forked from extern/shorewall_code
Shorewall 2.2.0 Beta 1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1714 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
30bf899901
commit
6b28b09037
@ -47,9 +47,12 @@
|
|||||||
# Format the same as the SOURCE column.
|
# Format the same as the SOURCE column.
|
||||||
#
|
#
|
||||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||||
# number.
|
# number, or "ipp2p"
|
||||||
#
|
#
|
||||||
# DEST PORT Destination Port number
|
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
|
||||||
|
# this column must contain an ipp2p option ("iptables -m
|
||||||
|
# ipp2p --help") without the leading "--". If no option
|
||||||
|
# is given in this column, "ipp2p" is assumed.
|
||||||
#
|
#
|
||||||
# Service name from /etc/services or port number. May
|
# Service name from /etc/services or port number. May
|
||||||
# only be specified if the protocol is TCP or UDP (6
|
# only be specified if the protocol is TCP or UDP (6
|
||||||
|
@ -24,7 +24,9 @@
|
|||||||
# spi=<number> where <number> is the SPI of
|
# spi=<number> where <number> is the SPI of
|
||||||
# the SA used to encrypt/decrypt packets.
|
# the SA used to encrypt/decrypt packets.
|
||||||
#
|
#
|
||||||
# proto=ah|esp|ipcomp
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mss=<number> (sets the MSS field in TCP packets)
|
||||||
#
|
#
|
||||||
# mode=transport|tunnel
|
# mode=transport|tunnel
|
||||||
#
|
#
|
||||||
@ -49,7 +51,7 @@
|
|||||||
#
|
#
|
||||||
# If you wish to leave a column empty but need to make an entry
|
# If you wish to leave a column empty but need to make an entry
|
||||||
# in a following column, use "-".
|
# in a following column, use "-".
|
||||||
################################################################################
|
###################################################################################
