Commit after first successful compilation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3cf44b9640
commit
5834b574f2
@ -960,15 +960,10 @@ sub initialize_chain_table()
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFQUEUE' => STANDARD + NFQ,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'dropBcast' => BUILTIN + ACTION,
|
||||
'allowBcast' => BUILTIN + ACTION,
|
||||
'dropNotSyn' => BUILTIN + ACTION,
|
||||
'rejNotSyn' => BUILTIN + ACTION,
|
||||
'dropInvalid' => BUILTIN + ACTION,
|
||||
'allowInvalid' => BUILTIN + ACTION,
|
||||
'allowinUPnP' => BUILTIN + ACTION,
|
||||
'forwardUPnP' => BUILTIN + ACTION,
|
||||
'Limit' => BUILTIN + ACTION,
|
||||
);
|
||||
|
||||
for my $chain qw(OUTPUT PREROUTING) {
|
||||
@ -1990,6 +1985,8 @@ sub expand_rule( $$$$$$$$$$$ )
|
||||
} elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ ) {
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
$inets = $source;
|
||||
} elsif ( $source =~ /\+|~|\..*\./ ) {
|
||||
$inets = $source;
|
||||
} else {
|
||||
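Review bot: The branch `elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ )` requires at least one trailing whitespace character before end-of-string, so an `iface:[addr]` value that has already been whitespace-trimmed never matches and falls through to the new `elsif ( $source =~ /:/ )` branch, which then stores the whole `iface:[addr]` string in `$inets`; if trimming happens upstream this should be `\s*$` (or `\s*\z`). The same pattern is used for `$dest` in the hunk at `-2071,6 +2068,8`. I cannot tell from the rendered hunk which of these lines the commit adds and which are context, and expand_rule's body runs outside both hunks.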
@ -2071,6 +2068,8 @@ sub expand_rule( $$$$$$$$$$$ )
|
||||
} elsif ( $dest =~ /^(.+?):\[(.+)\]\s+$/ ) {
|
||||
$diface = $1;
|
||||
$dnets = $2;
|
||||
} elsif ( $dest =~ /:/ ) {
|
||||
$dnets = $dest;
|
||||
} elsif ( $dest =~ /\+|~|\..*\./ ) {
|
||||
$dnets = $dest;
|
||||
} else {
|
||||
|
@ -71,6 +71,7 @@ sub reinitialize() {
|
||||
Shorewall::Accounting::initialize;
|
||||
Shorewall::Rules::initialize($family);
|
||||
Shorewall::Proxyarp::initialize;
|
||||
Shorewall::IPAddrs::initialize($family);
|
||||
}
|
||||
|
||||
#
|
||||
@ -162,18 +163,33 @@ sub generate_script_1() {
|
||||
''
|
||||
);
|
||||
|
||||
if ( $config{IPTABLES} ) {
|
||||
emit( qq(IPTABLES="$config{IPTABLES}"),
|
||||
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
|
||||
);
|
||||
} else {
|
||||
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
|
||||
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
|
||||
);
|
||||
}
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $config{IPTABLES} ) {
|
||||
emit( qq(IPTABLES="$config{IPTABLES}"),
|
||||
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
|
||||
);
|
||||
} else {
|
||||
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
|
||||
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
|
||||
);
|
||||
}
|
||||
|
||||
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
|
||||
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
|
||||
emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
|
||||
'[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
|
||||
} else {
|
||||
if ( $config{IP6TABLES} ) {
|
||||
emit( qq(IP6TABLES="$config{IP6TABLES}"),
|
||||
'[ -x "$I6PTABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"',
|
||||
);
|
||||
} else {
|
||||
emit( '[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich iptables) # /sbin/shorewall6 exports IP6TABLES',
|
||||
'[ -n "$IP6TABLES" -a -x "$IP6TABLES" ] || startup_error "Can\'t find ip6tables executable"'
|
||||
);
|
||||
}
|
||||
|
||||
emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
|
||||
'[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
|
||||
}
|
||||
|
||||
append_file 'params' if $config{EXPORTPARAMS};
|
||||
|
||||
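Review bot: In the IPv6 branch, `'[ -x "$I6PTABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"'` tests the misspelled shell variable `$I6PTABLES`, which is never set, so every generated Shorewall6 script with `IP6TABLES` configured aborts at startup; it should read `'[ -x "$IP6TABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"'`. The fallback a few lines below has the complementary problem: `IP6TABLES=$(mywhich iptables)` locates the IPv4 binary and uses it as ip6tables while the error text already says `ip6tables`; it should be `'[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich ip6tables) # /sbin/shorewall6 exports IP6TABLES'`. generate_script_1 continues outside this hunk.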
@ -186,17 +202,31 @@ sub generate_script_1() {
|
||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
||||
);
|
||||
|
||||
emit ( '',
|
||||
'#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
'#',
|
||||
'qt1 $IPTABLES -N foox1234',
|
||||
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
|
||||
'result=$?',
|
||||
'qt1 $IPTABLES -F foox1234',
|
||||
'qt1 $IPTABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
|
||||
'' );
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ( '',
|
||||
'#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
'#',
|
||||
'qt1 $IPTABLES -N foox1234',
|
||||
'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
|
||||
'result=$?',
|
||||
'qt1 $IPTABLES -F foox1234',
|
||||
'qt1 $IPTABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
|
||||
'' );
|
||||
} else {
|
||||
emit ( '',
|
||||
'#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
'#',
|
||||
'qt1 $IP6TABLES -N foox1234',
|
||||
'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
|
||||
'result=$?',
|
||||
'qt1 $IP6TABLES -F foox1234',
|
||||
'qt1 $IP6TABLES -X foox1234',
|
||||
'[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall6 will run on this system"',
|
||||
'' );
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
@ -213,7 +243,15 @@ sub compile_stop_firewall() {
|
||||
stop_firewall() {
|
||||
|
||||
deletechain() {
|
||||
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
|
||||
EOF
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1';
|
||||
} else {
|
||||
emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1';
|
||||
}
|
||||
|
||||
emit <<'EOF';
|
||||
}
|
||||
|
||||
deleteallchains() {
|
||||
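Review bot: Both branches of the new `if ( $family == F_IPV4 )` emit the identical `deletechain` body using `$IPTABLES`, so the IPv6 stop script deletes chains through iptables rather than ip6tables; the else branch should emit `' qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1'`. Since the branches would then differ only in the variable name, a single emit with an interpolated table variable would avoid repeating the line. compile_stop_firewall begins and ends outside this hunk.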
@ -324,9 +362,15 @@ EOF
|
||||
run_iptables -t raw -F
|
||||
run_iptables -t raw -X
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
EOF
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ' qt1 $IPTABLES -t raw -P $chain ACCEPT';
|
||||
} else {
|
||||
emit ' qt1 $IP6TABLES -t raw -P $chain ACCEPT';
|
||||
}
|
||||
|
||||
emit ' done';
|
||||
}
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
@ -338,7 +382,8 @@ EOF
|
||||
EOF
|
||||
}
|
||||
|
||||
emit <<'EOF';
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit <<'EOF';
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
@ -350,6 +395,7 @@ EOF
|
||||
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
EOF
|
||||
}
|
||||
|
||||
push_indent;
|
||||
|
||||
@ -446,26 +492,34 @@ EOF
|
||||
|
||||
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
|
||||
|
||||
my $interfaces = find_interfaces_by_option 'dhcp';
|
||||
if ( $family == F_IPV4 ) {
|
||||
my $interfaces = find_interfaces_by_option 'dhcp';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
|
||||
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
|
||||
for my $interface ( @$interfaces ) {
|
||||
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
|
||||
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
|
||||
}
|
||||
} else {
|
||||
for my $interface ( all_bridges ) {
|
||||
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
|
||||
}
|
||||
}
|
||||
|
||||
emit '';
|
||||
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Enabled' );
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Disabled!'
|
||||
);
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Enabled' );
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward',
|
||||
'progress_message2 IP Forwarding Disabled!'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
emit 'run_stopped_exit';
|
||||
@ -556,38 +610,49 @@ sub generate_script_2 () {
|
||||
|
||||
emit '';
|
||||
|
||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
'if [ -n "$addr" ]; then',
|
||||
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
||||
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
||||
' if in_network $addr $network; then',
|
||||
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
|
||||
' fi',
|
||||
' done',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
|
||||
'',
|
||||
'delete_proxyarp',
|
||||
''
|
||||
);
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||
' while read external interface; do',
|
||||
' del_ip_addr $external $interface',
|
||||
' done < ${VARDIR}/nat',
|
||||
if ( $family == F_IPV4 ) {
|
||||
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
|
||||
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
|
||||
'if [ -n "$addr" ]; then',
|
||||
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
|
||||
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
|
||||
' if in_network $addr $network; then',
|
||||
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
|
||||
' fi',
|
||||
' done',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
' rm -f ${VARDIR}/nat',
|
||||
"fi\n" );
|
||||
}
|
||||
'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall',
|
||||
'',
|
||||
'delete_proxyarp',
|
||||
''
|
||||
);
|
||||
|
||||
emit "delete_tc1\n" if $config{CLEAR_TC};
|
||||
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||
' while read external interface; do',
|
||||
' del_ip_addr $external $interface',
|
||||
' done < ${VARDIR}/nat',
|
||||
'',
|
||||
' rm -f ${VARDIR}/nat',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit "delete_tc1\n" if $config{CLEAR_TC};
|
||||
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
|
||||
|
||||
} else {
|
||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||
'',
|
||||
'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
|
||||
''
|
||||
);
|
||||
|
||||
emit "delete_tc1\n" if $config{CLEAR_TC};
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
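Review bot: The `norfc1918` sanity check re-emitted inside the new IPv4 branch lists `176.16.0.0/12`, but the RFC 1918 private block is `172.16.0.0/12`, so an interface carrying a 172.16/12 address slips past the warning; the line should read `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do'`. The value is carried over from the old code, but it is now a new-side line, so this is the moment to correct it. generate_script_2 continues outside the hunk.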
@ -643,7 +708,11 @@ sub generate_script_3($) {
|
||||
|
||||
emit "}\n";
|
||||
|
||||
progress_message2 "Creating iptables-restore input...";
|
||||
if ( $family == F_IPV4 ) {
|
||||
progress_message2 "Creating iptables-restore input...";
|
||||
} else {
|
||||
progress_message2 "Creating ip6tables-restore input...";
|
||||
}
|
||||
create_netfilter_load;
|
||||
create_chainlist_reload( $_[0] );
|
||||
|
||||
@ -669,7 +738,7 @@ if [ $COMMAND = restore ]; then
|
||||
fi
|
||||
EOF
|
||||
pop_indent;
|
||||
setup_forwarding;
|
||||
setup_forwarding( $family );
|
||||
push_indent;
|
||||
emit<<'EOF';
|
||||
set_state "Started"
|
||||
@ -677,7 +746,7 @@ else
|
||||
if [ $COMMAND = refresh ]; then
|
||||
chainlist_reload
|
||||
EOF
|
||||
setup_forwarding;
|
||||
setup_forwarding( $family );
|
||||
emit<<'EOF';
|
||||
run_refreshed_exit
|
||||
do_iptables -N shorewall
|
||||
@ -687,7 +756,7 @@ EOF
|
||||
restore_dynamic_rules
|
||||
conditionally_flush_conntrack
|
||||
EOF
|
||||
setup_forwarding;
|
||||
setup_forwarding( $family );
|
||||
emit<<'EOF';
|
||||
run_start_exit
|
||||
do_iptables -N shorewall
|
||||
@ -720,7 +789,13 @@ EOF
|
||||
|
||||
emit "}\n";
|
||||
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
|
||||
unless ( $test ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer';
|
||||
} else {
|
||||
copy $globals{SHAREDIRPL} . 'prog.footer6';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -926,7 +1001,11 @@ sub compiler {
|
||||
generate_matrix;
|
||||
|
||||
if ( $command eq 'check' ) {
|
||||
progress_message3 "Shorewall configuration verified";
|
||||
if ( $family == F_IPV4 ) {
|
||||
progress_message3 "Shorewall configuration verified";
|
||||
} else {
|
||||
progress_message3 "Shorewall6 configuration verified";
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# Finish the script.
|
||||
|
@ -469,7 +469,7 @@ sub initialize( $ ) {
|
||||
MODULE_SUFFIX => undef,
|
||||
MACLIST_TABLE => undef,
|
||||
MACLIST_TTL => undef,
|
||||
MAPOLDACTIONS => 'Yes',
|
||||
MAPOLDACTIONS => '',
|
||||
FASTACCEPT => undef,
|
||||
IMPLICIT_CONTINUE => undef,
|
||||
HIGH_ROUTE_MARKS => undef,
|
||||
@ -1677,14 +1677,19 @@ sub determine_capabilities( $ ) {
|
||||
my $pid = $$;
|
||||
my $sillyname = "fooX$pid";
|
||||
my $sillyname1 = "foo1X$pid";
|
||||
|
||||
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" );
|
||||
|
||||
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
|
||||
|
||||
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
|
||||
|
||||
|
||||
qt1( "$iptables -N $sillyname" );
|
||||
qt1( "$iptables -N $sillyname1" );
|
||||
|
||||
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
|
||||
if ( $family == F_IPV4 ) {
|
||||
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
|
||||
} else {
|
||||
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" );
|
||||
}
|
||||
|
||||
if ( $capabilities{CONNTRACK_MATCH} ) {
|
||||
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
|
||||
@ -1707,10 +1712,19 @@ sub determine_capabilities( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
|
||||
$capabilities{IPRANGE_MATCH} = 1;
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
|
||||
$capabilities{IPRANGE_MATCH} = 1;
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if ( qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" ) ) {
|
||||
$capabilities{IPRANGE_MATCH} = 1;
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
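Review bot: The IPv6 `KLUDGEFREE` probe mixes an IPv6 source range with the IPv4 destination range `--dst-range 192.168.1.5-192.168.1.124`, so ip6tables rejects the rule and `$capabilities{KLUDGEFREE}` is never detected for IPv6; the line should use `--dst-range ::1-::2` to mirror the IPv4 probe. The `IPRANGE_MATCH` probe just above it already uses the `::1-::2` form. determine_capabilities continues outside this hunk.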
@ -1994,7 +2008,13 @@ sub get_configuration( $ ) {
|
||||
|
||||
check_trivalue ( 'IP_FORWARDING', 'on' );
|
||||
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
|
||||
check_trivalue ( 'LOG_MARTIANS', 'on' ); fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on' && $family == F_IPV6;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
check_trivalue ( 'LOG_MARTIANS', 'on' );
|
||||
} else {
|
||||
check_trivalue ( 'LOG_MARTIANS', 'ff' );
|
||||
fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
|
||||
}
|
||||
|
||||
default 'STARTUP_LOG' , '';
|
||||
|
||||
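Review bot: `check_trivalue ( 'LOG_MARTIANS', 'ff' );` passes the default `'ff'`, which is neither `'on'`, `'off'` nor `''`; it looks like a truncated `'off'`, and if check_trivalue stores the default without validating it the IPv6 configuration ends up with a LOG_MARTIANS value no later `eq 'on'`/`eq 'off'` test recognises — confirm and change it to `check_trivalue ( 'LOG_MARTIANS', 'off' );` (or `''`, matching ROUTE_FILTER). get_configuration continues outside the hunk.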
@ -2338,7 +2358,7 @@ sub generate_aux_config() {
|
||||
|
||||
emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#";
|
||||
|
||||
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
||||
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) {
|
||||
conditionally_add_option $option;
|
||||
}
|
||||
|
||||
|
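Review bot: The new line `for my $option qw(VERBOSITY LOGFILE ... SAVE_IPSETS) {` uses a bare `qw()` list as the loop list without parentheses; that form was deprecated in Perl 5.14 and became a syntax error in 5.18, so it should be `for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) ) {`. The context line `for my $chain qw(OUTPUT PREROUTING) {` in the initialize_chain_table hunk has the same shape, though that line is not changed here. generate_aux_config continues outside this hunk.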
@ -69,6 +69,7 @@ our @EXPORT = qw( ALLIPv4
|
||||
validate_portpair
|
||||
validate_port_list
|
||||
validate_icmp
|
||||
validate_icmp6
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.3.0;
|
||||
|
@ -197,16 +197,44 @@ sub setup_source_routing() {
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_forwarding() {
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Enabled';
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Disabled!';
|
||||
}
|
||||
sub setup_forwarding( $ ) {
|
||||
my $family = shift;
|
||||
|
||||
emit '';
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
emit ' echo 1 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Enabled';
|
||||
} elsif ( $config{IP_FORWARDING} eq 'off' ) {
|
||||
emit ' echo 0 > /proc/sys/net/ipv4/ip_forward';
|
||||
emit ' progress_message2 IP Forwarding Disabled!';
|
||||
emit '';
|
||||
}
|
||||
} else {
|
||||
my $interfaces = find_interfaces_by_option 'forward';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
progress_message2 "$doing Interface forwarding...";
|
||||
|
||||
push_indent;
|
||||
push_indent;
|
||||
|
||||
save_progress_message 'Setting up IPv6 Interface Forwarding...';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
|
||||
my $value = get_interface_option $interface, 'forward';
|
||||
|
||||
emit ( "if [ -f $file ]; then" ,
|
||||
" echo $value > $file" );
|
||||
emit ( 'else' ,
|
||||
" error_message \"WARNING: Cannot set IPv4 forwarding on $interface\"" ) unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
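Review bot: In the IPv6 branch of setup_forwarding the emitted warning `"WARNING: Cannot set IPv4 forwarding on $interface"` is wrong for a path that writes `/proc/sys/net/ipv6/conf/$interface/forwarding`; it should say `IPv6 forwarding`. The `$doing` interpolated into `progress_message2 "$doing Interface forwarding..."` is not declared in this hunk, so confirm it is in scope in this module, and `$value` from `get_interface_option $interface, 'forward'` is written straight into the generated shell line `echo $value > $file`, which is only safe if the option value was validated when the interfaces file was parsed. The two IPv4 sub-branches also diverge on the trailing `emit ''` — present only in the `'off'` case — which looks unintentional.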
@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
|
||||
setup_mss
|
||||
);
|
||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||
our $VERSION = 4.1.5;
|
||||
our $VERSION = 4.3.0;
|
||||
|
||||
#
|
||||
# Set to one if we find a SECTION
|
||||
|
@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
|
||||
single_interface
|
||||
validate_interfaces_file
|
||||
all_interfaces
|
||||
all_bridges
|
||||
interface_number
|
||||
find_interface
|
||||
known_interface
|
||||
@ -618,7 +619,7 @@ sub validate_interfaces_file( $ )
|
||||
} else {
|
||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||
sourceroute => BINARY_IF_OPTION,
|
||||
@ -864,6 +865,13 @@ sub all_interfaces() {
|
||||
@interfaces;
|
||||
}
|
||||
|
||||
#
|
||||
# Return a list of bridges
|
||||
#
|
||||
sub all_bridges() {
|
||||
grep ( $interfaces{$_}{options}{bridge} , @interfaces );
|
||||
}
|
||||
|
||||
#
|
||||
# Return a reference to the interfaces table entry for an interface
|
||||
#
|
||||
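Review bot: `all_bridges` uses the expression form `grep ( EXPR, LIST )` with an implicit return; the block form with an explicit return reads more clearly and avoids the comma-parsing ambiguity: `return grep { $interfaces{$_}{options}{bridge} } @interfaces;`. The header comment `# Return a list of bridges` could also state that the result is derived from the `bridge` interface option, so callers know it reflects configuration rather than the kernel's bridge list.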
@ -966,13 +974,9 @@ sub validate_hosts_file()
|
||||
} else {
|
||||
%validoptions = (
|
||||
blacklist => 1,
|
||||
maclist => 1,
|
||||
nosmurfs => 1,
|
||||
routeback => 1,
|
||||
tcpflags => 1,
|
||||
broadcast => 1,
|
||||
destonly => 1,
|
||||
sourceonly => 1,
|
||||
);
|
||||
}
|
||||
|
||||
|
200
Shorewall-perl/prog.footer6
Normal file
200
Shorewall-perl/prog.footer6
Normal file
@ -0,0 +1,200 @@
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
|
||||
exit $1
|
||||
}
|
||||
################################################################################
|
||||
# E X E C U T I O N B E G I N S H E R E #
|
||||
################################################################################
|
||||
#
|
||||
# Start trace if first arg is "debug" or "trace"
|
||||
#
|
||||
if [ $# -gt 1 ]; then
|
||||
if [ "x$1" = "xtrace" ]; then
|
||||
set -x
|
||||
shift
|
||||
elif [ "x$1" = "xdebug" ]; then
|
||||
DEBUG=Yes
|
||||
shift
|
||||
fi
|
||||
fi
|
||||
|
||||
initialize
|
||||
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
case $option in
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
[ -z "$option" ] && usage 1
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
v*)
|
||||
VERBOSE=$(($VERBOSE + 1 ))
|
||||
option=${option#v}
|
||||
;;
|
||||
q*)
|
||||
VERBOSE=$(($VERBOSE - 1 ))
|
||||
option=${option#q}
|
||||
;;
|
||||
n*)
|
||||
NOROUTES=Yes
|
||||
option=${option#n}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
finished=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
COMMAND="$1"
|
||||
|
||||
[ -n "${PRODUCT:=Shorewall6}" ]
|
||||
|
||||
case "$COMMAND" in
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if shorewall6_is_started; then
|
||||
error_message "$PRODUCT is already Running"
|
||||
status=0
|
||||
else
|
||||
progress_message3 "Starting $PRODUCT...."
|
||||
define_firewall
|
||||
status=$?
|
||||
[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
progress_message3 "Stopping $PRODUCT...."
|
||||
stop_firewall
|
||||
status=0
|
||||
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
;;
|
||||
reset)
|
||||
if ! shorewall6_is_started ; then
|
||||
error_message "$PRODUCT is not running"
|
||||
status=2
|
||||
elif [ $# -eq 1 ]; then
|
||||
$IP6TABLES -Z
|
||||
$IP6TABLES -t mangle -Z
|
||||
date > ${VARDIR}/restarted
|
||||
status=0
|
||||
progress_message3 "$PRODUCT Counters Reset"
|
||||
else
|
||||
shift
|
||||
status=0
|
||||
for chain in $@; do
|
||||
if chain_exists $chain; then
|
||||
if qt $IP6TABLES -Z $chain; then
|
||||
progress_message3 "Filter $chain Counters Reset"
|
||||
else
|
||||
error_message "ERROR: Reset of chain $chain failed"
|
||||
status=2
|
||||
break
|
||||
fi
|
||||
else
|
||||
error_message "WARNING: Filter Chain $chain does not exist"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
;;
|
||||
restart)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if shorewall6_is_started; then
|
||||
progress_message3 "Restarting $PRODUCT...."
|
||||
else
|
||||
error_message "$PRODUCT is not running"
|
||||
progress_message3 "Starting $PRODUCT...."
|
||||
fi
|
||||
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
progress_message3 "done."
|
||||
;;
|
||||
refresh)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if shorewall6_is_started; then
|
||||
progress_message3 "Refreshing $PRODUCT...."
|
||||
define_firewall
|
||||
status=$?
|
||||
progress_message3 "done."
|
||||
else
|
||||
echo "$PRODUCT is not running" >&2
|
||||
status=2
|
||||
fi
|
||||
;;
|
||||
restore)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
;;
|
||||
clear)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
progress_message3 "Clearing $PRODUCT...."
|
||||
clear_firewall
|
||||
status=0
|
||||
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
;;
|
||||
status)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
if shorewall6_is_started; then
|
||||
echo "$PRODUCT is running"
|
||||
status=0
|
||||
else
|
||||
echo "$PRODUCT is stopped"
|
||||
status=4
|
||||
fi
|
||||
|
||||
if [ -f ${VARDIR}/state ]; then
|
||||
state="$(cat ${VARDIR}/state)"
|
||||
case $state in
|
||||
Stopped*|Clear*)
|
||||
status=3
|
||||
;;
|
||||
esac
|
||||
else
|
||||
state=Unknown
|
||||
fi
|
||||
echo "State:$state"
|
||||
echo
|
||||
;;
|
||||
version)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
echo $VERSION
|
||||
status=0
|
||||
;;
|
||||
help)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
usage 0
|
||||
;;
|
||||
*)
|
||||
usage 2
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $status
|
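Review bot: The `usage()` text lists `start|stop|clear|reset|refresh|restart|status|version`, but the `case "$COMMAND"` below also accepts `restore` and `help`, so the help output is incomplete; the echo should read `echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|restore|status|version|help ]"`. In the `restart)` and `restore)` cases the chain `[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK` removes the lock file when `touch` itself fails even though define_firewall succeeded; an explicit `if`/`else` states the intent. `$SUBSYSLOCK` and `${VARDIR}/state` are expanded unquoted throughout, which only matters if those paths can contain whitespace.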
@ -110,7 +110,7 @@ do_iptables()
|
||||
local status
|
||||
|
||||
while [ 1 ]; do
|
||||
$IPTABLES $@
|
||||
$IP6TABLES $@
|
||||
status=$?
|
||||
[ $status -ne 4 ] && return $status;
|
||||
done
|
||||
@ -180,32 +180,32 @@ debug_restore_input() {
|
||||
#
|
||||
# Clear the ruleset
|
||||
#
|
||||
qt1 $IPTABLES -t mangle -F
|
||||
qt1 $IPTABLES -t mangle -X
|
||||
qt1 $IP6TABLES -t mangle -F
|
||||
qt1 $IP6TABLES -t mangle -X
|
||||
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt1 $IPTABLES -t mangle -P $chain ACCEPT
|
||||
qt1 $IP6TABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IPTABLES -t raw -F
|
||||
qt1 $IPTABLES -t raw -X
|
||||
qt1 $IP6TABLES -t raw -F
|
||||
qt1 $IP6TABLES -t raw -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t raw -P $chain ACCEPT
|
||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt1 $IPTABLES -t nat -P $chain ACCEPT
|
||||
qt1 $IP6TABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IPTABLES -t filter -F
|
||||
qt1 $IPTABLES -t filter -X
|
||||
qt1 $IP6TABLES -t filter -F
|
||||
qt1 $IP6TABLES -t filter -X
|
||||
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
qt1 $IPTABLES -t filter -P $chain -P ACCEPT
|
||||
qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
|
||||
done
|
||||
|
||||
while read first second rest; do
|
||||
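Review bot: The filter policy reset `qt1 $IP6TABLES -t filter -P $chain -P ACCEPT` passes `-P` twice, which ip6tables rejects, and because `qt1` silences the failure the INPUT/FORWARD/OUTPUT policies are never restored to ACCEPT here; the line should be `qt1 $IP6TABLES -t filter -P $chain ACCEPT`. The same hunk keeps `run_iptables -t nat -F` and `run_iptables -t nat -X` unconditional, while the Perl side only probes `NAT_ENABLED` for IPv4 (`... if $family == F_IPV4` in determine_capabilities); on a kernel without an IPv6 nat table those calls fail, and if run_iptables aborts on error as its name suggests the whole restore path stops — guard them with the NAT capability or drop them from the IPv6 library. debug_restore_input continues outside this hunk.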
@ -214,10 +214,10 @@ debug_restore_input() {
|
||||
#
|
||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
||||
#
|
||||
eval $IPTABLES -t $table $first $second $rest
|
||||
eval $IP6TABLES -t $table $first $second $rest
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -232,7 +232,7 @@ debug_restore_input() {
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
|
@ -131,7 +131,7 @@ qt1()
|
||||
#
|
||||
# Determine if Shorewall is "running"
|
||||
#
|
||||
shorewall_is_started() {
|
||||
shorewall6_is_started() {
|
||||
qt1 $IP6TABLES -L shorewall -n
|
||||
}
|
||||
|
||||
@ -562,82 +562,6 @@ INCLUDE() {
|
||||
. $(find_file $(expand $@))
|
||||
}
|
||||
|
||||
#
|
||||
# Delete IP address
|
||||
#
|
||||
del_ip_addr() # $1 = address, $2 = interface
|
||||
{
|
||||
[ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2
|
||||
}
|
||||
|
||||
# Add IP Aliases
|
||||
#
|
||||
add_ip_aliases() # $* = List of addresses
|
||||
{
|
||||
local local
|
||||
local addresses
|
||||
local external
|
||||
local interface
|
||||
local inet
|
||||
local cidr
|
||||
local rest
|
||||
local val
|
||||
local arping
|
||||
arping=$(mywhich arping)
|
||||
|
||||
address_details()
|
||||
{
|
||||
#
|
||||
# Folks feel uneasy if they don't see all of the same
|
||||
# decoration on these IP addresses that they see when their
|
||||
# distro's net config tool adds them. In an attempt to reduce
|
||||
# the anxiety level, we have the following code which sets
|
||||
# the VLSM and BRD from an existing address in the same networks
|
||||
#
|
||||
# Get all of the lines that contain inet addresses with broadcast
|
||||
#
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
|
||||
case $cidr in
|
||||
*/*)
|
||||
if in_network $external $cidr; then
|
||||
echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
|
||||
break
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
do_one()
|
||||
{
|
||||
val=$(address_details)
|
||||
|
||||
ip addr add ${external}${val} dev $interface $label
|
||||
[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
|
||||
echo "$external $interface" >> $VARDIR/nat
|
||||
[ -n "$label" ] && label="with $label"
|
||||
progress_message " IP Address $external added to interface $interface $label"
|
||||
}
|
||||
|
||||
progress_message "Adding IP Addresses..."
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
external=$1
|
||||
interface=$2
|
||||
label=
|
||||
|
||||
if [ "$interface" != "${interface%:*}" ]; then
|
||||
label="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
label="label $interface:$label"
|
||||
fi
|
||||
|
||||
shift 2
|
||||
|
||||
list_search $external $(find_interface_addresses $interface) || do_one
|
||||
done
|
||||
}
|
||||
|
||||
detect_gateway() # $1 = interface
|
||||
{
|
||||
local interface
|
||||
@ -660,33 +584,6 @@ detect_gateway() # $1 = interface
|
||||
[ -n "$gateway" ] && echo $gateway
|
||||
}
|
||||
|
||||
#
|
||||
# Disable IPV6
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo
|
||||
foo="$(ip -f inet6 addr list 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
ip6tables -P FORWARD DROP
|
||||
ip6tables -P INPUT DROP
|
||||
ip6tables -P OUTPUT DROP
|
||||
ip6tables -F
|
||||
ip6tables -X
|
||||
ip6tables -A OUTPUT -o lo -j ACCEPT
|
||||
ip6tables -A INPUT -i lo -j ACCEPT
|
||||
else
|
||||
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
# dash do not support that form of expansion.
|
||||
#
|
||||
|
||||
truncate() # $1 = length
|
||||
{
|
||||
cut -b -${1}
|
||||
|
@ -24,13 +24,9 @@
|
||||
#
|
||||
Auth/REJECT
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
AllowICMPs - - ipv6-icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
@ -40,7 +36,6 @@ dropInvalid
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB/DROP
|
||||
DropUPnP
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
|
@ -20,14 +20,9 @@
|
||||
#
|
||||
Auth/REJECT
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
AllowICMPs - - ipv6-icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
@ -38,7 +33,6 @@ dropInvalid
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB/REJECT
|
||||
DropUPnP
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
|
@ -696,7 +696,7 @@ set_state () # $1 = state
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
determine_capabilities() {
|
||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
NEW_CONNTRACK_MATCH=
|
||||
|
@ -11,6 +11,9 @@
|
||||
|
||||
COMMENT Needed ICMP types
|
||||
|
||||
ACCEPT - - icmp fragmentation-needed
|
||||
ACCEPT - - icmp time-exceeded
|
||||
ACCEPT - - ipv6-icmp packet-too-big
|
||||
ACCEPT - - ipv6-icmp time-exceeded
|
||||
ACCEPT - - ipv6-icmp router-solicitation
|
||||
ACCEPT - - ipv6-icmp neighbour-solicitation
|
||||
ACCEPT - - ipv6-icmp neighbour-advertisement
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
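Review bot: The new ipv6-icmp list accepts router-solicitation and both neighbour-discovery messages but not `router-advertisement`, so a firewall that relies on SLAAC or learns its default route from an upstream router would need an extra `ACCEPT - - ipv6-icmp router-advertisement` entry; if the omission is deliberate (the firewall is a router, not a host), a short comment after `COMMENT Needed ICMP types` saying so would save the next reader the question. Whether these entries also apply to forwarded traffic depends on where the AllowICMPs action is invoked, which is outside this hunk.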
@ -1,12 +1,12 @@
|
||||
#
|
||||
# Shorewall version 4 - Ping Macro
|
||||
# Shorewall6 version 4 - Ping Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Ping
|
||||
# /usr/share/shorewall6/macro.Ping
|
||||
#
|
||||
# This macro handles 'ping' requests.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - icmp 8
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - ipv6-icmp 128
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|