forked from extern/shorewall_code
Compare commits
29 Commits
5.0.9-Beta
...
5.0.10-bas
| Author | SHA1 | Date | |
|---|---|---|---|
|
a02c745a83 | ||
|
|
094fd8129c | ||
|
|
544be8c937 | ||
|
|
47557aa4f7 | ||
|
|
93ee4432de | ||
|
|
8c543ca6f8 | ||
|
|
e71fb3249a | ||
|
|
56b6db1a3d | ||
|
|
ea56d4ed19 | ||
|
|
c65721a139 | ||
|
|
f979ccb16d | ||
|
|
24b396bc67 | ||
|
|
cd0837beb5 | ||
|
|
4869f61a25 | ||
|
|
6eb8416c2b | ||
|
0925636995 | ||
|
|
cd4e9654d8 | ||
|
|
cd01df4200 | ||
|
|
7798c52a19 | ||
|
|
2809d6896c | ||
|
|
1d066bdfa4 | ||
|
|
9b7088158b | ||
|
|
625d763372 | ||
|
|
82169a0bfd | ||
|
|
0d16b2820a | ||
|
|
d4df67966d | ||
|
|
f16bb887f3 | ||
|
|
64fb662bb1 | ||
|
|
ce20e5592b |
@@ -2522,21 +2522,46 @@ hits_command() {
|
|||||||
# 'allow' command executor
|
# 'allow' command executor
|
||||||
#
|
#
|
||||||
allow_command() {
|
allow_command() {
|
||||||
|
|
||||||
[ -n "$g_debugging" ] && set -x
|
[ -n "$g_debugging" ] && set -x
|
||||||
[ $# -eq 1 ] && missing_argument
|
[ $# -eq 1 ] && missing_argument
|
||||||
|
|
||||||
if product_is_started ; then
|
if product_is_started ; then
|
||||||
|
local allowed
|
||||||
local which
|
local which
|
||||||
which='-s'
|
which='-s'
|
||||||
local range
|
local range
|
||||||
range='--src-range'
|
range='--src-range'
|
||||||
|
local dynexists
|
||||||
|
|
||||||
if ! chain_exists dynamic; then
|
if [ -n "$g_blacklistipset" ]; then
|
||||||
|
|
||||||
|
case ${IPSET:=ipset} in
|
||||||
|
*/*)
|
||||||
|
if [ ! -x "$IPSET" ]; then
|
||||||
|
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
IPSET="$(mywhich $IPSET)"
|
||||||
|
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
if chain_exists dynamic; then
|
||||||
|
dynexists=Yes
|
||||||
|
elif [ -z "$g_blacklistipset" ]; then
|
||||||
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$g_nolock" ] || mutex_on
|
[ -n "$g_nolock" ] || mutex_on
|
||||||
|
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
|
|
||||||
|
allowed=''
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
from)
|
from)
|
||||||
which='-s'
|
which='-s'
|
||||||
@@ -2549,29 +2574,48 @@ allow_command() {
|
|||||||
continue
|
continue
|
||||||
;;
|
;;
|
||||||
*-*)
|
*-*)
|
||||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
if [ -n "$g_blacklistipset" ]; then
|
||||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
if qt $IPSET -D $g_blacklistipset $1; then
|
||||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
allowed=Yes
|
||||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$dynexists" ]; then
|
||||||
|
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||||
|
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||||
|
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||||
|
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||||
then
|
then
|
||||||
echo "$1 Allowed"
|
allowed=Yes
|
||||||
else
|
fi
|
||||||
echo "$1 Not Dropped or Rejected"
|
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
if [ -n "$g_blacklistipset" ]; then
|
||||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
if qt $IPSET -D $g_blacklistipset $1; then
|
||||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
allowed=Yes
|
||||||
qt $g_tool -D dynamic $which $1 -j logreject
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$dynexists" ]; then
|
||||||
|
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||||
|
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||||
|
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||||
|
qt $g_tool -D dynamic $which $1 -j logreject
|
||||||
then
|
then
|
||||||
echo "$1 Allowed"
|
allowed=Yes
|
||||||
else
|
fi
|
||||||
echo "$1 Not Dropped or Rejected"
|
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
if [ -n "$allowed" ]; then
|
||||||
|
progress_message2 "$1 Allowed"
|
||||||
|
else
|
||||||
|
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -n "$g_nolock" ] || mutex_off
|
[ -n "$g_nolock" ] || mutex_off
|
||||||
else
|
else
|
||||||
error_message "ERROR: $g_product is not started"
|
error_message "ERROR: $g_product is not started"
|
||||||
@@ -3507,7 +3551,7 @@ blacklist_command() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@@ -4560,6 +4604,11 @@ shorewall_cli() {
|
|||||||
# It's a shell function -- call it
|
# It's a shell function -- call it
|
||||||
#
|
#
|
||||||
$@
|
$@
|
||||||
|
elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
|
||||||
|
#
|
||||||
|
# It's a shell function -- call it
|
||||||
|
#
|
||||||
|
$@
|
||||||
else
|
else
|
||||||
#
|
#
|
||||||
# It isn't a function visible to this script -- try
|
# It isn't a function visible to this script -- try
|
||||||
|
|||||||
