Bridging Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
8925f25168
commit
74219e2e3a
@ -99,6 +99,8 @@ report () { # $* = message
|
||||
#
|
||||
run_iptables() {
|
||||
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
|
||||
if ! iptables $@ ; then
|
||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
||||
fi
|
||||
@ -423,6 +425,84 @@ first_chains() #$1 = interface
|
||||
echo ${c}_fwd ${c}_in
|
||||
}
|
||||
|
||||
#
|
||||
# Horrible hack to work around an iptables bug
|
||||
#
|
||||
physdev_echo()
|
||||
{
|
||||
if [ -f $TMP_DIR/physdev ]; then
|
||||
echo $@
|
||||
else
|
||||
echo -m physdev $@
|
||||
> $TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# We allow hosts to be specified by IP address or by physdev. These two functions
|
||||
# are used to produce the proper match in a netfilter rule.
|
||||
#
|
||||
match_source_hosts()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
case $1 in
|
||||
*:*)
|
||||
physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
|
||||
;;
|
||||
*.*.*.*)
|
||||
echo -s $1
|
||||
;;
|
||||
*)
|
||||
physdev_echo "--physdev-in $1"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
echo -s $1
|
||||
fi
|
||||
}
|
||||
|
||||
match_dest_hosts()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
case $1 in
|
||||
*:*)
|
||||
physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
|
||||
;;
|
||||
*.*.*.*)
|
||||
echo -d $1
|
||||
;;
|
||||
*)
|
||||
physdev_echo "--physdev-out $1"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
echo -d $1
|
||||
fi
|
||||
}
|
||||
#
|
||||
# Similarly, the source or destination in a rule can be qualified by a device name. If
|
||||
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
|
||||
# generated (-i or -o); otherwise, a physdev match is generated.
|
||||
#
|
||||
match_source_dev()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
list_search $1 $all_interfaces && echo -i $1 || physdev_echo "--physdev-in $1"
|
||||
else
|
||||
echo -i $1
|
||||
fi
|
||||
}
|
||||
|
||||
match_dest_dev()
|
||||
{
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
list_search $1 $all_interfaces && echo -o $1 || physdev_echo "--physdev-out $1"
|
||||
else
|
||||
echo -o $1
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
#
|
||||
# Find hosts in a given zone
|
||||
#
|
||||
@ -436,7 +516,7 @@ find_hosts() # $1 = host zone
|
||||
while read z hosts options; do
|
||||
if [ "x$(expand $z)" = "x$1" ]; then
|
||||
expandv hosts
|
||||
interface=${hosts%:*}
|
||||
interface=${hosts%%:*}
|
||||
addresses=${hosts#*:}
|
||||
for address in $(separate_list $addresses); do
|
||||
echo $interface:$address
|
||||
@ -459,6 +539,18 @@ determine_interfaces() {
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if an interface has a given option
|
||||
#
|
||||
interface_has_option() # $1 = interface, #2 = option
|
||||
{
|
||||
local options
|
||||
|
||||
eval options=\$$(chain_base $1)_options
|
||||
|
||||
list_search $2 $options
|
||||
}
|
||||
|
||||
#
|
||||
# Determine the defined hosts in each zone and generate report
|
||||
#
|
||||
@ -471,8 +563,7 @@ determine_hosts() {
|
||||
eval interfaces=\$${zone}_interfaces
|
||||
|
||||
for interface in $interfaces; do
|
||||
eval options=\$$(chain_base $interface)_options
|
||||
if list_search detectnets $options; then
|
||||
if interface_has_option $interface detectnets; then
|
||||
subnets=$(get_routed_subnets $interface)
|
||||
else
|
||||
subnets=0.0.0.0/0
|
||||
@ -612,7 +703,8 @@ validate_hosts_file() {
|
||||
r="$z $hosts $options"
|
||||
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||
|
||||
interface=${hosts%:*}
|
||||
interface=${hosts%%:*}
|
||||
iface=$(chain_base $interface)
|
||||
|
||||
list_search $interface $all_interfaces || \
|
||||
startup_error "Unknown interface ($interface) in record \"$r\""
|
||||
@ -620,6 +712,21 @@ validate_hosts_file() {
|
||||
hosts=${hosts#*:}
|
||||
|
||||
for host in $(separate_list $hosts); do
|
||||
[ -n "$BRIDGING" ] && case $host in
|
||||
*:*)
|
||||
eval ${iface}_is_bridge=Yes
|
||||
list_search ${host%:*} $all_interfaces && \
|
||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
;;
|
||||
*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
eval ${iface}_is_bridge=Yes
|
||||
list_search $host $all_interfaces && \
|
||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||
;;
|
||||
esac
|
||||
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
maclist|-)
|
||||
@ -838,7 +945,7 @@ find_hosts_by_option() # $1 = option
|
||||
expandv options
|
||||
if list_search $1 $(separate_list $options); then
|
||||
expandv hosts
|
||||
interface=${hosts%:*}
|
||||
interface=${hosts%%:*}
|
||||
addresses=${hosts#*:}
|
||||
for address in $(separate_list $addresses); do
|
||||
echo $interface:$address
|
||||
@ -847,8 +954,7 @@ find_hosts_by_option() # $1 = option
|
||||
done < $TMP_DIR/hosts
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
eval options=\$$(chain_base $interface)_options
|
||||
list_search $1 $options && \
|
||||
interface_has_option $interface $option && \
|
||||
