extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 14:20:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 2.2.4

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2065 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-04-23 16:30:47 +00:00
parent e3a21c0865
commit 9174ac0fa3
30 changed files with 269 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Lrp2/etc/shorewall/actions
View File

@ -8,7 +8,7 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain. If
# they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
@ -22,7 +22,10 @@
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION

3
Lrp2/etc/shorewall/blacklist
View File

@ -38,6 +38,9 @@
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Lrp2/etc/shorewall/continue
View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

2
Lrp2/etc/shorewall/ecn
View File

@ -15,6 +15,8 @@
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Lrp2/etc/shorewall/hosts
View File

@ -135,5 +135,7 @@
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

2
Lrp2/etc/shorewall/init
View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

2
Lrp2/etc/shorewall/initdone
View File

@ -5,3 +5,5 @@
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

3
Lrp2/etc/shorewall/interfaces
View File

@ -201,6 +201,9 @@
# connections.
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#

8
Lrp2/etc/shorewall/maclist
View File

@ -1,6 +1,11 @@
#
# Shorewall 2.2 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
@ -18,6 +23,9 @@
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

16
Lrp2/etc/shorewall/masq
View File

@ -86,6 +86,20 @@
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
@ -195,6 +209,8 @@
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1

1
Lrp2/etc/shorewall/modules
View File

@ -7,6 +7,7 @@
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter

2
Lrp2/etc/shorewall/nat
View File

@ -38,6 +38,8 @@
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES

2
Lrp2/etc/shorewall/policy
View File

@ -75,6 +75,8 @@
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL

2
Lrp2/etc/shorewall/proxyarp
View File

@ -39,6 +39,8 @@
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Lrp2/etc/shorewall/routestopped
View File

@ -31,6 +31,10 @@
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

22
Lrp2/etc/shorewall/rules
View File

@ -42,6 +42,16 @@
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
@ -102,11 +112,14 @@
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
@ -147,7 +160,10 @@
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -352,6 +368,4 @@ ACCEPT fw net icmp
# allow loc to fw tcp/80 for weblet to work
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
# uncomment to use dnsmasq's dhcpd in your LAN
#ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Lrp2/etc/shorewall/start
View File

@ -4,7 +4,9 @@
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
for file in /etc/shorewall/start.d/* ; do
run_user_exit $file
done

5
Lrp2/etc/shorewall/stop
View File

@ -4,7 +4,8 @@
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
for file in /etc/shorewall/stop.d/* ; do
run_user_exit $file
run_user_exit $file
done

2
Lrp2/etc/shorewall/stopped
View File

@ -4,3 +4,5 @@
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

2
Lrp2/etc/shorewall/tcrules
View File

@ -147,6 +147,8 @@
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)

4
Lrp2/etc/shorewall/tunnels
View File

@ -108,6 +108,10 @@
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Lrp2/etc/shorewall/zones
View File

@ -4,6 +4,8 @@
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#

31
Lrp2/sbin/shorewall
View File

@ -58,6 +58,7 @@
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
@ -353,11 +354,18 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
if [ -n "$VERBOSE" ]; then
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
tail $options
else
grep "${LOGFORMAT}" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host $LOGFORMAT"/" "/ | \
sed 's/MAC=.* SRC=/SRC=/' | \
tail $options
fi
}
#
@ -595,7 +603,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
echo " allow <address> ..."
@ -616,14 +624,13 @@ usage() # $1 = exit status
echo " restart [ <directory> ]"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
echo " show [<chain> [ <chain> ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
echo
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
exit $1
}
@ -664,6 +671,7 @@ SHOREWALL_DIR=
QUIET=
IPT_OPTIONS="-nv"
FAST=
VERBOSE=
done=0
@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do
FAST=Yes
option=${option#f}
;;
v*)
VERBOSE=Yes
option=${option#v}
;;
*)
usage 1
;;
@ -938,6 +950,9 @@ case "$1" in
exit 1
fi
;;
capabilities)
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
;;
*)
shift

2
Lrp2/usr/share/shorewall/action.AllowICMPs
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
#
# ACCEPT needed ICMP types
#

3
Lrp2/usr/share/shorewall/action.template
View File

@ -11,6 +11,9 @@
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Columns are:
#
#

6
Lrp2/usr/share/shorewall/actions.std
View File

@ -1,6 +1,8 @@
#
# Shorewall 2.2 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
@ -12,6 +14,10 @@
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
#
#ACTION

