forked from extern/shorewall_code
Back out all post 3.2 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4229 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
91626f050a
commit
3f9c8996bb
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 3.4 - Accounting File
|
||||
# Shorewall version 3.2 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
|
@ -1,5 +1,282 @@
|
||||
Changes in 3.3.1
|
||||
Changes in 3.2.1
|
||||
|
||||
1) Once again, remove dynamic zones.
|
||||
1) Change the detection of physdev match to use
|
||||
--physdev-out. Preparation for removal of physdev-out match
|
||||
capability.
|
||||
|
||||
2) Lay the groundwork for rewriting the compiler in Perl
|
||||
2) Add missing edits to configuration parameters in firewall script.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Final
|
||||
|
||||
1) Avoid extraneous double quotes in log rules generated at run-time.
|
||||
|
||||
Changes in 3.2.0 RC 6
|
||||
|
||||
1) Correct generation of the balanced default route.
|
||||
|
||||
2) Allow 'detect' in the ADDRESS column of the masq file.
|
||||
|
||||
3) Correct some permission problems.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 RC 5
|
||||
|
||||
1) Fix DOA 'LITEDIR' problem in /sbin/shorewall.
|
||||
|
||||
2) Stop the compiler from running iptables.
|
||||
|
||||
3) Avoid problem with ash.
|
||||
|
||||
4) Make the 'try' command use the correct SHOREWALL_SHELL.
|
||||
|
||||
5) Don't defer Action/chain extension script processing until
|
||||
run-time.
|
||||
|
||||
6) Run extension script for policy chains.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 RC 4
|
||||
|
||||
1) Fix permissions on Limit file.
|
||||
|
||||
2) Make progress messages product-specific.
|
||||
|
||||
3) Add 'reload' command.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 RC 3
|
||||
|
||||
1) Remove hard directory references from compiled programs.
|
||||
|
||||
2) Fix /nat <-> /proxyarp typo.
|
||||
|
||||
3) Avoid use of symbolic link for /sbin/shorewall
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 RC 2
|
||||
|
||||
1) Update versions.
|
||||
|
||||
2) Rationalize the use of IPTABLES and LOGFORMAT.
|
||||
|
||||
3) Allow Shorewall/Shorewall-lite coexistance under RPM
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 RC 1
|
||||
|
||||
1) Update versions.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 8
|
||||
|
||||
1) Issue more helpful BRIDGING=No error messages.
|
||||
|
||||
2) Implement "all-" in rules file.
|
||||
|
||||
3) Add xmodules file.
|
||||
|
||||
4) Detect devices in tcdevices entries.
|
||||
|
||||
5) Fix for white-space in log prefix.
|
||||
|
||||
6) Fix rule parsing of single excluded MAC address.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 7
|
||||
|
||||
1) Fix mark/mask validation.
|
||||
|
||||
2) Restore traffic control to 'refresh'.
|
||||
|
||||
3) Detect MTU for entries in /etc/shorewall/tcdevices.
|
||||
|
||||
4) Avoid fatal error after missing forwardUPnP rule warning.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 6
|
||||
|
||||
1) Fix tc "notfound" errors when 'restart' is run out of ip-up.local.
|
||||
|
||||
2) Allow 'detectnets' to work.
|
||||
|
||||
3) Add TOS column to tcrules.
|
||||
|
||||
4) Fix 'proxyarp' interface attribute handling.
|
||||
|
||||
5) Fix default route generation in providers handling.
|
||||
|
||||
6) Change interraction of 'track' and PREROUTING marking.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 5
|
||||
|
||||
1) Fix compilation problem on LEAF Bering.
|
||||
|
||||
2) Remove traffic shaping code from the 'firewall' script to avoid
|
||||
unmaintainable code duplication.
|
||||
|
||||
3) Fix DETECT_DNAT_IPADDRS=No bug.
|
||||
|
||||
4) Handle absense of mangle FORWARD chain.
|
||||
|
||||
5) Rename the rtrules file to route_rules.
|
||||
|
||||
6) Fix deletion of SNAT ip addresses.
|
||||
|
||||
7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle.
|
||||
|
||||
8) Clear SUBSYSLOCK on Debian/Ubuntu installs.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 4
|
||||
|
||||
1) Fix 'routeback' with bridge ports.
|
||||
|
||||
2) Add support for explicit routing rules.
|
||||
|
||||
3) Fix mktempdir problem.
|
||||
|
||||
4) Implement HIGH_ROUTE_MARKS
|
||||
|
||||
Changes in 3.2.0 Beta 3
|
||||
|
||||
1) Correct handling of verbosity in the 'try' command.
|
||||
|
||||
2) Add IMPLICIT_CONTINUE option to shorewall.conf.
|
||||
|
||||
3) Fix SAME/ADD_SNAT_ALIASES interaction.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.2.0 Beta 2
|
||||
|
||||
1) Make "shorewall start -f" work correctly.
|
||||
|
||||
2) Remove SUBSYSLOCK code from default and debian footers.
|
||||
|
||||
3) Add 'refreshed' extension script.
|
||||
|
||||
4) Implement 'logdrop' and 'logreject'
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Changes in 3.1.x. and 3.2.x
|
||||
|
||||
1) Removal of dynamic zones.
|
||||
|
||||
2) Implement 'generate' command.
|
||||
|
||||
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
|
||||
|
||||
4) Add back dynamic zones.
|
||||
|
||||
5) Allow remote compiles.
|
||||
|
||||
6) Change output of 'generate' to always be the file name entered (do not
|
||||
prepend /var/lib/shorewall/)
|
||||
|
||||
7) Remove some restrictions on remote compiles.
|
||||
|
||||
8) Add error checking to generated script.
|
||||
|
||||
9) Merge Fabio Longerai's 'length' patch.
|
||||
|
||||
10) Add the "-p" option to the compile command.
|
||||
|
||||
11) Fix 'check' bug in setup_masq
|
||||
|
||||
12) Break compiler/firewall into two files
|
||||
|
||||
13) Make Shoreall quiet for a change.
|
||||
|
||||
14) Make "Compile-and-go" the only mode of operation.
|
||||
|
||||
15) Remove -p
|
||||
|
||||
16) Apply Tuomo's patches for IPSEC and Noecho.
|
||||
|
||||
17) Fix bridging
|
||||
|
||||
18) Fix QUEUE when used in the ESTABLISHED section.
|
||||
|
||||
19) Apply Ed Suominen's patch to tcrules.
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.5
|
||||
|
||||
20) Speed up compilation by rewriting 'fix_bang()'.
|
||||
|
||||
21) Correct GATEWAY handling in the providers file.
|
||||
|
||||
22) Remove sub-zone exclusion from DNAT/REDIRECT.
|
||||
|
||||
23) Add compiled-program/library versioning scheme.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.6
|
||||
|
||||
24) Apply Steven Springl's help patch.
|
||||
|
||||
25) Fix 'allow/drop/reject' while Shorewall not running.
|
||||
|
||||
26) Implement bi-directional macros.
|
||||
|
||||
27) Fix TC bridge port handling.
|
||||
|
||||
28) Fix/document "check -e"
|
||||
|
||||
29) Automatically use capabilities file when non-root.
|
||||
|
||||
30) Correct typo in help file ("help drop").
|
||||
|
||||
31) Added 'tcpsyn'
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.7
|
||||
|
||||
32) Change 'tcpsyn' to 'tcp:syn'
|
||||
|
||||
33) Remove superfluous rules in MAC validation.
|
||||
|
||||
34) Correct Makefile.
|
||||
|
||||
35) Add -t option
|
||||
|
||||
36) Restore log messages.
|
||||
|
||||
37) Fix "shorewall capabilities" with VERBOSITY < 2.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.8
|
||||
|
||||
38) Remove compile-time running of extension scripts.
|
||||
|
||||
39) Correctly handle interfaces named 'inet'.
|
||||
|
||||
40) SUBSYSLOCK functionality restored.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.9
|
||||
|
||||
41) Fix Provider route generation when a specific gateway is specified.
|
||||
|
||||
42) Be sure that restore file name is preserved regardless of 'set --' in
|
||||
define_firewall().)
|
||||
|
||||
43) Add Simon's redhat prog files.
|
||||
|
||||
44) Add 'delete_nat' to compiled program.
|
||||
|
||||
45) Move 'shorecap' to /usr/share/shorewall
|
||||
|
||||
46) Add debian prog files.
|
||||
|
||||
47) Correct syntax error in validate_policy()
|
||||
-------------------------------------------------------------------------------
|
||||
3.2.0 Beta 1.
|
||||
|
||||
48) Streamlined some code in setup_tc1()
|
||||
|
||||
49) Process /etc/shorewall/params at run-time.
|
||||
|
||||
50) Add new modules to /etc/shorewall/modules.
|
||||
|
||||
51) Make default behavior of "compile" distribution-neutral.
|
||||
|
@ -613,6 +613,31 @@ macrecent_target() # $1 - interface
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# Functions for creating dynamic zone rules
|
||||
#
|
||||
dynamic_fwd() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dynf
|
||||
}
|
||||
|
||||
dynamic_in() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dyni
|
||||
}
|
||||
|
||||
dynamic_out() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dyno
|
||||
}
|
||||
|
||||
dynamic_chains() #$1 = interface
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
|
||||
echo ${c}_dyni ${c}_dynf ${c}_dyno
|
||||
}
|
||||
|
||||
#
|
||||
# DNAT Chain from a zone
|
||||
#
|
||||
@ -7321,6 +7346,22 @@ __EOF__
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||
progress_message "$DOING Dynamic Zone Chains..."
