Allow exclusion lists in Actions
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2518 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
474e042d47
commit
c88858382c
@ -9,6 +9,8 @@ Changes in 2.5.3
|
||||
|
||||
4) Implement find_interface_by_mac()
|
||||
|
||||
5) Allow exclusion lists in actions.
|
||||
|
||||
Changes in 2.5.2
|
||||
|
||||
1) Allow port lists in /etc/sorewall/accounting.
|
||||
|
@ -3682,6 +3682,8 @@ refresh_tc() {
|
||||
#
|
||||
add_an_action()
|
||||
{
|
||||
local chain1
|
||||
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
@ -3712,6 +3714,20 @@ add_an_action()
|
||||
verify_interface $1 || interface_error $1
|
||||
}
|
||||
|
||||
handle_exclusion()
|
||||
{
|
||||
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
|
||||
|
||||
run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain1
|
||||
|
||||
cli=
|
||||
proto=
|
||||
sports=
|
||||
multiport=
|
||||
dports=
|
||||
user=
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
@ -3766,6 +3782,8 @@ add_an_action()
|
||||
proto=$protocol
|
||||
servport=$serverport
|
||||
multiport=
|
||||
chain1=$chain
|
||||
user="$userandgroup"
|
||||
|
||||
[ x$port = x- ] && port=
|
||||
[ x$cport = x- ] && cport=
|
||||
@ -3798,26 +3816,30 @@ add_an_action()
|
||||
esac
|
||||
|
||||
if [ $COMMAND != check ]; then
|
||||
if [ -n "${excludesource}${excludedest}" ]; then
|
||||
handle_exclusion
|
||||
fi
|
||||
|
||||
if [ -n "${serv}" ]; then
|
||||
for serv1 in $(separate_list $serv); do
|
||||
for srv in $(firewall_ip_range $serv1); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
|
||||
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
|
||||
done
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \
|
||||
$dports $ratelimit $userandgroup -j $target
|
||||
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports \
|
||||
$dports $ratelimit $user -j $target
|
||||
fi
|
||||
fi
|
||||
}
|
||||
@ -3950,6 +3972,42 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
;;
|
||||
esac
|
||||
|
||||
excludesource=
|
||||
|
||||
case ${clients:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid SOURCE in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $clients) -gt 1 ]; then
|
||||
excludesource=${clients#!}
|
||||
clients=
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludesource=${clients#*!}
|
||||
clients=${clients%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
excludedest=
|
||||
|
||||
case ${servers:=-} in
|
||||
*!*!*)
|
||||
fatal_error "Invalid DEST in rule \"$rule\""
|
||||
;;
|
||||
!*)
|
||||
if [ $(list_count $servers) -gt 1 ]; then
|
||||
excludedest=${servers#*!}
|
||||
servers=
|
||||
fi
|
||||
;;
|
||||
*!*)
|
||||
excludedest=${servers#*!}
|
||||
servers=${servers%!*}
|
||||
;;
|
||||
esac
|
||||
|
||||
# Generate Netfilter rule(s)
|
||||
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
@ -3964,8 +4022,8 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
for client in $(separate_list $clients); do
|
||||
for server in $(separate_list $servers); do
|
||||
#
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
@ -3986,8 +4044,8 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
# 16 ports are listed - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
for client in $(separate_list $clients); do
|
||||
for server in $(separate_list $servers); do
|
||||
#
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
@ -4001,8 +4059,8 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
# MULTIPORT is disabled or the rule isn't compatible with multiport match
|
||||
#
|
||||
multioption=
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
for client in $(separate_list $clients); do
|
||||
for server in $(separate_list $servers); do
|
||||
for port in $(separate_list ${ports:=-}); do
|
||||
for cport in $(separate_list ${cports:=-}); do
|
||||
add_an_action
|
||||
|
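Review bot: In the process_action hunk, the `!*)` branches set `clients=` and `servers=` to the empty string, while the loops further down were changed from `${clients:=-}` / `${servers:=-}` to plain `$clients` / `$servers`; if separate_list emits nothing for an empty argument (its body is not visible here), an action entry whose SOURCE or DEST is `!addr1,addr2` never enters the loop, add_an_action is never called, and neither the exclusion chain nor the rule is generated. Setting the placeholder explicitly, `clients=-` and `servers=-`, keeps the loops iterating once as before, matching the `*!*)` branches which always leave a non-empty value. The two `!*)` branches also strip the leading bang differently, `${clients#!}` versus `${servers#*!}`; both are equivalent for a leading `!`, but using one form in both places would make the intended symmetry obvious. Both add_an_action and process_action begin and end outside these hunks.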
@ -6,7 +6,8 @@ New Features in Shorewall 2.5.3
|
||||
|
||||
1) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
|
||||
Shorewall will generate the rule that you expect.
|
||||
in action files and Shorewall will generate the rule that you
|
||||
expect.
|
||||
|
||||
2) Tunnel types "openvpnserver" and "openvpnclient" have been added
|
||||
to reflect the introduction of client and server OpenVPN
|
||||
@ -41,49 +42,6 @@ Problems Corrected in 2.5.2:
|
||||
2) The packet type match capability is now correctly reported when
|
||||
PKTTYPE=No in /etc/shorewall/shorewall.conf.
|
||||
|
||||
New Features in Shorewall 2.5.2
|
||||
|
||||
1) A new FASTACCEPT option has been added to shorewall.conf.
|
||||
|
||||
Normally, Shorewall accepting ESTABLISHED/RELATED packets until
|
||||
these packets reach the chain in which the original connection was
|
||||
accepted. So for packets going from the 'loc' zone to the 'net'
|
||||
zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
|
||||
chain.
|
||||
|
||||
If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
|
||||
accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
|
||||
FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
|
||||
/etc/shorewall/policy (see above).
|
||||
|
||||
2) Shorewall not generates an error if the 'norfc1918' option is
|
||||
specified for an interface with an RFC 1918 address.
|
||||
|
||||
3) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/rules and
|
||||
Shorewall will generate the rule that you expect.
|
||||
|
||||
Example 1:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 \
|
||||
net tcp 80
|
||||
|
||||
That rule would allow loc->net HTTP access except for the local
|
||||
networks 192.168.1.0/24 and 10.0.0.0/8.
|
||||
|
||||
Example 2:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc:192.168.1.0/24!192.168.1.3,192.168.1.10 \
|
||||
net tcp 80
|
||||
|
||||
This rule allows loc->net HTTP access to the 192.168.1.0/24
|
||||
network except for hosts 192.168.1.3 and 192.168.1.10.
|
||||
|
||||
4) /proc/version has been added to the output of the "shorewall dump"
|
||||
command.
|
||||
|
||||
Problems Corrected in 2.5.1:
|
||||
|
||||
1) Shorewall is no longer dependent on the 'which' utility.
|
||||
@ -417,10 +375,11 @@ New Features in Shorewall 2.5.*
|
||||
specified for an interface with an RFC 1918 address.
|
||||
|
||||
10) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/rules and
|
||||
Shorewall will generate the rule that you expect.
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/rules,
|
||||
/etc/shorewall/tcrules and in action files and Shorewall will
|
||||
generate the rule that you expect.
|
||||
|
||||
Example:
|
||||
Example 1 (/etc/shorewall/rules):
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc:!192.168.1.0/24,10.0.0.0/8 net tcp 80
|
||||
@ -428,6 +387,15 @@ New Features in Shorewall 2.5.*
|
||||
That rule would allow loc->net HTTP access except for the local
|
||||
networks 192.168.1.0/24 and 10.0.0.0/8.
|
||||
|
||||
Example 2 (/etc/shorewall/rules):
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc:10.0.0.0/24!10.0.0.4,10.0.0.22 \
|
||||
net tcp 80
|
||||
|
||||
That rule would allow loc->net HTTP access from the local
|
||||
network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22.
|
||||
|
||||
11) You may now specify "!" followed by a list of addresses in the
|
||||
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
|
||||
Shorewall will generate the rule that you expect.
|
||||
|