forked from extern/shorewall_code
Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
e7315b8e0e | ||
|
|
c58611f7fb |
3
Shorewall-core/configure
vendored
3
Shorewall-core/configure
vendored
@@ -235,8 +235,7 @@ for on in \
|
||||
SPARSE \
|
||||
ANNOTATED \
|
||||
VARLIB \
|
||||
VARDIR \
|
||||
DEFAULT_PAGER
|
||||
VARDIR
|
||||
do
|
||||
echo "$on=${options[${on}]}"
|
||||
echo "$on=${options[${on}]}" >> shorewallrc
|
||||
|
||||
@@ -209,8 +209,7 @@ for ( qw/ HOST
|
||||
SPARSE
|
||||
ANNOTATED
|
||||
VARLIB
|
||||
VARDIR
|
||||
DEFAULT_PAGER / ) {
|
||||
VARDIR / ) {
|
||||
|
||||
my $val = $options{$_} || '';
|
||||
|
||||
|
||||
@@ -191,8 +191,6 @@ setup_logread() {
|
||||
else
|
||||
g_logread="logread"
|
||||
fi
|
||||
elif [ "$LOGFILE" = "systemd" ]; then
|
||||
g_logread="journalctl -r"
|
||||
elif [ -r $LOGFILE ]; then
|
||||
if qt mywhich tac; then
|
||||
g_logread="tac $LOGFILE"
|
||||
@@ -466,8 +464,7 @@ do_save() {
|
||||
if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
|
||||
cp -f ${VARDIR}/firewall $g_restorepath
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
|
||||
chmod 700 $g_restorepath
|
||||
chmod 600 ${g_restorepath}-iptables
|
||||
chmod +x $g_restorepath
|
||||
echo " Currently-running Configuration Saved to $g_restorepath"
|
||||
run_user_exit save
|
||||
else
|
||||
@@ -488,7 +485,6 @@ do_save() {
|
||||
if ${arptables}-save > ${VARDIR}/restore-$$; then
|
||||
if grep -q '^-A' ${VARDIR}/restore-$$; then
|
||||
mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
|
||||
chmod 600 ${g_restorepath}-arptables
|
||||
else
|
||||
rm -f ${VARDIR}/restore-$$
|
||||
fi
|
||||
@@ -535,7 +531,7 @@ do_save() {
|
||||
#
|
||||
# Don't save an 'empty' file
|
||||
#
|
||||
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets && chmod 600 ${g_restorepath}-ipsets
|
||||
grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
@@ -2526,46 +2522,21 @@ hits_command() {
|
||||
# 'allow' command executor
|
||||
#
|
||||
allow_command() {
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
|
||||
if product_is_started ; then
|
||||
local allowed
|
||||
local which
|
||||
which='-s'
|
||||
local range
|
||||
range='--src-range'
|
||||
local dynexists
|
||||
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
|
||||
case ${IPSET:=ipset} in
|
||||
*/*)
|
||||
if [ ! -x "$IPSET" ]; then
|
||||
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
IPSET="$(mywhich $IPSET)"
|
||||
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
dynexists=Yes
|
||||
elif [ -z "$g_blacklistipset" ]; then
|
||||
if ! chain_exists dynamic; then
|
||||
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
||||
fi
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
||||
allowed=''
|
||||
|
||||
case $1 in
|
||||
from)
|
||||
which='-s'
|
||||
@@ -2578,48 +2549,29 @@ allow_command() {
|
||||
continue
|
||||
;;
|
||||
*-*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$allowed" ]; then
|
||||
progress_message2 "$1 Allowed"
|
||||
else
|
||||
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
else
|
||||
error_message "ERROR: $g_product is not started"
|
||||
@@ -3555,7 +3507,7 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -3900,8 +3852,6 @@ get_config() {
|
||||
|
||||
g_loopback=$(find_loopback_interfaces)
|
||||
|
||||
[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
|
||||
|
||||
if [ -n "$PAGER" -a -t 1 ]; then
|
||||
case $PAGER in
|
||||
/*)
|
||||
@@ -3909,7 +3859,7 @@ get_config() {
|
||||
[ -f "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
|
||||
;;
|
||||
*)
|
||||
g_pager=$(mywhich $PAGER 2> /dev/null)
|
||||
g_pager=$(mywhich pager 2> /dev/null)
|
||||
[ -n "$g_pager" ] || fatal_error "PAGER=$PAGER does not exist"
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -19,4 +19,3 @@ SERVICEFILE= #Unused on OS X
|
||||
SYSCONFDIR= #Unused on OS X
|
||||
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
|
||||
VARLIB=/var/lib #Unused on OS X
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -20,4 +20,3 @@ SERVICEFILE= #Name of the file to install in $SYSTEMD.
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -19,4 +19,3 @@ SERVICEFILE= #Unused on Cygwin
|
||||
SYSCONFDIR= #Unused on Cygwin
|
||||
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
|
||||
VARLIB=/var/lib #Unused on Cygwin
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -21,4 +21,3 @@ SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (s
|
||||
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -21,4 +21,3 @@ SERVICEDIR= #Directory where .service files are installed (systems running sy
|
||||
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -21,4 +21,3 @@ SYSCONFDIR= #Directory where SysV init parameter fil
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -21,4 +21,3 @@ SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.se
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -21,4 +21,3 @@ SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter fil
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -22,4 +22,3 @@ SYSCONFDIR= #Name of the directory where SysV ini
|
||||
ANNOTATED= #If non-empty, install annotated configuration files
|
||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -7,18 +7,17 @@ PREFIX=/usr #Top-level directory for s
|
||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
||||
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory
|
||||
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
||||
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
||||
INITFILE= #Name of the product's SysV init script
|
||||
INITFILE=$PRODUCT #Name of the product's SysV init script
|
||||
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
||||
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
VARLIB=/var/lib #Directory where persistent product data is stored.
|
||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
# Required-Stop: $local_fs
|
||||
# X-Stop-After: $network
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Initialize the firewall at boot time
|
||||
# Description: Place the firewall in a safe state at boot time prior to
|
||||
# bringing up the network
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall-lite
|
||||
@@ -92,11 +92,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -702,9 +702,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -337,7 +337,7 @@ our $VERSION = 'MODULEVERSION';
|
||||
# digest => SHA1 digest of the string representation of the chain's rules for use in optimization
|
||||
# level 8.
|
||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||
# Suppresses adding additional rules to the end of the chain
|
||||
# Suppresses adding additional rules to the chain end of the chain
|
||||
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
|
||||
# allowedchains
|
||||
@@ -1337,14 +1337,7 @@ sub push_rule( $$ ) {
|
||||
push @{$chainref->{rules}}, $ruleref;
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
|
||||
|
||||
if ( $debug ) {
|
||||
if ( $ruleref->{comment} ) {
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] -m comment --comment \"$ruleref->{comment}\"" );
|
||||
} else {
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" );
|
||||
}
|
||||
}
|
||||
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
|
||||
|
||||
$chainref->{complete} = 1 if $complete;
|
||||
|
||||
@@ -2935,13 +2928,13 @@ sub initialize_chain_table($) {
|
||||
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
|
||||
#
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'ADD' => STANDARD + SET,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
@@ -3001,13 +2994,13 @@ sub initialize_chain_table($) {
|
||||
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
|
||||
#
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
@@ -3186,17 +3179,17 @@ sub delete_references( $ ) {
|
||||
#
|
||||
sub calculate_digest( $ ) {
|
||||
my $chainref = shift;
|
||||
my $rules = '';
|
||||
my $digest = '';
|
||||
|
||||
for ( @{$chainref->{rules}} ) {
|
||||
if ( $rules ) {
|
||||
$rules .= ' |' . format_rule( $chainref, $_, 1 );
|
||||
if ( $digest ) {
|
||||
$digest .= ' |' . format_rule( $chainref, $_, 1 );
|
||||
} else {
|
||||
$rules = format_rule( $chainref, $_, 1 );
|
||||
$digest = format_rule( $chainref, $_, 1 );
|
||||
}
|
||||
}
|
||||
|
||||
$chainref->{digest} = sha1_hex $rules;
|
||||
$chainref->{digest} = sha1_hex $digest;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -3485,7 +3478,7 @@ sub optimize_level4( $$ ) {
|
||||
$progress = 1;
