Document dynamic zones; add 'list' command to list dynamic zone content

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -6,6 +6,8 @@ Changes in Shorewall 4.3.7
 
 3)  Fix DNAT- parsing of DEST column.
 
+4)  Implement dynamic zones
+
 Changes in Shorewall 4.3.6
 
 1)  Add SAME tcrules target.

Shorewall/lib.cli

@@ -1069,6 +1069,8 @@ add_command() {
 	exit 2;
     fi
 
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
     #
     # Normalize host list
     #
@@ -1120,6 +1122,8 @@ delete_command() {
 	exit 2;
     fi
 
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
     #
     # Normalize host list
     #
@@ -1161,6 +1165,34 @@ delete_command() {
 	
 }
 
+#
+# 'list' command executor
+#
+find_sets() {
+    local junk
+    local setname
+
+    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+}
+
+list_command() {
+
+    local sets
+    local setname
+
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
+    sets=$(find_sets $1)
+
+    for setname in $sets; do
+	echo "${setname#${1}_}:"
+	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
+                                    /^Members:/  {prnt=1; next; }; \
+                                    /^Bindings:/ {prnt=0; }; \
+                                                 { if (prnt == 1) print "   ", $1; };'
+    done
+}
+
 #
 # 'hits' commmand executor
 #

Shorewall/releasenotes.txt

@@ -18,6 +18,9 @@ released late in 2009.
    that cause new connections to use the same provider as an existing
    connection of the same kind.
 
+4) Dynamic Zone support is once again available for IPv4; ipset support is
+   required in your kernel and in iptables.
+
 ----------------------------------------------------------------------------
                     M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
@@ -76,7 +79,63 @@ None.
     Shorewall6.
 
     When a successful start or restart is completed, the script that
-    executed the command copies itself to to /var/lib/shorewall[6/firewall.
+    executed the command copies itself to to
+    /var/lib/shorewall[6/firewall.
+
+2)  Dynamic zone support is once again available for IPv4. This support 
+    is built on top of ipsets so you must have installed the
+    xtable-addons.
+
+    Note that the dynamic zone support built into Shorewall provides no
+    additional functionality over what is provided by simply defining a
+    zone in terms of an ipset (see
+    http://www1.shorewall.net/ipsets.html#Dynamic). 
+
+    You define a zone as having dynamic content in one of two ways:
+
+    - By specifying nets=dynamic in the OPTIONS column of an entry for
+      the zone in /etc/shorewall/interfaces; or
+
+    - By specifying <interface>:dynamic in the HOST(S) column of an
+      entry for the zone in /etc/shorewall/hosts.
+
+    When there are any dynamic zones present in your configuration, 
+    Shorewall will:
+
+    a) Execute the following commands during 'shorewall start'.
+
+           ipset -U :all: :all:
+	   ipset -U :all: :default:
+	   ipset -F
+	   ipset -X   
+	   ipset -R < ${VARDIR}/ipsets.save
+
+       where $VARDIR normally contains /var/lib/shorewall but may be
+       modified by /etc/shorewall/vardir.
+
+    b) During 'start', 'restart' and 'restore' processing, Shorewall
+       will then attempt to create an ipset named <zone>_<interface>
+       for each zone/interface pair that has been specified as
+       dynamic. The type of ipset created is 'iphash' so that only
+       individual IPv4 addresses may be added to the set.
+
+    c) Execute the following commands during 'shorewall stop':
+
+           if ipset -S > ${VARDIR}/ipsets.tmp; then
+              mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
+	   fi
+
+    The 'shorewall add' and 'shorewall delete' commands are supported
+    with their original syntax:
+
+           add <interface>[:<host-list>] ... <zone>
+
+           delete <interface>[:<host-list>] ... <zone>
+
+    In addition, a list command is supported that lists the dynamic
+    content of a zone.
+
+    	    list <zone>
 
 ----------------------------------------------------------------------------
                  N E W   F E A T U R E S   IN   4 . 3

Shorewall/shorewall

@@ -1339,6 +1339,7 @@ usage() # $1 = exit status
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
+    echo "   list <zone>"
     echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
@@ -1634,7 +1635,7 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
-    show|list)
+    show)
 	get_config Yes No Yes
     	shift
     	show_command $@
@@ -1751,6 +1752,12 @@ case "$COMMAND" in
 	shift
 	add_command $@
 	;;
+    list)
+	get_config
+	shift;
+	[ $# -eq 1 ] || usage 1
+	list_command $1
+	;;
     save)
 	get_config
 	[ -n "$debugging" ] && set -x