Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

This commit is contained in:
Tom Eastep 2015-03-06 14:10:13 -08:00
commit d6f8cda2d5
8 changed files with 141 additions and 59 deletions

View File

@ -387,7 +387,7 @@ do_save() {
status=0
if [ -f ${VARDIR}/firewall ]; then
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
if $iptables_save | iptablesbug | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/firewall $g_restorepath
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
chmod +x $g_restorepath
@ -1224,6 +1224,15 @@ show_command() {
echo
show_bl;
;;
opens)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
if chain_exists dynamic; then
$g_tool -t filter -L dynamic $g_ipt_options | head -n2
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
fi
;;
*)
case "$g_program" in
*-lite)
@ -2080,49 +2089,68 @@ open_close_command() {
local command
local desc
chain_exists dynamic || fatal_error "The $COMMAND command requires the firewall to be running with DYNAMIC_BLACKLIST enabled"
[ $COMMAND = open ] && command='-I dynamic' || command='-D dynamic'
product_is_started || fatal_error "The $COMMAND command requires the firewall to be running"
chain_exists dynamic || fatal_error "The $COMMAND command requires DYNAMIC_BLACKLIST=Yes in the running configuration"
[ $# -ge 2 ] || fatal_error "Too few parameters"
[ $# -le 4 ] || fatal_error "Too many parameters"
if [ $1 = all ]; then
desc="from *"
command=dynamic
else
command="$command -s $1"
desc="from $1"
command="dynamic -s $1"
fi
if [ $2 = all ]; then
desc="$desc to *"
else
if [ $2 != all ]; then
command="$command -d $2"
desc="$desc to $2"
fi
desc="from $1 to $2"
if [ $# -ge 3 ]; then
command="$command -p $3"
case $3 in
[0-9]*)
desc="$desc protocol $3"
;;
*)
desc="$desc $3"
;;
esac
fi
if [ $# -eq 4 ]; then
command="$command --dport $4"
desc="$desc port $4"
fi
command="$command -m multiport --dports $4"
if $g_tool $command -j ACCEPT; then
case $COMMAND in
open)
echo "Firewall opened for connections $desc"
case $4 in
[0-9]*,)
desc="$desc ports $4"
;;
[0-9]*)
desc="$desc port $4"
;;
*)
echo "Firewall closed for connections $desc (may still be permitted by rules/policies)"
desc="$desc $4"
;;
esac
fi
command="$command -j ACCEPT"
if [ $COMMAND = open ]; then
if $g_tool -I $command ; then
echo "Firewall dynamically opened for connections $desc"
return 0
fi
else
if $g_tool -D $command 2> /dev/null; then
echo "Firewall dynamically closed for connections $desc (may still be permitted by rules/policies)"
return 0
fi
fatal_error "Connections $desc are not currently opened"
fi
}
#
@ -3721,6 +3749,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] [ -m ] log [<regex>]"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]"

View File

@ -865,19 +865,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
@ -1157,6 +1160,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>

View File

@ -7953,7 +7953,7 @@ else
fi
if chain_exists dynamic; then
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
$tool -S dynamic | tail -n +2 | fgrep -v -- '-j ACCEPT' > \${VARDIR}/.dynamic
else
rm -f \${VARDIR}/.dynamic
fi

View File

@ -2418,7 +2418,7 @@ EOF
case $COMMAND in
stop|clear|restore)
if chain_exists dynamic; then
${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
${IPTABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi
;;
*)
@ -2433,7 +2433,7 @@ EOF
case $COMMAND in
stop|clear|restore)
if chain_exists dynamic; then
${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
${IP6TABLES}-save -t filter | grep '^-A dynamic' | fgrep -v -- '-j ACCEPT' > ${VARDIR}/.dynamic
fi
;;
*)

View File

@ -1712,6 +1712,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] marks"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
echo " [ show | list | ls ] nfacct"
echo " [ show | list | ls ] opens"
echo " [ show | list | ls ] policies"
echo " [ show | list | ls ] routing"
echo " [ show | list | ls ] tc [ device ]"

View File

@ -1320,19 +1320,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
192.168.1.1, the command would be:</para>
@ -1844,6 +1847,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>

View File

@ -883,19 +883,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
@ -1168,6 +1171,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nat</emphasis></term>

View File

@ -1231,19 +1231,22 @@
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
(5)</ulink>. The effect of the command is to temporarily open the
firewall for connections matching the parameters. The
<replaceable>source</replaceable> and
firewall for connections matching the parameters.</para>
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. The
<replaceable>protocol</replaceable> may be specified either as a
number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> must be specified
numerically.</para>
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name.</para>
<para>The <replaceable>protocol</replaceable> may be specified
either as a number or as a name listed in /etc/protocols. The
<replaceable>port</replaceable> may be specified numerically or as a
name listed in /etc/services.</para>
<para>To reverse the effect of a successful <command>open</command>
command, use the <command>close</command> command with the same
parameters.</para>
parameters or simply restart the firewall.</para>
<para>Example: To open the firewall for SSH connections to address
2001:470:b:227::1, the command would be:</para>
@ -1725,6 +1728,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">opens</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
the 'dynamic' chain created through use of the <command>open
</command>command..</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>