Changes for 2.2.0 Beta 7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1803 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-12-04 23:37:19 +00:00
parent 884e405222
commit 594884732a
6 changed files with 121 additions and 64 deletions


@ -609,7 +609,7 @@ usage() # $1 = exit status
echo " restart [ <directory> ]"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]"
echo " stop"
echo " status"
@ -913,6 +913,24 @@ case "$1" in
echo
show_classifiers
;;
zones)
[ $# -gt 2 ] && usage 1
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ -f $STATEDIR/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone hosts; do
echo $zone
for host in $hosts; do
echo " $host"
done
done < $STATEDIR/zones
echo
else
echo " ERROR: $STATEDIR/zones does not exist" >&2
exit 1
fi
;;
*)
shift
@ -964,6 +982,10 @@ case "$1" in
echo "IP Configuration"
echo
ip addr ls
echo
echo "IP Stats"
echo
ip -stat link ls
if qt which brctl; then
echo
@ -1143,6 +1165,8 @@ case "$1" in
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
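Review bot: In the @ -913 hunk the new `zones)` case reads the state file with `while read zone hosts; do` and `done < $STATEDIR/zones`, so a backslash in a hosts entry is interpreted by `read` and a STATEDIR containing whitespace breaks both the redirection and the `-f` test; `read -r` and quoting are POSIX and match the file's own `[ -z "${STATEDIR}" ]` style. Suggested: `if [ -f "$STATEDIR/zones" ]; then`, `while read -r zone hosts; do` and `done < "$STATEDIR/zones"`. `echo $zone` and `for host in $hosts` appear to rely deliberately on word splitting of the space-separated list that activate_rules writes with `echo $zone $source_hosts >> ${STATEDIR}/zones`, which deserves a one-line comment since this is the only place the format of that file is parsed. The enclosing `case "$1" in` starts and ends outside the hunk.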


@ -181,6 +181,17 @@ run_iptables2() {
}
#
# Quietly run iptables
#
qt_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
qt $IPTABLES $@
}
#
# Run ip and if an error occurs, stop the firewall and quit
#
@ -1756,9 +1767,14 @@ setup_ipsec() {
set_mss1() # $1 = chain, $2 = MSS
{
eval local policy=\$${1}_policy
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
if [ "$policy" != NONE ]; then
case $COMMAND in
start|restart)
ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
;;
esac
fi
}
#
@ -2066,8 +2082,9 @@ setup_mac_lists() {
setup_syn_flood_chain ()
# $1 = policy chain
# $2 = synparams
# $3 = loglevel
{
local chain=$1
local chain=@$1
local limit=$2
local limit_burst=
@ -2078,9 +2095,11 @@ setup_syn_flood_chain ()
;;
esac
run_iptables -N @$chain
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
run_iptables -A @$chain -j DROP
run_iptables -N $chain
run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
[ -n "$3" ] && \
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
run_iptables -A $chain -j DROP
}
#
@ -5465,7 +5484,7 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
if qt $IPTABLES -N fooX1234 ; then
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
@ -5479,7 +5498,6 @@ determine_capabilities() {
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
fi
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
@ -6106,7 +6124,7 @@ add_common_rules() {
run_iptables -A $(input_chain $interface) -j $chain
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
run_iptables -A OUTPUT -j $(dynamic_out $interface)
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done
fi
@ -6126,7 +6144,7 @@ apply_policy_rules() {
eval loglevel=\$${chain}_loglevel
eval synparams=\$${chain}_synparams
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
if havechain $chain; then
[ -n "$synparams" ] && \
@ -6280,8 +6298,9 @@ activate_rules()
[ -n "$complex" ] && frwd_chain=${zone}_frwd
if [ -n "$DYNAMIC_ZONES" ]; then
echo $zone $source_hosts >> ${STATEDIR}/zones
if [ -n "$DYNAMIC_ZONES" ]; then
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
fi
@ -6541,6 +6560,25 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$aliases_to_add" ] && \
echo "Adding IP Addresses..." && add_ip_aliases
for file in chains nat proxyarp zones; do
append_file $file
done
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
> $RESTOREBASE
save_command "#"
save_command "# Restore tail file generated by Shorewall $version - $(date)"
save_command "#"
save_command "date > $STATEDIR/restarted"
run_user_exit start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
@ -6553,19 +6591,8 @@ define_firewall() # $1 = Command (Start or Restart)
rm -rf $TMP_DIR
for file in chains nat proxyarp zones; do
append_file $file
done
save_command "date > $STATEDIR/restarted"
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
}
@ -6622,6 +6649,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
do_iptables() # $@ = command
{
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2"
fi
@ -6630,7 +6660,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Isolate interface and host parts
#
interface=${1%:*}
interface=${1%%:*}
host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0"
@ -6735,7 +6765,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
else
source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\"
@ -6745,7 +6775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi
done
fi
@ -6754,7 +6784,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Add a rule to the dynamic out chain for the interface
#
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
@ -6763,7 +6793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
fi
done
fi
@ -6809,7 +6839,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Isolate interface and host parts
#
interface=${1%:*}
interface=${1%%:*}
host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0"
@ -6878,14 +6908,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Delete any nat table entries for the host(s)
#
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
else
source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6925,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi
done
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6940,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
fi
done
fi
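Review bot: In the @ -6541 and @ -6553 hunks of define_firewall, `$RESTOREBASE` is moved to `/var/lib/shorewall/restore-base-$$` early and only renamed to `restore-base` at the end, so any abort in between (for example a failing `run_user_exit start` or `refresh_blacklist`) leaves an orphaned `restore-base-$$` behind and keeps the previous start's `restore-base`, which `shorewall save` in the other file appears to copy unconditionally with `cp -f /var/lib/shorewall/restore-base ...`. Consider removing the interim file on the failure path (alongside the existing `rm -rf $TMP_DIR` cleanup) or deferring the move until both halves are complete. The three-file contract is only hinted at by the `'shorewall save' appends the iptables-save output and '__EOF__'` comment; a header comment such as `# restore-base: commands run before iptables-restore; save appends iptables-save output, __EOF__, then restore-tail` would make the dependency between the two scripts explicit. Both hunks lie inside define_firewall, whose start and end are outside the hunks; the duplicated physdev/iprange cleanup lines in qt_iptables (@ -181) and do_iptables (@ -6622) could share one helper, and the purpose of those marker files should be stated in a comment since neither hunk explains it.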


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall 2.1 -- /usr/share/shorewall/functions
# Shorewall 2.2 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
@ -73,9 +73,9 @@ qt()
#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $1 = contents of variable which may be the name of another variable
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$1\"
eval echo \"$@\"
}
#
@ -459,7 +459,7 @@ read_file() # $1 = file name, $2 = nest count
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file ${rest%#*}) $(($2 + 1))
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
@ -477,7 +477,7 @@ read_file() # $1 = file name, $2 = nest count
# Function for including one file into another
#
INCLUDE() {
. $(find_file $@)
. $(find_file $(expand $@))
}
#
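Review bot: The @ -459 and @ -477 hunks route the INCLUDE operand through `expand`, which is `eval echo \"$@\"`, so every file processed by `read_file` now has its INCLUDE arguments evaluated as shell code rather than merely looked up with `find_file`; the old `find_file ${rest%#*}` did no evaluation. That is acceptable only for files that are already trusted, so the header comment on `expand` should say so, e.g. `# NOTE: the argument is passed through eval -- call only with contents of trusted (root-owned, not world-writable) configuration files`. Separately, `eval echo \"$@\"` joins all arguments into one double-quoted word and is broken by an embedded double quote in the value; if a single expanded word is the intended result, the `# $@ = ...` comment should state that, otherwise `\"$@\"` should be `"$@"` so each argument stays a separate word.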


@ -29,11 +29,11 @@
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
(and bridge port/host if included) to the specified zone.
Example:
@ -95,11 +95,11 @@ debug)
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone.
Example:
@ -219,7 +219,7 @@ save)
;;
show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
@ -238,6 +238,8 @@ show)
shorewall show tc - displays information about the traffic
control/shaping configuration.
shorewall show zones - displays the contents of all zones.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
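Review bot: The add help text in the @ -29 hunk is left inconsistent: the synopsis line now reads `<interface>[:<bridge-port>][:<host>]`, but the unchanged explanatory line `shorewall add interface[:host] zone - Adds the specified interface` still shows the old form, whereas the @ -95 delete hunk updated both lines. Change it to `shorewall add interface[:port][:host] zone - Adds the specified interface` so the two entries match.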


@ -1 +1 @@
2.2.0-Beta6
2.2.0-Beta7


@ -1635,7 +1635,7 @@ alias ipt_pkttype off</programlisting>
url="http://www.cityofshoreline.com">the city where I live</ulink>) and
<quote>Fire<emphasis>wall</emphasis></quote>. The full name of the
product is actually <quote>Shoreline Firewall</quote> but
<quote>Shorewall</quote> is must more commonly used.</para>
<quote>Shorewall</quote> is much more commonly used.</para>
</section>
<section id="faq23">
@ -1740,8 +1740,9 @@ alias ipt_pkttype off</programlisting>
<itemizedlist>
<listitem>
<para>Netfilter/iptables doesn't fully support IPSEC in the 2.6
Kernels -- there are interim instructions linked from the <ulink
url="IPSEC.htm">Shorewall IPSEC page</ulink>.</para>
Kernels -- kernel and iptables patches are available and the details
may be found at the <ulink url="IPSEC-2.6.htm">Shorewall IPSEC-2.6
page</ulink>.</para>
</listitem>
<listitem>