@@ -776,7 +776,7 @@ mutex_on()
|
|||||||
error_message "WARNING: Stale lockfile ${lockf} removed"
|
error_message "WARNING: Stale lockfile ${lockf} removed"
|
||||||
elif [ $lockpid -eq $$ ]; then
|
elif [ $lockpid -eq $$ ]; then
|
||||||
return 0
|
return 0
|
||||||
elif ! qt ps p ${lockpid}; then
|
elif ! ps | grep -v grep | qt grep ${lockpid}; then
|
||||||
rm -f ${lockf}
|
rm -f ${lockf}
|
||||||
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
||||||
fi
|
fi
|
||||||
@@ -788,10 +788,8 @@ mutex_on()
|
|||||||
echo $$ > ${lockf}
|
echo $$ > ${lockf}
|
||||||
chmod u-w ${lockf}
|
chmod u-w ${lockf}
|
||||||
elif qt mywhich lock; then
|
elif qt mywhich lock; then
|
||||||
lock -${MUTEX_TIMEOUT} -r1 ${lockf}
|
lock ${lockf}
|
||||||
chmod u+w ${lockf}
|
chmod u=r ${lockf}
|
||||||
echo $$ > ${lockf}
|
|
||||||
chmod u-w ${lockf}
|
|
||||||
else
|
else
|
||||||
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
||||||
sleep 1
|
sleep 1
|
||||||
@@ -813,6 +811,7 @@ mutex_on()
|
|||||||
#
|
#
|
||||||
mutex_off()
|
mutex_off()
|
||||||
{
|
{
|
||||||
|
[ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
|
||||||
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
rm -f ${LOCKFILE:=${VARDIR}/lock}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -7,15 +7,15 @@ PREFIX=/usr #Top-level directory for s
|
|||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
CONFDIR=/etc #Directory where subsystem configurations are installed
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
||||||
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
||||||
PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory
|
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
|
||||||
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
||||||
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
||||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
||||||
INITFILE=$PRODUCT #Name of the product's SysV init script
|
INITFILE= #Name of the product's SysV init script
|
||||||
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
ANNOTATED= #If non-zero, annotated configuration files are installed
|
||||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
||||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||||
|
|||||||
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
|
|||||||
|
|
||||||
if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
|
if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
|
||||||
if [ -n "${DESTDIR}" ]; then
|
if [ -n "${DESTDIR}" ]; then
|
||||||
mkdir ${DESTDIR}${ETC}/default
|
mkdir -p ${DESTDIR}${ETC}/default
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
|
[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
|
||||||
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
|
|||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ $configure -eq 1 -a -n "$first_install" ]; then
|
if [ $configure -eq 1 -a -n "$first_install" ]; then
|
||||||
if [ $HOST = debian ]; then
|
if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
|
||||||
if [ -n "${DESTDIR}" ]; then
|
if [ -n "${DESTDIR}" ]; then
|
||||||
mkdir -p ${DESTDIR}/etc/rcS.d
|
mkdir -p ${DESTDIR}/etc/rcS.d
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
|
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
|
||||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ${SHAREDIR} != /usr/share ]; then
|
if [ ${SHAREDIR} != /usr/share ]; then
|
||||||
|
|||||||
@@ -702,7 +702,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
|
|||||||
|
|
||||||
emit "exec 3>\${VARDIR}/.arptables-input";
|
emit "exec 3>\${VARDIR}/.arptables-input";
|
||||||
|
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
unless ( $test ) {
|
unless ( $test ) {
|
||||||
emit_unindented '#';
|
emit_unindented '#';
|
||||||
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
|
|||||||
#
|
#
|
||||||
sub preview_arptables_load() {
|
sub preview_arptables_load() {
|
||||||
|
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||||
|
|
||||||
|
|||||||
@@ -5220,6 +5220,8 @@ sub do_user( $ ) {
|
|||||||
|
|
||||||
if ( supplied $2 ) {
|
if ( supplied $2 ) {
|
||||||
$user = $2;
|
$user = $2;
|
||||||
|
$user =~ s/:$//;
|
||||||
|
|
||||||
if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
|
if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
|
||||||
if ( supplied $2 ) {
|
if ( supplied $2 ) {
|
||||||
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
|
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
|
||||||
@@ -8575,7 +8577,7 @@ sub create_netfilter_load( $ ) {
|
|||||||
|
|
||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
|
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