|
||||
} elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
|
||||
#
|
||||
# This case requires a new rule merging algorithm. Ignore this chain from
|
||||
# This case requires a new rule merging algorithm. Ignore this chain for
|
||||
# now on.
|
||||
#
|
||||
$chainref->{optflags} |= DONT_OPTIMIZE;
|
||||
@@ -3493,7 +3486,7 @@ sub optimize_level4( $$ ) {
|
||||
#
|
||||
# Replace references to this chain with the target and add the matches
|
||||
#
|
||||
$progress = 1 if replace_references1( $chainref, $firstrule );
|
||||
$progress = 1 if replace_references1 $chainref, $firstrule;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -3539,7 +3532,7 @@ sub optimize_level4( $$ ) {
|
||||
#empty builtin chain -- change it's policy
|
||||
#
|
||||
$chainref->{policy} = $target;
|
||||
trace( $chainref, 'P', undef, $target ) if $debug;
|
||||
trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
|
||||
$count++;
|
||||
}
|
||||
|
||||
@@ -3693,12 +3686,7 @@ sub optimize_level8( $$$ ) {
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
$progress = 1;
|
||||
replace_references( $chainref1,
|
||||
$chainref->{name},
|
||||
undef, # Target Opts
|
||||
'', # Comment
|
||||
'', # Origin
|
||||
1 ); # Recalculate digests of modified chains
|
||||
replace_references $chainref1, $chainref->{name}, undef, '', '', 1;
|
||||
|
||||
unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
|
||||
#
|
||||
@@ -4024,7 +4012,7 @@ sub delete_duplicates {
|
||||
my $docheck;
|
||||
my $duplicate = 0;
|
||||
|
||||
if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
|
||||
if ( $baseref->{mode} == CAT_MODE ) {
|
||||
my $ports1;
|
||||
my @keys1 = sort( grep ! $skip{$_}, keys( %$baseref ) );
|
||||
my $rulenum = @_;
|
||||
@@ -5190,7 +5178,7 @@ sub do_time( $ ) {
|
||||
$result .= "--monthday $days ";
|
||||
} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
|
||||
$result .= "--$1 $2 ";
|
||||
} elsif ( $element =~ /^(utc|localtz|kerneltz|contiguous)$/ ) {
|
||||
} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
|
||||
$result .= "--$1 ";
|
||||
} else {
|
||||
fatal_error "Invalid time element ($element)";
|
||||
@@ -5232,8 +5220,6 @@ sub do_user( $ ) {
|
||||
|
||||
if ( supplied $2 ) {
|
||||
$user = $2;
|
||||
$user =~ s/:$//;
|
||||
|
||||
if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
|
||||
if ( supplied $2 ) {
|
||||
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
|
||||
|
||||
@@ -165,7 +165,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
directive_callback
|
||||
add_ipset
|
||||
all_ipsets
|
||||
transfer_permissions
|
||||
|
||||
$product
|
||||
$Product
|
||||
@@ -577,7 +576,6 @@ our $max_format; # Max format value
|
||||
our $comment; # Current COMMENT
|
||||
our $comments_allowed; # True if [?]COMMENT is allowed in the current file
|
||||
our $nocomment; # When true, ignore [?]COMMENT in the current file
|
||||
our $sr_comment; # When true, $comment should only be applied to the current rule
|
||||
our $warningcount; # Used to suppress duplicate warnings about missing COMMENT support
|
||||
our $checkinline; # The -i option to check/compile/etc.
|
||||
our $directive_callback; # Function to call in compiler_directive
|
||||
@@ -732,7 +730,6 @@ sub initialize( $;$$) {
|
||||
# Contents of last COMMENT line.
|
||||
#
|
||||
$comment = '';
|
||||
$sr_comment = '';
|
||||
$warningcount = 0;
|
||||
#
|
||||
# Misc Globals
|
||||
@@ -897,7 +894,6 @@ sub initialize( $;$$) {
|
||||
PAGER => undef ,
|
||||
MINIUPNPD => undef ,
|
||||
VERBOSE_MESSAGES => undef ,
|
||||
ZERO_MARKS => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -2159,47 +2155,6 @@ sub split_list3( $$ ) {
|
||||
@list2;
|
||||
}
|
||||
|
||||
#
|
||||
# This version spits a list on white-space with optional leading comma. It prevents double-quoted
|
||||
# strings from being split.
|
||||
#
|
||||
sub split_list4( $ ) {
|
||||
my ($list ) = @_;
|
||||
my @list1 = split( /,?\s+/, $list );
|
||||
my @list2;
|
||||
my $element = '';
|
||||
my $opencount = 0;
|
||||
|
||||
return @list1 unless $list =~ /"/;
|
||||
|
||||
@list1 = split( /(,?\s+)/, $list );
|
||||
|
||||
for ( my $i = 0; $i < @list1; $i += 2 ) {
|
||||
my $e = $list1[$i];
|
||||
|
||||
if ( $e =~ /[^\\]"/ ) {
|
||||
if ( $e =~ /[^\\]".*[^\\]"/ ) {
|
||||
fatal_error 'Unescaped embedded quote (' . join( $list1[$i - 1], $element, $e ) . ')' if $element ne '';
|
||||
push @list2, $e;
|
||||
} elsif ( $element ne '' ) {
|
||||
fatal_error 'Quoting Error (' . join( $list1[$i - 1], $element, $e ) . ')' unless $e =~ /"$/;
|
||||
push @list2, join( $list1[$i - 1], $element, $e );
|
||||
$element = '';
|
||||
} else {
|
||||
$element = $e;
|
||||
}
|
||||
} elsif ( $element ne '' ) {
|
||||
$element = join( $list1[$i - 1], $element, $e );
|
||||
} else {
|
||||
push @list2, $e;
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Mismatched_quotes ($list)" if $element ne '';
|
||||
|
||||
@list2;
|
||||
}
|
||||
|
||||
#
|
||||
# Splits the columns of a config file record
|
||||
#
|
||||
@@ -2269,8 +2224,6 @@ sub passed( $ ) {
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
sub clear_comment();
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
|
||||
@@ -2294,8 +2247,6 @@ sub split_line2( $$;$$$ ) {
|
||||
}
|
||||
|
||||
$inline_matches = '';
|
||||
|
||||
clear_comment if $sr_comment;
|
||||
#
|
||||
# First, see if there are double semicolons on the line; what follows will be raw iptables input
|
||||
#
|
||||
@@ -2402,37 +2353,18 @@ sub split_line2( $$;$$$ ) {
|
||||
$pairs =~ s/^\s*//;
|
||||
$pairs =~ s/\s*$//;
|
||||
|
||||
my @pairs = split_list4( $pairs );
|
||||
my @pairs = split( /,?\s+/, $pairs );
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
|
||||
my ( $column, $value ) = ( lc( $1 ), $2 );
|
||||
|
||||
if ( $value =~ /"$/ ) {
|
||||
fatal_error "Invalid value ( $value )" unless $value =~ /^"(.*)"$/;
|
||||
$value = $1;
|
||||
}
|
||||
|
||||
if ( $column eq 'comment' ) {
|
||||
if ( $comments_allowed ) {
|
||||
if ( have_capability( 'COMMENTS' ) ) {
|
||||
$comment = $value;
|
||||
$sr_comment = 1;
|
||||
} else {
|
||||
warning_message '"comment" ignored -- requires comment support in iptables/Netfilter' unless $warningcount++;
|
||||
}
|
||||
} else {
|
||||
fatal_error '"comment" is not allowed in this file';
|
||||
}
|
||||
} else {
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
$value = $1 if $value =~ /^"([^"]+)"$/;
|
||||
$value =~ s/\\"/"/g;
|
||||
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
|
||||
$line[$column] = $value;
|
||||
}
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
$value = $1 if $value =~ /^"([^"]+)"$/;
|
||||
fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
|
||||
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
|
||||
$line[$column] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2462,7 +2394,6 @@ sub no_comment() {
|
||||
sub clear_comment() {
|
||||
$comment = '';
|
||||
$nocomment = 0;
|
||||
$sr_comment = '';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2558,8 +2489,7 @@ sub push_include() {
|
||||
$max_format,
|
||||
$comment,
|
||||
$nocomment,
|
||||
$section_function,
|
||||
$sr_comment ];
|
||||
$section_function ];
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2583,8 +2513,7 @@ sub pop_include() {
|
||||
$max_format,
|
||||
$comment,
|
||||
$nocomment,
|
||||
$section_function,
|
||||
$sr_comment ) = @$arrayref;
|
||||
$section_function ) = @$arrayref;
|
||||
} else {
|
||||
$currentfile = undef;
|
||||
$currentlinenumber = 'EOF';
|
||||
@@ -2953,7 +2882,6 @@ sub process_compiler_directive( $$$$ ) {
|
||||
if ( have_capability( 'COMMENTS' ) ) {
|
||||
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
|
||||
$comment =~ s/\s*$//;
|
||||
$sr_comment = '';
|
||||
} else {
