Significantly improve 'shorewall generate'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3238 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d81f2ca29e
commit
af973cf234
@ -4047,6 +4047,8 @@ setup_accounting() # $1 = Name of accounting file
|
|||||||
|
|
||||||
echo "Setting up Accounting..."
|
echo "Setting up Accounting..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring Accounting..."
|
||||||
|
|
||||||
strip_file accounting $1
|
strip_file accounting $1
|
||||||
|
|
||||||
while read action chain source dest proto port sport user ; do
|
while read action chain source dest proto port sport user ; do
|
||||||
@ -7472,6 +7474,8 @@ setup_blacklist() {
|
|||||||
if [ -n "$hosts" -a -f $f ]; then
|
if [ -n "$hosts" -a -f $f ]; then
|
||||||
echo "Setting up Blacklisting..."
|
echo "Setting up Blacklisting..."
|
||||||
|
|
||||||
|
[ $COMMAND = restore ] && save_progress_message "Restoring Blacklisting..."
|
||||||
|
|
||||||
strip_file blacklist $f
|
strip_file blacklist $f
|
||||||
|
|
||||||
createchain blacklst no
|
createchain blacklst no
|
||||||
@ -7801,6 +7805,8 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
echo "Deleting user chains..."
|
echo "Deleting user chains..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Deleting user chains..."
|
||||||
|
|
||||||
exists_INPUT=Yes
|
exists_INPUT=Yes
|
||||||
exists_OUTPUT=Yes
|
exists_OUTPUT=Yes
|
||||||
exists_FORWARD=Yes
|
exists_FORWARD=Yes
|
||||||
@ -7844,10 +7850,11 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
if [ -f $f ]; then
|
if [ -f $f ]; then
|
||||||
echo "Processing $f ..."
|
echo "Processing $f ..."
|
||||||
ipset -U :all: :all:
|
save_progress_message "Restoring IPSETS..."
|
||||||
run_ipset -F
|
run_and_save_command "ipset -U :all: :all:"
|
||||||
run_ipset -X
|
run_and_save_command "run_ipset -F"
|
||||||
run_ipset -R < $f
|
run_and_save_command "run_ipset -X"
|
||||||
|
run_and_save_command "run_ipset -R < $f"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_user_exit continue
|
run_user_exit continue
|
||||||
@ -7888,6 +7895,8 @@ initialize_netfilter () {
|
|||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
echo "Restoring dynamic rules..."
|
echo "Restoring dynamic rules..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring dynamic rules..."
|
||||||
|
|
||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
while read target ignore1 ignore2 address rest; do
|
while read target ignore1 ignore2 address rest; do
|
||||||
case $target in
|
case $target in
|
||||||
@ -7905,6 +7914,8 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
echo "Creating Interface Chains..."
|
echo "Creating Interface Chains..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Creating Interface Chains..."
|
||||||
|
|
||||||
for interface in $ALL_INTERFACES; do
|
for interface in $ALL_INTERFACES; do
|
||||||
createchain $(forward_chain $interface) no
|
createchain $(forward_chain $interface) no
|
||||||
run_iptables -A $(forward_chain $interface) $state -j dynamic
|
run_iptables -A $(forward_chain $interface) $state -j dynamic
|
||||||
@ -7929,6 +7940,8 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Populate the smurf chain
|
# Populate the smurf chain
|
||||||
#
|
#
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring SMURF control..."
|
||||||
|
|
||||||
for address in $broadcasts ; do
|
for address in $broadcasts ; do
|
||||||
[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
|
[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
|
||||||
run_iptables -A smurfs $(source_ip_range $address) -j DROP
|
run_iptables -A smurfs $(source_ip_range $address) -j DROP
|
||||||
@ -7973,6 +7986,8 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Process Black List
|
# Process Black List
|
||||||
#
|
#
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring Black List..."
|
||||||
|
|
||||||
setup_blacklist
|
setup_blacklist
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7984,6 +7999,8 @@ add_common_rules() {
|
|||||||
|
|
||||||
echo "Adding Anti-smurf Rules"
|
echo "Adding Anti-smurf Rules"
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Adding Anti-smurf Jumps..."
|
||||||
|
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
ipsec=${host%^*}
|
ipsec=${host%^*}
|
||||||
host=${host#*^}
|
host=${host#*^}
|
||||||
@ -8005,6 +8022,8 @@ add_common_rules() {
|
|||||||
|
|
||||||
echo "Adding rules for DHCP"
|
echo "Adding rules for DHCP"
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring rules for DHCP..."
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
if [ -n "$BRIDGING" ]; then
|
if [ -n "$BRIDGING" ]; then
|
||||||
is_bridge=$( brctl show $interface 2> /dev/null | grep ^$interface[[:space:]] )
|
is_bridge=$( brctl show $interface 2> /dev/null | grep ^$interface[[:space:]] )
|
||||||
@ -8023,6 +8042,8 @@ add_common_rules() {
|
|||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Enabling RFC1918 Filtering"
|
echo "Enabling RFC1918 Filtering"
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring RFC1918 Filtering..."
|
||||||
|
|
||||||
strip_file rfc1918
|
strip_file rfc1918
|
||||||
|
|
||||||
createchain norfc1918 no
|
createchain norfc1918 no
|
||||||
@ -8114,6 +8135,8 @@ add_common_rules() {
|
|||||||
if [ -n "$hosts" ]; then
|
if [ -n "$hosts" ]; then
|
||||||
echo "Setting up TCP Flags checking..."
|
echo "Setting up TCP Flags checking..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring TCP Flags checking..."
|
||||||
|
|
||||||
createchain tcpflags no
|
createchain tcpflags no
|
||||||
|
|
||||||
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
|
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
|
||||||
@ -8280,6 +8303,8 @@ add_common_rules() {
|
|||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$interfaces" ]; then
|
||||||
echo "Setting up Accept Source Routing..."
|
echo "Setting up Accept Source Routing..."
|
||||||
|
|
||||||
|
save_progress_message "Restoring Source Routing..."