|
||||||
#ZONE IPSEC OPTIONS IN OUT
|
#ZONE IPSEC OPTIONS IN OUT
|
||||||
# ONLY OPTIONS OPTIONS
|
# ONLY OPTIONS OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -130,6 +130,18 @@ LOGTAGONLY=No
|
|||||||
LOGRATE=
|
LOGRATE=
|
||||||
LOGBURST=
|
LOGBURST=
|
||||||
|
|
||||||
|
#
|
||||||
|
# LOG ALL NEW
|
||||||
|
#
|
||||||
|
# This option should only be used when you are trying to analyze a problem.
|
||||||
|
# It causes all packets in the Netfilter NEW state to be logged as the
|
||||||
|
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
||||||
|
# the log level that you want these packets logged at (e.g.,
|
||||||
|
# LOGALLNEW=debug).
|
||||||
|
#
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
#
|
#
|
||||||
# BLACKLIST LOG LEVEL
|
# BLACKLIST LOG LEVEL
|
||||||
#
|
#
|
||||||
|
@ -29,6 +29,22 @@
|
|||||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||||
# /etc/shorewall/shorewall.conf.
|
# /etc/shorewall/shorewall.conf.
|
||||||
#
|
#
|
||||||
|
# If your kernel and iptables include CONNMARK support
|
||||||
|
# then you can also mark the connection rather than
|
||||||
|
# the packet.
|
||||||
|
#
|
||||||
|
# The mark value may be optionally followed by "/"
|
||||||
|
# and a mask value (used to determine those bits of
|
||||||
|
# the connection mark to actually be set). The
|
||||||
|
# mark and optional mask are then followed by one of:
|
||||||
|
#
|
||||||
|
# C - Mark the connection in the chain determined
|
||||||
|
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||||
|
#
|
||||||
|
# CF: Mark the conneciton in the FORWARD chain
|
||||||
|
#
|
||||||
|
# CP: Mark the connection in the PREROUTING chain.
|
||||||
|
#
|
||||||
# b) A classification of the form <major>:<minor> where
|
# b) A classification of the form <major>:<minor> where
|
||||||
# <major> and <minor> are integers. Corresponds to
|
# <major> and <minor> are integers. Corresponds to
|
||||||
# the 'class' specification in these traffic shaping
|
# the 'class' specification in these traffic shaping
|
||||||
@ -41,7 +57,21 @@
|
|||||||
# - htb
|
# - htb
|
||||||
# - prio
|
# - prio
|
||||||
#
|
#
|
||||||
# Marking always occurs in the POSTROUTING chain.
|
# Classify always occurs in the POSTROUTING chain.
|
||||||
|
#
|
||||||
|
# c) RESTORE[/mask] -- restore the packet's mark from the
|
||||||
|
# connection's mark using the supplied mask if any.
|
||||||
|
# Your kernel and iptables must include CONNMARK support.
|
||||||
|
# As in a) above, may be followed by ":P" or ":F
|
||||||
|
#
|
||||||
|
# c) SAVE[/mask] -- save the packet's mark to the
|
||||||
|
# connection's mark using the supplied mask if any.
|
||||||
|
# Your kernel and iptables must include CONNMARK support.
|
||||||
|
# As in a) above, may be followed by ":P" or ":F
|
||||||
|
#
|
||||||
|
# d) CONTINUE -- don't process any more marking rules in
|
||||||
|
# the table. As in a) above, may be followed by ":P" or
|
||||||
|
# ":F".
|
||||||
#
|
#
|
||||||
# SOURCE Source of the packet. A comma-separated list of
|
# SOURCE Source of the packet. A comma-separated list of
|
||||||
# interface names, IP addresses, MAC addresses
|
# interface names, IP addresses, MAC addresses
|
||||||
@ -62,14 +92,20 @@
|
|||||||
# iptables include iprange match support, IP address
|
# iptables include iprange match support, IP address
|
||||||
# ranges are also allowed.
|
# ranges are also allowed.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
# or "all".
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
#
|
#
|
||||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example "bit"
|
||||||
|
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
# entered if any of the following field is supplied.
|
# entered if any of the following field is supplied.
|
||||||
# In that case, it is suggested that this field contain
|
# In that case, it is suggested that this field contain
|
||||||
@ -92,9 +128,21 @@
|
|||||||
# [<user name or number>]:[<group name or number>]
|
# [<user name or number>]:[<group name or number>]
|
||||||
#
|
#
|
||||||
# The colon is optionnal when specifying only a user.
|
# The colon is optionnal when specifying only a user.
|
||||||
# Examples : john: / john / :users / john:users
|
# Examples : john: / john / :users / john:users
|
||||||
#
|
#
|
||||||
|
# TEST Defines a test on the existing packet or connection mark.
|
||||||
|
# The rule will match only if the test returns true. Tests
|
||||||
|
# have the format [!]<value>[/<mask>][:C]
|
||||||
|
#
|
||||||
|
# Where:
|
||||||
|
#
|
||||||
|
# ! Inverts the test (not equal)
|
||||||
|
# <value> Value of the packet or connection mark.
|
||||||
|
# <mask> A mask to be applied to the mark before
|
||||||
|
# testing
|
||||||
|
# :C Designates a connection mark. If omitted,
|
||||||
|
# the packet mark's value is tested.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -765,6 +765,17 @@ find_hosts() # $1 = host zone
|
|||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Check for duplicate zone definitions
|
||||||
|
#
|
||||||
|
check_duplicate_zones() {
|
||||||
|
local localzones=
|
||||||
|
|
||||||
|
for zone in $zones; do
|
||||||
|
list_search $zone $localzones && startup_error "Zone $zone is defined more than once"
|
||||||
|
localzones="$localzones $zone"
|
||||||
|
done
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Determine the interfaces on the firewall