|
||||
directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
|
||||
}
|
||||
@@ -3307,7 +3235,6 @@ sub push_open( $;$$$$ ) {
|
||||
push @openstack, \@a;
|
||||
@includestack = ();
|
||||
$currentfile = undef;
|
||||
$sr_comment = '';
|
||||
open_file( $file , $max, $comments_allowed || $ca, $nc , $cf );
|
||||
}
|
||||
|
||||
@@ -3401,7 +3328,7 @@ sub embedded_shell( $ ) {
|
||||
sub embedded_perl( $ ) {
|
||||
my $multiline = shift;
|
||||
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
|
||||
$directive_callback->( 'PERL', $currentline ) if $directive_callback;
|
||||
|
||||
@@ -3854,10 +3781,8 @@ sub process_shorewallrc( $$ ) {
|
||||
$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
|
||||
}
|
||||
} elsif ( supplied $shorewallrc{VARLIB} ) {
|
||||
$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
|
||||
$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
|
||||
}
|
||||
|
||||
$shorewallrc{DEFAULT_PAGER} = '' unless supplied $shorewallrc{DEFAULT_PAGER};
|
||||
}
|
||||
|
||||
#
|
||||
@@ -5164,19 +5089,6 @@ sub update_default($$) {
|
||||
$config{$var} = $val unless defined $config{$var};
|
||||
}
|
||||
|
||||
#
|
||||
# Transfer the permissions from an old .bak file to a newly-created file
|
||||
#
|
||||
sub transfer_permissions( $$ ) {
|
||||
my ( $old, $new ) = @_;
|
||||
|
||||
my @stat = stat $old;
|
||||
|
||||
if ( @stat ) {
|
||||
fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
|
||||
}
|
||||
}
|
||||
|
||||
sub update_config_file( $ ) {
|
||||
my ( $annotate ) = @_;
|
||||
|
||||
@@ -5231,7 +5143,7 @@ sub update_config_file( $ ) {
|
||||
update_default( 'USE_DEFAULT_RT', 'No' );
|
||||
update_default( 'EXPORTMODULES', 'No' );
|
||||
update_default( 'RESTART', 'reload' );
|
||||
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
|
||||
update_default( 'PAGER', '' );
|
||||
|
||||
my $fn;
|
||||
|
||||
@@ -5326,7 +5238,6 @@ EOF
|
||||
|
||||
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||
transfer_permissions( "$configfile.bak", $configfile );
|
||||
} else {
|
||||
if ( rename "$configfile.bak", $configfile ) {
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
||||
@@ -6274,10 +6185,8 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
|
||||
}
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
}
|
||||
|
||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||
@@ -6293,7 +6202,6 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
|
||||
default_yes_no 'MINIUPNPD' , '';
|
||||
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
|
||||
default_yes_no 'ZERO_MARKS' , '';
|
||||
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
|
||||
|
||||
@@ -200,7 +200,6 @@ sub remove_blacklist( $ ) {
|
||||
if ( $changed ) {
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||
transfer_permissions( "$fn.bak", $fn );
|
||||
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||
}
|
||||
}
|
||||
@@ -309,7 +308,6 @@ sub convert_blacklist() {
|
||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $blrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5.0 - Blacklist Rules File
|
||||
@@ -403,7 +401,6 @@ sub convert_routestopped() {
|
||||
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $stoppedrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5 - Stopped Rules File
|
||||
@@ -869,30 +866,15 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
|
||||
|
||||
my ( $in, $out ) = split /:/, $setting;
|
||||
|
||||
if ( $in == 1 ) {
|
||||
#
|
||||
# src
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
} elsif ( $in == 2 ) {
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
|
||||
if ( $out == 2 ) {
|
||||
#
|
||||
# dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -125,13 +125,6 @@ sub setup_route_marking() {
|
||||
my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';
|
||||
|
||||
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
|
||||
#
|
||||
# Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
|
||||
#
|
||||
|
||||
if ( $config{ZERO_MARKS} ) {
|
||||
add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
|
||||
}
|
||||
|
||||
if ( $config{RESTORE_ROUTEMARKS} ) {
|
||||
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
|
||||
@@ -693,7 +686,6 @@ sub process_a_provider( $ ) {
|
||||
interface => $interface ,
|
||||
physical => $physical ,
|
||||
optional => $optional ,
|
||||
wildcard => $interfaceref->{wildcard} || 0,
|
||||
gateway => $gateway ,
|
||||
gatewaycase => $gatewaycase ,
|
||||
shared => $shared ,
|
||||
@@ -809,10 +801,6 @@ sub add_a_provider( $$ ) {
|
||||
|
||||
push_indent;
|
||||
|
||||
emit( "if interface_is_up $physical; then" );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $gatewaycase eq 'omitted' ) {
|
||||
if ( $tproxy ) {
|
||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||
@@ -830,19 +818,14 @@ sub add_a_provider( $$ ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
} else {
|
||||
emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
|
||||
emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
|
||||
emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
}
|
||||
}
|
||||
|
||||
emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
|
||||
emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) );
|
||||
emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
|
||||
}
|
||||
|
||||
if ( ! $noautosrc ) {
|
||||
@@ -871,10 +854,8 @@ sub add_a_provider( $$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( qq(fi\n),
|
||||
qq(echo 1 > \${VARDIR}/${physical}_disabled) );
|
||||
emit( qq(\n),
|
||||
qq(rm -f \${VARDIR}/${physical}_enabled) );
|
||||
|
||||
|
||||
pop_indent;
|
||||
@@ -1088,7 +1069,7 @@ CEOF
|
||||
emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
|
||||
}
|
||||
|
||||
emit( qq(rm -f \${VARDIR}/${physical}_disabled) );
|
||||
emit( qq( echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
|
||||
emit_started_message( '', 2, $pseudo, $table, $number );
|
||||
|
||||
pop_indent;
|
||||
@@ -1096,7 +1077,7 @@ CEOF
|
||||
unless ( $pseudo ) {
|
||||
emit( 'else' );
|
||||
emit( qq( echo $weight > \${VARDIR}/${physical}_weight) );
|
||||
emit( qq( rm -f \${VARDIR}/${physical}_disabled) ) if $persistent;
|
||||
emit( qq( echo 1 > \${VARDIR}/${physical}_enabled) ) if $persistent;
|
||||
emit_started_message( ' ', '', $pseudo, $table, $number );
|
||||
}
|
||||
|
||||
@@ -1190,7 +1171,7 @@ CEOF
|
||||
'if [ $COMMAND = disable ]; then',
|
||||
" do_persistent_${what}_${table}",
|
||||
"else",
|
||||
" echo 1 > \${VARDIR}/${physical}_disabled\n",
|
||||
" rm -f \${VARDIR}/${physical}_enabled\n",
|
||||
"fi\n",
|
||||
);
|
||||
}
|
||||
@@ -1695,7 +1676,7 @@ EOF
|
||||
emit ( " if [ ! -f \${VARDIR}/undo_${provider}_routing ]; then",
|
||||
" start_interface_$provider" );
|
||||
} elsif ( $providerref->{persistent} ) {
|
||||
emit ( " if [ -f \${VARDIR}/$providerref->{physical}_disabled ]; then",
|
||||
emit ( " if [ ! -f \${VARDIR}/$providerref->{physical}_enabled ]; then",
|
||||
" start_provider_$provider" );
|
||||
} else {
|
||||
emit ( " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
|
||||
@@ -1746,7 +1727,7 @@ EOF
|
||||
if ( $providerref->{pseudo} ) {
|
||||
emit( " if [ -f \${VARDIR}/undo_${provider}_routing ]; then" );
|
||||
} elsif ( $providerref->{persistent} ) {
|
||||
emit( " if [ ! -f \${VARDIR}/$providerref->{physical}_disabled ]; then" );
|
||||
emit( " if [ -f \${VARDIR}/$providerref->{physical}_enabled ]; then" );
|
||||
} else {
|
||||
emit( " if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
|
||||
}
|
||||
@@ -2132,31 +2113,9 @@ sub provider_realm( $ ) {
|
||||
#
|
||||
sub handle_optional_interfaces( $ ) {
|
||||
|
||||
my @interfaces;
|
||||
my $wildcards;
|
||||
my ( $interfaces, $wildcards ) = find_interfaces_by_option1 'optional';
