forked from extern/shorewall_code
Compare commits
12 Commits
4.6.6.2
...
4.6.7-base
| Author | SHA1 | Date | |
|---|---|---|---|
|
cdc2d52208 | ||
|
|
18c8f1f835 | ||
|
|
aff8623a44 | ||
|
|
361f5af3e0 | ||
|
|
b14e7c54f9 | ||
|
|
5d110616a5 | ||
|
|
c7cd0060f0 | ||
|
|
7ab055e61e | ||
|
|
758f3cf955 | ||
|
|
08a184d95b | ||
|
|
50a0103e89 | ||
|
|
28ac76bde4 |
@@ -649,6 +649,7 @@ our %opttype = ( rule => CONTROL,
|
||||
simple => CONTROL,
|
||||
matches => CONTROL,
|
||||
complex => CONTROL,
|
||||
t => CONTROL,
|
||||
|
||||
i => UNIQUE,
|
||||
s => UNIQUE,
|
||||
@@ -891,6 +892,8 @@ sub set_rule_option( $$$ ) {
|
||||
}
|
||||
} elsif ( $opttype == EXCLUSIVE ) {
|
||||
$ruleref->{$option} .= ",$value";
|
||||
} elsif ( $opttype == CONTROL ) {
|
||||
$ruleref->{$option} = $value;
|
||||
} elsif ( $opttype == UNIQUE ) {
|
||||
#
|
||||
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
|
||||
@@ -925,7 +928,7 @@ sub transform_rule( $;\$ ) {
|
||||
my $option;
|
||||
my $invert = '';
|
||||
|
||||
if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
|
||||
if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
|
||||
#
|
||||
# Normal case of single-character
|
||||
$invert = '!' if $1;
|
||||
@@ -955,7 +958,7 @@ sub transform_rule( $;\$ ) {
|
||||
|
||||
PARAM:
|
||||
{
|
||||
while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
|
||||
while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
|
||||
last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
|
||||
$input =~ s/^([^\s]+)\s*//;
|
||||
my $token = $1;
|
||||
|
||||
@@ -2049,7 +2049,7 @@ sub handle_stickiness( $ ) {
|
||||
$rule1 = clone_irule( $_ );
|
||||
|
||||
set_rule_target( $rule1, 'MARK', "--set-mark $mark" );
|
||||
set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
|
||||
set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );
|
||||
|
||||
$rule2 = clone_irule( $_ );
|
||||
|
||||
@@ -2084,7 +2084,7 @@ sub handle_stickiness( $ ) {
|
||||
$rule1 = clone_irule $_;
|
||||
|
||||
set_rule_target( $rule1, 'MARK', "--set-mark $mark" );
|
||||
set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
|
||||
set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );
|
||||
|
||||
$rule2 = clone_irule $_;
|
||||
|
||||
|
||||
@@ -225,6 +225,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
my $device = '';
|
||||
our $cmd;
|
||||
our $designator;
|
||||
our $ttl = 0;
|
||||
my $fw = firewall_zone;
|
||||
|
||||
sub handle_mark_param( $$ ) {
|
||||
@@ -333,7 +334,31 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub ipset_command() {
|
||||
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
|
||||
|
||||
require_capability( 'IPSET_MATCH', "$cmd rules", '' );
|
||||
fatal_error "$cmd rules require a set name parameter" unless $params;
|
||||
|
||||
my ( $setname, $flags, $rest ) = split ':', $params, 3;
|
||||
fatal_error "Invalid ADD/DEL parameter ($params)" if $rest;
|
||||
$setname =~ s/^\+//;
|
||||
fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
|
||||
fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
|
||||
$target = join( ' ', 'SET --' . $xlate{$cmd} , $setname , $flags );
|
||||
}
|
||||
|
||||
my %commands = (
|
||||
ADD => {
|
||||
defaultchain => PREROUTING,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 1,
|
||||
maxparams => 1,
|
||||
function => sub() {
|
||||
ipset_command();
|
||||
}
|
||||
},
|
||||
|
||||
CHECKSUM => {
|
||||
defaultchain => 0,
|
||||
allowedchains => ALLCHAINS,
|
||||
@@ -396,6 +421,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
},
|
||||
|
||||
DEL => {
|
||||
defaultchain => PREROUTING,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 1,
|
||||
maxparams => 1,
|
||||
function => sub() {
|
||||
ipset_command();
|
||||
}
|
||||
},
|
||||
|
||||
DIVERT => {
|
||||
defaultchain => REALPREROUTING,
|
||||
allowedchains => PREROUTING | REALPREROUTING,
|
||||
@@ -587,6 +622,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
|
||||
$restriction = DESTIFACE_DISALLOW;
|
||||
ensure_mangle_chain( $target );
|
||||
if (supplied $params) {
|
||||
$ttl = numeric_value( $params );
|
||||
fatal_error "The SAME timeout must be positive" unless $ttl;
|
||||
} else {
|
||||
$ttl = 300;
|
||||
}
|
||||
|
||||
$sticky++;
|
||||
},
|
||||
},
|
||||
@@ -601,7 +643,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( supplied $params ) {
|
||||
handle_mark_param( '--save-mark --mask ' ,
|
||||
$config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
|
||||
|
||||
} else {
|
||||
$target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
|
||||
}
|
||||
@@ -801,6 +842,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
do_dscp( $dscp ) .
