Changes for 1.3.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@152 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-07-24 14:09:55 +00:00
parent 142f3d2960
commit 6e238a6e4e
6 changed files with 168 additions and 48 deletions


@ -435,7 +435,7 @@ determine_hosts() {
done done
} }
recalculate_hosts() recalculate_interfaces()
{ {
interfaces= interfaces=
@ -457,12 +457,18 @@ determine_hosts() {
hosts=`find_hosts $zone` hosts=`find_hosts $zone`
hosts=`echo $hosts` # Remove extra trash hosts=`echo $hosts` # Remove extra trash
if [ -n "$hosts" ]; then if [ -n "MERGE_HOSTS" ]; then
####################################################################
# Zone will be the union of its host and interface definitions
#
do_a_zone
recalculate_interfaces
elif [ -n "$hosts" ]; then
#################################################################### ####################################################################
# Zone is defined in terms of hosts -- derive the interface list # Zone is defined in terms of hosts -- derive the interface list
# from the host list # from the host list
# #
recalculate_hosts recalculate_interfacess
else else
#################################################################### ####################################################################
# If no hosts are defined for a zone then the zone consists of any # If no hosts are defined for a zone then the zone consists of any
@ -658,6 +664,14 @@ validate_rule() {
case "$logtarget" in case "$logtarget" in
REJECT) REJECT)
target=reject target=reject
[ -n "$servport" ] && \
startup_error "Error: server port may not be specified in a REJECT rule;"\
"rule: \"$rule\""
;;
ACCEPT)
[ -n "$servport" ] && \
startup_error "Error: server port may not be specified in an ACCEPT rule;"\
"rule: \"$rule\""
;; ;;
REDIRECT) REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
@ -747,6 +761,8 @@ validate_rule() {
else else
clientzone="${clients%:*}" clientzone="${clients%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -782,8 +798,12 @@ validate_rule() {
if [ "$servers" != "${servers%:*}" ] ; then if [ "$servers" != "${servers%:*}" ] ; then
serverport="${servers#*:}" serverport="${servers#*:}"
servers="${servers%:*}" servers="${servers%:*}"
[ -z "$serverzone" -o -z "$serverport" ] && \
startup_error "Error: Empty destination zone or server port: rule \"$rule\""
else else
serverport= serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
fi fi
fi fi
############################################################################ ############################################################################
@ -1297,31 +1317,8 @@ setup_nat() {
fi fi
if [ -n "$ADD_IP_ALIASES" ]; then if [ -n "$ADD_IP_ALIASES" ]; then
# list_search $external $aliases_to_add || \
# Folks feel uneasy if they don't see all of the same aliases_to_add="$aliases_to_add $external $interface"
# decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets
# the VLSM and BRD from the primary address
#
# Get all of the lines that contain inet addresses with broadcast
#
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
if [ -n "$val" ] ; then
#
# Hack off the leading 'inet <ip addr>' (actually cut off the
# "/" as well but add it back in).
#
val="/${val#*/}"
#
# Now get the VLSM, "brd" and the broadcast address
#
val=${val%% scope*}
fi
run_ip addr add ${external}${val} dev $interface
echo "$external $interface" >> ${STATEDIR}/nat
fi fi
echo " Host $internal NAT $external on $interface" echo " Host $internal NAT $external on $interface"
@ -1678,10 +1675,16 @@ add_a_rule()
case "$logtarget" in case "$logtarget" in
REJECT) REJECT)
target=reject target=reject
[ -n "$servport" ] && \
fatal_error "Error: server port may not be specified in a REJECT rule;"\
"rule: \"$rule\""
;; ;;
REDIRECT) REDIRECT)
[ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\"" " specify a server IP; rule: \"$rule\""
[ -n "$servport" ] && \
startup_error "Error: server port may not be specified in an ACCEPT rule;" \
"rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
;; ;;
DNAT) DNAT)
@ -1790,6 +1793,8 @@ process_rule() {
else else
clientzone="${clients%:*}" clientzone="${clients%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%\!*}" ]; then
@ -1822,8 +1827,12 @@ process_rule() {
if [ "$servers" != "${servers%:*}" ] ; then if [ "$servers" != "${servers%:*}" ] ; then
serverport="${servers#*:}" serverport="${servers#*:}"
servers="${servers%:*}" servers="${servers%:*}"
[ -z "$serverzone" -o -z "$serverport" ] && \
fatal_error "Error: Empty destination zone or server port: rule \"$rule\""
else else
serverport= serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
fi fi
fi fi
@ -2403,16 +2412,8 @@ setup_masq()
esac esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
qt ip addr del $address dev $interface list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $external $address"
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
if [ -n "$val" ] ; then
val="/${val#*/}"
val=${val%% scope*}
fi
run_ip addr add ${address}${val} dev $interface
echo "$address $interface" >> ${STATEDIR}/nat
fi fi
destination=$destnet destination=$destnet
@ -2574,6 +2575,49 @@ verify_os_version() {
esac esac
} }
################################################################################
# Add IP Aliases #
################################################################################
add_ip_aliases() # $* = addresses and devices
{
do_one()
{
#
# Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets
# the VLSM and BRD from the primary address
#
# Get all of the lines that contain inet addresses with broadcast
#
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
if [ -n "$val" ] ; then
#
# Hack off the leading 'inet <ip addr>' (actually cut off the
# "/" as well but add it back in).
#
val="/${val#*/}"
#
# Now get the VLSM, "brd" and the broadcast address
#
val=${val%% scope*}
fi
run_ip addr add ${external}${val} dev $interface
echo "$external $interface" >> ${STATEDIR}/nat
echo " IP Address $external added to interface $interface"
}
while [ $# -gt 0 ]; do
external=$1
interface=$2
shift;shift
do_one
done
}
################################################################################ ################################################################################
# Load kernel modules required for Shorewall # # Load kernel modules required for Shorewall #
################################################################################ ################################################################################
@ -3143,10 +3187,16 @@ define_firewall() # $1 = Command (Start or Restart)
activate_rules activate_rules
[ -n "$aliases_to_add" ] && \
echo "Adding IP Addresses..." && \
add_ip_aliases $aliases_to_add
run_user_exit start run_user_exit start
createchain shorewall no createchain shorewall no
date > /var/lib/shorewall/restarted
report "Shorewall ${1}ed" report "Shorewall ${1}ed"
rm -rf $TMP_DIR rm -rf $TMP_DIR
@ -3322,10 +3372,13 @@ do_initialize() {
NAT_BEFORE_RULES= NAT_BEFORE_RULES=
MULTIPORT= MULTIPORT=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MERGE_HOSTS=
MUTEX_TIMEOUT=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
nonat_seq=1 nonat_seq=1
aliases_to_add=
TMP_DIR=/tmp/shorewall-$$ TMP_DIR=/tmp/shorewall-$$
rm -rf $TMP_DIR rm -rf $TMP_DIR
@ -3396,6 +3449,7 @@ do_initialize() {
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
} }
################################################################################ ################################################################################
@ -3469,6 +3523,7 @@ case "$command" in
reset) reset)
iptables -L -n -Z -v iptables -L -n -Z -v
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
date > /var/lib/shorewall/restarted
;; ;;
refresh) refresh)
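Review bot: In the determine_hosts hunk the new test `if [ -n "MERGE_HOSTS" ]; then` is missing the `$`, so it tests a non-empty literal and is always true: every zone takes the merge path (`do_a_zone` then `recalculate_interfaces`) regardless of the MERGE_HOSTS setting, and the `elif [ -n "$hosts" ]` branch is unreachable. That unreachable branch also calls `recalculate_interfacess`, which does not match the function renamed in the first hunk (`recalculate_interfaces`), so once the test is fixed the hosts-only case would fail with a command-not-found. The two lines should read `if [ -n "$MERGE_HOSTS" ]; then` and `recalculate_interfaces`; this presumably relies on `added_param_value_no` (later hunk) mapping No to the empty string, which should be confirmed. determine_hosts starts and ends outside the hunk.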


@ -71,14 +71,15 @@
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the
# destination port. # destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
# #
# Example: loc:192.168.1.3:3128 specifies a local # Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port # server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer # 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services. # and not as a name from /etc/services.
# #
# if the RESULT is REDIRECT, this column needs only to # if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
@ -92,6 +93,8 @@
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain


@ -228,8 +228,6 @@ NAT_BEFORE_RULES=Yes
MULTIPORT=No MULTIPORT=No
MULTIPORT=No
# DNAT IP Address Detection # DNAT IP Address Detection
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule:
@ -261,4 +259,51 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
# Merge Hosts File
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
#
# Mutex Timeout
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
MUTEX_TIMEOUT=60
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
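Review bot: The MERGE_HOSTS example's result line drops the network mask: the hosts entry is `loc ppp+:192.168.1.0/24` but the explanatory text says the merged zone would contain `ppp+:192.168.1.0 and eth1:0.0.0.0/0`; it should read `# ppp+:192.168.1.0/24 and eth1:0.0.0.0/0`. Note also that the shipped value is `MERGE_HOSTS=Yes` while the comment above it states that an unset value means No, so anyone installing this file as-is gets the new merging behaviour rather than the documented default; if that is intended it is worth saying so in the comment.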


@ -432,6 +432,14 @@ usage() # $1 = exit status
exit $1 exit $1
} }
#################################################################################
# Display the time that the counters were last reset #
#################################################################################
show_reset() {
[ -f /var/lib/shorewall/restarted ] && \
echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n"
}
################################################################################# #################################################################################
# Execution begins here # # Execution begins here #
################################################################################# #################################################################################
@ -533,10 +541,12 @@ case "$1" in
;; ;;
nat) nat)
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
show_reset
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
@ -551,6 +561,7 @@ case "$1" in
;; ;;
*) *)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
;; ;;
esac esac
@ -569,6 +580,7 @@ case "$1" in
get_config get_config
clear clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v iptables -L -n -v
echo echo
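Review bot: show_reset hard-codes `/var/lib/shorewall/restarted`, as do the two `date > /var/lib/shorewall/restarted` writers added to the firewall script, whereas the other per-run state file in that script is written as `${STATEDIR}/nat`. If STATEDIR is meant to be configurable (the functions file's get_statedir suggests it is), reader and writers should both use `${STATEDIR}/restarted` so the timestamp does not silently vanish when the state directory is moved; in this script that requires STATEDIR to be populated before the `nat` and `tos` branches call show_reset, which I cannot confirm from the hunks. Also, because define_firewall writes the same file on every start and restart, the `Counters reset` line reports the last start, restart or reset, which is accurate only if a restart is meant to count as a counter reset; a broader label such as `Counters reset / firewall restarted` would avoid the ambiguity.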


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- /etc/shorewall/functions # Shorewall 1.3 -- /var/lib/shorewall/functions
# #
# Suppress all output for a command # Suppress all output for a command
@ -92,6 +92,8 @@ determine_zones()
############################################################################### ###############################################################################
get_statedir() get_statedir()
{ {
MUTEX_TIMEOUT=
local config=`find_file shorewall.conf` local config=`find_file shorewall.conf`
if [ -f $config ]; then if [ -f $config ]; then
@ -116,15 +118,19 @@ get_statedir()
mutex_on() mutex_on()
{ {
local try=0 local try=0
local max=15 local max=
local int=2 local int=1
local lockf=$STATEDIR/lock local lockf=$STATEDIR/lock
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
max=${MUTEX_TIMEOUT}
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
if qt which lockfile; then if qt which lockfile; then
lockfile -030 -r1 ${lockf} || exit 2 lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
else else
while [ -f ${lockf} -a ${try} -lt ${max} ] ; do while [ -f ${lockf} -a ${try} -lt ${max} ] ; do
sleep ${int} sleep ${int}
@ -136,7 +142,6 @@ mutex_on()
echo $$ > ${lockf} echo $$ > ${lockf}
else else
echo "Giving up on lock file ${lockf}" >&2 echo "Giving up on lock file ${lockf}" >&2
exit 2
fi fi
fi fi
} }
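Review bot: mutex_on no longer aborts when it fails to obtain the lock: the `|| exit 2` after `lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}` was dropped, and the `exit 2` after `Giving up on lock file` in the fallback path was removed as well, so the caller now goes on to rewrite the ruleset without mutual exclusion and without ever owning the lock file. If the intent (per the MUTEX_TIMEOUT comment in shorewall.conf) is to treat the previous holder as dead after the timeout, that should be done explicitly, e.g. `echo $$ > ${lockf}` in the give-up branch so the stale lock is taken over and later released, and the lockfile(1) branch needs the same decision; otherwise both exits should be restored. Either way the two branches should behave alike, as they did before this change. mutex_on begins before the first hunk and the give-up `if` opens outside the second.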


@ -1 +1 @@
1.3.4 1.3.5