Minor Code reorganization -- move code inline from "initialize_netfilter()"

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-08-30 20:33:14 +00:00
parent d9a327100e
commit cf8cc1a899


@ -3463,241 +3463,6 @@ validate_blacklist() {
done < $TMP_DIR/blacklist
}
#
# Perform Initialization
# - Delete all old rules
# - Delete all user chains
# - Set the POLICY on all standard chains and add a rule to allow packets
# that are part of established connections
# - Determine the zones
#
initialize_netfilter () {
setup_mss()
{
case $CLAMPMSS in
Yes)
option="--clamp-mss-to-pmtu"
;;
*)
option="--set-mss $CLAMPMSS"
;;
esac
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
}
report_capabilities
if [ -n "$BRIDGING" ]; then
[ -n "$PHYSDEV_MATCH" ] || fatal_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
fatal_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
fatal_error "RFC1918_STRICT=Yes requires Connection Tracking match"
progress_message2 "Determining Zones..."
determine_zones
if [ $VERBOSE -ge 1 ]; then
display_list "IPv4 Zones:" $IPV4_ZONES
[ -n "$IPSEC_ZONES" ] && \
display_list "IPSEC Zones:" $IPSEC_ZONES
display_list "Firewall Zone:" $FW
fi
progress_message2 "Validating interfaces file..."
validate_interfaces_file
progress_message2 "Validating hosts file..."
validate_hosts_file
define_builtin_actions
if [ -n "$USE_ACTIONS" ]; then
progress_message2 "Pre-processing Actions..."
process_actions1
fi
progress_message2 "Validating Policy file..."
validate_policy
progress_message2 "Determining Hosts in Zones..."
determine_interfaces
determine_hosts
append_file init
strip_file rules
strip_file maclist
TERMINATOR=fatal_error
deletechain shorewall
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt_iptables -t nat -P $chain ACCEPT
done
fi
delete_proxy_arp
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt_iptables -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt_iptables -t raw -P $chain ACCEPT
done
fi
[ -n "$CLEAR_TC" ] && delete_tc
progress_message2 "Deleting user chains..."
save_progress_message "Deleting user chains..."
exists_INPUT=Yes
exists_OUTPUT=Yes
exists_FORWARD=Yes
process_criticalhosts
if [ -n "$CRITICALHOSTS" ]; then
setpolicy INPUT ACCEPT
setpolicy OUTPUT ACCEPT
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
setpolicy INPUT DROP
setpolicy OUTPUT DROP
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
else
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
fi
f=$(find_file ipsets)
if [ -f $f ]; then
progress_message2 "Processing $f ..."
save_progress_message "Restoring IPSETS..."
save_command "ipset -U :all: :all:"
save_command "ipset -F"
save_command "ipset -X"
save_command "ipset -R < $f"
fi
append_file continue
f=$(find_file routestopped)
progress_message2 "$DOING $f ..."
strip_file routestopped $f
process_routestopped -A
if [ -n "$DISABLE_IPV6" ]; then
save_command disable_ipv6
fi
save_progress_message "Enabling Loopback and DNS Lookups"
#
# Enable the Loopback interface for now
#
run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT
#
# Allow DNS lookups during startup for FQDNs
#
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
done
strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
createchain reject no
createchain dynamic no
createchain logdrop no
createchain logreject no
createchain smurfs no
log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
run_iptables -A logdrop -j DROP
run_iptables -A logreject -j reject
indent >&3 << __EOF__
if [ -f \${VARDIR}/save ]; then
progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do
case \$target in
DROP|reject|logdrop|logreject)
run_iptables -A dynamic -s \$address -j \$target
;;
esac
done < \${VARDIR}/save
fi
__EOF__
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
progress_message2 "Creating Interface Chains..."
save_progress_message "Creating Interface Chains..."
for interface in $ALL_INTERFACES; do
for chain in $(input_chain $interface) $(forward_chain $interface); do
createchain $chain no
run_iptables -A $chain $state -j dynamic
done
done
}
#
# Construct zone-independent rules
#
@ -4814,6 +4579,20 @@ compile_firewall() # $1 = File Name
local INDENT=""
local checking=
setup_mss()
{
case $CLAMPMSS in
Yes)
option="--clamp-mss-to-pmtu"
;;
*)
option="--set-mss $CLAMPMSS"
;;
esac
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
}
outfile=$1 dir=
#
# Overload a function from the library
@ -5145,7 +4924,216 @@ __EOF__
progress_message2 "Initializing..."
save_progress_message "Initializing..."
initialize_netfilter
report_capabilities
if [ -n "$BRIDGING" ]; then
[ -n "$PHYSDEV_MATCH" ] || fatal_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
fatal_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
fatal_error "RFC1918_STRICT=Yes requires Connection Tracking match"
progress_message2 "Determining Zones..."
determine_zones
if [ $VERBOSE -ge 1 ]; then
display_list "IPv4 Zones:" $IPV4_ZONES
[ -n "$IPSEC_ZONES" ] && \
display_list "IPSEC Zones:" $IPSEC_ZONES
display_list "Firewall Zone:" $FW
fi
progress_message2 "Validating interfaces file..."
validate_interfaces_file
progress_message2 "Validating hosts file..."
validate_hosts_file
define_builtin_actions
if [ -n "$USE_ACTIONS" ]; then
progress_message2 "Pre-processing Actions..."
process_actions1
fi
progress_message2 "Validating Policy file..."
validate_policy
progress_message2 "Determining Hosts in Zones..."
determine_interfaces
determine_hosts
append_file init
strip_file rules
strip_file maclist
TERMINATOR=fatal_error
deletechain shorewall
if [ -n "$NAT_ENABLED" ]; then
delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do
qt_iptables -t nat -P $chain ACCEPT
done
fi
delete_proxy_arp
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -F
run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt_iptables -t mangle -P $chain ACCEPT
done
fi
if [ -n "$RAW_TABLE" ]; then
run_iptables -t raw -F
run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do
qt_iptables -t raw -P $chain ACCEPT
done
fi
[ -n "$CLEAR_TC" ] && delete_tc
progress_message2 "Deleting user chains..."
save_progress_message "Deleting user chains..."
exists_INPUT=Yes
exists_OUTPUT=Yes
exists_FORWARD=Yes
process_criticalhosts
if [ -n "$CRITICALHOSTS" ]; then
setpolicy INPUT ACCEPT
setpolicy OUTPUT ACCEPT
setpolicy FORWARD DROP
deleteallchains
enable_critical_hosts
setpolicy INPUT DROP
setpolicy OUTPUT DROP
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
else
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
fi
f=$(find_file ipsets)
if [ -f $f ]; then
progress_message2 "Processing $f ..."
save_progress_message "Restoring IPSETS..."
save_command "ipset -U :all: :all:"
save_command "ipset -F"
save_command "ipset -X"
save_command "ipset -R < $f"
fi
append_file continue
f=$(find_file routestopped)
progress_message2 "$DOING $f ..."
strip_file routestopped $f
process_routestopped -A
if [ -n "$DISABLE_IPV6" ]; then
save_command disable_ipv6
fi
save_progress_message "Enabling Loopback and DNS Lookups"
#
# Enable the Loopback interface for now
#
run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT
#
# Allow DNS lookups during startup for FQDNs
#
for chain in INPUT OUTPUT FORWARD; do
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
done
strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
createchain reject no
createchain dynamic no
createchain logdrop no
createchain logreject no
createchain smurfs no
log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
run_iptables -A logdrop -j DROP
run_iptables -A logreject -j reject
indent >&3 << __EOF__
if [ -f \${VARDIR}/save ]; then
progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do
case \$target in
DROP|reject|logdrop|logreject)
run_iptables -A dynamic -s \$address -j \$target
;;
esac
done < \${VARDIR}/save
fi
__EOF__
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
progress_message2 "Creating Interface Chains..."
save_progress_message "Creating Interface Chains..."
for interface in $ALL_INTERFACES; do
for chain in $(input_chain $interface) $(forward_chain $interface); do
createchain $chain no
run_iptables -A $chain $state -j dynamic
done
done
if strip_file_and_lib_load proxyarp proxyarp; then
progress_message2 "$DOING Proxy ARP"