|
||||
|
||||
for interface in $ALL_INTERFACES; do
|
||||
for chain in $(dynamic_chains $interface); do
|
||||
createchain $chain no
|
||||
done
|
||||
|
||||
chain=$(dynamic_in $interface)
|
||||
createnatchain $chain
|
||||
|
||||
run_iptables -A $(input_chain $interface) -j $chain
|
||||
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
#
|
||||
# UPnP
|
||||
#
|
||||
@ -7452,6 +7493,12 @@ activate_rules()
|
||||
addnatjump POSTROUTING $(snat_chain $interface) -o $interface
|
||||
done
|
||||
#
|
||||
# Add jumps for dynamic nat chains
|
||||
#
|
||||
[ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do
|
||||
addrulejump PREROUTING $(dynamic_in $interface) -i $interface
|
||||
done
|
||||
#
|
||||
# Add jumps from the builtin chains to the nat chains
|
||||
#
|
||||
addnatjump PREROUTING nat_in
|
||||
@ -7482,8 +7529,10 @@ activate_rules()
|
||||
|
||||
if [ -n "$is_ipsec" ]; then
|
||||
eval source_hosts=\$${zone}_hosts
|
||||
[ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain
|
||||
else
|
||||
eval source_hosts=\$${zone}_ipsec_hosts
|
||||
[ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain
|
||||
fi
|
||||
|
||||
for host in $source_hosts; do
|
||||
@ -7509,6 +7558,11 @@ activate_rules()
|
||||
|
||||
echo $zone $type $source_hosts >> $STATEDIR/zones
|
||||
|
||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||
echo "$FW $zone $chain1" >> $STATEDIR/chains
|
||||
echo "$zone $FW $chain2" >> $STATEDIR/chains
|
||||
fi
|
||||
|
||||
need_broadcast=
|
||||
|
||||
for host in $source_hosts; do
|
||||
@ -7558,6 +7612,8 @@ activate_rules()
|
||||
|
||||
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
|
||||
|
||||
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
|
||||
|
||||
if [ $zone = $zone1 ]; then
|
||||
#
|
||||
# Try not to generate superfluous intra-zone rules
|
||||
@ -8438,12 +8494,126 @@ __EOF__
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to Yes
|
||||
#
|
||||
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo "Yes"
|
||||
else case $val in
|
||||
[Yy][Ee][Ss])
|
||||
echo "Yes"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
echo ""
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($val) for $1"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to No
|
||||
#
|
||||
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo ""
|
||||
else case $val in
|
||||
[Yy][Ee][Ss])
|
||||
echo "Yes"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
echo ""
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($val) for $1"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Initialize this program
|
||||
#
|
||||
do_initialize() {
|
||||
|
||||
# Run all utility programs using the C locale
|
||||
#
|
||||
# Thanks to Vincent Planchenault for this tip #
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
# Make sure umask is sane
|
||||
umask 077
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||
#
|
||||
# Establish termination function
|
||||
#
|
||||
TERMINATOR=fatal_error
|
||||
#
|
||||
# Clear all configuration variables
|
||||
#
|
||||
VERSION=
|
||||
IPTABLES=
|
||||
FW=
|
||||
SUBSYSLOCK=
|
||||
ALLOWRELATED=Yes
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
LOGPARMS=
|
||||
LOGLIMIT=
|
||||
ADD_IP_ALIASES=
|
||||
ADD_SNAT_ALIASES=
|
||||
TC_ENABLED=
|
||||
BLACKLIST_DISPOSITION=
|
||||
BLACKLIST_LOGLEVEL=
|
||||
CLAMPMSS=
|
||||
ROUTE_FILTER=
|
||||
LOG_MARTIANS=
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MUTEX_TIMEOUT=
|
||||
FORWARDPING=
|
||||
MACLIST_DISPOSITION=
|
||||
MACLIST_LOG_LEVEL=
|
||||
TCP_FLAGS_DISPOSITION=
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
LOGFORMAT=
|
||||
LOGRULENUMBERS=
|
||||
ADMINISABSENTMINDED=
|
||||
BLACKLISTNEWONLY=
|
||||
MODULE_SUFFIX=
|
||||
ACTIONS=
|
||||
USEDACTIONS=
|
||||
SMURF_LOG_LEVEL=
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
DYNAMIC_ZONES=
|
||||
PKTTYPE=
|
||||
USEPKTYPE=
|
||||
RETAIN_ALIASES=
|
||||
DELAYBLACKLISTLOAD=
|
||||
LOGTAGONLY=
|
||||
LOGALLNEW=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
SAVE_IPSETS=
|
||||
RESTOREFILE=
|
||||
MAPOLDACTIONS=
|
||||
IMPLICIT_CONTINUE=
|
||||
HIGH_ROUTE_MARKS=
|
||||
|
||||
OUTPUT=
|
||||
TMP_DIR=
|
||||
@ -8452,6 +8622,7 @@ do_initialize() {
|
||||
IPSECMARK=256
|
||||
PROVIDERS=
|
||||
CRITICALHOSTS=
|
||||
IPSECFILE=
|
||||
EXCLUSION_SEQ=1
|
||||
STOPPING=
|
||||
HAVE_MUTEX=
|
||||
@ -8459,8 +8630,6 @@ do_initialize() {
|
||||
SECTION=ESTABLISHED
|
||||
SECTIONS=
|
||||
ALL_PORTS=
|
||||
ACTIONS=
|
||||
USEDACTIONS=
|
||||
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
@ -8484,11 +8653,236 @@ do_initialize() {
|
||||
|
||||
trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
|
||||
|
||||
ensure_config_path
|
||||
|
||||
VERSION_FILE=$SHAREDIR/version
|
||||
|
||||
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
|
||||
|
||||
run_user_exit params
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
if [ -r $config ]; then
|
||||
progress_message "Processing $config..."
|
||||
. $config
|
||||
else
|
||||
fatal_error "Cannot read $config (Hint: Are you root?)"
|
||||
fi
|
||||
else
|
||||
fatal_error "$config does not exist!"
|
||||
fi
|
||||
|
||||
#
|
||||
# Restore CONFIG_PATH if the shorewall.conf file cleared it
|
||||
#
|
||||
ensure_config_path
|
||||
#
|
||||
# Determine the capabilities of the installed iptables/netfilter
|
||||
# We load the kernel modules here to accurately determine
|
||||
# capabilities when module autoloading isn't enabled.
|
||||
#
|
||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
|
||||
|
||||
load_kernel_modules
|
||||
|
||||
if [ -z "$IPTABLES" ]; then
|
||||
IPTABLES=$(mywhich iptables 2> /dev/null)
|
||||
|
||||
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
|
||||
else
|
||||
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||
fi
|
||||
determine_capabilities
|
||||
|
||||
else
|
||||
f=$(find_file capabilities)
|
||||
|
||||
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
|
||||
fi
|
||||
|
||||
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
||||
[ -n "$ALLOWRELATED" ] || \
|
||||
fatal_error "ALLOWRELATED=No is not supported"
|
||||
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
|
||||
|
||||
if [ -n "${LOGRATE}${LOGBURST}" ]; then
|
||||
LOGLIMIT="--match limit"
|
||||
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
|
||||
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
|
||||
fi
|
||||
|
||||
if [ -n "$IP_FORWARDING" ]; then
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
IP_FORWARDING=On
|
||||
fi
|
||||
|
||||
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
|
||||
|
||||
case "$CLAMPMSS" in
|
||||
[0-9]*)
|
||||
;;
|
||||
*)
|
||||
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
|
||||
;;
|
||||
esac
|
||||
|
||||
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
|
||||
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
|
||||
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
|
||||
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
|
||||
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
fatal_error "FORWARDPING=Yes is no longer supported"
|
||||
|
||||
maclist_target=reject
|
||||
|
||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||
case $MACLIST_DISPOSITION in
|
||||
REJECT)
|
||||
;;
|
||||
DROP)
|
||||
maclist_target=DROP
|
||||
;;
|
||||
ACCEPT)
|
||||
maclist_target=RETURN
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
fi
|
||||
|
||||
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
|
||||
case $TCP_FLAGS_DISPOSITION in
|
||||
REJECT|ACCEPT|DROP)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
fi
|
||||
|
||||
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
|
||||
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
|
||||
|
||||
if [ -n "$LOGFORMAT" ]; then
|
||||
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
|
||||
LOGRULENUMBERS=Yes
|
||||
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
|
||||
if [ $? -ne 0 ]; then
|
||||
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
||||
fi
|
||||
else
|
||||
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
|
||||
if [ $? -ne 0 ]; then
|
||||
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
||||
fi
|
||||
fi
|
||||
|
||||
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
|
||||
else
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
fi
|
||||
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
|
||||
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||
[ -n "$DYNAMIC_ZONES" -a -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
|
||||
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
|
||||
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
||||
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
|
||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
|
||||
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
|
||||
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
||||
[ -n "$XMARK" ] || XCONNMARK=
|
||||
|
||||
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
|
||||
;;
|
||||
esac
|
||||
|
||||
case ${MACLIST_TABLE:=filter} in
|
||||
filter)
|
||||
;;
|
||||
mangle)
|
||||
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
|
||||
;; *)
|
||||
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
|
||||
;;
|
||||
esac
|
||||
|
||||
TC_SCRIPT=
|
||||
|
||||
if [ -n "$TC_ENABLED" ] ; then
|
||||
case "$TC_ENABLED" in
|
||||
[Yy][Ee][Ss])
|
||||
TC_ENABLED=
|
||||
