From cf8cc1a899e92bba65d91437b6ff024c016ca3a6 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 30 Aug 2006 20:33:14 +0000
Subject: [PATCH] Minor Code reorganization -- move code inline from "initialize_netfilter()"

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 460 ++++++++++++++++++++++----------------------
 1 file changed, 224 insertions(+), 236 deletions(-)

diff --git a/Shorewall/compiler b/Shorewall/compiler
index a36b423bb..e5dac7d19 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -3463,241 +3463,6 @@ validate_blacklist() {
 done < $TMP_DIR/blacklist
 }
-#
-# Perform Initialization
-# - Delete all old rules
-# - Delete all user chains
-# - Set the POLICY on all standard chains and add a rule to allow packets
-# that are part of established connections
-# - Determine the zones
-#
-initialize_netfilter () {
- setup_mss()
- {
- case $CLAMPMSS in
- Yes)
- option="--clamp-mss-to-pmtu"
- ;;
- *)
- option="--set-mss $CLAMPMSS"
- ;;
- esac
-
- run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
- }
-
- report_capabilities
-
- if [ -n "$BRIDGING" ]; then
- [ -n "$PHYSDEV_MATCH" ] || fatal_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
- fi
-
- [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
-
- if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
- fatal_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
- fi
-
- [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
- fatal_error "RFC1918_STRICT=Yes requires Connection Tracking match"
-
- progress_message2 "Determining Zones..."
-
- determine_zones
-
- if [ $VERBOSE -ge 1 ]; then
- display_list "IPv4 Zones:" $IPV4_ZONES
- [ -n "$IPSEC_ZONES" ] && \
- display_list "IPSEC Zones:" $IPSEC_ZONES
- display_list "Firewall Zone:" $FW
- fi
-
- progress_message2 "Validating interfaces file..."
-
- validate_interfaces_file
-
- progress_message2 "Validating hosts file..."
-
- validate_hosts_file
-
- define_builtin_actions
-
- if [ -n "$USE_ACTIONS" ]; then
- progress_message2 "Pre-processing Actions..."
- process_actions1
- fi
-
- progress_message2 "Validating Policy file..."
-
- validate_policy
-
- progress_message2 "Determining Hosts in Zones..."
-
- determine_interfaces
- determine_hosts
-
- append_file init
-
- strip_file rules
- strip_file maclist
-
- TERMINATOR=fatal_error
-
- deletechain shorewall
-
- if [ -n "$NAT_ENABLED" ]; then
- delete_nat
- for chain in PREROUTING POSTROUTING OUTPUT; do
- qt_iptables -t nat -P $chain ACCEPT
- done
- fi
-
- delete_proxy_arp
-
- if [ -n "$MANGLE_ENABLED" ]; then
- run_iptables -t mangle -F
- run_iptables -t mangle -X
- for chain in PREROUTING INPUT FORWARD POSTROUTING; do
- qt_iptables -t mangle -P $chain ACCEPT
- done
- fi
-
- if [ -n "$RAW_TABLE" ]; then
- run_iptables -t raw -F
- run_iptables -t raw -X
- for chain in PREROUTING OUTPUT; do
- qt_iptables -t raw -P $chain ACCEPT
- done
- fi
-
- [ -n "$CLEAR_TC" ] && delete_tc
-
- progress_message2 "Deleting user chains..."
-
- save_progress_message "Deleting user chains..."
-
- exists_INPUT=Yes
- exists_OUTPUT=Yes
- exists_FORWARD=Yes
-
- process_criticalhosts
-
- if [ -n "$CRITICALHOSTS" ]; then
-
- setpolicy INPUT ACCEPT
- setpolicy OUTPUT ACCEPT
- setpolicy FORWARD DROP
-
- deleteallchains
-
- enable_critical_hosts
-
- setpolicy INPUT DROP
- setpolicy OUTPUT DROP
-
- [ -n "$CLAMPMSS" ] && setup_mss
-
- setcontinue FORWARD
- setcontinue INPUT
- setcontinue OUTPUT
- else
-
- setpolicy INPUT DROP
- setpolicy OUTPUT DROP
- setpolicy FORWARD DROP
-
- deleteallchains
-
- [ -n "$CLAMPMSS" ] && setup_mss
-
- setcontinue FORWARD
- setcontinue INPUT
- setcontinue OUTPUT
- fi
-
- f=$(find_file ipsets)
-
- if [ -f $f ]; then
- progress_message2 "Processing $f ..."
- save_progress_message "Restoring IPSETS..."
- save_command "ipset -U :all: :all:"
- save_command "ipset -F"
- save_command "ipset -X"
- save_command "ipset -R < $f"
- fi
-
- append_file continue
-
- f=$(find_file routestopped)
-
- progress_message2 "$DOING $f ..."
-
- strip_file routestopped $f
-
- process_routestopped -A
-
- if [ -n "$DISABLE_IPV6" ]; then
- save_command disable_ipv6
- fi
-
- save_progress_message "Enabling Loopback and DNS Lookups"
-
- #
- # Enable the Loopback interface for now
- #
- run_iptables -A INPUT -i lo -j ACCEPT
- run_iptables -A OUTPUT -o lo -j ACCEPT
-
- #
- # Allow DNS lookups during startup for FQDNs
- #
-
- for chain in INPUT OUTPUT FORWARD; do
- run_iptables -A $chain -p udp --dport 53 -j ACCEPT
- done
-
- strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
-
- createchain reject no
- createchain dynamic no
- createchain logdrop no
- createchain logreject no
- createchain smurfs no
-
- log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
- log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
-
- run_iptables -A logdrop -j DROP
- run_iptables -A logreject -j reject
-
- indent >&3 << __EOF__
-
-if [ -f \${VARDIR}/save ]; then
- progress_message2 "Setting up dynamic rules..."
- while read target ignore1 ignore2 address rest; do
- case \$target in
- DROP|reject|logdrop|logreject)
- run_iptables -A dynamic -s \$address -j \$target
- ;;
- esac
- done < \${VARDIR}/save
-fi
-__EOF__
-
- [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
-
- progress_message2 "Creating Interface Chains..."
-
- save_progress_message "Creating Interface Chains..."
-
- for interface in $ALL_INTERFACES; do
- for chain in $(input_chain $interface) $(forward_chain $interface); do
- createchain $chain no
- run_iptables -A $chain $state -j dynamic
- done
- done
-}
-
 #
 # Construct zone-independent rules
 #
@@ -4814,6 +4579,20 @@ compile_firewall() # $1 = File Name
 local INDENT=""
 local checking=
+ setup_mss()
+ {
+ case $CLAMPMSS in
+ Yes)
+ option="--clamp-mss-to-pmtu"
+ ;;
+ *)
+ option="--set-mss $CLAMPMSS"
+ ;;
+ esac
+
+ run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
+ }
+
 outfile=$1
 dir=
 #
 # Overload a function from the library
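Review bot: `setup_mss` builds `option` from `$CLAMPMSS` and then expands `$option` unquoted on the `run_iptables -A FORWARD ... -j TCPMSS $option` line, so a CLAMPMSS value that is neither `Yes` nor a plain integer (one containing whitespace, for instance) is handed to iptables as extra arguments instead of being rejected when the firewall is compiled. The compiler already reports unsupported configuration through `fatal_error`, so an arm ahead of `*)`, `*[!0-9]*) fatal_error "Invalid CLAMPMSS setting ($CLAMPMSS)" ;;`, would keep the failure at compile time with a clear message. `option` is also assigned without `local`, so it stays set after the call; the function now sits beside `local INDENT=""`, and `local option` at its top would match that convention. The enclosing compile_firewall body starts before this hunk and continues past it.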
@@ -5145,7 +4924,216 @@ __EOF__
 progress_message2 "Initializing..."
 save_progress_message "Initializing..."
- initialize_netfilter
+ report_capabilities
+
+ if [ -n "$BRIDGING" ]; then
+ [ -n "$PHYSDEV_MATCH" ] || fatal_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
+ fi
+
+ [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+ if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+ fatal_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+ fi
+
+ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
+ fatal_error "RFC1918_STRICT=Yes requires Connection Tracking match"
+
+ progress_message2 "Determining Zones..."
+
+ determine_zones
+
+ if [ $VERBOSE -ge 1 ]; then
+ display_list "IPv4 Zones:" $IPV4_ZONES
+ [ -n "$IPSEC_ZONES" ] && \
+ display_list "IPSEC Zones:" $IPSEC_ZONES
+ display_list "Firewall Zone:" $FW
+ fi
+
+ progress_message2 "Validating interfaces file..."
+
+ validate_interfaces_file
+
+ progress_message2 "Validating hosts file..."
+
+ validate_hosts_file
+
+ define_builtin_actions
+
+ if [ -n "$USE_ACTIONS" ]; then
+ progress_message2 "Pre-processing Actions..."
+ process_actions1
+ fi
+
+ progress_message2 "Validating Policy file..."
+
+ validate_policy
+
+ progress_message2 "Determining Hosts in Zones..."
+
+ determine_interfaces
+ determine_hosts
+
+ append_file init
+
+ strip_file rules
+ strip_file maclist
+
+ TERMINATOR=fatal_error
+
+ deletechain shorewall
+
+ if [ -n "$NAT_ENABLED" ]; then
+ delete_nat
+ for chain in PREROUTING POSTROUTING OUTPUT; do
+ qt_iptables -t nat -P $chain ACCEPT
+ done
+ fi
+
+ delete_proxy_arp
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ run_iptables -t mangle -F
+ run_iptables -t mangle -X
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt_iptables -t mangle -P $chain ACCEPT
+ done
+ fi
+
+ if [ -n "$RAW_TABLE" ]; then
+ run_iptables -t raw -F
+ run_iptables -t raw -X
+ for chain in PREROUTING OUTPUT; do
+ qt_iptables -t raw -P $chain ACCEPT
+ done
+ fi
+
+ [ -n "$CLEAR_TC" ] && delete_tc
+
+ progress_message2 "Deleting user chains..."
+
+ save_progress_message "Deleting user chains..."
+
+ exists_INPUT=Yes
+ exists_OUTPUT=Yes
+ exists_FORWARD=Yes
+
+ process_criticalhosts
+
+ if [ -n "$CRITICALHOSTS" ]; then
+
+ setpolicy INPUT ACCEPT
+ setpolicy OUTPUT ACCEPT
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ enable_critical_hosts
+
+ setpolicy INPUT DROP
+ setpolicy OUTPUT DROP
+
+ [ -n "$CLAMPMSS" ] && setup_mss
+
+ setcontinue FORWARD
+ setcontinue INPUT
+ setcontinue OUTPUT
+ else
+
+ setpolicy INPUT DROP
+ setpolicy OUTPUT DROP
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ [ -n "$CLAMPMSS" ] && setup_mss
+
+ setcontinue FORWARD
+ setcontinue INPUT
+ setcontinue OUTPUT
+ fi
+
+ f=$(find_file ipsets)
+
+ if [ -f $f ]; then
+ progress_message2 "Processing $f ..."
+ save_progress_message "Restoring IPSETS..."
+ save_command "ipset -U :all: :all:"
+ save_command "ipset -F"
+ save_command "ipset -X"
+ save_command "ipset -R < $f"
+ fi
+
+ append_file continue
+
+ f=$(find_file routestopped)
+
+ progress_message2 "$DOING $f ..."
+
+ strip_file routestopped $f
+
+ process_routestopped -A
+
+ if [ -n "$DISABLE_IPV6" ]; then
+ save_command disable_ipv6
+ fi
+
+ save_progress_message "Enabling Loopback and DNS Lookups"
+
+ #
+ # Enable the Loopback interface for now
+ #
+ run_iptables -A INPUT -i lo -j ACCEPT
+ run_iptables -A OUTPUT -o lo -j ACCEPT
+
+ #
+ # Allow DNS lookups during startup for FQDNs
+ #
+
+ for chain in INPUT OUTPUT FORWARD; do
+ run_iptables -A $chain -p udp --dport 53 -j ACCEPT
+ done
+
+ strip_file_and_lib_load accounting accounting && setup_accounting $(find_file accounting)
+
+ createchain reject no
+ createchain dynamic no
+ createchain logdrop no
+ createchain logreject no
+ createchain smurfs no
+
+ log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
+ log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
+
+ run_iptables -A logdrop -j DROP
+ run_iptables -A logreject -j reject
+
+ indent >&3 << __EOF__
+
+if [ -f \${VARDIR}/save ]; then
+ progress_message2 "Setting up dynamic rules..."
+ while read target ignore1 ignore2 address rest; do
+ case \$target in
+ DROP|reject|logdrop|logreject)
+ run_iptables -A dynamic -s \$address -j \$target
+ ;;
+ esac
+ done < \${VARDIR}/save
+fi
+__EOF__
+
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
+
+ progress_message2 "Creating Interface Chains..."
+
+ save_progress_message "Creating Interface Chains..."
+
+ for interface in $ALL_INTERFACES; do
+ for chain in $(input_chain $interface) $(forward_chain $interface); do
+ createchain $chain no
+ run_iptables -A $chain $state -j dynamic
+ done
+ done
 if strip_file_and_lib_load proxyarp proxyarp; then
 progress_message2 "$DOING Proxy ARP"
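Review bot: The roughly two hundred lines inlined here arrive with no header comment, while the function they replace carried one (`# Perform Initialization`, listing rule deletion, user-chain deletion, policy setup and zone determination) that the first hunk deletes and this hunk does not carry over, so compile_firewall now runs from `report_capabilities` through the interface-chain loop with only progress messages to orient a reader. I would restore it ahead of `report_capabilities`, e.g. `# Initialization: check capabilities, determine zones and hosts, reset the nat/mangle/raw tables and policies, then emit the start-up rules (loopback, DNS, dynamic blacklist, per-interface chains).`. Separately, the `# Allow DNS lookups during startup for FQDNs` loop appends an unconditional `-p udp --dport 53 -j ACCEPT` to INPUT, OUTPUT and FORWARD after the policies have been set to DROP; whatever later removes those rules is not in this hunk, so a comment naming where that start-up window is closed would help the next reader confirm it is. The compile_firewall body begins before this hunk and continues past it.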