Verify interface names; pretty up restore file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1352 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-05-22 16:53:04 +00:00
parent e12cb03fca
commit c1fdc0fc88
3 changed files with 119 additions and 31 deletions


@ -11,3 +11,5 @@ Changes since 2.0.2
5) Backport bug fixes from stable (/var/lib/shorewall existence and 5) Backport bug fixes from stable (/var/lib/shorewall existence and
null common action). null common action).
6) Add lots of overhead to [re]start in order to catch typing errors.


@ -103,6 +103,17 @@ save_command()
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> /var/lib/shorewall/restore-$$
} }
#
# Write a progress_message command to /var/lib/shorewall/restore-$$
#
save_progress_message()
{
echo >> /var/lib/shorewall/restore-$$
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
echo >> /var/lib/shorewall/restore-$$
}
# #
# Save the passed command in the restore script then run it -- returns the status of the command # Save the passed command in the restore script then run it -- returns the status of the command
# If the command involves file redirection then it must be enclosed in quotes as in: # If the command involves file redirection then it must be enclosed in quotes as in:
@ -128,9 +139,10 @@ ensure_and_save_command()
} }
# #
# Append a file to /var/lib/shorewall/restore-$$ # Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
# #
append_file() { append_file() # $1 = File Name
{
save_command "cat > $STATEDIR/$1 << __EOF__" save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command __EOF__ save_command __EOF__
@ -571,7 +583,7 @@ known_interface() # $1 = interface name
match_source_dev() match_source_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else else
echo -i $1 echo -i $1
fi fi
@ -580,12 +592,17 @@ match_source_dev()
match_dest_dev() match_dest_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else else
echo -o $1 echo -o $1
fi fi
} }
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
# #
# #
# Find hosts in a given zone # Find hosts in a given zone
@ -793,6 +810,13 @@ validate_interfaces_file() {
validate_hosts_file() { validate_hosts_file() {
local z hosts options r interface host option port ports local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
@ -815,17 +839,14 @@ validate_hosts_file() {
*:*) *:*)
known_interface ${host%:*} && \ known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*} check_bridge_port ${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
;; ;;
*.*.*.*) *.*.*.*)
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host" check_bridge_port $host
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
;; ;;
esac esac
@ -850,6 +871,8 @@ validate_hosts_file() {
fi fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
} }
# #
@ -1174,7 +1197,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# #
setup_forwarding() { setup_forwarding() {
save_command "progress_message Restoring IP Forwarding..." save_progress_message "Restoring IP Forwarding..."
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
@ -1196,7 +1219,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
if qt which ip6tables; then if qt which ip6tables; then
save_command "progress_message Disabling IPV6..." save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1639,7 +1662,7 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
save_command "progress_message Restoring Proxy ARP..." save_progress_message "Restoring Proxy ARP..."
while read address interface external haveroute persistent; do while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent expandv address interface external haveroute persistent
@ -1841,7 +1864,7 @@ setup_nat() {
# #
> ${STATEDIR}/nat > ${STATEDIR}/nat
save_command "progress_message Restoring one-to-one NAT..." save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
@ -1998,10 +2021,8 @@ process_tc_rule()
chain=tcout chain=tcout
;; ;;
*) *)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
fi
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
esac esac
@ -2026,7 +2047,11 @@ process_tc_rule()
esac esac
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2099,7 +2124,7 @@ setup_tc1() {
run_user_exit tcstart run_user_exit tcstart
save_command "progress_message Restoring Traffic Control..." save_progress_message "Restoring Traffic Control..."
save_command . $(find_file tcstart) save_command . $(find_file tcstart)
} }
@ -2123,6 +2148,8 @@ delete_tc()
} }
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear run_user_exit tcclear
run_ip link list | \ run_ip link list | \
@ -2149,6 +2176,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
} }
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() { jump_to_chain() {
if ! havechain $jumpchain; then if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then if ! createchain2 $jumpchain No; then
@ -2162,6 +2197,7 @@ process_accounting_rule() {
case $source in case $source in
*:*) *:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})" rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2170,12 +2206,16 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
[ -n "$source" ] && rule="$(match_source_dev $source)" if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;; ;;
esac esac
[ -n "$dest" ] && case $dest in [ -n "$dest" ] && case $dest in
*:*) *:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2184,6 +2224,7 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)" rule="$rule $(match_dest_dev $dest)"
;; ;;
esac esac
@ -2416,6 +2457,16 @@ add_an_action()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2424,6 +2475,7 @@ add_an_action()
-) -)
;; ;;
*:*) *:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -2433,7 +2485,10 @@ add_an_action()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -2452,7 +2507,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)" if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;; ;;
esac esac
@ -3096,6 +3154,16 @@ add_a_rule()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -3104,6 +3172,7 @@ add_a_rule()
-) -)
;; ;;
*:*) *:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -3113,7 +3182,10 @@ add_a_rule()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -3133,7 +3205,8 @@ add_a_rule()
;; ;;
*) *)
if [ -n "$server" ]; then if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)" dest_interface="$(match_dest_dev $server)"
fi fi
;; ;;
@ -3713,6 +3786,11 @@ process_tos_rule() {
# #
# Assume that this is a device name # Assume that this is a device name
# #
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)" src="$(match_source_dev $src)"
;; ;;
esac esac
@ -4290,7 +4368,7 @@ setup_masq()
strip_file masq $1 strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_command "progress_message Restoring Masquerading/SNAT..." [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports expandv fullinterface networks addresses proto ports
@ -4512,7 +4590,7 @@ add_ip_aliases()
set -- $aliases_to_add set -- $aliases_to_add
save_command "progress_message Restoring IP Addresses..." save_progress_message "Restoring IP Addresses..."
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
external=$1 external=$1
@ -4547,7 +4625,7 @@ load_kernel_modules() {
if [ "$command" != check ]; then if [ "$command" != check ]; then
save_command "progress_message Loading kernel modules..." save_progress_message "Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__" save_command "reload_kernel_modules <<__EOF__"
while read command; do while read command; do
@ -5023,7 +5101,7 @@ add_common_rules() {
# #
# ARP Filtering # ARP Filtering
# #
save_command "progress_message Restoring ARP filtering..." save_progress_message "Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
@ -5052,7 +5130,7 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." echo "Setting up Kernel Route Filtering..."
save_command "progress_message Restoring Route Filtering..." save_progress_message "Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
@ -5207,7 +5285,7 @@ activate_rules()
# Add jumps for dynamic nat chains # Add jumps for dynamic nat chains
# #
[ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do
addrulejump PREROUTING $(dynamic_in $interface) addrulejump PREROUTING $(dynamic_in $interface) -i $interface
done done
# #
# Add jumps from the builtin chains to the nat chains # Add jumps from the builtin chains to the nat chains
@ -5476,7 +5554,7 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted" save_command "date > $STATEDIR/restarted"
save_command "progress_message Restoring Netfilter Configuration..." save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__' save_command 'iptables-restore << __EOF__'
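Review bot: In the `@ -580,12 +592,17 @@` hunk, `verify_interface` tests `[ -n $BRIDGING ]` without quotes, so when `BRIDGING` is empty the test collapses to `[ -n ]`, which is true, and the bridging-only `list_search $1 $all_ports` branch runs for every interface that `known_interface` rejects; `match_source_dev` a few lines above quotes the same variable (`if [ -n "$BRIDGING" ]`). It presumably passes today only because `$all_ports` is empty when bridging is off, which is not something this guard should rely on, so quote it: `known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }`. Since `verify_interface` is now the single gate for every interface name read from the configuration (tcrules, accounting, actions, rules, tos), it also deserves a header comment stating that contract, e.g. `# Succeed iff $1 is a defined interface or, under BRIDGING, a bridge port named in the hosts file`. Separately, `interface_error` is defined identically inside both `add_an_action` and `add_a_rule` (hunks at -2416 and -3096), and `action_interface_verify`/`rule_interface_verify` share one body; a single file-level definition next to `verify_interface` would avoid redefining them on every call.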


@ -18,3 +18,11 @@ None.
New Features: New Features:
1) "!" is now allowed in accounting rules. 1) "!" is now allowed in accounting rules.
2) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).