TC_SCRIPT=$(find_file tcstart)
|
||||
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
|
||||
;;
|
||||
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
|
||||
TC_ENABLED=Yes
|
||||
;;
|
||||
[Nn][Oo])
|
||||
TC_ENABLED=
|
||||
;;
|
||||
esac
|
||||
else
|
||||
TC_ENABLED=Yes
|
||||
fi
|
||||
|
||||
if [ -n "$TC_ENABLED" ];then
|
||||
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
||||
fi
|
||||
|
||||
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
strip_file interfaces
|
||||
strip_file hosts
|
||||
#
|
||||
# Check out the user's shell
|
||||
#
|
||||
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
|
||||
|
||||
temp=$(decodeaddr 192.168.1.1)
|
||||
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
|
||||
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
||||
fi
|
||||
|
||||
if [ -z "$KLUDGEFREE" ]; then
|
||||
rm -f $TMP_DIR/physdev
|
||||
@ -8512,12 +8906,14 @@ usage() {
|
||||
#
|
||||
# Start trace if first arg is "debug"
|
||||
#
|
||||
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; env >&2; }
|
||||
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
|
||||
|
||||
NOLOCK=
|
||||
|
||||
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
|
||||
|
||||
trap "exit 2" 1 2 3 4 5 6 9
|
||||
|
||||
COMMAND="$1"
|
||||
|
||||
case "$COMMAND" in
|
||||
|
@ -383,6 +383,31 @@ macrecent_target() # $1 - interface
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# Functions for creating dynamic zone rules
|
||||
#
|
||||
dynamic_fwd() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dynf
|
||||
}
|
||||
|
||||
dynamic_in() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dyni
|
||||
}
|
||||
|
||||
dynamic_out() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_dyno
|
||||
}
|
||||
|
||||
dynamic_chains() #$1 = interface
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
|
||||
echo ${c}_dyni ${c}_dynf ${c}_dyno
|
||||
}
|
||||
|
||||
#
|
||||
# DNAT Chain from a zone
|
||||
#
|
||||
@ -1300,6 +1325,95 @@ clear_firewall() {
|
||||
logger "Shorewall Cleared"
|
||||
}
|
||||
|
||||
#
|
||||
# Process the ipsec information in the zones file
|
||||
#
|
||||
setup_ipsec() {
|
||||
local zone using_ipsec=
|
||||
|
||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||
{
|
||||
local option opts newoptions= val
|
||||
|
||||
[ x${2} = x- ] && return
|
||||
|
||||
opts=$(separate_list $2)
|
||||
|
||||
for option in $opts; do
|
||||
val=${option#*=}
|
||||
|
||||
case $option in
|
||||
mss=[0-9]*) ;;
|
||||
strict) newoptions="$newoptions --strict" ;;
|
||||
next) newoptions="$newoptions --next" ;;
|
||||
reqid=*) newoptions="$newoptions --reqid $val" ;;
|
||||
spi=*) newoptions="$newoptions --spi $val" ;;
|
||||
proto=*) newoptions="$newoptions --proto $val" ;;
|
||||
mode=*) newoptions="$newoptions --mode $val" ;;
|
||||
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
|
||||
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
|
||||
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
|
||||
spi!=*) newoptions="$newoptions ! --spi $val" ;;
|
||||
proto!=*) newoptions="$newoptions ! --proto $val" ;;
|
||||
mode!=*) newoptions="$newoptions ! --mode $val" ;;
|
||||
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
|
||||
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
|
||||
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -n "$newoptions" ]; then
|
||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||
eval ${zone}_is_complex=Yes
|
||||
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
|
||||
fi
|
||||
}
|
||||
|
||||
case $IPSECFILE in
|
||||
zones)
|
||||
f=zones
|
||||
progress_message "Setting up IPSEC..."
|
||||
;;
|
||||
*)
|
||||
f=$IPSECFILE
|
||||
strip_file $f
|
||||
progress_message "Processing $f..."
|
||||
using_ipsec=Yes
|
||||
;;
|
||||
esac
|
||||
|
||||
while read zone type options in_options out_options mss; do
|
||||
expandv zone type options in_options out_options mss
|
||||
|
||||
if [ -n "$using_ipsec" ]; then
|
||||
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
|
||||
fi
|
||||
|
||||
if [ -n "$type" ]; then
|
||||
if [ -n "$using_ipsec" ]; then
|
||||
case $type in
|
||||
No|no)
|
||||
;;
|
||||
Yes|yes)
|
||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||
eval ${zone}_is_ipsec=Yes
|
||||
eval ${zone}_is_complex=Yes
|
||||
eval ${zone}_type=ipsec4
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid IPSEC column contents"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
do_options "" $options
|
||||
do_options "_in" $in_options
|
||||
do_options "_out" $out_options
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/$f
|
||||
}
|
||||
|
||||
#
|
||||
# Delete existing Proxy ARP
|
||||
#
|
||||
@ -1369,6 +1483,34 @@ delete_nat() {
|
||||
[ -d $STATEDIR ] && touch $STATEDIR/nat
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Network Mapping (NETMAP)
|
||||
#
|
||||
setup_netmap() {
|
||||
|
||||
while read type net1 interface net2 ; do
|
||||
expandv type net1 interface net2
|
||||
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
|
||||
|
||||
case $type in
|
||||
DNAT)
|
||||
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
|
||||
;;
|
||||
SNAT)
|
||||
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
|
||||
;;
|
||||
esac
|
||||
|
||||
progress_message " Network $net1 on $interface mapped to $net2 ($type)"
|
||||
|
||||
done < $TMP_DIR/netmap
|
||||
}
|
||||
|
||||
#
|
||||
# Setup ECN disabling rules
|
||||
#
|
||||
@ -1693,6 +1835,368 @@ refresh_firewall()
|
||||
rm -rf $TMP_DIR
|
||||
}
|
||||
|
||||
#
|
||||
# Add a host or networks to a zone
|
||||
#
|
||||
add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
||||
{
|
||||
local interface host zone z h z1 z2 chain
|
||||
local dhcp_interfaces blacklist_interfaces maclist_interfaces
|
||||
local tcpflags_interfaces newhostlist=
|
||||
local rulenum source_chain dest_hosts iface hosts hostlist=
|
||||
|
||||
nat_chain_exists() # $1 = chain name
|
||||
{
|
||||
qt $IPTABLES -t nat -L $1 -n
|
||||
}
|
||||
|
||||
do_iptables() # $@ = command
|
||||
{
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
if ! $IPTABLES $@ ; then
|
||||
error_message "ERROR: Can't add $newhost to zone $zone"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Load $zones
|
||||
#
|
||||
determine_zones
|
||||
#
|
||||
# Validate Interfaces File
|
||||
#
|
||||
validate_interfaces_file
|
||||
#
|
||||
# Validate Hosts File
|
||||
#
|
||||
validate_hosts_file
|
||||
#
|
||||
# Validate IPSec File
|
||||
#
|
||||
f=$(find_file $IPSECFILE)
|
||||
|
||||
[ -f $f ] && setup_ipsec $f
|
||||
#
|
||||
# Normalize host list
|
||||
#
|
||||
while [ $# -gt 1 ]; do
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
#
|
||||
# Be sure that the interface was dynamic at last [re]start
|
||||
#
|
||||
if ! chain_exists $(input_chain $interface) ; then
|
||||
startup_error "Unknown interface $interface"
|
||||
fi
|
||||
|
||||
if ! chain_exists $(dynamic_in $interface) ; then
|
||||
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
|
||||
fi
|
||||
|
||||
if [ -z "$host" ]; then
|
||||
hostlist="$hostlist $interface:0.0.0.0/0"
|
||||
else
|
||||
for h in $(separate_list $host); do
|
||||
hostlist="$hostlist $interface:$h"
|
||||
done
|
||||
fi
|
||||
|
||||
shift
|
||||
done
|
||||
#
|
||||
# Validate Zone
|
||||
#
|
||||
zone=$1
|
||||
|
||||
validate_zone $zone || startup_error "Unknown zone: $zone"
|
||||
|
||||
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
|
||||
|
||||
#
|
||||
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
|
||||
#
|
||||
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
|
||||
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
|
||||
#
|
||||
# Check for duplicates and create a new zone state file
|
||||
#
|
||||
> ${VARDIR}/zones_$$
|
||||
|
||||
while read z type hosts; do
|
||||
if [ "$z" = "$zone" ]; then
|
||||
for h in $hostlist; do
|
||||
list_search $h $hosts
|
||||
if [ "$?" -gt 0 ]; then
|
||||
newhostlist="$newhostlist $h"
|
||||
else
|
||||
error_message "$h already in zone $zone"
|
||||
fi
|
||||
done
|
||||
|
||||
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
|
||||
fi
|
||||
|
||||
eval ${z}_hosts=\"$hosts\"
|
||||
|
||||
echo "$z $type $hosts" >> ${VARDIR}/zones_$$
|
||||
done < ${VARDIR}/zones
|
||||
|
||||
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
|
||||
|
||||
TERMINATOR=fatal_error
|
||||
#
|
||||
# Create a new Zone state file
|
||||
#
|
||||
for newhost in $newhostlist; do
|
||||
#
|
||||
# Isolate interface and host parts
|
||||
#
|
||||
interface=${newhost%%:*}
|
||||
host=${newhost#*:}
|
||||
#
|
||||
# If the zone passed in the command has a dnat chain then insert a rule in
|
||||
# the nat table PREROUTING chain to jump to that chain when the source
|
||||
# matches the new host(s)#
|
||||
#
|
||||
chain=${zone}_dnat
|
||||
|
||||
if nat_chain_exists $chain; then
|
||||
do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
|
||||
fi
|
||||
#
|
||||
# Insert new rules into the filter table for the passed interface
|
||||
#
|
||||
while read z1 z2 chain; do
|
||||
[ "$z1" = "$z2" ] && op="-I" || op="-A"
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
if is_ipsec_host $z1 $newhost ; then
|
||||
do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
|
||||
else
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
|
||||
for h in $dest_hosts; do
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
elif [ "$z2" = "$zone" ]; then
