Accept ip ranges in drop, reject, logdrop and allow commands

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4742 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-27 22:00:48 +00:00
parent ff5bf57261
commit a22ec871ff
5 changed files with 139 additions and 93 deletions


@ -1128,6 +1128,39 @@ make_verbose() {
fi
}
#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses
{
local chain=$1 finished=$2
shift 3
while [ $# -gt 0 ]; do
case $1 in
*-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;;
*)
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1
;;
esac
echo "$1 $finished"
shift
done
}
#
# Execution begins here
#
@ -1477,18 +1510,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
block DROP Dropped $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
error_message "ERROR: Shorewall Lite is not started"
exit 2
fi
;;
@ -1497,18 +1522,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
block logdrop Dropped $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
error_message "ERROR: Shorewall Lite is not started"
exit 2
fi
;;
@ -1517,18 +1534,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
block $COMMAND Rejected $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
error_message "ERROR: Shorewall Lite is not started"
exit 2
fi
;;
@ -1539,19 +1548,34 @@ case "$COMMAND" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
case $1 in
*-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
*)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
esac
done
mutex_off
else
error_message "ERROR: Shorewall is not started"
error_message "ERROR: Shorewall Lite is not started"
exit 2
fi
;;
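Review bot: In the new `block()` function (hunk `@ -1128,6 +1128,39`), the `$IPTABLES -A dynamic ... || break 1` on both case arms turns an append failure into a silent partial result: the failing address gets no message, the remaining addresses are never processed, and the function's status is 0, so the caller continues to `mutex_off` and exits successfully although the source was not blocked. With `-m iprange` this is a realistic path, since it depends on the iprange match extension being available, and an operator who sees no error will assume the range is dropped or rejected. I would replace both `|| break 1` lines with `|| { error_message "ERROR: Unable to add rule for $1"; return 1; }` and have the callers (`block DROP Dropped $*` and the two sibling calls) check the status and exit non-zero after `mutex_off`. Note also that `*-*)` classifies any argument containing a hyphen as a range, so if hyphenated hostnames were previously accepted through `-s`, they would now be handed to `--src-range`; a comment on the `case` stating that arguments are IP addresses or `a.b.c.d-e.f.g.h` ranges would make the assumption explicit. The same function appears again in the second script's hunk `@ -1668,6 +1668,39`, where the identical fix applies.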


@ -12,6 +12,8 @@ Changes in 3.3.4
6) Suppress superfluous wildcard rules under OPTIMIZE > 0.
7) Support ip ranges in the drop, logdrop, reject, and allow commands.
Changes in 3.3.3
1) Fix excluding in SUBNET column.


@ -25,22 +25,6 @@
# (either explicitly specified or defaulted).
#
#
# Function to create/find appropriate action chain -- callable in user scripts
# that want to invoke an action.
#
get_actionchain() # $1 = Action from a rule, including log level and tag if any
{
if list_search ${1%%:*} $ACTIONS; then
if ! list_search $1 $USEDACTIONS; then
createactionchain $1
USEDACTIONS="$USEDACTIONS $1"
fi
echo $(find_logactionchain $1)
fi
}
#
# Add one Filter Rule from an action -- Helper function for the action file processor
#


@ -142,6 +142,9 @@ Other Changes in 3.3.4.
...
ACCEPT! all all icmp 8
4) IP Address ranges are now allowed in the drop, reject, allow and
logdrop shorewall[-lite] commands.
Migration Considerations:
1) Shorewall supports the notion of "default actions". A default


@ -1668,6 +1668,39 @@ make_verbose() {
fi
}
#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses
{
local chain=$1 finished=$2
shift 3
while [ $# -gt 0 ]; do
case $1 in
*-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;;
*)
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1
;;
esac
echo "$1 $finished"
shift
done
}
#
# Execution begins here
#
@ -2040,7 +2073,16 @@ case "$COMMAND" in
;;
esac
done
shift
shift while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
;;
*)
finished=1
@ -2063,15 +2105,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
block DROP Dropped $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
@ -2083,15 +2117,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
block logdrop Dropped $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
@ -2103,15 +2129,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
block $COMMAND Rejected $*
mutex_off
else
error_message "ERROR: Shorewall is not started"
@ -2125,15 +2143,30 @@ case "$COMMAND" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
case $1 in
*-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
*)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
esac
done
mutex_off
else
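Review bot: The hunk `@ -2040,7 +2073,16` appears, judging from its line counts, to add an inline `while [ $# -gt 1 ]` loop that deletes and appends with plain `-s $1 -j DROP`, bypassing the new `block()` helper that the other command branches in this file now call as `block DROP Dropped $*`. If that reading is right, a range supplied on this path is passed as `-s a.b.c.d-e.f.g.h`, which iptables rejects, and the following `|| break 1` ends the loop with no message, so the range is silently not dropped even though the changelog entry in this commit says ranges are supported in the drop command. I would replace the loop with the same `block DROP Dropped ...` call used by the sibling branches, or at least route it through the `case $1 in *-*)` selection so both forms are handled in one place. The enclosing `case` arm starts and ends outside the hunk, and the rendered line `shift while [ $# -gt 1 ]; do` looks like two source lines fused by the page, so the exact context should be confirmed against the file.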