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
|
file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
|
||||||
if [ -f $file ]; then
|
if [ -f $file ]; then
|
||||||
@ -8299,6 +8324,8 @@ add_common_rules() {
|
|||||||
if [ -n "$interfaces" ]; then
|
if [ -n "$interfaces" ]; then
|
||||||
echo "Setting up UPnP..."
|
echo "Setting up UPnP..."
|
||||||
|
|
||||||
|
[ $COMMAND = generate ] && save_progress_message "Restoring UPnP..."
|
||||||
|
|
||||||
createnatchain UPnP
|
createnatchain UPnP
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
@ -8739,8 +8766,10 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
echo "Activating Rules..."; activate_rules
|
echo "Activating Rules..."; activate_rules
|
||||||
|
|
||||||
[ -n "$ALIASES_TO_ADD" ] && \
|
if [ -n "$ALIASES_TO_ADD" ]; then
|
||||||
echo "Adding IP Addresses..." && add_ip_aliases
|
echo "Adding IP Addresses..."
|
||||||
|
add_ip_aliases
|
||||||
|
fi
|
||||||
|
|
||||||
for file in chains nat proxyarp zones; do
|
for file in chains nat proxyarp zones; do
|
||||||
append_file $file
|
append_file $file
|
||||||
@ -8885,7 +8914,9 @@ generate_firewall() # $1 = File Name
|
|||||||
|
|
||||||
save_load_kernel_modules
|
save_load_kernel_modules
|
||||||
|
|
||||||
echo "Initializing..."; initialize_netfilter
|
echo "Initializing..."
|
||||||
|
save_progress_message "Initializing..."
|
||||||
|
initialize_netfilter
|
||||||
|
|
||||||
echo "Compiling Proxy ARP"; setup_proxy_arp
|
echo "Compiling Proxy ARP"; setup_proxy_arp
|
||||||
#
|
#
|
||||||
@ -8904,30 +8935,58 @@ generate_firewall() # $1 = File Name
|
|||||||
setup_ipsec
|
setup_ipsec
|
||||||
|
|
||||||
maclist_hosts=$(find_hosts_by_option maclist)
|
maclist_hosts=$(find_hosts_by_option maclist)
|
||||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
|
||||||
|
|
||||||
echo "Compiling $(find_file rules)..."; process_rules
|
if [ -n "$maclist_hosts" ]; then
|
||||||
|
save_progress_message "Restoring MAC Filtration..."
|
||||||
|
setup_mac_lists
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Compiling $(find_file rules)..."
|
||||||
|
save_progress_message "Restoring Rules..."
|
||||||
|
process_rules
|
||||||
|
|
||||||
tunnels=$(find_file tunnels)
|
tunnels=$(find_file tunnels)
|
||||||
[ -f $tunnels ] && \
|
if [ -f $tunnels ]; then
|
||||||
echo "Compiling $tunnels..." && setup_tunnels $tunnels
|
echo "Compiling $tunnels..."
|
||||||
|
save_progress_message "Restoring Tunnels..."
|
||||||
|
setup_tunnels $tunnels
|
||||||
|
fi
|
||||||
|
|
||||||
|
save_progress_message "Restoring Actions..."
|
||||||
|
|
||||||
echo "Compiling Actions..."; process_actions2
|
echo "Compiling Actions..."; process_actions2
|
||||||
process_actions3
|
process_actions3
|
||||||
|
|
||||||
|
save_progress_message "Applying Policies..."
|
||||||
|
|
||||||
echo "Compiling $(find_file policy)..."; apply_policy_rules
|
echo "Compiling $(find_file policy)..."; apply_policy_rules
|
||||||
|
|
||||||
masq=$(find_file masq)
|
masq=$(find_file masq)
|
||||||
[ -f $masq ] && setup_masq $masq
|
if [ -f $masq ]; then
|
||||||
|
save_progress_message "Restoring Masquerading/SNAT..."
|
||||||
|
setup_masq $masq
|
||||||
|
fi
|
||||||
|
|
||||||
tos=$(find_file tos)
|
tos=$(find_file tos)
|
||||||
[ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
|
if [ -f $tos -a -n "$MANGLE_ENABLED" ]; then
|
||||||
|
save_progress_message "Restoring TOS..."
|
||||||
|
process_tos $tos
|
||||||
|
fi
|
||||||
|
|
||||||
ecn=$(find_file ecn)
|
ecn=$(find_file ecn)
|
||||||
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
|
if [ -f $ecn -a -n "$MANGLE_ENABLED" ]; then
|
||||||
|
save_progress_message "Restoring ECN..."
|
||||||
|
setup_ecn $ecn
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$MANGLE_ENABLED" ] && setup_tc
|
if [ -n "$MANGLE_ENABLED" ]; then
|
||||||
|
save_progress_message "Restoring TC Rules..."
|
||||||
|
setup_tc
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Compiling Rule Activation..."; activate_rules
|
echo "Compiling Rule Activation..."
|
||||||
|
save_progress_message "Activating Rules..."
|
||||||
|
activate_rules
|
||||||
|
|
||||||
[ -n "$ALIASES_TO_ADD" ] && \
|
[ -n "$ALIASES_TO_ADD" ] && \
|
||||||
echo "Adding IP Addresses..." && add_ip_aliases
|
echo "Adding IP Addresses..." && add_ip_aliases
|
||||||
|