forked from extern/shorewall_code
Compare commits
5 Commits
5.0.13-RC1
...
5.0.12
| Author | SHA1 | Date | |
|---|---|---|---|
|
dce3e740a4 | ||
|
|
09c528468b | ||
|
|
6b20fb42d4 | ||
|
d2cd9b5b71 | ||
|
|
05dc3db3c1 |
@@ -3555,40 +3555,10 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
if $IPSET -A $g_blacklistipset $@ -exist; then
|
||||
local message
|
||||
|
||||
progress_message2 "$1 Blacklisted"
|
||||
|
||||
if [ -n "$g_disconnect" ]; then
|
||||
message="$(conntrack -D -s $1 2>&1)"
|
||||
if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
|
||||
if [ $VERBOSITY -gt 1 ]; then
|
||||
echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /, " src " ); }; { print; }'
|
||||
else
|
||||
echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $g_disconnect = src-dst ]; then
|
||||
message="$(conntrack -D -d $1 2>&1)"
|
||||
if [ -n "$message" -a $VERBOSITY -gt 0 ]; then
|
||||
if [ $VERBOSITY -gt 1 ]; then
|
||||
echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /, " dst " ); }; { print; }'
|
||||
else
|
||||
echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
else
|
||||
error_message "ERROR: Address $1 not blacklisted"
|
||||
return 1
|
||||
fi
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
save_command() {
|
||||
local finished
|
||||
finished=0
|
||||
@@ -3791,68 +3761,6 @@ verify_firewall_script() {
|
||||
fi
|
||||
}
|
||||
|
||||
setup_dbl() {
|
||||
local original
|
||||
|
||||
original=$DYNAMIC_BLACKLIST
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
*:*,)
|
||||
fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
ipset*,disconnect*)
|
||||
if qt mywhich conntrack; then
|
||||
g_disconnect=src
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
|
||||
else
|
||||
fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
ipset*,src-dst*)
|
||||
#
|
||||
# This utility doesn't need to know about 'src-dst'
|
||||
#
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
|
||||
|
||||
[ -n "$g_disconnect" ] && g_disconnect=src-dst
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
ipset*,timeout*)
|
||||
#
|
||||
# This utility doesn't need to know about 'timeout=nnn'
|
||||
#
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# The remaining functions are used by the Lite cli - they are overloaded by
|
||||
# the Standard CLI by loading lib.cli-std
|
||||
@@ -4012,7 +3920,35 @@ get_config() {
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
setup_dbl
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
@@ -4358,7 +4294,6 @@ shorewall_cli() {
|
||||
g_compiled=
|
||||
g_pager=
|
||||
g_blacklistipset=
|
||||
g_disconnect=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
|
||||
@@ -724,23 +724,6 @@
|
||||
<replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
|
||||
<para>If the <option>disconnect</option> option is specified in the
|
||||
DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
|
||||
determines the amount of information displayed:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 0, then a message
|
||||
giving the number of conntrack flows deleted by the command is
|
||||
displayed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 1, then the conntrack
|
||||
table entries deleted by the command are also displayed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -8266,63 +8266,36 @@ EOF
|
||||
sub ensure_ipsets( @ ) {
|
||||
my $set;
|
||||
|
||||
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
|
||||
shift;
|
||||
|
||||
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
|
||||
|
||||
if ( @_ > 1 ) {
|
||||
push_indent;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit( q( #),
|
||||
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||
q( #),
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
|
||||
} else {
|
||||
emit( q( #),
|
||||
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||
q( #),
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit( qq( fi\n) );
|
||||
|
||||
emit( "for set in @_; do" );
|
||||
$set = '$set';
|
||||
} else {
|
||||
$set = $_[0];
|
||||
}
|
||||
|
||||
if ( @_ ) {
|
||||
if ( @_ > 1 ) {
|
||||
push_indent;
|
||||
emit( "for set in @_; do" );
|
||||
$set = '$set';
|
||||
} else {
|
||||
$set = $_[0];
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( have_capability 'IPSET_V5' ) {
|
||||
emit ( qq( if ! qt \$IPSET list $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||
qq( \$IPSET create $set hash:net family inet timeout 0 counters) ,
|
||||
qq( fi) );
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
|
||||
qq( \$IPSET -N $set iphash) ,
|
||||
qq( fi) );
|
||||
}
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET list $set -n; then) ,
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( have_capability 'IPSET_V5' ) {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||
qq( \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
|
||||
qq( \$IPSET -N $set hash:net family inet timeout 0 counters) ,
|
||||
qq( fi) );
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
|
||||
qq( \$IPSET -N $set iphash) ,
|
||||
qq( fi) );
|
||||
}
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||
qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
|
||||
qq( fi) );
|
||||
}
|
||||
|
||||
if ( @_ > 1 ) {
|
||||
emit 'done';
|
||||
pop_indent;
|
||||
}
|
||||
if ( @_ > 1 ) {
|
||||
emit 'done';
|
||||
pop_indent;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8500,21 +8473,10 @@ sub create_load_ipsets() {
|
||||
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ##################
|
||||
|
||||
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
|
||||
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' );
|
||||
|
||||
if ( my $set = $globals{DBL_IPSET} ) {
|
||||
emit( ' #',
|
||||
' # Update the dynamic blacklisting ipset timeout value',
|
||||
' #',
|
||||
qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
|
||||
' zap_ipsets',
|
||||
' $IPSET restore < ${VARDIR}/ipsets.temp',
|
||||
' fi' );
|
||||
} else {
|
||||
emit( ' zap_ipsets',
|
||||
' $IPSET -R < ${VARDIR}/ipsets.save',
|
||||
' fi' );
|
||||
}
|
||||
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then',
|
||||
' zap_ipsets',
|
||||
' $IPSET -R < ${VARDIR}/ipsets.save',
|
||||
' fi' );
|
||||
}
|
||||
|
||||
if ( @ipsets ) {
|
||||
|
||||
@@ -754,8 +754,6 @@ sub initialize( $;$$) {
|
||||
