Make SAVE_IPSETS more rational
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2089 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a0b560d576
commit
58f5be2670
@ -3,3 +3,6 @@ Changes in 2.3.0
|
||||
1) Implement support for --cmd-owner
|
||||
|
||||
2) Implement support for ipsets.
|
||||
|
||||
3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
Shorewall configuration directories.
|
||||
|
@ -1550,6 +1550,7 @@ stop_firewall() {
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x ${RESTOREPATH}-ipsets ]; then
|
||||
echo Restoring Ipsets...
|
||||
#
|
||||
@ -2996,6 +2997,8 @@ check_config() {
|
||||
|
||||
validate_policy
|
||||
|
||||
validate_blacklist
|
||||
|
||||
echo "Pre-validating Actions..."
|
||||
|
||||
process_actions1
|
||||
@ -5562,11 +5565,13 @@ setup_masq()
|
||||
# $dport = destination port selector
|
||||
#
|
||||
add_blacklist_rule() {
|
||||
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
|
||||
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
|
||||
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
|
||||
fi
|
||||
|
||||
run_iptables2 -A blacklst $source $proto $dport -j $disposition
|
||||
fi
|
||||
|
||||
run_iptables2 -A blacklst $source $proto $dport -j $disposition
|
||||
}
|
||||
|
||||
#
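Review bot: Wrapping both log_rule and run_iptables2 in `if [ "$COMMAND" != check ]` means `shorewall check` never hands a blacklist rule to iptables, so `$source`/`$proto`/`$dport` values that only iptables would reject still pass validation; that is a reasonable fast path, but it deserves a comment at the gate, e.g. `# 'check' validates the parse only; the rule never reaches iptables`. The same `$COMMAND` test is repeated in process_blacklist_rec in the next hunk, so a reader may wonder which of the two is the real gate — naming the intent here avoids that. The unquoted `$source $proto $dport` expansions are pre-existing and intentionally word-split.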
|
||||
@ -5642,7 +5647,11 @@ process_blacklist_rec() {
|
||||
addr="$addr $protocol"
|
||||
fi
|
||||
|
||||
progress_message " $addr added to Black List"
|
||||
if [ "$COMMAND" = check ]; then
|
||||
progress_message " $addr" Verified
|
||||
else
|
||||
progress_message " $addr added to Black List"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
@ -5714,6 +5723,25 @@ refresh_blacklist() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Verify the Black List
|
||||
#
|
||||
validate_blacklist() {
|
||||
local f=$(find_file blacklist)
|
||||
local disposition=$BLACKLIST_DISPOSITION
|
||||
|
||||
echo "Checking Black List..."
|
||||
|
||||
strip_file blacklist $f
|
||||
|
||||
[ "$disposition" = REJECT ] && disposition=reject
|
||||
|
||||
while read networks protocol ports; do
|
||||
expandv networks protocol ports
|
||||
process_blacklist_rec
|
||||
done < $TMP_DIR/blacklist
|
||||
}
|
||||
|
||||
#
|
||||
# Verify that kernel has netfilter support
|
||||
#
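Review bot: validate_blacklist declares `local disposition=$BLACKLIST_DISPOSITION` (and lowercases REJECT) but never uses it itself; it is consumed by add_blacklist_rule's `-j $disposition` through process_blacklist_rec via dynamic scoping, which the next reader is likely to "clean up", so that line needs a comment such as `# read by add_blacklist_rule (via process_blacklist_rec) through dynamic scope`. `while read networks protocol ports; do` should be `while read -r networks protocol ports; do` so a backslash in a blacklist entry is not silently interpreted, and the redirection should quote the path: `done < "$TMP_DIR/blacklist"`. `local f=$(find_file blacklist)` also hides find_file's exit status; whether strip_file copes with an empty `$f` is not visible here.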
|
||||
@ -5906,18 +5934,6 @@ report_capabilities() {
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
# Restore ipset contents
|
||||
#
|
||||
restore_ipset_contents() {
|
||||
local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
|
||||
|
||||
if [ -x $ipset_script ]; then
|
||||
progress_message "Restoring IPSET contents..."
|
||||
$ipset_script || stop_firewall
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Perform Initialization
|
||||
# - Delete all old rules
|
||||
@ -6015,7 +6031,15 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
[ -n "$SAVE_IPSETS" ] && restore_ipset_contents
|
||||
f=$(find_file ipsets)
|
||||
|
||||
if [ -f $f ]; then
|
||||
echo "Processing $f ..."
|
||||
ipset -U :all: :all:
|
||||
run_ipset -F
|
||||
run_ipset -X
|
||||
run_ipset -R < $f
|
||||
fi
|
||||
|
||||
run_user_exit continue
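Review bot: The new ipsets-file branch runs `ipset -U :all: :all:` directly while the next three commands go through run_ipset, so an unbind failure is treated differently from the rest of the sequence; `run_ipset -U :all: :all:` would be consistent unless the direct call is deliberate. More importantly `run_ipset -F` and `run_ipset -X` flush and destroy every set on the host, not only Shorewall-managed ones, before `run_ipset -R < $f` repopulates them, and unlike the removed restore_ipset_contents (`$ipset_script || stop_firewall`) there is no visible reaction if the restore fails, leaving the firewall up with empty sets unless run_ipset itself aborts — `run_ipset -R < "$f" || startup_error "Unable to restore ipsets from $f"` (or fatal_error, whichever fits this phase; the file mentions both) would keep the old guarantee. `[ -f $f ]` and the redirection should quote `$f`, and `f` is not declared local in the visible lines, so it presumably leaks into the caller's scope. initialize_netfilter starts and ends outside this hunk.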
|
||||
|
||||
|
@ -159,7 +159,7 @@ find_file()
|
||||
# Replace commas with spaces and echo the result
|
||||
#
|
||||
separate_list() {
|
||||
local list
|
||||
local list="$@"
|
||||
local part
|
||||
local newlist
|
||||
local firstpart
|
||||
@ -173,7 +173,7 @@ separate_list() {
|
||||
# either 'startup_error' or 'fatal_error' depending on the command and
|
||||
# command phase
|
||||
#
|
||||
case "$@" in
|
||||
case "$list" in
|
||||
*,|,*|*,,*|*[[:space:]]*)
|
||||
[ -n "$terminator" ] && \
|
||||
$terminator "Invalid comma-separated list \"$@\""
|
||||
@ -184,10 +184,10 @@ separate_list() {
|
||||
# Where we need to embed comma-separated lists within lists, we enclose them
|
||||
# within square brackets
|
||||
#
|
||||
firstpart=${@%%[*}
|
||||
lastpart=${@#*[}
|
||||
enclosure=${lastpart%]*}
|
||||
lastpart=${lastpart#*]}
|
||||
firstpart=${list%%\[*}
|
||||
lastpart=${list#*\[}
|
||||
enclosure=${lastpart%\]*}
|
||||
lastpart=${lastpart#*\]}
|
||||
case $lastpart in
|
||||
\,*)
|
||||
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
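Review bot: `enclosure=${lastpart%\]*}` strips the shortest suffix, so when `$list` holds more than one bracketed group — say `a[b,c],d[e,f]` — lastpart is `b,c],d[e,f]`, enclosure becomes `b,c],d[e,f` (everything up to the last `]`), while `lastpart=${lastpart#*\]}` strips only the first group, and the `\,*)` arm then emits `a[b,c],d[e,f] d[e,f]`, duplicating the trailing group; the commit escapes the brackets but carries that behaviour over. If several bracketed groups are a supported input, `enclosure=${lastpart%%\]*}` (longest suffix, i.e. cut at the first `]`) is the counterpart of `firstpart=${list%%\[*}`; if only one group is supported, a comment saying so on the `enclosure=` line would save the next reader the analysis. separate_list begins in an earlier hunk and ends outside this one.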
|
||||
|
@ -39,7 +39,7 @@ New Features in version 2.3.0
|
||||
2) Support has been added for ipsets
|
||||
(see http://people.netfilter.org/kadlec/ipset/).
|
||||
|
||||
In most places where an host or network address may be used, you may
|
||||
In most places where a host or network address may be used, you may
|
||||
also use the name of an ipset prefaced by "+".
|
||||
|
||||
Example: "+Mirrors"
|
||||
@ -82,23 +82,15 @@ New Features in version 2.3.0
|
||||
|
||||
Shorewall can automatically manage the contents of your ipsets for
|
||||
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
|
||||
then:
|
||||
|
||||
A) "shorewall save" will save the contents of your ipsets. The file
|
||||
then "shorewall save" will save the contents of your ipsets. The file
|
||||
where the sets are saved is formed by taking the name where the
|
||||
Shorewall configuration is stored and appending "-ipsets". So if you
|
||||
enter the command "shorewall save standard" then your Shorewall
|
||||
configuration will be saved in /var/lib/shorewall/standard and your
|
||||
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
|
||||
|
||||
B) During "shorewall [re]start", shorewall will restore the ipset
|
||||
contents from the file specifed in RESTOREFILE
|
||||
(shorewall.conf). Again "-ipsets" is appended so if you have
|
||||
RESTOREFILE=standard in shorewall.conf then your ipset contents will
|
||||
be restored from /var/lib/shorewall/standard-ipsets.
|
||||
|
||||
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
|
||||
and "shorewall start" commands will restore the ipset contents
|
||||
and "shorewall restore" commands will restore the ipset contents
|
||||
corresponding to the Shorewall configuration restored provided that
|
||||
the saved Shorewall configuration specified exists.
|
||||
|
||||
@ -107,6 +99,24 @@ New Features in version 2.3.0
|
||||
/var/lib/shorewall/standard exists and is executable and that
|
||||
/var/lib/shorewall/standard-ipsets exists and is executable.
|
||||
|
||||
Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
|
||||
command will purge the saved ipset information (if any) associated
|
||||
with the saved shorewall configuration being removed.
|
||||
|
||||
You can also associate ipset contents with Shorewall configuration
|
||||
directories using the following command:
|
||||
|
||||
ipset -S > <config directory>/ipsets
|
||||
|
||||
Example:
|
||||
|
||||
ipset -S > /etc/shorewall/ipsets
|
||||
|
||||
When you start or restart Shorewall (including using the 'try'
|
||||
command) from the configuration directory, your ipsets will be
|
||||
configured from the saved ipsets file. Once again, this behavior is
|
||||
independent of the setting of SAVE_IPSETS.
|
||||
|
||||
Ipsets are well suited for large blacklists. You can maintain your
|
||||
blacklist using the 'ipset' utility without ever having to restart
|
||||
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
|
||||
@ -115,8 +125,8 @@ New Features in version 2.3.0
|
||||
Example /etc/shorewall/blacklist:
|
||||
|
||||
#ADDRESS/SUBNET PROTOCOL PORT
|
||||
+Blacklist[2]
|
||||
+Blacklistnets[2]
|
||||
+Blacklist[src,dst]
|
||||
+Blacklistnets[src,dst]
|
||||
|
||||
Create the blacklist ipsets using:
|
||||
|
||||
|
@ -1223,8 +1223,10 @@ case "$1" in
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
|
||||
case $SAVE_IPSETS in
|
||||
[Yy]es)
|
||||
rm -f ${RESTOREPATH}-ipsets
|
||||
|
||||
case ${SAVE_IPSETS:-No} in
|
||||
[Yy][Ee][Ss])
|
||||
RESTOREPATH=${RESTOREPATH}-ipsets
|
||||
echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
|
||||
echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
|
||||
@ -1237,6 +1239,11 @@ case "$1" in
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Current Ipset Contents Saved to $RESTOREPATH"
|
||||
;;
|
||||
[Nn][Oo])
|
||||
;
|
||||
*)
|
||||
echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
rm -f /var/lib/shorewall/restore-$$
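Review bot: As rendered, the `[Nn][Oo])` arm of the new `case ${SAVE_IPSETS:-No} in` is terminated by a lone `;` rather than `;;`, which the shell rejects as a syntax error and would take the whole `save` command down with it; the neighbouring arms show `;;` intact, so if this is not a display artifact the lines should read `[Nn][Oo])` / `;;`. A short comment on the arm, e.g. `# SAVE_IPSETS=No: configuration saved above, ipset contents deliberately not saved`, would also make the intentional no-op obvious. The enclosing case statement continues outside this hunk.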
|
||||
@ -1335,8 +1342,7 @@ case "$1" in
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
|
||||
if [ -x $RESTOREPATH ]; then
|
||||
if [ -x ${RESTOREPATH}-ipsets ] ; then
|
||||
echo Restoring Ipsets...
|
||||
iptables -F
|
||||
|