Implement 'loose' option in routestopped
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2150 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
150547bc35
commit
431aa21697
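--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -8,6 +8,8 @@ Changes in 2.3.2
 
 4) Merge patch from Juan Jesús Prieto.
 
+5) Implement 'loose' routestopped option.
+
 Changes in 2.3.1
 
 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in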
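--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -1157,6 +1157,7 @@ setup_providers()
 # local
 #
 EOF
+
 for table in $PROVIDERS; do
 eval number=\$${table}_number
 /bin/echo -e "$number\t$table" >> /etc/iproute2/rt_tables
@@ -1641,7 +1642,7 @@ disable_ipv6_1() {
 
 process_routestopped() # $1 = command
 {
-local hosts= interface host host1 options networks
+local hosts= interface host host1 options networks loose=
 
 while read interface host options; do
 expandv interface host options
@@ -1665,6 +1666,11 @@ process_routestopped() # $1 = command
 done
 fi
 ;;
+loose)
+for h in $(separate_list $host); do
+loose="$loose $interface:$h"
+done
+;;
 *)
 error_message "Warning: Unknown routestopped option ignored: $option"
 ;;
@@ -1674,6 +1680,7 @@ process_routestopped() # $1 = command
 
 done < $TMP_DIR/routestopped
 
+
 for host in $hosts; do
 interface=${host%:*}
 networks=${host#*:}
@@ -1681,9 +1688,13 @@ process_routestopped() # $1 = command
 [ -z "$ADMINISABSENTMINDED" ] && \
 run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
 
-for host1 in $hosts; do
-[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
-done
+if list_search $host $loose ; then
+run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
+else
+for host1 in $hosts; do
+[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+done
+fi
 done
 }
 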
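Review bot: The new `loose` branch in the last hunk, `run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT`, carries no `-o` or destination match, so while the firewall is stopped or restarting a loose host may be forwarded to every interface, whereas the `else` branch still pairs each listed host only with the other listed hosts; this widening is the point of the feature but nothing in the code says so. Add a comment above the `if`, e.g. `# 'loose' entries may be forwarded to any destination while stopped; other entries only to each other`. `list_search $host $loose` compares the `interface:network` strings built in the new `loose)` arm against the entries of `$hosts`, so a loose entry is matched only if both lists use the same normalized form — presumably they do, but worth confirming where `hosts` is populated, which is outside the hunk. The body of process_routestopped between the hunks is not visible here.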
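--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -321,7 +321,6 @@ New Features in version 2.4.0
 5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
 eneotecnologia.com)
 
-
 If Shorewall is running in a Crossbeam System
 (www.crossbeamsystems.com) you need to activate this directive if
 you don't want the CPM to think the system is down and send a reset
@@ -343,3 +342,14 @@ New Features in version 2.4.0
 backbone. If not specified or if specified as empty (e.g.,
 CROSSBEAM="") then CROSSBEAM=No is assumed.
 
+6) Normally when Shorewall is stopped, starting or restarting then
+connections are allowed from hosts listed in
+/etc/shorewall/routestopped to the firewall and to other hosts
+listed in /etc/shorewall/routestopped. A new 'loose' option is
+added for entries in that file which will cause Shorewall to
+allow traffic from the host listed in the entry to ANY other
+host. When 'loose' is specified in an entry, it is unnecessary
+to also specify 'routeback'.
+
+
+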
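--- a/PATH-NOT-SHOWN-ON-PAGE-4
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -23,7 +23,13 @@
 # options. The currently-supported options are:
 #
 # routeback - Set up a rule to ACCEPT traffic from
 # these hosts back to themselves.
+#
+# loose - Allow traffic from these hosts to ANY
+# destination. Without this option, only traffic
+# from this host to other listed hosts (and the
+# firewall) is allowed. If 'loose' is specified
+# then 'routeback' is redundent.
 #
 # Example:
 #
@@ -31,6 +37,7 @@
 # eth2 192.168.1.0/24
 # eth0 192.0.2.44
 # br0 - routeback
+# eth3 - loose
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional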
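Review bot: `redundent` in the new `loose` description is misspelled; change that line to `# then 'routeback' is redundant.`. The description otherwise matches the firewall-script change on this page, which accepts forwarded traffic from a loose entry without any destination restriction, so "ANY destination" is the right wording to keep.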
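--- a/PATH-NOT-SHOWN-ON-PAGE-5
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -136,7 +136,7 @@ showchain() # $1 = name of chain
 }
 
 #
-# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
 #
 
 iptablesbug()
@@ -146,6 +146,7 @@ iptablesbug()
 /^-j/ { print sline $0; next };\
 /-m policy.*-j/ { print $0; next };\
 /-m policy/ { sline=$0; next };\
+/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
 {print ; sline="" }'
 else
 echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2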
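Review bot: The added awk rule `/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\` has no comment saying which iptables-save output it repairs, and the header comment above iptablesbug was made less specific in the same commit, so the reason for the rewrite is now recorded nowhere; add a line above it such as `# presumably an extension module prints the mask as bare hex that restore misreads; re-prefix with 0x — TODO confirm which module`. The pattern only matches masks whose hex text starts with `ff`, so a bare mask with another leading digit (a constructed `--mask 1f`, say) would pass through unchanged; if the underlying bug affects any mask value, matching the whole hex token would be more robust. The body of iptablesbug begins before this hunk.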