|
||||
if [ "$z1" = "$FW" ]; then
|
||||
#
|
||||
# Add a rule to the dynamic out chain for the interface
|
||||
#
|
||||
do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
if is_ipsec_host $z1 $h; then
|
||||
do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
|
||||
else
|
||||
do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done < ${VARDIR}/chains
|
||||
|
||||
progress_message "$newhost added to zone $zone"
|
||||
|
||||
done
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
}
|
||||
|
||||
#
|
||||
# Delete a host or networks from a zone
|
||||
#
|
||||
delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
{
|
||||
local interface host zone z h z1 z2 chain delhost
|
||||
local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
|
||||
local rulenum source_chain dest_hosts iface hosts hostlist=
|
||||
|
||||
#
|
||||
# Load $zones
|
||||
#
|
||||
determine_zones
|
||||
#
|
||||
# Validate Interfaces File
|
||||
#
|
||||
validate_interfaces_file
|
||||
#
|
||||
# Validate Hosts File
|
||||
#
|
||||
validate_hosts_file
|
||||
#
|
||||
# Validate IPSec File
|
||||
#
|
||||
f=$(find_file ipsec)
|
||||
|
||||
[ -f $f ] && setup_ipsec $f
|
||||
|
||||
#
|
||||
# Normalize host list
|
||||
#
|
||||
while [ $# -gt 1 ]; do
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
#
|
||||
# Be sure that the interface was dynamic at last [re]start
|
||||
#
|
||||
if ! chain_exists $(input_chain $interface) ; then
|
||||
startup_error "Unknown interface $interface"
|
||||
fi
|
||||
|
||||
if ! chain_exists $(dynamic_in $interface) ; then
|
||||
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
|
||||
fi
|
||||
|
||||
if [ -z "$host" ]; then
|
||||
hostlist="$hostlist $interface:0.0.0.0/0"
|
||||
else
|
||||
for h in $(separate_list $host); do
|
||||
hostlist="$hostlist $interface:$h"
|
||||
done
|
||||
fi
|
||||
|
||||
shift
|
||||
done
|
||||
#
|
||||
# Validate Zone
|
||||
#
|
||||
zone=$1
|
||||
|
||||
validate_zone $zone || startup_error "Unknown zone: $zone"
|
||||
|
||||
[ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
|
||||
|
||||
#
|
||||
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
|
||||
#
|
||||
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
|
||||
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
|
||||
#
|
||||
# Delete the passed hosts from the zone state file
|
||||
#
|
||||
> ${VARDIR}/zones_$$
|
||||
|
||||
while read z hosts; do
|
||||
if [ "$z" = "$zone" ]; then
|
||||
temp=$hosts
|
||||
hosts=
|
||||
|
||||
for host in $hostlist; do
|
||||
found=
|
||||
for h in $temp; do
|
||||
if [ "$h" = "$host" ]; then
|
||||
found=Yes
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
|
||||
done
|
||||
|
||||
for h in $temp; do
|
||||
found=
|
||||
for host in $hostlist; do
|
||||
if [ "$h" = "$host" ]; then
|
||||
found=Yes
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$found" ] || hosts="$hosts $h"
|
||||
done
|
||||
fi
|
||||
|
||||
eval ${z}_hosts=\"$hosts\"
|
||||
|
||||
echo "$z $hosts" >> ${VARDIR}/zones_$$
|
||||
done < ${VARDIR}/zones
|
||||
|
||||
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
|
||||
|
||||
TERMINATOR=fatal_error
|
||||
|
||||
for delhost in $hostlist; do
|
||||
interface=${delhost%%:*}
|
||||
host=${delhost#*:}
|
||||
#
|
||||
# Delete any nat table entries for the host(s)
|
||||
#
|
||||
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
|
||||
#
|
||||
# Delete rules rules the input chains for the passed interface
|
||||
#
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
if is_ipsec_host $z1 $delhost ; then
|
||||
qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
|
||||
else
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
|
||||
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
|
||||
|
||||
for h in $dest_hosts; do
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
elif [ "$z2" = "$zone" ]; then
|
||||
if [ "$z1" = "$FW" ]; then
|
||||
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
if is_ipsec_host $z1 $h; then
|
||||
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
|
||||
else
|
||||
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done < ${VARDIR}/chains
|
||||
|
||||
progress_message "$delhost removed from zone $zone"
|
||||
|
||||
done
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to Yes
|
||||
#
|
||||
@ -1799,6 +2303,7 @@ do_initialize() {
|
||||
SMURF_LOG_LEVEL=
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
DYNAMIC_ZONES=
|
||||
PKTTYPE=
|
||||
USEPKTYPE=
|
||||
RETAIN_ALIASES=
|
||||
@ -2002,6 +2507,7 @@ do_initialize() {
|
||||
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
|
||||
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
||||
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
|
||||
@ -2012,6 +2518,11 @@ do_initialize() {
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
|
||||
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
|
||||
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
||||
[ -n "$XMARK" ] || XCONNMARK=
|
||||
|
||||
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
@ -2162,6 +2673,36 @@ case "$COMMAND" in
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
add)
|
||||
[ $# -lt 3 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! shorewall_is_started ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 2;
|
||||
fi
|
||||
shift
|
||||
add_to_zone $@
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
delete)
|
||||
[ $# -lt 3 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! shorewall_is_started ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 2;
|
||||
fi
|
||||
shift
|
||||
delete_from_zone $@
|
||||
my_mutex_off
|
||||
;;
|
||||
|
||||
call)
|
||||
#
|
||||
# Undocumented way to call functions in ${SHAREDIR}/firewall directly
|
||||
|
@ -28,6 +28,28 @@
|
||||
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host-list>] ... <zone>
|
||||
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface:host-list ... zone - Adds the specified interface
|
||||
(and host-list if included) to the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
||||
from interface ipsec0 to the zone vpn1.
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
@ -100,6 +122,28 @@ debug)
|
||||
The word 'trace' is a synonym for 'debug'."
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host-list>] ... <zone>
|
||||
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host-list] ... zone - Deletes the specified
|
||||
interfaces (and host list if included) from the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
|
||||
192.0.2.24 from interface ipsec0 from zone vpn1
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
drop)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 3.3.0
|
||||
Shorewall 3.2.1
|
||||
|
||||
Note to users upgrading from Shorewall 2.x or 3.0
|
||||
|
||||
@ -31,17 +31,561 @@ Note to users upgrading from Shorewall 2.x or 3.0
|
||||
Please see the "Migration Considerations" below for additional upgrade
|
||||
information.
|
||||
|
||||
Problems corrected in 3.3.0
|
||||
Problems Corrected in 3.2.1
|
||||
|
||||
None.
|
||||
|
||||
Migration Issues.
|
||||
|
||||
1) Support for dynamic zones has been removed from Shorewall
|
||||
(/sbin/shorewall add and delete commands). Use ipsets to define
|
||||
your dynamic zones as described at
|
||||
http://www.shorewall.net/DynamicZones.html.
|
||||
|
||||
New Features.
|
||||
Other changes in 3.2.1
|
||||
|
||||
None.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
1) If you are upgrading from Shorewall 2.x, it is essential that you read
|
||||
the Shorewall 3.0.8 (or later) release notes:
|
||||
|
||||
http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt
|
||||
|
||||
2) A number of macros have been split into two. The macros affected are:
|
||||
|
||||
IMAP LDAP NNTP POP3 SMTP
|
||||
|
||||
Each of these macros now handles only traffic on the native (plaintext)
|
||||
port. There is a corresponding macro with S added to the end of the
|
||||
name for the SSL version of the same protocol. Thus each macro results
|
||||
in the insertion of only one port per invocation.
|
||||
|
||||
The Web macro has not been split, but two new macros, HTTP and HTTPS have
|
||||
been created. The Web macro is deprecated in favour of these new macros,
|
||||
and may be removed from future Shorewall releases.
|
||||
|
||||
These changes have been made to ensure no unexpected ports are opened due
|
||||
to the use of macros.
|
||||
|
||||
3) In previous Shorewall releases, DNAT and REDIRECT rules supported a
|
||||
special syntax for exclusion of a sub-zone from the effect of the rule.
|
||||
|
||||
Example:
|
||||
|
||||
Z2 is a subzone of Z1:
|
||||
|
||||
DNAT Z1!Z2 loc:192.168.1.4 ...
|
||||
|
||||
That feature has never worked correctly when Z2 is a dynamic zone.
|
||||
Furthermore, now that Shorewall supports exclusion lists, the capability
|
||||
is redundant since the above rule can now be written in the form:
|
||||
|
||||
DNAT Z1:!<list of exclusions> loc:192.168.1.4 ...
|
||||
|
||||
Beginning with Shorewall 3.2.0, the special exclusion syntax will no
|
||||
longer be supported.
|
||||
|
||||
4) Important if you use the QUEUE target.
|
||||
|
||||
In the /etc/shorewall/rules file and in actions, you may now specify
|
||||
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
|
||||
requires that the SYN flag is set and the RST, FIN and ACK flags be
|
||||
off ("--syn" is added to the iptables rule).