unless ( $test ) {
|
unless ( $test ) {
|
||||||
emit_unindented '#';
|
emit_unindented '#';
|
||||||
@@ -8683,7 +8685,7 @@ sub preview_netfilter_load() {
|
|||||||
|
|
||||||
enter_cat_mode1;
|
enter_cat_mode1;
|
||||||
|
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
|
||||||
|
|
||||||
@@ -8919,7 +8921,7 @@ sub create_stop_load( $ ) {
|
|||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
|
|
||||||
unless ( $test ) {
|
unless ( $test ) {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
emit_unindented '#';
|
emit_unindented '#';
|
||||||
emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
|
emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
|
||||||
emit_unindented '#';
|
emit_unindented '#';
|
||||||
|
|||||||
@@ -90,7 +90,7 @@ sub generate_script_1( $ ) {
|
|||||||
if ( $test ) {
|
if ( $test ) {
|
||||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
|
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
|
||||||
} else {
|
} else {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||||
|
|
||||||
@@ -600,7 +600,7 @@ EOF
|
|||||||
# Generate info_command()
|
# Generate info_command()
|
||||||
#
|
#
|
||||||
sub compile_info_command() {
|
sub compile_info_command() {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
emit( "\n",
|
emit( "\n",
|
||||||
"#",
|
"#",
|
||||||
|
|||||||
@@ -84,6 +84,8 @@ our @EXPORT = qw(
|
|||||||
require_capability
|
require_capability
|
||||||
report_used_capabilities
|
report_used_capabilities
|
||||||
kernel_version
|
kernel_version
|
||||||
|
|
||||||
|
compiletime
|
||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
|
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
|
||||||
@@ -163,6 +165,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
directive_callback
|
directive_callback
|
||||||
add_ipset
|
add_ipset
|
||||||
all_ipsets
|
all_ipsets
|
||||||
|
transfer_permissions
|
||||||
|
|
||||||
$product
|
$product
|
||||||
$Product
|
$Product
|
||||||
@@ -681,6 +684,8 @@ our %ipsets; # All required IPsets
|
|||||||
#
|
#
|
||||||
our %filecache;
|
our %filecache;
|
||||||
|
|
||||||
|
our $compiletime;
|
||||||
|
|
||||||
sub process_shorewallrc($$);
|
sub process_shorewallrc($$);
|
||||||
sub add_variables( \% );
|
sub add_variables( \% );
|
||||||
#
|
#
|
||||||
@@ -737,7 +742,7 @@ sub initialize( $;$$) {
|
|||||||
TC_SCRIPT => '',
|
TC_SCRIPT => '',
|
||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
VERSION => "5.0.1",
|
VERSION => "5.0.9-Beta2",
|
||||||
CAPVERSION => 50004 ,
|
CAPVERSION => 50004 ,
|
||||||
BLACKLIST_LOG_TAG => '',
|
BLACKLIST_LOG_TAG => '',
|
||||||
RELATED_LOG_TAG => '',
|
RELATED_LOG_TAG => '',
|
||||||
@@ -1172,6 +1177,12 @@ sub initialize( $;$$) {
|
|||||||
%shorewallrc1 = %shorewallrc unless $shorewallrc1;
|
%shorewallrc1 = %shorewallrc unless $shorewallrc1;
|
||||||
|
|
||||||
add_variables %shorewallrc1;
|
add_variables %shorewallrc1;
|
||||||
|
|
||||||
|
$compiletime = `date`;
|
||||||
|
|
||||||
|
chomp $compiletime;
|
||||||
|
|
||||||
|
$compiletime =~ s/ +/ /g;
|
||||||
}
|
}
|
||||||
|
|
||||||
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
||||||
@@ -1184,6 +1195,10 @@ sub all_ipsets() {
|
|||||||
sort keys %ipsets;
|
sort keys %ipsets;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub compiletime() {
|
||||||
|
$compiletime;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create 'currentlineinfo'
|
# Create 'currentlineinfo'
|
||||||
#
|
#
|
||||||
@@ -3880,9 +3895,10 @@ my %logoptions = ( tcp_sequence => '--log-tcp-sequence',
|
|||||||
|
|
||||||
sub validate_level( $;$ ) {
|
sub validate_level( $;$ ) {
|
||||||
my ( $rawlevel, $option ) = @_;
|
my ( $rawlevel, $option ) = @_;
|
||||||
my $level = uc $rawlevel;
|
my $level;
|
||||||
|
|
||||||
if ( supplied ( $level ) ) {
|
if ( supplied ( $rawlevel ) ) {
|
||||||
|
$level = uc $rawlevel;
|
||||||
$level =~ s/!$//;
|
$level =~ s/!$//;
|
||||||
my $value = $level;
|
my $value = $level;
|
||||||
my $qualifier;
|
my $qualifier;
|
||||||
@@ -5074,6 +5090,19 @@ sub update_default($$) {
|
|||||||
$config{$var} = $val unless defined $config{$var};
|
$config{$var} = $val unless defined $config{$var};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Transfer the permissions from an old .bak file to a newly-created file
|
||||||
|
#
|
||||||
|
sub transfer_permissions( $$ ) {
|
||||||
|
my ( $old, $new ) = @_;
|
||||||
|
|
||||||
|
my @stat = stat $old;
|
||||||
|
|
||||||
|
if ( @stat ) {
|
||||||
|
fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sub update_config_file( $ ) {
|
sub update_config_file( $ ) {
|
||||||
my ( $annotate ) = @_;
|
my ( $annotate ) = @_;
