Break 'run_iptables' into two functions - only run_iptables2 checks for \!

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@369 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-12-18 21:26:03 +00:00
parent fa843d4139
commit 852217c510


@ -167,21 +167,26 @@ fix_bang() {
# #
run_iptables() { run_iptables() {
if ! iptables $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
}
#
# Version of 'run_iptables' that inserts white space after "!" in the arg list
#
run_iptables2() {
if [ "x${*%!*}" = "x$*" ]; then if [ "x${*%!*}" = "x$*" ]; then
# #
# No "!" in the command -- just execute it # No "!" in the command -- just execute it
# #
if ! iptables $@ ; then run_iptables $@
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
return return
fi fi
# #
# Need to insert white space before each "!" # Need to insert white space before each "!"
# #
if ! iptables `fix_bang $@`; then run_iptables `fix_bang $@`
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
} }
# #
@ -318,7 +323,7 @@ ensurenatchain() # $1 = chain name
addnatrule() # $1 = chain name, remainder of arguments specify the rule addnatrule() # $1 = chain name, remainder of arguments specify the rule
{ {
ensurenatchain $1 ensurenatchain $1
run_iptables -t nat -A $@ run_iptables2 -t nat -A $@
} }
# #
@ -1539,7 +1544,7 @@ setup_mac_lists() {
run_iptables -A $chain $macpart -j RETURN run_iptables -A $chain $macpart -j RETURN
else else
for address in `separate_list $addresses` ; do for address in `separate_list $addresses` ; do
run_iptables -A $chain $macpart -s $address -j RETURN run_iptables2 -A $chain $macpart -s $address -j RETURN
done done
fi fi
done < $TMP_DIR/maclist done < $TMP_DIR/maclist
@ -1951,7 +1956,7 @@ add_nat_rule() {
# Generate nat table rules # Generate nat table rules
if [ "$source" = "$FW" ]; then if [ "$source" = "$FW" ]; then
run_iptables -t nat -A OUTPUT $proto $sports -d $addr \ run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \
$multiport $dports -j $target1 $multiport $dports -j $target1
else else
chain=`dnat_chain $source` chain=`dnat_chain $source`
@ -2161,11 +2166,11 @@ add_a_rule()
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j ULOG $LOGPARMS \ $state $cli $sports $serv $dports -j ULOG $LOGPARMS \
--ulog-prefix "Shorewall:$chain:$logtarget:" \ --ulog-prefix "Shorewall:$chain:$logtarget:" \
else else
run_iptables -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$state $cli $sports $serv $dports -j LOG $LOGPARMS \ $state $cli $sports $serv $dports -j LOG $LOGPARMS \
--log-prefix "Shorewall:$chain:$logtarget:" \ --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel --log-level $loglevel
@ -2173,7 +2178,7 @@ add_a_rule()
fi fi
run_iptables -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target $serv $dports -j $target
fi fi
else else
@ -2186,18 +2191,18 @@ add_a_rule()
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
if [ "$loglevel" = ULOG ]; then if [ "$loglevel" = ULOG ]; then
run_iptables -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j ULOG \ $dest_interface $state $cli $sports $dports -j ULOG \
$LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:" $LOGPARMS --ulog-prefix "Shorewall:$chain:$logtarget:"
else else
run_iptables -A $chain $proto $multiport \ run_iptables2 -A $chain $proto $multiport \
$dest_interface $state $cli $sports $dports -j LOG \ $dest_interface $state $cli $sports $dports -j LOG \
$LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \ $LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
--log-level $loglevel --log-level $loglevel
fi fi
fi fi
run_iptables -A $chain $proto $multiport $dest_interface $state \ run_iptables2 -A $chain $proto $multiport $dest_interface $state \
$cli $sports $dports -j $target $cli $sports $dports -j $target
fi fi
} }
@ -2548,24 +2553,24 @@ process_tos_rule() {
case $srczone in case $srczone in
$FW) $FW)
run_iptables -t mangle -A outtos \ run_iptables2 -t mangle -A outtos \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $tos
;; ;;
all|ALL) all|ALL)
run_iptables -t mangle -A outtos \ run_iptables2 -t mangle -A outtos \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $tos
run_iptables -t mangle -A pretos \ run_iptables -t mangle -A pretos \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $tos
;; ;;
*) *)
if [ -n "$src" ]; then if [ -n "$src" ]; then
run_iptables -t mangle -A pretos $src \ run_iptables2 -t mangle -A pretos $src \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $tos
else else
eval interfaces=\$${srczone}_interfaces eval interfaces=\$${srczone}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
run_iptables -t mangle -A pretos -i $interface \ run_iptables2 -t mangle -A pretos -i $interface \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $tos
done done
fi fi
@ -2964,17 +2969,17 @@ setup_intrazone() # $1 = zone
# #
add_blacklist_rule() { add_blacklist_rule() {
if [ -n "$BLACKLIST_LOGLEVEL" ]; then if [ -n "$BLACKLIST_LOGLEVEL" ]; then
run_iptables -A blacklst $source $proto $dport -j \ run_iptables2 -A blacklst $source $proto $dport -j \
ULOG $LOGPARMS --ulog-prefix \ ULOG $LOGPARMS --ulog-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" "Shorewall:blacklst:$BLACKLIST_DISPOSITION:"
else else
run_iptables -A blacklst $source $proto $dport -j \ run_iptables2 -A blacklst $source $proto $dport -j \
LOG $LOGPARMS --log-prefix \ LOG $LOGPARMS --log-prefix \
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \ "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
--log-level $BLACKLIST_LOGLEVEL --log-level $BLACKLIST_LOGLEVEL
fi fi
run_iptables -A blacklst $source $proto $dport -j $disposition run_iptables2 -A blacklst $source $proto $dport -j $disposition
} }
# #
@ -3291,7 +3296,7 @@ initialize_netfilter () {
while read target ignore1 ignore2 address rest; do while read target ignore1 ignore2 address rest; do
case $target in case $target in
DROP|reject) DROP|reject)
run_iptables -A dynamic -s $address -j $target run_iptables2 -A dynamic -s $address -j $target
;; ;;
*) *)
;; ;;
@ -3372,16 +3377,15 @@ add_common_rules() {
if [ -n "$LOGUNCLEAN" ]; then if [ -n "$LOGUNCLEAN" ]; then
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="$LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:" logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
run_iptables -A badpkt -p tcp -j ULOG $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp -j ULOG $logoptions
else else
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp -j LOG $logoptions
fi fi
run_iptables -A badpkt -p tcp $logoptions --log-tcp-options
run_iptables -A badpkt -p ! tcp $logoptions
fi fi
run_iptables -A badpkt -j DROP run_iptables -A badpkt -j DROP
@ -3403,18 +3407,18 @@ add_common_rules() {
createchain logpkt no createchain logpkt no
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
if [ "$LOGUNCLEAN" = ULOG ]; then if [ "$LOGUNCLEAN" = ULOG ]; then
logoptions="$LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:" logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-ip-options" logoptions="$logoptions --log-ip-options"
run_iptables -A logpkt -p tcp -j ULOG $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp -j ULOG $logoptions
else else
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp -j LOG $logoptions
fi fi
run_iptables -A logpkt -p tcp $logoptions --log-tcp-options
run_iptables -A logpkt -p ! tcp $logoptions
echo "Mangled/Invalid Packet Logging enabled on:" echo "Mangled/Invalid Packet Logging enabled on:"
for interface in $interfaces; do for interface in $interfaces; do
@ -3476,13 +3480,13 @@ add_common_rules() {
;; ;;
esac esac
run_iptables -A rfc1918 -s $subnet -j $target run_iptables2 -A rfc1918 -s $subnet -j $target
# #
# If packet mangling is enabled, trap packets with an # If packet mangling is enabled, trap packets with an
# RFC1918 destination # RFC1918 destination
# #
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" ]; then
run_iptables -t mangle -A man1918 -d $subnet -j $target run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
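Review bot: The rewritten assignments in add_common_rules, `logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:"` / `logoptions="-j LOG $LOGPARAMS ..."` and the two matching logpkt lines, still read `$LOGPARAMS`, while every other logging rule touched by this commit (add_a_rule, add_blacklist_rule) reads `$LOGPARMS`; if `LOGPARMS` is the configured name, `$LOGPARAMS` is unset and the configured log parameters (e.g. a rate limit) are silently dropped from the badpkt and logpkt rules, which is worth fixing while these lines are being rewritten — `logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:"` and the corresponding `-j LOG $LOGPARMS` forms, or confirm which spelling shorewall.conf actually defines. In the first hunk, run_iptables runs `iptables $@` unquoted, so every argument is word-split and glob-expanded a second time; `iptables "$@"` passes the already-split words through unchanged, and the `fix_bang` branch of run_iptables2 re-splits its backtick output anyway, so nothing visible here depends on the second split. The unchanged context line `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info` next to the logpkt changes is missing the space after `-z`, making it a non-empty-string test that is always true, so LOGUNCLEAN is unconditionally overwritten; it predates this commit but sits beside the edited lines. add_common_rules and add_a_rule both begin and end outside the hunks shown.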