|
||||
|
||||
As part of this change, Shorewall no longer adds the "--syn" option
|
||||
to TCP rules that specify QUEUE as their target.
|
||||
|
||||
5) Extension Scripts may require change
|
||||
|
||||
In previous releases, extension scripts were executed during [re]start
|
||||
by using the Bourne Shell "." operator. In addition to executing commands
|
||||
during [re]start, these scripts had to "save" the commands to be executed
|
||||
during "shorewall restore".
|
||||
|
||||
This clumsiness has been eliminated in Shorewall 3.2. In Shorewall 3.2,
|
||||
extension scripts are copied in-line into the compiled program and are
|
||||
executed in-line during "start", "restart" and "restore". This
|
||||
applies to all extension scripts except those associated with a
|
||||
chain or action -- those extension scripts continue to be processed
|
||||
at compile time.
|
||||
|
||||
This new approach has two implications for existing scripts.
|
||||
|
||||
a) It is no longer necessary to save the commands; so functions like
|
||||
'save_command', 'run_and_save_command' and 'ensure_and_save_command'
|
||||
need no longer be called. For convenience, the generated program will
|
||||
supply functions with these names:
|
||||
|
||||
save_command() - does nothing
|
||||
run_and_save_command() - runs the passed command
|
||||
ensure_and_save_command() - runs the passed command and
|
||||
stops/restores the firewall if the
|
||||
command fails.
|
||||
|
||||
These functions should provide for transparent migration of
|
||||
scripts that use them until you can get around to eliminating
|
||||
their use completely.
|
||||
|
||||
b) When the extension script is copied into the compiled program, it
|
||||
is indented to line up with the surrounding code. If you have 'awk'
|
||||
installed on your system, the Shorewall compiler will correctly handle
|
||||
line continuation (last character on the line = "\"). If you do not
|
||||
have awk, it will not be possible to use line-continuation in your
|
||||
extension scripts.
|
||||
|
||||
In no case is it possible to continue a quoted string over multiple lines
|
||||
without having additional whitespace inserted into the string.
|
||||
|
||||
6) Beginning with this release, the way in which packet marking in the
|
||||
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
|
||||
has changed in two ways:
|
||||
|
||||
a) Packets arriving on a tracked interface are now passed to the PREROUTING
|
||||
marking chain so that they may be marked with a mark other than the
|
||||
'track' mark (the connection still retains the 'track' mark).
|
||||
|
||||
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
|
||||
in the PREROUTING chain (i.e., you can specify a mark value of zero).
|
||||
|
||||
7) Kernel version 2.6.16 introduces 'xtables', a new common packet
|
||||
filtering and connection tracking facility that supports both IPv4
|
||||
and IPv6. Because a different set of kernel modules must be loaded
|
||||
for xtables, Shorewall now includes two 'modules' files:
|
||||
|
||||
a) /usr/share/shorewall/modules -- the former
|
||||
/etc/shorewall/modules
|
||||
|
||||
b) /usr/share/shorewall/xmodules -- a new file that support
|
||||
xtables.
|
||||
|
||||
If you wish to use the new file, then simply execute this command:
|
||||
|
||||
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
|
||||
|
||||
New Features:
|
||||
|
||||
1) Shorewall has always been very noisy (lots of messages). No longer.
|
||||
|
||||
You set the default level of verbosity using the VERBOSITY option in
|
||||
shorewall.conf. If you don't set it (as would be the case of you use your
|
||||
old shorewall.conf file) then VERBOSITY defaults to a value of 2 which
|
||||
results in behavior compatible with previous Shorewall versions.
|
||||
A value of 1 suppresses some of the output (like the old -q option did)
|
||||
while a value of 0 makes Shorewall almost silent. A value of -1
|
||||
suppresses all output except warning and error messages.
|
||||
|
||||
The value specified in the 3.2 shorewall.conf is 1. So you can make
|
||||
Shorewall as verbose as previously using a single -v and you can make it
|
||||
almost silent by using a single -q.
|
||||
|
||||
If VERBOSITY is set at 2, you can still make a command nearly
|
||||
silent by using two "q"s (e.g., shorewall -qq restart).
|
||||
|
||||
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
|
||||
to VERBOSITY.
|
||||
|
||||
The "shorewall show log", "shorewall logwatch" and "shorewall dump"
|
||||
commands require VERBOSITY to be greater than or equal to 3 to
|
||||
display MAC addresses.This is consistent with the previous
|
||||
implementation which required a single -v to enable MAC display but
|
||||
means that if you set VERBOSITY=0 in shorewall.conf, then you will
|
||||
need to include -vvv in commands that display log records in order
|
||||
to have MACs displayed.
|
||||
|
||||
To make the display of MAC addresses less cumbersome, a '-m' option has
|
||||
been added to the "show" and logwatch commands:
|
||||
|
||||
shorewall show -m log
|
||||
shorewall logwatch -m
|
||||
|
||||
2) A new 'shorewall compile' command has been added.
|
||||
|
||||
shorewall compile [ -e ] [ <config directory> ] <script file>
|
||||
|
||||
where:
|
||||
|
||||
-e Allows the generated script to run
|
||||
on a system with Shorewall Lite installed.
|
||||
Generates an error if the configuration uses
|
||||
an option that would prevent the generated
|
||||
script from running on a system other than
|
||||
where the 'compile' command is running (see
|
||||
additional consideration a) below).
|
||||
|
||||
<config directory> Is an optional directory to be searched for
|
||||
configuration files prior to those listed
|
||||
in CONFIG_PATH in
|
||||
/etc/shorewall/shorewall.conf.
|
||||
<script file> Is the name of the output file.
|
||||
|
||||
The 'compile' command processes the configuration and generates a
|
||||
script file which may then be executed (either directly or using the
|
||||
'shorewall restore' command) to configure the firewall.
|
||||
|
||||
The generated script contains error checking and will terminate if an
|
||||
important command fails. Before terminating:
|
||||
|
||||
a) The script will check for the existence of the restore script
|
||||
specified by the RESTOREFILE variable in shorewall.conf. If that
|
||||
restore script exists, it is executed.
|
||||
|
||||
b) If the restore script doesn't exist but Shorewall appears to be
|
||||
installed on the system, the equivalent of an
|
||||
"/sbin/shorewall stop" command is executed.
|
||||
|
||||
Some additional considerations:
|
||||
|
||||
a) When you run 'compile' on one system and then run the generated script
|
||||
on another system under Shorewall Lite, there are certain limitations.
|
||||
|
||||
1) A compatible version of Shorewall Lite must be running on the remote
|
||||
system. Going forward, the goal is that any minor version of
|
||||
the current major version will be compatible. So if the
|
||||
program is compiled using Shorewall 3.2.x, any 3.2.y version
|
||||
or 3.p.q version (where p > 2) of Shorewall Lite will be compatible.
|
||||
2) The 'detectnets' interface option is not allowed.
|
||||
3) DYNAMIC_ZONES=Yes is not allowed.
|
||||
4) You must supply the file /etc/shorewall/capabilities to provide
|
||||
the compiler with knowledge of the capabilities of the system
|
||||
where the script is to be run. See below.
|
||||
5) If your /etc/shorewall/params file contains code other than simple
|
||||
assignment statements with contant values, then you should move
|
||||
that code to /etc/shorewall/init. That way, the code will be
|
||||
executed on the target system when the compiled script is run and
|
||||
not on the local system at compile time.
|
||||
|
||||
b) If you run the "shorewall compile" or "shorewall check" commands under
|
||||
a user other than 'root', then you must supply
|
||||
/etc/shorewall/capabilities.
|
||||
|
||||
c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
|
||||
is provided in the Shorewall Lite package and is installed in
|
||||
/usr/share/shorewall-lite/shorecap when you install Shorewall Lite.
|
||||
|
||||
For instructions about running shorecap, see the comments at the
|
||||
top of the program file (it's a simple shell script).
|
||||
|
||||
The "shorewall start" and "shorewall restart" commands have been
|
||||
rewritten to use compilation. They both compile a temporary program
|
||||
then run it. This results in a slightly longer elapsed time than the
|
||||
similar commands required under earlier versions of Shorewall but new
|
||||
connections are blocked for a much smaller percentage of that time.
|
||||
|
||||
If an error is found during the compilation phase, /sbin/shorewall
|
||||
terminates and the Shorewall state is unchanged.
|
||||
|
||||
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
|
||||
on my firewall:
|
||||
|
||||
real 0m16.599s
|
||||
user 0m6.292s
|
||||
sys 0m9.885s
|
||||
|
||||
Of the elapsed 16.5 seconds, new connections are disabled less than
|
||||
3.5 seconds. Here are some numbers for comparison:
|
||||
|
||||
A) shorewall restart (Shorewall 3.0.4)
|
||||
|
||||
real 0m17.540s
|
||||
user 0m5.956s
|
||||
sys 0m10.737s
|
||||
|
||||
B) ./foo restart # foo created using "shorewall compile"
|
||||
|
||||
real 0m3.297s
|
||||
user 0m1.444s
|
||||
sys 0m1.728s
|
||||
|
||||
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
|
||||
# "shorewall save"
|
||||
|
||||
real 0m1.164s
|
||||
user 0m0.556s
|
||||
sys 0m0.608s
|
||||
|
||||
D) shorewall restore (shorewall 3.1.5)
|
||||
|
||||
real 0m1.637s
|
||||
user 0m0.728s
|
||||
sys 0m0.584s
|
||||
|
||||
The time difference between B and C reflects the difference between
|
||||
"iptables-restore" and multiple executions of "iptables". The time
|
||||
difference between C and D results from the fact that the "restore"
|
||||
command in Shorewall 3.1 runs the compiled program in a way that
|
||||
turns all iptables commands into no-ops then invokes
|
||||
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
|
||||
|
||||
As a final part of this change, the "check" command now compiles the
|
||||
current configuration and writes the compiled output to /dev/null. So
|
||||
"check" performs all of the same validation that compile does. Note that
|
||||
there is still no guarantee that the generated script won't encounter
|
||||
run-time errors.