|
||||||
|
|
||||||
@@ -5223,6 +5252,7 @@ EOF
|
|||||||
|
|
||||||
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
||||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||||
|
transfer_permissions( "$configfile.bak", $configfile );
|
||||||
} else {
|
} else {
|
||||||
if ( rename "$configfile.bak", $configfile ) {
|
if ( rename "$configfile.bak", $configfile ) {
|
||||||
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
||||||
@@ -5737,6 +5767,24 @@ sub get_configuration( $$$$ ) {
|
|||||||
$ENV{PATH} = $default_path;
|
$ENV{PATH} = $default_path;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
|
||||||
|
|
||||||
|
fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
|
||||||
|
|
||||||
|
close_file;
|
||||||
|
|
||||||
|
warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||||
|
|
||||||
|
if ( $family == F_IPV6 ) {
|
||||||
|
open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
|
||||||
|
|
||||||
|
fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
|
||||||
|
|
||||||
|
close_file;
|
||||||
|
|
||||||
|
warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
|
||||||
|
}
|
||||||
|
|
||||||
my $have_capabilities;
|
my $have_capabilities;
|
||||||
|
|
||||||
if ( $export || $> != 0 ) {
|
if ( $export || $> != 0 ) {
|
||||||
@@ -6152,8 +6200,10 @@ sub get_configuration( $$$$ ) {
|
|||||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
|
|
||||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||||
|
|||||||
@@ -200,6 +200,7 @@ sub remove_blacklist( $ ) {
|
|||||||
if ( $changed ) {
|
if ( $changed ) {
|
||||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||||
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||||
|
transfer_permissions( "$fn.bak", $fn );
|
||||||
progress_message2 "\u$file file $fn saved in $fn.bak"
|
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -302,12 +303,13 @@ sub convert_blacklist() {
|
|||||||
if ( @rules ) {
|
if ( @rules ) {
|
||||||
my $fn1 = find_writable_file( 'blrules' );
|
my $fn1 = find_writable_file( 'blrules' );
|
||||||
my $blrules;
|
my $blrules;
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
if ( -f $fn1 ) {
|
if ( -f $fn1 ) {
|
||||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
} else {
|
} else {
|
||||||
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
|
transfer_permissions( $fn, $fn1 );
|
||||||
print $blrules <<'EOF';
|
print $blrules <<'EOF';
|
||||||
#
|
#
|
||||||
# Shorewall version 5.0 - Blacklist Rules File
|
# Shorewall version 5.0 - Blacklist Rules File
|
||||||
@@ -393,7 +395,7 @@ sub convert_routestopped() {
|
|||||||
my ( @allhosts, %source, %dest , %notrack, @rule );
|
my ( @allhosts, %source, %dest , %notrack, @rule );
|
||||||
|
|
||||||
my $seq = 0;
|
my $seq = 0;
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
|
||||||
my ( $stoppedrules, $fn1 );
|
my ( $stoppedrules, $fn1 );
|
||||||
|
|
||||||
@@ -401,6 +403,7 @@ sub convert_routestopped() {
|
|||||||
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
} else {
|
} else {
|
||||||
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
|
transfer_permissions( $fn, $fn1 );
|
||||||
print $stoppedrules <<'EOF';
|
print $stoppedrules <<'EOF';
|
||||||
#
|
#
|
||||||
# Shorewall version 5 - Stopped Rules File
|
# Shorewall version 5 - Stopped Rules File
|
||||||
@@ -421,7 +424,7 @@ EOF
|
|||||||
|
|
||||||
first_entry(
|
first_entry(
|
||||||
sub {
|
sub {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
progress_message2 "$doing $fn...";
|
progress_message2 "$doing $fn...";
|
||||||
print( $stoppedrules
|
print( $stoppedrules
|
||||||
"#\n" ,
|
"#\n" ,
|
||||||
@@ -649,9 +652,15 @@ sub create_docker_rules() {
|
|||||||
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
|
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
|
||||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
||||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
||||||
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
|
|
||||||
decr_cmd_level( $chainref );
|
decr_cmd_level( $chainref );
|
||||||
add_commands( $chainref, 'fi' );
|
add_commands( $chainref, 'fi' );
|
||||||
|
|
||||||
|
my $outputref;
|
||||||
|
add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
|
||||||
|
incr_cmd_level( $outputref );
|
||||||
|
add_ijump( $outputref, j => 'DOCKER' );
|
||||||
|
decr_cmd_level( $outputref );
|
||||||
|
add_commands( $outputref, 'fi' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
|
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
|
||||||
@@ -860,13 +869,30 @@ sub add_common_rules ( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
|
||||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