|
||||
|
||||
#
|
||||
# First do the provider interfacess. Those that are real providers will never have wildcard physical
|
||||
# names but they might derive from wildcard interface entries. Optional interfaces which do not have
|
||||
# wildcard physical names are also included in the providers table.
|
||||
#
|
||||
for my $providerref ( grep $_->{optional} , sort { $a->{number} <=> $b->{number} } values %providers ) {
|
||||
push @interfaces, $providerref->{interface};
|
||||
$wildcards ||= $providerref->{wildcard};
|
||||
}
|
||||
|
||||
#
|
||||
# Now do the optional wild interfaces
|
||||
#
|
||||
for my $interface ( grep interface_is_optional($_) && ! $provider_interfaces{$_}, all_real_interfaces ) {
|
||||
push@interfaces, $interface;
|
||||
unless ( $wildcards ) {
|
||||
my $interfaceref = find_interface($interface);
|
||||
$wildcards = 1 if $interfaceref->{wildcard};
|
||||
}
|
||||
}
|
||||
|
||||
if ( @interfaces ) {
|
||||
if ( @$interfaces ) {
|
||||
my $require = $config{REQUIRE_INTERFACE};
|
||||
my $gencase = shift;
|
||||
|
||||
@@ -2167,7 +2126,7 @@ sub handle_optional_interfaces( $ ) {
|
||||
#
|
||||
# Clear the '_IS_USABLE' variables
|
||||
#
|
||||
emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @interfaces;
|
||||
emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
|
||||
|
||||
if ( $wildcards ) {
|
||||
#
|
||||
@@ -2184,76 +2143,74 @@ sub handle_optional_interfaces( $ ) {
|
||||
emit '';
|
||||
}
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
if ( my $provider = $provider_interfaces{ $interface } ) {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $providerref = $providers{$provider};
|
||||
my $interfaceref = known_interface( $interface );
|
||||
my $wildbase = uc $interfaceref->{base};
|
||||
for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
|
||||
my $provider = $provider_interfaces{$interface};
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $providerref = $providers{$provider};
|
||||
|
||||
emit( "$physical)" ), push_indent if $wildcards;
|
||||
emit( "$physical)" ), push_indent if $wildcards;
|
||||
|
||||
if ( $provider eq $physical ) {
|
||||
#
|
||||
# Just an optional interface, or provider and interface are the same
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
} else {
|
||||
#
|
||||
# Provider
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
}
|
||||
|
||||
push_indent;
|
||||
if ( $providerref->{gatewaycase} eq 'detect' ) {
|
||||
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
|
||||
} else {
|
||||
emit qq(if interface_is_usable $physical; then);
|
||||
}
|
||||
|
||||
emit( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
|
||||
emit( " SW_${base}_IS_USABLE=Yes" );
|
||||
emit( " SW_${wildbase}_IS_USABLE=Yes" ) if $interfaceref->{wildcard};
|
||||
emit( 'fi' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( "fi\n" );
|
||||
|
||||
emit( ';;' ), pop_indent if $wildcards;
|
||||
if ( $provider eq $physical ) {
|
||||
#
|
||||
# Just an optional interface, or provider and interface are the same
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
} else {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $case = $physical;
|
||||
my $wild = $case =~ s/\+$/*/;
|
||||
#
|
||||
# Provider
|
||||
#
|
||||
emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
|
||||
}
|
||||
|
||||
if ( $wildcards ) {
|
||||
emit( "$case)" );
|
||||
push_indent;
|
||||
if ( $providerref->{gatewaycase} eq 'detect' ) {
|
||||
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
|
||||
} else {
|
||||
emit qq(if interface_is_usable $physical; then);
|
||||
}
|
||||
|
||||
emit( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
|
||||
emit( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( "fi\n" );
|
||||
|
||||
emit( ';;' ), pop_indent if $wildcards;
|
||||
}
|
||||
|
||||
for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
|
||||
my $physical = get_physical $interface;
|
||||
my $base = uc var_base( $physical );
|
||||
my $case = $physical;
|
||||
my $wild = $case =~ s/\+$/*/;
|
||||
|
||||
if ( $wildcards ) {
|
||||
emit( "$case)" );
|
||||
push_indent;
|
||||
|
||||
if ( $wild ) {
|
||||
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
|
||||
if ( $wild ) {
|
||||
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
|
||||
push_indent;
|
||||
emit ( 'if interface_is_usable $interface; then' );
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
emit ( 'if interface_is_usable $interface; then' );
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
} else {
|
||||
emit ( "if interface_is_usable $physical; then" );
|
||||
}
|
||||
|
||||
emit ( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
emit ( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
emit ( ' HAVE_INTERFACE=Yes' ) if $require;
|
||||
emit ( " SW_${base}_IS_USABLE=Yes" ,
|
||||
'fi' );
|
||||
|
||||
if ( $wildcards ) {
|
||||
pop_indent, emit( 'fi' ) if $wild;
|
||||
emit( ';;' );
|
||||
pop_indent;
|
||||
}
|
||||
if ( $wildcards ) {
|
||||
pop_indent, emit( 'fi' ) if $wild;
|
||||
emit( ';;' );
|
||||
pop_indent;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -369,18 +369,11 @@ sub setup_conntrack($) {
|
||||
my $conntrack;
|
||||
my $empty = 1;
|
||||
my $date = compiletime;
|
||||
my $fn1 = find_writable_file 'conntrack';
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
if ( $fn ) {
|
||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
} else {
|
||||
open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
#
|
||||
# Transfer permissions from the existing notrack file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
|
||||
print $conntrack <<'EOF';
|
||||
#
|
||||
@@ -403,6 +396,8 @@ EOF
|
||||
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||
"#\n" );
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
while ( read_a_line( PLAIN_READ ) ) {
|
||||
#
|
||||
# Don't copy the header comments from the old notrack file
|
||||
|
||||
@@ -295,7 +295,7 @@ our %validstates = ( NEW => 0,
|
||||
# known until the compiler has started.
|
||||
#
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize the state of its dependent modules.
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
@@ -345,11 +345,11 @@ sub initialize( $ ) {
|
||||
#
|
||||
$macro_nest_level = 0;
|
||||
#
|
||||
# All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions.std
|
||||
# All builtin actions plus those mentioned in /etc/shorewall[6]/actions and /usr/share/shorewall[6]/actions
|
||||
#
|
||||
%actions = ();
|
||||
#
|
||||
# Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
|
||||
# Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
|
||||
#
|
||||
%usedactions = ();
|
||||
|
||||
@@ -628,20 +628,29 @@ sub handle_nfqueue( $$ ) {
|
||||
#
|
||||
# Process an entry in the policy file.
|
||||
#
|
||||
sub process_a_policy1($$$$$$$) {
|
||||
sub process_a_policy() {
|
||||
|
||||
our %validpolicies;
|
||||
our @zonelist;
|
||||
|
||||
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
|
||||
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
|
||||
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
|
||||
|
||||
$loglevel = '' if $loglevel eq '-';
|
||||
$synparams = '' if $synparams eq '-';
|
||||
$connlimit = '' if $connlimit eq '-';
|
||||
|
||||
fatal_error 'SOURCE must be specified' if $client eq '-';
|
||||
fatal_error 'DEST must be specified' if $server eq '-';
|
||||
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
|
||||
|
||||
my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
|
||||
$intrazone = $clientwild && $1;
|
||||
my $intrazone = $clientwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
|
||||
|
||||
my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
|
||||
$intrazone ||= ( $serverwild && $1 );
|
||||
$intrazone ||= $serverwild && $1;
|
||||
|
||||
fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
|
||||
|
||||
@@ -749,40 +758,6 @@ sub process_a_policy1($$$$$$$) {
|
||||
}
|
||||
}
|
||||
|
||||
sub process_a_policy() {
|
||||
|
||||
our %validpolicies;
|
||||
our @zonelist;
|
||||
|
||||
my ( $clients, $servers, $policy, $loglevel, $synparams, $connlimit ) =
|
||||
split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
|
||||
|
||||
$loglevel = '' if $loglevel eq '-';
|
||||
$synparams = '' if $synparams eq '-';
|
||||
$connlimit = '' if $connlimit eq '-';
|
||||
|
||||
my $intrazone;
|
||||
|
||||
if ( $intrazone = $clients =~ /.*,.*\+$/) {
|
||||
$clients =~ s/\+$//;
|
||||
}
|
||||
|
||||
if ( $servers =~ /.*,.*\+$/ ) {
|
||||
$servers =~ s/\+$//;
|
||||
$intrazone = 1;
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE must be specified' if $clients eq '-';
|
||||
fatal_error 'DEST must be specified' if $servers eq '-';
|
||||
fatal_error 'POLICY must be specified' if $policy eq '-';
|
||||
|
||||
for my $client ( split_list( $clients, 'zone' ) ) {
|
||||
for my $server ( split_list( $servers, 'zone' ) ) {
|
||||
process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Generate contents of the /var/lib/shorewall[6]/.policies file as 'here documents' in the generated script
