Shorewall-2.0.2c

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1348 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-05-21 18:52:52 +00:00
parent 71b75b6291
commit c44a5af689
4 changed files with 125 additions and 38 deletions


@ -51,11 +51,6 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; } [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
} }
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
# #
# Message to stderr # Message to stderr
# #
@ -136,9 +131,9 @@ ensure_and_save_command()
# Append a file to /var/lib/shorewall/restore-$$ # Append a file to /var/lib/shorewall/restore-$$
# #
append_file() { append_file() {
save_command "cat > $STATEDIR/$1 << EOF" save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command EOF save_command __EOF__
} }
# #
@ -576,7 +571,7 @@ known_interface() # $1 = interface name
match_source_dev() match_source_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else else
echo -i $1 echo -i $1
fi fi
@ -585,12 +580,17 @@ match_source_dev()
match_dest_dev() match_dest_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else else
echo -o $1 echo -o $1
fi fi
} }
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
# #
# #
# Find hosts in a given zone # Find hosts in a given zone
@ -798,6 +798,13 @@ validate_interfaces_file() {
validate_hosts_file() { validate_hosts_file() {
local z hosts options r interface host option port ports local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
@ -820,17 +827,14 @@ validate_hosts_file() {
*:*) *:*)
known_interface ${host%:*} && \ known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*} check_bridge_port ${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
;; ;;
*.*.*.*) *.*.*.*)
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host" check_bridge_port $host
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
;; ;;
esac esac
@ -855,6 +859,8 @@ validate_hosts_file() {
fi fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
} }
# #
@ -1178,6 +1184,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
# #
setup_forwarding() { setup_forwarding() {
save_command "progress_message Restoring IP Forwarding..."
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1207,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
if qt which ip6tables; then if qt which ip6tables; then
save_command "progress_message Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1640,6 +1650,8 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
save_command "progress_message Restoring Proxy ARP..."
while read address interface external haveroute persistent; do while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent expandv address interface external haveroute persistent
setup_one_proxy_arp setup_one_proxy_arp
@ -1840,6 +1852,8 @@ setup_nat() {
# #
> ${STATEDIR}/nat > ${STATEDIR}/nat
save_command "progress_message Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
@ -1995,10 +2009,8 @@ process_tc_rule()
chain=tcout chain=tcout
;; ;;
*) *)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
fi
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
esac esac
@ -2023,7 +2035,11 @@ process_tc_rule()
esac esac
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2095,6 +2111,8 @@ setup_tc1() {
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart run_user_exit tcstart
save_command "progress_message Restoring Traffic Control..."
save_command . $(find_file tcstart) save_command . $(find_file tcstart)
} }
@ -2144,6 +2162,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
} }
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() { jump_to_chain() {
if ! havechain $jumpchain; then if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then if ! createchain2 $jumpchain No; then
@ -2157,6 +2183,7 @@ process_accounting_rule() {
case $source in case $source in
*:*) *:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})" rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2165,12 +2192,16 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
[ -n "$source" ] && rule="$(match_source_dev $source)" if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;; ;;
esac esac
[ -n "$dest" ] && case $dest in [ -n "$dest" ] && case $dest in
*:*) *:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2179,6 +2210,7 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)" rule="$rule $(match_dest_dev $dest)"
;; ;;
esac esac
@ -2233,8 +2265,8 @@ process_accounting_rule() {
ensurechain1 $chain ensurechain1 $chain
if iptables -A $chain $rule ; then if iptables -A $chain $(fix_bang $rule) ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else else
accounting_error accounting_error
@ -2411,6 +2443,16 @@ add_an_action()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2419,6 +2461,7 @@ add_an_action()
-) -)
;; ;;
*:*) *:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -2428,7 +2471,10 @@ add_an_action()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -2447,7 +2493,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)" if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;; ;;
esac esac
@ -3091,6 +3140,16 @@ add_a_rule()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -3099,6 +3158,7 @@ add_a_rule()
-) -)
;; ;;
*:*) *:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -3108,7 +3168,10 @@ add_a_rule()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -3128,7 +3191,8 @@ add_a_rule()
;; ;;
*) *)
if [ -n "$server" ]; then if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)" dest_interface="$(match_dest_dev $server)"
fi fi
;; ;;
@ -3708,6 +3772,11 @@ process_tos_rule() {
# #
# Assume that this is a device name # Assume that this is a device name
# #
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)" src="$(match_source_dev $src)"
;; ;;
esac esac
@ -4285,7 +4354,7 @@ setup_masq()
strip_file masq $1 strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_command "progress_message Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports expandv fullinterface networks addresses proto ports
@ -4507,6 +4576,8 @@ add_ip_aliases()
set -- $aliases_to_add set -- $aliases_to_add
save_command "progress_message Restoring IP Addresses..."
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
external=$1 external=$1
interface=$2 interface=$2
@ -4539,7 +4610,9 @@ load_kernel_modules() {
. $modules . $modules
if [ "$command" != check ]; then if [ "$command" != check ]; then
save_command "reload_kernel_modules <<EOF"
save_command "progress_message Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__"
while read command; do while read command; do
case "$command" in case "$command" in
@ -4549,7 +4622,7 @@ load_kernel_modules() {
esac esac
done < $modules done < $modules
save_command EOF save_command __EOF__
fi fi
fi fi
} }
@ -5014,6 +5087,8 @@ add_common_rules() {
# #
# ARP Filtering # ARP Filtering
# #
save_command "progress_message Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5041,6 +5116,8 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." echo "Setting up Kernel Route Filtering..."
save_command "progress_message Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5194,7 +5271,7 @@ activate_rules()
# Add jumps for dynamic nat chains # Add jumps for dynamic nat chains
# #
[ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do
addrulejump PREROUTING $(dynamic_in $interface) addrulejump PREROUTING $(dynamic_in $interface) -i $interface
done done
# #
# Add jumps from the builtin chains to the nat chains # Add jumps from the builtin chains to the nat chains
@ -5405,7 +5482,8 @@ define_firewall() # $1 = Command (Start or Restart)
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
echo '#bin/sh' > /var/lib/shorewall/restore-$$ echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ save_command "# Restore base file generated $(date)"
save_command ". /usr/share/shorewall/functions"
save_command "MODULESDIR=\"$MODULESDIR\"" save_command "MODULESDIR=\"$MODULESDIR\""
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5462,7 +5540,9 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted" save_command "date > $STATEDIR/restarted"
save_command 'iptables-restore << EOF' save_command "progress_message Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and 'EOF' # 'shorewall save' appends the iptables-save output and 'EOF'
@ -5938,7 +6018,7 @@ do_initialize() {
determine_capabilities determine_capabilities
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
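Review bot: In the new verify_interface, `[ -n $BRIDGING ]` leaves the variable unquoted, so when BRIDGING is empty the test collapses to `[ -n ]`, which is true, and the guard always falls through to `list_search $1 $all_ports`; the sibling functions match_source_dev and match_dest_dev quote it, so the line should read `known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }`. Today that presumably only matters when `$all_ports` is non-empty without bridging enabled, but every caller added in this commit (process_tc_rule, the accounting, action, rule and tos verifiers) now relies on this one function to reject unknown interface names, so the guard is worth getting right. Separately, the iptables-restore heredoc in define_firewall now closes with `__EOF__` while the comment beneath it still says `shorewall save` appends `EOF`; if the save command lives outside this commit and still writes the literal `EOF`, the generated restore file would contain an unterminated heredoc, so that comment and the save-side terminator should be checked together.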


@ -1 +1 @@
2.0.2b 2.0.2c


@ -1 +1 @@
2.0.2b 2.0.2c


@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-17</pubdate> <pubdate>2004-05-21</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -111,6 +111,11 @@
<para>If <filename>/var/lib/shorewall</filename> does not exist, <para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para> <command>shorewall start</command> fails.</para>
</listitem> </listitem>
<listitem>
<para>DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>These problems are corrected by the <filename>firewall</filename> <para>These problems are corrected by the <filename>firewall</filename>
@ -120,7 +125,8 @@
as described above.</para> as described above.</para>
<para>The first two problems are also corrected in Shorewall version <para>The first two problems are also corrected in Shorewall version
2.0.2a while all four problems are corrected in 2.0.2b.</para> 2.0.2a, the first four problems are corrected in 2.0.2b and all five
problems are corrected in 2.0.2c.</para>
</section> </section>
<section> <section>
@ -237,7 +243,8 @@
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added <para><revhistory><revision><revnumber>1.17</revnumber><date>2004-05-21</date><authorinitials>TE</authorinitials><revremark>Added
DNAT dynamic zone bug.</revremark></revision><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add 2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add