echo ${interface}:0.0.0.0/0
|
||||
done
|
||||
}
|
||||
@ -984,7 +1090,7 @@ disable_ipv6() {
|
||||
ip6tables -P INPUT DROP
|
||||
ip6tables -P OUTPUT DROP
|
||||
else
|
||||
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables"
|
||||
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1049,12 +1155,35 @@ stop_firewall() {
|
||||
|
||||
strip_file routestopped
|
||||
|
||||
while read interface host; do
|
||||
expandv interface host
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
|
||||
routeback=
|
||||
|
||||
if [ -n $options ]; then
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
routeback)
|
||||
if [ -n "$routeback" ]; then
|
||||
error_message "Warning: Duplicate option ignored: routeback"
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown option ignored: $option"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
for host in $hosts; do
|
||||
@ -1065,7 +1194,7 @@ stop_firewall() {
|
||||
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
|
||||
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
|
||||
done
|
||||
done
|
||||
|
||||
@ -1077,6 +1206,10 @@ stop_firewall() {
|
||||
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
|
||||
done
|
||||
|
||||
setup_forwarding
|
||||
@ -1415,7 +1548,7 @@ setup_mac_lists() {
|
||||
maclist_interfaces=
|
||||
|
||||
for hosts in $maclist_hosts; do
|
||||
interface=${hosts%:*}
|
||||
interface=${hosts%%:*}
|
||||
if ! list_search $interface $maclist_interfaces; then\
|
||||
if [ -z "$maclist_interfaces" ]; then
|
||||
maclist_interfaces=$interface
|
||||
@ -1447,6 +1580,17 @@ setup_mac_lists() {
|
||||
while read interface mac addresses; do
|
||||
expandv interface mac addresses
|
||||
|
||||
physdev_part=
|
||||
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
case $interface in
|
||||
*:*)
|
||||
physdev_part="-m physdev --physdev-in ${interface#*:}"
|
||||
interface=${interface%:*}
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
chain=$(mac_chain $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
@ -1456,10 +1600,10 @@ setup_mac_lists() {
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart -j RETURN
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address -j RETURN
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -1494,10 +1638,10 @@ setup_mac_lists() {
|
||||
# Generate jumps from the input and forward chains
|
||||
#
|
||||
for hosts in $maclist_hosts; do
|
||||
interface=${hosts%:*}
|
||||
interface=${hosts%%:*}
|
||||
hosts=${hosts#*:}
|
||||
for chain in $(first_chains $interface) ; do
|
||||
run_iptables -A $chain -s $hosts -m state --state NEW \
|
||||
run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
|
||||
-j $(mac_chain $interface)
|
||||
done
|
||||
done
|
||||
@ -1692,11 +1836,11 @@ process_tc_rule()
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
if ! list_search $source $all_interfaces; then
|
||||
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
|
||||
fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
fi
|
||||
|
||||
r="-i $source "
|
||||
r="$(select_source_dev) $source "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -1852,7 +1996,7 @@ process_accounting_rule() {
|
||||
|
||||
case $source in
|
||||
*:*)
|
||||
rule="-s ${source#*:} -i ${source%:*}"
|
||||
rule="-s ${source#*:} $(match_source_dev ${source%:*})"
|
||||
;;
|
||||
*.*.*.*)
|
||||
rule="-s $source"
|
||||
@ -1860,13 +2004,13 @@ process_accounting_rule() {
|
||||
-|all|any)
|
||||
;;
|
||||
*)
|
||||
[ -n "$source" ] && rule="-i $source"
|
||||
[ -n "$source" ] && rule="$(match_source_dev $source)"
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$dest" ] && case $dest in
|
||||
*:*)
|
||||
rule="$rule -d ${dest#*:} -o ${dest%:*}"
|
||||
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
|
||||
;;
|
||||
*.*.*.*)
|
||||
rule="$rule -d $dest"
|
||||
@ -1874,7 +2018,7 @@ process_accounting_rule() {
|
||||
-|all|any)
|
||||
;;
|
||||
*)
|
||||
rule="$rule -o $dest"
|
||||
rule="$rule $(match_dest_dev $dest)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1959,7 +2103,6 @@ setup_accounting() # $1 = Name of accounting file
|
||||
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Check the configuration
|
||||
#
|
||||
@ -2113,7 +2256,7 @@ add_an_action()
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
cli="-s $client"
|
||||
@ -2122,7 +2265,7 @@ add_an_action()
|
||||
cli=$(mac_match $client)
|
||||
;;
|
||||
*)
|
||||
[ -n "$client" ] && cli="-i $client"
|
||||
[ -n "$client" ] && cli="$(match_source_dev $client)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2141,7 +2284,7 @@ add_an_action()
|
||||
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||
;;
|
||||
*)
|
||||
[ -n "$server" ] && dest_interface="-o $server"
|
||||
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2321,7 +2464,7 @@ process_action() # $1 = action
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
@ -2673,7 +2816,7 @@ add_nat_rule() {
|
||||
for z in $(separate_list $excludezones); do
|
||||
eval hosts=\$${z}_hosts
|
||||
for host in $hosts; do
|
||||
