Accept ip ranges in drop, reject, logdrop and allow commands

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4742 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-27 22:00:48 +00:00
parent ff5bf57261
commit a22ec871ff
5 changed files with 139 additions and 93 deletions


@ -1128,6 +1128,39 @@ make_verbose() {
fi fi
} }
#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses
{
local chain=$1 finished=$2
shift 3
while [ $# -gt 0 ]; do
case $1 in
*-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;;
*)
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1
;;
esac
echo "$1 $finished"
shift
done
}
# #
# Execution begins here # Execution begins here
# #
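Review bot: A failed `$IPTABLES -A dynamic ... -j $chain` in `block` only runs `break 1`, so every address after the failing one is silently left unblocked and the function still returns 0; the caller then continues to `mutex_off` and, as far as the hunk shows, treats the command as successful. For a command whose purpose is to block traffic a partial result should be visible, so replace both `|| break 1` lines with `|| { error_message "ERROR: Unable to add rule for $1"; return 1; }` and let the callers test `block`'s status (each caller must still reach its `mutex_off` before exiting). The `*-*)` arm also treats any argument containing a hyphen as an ip range, so a single address mistyped with a stray dash is handed to `-m iprange` rather than rejected up front; a comment on the `case` such as `# an argument containing '-' is taken as an ip range (from-to); anything else is a single address or network` would at least document the convention. The identical `block` hunk in the second script of this commit has the same issues.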
@ -1477,18 +1510,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block DROP Dropped $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall Lite is not started"
exit 2 exit 2
fi fi
;; ;;
@ -1497,18 +1522,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block logdrop Dropped $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall Lite is not started"
exit 2 exit 2
fi fi
;; ;;
@ -1517,18 +1534,10 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block $COMMAND Rejected $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall Lite is not started"
exit 2 exit 2
fi fi
;; ;;
@ -1539,6 +1548,19 @@ case "$COMMAND" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in
*-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
*)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\ if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\ qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
@ -1548,10 +1570,12 @@ case "$COMMAND" in
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
fi fi
;;
esac
done done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall Lite is not started"
exit 2 exit 2
fi fi
;; ;;


@ -12,6 +12,8 @@ Changes in 3.3.4
6) Suppress superfluous wildcard rules under OPTIMIZE > 0. 6) Suppress superfluous wildcard rules under OPTIMIZE > 0.
7) Support ip ranges in the drop, logdrop, reject, and allow commands.
Changes in 3.3.3 Changes in 3.3.3
1) Fix excluding in SUBNET column. 1) Fix excluding in SUBNET column.


@ -25,22 +25,6 @@
# (either explicitly specified or defaulted). # (either explicitly specified or defaulted).
# #
#
# Function to create/find appropriate action chain -- callable in user scripts
# that want to invoke an action.
#
get_actionchain() # $1 = Action from a rule, including log level and tag if any
{
if list_search ${1%%:*} $ACTIONS; then
if ! list_search $1 $USEDACTIONS; then
createactionchain $1
USEDACTIONS="$USEDACTIONS $1"
fi
echo $(find_logactionchain $1)
fi
}
# #
# Add one Filter Rule from an action -- Helper function for the action file processor # Add one Filter Rule from an action -- Helper function for the action file processor
# #


@ -142,6 +142,9 @@ Other Changes in 3.3.4.
... ...
ACCEPT! all all icmp 8 ACCEPT! all all icmp 8
4) IP Address ranges are now allowed in the drop, reject, allow and
logdrop shorewall[-lite] commands.
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default


@ -1668,6 +1668,39 @@ make_verbose() {
fi fi
} }
#
# Executor for drop,reject,... commands
#
block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses
{
local chain=$1 finished=$2
shift 3
while [ $# -gt 0 ]; do
case $1 in
*-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;;
*)
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1
;;
esac
echo "$1 $finished"
shift
done
}
# #
# Execution begins here # Execution begins here
# #
@ -2040,7 +2073,16 @@ case "$COMMAND" in
;; ;;
esac esac
done done
shift while [ $# -gt 1 ]; do
shift shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
;; ;;
*) *)
finished=1 finished=1
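Review bot: The loop added in this arm (where the old side had a single `shift`) re-inlines the delete-then-append sequence from the pre-commit `drop` code instead of calling the `block` helper that the earlier hunk of this same file introduces, so this path gets no ip-range support and will drift from the drop/logdrop/reject arms that now call `block DROP Dropped $*`. The loop uses the same `while [ $# -gt 1 ]; do shift` convention as those arms, which suggests `$1` is still the command word here; if so the whole loop can be replaced by `block DROP Dropped $*`, though the surrounding option parsing is outside the hunk so that should be confirmed. The enclosing case arm begins outside the hunk.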
@ -2063,15 +2105,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block DROP Dropped $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall is not started"
@ -2083,15 +2117,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block logdrop Dropped $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall is not started"
@ -2103,15 +2129,7 @@ case "$COMMAND" in
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
mutex_on mutex_on
while [ $# -gt 1 ]; do block $COMMAND Rejected $*
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
mutex_off mutex_off
else else
error_message "ERROR: Shorewall is not started" error_message "ERROR: Shorewall is not started"
@ -2125,6 +2143,19 @@ case "$COMMAND" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in
*-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
*)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\ if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\ qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
@ -2134,6 +2165,8 @@ case "$COMMAND" in
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
fi fi
;;
esac
done done
mutex_off mutex_off
else else