|
||||
#
|
||||
@@ -1377,7 +1352,7 @@ sub new_action( $$$$$ ) {
|
||||
# Create and record a log action chain -- Log action chains have names
|
||||
# that are formed from the action name by prepending a "%" and appending
|
||||
# a 1- or 2-digit sequence number. In the functions that follow,
|
||||
# the $chain, $level and $tag variables serve as arguments to the user's
|
||||
# the $chain, $level and $tag variable serves as arguments to the user's
|
||||
# exit. We call the exit corresponding to the name of the action but we
|
||||
# set $chain to the name of the iptables chain where rules are to be added.
|
||||
# Similarly, $level and $tag contain the log level and log tag respectively.
|
||||
@@ -1558,7 +1533,7 @@ sub find_macro( $ )
|
||||
{
|
||||
my $macro = $_[0];
|
||||
|
||||
$macro =~ s/^macro\.//;
|
||||
$macro =~ s/^macro.//;
|
||||
|
||||
my $macrofile = find_file "macro.$macro";
|
||||
|
||||
@@ -2982,63 +2957,65 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
# And we need the dest zone for local/loopback/off-firewall/destonly checks
|
||||
#
|
||||
$destref = find_zone( $chainref->{destzone} ) if $chainref->{destzone};
|
||||
} elsif ( ! ( $actiontype & NATONLY ) ) {
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
if ( $destref->{type} & BPORT ) {
|
||||
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
|
||||
} else {
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
if ( $destref->{type} & BPORT ) {
|
||||
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
}
|
||||
}
|
||||
|
||||
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||
#
|
||||
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
|
||||
#
|
||||
( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
|
||||
$chainref->{destzone} = $destzone;
|
||||
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
fatal_error "Rules may not override a NONE policy";
|
||||
}
|
||||
}
|
||||
|
||||
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||
#
|
||||
# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
|
||||
#
|
||||
( $chainref = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
|
||||
$chainref->{destzone} = $destzone;
|
||||
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
return 0 if $wildcard;
|
||||
fatal_error "Rules may not override a NONE policy";
|
||||
}
|
||||
#
|
||||
# Handle Optimization level 1 when specified alone
|
||||
#
|
||||
if ( $optimize == 1 && $section == NEW_SECTION ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:${loglevel}";
|
||||
} else {
|
||||
return 0 if $basictarget eq $policy;
|
||||
#
|
||||
# Handle Optimization level 1 when specified alone
|
||||
#
|
||||
if ( $optimize == 1 && $section == NEW_SECTION ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:${loglevel}";
|
||||
} else {
|
||||
return 0 if $basictarget eq $policy;
|
||||
}
|
||||
}
|
||||
}
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
|
||||
#
|
||||
if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
|
||||
my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
|
||||
my $auxref = $filter_table->{$auxchain};
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Handle rules in the BLACKLIST, ESTABLISHED, RELATED, INVALID and UNTRACKED sections
|
||||
#
|
||||
if ( $section & ( BLACKLIST_SECTION | ESTABLISHED_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
|
||||
my $auxchain = $section_functions{$section}->( $sourcezone, $destzone );
|
||||
my $auxref = $filter_table->{$auxchain};
|
||||
|
||||
unless ( $auxref ) {
|
||||
my $save_comment = push_comment;
|
||||
$auxref = new_chain 'filter', $auxchain;
|
||||
$auxref->{blacklistsection} = 1 if $blacklist;
|
||||
unless ( $auxref ) {
|
||||
my $save_comment = push_comment;
|
||||
$auxref = new_chain 'filter', $auxchain;
|
||||
$auxref->{blacklistsection} = 1 if $blacklist;
|
||||
|
||||
add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
|
||||
pop_comment( $save_comment );
|
||||
add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) );
|
||||
pop_comment( $save_comment );
|
||||
}
|
||||
|
||||
$chain = $auxchain;
|
||||
$chainref = $auxref;
|
||||
}
|
||||
|
||||
$chain = $auxchain;
|
||||
$chainref = $auxref;
|
||||
}
|
||||
}
|
||||
#
|
||||
@@ -3056,7 +3033,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Handle actions
|
||||
#
|
||||
my $actionchain; # Name of the action chain
|
||||
my $actionchain; #Name of the action chain
|
||||
|
||||
if ( $actiontype & ACTION ) {
|
||||
#
|
||||
@@ -3585,7 +3562,7 @@ sub perl_action_tcp_helper($$) {
|
||||
sub process_section ($) {
|
||||
my $sect = shift;
|
||||
#
|
||||
# split_line2 has already verified that there are exactly two tokens on the line
|
||||
# split_line1 has already verified that there are exactly two tokens on the line
|
||||
#
|
||||
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
@@ -3729,7 +3706,7 @@ sub process_raw_rule ( ) {
|
||||
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
||||
|
||||
if ( @protos > 1 ) {
|
||||
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ /!/;
|
||||
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
|
||||
}
|
||||
|
||||
for $source ( @source ) {
|
||||
@@ -4196,8 +4173,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
|
||||
CHECKSUM => {
|
||||
defaultchain => POSTROUTING,
|
||||
allowedchains => POSTROUTING | FORWARD | OUTPUT,
|
||||
defaultchain => 0,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 0,
|
||||
maxparams => 0 ,
|
||||
function => sub() {
|
||||
@@ -4322,7 +4299,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
|
||||
DSCP => {
|
||||
defaultchain => POSTROUTING,
|
||||
defaultchain => 0,
|
||||
allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
|
||||
minparams => 1,
|
||||
maxparams => 1,
|
||||
@@ -4772,6 +4749,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
unless ( ( $chain || $default_chain ) == OUTPUT ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
if ( $dest ne '-' ) {
|
||||
if ( $dest eq $fw ) {
|
||||
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
|
||||
@@ -4814,7 +4795,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Call the command's processing function
|
||||
#
|
||||
@@ -4825,23 +4805,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $chain == ACTIONCHAIN ) {
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
|
||||
$chainref->{allowedchains} &= $commandref->{allowedchains};
|
||||
$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
|
||||
} else {
|
||||
#
|
||||
# Inline within one of the standard chains
|
||||
#
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$resolve_chain->();
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
|
||||
}
|
||||
|
||||
@@ -5007,13 +4976,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
$mark = $rest;
|
||||
} elsif ( supplied $2 ) {
|
||||
$mark = $2;
|
||||
if ( supplied $mark && $command eq 'IPMARK' ) {
|
||||
my @params = split ',', $mark;
|
||||
$params[1] = '0xff' unless supplied $params[1];
|
||||
$params[2] = '0x00' unless supplied $params[2];
|
||||
$params[3] = '0' unless supplied $params[3];
|
||||
$mark = join ',', @params;
|
||||
}
|
||||
} else {
|
||||
$mark = '';
|
||||
}
|
||||
@@ -5024,7 +4986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
|
||||
$command = ( $command ? "$command($mark)" : $mark ) . $designator;
|
||||
my $line = ( $family == F_IPV6 ?
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
|
||||
|
||||
@@ -350,10 +350,9 @@ sub process_simple_device() {
|
||||
|
||||
for ( my $i = 1; $i <= 3; $i++ ) {
|
||||
my $prio = 16 | $i;
|
||||
my $j = $i + 3;
|
||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle $j flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit '';
|
||||
}
|
||||
|
||||
@@ -2235,19 +2234,13 @@ sub convert_tos($$) {
|
||||
}
|
||||
}
|
||||
|
||||
sub open_mangle_for_output( $ ) {
|
||||
my ($fn ) = @_;
|
||||
sub open_mangle_for_output() {
|
||||
my ( $mangle, $fn1 );
|
||||
|
||||
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
|
||||
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
} else {
|
||||
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
#
|
||||
# Transfer permissions from the existing tcrules file to the new mangle file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
|
||||
print $mangle <<'EOF';
|
||||
#
|
||||
# Shorewall version 4 - Mangle File
|
||||
@@ -2333,7 +2326,7 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tcrules file to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
|
||||
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
|
||||
|
||||
@@ -2383,7 +2376,7 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tosfile to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
convert_tos( $mangle, $fn1 );
|
||||
close $mangle;
|
||||
}
|
||||
|
||||
@@ -337,7 +337,6 @@ sub initialize( $$ ) {
|
||||
arp_ignore => ENUM_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
@@ -388,7 +387,6 @@ sub initialize( $$ ) {
|
||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
@@ -1193,7 +1191,6 @@ sub process_interface( $$ ) {
|
||||
my %options;
|
||||
|
||||
$options{port} = 1 if $port;
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
|
||||
my $hostoptionsref = {};
|
||||
|
||||
@@ -1237,8 +1234,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} elsif ( $option eq 'nodbl' ) {
|
||||
$options{dbl} = '0:0';
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
@@ -1261,11 +1256,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
$options{arp_ignore} = 1;
|
||||
}
|
||||
} elsif ( $option eq 'dbl' ) {
|
||||
my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
|
||||
|
||||
fatal_error q(The 'dbl' option requires a value) unless defined $value;
|
||||
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
|
||||
} else {
|
||||
assert( 0 );
|
||||
}
|
||||
@@ -1587,7 +1577,7 @@ sub known_interface($)
|
||||
name => $i ,
|
||||
number => $interfaceref->{number} ,
|
||||
physical => $physical ,
|
||||
base => $interfaceref->{base} ,
|
||||
base => var_base( $physical ) ,
|
||||
wildcard => $interfaceref->{wildcard} ,
|
||||
zones => $interfaceref->{zones} ,
|
||||
};
|
||||
@@ -1916,7 +1906,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
my $returnvalue = 0;
|
||||
|
||||
my $interfaces = find_interfaces_by_option( 'wait');
|
||||
my $interfaces = find_interfaces_by_option 'wait';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
my $first = 1;
|
||||
@@ -1982,7 +1972,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
}
|
||||
|
||||
$interfaces = find_interfaces_by_option( 'required' );
|
||||
$interfaces = find_interfaces_by_option 'required';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
|
||||
@@ -2170,7 +2160,7 @@ sub process_host( ) {
|
||||
#
|
||||
$interface = '%vserver%' if $type & VSERVER;
|
||||
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
|
||||
|
||||
progress_message " Host \"$currentline\" validated";
|
||||
|
||||
|
||||
@@ -41,7 +41,10 @@
|
||||
# --shorewallrc1=<path> # Path to export shorewallrc file.
|
||||
# --config_path=<path-list> # Search path for config files
|
||||
# --inline # Update alternative column specifications
|
||||
# --update # Update configuration to current release
|
||||
# --update # Update configuration to this release
|
||||
# --tcrules # Create mangle from tcrules
|
||||
# --routestopped # Create stoppedrules from routestopped
|
||||
# --notrack # Create conntrack from notrack
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
|
||||
@@ -599,15 +599,7 @@ debug_restore_input() {
|
||||
}
|
||||
|
||||
interface_enabled() {
|
||||
status=0
|
||||
|
||||
if [ -f ${VARDIR}/${1}_disabled ]; then
|
||||
status=1
|
||||
elif [ -f ${VARDIR}/${1}.status ]; then
|
||||
status=$(cat ${VARDIR}/${1}.status)
|
||||
fi
|
||||
|
||||
return $status
|
||||
return $(cat ${VARDIR}/$1.status)
|
||||
}
|
||||
|
||||
distribute_load() {
|
||||
@@ -686,10 +678,8 @@ interface_is_usable() # $1 = interface
|
||||
|
||||
if ! loopback_interface $1; then
|
||||
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
|
||||
if [ "$COMMAND" != enable ]; then
|
||||
[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
|
||||
status=$?