|
||||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
my ( $in, $out ) = split /:/, $setting;
|
||||||
|
|
||||||
|
if ( $in == 1 ) {
|
||||||
|
#
|
||||||
|
# src
|
||||||
|
#
|
||||||
|
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||||
|
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||||
|
} elsif ( $in == 2 ) {
|
||||||
|
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $out == 2 ) {
|
||||||
|
#
|
||||||
|
# dst
|
||||||
|
#
|
||||||
|
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( option_chains( $interface ) ) {
|
for ( option_chains( $interface ) ) {
|
||||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
|
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
|
||||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -368,12 +368,19 @@ sub setup_conntrack($) {
|
|||||||
if ( $convert ) {
|
if ( $convert ) {
|
||||||
my $conntrack;
|
my $conntrack;
|
||||||
my $empty = 1;
|
my $empty = 1;
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
|
my $fn1 = find_writable_file 'conntrack';
|
||||||
|
|
||||||
if ( $fn ) {
|
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
|
||||||
|
if ( -f $fn1 ) {
|
||||||
|
open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||||
} else {
|
} else {
|
||||||
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
|
open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||||
|
#
|
||||||
|
# Transfer permissions from the existing notrack file
|
||||||
|
#
|
||||||
|
transfer_permissions( $fn, $fn1 );
|
||||||
|
|
||||||
print $conntrack <<'EOF';
|
print $conntrack <<'EOF';
|
||||||
#
|
#
|
||||||
@@ -396,8 +403,6 @@ EOF
|
|||||||
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||||
"#\n" );
|
"#\n" );
|
||||||
|
|
||||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
|
||||||
|
|
||||||
while ( read_a_line( PLAIN_READ ) ) {
|
while ( read_a_line( PLAIN_READ ) ) {
|
||||||
#
|
#
|
||||||
# Don't copy the header comments from the old notrack file
|
# Don't copy the header comments from the old notrack file
|
||||||
|
|||||||
@@ -4749,10 +4749,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( ( $chain || $default_chain ) == OUTPUT ) {
|
|
||||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $dest ne '-' ) {
|
if ( $dest ne '-' ) {
|
||||||
if ( $dest eq $fw ) {
|
if ( $dest eq $fw ) {
|
||||||
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
|
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
|
||||||
@@ -4795,6 +4791,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
|
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Call the command's processing function
|
# Call the command's processing function
|
||||||
#
|
#
|
||||||
@@ -4805,12 +4802,23 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
if ( $chain == ACTIONCHAIN ) {
|
if ( $chain == ACTIONCHAIN ) {
|
||||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
|
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
|
||||||
$chainref->{allowedchains} &= $commandref->{allowedchains};
|
$chainref->{allowedchains} &= $commandref->{allowedchains};
|
||||||
|
$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# Inline within one of the standard chains
|
||||||
|
#
|
||||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||||
|
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||||
|
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$resolve_chain->();
|
$resolve_chain->();
|
||||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||||
|
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||||
|
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||||
|
}
|
||||||
|
|
||||||
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
|
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4976,6 +4984,13 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
|||||||
$mark = $rest;
|
$mark = $rest;
|
||||||
} elsif ( supplied $2 ) {
|
} elsif ( supplied $2 ) {
|
||||||
$mark = $2;
|
$mark = $2;
|
||||||
|
if ( supplied $mark && $command eq 'IPMARK' ) {
|
||||||
|
my @params = split ',', $mark;
|
||||||
|
$params[1] = '0xff' unless supplied $params[1];
|
||||||
|
$params[2] = '0x00' unless supplied $params[2];
|
||||||
|
$params[3] = '0' unless supplied $params[3];
|
||||||
|
$mark = join ',', @params;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$mark = '';
|
$mark = '';
|
||||||
}
|
}
|
||||||
@@ -4986,7 +5001,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$command = ( $command ? "$command($mark)" : $mark ) . $designator;
|
$command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
|
||||||
my $line = ( $family == F_IPV6 ?
|
my $line = ( $family == F_IPV6 ?