RPFILTER_LOG_TAG => '',
|
||||
INVALID_LOG_TAG => '',
|
||||
UNTRACKED_LOG_TAG => '',
|
||||
DBL_IPSET => '',
|
||||
DBL_TIMEOUT => 0,
|
||||
POSTROUTING => 'POSTROUTING',
|
||||
);
|
||||
#
|
||||
@@ -900,7 +898,6 @@ sub initialize( $;$$) {
|
||||
MINIUPNPD => undef ,
|
||||
VERBOSE_MESSAGES => undef ,
|
||||
ZERO_MARKS => undef ,
|
||||
FIREWALL => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -6256,23 +6253,9 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||
if ( $val =~ /^ipset/ ) {
|
||||
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
||||
|
||||
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
|
||||
|
||||
( $key , my @options ) = split_list( $key, 'option' );
|
||||
|
||||
for ( @options ) {
|
||||
unless ( $simple_options{$_} ) {
|
||||
if ( $_ =~ s/^timeout=(\d+)$// ) {
|
||||
$globals{DBL_TIMEOUT} = $1;
|
||||
} else {
|
||||
fatal_error "Invalid ipset option ($_)";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
|
||||
|
||||
if ( supplied( $set ) ) {
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
|
||||
@@ -6280,7 +6263,7 @@ sub get_configuration( $$$$ ) {
|
||||
$set = 'SW_DBL' . $family;
|
||||
}
|
||||
|
||||
add_ipset( $globals{DBL_IPSET} = $set );
|
||||
add_ipset( $set );
|
||||
|
||||
$level = validate_level( $level );
|
||||
|
||||
|
||||
@@ -309,14 +309,27 @@ sub balance_default_route( $$$$ ) {
|
||||
emit '';
|
||||
|
||||
if ( $first_default_route ) {
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
|
||||
}
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
|
||||
#
|
||||
# IPv6 doesn't support multi-hop routes
|
||||
#
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
|
||||
} else {
|
||||
emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
|
||||
}
|
||||
}
|
||||
|
||||
$first_default_route = 0;
|
||||
} else {
|
||||
fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
|
||||
|
||||
if ( $gateway ) {
|
||||
emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
@@ -333,14 +346,27 @@ sub balance_fallback_route( $$$$ ) {
|
||||
emit '';
|
||||
|
||||
if ( $first_fallback_route ) {
|
||||
if ( $gateway ) {
|
||||
emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $gateway ) {
|
||||
emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
|
||||
}
|
||||
} else {
|
||||
emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
|
||||
#
|
||||
# IPv6 doesn't support multi-hop routes
|
||||
#
|
||||
if ( $gateway ) {
|
||||
emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
|
||||
} else {
|
||||
emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
|
||||
}
|
||||
}
|
||||
|
||||
$first_fallback_route = 0;
|
||||
} else {
|
||||
fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
|
||||
|
||||
if ( $gateway ) {
|
||||
emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
|
||||
} else {
|
||||
@@ -516,6 +542,7 @@ sub process_a_provider( $ ) {
|
||||
$track = 0;
|
||||
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
||||
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
fatal_error 'The balance setting must be non-zero' unless $1;
|
||||
$balance = $1;
|
||||
} elsif ( $option eq 'balance' || $option eq 'primary') {
|
||||
@@ -538,6 +565,7 @@ sub process_a_provider( $ ) {
|
||||
$mtu = "mtu $1 ";
|
||||
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
$default = $1;
|
||||
$default_balance = 0;
|
||||
fatal_error 'fallback must be non-zero' unless $default;
|
||||
@@ -799,10 +827,18 @@ sub add_a_provider( $$ ) {
|
||||
emit( qq([ -z "$address" ] && return\n) );
|
||||
|
||||
if ( $hostroute ) {
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
emit qq(echo "\$IP route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
} else {
|
||||
emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
|
||||
emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu} > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing );
|
||||
emit qq(echo "\$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
}
|
||||
}
|
||||
|
||||
emit( "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm" );
|
||||
@@ -923,8 +959,14 @@ CEOF
|
||||
$address = get_interface_address $interface unless $address;
|
||||
|
||||
if ( $hostroute ) {
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu});
|
||||
emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
} else {
|
||||
emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu});
|
||||
emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm);
|
||||
}
|
||||
}
|
||||
|
||||
emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
|
||||
@@ -938,8 +980,13 @@ CEOF
|
||||
my $id = $providers{default}->{id};
|
||||
emit '';
|
||||
if ( $gateway ) {
|
||||
emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
|
||||
emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
|
||||
emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
|
||||
} else {
|
||||
emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
|
||||
emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
|
||||
}
|
||||
emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
|
||||
emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
|
||||
} else {
|
||||
@@ -1015,12 +1062,23 @@ CEOF
|
||||
$tbl = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
|
||||
$weight = $balance ? $balance : $default;
|
||||
|
||||
if ( $gateway ) {
|
||||
emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $gateway ) {
|
||||
emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
|
||||
} else {
|
||||
emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
|
||||
}
|
||||
} else {
|
||||
emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
|
||||
#
|
||||
# IPv6 doesn't support multi-hop routes
|
||||
#
|
||||
if ( $gateway ) {
|
||||
emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
|
||||
} else {
|
||||
emit qq(add_gateway "dev $physical $realm" ) . $tbl;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
} else {
|
||||
$weight = 1;
|
||||
}
|
||||
|
||||
@@ -1110,7 +1168,7 @@ CEOF
|
||||
$via = "dev $physical";
|
||||
}
|
||||
|
||||
$via .= " weight $weight" unless $weight < 0;
|
||||
$via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
|
||||
$via .= " $realm" if $realm;
|
||||
|
||||
emit( qq(delete_gateway "$via" $tbl $physical) );
|
||||
@@ -1459,7 +1517,12 @@ sub finish_providers() {
|
||||
|
||||
if ( $balancing ) {