|
# Determine the interfaces on the firewall
|
||||||
#
|
#
|
||||||
@ -1241,7 +1252,7 @@ run_user_exit() # $1 = file name
|
|||||||
#
|
#
|
||||||
# Add a logging rule.
|
# Add a logging rule.
|
||||||
#
|
#
|
||||||
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule
|
log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||||
{
|
{
|
||||||
local level=$1
|
local level=$1
|
||||||
local chain=$2
|
local chain=$2
|
||||||
@ -1250,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
|||||||
local rulenum=
|
local rulenum=
|
||||||
local limit="${5:-$LOGLIMIT}"
|
local limit="${5:-$LOGLIMIT}"
|
||||||
local tag=${6:+$6 }
|
local tag=${6:+$6 }
|
||||||
|
local command=${7:--A}
|
||||||
local prefix
|
local prefix
|
||||||
local base=$(chain_base $displayChain)
|
local base=$(chain_base $displayChain)
|
||||||
|
|
||||||
shift;shift;shift;shift;shift
|
shift;shift;shift;shift;shift;shift;shift
|
||||||
|
|
||||||
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
|
if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
|
||||||
displayChain=$tag
|
displayChain=$tag
|
||||||
@ -1280,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
|||||||
|
|
||||||
case $level in
|
case $level in
|
||||||
ULOG)
|
ULOG)
|
||||||
iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1300,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
|||||||
|
|
||||||
shift;shift;shift
|
shift;shift;shift
|
||||||
|
|
||||||
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@
|
log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1733,32 +1745,71 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
done < $TMP_DIR/tunnels
|
done < $TMP_DIR/tunnels
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Process the ipsec file
|
||||||
|
#
|
||||||
setup_ipsec() {
|
setup_ipsec() {
|
||||||
|
#
|
||||||
|
# Add a --set-mss rule to the passed chain
|
||||||
|
#
|
||||||
|
set_mss1() # $1 = chain, $2 = MSS
|
||||||
|
{
|
||||||
|
eval local policy=\$${1}_policy
|
||||||
|
if [ "$policy" != NONE ]; then
|
||||||
|
ensurechain $1
|
||||||
|
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
#
|
||||||
|
# Set up rules to set MSS to and/or from zone "$zone"
|
||||||
|
#
|
||||||
|
set_mss() # $1 = MSS value, $2 = _in, _out or ""
|
||||||
|
{
|
||||||
|
if [ $COMMAND != check ]; then
|
||||||
|
for z in $zones; do
|
||||||
|
case $2 in
|
||||||
|
_in)
|
||||||
|
set_mss1 ${zone}2${z} $1
|
||||||
|
;;
|
||||||
|
_out)
|
||||||
|
set_mss1 ${z}2${zone} $1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set_mss1 ${z}2${zone} $1
|
||||||
|
set_mss1 ${zone}2${z} $1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||||
{
|
{
|
||||||
local option opts newoptions=
|
local option opts newoptions= val
|
||||||
|
|
||||||
[ x${2} = x- ] && return
|
[ x${2} = x- ] && return
|
||||||
|
|
||||||
opts=$(separate_list $2)
|
opts=$(separate_list $2)
|
||||||
|
|
||||||
for option in $opts; do
|
for option in $opts; do
|
||||||
|
val=${option#*=}
|
||||||
|
|
||||||
case $option in
|
case $option in
|
||||||
|
mss=[0-9]*) set_mss $val $1 ;;
|
||||||
strict) newoptions="$newoptions --strict" ;;
|
strict) newoptions="$newoptions --strict" ;;
|
||||||
next) newoptions="$newoptions --next" ;;
|
next) newoptions="$newoptions --next" ;;
|
||||||
reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
|
reqid=*) newoptions="$newoptions --reqid $val" ;;
|
||||||
spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
|
spi=*) newoptions="$newoptions --spi $val" ;;
|
||||||
proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
|
proto=*) newoptions="$newoptions --proto $val" ;;
|
||||||
mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
|
mode=*) newoptions="$newoptions --mode $val" ;;
|
||||||
tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
|
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
|
||||||
tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
|
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
|
||||||
reqid!=*) newoptions="$newoptions ! --reqid ${option#*=}" ;;
|
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
|
||||||
spi!=*) newoptions="$newoptions ! --spi ${option#*=}" ;;
