Changes for 2.2.0 Beta 7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1803 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-12-04 23:37:19 +00:00
parent 884e405222
commit 594884732a
6 changed files with 121 additions and 64 deletions


@ -609,7 +609,7 @@ usage() # $1 = exit status
echo " restart [ <directory> ]" echo " restart [ <directory> ]"
echo " restore [ <file name> ]" echo " restore [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
echo " start [ <directory> ]" echo " start [ <directory> ]"
echo " stop" echo " stop"
echo " status" echo " status"
@ -913,6 +913,24 @@ case "$1" in
echo echo
show_classifiers show_classifiers
;; ;;
zones)
[ $# -gt 2 ] && usage 1
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ -f $STATEDIR/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone hosts; do
echo $zone
for host in $hosts; do
echo " $host"
done
done < $STATEDIR/zones
echo
else
echo " ERROR: $STATEDIR/zones does not exist" >&2
exit 1
fi
;;
*) *)
shift shift
@ -964,6 +982,10 @@ case "$1" in
echo "IP Configuration" echo "IP Configuration"
echo echo
ip addr ls ip addr ls
echo
echo "IP Stats"
echo
ip -stat link ls
if qt which brctl; then if qt which brctl; then
echo echo
@ -1143,6 +1165,8 @@ case "$1" in
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$ echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
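Review bot: The new `zones)` case reads `$STATEDIR/zones` with a bare `read`, so a backslash in a hosts entry would be interpreted, and `$zone`, `$STATEDIR` and the redirection target are left unquoted throughout the loop; since STATEDIR is an operator-supplied setting this should be `while read -r zone hosts; do`, `echo "$zone"` and `done < "$STATEDIR/zones"` (the `[ -f $STATEDIR/zones ]` test likewise). The `for host in $hosts` word-splitting is intentional, since the zones file is written one `$zone $source_hosts` line at a time in activate_rules, and can stay. The enclosing case statement starts and ends outside the hunk.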


@ -181,6 +181,17 @@ run_iptables2() {
} }
#
# Quietly run iptables
#
qt_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
qt $IPTABLES $@
}
# #
# Run ip and if an error occurs, stop the firewall and quit # Run ip and if an error occurs, stop the firewall and quit
# #
@ -1756,9 +1767,14 @@ setup_ipsec() {
set_mss1() # $1 = chain, $2 = MSS set_mss1() # $1 = chain, $2 = MSS
{ {
eval local policy=\$${1}_policy eval local policy=\$${1}_policy
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
ensurechain $1 if [ "$policy" != NONE ]; then
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2 case $COMMAND in
start|restart)
ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
;;
esac
fi fi
} }
# #
@ -2066,8 +2082,9 @@ setup_mac_lists() {
setup_syn_flood_chain () setup_syn_flood_chain ()
# $1 = policy chain # $1 = policy chain
# $2 = synparams # $2 = synparams
# $3 = loglevel
{ {
local chain=$1 local chain=@$1
local limit=$2 local limit=$2
local limit_burst= local limit_burst=
@ -2078,9 +2095,11 @@ setup_syn_flood_chain ()
;; ;;
esac esac
run_iptables -N @$chain run_iptables -N $chain
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
run_iptables -A @$chain -j DROP [ -n "$3" ] && \
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
run_iptables -A $chain -j DROP
} }
# #
@ -5465,21 +5484,20 @@ determine_capabilities() {
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
if qt $IPTABLES -N fooX1234 ; then qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
fi
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
fi fi
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
} }
report_capability() # $1 = Capability Name, $2 Capability Setting (if any) report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
@ -6106,7 +6124,7 @@ add_common_rules() {
run_iptables -A $(input_chain $interface) -j $chain run_iptables -A $(input_chain $interface) -j $chain
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
run_iptables -A OUTPUT -j $(dynamic_out $interface) run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done done
fi fi
@ -6126,7 +6144,7 @@ apply_policy_rules() {
eval loglevel=\$${chain}_loglevel eval loglevel=\$${chain}_loglevel
eval synparams=\$${chain}_synparams eval synparams=\$${chain}_synparams
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
if havechain $chain; then if havechain $chain; then
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
@ -6280,8 +6298,9 @@ activate_rules()
[ -n "$complex" ] && frwd_chain=${zone}_frwd [ -n "$complex" ] && frwd_chain=${zone}_frwd
echo $zone $source_hosts >> ${STATEDIR}/zones
if [ -n "$DYNAMIC_ZONES" ]; then if [ -n "$DYNAMIC_ZONES" ]; then
echo $zone $source_hosts >> ${STATEDIR}/zones
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
fi fi
@ -6541,9 +6560,28 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$aliases_to_add" ] && \ [ -n "$aliases_to_add" ] && \
echo "Adding IP Addresses..." && add_ip_aliases echo "Adding IP Addresses..." && add_ip_aliases
for file in chains nat proxyarp zones; do
append_file $file
done
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
> $RESTOREBASE
save_command "#"
save_command "# Restore tail file generated by Shorewall $version - $(date)"
save_command "#"
save_command "date > $STATEDIR/restarted"
run_user_exit start run_user_exit start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
createchain shorewall no createchain shorewall no
@ -6553,19 +6591,8 @@ define_firewall() # $1 = Command (Start or Restart)
rm -rf $TMP_DIR rm -rf $TMP_DIR
for file in chains nat proxyarp zones; do mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
append_file $file mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
done
save_command "date > $STATEDIR/restarted"
save_progress_message "Restoring Netfilter Configuration..."
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
} }
@ -6622,6 +6649,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
do_iptables() # $@ = command do_iptables() # $@ = command
{ {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2" startup_error "Can't add $1 to zone $2"
fi fi
@ -6630,7 +6660,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -6735,7 +6765,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6745,7 +6775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
@ -6754,7 +6784,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Add a rule to the dynamic out chain for the interface # Add a rule to the dynamic out chain for the interface
# #
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6763,7 +6793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
fi fi
done done
fi fi
@ -6809,7 +6839,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -6878,14 +6908,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Delete any nat table entries for the host(s) # Delete any nat table entries for the host(s)
# #
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat
# #
# Delete rules rules the input chains for the passed interface # Delete rules rules the input chains for the passed interface
# #
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6925,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
elif [ "$z2" = "$zone" ]; then elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then if [ "$z1" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6940,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
fi fi
done done
fi fi
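Review bot: The two `rm -f` lines added at the top of do_iptables (the `$TMP_DIR/physdev` and `$TMP_DIR/iprange` cleanup) are a copy of the ones this commit adds to qt_iptables, so the bridging/iprange state is now reset in two places that must be kept in sync. do_iptables differs from qt_iptables only in how failure is reported, so it could be reduced to `qt_iptables "$@" || startup_error "Can't add $1 to zone $2"` if losing iptables' own error text is acceptable, or the two cleanup lines could move into one small helper that both functions call. Note also that inside do_iptables `$1` and `$2` are the iptables arguments, not the interface and zone passed to add_to_zone, so the startup_error message is misleading; that predates this commit but is worth fixing alongside. add_to_zone starts and ends outside this hunk.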


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 2.1 -- /usr/share/shorewall/functions # Shorewall 2.2 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>' # Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and # rather than ${v:first:last} because light-weight shells like ash and
@ -73,9 +73,9 @@ qt()
# #
# Perform variable substitution on the passed argument and echo the result # Perform variable substitution on the passed argument and echo the result
# #
expand() # $1 = contents of variable which may be the name of another variable expand() # $@ = contents of variable which may be the name of another variable
{ {
eval echo \"$1\" eval echo \"$@\"
} }
# #
@ -459,7 +459,7 @@ read_file() # $1 = file name, $2 = nest count
while read first rest; do while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then if [ $2 -lt 4 ]; then
read_file $(find_file ${rest%#*}) $(($2 + 1)) read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi fi
@ -477,7 +477,7 @@ read_file() # $1 = file name, $2 = nest count
# Function for including one file into another # Function for including one file into another
# #
INCLUDE() { INCLUDE() {
. $(find_file $@) . $(find_file $(expand $@))
} }
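Review bot: expand() passes its arguments through eval, and both new callers hand it text taken from configuration files — the remainder of an INCLUDE line in read_file, and the INCLUDE function's arguments — so any shell syntax in that text (`$(...)`, backquotes, an unbalanced double quote) is executed rather than merely substituted. The included files are already sourced with `.`, so the trust level is unchanged, but the comment above expand() should state the contract: `# NOTE: the argument is evaluated by the shell (eval), so it must come from trusted configuration; only $VAR references are meant to be substituted.` read_file and INCLUDE start or end outside their hunks.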
# #


@ -29,11 +29,11 @@
case $1 in case $1 in
add) add)
echo "add: add <interface>[:<host>] <zone> echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's. Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone. (and bridge port/host if included) to the specified zone.
Example: Example:
@ -95,11 +95,11 @@ debug)
;; ;;
delete) delete)
echo "delete: delete <interface>[:<host>] <zone> echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's. Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and host if included) from the specified zone. interface (and bridge port/host if included) from the specified zone.
Example: Example:
@ -219,7 +219,7 @@ save)
;; ;;
show) show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos] echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s). shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v) (iptables -L chain -n -v)
@ -238,6 +238,8 @@ show)
shorewall show tc - displays information about the traffic shorewall show tc - displays information about the traffic
control/shaping configuration. control/shaping configuration.
shorewall show zones - displays the contents of all zones.
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;; ;;
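Review bot: The `add` help text is now inconsistent: its header line was changed to `add <interface>[:<bridge-port>][:<host>] <zone>`, but the example form on the line below still reads `shorewall add interface[:host] zone`, whereas the `delete` entry was updated to `interface[:port][:host]`. Change the add line to `shorewall add interface[:port][:host] zone - Adds the specified interface` so both entries describe the same syntax. The case statement continues outside the hunk.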


@ -1 +1 @@
2.2.0-Beta6 2.2.0-Beta7


@ -1635,7 +1635,7 @@ alias ipt_pkttype off</programlisting>
url="http://www.cityofshoreline.com">the city where I live</ulink>) and url="http://www.cityofshoreline.com">the city where I live</ulink>) and
<quote>Fire<emphasis>wall</emphasis></quote>. The full name of the <quote>Fire<emphasis>wall</emphasis></quote>. The full name of the
product is actually <quote>Shoreline Firewall</quote> but product is actually <quote>Shoreline Firewall</quote> but
<quote>Shorewall</quote> is must more commonly used.</para> <quote>Shorewall</quote> is much more commonly used.</para>
</section> </section>
<section id="faq23"> <section id="faq23">
@ -1740,8 +1740,9 @@ alias ipt_pkttype off</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Netfilter/iptables doesn't fully support IPSEC in the 2.6 <para>Netfilter/iptables doesn't fully support IPSEC in the 2.6
Kernels -- there are interim instructions linked from the <ulink Kernels -- kernel and iptables patches are available and the details
url="IPSEC.htm">Shorewall IPSEC page</ulink>.</para> may be found at the <ulink url="IPSEC-2.6.htm">Shorewall IPSEC-2.6
page</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>