|
||||
state_match( $state ) .
|
||||
do_time( $time ) .
|
||||
( $ttl ? "-t $ttl " : '' ) .
|
||||
$raw_matches ,
|
||||
$source ,
|
||||
$dest ,
|
||||
@@ -852,13 +894,17 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
our %tccmd;
|
||||
|
||||
unless ( %tccmd ) {
|
||||
%tccmd = ( SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
|
||||
%tccmd = ( ADD => { match => sub ( $ ) { $_[0] =~ /^ADD/ }
|
||||
},
|
||||
DEL => { match => sub ( $ ) { $_[0] =~ /^DEL/ }
|
||||
},
|
||||
SAVE => { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
|
||||
} ,
|
||||
RESTORE => { match => sub ( $ ) { $_[0] eq 'RESTORE' },
|
||||
} ,
|
||||
CONTINUE => { match => sub ( $ ) { $_[0] eq 'CONTINUE' },
|
||||
} ,
|
||||
SAME => { match => sub ( $ ) { $_[0] eq 'SAME' },
|
||||
SAME => { match => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
|
||||
} ,
|
||||
IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ },
|
||||
} ,
|
||||
|
||||
@@ -132,6 +132,13 @@ sub setup_tunnels() {
|
||||
add_tunnel_rule $inchainref, p => 'tcp --dport 1723', @$source
|
||||
}
|
||||
|
||||
sub setup_one_tinc {
|
||||
my ( $inchainref, $outchainref, $kind, $source, $dest ) = @_;
|
||||
|
||||
add_tunnel_rule $inchainref, p => 'udp --dport 655', @$source;
|
||||
add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest;
|
||||
}
|
||||
|
||||
sub setup_one_openvpn {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest) = @_;
|
||||
|
||||
@@ -154,7 +161,7 @@ sub setup_tunnels() {
|
||||
}
|
||||
|
||||
add_tunnel_rule $inchainref, p => "$protocol --dport $port", @$source;
|
||||
add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
|
||||
add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
|
||||
}
|
||||
|
||||
sub setup_one_openvpn_client {
|
||||
@@ -263,6 +270,7 @@ sub setup_tunnels() {
|
||||
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
'tinc' => { function => \&setup_one_tinc, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
|
||||
@@ -123,6 +123,28 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
|
||||
numbers to be added to the named
|
||||
<replaceable>ipset</replaceable>. The
|
||||
<replaceable>flags</replaceable> specify the address or tuple
|
||||
to be added to the set and must match the type of ipset
|
||||
involved. For example, for an iphash ipset, either the SOURCE
|
||||
or DESTINATION address can be added using
|
||||
<replaceable>flags</replaceable> <emphasis
|
||||
role="bold">src</emphasis> or <emphasis
|
||||
role="bold">dst</emphasis> respectively (see the -A command in
|
||||
ipset (8)).</para>
|
||||
|
||||
<para>ADD is non-terminating. Even if a packet matches the
|
||||
rule, it is passed on to the next rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHECKSUM</emphasis></term>
|
||||
|
||||
@@ -214,6 +236,27 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
|
||||
from the named <replaceable>ipset</replaceable>. The
|
||||
<replaceable>flags</replaceable> specify the address or tuple
|
||||
to be deleted from the set and must match the type of ipset
|
||||
involved. For example, for an iphash ipset, either the SOURCE
|
||||
or DESTINATION address can be deleted using
|
||||
<replaceable>flags</replaceable> <emphasis
|
||||
role="bold">src</emphasis> or <emphasis
|
||||
role="bold">dst</emphasis> respectively (see the -D command in
|
||||
ipset (8)).</para>
|
||||
|
||||
<para>DEL is non-terminating. Even if a packet matches the
|
||||
rule, it is passed on to the next rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DIVERT</emphasis></term>
|
||||
|
||||
@@ -509,7 +552,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SAME</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Some websites run applications that require multiple
|
||||
@@ -533,12 +577,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If the firewall attempts a connection on TCP port 80 or 443
|
||||
and it has sent a packet on either of those ports in the last
|
||||
five minutes to the same remote system then the new connection
|
||||
will use the same provider as the connection over which that
|
||||
last packet was sent.</para>
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
When not specified, a value of 300 seconds (5 minutes) is
|
||||
assumed. If the firewall attempts a connection on TCP port 80
|
||||
or 443 and it has sent a packet on either of those ports in
|
||||
the last <replaceable>timeout</replaceable> seconds to the
|
||||
same remote system then the new connection will use the same
|
||||
provider as the connection over which that last packet was
|
||||
sent.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -70,7 +70,8 @@
|
||||
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
|
||||
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
|
||||
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
|
||||
<emphasis role="bold">generic</emphasis> - Other tunnel type</programlisting>
|
||||
<emphasis role="bold">generic</emphasis> - Other tunnel type
|
||||
<emphasis role="bold">tinc</emphasis> - TINC (added in Shorewall 4.6.6)</programlisting>
