Changes for 2.1.6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
414356a535
commit
79c7f644b2
@ -15,9 +15,9 @@
|
|||||||
# Encrypted hosts are designated using the 'ipsec'
|
# Encrypted hosts are designated using the 'ipsec'
|
||||||
# option in /etc/shorewall/hosts.
|
# option in /etc/shorewall/hosts.
|
||||||
#
|
#
|
||||||
# OPTIONS A comma-separated list of options as follows:
|
# OPTIONS, A comma-separated list of options as follows:
|
||||||
# reqid=<number> where <number> is specified
|
# IN OPTIONS, reqid=<number> where <number> is specified
|
||||||
# using setkey(8) using the 'unique:<number>
|
# OUT OPTIONS using setkey(8) using the 'unique:<number>
|
||||||
# option for the SPD level.
|
# option for the SPD level.
|
||||||
#
|
#
|
||||||
# spi=<number> where <number> is the SPI of
|
# spi=<number> where <number> is the SPI of
|
||||||
@ -35,8 +35,16 @@
|
|||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
# mode=transport,reqid=44
|
# mode=transport,reqid=44
|
||||||
|
#
|
||||||
|
# The options in the OPTIONS column are applied to both incoming
|
||||||
|
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||||
|
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||||
|
# applied to outgoing traffic.
|
||||||
|
#
|
||||||
|
# If you wish to leave a column empty but need to make an entry
|
||||||
|
# in a following column, use "-".
|
||||||
################################################################################
|
################################################################################
|
||||||
#ZONE IPSEC OPTIONS
|
#ZONE IPSEC OPTIONS IN OUT
|
||||||
# ONLY
|
# ONLY OPTIONS OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
|
||||||
|
@ -564,7 +564,7 @@ usage() # $1 = exit status
|
|||||||
echo "where <command> is one of:"
|
echo "where <command> is one of:"
|
||||||
echo " add <interface>[:<host>] <zone>"
|
echo " add <interface>[:<host>] <zone>"
|
||||||
echo " allow <address> ..."
|
echo " allow <address> ..."
|
||||||
echo " check"
|
echo " check [ <directory> ]"
|
||||||
echo " clear"
|
echo " clear"
|
||||||
echo " delete <interface>[:<host>] <zone>"
|
echo " delete <interface>[:<host>] <zone>"
|
||||||
echo " drop <address> ..."
|
echo " drop <address> ..."
|
||||||
@ -578,15 +578,17 @@ usage() # $1 = exit status
|
|||||||
echo " refresh"
|
echo " refresh"
|
||||||
echo " reject <address> ..."
|
echo " reject <address> ..."
|
||||||
echo " reset"
|
echo " reset"
|
||||||
echo " restart"
|
echo " restart [ <directory> ]"
|
||||||
echo " restore [ <file name> ]"
|
echo " restore [ <file name> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||||
echo " start"
|
echo " start [ <directory> ]"
|
||||||
echo " stop"
|
echo " stop"
|
||||||
echo " status"
|
echo " status"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
echo " version"
|
echo " version"
|
||||||
|
echo
|
||||||
|
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -761,8 +763,30 @@ esac
|
|||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
[ $# -ne 1 ] && usage 1
|
case $# in
|
||||||
|
1)
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $2 ]; then
|
||||||
|
if [ -e $2 ]; then
|
||||||
|
echo "$2 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $2 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$2
|
||||||
|
export SHOREWALL_DIR
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
get_config
|
get_config
|
||||||
|
|
||||||
if [ -n "$FAST" ]; then
|
if [ -n "$FAST" ]; then
|
||||||
|
|
||||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||||
@ -779,11 +803,36 @@ case "$1" in
|
|||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
stop|restart|reset|clear|refresh|check)
|
stop|reset|clear|refresh)
|
||||||
[ $# -ne 1 ] && usage 1
|
[ $# -ne 1 ] && usage 1
|
||||||
get_config
|
get_config
|
||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||||
;;
|
;;
|
||||||
|
check|restart)
|
||||||
|
case $# in
|
||||||
|
1)
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $2 ]; then
|
||||||
|
if [ -e $2 ]; then
|
||||||
|
echo "$2 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $2 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$2
|
||||||
|
export SHOREWALL_DIR
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
get_config
|
||||||
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||||
|
;;
|
||||||
add|delete)
|
add|delete)
|
||||||
[ $# -ne 3 ] && usage 1
|
[ $# -ne 3 ] && usage 1
|
||||||
get_config
|
get_config
|
||||||
|
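Review bot: The new `2)` arms in both the `start` and `check|restart` cases test the directory argument unquoted (`[ ! -d $2 ]`, `[ -e $2 ]`), so a path containing whitespace becomes several test operands and `[` aborts with a syntax error instead of printing the intended diagnostic, and the same unquoted value then lands in `SHOREWALL_DIR=$2`. The check-and-export sequence is also duplicated verbatim between the two arms, and `echo "..." >&2 && exit 2` only exits when the echo itself succeeded. I would factor it into one helper that quotes its argument and exits unconditionally, then call `set_shorewall_dir "$2"` right after the `usage 2` guard in each arm. The enclosing `case "$1"` opens before the first of these hunks and continues past the last one.
```shell
set_shorewall_dir() # $1 = configuration directory given on the command line
{
    if [ ! -d "$1" ]; then
        if [ -e "$1" ]; then
            echo "$1 is not a directory" >&2
        else
            echo "Directory $1 does not exist" >&2
        fi
        exit 2
    fi

    SHOREWALL_DIR="$1"
    export SHOREWALL_DIR
}

# … unchanged: usage(), option parsing …

    start)
        case $# in
            1)
                ;;
            2)
                [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
                set_shorewall_dir "$2"
                ;;
            *)
                usage 1
                ;;
        esac
# … unchanged: get_config, FAST restore path, exec …
    check|restart)
        case $# in
            1)
                ;;
            2)
                [ -n "$SHOREWALL_DIR" ] && usage 2
                set_shorewall_dir "$2"
                ;;
            *)
                usage 1
                ;;
        esac
# … unchanged: get_config, exec …
```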
@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
|
|||||||
{
|
{
|
||||||
eval local is_ipsec=\$${1}_is_ipsec
|
eval local is_ipsec=\$${1}_is_ipsec
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||||
eval local options=\"\$${1}_ipsec_options\"
|
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||||
|
|
||||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||||
echo "-m policy --pol ipsec --dir in $options"
|
echo "-m policy --pol ipsec --dir in $options"
|
||||||
elif [ -n "$POLICY_MATCH" ]; then
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
echo "-m policy --pol none --dir in $options"
|
echo "-m policy --pol none --dir in"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
|
|||||||
{
|
{
|
||||||
eval local is_ipsec=\$${1}_is_ipsec
|
eval local is_ipsec=\$${1}_is_ipsec
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||||
eval local options=\"\$${1}_ipsec_options\"
|
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||||
|
|
||||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||||
echo "-m policy --pol ipsec --dir out $options"
|
echo "-m policy --pol ipsec --dir out $options"
|
||||||
elif [ -n "$POLICY_MATCH" ]; then
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
echo "-m policy --pol none --dir out $options"
|
echo "-m policy --pol none --dir out"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1636,47 +1636,36 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
setup_ipsec() {
|
setup_ipsec() {
|
||||||
|
|
||||||
do_options() {
|
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||||
local option newoptions=
|
{
|
||||||
|
local option opts newoptions=
|
||||||
|
|
||||||
options=$(separate_list $options)
|
[ x${2} = x- ] && return
|
||||||
|
|
||||||
for option in $options; do
|
opts=$(separate_list $2)
|
||||||
|
|
||||||
|
for option in $opts; do
|
||||||
case $option in
|
case $option in
|
||||||
reqid=*)
|
reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
|
||||||
newoptions="$newoptions --reqid ${option#*=}"
|
spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
|
||||||
;;
|
proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
|
||||||
spi=*)
|
mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
|
||||||
newoptions="$newoptions --spi ${option#*=}"
|
tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
|
||||||
;;
|
tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
|
||||||
proto=*)
|
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||||
newoptions="$newoptions --proto ${option#*=}"
|
|
||||||
;;
|
|
||||||
mode=*)
|
|
||||||
newoptions="$newoptions --mode ${option#*=}"
|
|
||||||
;;
|
|
||||||
tunnel-src=*)
|
|
||||||
newoptions="$newoptions --tunnel-src ${option#*=}"
|
|
||||||
;;
|
|
||||||
tunnel-dst=*)
|
|
||||||
newoptions="$newoptions --tunnel-dst ${option#*=}"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
fatal_error "Invalid option \"$option\" for zone $zone"
|
|
||||||
;;
|
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$newoptions" ]; then
|
if [ -n "$newoptions" ]; then
|
||||||
eval ${zone}_is_complex=Yes
|
eval ${zone}_is_complex=Yes
|
||||||
eval ${zone}_ipsec_options=\"${newoptions# }\"
|
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
strip_file ipsec $1
|
strip_file ipsec $1
|
||||||
|
|
||||||
while read zone ipsec options; do
|
while read zone ipsec options in_options out_options; do
|
||||||
expandv zone ipsec options
|
expandv zone ipsec options in_options out_options
|
||||||
|
|
||||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||||
|
|
||||||
@ -1694,7 +1683,9 @@ setup_ipsec() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
do_options
|
do_options "" $options
|
||||||
|
do_options "_in" $in_options
|
||||||
|
do_options "_out" $out_options
|
||||||
|
|
||||||
done < $TMP_DIR/ipsec
|
done < $TMP_DIR/ipsec
|
||||||
}
|
}
|
||||||
|
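Review bot: In the rewritten `do_options`, an option written without a value — `reqid=`, `mode=`, `tunnel-src=` — still matches the `reqid=*` style patterns, but `${option#*=}` expands to nothing, so a bare `--reqid` (etc.) is appended and the fault only surfaces when iptables parses the generated rule rather than at `shorewall check`. A one-line guard at the top of the loop body closes that: `[ -n "${option#*=}" ] || fatal_error "Missing value in \"$option\" for zone $zone"`. The value is also interpolated into `eval ${zone}_ipsec${1}_options=\"...\"` and then into the match strings emitted by `match_ipsec_in`/`match_ipsec_out`, so a value containing `"`, `$(` or a backquote is interpreted by that `eval`; rejecting whitespace and shell metacharacters in the same guard would be cheap even though the ipsec file is presumably root-owned configuration. Restricting `mode=` to tunnel/transport and `proto=` to the protocols the policy match accepts would be a further check, though the accepted set is not visible here. `do_options` is complete within this hunk, while the enclosing `setup_ipsec` closes in the later one.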
@ -1,6 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
# Shorewall help subsystem - V2.1
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
@ -60,7 +60,7 @@ allow)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
check)
|
check)
|
||||||
echo "check: check [ -c <configuration-directory> ]
|
echo "check: check [ <configuration-directory> ]
|
||||||
Performs a cursory validation of the zones, interfaces, hosts,
|
Performs a cursory validation of the zones, interfaces, hosts,
|
||||||
rules and policy files. Use this if you are unsure of any edits
|
rules and policy files. Use this if you are unsure of any edits
|
||||||
you have made to the shorewall configuration. See the try command
|
you have made to the shorewall configuration. See the try command
|
||||||
@ -187,7 +187,7 @@ reset)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
restart)
|
restart)
|
||||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
||||||
Restart is the same as a shorewall stop && shorewall start.
|
Restart is the same as a shorewall stop && shorewall start.
|
||||||
Existing connections are maintained.
|
Existing connections are maintained.
|
||||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||||
@ -240,13 +240,14 @@ show)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
start)
|
start)
|
||||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
||||||
Start shorewall. Existing connections through shorewall managed
|
Start shorewall. Existing connections through shorewall managed
|
||||||
interfaces are untouched. New connections will be allowed only
|
interfaces are untouched. New connections will be allowed only
|
||||||
if they are allowed by the firewall rules or policies.
|
if they are allowed by the firewall rules or policies.
|
||||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||||
in shorewall.conf will be restored if that saved configuration exists"
|
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||||
|
case, a <configuration-directory> may not be specified".
|
||||||
;;
|
;;
|
||||||
|
|
||||||
stop)
|
stop)
|
||||||
|
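Review bot: In the new `start` help text the closing double quote sits before the sentence's final period — `may not be specified".` — so the period falls outside the echo string and is passed as a second argument, printing `... may not be specified .` with a stray space; move it inside: `case, a <configuration-directory> may not be specified."`. The `restart` entry now reads `[ -q ] restart [ <configuration-directory> ]` but, unlike the `start` entry, does not say that `-c` (or an already-set SHOREWALL_DIR) is incompatible with the directory argument, which the CLI's usage text states in this same commit for start, restart and check; a matching sentence would keep the two in step. While here, the untouched context line `less detain is displayed` under restart reads as a typo for `detail`.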
@ -1 +1 @@
|
|||||||
2.1.5
|
2.1.6
|
||||||
|