|
||||
|
||||
2) The /etc/shorewall/maclist file has a new column layout. The first column
|
||||
is now DISPOSITION. This column determines what to do with matching
|
||||
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
|
||||
can also contain REJECT). This change is upward compatible so your existing
|
||||
maclist file can still be used.
|
||||
|
||||
ACCEPT, DROP and REJECT may be optionally followed by a log level to
|
||||
cause the packet to be logged.
|
||||
|
||||
4) In macro files, you can now use the reserved words SOURCE and DEST
|
||||
in the columns of the same names. When Shorewall expands the
|
||||
macro, it will substitute the SOURCE from the macro invocation for
|
||||
SOURCE and the DEST from the invocation for DEST. This allows you
|
||||
to write macros that act in both directions (from source to destination
|
||||
and from destination to source).
|
||||
|
||||
Example:
|
||||
|
||||
macro.FOO:
|
||||
|
||||
PARAM SOURCE DEST udp 500
|
||||
PARAM DEST SOURCE udp 500
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
FOO/ACCEPT fw net
|
||||
|
||||
Resulting rules:
|
||||
|
||||
ACCEPT fw net udp 500
|
||||
ACCEPT net fw udp 500
|
||||
|
||||
This new feature has been used to implement the SMBBI macro.
|
||||
SMBBI is the same as the SMB macro with the exception that
|
||||
it passes SMB traffic in both directions whereas SMB only
|
||||
passes that traffic in one direction.
|
||||
|
||||
5) In the /etc/shorewall/rules file and in actions, you may now specify
|
||||
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
|
||||
requires that the SYN flag is set and the RST, FIN and ACK flags be
|
||||
off ("--syn" is added to the iptables rule).
|
||||
|
||||
As part of this change, Shorewall no longer adds the "--syn" option
|
||||
to TCP rules that specify QUEUE as their target.
|
||||
|
||||
6) /sbin/shorewall now supports a "-t" option that causes all progress
|
||||
messages to be timestamped.
|
||||
|
||||
Example (VERBOSITY=0 in shorewall.conf):
|
||||
|
||||
gateway:/etc/shorewall # shorewall -t restart
|
||||
07:08:51 Compiling...
|
||||
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
|
||||
07:09:05 Restarting Shorewall....
|
||||
07:09:08 done.
|
||||
gateway:/etc/shorewall #
|
||||
|
||||
7) A 'refreshed' extension script has been added -- it is executed after
|
||||
"shorewall refresh" has finished.
|
||||
|
||||
8) Two new dynamic blacklisting commands have been added:
|
||||
|
||||
logdrop -- like 'drop' but causes the dropped packets to be logged.
|
||||
|
||||
logreject -- like 'reject' but causes the rejected packets to be
|
||||
logged.
|
||||
|
||||
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
|
||||
last "shorewall [re]start"; otherwise, they are logged at the 'info'
|
||||
log level.
|
||||
|
||||
9) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", it causes subzones to be treated differently
|
||||
with respect to policies.
|
||||
|
||||
Subzones are defined by following their name with ":" and a list of parent
|
||||
zones (in /etc/shorewall/zones). Normally, you want to have a set of
|
||||
special rules for the subzone and if a connection doesn't match any of
|
||||
those subzone-specific rules then you want the parent zone rules and
|
||||
policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens
|
||||
automatically.
|
||||
|
||||
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
|
||||
subzones are not subject to this special treatment.
|
||||
|
||||
With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
|
||||
by including an explicit policy (one that does not specify "all" in either
|
||||
the SOURCE or the DEST columns).
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
prnt ipv4
|
||||
chld:prnt ipv4
|
||||
|
||||
Traffic to/from the 'chld' zone will first pass through the applicable
|
||||
'chld' rules and if none of those rules match then it will be passed through
|
||||
the appropriate 'prnt' rules. If the connection request does not match
|
||||
any of the 'prnt' rules then the relevant 'prnt' policy is applied.
|
||||
|
||||
If you want the fw->chld policy to be ACCEPT, simply add this entry to
|
||||
/etc/shorewall/policy:
|
||||
|
||||
$FW chld ACCEPT
|
||||
|
||||
Traffic from all other zones to 'chld' will be subject to the implicit
|
||||
CONTINUE policy.
|
||||
|
||||
10) Shorewall now includes support for explicit routing rules when the
|
||||
/etc/shorewall/providers file is used. A new file,
|
||||
/etc/shorewall/route_rules can be used to add routing rules based on
|
||||
packet source and/or destination.
|
||||
|
||||
The file has the following columns:
|
||||
|
||||
SOURCE(optonal) An ip address (network or host) that
|
||||
matches the source IP address in a packet.
|
||||
May also be specified as an interface
|
||||
name optionally followed by ":" and an
|
||||
address. If the define 'lo' is specified,
|
||||
the packet must originate from the firewall
|
||||
itself.
|
||||
|
||||
DEST(optional) An ip address (network or host) that
|
||||
matches the destination IP address in a packet.
|
||||
|
||||
If you choose to omit either SOURCE or DEST,
|
||||
place "-" in the column. Note that you
|
||||
may not omit both SOURCE and DEST.
|
||||
|
||||
PROVIDER The provider to route the traffic through.
|
||||
May be expressed either as the provider name
|
||||
or the provider number. You may also specify
|
||||
the 'main' routing table here, either by
|
||||
name or by number (254).
|
||||
|
||||
PRIORITY
|
||||
The rule's priority which determines the order
|
||||
in which the rules are processed.
|
||||
|
||||
1000-1999 Before Shorewall-generated
|
||||
'MARK' rules
|
||||
|
||||
11000- 11999 After 'MARK' rules but before
|
||||
Shorewall-generated rules for
|
||||
provider interfaces.
|
||||
|
||||
26000-26999 After provider interface rules but
|
||||
before 'default' rule.
|
||||
|
||||
Rules with equal priority are applied in
|
||||
the order in which they appear in the file.
|
||||
|
||||
Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
|
||||
provider:
|
||||
|
||||
#PROVIDER PRIORITY SOURCE DEST
|
||||
ISP1 1000 eth1
|
||||
|
||||
Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
|
||||
providers. In this case you have to set up a rule to ensure that
|
||||
the OpenVPN traffic is routed back through the tunX interface(s)
|
||||
rather than through any of the providers. 10.8.0.0/24 is the
|
||||
subnet choosen in your OpenVPN configuration (server 10.8.0.0
|
||||
255.255.255.0)
|
||||
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
- 10.8.0.0/24 main 1000
|
||||
|
||||
11) Prior to now, it has not been possible to use connection marking in
|
||||
/etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
|
||||
'track' option.
|
||||
|
||||
Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
|
||||
shorewall.conf to effectively divide the packet mark and connection mark
|
||||
into two 8-bit mark fields.
|
||||
|
||||
When you do this:
|
||||
|
||||
a) The MARK field in the providers file must have a value that is
|
||||
less than 65536 and that is a multiple of 256 (using hex
|
||||
representation, the values are 0x0100-0xFF00 with the low-order
|
||||
8 bits being zero).
|
||||
|
||||
b) You may only set those mark values in the PREROUTING chain.
|
||||
|
||||
c) Marks used for traffic shaping must still be in the range of 1-255
|
||||
and may still not be set in the PREROUTING chain.
|
||||
|
||||
d) When you SAVE or RESTORE in tcrules, only the TC mark value is
|
||||
saved or restored. Shorewall handles saving and restoring the
|
||||
routing (provider) marks.
|
||||
|
||||
12) A TOS column has been added to /etc/shorewall/tcrules. This allows marking
|
||||
based on the contents of the TOS field in the packet header.
|
||||
|
||||
13) Beginning with this release, the way in which packet marking in the
|
||||
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
|
||||
has changed in two ways:
|
||||
|
||||
a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
|
||||
marking chain so that they may be marked with a mark other than the
|
||||
'track' mark (the connection still retains the 'track' mark).
|
||||
|
||||
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
|
||||
in the PREROUTING chain (i.e., you can specify a mark value of zero).
|
||||
|
||||
14) Shorewall will now attempt to detect the MTU of devices listed in
|
||||
/etc/shorewall/tcdevices and will use the detected MTU in setting
|
||||
up traffic shaping.
|
||||
|
||||
15) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
|
||||
used for zone names. "all-" means "All zones except the firewall";
|
||||
"all+-" means "All zones except the firewall" and intra-zone
|
||||
traffic is included.
|
||||
|
||||
16) Kernel version 2.6.16 introduces 'xtables', a new common packet
|
||||
filtering and connection tracking facility that supports both IPv4
|
||||
and IPv6. Because a different set of kernel modules must be loaded
|
||||
for xtables, Shorewall now includes two 'modules' files:
|
||||
|
||||
a) /usr/share/shorewall/modules -- the former
|
||||
/etc/shorewall/modules
|
||||
|
||||
b) /usr/share/shorewall/xmodules -- a new file that support
|
||||
xtables.
|
||||
|
||||
If you wish to use the new file, then simply execute this command:
|
||||
|
||||
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
|
||||
|
||||
17) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
|
||||
exist. If a device does not exist, a warning message is issued and
|
||||
that device's entries in /etc/shorewall/tcclasses are ignored. This
|
||||
applies to "shorewall start", "shorewall restart" and "shorewall
|
||||
refresh".