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
} else {
|
||||
emit ( " qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
|
||||
emit ( " run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
|
||||
}
|
||||
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
emit ( " while qt \$IP -$family route del default table $main; do",
|
||||
@@ -1512,7 +1575,12 @@ sub finish_providers() {
|
||||
|
||||
if ( $fallback ) {
|
||||
emit ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
|
||||
emit( " run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit( " run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
|
||||
} else {
|
||||
emit( " qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
|
||||
emit( " run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
|
||||
}
|
||||
|
||||
emit( " progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
|
||||
@@ -1119,8 +1119,6 @@ sub process_interface( $$ ) {
|
||||
|
||||
my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
|
||||
|
||||
fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
|
||||
|
||||
fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
|
||||
|
||||
if ( supplied $port ) {
|
||||
@@ -1195,7 +1193,7 @@ sub process_interface( $$ ) {
|
||||
my %options;
|
||||
|
||||
$options{port} = 1 if $port;
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
|
||||
my $hostoptionsref = {};
|
||||
|
||||
@@ -1318,7 +1316,7 @@ sub process_interface( $$ ) {
|
||||
fatal_error "The '$option' option requires a value" unless defined $value;
|
||||
|
||||
if ( $option eq 'physical' ) {
|
||||
fatal_error "Invalid interface name ($interface)" if $interface =~ /[()\[\]\*\?%]/;
|
||||
fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
|
||||
fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
|
||||
|
||||
fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
|
||||
|
||||
@@ -23,12 +23,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -34,12 +34,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -31,12 +31,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -34,12 +34,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -23,12 +23,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -336,7 +336,35 @@ get_config() {
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
setup_dbl
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
@@ -1444,12 +1472,6 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
option=
|
||||
shift
|
||||
;;
|
||||
D)
|
||||
[ $# -gt 1 ] || fatal_error "Missing directory name"
|
||||
g_shorewalldir=$2
|
||||
option=
|
||||
shift
|
||||
;;
|
||||
T*)
|
||||
g_confess=Yes
|
||||
option=${option#T}
|
||||
@@ -1473,7 +1495,7 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
|
||||
case $# in
|
||||
0)
|
||||
[ -n "$g_shorewalldir" ] || g_shorewalldir='.'
|
||||
missing_argument
|
||||
;;
|
||||
1)
|
||||
g_shorewalldir="."
|
||||
@@ -1508,11 +1530,6 @@ remote_reload_command() # $* = original arguments less the command.
|
||||
get_config No
|
||||
|
||||
g_haveconfig=Yes
|
||||
|
||||
if [ -z "$system" ]; then
|
||||
system=$FIREWALL
|
||||
[ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
|
||||
fi
|
||||
else
|
||||
fatal_error "$g_shorewalldir/$g_program.conf does not exist"
|
||||
fi
|
||||
|
||||
@@ -653,12 +653,12 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -768,7 +768,8 @@
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
@@ -784,61 +785,12 @@
|
||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||
traffic is to be logged may also be specified. The default set name
|
||||
is SW_DBL4 and the default log level is <option>none</option> (no
|
||||
logging). If <option>ipset-only</option> is given, then chain-based
|
||||
logging). if <option>ipset-only</option> is given, then chain-based
|
||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||
had been specified.</para>
|
||||
|
||||
<para>Possible <replaceable>option</replaceable>s are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>src-dst</term>
|
||||
|
||||
<listitem>
|
||||
<para>Normally, only packets whose source address matches an
|
||||
entry in the ipset are dropped. If <option>src-dst</option> is
|
||||
included, then packets whose destination address matches an
|
||||
entry in the ipset are also dropped. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>disconnect</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>The <option>disconnect</option> option was added in
|
||||
Shorewall 5.0.13 and requires that the conntrack utility be
|
||||
installed on the firewall system. When an address is
|
||||
blacklisted using the <command>blacklist</command> command,
|
||||
all connections originating from that address are
|
||||
disconnected. if the <option>src-dst</option> option was also
|
||||
specified, then all connections to that address are also
|
||||
disconnected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>timeout</option>=<replaceable>seconds</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.13. Normally, Shorewall creates
|
||||
the dynamic blacklisting ipset with timeout 0 which means that
|
||||
entries are permanent. If you want entries in the set that are
|
||||
not accessed for a period of time to be deleted from the set,
|
||||
you may specify that period using this option. Note that the
|
||||
<command>blacklist</command> command can override the ipset's
|
||||
timeout setting.</para>
|
||||
|
||||
<important>
|
||||
<para>Once the dynamic blacklisting ipset has been created,
|
||||
changing this option setting requires a complete restart of
|
||||
the firewall; <command>shorewall restart</command> if
|
||||
RESTART=restart, otherwise <command>shorewall stop
|
||||
&& shorewall start</command></para>
|
||||
</important>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
had been specified. Normally, only packets whose source address
|
||||
matches an entry in the ipsec are dropped. If
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
@@ -911,20 +863,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This option was added in Shorewall 5.0.13 and may be used on
|
||||
an administrative system in directories containing the
|
||||
configurations of remote firewalls. The contents of the variable are
|
||||
the default value for the <replaceable>system</replaceable>
|
||||
parameter to the <command>remote-reload</command> and
