Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

This commit is contained in:
Tom Eastep 2015-03-06 14:10:13 -08:00
commit d6f8cda2d5
8 changed files with 141 additions and 59 deletions

View File

@ -387,7 +387,7 @@ do_save() {
status=0 status=0
if [ -f ${VARDIR}/firewall ]; then if [ -f ${VARDIR}/firewall ]; then
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/firewall $g_restorepath cp -f ${VARDIR}/firewall $g_restorepath
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
chmod +x $g_restorepath chmod +x $g_restorepath
@ -1224,6 +1224,15 @@ show_command() {
echo echo
show_bl; show_bl;
;; ;;
opens)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then
$g_tool -t filter -L dynamic $g_ipt_options | head -n2
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
fi
;;
*) *)
case "$g_program" in case "$g_program" in
*-lite) *-lite)
@ -2080,49 +2089,68 @@ open_close_command() {
local command local command
local desc local desc
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled" product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
[ $# -ge 2 ] || fatal_error "Too few parameters" [ $# -ge 2 ] || fatal_error "Too few parameters"
[ $# -le 4 ] || fatal_error "Too many parameters" [ $# -le 4 ] || fatal_error "Too many parameters"
if [ $1 = all ]; then if [ $1 = all ]; then
desc="from *" command=dynamic
else else
command="$command -s $1" command="dynamic -s $1"
desc="from $1"
fi fi
if [ $2 = all ]; then if [ $2 != all ]; then
desc="$desc to *"
else
command="$command -d $2" command="$command -d $2"
desc="$desc to $2"
fi fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then if [ $# -ge 3 ]; then
command="$command -p $3" command="$command -p $3"
case $3 in
[0-9]*)
desc="$desc protocol $3" desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
fi fi
if [ $# -eq 4 ]; then if [ $# -eq 4 ]; then
command="$command --dport $4" command="$command -m multiport --dports $4"
desc="$desc port $4"
fi
if $g_tool $command -j ACCEPT; then case $4 in
case $COMMAND in [0-9]*,)
open) desc="$desc ports $4"
echo "Firewall opened for connections $desc" ;;
[0-9]*)
desc="$desc port $4"
;; ;;
*) *)
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)" desc="$desc $4"
;; ;;
esac esac
fi
command="$command -j ACCEPT"
if [ $COMMAND = open ]; then
if $g_tool -I $command ; then
echo "Firewall dynamically opened for connections $desc"
return 0 return 0
fi fi
else
if $g_tool -D $command 2> /dev/null; then
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
return 0
fi
fatal_error "Connections $desc are not currently opened"
fi
} }
# #
@ -3721,6 +3749,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -m ] log [<regex>]"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies" echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing" echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] tc [ device ]"

View File

@ -865,19 +865,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf <ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the (5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The firewall for connections matching the parameters.</para>
<replaceable>source</replaceable> and
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as <replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict <emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The the connection source or destination respectively. Otherwise, each
<replaceable>protocol</replaceable> may be specified either as a must contain a host or network address or a valid DNS name.</para>
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified <para>The <replaceable>protocol</replaceable> may be specified
numerically.</para> either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command> <para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same command, use the <command>close</command> command with the same
parameters.</para> parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address <para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para> 192.168.1.1, the command would be:</para>
@ -1157,6 +1160,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>

View File

@ -7953,7 +7953,7 @@ else
fi fi
if chain_exists dynamic; then if chain_exists dynamic; then
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic $tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
else else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi

View File

@ -2418,7 +2418,7 @@ EOF
case $COMMAND in case $COMMAND in
stop|clear|restore) stop|clear|restore)
if chain_exists dynamic; then if chain_exists dynamic; then
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic ${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi fi
;; ;;
*) *)
@ -2433,7 +2433,7 @@ EOF
case $COMMAND in case $COMMAND in
stop|clear|restore) stop|clear|restore)
if chain_exists dynamic; then if chain_exists dynamic; then
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic ${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi fi
;; ;;
*) *)

View File

@ -1712,6 +1712,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] marks" echo " [ show | list | ls ] marks"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies" echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing" echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] tc [ device ]"

View File

@ -1320,19 +1320,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf <ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the (5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The firewall for connections matching the parameters.</para>
<replaceable>source</replaceable> and
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as <replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict <emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The the connection source or destination respectively. Otherwise, each
<replaceable>protocol</replaceable> may be specified either as a must contain a host or network address or a valid DNS name.</para>
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified <para>The <replaceable>protocol</replaceable> may be specified
numerically.</para> either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command> <para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same command, use the <command>close</command> command with the same
parameters.</para> parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address <para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para> 192.168.1.1, the command would be:</para>
@ -1844,6 +1847,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>

View File

@ -883,19 +883,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the (5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The firewall for connections matching the parameters.</para>
<replaceable>source</replaceable> and
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as <replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict <emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The the connection source or destination respectively. Otherwise, each
<replaceable>protocol</replaceable> may be specified either as a must contain a host or network address or a valid DNS name.</para>
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified <para>The <replaceable>protocol</replaceable> may be specified
numerically.</para> either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command> <para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same command, use the <command>close</command> command with the same
parameters.</para> parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address <para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para> 2001:470:b:227::1, the command would be:</para>
@ -1168,6 +1171,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">nat</emphasis></term> <term><emphasis role="bold">nat</emphasis></term>

View File

@ -1231,19 +1231,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the (5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The firewall for connections matching the parameters.</para>
<replaceable>source</replaceable> and
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as <replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict <emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The the connection source or destination respectively. Otherwise, each
<replaceable>protocol</replaceable> may be specified either as a must contain a host or network address or a valid DNS name.</para>
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified <para>The <replaceable>protocol</replaceable> may be specified
numerically.</para> either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command> <para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same command, use the <command>close</command> command with the same
parameters.</para> parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address <para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para> 2001:470:b:227::1, the command would be:</para>
@ -1725,6 +1728,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">policies</emphasis></term> <term><emphasis role="bold">policies</emphasis></term>