Make SAVE_IPSETS more rational

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2089 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-06 20:10:11 +00:00
parent a0b560d576
commit 58f5be2670
5 changed files with 84 additions and 41 deletions


@ -3,3 +3,6 @@ Changes in 2.3.0
1) Implement support for --cmd-owner
2) Implement support for ipsets.
3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.


@ -1550,6 +1550,7 @@ stop_firewall() {
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
@ -2996,6 +2997,8 @@ check_config() {
validate_policy
validate_blacklist
echo "Pre-validating Actions..."
process_actions1
@ -5562,11 +5565,13 @@ setup_masq()
# $dport = destination port selector
#
add_blacklist_rule() {
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
if [ "$COMMAND" != check ]; then
if [ -n "$BLACKLIST_LOGLEVEL" ]; then
log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport)
fi
run_iptables2 -A blacklst $source $proto $dport -j $disposition
fi
run_iptables2 -A blacklst $source $proto $dport -j $disposition
}
#
@ -5642,7 +5647,11 @@ process_blacklist_rec() {
addr="$addr $protocol"
fi
progress_message " $addr added to Black List"
if [ "$COMMAND" = check ]; then
progress_message " $addr" Verified
else
progress_message " $addr added to Black List"
fi
done
}
@ -5714,6 +5723,25 @@ refresh_blacklist() {
fi
}
#
# Verify the Black List
#
validate_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
echo "Checking Black List..."
strip_file blacklist $f
[ "$disposition" = REJECT ] && disposition=reject
while read networks protocol ports; do
expandv networks protocol ports
process_blacklist_rec
done < $TMP_DIR/blacklist
}
#
# Verify that kernel has netfilter support
#
@ -5906,18 +5934,6 @@ report_capabilities() {
report_capability "Owner Match" $OWNER_MATCH
}
#
# Restore ipset contents
#
restore_ipset_contents() {
local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets
if [ -x $ipset_script ]; then
progress_message "Restoring IPSET contents..."
$ipset_script || stop_firewall
fi
}
#
# Perform Initialization
# - Delete all old rules
@ -6015,7 +6031,15 @@ initialize_netfilter () {
setcontinue INPUT
setcontinue OUTPUT
[ -n "$SAVE_IPSETS" ] && restore_ipset_contents
f=$(find_file ipsets)
if [ -f $f ]; then
echo "Processing $f ..."
ipset -U :all: :all:
run_ipset -F
run_ipset -X
run_ipset -R < $f
fi
run_user_exit continue
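Review bot: In the initialize_netfilter hunk, `ipset -U :all: :all:` is called directly while the three commands that follow it go through `run_ipset`, so a failed unbind is neither reported nor fatal and the script proceeds into `run_ipset -F` / `-X` / `-R` with bindings still in place; unless the direct call is deliberate (for example to tolerate an error when no bindings exist), it should be `run_ipset -U :all: :all:` or carry a comment saying why it is exempt. The same hunk flushes and destroys every existing set before `run_ipset -R < $f` has succeeded, so a malformed `ipsets` file leaves the firewall with no sets and rules that reference them fail later with a less direct message; the removed `restore_ipset_contents` fell back to `stop_firewall` in that situation, and I cannot tell from this page whether `run_ipset` does the same. `f` is also unquoted in `if [ -f $f ]; then` and in the `< $f` redirection, and the same `local f=$(find_file blacklist)` pattern in the new validate_blacklist masks find_file's exit status; `if [ -f "$f" ]; then` and `run_ipset -R < "$f"` cost nothing. initialize_netfilter starts and ends outside the hunk.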


@ -159,7 +159,7 @@ find_file()
# Replace commas with spaces and echo the result
#
separate_list() {
local list
local list="$@"
local part
local newlist
local firstpart
@ -173,7 +173,7 @@ separate_list() {
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
case "$list" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
@ -184,10 +184,10 @@ separate_list() {
# Where we need to embed comma-separated lists within lists, we enclose them
# within square brackets
#
firstpart=${@%%[*}
lastpart=${@#*[}
enclosure=${lastpart%]*}
lastpart=${lastpart#*]}
firstpart=${list%%\[*}
lastpart=${list#*\[}
enclosure=${lastpart%\]*}
lastpart=${lastpart#*\]}
case $lastpart in
\,*)
echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
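Review bot: `local list="$@"` in separate_list assigns a list expansion to a scalar; inside an assignment `"$@"` has no words to expand into and is joined with spaces only by shell convention (ShellCheck SC2124), whereas `local list="$*"` states the intent and, with the default IFS, produces the same string. Escaping the brackets in `${list%%\[*}`, `${list#*\[}`, `${lastpart%\]*}` and `${lastpart#*\]}` is an improvement, since the old `${@%%[*}` forms relied on an unterminated `[` being taken literally and applied the pattern to each positional parameter separately rather than to the joined string. The `$terminator "Invalid comma-separated list \"$@\""` line still interpolates `"$@"` instead of `$list`; aligning it keeps the function reading from one source. separate_list continues outside the hunk.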


@ -39,7 +39,7 @@ New Features in version 2.3.0
2) Support has been added for ipsets
(see http://people.netfilter.org/kadlec/ipset/).
In most places where an host or network address may be used, you may
In most places where a host or network address may be used, you may
also use the name of an ipset prefaced by "+".
Example: "+Mirrors"
@ -82,23 +82,15 @@ New Features in version 2.3.0
Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then:
A) "shorewall save" will save the contents of your ipsets. The file
then "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then your Shorewall
configuration will be saved in /var/lib/shorewall/standard and your
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
B) During "shorewall [re]start", shorewall will restore the ipset
contents from the file specifed in RESTOREFILE
(shorewall.conf). Again "-ipsets" is appended so if you have
RESTOREFILE=standard in shorewall.conf then your ipset contents will
be restored from /var/lib/shorewall/standard-ipsets.
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
and "shorewall start" commands will restore the ipset contents
and "shorewall restore" commands will restore the ipset contents
corresponding to the Shorewall configuration restored provided that
the saved Shorewall configuration specified exists.
@ -107,6 +99,24 @@ New Features in version 2.3.0
/var/lib/shorewall/standard exists and is executable and that
/var/lib/shorewall/standard-ipsets exists and is executable.
Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
command will purge the saved ipset information (if any) associated
with the saved shorewall configuration being removed.
You can also associate ipset contents with Shorewall configuration
directories using the following command:
ipset -S > <config directory>/ipsets
Example:
ipset -S > /etc/shorewall/ipsets
When you start or restart Shorewall (including using the 'try'
command) from the configuration directory, your ipsets will be
configured from the saved ipsets file. Once again, this behavior is
independent of the setting of SAVE_IPSETS.
Ipsets are well suited for large blacklists. You can maintain your
blacklist using the 'ipset' utility without ever having to restart
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
@ -115,8 +125,8 @@ New Features in version 2.3.0
Example /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[2]
+Blacklistnets[2]
+Blacklist[src,dst]
+Blacklistnets[src,dst]
Create the blacklist ipsets using:


@ -1223,8 +1223,10 @@ case "$1" in
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
case $SAVE_IPSETS in
[Yy]es)
rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets
echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$
echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$
@ -1237,6 +1239,11 @@ case "$1" in
chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH"
;;
[Nn][Oo])
;
*)
echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
;;
esac
else
rm -f /var/lib/shorewall/restore-$$
@ -1335,8 +1342,7 @@ case "$1" in
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
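Review bot: The new `[Nn][Oo])` arm in the save path is terminated with a single `;` instead of `;;`, which is a syntax error inside `case` (a bare `;` with no command before it), and because the enclosing `case "$1" in` is parsed as one compound command this would break every invocation of the script, not only `save`; unless the page rendering dropped a character, it should read `[Nn][Oo])` followed by `;;`. I read `rm -f ${RESTOREPATH}-ipsets` as added before the case, which means an invalid SAVE_IPSETS value now both warns and discards the previously saved ipset contents; if that is intended, a comment such as `# a stale ipset save is removed regardless of SAVE_IPSETS` would make it explicit, otherwise the rm belongs inside the Yes arm. The `case "$1" in` that encloses these lines starts and ends outside the hunk.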