|
||||
<command>remote-restart</command> commands.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
@@ -59,9 +59,7 @@
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg
|
||||
choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
|
||||
...</arg></arg>
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -451,9 +449,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -475,9 +473,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -499,9 +497,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -988,23 +986,6 @@
|
||||
<replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
|
||||
<para>If the <option>disconnect</option> option is specified in the
|
||||
DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
|
||||
determines the amount of information displayed:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 0, then a message
|
||||
giving the number of conntrack flows deleted by the command is
|
||||
displayed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 1, then the conntrack
|
||||
table entries deleted by the command are also displayed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1631,8 +1612,8 @@
|
||||
<term><emphasis role="bold">remote-start</emphasis>
|
||||
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ [ -D ] <replaceable>directory</replaceable> ]
|
||||
[ <replaceable>system</replaceable> ]</term>
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was renamed from <command>load</command> in
|
||||
@@ -1658,13 +1639,7 @@
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <replaceable>system</replaceable> is started via
|
||||
ssh. Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">start</emphasis> command succeeds, then the
|
||||
@@ -1699,9 +1674,9 @@
|
||||
<term><emphasis role="bold">remote-reload
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
||||
<replaceable>directory</replaceable> ] [
|
||||
<replaceable>system</replaceable> ]</term>
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was added in Shorewall 5.0.0.</para>
|
||||
@@ -1725,14 +1700,8 @@
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
|
||||
Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
Shorewall Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">restart</emphasis> command succeeds, then the
|
||||
@@ -1767,9 +1736,9 @@
|
||||
<term><emphasis role="bold">remote-restart
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
||||
<replaceable>directory</replaceable> ] [
|
||||
<replaceable>system</replaceable> ]</term>
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was renamed from <command>reload</command> in
|
||||
@@ -1794,14 +1763,8 @@
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <emphasis>system</emphasis> is restarted via ssh.
|
||||
Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
Shorewall Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">restart</emphasis> command succeeds, then the
|
||||
|
||||
@@ -701,23 +701,6 @@
|
||||
The <replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
|
||||
<para>If the <option>disconnect</option> option is specified in the
|
||||
DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
|
||||
determines the amount of information displayed:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 0, then a message
|
||||
giving the number of conntrack flows deleted by the command is
|
||||
displayed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 1, then the conntrack
|
||||
table entries deleted by the command are also displayed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -24,12 +24,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -25,12 +25,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -24,12 +24,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -24,12 +24,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -24,12 +24,6 @@ VERBOSITY=1
|
||||
|
||||
PAGER=
|
||||
|
||||
###############################################################################
|
||||
# F I R E W A L L
|
||||
###############################################################################
|
||||
|
||||
FIREWALL=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
@@ -159,40 +159,26 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
|
||||
<term><emphasis role="bold">balance</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.25. The providers that have
|
||||
<option>balance</option> specified will get outbound traffic
|
||||
load-balanced among them. By default, all interfaces with
|
||||
<option>balance</option> specified will have the same weight
|
||||
(1). Beginning with Shorewall 5.0.13, you can change the
|
||||
weight of an interface by specifying
|
||||
<option>balance=</option><replaceable>weight</replaceable>
|
||||
where <replaceable>weight</replaceable> is the weight of the
|
||||
route out of this interface. Prior to Shorewall 5.0.13, only
|
||||
one provider can specify this option.</para>
|
||||
<para>Added in Shorewall 4.4.25. Causes a default route to
|
||||
this provider's gateway to be added to the <emphasis
|
||||
role="bold">main</emphasis> routing table (USE_DEFAULT_RT=No)
|
||||
or to the <emphasis role="bold">balance</emphasis> routing
|
||||
table (USE_DEFAULT_RT=Yes). Only one provider can specify this
|
||||
option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
|
||||
<term><emphasis role="bold">fallback</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.25. Indicates that a default
|
||||
route through the provider should be added to the default
|
||||
routing table (table 253). If a
|
||||
<replaceable>weight</replaceable> is given, a balanced route
|
||||
is added with the weight of this provider equal to the
|
||||
specified <replaceable>weight</replaceable>. If the option is
|
||||
given without a <replaceable>weight</replaceable>, an separate
|
||||
default route is added through the provider's gateway; the
|
||||
route has a metric equal to the provider's NUMBER. Prior to
|
||||
Shorewall 5.0.13, at most one provider can specify this option
|
||||
and a <replaceable>weight</replaceable> may not be
|
||||
given.</para>
|
||||
<para>Added in Shorewall 4.4.25. Causes a default route to
|
||||
this provider's gateway to be added to the <emphasis
|
||||
role="bold">default</emphasis> routing table.At most one
|
||||
