Document dynamic zones; add 'list' command to list dynamic zone content

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-25 09:03:30 +01:00 · 2009-03-06 20:25:59 +00:00 · 2009-03-06 20:25:59 +00:00 · d83334a1d1
commit d83334a1d1
parent a7126b6b4c
4 changed files with 103 additions and 3 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -6,6 +6,8 @@ Changes in Shorewall 4.3.7

 3)  Fix DNAT- parsing of DEST column.

+4)  Implement dynamic zones
+
 Changes in Shorewall 4.3.6

 1)  Add SAME tcrules target.
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@ -1069,6 +1069,8 @@ add_command() {
 	exit 2;
    fi

+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
    #
    # Normalize host list
    #
@ -1120,6 +1122,8 @@ delete_command() {
 	exit 2;
    fi

+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
    #
    # Normalize host list
    #
@ -1161,6 +1165,34 @@ delete_command() {
 	
 }

+#
+# 'list' command executor
+#
+find_sets() {
+    local junk
+    local setname
+
+    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+}
+
+list_command() {
+
+    local sets
+    local setname
+
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
+    sets=$(find_sets $1)
+
+    for setname in $sets; do
+	echo "${setname#${1}_}:"
+	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
+                                    /^Members:/  {prnt=1; next; }; \
+                                    /^Bindings:/ {prnt=0; }; \
+                                                 { if (prnt == 1) print "   ", $1; };'
+    done
+}
+
 #
 # 'hits' commmand executor
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -18,6 +18,9 @@ released late in 2009.
   that cause new connections to use the same provider as an existing
   connection of the same kind.

+4) Dynamic Zone support is once again available for IPv4; ipset support is
+   required in your kernel and in iptables.
+
 ----------------------------------------------------------------------------
                    M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
@ -76,7 +79,63 @@ None.
    Shorewall6.

    When a successful start or restart is completed, the script that
-    executed the command copies itself to to /var/lib/shorewall[6/firewall.
+    executed the command copies itself to to
+    /var/lib/shorewall[6/firewall.
+
+2)  Dynamic zone support is once again available for IPv4. This support 
+    is built on top of ipsets so you must have installed the
+    xtable-addons.
+
+    Note that the dynamic zone support built into Shorewall provides no
+    additional functionality over what is provided by simply defining a
+    zone in terms of an ipset (see
+    http://www1.shorewall.net/ipsets.html#Dynamic). 
+
+    You define a zone as having dynamic content in one of two ways:
+
+    - By specifying nets=dynamic in the OPTIONS column of an entry for
+      the zone in /etc/shorewall/interfaces; or
+
+    - By specifying <interface>:dynamic in the HOST(S) column of an
+      entry for the zone in /etc/shorewall/hosts.
+
+    When there are any dynamic zones present in your configuration, 
+    Shorewall will:
+
+    a) Execute the following commands during 'shorewall start'.
+
+           ipset -U :all: :all:
+	   ipset -U :all: :default:
+	   ipset -F
+	   ipset -X   
+	   ipset -R < ${VARDIR}/ipsets.save
+
+       where $VARDIR normally contains /var/lib/shorewall but may be
+       modified by /etc/shorewall/vardir.
+
+    b) During 'start', 'restart' and 'restore' processing, Shorewall
+       will then attempt to create an ipset named <zone>_<interface>
+       for each zone/interface pair that has been specified as
+       dynamic. The type of ipset created is 'iphash' so that only
+       individual IPv4 addresses may be added to the set.
+
+    c) Execute the following commands during 'shorewall stop':
+
+           if ipset -S > ${VARDIR}/ipsets.tmp; then
+              mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
+	   fi
+
+    The 'shorewall add' and 'shorewall delete' commands are supported
+    with their original syntax:
+
+           add <interface>[:<host-list>] ... <zone>
+
+           delete <interface>[:<host-list>] ... <zone>
+
+    In addition, a list command is supported that lists the dynamic
+    content of a zone.
+
+    	    list <zone>

 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   IN   4 . 3
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1339,6 +1339,7 @@ usage() # $1 = exit status
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
+    echo "   list <zone>"
    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
@ -1634,7 +1635,7 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
-    show|list)
+    show)
 	get_config Yes No Yes
    	shift
    	show_command $@
@ -1751,6 +1752,12 @@ case "$COMMAND" in
 	shift
 	add_command $@
 	;;
+    list)
+	get_config
+	shift;
+	[ $# -eq 1 ] || usage 1
+	list_command $1
+	;;
    save)
 	get_config
 	[ -n "$debugging" ] && set -x