|
||||
|
||||
18) "load" and "reload" commands have been added. These commands allow
|
||||
a non-root user with ssh access to a remote system running
|
||||
Shorewall Lite to compile a firewall script on the local system and
|
||||
to install that script on the remote system.
|
||||
|
||||
Syntax is:
|
||||
|
||||
shorewall [re]load [ <directory> ] <system>
|
||||
|
||||
If <directory> is omitted, the current working directory is
|
||||
assumed.
|
||||
|
||||
The command is equivalent to:
|
||||
|
||||
/sbin/shorewall compile -e <directory> firewall &&\
|
||||
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
|
||||
ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1
|
||||
|
||||
In other words, the configuration in the specified (or defaulted)
|
||||
directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then 'firewall' is copied to the
|
||||
(usually remote) <system> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <system> is started or restarted via ssh (
|
||||
load causes Shorewall Lite to be started and 'reload' causes
|
||||
Shorewall Lite to be re-started)
|
||||
|
||||
Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
|
||||
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in
|
||||
packages from shorewall.net. The package maintainers for the
|
||||
various distributions are free to choose the directory where the
|
||||
script will be stored under their distribution by altering the
|
||||
value of LITEDIR in /usr/share/shorewall/configpath. You can run the
|
||||
"shorewall show config" command to see how your distribution
|
||||
defines LITEDIR.
|
||||
|
@ -31,6 +31,8 @@
|
||||
#
|
||||
# Commands are:
|
||||
#
|
||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||
# shorewall dump Dumps all Shorewall-related information
|
||||
# for problem analysis
|
||||
# shorewall start Starts the firewall
|
||||
@ -283,464 +285,6 @@ get_config() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to Yes
|
||||
#
|
||||
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo "Yes"
|
||||
else case $val in
|
||||
[Yy][Ee][Ss])
|
||||
echo "Yes"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
echo ""
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($val) for $1"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the value for a parameter that defaults to No
|
||||
#
|
||||
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
|
||||
{
|
||||
local val="$2"
|
||||
|
||||
if [ -z "$val" ]; then
|
||||
echo ""
|
||||
else case $val in
|
||||
[Yy][Ee][Ss])
|
||||
echo "Yes"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
echo ""
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($val) for $1"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
#
|
||||
# Process the shell-style configuration files that set variables needed by the compiler
|
||||
# To allow the compiler to be rewritten in a language other than Bourne Shell, we need
|
||||
# to pass all of those setting to the compiler in environmental variables
|
||||
#
|
||||
do_initialize() {
|
||||
#
|
||||
# Generate a sequence of 'export' commands corresponding to the variables set in
|
||||
# the user's params file.
|
||||
#
|
||||
export_params() {
|
||||
f=$(find_file params)
|
||||
|
||||
if [ -f $f ]; then
|
||||
read_file $f 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | while read line; do
|
||||
case $line in
|
||||
*=*)
|
||||
echo export ${line%=*}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# Run all utility programs using the C locale
|
||||
#
|
||||
# Thanks to Vincent Planchenault for this tip #
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
# Make sure umask is sane
|
||||
umask 077
|
||||
|
||||
#
|
||||
# Establish termination function
|
||||
#
|
||||
TERMINATOR=fatal_error
|
||||
#
|
||||
# Clear all configuration variables
|
||||
#
|
||||
IPTABLES=
|
||||
FW=
|
||||
SUBSYSLOCK=
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
LOGPARMS=
|
||||
LOGLIMIT=
|
||||
ADD_IP_ALIASES=
|
||||
ADD_SNAT_ALIASES=
|
||||
TC_ENABLED=
|
||||
BLACKLIST_DISPOSITION=
|
||||
BLACKLIST_LOGLEVEL=
|
||||
CLAMPMSS=
|
||||
ROUTE_FILTER=
|
||||
LOG_MARTIANS=
|
||||
DETECT_DNAT_IPADDRS=
|
||||
MUTEX_TIMEOUT=
|
||||
FORWARDPING=
|
||||
MACLIST_DISPOSITION=
|
||||
MACLIST_LOG_LEVEL=
|
||||
TCP_FLAGS_DISPOSITION=
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
LOGFORMAT=
|
||||
LOGRULENUMBERS=
|
||||
ADMINISABSENTMINDED=
|
||||
BLACKLISTNEWONLY=
|
||||
MODULE_SUFFIX=
|
||||
SMURF_LOG_LEVEL=
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
PKTTYPE=
|
||||
RETAIN_ALIASES=
|
||||
DELAYBLACKLISTLOAD=
|
||||
LOGTAGONLY=
|
||||
LOGALLNEW=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
SAVE_IPSETS=
|
||||
RESTOREFILE=
|
||||
MAPOLDACTIONS=
|
||||
IMPLICIT_CONTINUE=
|
||||
HIGH_ROUTE_MARKS=
|
||||
IPSECFILE=
|
||||
CLEAR_TC=
|
||||
FASTACCEPT=
|
||||
|
||||
run_user_exit params
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
|
||||
if [ -f $config ]; then
|
||||
if [ -r $config ]; then
|
||||
progress_message "Processing $config..."
|
||||
. $config
|
||||
else
|
||||
fatal_error "Cannot read $config (Hint: Are you root?)"
|
||||
fi
|
||||
else
|
||||
fatal_error "$config does not exist!"
|
||||
fi
|
||||
|
||||
#
|
||||
# Restore CONFIG_PATH if the shorewall.conf file cleared it
|
||||
#
|
||||
ensure_config_path
|
||||
#
|
||||
# Determine the capabilities of the installed iptables/netfilter
|
||||
# We load the kernel modules here to accurately determine
|
||||
# capabilities when module autoloading isn't enabled.
|
||||
#
|
||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
|
||||
|
||||
load_kernel_modules
|
||||
|
||||
if [ -z "$IPTABLES" ]; then
|
||||
IPTABLES=$(mywhich iptables 2> /dev/null)
|
||||
|
||||
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
|
||||
else
|
||||
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||
fi
|
||||
determine_capabilities
|
||||
|
||||
else
|
||||
f=$(find_file capabilities)
|
||||
|
||||
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
|
||||
fi
|
||||
|
||||
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
|
||||
|
||||
if [ -n "${LOGRATE}${LOGBURST}" ]; then
|
||||
LOGLIMIT="--match limit"
|
||||
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
|
||||
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
|
||||
fi
|
||||
|
||||
if [ -n "$IP_FORWARDING" ]; then
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
IP_FORWARDING=On
|
||||
fi
|
||||
|
||||
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
|
||||
|
||||
case "$CLAMPMSS" in
|
||||
[0-9]*)
|
||||
;;
|
||||
*)
|
||||
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
|
||||
;;
|
||||
esac
|
||||
|
||||
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
|
||||
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
|
||||
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
|
||||
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
|
||||
|
||||
maclist_target=reject
|
||||
|
||||
if [ -n "$MACLIST_DISPOSITION" ] ; then
|
||||
case $MACLIST_DISPOSITION in
|
||||
REJECT)
|
||||
;;
|
||||
DROP)
|
||||
maclist_target=DROP
|
||||
;;
|
||||
ACCEPT)
|
||||
maclist_target=RETURN
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
fi
|
||||
|
||||
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
|
||||
case $TCP_FLAGS_DISPOSITION in
|
||||
REJECT|ACCEPT|DROP)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
fi
|
||||
|
||||
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
|
||||
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
|
||||
|
||||
if [ -n "$LOGFORMAT" ]; then
|
||||
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
|
||||
LOGRULENUMBERS=Yes
|
||||
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
|
||||
if [ $? -ne 0 ]; then
|
||||
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
||||
fi
|
||||
else
|
||||
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
|
||||
if [ $? -ne 0 ]; then
|
||||
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
|
||||
fi
|
||||
fi
|
||||
|
||||
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
|
||||
else
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
fi
|
||||
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
|
||||
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
|
||||
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
|
||||
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
|
||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
|
||||
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
|
||||
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
|
||||
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
|
||||
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
||||
[ -n "$XMARK" ] || XCONNMARK=
|
||||
|
||||
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
|
||||
|
||||
case ${IPSECFILE:=ipsec} in
|
||||
ipsec|zones)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
|
||||
;;
|
||||
esac
|
||||
|
||||
case ${MACLIST_TABLE:=filter} in
|
||||
filter)
|
||||
;;
|
||||
mangle)
|
||||
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
|
||||
;; *)
|
||||
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
|
||||
;;
|
||||
esac
|
||||
|
||||
TC_SCRIPT=
|
||||
|
||||
if [ -n "$TC_ENABLED" ] ; then
|
||||
case "$TC_ENABLED" in
|
||||
[Yy][Ee][Ss])
|
||||
TC_ENABLED=
|
||||
TC_SCRIPT=$(find_file tcstart)
|
||||
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