|
||||
fi
|
||||
[ "$COMMAND" = enable ] || run_isusable_exit $1
|
||||
status=$?
|
||||
else
|
||||
status=1
|
||||
fi
|
||||
@@ -1006,16 +996,9 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
|
||||
|
||||
if [ -n "$route" ]; then
|
||||
if echo $route | grep -qF ' nexthop '; then
|
||||
if interface_is_up $3; then
|
||||
gateway="nexthop $gateway"
|
||||
else
|
||||
gateway="nexthop $gateway dead"
|
||||
fi
|
||||
|
||||
if eval echo $route \| fgrep -q \'$gateway\'; then
|
||||
eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
|
||||
run_ip route replace table $2 $route
|
||||
fi
|
||||
gateway="nexthop $gateway"
|
||||
eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
|
||||
run_ip route replace table $2 $route
|
||||
else
|
||||
dev=$(find_device $route)
|
||||
[ "$dev" = "$3" ] && run_ip route delete default table $2
|
||||
@@ -1112,10 +1095,8 @@ interface_is_usable() # $1 = interface
|
||||
|
||||
if [ "$1" != lo ]; then
|
||||
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
|
||||
if [ "$COMMAND" != enable ]; then
|
||||
[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
|
||||
status=$?
|
||||
fi
|
||||
[ "$COMMAND" = enable ] || run_isusable_exit $1
|
||||
status=$?
|
||||
else
|
||||
status=1
|
||||
fi
|
||||
|
||||
@@ -128,14 +128,16 @@ ADD_SNAT_ALIASES=No
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -170,8 +172,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -248,8 +248,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -139,14 +139,16 @@ ADD_SNAT_ALIASES=No
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -181,8 +183,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -259,8 +259,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -136,14 +136,16 @@ ADD_SNAT_ALIASES=No
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -178,8 +180,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -256,8 +256,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -139,14 +139,16 @@ ADD_SNAT_ALIASES=No
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -181,8 +183,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -259,8 +259,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -128,14 +128,16 @@ ADD_SNAT_ALIASES=No
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=Yes
|
||||
@@ -170,8 +172,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=No
|
||||
@@ -248,8 +248,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall
|
||||
@@ -97,11 +97,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
@@ -146,7 +145,7 @@ case "$1" in
|
||||
restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
force-reload|reload)
|
||||
force0reload|reload)
|
||||
shorewall_reload
|
||||
;;
|
||||
status)
|
||||
|
||||
@@ -316,8 +316,6 @@ get_config() {
|
||||
|
||||
g_loopback=$(find_loopback_interfaces)
|
||||
|
||||
[ -n "$PAGER" ] || PAGER=$DEFAULT_PAGER
|
||||
|
||||
if [ -n "$PAGER" -a -t 1 ]; then
|
||||
case $PAGER in
|
||||
/*)
|
||||
@@ -325,7 +323,7 @@ get_config() {
|
||||
[ -f "$g_pager" ] || fatal_error "PAGER $PAGER does not exist"
|
||||
;;
|
||||
*)
|
||||
g_pager=$(mywhich $PAGER 2> /dev/null)
|
||||
g_pager=$(mywhich pager 2> /dev/null)
|
||||
[ -n "$g_pager" ] || fatal_error "PAGER $PAGER not found"
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -306,72 +306,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The normal setting for this option will be <emphasis
|
||||
role="bold">dst</emphasis> or <emphasis
|
||||
role="bold">none</emphasis> for internal interfaces and
|
||||
<emphasis role="bold">src</emphasis> or <emphasis
|
||||
role="bold">src-dst</emphasis> for Internet-facing
|
||||
interfaces.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -414,7 +348,7 @@ loc eth2 -</programlisting>
|
||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
firewall/bridging</ulink>, then you need to include
|
||||
DHCP-specific rules in <ulink
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
DHCP uses UDP ports 67 and 68.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@@ -446,7 +380,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -517,8 +451,8 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||
@@ -559,10 +493,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -137,7 +137,7 @@
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
|
||||
If the action accepts parameters, they are specified as a
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
@@ -355,8 +355,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
EF => 0x2e</programlisting>
|
||||
|
||||
<para>To indicate more than one class, add their hex values
|
||||
together and specify the result. By default, DSCP rules are
|
||||
placed in the POSTROUTING chain.</para>
|
||||
together and specify the result.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1255,17 +1254,6 @@ Normal-Service => 0x00</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single
|
||||
time period instead of distinct intervals.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
@@ -1376,7 +1364,7 @@ Normal-Service => 0x00</programlisting>
|
||||
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
|
||||
(Shorewall 4.5.9 and later).</para>
|
||||
|
||||
<programlisting>/etc/shorewall/mangle:
|
||||
<programlisting>/etc/shorewall/tcrules:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>This file determines what to do with a new connection request if
|
||||
we don't get a match from the /etc/shorewall/rules file . For each
|
||||
source/destination pair, the file is processed in order until a match is
|
||||
found ("all" will match any source or destination).</para>
|
||||
found ("all" will match any client or server).</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
@@ -61,7 +61,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -74,18 +74,12 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -101,12 +95,6 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -406,16 +406,6 @@
|
||||
are present.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<note>
|
||||
<para>The generated script will attempt to reenable a
|
||||
disabled persistent provider during execution of the
|
||||
<command>start</command>, <command>restart</command> and
|
||||
<command>reload</command> commands. When
|
||||
<option>persistent</option> is not specified, only the
|
||||
<command>enable</command> and <command>reenable</command>
|
||||
commands can reenable the provider.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -595,7 +595,8 @@
|
||||
<para>Added in Shorewall 4.5.9.3. Queues matching packets to a
|
||||
back end logging daemon via a netlink socket then continues to
|
||||
the next rule. See <ulink
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
</para>
|
||||
|
||||
<para>The <replaceable>nflog-parameters</replaceable> are a
|
||||
comma-separated list of up to 3 numbers:</para>
|
||||
@@ -1682,17 +1683,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single
|
||||
time period instead of distinct intervals.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
|
||||
@@ -307,9 +307,6 @@
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
|
||||
<para>Note that the routestopped file is not supported in
|
||||
Shorewall 5.0 and later versions.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -484,8 +481,8 @@
|
||||
|
||||
<para>ALL sends all packets through the blacklist chains.</para>
|
||||
|
||||
<para>Note: The ESTABLISHED state may not be specified if
|
||||
FASTACCEPT=Yes is specified.</para>
|
||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
||||
is specified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -580,14 +577,13 @@
|
||||
<listitem>
|
||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||
then Shorewall won't clear the current traffic control rules during
|
||||
[<command>re</command>]<command>start</command> or
|
||||
<command>reload</command>. This setting is intended for use by
|
||||
people who prefer to configure traffic shaping when the network
|
||||
interfaces come up rather than when the firewall is started. If that
|
||||
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||
not supply an /etc/shorewall/tcstart file. That way, your traffic
|
||||
shaping rules can still use the “fwmark” classifier based on packet
|
||||
marking defined in <ulink
|
||||
[re]start. This setting is intended for use by people who prefer to
|
||||
configure traffic shaping when the network interfaces come up rather
|
||||
than when the firewall is started. If that is what you want to do,
|
||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||
/etc/shorewall/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
|
||||
If not specified, CLEAR_TC=Yes is assumed.</para>
|
||||
</listitem>
|
||||
@@ -681,8 +677,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>If set to Yes (the default value), entries in the
|
||||
/etc/shorewall/rtrules files cause an 'ip rule del' command to be
|
||||
generated in addition to an 'ip rule add' command. Setting this
|
||||
/etc/shorewall/route_stopped files cause an 'ip rule del' command to
|
||||
be generated in addition to an 'ip rule add' command. Setting this
|
||||
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -774,14 +770,13 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
chain-based dynamic blacklisting using <command>shorewall
|
||||
drop</command>, <command>shorewall reject</command>,
|
||||
<command>shorewall logdrop</command> and <command>shorewall
|
||||
chain-based dynamic blacklisting using the <command>shorewall6
|
||||
drop</command>, <command>shorewall6 reject</command>,
|
||||
<command>shorewall6 logdrop</command> and <command>shorewall6
|
||||
logreject</command> is disabled. Default is <emphasis
|
||||
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
|
||||
ipset-based dynamic blacklisting using the <command>shorewall
|
||||
blacklist</command> command is also supported. The name of the set
|
||||
(<replaceable>setname</replaceable>) and the level
|
||||
ipset-based dynamic blacklisting is also supported. The name of the
|
||||
set (<replaceable>setname</replaceable>) and the level
|
||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||
traffic is to be logged may also be specified. The default set name
|
||||
is SW_DBL4 and the default log level is <option>none</option> (no
|
||||
@@ -834,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
helpers file from the administrative system into the script. When
|
||||
set to No or not specified, the compiler will not copy the modules
|
||||
or helpers file from <filename>/usr/share/shorewall</filename> but
|
||||
will copy those found in another location on the CONFIG_PATH.</para>
|
||||
will copy the found in another location on the CONFIG_PATH.</para>
|
||||
|
||||
<para>When compiling for direct use by Shorewall, causes the
|
||||
contents of the local module or helpers file to be copied into the
|
||||
@@ -868,7 +863,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
||||
cleared the packet mark in the first rule in the mangle FORWARD
|
||||
chain. This behavior is maintained with the default setting of this
|
||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||
@@ -1359,7 +1354,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall program where to look
|
||||
@@ -1369,10 +1364,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. For further information, see <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2010,9 +2002,6 @@ LOG:info:,bar net fw</programlisting>
|
||||
When PAGER is given, the output of verbose <command>status</command>
|
||||
commands and the <command>dump</command> command are piped through
|
||||
the named program when the output file is a terminal.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, the default value of this
|
||||
option is the DEFAULT_PAGER setting in shorewallrc.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2202,18 +2191,18 @@ LOG:info:,bar net fw</programlisting>
|
||||
#TARGET SOURCE DEST PROTO
|
||||
Broadcast(DROP) - - -
|
||||
DROP - - 2
|
||||
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
||||
?if __ENHANCED_REJECT
|
||||
INLINE - - 17 ;; -j REJECT
|
||||
INLINE - - 17 ; -j REJECT
|
||||
?if __IPV4
|
||||
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
||||
?else
|
||||
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
?endif
|
||||
?else
|
||||
INLINE - - - ;; -j REJECT
|
||||
INLINE - - - ; -j REJECT
|
||||
?endif</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -2283,7 +2272,7 @@ INLINE - - - ;; -j REJECT
|
||||
restored unconditionally at the top of the mangle OUTPUT and
|
||||
PREROUTING chains, even if the saved mark is zero. When this option
|
||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||
even when it is zero. If you have problems with IPSEC ESP packets
|
||||
not being routed correctly on output, try setting this option to
|
||||
<emphasis role="bold">No</emphasis>.</para>
|
||||
</listitem>
|
||||
@@ -2459,9 +2448,10 @@ INLINE - - - ;; -j REJECT
|
||||
|
||||
<listitem>
|
||||
<para>This option is used to specify the shell program to be used to
|
||||
interpret the compiled script. If not specified or specified as a
|
||||
null value, /bin/sh is assumed. Using a light-weight shell such as
|
||||
ash or dash can significantly improve performance.</para>
|
||||
run the Shorewall compiler and to interpret the compiled script. If
|
||||
not specified or specified as a null value, /bin/sh is assumed.
