Allow exclusion lists in Actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2518 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-17 21:00:33 +00:00
parent 474e042d47
commit c88858382c
3 changed files with 87 additions and 59 deletions


@ -9,6 +9,8 @@ Changes in 2.5.3
4) Implement find_interface_by_mac()
5) Allow exclusion lists in actions.
Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting.


@ -3682,6 +3682,8 @@ refresh_tc() {
#
add_an_action()
{
local chain1
do_ports() {
if [ -n "$port" ]; then
dports="--dport"
@ -3712,6 +3714,20 @@ add_an_action()
verify_interface $1 || interface_error $1
}
handle_exclusion()
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
cli=
proto=
sports=
multiport=
dports=
user=
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -3766,6 +3782,8 @@ add_an_action()
proto=$protocol
servport=$serverport
multiport=
chain1=$chain
user="$userandgroup"
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
@ -3798,26 +3816,30 @@ add_an_action()
esac
if [ $COMMAND != check ]; then
if [ -n "${excludesource}${excludedest}" ]; then
handle_exclusion
fi
if [ -n "${serv}" ]; then
for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi
run_iptables2 -A $chain $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
done
done
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
fi
run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \
$dports $ratelimit $userandgroup -j $target
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
$dports $ratelimit $user -j $target
fi
fi
}
@ -3950,6 +3972,42 @@ process_action() # $1 = chain (Chain to add the rules to)
;;
esac
excludesource=
case ${clients:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $clients) -gt 1 ]; then
excludesource=${clients#!}
clients=
fi
;;
*!*)
excludesource=${clients#*!}
clients=${clients%!*}
;;
esac
excludedest=
case ${servers:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $servers) -gt 1 ]; then
excludedest=${servers#*!}
servers=
fi
;;
*!*)
excludedest=${servers#*!}
servers=${servers%!*}
;;
esac
# Generate Netfilter rule(s)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
@ -3964,8 +4022,8 @@ process_action() # $1 = chain (Chain to add the rules to)
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
#
# add_an_action() modifies these so we must set their values each time
#
@ -3986,8 +4044,8 @@ process_action() # $1 = chain (Chain to add the rules to)
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
#
# add_an_action() modifies these so we must set their values each time
#
@ -4001,8 +4059,8 @@ process_action() # $1 = chain (Chain to add the rules to)
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
for client in $(separate_list $clients); do
for server in $(separate_list $servers); do
for port in $(separate_list ${ports:=-}); do
for cport in $(separate_list ${cports:=-}); do
add_an_action
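Review bot: The `!*)` arms of the new SOURCE/DEST parsing in process_action assign `clients=` and `servers=` (empty) when the list has more than one element, yet the three loop pairs below now expand bare `$clients` / `$servers` where the removed lines had `${clients:=-}` / `${servers:=-}` as a default. If separate_list yields no words for an empty argument (it appears to only split on commas), every one of those loops runs zero times, add_an_action is never reached, and an action entry whose SOURCE or DEST is purely an exclusion list is silently dropped — for a DROP/REJECT action that is a silent policy gap rather than a visible error. Restoring the default on the loop lines, or writing `clients=-` and `servers=-` in the two arms instead of the empty assignments, keeps the exclusion path going through handle_exclusion. Separately, the single-element case (`!addr`, list_count of 1) leaves the leading `!` in `clients`/`servers`; presumably fix_bang turns that into a negated match, but it is worth a comment on the arm, e.g. `# single "!addr" is passed through and negated by fix_bang`. process_action begins before this hunk and continues past it.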


@ -6,7 +6,8 @@ New Features in Shorewall 2.5.3
1) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
Shorewall will generate the rule that you expect.
in action files and Shorewall will generate the rule that you
expect.
2) Tunnel types "openvpnserver" and "openvpnclient" have been added
to reflect the introduction of client and server OpenVPN
@ -41,49 +42,6 @@ Problems Corrected in 2.5.2:
2) The packet type match capability is now correctly reported when
PKTTYPE=No in /etc/shorewall/shorewall.conf.
New Features in Shorewall 2.5.2
1) A new FASTACCEPT option has been added to shorewall.conf.
Normally, Shorewall accepting ESTABLISHED/RELATED packets until
these packets reach the chain in which the original connection was
accepted. So for packets going from the 'loc' zone to the 'net'
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
chain.
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
/etc/shorewall/policy (see above).
2) Shorewall not generates an error if the 'norfc1918' option is
specified for an interface with an RFC 1918 address.
3) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules and
Shorewall will generate the rule that you expect.
Example 1:
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 \
net tcp 80
That rule would allow loc->net HTTP access except for the local
networks 192.168.1.0/24 and 10.0.0.0/8.
Example 2:
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:192.168.1.0/24!192.168.1.3,192.168.1.10 \
net tcp 80
This rule allows loc->net HTTP access to the 192.168.1.0/24
network except for hosts 192.168.1.3 and 192.168.1.10.
4) /proc/version has been added to the output of the "shorewall dump"
command.
Problems Corrected in 2.5.1:
1) Shorewall is no longer dependent on the 'which' utility.
@ -417,10 +375,11 @@ New Features in Shorewall 2.5.*
specified for an interface with an RFC 1918 address.
10) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/rules and
Shorewall will generate the rule that you expect.
SOURCE and DEST columns of entries in /etc/shorewall/rules,
/etc/shorewall/tcrules and in action files and Shorewall will
generate the rule that you expect.
Example:
Example 1 (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 net tcp 80
@ -428,6 +387,15 @@ New Features in Shorewall 2.5.*
That rule would allow loc->net HTTP access except for the local
networks 192.168.1.0/24 and 10.0.0.0/8.
Example 2 (/etc/shorewall/rules):
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc:10.0.0.0/24!10.0.0.4,10.0.0.22 \
net tcp 80
That rule would allow loc->net HTTP access from the local
network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.
11) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
Shorewall will generate the rule that you expect.