|
spi!=*) newoptions="$newoptions ! --spi $val" ;;
|
||||||
proto!=*) newoptions="$newoptions ! --proto ${option#*=}" ;;
|
proto!=*) newoptions="$newoptions ! --proto $val" ;;
|
||||||
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
|
mode!=*) newoptions="$newoptions ! --mode $val" ;;
|
||||||
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
|
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
|
||||||
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
|
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
|
||||||
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
@ -1771,8 +1822,8 @@ setup_ipsec() {
|
|||||||
|
|
||||||
strip_file ipsec $1
|
strip_file ipsec $1
|
||||||
|
|
||||||
while read zone ipsec options in_options out_options; do
|
while read zone ipsec options in_options out_options mss; do
|
||||||
expandv zone ipsec options in_options out_options
|
expandv zone ipsec options in_options out_options mss
|
||||||
|
|
||||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||||
|
|
||||||
@ -1793,7 +1844,7 @@ setup_ipsec() {
|
|||||||
do_options "" $options
|
do_options "" $options
|
||||||
do_options "_in" $in_options
|
do_options "_in" $in_options
|
||||||
do_options "_out" $out_options
|
do_options "_out" $out_options
|
||||||
|
|
||||||
done < $TMP_DIR/ipsec
|
done < $TMP_DIR/ipsec
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2242,7 +2293,7 @@ setup_ecn() # $1 = file name
|
|||||||
#
|
#
|
||||||
process_tc_rule()
|
process_tc_rule()
|
||||||
{
|
{
|
||||||
chain=$MARKING_CHAIN
|
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
|
||||||
|
|
||||||
verify_designator() {
|
verify_designator() {
|
||||||
[ "$chain" = tcout ] && \
|
[ "$chain" = tcout ] && \
|
||||||
@ -2292,11 +2343,20 @@ process_tc_rule()
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
|
||||||
|
|
||||||
[ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
|
[ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
|
||||||
[ "x$proto" = "x-" ] && proto=all
|
|
||||||
[ "x$proto" = "x" ] && proto=all
|
if [ "x$proto" = xipp2p ]; then
|
||||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
[ "x$port" = "x-" ] && port="ipp2p"
|
||||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
r="${r}-p tcp -m ipp2p --${port} "
|
||||||
|
else
|
||||||
|
[ "x$proto" = "x-" ] && proto=all
|
||||||
|
[ "x$proto" = "x" ] && proto=all
|
||||||
|
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||||
|
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||||
|
fi
|
||||||
|
|
||||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||||
|
|
||||||
case $chain in
|
case $chain in
|
||||||
@ -2304,7 +2364,7 @@ process_tc_rule()
|
|||||||
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
|
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
|
run_iptables2 -t mangle -A $chain $r -j $target $mark
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -2315,16 +2375,71 @@ process_tc_rule()
|
|||||||
p|P)
|
p|P)
|
||||||
verify_designator tcpre
|
verify_designator tcpre
|
||||||
;;
|
;;
|
||||||
|
cp|CP)
|
||||||
|
verify_designator tcpre
|
||||||
|
target="CONNMARK --set-mark"
|
||||||
|
;;
|
||||||
f|F)
|
f|F)
|
||||||
verify_designator tcfor
|
verify_designator tcfor
|
||||||
;;
|
;;
|
||||||
|
cf|CF)
|
||||||
|
verify_designator tcfor
|
||||||
|
target="CONNMARK --set-mark"
|
||||||
|
;;
|
||||||
|
c|C)
|
||||||
|
target="CONNMARK --set-mark"
|
||||||
|
mark=${mark%:*}
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
chain=tcpost
|
chain=tcpost
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
case $mark in
|
||||||
|
SAVE)
|
||||||
|
target="CONNMARK --save-mark"
|
||||||
|
mark=
|
||||||
|
;;
|
||||||
|
SAVE/*)
|
||||||
|
target="CONNMARK --save-mark --mask"
|
||||||
|
mark=${mark#*/}
|
||||||
|
;;
|
||||||
|
RESTORE)
|
||||||
|
target="CONNMARK --restore-mark"
|
||||||
|
mark=
|
||||||
|
;;
|
||||||
|
RESTORE/*)
|
||||||
|
target="CONNMARK --restore-mark --mask"
|
||||||
|
mark=${mark#*/}
|
||||||
|
;;
|
||||||
|
CONTINUE)
|
||||||
|
target=RETURN
|
||||||
|
mark=
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
case $testval in