provider can specify this option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -630,7 +630,7 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">NFQUEUE!</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||
role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber1</replaceable>[,<replaceable>queuenumber2</replaceable>][,bypass]]|bypass)]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||
|
||||
@@ -629,7 +629,8 @@
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
@@ -647,59 +648,10 @@
|
||||
is SW_DBL6 and the default log level is <option>none</option> (no
|
||||
logging). if <option>ipset-only</option> is given, then chain-based
|
||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||
had been specified. </para>
|
||||
|
||||
<para>Possible <replaceable>option</replaceable>s are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>src-dst</term>
|
||||
|
||||
<listitem>
|
||||
<para>Normally, only packets whose source address matches an
|
||||
entry in the ipset are dropped. If <option>src-dst</option> is
|
||||
included, then packets whose destination address matches an
|
||||
entry in the ipset are also dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>disconnect</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>The <option>disconnect</option> option was added in
|
||||
Shorewall 5.0.13 and requires that the conntrack utility be
|
||||
installed on the firewall system. When an address is
|
||||
blacklisted using the <command>blacklist</command> command,
|
||||
all connections originating from that address are
|
||||
disconnected. if the <option>src-dst</option> option was also
|
||||
specified, then all connections to that address are also
|
||||
disconnected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>timeout</option>=<replaceable>seconds</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.13. Normally, Shorewall creates
|
||||
the dynamic blacklisting ipset with timeout 0 which means that
|
||||
entries are permanent. If you want entries in the set that are
|
||||
not accessed for a period of time to be deleted from the set,
|
||||
you may specify that period using this option. Note that the
|
||||
<command>blacklist</command> command can override the ipset's
|
||||
timeout setting.</para>
|
||||
|
||||
<important>
|
||||
<para>Once the dynamic blacklisting ipset has been created,
|
||||
changing this option setting requires a complete restart of
|
||||
the firewall; <command>shorewall6 restart</command> if
|
||||
RESTART=restart, otherwise <command>shorewall6 stop
|
||||
&& shorewall6 start</command></para>
|
||||
</important>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
had been specified. Normally, only packets whose source address
|
||||
matches an entry in the ipsec are dropped. If
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
@@ -772,20 +724,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">FIREWALL</emphasis>=[<emphasis>dnsname-or-ip-address</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This option was added in Shorewall 5.0.13 and may be used on
|
||||
an administrative system in directories containing the
|
||||
configurations of remote firewalls. The contents of the variable are
|
||||
the default value for the <replaceable>system</replaceable>
|
||||
parameter to the <command>remote-reload</command> and
|
||||
<command>remote-restart</command> commands.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
@@ -44,6 +44,8 @@
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>allow</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -56,9 +58,7 @@
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable><arg
|
||||
choice="plain"><arg><replaceable>option
|
||||
...</replaceable></arg></arg></arg>
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -403,9 +403,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="opt"><replaceable>system</replaceable></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -427,9 +427,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="opt"><replaceable>system</replaceable></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -451,9 +451,9 @@
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="opt"><replaceable>system</replaceable></arg>
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@@ -954,23 +954,6 @@
|
||||
The <replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
|
||||
<para>If the <option>disconnect</option> option is specified in the
|
||||
DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
|
||||
determines the amount of information displayed:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 0, then a message
|
||||
giving the number of conntrack flows deleted by the command is
|
||||
displayed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the effective verbosity is > 1, then the conntrack
|
||||
table entries deleted by the command are also displayed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1565,11 +1548,9 @@
|
||||
<term><emphasis role="bold">remote-reload
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
||||
<replaceable>directory</replaceable> ] [
|
||||
<replaceable>system</replaceable> ]</term>
|
||||
|
||||
<term/>
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was added in Shorewall 5.0.0.</para>
|
||||
@@ -1593,14 +1574,8 @@
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
||||
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via ssh.
|
||||
Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <option>-s</option> is specified and the
|
||||
<command>restart</command> command succeeds, then the remote
|
||||
@@ -1635,9 +1610,9 @@
|
||||
<term><emphasis role="bold">remote- restart
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
||||
<replaceable>directory</replaceable> ] [
|
||||
<replaceable>system</replaceable> ]</term>
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was renamed from <command>reload</command> in
|
||||
@@ -1665,14 +1640,6 @@
|
||||
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
|
||||
<para>If <option>-s</option> is specified and the
|
||||
<command>restart</command> command succeeds, then the remote
|
||||
Shorewall6-lite configuration is saved by executing
|
||||
@@ -1706,8 +1673,8 @@
|
||||
<term><emphasis role="bold">remote-start </emphasis>
|
||||
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
|
||||
