Preparation for 'generate' command
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3236 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e3bf8645b0
commit
d145351222
@ -151,6 +151,21 @@ append_file() # $1 = File Name
|
||||
save_command __EOF__
|
||||
}
|
||||
|
||||
#
|
||||
# Run iptables -- we define this so that it may be overloaded in the compiler
|
||||
#
|
||||
do_iptables() {
|
||||
$IPTABLES $@
|
||||
}
|
||||
|
||||
#
|
||||
# Run iptables quietly -- we define this so that it may be overloaded in the compiler
|
||||
#
|
||||
qt_iptables() {
|
||||
$IPTABLES $@
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Run iptables and if an error occurs, stop the firewall and quit
|
||||
#
|
||||
@ -342,14 +357,6 @@ havechain() # $1 = name of chain
|
||||
eval test \"\$exists_${c}\" = Yes
|
||||
}
|
||||
|
||||
#
|
||||
# Query NetFilter about the existence of a mangle chain
|
||||
#
|
||||
mangle_chain_exists() # $1 = chain name
|
||||
{
|
||||
qt $IPTABLES -t mangle -L $1 -n
|
||||
}
|
||||
|
||||
#
|
||||
# Ensure that a chain exists (create it if it doesn't)
|
||||
#
|
||||
@ -378,6 +385,39 @@ addrule2() # $1 = chain name, remainder of arguments specify the rule
|
||||
run_iptables2 -A $@
|
||||
}
|
||||
|
||||
#
|
||||
# Create a mangle chain
|
||||
#
|
||||
# Create a variable exists_mangle_${1} and set its value to Yes to indicate that
|
||||
# the chain now exists.
|
||||
#
|
||||
createmanglechain() # $1 = chain name
|
||||
{
|
||||
run_iptables -t mangle -N $1
|
||||
|
||||
eval exists_mangle_${1}=Yes
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a mangle chain exists
|
||||
#
|
||||
# When we create a chain "chain", we create a variable named exists_nat_chain
|
||||
# and set its value to Yes. This function tests for the "exists_" variable
|
||||
# corresponding to the passed chain having the value of "Yes".
|
||||
#
|
||||
havemanglechain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$exists_mangle_${1}\" = Yes
|
||||
}
|
||||
|
||||
#
|
||||
# Ensure that a mangle chain exists (create it if it doesn't)
|
||||
#
|
||||
ensuremanglechain() # $1 = chain name
|
||||
{
|
||||
havemanglechain $1 || createmanglechain $1
|
||||
}
|
||||
|
||||
#
|
||||
# Create a nat chain
|
||||
#
|
||||
@ -1797,22 +1837,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
|
||||
if [ -z "$STOPPING" ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
run_iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
;;
|
||||
*)
|
||||
if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
|
||||
if [ -z "$STOPPING" ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
run_iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1946,7 +1974,7 @@ process_routestopped() # $1 = command
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
do_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" -o $COMMAND != stop ] && \
|
||||
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
@ -2015,8 +2043,8 @@ enable_critical_hosts()
|
||||
for host in $CRITICALHOSTS; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
done
|
||||
}
|
||||
|
||||
@ -2029,8 +2057,8 @@ disable_critical_hosts()
|
||||
for host in $CRITICALHOSTS; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
$IPTABLES -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
do_iptables -D INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
do_iptables -D OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
done
|
||||
}
|
||||
|
||||
@ -2761,7 +2789,7 @@ setup_mac_lists() {
|
||||
createchain $1 no
|
||||
;;
|
||||
*)
|
||||
run_iptables -t mangle -N $1
|
||||
createmanglechain $1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
@ -2775,7 +2803,7 @@ setup_mac_lists() {
|
||||
havechain $1 && result=0 || result=1
|
||||
;;
|
||||
*)
|
||||
mangle_chain_exists $1 && result=0 || result=1
|
||||
havemanglechain $1 && result=0 || result=1
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3119,10 +3147,10 @@ setup_ecn() # $1 = file name
|
||||
|
||||
for interface in $interfaces; do
|
||||
chain=$(ecn_chain $interface)
|
||||
if mangle_chain_exists $chain; then
|
||||
if havemanglechain $chain; then
|
||||
flushmangle $chain
|
||||
else
|
||||
run_iptables -t mangle -N $chain
|
||||
createmanglechain $chain
|
||||
run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
|
||||
run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
|
||||
fi
|
||||
@ -3674,10 +3702,10 @@ setup_tc1() {
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
|
||||
run_iptables -t mangle -N tcpre
|
||||
run_iptables -t mangle -N tcfor
|
||||
run_iptables -t mangle -N tcout
|
||||
run_iptables -t mangle -N tcpost
|
||||
createmanglechain tcpre
|
||||
createmanglechain tcfor
|
||||
createmanglechain tcout
|
||||
createmanglechain tcpost
|
||||
#
|
||||
# Process the TC Rules File
|
||||
#
|
||||
@ -3968,7 +3996,7 @@ process_accounting_rule() {
|
||||
|
||||
ensurechain1 $chain
|
||||
|
||||
if $IPTABLES -A $chain $(fix_bang $rule) ; then
|
||||
if do_iptables -A $chain $(fix_bang $rule) ; then
|
||||
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
|
||||
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
|
||||
else
|
||||
@ -4110,7 +4138,7 @@ refresh_tc() {
|
||||
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
|
||||
|
||||
if mangle_chain_exists $chain; then
|
||||
if qt $IPTABLES -t mangle -L $chain -n ; then
|
||||
#
|
||||
# Flush the TC mangle chains
|
||||
#
|
||||
@ -6685,8 +6713,8 @@ process_tos() # $1 = name of tos file
|
||||
strip_file tos $1
|
||||
|
||||
if [ -s $TMP_DIR/tos ] ; then
|
||||
run_iptables -t mangle -N pretos
|
||||
run_iptables -t mangle -N outtos
|
||||
createmanglechain pretos
|
||||
createmanglechain outtos
|
||||
|
||||
while read src dst protocol sport dport tos; do
|
||||
expandv src dst protocol sport dport tos
|
||||
@ -6928,7 +6956,7 @@ setup_routes()
|
||||
|
||||
run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
|
||||
run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
|
||||
run_iptables -t mangle -N routemark
|
||||
createmanglechain routemark
|
||||
|
||||
for interface in $ROUTEMARK_INTERFACES ; do
|
||||
|
||||
@ -7692,7 +7720,7 @@ initialize_netfilter () {
|
||||
if [ -n "$NAT_ENABLED" ]; then
|
||||
delete_nat
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt $IPTABLES -t nat -P $chain ACCEPT
|
||||
qt_iptables -t nat -P $chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
@ -7702,7 +7730,7 @@ initialize_netfilter () {
|
||||
run_iptables -t mangle -F
|
||||
run_iptables -t mangle -X
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt $IPTABLES -t mangle -P $chain ACCEPT
|
||||
qt_iptables -t mangle -P $chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
@ -7710,7 +7738,7 @@ initialize_netfilter () {
|
||||
run_iptables -t raw -F
|
||||
run_iptables -t raw -X
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt $IPTABLES -t raw -P $chain ACCEPT
|
||||
qt_iptables -t raw -P $chain ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
@ -7854,13 +7882,8 @@ add_common_rules() {
|
||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||
#
|
||||
if [ -n "$USEPKTTYPE" ]; then
|
||||
qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
drop_broadcasts
|
||||
fi
|
||||
run_iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
run_iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
else
|
||||
drop_broadcasts
|
||||
fi
|
||||
@ -7876,11 +7899,10 @@ add_common_rules() {
|
||||
#
|
||||
# Not all versions of iptables support these so don't complain if they don't work
|
||||
#
|
||||
qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||
if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
||||
#
|
||||
# In case the above doesn't work
|
||||
#
|
||||
if [ -n "$ENHANCED_REJECT" ]; THEN
|
||||
run_iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||
run_iptables -A reject -j REJECT --reject-with icmp-host-prohibited
|
||||
else
|
||||
run_iptables -A reject -j REJECT
|
||||
fi
|
||||
|
||||
@ -7932,7 +7954,7 @@ add_common_rules() {
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
is_bridge=$( brctl show $interface 2> /dev/null | grep ^$interface[[:space:]] )
|
||||
[ -n "$is_bridge" ] && \
|
||||
$IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
do_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
fi
|
||||
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
||||
@ -7973,8 +7995,8 @@ add_common_rules() {
|
||||
#
|
||||
# Also add a chain to log and drop any RFC1918 packets that we find
|
||||
#
|
||||
run_iptables -t mangle -N man1918
|
||||
run_iptables -t mangle -N rfc1918
|
||||
createmanglechain man1918
|
||||
createmanglechain rfc1918
|
||||
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
|
||||
run_iptables -t mangle -A rfc1918 -j DROP
|
||||
fi
|
||||
@ -9132,7 +9154,7 @@ do_initialize() {
|
||||
# Give Usage Information
|
||||
#
|
||||
usage() {
|
||||
echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear|{add|delete} <interface>[:hosts] zone}}"
|
||||
echo "Usage: $0 [debug] {start|stop|reset|restart|refresh|clear|generate <filename>}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
@ -9247,6 +9269,12 @@ case "$COMMAND" in
|
||||
check_config
|
||||
;;
|
||||
|
||||
generate)
|
||||
[ $# -ne 2 ] && usage
|
||||
. /usr/share/shorewall/compiler
|
||||
compile $2
|
||||
;;
|
||||
|
||||
call)
|
||||
#
|
||||
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
|
||||
|
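Review bot: The new `add_common_rules` lines carry two shell syntax errors that will stop the whole script from being parsed: the multicast rule keeps a dangling `; then` from the removed `if !` (`run_iptables -A reject -m pkttype --pkt-type multicast -j DROP; then`) and the reject branch uses an upper-case keyword (`if [ -n "$ENHANCED_REJECT" ]; THEN`), which bash does not recognise as `then`. They should read `run_iptables -A reject -m pkttype --pkt-type multicast -j DROP` and `if [ -n "$ENHANCED_REJECT" ]; then`. The comment above the reject rules ("Not all versions of iptables support these so don't complain if they don't work") is now stale, since `run_iptables` stops the firewall on failure and the capability variable is what guards them; I'd reword it to `# Only use the --reject-with variants when determine_capabilities found support for them`. Note also that with USEPKTTYPE set a failing pkttype rule no longer falls back to `drop_broadcasts` but aborts through `run_iptables`; if that is intended it is worth saying so in the commit message. `add_common_rules` starts and ends outside these hunks.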
@ -898,6 +898,7 @@ determine_capabilities() {
|
||||
RAW_TABLE=
|
||||
IPP2P_MATCH=
|
||||
CLASSIFY_TARGET=
|
||||
ENHANCED_REJECT=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -910,6 +911,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
|
||||
@ -965,6 +967,7 @@ report_capabilities() {
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
report_capability "Enhanced REJECT" $ENHANCED_REJECT
|
||||
|
||||
}
|
||||
|
||||
|
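Review bot: The ENHANCED_REJECT probe only exercises `--reject-with icmp-host-prohibited`, but the code it gates in the firewall hunk above also emits `--reject-with icmp-host-unreachable` through `run_iptables`, which stops the firewall on failure rather than falling back as the old `qt` calls did. If one flag is meant to cover both variants, the probe should try both: `qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-unreachable && qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes`. A short comment next to the new variable, e.g. `# ENHANCED_REJECT=Yes when REJECT accepts --reject-with icmp-host-prohibited`, would also help, since the name alone does not say what it covers. `determine_capabilities` and `report_capabilities` both continue outside these hunks.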