From 510f7311c9ff95c89f171ba2057c8aaf7de3cec8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 5 May 2005 22:35:17 +0000
Subject: [PATCH] Add SAVE_IPSETS option and allow explicit src and dst specifications
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2086 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall2/firewall | 54 +++++++++++++----------
Shorewall2/functions | 22 ++++++++++
Shorewall2/releasenotes.txt | 88 ++++++++++++++++++++++++++++++++++---
Shorewall2/shorewall | 41 +++++++++++++++++
Shorewall2/shorewall.conf | 14 ++++++
5 files changed, 188 insertions(+), 31 deletions(-)
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index bd093dc40..48e345cba 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -562,7 +562,7 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
 local temp setname options=$2
 case $1 in
- *\[*[1-6]\])
+ *\[[1-6]\])
 temp=${1#*\[}
 temp=${temp%\]}
 setname=${1%\[*}
@@ -572,6 +572,12 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
 done
 echo "--set ${setname#+} $options"
 ;;
+ *\[*\])
+ temp=${1#*\[}
+ temp=${temp%\]}
+ setname=${1%\[*}
+ echo "--set ${setname#+} $temp"
+ ;;
 *)
 echo "--set ${1#+} $2"
 ;;
@@ -813,22 +819,6 @@ match_ipsec_out() # $1 = zone, $2 = host
 fi
 }
-#
-# Generate a match for packets whose source matches the passed IPSET
-#
-match_ipset_source()
-{
- echo "-m set --set ${1#+} src"
-}
-
-#
-# Generate a match for packets whose destination matches the passed IPSET
-#
-match_ipset_dest()
-{
- echo "-m set --set ${1#+} dst"
-}
-
 #
 # Jacket for ip_range() that takes care of iprange match
 #
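Review bot: The new `*\[*\])` branch of get_set_flags copies whatever sits between the brackets into the generated `--set` clause unchecked, so an empty list (`+Mirrors[]` also matches this pattern) or a mistyped flag such as `+Mirrors[srv]` is only rejected by iptables when the rule is loaded, with a message that does not name the configuration entry. A validation step before the `echo`, along the lines of `case $temp in ''|*[!a-z,]*) <report fatal error naming "$1"> ;; esac`, would let the script report the offending entry itself; since the tightened `*\[[1-6]\]` pattern in the first hunk now requires the digit directly after `[`, the numeric and explicit forms are disjoint and such a check cannot misfire on the binding-level form. A one-line comment above the branch, `# explicit src/dst flag list, passed to iptables verbatim`, would also make the distinction from the numeric form visible to the next reader.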
@@ -1560,6 +1550,17 @@ stop_firewall() {
 RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 if [ -x $RESTOREPATH ]; then
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ echo Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+
 echo Restoring Shorewall...
 $RESTOREPATH
 echo "Shorewall restored from $RESTOREPATH"
@@ -5906,13 +5907,15 @@ report_capabilities() {
 }
 #
-# Restore ipsets
+# Restore ipset contents
 #
-restore_ipsets()
-{
- local restore_sets=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
-
- [ -x $restore_sets ] && $restore_sets
+restore_ipset_contents() {
+ local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
+
+ if [ -x $ipset_script ]; then
+ progress_message "Restoring IPSET contents..."
+ $ipset_script || stop_firewall
+ fi
 }
 #
@@ -6008,11 +6011,12 @@ initialize_netfilter () {
 deleteallchains
-
 setcontinue FORWARD
 setcontinue INPUT
 setcontinue OUTPUT
+ [ -n "$SAVE_IPSETS" ] && restore_ipset_contents
+
 run_user_exit continue
 f=$(find_file routestopped)
@@ -7560,6 +7564,7 @@ do_initialize() {
 DROPINVALID=
 RFC1918_STRICT=
 MACLIST_TTL=
+ SAVE_IPSETS=
 RESTOREFILE=
 RESTOREBASE=
@@ -7757,6 +7762,7 @@ do_initialize() {
 LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
 DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
 RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
+ SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall2/functions b/Shorewall2/functions
index 4da085b32..941b5cf61 100755
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@@ -162,6 +162,9 @@ separate_list() {
 local list
 local part
 local newlist
+ local firstpart
+ local lastpart
+ local enclosure
 #
 # There's been whining about us not catching embedded white space in
 # comma-separated lists. This is an attempt to snag some of the cases.
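Review bot: In the stop_firewall hunk the result of `${RESTOREPATH}-ipsets` is not checked, so if the saved ipset script fails part-way (its `ipset -X` cannot destroy a set that is still referenced, and `iptables -F`/`iptables -X` here clear only the filter table, leaving any references from the nat or mangle tables in place) the code still runs `$RESTOREPATH`, which may then fail on the missing sets and leave the host with flushed chains and no restored configuration. Flushing all three tables first, `for t in filter nat mangle; do iptables -t $t -F; iptables -t $t -X; done`, and testing the script, `${RESTOREPATH}-ipsets || <take the no-saved-configuration path>`, would close that gap; the hunk at 5906 already checks its call (`$ipset_script || stop_firewall`), so the two restore paths are currently inconsistent. The same unchecked flush-and-run sequence is repeated in the Shorewall2/shorewall hunks at 846 and 1303. The else branch of the enclosing `if [ -x $RESTOREPATH ]` lies outside the hunk.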
@@ -176,6 +179,25 @@ separate_list() {
 $terminator "Invalid comma-separated list \"$@\""
 echo "Warning -- invalid comma-separated list \"$@\"" >&2
 ;;
+ *\[*\]*)
+ #
+ # Where we need to embed comma-separated lists within lists, we enclose them
+ # within square brackets
+ #
+ firstpart=${@%%[*}
+ lastpart=${@#*[}
+ enclosure=${lastpart%]*}
+ lastpart=${lastpart#*]}
+ case $lastpart in
+ \,*)
+ echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
+ ;;
+ *)
+ echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
+ ;;
+ esac
+ return
+ ;;
 esac
 list="$@"
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 26990f322..a3451ccb3 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
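Review bot: `enclosure=${lastpart%]*}` strips from the last `]` in the remainder, so a list containing two bracketed items, e.g. `+a[src,dst],+b[src]`, yields an enclosure of `src,dst],+b[src` and the recursion on `$lastpart` then emits `+b[src]` a second time, producing `+a[src,dst],+b[src] +b[src]`; `enclosure=${lastpart%%]*}` (longest suffix, i.e. cut at the first `]`) pairs each `[` with its own `]` and gives `+a[src,dst] +b[src]`. Note also that `${@%%[*}` and `${@#*[}` apply the pattern to each positional parameter separately rather than to the joined list, and rely on an unterminated `[` being taken literally; the escaped form used by get_set_flags (`${1%\[*}`) is explicit and consistent with the firewall script. separate_list continues outside the hunk on both sides.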
@@ -40,13 +40,32 @@ New Features in version 2.3.0
 (see http://people.netfilter.org/kadlec/ipset/).
 In most places where an host or network address may be used, you may
- also use the name of an ipset prefaced by "+". The name of the set
- may optionally followed by a number from 1 to 6 enclosed in square
- brackets ([]) -- this number indicates the maximum number of ipset
- binding levels that are to be matched. Depending on the context
- where the ipset name is used, either all "src" or all "dst" matches
- will be used.
-
+ also use the name of an ipset prefaced by "+".
+
+ Example: "+Mirrors"
+
+ The name of the set may optionally followed by:
+
+ a) a number from 1 to 6 enclosed in square brackets ([]) -- this
+ number indicates the maximum number of ipset binding levels that
+ are to be matched. Depending on the context where the ipset name
+ is used, either all "src" or all "dst" matches will be used.
+
+ Example: "+Mirrors[4]"
+
+ b) a series of "src" and "dst" options separated by commas and
+ inclosed in square brackets ([]). These will be passed directly
+ to iptables in the generated --set clause. See the ipset
+ documentation for details.
+
+ Example: "+Mirrors[src,dst,src]"
+
+ Note that "+Mirrors[4]" used in the SOURCE column of the rules
+ file is equivalent to "+Mirrors[src,src,src,src]".
+
+ To generate a negative match, prefix the "+" with "!" as in
+ "!+Mirrors".
+
 Example 1: Blacklist all hosts in an ipset named "blacklist"
 /etc/shorewall/blacklist
@@ -61,5 +80,60 @@ New Features in version 2.3.0
 #ACTION SOURCE DEST PROTO DEST PORT(S)
 ACCEPT +sshok fw tcp 22
+ Shorewall can automatically manage the contents of your ipsets for
+ you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
+ then:
+ A) "shorewall save" will save the contents of your ipsets. The file
+ where the sets are saved is formed by taking the name where the
+ Shorewall configuration is stored and appending "-ipsets". So if you
+ enter the command "shorewall save standard" then your Shorewall
+ configuration will be saved in /var/lib/shorewall/standard and your
+ ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
+ B) During "shorewall [re]start", shorewall will restore the ipset
+ contents from the file specifed in RESTOREFILE
+ (shorewall.conf). Again "-ipsets" is appended so if you have
+ RESTOREFILE=standard in shorewall.conf then your ipset contents will
+ be restored from /var/lib/shorewall/standard-ipsets.
+
+ Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
+ and "shorewall start" commands will restore the ipset contents
+ corresponding to the Shorewall configuration restored provided that
+ the saved Shorewall configuration specified exists.
+
+ For example, "shorewall restore standard" would restore the ipset
+ contents from /var/lib/shorewall/standard-ipsets provided that
+ /var/lib/shorewall/standard exists and is executable and that
+ /var/lib/shorewall/standard-ipsets exists and is executable.
+
+ Ipsets are well suited for large blacklists. You can maintain your
+ blacklist using the 'ipset' utility without ever having to restart
+ or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
+ sure to "shorewall save" after altering the blacklist ipset(s).
+
+ Example /etc/shorewall/blacklist:
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+ +Blacklist[2]
+ +Blacklistnets[2]
+
+ Create the blacklist ipsets using:
+
+ ipset -N Blacklist iphash
+ ipset -N Blacklistnets nethash
+
+ Add entries
+
+ ipset -A Blacklist 206.124.146.177
+ ipset -A Blacklistnets 206.124.146.0/24
+
+ To allow entries for individual ports
+
+ ipset -N SMTP portmap --from 1 --to 31
+ ipset -A SMTP 25
+
+ ipset -A Blacklist 206.124.146.177
+ ipset -B Blacklist 206.124.146.177 -b SMTP
+
+ Now only port 25 will be blocked from 206.124.146.177.
diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall
index f870aeb4f..ea188fcc5 100755
--- a/Shorewall2/shorewall
+++ b/Shorewall2/shorewall
@@ -846,6 +846,17 @@ case "$1" in
 RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 if [ -x $RESTOREPATH ]; then
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ echo Restoring Ipsets...
+ #
+ # We must purge iptables to be sure that there are no
+ # references to ipsets
+ #
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+
 echo Restoring Shorewall...
 $RESTOREPATH
 date > $STATEDIR/restarted
@@ -1211,6 +1222,22 @@ case "$1" in
 mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
 chmod +x $RESTOREPATH
 echo " Currently-running Configuration Saved to $RESTOREPATH"
+
+ case $SAVE_IPSETS in
+ [Yy]es)
+ RESTOREPATH=${RESTOREPATH}-ipsets
+ echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
+ echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
+ echo "ipset -F" >> /var/lib/shorewall/restore-$$
+ echo "ipset -X" >> /var/lib/shorewall/restore-$$
+ echo "ipset -R << __EOF__" >> /var/lib/shorewall/restore-$$
+ ipset -S >> /var/lib/shorewall/restore-$$
+ echo "__EOF__" >> /var/lib/shorewall/restore-$$
+ mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
+ chmod +x $RESTOREPATH
+ echo " Current Ipset Contents Saved to $RESTOREPATH"
+ ;;
+ esac
 else
 rm -f /var/lib/shorewall/restore-$$
 echo " ERROR: Currently-running Configuration Not Saved"
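Review bot: In the `[Yy]es)` branch of the save hunk the result of `ipset -S >> /var/lib/shorewall/restore-$$` is not checked, so if the dump fails (ipset tool absent, kernel module not loaded, or an ipset/kernel version mismatch) the truncated file is still renamed to `${RESTOREPATH}-ipsets` and made executable, and the restore paths added elsewhere in this commit will later run its unconditional `ipset -U :all: :all:`, `ipset -F`, `ipset -X` and destroy the live sets with nothing to put back. The surrounding code already handles a failed configuration save with an `else` branch that removes the temp file and prints an ERROR line; the ipset branch should follow the same pattern, as below. The value test `[Yy]es)` also differs from the firewall script, which normalises SAVE_IPSETS through `added_param_value_no`, so the two may disagree on other spellings of "yes". The `case "$1" in` that encloses this code starts and ends outside the hunk.
```shell
	    case $SAVE_IPSETS in
		[Yy]es)
		    RESTOREPATH=${RESTOREPATH}-ipsets
		    # … unchanged: the echo lines writing the "#!/bin/sh", ipset -U/-F/-X and "ipset -R << __EOF__" preamble …
		    if ipset -S >> /var/lib/shorewall/restore-$$; then
			echo "__EOF__" >> /var/lib/shorewall/restore-$$
			mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
			chmod +x $RESTOREPATH
			echo " Current Ipset Contents Saved to $RESTOREPATH"
		    else
			# A partial dump must not become an executable restore script:
			# running it would destroy the live sets without restoring them.
			rm -f /var/lib/shorewall/restore-$$
			echo " ERROR: Current Ipset Contents Not Saved"
		    fi
		    ;;
	    esac
```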
@@ -1246,6 +1273,12 @@ case "$1" in
 RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 if [ -x $RESTOREPATH ]; then
+
+ if [ -x ${RESTOREPATH}-ipsets ]; then
+ rm -f ${RESTOREPATH}-ipsets
+ echo " ${RESTOREPATH}-ipsets removed"
+ fi
+
 rm -f $RESTOREPATH
 echo " $RESTOREPATH removed"
 elif [ -f $RESTOREPATH ]; then
@@ -1303,6 +1336,14 @@ case "$1" in
 RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 if [ -x $RESTOREPATH ]; then
+
+ if [ -x ${RESTOREPATH}-ipsets ] ; then
+ echo Restoring Ipsets...
+ iptables -F
+ iptables -X
+ ${RESTOREPATH}-ipsets
+ fi
+
 echo Restoring Shorewall...
 $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
 else
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 76850fd5e..366a518a0 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -790,6 +790,20 @@ RFC1918_STRICT=No
 MACLIST_TTL=
+#
+# Save/Restore IPSETS
+#
+# If SAVE_IPSETS=Yes then Shorewall will:
+#
+# Restore the last saved ipset contents during "shorewall [re]start"
+# Save the current ipset contents during "shorewall save"
+#
+# Regardless of the setting of SAVE_IPSETS, if ipset contents were
+# saved during a "shorewall save" then they will be restored during
+# a subsequent "shorewall restore".
+
+SAVE_IPSETS=No
+
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
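Review bot: The forget hunk tests `-x ${RESTOREPATH}-ipsets` before removing the file, so an ipset file that exists but is not executable is neither removed nor reported; the save hunk in this same file does the `mv -f` before the `chmod +x`, so an interruption between the two leaves exactly such a file behind. The surrounding code falls back to `elif [ -f $RESTOREPATH ]` for the main configuration file, and the ipset check should use the same test, `if [ -f ${RESTOREPATH}-ipsets ]; then`, so that `shorewall forget` guarantees the file is gone. The enclosing `case "$1" in` starts and ends outside the hunk.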