addnatrule $chain -s ${host#*:} -j RETURN
|
||||
addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
@ -2723,7 +2866,7 @@ add_nat_rule() {
|
||||
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
|
||||
|
||||
[ $COMMAND = check ] || addnatrule $(snat_chain $dest) \
|
||||
-s ${source_host#*:} $proto $sports $multiport \
|
||||
$(match_source_hosts ${source_host#*:}) $proto $sports $multiport \
|
||||
-d $serv $dports -j SNAT --to-source $snat
|
||||
done
|
||||
fi
|
||||
@ -2784,7 +2927,7 @@ add_a_rule()
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
cli="-s $client"
|
||||
@ -2793,7 +2936,7 @@ add_a_rule()
|
||||
cli=$(mac_match $client)
|
||||
;;
|
||||
*)
|
||||
[ -n "$client" ] && cli="-i $client"
|
||||
[ -n "$client" ] && cli="$(match_source_dev $client)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2812,7 +2955,7 @@ add_a_rule()
|
||||
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||
;;
|
||||
*)
|
||||
[ -n "$server" ] && dest_interface="-o $server"
|
||||
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -2879,7 +3022,7 @@ add_a_rule()
|
||||
# Complain if the rule is really a policy
|
||||
|
||||
case $logtarget in
|
||||
ACCEPT|DROP|REJECT)
|
||||
ACCEPT|DROP|REJECT|CONTINUE)
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
@ -3371,7 +3514,7 @@ process_tos_rule() {
|
||||
#
|
||||
# Assume that this is a device name
|
||||
#
|
||||
src="-i $src"
|
||||
src="$(match_source_dev $src)"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -4441,6 +4584,11 @@ add_common_rules() {
|
||||
echo "Adding rules for DHCP"
|
||||
|
||||
for interface in $interfaces; do
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
eval is_bridge=\$$(chain_base $interface)_is_bridge
|
||||
[ -n "$is_bridge" ] && \
|
||||
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
fi
|
||||
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
||||
done
|
||||
@ -4698,8 +4846,11 @@ activate_rules()
|
||||
shift
|
||||
shift
|
||||
|
||||
havenatchain $destchain && \
|
||||
if havenatchain $destchain ; then
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
|
||||
rm -f #TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -4716,6 +4867,8 @@ activate_rules()
|
||||
eval run_iptables -t nat -I $sourcechain \
|
||||
\$${sourcechain}_rule $@ -j $destchain
|
||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
|
||||
rm -f $TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
|
||||
@ -4754,28 +4907,31 @@ activate_rules()
|
||||
need_broadcast=
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
interface=${host%%:*}
|
||||
subnet=${host#*:}
|
||||
|
||||
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $subnet) -j $chain1
|
||||
|
||||
#
|
||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||
#
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface -s $subnet
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $subnet)
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $subnet)
|
||||
|
||||
run_iptables -A $(input_chain $interface) -s $subnet -j $chain2
|
||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $subnet) -j $chain2
|
||||
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $subnet) -j $frwd_chain
|
||||
|
||||
case $subnet in
|
||||
*.*.*.*)
|
||||
if [ "$subnet" != 0.0.0.0/0 ]; then
|
||||
if ! list_search $interface $need_broadcast ; then
|
||||
eval options=\$$(chain_base $interface)_options
|
||||
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
|
||||
interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
@ -4804,29 +4960,29 @@ activate_rules()
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
interface1=${host1%%:*}
|
||||
subnet1=${host1#*:}
|
||||
if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then
|
||||
if list_search $host1 $routeback; then
|
||||
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
|
||||
fi
|
||||
else
|
||||
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
interface=${host%%:*}
|
||||
subnet=${host#*:}
|
||||
|
||||
chain1=$(forward_chain $interface)
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
interface1=${host1%%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
||||
run_iptables -A $chain1 $(match_source_hosts $subnet) -o $interface1 $(match_dest_hosts $subnet1) -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -5178,11 +5334,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
fi
|
||||
|
||||
for h in $dest_hosts; do
|
||||
iface=${h%:*}
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
|
||||
do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
done
|
||||
@ -5205,7 +5361,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%:*}
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
base=$(chain_base $iface)
|
||||
@ -5221,7 +5377,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
fi
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain
|
||||
do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
@ -5328,11 +5484,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
|
||||
for h in $dest_hosts $delhost; do
|
||||
iface=${h%:*}
