extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-22 18:51:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

First working dynamic zone implementation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9612 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-03-06 17:00:38 +00:00
parent f788e4ecb3
commit a7126b6b4c
4 changed files with 197 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -542,8 +542,8 @@ EOF
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets ) {
emit <<EOF emit <<'EOF'
if [ -n "$(which ipset)" ]; then if [ -n "$(mywhich ipset)" ]; then
if ipset -S > ${VARDIR}/ipsets.tmp; then if ipset -S > ${VARDIR}/ipsets.tmp; then
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
fi fi
@ -649,8 +649,8 @@ sub generate_script_2($) {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets ) {
emit ( 'if "$COMMAND" = start; then' , emit ( 'if [ "$COMMAND" = start ]; then' ,
' if [ -n "$(which ipset)"; then' , ' if [ -n "$(mywhich ipset)" ]; then' ,
' ipset -U :all: :all:' , ' ipset -U :all: :all:' ,
' ipset -U :all: :default:' , ' ipset -U :all: :default:' ,
' ipset -F' , ' ipset -F' ,
@ -659,9 +659,9 @@ sub generate_script_2($) {
emit ( " qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets; emit ( " qt ipset -L $_ || ipset -N $_ iphash" ) for @ipsets;
emit ( ' fi' , emit ( ' else' ,
'else' , ' fatal_error "The ipset utility cannot be located"' ,
' fatal_error "The ipset utility cannot be located"' , ' fi' ,
'fi', 'fi',
'' ); '' );
} }

4
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -806,7 +806,7 @@ sub validate_interfaces_file( $ )
require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$value = "+${zone}_${interface}"; $value = "+${zone}_${interface}";
$hostoptions{dynamic} = 1; $hostoptions{dynamic} = 1;
$ipsets{$value} = 1; $ipsets{"${zone}_${interface}"} = 1;
} }
# #
# Convert into a Perl array reference # Convert into a Perl array reference
@ -1126,7 +1126,7 @@ sub validate_hosts_file()
require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
$hosts = "+${zone}_${interface}"; $hosts = "+${zone}_${interface}";
$optionsref->{dynamic} = 1; $optionsref->{dynamic} = 1;
$ipsets{$hosts} = 1; $ipsets{"${zone}_${interface}"} = 1;
} }

183
Shorewall/lib.cli
View File

@ -830,13 +830,6 @@ restore_command() {
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
iptables -X
$SHOREWALL_SHELL ${RESTOREPATH}-ipsets
fi
progress_message3 "Restoring Shorewall..." progress_message3 "Restoring Shorewall..."
$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE" $SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE"
@ -992,6 +985,182 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
done done
} }
#
# Replace commas with spaces and echo the result
#
separate_list() {
local list
list="$@"
local part
local newlist
local firstpart
local lastpart
local enclosure
case "$list" in
*,|,*|*,,*|*[[:space:]]*)
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'TERMINATOR' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
[ -n "$TERMINATOR" ] && \
$TERMINATOR "Invalid comma-separated list \"$@\""
echo "WARNING -- invalid comma-separated list \"$@\"" >&2
;;
*\[*\]*)
#
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets.
#
firstpart=${list%%\[*}
lastpart=${list#*\[}
enclosure=${lastpart%%\]*}
lastpart=${lastpart#*\]}
case $lastpart in
\,*)
case $firstpart in
*\,)
echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
;;
*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
;;
esac
;;
*)
case $firstpart in
*\,)
echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
;;
*)
echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
;;
esac
;;
esac
return
;;
esac
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
# add command executor
#
add_command() {
local interface host hostlist zone ipset
if ! shorewall_is_started ; then
echo "Shorewall Not Started" >&2
exit 2;
fi
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
[ "$host" = "$1" ] && host=
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
zone=$1
for host in $hostlist; do
interface=${host%:*}
ipset=${zone}_${interface};
if ! qt ipset -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi
host=${host#*:}
if ipset -A $ipset $host; then
echo "Host $interface:$host added to zone $zone"
else
fatal_error "Unable to add $interface:$host to zone $zone"
fi
done
}
#
# delete command executor
#
delete_command() {
local interface host hostent hostlist zone ipset
if ! shorewall_is_started ; then
echo "Shorewall Not Started" >&2
exit 2;
fi
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
[ "$host" = "$1" ] && host=
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
zone=$1
for hostent in $hostlist; do
interface=${hostent%:*}
ipset=${zone}_${interface};
if ! qt ipset -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi
host=${hostent#*:}
if ipset -D $ipset $host; then
echo "Host $hostend deleted from zone $zone"
else
echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
fi
done
}
# #
# 'hits' commmand executor # 'hits' commmand executor
# #

12
Shorewall/shorewall
View File

@ -1324,10 +1324,12 @@ usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]" echo " check [ -e ] [ <directory> ]"
echo " clear [ -f ]" echo " clear [ -f ]"
echo " compile [ -e ] [ <directory name> ] <path name>" echo " compile [ -e ] [ <directory name> ] <path name>"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -x ]" echo " dump [ -x ]"
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]" echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
@ -1739,6 +1741,16 @@ case "$COMMAND" in
get_config get_config
allow_command $@ allow_command $@
;; ;;
add)
get_config
shift
add_command $@
;;
delete)
get_config
shift
add_command $@
;;
save) save)
get_config get_config
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x