Shorewall 2.0.3 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-06-12 16:39:54 +00:00
parent 1fc8ddbc82
commit 68571cbbdc
9 changed files with 360 additions and 129 deletions


@ -258,6 +258,24 @@ MODULESDIR=
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
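Review bot: The RESTOREFILE description says the value must name an executable file in /var/lib/shorewall but leaves out the two constraints the shorewall script in this same commit enforces: the name may not contain a `/` (validate_restorefile exits with status 2), and `save` and `restore-base` are rejected by `shorewall save` as reserved names. A user who sets `RESTOREFILE=save` here only finds out at save time. Suggested comment after the sentence ending in "assumed.": `# The name may not contain a '/' and may not be 'save' or 'restore-base'; those names are reserved.`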


@ -76,14 +76,17 @@
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and
# shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will
# be automatically reinstated the
# next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget Discard the data saved by 'shorewall save'
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
#
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
fi
}
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
#
# Set the configuration variables from shorewall.conf
#
@ -160,11 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
}
#
@ -535,7 +557,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..."
@ -543,7 +565,7 @@ usage() # $1 = exit status
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " forget"
echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -554,8 +576,8 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " restore"
echo " save"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
@ -735,11 +757,14 @@ case "$1" in
[ $# -ne 1 ] && usage 1
get_config
if [ -n "$FAST" ]; then
if [ -f /var/lib/shorewall/restore ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
$RESTOREPATH
date > $STATEDIR/restarted
echo Shorewall restored
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
@ -963,28 +988,57 @@ case "$1" in
;;
save)
[ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo EOF >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
chmod +x /var/lib/shorewall/restore
echo " Currently-running Configuration Saved"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
fi
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
echo "Error Saving the Dynamic Rules"
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: save"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
@ -992,9 +1046,28 @@ case "$1" in
mutex_off
;;
forget)
rm -f /var/lib/shorewall/restore
rm -f /var/lib/shorewall/save
echo " Previously saved information discarded"
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH is not a restore script"
fi
;;
ipcalc)
[ -n "$debugging" ] && set -x
@ -1032,12 +1105,26 @@ case "$1" in
esac
;;
restore)
if [ -f /var/lib/shorewall/restore ]; then
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else
echo "File /var/lib/shorewall/restore: file not found"
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2
fi
;;
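Review bot: validate_restorefile rejects only names containing `/`, so `.` and `..` pass and `RESTOREPATH=/var/lib/shorewall/..` satisfies the `-x` tests in the `-f start`, `forget` and `restore` branches because a directory is executable; with that value `save` moves the generated script into /var/lib under the name restore-$$ rather than writing a restore file. The case should also reject `.`, `..` and the empty string (an empty `$2` also slips past get_config's default), and the run and remove paths should require a regular file: `if [ -f "$RESTOREPATH" -a -x "$RESTOREPATH" ]; then`. Every test of `$RESTOREPATH` in these branches is unquoted, so a name with spaces breaks `[` instead of being rejected. The reserved-name message in `save` prints the literal `save` whichever pattern matched; `echo " ERROR: Reserved file name: $RESTOREFILE"` reports the actual value.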


@ -10,6 +10,6 @@ RejectAuth
dropBcast
DropSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,6 +10,6 @@ RejectAuth
dropBcast
RejectSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,6 +6,13 @@
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
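Review bot: The builtin names documented in this header do not match the builtin list the firewall script installs in the same commit, which is `dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn`, with dropNonSyn now emitting a warning that it has been replaced by dropNotSyn. The comment instead documents `dropNonSyn`, `rejNonSyn`, `logNonSyn`, `dLogNonSyn` and `rLogNonSyn`; a user copying `rejNonSyn` from here would not match any builtin arm of process_actions2 and would presumably fall through to the `action.$xaction` file lookup. The five lines should name `dropNotSyn`, `rejNotSyn`, `logNotSyn`, `dLogNotSyn` and `rLogNotSyn`, e.g. `# dropNotSyn #Silently Drop Non-syn TCP packets`, and the sentence about "The NonSyn logging builtins" should say NotSyn to match.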


@ -51,11 +51,6 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
}
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Message to stderr
#
@ -108,6 +103,17 @@ save_command()
echo "$@" >> /var/lib/shorewall/restore-$$
}
#
# Write a progress_message command to /var/lib/shorewall/restore-$$
#
save_progress_message()
{
echo >> /var/lib/shorewall/restore-$$
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
echo >> /var/lib/shorewall/restore-$$
}
#
# Save the passed command in the restore script then run it -- returns the status of the command
# If the command involves file redirection then it must be enclosed in quotes as in:
@ -133,12 +139,13 @@ ensure_and_save_command()
}
#
# Append a file to /var/lib/shorewall/restore-$$
# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
#
append_file() {
save_command "cat > $STATEDIR/$1 << EOF"
append_file() # $1 = File Name
{
save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command EOF
save_command __EOF__
}
#
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"
list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else
echo -i $1
fi
@ -585,12 +592,17 @@ match_source_dev()
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1"
list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else
echo -o $1
fi
}
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
#
#
# Find hosts in a given zone
@ -765,7 +777,7 @@ validate_interfaces_file() {
if [ -z "$found_obsolete_option" ]; then
found_obsolete_option=yes
error_message \
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
"WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
error_message \
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
sleep 5
@ -798,6 +810,13 @@ validate_interfaces_file() {
validate_hosts_file() {
local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do
expandv z hosts options
r="$z $hosts $options"
@ -820,17 +839,14 @@ validate_hosts_file() {
*:*)
known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
check_bridge_port ${host%%:*}
;;
*.*.*.*)
;;
*)
known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host"
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
check_bridge_port $host
;;
esac
@ -855,6 +871,8 @@ validate_hosts_file() {
fi
done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
}
#
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
#
setup_forwarding() {
save_progress_message "Restoring IP Forwarding..."
case "$IP_FORWARDING" in
[Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1219,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then
if qt which ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1226,10 +1248,15 @@ stop_firewall() {
;;
*)
set +x
if [ -f /var/lib/shorewall/restore ]; then
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
$RESTOREPATH
echo "Shorewall restored from $RESTOREPATH"
my_mutex_off
kill $$
exit 2
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp
save_progress_message "Restoring Proxy ARP..."
while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent
setup_one_proxy_arp
@ -1840,6 +1869,8 @@ setup_nat() {
#
> ${STATEDIR}/nat
save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
@ -1995,10 +2026,8 @@ process_tc_rule()
chain=tcout
;;
*)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
esac
@ -2023,7 +2052,11 @@ process_tc_rule()
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2095,6 +2128,8 @@ setup_tc1() {
run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart
save_progress_message "Restoring Traffic Control..."
save_command . $(find_file tcstart)
}
@ -2118,6 +2153,8 @@ delete_tc()
}
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear
run_ip link list | \
@ -2144,6 +2181,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
}
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() {
if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then
@ -2157,6 +2202,7 @@ process_accounting_rule() {
case $source in
*:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;;
*.*.*.*)
@ -2165,12 +2211,16 @@ process_accounting_rule() {
-|all|any)
;;
*)
[ -n "$source" ] && rule="$(match_source_dev $source)"
if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;;
esac
[ -n "$dest" ] && case $dest in
*:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;;
*.*.*.*)
@ -2179,6 +2229,7 @@ process_accounting_rule() {
-|all|any)
;;
*)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)"
;;
esac
@ -2233,8 +2284,8 @@ process_accounting_rule() {
ensurechain1 $chain
if iptables -A $chain $rule ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
if iptables -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else
accounting_error
@ -2409,6 +2460,16 @@ add_an_action()
fi
}
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -2417,6 +2478,7 @@ add_an_action()
-)
;;
*:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
@ -2426,7 +2488,10 @@ add_an_action()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="$(match_source_dev $client)"
if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;;
esac
@ -2445,7 +2510,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;;
esac
@ -2496,9 +2564,8 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
[ "$logtarget" = LOG ] || \
run_iptables2 -A $action $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
run_iptables2 -A $action $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
done
done
else
@ -2507,9 +2574,8 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli $dports)
fi
[ "$logtarget" = LOG ] || \
run_iptables2 -A $action $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
run_iptables2 -A $action $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
fi
fi
}
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
#
process_actions1() {
#
# Add the builtin actions
#
add_builtin_actions() {
if [ "$COMMAND" != check ]; then
createchain dropBcast no
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
createchain dropNonSyn no
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
fi
ACTIONS="dropBcast dropNonSyn"
USEDACTIONS="dropBcast dropNonSyn"
}
add_builtin_actions
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
USEDACTIONS=
strip_file actions
@ -2821,6 +2863,10 @@ process_actions2() {
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
}
log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
}
#
# Generate the transitive closure of $USEDACTIONS
#
@ -2844,7 +2890,38 @@ process_actions2() {
#
for xaction in $USEDACTIONS; do
case $xaction in
dropNonSyn|dropBcast)
dropBcast)
if [ "$COMMAND" != check ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
fi
;;
dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
;;
dropNotSyn)
[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
;;
rejNotSyn)
[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
;;
logNotSyn)
log_action logNotSyn LOG
;;
rLogNotSyn)
log_action rLogNotSyn REJECT
;;
dLogNotSyn)
log_action dLogNotSyn DROP
;;
*)
f=action.$xaction
@ -3091,6 +3168,16 @@ add_a_rule()
fi
}
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -3099,6 +3186,7 @@ add_a_rule()
-)
;;
*:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
@ -3108,7 +3196,10 @@ add_a_rule()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="$(match_source_dev $client)"
if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;;
esac
@ -3128,7 +3219,8 @@ add_a_rule()
;;
*)
if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget"
[ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;;
@ -3708,6 +3800,11 @@ process_tos_rule() {
#
# Assume that this is a device name
#
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)"
;;
esac
@ -4285,7 +4382,7 @@ setup_masq()
strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports
@ -4507,6 +4604,8 @@ add_ip_aliases()
set -- $aliases_to_add
save_progress_message "Restoring IP Addresses..."
while [ $# -gt 0 ]; do
external=$1
interface=$2
@ -4529,7 +4628,7 @@ add_ip_aliases()
#
load_kernel_modules()
{
local save_modules_dir=$MODULESDIR
save_modules_dir=$MODULESDIR
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@ -4537,7 +4636,7 @@ load_kernel_modules()
modules=$(find_file modules)
if [ -f $modules -a -d $MODULESDIR ]; then
echo "Loading Modules..."
progress_message "Loading Modules..."
. $modules
fi
@ -4547,12 +4646,10 @@ load_kernel_modules()
save_load_kernel_modules()
{
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
modules=$(find_file modules)
save_command "reload_kernel_modules <<EOF"
save_progress_message "Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__"
while read command; do
case "$command" in
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
esac
done < $modules
save_command EOF
save_command __EOF__
}
@ -4721,7 +4818,7 @@ initialize_netfilter () {
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN
run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
done
run_user_exit newnotsyn
@ -5028,6 +5125,8 @@ add_common_rules() {
#
# ARP Filtering
#
save_progress_message "Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f"
done
@ -5055,6 +5154,8 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..."
save_progress_message "Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f"
done
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
save_command "#"
save_command "# Restore base file generated by Shorewall $version - $(date)"
save_command "#"
save_command ". /usr/share/shorewall/functions"
save_command "MODULESDIR=\"$MODULESDIR\""
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted"
save_command 'iptables-restore << EOF'
save_progress_message "Restoring Netfilter Configuration..."
# 'shorewall save' appends the iptables-save output and 'EOF'
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
@ -5948,10 +6054,10 @@ do_initialize() {
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules so that capabilities can be
# accurately detected when kernel module autoloading is not
# enabled.
# We load the kernel modules here to acurately determine
# capabilities when module autoloading isn't enabled.
#
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
load_kernel_modules
determine_capabilities
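Review bot: verify_interface, added after match_dest_dev, tests `[ -n $BRIDGING ]` unquoted, so when BRIDGING is empty the test collapses to `[ -n ]`, which is true, and the function accepts any name in $all_ports even with bridging off; match_source_dev and match_dest_dev in the same hunk quote the same variable correctly. It should read `known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }`, and since every new *_interface_verify helper and process_tos_rule now route through it, the quoting decides whether unknown interfaces are caught. Separately, the `rejNotSyn)` arm in process_actions2 appends to chain `rejectNotSyn` while every other builtin arm uses the action name as the chain, so `run_iptables -A rejectNotSyn` looks like it should be `run_iptables -A rejNotSyn`. The restore scripts are now executed directly (`$RESTOREPATH` in stop_firewall and the shorewall CLI) rather than sourced, yet the first line define_firewall writes is `#bin/sh` with no `!`, so execution only succeeds through the shell's fallback for non-executable-format files; `echo '#!/bin/sh'` would make it a proper script.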


@ -33,6 +33,14 @@ list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
#


@ -117,9 +117,9 @@ drop)
;;
forget)
echo "forget: forget
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
files are created by the 'shorewall save' command
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
@ -194,18 +194,22 @@ restart)
;;
restore)
echo "restore: restore
Restore Shorewall to its last state saved using the 'save' command
Existing connections are maintained.
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
and 'shorewall -f start' commands.
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
@ -240,8 +244,9 @@ start)
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
If \"-f\" is specified, the last saved configuraton if any will be restored"
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;;
stop)
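Review bot: The new restore help text embeds unescaped double quotes, `created using "shorewall save";`, inside the double-quoted string opened by `echo "restore: restore [ <file name> ]`, so the quotes close and reopen the string; the shell still runs it, but the printed help loses the quotes and `shorewall` becomes a separate echo argument with doubled spaces around it. The neighbouring text escapes them as `\"help save\"`, so the line should read `/var/lib/shorewall created using \"shorewall save\"; if no <file name> is given`.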


@ -1 +1 @@
2.0.2f
2.0.3-Beta1