Fixes for iprange implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1614 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-09-09 20:18:49 +00:00
parent 2ff3d930a6
commit 6f48c5e030
3 changed files with 74 additions and 19 deletions


@ -71,3 +71,5 @@ Changes since 2.0.3
34) Add CLASSIFY support. 34) Add CLASSIFY support.
35) Fix iprange support so that ranges in both source and destination work.


@ -153,7 +153,8 @@ append_file() # $1 = File Name
# #
run_iptables() { run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! iptables $@ ; then if ! iptables $@ ; then
if [ -z "$stopping" ]; then if [ -z "$stopping" ]; then
@ -507,6 +508,20 @@ first_chains() #$1 = interface
echo ${c}_fwd ${c}_in echo ${c}_fwd ${c}_in
} }
#
# Horrible hack to work around an iptables limitation
#
iprange_echo()
{
if [ -f $TMP_DIR/iprange ]; then
echo $@
else
echo "-m iprange $@"
> $TMP_DIR/iprange
fi
}
# #
# Source IP range # Source IP range
# #
@ -514,7 +529,7 @@ source_ip_range() # $1 = Address or Address Range
{ {
case $1 in case $1 in
*.*.*.*-*.*.*.*) *.*.*.*-*.*.*.*)
echo "-m iprange --src-range $1" iprange_echo "--src-range $1"
;; ;;
*) *)
echo "-s $1" echo "-s $1"
@ -529,7 +544,7 @@ dest_ip_range() # $1 = Address or Address Range
{ {
case $1 in case $1 in
*.*.*.*-*.*.*.*) *.*.*.*-*.*.*.*)
echo "-m iprange --dst-range $1" iprange_echo "--dst-range $1"
;; ;;
*) *)
echo "-d $1" echo "-d $1"
@ -537,8 +552,35 @@ dest_ip_range() # $1 = Address or Address Range
esac esac
} }
both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
{
local prefix= match=
case $1 in
*.*.*.*-*.*.*.*)
prefix="-m iprange"
match="--src-range $1"
;;
*)
match="-s $1"
;;
esac
case $2 in
*.*.*.*-*.*.*.*)
prefix="-m iprange"
match="$match --dst-range $2"
;;
*)
match="$match -d $2"
;;
esac
echo "$prefix $match"
}
# #
# Horrible hack to work around an iptables bug # Horrible hack to work around an iptables limitation
# #
physdev_echo() physdev_echo()
{ {
@ -1391,7 +1433,7 @@ stop_firewall() {
else else
routeback=Yes routeback=Yes
for h in $(separate_list $host); do for h in $(separate_list $host); do
iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done done
fi fi
;; ;;
@ -1407,12 +1449,12 @@ stop_firewall() {
for host in $hosts; do for host in $hosts; do
interface=${host%:*} interface=${host%:*}
networks=${host#*:} networks=${host#*:}
iptables -A INPUT -i $interface -s $networks -j ACCEPT iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do for host1 in $hosts; do
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done done
done done
@ -1518,13 +1560,13 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
fi fi
run_iptables -A $outchain -p udp -d $1 --dport 500 $options run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
if [ $kind = ipsec ]; then if [ $kind = ipsec ]; then
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
fi fi
for z in $(separate_list $3); do for z in $(separate_list $3); do
@ -2712,7 +2754,7 @@ add_an_action()
;; ;;
*:*) *:*)
action_interface_verify ${client%:*} action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})"
;; ;;
*.*.*) *.*.*)
cli="-s $client" cli="-s $client"
@ -4873,7 +4915,7 @@ setup_masq()
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports -j $newchain
done done
done done
else else
@ -4919,7 +4961,7 @@ setup_masq()
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for network in $networks; do for network in $networks; do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist
done done
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
@ -5914,8 +5956,9 @@ activate_rules()
if havenatchain $destchain ; then if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables -t nat -A $sourcechain $@ -j $destchain
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then else
rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi fi
} }
@ -5933,8 +5976,10 @@ activate_rules()
eval run_iptables -t nat -I $sourcechain \ eval run_iptables -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain \$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then else
rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi fi
} }
# #
@ -6892,6 +6937,7 @@ do_initialize() {
fi fi
rm -f $TMP_DIR/physdev rm -f $TMP_DIR/physdev
rm -f $TMP_DIR/iprange
} }
# #
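Review bot: The marker file that iprange_echo writes is only cleared by run_iptables and do_initialize, yet the stop_firewall hunk invokes `iptables` directly, so when $networks is a range the INPUT rule's source_ip_range creates $TMP_DIR/iprange and the following OUTPUT rule's dest_ip_range (and every later host's rule in that loop) is emitted without `-m iprange`, which iptables is likely to reject as an unknown option. Either build those two rules without the marker (as the FORWARD rules now do via both_ip_ranges) or clear it after each direct call, e.g. add `rm -f $TMP_DIR/iprange` after the INPUT line and again after the OUTPUT line. Separately, the new else branch in the first activate_rules hunk reads `-rm -f $TMP_DIR/physdev`; unless that is a rendering artifact, the leading `-` makes it an unknown command, so the physdev marker is never cleared on that path (the sibling hunk below correctly uses `rm -f`). Both stop_firewall and activate_rules extend beyond the lines shown here.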


@ -1,4 +1,4 @@
Shorewall 2.1.8 Shorewall 2.1.9
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.3 Problems Corrected since 2.0.3
@ -51,6 +51,13 @@ Problems corrected since 2.1.7
automatically at boot. This feature was inadvertently removed in automatically at boot. This feature was inadvertently removed in
Shorewall 2.1.3. Shorewall 2.1.3.
Problems corrected since 2.1.8
1) IP ranges in the routestopped and tunnels files now work.
2) Rules where an IP range appears in both the source and destination
now work correctly.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.1: Issues when migrating from Shorewall 2.0 to Shorewall 2.1: