From 86d6d6900e7e686f7b1d1489b17729754be239f6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 14 Mar 2015 08:54:30 -0700 Subject: [PATCH] Improve 'close' and 'show opens' commands - close accepts a rule number - list opens displays rule numbers Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 156 ++++++++++++------- Shorewall-lite/manpages/shorewall-lite.xml | 32 ++-- Shorewall/manpages/shorewall.xml | 30 ++-- Shorewall6-lite/manpages/shorewall6-lite.xml | 33 +++- Shorewall6/manpages/shorewall6.xml | 27 ++-- 5 files changed, 194 insertions(+), 84 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index b61c77e28..f650629d0 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -1229,8 +1229,9 @@ show_command() { echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)" if chain_exists dynamic; then - $g_tool -t filter -L dynamic $g_ipt_options | head -n2 - $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter + g_ipt_options="$g_ipt_options --line-numbers" + $g_tool -t filter -L dynamic $g_ipt_options | head -n2 + $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter fi ;; *) 
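Review bot: The new `g_ipt_options="$g_ipt_options --line-numbers"` line appends to a global instead of a local, so any later code in the same process that reads g_ipt_options (nothing visible in this hunk, but show_command starts before it) would now also pass --line-numbers. Since the option is only needed for the two `-L dynamic` listings that follow, keep it local: `local opts="$g_ipt_options --line-numbers"` and use `$g_tool -t filter -L dynamic $opts | head -n2` / `$g_tool -t filter -L dynamic $opts | fgrep ACCEPT | $output_filter` on the two listing lines (lib.cli already uses `local` elsewhere). Capturing the listing once in a variable instead of running the tool twice would also avoid the header and body coming from two different snapshots of the chain, though that is optional.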
@@ -2085,70 +2086,121 @@ delete_command() { fi } +open_close_setup() { + [ -n "$g_nolock" ] || mutex_on + + if ! product_is_started ; then + [ -n "$g_nolock" ] || mutex_off + fatal_error "The $COMMAND command requires the firewall to be running" + fi + + if ! chain_exists dynamic; then + [ -n "$g_nolock" ] || mutex_off + fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration" + fi +} + open_close_command() { local command local desc - product_is_started || fatal_error "The $COMMAND command requires the firewall to be running" - chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration" - - [ $# -ge 2 ] || fatal_error "Too few parameters" [ $# -le 4 ] || fatal_error "Too many parameters" - if [ $1 = all ]; then - command=dynamic - else - command="dynamic -s $1" - fi - - if [ $2 != all ]; then - command="$command -d $2" - fi - - desc="from $1 to $2" - - if [ $# -ge 3 ]; then - command="$command -p $3" - - case $3 in - [0-9]*) - desc="$desc protocol $3" - ;; - *) - desc="$desc $3" - ;; - esac - fi - - if [ $# -eq 4 ]; then - command="$command -m multiport --dports $4" - - case $4 in - [0-9]*,) - desc="$desc ports $4" - ;; - [0-9]*) - desc="$desc port $4" - ;; - *) - desc="$desc $4" - ;; - esac - fi - - command="$command -j ACCEPT" - if [ $COMMAND = open ]; then - if $g_tool -I $command ; then - echo "Firewall dynamically opened for connections $desc" - return 0 + [ $# -ge 2 ] || fatal_error "Too few parameters" + else + [ $# -ge 1 ] || fatal_error "Too few parameters" + fi + + if [ $# -eq 1 ]; then + # + # close + # + case $1 in + [0-9]*) + ;; + *) + fatal_error "Invalid Rule Number ($1)" + ;; + esac + + open_close_setup #Conditionally acquires mutex + + if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then + if $g_tool -D dynamic $1; then + [ -n "$g_nolock" ] || mutex_off + echo "Temporary open #$1 closed" + return 0 + fi + [ -n "$g_nolock" ] || 
mutex_off + return 2 + else + [ -n "$g_nolock" ] || mutex_off + fatal_error "$1 is not a valid temporary open number" fi else + if [ $1 = all ]; then + command=dynamic + else + command="dynamic -s $1" + fi + + if [ $2 != all ]; then + command="$command -d $2" + fi + + desc="from $1 to $2" + + if [ $# -ge 3 ]; then + command="$command -p $3" + + case $3 in + [0-9]*) + desc="$desc protocol $3" + ;; + *) + desc="$desc $3" + ;; + esac + fi + + if [ $# -eq 4 ]; then + command="$command -m multiport --dports $4" + + case $4 in + [0-9]*,) + desc="$desc ports $4" + ;; + [0-9]*) + desc="$desc port $4" + ;; + *) + desc="$desc $4" + ;; + esac + fi + + command="$command -j ACCEPT" + + open_close_setup #Conditionally acquires mutex + + if [ $COMMAND = open ]; then + if $g_tool -I $command ; then + [ -n "$g_nolock" ] || mutex_off + echo "Firewall dynamically opened for connections $desc" + return 0 + fi + [ -n "$g_nolock" ] || mutex_off + return 2 + fi + if $g_tool -D $command 2> /dev/null; then + [ -n "$g_nolock" ] || mutex_off echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)" return 0 fi + [ -n "$g_nolock" ] || mutex_off fatal_error "Connections $desc are not currently opened" fi } diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 025d8f473..058c2a8b3 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -62,10 +62,16 @@ shorewall-lite - - source dest - protocol port - + | + + -options + + + open-number | + sourcedestprotocol + port + 
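Review bot: The rule-number check `[0-9]*)` in the new close-by-number branch only inspects the first character, so an argument such as `1 foo` or `1.*` passes it and is then interpolated unquoted into the regex `grep -q "^$1 .* ACCEPT "` and into `$g_tool -D dynamic $1`, where it is word-split and glob-expanded into extra iptables arguments. The caller is already root, so this is a robustness issue rather than a privilege boundary, but the check should reject anything that is not purely digits and the argument should be quoted: `''|*[!0-9]*) fatal_error "Invalid Rule Number ($1)" ;;` as the single case arm, and `if $g_tool -D dynamic "$1"; then`. The verification listing `$g_tool -L dynamic --line-numbers` is run without `-n`, unlike the `show opens` listing that passes `$g_ipt_options` (presumably including -n), so it may perform reverse DNS lookups on every rule address while the mutex is held; `$g_tool -n -L dynamic --line-numbers` avoids that stall. The repeated `[ -n "$g_nolock" ] || mutex_off` before every exit path is easy to miss on a future edit; a small `open_close_done()` helper, or releasing the mutex in the caller, would keep the lock handling in one place. Both open_close_setup and open_close_command begin and end inside this hunk.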
@@ -650,15 +656,23 @@ - close + close { + open-number | source dest [ protocol [ port - ] ] + ] ] } - Added in Shorewall 4.5.8. This command reverses the effect of - an earlier open command; the parameters must - match those given in that earlier command. + Added in Shorewall 4.5.8. This command closes a temporary open + created by the open command. In the first form, + an open-number specifies the open to be + closed. Open numbers are displayed in the num column of the output of the + shorewall-lite show opens command. + + When the second form of the command is used, the parameters + must match those given in the earlier open + command. diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index b922a523e..e3250def7 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -88,12 +88,16 @@ shorewall + | + -options - - source dest - protocol port - + + open-number | + sourcedestprotocol + port + @@ -944,15 +948,23 @@ - close + close { + open-number | source dest [ protocol [ port - ] ] + ] ] } - Added in Shorewall 4.5.8. This command reverses the effect of - an earlier open command; the parameters must - match those given in that earlier command. + Added in Shorewall 4.5.8. This command closes a temporary open + created by the open command. In the first form, + an open-number specifies the open to be + closed. Open numbers are displayed in the num column of the output of the + shorewall show opens command. + + When the second form of the command is used, the parameters + must match those given in the earlier open + command. diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index bfd7b6856..e2d2c3229 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -59,6 +59,21 @@ choice="plain"> + + shorewall6-lite + + | + + -options + + + open-number | + sourcedestprotocol + port + + + shorewall6-lite 
@@ -661,15 +676,23 @@ - close + close { + open-number | source dest [ protocol [ port - ] ] + ] ] } - Added in Shorewall 4.5.8. This command reverses the effect of - an earlier open command; the parameters must - match those given in that earlier command. + Added in Shorewall 4.5.8. This command closes a temporary open + created by the open command. In the first form, + an open-number specifies the open to be + closed. Open numbers are displayed in the num column of the output of the + shorewall6-lite show opens command. + + When the second form of the command is used, the parameters + must match those given in the earlier open + command. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index f73ca2c8f..67ee39370 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -91,10 +91,11 @@ -options - - source dest - protocol port - + + open-number | + sourcedestprotocol + port + @@ -882,15 +883,23 @@ - close + close { + open-number | source dest [ protocol [ port - ] ] + ] ] } - Added in Shorewall 4.5.8. This command reverses the effect of - an earlier open command; the parameters must - match those given in that earlier command. + Added in Shorewall 4.5.8. This command closes a temporary open + created by the open command. In the first form, + an open-number specifies the open to be + closed. Open numbers are displayed in the num column of the output of the + shorewall6 show opens command. + + When the second form of the command is used, the parameters + must match those given in the earlier open + command.