|
||||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
|
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
|
||||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
|
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
|
||||||
|
|||||||
@@ -352,7 +352,7 @@ sub process_simple_device() {
|
|||||||
my $prio = 16 | $i;
|
my $prio = 16 | $i;
|
||||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||||
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
|
emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
|
||||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2166,7 +2166,7 @@ sub convert_tos($$) {
|
|||||||
if ( my $fn = open_file 'tos' ) {
|
if ( my $fn = open_file 'tos' ) {
|
||||||
first_entry(
|
first_entry(
|
||||||
sub {
|
sub {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
progress_message2 "Converting $fn...";
|
progress_message2 "Converting $fn...";
|
||||||
print( $mangle
|
print( $mangle
|
||||||
"#\n" ,
|
"#\n" ,
|
||||||
@@ -2234,13 +2234,19 @@ sub convert_tos($$) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub open_mangle_for_output() {
|
sub open_mangle_for_output( $ ) {
|
||||||
|
my ($fn ) = @_;
|
||||||
my ( $mangle, $fn1 );
|
my ( $mangle, $fn1 );
|
||||||
|
|
||||||
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
|
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
|
||||||
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||||
} else {
|
} else {
|
||||||
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||||
|
#
|
||||||
|
# Transfer permissions from the existing tcrules file to the new mangle file
|
||||||
|
#
|
||||||
|
transfer_permissions( $fn, $fn1 );
|
||||||
|
|
||||||
print $mangle <<'EOF';
|
print $mangle <<'EOF';
|
||||||
#
|
#
|
||||||
# Shorewall version 4 - Mangle File
|
# Shorewall version 4 - Mangle File
|
||||||
@@ -2326,13 +2332,13 @@ sub setup_tc( $ ) {
|
|||||||
#
|
#
|
||||||
# We are going to convert this tcrules file to the equivalent mangle file
|
# We are going to convert this tcrules file to the equivalent mangle file
|
||||||
#
|
#
|
||||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||||
|
|
||||||
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
|
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
|
||||||
|
|
||||||
first_entry(
|
first_entry(
|
||||||
sub {
|
sub {
|
||||||
my $date = localtime;
|
my $date = compiletime;
|
||||||
progress_message2 "Converting $fn...";
|
progress_message2 "Converting $fn...";
|
||||||
print( $mangle
|
print( $mangle
|
||||||
"#\n" ,
|
"#\n" ,
|
||||||
@@ -2376,7 +2382,7 @@ sub setup_tc( $ ) {
|
|||||||
#
|
#
|
||||||
# We are going to convert this tosfile to the equivalent mangle file
|
# We are going to convert this tosfile to the equivalent mangle file
|
||||||
#
|
#
|
||||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||||
convert_tos( $mangle, $fn1 );
|
convert_tos( $mangle, $fn1 );
|
||||||
close $mangle;
|
close $mangle;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -337,6 +337,7 @@ sub initialize( $$ ) {
|
|||||||
arp_ignore => ENUM_IF_OPTION,
|
arp_ignore => ENUM_IF_OPTION,
|
||||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
|
dbl => ENUM_IF_OPTION,
|
||||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
detectnets => OBSOLETE_IF_OPTION,
|
detectnets => OBSOLETE_IF_OPTION,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
@@ -387,6 +388,7 @@ sub initialize( $$ ) {
|
|||||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
|
dbl => ENUM_IF_OPTION,
|
||||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||||
@@ -1191,6 +1193,7 @@ sub process_interface( $$ ) {
|
|||||||
my %options;
|
my %options;
|
||||||
|
|
||||||
$options{port} = 1 if $port;
|
$options{port} = 1 if $port;
|
||||||
|
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||||
|
|
||||||
my $hostoptionsref = {};
|
my $hostoptionsref = {};
|
||||||
|
|
||||||
@@ -1234,6 +1237,8 @@ sub process_interface( $$ ) {
|
|||||||
} else {
|
} else {
|
||||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||||
}
|
}
|
||||||
|
} elsif ( $option eq 'nodbl' ) {
|
||||||
|
$options{dbl} = '0:0';
|
||||||
} else {
|
} else {
|
||||||
$options{$option} = 1;
|
$options{$option} = 1;
|
||||||
$hostoptions{$option} = 1 if $hostopt;
|
$hostoptions{$option} = 1 if $hostopt;
|
||||||
@@ -1256,6 +1261,11 @@ sub process_interface( $$ ) {
|
|||||||
} else {
|
} else {
|
||||||
$options{arp_ignore} = 1;
|
$options{arp_ignore} = 1;
|
||||||
}
|
}
|
||||||
|
} elsif ( $option eq 'dbl' ) {
|
||||||
|
my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
|
||||||
|
|
||||||
|
fatal_error q(The 'dbl' option requires a value) unless defined $value;
|
||||||
|
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
|
||||||
} else {
|
} else {
|
||||||
assert( 0 );
|
assert( 0 );
|
||||||
}
|
}
|
||||||
@@ -1906,7 +1916,7 @@ sub verify_required_interfaces( $ ) {
|
|||||||
|
|
||||||
my $returnvalue = 0;
|
my $returnvalue = 0;
|
||||||
|
|
||||||
my $interfaces = find_interfaces_by_option 'wait';
|
my $interfaces = find_interfaces_by_option( 'wait');
|
||||||
|
|
||||||
if ( @$interfaces ) {
|
if ( @$interfaces ) {
|
||||||
my $first = 1;
|
my $first = 1;
|
||||||
@@ -1972,7 +1982,7 @@ sub verify_required_interfaces( $ ) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$interfaces = find_interfaces_by_option 'required';
|
$interfaces = find_interfaces_by_option( 'required' );
|
||||||
|
|
||||||
if ( @$interfaces ) {
|
if ( @$interfaces ) {
|
||||||
|
|
||||||
@@ -2160,7 +2170,7 @@ sub process_host( ) {
|
|||||||
#
|
#
|
||||||
$interface = '%vserver%' if $type & VSERVER;
|
$interface = '%vserver%' if $type & VSERVER;
|
||||||
|
|
||||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
|
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
|
||||||
|
|
||||||
progress_message " Host \"$currentline\" validated";
|
