Improve 'close' and 'show opens' commands

- close accepts a rule number
- show opens displays rule numbers

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-03-14 08:54:30 -07:00
parent d7a1ca41f9
commit 86d6d6900e
5 changed files with 194 additions and 84 deletions


@ -1229,8 +1229,9 @@ show_command() {
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then if chain_exists dynamic; then
$g_tool -t filter -L dynamic $g_ipt_options | head -n2 g_ipt_options="$g_ipt_options --line-numbers"
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter $g_tool -t filter -L dynamic $g_ipt_options | head -n2
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
fi fi
;; ;;
*) *)
@ -2085,70 +2086,121 @@ delete_command() {
fi fi
} }
open_close_setup() {
[ -n "$g_nolock" ] || mutex_on
if ! product_is_started ; then
[ -n "$g_nolock" ] || mutex_off
fatal_error "The $COMMAND command requires the firewall to be running"
fi
if ! chain_exists dynamic; then
[ -n "$g_nolock" ] || mutex_off
fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
fi
}
open_close_command() { open_close_command() {
local command local command
local desc local desc
product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
[ $# -ge 2 ] || fatal_error "Too few parameters"
[ $# -le 4 ] || fatal_error "Too many parameters" [ $# -le 4 ] || fatal_error "Too many parameters"
if [ $1 = all ]; then
command=dynamic
else
command="dynamic -s $1"
fi
if [ $2 != all ]; then
command="$command -d $2"
fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then
command="$command -p $3"
case $3 in
[0-9]*)
desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
fi
if [ $# -eq 4 ]; then
command="$command -m multiport --dports $4"
case $4 in
[0-9]*,)
desc="$desc ports $4"
;;
[0-9]*)
desc="$desc port $4"
;;
*)
desc="$desc $4"
;;
esac
fi
command="$command -j ACCEPT"
if [ $COMMAND = open ]; then if [ $COMMAND = open ]; then
if $g_tool -I $command ; then [ $# -ge 2 ] || fatal_error "Too few parameters"
echo "Firewall dynamically opened for connections $desc" else
return 0 [ $# -ge 1 ] || fatal_error "Too few parameters"
fi
if [ $# -eq 1 ]; then
#
# close <rule number>
#
case $1 in
[0-9]*)
;;
*)
fatal_error "Invalid Rule Number ($1)"
;;
esac
open_close_setup #Conditionally acquires mutex
if $g_tool -L dynamic --line-numbers | grep -q "^$1 .* ACCEPT "; then
if $g_tool -D dynamic $1; then
[ -n "$g_nolock" ] || mutex_off
echo "Temporary open #$1 closed"
return 0
fi
[ -n "$g_nolock" ] || mutex_off
return 2
else
[ -n "$g_nolock" ] || mutex_off
fatal_error "$1 is not a valid temporary open number"
fi fi
else else
if [ $1 = all ]; then
command=dynamic
else
command="dynamic -s $1"
fi
if [ $2 != all ]; then
command="$command -d $2"
fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then
command="$command -p $3"
case $3 in
[0-9]*)
desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
fi
if [ $# -eq 4 ]; then
command="$command -m multiport --dports $4"
case $4 in
[0-9]*,)
desc="$desc ports $4"
;;
[0-9]*)
desc="$desc port $4"
;;
*)
desc="$desc $4"
;;
esac
fi
command="$command -j ACCEPT"
open_close_setup #Conditionally acquires mutex
if [ $COMMAND = open ]; then
if $g_tool -I $command ; then
[ -n "$g_nolock" ] || mutex_off
echo "Firewall dynamically opened for connections $desc"
return 0
fi
[ -n "$g_nolock" ] || mutex_off
return 2
fi
if $g_tool -D $command 2> /dev/null; then if $g_tool -D $command 2> /dev/null; then
[ -n "$g_nolock" ] || mutex_off
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)" echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
return 0 return 0
fi fi
[ -n "$g_nolock" ] || mutex_off
fatal_error "Connections $desc are not currently opened" fatal_error "Connections $desc are not currently opened"
fi fi
} }
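Review bot: The rule-number validation in the new `close <rule number>` branch only checks the first character — `case $1 in [0-9]*)` accepts values such as `1.*` or `1 -s x`, and `$1` is then interpolated into a grep regex (`"^$1 .* ACCEPT "`) and expanded unquoted in `$g_tool -D dynamic $1`, so the guard does not deliver the pure integer the rest of the branch assumes. Rejecting any non-digit instead closes that gap: `''|*[!0-9]*) fatal_error "Invalid Rule Number ($1)" ;;` as the first arm, with `*)` as the accept case, and quoting the later uses as `grep -q "^$1 .* ACCEPT "` and `"$g_tool" -D dynamic "$1"` costs nothing. The list-then-delete sequence also relies on the mutex taken in open_close_setup; with `nolock` the number verified by grep may no longer refer to the same rule by the time `-D` runs, which is worth a one-line comment such as `# Without the mutex the rule number may be stale by the time we delete it`. The enclosing hunk starts with the tail of delete_command, which is defined outside this view.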


@ -62,10 +62,16 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
<arg choice="plain"><option>close</option><replaceable> <arg
source</replaceable><replaceable> dest</replaceable><arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
</arg> </arg></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -650,15 +656,23 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">close</emphasis> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [ <replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable> <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term> ] ] }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of <para>Added in Shorewall 4.5.8. This command closes a temporary open
an earlier <command>open</command> command; the parameters must created by the <command>open</command> command. In the first form,
match those given in that earlier command.</para> an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall-lite show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -88,12 +88,16 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable> <arg choice="plain"><option>close</option><arg choice="req">
source</replaceable><replaceable> dest</replaceable><arg> <replaceable>open-number</replaceable> |
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable> <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
</arg> </arg></arg> <replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -944,15 +948,23 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">close</emphasis> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [ <replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable> <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term> ] ] }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of <para>Added in Shorewall 4.5.8. This command closes a temporary open
an earlier <command>open</command> command; the parameters must created by the <command>open</command> command. In the first form,
match those given in that earlier command.</para> an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -59,6 +59,21 @@
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><arg choice="req">
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@ -661,15 +676,23 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">close</emphasis> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [ <replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable> <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term> ] ] }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of <para>Added in Shorewall 4.5.8. This command closes a temporary open
an earlier <command>open</command> command; the parameters must created by the <command>open</command> command. In the first form,
match those given in that earlier command.</para> an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall6-lite show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -91,10 +91,11 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>close</option><replaceable> <arg choice="plain"><option>close</option><arg choice="req">
source</replaceable><replaceable> dest</replaceable><arg> <replaceable>open-number</replaceable> |
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable> <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
</arg> </arg></arg> <replaceable>port</replaceable> </arg></arg></arg><replaceable>
</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -882,15 +883,23 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">close</emphasis> <term><emphasis role="bold">close</emphasis> {
<replaceable>open-number</replaceable> |
<replaceable>source</replaceable> <replaceable>dest</replaceable> [ <replaceable>source</replaceable> <replaceable>dest</replaceable> [
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable> <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
] ]</term> ] ] }</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.8. This command reverses the effect of <para>Added in Shorewall 4.5.8. This command closes a temporary open
an earlier <command>open</command> command; the parameters must created by the <command>open</command> command. In the first form,
match those given in that earlier command.</para> an <replaceable>open-number</replaceable> specifies the open to be
closed. Open numbers are displayed in the <emphasis
role="bold">num</emphasis> column of the output of the
<command>shorewall6 show opens </command>command.</para>
<para>When the second form of the command is used, the parameters
must match those given in the earlier <command>open</command>
command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>