From 4bebbdad3b11b5942d852c0b873ff1fc35966f7b Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 17 Jan 2006 20:03:00 +0000
Subject: [PATCH] Really implement 'stop' in the generated script
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 446 ++++++++++++++++++++++++++------------------
 Shorewall/functions | 134 +++++++++++++
 2 files changed, 401 insertions(+), 179 deletions(-)
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 7aa06292a..7afc3685a 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -781,105 +781,6 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst echo "--set ${setname#+} $options" } -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --src-range ${1#!}" - ;; - *) - iprange_echo "--src-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} src)" - ;; - +*) - echo "-m set $(get_set_flags $1 src)" - ;; - *) - echo "-s $1" - ;; - esac -} - -# -# Destination IP range -# -dest_ip_range() # $1 = Address or Address Range -{ - case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --dst-range ${1#!}" - ;; - *) - iprange_echo "--dst-range $1" - ;; - esac - ;; - !+*) - echo "-m set ! $(get_set_flags ${1#!} dst)" - ;; - +*) - echo "-m set $(get_set_flags $1 dst)" - ;; - *) - echo "-d $1" - ;; - esac -} - -both_ip_ranges() # $1 = Source address or range, $2 = dest address or range -{ - local rangeprefix= setprefix= rangematch= setmatch= - - case $1 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="--src-range $1" - ;; - !+*) - setprefix="-m set" - setmatch="! $(get_set_flags ${1#!} src)" - ;; - +*) - setprefix="-m set" - setmatch="$(get_set_flags $1 src)" - ;; - *) - rangematch="-s $1" - ;; - esac - - case $2 in - *.*.*.*-*.*.*.*) - rangeprefix="-m iprange" - rangematch="$rangematch --dst-range $2" - ;; - !+*) - setprefix="-m set" - match="$setmatch ! $(get_set_flags ${2#!} dst)" - ;; - +*) - setprefix="-m set" - setmatch="$setmatch $(get_set_flags $2 dst)" - ;; - *) - rangematch="$rangematch -d $2" - ;; - esac - - echo "$rangeprefix $rangematch $setprefix $setmatch" -} - # # Horrible hack to work around an iptables limitation # 
@@ -1927,19 +1828,6 @@ deleteallchains() { run_iptables -X } -## -# Source a user exit file if it exists -# -run_user_exit() # $1 = file name -{ - local user_exit=$(find_file $1) - - if [ -f $user_exit ]; then - progress_message "Processing $user_exit ..." - . $user_exit - fi -} - # # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # @@ -3942,28 +3830,6 @@ __EOF__ fi } -delete_tc1() -{ - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - # # Process a record from the accounting file # 
@@ -9046,6 +8912,266 @@ define_firewall() # $1 = Command (Start or Restart) mv -f $RESTOREBASE /var/lib/shorewall/restore-tail } +# +# Compile a script that will stop the firewall +# +# This function is called by compile_firewall() so all of the overloaded functions +# from that script are available here +# +compile_stop_firewall() { + + run_iptables() { + # + # Purge the temporary files that we use to prevent duplicate '-m' specifications + # + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + + save_command " $IPTABLES $@" + + } + + cat >> $RESTOREBASE << __EOF__ + +stop_firewall() { + + detetechain() { + qt $IPTABLES -L \$1 -n && qt $IPTABLES -F \$1 && qt $IPTABLES -X \$1 + } + + deleteallchains() { + $IPTABLES -F + $IPTABLES -X + } + + setpolicy() { + $IPTABLES -P $1 $2 + } + + case \$COMMAND in + stop|clear) + ;; + *) + set +x + + [ -n "\${RESTOREFILE:=restore}" ] + + RESTOREPATH=/var/lib/shorewall/\$RESTOREFILE + + if [ -x \$RESTOREPATH ]; then + + if [ -x \${RESTOREPATH}-ipsets ]; then + progress_message2 Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + for table in mangle nat filter; do + $IPTABLES -t \$table -F + $IPTABLES -t \$table -X + done + + \${RESTOREPATH}-ipsets + fi + + echo Restoring Shorewall... 
+ + if \$RESTOREPATH; then + echo "Shorewall restored from \$RESTOREPATH" + set_state "Started" + else + set_state "Unknown" + fi + + my_mutex_off + kill \$\$ + exit 2 + fi + ;; + esac + + set_state "Stopping" + + STOPPING="Yes" + + TERMINATOR= + + deletechain shorewall + + determine_capabilities + + run_user_exit stop + + if [ -n "\$MANGLE_ENABLED" ]; then + run_iptables -t mangle -F + run_iptables -t mangle -X + for chain in PREROUTING INPUT FORWARD POSTROUTING; do + qt $IPTABLES -t mangle -P \$chain ACCEPT + done + fi + + if [ -n "\$RAW_TABLE" ]; then + run_iptables -t raw -F + run_iptables -t raw -X + for chain in PREROUTING OUTPUT; do + qt $IPTABLES -t raw -P \$chain ACCEPT + done + fi + + if [ -n "\$NAT_ENABLED" ]; then + delete_nat + for chain in PREROUTING POSTROUTING OUTPUT; do + qt $IPTABLES -t nat -P \$chain ACCEPT + done + fi + + if [ -f /var/lib/shorewall/proxyarp ]; then + while read address interface external haveroute; do + qt arp -i \$external -d \$address pub + [ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface + done < /var/lib/shorewall/proxyarp + fi + + for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp + done + fi + +__EOF__ + [ -n "$CLEAR_TC" ] && save_command " delete_tc1" + + [ -n "$DISABLE_IPV6" ] && save_command " disable_ipv6" + + process_criticalhosts + + if [ -n "$CRITICALHOSTS" ]; then + if [ -z "$ADMINISABSENTMINDED" ]; then + cat >> $RESTOREBASE << __EOF__ + + for chain in INPUT OUTPUT; do + setpolicy \$chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + for host in $CRITICALHOSTS; do + interface=\${host%:*} + networks=\${host#*:} + $IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT + $IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT + done + + for chain in INPUT OUTPUT; do + setpolicy $\chain DROP + done + +__EOF__ + else + cat >> $RESTOREBASE << __EOF__ + + for chain in INPUT OUTPUT; do + setpolicy 
\$chain ACCEPT + done + + setpolicy FORWARD DROP + + deleteallchains + + for host in $CRITICALHOSTS; do + interface=\${host%:*} + networks=\${host#*:} + $IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT + $IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT + done + + setpolicy INPUT DROP + + for chain in INPUT FORWARD; do + setcontinue \$chain + done + +__EOF__ + fi + elif [ -z "$ADMINISABSENTMINDED" ]; then + cat >> $RESTOREBASE << __EOF__ + + for chain in INPUT OUTPUT FORWARD; do + setpolicy \$chain DROP + done + + deleteallchains + +__EOF__ + else + cat >> $RESTOREBASE << __EOF__ + + for chain in INPUT FORWARD; do + setpolicy \$chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + + for chain in INPUT FORWARD; do + setcontinue \$chain + done + +__EOF__ + fi + + process_routestopped -A + + $IPTABLES -A INPUT -i lo -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + save_command "$IPTABLES -A OUTPUT -o lo -j ACCEPT" + + for interface in $(find_interfaces_by_option dhcp); do + save_command "$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT" + [ -z "$ADMINISABSENTMINDED" ] && \ + save_command "$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" + # + # This might be a bridge + # + save_command "$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT" + done + + case "$IP_FORWARDING" in + [Oo][Nn]) + save_command " echo 1 > /proc/sys/net/ipv4/ip_forward" + save_command " progress_message2 IP Forwarding Enabled" + ;; + [Oo][Ff][Ff]) + save_command " echo 0 > /proc/sys/net/ipv4/ip_forward" + save_command " progress_message2 IP Forwarding Disabled!" + ;; + esac + + cat >> $RESTOREBASE << __EOF__ + run_user_exit stopped + + set_state "Stopped" + + logger "Shorewall Stopped" + + case \$COMMAND in + stop|clear) + ;; + *) + # + # The firewall is being stopped when we were trying to do something + # else. 
Remove the lock file and Kill the shell in case we're in a + # subshell + # + kill \$\$ + ;; + esac +} +__EOF__ +} + # # Compile a Restore Script # @@ -9164,58 +9290,20 @@ compile_firewall() # $1 = File Name __EOF__ -if [ -n "$EXPORT" ]; then - cat /usr/share/shorewall/functions >> $RESTOREBASE -else - cat >> $RESTOREBASE << __EOF__ + if [ -n "$EXPORT" ]; then + cat /usr/share/shorewall/functions >> $RESTOREBASE + else + cat >> $RESTOREBASE << __EOF__ . /usr/share/shorewall/functions __EOF__ -fi - -cat >> $RESTOREBASE << __EOF__ - -stop_firewall() -{ - set +x - - [ -n "\${RESTOREFILE:=restore}" ] - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x \$RESTOREPATH ]; then - - if [ -x \${RESTOREPATH}-ipsets ]; then - progress_message2 Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - for table in nat mangle filter; do - iptables -t \$table -F - iptables -t \$table -X - done - - \${RESTOREPATH}-ipsets - fi - - echo Restoring Shorewall... - - if \$RESTOREPATH; then - echo "Shorewall restored from \$RESTOREPATH" - set_state "Started" - else - set_state "Unknown" - fi - elif [ -x /sbin/shorewall ]; then - /sbin/shorewall stop fi - kill \$\$ - exit 2 -} + compile_stop_firewall + +cat >> $RESTOREBASE << __EOF__ fatal_error() { diff --git a/Shorewall/functions b/Shorewall/functions index d6ea53bc3..67e91583f 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -200,6 +200,19 @@ resolve_file() # $1 = file name esac } +## +# Source a user exit file if it exists +# +run_user_exit() # $1 = file name +{ + local user_exit=$(find_file $1) + + if [ -f $user_exit ]; then + progress_message "Processing $user_exit ..." + . $user_exit + fi +} + # # Replace commas with spaces and echo the result # 
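Review bot: The `setpolicy` helper written into the stop script reads `$IPTABLES -P $1 $2` inside an unquoted heredoc, so `$1` and `$2` are expanded by the compiler (invoked as bare `compile_stop_firewall` in the next hunk) rather than by the generated script; every `setpolicy \$chain DROP` call then emits an iptables error and the stopped firewall keeps whatever policies it already had, which defeats the fail-closed intent — it should be `$IPTABLES -P \$1 \$2`, as the neighbouring `detetechain` already does with `\$1`. That same heredoc defines `detetechain` while the body calls `deletechain shorewall` (either the override is dead or the call resolves elsewhere; I cannot see the library from here), and the absent-minded-admin branch has `setpolicy $\chain DROP` where the sibling loops use `\$chain`. After `process_routestopped -A`, `$IPTABLES -A INPUT -i lo -j ACCEPT` is executed on the compiling host instead of being passed to `save_command` like the OUTPUT line right under it, so the generated script lacks the loopback INPUT rule and the compile step touches live rules; `save_command "$IPTABLES -A INPUT -i lo -j ACCEPT"` is the intended form. As far as the collapsed hunk shows, the proxy_arp `for … done` is followed by a second `fi` with only one `if` open at that point, which would make the emitted stop_firewall unparseable, so a syntax check of the generated script is worth adding to the test run.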
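Review bot: `run_user_exit`, as moved into functions, still uses `$user_exit` unquoted in both the test and the `.` source line, and `[ -f $user_exit ]` with an empty expansion degenerates to the one-argument test `[ -f ]`, which is true, so a `find_file` that returns nothing (its contract is not visible here) would reach `. ` with no argument; `if [ -n "$user_exit" ] && [ -f "$user_exit" ]; then` followed by `. "$user_exit"` closes both gaps and also keeps a path containing whitespace intact. The `##` comment opener differs from the single `#` style used for the other headers in this file.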
@@ -769,6 +782,105 @@ if_match() # $1 = Name in interfaces file - may end in "+" esac } +# +# Source IP range +# +source_ip_range() # $1 = Address or Address Range +{ + case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! --src-range ${1#!}" + ;; + *) + iprange_echo "--src-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} src)" + ;; + +*) + echo "-m set $(get_set_flags $1 src)" + ;; + *) + echo "-s $1" + ;; + esac +} + +# +# Destination IP range +# +dest_ip_range() # $1 = Address or Address Range +{ + case $1 in + *.*.*.*-*.*.*.*) + case $1 in + !*) + iprange_echo "! --dst-range ${1#!}" + ;; + *) + iprange_echo "--dst-range $1" + ;; + esac + ;; + !+*) + echo "-m set ! $(get_set_flags ${1#!} dst)" + ;; + +*) + echo "-m set $(get_set_flags $1 dst)" + ;; + *) + echo "-d $1" + ;; + esac +} + +both_ip_ranges() # $1 = Source address or range, $2 = dest address or range +{ + local rangeprefix= setprefix= rangematch= setmatch= + + case $1 in + *.*.*.*-*.*.*.*) + rangeprefix="-m iprange" + rangematch="--src-range $1" + ;; + !+*) + setprefix="-m set" + setmatch="! $(get_set_flags ${1#!} src)" + ;; + +*) + setprefix="-m set" + setmatch="$(get_set_flags $1 src)" + ;; + *) + rangematch="-s $1" + ;; + esac + + case $2 in + *.*.*.*-*.*.*.*) + rangeprefix="-m iprange" + rangematch="$rangematch --dst-range $2" + ;; + !+*) + setprefix="-m set" + match="$setmatch ! $(get_set_flags ${2#!} dst)" + ;; + +*) + setprefix="-m set" + setmatch="$setmatch $(get_set_flags $2 dst)" + ;; + *) + rangematch="$rangematch -d $2" + ;; + esac + + echo "$rangeprefix $rangematch $setprefix $setmatch" +} + # # Find the value 'dev' in the passed arguments then echo the next value # 
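Review bot: In `both_ip_ranges`, the `!+*)` branch of the second `case` assigns `match=` instead of `setmatch=`, so a negated destination set is silently dropped from the echoed match (the final `echo` prints only `$setmatch`) and the resulting rule matches every destination rather than "not in set" — it should read `setmatch="$setmatch ! $(get_set_flags ${2#!} dst)"`. The stray `match` is also absent from the `local` list, so it leaks into the caller's scope. This is moved code, but the defect survives the move unchanged, and a match that is wider than the policy author wrote is worth fixing while the function is being relocated.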
@@ -1217,4 +1329,26 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ } +delete_tc1() +{ + clear_one_tc() { + tc qdisc del dev $1 root 2> /dev/null + tc qdisc del dev $1 ingress 2> /dev/null + + } + + run_user_exit tcclear + + run_ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; + esac + done +} + SHOREWALL_LIBRARY=Loaded