More modularization
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4382 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2c9fc7149a
commit
fcc6baaf6e
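--- a/Shorewall/clib.accounting
+++ b/Shorewall/clib.accounting
@@ -0,0 +1,253 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.tcrules
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Process a record from the accounting file
+#
+process_accounting_rule() {
+rule=
+rule2=
+jumpchain=
+user1=
+
+accounting_error() {
+error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
+}
+
+accounting_interface_error() {
+error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user
+}
+
+accounting_interface_verify() {
+verify_interface $1 || accounting_interface_error $1
+}
+
+jump_to_chain() {
+if ! havechain $jumpchain; then
+if ! createchain2 $jumpchain No; then
+accounting_error
+return 2
+fi
+fi
+
+rule="$rule -j $jumpchain"
+}
+
+do_ipp2p() {
+[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
+case $proto in
+*:*)
+proto=${proto#*:}
+;;
+*)
+proto=tcp
+;;
+esac
+
+rule="$rule -p $proto -m ipp2p --${port:-ipp2p}"
+}
+
+case $source in
+*:*)
+accounting_interface_verify ${source%:*}
+rule="$(source_ip_range ${source#*:}) $(match_source_dev ${source%:*})"
+;;
+*.*.*.*|+*|!+*)
+rule="$(source_ip_range $source)"
+;;
+-|all|any)
+;;
+*)
+if [ -n "$source" ]; then
+accounting_interface_verify $source
+rule="$(match_source_dev $source)"
+fi
+;;
+esac
+
+[ -n "$dest" ] && case $dest in
+*:*)
+accounting_interface_verify ${dest%:*}
+rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
+;;
+*.*.*.*|+*|!*)
+rule="$rule $(dest_ip_range $dest)"
+;;
+-|all|any)
+;;
+*)
+accounting_interface_verify $dest
+rule="$rule $(match_dest_dev $dest)"
+;;
+esac
+
+[ -n "$proto" ] && case $proto in
+-|any|all)
+;;
+ipp2p|IPP2P|ipp2p:*|IPP2P:*)
+do_ipp2p
+;;
+*)
+rule="$rule -p $proto"
+;;
+esac
+
+multiport=
+
+[ -n "$port" ] && case $port in
+-|any|all)
+;;
+*)
+if [ -n "$MULTIPORT" ]; then
+rule="$rule -m multiport --dports $port"
+multiport=Yes
+else
+rule="$rule --dport $port"
+fi
+;;
+esac
+
+[ -n "$sport" ] && case $sport in
+-|any|all)
+;;
+*)
+if [ -n "$MULTIPORT" ]; then
+[ -n "$multiport" ] && rule="$rule --sports $sport" || rule="$rule -m multiport --sports $sport"
+else
+rule="$rule --sport $sport"
+fi
+;;
+esac
+
+[ -n "$user" ] && case $user in
+-|any|all)
+;;
+*)
+[ "$chain" != OUTPUT ] && \
+fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
+rule="$rule -m owner"
+user1="$user"
+
+case "$user" in
+!*+*)
+if [ -n "${user#*+}" ]; then
+rule="$rule ! --cmd-owner ${user#*+} "
+fi
+user1=${user%+*}
+;;
+*+*)
+if [ -n "${user#*+}" ]; then
+rule="$rule --cmd-owner ${user#*+} "
+fi
+user1=${user%+*}
+;;
+esac
+
+case "$user1" in
+!*:*)
+if [ "$user1" != "!:" ]; then
+temp="${user1#!}"
+temp="${temp%:*}"
+[ -n "$temp" ] && rule="$rule ! --uid-owner $temp "
+temp="${user1#*:}"
+[ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
+fi
+;;
+*:*)
+if [ "$user1" != ":" ]; then
+temp="${user1%:*}"
+[ -n "$temp" ] && rule="$rule --uid-owner $temp "
+temp="${user1#*:}"
+[ -n "$temp" ] && rule="$rule --gid-owner $temp "
+fi
+;;
+!*)
+[ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
+;;
+*)
+[ -n "$user1" ] && rule="$rule --uid-owner $user1 "
+;;
+esac
+;;
+esac
+
+case $action in
+COUNT)
+;;
+DONE)
+rule="$rule -j RETURN"
+;;
+*:COUNT)
+rule2="$rule"
+jumpchain=${action%:*}
+jump_to_chain || return
+;;
+JUMP:*)
+jumpchain=${action#*:}
+jump_to_chain || return
+;;
+*)
+jumpchain=$action
+jump_to_chain || return
+;;
+esac
+
+[ "x${chain:=accounting}" = "x-" ] && chain=accounting
+
+ensurechain1 $chain
+
+if do_iptables -A $chain $(fix_bang $rule) ; then
+[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
+progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user $DONE
+save_progress_message_short " Accounting rule $action $chain $source $dest $proto $port $sport $user Added"
+else
+accounting_error
+fi
+}
+
+#
+# Set up Accounting
+#
+setup_accounting() # $1 = Name of accounting file
+{
+
+progress_message2 "$DOING Accounting..."
+
+save_progress_message "Setting up Accounting..."
+
+strip_file accounting $1
+
+while read action chain source dest proto port sport user ; do
+expandv action chain source dest proto port sport user
+process_accounting_rule
+done < $TMP_DIR/accounting
+
+if havechain accounting; then
+for chain in INPUT FORWARD OUTPUT; do
+run_iptables -I $chain -j accounting
+done
+fi
+
+}
+
+CLIB_ACCOUNTING_LOADED=Yes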
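Review bot: `accounting_interface_verify` only reports an unknown interface through `error_message` as a WARNING and `process_accounting_rule` then goes on to append the rule anyway, whereas `setup_ecn` in this same commit treats the identical condition as `fatal_error`; a mistyped interface in the accounting file therefore produces a rule bound to a device that does not exist and silently counts nothing. Suggest `verify_interface $1 || fatal_error "Unknown interface $1 in accounting rule"`, or, if the lenient behaviour is deliberate, a comment above the helper saying why accounting tolerates what ecn does not. Two smaller points: the header comment at the top of the file names `/usr/share/shorewall/clib.tcrules` rather than `clib.accounting`, and `process_accounting_rule` reads and writes `rule`, `rule2`, `jumpchain`, `user1`, `temp` and `multiport` as shell globals with no `local`, unlike the `local` lists in the ecn and maclist files.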
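--- a/Shorewall/clib.ecn
+++ b/Shorewall/clib.ecn
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.ecn
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# ECN Chain to an interface
+#
+ecn_chain() # $1 = interface
+{
+echo $(chain_base $1)_ecn
+}
+
+#
+# Setup ECN disabling rules
+#
+setup_ecn() # $1 = file name
+{
+local interfaces=""
+local hosts=
+local h
+
+strip_file ecn $1
+
+progress_message2 "$DOING $1..."
+
+while read interface host; do
+expandv interface host
+list_search $interface $ALL_INTERFACES || \
+fatal_error "Unknown interface $interface"
+list_search $interface $interfaces || \
+interfaces="$interfaces $interface"
+[ "x$host" = "x-" ] && host=
+for h in $(separate_list ${host:-0.0.0.0/0}); do
+hosts="$hosts $interface:$h"
+done
+done < $TMP_DIR/ecn
+
+if [ -n "$interfaces" ]; then
+progress_message "$DOING ECN control on${interfaces}..."
+
+for interface in $interfaces; do
+chain=$(ecn_chain $interface)
+if havemanglechain $chain; then
+flushmangle $chain
+else
+createmanglechain $chain
+run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
+run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
+fi
+done
+
+for host in $hosts; do
+interface=${host%:*}
+h=${host#*:}
+run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
+progress_message_and_save " ECN Disabled to $h through $interface"
+done
+fi
+}
+
+CLIB_ECN_LOADED=Yes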
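Review bot: `setup_ecn` declares `interfaces`, `hosts` and `h` as `local` but not `interface`, `host` or `chain`, all three of which it assigns in the `read` loop and in `chain=$(ecn_chain $interface)`; since these clib.* files are sourced into a single shell, those names leak out as globals, and `chain` is also read and written without `local` by `process_accounting_rule` in this same commit. Suggest `local interfaces="" hosts= h interface host chain` so the function's scratch state stays inside it. If the leak is relied upon by a caller, a one-line comment on the `local` declarations saying so would stop the next reader from "fixing" it.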
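--- a/Shorewall/clib.maclist
+++ b/Shorewall/clib.maclist
@@ -0,0 +1,264 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.proxyarp
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# MAC Verification Chain for an interface
+#
+mac_chain() # $1 = interface
+{
+echo $(chain_base $1)_mac
+}
+
+macrecent_target() # $1 - interface
+{
+[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
+}
+
+#
+# Set up MAC Verification
+#
+setup_mac_lists() {
+local interface
+local mac
+local addresses
+local address
+local chain
+local chain1
+local macpart
+local blob
+local hosts
+local ipsec
+local policy=
+
+create_mac_chain()
+{
+case $MACLIST_TABLE in
+filter)
+createchain $1 no
+;;
+*)
+createmanglechain $1
+;;
+esac
+}
+
+have_mac_chain()
+{
+local result
+
+case $MACLIST_TABLE in
+filter)
+havechain $1 && result=0 || result=1
+;;
+*)
+havemanglechain $1 && result=0 || result=1
+;;
+esac
+
+return $result
+}
+#
+# Generate the list of interfaces having MAC verification
+#
+maclist_interfaces=
+
+for hosts in $maclist_hosts; do
+hosts=${hosts#*^}
+interface=${hosts%%:*}
+if ! list_search $interface $maclist_interfaces; then\
+if [ -z "$maclist_interfaces" ]; then
+maclist_interfaces=$interface
+else
+maclist_interfaces="$maclist_interfaces $interface"
+fi
+fi
+done
+
+progress_message "$DOING MAC Verification on $maclist_interfaces..."
+#
+# Create chains.
+#
+for interface in $maclist_interfaces; do
+chain=$(mac_chain $interface)
+create_mac_chain $chain
+#
+# If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+#
+if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN
+fi
+
+if [ -n "$MACLIST_TTL" ]; then
+chain1=$(macrecent_target $interface)
+create_mac_chain $chain1
+run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
+run_iptables -A $chain -t $MACLIST_TABLE -j $chain1
+run_iptables -A $chain -t $MACLIST_TABLE -m recent --update --name $chain -j RETURN
+run_iptables -A $chain -t $MACLIST_TABLE -m recent --set --name $chain
+fi
+done
+
+#
+# Process the maclist file producing the verification rules
+#
+while read disposition interface mac addresses; do
+expandv disposition interface mac addresses
+
+level=
+
+case $disposition in
+ACCEPT:*)
+level=${disposition#*:}
+disposition=ACCEPT
+target=RETURN
+;;
+ACCEPT)
+target=RETURN
+;;
+REJECT:*)
+[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+target=reject
+disposition=REJECT
+;;
+REJECT)
+[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+target=reject
+;;
+DROP:*)
+level=${disposition#*:}
+disposition=DROP
+target=DROP
+;;
+DROP)
+target=DROP
+;;
+*)
+addresses="$mac"
+mac="$interface"
+interface="$disposition"
+disposition=ACCEPT
+target=RETURN
+;;
+esac
+
+physdev_part=
+
+if [ -n "$BRIDGING" ]; then
+case $interface in
+*:*)
+physdev_part="-m physdev --physdev-in ${interface#*:}"
+interface=${interface%:*}
+;;
+esac
+fi
+
+[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+
+if ! have_mac_chain $chain ; then
+fatal_error "No hosts on $interface have the maclist option specified"
+fi
+
+if [ x${mac:=-} = x- ]; then
+if [ -z "$addresses" ]; then
+fatal_error "You must specify a MAC address or an IP address"
+else
+macpart=
+fi
+else
+macpart=$(mac_match $mac)
+fi
+
+if [ -z "$addresses" ]; then
+[ -n "$level" ] && \
+log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
+run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j $target
+else
+for address in $(separate_list $addresses) ; do
+[ -n "$level" ] && \
+log_rule_limit $level $chain $(mac_chain $interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address $physdev_part
+run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address $physdev_part -j $target
+done
+fi
+done < $TMP_DIR/maclist
+#
+# Must take care of our own broadcasts and multicasts then terminate the verification
+# chains
+#
+for interface in $maclist_interfaces; do
+
+[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
+
+if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
+indent >&3 << __EOF__
+
+blob=\$(ip link show $interface 2> /dev/null)
+
+[ -z "\$blob" ] && \
+fatal_error "Interface $interface must be up before Shorewall can start"
+
+ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
+address=\${address%/*}
+if [ -n "\$broadcast" ]; then
+run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d \$broadcast -j RETURN
+fi
+
+run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 255.255.255.255 -j RETURN
+run_iptables -t $MACLIST_TABLE -A $chain -s \$address -d 224.0.0.0/4 -j RETURN
+done
+
+__EOF__
+fi
+
+if [ -n "$MACLIST_LOG_LEVEL" ]; then
+log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
+fi
+
+if [ $MACLIST_DISPOSITION != ACCEPT ]; then
+run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+fi
+done
+#
+# Generate jumps from the input and forward chains
+#
+for hosts in $maclist_hosts; do
+ipsec=${hosts%^*}
+hosts=${hosts#*^}
+[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+interface=${hosts%%:*}
+hosts=${hosts#*:}
+case $MACLIST_TABLE in
+filter)
+for chain in $(first_chains $interface) ; do
+run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
+$policy -j $(mac_chain $interface)
+done
+;;
+*)
+run_iptables -t mangle -A PREROUTING -i $interface $(match_source_hosts $hosts) -m state --state NEW \
+$policy -j $(mac_chain $interface)
+;;
+esac
+done
+}
+
+CLIB_MACLIST_LOADED=Yes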
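Review bot: The `REJECT:*` arm of `case $disposition in` never extracts the log level: the `ACCEPT:*` and `DROP:*` arms both do `level=${disposition#*:}`, but `REJECT:*` only sets `target=reject` and `disposition=REJECT`, so a `REJECT:info` maclist entry is accepted and then logs nothing, because both `log_rule_limit` calls below are guarded by `[ -n "$level" ]`. Add `level=${disposition#*:}` as the first statement of that arm, before `disposition` is overwritten. Two smaller things: `if ! list_search $interface $maclist_interfaces; then\` carries a stray continuation backslash that only works because the following line is a command, and the header comment names this file `clib.proxyarp`.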
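--- a/Shorewall/clib.macros
+++ b/Shorewall/clib.macros
@@ -0,0 +1,313 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.macros
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# This function maps old action names into their new macro equivalents
+#
+map_old_action() # $1 = Potential Old Action
+{
+local macro= aktion
+
+if [ -n "$MAPOLDACTIONS" ]; then
+case $1 in
+*/*)
+echo $1
+return
+;;
+*)
+if [ -f $(find_file $1) ]; then
+echo $1
+return
+fi
+
+case $1 in
+Allow*)
+macro=${1#*w}
+aktion=ACCEPT
+;;
+Drop*)
+macro=${1#*p}
+aktion=DROP
+;;
+Reject*)
+macro=${1#*t}
+aktion=REJECT
+;;
+*)
+echo $1
+return
+;;
+esac
+esac
+
+if [ -f $(find_file macro.$macro) ]; then
+echo $macro/$aktion
+return
+fi
+fi
+
+echo $1
+}
+
+#
+# Combine a source/dest from the macro body with one from the macro invocation
+#
+merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
+{
+case $2 in
+-)
+echo ${1}
+;;
+*.*.*|+*|~*|!~*)
+#
+# Value in the invocation is an address -- put it behind the value from the macro
+#
+echo ${1}:${2}
+;;
+*)
+echo ${2}:${1}
+;;
+esac
+}
+
+verify_macro_from_action() {
+temp=$(map_old_action $temp)
+
+case $temp in
+*/*)
+param=${temp#*/}
+case $param in
+ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
+;;
+*)
+rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
+fatal_error "Invalid Macro Parameter in rule \"$rule\""
+;;
+esac
+temp=${temp%%/*}
+;;
+esac
+
+f1=macro.${temp}
+fn=$(find_file $f1)
+
+if [ ! -f $TMP_DIR/$f1 ]; then
+#
+# We must only verify macros once to ensure that they don't invoke any non-standard actions
+#
+if [ -f $fn ]; then
+strip_file $f1 $fn
+
+progress_message " ..Expanding Macro $fn..."
+
+while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+expandv mtarget
+temp="${mtarget%%:*}"
+case "$temp" in
+ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
+;;
+*)
+rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec"
+fatal_error "Invalid TARGET in rule \"$rule\""
+esac
+done < $TMP_DIR/$f1
+
+progress_message " ..End Macro"
+else
+rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
+fatal_error "Invalid TARGET in rule \"$rule\""
+fi
+fi
+}
+
+expand_macro_in_action() {
+
+xtarget1=$(map_old_action $xtarget1)
+
+case $xtarget1 in
+*/*)
+param=${xtarget1#*/}
+xtarget1=${xtarget1%%/*}
+;;
+esac
+
+progress_message "..Expanding Macro $(find_file macro.$xtarget1)..."
+while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
+
+mtarget=$(merge_levels $xaction2 $mtarget)
+
+case $mtarget in
+PARAM|PARAM:*)
+[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
+;;
+esac
+
+if [ -n "$mclients" ]; then
+case $mclients in
+-|SOURCE)
+mclients=${xclients}
+;;
+DEST)
+mclients=${xservers}
+;;
+*)
+mclients=$(merge_macro_source_dest $mclients $xclients)
+;;
+esac
+else
+mclients=${xclients}
+fi
+
+if [ -n "$mservers" ]; then
+case $mservers in
+-|DEST)
+mservers=${xservers}
+;;
+SOURCE)
+mservers=${xclients}
+;;
+*)
+mservers=$(merge_macro_source_dest $mservers $xservers)
+;;
+esac
+else
+mservers=${xserverss}
+fi
+
+[ -n "$xprotocol" ] && [ "x${xprotocol}" != x- ] && mprotocol=$xprotocol
+[ -n "$xports" ] && [ "x${xports}" != x- ] && mports=$xports
+[ -n "$xcports" ] && [ "x${xcports}" != x- ] && mcports=$xcports
+[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
+[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
+
+rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}"
+process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec
+done < $TMP_DIR/macro.$xtarget1
+progress_message "..End Macro"
+}
+
+#
+# Process a macro invocation in the rules file
+#
+
+process_macro() # $1 = target
+# $2 = param
+# $2 = clients
+# $3 = servers
+# $4 = protocol
+# $5 = ports
+# $6 = cports
+# $7 = address
+# $8 = ratelimit
+# $9 = userspec
+{
+local itarget="$1"
+local param="$2"
+local iclients="$3"
+local iservers="$4"
+local iprotocol="$5"
+local iports="$6"
+local icports="$7"
+local iaddress="$8"
+local iratelimit="$9"
+local iuserspec="${10}"
+
+progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
+
+while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
+expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
+
+mtarget=$(merge_levels $itarget $mtarget)
+
+case $mtarget in
+PARAM|PARAM:*)
+[ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation"
+;;
+esac
+
+case ${mtarget%%:*} in
+ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
+;;
+*)
+if list_search ${mtarget%%:*} $ACTIONS; then
+if ! list_search $mtarget $USEDACTIONS; then
+createactionchain $mtarget
+USEDACTIONS="$USEDACTIONS $mtarget"
+fi
+
+mtarget=$(find_logactionchain $mtarget)
+else
+fatal_error "Invalid Action in rule \"$mtarget ${mclients:--} ${mservers:--} ${mprotocol:--} ${mports:--} ${mcports:--} ${xaddress:--} ${mratelimit:--} ${muserspec:--}\""
+fi
+;;
+esac
+
+if [ -n "$mclients" ]; then
+case $mclients in
+-|SOURCE)
+mclients=${iclients}
+;;
+DEST)
+mclients=${iservers}
+;;
+*)
+mclients=$(merge_macro_source_dest $mclients $iclients)
+;;
+esac
+else
+mclients=${iclients}
+fi
+
+if [ -n "$mservers" ]; then
+case $mservers in
+-|DEST)
+mservers=${iservers}
+;;
+SOURCE)
+mservers=${iclients}
+;;
+*)
+mservers=$(merge_macro_source_dest $mservers $iservers)
+;;
+esac
+else
+mservers=${iservers}
+fi
+
+[ -n "$iprotocol" ] && [ "x${iprotocol}" != x- ] && mprotocol=$iprotocol
+[ -n "$iports" ] && [ "x${iports}" != x- ] && mports=$iports
+[ -n "$icports" ] && [ "x${icports}" != x- ] && mcports=$icports
+[ -n "$iratelimit" ] && [ "x${iratelimit}" != x- ] && mratelimit=$iratelimit
+[ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec
+
+rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
+process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec
+
+done < $TMP_DIR/macro.${itarget%%:*}
+
+progress_message "..End Macro"
+
+}
+
+CLIB_MACROS_LOADED=Yes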
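Review bot: In `expand_macro_in_action` the `else` arm of the `mservers` test assigns `mservers=${xserverss}` — a misspelling of `xservers` (the `-|DEST` arm a few lines above uses `${xservers}`), so a macro line whose SERVERS column is empty is defaulted to `-` (any destination) by the later `${mservers:=-}` instead of inheriting the invocation's DEST, which yields a wider rule than the action author wrote; change it to `mservers=${xservers}`. In the same function the `rule=` line uses `${mratelimit:-}` where `process_macro` uses `${mratelimit:=-}`; without the assignment an empty ratelimit is passed unquoted to `process_action` and the remaining positional arguments shift left by one. Also, the argument comments on `process_macro` are off by one from the `local` assignments (`# $2 = clients` versus `iclients="$3"`, through `${10}`), and the error-message `rule=` in `process_macro` shows `${xaddress:=-}` while the value actually passed to `process_rule` is `${iaddress:=-}`.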
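--- a/Shorewall/clib.providers
+++ b/Shorewall/clib.providers
@@ -0,0 +1,417 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.providers
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Process the providers file
+#
+setup_providers()
+{
+local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes save_indent1=
+
+copy_table() {
+indent >&3 << __EOF__
+ip route show table $duplicate | while read net route; do
+case \$net in
+default|nexthop)
+;;
+*)
+run_ip route add table $number \$net \$route
+;;
+esac
+done
+__EOF__
+}
+
+copy_and_edit_table() {
+indent >&3 << __EOF__
+ip route show table $duplicate | while read net route; do
+case \$net in
+default|nexthop)
+;;
+*)
+case \$(find_device \$route) in
+`echo $copy\) | sed 's/ /|/g'`
+run_ip route add table $number \$net \$route
+;;
+esac
+;;
+esac
+done
+
+__EOF__
+}
+
+balance_default_route() # $1 = weight
+{
+balance=yes
+
+save_command
+if [ -n "$first" ]; then
+if [ -n "$gateway" ] ; then
+save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\""
+else
+save_command "DEFAULT_ROUTE=\"nexthop dev $interface weight $1\""
+fi
+
+first=
+else
+if [ -n "$gateway" ] ; then
+save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $1\""
+else
+save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $1\""
+fi
+fi
+}
+
+add_a_provider() {
+local t n iface option optional=
+
+[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
+
+for t in $PROVIDERS local main default unspec; do
+if [ "$t" = "$table" ]; then
+fatal_error "Duplicate Provider: $table, provider: \"$provider\""
+fi
+
+eval n=\$${t}_number
+#
+# The following is because the %$#@ shell doesn't accept hex numbers in '-eq' tests
+#
+if [ $(($n)) -eq $(($number)) ]; then
+fatal_error "Duplicate Provider number: $number, provider: \"$provider\""
+fi
+done
+
+eval ${table}_number=$number
+
+indent >&3 << __EOF__
+#
+# Add Provider $table ($number)
+#
+__EOF__
+save_command "if [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then"
+save_indent1="$INDENT"
+INDENT="$INDENT "
+
+iface=$(chain_base $interface)
+
+save_command "${iface}_up=Yes"
+
+save_command "qt ip route flush table $number"
+
+if [ "x${duplicate:=-}" != x- ]; then
+if [ "x${copy:=-}" != "x-" ]; then
+if [ "x${copy}" = xnone ]; then
+copy=$interface
+else
+copy="$interface $(separate_list $copy)"
+fi
+copy_and_edit_table
+else
+copy_table
+fi
+fi
+
+if [ "x$gateway" = xdetect ] ; then
+gateway='$gateway'
+indent >&3 << __EOF__
+gateway=\$(detect_gateway $interface)
+
+if [ -n "\$gateway" ]; then
+run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number
+run_ip route add default via \$gateway dev $interface table $number
+else
+fatal_error "Unable to detect the gateway through interface $interface"
+fi
+
+__EOF__
+elif [ "x$gateway" != "x-" -a -n "$gateway" ]; then
+indent >&3 << __EOF__
+run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number
+run_ip route add default via $gateway dev $interface table $number
+__EOF__
+else
+gateway=
+save_command "run_ip route add default dev $interface table $number"
+fi
+
+if [ x${mark} != x- ]; then
+verify_mark $mark
+
+if [ $(($mark)) -lt 256 ]; then
+if [ -n "$HIGH_ROUTE_MARKS" ]; then
+fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes"
+fi
+elif [ -z "$HIGH_ROUTE_MARKS" ]; then
+fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No"
+fi
+
+eval ${table}_mark=$mark
+
+save_command "qt ip rule del fwmark $mark"
+save_command "run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number"
+fi
+
+loose=
+
+for option in $(separate_list $options); do
+case $option in
+-)
+;;
+track)
+list_search $interface $ROUTEMARK_INTERFACES && \
+fatal_error "Interface $interface is tracked through an earlier provider"
+[ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\""
+eval ${iface}_routemark=$mark
+ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
+;;
+balance=*)
+balance_default_route ${option#*=}
+;;
+balance)
+balance_default_route 1
+;;
+loose)
+loose=Yes
+;;
+optional)
+optional=Yes
+;;
+*)
+error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\""
+;;
+esac
+done
+
+rulenum=0
+
+if [ -z "$loose" ]; then
+rulebase=$(( 20000 + ( 256 * ($number-1) ) ))
+indent >&3 << __EOF__
+
+rulenum=0
+
+find_interface_addresses $interface | while read address; do
+qt ip rule del from \$address
+run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
+rulenum=\$((\$rulenum + 1))
+done
+__EOF__
+else
+indent >&3 << __EOF__
+
+find_interface_addresses $interface | while read address; do
+qt ip rule del from \$address
+done
+__EOF__
+fi
+
+indent >&3 << __EOF__
+
+progress_message " Provider $table ($number) Added"
+
+__EOF__
+
+INDENT="$save_indent1"
+save_command else
+
+if [ -n "$optional" ]; then
+save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\""
+save_command " ${iface}_up="
+else
+save_command " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\""
+fi
+
+save_command fi
+save_command
+
+}
+
+verify_provider()
+{
+local p n
+
+for p in $PROVIDERS main; do
+[ "$p" = "$1" ] && return 0
+eval n=\$${p}_number}
+[ "$n" = "$1" ] && return 0
+done
+
+fatal_error "Unknown provider $1 in route rule \"$rule\""
+}
+
+add_an_rtrule()
+{
+verify_provider $provider
+
+[ "x$source" = x- ] && source=
+[ "x$dest" = x- ] && dest= || dest="to $dest"
+
+[ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\""
+
+[ -n "$source" ] && case $source in
+*:*)
+source="iif ${source%:*} from ${source#*:}"
+;;
+*.*.*)
+source="from $source"
+;;
+*)
+source="iif $source"
+;;
+esac
+
+case "$priority" in
+[0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9])
+;;
+*)
+fatal_error "Invalid priority ($priority) in rule \"$rule\""
+;;
+esac
+
+priority="priority $priority"
+
+save_command "qt ip rule del $source $dest $priority"
+save_command "run_ip rule add $source $dest $priority table $provider"
+
+progress_message "Routing rule \"$rule\" $DONE"
+}
+
+local_number=255
+main_number=254
+default_number=253
+unspec_number=0
+
+strip_file providers $1
+
+if [ -s $TMP_DIR/providers ]; then
+balance=
+
+progress_message2 "$DOING $1..."
+save_command
+save_command "if [ -z \"\$NOROUTES\" ]; then"
+INDENT="$INDENT "
+save_progress_message "Adding Providers..."
+save_command "DEFAULT_ROUTE="
+
+while read table number mark duplicate interface gateway options copy; do
+expandv table number mark duplicate interface gateway options copy
+provider="$table $number $mark $duplicate $interface $gateway $options $copy"
+add_a_provider
+PROVIDERS="$PROVIDERS $table"
+progress_message "Provider $provider $DONE"
+done < $TMP_DIR/providers
+
+if [ -n "$PROVIDERS" ]; then
+if [ -n "$balance" ]; then
+save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then"
+save_command " run_ip route replace default scope global \$DEFAULT_ROUTE"
+save_command " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\""
+save_command "else"
+save_command " error_message \"WARNING: No Default route added (all 'balance' providers are down)\""
+save_command "fi"
+save_command
+fi
+
+cat >&3 << __EOF__
+${INDENT}cat > /etc/iproute2/rt_tables <<EOF
+#
+# reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# local
+#
+EOF
+__EOF__
+for table in $PROVIDERS; do
+eval number=\$${table}_number
+indent >&3 << __EOF__
+\${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables
+__EOF__
+done
+
+f=$(find_file route_rules)
+
+if [ -f $f ]; then
+strip_file route_rules $f
+
+if [ -s $TMP_DIR/route_rules ]; then
+progress_message2 "$DOING $f..."
+
+save_command
+
+while read source dest provider priority; do
+expandv source dest provider priority
+rule="$source $dest $priority $provider"
+add_an_rtrule
+done < $TMP_DIR/route_rules
+fi
+fi
+fi
+
+save_command "run_ip route flush cache"
+INDENT="$save_indent"
+save_command "fi"
+save_command
+fi
+}
+
+#
+# Set up Routing
+#
+setup_routes()
+{
+local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"
+
+[ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark"
+
+run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
+run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
+createmanglechain routemark
+
+if [ -n "$ROUTEMARK_INTERFACES" ]; then
+for interface in $ROUTEMARK_INTERFACES ; do
+iface=$(chain_base $interface)
+eval mark_value=\$${iface}_routemark
+
+save_command
+save_command "if [ -n \"\$${iface}_up\" ]; then"
+INDENT="$INDENT "
+run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
+run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value
+INDENT="$save_indent"
+save_command "fi"
+done
+
+save_command
+fi
+
+run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask
+
+}
+
+CLIB_PROVIDERS_LOADED=Yes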
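Review bot: `eval n=\$${p}_number}` in verify_provider carries a stray trailing `}`, so after expansion `n` holds a value like `254}` and the comparison on the next line, `[ "$n" = "$1" ] && return 0`, can never succeed; a route_rules entry that refers to a provider by its table number always ends in the `Unknown provider` fatal_error. The line should read `eval n=\$${p}_number`. Separately, `f=$(find_file route_rules)` assigns `f` without it being in the `local` list at the top of setup_providers, so the variable leaks into the caller's scope; add `f` to that `local` declaration.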
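--- a/Shorewall/clib.proxyarp
+++ b/Shorewall/clib.proxyarp
@@ -0,0 +1,154 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.proxyarp
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Setup Proxy ARP
+#
+setup_proxy_arp() {
+
+local setlist= resetlist=
+
+print_error() {
+error_message "Invalid value for HAVEROUTE - ($haveroute)"
+error_message "Entry \"$address $interface $external $haveroute\" ignored"
+}
+
+print_error1() {
+error_message "Invalid value for PERSISTENT - ($persistent)"
+error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
+}
+
+print_warning() {
+error_message "PERSISTENT setting ignored - ($persistent)"
+error_message "Entry \"$address $interface $external $haveroute $persistent\""
+}
+
+setup_one_proxy_arp() {
+
+case $haveroute in
+[Nn][Oo])
+haveroute=
+;;
+[Yy][Ee][Ss])
+;;
+*)
+if [ -n "$haveroute" ]; then
+print_error
+return
+fi
+;;
+esac
+
+case $persistent in
+[Nn][Oo])
+persistent=
+;;
+[Yy][Ee][Ss])
+[ -z "$haveroute" ] || print_warning
+;;
+*)
+if [ -n "$persistent" ]; then
+print_error1
+return
+fi
+;;
+esac
+
+if [ -z "$haveroute" ]; then
+save_command "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"
+[ -n "$persistent" ] && haveroute=yes
+fi
+
+indent >&3 << __EOF__
+if ! arp -i $external -Ds $address $external pub; then
+fatal_error "Command \"arp -i $external -Ds $address $external pub\" failed"
+fi
+
+progress_message " Host $address connected to $interface added to ARP on $external"
+
+__EOF__
+echo $address $interface $external $haveroute >> $STATEDIR/proxyarp
+
+progress_message " Host $address connected to $interface added to ARP on $external"
+}
+
+> $STATEDIR/proxyarp
+
+save_progress_message "Setting up Proxy ARP..."
+
+while read address interface external haveroute persistent; do
+expandv address interface external haveroute persistent
+list_search $interface $setlist || setlist="$setlist $interface"
+list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
+setup_one_proxy_arp
+done < $TMP_DIR/proxyarp
+
+for interface in $resetlist; do
+list_search $interface $setlist || \
+save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+done
+
+for interface in $setlist; do
+save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+done
+
+interfaces=$(find_interfaces_by_option proxyarp)
+
+for interface in $interfaces; do
+indent >&3 << __EOF__
+if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then
+echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
+else
+error_message "WARNING: Unable to enable proxy ARP on $interface"
+fi
+
+__EOF__
+done
+
+}
+
+#
+# Delete existing Proxy ARP
+#
+delete_proxy_arp() {
+indent >&3 << __EOF__
+if [ -f \${VARDIR}/proxyarp ]; then
+while read address interface external haveroute; do
+qt arp -i \$external -d \$address pub
+[ -z "\$haveroute" -a -z "\$NOROUTE" ] && qt ip route del \$address dev \$interface
+done < \${VARDIR}/proxyarp
+
+rm -f \${VARDIR}/proxyarp
+fi
+
+for f in /proc/sys/net/ipv4/conf/*; do
+[ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
+done
+
+__EOF__
+
+[ -d $STATEDIR ] && touch $STATEDIR/proxyarp
+
+}
+
+CLIB_PROXYARP_LOADED=Yes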
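Review bot: The route-removal guard emitted by delete_proxy_arp tests `\$NOROUTE`, while the route-add emitted by setup_one_proxy_arp (and the provider code in this commit) tests `\$NOROUTES`; when NOROUTES is set the add is skipped but the delete path is not suppressed, so the generated stop script runs `ip route del` for routes it never installed. The line should be `[ -z "\$haveroute" -a -z "\$NOROUTES" ] && qt ip route del \$address dev \$interface`. Also, the `Host $address connected to $interface added to ARP on $external` progress_message appears twice in setup_one_proxy_arp: once inside the heredoc that goes into the generated script and once at compile time right after the `echo ... >> $STATEDIR/proxyarp`; the compile-time copy reports an action that has not happened yet and looks like a leftover that should be dropped.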
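--- a/Shorewall/clib.tcrules
+++ b/Shorewall/clib.tcrules
@@ -0,0 +1,134 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.tcrules
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Generate a command to run tc
+#
+run_tc() {
+save_command run_tc $@
+}
+
+#
+# Setup queuing and classes
+#
+setup_tc1() {
+local mark_part=
+#
+# Create the TC mangle chains
+#
+
+createmanglechain tcpre
+
+if [ -n "$MANGLE_FORWARD" ]; then
+createmanglechain tcfor
+createmanglechain tcpost
+fi
+
+createmanglechain tcout
+#
+# Process the TC Rules File
+#
+strip_file tcrules
+
+while read mark sources dests proto ports sports user testval length tos; do
+expandv mark sources dests proto ports sports user testval length tos
+rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length $tos")
+process_tc_rule
+done < $TMP_DIR/tcrules
+#
+# Link to the TC mangle chains from the main chains
+#
+
+#
+# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
+# packets that are not part of a marked connection to the 'tcpre/tcout' chains.
+#
+if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
+mark_part="-m mark --mark 0/0xFF00"
+#
+# But let marks in tcpre override those assigned by 'track'
+#
+for interface in $ROUTEMARK_INTERFACES; do
+run_iptables -t mangle -A PREROUTING -i $interface -j tcpre
+done
+fi
+
+run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
+run_iptables -t mangle -A OUTPUT $mark_part -j tcout
+
+if [ -n "$MANGLE_FORWARD" ]; then
+run_iptables -t mangle -A FORWARD -j tcfor
+run_iptables -t mangle -A POSTROUTING -j tcpost
+fi
+
+if [ -n "$HIGH_ROUTE_MARKS" ]; then
+for chain in INPUT FORWARD; do
+run_iptables -t mangle -I $chain -j MARK --and-mark 0xFF
+done
+fi
+
+if [ -n "$TC_SCRIPT" ]; then
+save_progress_message "Setting up Traffic Control..."
+append_file $TC_SCRIPT
+elif [ -n "$TC_ENABLED" ]; then
+setup_traffic_shaping
+fi
+}
+
+setup_tc() {
+
+progress_message2 "$DOING Traffic Control Rules..."
+
+setup_tc1
+}
+
+#
+# Clear Traffic Shaping
+#
+delete_tc()
+{
+clear_one_tc() {
+save_command "tc qdisc del dev $1 root 2> /dev/null"
+save_command "tc qdisc del dev $1 ingress 2> /dev/null"
+
+}
+
+save_progress_message "Clearing Traffic Control/QOS"
+
+append_file tcclear
+
+indent >&3 << __EOF__
+ip link list | while read inx interface details; do
+case \$inx in
+[0-9]*)
+qt tc qdisc del dev \${interface%:} root
+qt tc qdisc del dev \${interface%:} ingress
+;;
+*)
+;;
+esac
+done
+__EOF__
+}
+
+CLIB_TCRULES_LOADED=Yes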
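Review bot: `mark_part="-m mark --mark 0/0xFF00"` in setup_tc1 hard-codes the high-byte mask, whereas setup_routes in clib.providers of this same commit keeps route marks in `0xFF` unless HIGH_ROUTE_MARKS is set; with HIGH_ROUTE_MARKS unset the `0/0xFF00` test matches every packet, so the comment just above it ("We only send packets that are not part of a marked connection to the 'tcpre/tcout' chains") does not hold in that configuration. If the two files are meant to agree, derive the mask the same way, `mark_part="-m mark --mark 0/0xFF"` followed by `[ -n "$HIGH_ROUTE_MARKS" ] && mark_part="-m mark --mark 0/0xFF00"`; if the fixed high mask is intentional, a one-line comment should say why it differs from setup_routes. `clear_one_tc` is defined inside delete_tc but never called there, and the `ip link list` heredoc below it already does the same job, so the helper can be removed. `strip_file tcrules` is also the only strip_file call in this commit that passes no file argument (compare `strip_file providers $1` and `strip_file tos $1`); worth confirming strip_file defaults the path when the second argument is absent.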
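--- a/Shorewall/clib.tos
+++ b/Shorewall/clib.tos
@@ -0,0 +1,218 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.tos
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Process a record from the tos file
+#
+# The caller has loaded the column contents from the record into the following
+# variables:
+#
+# src dst protocol sport dport tos
+#
+# and has loaded a space-separated list of their values in "rule".
+#
+process_tos_rule() {
+#
+# Parse the contents of the 'src' variable
+#
+if [ "$src" = "${src%:*}" ]; then
+srczone="$src"
+src=
+else
+srczone="${src%:*}"
+src="${src#*:}"
+fi
+
+source=
+#
+# Validate the source zone
+#
+if validate_zone $srczone; then
+source=$srczone
+elif [ "$srczone" = "all" ]; then
+source="all"
+else
+error_message "WARNING: Undefined Source Zone - rule \"$rule\" ignored"
+return
+fi
+
+[ -n "$src" ] && case "$src" in
+*.*.*|+*|!+*)
+#
+# IP Address or networks
+#
+src="$(source_ip_range $src)"
+;;
+~*|!~*)
+src=$(mac_match $src)
+;;
+*)
+#
+# Assume that this is a device name
+#
+if ! verify_interface $src ; then
+error_message "WARNING: Unknown Interface in rule \"$rule\" ignored"
+return
+fi
+
+src="$(match_source_dev $src)"
+;;
+esac
+
+#
+# Parse the contents of the 'dst' variable
+#
+if [ "$dst" = "${dst%:*}" ]; then
+dstzone="$dst"
+dst=
+else
+dstzone="${dst%:*}"
+dst="${dst#*:}"
+fi
+
+dest=
+#
+# Validate the destination zone
+#
+if validate_zone $dstzone; then
+dest=$dstzone
+elif [ "$dstzone" = "all" ]; then
+dest="all"
+else
+error_message \
+"WARNING: Undefined Destination Zone - rule \"$rule\" ignored"
+return
+fi
+
+[ -n "$dst" ] && case "$dst" in
+*.*.*|+*|!+*)
+#
+# IP Address or networks
+#
+;;
+*)
+#
+# Assume that this is a device name
+#
+error_message \
+"WARNING: Invalid Destination - rule \"$rule\" ignored"
+return
+;;
+esac
+
+#
+# Setup PROTOCOL and PORT variables
+#
+sports=""
+dports=""
+
+case $protocol in
+tcp|udp|TCP|UDP|6|17)
+[ -n "$sport" ] && [ "x${sport}" != "x-" ] && \
+sports="--sport $sport"
+[ -n "$dport" ] && [ "x${dport}" != "x-" ] && \
+dports="--dport $dport"
+;;
+icmp|ICMP|0)
+[ -n "$dport" ] && [ "x${dport}" != "x-" ] && \
+dports="--icmp-type $dport"
+;;
+all|ALL)
+protocol=
+;;
+*)
+;;
+esac
+
+protocol="${protocol:+-p $protocol}"
+
+tos="-j TOS --set-tos $tos"
+
+case "$dstzone" in
+all|ALL)
+dst=0.0.0.0/0
+;;
+*)
+[ -z "$dst" ] && eval dst=\$${dstzone}_hosts
+;;
+esac
+
+for dest in $dst; do
+dest="$(dest_ip_range $dest)"
+
+case $srczone in
+$FW)
+run_iptables2 -t mangle -A outtos \
+$protocol $dest $dports $sports $tos
+;;
+all|ALL)
+run_iptables2 -t mangle -A outtos \
+$protocol $dest $dports $sports $tos
+run_iptables2 -t mangle -A pretos \
+$protocol $dest $dports $sports $tos
+;;
+*)
+if [ -n "$src" ]; then
+run_iptables2 -t mangle -A pretos $src \
+$protocol $dest $dports $sports $tos
+else
+eval interfaces=\$${srczone}_interfaces
+
+for interface in $interfaces; do
+run_iptables2 -t mangle -A pretos -i $interface \
+$protocol $dest $dports $sports $tos
+done
+fi
+;;
+esac
+done
+
+progress_message " Rule \"$rule\" $DONE."
+save_progress_message "Rule \"$rule\" Added."
+}
+
+#
+# Process the tos file
+#
+process_tos() # $1 = name of tos file
+{
+progress_message2 "$DOING $1..."
+
+strip_file tos $1
+
+if [ -s $TMP_DIR/tos ] ; then
+createmanglechain pretos
+createmanglechain outtos
+
+while read src dst protocol sport dport tos; do
+expandv src dst protocol sport dport tos
+rule="$(echo $src $dst $protocol $sport $dport $tos)"
+process_tos_rule
+done < $TMP_DIR/tos
+
+run_iptables -t mangle -A PREROUTING -j pretos
+run_iptables -t mangle -A OUTPUT -j outtos
+fi
+}
+
+CLIB_TOS_LOADED=Yes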
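Review bot: In process_tos_rule the `all|ALL)` arm of `case "$dstzone"` assigns `dst=0.0.0.0/0` unconditionally, so a DEST column written as `all:<address>` has the address that was split off earlier by `dst="${dst#*:}"` (and accepted by the `*.*.*|+*|!+*)` check) silently discarded, and the TOS rule is applied to every destination; it should be `[ -z "$dst" ] && dst=0.0.0.0/0`, mirroring the `*)` arm directly below it. The `icmp|ICMP|0)` protocol arm also looks wrong: the IP protocol number of ICMP is 1, not 0, so a rule giving the protocol numerically never gets the `--icmp-type` handling that `6|17` gets for tcp/udp. The `dest` value computed during destination-zone validation is never read before `for dest in $dst` reuses the variable; either drop those assignments or name the loop variable differently so the intent is clear.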
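--- /dev/null
+++ b/Shorewall/clib.tunnels
@@ -0,0 +1,655 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.tunnels
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Process the ipsec information in the zones file
+#
+setup_ipsec() {
+local zone using_ipsec=
+#
+# Add a --set-mss rule to the passed chain
+#
+set_mss1() # $1 = chain, $2 = MSS
+{
+eval local policy=\$${1}_policy
+
+if [ "$policy" != NONE ]; then
+ensurechain $1
+run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
+fi
+}
+#
+# Set up rules to set MSS to and/or from zone "$zone"
+#
+set_mss() # $1 = MSS value, $2 = _in, _out or ""
+{
+for z in $ZONES; do
+case $2 in
+_in)
+set_mss1 ${zone}2${z} $1
+;;
+_out)
+set_mss1 ${z}2${zone} $1
+;;
+*)
+set_mss1 ${z}2${zone} $1
+set_mss1 ${zone}2${z} $1
+;;
+esac
+done
+}
+
+do_options() # $1 = _in, _out or "" - $2 = option list
+{
+local option newoptions= val
+
+[ x${2} = x- ] && return
+
+for option in $(separate_list $2); do
+val=${option#*=}
+
+case $option in
+mss=[0-9]*) set_mss $val $1 ;;
+strict) newoptions="$newoptions --strict" ;;
+next) newoptions="$newoptions --next" ;;
+reqid=*) newoptions="$newoptions --reqid $val" ;;
+spi=*) newoptions="$newoptions --spi $val" ;;
+proto=*) newoptions="$newoptions --proto $val" ;;
+mode=*) newoptions="$newoptions --mode $val" ;;
+tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
+tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
+reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
+spi!=*) newoptions="$newoptions ! --spi $val" ;;
+proto!=*) newoptions="$newoptions ! --proto $val" ;;
+mode!=*) newoptions="$newoptions ! --mode $val" ;;
+tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
+tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
+*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
+esac
+done
+
+if [ -n "$newoptions" ]; then
+[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
+eval ${zone}_is_complex=Yes
+eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
+fi
+}
+
+case $IPSECFILE in
+zones)
+f=zones
+progress_message2 "$DOING IPSEC..."
+;;
+*)
+f=$IPSECFILE
+strip_file $f
+progress_message2 "$DOING $f..."
+using_ipsec=Yes
+;;
+esac
+
+while read zone type options in_options out_options mss; do
+expandv zone type options in_options out_options mss
+
+if [ -n "$using_ipsec" ]; then
+validate_zone1 $zone || fatal_error "Unknown zone: $zone"
+fi
+
+if [ -n "$type" ]; then
+if [ -n "$using_ipsec" ]; then
+case $type in
+No|no)
+;;
+Yes|yes)
+[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
+eval ${zone}_is_ipsec=Yes
+eval ${zone}_is_complex=Yes
+eval ${zone}_type=ipsec4
+;;
+*)
+fatal_error "Invalid IPSEC column contents"
+;;
+esac
+fi
+
+do_options "" $options
+do_options "_in" $in_options
+do_options "_out" $out_options
+fi
+
+done < $TMP_DIR/$f
+}
+
+#
+# Set up tunnels
+#
+setup_tunnels() # $1 = name of tunnels file
+{
+local inchain
+local outchain
+local source
+local dest
+
+setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
+{
+local kind=$1 noah=
+
+case $kind in
+*:*)
+noah=${kind#*:}
+[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+kind=${kind%:*}
+;;
+esac
+
+[ $kind = IPSEC ] && kind=ipsec
+
+options="-m state --state NEW -j ACCEPT"
+addrule2 $inchain -p 50 $source -j ACCEPT
+addrule2 $outchain -p 50 $dest -j ACCEPT
+
+if [ -z "$noah" ]; then
+run_iptables -A $inchain -p 51 $source -j ACCEPT
+run_iptables -A $outchain -p 51 $dest -j ACCEPT
+fi
+
+run_iptables -A $outchain -p udp $dest --dport 500 $options
+
+if [ $kind = ipsec ]; then
+run_iptables -A $inchain -p udp $source --dport 500 $options
+else
+run_iptables -A $inchain -p udp $source --dport 500 $options
+run_iptables -A $inchain -p udp $source --dport 4500 $options
+fi
+
+for z in $(separate_list $2); do
+if validate_zone $z; then
+if [ -z "$POLICY_MATCH" ]; then
+addrule ${z}2${FW} -p 50 $source -j ACCEPT
+addrule ${FW}2${z} -p 50 $dest -j ACCEPT
+if [ -z "$noah" ]; then
+addrule ${z}2${FW} -p 51 $source -j ACCEPT
+addrule ${FW}2${z} -p 51 $dest -j ACCEPT
+fi
+fi
+if [ $kind = ipsec ]; then
+addrule ${z}2${FW} -p udp $source --dport 500 $options
+addrule ${FW}2${z} -p udp $dest --dport 500 $options
+else
+addrule ${z}2${FW} -p udp $source --dport 500 $options
+addrule ${FW}2${z} -p udp $dest --dport 500 $options
+addrule ${z}2${FW} -p udp $source --dport 4500 $options
+addrule ${FW}2${z} -p udp $dest --dport 4500 $options
+fi
+else
+fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
+fi
+done
+
+progress_message_and_save " IPSEC tunnel to $gateway defined."
+}
+
+setup_one_other() # $1 = TYPE, $2 = protocol
+{
+addrule2 $inchain -p $2 $source -j ACCEPT
+addrule2 $outchain -p $2 $dest -j ACCEPT
+
+progress_message_and_save " $1 tunnel to $gateway compiled."
+}
+
+setup_pptp_client()
+{
+addrule2 $outchain -p 47 $dest -j ACCEPT
+addrule2 $inchain -p 47 $source -j ACCEPT
+addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
+
+progress_message_and_save " PPTP tunnel to $gateway defined."
+}
+
+setup_pptp_server()
+{
+addrule2 $inchain -p 47 $source -j ACCEPT
+addrule2 $outchain -p 47 $dest -j ACCEPT
+addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
+
+progress_message_and_save " PPTP server defined."
+}
+
+setup_one_openvpn() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+
+addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
+}
+
+setup_one_openvpn_server() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+#
+# Set up ipsec tunnels
+#
+setup_tunnels() # $1 = name of tunnels file
+{
+local inchain
+local outchain
+local source
+local dest
+
+setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
+{
+local kind=$1 noah=
+
+case $kind in
+*:*)
+noah=${kind#*:}
+[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+kind=${kind%:*}
+;;
+esac
+
+[ $kind = IPSEC ] && kind=ipsec
+
+options="-m state --state NEW -j ACCEPT"
+addrule2 $inchain -p 50 $source -j ACCEPT
+addrule2 $outchain -p 50 $dest -j ACCEPT
+
+if [ -z "$noah" ]; then
+run_iptables -A $inchain -p 51 $source -j ACCEPT
+run_iptables -A $outchain -p 51 $dest -j ACCEPT
+fi
+
+run_iptables -A $outchain -p udp $dest --dport 500 $options
+
+if [ $kind = ipsec ]; then
+run_iptables -A $inchain -p udp $source --dport 500 $options
+else
+run_iptables -A $inchain -p udp $source --dport 500 $options
+run_iptables -A $inchain -p udp $source --dport 4500 $options
+fi
+
+for z in $(separate_list $2); do
+if validate_zone $z; then
+if [ -z "$POLICY_MATCH" ]; then
+addrule ${z}2${FW} -p 50 $source -j ACCEPT
+addrule ${FW}2${z} -p 50 $dest -j ACCEPT
+if [ -z "$noah" ]; then
+addrule ${z}2${FW} -p 51 $source -j ACCEPT
+addrule ${FW}2${z} -p 51 $dest -j ACCEPT
+fi
+fi
+if [ $kind = ipsec ]; then
+addrule ${z}2${FW} -p udp $source --dport 500 $options
+addrule ${FW}2${z} -p udp $dest --dport 500 $options
+else
+addrule ${z}2${FW} -p udp $source --dport 500 $options
+addrule ${FW}2${z} -p udp $dest --dport 500 $options
+addrule ${z}2${FW} -p udp $source --dport 4500 $options
+addrule ${FW}2${z} -p udp $dest --dport 4500 $options
+fi
+else
+fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
+fi
+done
+
+progress_message_and_save " IPSEC tunnel to $gateway defined."
+}
+
+setup_one_other() # $1 = TYPE, $2 = protocol
+{
+addrule2 $inchain -p $2 $source -j ACCEPT
+addrule2 $outchain -p $2 $dest -j ACCEPT
+
+progress_message_and_save " $1 tunnel to $gateway compiled."
+}
+
+setup_pptp_client()
+{
+addrule2 $outchain -p 47 $dest -j ACCEPT
+addrule2 $inchain -p 47 $source -j ACCEPT
+addrule2 $outchain -p tcp --dport 1723 $dest -j ACCEPT
+
+progress_message_and_save " PPTP tunnel to $gateway defined."
+}
+
+setup_pptp_server()
+{
+addrule2 $inchain -p 47 $source -j ACCEPT
+addrule2 $outchain -p 47 $dest -j ACCEPT
+addrule2 $inchain -p tcp --dport 1723 $source -j ACCEPT
+
+progress_message_and_save " PPTP server defined."
+}
+
+setup_one_openvpn() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+
+addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN tunnel to $gateway:$protocol:$p defined."
+}
+
+setup_one_openvpn_server() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+
+addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
+}
+
+setup_one_openvpn_client() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+
+addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
+}
+
+setup_one_generic() # $1 = kind:protocol[:port]
+{
+local protocol
+local p=
+
+case $1 in
+*:*:*)
+p=${1##*:}
+protocol=${1%:*}
+protocol=${protocol#*:}
+;;
+*:*)
+protocol=${1#*:}
+;;
+*)
+protocol=udp
+p=5000
+;;
+esac
+
+p=${p:+--dport $p}
+
+addrule2 $inchain -p $protocol $source $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest $p -j ACCEPT
+
+progress_message_and_save " GENERIC tunnel to $1:$p defined."
+}
+
+strip_file tunnels $1
+
+while read kind z gateway z1; do
+expandv kind z gateway z1
+tunnel="$(echo $kind $z $gateway $z1)"
+if validate_zone $z; then
+inchain=${z}2${FW}
+outchain=${FW}2${z}
+gateway=${gateway:-0.0.0.0/0}
+source=$(source_ip_range $gateway)
+dest=$(dest_ip_range $gateway)
+
+case $kind in
+ipsec|IPSEC|ipsec:*|IPSEC:*)
+setup_one_ipsec $kind $z1
+;;
+ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
+setup_one_ipsec $kind $z1
+;;
+ipip|IPIP)
+setup_one_other IPIP 4
+;;
+gre|GRE)
+setup_one_other GRE 47
+;;
+6to4|6TO4)
+setup_one_other 6to4 41
+;;
+pptpclient|PPTPCLIENT)
+setup_pptp_client
+;;
+pptpserver|PPTPSERVER)
+setup_pptp_server
+;;
+openvpn|OPENVPN|openvpn:*|OPENVPN:*)
+setup_one_openvpn $kind
+;;
+openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
+setup_one_openvpn_client $kind
+;;
+openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
+setup_one_openvpn_server $kind
+;;
+generic:*|GENERIC:*)
+setup_one_generic $kind
+;;
+*)
+error_message "WARNING: Tunnels of type $kind are not supported:" \
+"Tunnel \"$tunnel\" Ignored"
+;;
+esac
+else
+error_message "ERROR: Invalid gateway zone ($z)" \
+" -- Tunnel \"$tunnel\" Ignored"
+fi
+done < $TMP_DIR/tunnels
+}
+
+
+addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --sport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN server tunnel from $gateway:$protocol:$p defined."
+}
+
+setup_one_openvpn_client() # $1 = kind[:port]
+{
+local protocol=udp
+local p=1194
+
+case $1 in
+*:*:*)
+protocol=${1%:*}
+protocol=${protocol#*:}
+p=${1##*:}
+;;
+*:tcp|*:udp|*:TCP|*:UDP)
+protocol=${1#*:}
+;;
+*:*)
+p=${1#*:}
+;;
+esac
+
+addrule2 $inchain -p $protocol $source --sport $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest --dport $p -j ACCEPT
+
+progress_message_and_save " OPENVPN client tunnel to $gateway:$protocol:$p defined."
+}
+
+setup_one_generic() # $1 = kind:protocol[:port]
+{
+local protocol
+local p=
+
+case $1 in
+*:*:*)
+p=${1##*:}
+protocol=${1%:*}
+protocol=${protocol#*:}
+;;
+*:*)
+protocol=${1#*:}
+;;
+*)
+protocol=udp
+p=5000
+;;
+esac
+
+p=${p:+--dport $p}
+
+addrule2 $inchain -p $protocol $source $p -j ACCEPT
+addrule2 $outchain -p $protocol $dest $p -j ACCEPT
+
+progress_message_and_save " GENERIC tunnel to $1:$p defined."
+}
+
+strip_file tunnels $1
+
+while read kind z gateway z1; do
+expandv kind z gateway z1
+tunnel="$(echo $kind $z $gateway $z1)"
+if validate_zone $z; then
+inchain=${z}2${FW}
+outchain=${FW}2${z}
+gateway=${gateway:-0.0.0.0/0}
+source=$(source_ip_range $gateway)
+dest=$(dest_ip_range $gateway)
+
+case $kind in
+ipsec|IPSEC|ipsec:*|IPSEC:*)
+setup_one_ipsec $kind $z1
+;;
+ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
+setup_one_ipsec $kind $z1
+;;
+ipip|IPIP)
+setup_one_other IPIP 4
+;;
+gre|GRE)
+setup_one_other GRE 47
+;;
+6to4|6TO4)
+setup_one_other 6to4 41
+;;
+pptpclient|PPTPCLIENT)
+setup_pptp_client
+;;
+pptpserver|PPTPSERVER)
+setup_pptp_server
+;;
+openvpn|OPENVPN|openvpn:*|OPENVPN:*)
+setup_one_openvpn $kind
+;;
+openvpnclient|OPENVPNCLIENT|openvpnclient:*|OPENVPNCLIENT:*)
+setup_one_openvpn_client $kind
+;;
+openvpnserver|OPENVPNSERVER|openvpnserver:*|OPENVPNSERVER:*)
+setup_one_openvpn_server $kind
+;;
+generic:*|GENERIC:*)
+setup_one_generic $kind
+;;
+*)
+error_message "WARNING: Tunnels of type $kind are not supported:" \
+"Tunnel \"$tunnel\" Ignored"
+;;
+esac
+else
+error_message "ERROR: Invalid gateway zone ($z)" \
+" -- Tunnel \"$tunnel\" Ignored"
+fi
+done < $TMP_DIR/tunnels
+}
+
+CLIB_TUNNELS_LOADED=Yes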
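Review bot: The body of `setup_one_openvpn_server` is interrupted after its `esac` by a second, nested definition of `setup_tunnels` (from the `# Set up ipsec tunnels` comment through its closing `}`), and the function's own `addrule2` and `progress_message_and_save` lines only resume after that block. The nested copy appears identical to the enclosing `setup_tunnels` apart from its header comment, so it is dead code that re-defines the outer function each time an openvpnserver tunnel is processed and will silently diverge from it on the next edit. Delete the nested block so that `esac` is followed directly by `addrule2 $inchain -p $protocol $source --dport $p -j ACCEPT`. Separately, in `setup_one_ipsec` the test `[ $noah = noah -o $noah = NOAH ]` is unquoted, so an empty or multi-word modifier in the tunnels file produces a `[` syntax error rather than the intended fatal_error; `[ "$noah" = noah -o "$noah" = NOAH ]` keeps the check well-formed for any value.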
@ -628,7 +628,6 @@ fi
|
||||
run_install $OWNERSHIP -m 0644 Makefile ${PREFIX}/usr/share/shorewall/configfiles/Makefile
|
||||
run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
|
||||
echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
|
||||
|
||||
#
|
||||
# Install the Action files
|
||||
#
|
||||
@ -636,10 +635,24 @@ for f in action.* ; do
|
||||
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
|
||||
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||
done
|
||||
|
||||
#
|
||||
install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0644
|
||||
echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
|
||||
#
|
||||
# Install the Compiler Library files
|
||||
#
|
||||
for f in clib.* ; do
|
||||
install_file $f ${PREFIX}/usr/share/shorewall/$f 0555
|
||||
echo "Compiler library ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||
done
|
||||
#
|
||||
# Install the Common Library files
|
||||
#
|
||||
for f in lib.* ; do
|
||||
install_file $f ${PREFIX}/usr/share/shorewall/$f 0555
|
||||
echo "Library ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||
done
|
||||
#
|
||||
# Install the Macro files
|
||||
#
|
||||
for f in macro.* ; do
|
||||
|
1578
Shorewall/lib.base
Normal file
File diff suppressed because it is too large
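--- /dev/null
+++ b/Shorewall/lib.tc
@@ -0,0 +1,336 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/lib.tc
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# tcstart from tc4shorewall Version 0.5
+# (c) 2005 Arne Bernin <arne@ucbering.de>
+# Modified by Tom Eastep for integration into the Shorewall distribution
+# published under GPL Version 2#
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+#
+# Arne Bernin's 'tc4shorewall'
+#
+setup_traffic_shaping()
+{
+local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 last_device=
+r2q=10
+
+rate_to_kbit() {
+local rateunit rate
+rate=$1
+rateunit=$( echo $rate | sed -e 's/[0-9]*//')
+rate=$( echo $rate | sed -e 's/[a-z]*//g')
+
+case $rateunit in
+kbit)
+rate=$rate
+;;
+mbit)
+rate=$(expr $rate \* 1024)
+;;
+mbps)
+rate=$(expr $rate \* 8192)
+;;
+kbps)
+rate=$(expr $rate \* 8)
+;;
+*)
+rate=$(expr $rate / 128)
+;;
+esac
+echo $rate
+}
+
+calculate_quantum() {
+local rate=$(rate_to_kbit $1)
+echo $(( $rate * ( 128 / $r2q ) ))
+}
+
+# get given outbandwidth for device
+get_outband_for_dev() {
+local device inband outband
+while read device inband outband; do
+expandv device inband outband
+tcdev="$device $inband $outband"
+if [ "$1" = "$device" ] ; then
+echo $outband
+return
+fi
+done < $TMP_DIR/tcdevices
+}
+
+check_tcclasses_options() {
+while [ $# -gt 1 ]; do
+shift
+case $1 in
+default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
+;;
+tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
+;;
+*)
+echo $1
+return 1
+;;
+esac
+done
+return 0
+}
+
+get_defmark_for_dev() {
+local searchdev searchmark device ceil prio options
+searchdev=$1
+
+while read device mark rate ceil prio options; do
+expandv device mark rate ceil prio options
+options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+tcdev="$device $mark $rate $ceil $prio $options"
+if [ "$searchdev" = "$device" ] ; then
+list_search "default" $options && echo $mark &&return 0
+fi
+done < $TMP_DIR/tcclasses
+
+return 1
+}
+
+check_defmark_for_dev() {
+get_defmark_for_dev $1 >/dev/null
+}
+
+validate_tcdevices_file() {
+progress_message2 "Validating $devfile..."
+local device local device inband outband
+while read device inband outband; do
+expandv device inband outband
+tcdev="$device $inband $outband"
+check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
+case $interface in
+*:*|+)
+fatal_error "Invalid Interface Name: $interface"
+;;
+esac
+list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
+tc_all_devices="$tc_all_devices $device"
+done < $TMP_DIR/tcdevices
+}
+
+validate_tcclasses_file() {
+progress_message2 "Validating $classfile..."
+local classlist device mark rate ceil prio bandw wrongopt allopts opt
+allopts=""
+while read device mark rate ceil prio options; do
+expandv device mark rate ceil prio options
+tcdev="$device $mark $rate $ceil $prio $options"
+ratew=$(get_outband_for_dev $device)
+options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+for opt in $options; do
+case $opt in
+tos=0x??)
+opt="$opt/0xff"
+;;
+esac
+list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
+allopts="$allopts $device-$opt"
+done
+wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
+if [ -z "$ratew" ] ; then
+fatal_error "device $device seems not to be configured in tcdevices"
+fi
+list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses"
+#
+# Convert HEX/OCTAL mark representation to decimal
+#
+mark=$(($mark))
+verify_mark $mark
+[ $mark -lt 256 ] || fatal_error "Invalid Mark Value"
+classlist="$classlist $device-$mark"
+done < $TMP_DIR/tcclasses
+}
+
+add_root_tc() {
+local defmark dev indent
+
+dev=$(chain_base $device)
+
+if [ "$COMMAND" = compile ]; then
+save_command "if qt ip link ls dev $device; then"
+indent="$INDENT"
+INDENT="$INDENT "
+save_command ${dev}_exists=Yes
+save_command qt tc qdisc del dev $device root
+save_command qt tc qdisc del dev $device ingress
+elif ! qt ip link ls dev $device; then
+error_message "WARNING: Device $device not found -- traffic-shaping configuration skipped"
+return 1
+fi
+
+defmark=$(get_defmark_for_dev $device)
+
+run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark
+
+if [ "$COMMAND" = compile ]; then
+save_command "${dev}_mtu=\$(get_device_mtu $device)"
+run_tc "class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu \$${dev}_mtu"
+else
+run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu $(get_device_mtu $device)
+fi
+
+run_tc qdisc add dev $device handle ffff: ingress
+run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
+eval ${dev}_devnum=$devnum
+devnum=$(($devnum + 1))
+
+if [ "$COMMAND" = compile ]; then
+save_progress_message_short " TC Device $tcdev defined."
+INDENT="$indent"
+save_command else
+INDENT="$INDENT "
+save_command error_message "\"WARNING: Device $device not found -- traffic-shaping configuration skipped\""
+save_command "${dev}_exists="
+INDENT="$indent"
+save_command "fi"
+save_command
+fi
+
+return 0
+}
+
+add_tc_class() {
+local full classid tospair tosmask quantum indent
+
+dev=$(chain_base $device)
+
+if [ "$COMMAND" = compile ]; then
+save_command "if [ -n \"\$${dev}_exists\" ] ; then"
+indent="$INDENT"
+INDENT="$INDENT "
+else
+qt ip link ls dev $device || return 1
+fi
+
+full=$(get_outband_for_dev $device)
+full=$(rate_to_kbit $full)
+
+if [ -z "$prio" ] ; then
+prio=1
+fi
+
+case $rate in
+*full*)
+rate=$(echo $rate | sed -e "s/full/$full/")
+rate="$(($rate))kbit"
+;;
+esac
+
+case $ceil in
+*full*)
+ceil=$(echo $ceil | sed -e "s/full/$full/")
+ceil="$(($ceil))kbit"
+;;
+esac
+
+eval devnum=\$${dev}_devnum
+#
+# Convert HEX/OCTAL mark representation to decimal
+#
+mark=$(($mark))
+
+classid=$devnum:1$mark
+
+[ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile"
+
+quantum=$(calculate_quantum $rate)
+
+if [ "$COMMAND" = compile ]; then
+save_command "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum"
+run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum"
+else
+[ "$last_device" = $device ] || mtu=$(get_device_mtu $device)
+[ $mtu -gt $quantum ] && quantum=$mtu
+run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu $mtu quantum $quantum
+fi
+
+run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
+# add filters
+if [ -n "$CLASSIFY_TARGET" ]; then
+run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid
+else
+run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
+fi
+#options
+list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
+list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10"
+list_search "tos-maximize-throughput" $options && options="$options tos=0x08/0x08"
+list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04"
+list_search "tos-minimize-cost" $options && options="$options tos=0x02/0x02"
+list_search "tos-normal-service" $options && options="$options tos=0x00/0x1e"
+
+for tospair in $(list_walk "tos=" $options) ; do
+case $tospair in
+*/*)
+tosmask=${tospair##*/}
+;;
+*)
+tosmask=0xff
+;;
+esac
+run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
+done
+
+if [ "$COMMAND" = compile ]; then
+save_progress_message_short " TC Class $tcdev defined."
+INDENT="$indent"
+save_command fi
+save_command
+fi
+
+return 0
+}
+
+strip_file tcdevices $devfile
+strip_file tcclasses $classfile
+
+validate_tcdevices_file
+validate_tcclasses_file
+
+if [ -s $TMP_DIR/tcdevices ]; then
+[ $COMMAND = compile ] && save_progress_message "Setting up Traffic Control..."
+progress_message2 "$DOING $devfile..."
+
+while read device inband outband; do
+expandv device inband outband
+tcdev="$device $inband $outband"
+add_root_tc && progress_message " TC Device $tcdev defined."
+done < $TMP_DIR/tcdevices
+fi
+
+if [ -s $TMP_DIR/tcclasses ]; then
+progress_message2 "$DOING $classfile..."
+
+while read device mark rate ceil prio options; do
+expandv device mark rate ceil prio options
+tcdev="$device $mark $rate $ceil $prio $options"
+options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+add_tc_class && progress_message " TC Class $tcdev defined."
+last_device=$device
+done < $TMP_DIR/tcclasses
+fi
+}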
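Review bot: Two checks in `validate_tcdevices_file` can never fire: `case $interface in` tests a variable this function never sets (the loop reads into `device`), and `list_search $device $devices` consults `$devices`, which is not defined anywhere in this file, while the list the loop actually accumulates is `tc_all_devices`. As a result an interface name containing `:` or `+`, or a device listed twice in tcdevices, passes validation and reaches the `tc qdisc add` commands in `add_root_tc` unchecked. The intended lines are `case $device in` (with `$device` in the fatal_error message as well) and `list_search $device $tc_all_devices && fatal_error "Interface $device is defined more than once in tcdevices"`. The declaration `local device local device inband outband` also carries a stray `local` token and should read `local device inband outband`.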
390
Shorewall/lib.tcrules
Normal file
@ -0,0 +1,390 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 3.2 -- /usr/share/shorewall/lib.tcrules
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# tcstart from tc4shorewall Version 0.5
|
||||
# (c) 2005 Arne Bernin <arne@ucbering.de>
|
||||
# Modified by Tom Eastep for integration into the Shorewall distribution
|
||||
# published under GPL Version 2#
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
|
||||
#
|
||||
# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
|
||||
# default marking chain
|
||||
#
|
||||
process_tc_rule()
|
||||
{
|
||||
local did_connmark=
|
||||
|
||||
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
|
||||
|
||||
verify_designator() {
|
||||
[ "$chain" = tcout ] && \
|
||||
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
||||
chain=$1
|
||||
mark="${mark%:*}"
|
||||
}
|
||||
|
||||
do_ipp2p()
|
||||
{
|
||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
|
||||
case $proto in
|
||||
*:*)
|
||||
proto=${proto#*:}
|
||||
;;
|
||||
*)
|
||||
proto=tcp
|
||||
;;
|
||||
esac
|
||||
|
||||
r="${r}-p $proto -m ipp2p --${port} "
|
||||
}
|
||||
|
||||
verify_small_mark()
|
||||
{
|
||||
verify_mark $1
|
||||
[ $(($1)) -lt 256 ] || fatal_error "Mark Value ($1) too larg, rule \"$rule\""
|
||||
}
|
||||
|
||||
do_connmark()
|
||||
{
|
||||
target="CONNMARK --set-mark"
|
||||
mark=$mark/0xff
|
||||
did_connmark=Yes
|
||||
}
|
||||
|
||||
validate_mark()
|
||||
{
|
||||
case $1 in
|
||||
*/*)
|
||||
verify_mark ${1%/*}
|
||||
verify_mark ${1#*/}
|
||||
;;
|
||||
*)
|
||||
verify_mark $1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
add_a_tc_rule() {
|
||||
r=
|
||||
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
$FW:*)
|
||||
chain=tcout
|
||||
r="$(source_ip_range ${source#*:}) "
|
||||
;;
|
||||
*:*)
|
||||
interface=${source%:*}
|
||||
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
|
||||
r="$(match_source_dev $interface) $(source_ip_range ${source#*:}) "
|
||||
;;
|
||||
*.*.*|+*|!+*)
|
||||
r="$(source_ip_range $source) "
|
||||
;;
|
||||
~*|!~*)
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW)
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev $source) "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x${user:--}" != "x-" ]; then
|
||||
|
||||
[ "$chain" != tcout ] && \
|
||||
fatal_error "Invalid use of a user/group: rule \"$rule\""
|
||||
|
||||
r="$r-m owner"
|
||||
|
||||
case "$user" in
|
||||
*+*)
|
||||
r="$r --cmd-owner ${user#*+} "
|
||||
user=${user%+*}
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$user" in
|
||||
*:*)
|
||||
temp="${user%:*}"
|
||||
[ -n "$temp" ] && r="$r --uid-owner $temp "
|
||||
temp="${user#*:}"
|
||||
[ -n "$temp" ] && r="$r --gid-owner $temp "
|
||||
;;
|
||||
*)
|
||||
[ -n "$user" ] && r="$r --uid-owner $user "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
|
||||
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
|
||||
|
||||
if [ "x$dest" != "x-" ]; then
|
||||
case $dest in
|
||||
*:*)
|
||||
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
|
||||
interface=${dest%:*}
|
||||
verify_interface $interface || fatal_error "Unknown interface $interface in rule \"$rule\""
|
||||
r="$(match_dest_dev $interface) $(dest_ip_range ${dest#*:}) "
|
||||
;;
|
||||
*.*.*|+*|!+*)
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
[ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain - rule \"$rule\""
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x${length:=-}" != "x-" ]; then
|
||||
[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
|
||||
r="${r}-m length --length ${length} "
|
||||
fi
|
||||
|
||||
if [ "x${tos:=-}" != "x-" ]; then
|
||||
r="${r}-m tos --tos ${tos} "
|
||||
fi
|
||||
|
||||
multiport=
|
||||
|
||||
case $proto in
|
||||
ipp2p|IPP2P|ipp2p:*|IPP2P:*)
|
||||
do_ipp2p
|
||||
;;
|
||||
icmp|ICMP|1)
|
||||
r="${r}-p icmp "
|
||||
[ "x$port" = "x-" ] || r="${r}--icmp-type $port"
|
||||
;;
|
||||
*)
|
||||
[ "x$proto" = "x-" ] && proto=all
|
||||
[ "x$proto" = "x" ] && proto=all
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
if [ -n "${excludesources}${excludedests}" ]; then
|
||||
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
|
||||
|
||||
run_iptables2 -t mangle -A $chain $r -j $chain1
|
||||
|
||||
run_iptables -t mangle -A $chain1 -j $target $mark
|
||||
else
|
||||
run_iptables2 -t mangle -A $chain $r -j $target $mark
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
if [ "$mark" != "${mark%:*}" ]; then
|
||||
case "${mark#*:}" in
|
||||
p|P)
|
||||
verify_designator tcpre
|
||||
;;
|
||||
cp|CP)
|
||||
verify_designator tcpre
|
||||
do_connmark
|
||||
;;
|
||||
f|F)
|
||||
verify_designator tcfor
|
||||
;;
|
||||
cf|CF)
|
||||
verify_designator tcfor
|
||||
do_connmark
|
||||
;;
|
||||
c|C)
|
||||
mark=${mark%:*}
|
||||
do_connmark
|
||||
;;
|
||||
*)
|
||||
chain=tcpost
|
||||
target="CLASSIFY --set-class"
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
mask=0xffff
|
||||
|
||||
case $mark in
|
||||
SAVE)
|
||||
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
|
||||
target="CONNMARK --save-mark --mask 0xFF"
|
||||
mark=
|
||||
;;
|
||||
SAVE/*)
|
||||
[ -n "$did_connmark" ] && fatal_error "SAVE not valid with :C[FP]"
|
||||
target="CONNMARK --save-mark --mask"
|
||||
mark=${mark#*/}
|
||||
verify_small_mark $mark
|
||||
;;
|
||||
RESTORE)
|
||||
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
|
||||
target="CONNMARK --restore-mark --mask 0xFF"
|
||||
mark=
|
||||
;;
|
||||
RESTORE/*)
|
||||
[ -n "$did_connmark" ] && fatal_error "RESTORE not valid with :C[FP]"
|
||||
target="CONNMARK --restore-mark --mask"
|
||||
mark=${mark#*/}
|
||||
verify_small_mark $mark
|
||||
;;
|
||||
CONTINUE)
|
||||
[ -n "$did_connmark" ] && fatal_error "CONTINUE not valid with :C[FP]"
|
||||
target=RETURN
|
||||
mark=
|
||||
;;
|
||||
*)
|
||||
if [ "$chain" != tcpost ]; then
|
||||
validate_mark $mark
|
||||
if [ $((${mark%/*})) -gt 255 ]; then
|
||||
case $chain in
|
||||
tcpre|tcout)
|
||||
target="MARK --or-mark"
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid mark value ($mark) in rule \"$rule\""
|
||||
;;
|
||||
esac
|
||||
elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
|
||||
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case $testval in
|
||||
-)
|
||||
;;
|
||||
!*:C)
|
||||
marktest="connmark ! "
|
||||
testval=${testval%:*}
|
||||
testval=${testval#!}
|
||||
;;
|
||||
*:C)
|
||||
marktest="connmark "
|
||||
testval=${testval%:*}
|
||||
;;
|
||||
!*)
|
||||
marktest="mark ! "
|
||||
testval=${testval#!}
|
||||
;;
|
||||
*)
|
||||
[ -n "$testval" ] && marktest="mark "
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$marktest" ] ; then
|
||||
case $testval in
|
||||
*/*)
|
||||
verify_mark ${testval%/*}
|
||||
verify_mark ${testval#*/}
|
||||
;;
|
||||
*)
|
||||
verify_mark $testval
|
||||
testval=$testval/$mask
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
excludesources=
|
||||
|
||||
case ${sources:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid SOURCE in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $sources) -gt 1 ]; then
|
||||
excludesources=${sources#!}
|
||||
sources=-
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludesources=${sources#*!}
|
||||
sources=${sources%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
excludedests=
|
||||
|
||||
case ${dests:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid DEST in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $dests) -gt 1 ]; then
|
||||
excludedests=${dests#*!}
|
||||
dests=-
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludedests=${dests#*!}
|
||||
dests=${dests%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
for source in $(separate_list $sources); do
|
||||
for dest in $(separate_list $dests); do
|
||||
for port in $(separate_list ${ports:=-}); do
|
||||
for sport in $(separate_list ${sports:=-}); do
|
||||
add_a_tc_rule
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
progress_message " TC Rule \"$rule\" $DONE"
|
||||
[ $COMMAND = compile ] && save_progress_message " TC Rule \"$rule\" Added"
|
||||
}
|
||||
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
|
||||
}
|
||||
|
||||
run_user_exit tcclear
|
||||
|
||||
run_ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
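Review bot: add_a_tc_rule in process_tc_rule mutates rule-level variables that the source/dest/port/sport loops at the end of the function never reset — `chain=tcout` in the `$FW:*` and `$FW` source cases, `proto` in do_ipp2p, and `user=${user%+*}` once a `+command` owner has been consumed — so for a rule with several sources, destinations or ports the second and later iptables rules can land in the wrong chain, lose the ipp2p match, or drop the `--cmd-owner`. Snapshotting the values once before the loops, `chain0=$chain proto0=$proto user0=$user`, and restoring them with `chain=$chain0 proto=$proto0 user=$user0` as the first statement of the innermost loop body keeps each generated rule independent of the previous one. Separately, the fatal_error text in verify_small_mark reads `too larg` and should be `too large`. The helpers nested inside process_tc_rule (do_connmark, validate_mark, ...) are redefined in the global function namespace on every call in POSIX sh; a one-line comment above them noting that their names must stay unique across the lib.* modules would save a future reader the surprise.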
@ -110,10 +110,22 @@ fi
|
||||
%attr(0644,root,root) /usr/share/shorewall/action.Limit
|
||||
%attr(0644,root,root) /usr/share/shorewall/action.Reject
|
||||
%attr(0644,root,root) /usr/share/shorewall/action.template
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.accounting
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.ecn
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.maclist
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.macros
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.providers
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.proxyarp
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.tcrules
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.tos
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.tunnels
|
||||
%attr(0555,root,root) /usr/share/shorewall/compiler
|
||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||
%attr(0555,root,root) /usr/share/shorewall/firewall
|
||||
%attr(0555,root,root) /usr/share/shorewall/help
|
||||
%attr(0555,root,root) /usr/share/shorewall/lib.base
|
||||
%attr(0555,root,root) /usr/share/shorewall/lib.tc
|
||||
%attr(0555,root,root) /usr/share/shorewall/lib.tcrules
|
||||
%attr(0644,root,root) /usr/share/shorewall/Limit
|
||||
%attr(0644,root,root) /usr/share/shorewall/macro.AllowICMPs
|
||||
%attr(0644,root,root) /usr/share/shorewall/macro.Amanda
|
||||
|