Allow user:group in USER SET column of rules file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@744 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6074472053
commit
9f14855704
@ -80,3 +80,6 @@ Changes since 1.4.6
|
|||||||
|
|
||||||
35) Correct rules file comment.
|
35) Correct rules file comment.
|
||||||
|
|
||||||
|
36) Extend USER SET column in /etc/shorewall/rules to allow user:group.
|
||||||
|
|
||||||
|
|
||||||
|
@ -2308,6 +2308,8 @@ add_nat_rule() {
|
|||||||
# servport = Port the server listens on
|
# servport = Port the server listens on
|
||||||
# chain = The canonical chain for this rule
|
# chain = The canonical chain for this rule
|
||||||
# ratelimit = Optional rate limiting clause
|
# ratelimit = Optional rate limiting clause
|
||||||
|
# userandgroup= -m owner clause
|
||||||
|
# userset = User set name
|
||||||
#
|
#
|
||||||
add_a_rule()
|
add_a_rule()
|
||||||
{
|
{
|
||||||
@ -2454,15 +2456,15 @@ add_a_rule()
|
|||||||
for adr in `separate_list $addr`; do
|
for adr in `separate_list $addr`; do
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
|
||||||
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
$userandgroup `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $ratelimit $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $ratelimit $multiport $state $cli $sports \
|
||||||
-d $srv $dports -m conntrack --ctorigdst $adr -j $target
|
-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2473,12 +2475,12 @@ add_a_rule()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
`fix_bang $proto $sports $multiport $state $cli $dports`
|
`fix_bang $proto $sports $multiport $state $cli $dports`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
|
||||||
$dports $ratelimit -j $target
|
$dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -2492,13 +2494,13 @@ add_a_rule()
|
|||||||
|
|
||||||
if [ $command != check ]; then
|
if [ $command != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
||||||
`fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
|
`fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $logtarget != LOG ]; then
|
if [ $logtarget != LOG ]; then
|
||||||
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
|
run_iptables2 -A $chain $proto $multiport $dest_interface $state \
|
||||||
$cli $sports $dports $ratelimit -j $target
|
$cli $sports $dports $ratelimit $userandgroup -j $target
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -2526,6 +2528,7 @@ process_rule() # $1 = target
|
|||||||
local address="$7"
|
local address="$7"
|
||||||
local ratelimit="$8"
|
local ratelimit="$8"
|
||||||
local userset="$9"
|
local userset="$9"
|
||||||
|
local userandgroup=
|
||||||
local rule="`echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userset`"
|
local rule="`echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userset`"
|
||||||
|
|
||||||
# Function Body - isolate rate limit
|
# Function Body - isolate rate limit
|
||||||
@ -2578,6 +2581,26 @@ process_rule() # $1 = target
|
|||||||
[ "x$address" = "x-" ] && address=
|
[ "x$address" = "x-" ] && address=
|
||||||
|
|
||||||
if [ -n "$userset" ]; then
|
if [ -n "$userset" ]; then
|
||||||
|
case "$userset" in
|
||||||
|
*:*)
|
||||||
|
case $target in
|
||||||
|
ACCEPT|REJECT|DROP)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ "$userset" != ":" ]; then
|
||||||
|
userandgroup="-m owner"
|
||||||
|
temp="${userset%:*}"
|
||||||
|
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
|
||||||
|
temp="${userset#*:}"
|
||||||
|
[ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp"
|
||||||
|
fi
|
||||||
|
userset=
|
||||||
|
;;
|
||||||
|
*)
|
||||||
if ! havechain `accept_chain $userset`; then
|
if ! havechain `accept_chain $userset`; then
|
||||||
fatal_error "Unknown user set $userset: rule \"$rule\""
|
fatal_error "Unknown user set $userset: rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
@ -2593,12 +2616,13 @@ process_rule() # $1 = target
|
|||||||
target=`reject_chain $userset`
|
target=`reject_chain $userset`
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$userset" ] && \
|
|
||||||
fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[ -n "$loglevel" ] && \
|
[ -n "$loglevel" ] && \
|
||||||
fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
|
fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
|
||||||
|
;;
|
||||||
|
esac
|
||||||
else
|
else
|
||||||
case $target in
|
case $target in
|
||||||
ACCEPT|LOG)
|
ACCEPT|LOG)
|
||||||
|
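Review bot: The new `*:*)` arm in process_rule accepts a USER SET of exactly `:` and then leaves `userandgroup` empty while clearing `userset`, so add_a_rule emits the rule with no `-m owner` match at all and it silently applies to every locally generated packet; a stray colon therefore widens an ACCEPT rule instead of failing at check time. The arm also does not reject a value with more than one colon: `${userset%:*}` on `a:b:c` yields `--uid-owner a:b`, which only fails later when iptables loads the rule. If a bare `:` is intended to be legal, say so in a comment next to the `if [ "$userset" != ":" ]` guard; otherwise reject both forms up front with a case arm as below and build the owner clause unconditionally. Separately, `$userandgroup` is expanded unquoted into the iptables command line, as the rest of the file does with its other clause variables, so a user or group name containing whitespace would split into extra arguments — the rules file is operator-controlled, so this is consistent with existing practice rather than a new exposure. process_rule's body continues outside the hunk.
```shell
case "$userset" in
    :|*:*:*)
        fatal_error "Invalid <user>:<group> \"$userset\": rule \"$rule\""
        ;;
    *:*)
        # … unchanged: ACCEPT|REJECT|DROP target check, then the -m owner
        #     clause built unconditionally (the "$userset" != ":" guard goes away) …
```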
@ -232,13 +232,18 @@
|
|||||||
# the firewall itself and the ACTION is ACCEPT, DROP or
|
# the firewall itself and the ACTION is ACCEPT, DROP or
|
||||||
# REJECT.
|
# REJECT.
|
||||||
#
|
#
|
||||||
# The colume may contain a user set name defined in the
|
# The column may contain a user set name defined in the
|
||||||
# /etc/shorewall/usersets file.
|
# /etc/shorewall/usersets file or it may contain:
|
||||||
|
#
|
||||||
|
# [<user name or number>]:[<group name or number>]
|
||||||
#
|
#
|
||||||
# When this column is non-empty, the rule applies only
|
# When this column is non-empty, the rule applies only
|
||||||
# if the program generating the output is running under
|
# if the program generating the output is running under
|
||||||
# the effective <user> and/or <group> specified. A log
|
# the effective <user>(s) and/or <group>(s) specified.
|
||||||
# level may not be given in the ACTION column.
|
# When a user set name is given, a log level may not be
|
||||||
|
# present in the ACTION column; logging for such rules is
|
||||||
|
# controlled by the user set's entry in
|
||||||
|
# /etc/shorewall/usersets.
|
||||||
#
|
#
|
||||||
# Example: Accept SMTP requests from the DMZ to the internet
|
# Example: Accept SMTP requests from the DMZ to the internet
|
||||||
#
|
#
|
||||||
|