extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 15:43:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add SAVE_IPSETS option and allow explicit src and dst specifications

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2086 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-05-05 22:35:17 +00:00
parent e085262d29
commit 510f7311c9
5 changed files with 188 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
Shorewall2/firewall
View File

@ -562,7 +562,7 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
local temp setname options=$2
case $1 in
*\[*[1-6]\])
*\[[1-6]\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
@ -572,6 +572,12 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
done
echo "--set ${setname#+} $options"
;;
*\[*\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
echo "--set ${setname#+} $temp"
;;
*)
echo "--set ${1#+} $2"
;;
@ -813,22 +819,6 @@ match_ipsec_out() # $1 = zone, $2 = host
fi
}
#
# Generate a match for packets whose source matches the passed IPSET
#
match_ipset_source()
{
echo "-m set --set ${1#+} src"
}
#
# Generate a match for packets whose destination matches the passed IPSET
#
match_ipset_dest()
{
echo "-m set --set ${1#+} dst"
}
#
# Jacket for ip_range() that takes care of iprange match
#
@ -1560,6 +1550,17 @@ stop_firewall() {
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH
echo "Shorewall restored from $RESTOREPATH"
@ -5906,13 +5907,15 @@ report_capabilities() {
}
#
# Restore ipsets
# Restore ipset contents
#
restore_ipsets()
{
local restore_sets=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
[ -x $restore_sets ] && $restore_sets
restore_ipset_contents() {
local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
if [ -x $ipset_script ]; then
progress_message "Restoring IPSET contents..."
$ipset_script || stop_firewall
fi
}
#
@ -6008,11 +6011,12 @@ initialize_netfilter () {
deleteallchains
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
[ -n "$SAVE_IPSETS" ] && restore_ipset_contents
run_user_exit continue
f=$(find_file routestopped)
@ -7560,6 +7564,7 @@ do_initialize() {
DROPINVALID=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
RESTOREBASE=
@ -7757,6 +7762,7 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
#
# Strip the files that we use often
#

22
Shorewall2/functions
View File

@ -162,6 +162,9 @@ separate_list() {
local list
local part
local newlist
local firstpart
local lastpart
local enclosure
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
@ -176,6 +179,25 @@ separate_list() {
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets
#
firstpart=${@%%[*}
lastpart=${@#*[}
enclosure=${lastpart%]*}
lastpart=${lastpart#*]}
case $lastpart in
\,*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
return
;;
esac
list="$@"

88
Shorewall2/releasenotes.txt
View File

@ -40,13 +40,32 @@ New Features in version 2.3.0
(see http://people.netfilter.org/kadlec/ipset/).
In most places where an host or network address may be used, you may
also use the name of an ipset prefaced by "+". The name of the set
may optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) -- this number indicates the maximum number of ipset
binding levels that are to be matched. Depending on the context
where the ipset name is used, either all "src" or all "dst" matches
will be used.
also use the name of an ipset prefaced by "+".
Example: "+Mirrors"
The name of the set may optionally followed by:
a) a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that
are to be matched. Depending on the context where the ipset name
is used, either all "src" or all "dst" matches will be used.
Example: "+Mirrors[4]"
b) a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly
to iptables in the generated --set clause. See the ipset
documentation for details.
Example: "+Mirrors[src,dst,src]"
Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist"
/etc/shorewall/blacklist
@ -61,5 +80,60 @@ New Features in version 2.3.0
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22
Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then:
A) "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then your Shorewall
configuration will be saved in /var/lib/shorewall/standard and your
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
B) During "shorewall [re]start", shorewall will restore the ipset
contents from the file specifed in RESTOREFILE
(shorewall.conf). Again "-ipsets" is appended so if you have
RESTOREFILE=standard in shorewall.conf then your ipset contents will
be restored from /var/lib/shorewall/standard-ipsets.
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
and "shorewall start" commands will restore the ipset contents
corresponding to the Shorewall configuration restored provided that
the saved Shorewall configuration specified exists.
For example, "shorewall restore standard" would restore the ipset
contents from /var/lib/shorewall/standard-ipsets provided that
/var/lib/shorewall/standard exists and is executable and that
/var/lib/shorewall/standard-ipsets exists and is executable.
Ipsets are well suited for large blacklists. You can maintain your
blacklist using the 'ipset' utility without ever having to restart
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
sure to "shorewall save" after altering the blacklist ipset(s).
Example /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[2]
+Blacklistnets[2]
Create the blacklist ipsets using:
ipset -N Blacklist iphash
ipset -N Blacklistnets nethash
Add entries
ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.146.0/24
To allow entries for individual ports
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177.

41
Shorewall2/shorewall
View File

@ -846,6 +846,17 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH
date > $STATEDIR/restarted
@ -1211,6 +1222,22 @@ case "$1" in
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
case $SAVE_IPSETS in
[Yy]es)
RESTOREPATH=${RESTOREPATH}-ipsets
echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
echo "ipset -F" >> /var/lib/shorewall/restore-$$
echo "ipset -X" >> /var/lib/shorewall/restore-$$
echo "ipset -R << __EOF__" >> /var/lib/shorewall/restore-$$
ipset -S >> /var/lib/shorewall/restore-$$
echo "__EOF__" >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH"
;;
esac
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
@ -1246,6 +1273,12 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
rm -f ${RESTOREPATH}-ipsets
echo " ${RESTOREPATH}-ipsets removed"
fi
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
@ -1303,6 +1336,14 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else

14
Shorewall2/shorewall.conf
View File

@ -790,6 +790,20 @@ RFC1918_STRICT=No
MACLIST_TTL=
#
# Save/Restore IPSETS
#
# If SAVE_IPSETS=Yes then Shorewall will:
#
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
SAVE_IPSETS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################