From d83334a1d14798efab4c709d6af9a78e36594f8f Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 6 Mar 2009 20:25:59 +0000
Subject: [PATCH] Document dynamic zones; add 'list' command to list dynamic zone content
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/lib.cli | 32 ++++++++++++++++++++
 Shorewall/releasenotes.txt | 61 +++++++++++++++++++++++++++++++++++++-
 Shorewall/shorewall | 11 +++++--
 4 files changed, 103 insertions(+), 3 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 9bb2f7093..52ec7a746 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in Shorewall 4.3.7
 
 3) Fix DNAT- parsing of DEST column.
 
+4) Implement dynamic zones
+
 Changes in Shorewall 4.3.6
 
 1) Add SAME tcrules target.
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index b541cf4ea..6e0351d4a 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1069,6 +1069,8 @@ add_command() {
 exit 2;
 fi
 
+ [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
 #
 # Normalize host list
 #
@@ -1120,6 +1122,8 @@ delete_command() {
 exit 2;
 fi
 
+ [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
 #
 # Normalize host list
 #
@@ -1161,6 +1165,34 @@ delete_command() {
 }
 
+#
+# 'list' command executor
+#
+find_sets() {
+ local junk
+ local setname
+
+ ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+}
+
+list_command() {
+
+ local sets
+ local setname
+
+ [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
+ sets=$(find_sets $1)
+
+ for setname in $sets; do
+ echo "${setname#${1}_}:"
+ ipset -L $setname -n | awk 'BEGIN {prnt=0;}; \
+ /^Members:/ {prnt=1; next; }; \
+ /^Bindings:/ {prnt=0; }; \
+ { if (prnt == 1) print " ", $1; };'
+ done
+}
+
 #
 # 'hits' commmand executor
 #
 
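Review bot: `find_sets` interpolates the zone name into a regular expression, `grep "^Name: ${1}_"`, so any regex metacharacter in `$1` changes what is matched; if zone names are already limited to letters, digits and underscores this is only defensive, but a fixed-prefix test in one awk stage is safer and also replaces the `while read` loop: `ipset -L -n | awk -v p="${1}_" '$1 == "Name:" && index($2, p) == 1 { print $2 }'`. In `list_command` an unknown or non-dynamic zone leaves `$sets` empty, so the loop prints nothing and the command still exits 0; `[ -n "$sets" ] || fatal_error "$1 is not a dynamic zone"` after the assignment would report that. The awk member filter keys on the `Members:` and `Bindings:` headers of `ipset -L` output, which ties it to that output layout and deserves a one-line comment saying so. The ipset presence check added here repeats the line added to add_command and delete_command in the two hunks above; a small shared helper would keep the message in one place.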
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0242ea2ed..8dc90312c 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -18,6 +18,9 @@ released late in 2009. that cause new connections to use the same provider as an existing connection of the same kind. +4) Dynamic Zone support is once again available for IPv4; ipset support is + required in your kernel and in iptables. + ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -76,7 +79,63 @@ None. Shorewall6. When a successful start or restart is completed, the script that - executed the command copies itself to to /var/lib/shorewall[6/firewall. + executed the command copies itself to to + /var/lib/shorewall[6/firewall. + +2) Dynamic zone support is once again available for IPv4. This support + is built on top of ipsets so you must have installed the + xtable-addons. + + Note that the dynamic zone support built into Shorewall provides no + additional functionality over what is provided by simply defining a + zone in terms of an ipset (see + http://www1.shorewall.net/ipsets.html#Dynamic). + + You define a zone as having dynamic content in one of two ways: + + - By specifying nets=dynamic in the OPTIONS column of an entry for + the zone in /etc/shorewall/interfaces; or + + - By specifying :dynamic in the HOST(S) column of an + entry for the zone in /etc/shorewall/hosts. + + When there are any dynamic zones present in your configuration, + Shorewall will: + + a) Execute the following commands during 'shorewall start'. + + ipset -U :all: :all: + ipset -U :all: :default: + ipset -F + ipset -X + ipset -R < ${VARDIR}/ipsets.save + + where $VARDIR normally contains /var/lib/shorewall but may be + modified by /etc/shorewall/vardir. + + b) During 'start', 'restart' and 'restore' processing, Shorewall + will then attempt to create an ipset named _ + for each zone/interface pair that has been specified as + dynamic. The type of ipset created is 'iphash' so that only + individual IPv4 addresses may be added to the set. + + c) Execute the following commands during 'shorewall stop': + + if ipset -S > ${VARDIR}/ipsets.tmp; then + mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save + fi + + The 'shorewall add' and 'shorewall delete' commands are supported + with their original syntax: + + add [:] ... + + delete [:] ... + + In addition, a list command is supported that lists the dynamic + content of a zone. 
+ + list ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index d8caea668..6a56bf74e 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -1339,6 +1339,7 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " list " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..."
@@ -1634,7 +1635,7 @@ case "$COMMAND" in
 shift
 check_command $@
 ;;
- show|list)
+ show)
 get_config Yes No Yes
 shift
 show_command $@
@@ -1750,7 +1751,13 @@ case "$COMMAND" in
 get_config
 shift
 add_command $@
- ;;
+ ;;
+ list)
+ get_config
+ shift;
+ [ $# -eq 1 ] || usage 1
+ list_command $1
+ ;;
 save)
 get_config
 [ -n "$debugging" ] && set -x
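Review bot: Narrowing `show|list)` to `show)` means `shorewall list ...` no longer behaves as `show`, a user-visible change that the release notes in this commit do not mention; they only describe the new list command. A sentence under the migration issues section, such as `'shorewall list' is now the dynamic zone list command and is no longer a synonym for 'shorewall show'`, would warn anyone whose scripts use the old spelling. The enclosing case statement starts and ends outside the hunk.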
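Review bot: The new `list)` arm passes the zone unquoted, `list_command $1`, and carries a stray semicolon in `shift;`; `shift` and `list_command "$1"` keep the argument intact even if it ever contains whitespace or glob characters. The `[ $# -eq 1 ] || usage 1` guard is the only argument-count check on this path, since list_command in lib.cli does not validate `$1` itself, so it should stay. The enclosing case statement starts and ends outside the hunk.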