extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-25 17:13:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '4.6.3'

Browse Source
This commit is contained in:
Tom Eastep 2014-09-23 07:10:17 -07:00
commit d97d45f4ad
9 changed files with 63 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Shorewall-core/lib.cli
View File

@ -1470,10 +1470,22 @@ do_dump_command() {
$g_tool -t rawpost -L $g_ipt_options
fi
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
local count
local max
heading "Conntrack Table ($count out of $max)"
if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
heading "Conntrack Table ($count out of $max)"
elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
heading "Conntrack Table ($count out of $max)"
else
heading "Conntrack Table"
fi
if [ $g_family -eq 4 ]; then
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
@ -3583,7 +3595,6 @@ usage() # $1 = exit status
echo " start [ -f ] [ -p ] [ <directory> ]"
echo " stop"
echo " status [ -i ]"
echo " run <function> [ function ... ]"
echo " version [ -a ]"
echo
exit $1

11
Shorewall-init/shorewall-init
View File

@ -63,18 +63,19 @@ shorewall_start () {
for PRODUCT in $PRODUCTS; do
setstatedir
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
if [ -x ${STATEDIR}/firewall ]; then
#
# Run in a sub-shell to avoid name collisions
#
(
if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
${STATEDIR}/firewall ${OPTIONS} stop || exit 1
else
exit 1
fi
)
else
echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
exit 1
fi
done
@ -95,8 +96,8 @@ shorewall_stop () {
for PRODUCT in $PRODUCTS; do
setstatedir
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
if [ -x ${STATEDIR}/firewall ]; then
${STATEDIR}/firewall ${OPTIONS} clear || exit 1
fi
done

4
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
$acctable = $config{ACCOUNTING_TABLE};
$jumpchainref = 0;
$asection = LEGACY if $asection < 0;
@ -453,6 +451,8 @@ sub setup_accounting() {
set_section_function( &process_section );
$acctable = $config{ACCOUNTING_TABLE};
first_entry "$doing $fn...";
my $nonEmpty = 0;

5
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -308,13 +308,14 @@ sub generate_script_2() {
set_global_variables(1);
handle_optional_interfaces(0);
if ( $global_variables & NOT_RESTORE ) {
handle_optional_interfaces(0);
emit ';;';
pop_indent;
pop_indent;
emit ( 'esac' );
} else {
handle_optional_interfaces(1);
}
} else {
emit( 'true' ) unless handle_optional_interfaces(1);

7
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) {
for my $hostref ( @$list ) {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( option_chains $interface ) {
@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) {
for my $hostref ( @$list ) {
my $interface = $hostref->[0];
my $target = source_exclusion( $hostref->[3], $chainref );
my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
my $ipsec = $hostref->[1];
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
for $chain ( option_chains $interface ) {
add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) {
for my $hostref ( @$maclist_hosts ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my @source = imatch_source_net $hostref->[2];
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

13
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -460,6 +460,9 @@ sub process_a_provider( $ ) {
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
#
# Switch to the logical name if a physical name was passed
#
my $physical;
if ( $interface eq $interfaceref->{name} ) {
@ -1293,9 +1296,11 @@ sub start_providers() {
emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
}
emit_unindented "EOF\n";
emit_unindented 'EOF';
emit "fi\n";
emit( 'else',
' error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
"fi\n" );
}
emit ( '#',
@ -1892,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
if ( @$interfaces ) {
my $require = $config{REQUIRE_INTERFACE};
my $gencase = shift;
verify_required_interfaces( shift );
verify_required_interfaces( $gencase );
emit '' if $gencase;
emit( 'HAVE_INTERFACE=', '' ) if $require;
#

24
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -2121,14 +2121,26 @@ sub have_ipsec() {
sub find_hosts_by_option( $ ) {
my $option = $_[0];
my @hosts;
my %done;
for my $interface ( @interfaces ) {
my $value = $interfaces{$interface}{options}{$option};
if ( ! $interfaces{$interface}{zone} && $value ) {
push @hosts, [ $interface, '', ALLIP , [], $value ];
$done{$interface} = 1;
}
}
for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
for my $host ( @{$arrayref} ) {
if ( my $value = $host->{options}{$option} ) {
for my $net ( @{$host->{hosts}} ) {
push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
my $ipsec = $host->{ipsec};
unless ( $done{$interface} ) {
if ( my $value = $host->{options}{$option} ) {
for my $net ( @{$host->{hosts}} ) {
push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
}
}
}
}
@ -2136,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
}
}
for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIP , [] ];
}
}
\@hosts;
}

5
docs/Events.xml
View File

@ -705,8 +705,9 @@ Knock net $FW tcp 22,1599-1601
<section id="Stateful">
<title>Stateful Port Knocking (knock with a sequence of ports)</title>
<para>Gerhard Wiesinger has contributed a Perl module that allows you to
define portknocking sequences. Download <ulink
<para><ulink url="http://www.wiesinger.com/">Gerhard Wiesinger</ulink>
has contributed a Perl module that allows you to define portknocking
sequences. Download <ulink
url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
module</ulink> and copy it into your site_perl directory.</para>

5
docs/MultiISP.xml
View File

@ -2123,6 +2123,11 @@ net eth1 detect <emphasis role="bold">optional</emphasis><
later.</para>
</warning>
<para><filename>/etc/shorewall/params:</filename></para>
<programlisting>EXT_IF=eth0
COM_IF=eth1</programlisting>
<para><filename>/etc/shorewall/isusable</filename>:</para>
<programlisting>local status=0