|
||||
|
||||
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
|
||||
be followed by <emphasis role="bold">:ah</emphasis> to indicate that
|
||||
@@ -270,6 +271,19 @@
|
||||
generic:udp:4444 net 4.3.99.124</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 9:</term>
|
||||
|
||||
<listitem>
|
||||
<para>TINC tunnel where the remote gateways are not specified. If
|
||||
you wish to specify a list of gateways, you can do so in the GATEWAY
|
||||
column.</para>
|
||||
|
||||
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
|
||||
tinc net 0.0.0.0/0</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -124,6 +124,28 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.7. Causes addresses and/or port
|
||||
numbers to be added to the named
|
||||
<replaceable>ipset</replaceable>. The
|
||||
<replaceable>flags</replaceable> specify the address or tuple
|
||||
to be added to the set and must match the type of ipset
|
||||
involved. For example, for an iphash ipset, either the SOURCE
|
||||
or DESTINATION address can be added using
|
||||
<replaceable>flags</replaceable> <emphasis
|
||||
role="bold">src</emphasis> or <emphasis
|
||||
role="bold">dst</emphasis> respectively (see the -A command in
|
||||
ipset (8)).</para>
|
||||
|
||||
<para>ADD is non-terminating. Even if a packet matches the
|
||||
rule, it is passed on to the next rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHECKSUM</emphasis></term>
|
||||
|
||||
@@ -215,6 +237,27 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.7. Causes an entry to be deleted
|
||||
from the named <replaceable>ipset</replaceable>. The
|
||||
<replaceable>flags</replaceable> specify the address or tuple
|
||||
to be deleted from the set and must match the type of ipset
|
||||
involved. For example, for an iphash ipset, either the SOURCE
|
||||
or DESTINATION address can be deleted using
|
||||
<replaceable>flags</replaceable> <emphasis
|
||||
role="bold">src</emphasis> or <emphasis
|
||||
role="bold">dst</emphasis> respectively (see the -D command in
|
||||
ipset (8)).</para>
|
||||
|
||||
<para>DEL is non-terminating. Even if a packet matches the
|
||||
rule, it is passed on to the next rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DIVERT</emphasis></term>
|
||||
|
||||
@@ -510,7 +553,8 @@ INLINE eth0 - ; -p tcp -j MARK --set-mark
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SAME</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">SAME[(<replaceable>timeout</replaceable>)]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Some websites run applications that require multiple
|
||||
@@ -534,12 +578,16 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If the firewall attempts a connection on TCP port 80 or 443
|
||||
and it has sent a packet on either of those ports in the last
|
||||
five minutes to the same remote system then the new connection
|
||||
will use the same provider as the connection over which that
|
||||
last packet was sent.</para>
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||
optional <replaceable>timeout</replaceable> parameter was
|
||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||
When not specified, a value of 300 seconds (5 minutes) is
|
||||
assumed. If the firewall attempts a connection on TCP port 80
|
||||
or 443 and it has sent a packet on either of those ports in
|
||||
the last <replaceable>timeout</replaceable> seconds to the
|
||||
same remote system then the new connection will use the same
|
||||
provider as the connection over which that last packet was
|
||||
sent.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -65,7 +65,8 @@
|
||||
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
|
||||
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
|
||||
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
|
||||
<emphasis role="bold">generic</emphasis> - Other tunnel type</programlisting>
|
||||
<emphasis role="bold">generic</emphasis> - Other tunnel type
|
||||
<emphasis role="bold">tinc</emphasis> - TINC (added in Shorewall 4.6.6)</programlisting>
|
||||
|
||||
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
|
||||
be followed by <emphasis role="bold">:ah</emphasis> to indicate that
|
||||
@@ -229,6 +230,19 @@
|
||||
generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 9:</term>
|
||||
|
||||
<listitem>
|
||||
<para>TINC tunnel where the remote gateways are not specified. If
|
||||
you wish to specify a list of gateways, you can do so in the GATEWAY
|
||||
column.</para>
|
||||
|
||||
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
|
||||
tinc net ::/0</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@@ -2208,7 +2208,7 @@ shorewall status > /dev/null 2>&1 || shorewall start # Start Shorewall
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.4.10, there is a new <ulink
|
||||
url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
|
||||
url="manpages/shorewall-init.html">Shorewall Init Package</ulink>
|
||||
that is designed to handle this case.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
Reference in New Issue
Block a user