Update for Shorewall 2.0.12
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1792 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
950b92d9d9
commit
c3268309ac
@ -470,7 +470,7 @@ MUTEX_TIMEOUT=60
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
|
@ -1070,7 +1070,9 @@ case "$1" in
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
|
||||
chmod +x $RESTOREPATH
|
||||
echo " Currently-running Configuration Saved to $RESTOREPATH"
|
||||
else
|
||||
|
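Review bot: The new save path appends restore-tail and then runs `mv -f` and `chmod +x` without checking that the `cat` succeeded, so a failed append (disk full, unreadable tail) still yields an executable `$RESTOREPATH` that is missing its tail, while the preceding `iptables-save` is guarded by `if`. Because the result is made executable with `chmod +x` and is presumably run as a script on restore, a truncated copy is worse than no copy; make the append part of the condition, e.g. `if iptables-save >> /var/lib/shorewall/restore-$$ && { [ ! -f /var/lib/shorewall/restore-tail ] || cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$; }; then`. `$RESTOREPATH` is also unquoted in the `mv`, `chmod` and `echo` lines. The enclosing `case` arm starts and ends outside the hunk.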
@ -178,6 +178,16 @@ run_iptables2() {
|
||||
run_iptables $(fix_bang $@)
|
||||
}
|
||||
|
||||
#
|
||||
# Quietly run iptables
|
||||
#
|
||||
qt_iptables() {
|
||||
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
|
||||
qt iptables $@
|
||||
}
|
||||
|
||||
#
|
||||
# Run ip and if an error occurs, stop the firewall and quit
|
||||
#
|
||||
@ -5218,7 +5228,7 @@ add_common_rules() {
|
||||
|
||||
run_iptables -A $(input_chain $interface) -j $chain
|
||||
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
||||
run_iptables -A OUTPUT -j $(dynamic_out $interface)
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
|
||||
@ -5594,6 +5604,25 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
[ -n "$aliases_to_add" ] && \
|
||||
echo "Adding IP Addresses..." && add_ip_aliases
|
||||
|
||||
for file in chains nat proxyarp zones; do
|
||||
append_file $file
|
||||
done
|
||||
|
||||
save_progress_message "Restoring Netfilter Configuration..."
|
||||
|
||||
save_command 'iptables-restore << __EOF__'
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
|
||||
|
||||
> $RESTOREBASE
|
||||
|
||||
save_command "#"
|
||||
save_command "# Restore tail file generated by Shorewall $version - $(date)"
|
||||
save_command "#"
|
||||
save_command "date > $STATEDIR/restarted"
|
||||
|
||||
run_user_exit start
|
||||
|
||||
createchain shorewall no
|
||||
@ -5604,19 +5633,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
rm -rf $TMP_DIR
|
||||
|
||||
for file in chains nat proxyarp zones; do
|
||||
append_file $file
|
||||
done
|
||||
|
||||
save_command "date > $STATEDIR/restarted"
|
||||
|
||||
save_progress_message "Restoring Netfilter Configuration..."
|
||||
|
||||
save_command 'iptables-restore << __EOF__'
|
||||
|
||||
# 'shorewall save' appends the iptables-save output and '__EOF__'
|
||||
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-base
|
||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||
|
||||
}
|
||||
|
||||
@ -5673,6 +5691,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
|
||||
do_iptables() # $@ = command
|
||||
{
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
if ! iptables $@ ; then
|
||||
startup_error "Can't add $1 to zone $2"
|
||||
fi
|
||||
@ -5681,7 +5700,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Isolate interface and host parts
|
||||
#
|
||||
interface=${1%:*}
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
|
||||
[ -z "$host" ] && host="0.0.0.0/0"
|
||||
@ -5756,7 +5775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
chain=${zone}_dnat
|
||||
|
||||
if nat_chain_exists $chain; then
|
||||
do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain
|
||||
do_iptables -t nat -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
|
||||
fi
|
||||
#
|
||||
# Insert new rules into the filter table for the passed interface
|
||||
@ -5764,7 +5783,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
do_iptables -A $(dynamic_in $interface) -s $host -j $chain
|
||||
do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -5774,7 +5793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
|
||||
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -5783,7 +5802,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Add a rule to the dynamic out chain for the interface
|
||||
#
|
||||
do_iptables -A $(dynamic_out $interface) -d $host -j $chain
|
||||
do_iptables -A $(dynamic_out $interface) $(match_destination_hosts $host) -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
@ -5792,7 +5811,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain
|
||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -5838,7 +5857,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Isolate interface and host parts
|
||||
#
|
||||
interface=${1%:*}
|
||||
interface=${1%%:*}
|
||||
host=${1#*:}
|
||||
|
||||
[ -z "$host" ] && host="0.0.0.0/0"
|
||||
@ -5887,14 +5906,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Delete any nat table entries for the host(s)
|
||||
#
|
||||
qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat
|
||||
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) -j ${zone}_dnat
|
||||
#
|
||||
# Delete rules rules the input chains for the passed interface
|
||||
#
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt iptables -D $(dynamic_in $interface) -s $host -j $chain
|
||||
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -5904,13 +5923,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
|
||||
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ "$z2" = "$zone" ]; then
|
||||
if [ "$z1" = "$FW" ]; then
|
||||
qt iptables -D $(dynamic_out $interface) -d $host -j $chain
|
||||
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
@ -5919,7 +5938,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
|
||||
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
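Review bot: In define_firewall the relocated `mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$` is immediately followed by `> $RESTOREBASE`, and neither is checked; if the `mv` fails the truncation destroys the only copy of the restore base, the later `mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base` fails as well, and the run continues with no restore-base at all. Guard the first move and abort on failure before truncating, e.g. `mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$ || { echo "   ERROR: cannot preserve $RESTOREBASE" >&2; exit 1; }` (or the script's own fatal-error helper, which I cannot identify from this page). Separately, the new qt_iptables repeats the physdev-removal line already present in do_iptables and passes `$@` unquoted where `"$@"` would hand the caller's words through untouched; a single shared helper would keep the two in step. The define_firewall and add_to_zone bodies both start outside their hunks.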
@ -52,9 +52,9 @@ qt()
|
||||
#
|
||||
# Perform variable substitution on the passed argument and echo the result
|
||||
#
|
||||
expand() # $1 = contents of variable which may be the name of another variable
|
||||
expand() # $@ = contents of variable which may be the name of another variable
|
||||
{
|
||||
eval echo \"$1\"
|
||||
eval echo \"$@\"
|
||||
}
|
||||
|
||||
#
|
||||
@ -434,7 +434,7 @@ read_file() # $1 = file name, $2 = nest count
|
||||
while read first rest; do
|
||||
if [ "x$first" = "xINCLUDE" ]; then
|
||||
if [ $2 -lt 4 ]; then
|
||||
read_file $(find_file ${rest%#*}) $(($2 + 1))
|
||||
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
|
||||
else
|
||||
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
|
||||
fi
|
||||
@ -452,7 +452,7 @@ read_file() # $1 = file name, $2 = nest count
|
||||
# Function for including one file into another
|
||||
#
|
||||
INCLUDE() {
|
||||
. $(find_file $@)
|
||||
. $(find_file $(expand $@))
|
||||
}
|
||||
|
||||
#
|
||||
|
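Review bot: The new `expand` body `eval echo \"$@\"` means every INCLUDE argument, both in `read_file` and in the `INCLUDE` function, is now evaluated as shell text, so `$(...)`, backquotes and nested variable references on an INCLUDE line are executed rather than treated as part of a file name. That matches the rest of the configuration being sourced as shell, but it is a change of contract that the header comment should state, e.g. `# NOTE: the argument is passed through eval, so INCLUDE lines are trusted shell text, not literal paths`. The read_file body continues outside the hunk.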
@ -29,11 +29,11 @@
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
shorewall add interface[:port][:host] zone - Adds the specified interface
|
||||
(and bridge port/host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
@ -93,11 +93,11 @@ debug)
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||
interface (and bridge port/host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
|
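Review bot: The new usage text for `add` and `delete` names the middle component `<bridge-port>` in the synopsis line but `port` in the explanatory line (`interface[:port][:host]`), so the reader sees two names for one thing. Use one token in both places, e.g. `shorewall add interface[:bridge-port][:host] zone - Adds the specified interface`, and the corresponding line in the delete text.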
@ -1 +1 @@
|
||||
2.0.11
|
||||
2.0.12
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.11
|
||||
VERSION=2.0.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.11
|
||||
VERSION=2.0.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.11
|
||||
%define version 2.0.12
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -141,6 +141,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.12-1
|
||||
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.11-1
|
||||
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.11
|
||||
VERSION=2.0.12
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|