Document dynamic zones; add 'list' command to list dynamic zone content
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a7126b6b4c
commit
d83334a1d1
@ -6,6 +6,8 @@ Changes in Shorewall 4.3.7
|
||||
|
||||
3) Fix DNAT- parsing of DEST column.
|
||||
|
||||
4) Implement dynamic zones
|
||||
|
||||
Changes in Shorewall 4.3.6
|
||||
|
||||
1) Add SAME tcrules target.
|
||||
|
@ -1069,6 +1069,8 @@ add_command() {
|
||||
exit 2;
|
||||
fi
|
||||
|
||||
[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
|
||||
|
||||
#
|
||||
# Normalize host list
|
||||
#
|
||||
@ -1120,6 +1122,8 @@ delete_command() {
|
||||
exit 2;
|
||||
fi
|
||||
|
||||
[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
|
||||
|
||||
#
|
||||
# Normalize host list
|
||||
#
|
||||
@ -1161,6 +1165,34 @@ delete_command() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# 'list' command executor
|
||||
#
|
||||
find_sets() {
|
||||
local junk
|
||||
local setname
|
||||
|
||||
ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
|
||||
}
|
||||
|
||||
list_command() {
|
||||
|
||||
local sets
|
||||
local setname
|
||||
|
||||
[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
|
||||
|
||||
sets=$(find_sets $1)
|
||||
|
||||
for setname in $sets; do
|
||||
echo "${setname#${1}_}:"
|
||||
ipset -L $setname -n | awk 'BEGIN {prnt=0;}; \
|
||||
/^Members:/ {prnt=1; next; }; \
|
||||
/^Bindings:/ {prnt=0; }; \
|
||||
{ if (prnt == 1) print " ", $1; };'
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# 'hits' commmand executor
|
||||
#
|
||||
|
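Review bot: In `find_sets` and `list_command` a failing `ipset` (no kernel/xtables support, not running as root) is masked, because each pipeline's exit status is that of the trailing `while` or `awk`; the command then prints nothing and exits 0, and a zone that is unknown or not dynamic is indistinguishable from that case. If, as the release-notes hunk on this page states, every dynamic zone/interface pair gets its own set at start, an empty result can be reported directly after the lookup, e.g. `[ -n "$sets" ] || fatal_error "$1 is not a dynamic zone"`. The zone name is also passed unquoted (`find_sets $1`) and interpolated into a grep pattern (`grep "^Name: ${1}_"`), so a name containing spaces or regex metacharacters changes what is matched; quoting `"$1"` in both places and using `read -r junk setname` avoids that. `find_sets` and `list_command` are complete within the hunk.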
@ -18,6 +18,9 @@ released late in 2009.
|
||||
that cause new connections to use the same provider as an existing
|
||||
connection of the same kind.
|
||||
|
||||
4) Dynamic Zone support is once again available for IPv4; ipset support is
|
||||
required in your kernel and in iptables.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
M I G R A T I O N I S S U E S
|
||||
----------------------------------------------------------------------------
|
||||
@ -76,7 +79,63 @@ None.
|
||||
Shorewall6.
|
||||
|
||||
When a successful start or restart is completed, the script that
|
||||
executed the command copies itself to to /var/lib/shorewall[6/firewall.
|
||||
executed the command copies itself to to
|
||||
/var/lib/shorewall[6/firewall.
|
||||
|
||||
2) Dynamic zone support is once again available for IPv4. This support
|
||||
is built on top of ipsets so you must have installed the
|
||||
xtable-addons.
|
||||
|
||||
Note that the dynamic zone support built into Shorewall provides no
|
||||
additional functionality over what is provided by simply defining a
|
||||
zone in terms of an ipset (see
|
||||
http://www1.shorewall.net/ipsets.html#Dynamic).
|
||||
|
||||
You define a zone as having dynamic content in one of two ways:
|
||||
|
||||
- By specifying nets=dynamic in the OPTIONS column of an entry for
|
||||
the zone in /etc/shorewall/interfaces; or
|
||||
|
||||
- By specifying <interface>:dynamic in the HOST(S) column of an
|
||||
entry for the zone in /etc/shorewall/hosts.
|
||||
|
||||
When there are any dynamic zones present in your configuration,
|
||||
Shorewall will:
|
||||
|
||||
a) Execute the following commands during 'shorewall start'.
|
||||
|
||||
ipset -U :all: :all:
|
||||
ipset -U :all: :default:
|
||||
ipset -F
|
||||
ipset -X
|
||||
ipset -R < ${VARDIR}/ipsets.save
|
||||
|
||||
where $VARDIR normally contains /var/lib/shorewall but may be
|
||||
modified by /etc/shorewall/vardir.
|
||||
|
||||
b) During 'start', 'restart' and 'restore' processing, Shorewall
|
||||
will then attempt to create an ipset named <zone>_<interface>
|
||||
for each zone/interface pair that has been specified as
|
||||
dynamic. The type of ipset created is 'iphash' so that only
|
||||
individual IPv4 addresses may be added to the set.
|
||||
|
||||
c) Execute the following commands during 'shorewall stop':
|
||||
|
||||
if ipset -S > ${VARDIR}/ipsets.tmp; then
|
||||
mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
|
||||
fi
|
||||
|
||||
The 'shorewall add' and 'shorewall delete' commands are supported
|
||||
with their original syntax:
|
||||
|
||||
add <interface>[:<host-list>] ... <zone>
|
||||
|
||||
delete <interface>[:<host-list>] ... <zone>
|
||||
|
||||
In addition, a list command is supported that lists the dynamic
|
||||
content of a zone.
|
||||
|
||||
list <zone>
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S IN 4 . 3
|
||||
|
@ -1339,6 +1339,7 @@ usage() # $1 = exit status
|
||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||
echo " ipdecimal { <address> | <integer> }"
|
||||
echo " iprange <address>-<address>"
|
||||
echo " list <zone>"
|
||||
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
|
||||
echo " logdrop <address> ..."
|
||||
echo " logreject <address> ..."
|
||||
@ -1634,7 +1635,7 @@ case "$COMMAND" in
|
||||
shift
|
||||
check_command $@
|
||||
;;
|
||||
show|list)
|
||||
show)
|
||||
get_config Yes No Yes
|
||||
shift
|
||||
show_command $@
|
||||
@ -1750,7 +1751,13 @@ case "$COMMAND" in
|
||||
get_config
|
||||
shift
|
||||
add_command $@
|
||||
;;
|
||||
;;
|
||||
list)
|
||||
get_config
|
||||
shift;
|
||||
[ $# -eq 1 ] || usage 1
|
||||
list_command $1
|
||||
;;
|
||||
save)
|
||||
get_config
|
||||
[ -n "$debugging" ] && set -x
|
||||
|
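Review bot: The new `list)` arm, together with the earlier hunk in this section that narrows `show|list)` to `show)`, changes the meaning of an existing command: `shorewall list <what>` previously behaved as `show`, and now anything other than exactly one argument fails with `usage 1`. That is a user-visible incompatibility which the release-notes hunk on this page does not appear to mention; a one-line entry under MIGRATION ISSUES saying that 'list' is no longer a synonym for 'show' would help. Minor style in the arm: `shift;` carries a stray semicolon, and `list_command $1` could be `list_command "$1"` even though the argument count is checked on the line before. The enclosing `case "$COMMAND" in` starts and ends outside the hunk.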