<replaceable>system</replaceable> ]</term>
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was added in Shorewall 5.0.0.</para>
|
||||
@@ -1732,13 +1699,7 @@
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
||||
Shorewall6 Lite on <replaceable>system</replaceable> is started via
|
||||
ssh. Beginning with Shorewall 5.0.13, if
|
||||
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
||||
option setting in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
||||
that case, if you want to specify a
|
||||
<replaceable>directory</replaceable>, then the <option>-D</option>
|
||||
option must be given.</para>
|
||||
ssh.</para>
|
||||
|
||||
<para>If <option>-s</option> is specified and the <emphasis
|
||||
role="bold">start</emphasis> command succeeds, then the remote
|
||||
|
||||
@@ -766,7 +766,7 @@ fi</programlisting>
|
||||
provider interfaces as <emphasis role="bold">optional</emphasis> (<ulink
|
||||
url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>)
|
||||
then <link linkend="LinkMonitor">install and configure
|
||||
FOOLSM</link>.</para>
|
||||
LSM</link>.</para>
|
||||
|
||||
<para><ulink url="Shorewall-init.html">Shorewall-init</ulink> provides
|
||||
for handling links that go hard down and are later brought back
|
||||
@@ -926,7 +926,7 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Example2">
|
||||
<title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
|
||||
<title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
|
||||
|
||||
<para>This section shows the differences in configuring the above
|
||||
example with USE_DEFAULT_RT=Yes. The changes are confined to the
|
||||
@@ -1937,8 +1937,8 @@ if [ $2 != down ]; then
|
||||
[ -f /var/lib/shorewall/eth0.info ] && . /var/lib/shorewall/eth0.info
|
||||
|
||||
if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
|
||||
logger -p daemon.info "eth0 IP configuration changed - restarting foolsm and Shorewall"
|
||||
killall foolsm
|
||||
logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
|
||||
killall lsm
|
||||
/sbin/shorewall restart
|
||||
fi
|
||||
fi
|
||||
@@ -1953,9 +1953,9 @@ fi
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>It assumes the use of <link linkend="lsm">FOOLSM</link>;
|
||||
If you aren't using foolsm, you can change the log message and
|
||||
remove the 'killall foolsm'</para>
|
||||
<para>It assumes the use of <link linkend="lsm">LSM</link>; If
|
||||
you aren't using lSM, you can change the log message and remove
|
||||
the 'killall lsm'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -2090,9 +2090,9 @@ ComcastC 2 - - eth0 detect loose,fallback,load=0.33
|
||||
<section id="LinkMonitor">
|
||||
<title>Gateway Monitoring and Failover</title>
|
||||
|
||||
<para>There is an option (FOOLSM) available for monitoring the status of
|
||||
provider links and taking action when a failure occurs. FOOLSM assumes
|
||||
that each provider has a unique nexthop gateway.</para>
|
||||
<para>There is an option (LSM) available for monitoring the status of
|
||||
provider links and taking action when a failure occurs. LSM assumes that
|
||||
each provider has a unique nexthop gateway.</para>
|
||||
|
||||
<para>You specify the <option>optional</option> option in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
@@ -2102,7 +2102,7 @@ net eth0 detect <emphasis role="bold">optional</emphasis>
|
||||
net eth1 detect <emphasis role="bold">optional</emphasis></programlisting>
|
||||
|
||||
<section id="lsm">
|
||||
<title>Link Status Monitor (FOOLSM)</title>
|
||||
<title>Link Status Monitor (LSM)</title>
|
||||
|
||||
<para><ulink url="http://lsm.foobar.fi/">Link Status Monitor</ulink>
|
||||
was written by Mika Ilmaranta <ilmis at nullnet.fi> and performs
|
||||
@@ -2116,25 +2116,19 @@ net eth1 detect <emphasis role="bold">optional</emphasis><
|
||||
file</ulink>) before installing LSM.</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
<para>To avoid an achronym clash with <emphasis>Linux Security
|
||||
Module</emphasis>, the Link Status Monitor is now called
|
||||
<emphasis>foolsm</emphasis>.</para>
|
||||
</important>
|
||||
<para>Like many Open Source products, LSM is poorly documented. It's
|
||||
main configuration file is normally kept in
|
||||
<filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
|
||||
as an argument to the lsm program so you can name it anything you
|
||||
want.</para>
|
||||
|
||||
<para>Like many Open Source products, FOOLSM is poorly documented.
|
||||
It's main configuration file is normally kept in
|
||||
<filename>/etc/foolsm/foolsm.conf</filename>, but the file's name is
|
||||
passed as an argument to the foolsm program so you can name it
|
||||
anything you want.</para>
|
||||
|
||||
<para>The sample <filename>foolsm.conf</filename> included with the
|
||||
<para>The sample <filename>lsm.conf</filename> included with the
|
||||
product shows some of the possibilities for configuration. One feature
|
||||
that is not mentioned in the sample is that an "include" directive is
|
||||
supported. This allows additional files to be sourced in from the main
|
||||
configuration file.</para>
|
||||
|
||||
<para>FOOLSM monitors the status of the links defined in its
|
||||
<para>LSM monitors the status of the links defined in its
|
||||
configuration file and runs a user-provided script when the status of
|
||||
a link changes. The script name is specified in the
|
||||
<firstterm>eventscript</firstterm> option in the configuration file.
|
||||
@@ -2181,33 +2175,33 @@ net eth1 detect <emphasis role="bold">optional</emphasis><
|
||||
|
||||
<para>It is the responsibility of the script to perform any action
|
||||
needed in reaction to the connection state change. The default script
|
||||
supplied with FOOLSM composes an email and sends it to $5.</para>
|
||||
supplied with LSM composes an email and sends it to $5.</para>
|
||||
|
||||
<para>I personally use FOOLSM here at shorewall.net (configuration is
|
||||
<para>I personally use LSM here at shorewall.net (configuration is
|
||||
described <link linkend="Complete">below</link>). I have set things up
|
||||
so that:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Shorewall [re]starts foolsm during processing of the
|
||||
<para>Shorewall [re]starts lsm during processing of the
|
||||
<command>start</command> and <command>restore</command> commands.
