bc35
commit 431aa21697
5 changed files with 38 additions and 7 deletions


@ -8,6 +8,8 @@ Changes in 2.3.2
4) Merge patch from Juan Jesús Prieto. 4) Merge patch from Juan Jesús Prieto.
5) Implement 'loose' routestopped option.
Changes in 2.3.1 Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in


@ -1157,6 +1157,7 @@ setup_providers()
# local # local
# #
EOF EOF
for table in $PROVIDERS; do for table in $PROVIDERS; do
eval number=\$${table}_number eval number=\$${table}_number
/bin/echo -e "$number\t$table" >> /etc/iproute2/rt_tables /bin/echo -e "$number\t$table" >> /etc/iproute2/rt_tables
@ -1641,7 +1642,7 @@ disable_ipv6_1() {
process_routestopped() # $1 = command process_routestopped() # $1 = command
{ {
local hosts= interface host host1 options networks local hosts= interface host host1 options networks loose=
while read interface host options; do while read interface host options; do
expandv interface host options expandv interface host options
@ -1665,6 +1666,11 @@ process_routestopped() # $1 = command
done done
fi fi
;; ;;
loose)
for h in $(separate_list $host); do
loose="$loose $interface:$h"
done
;;
*) *)
error_message "Warning: Unknown routestopped option ignored: $option" error_message "Warning: Unknown routestopped option ignored: $option"
;; ;;
@ -1674,6 +1680,7 @@ process_routestopped() # $1 = command
done < $TMP_DIR/routestopped done < $TMP_DIR/routestopped
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
networks=${host#*:} networks=${host#*:}
@ -1681,9 +1688,13 @@ process_routestopped() # $1 = command
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do if list_search $host $loose ; then
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
done else
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
fi
done done
} }
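Review bot: The `loose` branch at `if list_search $host $loose ; then` emits a FORWARD ACCEPT with only `-i $interface` and a source match, so while the firewall is stopped, packets from these hosts are forwarded to every interface and destination, including interfaces with no routestopped entry at all; that is the documented intent, but nothing in the code says so, and a reader of the `else` branch (which still pairs each host with every other listed host) cannot tell why the two differ, so a comment such as `# 'loose' hosts get no -o restriction: forwarded to ANY destination (subsumes 'routeback')` belongs above the `if`. The return path is not addressed in this hunk: replies from an unlisted destination back to a loose host are accepted only if some other rule in the stopped-state chains accepts ESTABLISHED traffic, which is worth confirming since the release notes promise working connections. The match also relies on the `loose)` arm building entries as `$interface:$h`, the same token shape that the `interface=${host%:*}` / `networks=${host#*:}` lines assume for `$hosts`; if the `hosts` list is ever normalised differently, loose entries would silently stop matching and those hosts would quietly fall back to the restrictive rules. process_routestopped opens in an earlier hunk.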


@ -321,7 +321,6 @@ New Features in version 2.4.0
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at 5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
eneotecnologia.com) eneotecnologia.com)
If Shorewall is running in a Crossbeam System If Shorewall is running in a Crossbeam System
(www.crossbeamsystems.com) you need to activate this directive if (www.crossbeamsystems.com) you need to activate this directive if
you don't want the CPM to think the system is down and send a reset you don't want the CPM to think the system is down and send a reset
@ -343,3 +342,14 @@ New Features in version 2.4.0
backbone. If not specified or if specified as empty (e.g., backbone. If not specified or if specified as empty (e.g.,
CROSSBEAM="") then CROSSBEAM=No is assumed. CROSSBEAM="") then CROSSBEAM=No is assumed.
6) Normally when Shorewall is stopped, starting or restarting then
connections are allowed from hosts listed in
/etc/shorewall/routestopped to the firewall and to other hosts
listed in /etc/shorewall/routestopped. A new 'loose' option is
added for entries in that file which will cause Shorewall to
allow traffic from the host listed in the entry to ANY other
host. When 'loose' is specified in an entry, it is unnecessary
to also specify 'routeback'.


@ -23,7 +23,13 @@
# options. The currently-supported options are: # options. The currently-supported options are:
# #
# routeback - Set up a rule to ACCEPT traffic from # routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves. # these hosts back to themselves.
#
# loose - Allow traffic from these hosts to ANY
# destination. Without this option, only traffic
# from this host to other listed hosts (and the
# firewall) is allowed. If 'loose' is specified
# then 'routeback' is redundent.
# #
# Example: # Example:
# #
@ -31,6 +37,7 @@
# eth2 192.168.1.0/24 # eth2 192.168.1.0/24
# eth0 192.0.2.44 # eth0 192.0.2.44
# br0 - routeback # br0 - routeback
# eth3 - loose
# #
# See http://shorewall.net/Documentation.htm#Routestopped and # See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional # http://shorewall.net/starting_and_stopping_shorewall.htm for additional


@ -136,7 +136,7 @@ showchain() # $1 = name of chain
} }
# #
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed. # The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
# #
iptablesbug() iptablesbug()
@ -146,6 +146,7 @@ iptablesbug()
/^-j/ { print sline $0; next };\ /^-j/ { print sline $0; next };\
/-m policy.*-j/ { print $0; next };\ /-m policy.*-j/ { print $0; next };\
/-m policy/ { sline=$0; next };\ /-m policy/ { sline=$0; next };\
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
{print ; sline="" }' {print ; sline="" }'
else else
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
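Review bot: The new awk rule `/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) }` is an unanchored substring match, so it fires on any mask beginning with `ff` (turning `--mask ffff` into `--mask 0xffff`, which may well be intended) but leaves any other unprefixed hex mask the same module bug might emit untouched, and a mask that iptables-restore then rejects or parses differently means the saved ruleset no longer reproduces the running one. The widened comment above `iptablesbug()` now says "bugs in the extension modules" without naming which module or option produces the bare `ff`, so the next maintainer cannot tell when this line can be dropped; suggest a comment on the new line such as `# '--mask ff' without the 0x prefix comes from <MODULE-PLACEHOLDER>; remove once fixed upstream`. Whether the match should instead be anchored to a whole hex token is not decidable from this hunk. iptablesbug's body continues outside the hunk.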