diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 04d48c61b..08341ed0a 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -9,6 +9,8 @@ Changes in 2.5.3
 4) Implement find_interface_by_mac()
+5) Allow exclusion lists in actions.
+
 Changes in 2.5.2
 1) Allow port lists in /etc/sorewall/accounting.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index a9e25cc26..01350b840 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3682,6 +3682,8 @@ refresh_tc() {
 #
 add_an_action()
 {
+ local chain1
+
 do_ports() {
 if [ -n "$port" ]; then
 dports="--dport"
@@ -3712,6 +3714,20 @@ add_an_action()
 verify_interface $1 || interface_error $1
 }
+ handle_exclusion()
+ {
+ build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
+
+ run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
+
+ cli=
+ proto=
+ sports=
+ multiport=
+ dports=
+ user=
+ }
+
 # Set source variables. The 'cli' variable will hold the client match predicate(s).
 cli=
@@ -3766,6 +3782,8 @@ add_an_action()
 proto=$protocol
 servport=$serverport
 multiport=
+ chain1=$chain
+
 user="$userandgroup"
 [ x$port = x- ] && port=
 [ x$cport = x- ] && cport=
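Review bot: `handle_exclusion` reads and then clears add_an_action's working variables (`cli`, `proto`, `sports`, `multiport`, `dports`, `user`) as a side effect, and nothing at the definition says so; a header comment would help: `# Build the exclusion chain for $excludesource/$excludedest (name presumably stored in chain1 by build_exclusion_chain), jump to it from $chain with the positive matches, then clear those matches so rules later appended to $chain1 are not matched twice.` The jump rule is emitted with `run_iptables` while the rules appended afterwards in this function use `run_iptables2`; if the two differ in error handling or capability fallback (both are defined outside this diff), the jump may want the same helper. The remainder of add_an_action's body, where `chain1` is consumed, lies outside this hunk.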
@@ -3798,26 +3816,30 @@ add_an_action()
 esac
 if [ $COMMAND != check ]; then
+ if [ -n "${excludesource}${excludedest}" ]; then
+ handle_exclusion
+ fi
+
 if [ -n "${serv}" ]; then
 for serv1 in $(separate_list $serv); do
 for srv in $(firewall_ip_range $serv1); do
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+ log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
 $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 fi
- run_iptables2 -A $chain $proto $multiport $cli $sports \
- $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
+ run_iptables2 -A $chain1 $proto $multiport $cli $sports \
+ $(dest_ip_range $srv) $dports $ratelimit $user -j $target
 done
 done
 else
 if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+ log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
 $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
 fi
- run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \
- $dports $ratelimit $userandgroup -j $target
+ run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
+ $dports $ratelimit $user -j $target
 fi
 fi
 }
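Review bot: The switch from `$chain` to `$chain1` in the four rule and log calls is only correct because `handle_exclusion`, when it runs, has already appended the jump carrying `cli`/`proto`/`sports`/`dports`/`user` and then cleared them, and because `chain1` was initialised to `$chain` earlier in the function; neither fact is visible at these lines. A comment before `if [ -n "${serv}" ]` would make that explicit: `# From here on rules go to $chain1: the original chain, or the exclusion chain handle_exclusion jumped to from $chain (in which case the source/port/user matches were consumed by the jump and cleared).` Note that the exclusion path is skipped entirely when `$COMMAND` is `check`, so a bad exclusion list would presumably only surface at start/restart rather than under `shorewall check`; that may be acceptable but is worth stating. The `chain1=$chain` initialisation and the rest of add_an_action's body are outside this hunk.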
@@ -3950,6 +3972,42 @@ process_action() # $1 = chain (Chain to add the rules to)
 ;;
 esac
+ excludesource=
+
+ case ${clients:=-} in
+ *!*!*)
+ fatal_error "Invalid SOURCE in rule \"$rule\""
+ ;;
+ !*)
+ if [ $(list_count $clients) -gt 1 ]; then
+ excludesource=${clients#!}
+ clients=
+ fi
+ ;;
+ *!*)
+ excludesource=${clients#*!}
+ clients=${clients%!*}
+ ;;
+ esac
+
+ excludedest=
+
+ case ${servers:=-} in
+ *!*!*)
+ fatal_error "Invalid DEST in rule \"$rule\""
+ ;;
+ !*)
+ if [ $(list_count $servers) -gt 1 ]; then
+ excludedest=${servers#*!}
+ servers=
+ fi
+ ;;
+ *!*)
+ excludedest=${servers#*!}
+ servers=${servers%!*}
+ ;;
+ esac
+
 # Generate Netfilter rule(s)
 [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
@@ -3964,8 +4022,8 @@ process_action() # $1 = chain (Chain to add the rules to)
 # 16 ports are listed (port ranges count as two ports) - use multiport match.
 #
 multioption="-m multiport"
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
+ for client in $(separate_list $clients); do
+ for server in $(separate_list $servers); do
 #
 # add_an_action() modifies these so we must set their values each time
 #
@@ -3986,8 +4044,8 @@ process_action() # $1 = chain (Chain to add the rules to)
 # 16 ports are listed - use multiport match.
 #
 multioption="-m multiport"
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
+ for client in $(separate_list $clients); do
+ for server in $(separate_list $servers); do
 #
 # add_an_action() modifies these so we must set their values each time
 #
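Review bot: In the `!*)` arm of the SOURCE case, `clients=` leaves `clients` empty whenever the whole SOURCE is an exclusion of two or more addresses, and the loops below were changed from `${clients:=-}` to `$clients`; if `separate_list` yields no words for an empty string (its definition is outside this diff), `for client in …` never iterates and the rule, exclusion chain included, is silently not generated — for a DROP/REJECT action that means the traffic it was meant to stop is not stopped. The `servers=` assignment in the DEST case has the same exposure. Keeping the placeholder explicit, `clients=-` and `servers=-`, preserves the previous default and guarantees one iteration. Separately, `excludesource=${clients#!}` and `excludedest=${servers#*!}` strip the same prefix with two different spellings; one form in both arms would read better. process_action's body continues outside this hunk.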
@@ -4001,8 +4059,8 @@ process_action() # $1 = chain (Chain to add the rules to)
 # MULTIPORT is disabled or the rule isn't compatible with multiport match
 #
 multioption=
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
+ for client in $(separate_list $clients); do
+ for server in $(separate_list $servers); do
 for port in $(separate_list ${ports:=-}); do
 for cport in $(separate_list ${cports:=-}); do
 add_an_action
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 77c91df98..c8174c298 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -6,7 +6,8 @@ New Features in Shorewall 2.5.3
 1) You may now specify "!" followed by a list of addresses in the SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
- Shorewall will generate the rule that you expect.
+ in action files and Shorewall will generate the rule that you
+ expect.
 2) Tunnel types "openvpnserver" and "openvpnclient" have been added to reflect the introduction of client and server OpenVPN
@@ -41,49 +42,6 @@ Problems Corrected in 2.5.2:
 2) The packet type match capability is now correctly reported when PKTTYPE=No in /etc/shorewall/shorewall.conf.
-New Features in Shorewall 2.5.2
-
-1) A new FASTACCEPT option has been added to shorewall.conf.
-
- Normally, Shorewall accepting ESTABLISHED/RELATED packets until
- these packets reach the chain in which the original connection was
- accepted. So for packets going from the 'loc' zone to the 'net'
- zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
- chain.
-
- If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
- accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
- FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
- /etc/shorewall/policy (see above).
-
-2) Shorewall not generates an error if the 'norfc1918' option is
- specified for an interface with an RFC 1918 address.
-
-3) You may now specify "!" followed by a list of addresses in the
- SOURCE and DEST columns of entries in /etc/shorewall/rules and
- Shorewall will generate the rule that you expect.
-
- Example 1:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
- ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 \
- net tcp 80
-
- That rule would allow loc->net HTTP access except for the local
- networks 192.168.1.0/24 and 10.0.0.0/8.
-
- Example 2:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
- ACCEPT loc:192.168.1.0/24!192.168.1.3,192.168.1.10 \
- net tcp 80
-
- This rule allows loc->net HTTP access to the 192.168.1.0/24
- network except for hosts 192.168.1.3 and 192.168.1.10.
-
-4) /proc/version has been added to the output of the "shorewall dump"
- command.
-
 Problems Corrected in 2.5.1:
 1) Shorewall is no longer dependent on the 'which' utility.
@@ -417,10 +375,11 @@ New Features in Shorewall 2.5.*
 specified for an interface with an RFC 1918 address.
 10) You may now specify "!" followed by a list of addresses in the
- SOURCE and DEST columns of entries in /etc/shorewall/rules and
- Shorewall will generate the rule that you expect.
+ SOURCE and DEST columns of entries in /etc/shorewall/rules,
+ /etc/shorewall/tcrules and in action files and Shorewall will
+ generate the rule that you expect.
- Example:
+ Example 1 (/etc/shorewall/rules):
 #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 net tcp 80
@@ -428,6 +387,15 @@ New Features in Shorewall 2.5.*
 That rule would allow loc->net HTTP access except for the local networks 192.168.1.0/24 and 10.0.0.0/8.
+ Example 2 (/etc/shorewall/rules):
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+ ACCEPT loc:10.0.0.0/24!10.0.0.4,10.0.0.22 \
+ net tcp 80
+
+ That rule would allow loc->net HTTP access from the local
+ network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.
+
 11) You may now specify "!" followed by a list of addresses in the SOURCE and DEST columns of entries in /etc/shorewall/tcrules and Shorewall will generate the rule that you expect.