Update of /cvsroot/leaf/src/bering-uclibc/apps/shorewall
In directory sc8-pr-cvs6.sourceforge.net:/tmp/cvs-serv15636
Modified Files:
compiler shorewall-config.diff
Log Message:
new compiler script from 3.2.5 errata
fixed truncated comment lines in the rules file (shorewall-config.diff)
Index: shorewall-config.diff
===================================================================
RCS file: /cvsroot/leaf/src/bering-uclibc/apps/shorewall/shorewall-config.diff,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** shorewall-config.diff 22 Jul 2006 10:49:59 -0000 1.1
--- shorewall-config.diff 31 Oct 2006 11:46:24 -0000 1.2
***************
*** 44,52 ****
SECTION NEW
+# Accept DNS connections from the firewall to the network
! +# and from the local network to the firewall (in case dnsmasq is
+DNS/ACCEPT fw net
+DNS/ACCEPT loc fw
+
! +# Accept SSH connections from the local network for administrati
+#
+SSH/ACCEPT loc fw
--- 44,52 ----
SECTION NEW
+# Accept DNS connections from the firewall to the network
! +# and from the local network to the firewall (in case dnsmasq is
running)
+DNS/ACCEPT fw net
+DNS/ACCEPT loc fw
+
! +# Accept SSH connections from the local network for administration
+#
+SSH/ACCEPT loc fw
Index: compiler
===================================================================
RCS file: /cvsroot/leaf/src/bering-uclibc/apps/shorewall/compiler,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** compiler 4 Oct 2006 17:23:26 -0000 1.1
--- compiler 31 Oct 2006 11:46:24 -0000 1.2
***************
*** 422,426 ****
setup_providers()
{
! local table number mark duplicate interface gateway options provider
address copy route loose addresses rulenum rulebase echobin=$(mywhich echo)
balance save_indent="$INDENT" mask= first=Yes save_indent1=
copy_table() {
--- 422,426 ----
setup_providers()
{
! local table number mark duplicate interface gateway options provider
address copy route loose addresses rulenum rulebase balance
save_indent="$INDENT" mask= first=Yes save_indent1=
copy_table() {
***************
*** 746,749 ****
--- 746,750 ----
eval number=\$${table}_number
indent >&3 << __EOF__
+ echobin=\$(mywhich echo)
\${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__
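Review bot: The emitted `\${echobin:-echo} -e "$number\t$table"` still depends on `-e` being honoured by whatever `mywhich echo` resolves to when the generated script runs, or by the shell builtin when the lookup fails, and `-e` is not portable across sh implementations, so the rt_tables entry can come out as a literal `-e 1\tfoo`. A printf needs no lookup at all: drop the new `echobin=\$(mywhich echo)` line and emit `printf '%s\t%s\n' "$number" "$table" >> /etc/iproute2/rt_tables` instead (the heredoc is unquoted, so `$number`/`$table` expand at compile time exactly as they do now). Separately, the append runs unconditionally at every start, so the table entry is duplicated on each restart unless the generated script dedups it elsewhere, which this hunk does not show. setup_providers starts and ends outside this hunk.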
***************
*** 1371,1375 ****
# Set up MAC Verification
#
! setup_mac_lists() {
local interface
local mac
--- 1372,1377 ----
# Set up MAC Verification
#
! setup_mac_lists() # $1 = Phase Number
! {
local interface
local mac
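Review bot: The new `# $1 = Phase Number` header names the argument but not what the phases mean, and the body (outside this hunk) branches on it, so a caller cannot tell which phase creates the chains and which one closes them. I would expand the comment to something like `# $1 = Phase: 1 creates the per-interface MAC chains, emits the maclist rules and the jumps into them; 2 appends the logging/disposition tail that terminates each chain` - as far as the later hunks show, that is the split. A note that phase 2 must run after phase 1 for the same interfaces would also save the next reader a trip through the callers.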
***************
*** 1384,1388 ****
local policy=
! create_mac_chain()
{
case $MACLIST_TABLE in
--- 1386,1390 ----
local policy=
! create_mac_chain()
{
case $MACLIST_TABLE in
***************
*** 1428,1475 ****
done
! progress_message "$DOING MAC Verification on $maclist_interfaces..."
#
# Create chains.
#
! for interface in $maclist_interfaces; do
! chain=$(mac_chain $interface)
! create_mac_chain $chain
! #
! # If we're using the mangle table and the interface is DHCP-enabled
then we need to accept DHCP broadcasts from 0.0.0.0
! #
! if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp;
then
! run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p
udp --dport 67:68 -j RETURN
! fi
!
! if [ -n "$MACLIST_TTL" ]; then
! chain1=$(macrecent_target $interface)
! create_mac_chain $chain1
! run_iptables -A $chain -t $MACLIST_TABLE -m recent --rcheck
--seconds $MACLIST_TTL --name $chain -j RETURN
! run_iptables -A $chain -t $MACLIST_TABLE
-j $chain1
! run_iptables -A $chain -t $MACLIST_TABLE -m recent --update
--name $chain -j RETURN
! run_iptables -A $chain -t $MACLIST_TABLE -m recent --set
--name $chain
! fi
! done
!
! #
! # Process the maclist file producing the verification rules
! #
! while read disposition interface mac addresses; do
! expandv disposition interface mac addresses
!
! level=
! case $disposition in
! ACCEPT:*)
! level=${disposition#*:}
! disposition=ACCEPT
! target=RETURN
! ;;
! ACCEPT)
! target=RETURN
! ;;
! REJECT:*)
! [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION =
REJECT is incompatible with MACLIST_TABLE=mangle"
! target=reject
disposition=REJECT
;;
--- 1430,1477 ----
done
! progress_message "$DOING MAC Verification on $maclist_interfaces -- Phase
$1..."
#
# Create chains.
#
! if [ $1 -eq 1 ]; then
! for interface in $maclist_interfaces; do
! chain=$(mac_chain $interface)
! create_mac_chain $chain
! #
! # If we're using the mangle table and the interface is
DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
! #
! if [ $MACLIST_TABLE = mangle ] && interface_has_option
$interface dhcp; then
! run_iptables -t mangle -A $chain -s 0.0.0.0 -d
255.255.255.255 -p udp --dport 67:68 -j RETURN
! fi
!
! if [ -n "$MACLIST_TTL" ]; then
! chain1=$(macrecent_target $interface)
! create_mac_chain $chain1
! run_iptables -A $chain -t $MACLIST_TABLE -m recent
--rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
! run_iptables -A $chain -t $MACLIST_TABLE
-j $chain1
! run_iptables -A $chain -t $MACLIST_TABLE -m recent
--update --name $chain -j RETURN
! run_iptables -A $chain -t $MACLIST_TABLE -m recent --set
--name $chain
! fi
! done
! #
! # Process the maclist file producing the verification rules
! #
! while read disposition interface mac addresses; do
! expandv disposition interface mac addresses
! level=
!
! case $disposition in
! ACCEPT:*)
! level=${disposition#*:}
! disposition=ACCEPT
! target=RETURN
! ;;
! ACCEPT)
! target=RETURN
! ;;
! REJECT:*)
! [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION =
REJECT is incompatible with MACLIST_TABLE=mangle"
! target=reject
disposition=REJECT
;;
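Review bot: `if [ $1 -eq 1 ]` takes the phase unquoted and unvalidated; if setup_mac_lists is ever called without an argument the test itself fails and execution falls into the else branch, i.e. the phase-2 tail gets emitted for chains that were never created. A guard near the top of the function (whose start is outside this hunk) avoids that silently wrong output: `[ "${1:-}" = 1 ] || [ "${1:-}" = 2 ] || fatal_error "setup_mac_lists: invalid phase ($1)"`. The `while read disposition interface mac addresses` loop also reads the maclist file without `-r`, so a backslash in an entry is mangled before expandv sees it; `read -r` is the safe form.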
***************
*** 1493,1547 ****
target=RETURN
;;
- esac
-
- physdev_part=
-
- if [ -n "$BRIDGING" ]; then
- case $interface in
- *:*)
- physdev_part="-m physdev --physdev-in ${interface#*:}"
- interface=${interface%:*}
- ;;
esac
- fi
-
- [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)
! if ! have_mac_chain $chain ; then
! fatal_error "No hosts on $interface have the maclist option
specified"
! fi
! if [ x${mac:=-} = x- ]; then
! if [ -z "$addresses" ]; then
! fatal_error "You must specify a MAC address or an IP address"
! else
! macpart=
fi
- else
- macpart=$(mac_match $mac)
- fi
! if [ -z "$addresses" ]; then
! [ -n "$level" ] && \
! log_rule_limit $level $chain $(mac_chain $interface)
$disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
! run_iptables -A $chain -t $MACLIST_TABLE $macpart $physdev_part -j
$target
! else
! for address in $(separate_list $addresses) ; do
! [ -n "$level" ] && \
! log_rule_limit $level $chain $(mac_chain $interface)
$disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s $address
$physdev_part
! run_iptables2 -A $chain -t $MACLIST_TABLE $macpart -s $address
$physdev_part -j $target
! done
! fi
! done < $TMP_DIR/maclist
! #
! # Must take care of our own broadcasts and multicasts then terminate the
verification
! # chains
! #
! for interface in $maclist_interfaces; do
! [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)
! if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
! indent >&3 << __EOF__
blob=\$(ip link show $interface 2> /dev/null)
--- 1495,1573 ----
target=RETURN
;;
esac
! physdev_part=
! if [ -n "$BRIDGING" ]; then
! case $interface in
! *:*)
! physdev_part="-m physdev --physdev-in ${interface#*:}"
! interface=${interface%:*}
! ;;
! esac
fi
! [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)
!
! if ! have_mac_chain $chain ; then
! fatal_error "No hosts on $interface have the maclist option
specified"
! fi
!
! if [ x${mac:=-} = x- ]; then
! if [ -z "$addresses" ]; then
! fatal_error "You must specify a MAC address or an IP
address"
! else
! macpart=
! fi
! else
! macpart=$(mac_match $mac)
! fi
! if [ -z "$addresses" ]; then
! [ -n "$level" ] && \
! log_rule_limit $level $chain $(mac_chain $interface)
$disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart $physdev_part
! run_iptables -A $chain -t $MACLIST_TABLE $macpart
$physdev_part -j $target
! else
! for address in $(separate_list $addresses) ; do
! [ -n "$level" ] && \
! log_rule_limit $level $chain $(mac_chain
$interface) $disposition "$LOGLIMIT" "" -A -t $MACLIST_TABLE $macpart -s
$address $physdev_part
! run_iptables2 -A $chain -t $MACLIST_TABLE $macpart
-s $address $physdev_part -j $target
! done
! fi
! done < $TMP_DIR/maclist
! #
! # Generate jumps from the input and forward chains
! #
! [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" ||
policy=
!
! for hosts in $maclist_hosts; do
! ipsec=${hosts%^*}
! hosts=${hosts#*^}
! interface=${hosts%%:*}
! hosts=${hosts#*:}
! case $MACLIST_TABLE in
! filter)
! for chain in $(first_chains $interface) ; do
! run_iptables -A $chain $(match_source_hosts $hosts) -m
state --state NEW \
! $policy -j $(mac_chain $interface)
! done
! ;;
! *)
! run_iptables -t mangle -A PREROUTING -i $interface
$(match_source_hosts $hosts) -m state --state NEW \
! $policy -j $(mac_chain $interface)
! ;;
! esac
! done
! else
! #
! # Must take care of our own broadcasts and multicasts then terminate
the verification
! # chains
! #
! for interface in $maclist_interfaces; do
! [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)
!
! if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT
]; then
! indent >&3 << __EOF__
blob=\$(ip link show $interface 2> /dev/null)
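Review bot: `policy` is now computed once before the `for hosts in $maclist_hosts` loop, but it interpolates `$ipsec`, which the loop only extracts on its next line (`ipsec=${hosts%^*}`), so with POLICY_MATCH set every jump is built from whatever `ipsec` held before the loop - empty or a stale value - instead of the per-host policy; the pre-change code computed it inside the loop after the split. The result is either a malformed `-m policy --pol  --dir in` or an `ipsec`/`none` match on the wrong hosts, and this jump is the gate that decides whether a host is MAC-verified at all. Move the line back inside the loop right after `hosts=${hosts#*^}`: `[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=`. The enclosing function starts and ends outside this hunk.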
***************
*** 1561,1596 ****
__EOF__
! fi
! if [ -n "$MACLIST_LOG_LEVEL" ]; then
! log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface)
$MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
! fi
! if [ $MACLIST_DISPOSITION != ACCEPT ]; then
! run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
! fi
! done
! #
! # Generate jumps from the input and forward chains
! #
! for hosts in $maclist_hosts; do
! ipsec=${hosts%^*}
! hosts=${hosts#*^}
! [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" ||
policy=
! interface=${hosts%%:*}
! hosts=${hosts#*:}
! case $MACLIST_TABLE in
! filter)
! for chain in $(first_chains $interface) ; do
! run_iptables -A $chain $(match_source_hosts $hosts) -m
state --state NEW \
! $policy -j $(mac_chain $interface)
! done
! ;;
! *)
! run_iptables -t mangle -A PREROUTING -i $interface
$(match_source_hosts $hosts) -m state --state NEW \
! $policy -j $(mac_chain $interface)
! ;;
! esac
! done
}
--- 1587,1605 ----
__EOF__
! fi
! CHAIN=$chain
! append_file maclog
!
! if [ -n "$MACLIST_LOG_LEVEL" ]; then
! log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain
$interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
! fi
!
! if [ $MACLIST_DISPOSITION != ACCEPT ]; then
! run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
! fi
! done
! fi
}
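Review bot: `CHAIN=$chain` followed by `append_file maclog` introduces a contract with a user extension script - it is appended once per maclist interface with the chain name in `CHAIN` - that nothing in the hunk documents, and `CHAIN` is left set afterwards. I would put `# Extension point: the user's maclog file is appended once per interface; CHAIN names the chain it may add rules to` above the two lines, assuming append_file does what its name suggests (it is defined outside this hunk). Separately, `[ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]` leaves `$MACLIST_DISPOSITION` unquoted, so an empty value turns into a test syntax error rather than a clear diagnostic; `[ -n "$MACLIST_LOG_LEVEL" ] || [ "$MACLIST_DISPOSITION" != ACCEPT ]` is the robust form. The function starts outside this hunk.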
***************
*** 1874,1893 ****
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
! rate=$( echo $rate | sed -e 's/[a-z]*//g')
case $rateunit in
! kbit)
rate=$rate
;;
! mbit)
rate=$(expr $rate \* 1024)
;;
! mbps)
rate=$(expr $rate \* 8192)
;;
! kbps)
rate=$(expr $rate \* 8)
;;
*)
rate=$(expr $rate / 128)
;;
--- 1883,1903 ----
rate=$1
rateunit=$( echo $rate | sed -e 's/[0-9]*//')
! rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
case $rateunit in
! kbit|Kbit)
rate=$rate
;;
! mbit|Mbit)
rate=$(expr $rate \* 1024)
;;
! mbps|Mbps)
rate=$(expr $rate \* 8192)
;;
! kbps|Kbps)
rate=$(expr $rate \* 8)
;;
*)
+ [ -n "$rateunit" ] && fatal_error "Invalid Rate ($1)"
rate=$(expr $rate / 128)
;;
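Review bot: The new `[ -n "$rateunit" ] && fatal_error "Invalid Rate ($1)"` catches unknown suffixes but not a missing number: for an argument such as `kbit` or `Mbit`, `rate` is empty after the sed, the matching arm passes that empty value through (or hands it to expr, which prints an error and yields nothing), and the caller gets an empty rate with no diagnostic. Add `[ -n "$rate" ] || fatal_error "Invalid Rate ($1)"` before the case. Note also that the leading `sed -e 's/[0-9]*//'` strips only the first run of digits, so `1.5mbit` becomes unit `.5mbit` and is rejected with the same message; if fractional rates are meant to be rejected, a comment saying so would help. rate_to_kbit starts and ends outside this hunk.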
***************
*** 1964,1967 ****
--- 1974,1979 ----
esac
list_search $device $devices && fatal_error "Interface $device is
defined more than once in tcdevices"
+ inband=$(rate_to_kbit $inband)
+ outband=$(rate_to_kbit $outband)
tc_all_devices="$tc_all_devices $device"
done < $TMP_DIR/tcdevices
***************
*** 2208,2212 ****
}
! add_a_tc_rule() {
r=
--- 2220,2224 ----
}
! add_a_tc_rule() {
r=
***************
*** 2327,2330 ****
--- 2339,2356 ----
}
+ #
+ # E x e c u t i o n B e g i n s H e r e
+ #
+ case $sources in
+ $FW|$FW:*)
+ chain=tcout
+ ;;
+ esac
+
+ case $sources in
+ $FW|$FW:*)
+ chain=tcout
+ ;;
+ esac
if [ "$mark" != "${mark%:*}" ]; then
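Review bot: The `case $sources in $FW|$FW:*) chain=tcout ;; esac` block is added twice back to back under the `E x e c u t i o n   B e g i n s   H e r e` banner; the second copy is a no-op that only obscures the intent and invites divergent edits later. Drop one of the two copies. `$sources` and `$chain` belong to the enclosing function, whose definition starts outside this hunk.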
***************
*** 2386,2389 ****
--- 2412,2435 ----
mark=
;;
+ \|*)
+ [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
+ [ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]"
+ target="MARK --or-mark"
+ mark=${mark#|}
+ validate_mark $mark
+ if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n
"$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+ fatal_error "Marks < 256 may not be set in the PREROUTING chain
when HIGH_ROUTE_MARKS=Yes"
+ fi
+ ;;
+ \&*)
+ [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
+ [ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]"
+ target="MARK --and-mark"
+ mark=${mark#&}
+ validate_mark $mark
+ if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n
"$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+ fatal_error "Marks < 256 may not be set in the PREROUTING chain
when HIGH_ROUTE_MARKS=Yes"
+ fi
+ ;;
*)
if [ "$chain" != tcpost ]; then
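Review bot: In the new `\&*` arm the `-ne 0` exemption copied from the `\|*` arm is wrong for AND: `&0` in tcpre clears every mark bit, including the high routing-mark byte that the HIGH_ROUTE_MARKS check exists to protect, whereas `|0` is a harmless no-op. Drop the `-a $((${mark%/*})) -ne 0` term in the `\&*` arm, unless validate_mark (defined outside this hunk) already rejects 0. The two arms are otherwise identical apart from `target` and the message text, so a small helper taking the target would avoid the duplicated PREROUTING check. Note too that `MARK --or-mark`/`--and-mark` take a bare value; if validate_mark accepts a `value/mask` form, the generated rule will be refused by iptables at firewall start.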
***************
*** 2543,2547 ****
if [ -n "$HIGH_ROUTE_MARKS" ]; then
! for chain in INPUT FORWARD; do
run_iptables -t mangle -I $chain -j MARK --and-mark 0xFF
done
--- 2589,2593 ----
if [ -n "$HIGH_ROUTE_MARKS" ]; then
! for chain in INPUT FORWARD POSTROUTING; do
run_iptables -t mangle -I $chain -j MARK --and-mark 0xFF
done
***************
*** 8101,8106 ****
if [ -n "$maclist_hosts" ]; then
! save_progress_message "Setting up MAC Filtration..."
! setup_mac_lists
fi
--- 8147,8152 ----
if [ -n "$maclist_hosts" ]; then
! save_progress_message "Setting up MAC Filtration -- Phase 1..."
! setup_mac_lists 1
fi
***************
*** 8121,8124 ****
--- 8167,8175 ----
process_actions3
+ if [ -n "$maclist_hosts" ]; then
+ save_progress_message "Setting up MAC Filtration -- Phase 2..."
+ setup_mac_lists 2
+ fi
+
save_progress_message "Applying Policies..."