Implement 'loose' option in routestopped
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2150 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
150547bc35
commit
431aa21697
@ -8,6 +8,8 @@ Changes in 2.3.2
|
||||
|
||||
4) Merge patch from Juan Jesús Prieto.
|
||||
|
||||
5) Implement 'loose' routestopped option.
|
||||
|
||||
Changes in 2.3.1
|
||||
|
||||
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
|
@ -1157,6 +1157,7 @@ setup_providers()
|
||||
# local
|
||||
#
|
||||
EOF
|
||||
|
||||
for table in $PROVIDERS; do
|
||||
eval number=\$${table}_number
|
||||
/bin/echo -e "$number\t$table" >> /etc/iproute2/rt_tables
|
||||
@ -1641,7 +1642,7 @@ disable_ipv6_1() {
|
||||
|
||||
process_routestopped() # $1 = command
|
||||
{
|
||||
local hosts= interface host host1 options networks
|
||||
local hosts= interface host host1 options networks loose=
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
@ -1665,6 +1666,11 @@ process_routestopped() # $1 = command
|
||||
done
|
||||
fi
|
||||
;;
|
||||
loose)
|
||||
for h in $(separate_list $host); do
|
||||
loose="$loose $interface:$h"
|
||||
done
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown routestopped option ignored: $option"
|
||||
;;
|
||||
@ -1674,6 +1680,7 @@ process_routestopped() # $1 = command
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
@ -1681,9 +1688,13 @@ process_routestopped() # $1 = command
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
if list_search $host $loose ; then
|
||||
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
else
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
|
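Review bot: The `loose` branch in the hunk at -1681 (`run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT`) carries no `-o` or destination match, so forwarded traffic from a loose host is accepted towards every interface and address, not only the other routestopped entries handled by the `both_ip_ranges` pair rules in the else branch; this matches the release notes but deserves a comment at the point of the rule, e.g. `# loose: accept forwarded traffic from this host to ANY destination (no -o/-d match)`. The reverse direction is asymmetric: other listed hosts still reach the loose host through their own pair rules, but traffic from unlisted destinations back to the loose host is not accepted by anything in this hunk, so whether replies are forwarded presumably depends on a state match elsewhere in the stopped ruleset — worth confirming and documenting in the routestopped comments. In the hunk at -1665 the `loose)` arm only appends `$interface:$h` to `loose`; the `list_search $host $loose` test later can only fire for hosts that are also in `hosts`, and that append is outside the visible lines. The `for host in $hosts` loop and the function body begin in the preceding hunks.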
@ -321,7 +321,6 @@ New Features in version 2.4.0
|
||||
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
|
||||
eneotecnologia.com)
|
||||
|
||||
|
||||
If Shorewall is running in a Crossbeam System
|
||||
(www.crossbeamsystems.com) you need to activate this directive if
|
||||
you don't want the CPM to think the system is down and send a reset
|
||||
@ -343,3 +342,14 @@ New Features in version 2.4.0
|
||||
backbone. If not specified or if specified as empty (e.g.,
|
||||
CROSSBEAM="") then CROSSBEAM=No is assumed.
|
||||
|
||||
6) Normally when Shorewall is stopped, starting or restarting then
|
||||
connections are allowed from hosts listed in
|
||||
/etc/shorewall/routestopped to the firewall and to other hosts
|
||||
listed in /etc/shorewall/routestopped. A new 'loose' option is
|
||||
added for entries in that file which will cause Shorewall to
|
||||
allow traffic from the host listed in the entry to ANY other
|
||||
host. When 'loose' is specified in an entry, it is unnecessary
|
||||
to also specify 'routeback'.
|
||||
|
||||
|
||||
|
||||
|
@ -25,12 +25,19 @@
|
||||
# routeback - Set up a rule to ACCEPT traffic from
|
||||
# these hosts back to themselves.
|
||||
#
|
||||
# loose - Allow traffic from these hosts to ANY
|
||||
# destination. Without this option, only traffic
|
||||
# from this host to other listed hosts (and the
|
||||
# firewall) is allowed. If 'loose' is specified
|
||||
# then 'routeback' is redundent.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# INTERFACE HOST(S) OPTIONS
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
# br0 - routeback
|
||||
# eth3 - loose
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||
|
@ -136,7 +136,7 @@ showchain() # $1 = name of chain
|
||||
}
|
||||
|
||||
#
|
||||
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
|
||||
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
|
||||
#
|
||||
|
||||
iptablesbug()
|
||||
@ -146,6 +146,7 @@ iptablesbug()
|
||||
/^-j/ { print sline $0; next };\
|
||||
/-m policy.*-j/ { print $0; next };\
|
||||
/-m policy/ { sline=$0; next };\
|
||||
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
|
||||
{print ; sline="" }'
|
||||
else
|
||||
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
|
||||
|
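Review bot: The new awk rule `/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\` only rewrites masks whose hex digits begin with `ff`; if iptables-save emits any other un-prefixed mask value, it passes through this filter unchanged and the saved output would still be unusable on restore. That limitation should be stated next to the rule, e.g. `# only masks starting with 'ff' are rewritten; other un-prefixed hex masks pass through unchanged`, or the widened comment on the previous hunk (`bugs in iptables-save (or rather in the extension modules)`) should name which extension and which mask values are known to be affected. The enclosing `iptablesbug()` function starts in the previous hunk and its `else` branch continues past this one.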