|
||||||
|
-)
|
||||||
|
;;
|
||||||
|
!*:C)
|
||||||
|
marktest="connmark ! "
|
||||||
|
testval=${testval%:*}
|
||||||
|
testval=${testval#!}
|
||||||
|
;;
|
||||||
|
*:C)
|
||||||
|
marktest="connmark "
|
||||||
|
testval=${testval%:*}
|
||||||
|
;;
|
||||||
|
!*)
|
||||||
|
marktest="mark ! "
|
||||||
|
testval=${testval#!}
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
[ -n "$testval" ] && marktest="mark "
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
for source in $(separate_list ${sources:=-}); do
|
for source in $(separate_list ${sources:=-}); do
|
||||||
for dest in $(separate_list ${dests:=-}); do
|
for dest in $(separate_list ${dests:=-}); do
|
||||||
for port in $(separate_list ${ports:=-}); do
|
for port in $(separate_list ${ports:=-}); do
|
||||||
@ -2355,9 +2470,9 @@ setup_tc1() {
|
|||||||
#
|
#
|
||||||
strip_file tcrules
|
strip_file tcrules
|
||||||
|
|
||||||
while read mark sources dests proto ports sports user; do
|
while read mark sources dests proto ports sports user testval; do
|
||||||
expandv mark sources dests proto ports sports user
|
expandv mark sources dests proto ports sports user testval
|
||||||
rule=$(echo "$mark $sources $dests $proto $ports $sports $user")
|
rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
|
||||||
process_tc_rule
|
process_tc_rule
|
||||||
done < $TMP_DIR/tcrules
|
done < $TMP_DIR/tcrules
|
||||||
#
|
#
|
||||||
@ -2506,6 +2621,10 @@ process_accounting_rule() {
|
|||||||
[ -n "$proto" ] && case $proto in
|
[ -n "$proto" ] && case $proto in
|
||||||
-|any|all)
|
-|any|all)
|
||||||
;;
|
;;
|
||||||
|
ipp2p)
|
||||||
|
rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
|
||||||
|
port=
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
rule="$rule -p $proto"
|
rule="$rule -p $proto"
|
||||||
;;
|
;;
|
||||||
@ -2631,6 +2750,7 @@ check_config() {
|
|||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
|
check_dupliate_zones
|
||||||
|
|
||||||
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
|
[ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
|
||||||
|
|
||||||
@ -2859,7 +2979,7 @@ add_an_action()
|
|||||||
for serv1 in $(separate_list $serv); do
|
for serv1 in $(separate_list $serv); do
|
||||||
for srv in $(firewall_ip_range $serv1); do
|
for srv in $(firewall_ip_range $serv1); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
|
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
|
$(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2869,7 +2989,7 @@ add_an_action()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
|
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3379,8 +3499,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3394,7 +3514,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address
|
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3411,8 +3531,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3426,7 +3546,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
|
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3440,28 +3560,28 @@ process_actions3() {
|
|||||||
|
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropNotSyn)
|
dropNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
rejNotSyn)
|
rejNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropInvalid)
|
dropInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -3612,7 +3732,7 @@ add_nat_rule() {
|
|||||||
else
|
else
|
||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
|
log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \
|
||||||
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
|
$(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3643,7 +3763,7 @@ add_nat_rule() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
||||||
@ -3651,7 +3771,7 @@ add_nat_rule() {
|
|||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
ensurenatchain $chain
|
ensurenatchain $chain
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
|
||||||
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
|
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3806,6 +3926,12 @@ add_a_rule()
|
|||||||
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
||||||
proto=