|
||||
;;
|
||||
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
|
||||
TC_ENABLED=Yes
|
||||
;;
|
||||
[Nn][Oo])
|
||||
TC_ENABLED=
|
||||
;;
|
||||
esac
|
||||
else
|
||||
TC_ENABLED=Yes
|
||||
fi
|
||||
|
||||
if [ -n "$TC_ENABLED" ];then
|
||||
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
||||
fi
|
||||
|
||||
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
||||
|
||||
#
|
||||
# Check out the user's shell
|
||||
#
|
||||
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
|
||||
|
||||
temp=$(decodeaddr 192.168.1.1)
|
||||
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
|
||||
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
||||
fi
|
||||
#
|
||||
# Export variables set in shorewall.conf
|
||||
#
|
||||
|
||||
# Logging
|
||||
|
||||
export LOGFORMAT
|
||||
export LOGTAGONLY
|
||||
export LOGRATE
|
||||
export LOGBURST
|
||||
export LOGALLNEW
|
||||
export BLACKLIST_LOGLEVEL
|
||||
export MACLIST_LOG_LEVEL
|
||||
export TCP_FLAGS_LOG_LEVEL
|
||||
export RFC1918_LOG_LEVEL
|
||||
export SMURF_LOG_LEVEL
|
||||
export LOG_MARTIANS
|
||||
|
||||
# Files and directories
|
||||
|
||||
export IPTABLES
|
||||
export SHOREWALL_SHELL
|
||||
export SUBSYSLOCK
|
||||
export MODULESDIR
|
||||
export CONFIG_PATH
|
||||
export RESTOREFILE
|
||||
export IPSECFILE
|
||||
|
||||
# Firewall options
|
||||
|
||||
export FW
|
||||
export IP_FORWARDING
|
||||
export ADD_IP_ALIASES
|
||||
export ADD_SNAT_ALIASES
|
||||
export RETAIN_ALIASES
|
||||
export TC_ENABLED
|
||||
export CLEAR_TC
|
||||
export MARK_IN_FORWARD_CHAIN
|
||||
export CLAMPMSS
|
||||
export ROUTE_FILTER
|
||||
export DETECT_DNAT_IPADDRS
|
||||
export MUTEX_TIMEOUT
|
||||
export ADMINISABSENTMINDED
|
||||
export BLACKLISTNEWONLY
|
||||
export DELAYBLACKLISTLOAD
|
||||
export MODULE_SUFFIX
|
||||
export DISABLE_IPV6
|
||||
export BRIDGING
|
||||
export PKTTYPE
|
||||
export RFC1918_STRICT
|
||||
export MACLIST_TABLE
|
||||
export MACLIST_TTL
|
||||
export SAVE_IPSETS
|
||||
export MAPOLDACTIONS
|
||||
export FASTACCEPT
|
||||
export IMPLICIT_CONTINUE
|
||||
export HIGH_ROUTE_MARKS
|
||||
|
||||
# Packet Disposition
|
||||
|
||||
export BLACKLIST_DISPOSITION
|
||||
export MACLIST_DISPOSITION
|
||||
export TCP_FLAGS_DISPOSITION
|
||||
|
||||
# Generated values
|
||||
|
||||
export LOGPARMS
|
||||
export LOGLIMIT
|
||||
export LOGRULENUMBERS
|
||||
export VERSION
|
||||
|
||||
#
|
||||
# Export capabilities
|
||||
#
|
||||
export NAT_ENABLED
|
||||
export MANGLE_ENABLED
|
||||
export CONNTRACK_MATCH
|
||||
export MULTIPORT
|
||||
export XMULTIPORT
|
||||
export POLICY_MATCH
|
||||
export PHYSDEV_MATCH
|
||||
export IPRANGE_MATCH
|
||||
export RECENT_MATCH
|
||||
export OWNER_MATCH
|
||||
export IPSET_MATCH
|
||||
export CONNMARK
|
||||
export XCONNMARK
|
||||
export CONNMARK_MATCH
|
||||
export XCONNMARK_MATCH
|
||||
export RAW_TABLE
|
||||
export IPP2P_MATCH
|
||||
export LENGTH_MATCH
|
||||
export CLASSIFY_TARGET
|
||||
export ENHANCED_REJECT
|
||||
export USEPKTTYPE
|
||||
export KLUDGEFREE
|
||||
export MARK
|
||||
export XMARK
|
||||
export MANGLE_FORWARD
|
||||
#
|
||||
# Export user's params
|
||||
#
|
||||
$(export_params)
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [debug] check|compile <filename>}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
#
|
||||
# Clear descriptor 1 if it is a terminal
|
||||
#
|
||||
@ -928,7 +472,7 @@ save_config() {
|
||||
f=${VARDIR}/restore-$$
|
||||
|
||||
echo "#!/bin/sh" > $f
|
||||
echo "#This ipset restore file generated $(date) by Shorewall $VERSION" >> $f
|
||||
echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
|
||||
echo >> $f
|
||||
echo ". ${SHAREDIR}/functions" >> $f
|
||||
echo >> $f
|
||||
@ -976,17 +520,15 @@ save_config() {
|
||||
# Start Command Executor
|
||||
#
|
||||
start_command() {
|
||||
local finished=0 shell=$SHOREWALL_SHELL
|
||||
local finished=0
|
||||
|
||||
do_it() {
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
do_initialize
|
||||
|
||||
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
|
||||
$SHOREWALL_SHELL ${VARDIR}/.start $debugging start
|
||||
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
|
||||
${VARDIR}/.start $debugging start
|
||||
fi
|
||||
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
@ -1097,7 +639,7 @@ start_command() {
|
||||
# Compile Command Executor
|
||||
#
|
||||
compile_command() {
|
||||
local finished=0 shell=$SHOREWALL_SHELL
|
||||
local finished=0
|
||||
|
||||
while [ $finished -eq 0 ]; do
|
||||
[ $# -eq 0 ] && usage 1
|
||||
@ -1161,15 +703,13 @@ compile_command() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
do_initialize
|
||||
|
||||
exec $shell ${SHAREDIR}/compiler $debugging compile $file
|
||||
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file
|
||||
}
|
||||
#
|
||||
# Check Command Executor
|
||||
#
|
||||
check_command() {
|
||||
local finished=0 shell=$SHOREWALL_SHELL
|
||||
local finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -1226,16 +766,14 @@ check_command() {
|
||||
|
||||
progress_message3 "Checking..."
|
||||
|
||||
do_initialize
|
||||
|
||||
exec $shell ${SHAREDIR}/compiler $debugging $nolock check
|
||||
exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished=0 shell=$SHOREWALL_SHELL
|
||||
local finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
@ -1299,9 +837,7 @@ restart_command() {
|
||||
|
||||
progress_message3 "Compiling..."
|
||||
|
||||
do_initialize
|
||||
|
||||
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
|
||||
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
|
||||
$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
|
||||
fi
|
||||
|
||||
@ -1355,27 +891,27 @@ show_command() {
|
||||
case "$1" in
|
||||
connections)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION Connections at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION NAT Table at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION Mangle Table at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION Log at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
@ -1383,20 +919,20 @@ show_command() {
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION Traffic Control at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_tc
|
||||
;;
|
||||
classifiers)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "Shorewall-$VERSION Clasifiers at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
if [ -f ${VARDIR}/zones ]; then
|
||||
echo "Shorewall-$VERSION Zones at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||
echo
|
||||
while read zone type hosts; do
|
||||
echo "$zone ($type)"
|
||||
@ -1446,7 +982,7 @@ show_command() {
|
||||
echo "LITEDIR is $LITEDIR"
|
||||
;;
|
||||
*)
|
||||
echo "Shorewall-$VERSION $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
@ -1497,7 +1033,7 @@ dump_command() {
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 0 ] || usage 1
|
||||
clear_term
|
||||
echo "Shorewall-$VERSION Dump at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Dump at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
@ -1790,7 +1326,7 @@ reload_command()
|
||||
#
|
||||
help()
|
||||
{
|
||||
[ -x $HELP ] && { export version=$VERSION; exec $HELP $*; }
|
||||
[ -x $HELP ] && { export version; exec $HELP $*; }
|
||||
echo "Help subsystem is not installed at $HELP"
|
||||
}
|
||||
|
||||
@ -1801,10 +1337,12 @@ usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host-list>] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check [ -e ] [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " compile [ -e ] [ <directory name> ] <path name>"
|
||||
echo " delete <interface>[:<host-list>] ... <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " dump [ -x ]"
|
||||
echo " forget [ <file name> ]"
|
||||
@ -2066,7 +1604,7 @@ if [ ! -f $FIREWALL ]; then
|
||||
fi
|
||||
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
VERSION=$(cat $VERSION_FILE)
|
||||
version=$(cat $VERSION_FILE)
|
||||
else
|
||||
echo " ERROR: Shorewall is not properly installed" >&2
|
||||
echo " The file $VERSION_FILE does not exist" >&2
|
||||
@ -2117,6 +1655,10 @@ case "$COMMAND" in
|
||||
shift
|
||||
check_command $@
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -lt 3 ] && usage 1
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
|
||||
;;
|
||||
show|list)
|
||||
shift
|
||||
show_command $@
|
||||
@ -2141,7 +1683,7 @@ case "$COMMAND" in
|
||||
;;
|
||||
status)
|
||||
[ $# -eq 1 ] || usage 1
|
||||
echo "Shorewall-$VERSION Status at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
if shorewall_is_started ; then
|
||||
echo "Shorewall is running"
|
||||
@ -2173,7 +1715,7 @@ case "$COMMAND" in
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear_term
|
||||
echo "Shorewall-$VERSION Hits at $HOSTNAME - $(date)"
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
timeout=30
|
||||
@ -2213,7 +1755,7 @@ case "$COMMAND" in
|
||||
fi
|
||||
;;
|
||||
version)
|
||||
echo $VERSION
|
||||
echo $version
|
||||
;;
|
||||
try)
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
|
||||
|
@ -710,6 +710,14 @@ DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
#
|
||||
# DYNAMIC ZONES
|
||||
#
|
||||
# If you need to be able to add and delete hosts from zones dynamically then
|
||||
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
#
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user