Integrate iptables-save/iptables-restore

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1286 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-04-29 03:27:47 +00:00
parent 6e51b83380
commit 53fb6f1b4c
7 changed files with 126 additions and 15 deletions


@ -28,3 +28,6 @@ Changes since 2.0.1
13) Fix init.debian.sh. 13) Fix init.debian.sh.
14) Implement the -q option. 14) Implement the -q option.
15) Add saved configuration support (iptables-save/iptables-restore
integration).


@ -99,6 +99,14 @@ report () { # $* = message
logger "$@" logger "$@"
} }
#
# Write the passed args to /var/lib/shorewall/restore-$$
#
save_command()
{
echo "$@" >> /var/lib/shorewall/restore-$$
}
# #
# Run iptables and if an error occurs, stop the firewall and quit # Run iptables and if an error occurs, stop the firewall and quit
# #
@ -509,6 +517,7 @@ match_dest_hosts()
echo -d $1 echo -d $1
fi fi
} }
# #
# Similarly, the source or destination in a rule can be qualified by a device name. If # Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is # the device is defined in /etc/shorewall/interfaces then a normal interface match is
@ -1152,9 +1161,9 @@ setup_forwarding() {
# #
disable_ipv6() { disable_ipv6() {
if qt which ip6tables; then if qt which ip6tables; then
ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
else else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi fi
@ -1176,6 +1185,14 @@ stop_firewall() {
;; ;;
*) *)
set +x set +x
if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
my_mutex_off
kill $$
exit 2
fi
;; ;;
esac esac
@ -1563,6 +1580,7 @@ setup_proxy_arp() {
if [ -z "$haveroute" ]; then if [ -z "$haveroute" ]; then
run_ip route replace $address dev $interface run_ip route replace $address dev $interface
save_command ip route replace $address dev $interface
[ -n "$persistent" ] && haveroute=yes [ -n "$persistent" ] && haveroute=yes
fi fi
@ -1571,6 +1589,10 @@ setup_proxy_arp() {
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
save_command arp -i $external -Ds $address $external pub
eval save_command echo 1 '\>' /proc/sys/net/ipv4/conf/$interface/proxy_arp
eval save_command echo 0 '\>' /proc/sys/net/ipv4/conf/$external/proxy_arp
echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
progress_message " Host $address connected to $interface added to ARP on $external" progress_message " Host $address connected to $interface added to ARP on $external"
@ -1784,6 +1806,7 @@ setup_nat() {
if [ -n "$ADD_IP_ALIASES" ]; then if [ -n "$ADD_IP_ALIASES" ]; then
qt ip addr del $external dev $iface qt ip addr del $external dev $iface
save_command qt ip addr del $external dev $iface
fi fi
if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then
@ -4055,8 +4078,9 @@ setup_masq()
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
for addr in $(ip_range_explicit $address) ; do for addr in $(ip_range_explicit $address) ; do
if ! list_search $addr $aliases_to_add; then if ! list_search $addr $aliases_to_add; then
save_command qt ip addr del $addr dev $interface
aliases_to_add="$aliases_to_add $addr $fullinterface" aliases_to_add="$aliases_to_add $addr $fullinterface"
case $fullinterface in case $fullinterface in
*:*) *:*)
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
;; ;;
@ -4383,6 +4407,7 @@ add_ip_aliases()
{ {
val=$(address_details) val=$(address_details)
run_ip addr add ${external}${val} dev $interface $label run_ip addr add ${external}${val} dev $interface $label
save_command ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label" [ -n "$label" ] && label="with $label"
progress_message " IP Address $external added to interface $interface $label" progress_message " IP Address $external added to interface $interface $label"
@ -4925,6 +4950,7 @@ add_common_rules() {
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache run_ip route flush cache
save_command ip route flush cache
fi fi
if [ -n "$DYNAMIC_ZONES" ]; then if [ -n "$DYNAMIC_ZONES" ]; then
@ -5309,6 +5335,12 @@ define_firewall() # $1 = Command (Start or Restart)
report "Shorewall ${1}ed" report "Shorewall ${1}ed"
rm -rf $TMP_DIR rm -rf $TMP_DIR
save_command "iptables-restore < /var/lib/shorewall/iptsave"
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-new
chmod +x /var/lib/shorewall/restore-new
} }
# #
@ -5908,6 +5940,9 @@ do_initialize() {
fi fi
rm -f $TMP_DIR/physdev rm -f $TMP_DIR/physdev
echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
} }
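Review bot: The generated restore script carries no error handling, so if the `iptables-restore < /var/lib/shorewall/iptsave` line saved in define_firewall fails, every caller that sources the file (stop_firewall here, and the `start` and `restore` arms of /sbin/shorewall in this commit) still prints "Shorewall restored" and the ruleset is left in whatever state iptables-restore reached. A low-risk fix is to save it as `save_command "iptables-restore < /var/lib/shorewall/iptsave || return 1"` and have the callers test `. /var/lib/shorewall/restore || …`; if the file is ever run as a program rather than sourced, `exit 1` is the equivalent. Separately, `echo '#bin/sh'` in do_initialize is missing the `!`, so the `chmod +x` in define_firewall does not give the file a usable interpreter line. The `eval save_command echo 1 '\>' …` lines in setup_proxy_arp need no eval, since save_command only echoes its arguments: `save_command echo 1 '>' /proc/sys/net/ipv4/conf/$interface/proxy_arp` writes the same text. stop_firewall and setup_proxy_arp both begin before their hunks.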
# #


@ -185,6 +185,12 @@ restart)
If \"-q\" is specified, less detain is displayed making it easier to spot warnings" If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;; ;;
Restore)
echo "restore: restore
Restore Shorewall to it's last state saved using the 'save' command
Existing connections are maintained.
;;
save) save)
echo "save: save echo "save: save
The dynamic data is stored in /var/lib/shorewall/save The dynamic data is stored in /var/lib/shorewall/save
@ -215,11 +221,12 @@ show)
;; ;;
start) start)
echo "start: [ -q ] [ -c <configuration-directory> ] start echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings" If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
If \"-f\" is specified, the last saved configuraton if any will be restored"
;; ;;
stop) stop)
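Review bot: The new `Restore)` arm is capitalised while every other arm (`save)`, `start)`, `stop)`) is lowercase, so a `restore` argument will fall through to the default unless the selector is upper-cased somewhere outside this hunk. The string it prints is also never closed: `echo "restore: restore` opens a quote and `Existing connections are maintained.` ends without one, so the literal runs on to the `"` in `echo "save: save` and the arms after it are parsed as string content. The minimal change is `restore)` for the label, `Existing connections are maintained."` to terminate the string, and `its last state` for `it's`. The added start line also spells `configuration` as `configuraton`.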


@ -83,7 +83,7 @@ wait_for_pppd () {
shorewall_start () { shorewall_start () {
echo -n "Starting \"Shorewall firewall\": " echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd wait_for_pppd
$SRWL start >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL -f start >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
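Review bot: `$SRWL -f start` changes what the init script does on boot: with a saved configuration present it restores the ruleset captured at the last `shorewall save` rather than building one from /etc/shorewall, so configuration edits made since that save will presumably not take effect at boot until a restart or a fresh save. That deserves a comment on the line, e.g. `# -f: restore the ruleset saved by 'shorewall save' if one exists; otherwise a normal start`. The same applies to the new `start)` arm in the init.sh section below, where `exec /sbin/shorewall -f start` could carry the same comment.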


@ -62,7 +62,12 @@ command="$1"
case "$command" in case "$command" in
stop|start|restart|status) start)
exec /sbin/shorewall -f start
;;
stop|restart|status)
exec /sbin/shorewall $@ exec /sbin/shorewall $@
;; ;;


@ -23,12 +23,40 @@ Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
New Features: New Features:
1) The previous implementation of dynamic zones was difficult to 1) Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and
restart. The elements of this integration are as follows:
a) The 'shorewall save' command now saved the current configuration
in addition to the current dynamic blacklist. If you have
dynamic zones, you will want to issue 'shorewall save' when the
zones are empty or the current contents of the zones will be
restored by the 'shorewall restore' and 'shorewall -f start'
commands.
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there
is no saved configuration, a normal 'shorewall start' is
performed.
d) The /etc/init.d/shorewall script now translates the 'start'
command into 'shorewall -f start' so that fast restart is
possible.
WARNING: iptables 1.2.9 is broken with respect to iptables-save;
you must patch iptables with the iptables patch availale from the
Shorewall errata page.
2) The previous implementation of dynamic zones was difficult to
maintain. I have changed the code to make dynamic zones optional maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf. /etc/shorewall/shorewall.conf.
2) In earlier Shorewall 2.0 releases, Shorewall searches in order the 3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
following directories for configuration files. following directories for configuration files.
a) The directory specified in a 'try' command or specified using a) The directory specified in a 'try' command or specified using
@ -60,19 +88,19 @@ New Features:
/usr/share/shorewall/configpath. You can customize this file to /usr/share/shorewall/configpath. You can customize this file to
have a default that differs from mine. have a default that differs from mine.
3) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column 4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
would only take effect if the ALL INTERFACES column also contained would only take effect if the ALL INTERFACES column also contained
Yes or yes. Now, the LOCAL columns contents are treated Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column. independently of the contents of the ALL INTERFACES column.
4) The folks at Mandrake have created yet another kernel module 5) The folks at Mandrake have created yet another kernel module
naming convention (module names end in "ko.gz"). As a consequence, naming convention (module names end in "ko.gz"). As a consequence,
beginning with this release, if MODULE_PREFIX isn't specified in beginning with this release, if MODULE_PREFIX isn't specified in
shorewall.conf, then the default value is "o gz ko o.gz ko.gz". shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
5) An updated bogons file is included in this release. 7) An updated bogons file is included in this release.
6) In /etc/shorewall/rules and in action files generated from 7) In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can /usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and characters and is specified by following the log level with ":" and
@ -90,7 +118,7 @@ New Features:
characters; if a larger prefix is generated, Shorewall will issue a characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters. warning message and will truncate the prefix to 29 characters.
7) A new "-q" option has been added to /sbin/shorewall commands. It 8) A new "-q" option has been added to /sbin/shorewall commands. It
causes the start, restart, check and refresh commands to produce causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible (when much less output so that warning messages are more visible (when
testing this change, I discovered a bug where a bogus warning testing this change, I discovered a bug where a bogus warning


@ -549,6 +549,7 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart"
echo " restore"
echo " save" echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
@ -588,6 +589,8 @@ fi
SHOREWALL_DIR= SHOREWALL_DIR=
QUIET= QUIET=
IPT_OPTIONS="-nv" IPT_OPTIONS="-nv"
FAST=
done=0 done=0
while [ $done -eq 0 ]; do while [ $done -eq 0 ]; do
@ -624,6 +627,10 @@ while [ $done -eq 0 ]; do
QUIET=Yes QUIET=Yes
option=${option#q} option=${option#q}
;; ;;
f*)
FAST=Yes
option=${option#f}
;;
*) *)
usage 1 usage 1
;; ;;
@ -719,7 +726,18 @@ case $(echo -n "Testing") in
esac esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start)
[ $# -ne 1 ] && usage 1
get_config
if [ -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@ -937,11 +955,16 @@ case "$1" in
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved" echo "Dynamic Rules Saved"
if iptables-save > /var/lib/shorewall/iptsave; then
mv -f /var/lib/shorewall/restore-new /var/lib/shorewall/restore
echo "Last Started Configuration Saved"
fi
else else
echo "Error Saving the Dynamic Rules" echo "Error Saving the Dynamic Rules"
fi fi
@ -985,6 +1008,16 @@ case "$1" in
;; ;;
esac esac
;; ;;
restore)
if [ -f /var/lib/shorewall/restore ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
else
echo "File /var/lib/shorewall/restore: file not found"
exit 2
fi
;;
call) call)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
# #
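Review bot: `FAST` is parsed (`FAST=Yes` in the option loop) but never consulted: the new `start)` arm restores whenever /var/lib/shorewall/restore and iptsave exist, so plain `shorewall start` also skips building the current configuration, contrary to the help text and release notes in this commit which tie that behaviour to `-f`, unless FAST is consumed somewhere outside these hunks. The check should read `if [ -n "$FAST" -a -f /var/lib/shorewall/restore -a -f /var/lib/shorewall/iptsave ]; then`. The `restore)` arm at the end is also thinner than its siblings: it does not reject extra arguments with `[ $# -ne 1 ] && usage 1`, does not take `mutex_on` as `save` does, and tests only the restore file although the script it sources ends by reading /var/lib/shorewall/iptsave. Neither arm checks the result of sourcing the restore file, so "Shorewall restored" is printed even when iptables-restore fails.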