Add SAVE_IPSETS option and allow explicit src and dst specifications

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2086 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-05 22:35:17 +00:00
parent e085262d29
commit 510f7311c9
5 changed files with 188 additions and 31 deletions


@ -562,7 +562,7 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
local temp setname options=$2 local temp setname options=$2
case $1 in case $1 in
*\[*[1-6]\]) *\[[1-6]\])
temp=${1#*\[} temp=${1#*\[}
temp=${temp%\]} temp=${temp%\]}
setname=${1%\[*} setname=${1%\[*}
@ -572,6 +572,12 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
done done
echo "--set ${setname#+} $options" echo "--set ${setname#+} $options"
;; ;;
*\[*\])
temp=${1#*\[}
temp=${temp%\]}
setname=${1%\[*}
echo "--set ${setname#+} $temp"
;;
*) *)
echo "--set ${1#+} $2" echo "--set ${1#+} $2"
;; ;;
@ -813,22 +819,6 @@ match_ipsec_out() # $1 = zone, $2 = host
fi fi
} }
#
# Generate a match for packets whose source matches the passed IPSET
#
match_ipset_source()
{
echo "-m set --set ${1#+} src"
}
#
# Generate a match for packets whose destination matches the passed IPSET
#
match_ipset_dest()
{
echo "-m set --set ${1#+} dst"
}
# #
# Jacket for ip_range() that takes care of iprange match # Jacket for ip_range() that takes care of iprange match
# #
@ -1560,6 +1550,17 @@ stop_firewall() {
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall... echo Restoring Shorewall...
$RESTOREPATH $RESTOREPATH
echo "Shorewall restored from $RESTOREPATH" echo "Shorewall restored from $RESTOREPATH"
@ -5906,13 +5907,15 @@ report_capabilities() {
} }
# #
# Restore ipsets # Restore ipset contents
# #
restore_ipsets() restore_ipset_contents() {
{ local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
local restore_sets=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
[ -x $restore_sets ] && $restore_sets if [ -x $ipset_script ]; then
progress_message "Restoring IPSET contents..."
$ipset_script || stop_firewall
fi
} }
# #
@ -6008,11 +6011,12 @@ initialize_netfilter () {
deleteallchains deleteallchains
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
[ -n "$SAVE_IPSETS" ] && restore_ipset_contents
run_user_exit continue run_user_exit continue
f=$(find_file routestopped) f=$(find_file routestopped)
@ -7560,6 +7564,7 @@ do_initialize() {
DROPINVALID= DROPINVALID=
RFC1918_STRICT= RFC1918_STRICT=
MACLIST_TTL= MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE= RESTOREFILE=
RESTOREBASE= RESTOREBASE=
@ -7757,6 +7762,7 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
# #
# Strip the files that we use often # Strip the files that we use often
# #
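Review bot: The guard `[ -n "$SAVE_IPSETS" ] && restore_ipset_contents` added in initialize_netfilter tests only for a non-empty value, while the shorewall CLI in this same commit tests `case $SAVE_IPSETS in [Yy]es)`; if `added_param_value_no` leaves a literal "No" in the variable (not visible here), every start would run the restore script with the option switched off. Make the two agree, e.g. `case $SAVE_IPSETS in [Yy]es) restore_ipset_contents ;; esac`. In the stop_firewall hunk the exit status of `${RESTOREPATH}-ipsets` is discarded before `$RESTOREPATH` is run, unlike restore_ipset_contents which does `|| stop_firewall`, and the preceding `iptables -F`/`iptables -X` act on the filter table only, so a set referenced from another table would still be in use when the generated script reaches `ipset -X`. Both stop_firewall and initialize_netfilter start and end outside their hunks.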


@ -162,6 +162,9 @@ separate_list() {
local list local list
local part local part
local newlist local newlist
local firstpart
local lastpart
local enclosure
# #
# There's been whining about us not catching embedded white space in # There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases. # comma-separated lists. This is an attempt to snag some of the cases.
@ -176,6 +179,25 @@ separate_list() {
$terminator "Invalid comma-separated list \"$@\"" $terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2 echo "Warning -- invalid comma-separated list \"$@\"" >&2
;; ;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets
#
firstpart=${@%%[*}
lastpart=${@#*[}
enclosure=${lastpart%]*}
lastpart=${lastpart#*]}
case $lastpart in
\,*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
return
;;
esac esac
list="$@" list="$@"
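Review bot: `enclosure=${lastpart%]*}` strips only the shortest suffix, so with two bracketed groups in one list (constructed example `a[b],c[d]`) lastpart is `b],c[d]` and the enclosure becomes `b],c[d` instead of `b`, and the second group is emitted twice; the longest-suffix form `enclosure=${lastpart%%]*}` cuts at the first `]` and matches the `${lastpart#*]}` on the following line. The expansions `${@%%[*}` and `${@#*[}` apply to each positional parameter separately, so this branch presumably relies on the caller passing the list as a single word; if that is intended it deserves a comment. separate_list starts and ends outside the hunk.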


@ -40,12 +40,31 @@ New Features in version 2.3.0
(see http://people.netfilter.org/kadlec/ipset/). (see http://people.netfilter.org/kadlec/ipset/).
In most places where an host or network address may be used, you may In most places where an host or network address may be used, you may
also use the name of an ipset prefaced by "+". The name of the set also use the name of an ipset prefaced by "+".
may optionally followed by a number from 1 to 6 enclosed in square
brackets ([]) -- this number indicates the maximum number of ipset Example: "+Mirrors"
binding levels that are to be matched. Depending on the context
where the ipset name is used, either all "src" or all "dst" matches The name of the set may optionally followed by:
will be used.
a) a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that
are to be matched. Depending on the context where the ipset name
is used, either all "src" or all "dst" matches will be used.
Example: "+Mirrors[4]"
b) a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly
to iptables in the generated --set clause. See the ipset
documentation for details.
Example: "+Mirrors[src,dst,src]"
Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
Example 1: Blacklist all hosts in an ipset named "blacklist" Example 1: Blacklist all hosts in an ipset named "blacklist"
@ -61,5 +80,60 @@ New Features in version 2.3.0
#ACTION SOURCE DEST PROTO DEST PORT(S) #ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22 ACCEPT +sshok fw tcp 22
Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then:
A) "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then your Shorewall
configuration will be saved in /var/lib/shorewall/standard and your
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
B) During "shorewall [re]start", shorewall will restore the ipset
contents from the file specifed in RESTOREFILE
(shorewall.conf). Again "-ipsets" is appended so if you have
RESTOREFILE=standard in shorewall.conf then your ipset contents will
be restored from /var/lib/shorewall/standard-ipsets.
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
and "shorewall start" commands will restore the ipset contents
corresponding to the Shorewall configuration restored provided that
the saved Shorewall configuration specified exists.
For example, "shorewall restore standard" would restore the ipset
contents from /var/lib/shorewall/standard-ipsets provided that
/var/lib/shorewall/standard exists and is executable and that
/var/lib/shorewall/standard-ipsets exists and is executable.
Ipsets are well suited for large blacklists. You can maintain your
blacklist using the 'ipset' utility without ever having to restart
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
sure to "shorewall save" after altering the blacklist ipset(s).
Example /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[2]
+Blacklistnets[2]
Create the blacklist ipsets using:
ipset -N Blacklist iphash
ipset -N Blacklistnets nethash
Add entries
ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.146.0/24
To allow entries for individual ports
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177.


@ -846,6 +846,17 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall... echo Restoring Shorewall...
$RESTOREPATH $RESTOREPATH
date > $STATEDIR/restarted date > $STATEDIR/restarted
@ -1211,6 +1222,22 @@ case "$1" in
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
case $SAVE_IPSETS in
[Yy]es)
RESTOREPATH=${RESTOREPATH}-ipsets
echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
echo "ipset -F" >> /var/lib/shorewall/restore-$$
echo "ipset -X" >> /var/lib/shorewall/restore-$$
echo "ipset -R << __EOF__" >> /var/lib/shorewall/restore-$$
ipset -S >> /var/lib/shorewall/restore-$$
echo "__EOF__" >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH"
;;
esac
else else
rm -f /var/lib/shorewall/restore-$$ rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved" echo " ERROR: Currently-running Configuration Not Saved"
@ -1246,6 +1273,12 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
rm -f ${RESTOREPATH}-ipsets
echo " ${RESTOREPATH}-ipsets removed"
fi
rm -f $RESTOREPATH rm -f $RESTOREPATH
echo " $RESTOREPATH removed" echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then elif [ -f $RESTOREPATH ]; then
@ -1303,6 +1336,14 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall... echo Restoring Shorewall...
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else else
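Review bot: In the save branch the exit status of `ipset -S >> /var/lib/shorewall/restore-$$` is ignored, so if ipset fails (tool missing, module not loaded) a script consisting of `ipset -U :all: :all:`, `ipset -F`, `ipset -X` and an empty `ipset -R` is still moved to `${RESTOREPATH}-ipsets` and made executable, and a later restore would destroy every set and reload nothing. Check the status before the `mv` and remove the partial file otherwise, as the surrounding code already does for the main restore file in its `else` branch. The two restore hunks in this file share the concern raised on the firewall script: they run `${RESTOREPATH}-ipsets` without looking at its status and flush only the filter table (`iptables -F`/`-X` without `-t`), so a set referenced from nat or mangle is still busy when the script reaches `ipset -X`. The enclosing `case "$1" in` arm starts outside the hunk.
```shell
    [Yy]es)
        RESTOREPATH=${RESTOREPATH}-ipsets
        # … unchanged: header, ipset -U/-F/-X and "ipset -R << __EOF__" lines …
        if ipset -S >> /var/lib/shorewall/restore-$$; then
            echo "__EOF__" >> /var/lib/shorewall/restore-$$
            mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
            chmod +x $RESTOREPATH
            echo " Current Ipset Contents Saved to $RESTOREPATH"
        else
            rm -f /var/lib/shorewall/restore-$$
            echo " ERROR: Ipset Contents Not Saved" >&2
        fi
        ;;
```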


@ -790,6 +790,20 @@ RFC1918_STRICT=No
MACLIST_TTL= MACLIST_TTL=
#
# Save/Restore IPSETS
#
# If SAVE_IPSETS=Yes then Shorewall will:
#
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
SAVE_IPSETS=No
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
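Review bot: The new comment block does not say what the generated restore script does to sets Shorewall does not manage: the script written by "shorewall save" runs `ipset -U :all: :all:`, `ipset -F` and `ipset -X` before reloading, so every ipset on the host is unbound, emptied and destroyed, not only those named in Shorewall configuration files. Suggest adding, below the existing text, `# Note: restoring replaces ALL ipsets on the system, not only those` / `# referenced by Shorewall; sets changed after the last "shorewall save" are lost.` so administrators who also maintain sets by hand are not surprised.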