progress_message " Host \"$currentline\" validated";
|
||||||
|
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
|
run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
|
||||||
echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
|
||||||
|
|||||||
@@ -493,13 +493,13 @@ compiler() {
|
|||||||
|
|
||||||
case "$g_doing" in
|
case "$g_doing" in
|
||||||
Compiling|Checking)
|
Compiling|Checking)
|
||||||
progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||||
;;
|
;;
|
||||||
Updating)
|
Updating)
|
||||||
progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
|
progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
[ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
#
|
#
|
||||||
|
|||||||
@@ -306,6 +306,72 @@ loc eth2 -</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||||
|
or not dynamic blacklisting is applied to packets entering the
|
||||||
|
firewall through this interface and whether the source address
|
||||||
|
and/or destination address is to be compared against the
|
||||||
|
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||||
|
<ulink
|
||||||
|
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||||
|
The default is determine by the setting of
|
||||||
|
DYNAMIC_BLACKLIST:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=No</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis role="bold">none</emphasis>
|
||||||
|
(e.g., no dynamic blacklist checking).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis role="bold">src</emphasis>
|
||||||
|
(e.g., the source IP address is checked).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis
|
||||||
|
role="bold">src</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis
|
||||||
|
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||||
|
addresses in checked against the ipset on input and the
|
||||||
|
destination IP address is checked against the ipset on
|
||||||
|
packets originating from the firewall and leaving
|
||||||
|
through this interface).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>The normal setting for this option will be <emphasis
|
||||||
|
role="bold">dst</emphasis> or <emphasis
|
||||||
|
role="bold">none</emphasis> for internal interfaces and
|
||||||
|
<emphasis role="bold">src</emphasis> or <emphasis
|
||||||
|
role="bold">src-dst</emphasis> for Internet-facing
|
||||||
|
interfaces.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">destonly</emphasis></term>
|
<term><emphasis role="bold">destonly</emphasis></term>
|
||||||
|
|
||||||
@@ -348,7 +414,7 @@ loc eth2 -</programlisting>
|
|||||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||||
firewall/bridging</ulink>, then you need to include
|
firewall/bridging</ulink>, then you need to include
|
||||||
DHCP-specific rules in <ulink
|
DHCP-specific rules in <ulink
|
||||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
||||||
DHCP uses UDP ports 67 and 68.</para>
|
DHCP uses UDP ports 67 and 68.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
@@ -380,7 +446,7 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>loopback</term>
|
<term><emphasis role="bold">loopback</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||||
@@ -451,8 +517,8 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||||
@@ -493,7 +559,10 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||||
blacklisting is disabled on the interface.</para>
|
blacklisting is disabled on the interface. Beginning with
|
||||||
|
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||||
|
equivalent to <emphasis
|
||||||
|
role="bold">dbl=none</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -964,7 +964,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -679,7 +679,9 @@
|
|||||||
<para>Re-enables receipt of packets from hosts previously
|
<para>Re-enables receipt of packets from hosts previously
|
||||||
blacklisted by a <command>drop</command>,
|
blacklisted by a <command>drop</command>,
|
||||||
<command>logdrop</command>, <command>reject</command>, or
|
<command>logdrop</command>, <command>reject</command>, or
|
||||||
<command>logreject</command> command.</para>
|
<command>logreject</command> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
|
|||||||
|
|
||||||
AUTOHELPERS=Yes
|
AUTOHELPERS=Yes
|
||||||
|
|
||||||
AUTOMAKE=No
|
AUTOMAKE=Yes
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||||
|
|
||||||
|
|||||||
@@ -237,6 +237,66 @@ loc eth2 -</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis
|
||||||
|
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||||
|
or not dynamic blacklisting is applied to packets entering the
|
||||||
|
firewall through this interface and whether the source address
|
||||||
|
and/or destination address is to be compared against the
|
||||||
|
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||||
|
<ulink
|
||||||
|
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
|
||||||
|
The default is determine by the setting of
|
||||||
|
DYNAMIC_BLACKLIST:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=No</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis role="bold">none</emphasis>
|
||||||
|
(e.g., no dynamic blacklist checking).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis role="bold">src</emphasis>
|
||||||
|
(e.g., the source IP address is checked against the
|
||||||
|
ipset).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis
|
||||||
|
role="bold">src</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Default is <emphasis
|
||||||
|
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||||
|
addresses in checked against the ipset on input and the
|
||||||
|
destination IP address is checked against the ipset on
|
||||||
|
packets originating from the firewall and leaving
|
||||||
|
through this interface).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">destonly</emphasis></term>