|
||||
I don't have Shorewall restart foolsm during Shorewall
|
||||
I don't have Shorewall restart lsm during Shorewall
|
||||
<command>restart</command> because I restart Shorewall much more
|
||||
often than the average user is likely to do.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall starts foolsm because I have a dynamic IP address
|
||||
<para>Shorewall starts lsm because I have a dynamic IP address
|
||||
from one of my providers (Comcast); Shorewall detects the default
|
||||
gateway to that provider and creates a secondary configuration
|
||||
file (<filename>/etc/foolsm/shorewall.conf</filename>) that
|
||||
contains the link configurations. That file is included by
|
||||
<filename>/etc/foolsm/foolsm.conf</filename>.</para>
|
||||
file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
|
||||
the link configurations. That file is included by
|
||||
<filename>/etc/lsm/lsm.conf</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The script run by FOOLSM during state change
|
||||
(<filename>/etc/foolsm/script) </filename>writes a<filename>
|
||||
<para>The script run by LSM during state change
|
||||
(<filename>/etc/lsm/script) </filename>writes a<filename>
|
||||
${VARDIR}/xxx.status</filename> file when the status of an
|
||||
interface changes. Those files are read by the
|
||||
<filename>isusable</filename> extension script (see below).</para>
|
||||
@@ -2230,7 +2224,7 @@ COM_IF=eth1</programlisting>
|
||||
|
||||
<programlisting>local status=0
|
||||
#
|
||||
# Read the status file (if any) created by /etc/foolsm/script
|
||||
# Read the status file (if any) created by /etc/lsm/script
|
||||
#
|
||||
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
||||
|
||||
@@ -2239,22 +2233,22 @@ return $status</programlisting>
|
||||
<para><filename>/etc/shorewall/lib.private</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
# Create /etc/foolsm/shorewall.conf
|
||||
# Create /etc/lsm/shorewall.conf
|
||||
# Remove the current interface status files
|
||||
# Start foolsm
|
||||
# Start lsm
|
||||
###############################################################################
|
||||
start_foolsm() {
|
||||
start_lsm() {
|
||||
#
|
||||
# Kill any existing foolsm process(es)
|
||||
# Kill any existing lsm process(es)
|
||||
#
|
||||
killall foolsm 2> /dev/null
|
||||
killall lsm 2> /dev/null
|
||||
#
|
||||
# Create the Shorewall-specific part of the FOOLSM configuration. This file is
|
||||
# included by /etc/foolsm/foolsm.conf
|
||||
# Create the Shorewall-specific part of the LSM configuration. This file is
|
||||
# included by /etc/lsm/lsm.conf
|
||||
#
|
||||
# Avvanta has a static gateway while Comcast's is dynamic
|
||||
#
|
||||
cat <<EOF > /etc/foolsm/shorewall.conf
|
||||
cat <<EOF > /etc/lsm/shorewall.conf
|
||||
connection {
|
||||
name=Avvanta
|
||||
checkip=206.124.146.254
|
||||
@@ -2270,9 +2264,14 @@ connection {
|
||||
}
|
||||
EOF
|
||||
#
|
||||
# Run FOOLSM -- by default, it forks into the background
|
||||
# Since LSM assumes that interfaces start in the 'up' state, remove any
|
||||
# existing status files that might have an interface in the down state
|
||||
#
|
||||
/usr/sbin/foolsm -c /etc/foolsm/foolsm.conf >> /var/log/foolsm
|
||||
rm -f /var/lib/shorewall/*.status
|
||||
#
|
||||
# Run LSM -- by default, it forks into the background
|
||||
#
|
||||
/usr/sbin/lsm -c /etc/lsm/lsm.conf >> /var/log/lsm
|
||||
}</programlisting>
|
||||
|
||||
<para>eth0 has a dynamic IP address so I need to use the
|
||||
@@ -2287,22 +2286,22 @@ EOF
|
||||
<para><filename>/etc/shorewall/started</filename>:</para>
|
||||
|
||||
<programlisting>##################################################################################
|
||||
# [re]start foolsm if this is a 'start' command or if foolsm isn't running
|
||||
# [re]start lsm if this is a 'start' command or if lsm isn't running
|
||||
##################################################################################
|
||||
if [ "$COMMAND" = start -o -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
|
||||
start_foolsm
|
||||
if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
||||
start_lsm
|
||||
fi</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/restored</filename>:</para>
|
||||
|
||||
<programlisting>##################################################################################
|
||||
# Start foolsm if it isn't running
|
||||
# Start lsm if it isn't running
|
||||
##################################################################################
|
||||
if [ -z "$(ps ax | grep 'foolsm ' | grep -v 'grep ' )" ]; then
|
||||
start_foolsm
|
||||
if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
|
||||
start_lsm
|
||||
fi</programlisting>
|
||||
|
||||
<para><filename>/etc/foolsm/foolsm.conf</filename>:</para>
|
||||
<para><filename>/etc/lsm/lsm.conf</filename>:</para>
|
||||
|
||||
<programlisting>#
|
||||
# Defaults for the connection entries
|
||||
@@ -2310,7 +2309,7 @@ fi</programlisting>
|
||||
defaults {
|
||||
name=defaults
|
||||
checkip=127.0.0.1
|
||||
eventscript=/etc/foolsm/script
|
||||
eventscript=/etc/lsm/script
