From 7418e273083db2ef7758d6fb70bc20fc323a56c7 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 May 2009 07:22:48 -0700
Subject: [PATCH] Deimplement ipset binding support

---
 Shorewall/Perl/Shorewall/Chains.pm | 17 ++------
 Shorewall/Perl/Shorewall/Compiler.pm | 2 -
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 Shorewall/changelog.txt | 3 ++
 Shorewall/releasenotes.txt | 9 ++--
 docs/ipsets.xml | 64 ----------------------------
 6 files changed, 14 insertions(+), 83 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 95e472538..527b4bc61 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1797,28 +1797,19 @@ sub iprange_match() {
 }
 
 #
-# Get set flags (ipsets).
+# Get set flags (ipsets) -- Given that ipset no longer supports binding,
+# This function simply constructs the proper
+# --set specification.
 #
 sub get_set_flags( $$ ) {
     my ( $setname, $option ) = @_;
-    my $options = $option;
 
     $setname =~ s/^!//; # Caller has already taken care of leading !
-
-    if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
-        $setname = $1;
-        my $count = $2;
-        $options .= ",$option" while --$count > 0;
-    } elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) {
-        $setname = $1;
-        $options = $2;
-    }
-
     $setname =~ s/^\+//;
 
     fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
 
-    "--set $setname $options "
+    "--set $setname $option "
 }
 
 #
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index b10df7506..70775e417 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -356,8 +356,6 @@ sub generate_script_3($) {
 		 '',
 		 'if [ "$COMMAND" = start ]; then' ,
 		 ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		 ' $IPSET -U :all: :all:' ,
-		 ' $IPSET -U :all: :default:' ,
 		 ' $IPSET -F' ,
 		 ' $IPSET -X' ,
 		 ' $IPSET -R < ${VARDIR}/ipsets.save' ,
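Review bot: The name check `unless $setname =~ /^[a-zA-Z]\w*/` in get_set_flags is anchored only at the start, so now that the `[n]` and `[src,dst]` suffix parsing has been removed, a leftover `+Mirrors[4]` from an existing configuration still passes validation and is emitted verbatim into the `--set` clause instead of raising the fatal_error the caller would expect. Anchoring the pattern at both ends, `fatal_error "Invalid ipset name ($setname)" unless $setname =~ /\A[a-zA-Z]\w*\z/;`, rejects the obsolete syntax and any other trailing characters before they reach the generated iptables command line. The new header comment also breaks mid-sentence with a capitalised "This"; `# Get set flags (ipsets) -- ipset no longer supports binding, so this function simply constructs the proper --set specification.` reads more cleanly.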
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 7873c845c..4865d403d 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2589,7 +2589,7 @@ sub generate_aux_config() { emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { + for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) { conditionally_add_option $option; } diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 33cf4941d..3122ba979 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,9 @@ Changes in Shorewall 4.3.12 2) Add HFSC support. +3) Delete support for ipset binding. Jozsef has removed the capability + from ipset. + Changes in Shorewall 4.3.11 1) Reduce the number of arguments passed in may cases. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 0d0c8edd1..7b4684a76 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
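Review bot: The changed loop line in generate_aux_config keeps `for my $option qw(...)`, using a bare qw() list as the loop's parentheses; that form was deprecated in Perl 5.14 and rejected from 5.18 on, so it should be wrapped as `for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {` to stay portable. Dropping SAVE_IPSETS from the auxiliary configuration is not mentioned in this commit's changelog entry; if any shell-side script still reads that variable from the aux file, it would now see it unset, which is worth confirming. generate_aux_config's body starts before and continues after this hunk.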
@@ -81,12 +81,15 @@ released late in 2009. class Ids in numeric sequence. In 4.3.9, that didn't work correctly because Shorewall was generating the sequence "..8,9,10,11..." when the correct sequence was "...8,9,a,b,...". Shorewall now treats - class IDs as hex, like 'tc' and 'iptables' do. + class IDs as hex, as do 'tc' and 'iptables'. This should only be an issue if you have more than 9 interfaces defined in /etc/shorewall/tcdevices and if you use class IDs in - /etc/shorewall/tcrules. You will need to renumber the class IDs for - devices 10 and greater. + /etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need + to renumber the class IDs for devices 10 and greater. + +6) Jozsef Kadlecsik has removed the set binding capability from ipset + 3.1. As a consequence, Shorewall 4.3 no longer supports set binding. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 3 . 12 diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 8817f3685..9482e447c 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -92,31 +92,6 @@ - The name of the set may optionally followed by: - - - - a number from 1 to 6 enclosed in square brackets ([]) -- this - number indicates the maximum number of ipset binding levels that are - to be matched. Depending on the context where the ipset name is used, - either all "src" or all "dst" matches will be used. - - Example: "+Mirrors[4]" - - - - a series of "src" and "dst" options separated by commas and - enclosed in square brackets ([]). These will be passed directly to - iptables in the generated --set clause. See the ipset documentation - for details. - - Example: "+Mirrors[src,dst,src]" - - Note that "+Mirrors[4]" used in the SOURCE column of the rules - file is equivalent to "+Mirrors[src,src,src,src]". - - - To generate a negative match, prefix the "+" with "!" as in "!+Mirrors". 
@@ -144,14 +119,6 @@ ACCEPT +sshok $FW tcp 22 /etc/shorewall/init (it works for me; your mileage may vary): - if [ "$COMMAND" = start ]; then - ipset -U :all: :all: - ipset -U :all: :default: - ipset -F - ipset -X - ipset -R < /etc/shorewall/ipsets -fi - The file /etc/shorewall/ipsets will normally be produced using the ipset -S command. @@ -176,37 +143,6 @@ fi As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf - - Example (Note -- this example is applicable to ipset versions up to - and including 2.4. In 2.5, the binding feature of ipsets is scheduled for - removal in favor of different set types that include both IP addresses and - port numbers. Check your ipset documentation): - - /etc/shorewall/blacklist: - - #ADDRESS/SUBNET PROTOCOL PORT -+Blacklist[src,dst] -+Blacklistnets[src,dst] - - Create the blacklist ipsets using: - - ipset -N Blacklist iphash -ipset -N Blacklistnets nethash - - Add entries: - - ipset -A Blacklist 206.124.146.177 -ipset -A Blacklistnets 206.124.147.0/24 - - To allow entries for individual ports: - - ipset -N SMTP portmap --from 1 --to 31 -ipset -A SMTP 25 - -ipset -A Blacklist 206.124.146.177 -ipset -B Blacklist 206.124.146.177 -b SMTP - - Now only port 25 will be blocked from 206.124.146.177.