Merge branch '4.6.3'
commit
d97d45f4ad
@ -1470,10 +1470,22 @@ do_dump_command() {
|
|||||||
$g_tool -t rawpost -L $g_ipt_options
|
$g_tool -t rawpost -L $g_ipt_options
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
local count
|
||||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
local max
|
||||||
|
|
||||||
heading "Conntrack Table ($count out of $max)"
|
if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
|
||||||
|
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||||
|
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||||
|
|
||||||
|
heading "Conntrack Table ($count out of $max)"
|
||||||
|
elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
|
||||||
|
count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
|
||||||
|
max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
|
||||||
|
|
||||||
|
heading "Conntrack Table ($count out of $max)"
|
||||||
|
else
|
||||||
|
heading "Conntrack Table"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $g_family -eq 4 ]; then
|
if [ $g_family -eq 4 ]; then
|
||||||
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
|
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
|
||||||
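Review bot: The new conntrack block repeats the same `cat`/`heading` triple for both sysctl locations, from `if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then` down to `fi`, so the two file names and the heading text each live in two places. Selecting the path prefix once and reading `_count`/`_max` from it keeps one copy of each and leaves a single heading line to maintain, with identical output (the bare `heading "Conntrack Table"` is still printed when neither count file exists). do_dump_command starts and ends outside this hunk.
```sh
local count
local max
local prefix=

if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
    prefix=/proc/sys/net/netfilter/nf_conntrack
elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
    prefix=/proc/sys/net/ipv4/netfilter/ip_conntrack
fi

if [ -n "$prefix" ]; then
    count=$(cat ${prefix}_count)
    max=$(cat ${prefix}_max)
    heading "Conntrack Table ($count out of $max)"
else
    heading "Conntrack Table"
fi

# … unchanged: per-family dump of /proc/net/ip_conntrack or nf_conntrack …
```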
@ -3583,7 +3595,6 @@ usage() # $1 = exit status
|
|||||||
echo " start [ -f ] [ -p ] [ <directory> ]"
|
echo " start [ -f ] [ -p ] [ <directory> ]"
|
||||||
echo " stop"
|
echo " stop"
|
||||||
echo " status [ -i ]"
|
echo " status [ -i ]"
|
||||||
echo " run <function> [ function ... ]"
|
|
||||||
echo " version [ -a ]"
|
echo " version [ -a ]"
|
||||||
echo
|
echo
|
||||||
exit $1
|
exit $1
|
||||||
|
@ -63,18 +63,19 @@ shorewall_start () {
|
|||||||
for PRODUCT in $PRODUCTS; do
|
for PRODUCT in $PRODUCTS; do
|
||||||
setstatedir
|
setstatedir
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
|
if [ -x ${STATEDIR}/firewall ]; then
|
||||||
#
|
#
|
||||||
# Run in a sub-shell to avoid name collisions
|
# Run in a sub-shell to avoid name collisions
|
||||||
#
|
#
|
||||||
(
|
(
|
||||||
if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
|
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
|
||||||
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
|
${STATEDIR}/firewall ${OPTIONS} stop || exit 1
|
||||||
else
|
else
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
)
|
)
|
||||||
else
|
else
|
||||||
|
echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
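Review bot: The new diagnostic `echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!` is unquoted and goes to stdout; a STATEDIR containing whitespace or glob characters would be word-split, and init-script error text conventionally goes to stderr. Suggest `echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2`, and quoting `"${STATEDIR}/firewall"` in the `-x` tests and invocations in this hunk and in the shorewall_stop hunk that follows. Whether STATEDIR can ever hold such characters depends on setstatedir, which is outside the hunk, so this is defensive rather than a known failure.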
@ -95,8 +96,8 @@ shorewall_stop () {
|
|||||||
for PRODUCT in $PRODUCTS; do
|
for PRODUCT in $PRODUCTS; do
|
||||||
setstatedir
|
setstatedir
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
|
if [ -x ${STATEDIR}/firewall ]; then
|
||||||
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
|
${STATEDIR}/firewall ${OPTIONS} clear || exit 1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
|
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
|
||||||
|
|
||||||
$acctable = $config{ACCOUNTING_TABLE};
|
|
||||||
|
|
||||||
$jumpchainref = 0;
|
$jumpchainref = 0;
|
||||||
|
|
||||||
$asection = LEGACY if $asection < 0;
|
$asection = LEGACY if $asection < 0;
|
||||||
@ -453,6 +451,8 @@ sub setup_accounting() {
|
|||||||
|
|
||||||
set_section_function( &process_section );
|
set_section_function( &process_section );
|
||||||
|
|
||||||
|
$acctable = $config{ACCOUNTING_TABLE};
|
||||||
|
|
||||||
first_entry "$doing $fn...";
|
first_entry "$doing $fn...";
|
||||||
|
|
||||||
my $nonEmpty = 0;
|
my $nonEmpty = 0;
|
||||||
|
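Review bot: `$acctable = $config{ACCOUNTING_TABLE};` is placed after `set_section_function( &process_section );`; moving it above that line makes it obvious that nothing reachable from the section handler can observe `$acctable` before it is set, and follows the usual order of initialising module state before wiring callbacks. Whether process_section reads `$acctable` cannot be checked from this hunk. Dropping the per-rule assignment in process_accounting_rule1 (the previous hunk) also assumes setup_accounting is the only path into that sub; a comment such as `# $acctable is set once per compile; process_accounting_rule1 relies on it` would record that assumption where the value is now set.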
@ -308,13 +308,14 @@ sub generate_script_2() {
|
|||||||
|
|
||||||
set_global_variables(1);
|
set_global_variables(1);
|
||||||
|
|
||||||
handle_optional_interfaces(0);
|
|
||||||
|
|
||||||
if ( $global_variables & NOT_RESTORE ) {
|
if ( $global_variables & NOT_RESTORE ) {
|
||||||
|
handle_optional_interfaces(0);
|
||||||
emit ';;';
|
emit ';;';
|
||||||
pop_indent;
|
pop_indent;
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit ( 'esac' );
|
emit ( 'esac' );
|
||||||
|
} else {
|
||||||
|
handle_optional_interfaces(1);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
emit( 'true' ) unless handle_optional_interfaces(1);
|
emit( 'true' ) unless handle_optional_interfaces(1);
|
||||||
|
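Review bot: In the new inner `} else { handle_optional_interfaces(1); }` branch the return value of handle_optional_interfaces is discarded, while the outer else branch a few lines below writes `emit( 'true' ) unless handle_optional_interfaces(1);`. If the inner call emits into a generated shell block that must not be empty (presumably the reason for the `true` fallback in the outer branch), the same guard is needed here: `emit( 'true' ) unless handle_optional_interfaces(1);`. If the surrounding construct in the NOT_RESTORE path is guaranteed non-empty, a one-line comment saying so would spare the next reader the same question. generate_script_2 begins and ends outside the hunk.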
@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) {
|
|||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
$interface = $hostref->[0];
|
$interface = $hostref->[0];
|
||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
||||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||||
|
|
||||||
for $chain ( option_chains $interface ) {
|
for $chain ( option_chains $interface ) {
|
||||||
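Review bot: `my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();` now appears in the same shape three times: here, in the second add_common_rules hunk, and in the setup_mac_lists hunk. A small helper keeps the rule in one place, e.g. `sub ipsec_policy_match( $ ) { my $ipsec = shift; return $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); }` with `my @policy = ipsec_policy_match( $ipsec );` at each site. The precedence is correct as written (`&&` binds tighter than `?:`), but since the replaced line emitted `--pol $ipsec` for any value when ipsec was available, a short comment such as `# an empty ipsec field means no policy match is generated` would make the new behaviour explicit at the call sites.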
@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) {
|
|||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
my $interface = $hostref->[0];
|
my $interface = $hostref->[0];
|
||||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||||
my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
|
my $ipsec = $hostref->[1];
|
||||||
|
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
||||||
|
|
||||||
for $chain ( option_chains $interface ) {
|
for $chain ( option_chains $interface ) {
|
||||||
add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
|
add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
|
||||||
@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
for my $hostref ( @$maclist_hosts ) {
|
for my $hostref ( @$maclist_hosts ) {
|
||||||
my $interface = $hostref->[0];
|
my $interface = $hostref->[0];
|
||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
|
||||||
my @source = imatch_source_net $hostref->[2];
|
my @source = imatch_source_net $hostref->[2];
|
||||||
|
|
||||||
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
|
||||||
|
@ -460,6 +460,9 @@ sub process_a_provider( $ ) {
|
|||||||
|
|
||||||
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
|
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Switch to the logical name if a physical name was passed
|
||||||
|
#
|
||||||
my $physical;
|
my $physical;
|
||||||
|
|
||||||
if ( $interface eq $interfaceref->{name} ) {
|
if ( $interface eq $interfaceref->{name} ) {
|
||||||
@ -1293,9 +1296,11 @@ sub start_providers() {
|
|||||||
emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
|
emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
|
||||||
}
|
}
|
||||||
|
|
||||||
emit_unindented "EOF\n";
|
emit_unindented 'EOF';
|
||||||
|
|
||||||
emit "fi\n";
|
emit( 'else',
|
||||||
|
' error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
|
||||||
|
"fi\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
emit ( '#',
|
emit ( '#',
|
||||||
@ -1892,8 +1897,10 @@ sub handle_optional_interfaces( $ ) {
|
|||||||
|
|
||||||
if ( @$interfaces ) {
|
if ( @$interfaces ) {
|
||||||
my $require = $config{REQUIRE_INTERFACE};
|
my $require = $config{REQUIRE_INTERFACE};
|
||||||
|
my $gencase = shift;
|
||||||
|
|
||||||
verify_required_interfaces( shift );
|
verify_required_interfaces( $gencase );
|
||||||
|
emit '' if $gencase;
|
||||||
|
|
||||||
emit( 'HAVE_INTERFACE=', '' ) if $require;
|
emit( 'HAVE_INTERFACE=', '' ) if $require;
|
||||||
#
|
#
|
||||||
|
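Review bot: `my $gencase = shift;` is placed inside the `if ( @$interfaces )` block, so the sub's single argument is unpacked conditionally and several lines below the signature; the usual convention is to unpack `@_` on the first line of the sub (`my $gencase = shift;` before the `if`), which also prevents the earlier `verify_required_interfaces( shift )` style from creeping back. Behaviour is unchanged either way because the value is only read inside the block. The sub header of handle_optional_interfaces is outside the hunk.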
@ -2121,14 +2121,26 @@ sub have_ipsec() {
|
|||||||
sub find_hosts_by_option( $ ) {
|
sub find_hosts_by_option( $ ) {
|
||||||
my $option = $_[0];
|
my $option = $_[0];
|
||||||
my @hosts;
|
my @hosts;
|
||||||
|
my %done;
|
||||||
|
|
||||||
|
for my $interface ( @interfaces ) {
|
||||||
|
my $value = $interfaces{$interface}{options}{$option};
|
||||||
|
if ( ! $interfaces{$interface}{zone} && $value ) {
|
||||||
|
push @hosts, [ $interface, '', ALLIP , [], $value ];
|
||||||
|
$done{$interface} = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
|
for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
|
||||||
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
|
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
|
||||||
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
|
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
|
||||||
for my $host ( @{$arrayref} ) {
|
for my $host ( @{$arrayref} ) {
|
||||||
if ( my $value = $host->{options}{$option} ) {
|
my $ipsec = $host->{ipsec};
|
||||||
for my $net ( @{$host->{hosts}} ) {
|
unless ( $done{$interface} ) {
|
||||||
push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
|
if ( my $value = $host->{options}{$option} ) {
|
||||||
|
for my $net ( @{$host->{hosts}} ) {
|
||||||
|
push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
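Review bot: Zone-less interfaces are now pushed with an empty ipsec field (`push @hosts, [ $interface, '', ALLIP , [], $value ];`) where the loop removed in the next hunk used `'none'`; combined with the new `$ipsec && have_ipsec` guards in add_common_rules and setup_mac_lists, those entries no longer receive a `--pol none --dir in` match at all. If that is intended, a comment on the push such as `# '' ipsec: interface-level entries get no policy match` would record it. Note also that `%done` is set whenever the interface-level option is truthy, so `unless ( $done{$interface} )` skips every host entry on that interface regardless of the host's own option value, a precedence the deleted block did not have; if that is the purpose of `%done`, the check can be hoisted to `next if $done{$interface};` directly after the `while ( my ( $interface, $arrayref) ...` line to drop one nesting level. find_hosts_by_option ends in the following hunk.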
@ -2136,12 +2148,6 @@ sub find_hosts_by_option( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $interface ( @interfaces ) {
|
|
||||||
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
|
|
||||||
push @hosts, [ $interface, 'none', ALLIP , [] ];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
\@hosts;
|
\@hosts;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -705,8 +705,9 @@ Knock net $FW tcp 22,1599-1601
|
|||||||
<section id="Stateful">
|
<section id="Stateful">
|
||||||
<title>Stateful Port Knocking (knock with a sequence of ports)</title>
|
<title>Stateful Port Knocking (knock with a sequence of ports)</title>
|
||||||
|
|
||||||
<para>Gerhard Wiesinger has contributed a Perl module that allows you to
|
<para><ulink url="http://www.wiesinger.com/">Gerhard Wiesinger</ulink>
|
||||||
define portknocking sequences. Download <ulink
|
has contributed a Perl module that allows you to define portknocking
|
||||||
|
sequences. Download <ulink
|
||||||
url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
|
url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
|
||||||
module</ulink> and copy it into your site_perl directory.</para>
|
module</ulink> and copy it into your site_perl directory.</para>
|
||||||
|
|
||||||
|
@ -2123,6 +2123,11 @@ net eth1 detect <emphasis role="bold">optional</emphasis><
|
|||||||
later.</para>
|
later.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
|
<para><filename>/etc/shorewall/params:</filename></para>
|
||||||
|
|
||||||
|
<programlisting>EXT_IF=eth0
|
||||||
|
COM_IF=eth1</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
||||||
|
|
||||||
<programlisting>local status=0
|
<programlisting>local status=0
|
||||||
|