|
||||
Using a light-weight shell such as ash or dash can significantly
|
||||
improve performance.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2948,23 +2938,6 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.12, this is a workaround for an issue
|
||||
where packet marks are not zeroed by the kernel. It should be set to
|
||||
No (the default) unless you find that incoming packets are being
|
||||
mis-routed for no apparent reasons.</para>
|
||||
|
||||
<caution>
|
||||
<para>Do not set this option to Yes if you have IPSEC software
|
||||
running on the firewall system.</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
|
||||
|
||||
@@ -964,9 +964,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6-lite
|
||||
@@ -92,11 +92,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -679,9 +679,7 @@
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
blacklisted by a <command>drop</command>,
|
||||
<command>logdrop</command>, <command>reject</command>, or
|
||||
<command>logreject</command> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
<command>logreject</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -121,14 +121,16 @@ ACCOUNTING_TABLE=filter
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -157,8 +159,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -219,8 +219,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -122,14 +122,16 @@ ACCOUNTING_TABLE=filter
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -158,8 +160,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -220,8 +220,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -121,14 +121,16 @@ ACCOUNTING_TABLE=filter
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -157,8 +159,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -219,8 +219,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -121,14 +121,16 @@ ACCOUNTING_TABLE=filter
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=No
|
||||
@@ -157,8 +159,6 @@ FORWARD_CLEAR_MARK=
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=Yes
|
||||
@@ -219,8 +219,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -121,14 +121,16 @@ ACCOUNTING_TABLE=filter
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
AUTOCOMMENT=Yes
|
||||
|
||||
AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BASIC_FILTERS=No
|
||||
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CHAIN_SCRIPTS=Yes
|
||||
@@ -157,8 +159,6 @@ FORWARD_CLEAR_MARK=Yes
|
||||
|
||||
HELPERS=
|
||||
|
||||
IGNOREUNKNOWNVARIABLES=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
INLINE_MATCHES=No
|
||||
@@ -219,8 +219,6 @@ WARNOLDCAPVERSION=Yes
|
||||
|
||||
WORKAROUNDS=No
|
||||
|
||||
ZERO_MARKS=No
|
||||
|
||||
ZONE2ZONE=-
|
||||
|
||||
###############################################################################
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6
|
||||
@@ -97,11 +97,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -237,66 +237,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked against the
|
||||
ipset).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -381,7 +321,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -430,10 +370,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -138,7 +138,7 @@
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
|
||||
If the action accepts parameters, they are specified as a
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
@@ -356,8 +356,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
EF => 0x2e</programlisting>
|
||||
|
||||
<para>To indicate more than one class, add their hex values
|
||||
together and specify the result. By default, DSCP rules are
|
||||
placed in the POSTROUTING chain.</para>
|
||||
together and specify the result.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -634,7 +633,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
||||
<listitem>
|
||||
<para>The third number specifies the number of log
|
||||
messages that should be buffered in the kernel before they
|
||||
are sent to user space. The default is 1.</para>
|
||||
are sent to user space. The default is 1. </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
@@ -1331,17 +1330,6 @@ Normal-Service => 0x00</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single
|
||||
time period instead of distinct intervals.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
<para>This file determines what to do with a new connection request if
|
||||
we don't get a match from the /etc/shorewall6/rules file . For each
|
||||
source/destination pair, the file is processed in order until a match is
|
||||
found ("all" will match any source or destination).</para>
|
||||
found ("all" will match any client or server).</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
@@ -61,7 +61,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -74,18 +74,12 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
<emphasis>zone</emphasis>[,...[+]]|<emphasis
|
||||
<emphasis>zone</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">all+</emphasis></term>
|
||||
@@ -101,12 +95,6 @@
|
||||
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
|
||||
not override the implicit intra-zone ACCEPT policy while "all+"
|
||||
does.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
|
||||
separated by commas. As above, if '+' is specified after two or more
|
||||
zone names, then the policy overrides the implicit intra-zone ACCEPT
|
||||
policy if the same <replaceable>zone</replaceable> appears in both
|
||||
the SOURCE and DEST columns.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -377,16 +377,6 @@
|
||||
are present.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<note>
|
||||
<para>The generated script will attempt to reenable a
|
||||
disabled persistent provider during execution of the
|
||||
<command>start</command>, <command>restart</command> and
|
||||
<command>reload</command> commands. When
|
||||
<option>persistent</option> is not specified, only the
|
||||
<command>enable</command> and <command>reenable</command>
|
||||
commands can reenable the provider.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@@ -1547,17 +1547,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single
|
||||
time period instead of distinct intervals.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
|
||||
@@ -239,9 +239,6 @@
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
|
||||
<para>Note that the routestopped file is not supported in
|
||||
Shorewall 5.0 and later versions.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -500,14 +497,13 @@
|
||||
<listitem>
|
||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||
then Shorewall6 won't clear the current traffic control rules during
|
||||
[<command>re</command>]<command>start</command> or
|
||||
<command>reload</command>. This setting is intended for use by
|
||||
people that prefer to configure traffic shaping when the network
|
||||
interfaces come up rather than when the firewall is started. If that
|
||||
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
|
||||
not supply an /etc/shorewall6/tcstart file. That way, your traffic
|
||||
shaping rules can still use the “fwmark” classifier based on packet
|
||||
marking defined in <ulink
|
||||
[re]start. This setting is intended for use by people that prefer to
|
||||
configure traffic shaping when the network interfaces come up rather
|
||||
than when the firewall is started. If that is what you want to do,
|
||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||
/etc/shorewall6/tcstart file. That way, your traffic shaping rules
|
||||
can still use the “fwmark” classifier based on packet marking
|
||||
defined in <ulink
|
||||
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).
