Update for Shorewall 2.0.12

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1792 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-12-01 21:23:21 +00:00
parent 950b92d9d9
commit c3268309ac
10 changed files with 66 additions and 43 deletions


@ -470,7 +470,7 @@ MUTEX_TIMEOUT=60
# A packet is said to be NEW if it is not part of or related to an already # A packet is said to be NEW if it is not part of or related to an already
# established connection. # established connection.
# #
# The NETNOTSYN option determines the handling of non-SYN packets (those with # The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already # SYN off or with ACK or RST on) that are not associated with an already
# established connection. # established connection.
# #


@ -1070,7 +1070,9 @@ case "$1" in
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$ echo __EOF__ >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH [ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
else else
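Review bot: The new tail append `[ -f /var/lib/shorewall/restore-tail ] && cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$` discards cat's exit status, so a read failure leaves a truncated restore script that the following `mv -f` and `chmod +x` still install as the saved configuration. The iptables-save step just above is guarded by `if`, and the append deserves the same treatment: test the tail file's presence with an `if`, and on a failed `cat` remove `restore-$$` and fall into the existing `else` branch rather than publishing a partial file. The enclosing `case` arm starts and ends outside the hunk.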


@ -178,6 +178,16 @@ run_iptables2() {
run_iptables $(fix_bang $@) run_iptables $(fix_bang $@)
} }
#
# Quietly run iptables
#
qt_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
qt iptables $@
}
# #
# Run ip and if an error occurs, stop the firewall and quit # Run ip and if an error occurs, stop the firewall and quit
# #
@ -5218,7 +5228,7 @@ add_common_rules() {
run_iptables -A $(input_chain $interface) -j $chain run_iptables -A $(input_chain $interface) -j $chain
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
run_iptables -A OUTPUT -j $(dynamic_out $interface) run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done done
fi fi
@ -5594,6 +5604,25 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$aliases_to_add" ] && \ [ -n "$aliases_to_add" ] && \
echo "Adding IP Addresses..." && add_ip_aliases echo "Adding IP Addresses..." && add_ip_aliases
for file in chains nat proxyarp zones; do
append_file $file
done
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
> $RESTOREBASE
save_command "#"
save_command "# Restore tail file generated by Shorewall $version - $(date)"
save_command "#"
save_command "date > $STATEDIR/restarted"
run_user_exit start run_user_exit start
createchain shorewall no createchain shorewall no
@ -5604,19 +5633,8 @@ define_firewall() # $1 = Command (Start or Restart)
rm -rf $TMP_DIR rm -rf $TMP_DIR
for file in chains nat proxyarp zones; do mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
append_file $file mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
done
save_command "date > $STATEDIR/restarted"
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
} }
@ -5673,6 +5691,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
do_iptables() # $@ = command do_iptables() # $@ = command
{ {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
if ! iptables $@ ; then if ! iptables $@ ; then
startup_error "Can't add $1 to zone $2" startup_error "Can't add $1 to zone $2"
fi fi
@ -5681,7 +5700,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -5756,7 +5775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
chain=${zone}_dnat chain=${zone}_dnat
if nat_chain_exists $chain; then if nat_chain_exists $chain; then
do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain do_iptables -t nat -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
fi fi
# #
# Insert new rules into the filter table for the passed interface # Insert new rules into the filter table for the passed interface
@ -5764,7 +5783,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
do_iptables -A $(dynamic_in $interface) -s $host -j $chain do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -5774,7 +5793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
fi fi
done done
fi fi
@ -5783,7 +5802,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Add a rule to the dynamic out chain for the interface # Add a rule to the dynamic out chain for the interface
# #
do_iptables -A $(dynamic_out $interface) -d $host -j $chain do_iptables -A $(dynamic_out $interface) $(match_destination_hosts $host) -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -5792,7 +5811,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
fi fi
done done
fi fi
@ -5838,7 +5857,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -5887,14 +5906,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Delete any nat table entries for the host(s) # Delete any nat table entries for the host(s)
# #
qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) -j ${zone}_dnat
# #
# Delete rules rules the input chains for the passed interface # Delete rules rules the input chains for the passed interface
# #
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt iptables -D $(dynamic_in $interface) -s $host -j $chain qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -5904,13 +5923,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
fi fi
done done
fi fi
elif [ "$z2" = "$zone" ]; then elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then if [ "$z1" = "$FW" ]; then
qt iptables -D $(dynamic_out $interface) -d $host -j $chain qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -5919,7 +5938,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
fi fi
done done
fi fi
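Review bot: The dynamic_out rule added in add_to_zone (hunk `@ -5783`) calls `match_destination_hosts`, while every other new destination match in add_to_zone and delete_from_zone (hunks `@ -5792`, `@ -5904`, `@ -5919`) calls `match_dest_hosts`. If `match_destination_hosts` is not a defined function (its definition is not visible here), the command substitution expands to nothing and `do_iptables -A $(dynamic_out $interface) -j $chain` is appended with no destination match at all, so the added host's out-chain rule would cover every destination on the interface, and the paired `qt_iptables -D ... $(match_dest_hosts $host)` in delete_from_zone would never remove it. The line should read `do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain`. Separately, the new qt_iptables (hunk `@ -178`) repeats the physdev cleanup line of do_iptables verbatim; a small shared helper would keep the two in step. add_to_zone and delete_from_zone both begin and end outside the hunks shown.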


@ -52,9 +52,9 @@ qt()
# #
# Perform variable substitution on the passed argument and echo the result # Perform variable substitution on the passed argument and echo the result
# #
expand() # $1 = contents of variable which may be the name of another variable expand() # $@ = contents of variable which may be the name of another variable
{ {
eval echo \"$1\" eval echo \"$@\"
} }
# #
@ -434,7 +434,7 @@ read_file() # $1 = file name, $2 = nest count
while read first rest; do while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then if [ $2 -lt 4 ]; then
read_file $(find_file ${rest%#*}) $(($2 + 1)) read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi fi
@ -452,7 +452,7 @@ read_file() # $1 = file name, $2 = nest count
# Function for including one file into another # Function for including one file into another
# #
INCLUDE() { INCLUDE() {
. $(find_file $@) . $(find_file $(expand $@))
} }
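Review bot: `expand()` now runs `eval echo \"$@\"` on the INCLUDE argument coming from read_file and INCLUDE(), so anything on an INCLUDE line — including `$(…)` and backquotes — is executed by the shell, not merely variable-substituted as the header comment above expand says. The configuration files are already read by this script as root, so no new trust boundary is crossed, but the comment should say so: `# NOTE: the argument is eval'd, so $(...) and backquotes in it are executed; only pass text from trusted configuration files`. In read_file the unquoted `$(find_file $(expand ${rest%#*}))` also word-splits an included path containing spaces, as the previous form did. read_file and INCLUDE both continue outside the hunk.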
# #


@ -29,11 +29,11 @@
case $1 in case $1 in
add) add)
echo "add: add <interface>[:<host>] <zone> echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's. Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface shorewall add interface[:port][:host] zone - Adds the specified interface
(and host if included) to the specified zone. (and bridge port/host if included) to the specified zone.
Example: Example:
@ -93,11 +93,11 @@ debug)
;; ;;
delete) delete)
echo "delete: delete <interface>[:<host>] <zone> echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's. Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and host if included) from the specified zone. interface (and bridge port/host if included) from the specified zone.
Example: Example:


@ -1 +1 @@
2.0.11 2.0.12


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.11 VERSION=2.0.12
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.11 VERSION=2.0.12
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.0.11 %define version 2.0.12
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.12-1
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net * Mon Nov 22 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.11-1 - Updated to 2.0.11-1
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net * Mon Oct 25 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.11 VERSION=2.0.12
usage() # $1 = exit status usage() # $1 = exit status
{ {