Really implement 'stop' in the generated script
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
51d7faf7c3
commit
4bebbdad3b
@ -781,105 +781,6 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
||||
echo "--set ${setname#+} $options"
|
||||
}
|
||||
|
||||
#
|
||||
# Source IP range
|
||||
#
|
||||
source_ip_range() # $1 = Address or Address Range
|
||||
{
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
case $1 in
|
||||
!*)
|
||||
iprange_echo "! --src-range ${1#!}"
|
||||
;;
|
||||
*)
|
||||
iprange_echo "--src-range $1"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
!+*)
|
||||
echo "-m set ! $(get_set_flags ${1#!} src)"
|
||||
;;
|
||||
+*)
|
||||
echo "-m set $(get_set_flags $1 src)"
|
||||
;;
|
||||
*)
|
||||
echo "-s $1"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Destination IP range
|
||||
#
|
||||
dest_ip_range() # $1 = Address or Address Range
|
||||
{
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
case $1 in
|
||||
!*)
|
||||
iprange_echo "! --dst-range ${1#!}"
|
||||
;;
|
||||
*)
|
||||
iprange_echo "--dst-range $1"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
!+*)
|
||||
echo "-m set ! $(get_set_flags ${1#!} dst)"
|
||||
;;
|
||||
+*)
|
||||
echo "-m set $(get_set_flags $1 dst)"
|
||||
;;
|
||||
*)
|
||||
echo "-d $1"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
|
||||
{
|
||||
local rangeprefix= setprefix= rangematch= setmatch=
|
||||
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
rangeprefix="-m iprange"
|
||||
rangematch="--src-range $1"
|
||||
;;
|
||||
!+*)
|
||||
setprefix="-m set"
|
||||
setmatch="! $(get_set_flags ${1#!} src)"
|
||||
;;
|
||||
+*)
|
||||
setprefix="-m set"
|
||||
setmatch="$(get_set_flags $1 src)"
|
||||
;;
|
||||
*)
|
||||
rangematch="-s $1"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $2 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
rangeprefix="-m iprange"
|
||||
rangematch="$rangematch --dst-range $2"
|
||||
;;
|
||||
!+*)
|
||||
setprefix="-m set"
|
||||
match="$setmatch ! $(get_set_flags ${2#!} dst)"
|
||||
;;
|
||||
+*)
|
||||
setprefix="-m set"
|
||||
setmatch="$setmatch $(get_set_flags $2 dst)"
|
||||
;;
|
||||
*)
|
||||
rangematch="$rangematch -d $2"
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "$rangeprefix $rangematch $setprefix $setmatch"
|
||||
}
|
||||
|
||||
#
|
||||
# Horrible hack to work around an iptables limitation
|
||||
#
|
||||
@ -1927,19 +1828,6 @@ deleteallchains() {
|
||||
run_iptables -X
|
||||
}
|
||||
|
||||
##
|
||||
# Source a user exit file if it exists
|
||||
#
|
||||
run_user_exit() # $1 = file name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
. $user_exit
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
|
||||
#
|
||||
@ -3942,28 +3830,6 @@ __EOF__
|
||||
fi
|
||||
}
|
||||
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
|
||||
}
|
||||
|
||||
run_user_exit tcclear
|
||||
|
||||
run_ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from the accounting file
|
||||
#
|
||||
@ -9046,6 +8912,266 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||
}
|
||||
|
||||
#
|
||||
# Compile a script that will stop the firewall
|
||||
#
|
||||
# This function is called by compile_firewall() so all of the overloaded functions
|
||||
# from that script are available here
|
||||
#
|
||||
compile_stop_firewall() {
|
||||
|
||||
run_iptables() {
|
||||
#
|
||||
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
||||
#
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
save_command " $IPTABLES $@"
|
||||
|
||||
}
|
||||
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
stop_firewall() {
|
||||
|
||||
detetechain() {
|
||||
qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1
|
||||
}
|
||||
|
||||
deleteallchains() {
|
||||
$IPTABLES -F
|
||||
$IPTABLES -X
|
||||
}
|
||||
|
||||
setpolicy() {
|
||||
$IPTABLES -P $1 $2
|
||||
}
|
||||
|
||||
case \$COMMAND in
|
||||
stop|clear)
|
||||
;;
|
||||
*)
|
||||
set +x
|
||||
|
||||
[ -n "\${RESTOREFILE:=restore}" ]
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE
|
||||
|
||||
if [ -x \$RESTOREPATH ]; then
|
||||
|
||||
if [ -x \${RESTOREPATH}-ipsets ]; then
|
||||
progress_message2 Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
for table in mangle nat filter; do
|
||||
$IPTABLES -t \$table -F
|
||||
$IPTABLES -t \$table -X
|
||||
done
|
||||
|
||||
\${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
|
||||
if \$RESTOREPATH; then
|
||||
echo "Shorewall restored from \$RESTOREPATH"
|
||||
set_state "Started"
|
||||
else
|
||||
set_state "Unknown"
|
||||
fi
|
||||
|
||||
my_mutex_off
|
||||
kill \$\$
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
set_state "Stopping"
|
||||
|
||||
STOPPING="Yes"
|
||||
|
||||
TERMINATOR=
|
||||
|
||||
deletechain shorewall
|
||||
|
||||
determine_capabilities
|
||||
|
||||
run_user_exit stop
|
||||
|
||||
if [ -n "\$MANGLE_ENABLED" ]; then
|
||||
run_iptables -t mangle -F
|
||||
run_iptables -t mangle -X
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt $IPTABLES -t mangle -P \$chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "\$RAW_TABLE" ]; then
|
||||
run_iptables -t raw -F
|
||||
run_iptables -t raw -X
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt $IPTABLES -t raw -P \$chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "\$NAT_ENABLED" ]; then
|
||||
delete_nat
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt $IPTABLES -t nat -P \$chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -f /var/lib/shorewall/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i \$external -d \$address pub
|
||||
[ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface
|
||||
done < /var/lib/shorewall/proxyarp
|
||||
fi
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
|
||||
done
|
||||
fi
|
||||
|
||||
__EOF__
|
||||
[ -n "$CLEAR_TC" ] && save_command " delete_tc1"
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && save_command " disable_ipv6"
|
||||
|
||||
process_criticalhosts
|
||||
|
||||
if [ -n "$CRITICALHOSTS" ]; then
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
for chain in INPUT OUTPUT; do
|
||||
setpolicy \$chain ACCEPT
|
||||
done
|
||||
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
deleteallchains
|
||||
|
||||
for host in $CRITICALHOSTS; do
|
||||
interface=\${host%:*}
|
||||
networks=\${host#*:}
|
||||
$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
||||
done
|
||||
|
||||
for chain in INPUT OUTPUT; do
|
||||
setpolicy $\chain DROP
|
||||
done
|
||||
|
||||
__EOF__
|
||||
else
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
for chain in INPUT OUTPUT; do
|
||||
setpolicy \$chain ACCEPT
|
||||
done
|
||||
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
deleteallchains
|
||||
|
||||
for host in $CRITICALHOSTS; do
|
||||
interface=\${host%:*}
|
||||
networks=\${host#*:}
|
||||
$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
||||
done
|
||||
|
||||
setpolicy INPUT DROP
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue \$chain
|
||||
done
|
||||
|
||||
__EOF__
|
||||
fi
|
||||
elif [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy \$chain DROP
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
|
||||
__EOF__
|
||||
else
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy \$chain DROP
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue \$chain
|
||||
done
|
||||
|
||||
__EOF__
|
||||
fi
|
||||
|
||||
process_routestopped -A
|
||||
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
|
||||
|
||||
for interface in $(find_interfaces_by_option dhcp); do
|
||||
save_command "$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
save_command "$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT"
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
save_command "$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"
|
||||
done
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
save_command " echo 1 > /proc/sys/net/ipv4/ip_forward"
|
||||
save_command " progress_message2 IP Forwarding Enabled"
|
||||
;;
|
||||
[Oo][Ff][Ff])
|
||||
save_command " echo 0 > /proc/sys/net/ipv4/ip_forward"
|
||||
save_command " progress_message2 IP Forwarding Disabled!"
|
||||
;;
|
||||
esac
|
||||
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
run_user_exit stopped
|
||||
|
||||
set_state "Stopped"
|
||||
|
||||
logger "Shorewall Stopped"
|
||||
|
||||
case \$COMMAND in
|
||||
stop|clear)
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# The firewall is being stopped when we were trying to do something
|
||||
# else. Remove the lock file and Kill the shell in case we're in a
|
||||
# subshell
|
||||
#
|
||||
kill \$\$
|
||||
;;
|
||||
esac
|
||||
}
|
||||
__EOF__
|
||||
}
|
||||
|
||||
#
|
||||
# Compile a Restore Script
|
||||
#
|
||||
@ -9164,58 +9290,20 @@ compile_firewall() # $1 = File Name
|
||||
|
||||
__EOF__
|
||||
|
||||
if [ -n "$EXPORT" ]; then
|
||||
cat /usr/share/shorewall/functions >> $RESTOREBASE
|
||||
else
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
if [ -n "$EXPORT" ]; then
|
||||
cat /usr/share/shorewall/functions >> $RESTOREBASE
|
||||
else
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
. /usr/share/shorewall/functions
|
||||
|
||||
__EOF__
|
||||
|
||||
fi
|
||||
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
stop_firewall()
|
||||
{
|
||||
set +x
|
||||
|
||||
[ -n "\${RESTOREFILE:=restore}" ]
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x \$RESTOREPATH ]; then
|
||||
|
||||
if [ -x \${RESTOREPATH}-ipsets ]; then
|
||||
progress_message2 Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
for table in nat mangle filter; do
|
||||
iptables -t \$table -F
|
||||
iptables -t \$table -X
|
||||
done
|
||||
|
||||
\${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
|
||||
if \$RESTOREPATH; then
|
||||
echo "Shorewall restored from \$RESTOREPATH"
|
||||
set_state "Started"
|
||||
else
|
||||
set_state "Unknown"
|
||||
fi
|
||||
elif [ -x /sbin/shorewall ]; then
|
||||
/sbin/shorewall stop
|
||||
fi
|
||||
|
||||
kill \$\$
|
||||
exit 2
|
||||
}
|
||||
compile_stop_firewall
|
||||
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
fatal_error()
|
||||
{
|
||||
|
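Review bot: In compile_stop_firewall the loopback rule `$IPTABLES -A INPUT -i lo -j ACCEPT` (the line after `process_routestopped -A`) is run by the compiler itself instead of being written into the generated script, unlike the `save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT"` line right after it; compiling therefore mutates the live filter table and the generated stop_firewall never gets its loopback INPUT accept, so the line should read `save_command "$IPTABLES -A INPUT -i lo -j ACCEPT"`. The same heredoc has three more emit-time slips: `setpolicy()` is generated as `$IPTABLES -P $1 $2` with unescaped positional parameters (compare `\$1` in the chain-deletion helper defined just above it), so the generated helper loses its arguments; that helper is defined as `detetechain` but invoked as `deletechain shorewall`; and the critical-hosts block writes `setpolicy $\chain DROP` where the parallel loop above it correctly writes `setpolicy \$chain ACCEPT`. The `fi` following the `/proc/sys/net/ipv4/conf/*` loop also appears to have no matching `if` in the visible text, which would make the generated stop_firewall unparseable — worth checking against the actual file, since the rendering may have dropped lines. The function body is fully visible here, but the stop_firewall it emits is assembled across several heredocs and save_command calls, so these are only caught when the generated script is actually executed.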
@ -200,6 +200,19 @@ resolve_file() # $1 = file name
|
||||
esac
|
||||
}
|
||||
|
||||
##
|
||||
# Source a user exit file if it exists
|
||||
#
|
||||
run_user_exit() # $1 = file name
|
||||
{
|
||||
local user_exit=$(find_file $1)
|
||||
|
||||
if [ -f $user_exit ]; then
|
||||
progress_message "Processing $user_exit ..."
|
||||
. $user_exit
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
@ -769,6 +782,105 @@ if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Source IP range
|
||||
#
|
||||
source_ip_range() # $1 = Address or Address Range
|
||||
{
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
case $1 in
|
||||
!*)
|
||||
iprange_echo "! --src-range ${1#!}"
|
||||
;;
|
||||
*)
|
||||
iprange_echo "--src-range $1"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
!+*)
|
||||
echo "-m set ! $(get_set_flags ${1#!} src)"
|
||||
;;
|
||||
+*)
|
||||
echo "-m set $(get_set_flags $1 src)"
|
||||
;;
|
||||
*)
|
||||
echo "-s $1"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Destination IP range
|
||||
#
|
||||
dest_ip_range() # $1 = Address or Address Range
|
||||
{
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
case $1 in
|
||||
!*)
|
||||
iprange_echo "! --dst-range ${1#!}"
|
||||
;;
|
||||
*)
|
||||
iprange_echo "--dst-range $1"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
!+*)
|
||||
echo "-m set ! $(get_set_flags ${1#!} dst)"
|
||||
;;
|
||||
+*)
|
||||
echo "-m set $(get_set_flags $1 dst)"
|
||||
;;
|
||||
*)
|
||||
echo "-d $1"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
|
||||
{
|
||||
local rangeprefix= setprefix= rangematch= setmatch=
|
||||
|
||||
case $1 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
rangeprefix="-m iprange"
|
||||
rangematch="--src-range $1"
|
||||
;;
|
||||
!+*)
|
||||
setprefix="-m set"
|
||||
setmatch="! $(get_set_flags ${1#!} src)"
|
||||
;;
|
||||
+*)
|
||||
setprefix="-m set"
|
||||
setmatch="$(get_set_flags $1 src)"
|
||||
;;
|
||||
*)
|
||||
rangematch="-s $1"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $2 in
|
||||
*.*.*.*-*.*.*.*)
|
||||
rangeprefix="-m iprange"
|
||||
rangematch="$rangematch --dst-range $2"
|
||||
;;
|
||||
!+*)
|
||||
setprefix="-m set"
|
||||
match="$setmatch ! $(get_set_flags ${2#!} dst)"
|
||||
;;
|
||||
+*)
|
||||
setprefix="-m set"
|
||||
setmatch="$setmatch $(get_set_flags $2 dst)"
|
||||
;;
|
||||
*)
|
||||
rangematch="$rangematch -d $2"
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "$rangeprefix $rangematch $setprefix $setmatch"
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'dev' in the passed arguments then echo the next value
|
||||
#
|
||||
@ -1217,4 +1329,26 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
||||
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
|
||||
}
|
||||
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
|
||||
}
|
||||
|
||||
run_user_exit tcclear
|
||||
|
||||
run_ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
SHOREWALL_LIBRARY=Loaded
|
||||
|
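Review bot: In both_ip_ranges (moved into this library from the compiler) the `!+*` arm of the `case $2` writes `match="$setmatch ! $(get_set_flags ${2#!} dst)"`, assigning a negated destination set to an unrelated, undeclared variable that never reaches the final `echo`; the rule emitted for a `!+set` destination silently loses its destination restriction and matches more traffic than the rules-file entry states. The parallel `+*` arm shows the intended form, `setmatch="$setmatch ! $(get_set_flags ${2#!} dst)"`. This is carried over verbatim rather than introduced by the commit, so it is presumably a pre-existing defect, but the move is the right moment to fix it and to add `match` to nothing — the `local` line at the top of the function already lists the four variables that should be written.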