|
proto=
|
||||||
;;
|
;;
|
||||||
|
ipp2p)
|
||||||
|
sport="-m ipp2p --${port:-ipp2p}"
|
||||||
|
port=
|
||||||
|
proto=tcp
|
||||||
|
do_ports
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$port" ] && \
|
[ -n "$port" ] && \
|
||||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||||
@ -3858,7 +3984,7 @@ add_a_rule()
|
|||||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||||
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3867,7 +3993,7 @@ add_a_rule()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3883,7 +4009,7 @@ add_a_rule()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3907,7 +4033,7 @@ add_a_rule()
|
|||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
|
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -4823,12 +4949,12 @@ setup_masq()
|
|||||||
|
|
||||||
source="$networks"
|
source="$networks"
|
||||||
|
|
||||||
case $networks in
|
case $source in
|
||||||
*.*.*)
|
*.*.*)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
networks=$(get_routed_networks $networks)
|
networks=$(get_routed_networks $networks)
|
||||||
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface $networks"
|
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
|
||||||
networks="$networks"
|
networks="$networks"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -5387,6 +5513,7 @@ initialize_netfilter () {
|
|||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
|
check_duplicate_zones
|
||||||
|
|
||||||
[ -z "$zones" ] && startup_error "No Zones Defined"
|
[ -z "$zones" ] && startup_error "No Zones Defined"
|
||||||
|
|
||||||
@ -6083,6 +6210,7 @@ activate_rules()
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add jumps to early SNAT chains
|
# Add jumps to early SNAT chains
|
||||||
#
|
#
|
||||||
@ -6112,19 +6240,20 @@ activate_rules()
|
|||||||
# Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
|
# Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
|
||||||
#
|
#
|
||||||
for zone in $zones; do
|
for zone in $zones; do
|
||||||
if eval test -n \$${zone}_is_complex ; then
|
if eval test -n \"\$${zone}_is_complex\" ; then
|
||||||
frwd_chain=${zone}_frwd
|
frwd_chain=${zone}_frwd
|
||||||
createchain $frwd_chain No
|
createchain $frwd_chain No
|
||||||
|
|
||||||
if [ -n "$POLICY_MATCH" ]; then
|
if [ -n "$POLICY_MATCH" ]; then
|
||||||
eval source_hosts=\$${zone}_hosts
|
eval is_ipsec=\$${zone}_is_ipsec
|
||||||
|
|
||||||
|
[ -n "$is_ipsec" ] && eval source_hosts=\$${zone}_hosts || eval source_hosts=\$${zone}_ipsec_hosts
|
||||||
|
|
||||||
for host in $source_hosts; do
|
for host in $source_hosts; do
|
||||||
interface=${host%%:*}
|
interface=${host%%:*}
|
||||||
networks=${host#*:}
|
networks=${host#*:}
|
||||||
|
|
||||||
is_ipsec_host $zone $host && \
|
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -6138,6 +6267,8 @@ activate_rules()
|
|||||||
|
|
||||||
eval complex=\$${zone}_is_complex
|
eval complex=\$${zone}_is_complex
|
||||||
|
|
||||||
|
[ -n "$complex" ] && frwd_chain=${zone}_frwd
|
||||||
|
|
||||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||||
echo $zone $source_hosts >> ${STATEDIR}/zones
|
echo $zone $source_hosts >> ${STATEDIR}/zones
|
||||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||||
@ -6288,6 +6419,26 @@ activate_rules()
|
|||||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [ -n "$LOGALLNEW" ]; then
|
||||||
|
for table in mangle nat filter; do
|
||||||
|
case $table in
|
||||||
|
mangle)
|
||||||
|
chains="PREROUTING INPUT FORWARD POSTROUTING"
|
||||||
|
;;
|
||||||
|
nat)
|
||||||
|
chains="PREROUTING POSTROUTING OUTPUT"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
chains="INPUT FORWARD OUTPUT"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
for chain in $chains; do
|
||||||
|
log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -6869,6 +7020,7 @@ do_initialize() {
|
|||||||
RETAIN_ALIASES=
|
RETAIN_ALIASES=
|
||||||
DELAYBLACKLISTLOAD=
|
DELAYBLACKLISTLOAD=
|
||||||
LOGTAGONLY=
|
LOGTAGONLY=
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
|
@ -1 +1 @@
|
|||||||
2.1.11
|
2.2.0-Beta1
|
||||||
|
Loading…
Reference in New Issue
Block a user