From 3ee26da51cb8896e124720360371368966b0d91c Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 22 Aug 2003 15:27:08 +0000 Subject: [PATCH] Henry Yang's patch plus fix LOGRATE/ratelimit conflict on rules file logging git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@723 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/fallback.sh | 4 +++- Shorewall/firewall | 43 ++++++++++++++++++++++++++-------------- Shorewall/functions | 3 ++- Shorewall/install.sh | 18 +++++++++++++---- Shorewall/shorewall.spec | 6 +++++- Shorewall/uninstall.sh | 5 +++-- Shorewall/usersets | 28 ++++++++++++++++++++++++++ 7 files changed, 83 insertions(+), 24 deletions(-) create mode 100644 Shorewall/usersets diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh index cedcaf2f5..7b97163f7 100755 --- a/Shorewall/fallback.sh +++ b/Shorewall/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.4.6-20030813 +VERSION=1.4.6-20030821 usage() # $1 = exit status { @@ -136,6 +136,8 @@ restore_file /etc/shorewall/ecn restore_file /etc/shorewall/accounting +restore_file /etc/shorewall/usersets + if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then restore_file /usr/lib/shorewall/version oldversion="`cat /usr/lib/shorewall/version`" diff --git a/Shorewall/firewall b/Shorewall/firewall index 8b409bdc7..21ec45feb 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -952,14 +952,15 @@ run_user_exit() # $1 = file name # # Add a logging rule. # -log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule +log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $... = predicates for the rule { local level=$1 local chain=$2 local disposition=$3 local rulenum= + local limit=${4:-$LOGLIMIT} - shift;shift;shift + shift;shift;shift;shift if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules 
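Review bot: `local limit=${4:-$LOGLIMIT}` is the only `local` in `log_rule_limit` whose value is several words (`--match limit --limit ...`), and its right-hand side is unquoted; bash does not field-split a `local` assignment, but some `/bin/sh` implementations do, so `local limit="${4:-$LOGLIMIT}"` is the form that is safe everywhere this script may run. The new signature comment also does not say that an empty fourth argument falls back to the global setting, which is what the `:-` default implements and what every call site that passes `"$ratelimit"` relies on, and `$... = predicates` lacks its separating comma; suggest `# $1 = log level, $2 = chain, $3 = disposition, $4 = rate limit ("" => $LOGLIMIT), $... = predicates for the rule`. Since `$limit` is deliberately expanded unquoted inside the `eval` lines further down, a one-line comment above the assignment such as `# multi-word; expanded unquoted in the eval below` would keep a later cleanup from quoting it there. `log_rule_limit`'s body continues past the end of this hunk.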
@@ -968,10 +969,10 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo case $level in ULOG) - eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' ;; *) - eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $rulenum $disposition`"' ;; esac @@ -985,10 +986,10 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo else case $level in ULOG) - eval iptables -A $chain $@ -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' + eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' ;; *) - eval iptables -A $chain $@ -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' + eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"' ;; esac @@ -998,6 +999,17 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo fi } +log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule +{ + local level=$1 + local chain=$2 + local disposition=$3 + + shift;shift;shift + + log_rule_limit $level $chain $disposition "$LOGLIMIT" $@ +} + # # Stop the Firewall # @@ -2191,7 +2203,7 @@ add_nat_rule() { done if [ -n "$loglevel" ]; then - log_rule $loglevel $chain $logtarget $ratelimit -t nat + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat fi addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection 
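Review bot: `$LOGPARMS` is still expanded after `-j ULOG` / `-j LOG` in all four `eval iptables` lines of this hunk and the next one (`@@ -985`), but the only assignment visible in this commit, the `if [ -n "${LOGRATE}${LOGBURST}" ]` block in `do_initialize` (`@@ -5018`), now writes to `LOGLIMIT` instead, so unless `LOGPARMS` is set somewhere not shown here (for example from shorewall.conf) it is always empty and these expansions are dead. If it is meant to carry LOG-target options from now on, a comment at its initialisation in `do_initialize` saying so would separate its role from `LOGLIMIT`; if not, it should be dropped from these lines. `log_rule_limit` starts before this hunk.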
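Review bot: The quotes around `"$ratelimit"` in the `log_rule_limit` call are load-bearing here and at the five sibling call sites (`@@ -2199`, `@@ -2403`, `@@ -2412`, `@@ -2423`, `@@ -2442`): an empty `ratelimit` must still occupy `$4` so that `-t nat` (or the `fix_bang` output) is not taken as the rate limit and then shifted away, and the unquoted `$ratelimit` that `addnatrule` receives on the very next line shows how easily the quotes could be dropped in a later edit. Suggest a comment at this first call site, `# "$ratelimit" must stay quoted: an empty value has to fill $4 (log_rule_limit then falls back to $LOGLIMIT)`. `add_nat_rule` starts before and ends after this hunk.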
@@ -2199,7 +2211,7 @@ add_nat_rule() { for adr in `separate_list $addr`; do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule $loglevel $chain $logtarget $ratelimit -t nat \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \ `fix_bang $proto $cli $sports -d $adr $multiport $dports` fi @@ -2403,7 +2415,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in `separate_list $addr`; do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule $loglevel $chain $logtarget $ratelimit -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \ `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` fi @@ -2412,7 +2424,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule $loglevel $chain $logtarget $ratelimit \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` fi @@ -2423,7 +2435,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule $loglevel $chain $logtarget $ratelimit \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ `fix_bang $proto $sports $multiport $state $cli $dports` fi @@ -2442,7 +2454,7 @@ add_a_rule() if [ $command != check ]; then if [ -n "$loglevel" ]; then - log_rule $loglevel $chain $logtarget $ratelimit \ + log_rule_limit $loglevel $chain $logtarget "$ratelimit" \ `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports` fi @@ -4936,6 +4948,7 @@ do_initialize() { LOGRATE= LOGBURST= LOGPARMS= + LOGLIMIT= ADD_IP_ALIASES= ADD_SNAT_ALIASES= TC_ENABLED= 
@@ -5018,9 +5031,9 @@ do_initialize() { TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGPARMS="--match limit" - [ -n "$LOGRATE" ] && LOGPARMS="$LOGPARMS --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGPARMS="$LOGPARMS --limit-burst $LOGBURST" + LOGLIMIT="--match limit" + [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" + [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" fi if [ -n "$IP_FORWARDING" ]; then diff --git a/Shorewall/functions b/Shorewall/functions index a562197d6..ddbded61d 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -381,7 +381,8 @@ ip_vlsm() { # -# Chain name base for an interface -- remove all periods from the passed name. +# Chain name base for an interface -- replace all periods with underscores in the passed name. +# The result is echoed (less "+" and anything following). # chain_base() #$1 = interface { diff --git a/Shorewall/install.sh b/Shorewall/install.sh index afa857e99..0fdbb2137 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.6-20030813 +VERSION=1.4.6-20030821 usage() # $1 = exit status { 
@@ -553,19 +553,29 @@ if [ -f ${PREFIX}/etc/shorewall/ecn ]; then else run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn echo - echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" + echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" fi -## +# # Install the Accounting file # if [ -f ${PREFIX}/etc/shorewall/accounting ]; then backup_file /etc/shorewall/accounting else - run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/accounting + run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting echo echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting" fi # +# Install the User Sets file +# +if [ -f ${PREFIX}/etc/shorewall/usersets ]; then + backup_file /etc/shorewall/usersets +else + run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets + echo + echo "User sets file installed as ${PREFIX}/etc/shorewall/usersets" +fi +# # Backup the version file # if [ -z "$PREFIX" ]; then diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index be251cb00..e526b7cd3 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.6_20030813 +%define version 1.4.6_20030821 %define release 1 %define prefix /usr @@ -99,6 +99,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting +%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall 
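Review bot: The `ecn` → `accounting` source-name fix in this hunk is a copy-paste error, and the new User Sets block reproduces the pattern that caused it: three install blocks (ECN, Accounting, User Sets) are now identical except for the file name and the label, each repeating `if [ -f ... ]; then backup_file ... else run_install -m 0600 ...`. A small helper taking the file name and the label would make the next addition a one-liner and remove the chance of installing the wrong source file; it has to be defined above its first use, next to `backup_file` and `run_install`, which are outside this hunk. Mode 0600 is kept for all three since these are firewall configuration files.
```shell
install_config_file() # $1 = file name under /etc/shorewall, $2 = label for the message
{
  if [ -f "${PREFIX}/etc/shorewall/$1" ]; then
    backup_file "/etc/shorewall/$1"
  else
    run_install -o "$OWNER" -g "$GROUP" -m 0600 "$1" "${PREFIX}/etc/shorewall/$1"
    echo
    echo "$2 file installed as ${PREFIX}/etc/shorewall/$1"
  fi
}
# … unchanged: ECN install block …
install_config_file accounting "Accounting"
install_config_file usersets "User sets"
# … unchanged: version file backup …
```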
@@ -107,6 +108,9 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Thu Aug 21 2003 Tom Eastep +- Changed version to 1.4.6_20030821-1 +- Added /etc/shorewall/usersets * Wed Aug 13 2003 Tom Eastep - Changed version to 1.4.6_20030813-1 * Sat Aug 09 2003 Tom Eastep diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index b796fdf68..288f41e83 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.6-20030813 +VERSION=1.4.6-20030821 usage() # $1 = exit status { @@ -99,7 +99,8 @@ if [ -n "$FIREWALL" ]; then rm -f ${FIREWALL}-*.bkout fi -remove_file /sbin/shorewall +rm -f /sbin/shorewall +rm -f /sbin/shorewall-*.bkout if [ -n "$VERSION" ]; then restore_file /etc/rc.d/rc.local diff --git a/Shorewall/usersets b/Shorewall/usersets new file mode 100644 index 000000000..a2c62ff47 --- /dev/null +++ b/Shorewall/usersets @@ -0,0 +1,28 @@ +# +# Shorewall version 1.4 - User Sets File +# +# /etc/shorewall/usersets +# +# This file is used to define Shorewall "User Sets". A user set is a +# list of , or names and can be used to +# control access by individual users to other network hosts from the +# firewall system. +# +# Columns are: +# +# USERSET The name of a user set. May be up to 6 characters in +# length and must be a valid shell identifier. +# +# USER A Linux user name or number defined in /etc/passwd. +# +# GROUP A linux group name or number defined in /etc/groups. +# +# The GROUP may be omitted. If it is supplied, then the USER may be +# entered as "-" in which case all members of the specified group are +# included in the USERSET. +# +################################################################################ +#USERSET USER GROUP +# +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
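Review bot: The GROUP column description in the new usersets file points at `/etc/groups`; the system group database is `/etc/group`, so the line should read `# GROUP A Linux group name or number defined in /etc/group.`. The sentence `A user set is a list of , or names` has lost its placeholders (most likely angle-bracketed words dropped somewhere along the way), so the installed template reads as garbled; reinstate them as plain words naming the forms the USER and GROUP columns below describe, checked against how the firewall script parses this file, which this commit does not show. The `#LAST LINE` sentinel matches the other Shorewall configuration files.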