diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 472ec4371..4f26c389b 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -3,3 +3,6 @@ Changes in 2.3.0 1) Implement support for --cmd-owner 2) Implement support for ipsets. + +3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in + Shorewall configuration directories. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 48e345cba..d689ae968 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1550,6 +1550,7 @@ stop_firewall() { RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then + if [ -x ${RESTOREPATH}-ipsets ]; then echo Restoring Ipsets... # @@ -2996,6 +2997,8 @@ check_config() { validate_policy + validate_blacklist + echo "Pre-validating Actions..." process_actions1 @@ -5562,11 +5565,13 @@ setup_masq() # $dport = destination port selector # add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) + if [ "$COMMAND" != check ]; then + if [ -n "$BLACKLIST_LOGLEVEL" ]; then + log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) + fi + + run_iptables2 -A blacklst $source $proto $dport -j $disposition fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition } # @@ -5642,7 +5647,11 @@ process_blacklist_rec() { addr="$addr $protocol" fi - progress_message " $addr added to Black List" + if [ "$COMMAND" = check ]; then + progress_message " $addr" Verified + else + progress_message " $addr added to Black List" + fi done } 
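Review bot: In the new `check` branch of process_blacklist_rec the message is passed as two words, `progress_message " $addr" Verified`, while the else branch hands progress_message one quoted string; quote the whole message, `progress_message " $addr Verified"`, so both branches pass a single argument and the output does not depend on how progress_message joins its parameters. The `done` and closing brace show the function ends at the end of the hunk, but its start is outside it.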
@@ -5714,6 +5723,25 @@ refresh_blacklist() { fi } +# +# Verify the Black List +# +validate_blacklist() { + local f=$(find_file blacklist) + local disposition=$BLACKLIST_DISPOSITION + + echo "Checking Black List..." + + strip_file blacklist $f + + [ "$disposition" = REJECT ] && disposition=reject + + while read networks protocol ports; do + expandv networks protocol ports + process_blacklist_rec + done < $TMP_DIR/blacklist +} + # # Verify that kernel has netfilter support # @@ -5906,18 +5934,6 @@ report_capabilities() { report_capability "Owner Match" $OWNER_MATCH } -# -# Restore ipset contents -# -restore_ipset_contents() { - local ipset_script=/var/lib/shorewall/${RESTOREFILE:-restore}-ipsets - - if [ -x $ipset_script ]; then - progress_message "Restoring IPSET contents..." - $ipset_script || stop_firewall - fi -} - # # Perform Initialization # - Delete all old rules @@ -6015,7 +6031,15 @@ initialize_netfilter () { setcontinue INPUT setcontinue OUTPUT - [ -n "$SAVE_IPSETS" ] && restore_ipset_contents + f=$(find_file ipsets) + + if [ -f $f ]; then + echo "Processing $f ..." + ipset -U :all: :all: + run_ipset -F + run_ipset -X + run_ipset -R < $f + fi run_user_exit continue diff --git a/Shorewall2/functions b/Shorewall2/functions index 941b5cf61..c5debba45 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions @@ -159,7 +159,7 @@ find_file() # Replace commas with spaces and echo the result # separate_list() { - local list + local list="$@" local part local newlist local firstpart @@ -173,7 +173,7 @@ separate_list() { # either 'startup_error' or 'fatal_error' depending on the command and # command phase # - case "$@" in + case "$list" in *,|,*|*,,*|*[[:space:]]*) [ -n "$terminator" ] && \ $terminator "Invalid comma-separated list \"$@\"" 
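Review bot: `while read networks protocol ports` in validate_blacklist reads without `-r`, so a backslash in a blacklist entry is interpreted rather than checked as written; `while read -r networks protocol ports; do` validates the literal file contents, and if the start-up path reads the same file the same way, both should change together so `check` and `start` agree. `local f=$(find_file blacklist)` also masks find_file's exit status behind `local`; split it into `local f` and `f=$(find_file blacklist)`. The `local disposition=$BLACKLIST_DISPOSITION` is never read in the body shown — it appears to reach add_blacklist_rule, which references `$disposition`, through process_blacklist_rec via the caller's scope — so a comment such as `# disposition is consumed by add_blacklist_rule, reached through process_blacklist_rec` would save the next reader a search.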
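Review bot: In the new ipsets block of initialize_netfilter, `ipset -U :all: :all:` is invoked directly while the following `-F`, `-X` and `-R` go through `run_ipset`, so a failure on that first line is handled differently from the other three; `run_ipset -U :all: :all:` keeps the error handling uniform. `f` is assigned without `local`; the function's start is outside the hunk, so it may already be declared there, but if not it clobbers any caller's `f`. Also `-F` and `-X` destroy every existing set before `-R` has read `$f`, so a restore that fails partway leaves the firewall running with sets that rules such as the blacklist depend on being empty or absent; that consequence deserves a comment, e.g. `# All existing sets are flushed and destroyed before the restore; a failed -R leaves them empty`, or a check of run_ipset's status before continuing.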
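Review bot: `local list="$@"` assigns the positional parameters to a scalar, which the shell only accepts by joining them the way `"$*"` does (ShellCheck SC2124); write `local list="$*"` so the join is the stated intent, since `case "$list" in` and the bracket parsing in the next hunk treat `list` as one string. The error message on the last line still interpolates `"$@"`; using `\"$list\"` there would keep the arm consistent with the new selector. separate_list continues past this hunk.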
@@ -184,10 +184,10 @@ separate_list() { # Where we need to embed comma-separated lists within lists, we enclose them # within square brackets # - firstpart=${@%%[*} - lastpart=${@#*[} - enclosure=${lastpart%]*} - lastpart=${lastpart#*]} + firstpart=${list%%\[*} + lastpart=${list#*\[} + enclosure=${lastpart%\]*} + lastpart=${lastpart#*\]} case $lastpart in \,*) echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})" diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index a3451ccb3..922d6d188 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -39,7 +39,7 @@ New Features in version 2.3.0 2) Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/). - In most places where an host or network address may be used, you may + In most places where a host or network address may be used, you may also use the name of an ipset prefaced by "+". Example: "+Mirrors" 
@@ -82,23 +82,15 @@ New Features in version 2.3.0 Shorewall can automatically manage the contents of your ipsets for you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf - then: - - A) "shorewall save" will save the contents of your ipsets. The file + then "shorewall save" will save the contents of your ipsets. The file where the sets are saved is formed by taking the name where the Shorewall configuration is stored and appending "-ipsets". So if you enter the command "shorewall save standard" then your Shorewall configuration will be saved in /var/lib/shorewall/standard and your ipset contents will be saved in /var/lib/shorewall/standard-ipsets. - B) During "shorewall [re]start", shorewall will restore the ipset - contents from the file specifed in RESTOREFILE - (shorewall.conf). Again "-ipsets" is appended so if you have - RESTOREFILE=standard in shorewall.conf then your ipset contents will - be restored from /var/lib/shorewall/standard-ipsets. - Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" - and "shorewall start" commands will restore the ipset contents + and "shorewall restore" commands will restore the ipset contents corresponding to the Shorewall configuration restored provided that the saved Shorewall configuration specified exists. 
@@ -107,6 +99,24 @@ New Features in version 2.3.0 /var/lib/shorewall/standard exists and is executable and that /var/lib/shorewall/standard-ipsets exists and is executable. + Also regardless of the setting of SAVE_IPSETS, the "shorewall forget" + command will purge the saved ipset information (if any) associated + with the saved shorewall configuration being removed. + + You can also associate ipset contents with Shorewall configuration + directories using the following command: + + ipset -S > /ipsets + + Example: + + ipset -S > /etc/shorewall/ipsets + + When you start or restart Shorewall (including using the 'try' + command) from the configuration directory, your ipsets will be + configured from the saved ipsets file. Once again, this behavior is + independent of the setting of SAVE_IPSETS. + Ipsets are well suited for large blacklists. You can maintain your blacklist using the 'ipset' utility without ever having to restart or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be @@ -115,8 +125,8 @@ New Features in version 2.3.0 Example /etc/shorewall/blacklist: #ADDRESS/SUBNET PROTOCOL PORT - +Blacklist[2] - +Blacklistnets[2] + +Blacklist[src,dst] + +Blacklistnets[src,dst] Create the blacklist ipsets using: diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index ea188fcc5..55aa0e8c5 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -1223,8 +1223,10 @@ case "$1" in chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" - case $SAVE_IPSETS in - [Yy]es) + rm -f ${RESTOREPATH}-ipsets + + case ${SAVE_IPSETS:-No} in + [Yy][Ee][Ss]) RESTOREPATH=${RESTOREPATH}-ipsets echo "#!/bin/sh" >> /var/lib/shorewall/restore-$$ echo "ipset -U :all: :all:" >> /var/lib/shorewall/restore-$$ 
@@ -1237,6 +1239,11 @@ case "$1" in chmod +x $RESTOREPATH echo " Current Ipset Contents Saved to $RESTOREPATH" ;; + [Nn][Oo]) + ; + *) + echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" + ;; esac else rm -f /var/lib/shorewall/restore-$$ @@ -1335,8 +1342,7 @@ case "$1" in RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - if [ -x $RESTOREPATH ]; then - + if [ -x $RESTOREPATH ]; then if [ -x ${RESTOREPATH}-ipsets ] ; then echo Restoring Ipsets... iptables -F
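Review bot: The new `[Nn][Oo])` arm is closed with a single `;`, which is not a valid case-arm terminator in sh or bash — a lone `;` directly after the pattern is a syntax error — so the whole `case ${SAVE_IPSETS:-No}` statement, and with it the `save` command, fails to parse; it should read `[Nn][Oo]) ;;`. The `case` itself opens in the preceding hunk, outside this one.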