Add SAVE_IPSETS option and allow explicit src and dst specifications
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2086 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
e085262d29
commit
510f7311c9
@ -562,7 +562,7 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
||||
local temp setname options=$2
|
||||
|
||||
case $1 in
|
||||
*\[*[1-6]\])
|
||||
*\[[1-6]\])
|
||||
temp=${1#*\[}
|
||||
temp=${temp%\]}
|
||||
setname=${1%\[*}
|
||||
@ -572,6 +572,12 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
||||
done
|
||||
echo "--set ${setname#+} $options"
|
||||
;;
|
||||
*\[*\])
|
||||
temp=${1#*\[}
|
||||
temp=${temp%\]}
|
||||
setname=${1%\[*}
|
||||
echo "--set ${setname#+} $temp"
|
||||
;;
|
||||
*)
|
||||
echo "--set ${1#+} $2"
|
||||
;;
|
||||
@ -813,22 +819,6 @@ match_ipsec_out() # $1 = zone, $2 = host
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for packets whose source matches the passed IPSET
|
||||
#
|
||||
match_ipset_source()
|
||||
{
|
||||
echo "-m set --set ${1#+} src"
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for packets whose destination matches the passed IPSET
|
||||
#
|
||||
match_ipset_dest()
|
||||
{
|
||||
echo "-m set --set ${1#+} dst"
|
||||
}
|
||||
|
||||
#
|
||||
# Jacket for ip_range() that takes care of iprange match
|
||||
#
|
||||
@ -1560,6 +1550,17 @@ stop_firewall() {
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
echo Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
iptables -F
|
||||
iptables -X
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH
|
||||
echo "Shorewall restored from $RESTOREPATH"
|
||||
@ -5906,13 +5907,15 @@ report_capabilities() {
|
||||
}
|
||||
|
||||
#
|
||||
# Restore ipsets
|
||||
# Restore ipset contents
|
||||
#
|
||||
restore_ipsets()
|
||||
{
|
||||
local restore_sets=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
|
||||
|
||||
[ -x $restore_sets ] && $restore_sets
|
||||
restore_ipset_contents() {
|
||||
local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
|
||||
|
||||
if [ -x $ipset_script ]; then
|
||||
progress_message "Restoring IPSET contents..."
|
||||
$ipset_script || stop_firewall
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -6008,11 +6011,12 @@ initialize_netfilter () {
|
||||
|
||||
deleteallchains
|
||||
|
||||
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
[ -n "$SAVE_IPSETS" ] && restore_ipset_contents
|
||||
|
||||
run_user_exit continue
|
||||
|
||||
f=$(find_file routestopped)
|
||||
@ -7560,6 +7564,7 @@ do_initialize() {
|
||||
DROPINVALID=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
SAVE_IPSETS=
|
||||
RESTOREFILE=
|
||||
|
||||
RESTOREBASE=
|
||||
@ -7757,6 +7762,7 @@ do_initialize() {
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
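Review bot: In the stop_firewall hunk the purge before running `${RESTOREPATH}-ipsets` is `iptables -F` and `iptables -X` with no `-t`, so only the filter table is cleared; if nat or mangle rules still reference a set (not visible here), the `ipset -X` inside the restore script cannot destroy it and the following `ipset -R` may fail. The exit status of `${RESTOREPATH}-ipsets` is not checked either, so a failed set restore is followed by `$RESTOREPATH`, whose rules reference sets that may not exist, whereas the new restore_ipset_contents in the later hunk does `|| stop_firewall`. Between the flush and `$RESTOREPATH` the built-in chain policies decide traffic and the hunk does not set them, so unless they are already DROP at this point (not shown) the host is briefly unfiltered. I would flush every table, `for t in filter nat mangle; do iptables -t $t -F; iptables -t $t -X; done`, and check the script's status, `${RESTOREPATH}-ipsets || echo "   ERROR: Ipsets Not Restored" >&2`. The same pattern appears in the two restore hunks of the CLI script further down this page; stop_firewall begins and ends outside this hunk.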
@ -162,6 +162,9 @@ separate_list() {
|
||||
local list
|
||||
local part
|
||||
local newlist
|
||||
local firstpart
|
||||
local lastpart
|
||||
local enclosure
|
||||
#
|
||||
# There's been whining about us not catching embedded white space in
|
||||
# comma-separated lists. This is an attempt to snag some of the cases.
|
||||
@ -176,6 +179,25 @@ separate_list() {
|
||||
$terminator "Invalid comma-separated list \"$@\""
|
||||
echo "Warning -- invalid comma-separated list \"$@\"" >&2
|
||||
;;
|
||||
*\[*\]*)
|
||||
#
|
||||
# Where we need to embed comma-separated lists within lists, we enclose them
|
||||
# within square brackets
|
||||
#
|
||||
firstpart=${@%%[*}
|
||||
lastpart=${@#*[}
|
||||
enclosure=${lastpart%]*}
|
||||
lastpart=${lastpart#*]}
|
||||
case $lastpart in
|
||||
\,*)
|
||||
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
|
||||
;;
|
||||
*)
|
||||
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
|
||||
;;
|
||||
esac
|
||||
return
|
||||
;;
|
||||
esac
|
||||
|
||||
list="$@"
|
||||
|
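Review bot: In the new `*\[*\]*)` arm, `enclosure=${lastpart%]*}` strips the shortest suffix, i.e. from the last `]`, while the next line `lastpart=${lastpart#*]}` cuts at the first `]`; with more than one bracketed group in a list (for example `a[1,2],b[3,4]`) the enclosure becomes `1,2],b[3,4` and the recursive calls are fed the wrong pieces. `enclosure=${lastpart%%]*}` makes both expansions agree on the first closing bracket and gives the same result for a single group. The arm also applies `${@%%[*}` and `${@#*[}` to the positional parameters rather than to one joined string; if the function is called with the list split across several arguments (the case selector and the call sites are outside the hunk) each word is trimmed separately, so deriving the parts from `list="$*"` as the code below the `esac` already does would be safer. separate_list begins before this hunk.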
@ -40,13 +40,32 @@ New Features in version 2.3.0
|
||||
(see http://people.netfilter.org/kadlec/ipset/).
|
||||
|
||||
In most places where an host or network address may be used, you may
|
||||
also use the name of an ipset prefaced by "+". The name of the set
|
||||
may optionally followed by a number from 1 to 6 enclosed in square
|
||||
brackets ([]) -- this number indicates the maximum number of ipset
|
||||
binding levels that are to be matched. Depending on the context
|
||||
where the ipset name is used, either all "src" or all "dst" matches
|
||||
will be used.
|
||||
|
||||
also use the name of an ipset prefaced by "+".
|
||||
|
||||
Example: "+Mirrors"
|
||||
|
||||
The name of the set may optionally followed by:
|
||||
|
||||
a) a number from 1 to 6 enclosed in square brackets ([]) -- this
|
||||
number indicates the maximum number of ipset binding levels that
|
||||
are to be matched. Depending on the context where the ipset name
|
||||
is used, either all "src" or all "dst" matches will be used.
|
||||
|
||||
Example: "+Mirrors[4]"
|
||||
|
||||
b) a series of "src" and "dst" options separated by commas and
|
||||
inclosed in square brackets ([]). These will be passed directly
|
||||
to iptables in the generated --set clause. See the ipset
|
||||
documentation for details.
|
||||
|
||||
Example: "+Mirrors[src,dst,src]"
|
||||
|
||||
Note that "+Mirrors[4]" used in the SOURCE column of the rules
|
||||
file is equivalent to "+Mirrors[src,src,src,src]".
|
||||
|
||||
To generate a negative match, prefix the "+" with "!" as in
|
||||
"!+Mirrors".
|
||||
|
||||
Example 1: Blacklist all hosts in an ipset named "blacklist"
|
||||
|
||||
/etc/shorewall/blacklist
|
||||
@ -61,5 +80,60 @@ New Features in version 2.3.0
|
||||
#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT +sshok fw tcp 22
|
||||
|
||||
Shorewall can automatically manage the contents of your ipsets for
|
||||
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
|
||||
then:
|
||||
|
||||
A) "shorewall save" will save the contents of your ipsets. The file
|
||||
where the sets are saved is formed by taking the name where the
|
||||
Shorewall configuration is stored and appending "-ipsets". So if you
|
||||
enter the command "shorewall save standard" then your Shorewall
|
||||
configuration will be saved in /var/lib/shorewall/standard and your
|
||||
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
|
||||
|
||||
B) During "shorewall [re]start", shorewall will restore the ipset
|
||||
contents from the file specifed in RESTOREFILE
|
||||
(shorewall.conf). Again "-ipsets" is appended so if you have
|
||||
RESTOREFILE=standard in shorewall.conf then your ipset contents will
|
||||
be restored from /var/lib/shorewall/standard-ipsets.
|
||||
|
||||
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
|
||||
and "shorewall start" commands will restore the ipset contents
|
||||
corresponding to the Shorewall configuration restored provided that
|
||||
the saved Shorewall configuration specified exists.
|
||||
|
||||
For example, "shorewall restore standard" would restore the ipset
|
||||
contents from /var/lib/shorewall/standard-ipsets provided that
|
||||
/var/lib/shorewall/standard exists and is executable and that
|
||||
/var/lib/shorewall/standard-ipsets exists and is executable.
|
||||
|
||||
Ipsets are well suited for large blacklists. You can maintain your
|
||||
blacklist using the 'ipset' utility without ever having to restart
|
||||
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
|
||||
sure to "shorewall save" after altering the blacklist ipset(s).
|
||||
|
||||
Example /etc/shorewall/blacklist:
|
||||
|
||||
#ADDRESS/SUBNET PROTOCOL PORT
|
||||
+Blacklist[2]
|
||||
+Blacklistnets[2]
|
||||
|
||||
Create the blacklist ipsets using:
|
||||
|
||||
ipset -N Blacklist iphash
|
||||
ipset -N Blacklistnets nethash
|
||||
|
||||
Add entries
|
||||
|
||||
ipset -A Blacklist 206.124.146.177
|
||||
ipset -A Blacklistnets 206.124.146.0/24
|
||||
|
||||
To allow entries for individual ports
|
||||
|
||||
ipset -N SMTP portmap --from 1 --to 31
|
||||
ipset -A SMTP 25
|
||||
|
||||
ipset -A Blacklist 206.124.146.177
|
||||
ipset -B Blacklist 206.124.146.177 -b SMTP
|
||||
|
||||
Now only port 25 will be blocked from 206.124.146.177.
|
||||
|
@ -846,6 +846,17 @@ case "$1" in
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
echo Restoring Ipsets...
|
||||
#
|
||||
# We must purge iptables to be sure that there are no
|
||||
# references to ipsets
|
||||
#
|
||||
iptables -F
|
||||
iptables -X
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH
|
||||
date > $STATEDIR/restarted
|
||||
@ -1211,6 +1222,22 @@ case "$1" in
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
|
||||
case $SAVE_IPSETS in
|
||||
[Yy]es)
|
||||
RESTOREPATH=${RESTOREPATH}-ipsets
|
||||
echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
|
||||
echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
|
||||
echo "ipset -F" >> /var/lib/shorewall/restore-$$
|
||||
echo "ipset -X" >> /var/lib/shorewall/restore-$$
|
||||
echo "ipset -R << __EOF__" >> /var/lib/shorewall/restore-$$
|
||||
ipset -S >> /var/lib/shorewall/restore-$$
|
||||
echo "__EOF__" >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Current Ipset Contents Saved to $RESTOREPATH"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
|
||||
echo " ERROR: Currently-running Configuration Not Saved"
|
||||
@ -1246,6 +1273,12 @@ case "$1" in
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
rm -f ${RESTOREPATH}-ipsets
|
||||
echo " ${RESTOREPATH}-ipsets removed"
|
||||
fi
|
||||
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
@ -1303,6 +1336,14 @@ case "$1" in
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ] ; then
|
||||
echo Restoring Ipsets...
|
||||
iptables -F
|
||||
iptables -X
|
||||
${RESTOREPATH}-ipsets
|
||||
fi
|
||||
|
||||
echo Restoring Shorewall...
|
||||
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
|
||||
else
|
||||
|
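Review bot: In the save hunk the exit status of `ipset -S >> /var/lib/shorewall/restore-$$` is ignored, so if the command fails (ipset binary or kernel support missing) the script is still moved into place and made executable with a header that unbinds, flushes and destroys every set (`ipset -U :all: :all:`, `ipset -F`, `ipset -X`) followed by an empty restore body; the next `shorewall restore` or start then wipes the live sets and loads nothing. The configuration branch just above it handles its own failure by removing the temporary file and printing an error, and the ipset branch should mirror that, as sketched below. Reassigning `RESTOREPATH` to the `-ipsets` name inside the arm is also fragile for anything after the `esac` that still expects the configuration path; a separate variable avoids it. The generated script has no error handling of its own, so an `ipset -X` that fails on a still-referenced set is simply followed by `ipset -R`; whether that then errors on existing sets depends on ipset's behaviour, which this page does not show.
```sh
case $SAVE_IPSETS in
    [Yy]es)
        IPSETPATH=${RESTOREPATH}-ipsets
        # … unchanged: the five echo lines writing the script header into /var/lib/shorewall/restore-$$ …
        if ipset -S >> /var/lib/shorewall/restore-$$; then
            echo "__EOF__" >> /var/lib/shorewall/restore-$$
            mv -f /var/lib/shorewall/restore-$$ $IPSETPATH
            chmod +x $IPSETPATH
            echo "   Current Ipset Contents Saved to $IPSETPATH"
        else
            rm -f /var/lib/shorewall/restore-$$
            echo "   ERROR: Current Ipset Contents Not Saved"
        fi
        ;;
esac
```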
@ -790,6 +790,20 @@ RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
#
|
||||
# Save/Restore IPSETS
|
||||
#
|
||||
# If SAVE_IPSETS=Yes then Shorewall will:
|
||||
#
|
||||
# Restore the last saved ipset contents during "shorewall [re]start"
|
||||
# Save the current ipset contents during "shorewall save"
|
||||
#
|
||||
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
|
||||
# saved during a "shorewall save" then they will be restored during
|
||||
# a subsequent "shorewall restore".
|
||||
|
||||
SAVE_IPSETS=No
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
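Review bot: The new SAVE_IPSETS comment says when set contents are restored but not what a restore does to sets already loaded: the script written by `shorewall save` elsewhere on this page starts with `ipset -U :all: :all:`, `ipset -F` and `ipset -X`, so a restore replaces every loaded set, including any not referenced by Shorewall. I would add after the last paragraph: `# Restoring replaces the contents of ALL ipsets currently loaded, not only those referenced from the Shorewall configuration.`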