|
<term><emphasis role="bold">destonly</emphasis></term>
|
||||||
|
|
||||||
@@ -321,7 +381,7 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>loopback</term>
|
<term><emphasis role="bold">loopback</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||||
@@ -370,7 +430,10 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||||
blacklisting is disabled on the interface.</para>
|
blacklisting is disabled on the interface. Beginning with
|
||||||
|
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||||
|
equivalent to <emphasis
|
||||||
|
role="bold">dbl=none</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -1658,7 +1658,7 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">route</emphasis>, <emphasis
|
<term><emphasis role="bold">route</emphasis>, <emphasis
|
||||||
role="bold">ipv6-route</emphasis> or <emphasis
|
role="bold">ipv6-route</emphasis> or <emphasis
|
||||||
role="bold">41</emphasis></term>
|
role="bold">43</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>IPv6 Route extension header.</para>
|
<para>IPv6 Route extension header.</para>
|
||||||
|
|||||||
@@ -932,7 +932,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|||||||
@@ -95,6 +95,11 @@ rsyncok eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
|
|||||||
<para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
|
<para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
|
||||||
specified, a single ipset is created; the ipset has the same name as the
|
specified, a single ipset is created; the ipset has the same name as the
|
||||||
zone.</para>
|
zone.</para>
|
||||||
|
|
||||||
|
<para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
|
||||||
|
a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
|
||||||
|
Making a dynamic zone a sub-zone of multiple other zones is also
|
||||||
|
supported.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Adding">
|
<section id="Adding">
|
||||||
|
|||||||
@@ -301,8 +301,8 @@
|
|||||||
|
|
||||||
<para>COMMENT, FORMAT and SECTION Lines now require the leading question
|
<para>COMMENT, FORMAT and SECTION Lines now require the leading question
|
||||||
mark ("?"). In earlier releases, the question mark was optional. The
|
mark ("?"). In earlier releases, the question mark was optional. The
|
||||||
<command>shorewall[6] update -D</command> command will insert the
|
<command>shorewall[6] update -D</command> command in Shorewall 4.6 will
|
||||||
question marks for you.</para>
|
insert the question marks for you.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@@ -359,7 +359,7 @@
|
|||||||
|
|
||||||
<para>It is strongly recommended that you first upgrade your installation
|
<para>It is strongly recommended that you first upgrade your installation
|
||||||
to a 4.6 release that supports the <option>-A</option> option to the
|
to a 4.6 release that supports the <option>-A</option> option to the
|
||||||
<command>update</command> command; 4.6.13 is preferred.</para>
|
<command>update</command> command; 4.6.13.2 or later is preferred.</para>
|
||||||
|
|
||||||
<para>Once you are on that release, execute the <command>shorewall update
|
<para>Once you are on that release, execute the <command>shorewall update
|
||||||
-A</command> command (and <command>shorewall6 update -A</command> if you
|
-A</command> command (and <command>shorewall6 update -A</command> if you
|
||||||
@@ -374,11 +374,11 @@
|
|||||||
likely won't start or work correctly until you do.</para>
|
likely won't start or work correctly until you do.</para>
|
||||||
|
|
||||||
<para>The <command>update</command> command in Shorewall 5 has many fewer
|
<para>The <command>update</command> command in Shorewall 5 has many fewer
|
||||||
options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
|
options. The <option>-b</option>, <option>-t</option>,
|
||||||
and <option>-s </option>options have been removed -- the updates triggered
|
<option>-n</option>, <option>-D</option> and <option>-s </option>options
|
||||||
by those options are now performed unconditionally. The <option>-i
|
have been removed -- the updates triggered by those options are now
|
||||||
</option>and <option>-A </option>options have been retained - both enable
|
performed unconditionally. The <option>-i </option>and <option>-A
|
||||||
checking for issues that could result if INLINE_MATCHES were to be set to
|
</option>options have been retained - both enable checking for issues that
|
||||||
Yes.</para>
|
could result if INLINE_MATCHES were to be set to Yes.</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
|||||||
@@ -48,7 +48,7 @@
|
|||||||
<section id="Intro">
|
<section id="Intro">
|
||||||
<title>Introduction</title>
|
<title>Introduction</title>
|
||||||
|
|
||||||
<para>Shorewall supports two different types of blackliisting; rule-based,
|
<para>Shorewall supports two different types of blacklisting; rule-based,
|
||||||
static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
|
static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
|
||||||
controls the degree of blacklist filtering.</para>
|
controls the degree of blacklist filtering.</para>
|
||||||
|
|
||||||
|
|||||||
@@ -18,7 +18,7 @@
|
|||||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2013</year>
|
<year>2001-2016</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@@ -35,9 +35,9 @@
|
|||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
<para><emphasis role="bold">This article applies to Shorewall 5.0 and
|
||||||
later. If you are running a version of Shorewall earlier than Shorewall
|
later. If you are running a version of Shorewall earlier than Shorewall
|
||||||
4.3.5 then please see the documentation for that
|
5.0.0 then please see the documentation for that
|
||||||
release.</emphasis></para>
|
release.</emphasis></para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user