Deimplement ipset binding support

Tom Eastep 2009-05-28 07:22:48 -07:00
parent d0d999488b
commit 7418e27308
6 changed files with 14 additions and 83 deletions

View File

@ -1797,28 +1797,19 @@ sub iprange_match() {
} }
# #
# Get set flags (ipsets). # Get set flags (ipsets) -- Given that ipset no longer supports binding,
# This function simply constructs the proper
# --set specification.
# #
sub get_set_flags( $$ ) { sub get_set_flags( $$ ) {
my ( $setname, $option ) = @_; my ( $setname, $option ) = @_;
my $options = $option;
$setname =~ s/^!//; # Caller has already taken care of leading ! $setname =~ s/^!//; # Caller has already taken care of leading !
if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) {
$setname = $1;
$options = $2;
}
$setname =~ s/^\+//; $setname =~ s/^\+//;
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
"--set $setname $options " "--set $setname $option "
} }
# #
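Review bot: with the `[n]` and `[src,dst,...]` parsing removed, a name written in the old form (for example `+Mirrors[4]`) is no longer caught here: the remaining check `/^[a-zA-Z]\w*/` is not anchored at the end of the string, so `Mirrors[4]` passes and `--set Mirrors[4] src` is emitted, failing only later inside iptables with an unhelpful message. Anchor the pattern (`/^[a-zA-Z]\w*$/`) or add an explicit `fatal_error` stating that the ipset binding syntax is no longer supported, so users of the removed syntax get a compile-time diagnostic. Dropping `my $options = $option;` is correct now that nothing appends to it; the rewritten header comment ("-- Given that ipset no longer supports binding, This function simply constructs ...") reads as a fragment and should be finished as one sentence.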

View File

@ -356,8 +356,6 @@ sub generate_script_3($) {
'', '',
'if [ "$COMMAND" = start ]; then' , 'if [ "$COMMAND" = start ]; then' ,
' if [ -f ${VARDIR}/ipsets.save ]; then' , ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -U :all: :all:' ,
' $IPSET -U :all: :default:' ,
' $IPSET -F' , ' $IPSET -F' ,
' $IPSET -X' , ' $IPSET -X' ,
' $IPSET -R < ${VARDIR}/ipsets.save' , ' $IPSET -R < ${VARDIR}/ipsets.save' ,
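Review bot: the two `$IPSET -U` unbind lines are dropped without any version gate, so the generated start sequence now assumes an ipset that has no bindings; on a host still running an older ipset with bindings in place, `$IPSET -X` may refuse to destroy the bound sets and `$IPSET -R` would then restore on top of them. If the compiler cannot detect the ipset version, have the start sequence stop on a failing `-X` instead of continuing to `-R`, or document the minimum ipset version the generated script expects.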

View File

@ -2589,7 +2589,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) {
conditionally_add_option $option; conditionally_add_option $option;
} }
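Review bot: SAVE_IPSETS is removed from the list of options copied into the auxiliary config, but this commit's changelog entry does not mention it, and the ipsets documentation edited below still tells users that setting SAVE_IPSETS=Yes in shorewall.conf produces a warning. Either record the removal in the changelog and docs, or leave the option in the list so that existing shorewall.conf settings keep behaving as documented.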

View File

@ -4,6 +4,9 @@ Changes in Shorewall 4.3.12
2) Add HFSC support. 2) Add HFSC support.
3) Delete support for ipset binding. Jozsef has removed the capability
from ipset.
Changes in Shorewall 4.3.11 Changes in Shorewall 4.3.11
1) Reduce the number of arguments passed in may cases. 1) Reduce the number of arguments passed in may cases.
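Review bot: the entry should say what breaks for users, not only why: the `+set[n]` and `+set[src,dst,...]` forms are no longer parsed, and SAVE_IPSETS is no longer copied into the auxiliary config, so configurations using either will behave differently after upgrading. The unchanged 4.3.11 line below also has a typo ("may cases" for "many cases") worth fixing while editing this file.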

View File

@ -81,12 +81,15 @@ released late in 2009.
class Ids in numeric sequence. In 4.3.9, that didn't work correctly class Ids in numeric sequence. In 4.3.9, that didn't work correctly
because Shorewall was generating the sequence "..8,9,10,11..." when because Shorewall was generating the sequence "..8,9,10,11..." when
the correct sequence was "...8,9,a,b,...". Shorewall now treats the correct sequence was "...8,9,a,b,...". Shorewall now treats
class IDs as hex, like 'tc' and 'iptables' do. class IDs as hex, as do 'tc' and 'iptables'.
This should only be an issue if you have more than 9 interfaces This should only be an issue if you have more than 9 interfaces
defined in /etc/shorewall/tcdevices and if you use class IDs in defined in /etc/shorewall/tcdevices and if you use class IDs in
/etc/shorewall/tcrules. You will need to renumber the class IDs for /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need
devices 10 and greater. to renumber the class IDs for devices 10 and greater.
6) Jozsef Kadlecsik has removed the set binding capability from ipset
3.1. As a consequence, Shorewall 4.3 no longer supports set binding.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 12 P R O B L E M S C O R R E C T E D I N 4 . 3 . 12
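Review bot: "Shorewall 4.3 no longer supports set binding" is too broad, since earlier 4.3.x releases did support it; say "Shorewall 4.3.12 and later". The note should also spell out the migration: the `+set[n]` and `+set[src,dst,...]` forms removed from the ipsets documentation in this commit are no longer accepted, so those entries must be rewritten as plain set names. Mentioning that the generated start script no longer issues `ipset -U` would help anyone who mirrors that sequence in /etc/shorewall/init.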

View File

@ -92,31 +92,6 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The name of the set may optionally followed by:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that are
to be matched. Depending on the context where the ipset name is used,
either all "src" or all "dst" matches will be used.</para>
<para>Example: "+Mirrors[4]"</para>
</listitem>
<listitem>
<para>a series of "src" and "dst" options separated by commas and
enclosed in square brackets ([]). These will be passed directly to
iptables in the generated --set clause. See the ipset documentation
for details.</para>
<para>Example: "+Mirrors[src,dst,src]"</para>
<para>Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".</para>
</listitem>
</orderedlist>
<para>To generate a negative match, prefix the "+" with "!" as in <para>To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".</para> "!+Mirrors".</para>
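Review bot: deleting the two bracket forms leaves the reader with an existing `+Mirrors[4]` or `+Mirrors[src,dst,src]` entry no statement of what to expect. Add a sentence after the list saying that the bracket suffixes formerly used to select binding levels are no longer supported and that only the bare set name, optionally prefixed with "!", is accepted.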
@ -144,14 +119,6 @@ ACCEPT +sshok $FW tcp 22</programlisting></para>
<filename>/etc/shorewall/init (it works for me; your mileage may <filename>/etc/shorewall/init (it works for me; your mileage may
vary)</filename>:</para> vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R &lt; /etc/shorewall/ipsets
fi</programlisting>
<para>The file <filename>/etc/shorewall/ipsets</filename> will <para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command> normally be produced using the <command>ipset -S</command>
command.</para> command.</para>
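Review bot: the lead-in sentence ending "vary):" now introduces nothing, since the programlisting it introduced has been removed, and the following paragraph still says /etc/shorewall/ipsets is produced with `ipset -S` without showing where it is loaded. Keep the listing with only the binding-free lines (the `-F`, `-X` and `-R` steps), which still match the sequence generate_script_3 emits in this commit, or drop the lead-in sentence as well.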
@ -176,37 +143,6 @@ fi</programlisting>
<para>As a consequence, scripts generated by the Perl-based compiler will <para>As a consequence, scripts generated by the Perl-based compiler will
ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning
if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para> if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para>
<para>Example (Note -- this example is applicable to ipset versions up to
and including 2.4. In 2.5, the binding feature of ipsets is scheduled for
removal in favor of different set types that include both IP addresses and
port numbers. Check your ipset documentation):</para>
<para><filename>/etc/shorewall/blacklist</filename>:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[src,dst]
+Blacklistnets[src,dst]</programlisting>
<para>Create the blacklist ipsets using:</para>
<programlisting><command>ipset -N Blacklist iphash
ipset -N Blacklistnets nethash</command></programlisting>
<para>Add entries:</para>
<programlisting><command>ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.147.0/24</command></programlisting>
<para>To allow entries for individual ports:</para>
<programlisting><command>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
<para>Now only port 25 will be blocked from 206.124.146.177.</para>
</section> </section>
<section id="Dynamic"> <section id="Dynamic">
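Review bot: removing the whole example also removes the iphash/nethash blacklist walkthrough, which remains valid without bindings; only the portmap set and the `ipset -B Blacklist ... -b SMTP` step depended on binding. Keep the first part (the `+Blacklist` and `+Blacklistnets` entries without the `[src,dst]` suffixes, and the `ipset -N`/`ipset -A` commands) and drop only the binding tail. The retained sentence about SAVE_IPSETS=Yes producing a warning should also be rechecked against the auxiliary config change in this commit, which drops SAVE_IPSETS from the emitted option list.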