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
|
||||
qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -5343,11 +5499,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
for h in $source_hosts; do
|
||||
iface=${h%:*}
|
||||
iface=${h%%:*}
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain
|
||||
qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -5463,6 +5619,7 @@ do_initialize() {
|
||||
USEDACTIONS=
|
||||
SMURF_LOG_LEVEL=
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
@ -5613,6 +5770,7 @@ do_initialize() {
|
||||
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
|
||||
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
|
||||
|
||||
#
|
||||
@ -5629,6 +5787,8 @@ do_initialize() {
|
||||
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
|
||||
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
||||
fi
|
||||
|
||||
rm -f $TMP_DIR/physdev
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -12,21 +12,28 @@
|
||||
#
|
||||
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
||||
#
|
||||
# HOST(S) - The name of an interface followed by a colon (":") and
|
||||
# HOST(S) - The name of an interface defined in the
|
||||
# /etc/shorewall/interfaces file followed by a colon (":") and
|
||||
# a comma-separated list whose elements are either:
|
||||
#
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
#
|
||||
# The interface must be defined in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
# c) A physical port name; only allowed when the
|
||||
# interface names a bridge created by the
|
||||
# brctl addbr command. This port must not
|
||||
# be defined in /etc/shorewall/interfaces and may
|
||||
# optionally followed by a colon (":") and a
|
||||
# host or network IP.
|
||||
# See http://www.shorewall.net/Bridge.html for details.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# eth1:192.168.1.3
|
||||
# eth2:192.168.2.0/24
|
||||
# eth3:192.168.2.0/24,192.168.3.1
|
||||
# br0:eth4
|
||||
# br0:eth0:192.168.1.16/28
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
|
@ -46,10 +46,19 @@
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# dhcp - Specify this option when any of
|
||||
# the following are true:
|
||||
# 1. the interface gets its IP address
|
||||
# via DHCP
|
||||
# 2. the interface is used by
|
||||
# a DHCP server running on the firewall
|
||||
# 3. you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP
|
||||
# clients.
|
||||
# 4. the interface is a bridge with
|
||||
# a DHCP server on one port and DHCP
|
||||
# clients on another port.
|
||||
#
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
@ -58,6 +67,7 @@
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
#
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
@ -65,12 +75,14 @@
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# maclist - Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
#
|
||||
# tcpflags - Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
@ -79,6 +91,7 @@
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
#
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
@ -127,7 +140,7 @@
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE!
|
||||
# INTERNET INTERFACE.
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
|
@ -5,7 +5,10 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE Network interface to a host
|
||||
# INTERFACE Network interface to a host. If the interface
|
||||
# names a bridge, it may be optionally followed by
|
||||
# a colon (":") and a physical port name (e.g.,
|
||||
# br0:eth4).
|
||||
#
|
||||
# MAC MAC address of the host -- you do not need to use
|
||||
# the Shorewall format for MAC addresses here
|
||||
|
@ -14,12 +14,18 @@
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# OPTIONS - (Optional) A comma-separated list of
|
||||
# options. The currently-supported options are:
|
||||
#
|
||||
# routeback - Set up a rule to ACCEPT traffic from
|
||||
# these hosts back to themselves.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# INTERFACE HOST(S)
|
||||
# INTERFACE HOST(S) OPTIONS
|
||||
# eth2 192.168.1.0/24
|
||||
# eth0 192.0.2.44
|
||||
# br0 - routeback
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#INTERFACE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -524,6 +524,18 @@ MODULE_SUFFIX=
|
||||
# firewall system. This requires that you have ip6tables installed.
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
#
|
||||
# BRIDGING
|
||||
#
|
||||
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
|
||||
# then set BRIDGING=Yes. Your kernel must have the physdev match option
|
||||
# enabled; that option is available through Patch-O-Matic for 2.4 kernels and
|
||||
# is included as a standard part of the 2.6 series kernels. If not
|
||||
# specified or specified as empty (BRIDGING="") then "No" is assumed.
|
||||
#
|
||||
|
||||
BRIDGING=No
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
@ -534,6 +546,7 @@ DISABLE_IPV6=Yes
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
# DROP is assumed.
|
||||
#
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
|