|
||||
max_packet_loss=20
|
||||
max_successive_pkts_lost=7
|
||||
min_packet_loss=5
|
||||
@@ -2323,11 +2322,10 @@ defaults {
|
||||
ttl=0
|
||||
}
|
||||
|
||||
include /etc/foolsm/shorewall.conf</programlisting>
|
||||
include /etc/lsm/shorewall.conf</programlisting>
|
||||
|
||||
<para><filename>/etc/foolsm/script</filename> (Shorewall 4.4.23 and
|
||||
later - note that this script must be executable by
|
||||
root)<programlisting>#!/bin/sh
|
||||
<para><filename>/etc/lsm/script</filename> (Shorewall 4.4.23 and later
|
||||
- note that this script must be executable by root)<programlisting>#!/bin/sh
|
||||
#
|
||||
# (C) 2009 Mika Ilmaranta <ilmis@nullnet.fi>
|
||||
# (C) 2009 Tom Eastep <teastep@shorewall.net>
|
||||
@@ -2384,7 +2382,7 @@ cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
|
||||
cons_miss = ${CONS_MISS} consecutive packets that have timed out
|
||||
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
|
||||
|
||||
Your FOOLSM Daemon
|
||||
Your LSM Daemon
|
||||
|
||||
EOM
|
||||
|
||||
@@ -2396,7 +2394,7 @@ else
|
||||
${VARDIR}/firewall disable ${DEVICE}
|
||||
fi
|
||||
|
||||
$TOOL show routing >> /var/log/foolsm
|
||||
$TOOL show routing >> /var/log/lsm
|
||||
|
||||
exit 0
|
||||
|
||||
@@ -2459,7 +2457,7 @@ cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
|
||||
cons_miss = ${CONS_MISS} consecutive packets that have timed out
|
||||
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
|
||||
|
||||
Your FOOLSM Daemon
|
||||
Your LSM Daemon
|
||||
|
||||
EOM
|
||||
|
||||
@@ -2468,9 +2466,9 @@ EOM
|
||||
# [ ${STATE} = up ] && state=0 || state=1
|
||||
# echo $state > ${VARDIR}/${DEVICE}.status
|
||||
|
||||
<emphasis role="bold">$TOOL restart -f >> /var/log/foolsm 2>&1</emphasis>
|
||||
<emphasis role="bold">$TOOL restart -f >> /var/log/lsm 2>&1</emphasis>
|
||||
|
||||
$TOOL show routing >> /var/log/foolsm
|
||||
$TOOL show routing >> /var/log/lsm
|
||||
|
||||
exit 0
|
||||
|
||||
|
||||
@@ -239,9 +239,9 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>If your kernel has NFLOG target support (and most vendor-supplied
|
||||
kernels do), you may also specify a log level of NFLOG (must be all
|
||||
caps). When NFLOG is used, Shorewall will direct Netfilter to log the
|
||||
<para>If your kernel has ULOG target support (and most vendor-supplied
|
||||
kernels do), you may also specify a log level of ULOG (must be all
|
||||
caps). When ULOG is used, Shorewall will direct Netfilter to log the
|
||||
related messages via the ULOG target which will send them to a process
|
||||
called <quote>ulogd</quote>. The ulogd program is included in most
|
||||
distributions and is also available from <ulink
|
||||
@@ -250,7 +250,7 @@
|
||||
file.</para>
|
||||
|
||||
<note>
|
||||
<para>The NFLOG logging mechanism is <emphasis
|
||||
<para>The ULOG logging mechanism is <emphasis
|
||||
role="underline">completely separate</emphasis> from syslog. Once you
|
||||
switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
|
||||
have absolutely no effect on your Shorewall logging (except for
|
||||
@@ -259,11 +259,11 @@
|
||||
|
||||
<para>You will need to change all instances of log levels (usually
|
||||
<quote>info</quote>) in your Shorewall configuration files to
|
||||
<quote>NFLOG</quote> - this includes entries in the policy, rules and
|
||||
<quote>ULOG</quote> - this includes entries in the policy, rules and
|
||||
shorewall.conf files. Here's what I had at one time:</para>
|
||||
|
||||
<programlisting>gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE'
|
||||
params:LOG=NFOG
|
||||
params:LOG=ULOG
|
||||
policy:loc $FW REJECT $LOG
|
||||
policy:net all DROP $LOG 10/sec:40
|
||||
policy:all all REJECT $LOG
|
||||
@@ -287,8 +287,9 @@ gateway:/etc/shorewall# </programl
|
||||
<quote><command>logwatch</command></quote> and
|
||||
<quote><command>dump</command></quote> commands.</para>
|
||||
|
||||
<para>The NFLOG target is a successor to ULOG. Both ULOG and NFLOG may
|
||||
be followed by a list of up to three numbers in parentheses.</para>
|
||||
<para>The NFLOG target, a successor to ULOG, is supported shorewall.
|
||||
Both ULOG and NFLOG may be followed by a list of up to three numbers in
|
||||
parentheses.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@@ -341,11 +342,6 @@ stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:
|
||||
[firewall]
|
||||
file="/var/log/firewall"
|
||||
sync=1</programlisting>
|
||||
|
||||
<note>
|
||||
<para>This sample config file assumes that NFLOG is being used in
|
||||
logging rules and policies.</para>
|
||||
</note>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -474,7 +470,7 @@ sync=1</programlisting>
|
||||
<para><ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
|
||||
number of options whose values are log levels. Beginning with Shorewall
|
||||
number of options whose values are log levels. Beginnint with Shorewall
|
||||
5.0.0, these specifcations may include a log tag as described <link
|
||||
linkend="LogTags">above</link>.</para>
|
||||
</section>
|
||||
|
||||
Reference in New Issue
Block a user