2
Lrp2/usr/share/shorewall/bogons
View File

@ -44,11 +44,9 @@
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved

181
Lrp2/usr/share/shorewall/firewall
View File

@ -937,7 +937,7 @@ validate_interfaces_file() {
for option in $options; do
case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;;
detectnets)
[ -n "$wildcard" ] && \
@ -975,13 +975,21 @@ validate_hosts_file() {
r="$z $hosts $options"
validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%%:*}
iface=$(chain_base $interface)
case $hosts in
*:*)
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
interface=${hosts%%:*}
iface=$(chain_base $interface)
hosts=${hosts#*:}
list_search $interface $ALL_INTERFACES || \
startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
;;
*)
fatal_error "Invalid HOST(S) column contents: $hosts"
;;
esac
eval ports=\$${iface}_ports
eval zports=\$${z}_ports
@ -2826,6 +2834,12 @@ check_config() {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
echo "Determining Zones..."
determine_zones
@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
#
process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS=
strip_file actions
@ -3544,6 +3559,15 @@ process_actions1() {
process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
USEDACTIONS="$USEDACTIONS forwardUPnP"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes
@ -3695,6 +3719,26 @@ process_actions3() {
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi
;;
forwardUPnP)
;;
allowinUPnP)
if [ "$COMMAND" != check ]; then
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
fi
;;
allowoutUPnP)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
fi
;;
*)
#
# Not a builtin
@ -3802,7 +3846,14 @@ add_nat_rule() {
# Select target
if [ -n "$serv" ]; then
if [ "$logtarget" = SAME ]; then
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to ${srv}"
done
target1="SAME $serv1"
elif [ -n "$serv" ]; then
servport="${servport:+:$servport}"
serv1=
for srv in $(separate_list $serv); do
@ -4065,9 +4116,9 @@ add_a_rule()
servport=${servport:=$port}
natrule=Yes
;;
DNAT)
DNAT|SAME)
[ -n "$serv" ] || \
fatal_error "DNAT rules require a server address; rule: \"$rule\""
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes
;;
LOG)
@ -4084,7 +4135,7 @@ add_a_rule()
if [ -n "$natrule" ]; then
add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi
if [ -z "$dnat_only" ]; then
@ -4139,7 +4190,7 @@ add_a_rule()
[ -n "$addr" ] && fatal_error \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\""
" a DNAT, SAME or REDIRECT: \"$rule\""
if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then
@ -4289,7 +4340,7 @@ process_rule() # $1 = target
CONTINUE)
target=RETURN
;;
DNAT*)
DNAT*|SAME*)
target=ACCEPT
address=${address:=detect}
;;
@ -4322,8 +4373,13 @@ process_rule() # $1 = target
excludezones="${clientzone#*!}"
clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
case $logtarget in
DNAT|REDIRECT|SAME)
;;
*)
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
;;
esac
fi
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@ -4386,7 +4442,7 @@ process_rule() # $1 = target
protocol=${protocol:=all}
case $logtarget in
DNAT*)
DNAT*|SAME)
if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
@ -4540,7 +4596,7 @@ process_rules()
}
do_it() {
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
expandv xprotocol xports xcports xaddress xratelimit xuserspec
if [ "x$xclients" = xall ]; then
xclients="$zones $FW"
@ -4548,13 +4604,13 @@ process_rules()
xservers="$zones $FW"
fi
process_wildcard_rule
continue
return
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
return
fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@ -4562,10 +4618,16 @@ process_rules()
}
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
expandv xtarget
expandv xtarget xclients xservers
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
progress_message " Rule \"$rule\" ignored."
continue
fi
case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it
;;
*)
@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
[ -n "$chain" ] && { echo $chain; return; }
fatal_error "No appropriate chain for zone $1 to zone $2"
fatal_error "No policy defined for zone $1 to zone $2"
}
#
@ -5116,6 +5178,8 @@ setup_masq()
[ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do
address=${address%:)}
@ -5262,17 +5326,35 @@ setup_masq()
target=MASQUERADE
if [ -n "$addresses" ]; then
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
case "$addresses" in
SAME:nodst:*)
target="SAME --nodst"
addresses=${addresses#SAME:nodst:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
SAME:*)
target="SAME"
addresses=${addresses#SAME:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
*)
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
;;
esac
fi
if [ -n "$networks" ]; then
@ -5621,6 +5703,7 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5630,6 +5713,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5660,6 +5744,7 @@ report_capabilities() {
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
}
#
@ -5678,6 +5763,11 @@ initialize_netfilter () {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
@ -6290,6 +6380,20 @@ add_common_rules() {
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done
fi
#
# UPnP
#
interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then
echo "Setting up UPnP..."
createnatchain UPnP
for interface in $interfaces; do
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
done
fi
setup_forwarding
}
@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart)
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
run_user_exit started
}
#
@ -7482,12 +7587,6 @@ do_initialize() {
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
#
# Strip the files that we use often
#
@ -7672,6 +7771,10 @@ case "$COMMAND" in
EMPTY=
$@
;;
capabilities)
do_initialize
report_capabilities
;;
*)
usage
;;

4
Lrp2/usr/share/shorewall/help
View File

@ -5,7 +5,7 @@
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
@ -254,6 +254,8 @@ show)
shorewall show zones - displays the contents of all zones.
shorewall show capabilities - displays your kernel/iptables capabilities
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;

2
Lrp2/usr/share/shorewall/version
View File

@ -1 +1 @@
2.2.3
2.2.4