|
||||
If not specified, CLEAR_TC=No is assumed.</para>
|
||||
|
||||
@@ -608,9 +604,10 @@
|
||||
|
||||
<listitem>
|
||||
<para>If set to Yes (the default value), entries in the
|
||||
/etc/shorewall6/rtrules file cause an 'ip rule del' command to be
|
||||
generated in addition to an 'ip rule add' command. Setting this
|
||||
option to No, causes the 'ip rule del' command to be omitted.</para>
|
||||
/etc/shorewall6/route_stopped files cause an 'ip rule del' command
|
||||
to be generated in addition to an 'ip rule add' command. Setting
|
||||
this option to No, causes the 'ip rule del' command to be
|
||||
omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -635,14 +632,13 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
chain-based dynamic blacklisting using <command>shorewall6
|
||||
chain-based dynamic blacklisting using the <command>shorewall6
|
||||
drop</command>, <command>shorewall6 reject</command>,
|
||||
<command>shorewall6 logdrop</command> and <command>shorewall6
|
||||
logreject</command> is disabled. Default is <emphasis
|
||||
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
|
||||
ipset-based dynamic blacklisting using <command>shorewall6
|
||||
blacklist</command> is also supported. The name of the set
|
||||
(<replaceable>setname</replaceable>) and the level
|
||||
ipset-based dynamic blacklisting is also supported. The name of the
|
||||
set (<replaceable>setname</replaceable>) and the level
|
||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||
traffic is to be logged may also be specified. The default set name
|
||||
is SW_DBL6 and the default log level is <option>none</option> (no
|
||||
@@ -695,7 +691,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
helpers file from the administrative system into the script. When
|
||||
set to No or not specified, the compiler will not copy the modules
|
||||
or helpers file from <filename>/usr/share/shorewall6</filename> but
|
||||
will copy those found in another location on the CONFIG_PATH.</para>
|
||||
will copy the found in another location on the CONFIG_PATH.</para>
|
||||
|
||||
<para>When compiling for direct use by Shorewall6, causes the
|
||||
contents of the local module or helpers file to be copied into the
|
||||
@@ -729,7 +725,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. Traditionally, Shorewall has
|
||||
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
|
||||
cleared the packet mark in the first rule in the mangle FORWARD
|
||||
chain. This behavior is maintained with the default setting of this
|
||||
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
|
||||
@@ -1170,7 +1166,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall6 program where to
|
||||
@@ -1179,9 +1175,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">logwatch</emphasis>, <emphasis role="bold">show
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1735,9 +1729,6 @@ LOG:info:,bar net fw</programlisting>
|
||||
When PAGER is given, the output of verbose <command>status</command>
|
||||
commands and the <command>dump</command> command are piped through
|
||||
the named program when the output file is a terminal.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.12, the default value of this
|
||||
option is the DEFAULT_PAGER setting in shorewallrc.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1929,18 +1920,18 @@ LOG:info:,bar net fw</programlisting>
|
||||
#TARGET SOURCE DEST PROTO
|
||||
Broadcast(DROP) - - -
|
||||
DROP - - 2
|
||||
INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
|
||||
INLINE - - 6 ; -j REJECT --reject-with tcp-reset
|
||||
?if __ENHANCED_REJECT
|
||||
INLINE - - 17 ;; -j REJECT
|
||||
INLINE - - 17 ; -j REJECT
|
||||
?if __IPV4
|
||||
INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
|
||||
INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
|
||||
?else
|
||||
INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
|
||||
INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
|
||||
?endif
|
||||
?else
|
||||
INLINE - - - ;; -j REJECT
|
||||
INLINE - - - ; -j REJECT
|
||||
?endif</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -1989,7 +1980,7 @@ INLINE - - - ;; -j REJECT
|
||||
restored unconditionally at the top of the mangle OUTPUT and
|
||||
PREROUTING chains, even if the saved mark is zero. When this option
|
||||
is set to <emphasis role="bold">No</emphasis>, the mark is restored
|
||||
only if it is non-zero. If you have problems with IPSEC ESP packets
|
||||
even when it is zero. If you have problems with IPSEC ESP packets
|
||||
not being routed correctly on output, try setting this option to
|
||||
<emphasis role="bold">No</emphasis>.</para>
|
||||
</listitem>
|
||||
@@ -2605,23 +2596,6 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.12, this is a workaround for an issue
|
||||
where packet marks are not zeroed by the kernel. It should be set to
|
||||
No (the default) unless you find that incoming packets are being
|
||||
mis-routed for no apparent reasons.</para>
|
||||
|
||||
<caution>
|
||||
<para>Do not set this option to Yes if you have IPSEC software
|
||||
running on the firewall system.</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
|
||||
|
||||
@@ -932,9 +932,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -61,7 +61,7 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -26,8 +26,6 @@
|
||||
|
||||
<year>2011</year>
|
||||
|
||||
<year>2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -91,9 +89,7 @@
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
|
||||
acting as a firewall/router for a small local network. For
|
||||
Redhat-specific install/configure information, see <ulink url="???">this
|
||||
article </ulink>contributed by Digimer.</para>
|
||||
acting as a firewall/router for a small local network</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -398,7 +398,7 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2016</year>
|
||||
<year>2001-2013</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@@ -35,9 +35,9 @@
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 5.0 and
|
||||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
5.0.0 then please see the documentation for that
|
||||
4.3.5 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
@@ -774,17 +774,6 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</pro
|
||||
<programlisting>{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
|
||||
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
|
||||
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
|
||||
to individual rules using the <option>comment</option> keyword.</para>
|
||||
|
||||
<para>Example from the rules file:</para>
|
||||
|
||||
<programlisting> ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
|
||||
|
||||
<para>As shown in that example, when the comment contains whitespace, it
|
||||
must be enclosed in double quotes and any embedded double quotes must be
|
||||
escaped using a backslash ("\").</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -1382,10 +1371,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
?COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||||
the Shorewall show and dump commands.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.11, the <link linkend="Pairs">alternate
|
||||
input format </link>allows attaching comments to individual rules in the
|
||||
files listed above.</para>
|
||||
</section>
|
||||
|
||||
<section id="CONFIG_PATH">
|
||||
@@ -2800,182 +2785,6 @@ redirect => 137</programlisting>
|
||||
above.</para>
|
||||
</section>
|
||||
|
||||
<section id="TIME">
|
||||
<title>TIME Columns</title>
|
||||
|
||||
<para>Several of the files include a TIME colum that allows you to specify
|
||||
times when the rule is to be applied. Contents of this column is a list of
|
||||
<replaceable>timeelement</replaceable>s separated by apersands
|
||||
(&).</para>
|
||||
|
||||
<para>Each <replaceable>timeelement</replaceable> is one of the
|
||||
following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the starting time of day.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the ending time of day.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single time
|
||||
period instead of distinct intervals. See the Examples below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
<listitem>
|
||||
<para>Times are expressed in Greenwich Mean Time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>localtz</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deprecated by the Netfilter team in favor of <emphasis
|
||||
role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
|
||||
Time (default).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>kerneltz</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
|
||||
Time (requires iptables 1.4.12 or later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>weekdays=ddd[,ddd]...</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>ddd</replaceable> is one of
|
||||
<option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
|
||||
<option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
|
||||
<option>Sun</option></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>monthdays=dd[,dd],...</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>dd</replaceable> is an ordinal day of the
|
||||
month</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the starting date and time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the ending date and time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>To match on weekends, use:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Sat,Sun</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Or, to match (once) on a national holiday block:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>datestart=2016-12-24&datestop=2016-12-27</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Since the stop time is actually inclusive, you would need the
|
||||
following stop time to not match the first second of the new
|
||||
day:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>During Lunch Hour</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>The fourth Friday in the month:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Fri&monthdays=22,23,24,25,26,27,28</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Matching across days might not do what is expected. For
|
||||
instance,</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Mon&timestart=23:00&timestop=01:00</para>
|
||||
|
||||
<para>Will match Monday, for one hour from midnight to 1 a.m., and
|
||||
then again for another hour from 23:00 onwards. If this is unwanted,
|
||||
e.g. if you would like 'match for two hours from Montay 23:00
|
||||
onwards' you need to also specify the <emphasis
|
||||
role="bold">contiguous</emphasis> option in the example above.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section id="Switches">
|
||||
<title>Switches</title>
|
||||
|
||||
@@ -3118,8 +2927,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
role="bold">optional</emphasis> option in the OPTIONS column.</para>
|
||||
|
||||
<para>When an interface is marked as optional, Shorewall will determine
|
||||
the interface state at <command>start</command>, <command>reload</command>
|
||||
and <command>restart</command> and adjust its configuration
|
||||
the interface state at <command>start</command> and
|
||||
<command>restart</command> and adjust its configuration
|
||||
accordingly.</para>
|
||||
|
||||
<itemizedlist>
|
||||
@@ -3172,13 +2981,13 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
|
||||
<para>Shorewall allows you to have configuration directories other than
|
||||
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||||
<command>check</command>, <command>start</command>,
|
||||
<command>reload</command> and <command>restart</command> commands allow
|
||||
you to specify an alternate configuration directory and Shorewall will use
|
||||
the files in the alternate directory rather than the corresponding files
|
||||
in /etc/shorewall. The alternate directory need not contain a complete
|
||||
configuration; those files not in the alternate directory will be read
|
||||
from <filename class="directory">/etc/shorewall</filename>.<important>
|
||||
<command>check</command>, <command>start</command> and
|
||||
<command>restart</command> commands allow you to specify an alternate
|
||||
configuration directory and Shorewall will use the files in the alternate
|
||||
directory rather than the corresponding files in /etc/shorewall. The
|
||||
alternate directory need not contain a complete configuration; those files
|
||||
not in the alternate directory will be read from <filename
|
||||
class="directory">/etc/shorewall</filename>.<important>
|
||||
<para>Shorewall requires that the file
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> to always exist.
|
||||
Certain global settings are always obtained from that file. If you
|
||||
|
||||
@@ -297,8 +297,8 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Post the <filename>/tmp/shorewall_dump.txt</filename> file
|
||||
as an attachment compressed with gzip or bzip2.</para>
|
||||
<para>Post the <filename>/tmp/status.txt</filename> file as an
|
||||
attachment compressed with gzip or bzip2.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
Reference in New Issue
Block a user