Philip Whineray
370a6616f4
Honour the config directory set by configure
Ensure that ipset_remove_all_tmp_sets() is defined before it can
be called in firehol_exit().
2015-11-10 18:35:12 +00:00
Philip Whineray
d2ec651cdc
Detect and use TAR_CMD
A couple of other programs replaced
Allow unconfigured programs to detect iprange in-situ
2015-11-10 07:26:59 +00:00
Philip Whineray
ea252883d8
Add perl script to detect plain command usage
Update scripts with the problems found
In firehol, moved the iptables() and ipset() helpers to before they are
used, since this is how the detection script learns they are not a problem.
2015-11-08 17:28:16 +00:00
Phil Whineray
1ea9a58bd4
Convert update-ipsets to new command system
2015-10-31 12:29:25 +00:00
Phil Whineray
f27eec2e91
Do not call version routine until we have SED_CMD
Fix typo in case for version extraction
Extend kcov usage
2015-10-28 20:34:01 +00:00
Phil Whineray
e723f3ba19
fireqos now has same command detection as firehol
Update pre-commit script to detect entries missing from configure script
Update unittest to run fireqos without a PATH set
Update unittest with a view to running code coverage check
2015-10-27 21:35:21 +00:00
Phil Whineray
9449e984d6
Added WC_CMD to command table
Also, updated pre-commit script to ensure all used commands are
present in the table.
2015-10-27 13:03:05 +00:00
Phil Whineray
070430762d
Fixup commands not using _CMD variables
Also fix remaining problems around autodetection
Both were exposed by the new unittest strategy
2015-10-26 22:36:00 +00:00
Phil Whineray
4e1bf97891
Only update PATH whilst detecting commands
Update the unit tests so that an empty path is given. Highlight any
command failures (i.e. not using the special variables) that are
emitted.
2015-10-26 22:35:17 +00:00
Phil Whineray
f652298849
Resolve uname discrepancy
2015-10-26 07:11:44 +00:00
Phil Whineray
8ef0c9a984
Include options for commands, where required
Put back uname - it is currently used before the variable is set up
2015-10-25 08:51:24 +00:00
Phil Whineray
ab2259f49b
Fix possible quoting problem and introduce test
2015-10-25 08:10:32 +00:00
Phil Whineray
c76f7626a2
Use UNAME_CMD when finding kernel version
2015-10-25 07:34:16 +00:00
Phil Whineray
41e3065cdc
Always return TTY to sane defaults
2015-10-25 07:33:42 +00:00
Phil Whineray
e6c887acf5
Use efficient alternative to extract command path
2015-10-25 07:31:31 +00:00
Phil Whineray
d63e61c3c3
Validate that all commands exist and can execute
We will output a message indicating what can be done if this occurs
2015-10-23 13:56:05 +01:00
Costa Tsaousis (ktsaou)
f0c2da8736
fix to remove a space that was appended on all commands detected; added a check to make sure the autoconf configured commands still exist; #82
2015-10-22 22:19:17 +03:00
Phil Whineray
1de06a4dbf
Allow configure script to set default AUTOSAVE
2015-10-21 20:44:17 +01:00
Phil Whineray
08425eaac0
Rework command detection routines
Process is now table-driven and has the following features:
- Honours the value set in /etc/firehol/firehol-defaults.conf, if any
- Uses the value set by autoconf, if any
- Autodetects in preferred order, allowing optional parameters as needed
This takes out all the special cases. Commands that are only sometimes
required are detected up front but still only checked when needed.
Also:
- allow detection/preinstall of iprange
- only emit iprange command warnings when it would be used
- restore tty settings when Ctrl-C hit (echo is disabled otherwise)
2015-10-21 20:44:17 +01:00
Sander Ruitenbeek
1f2c8fadee
Fixed interface oneliner to snip out NONE after interface name (ex. sit0NONE).
2015-10-20 22:32:52 +02:00
Costa Tsaousis (ktsaou)
0b751c5db6
fixed bug in action sockets_suspects_trap and ipset_apply
2015-07-05 02:48:13 +03:00
Costa Tsaousis (ktsaou)
c7468eeeb9
rewrote the ipsets functionality so that: a) it optimizes netsets with iprange if present, b) it adapts the maxelem parameter for the updated ipset so that updating ipsets with big incremental updates does not fail, c) maintains compatibility with older ipset versions; side-effect: calling an ipset update without restarting the firewall now only supports ipsets that are used in firehol.conf; if iprange is present, processing of ipsets is a lot faster
2015-06-15 02:33:08 +03:00
Costa Tsaousis
64bc7e62be
added support for adapting ipsets maxelem when updating an ipset
2015-06-13 06:52:14 +03:00
Costa Tsaousis (ktsaou)
27b1751eb8
save in ipsets.conf the types and options of ipsets
2015-06-07 16:22:03 +03:00
Costa Tsaousis (ktsaou)
c9340661ff
prevented a backup of all the ipsets in memory - because it takes too long when the system has many ipsets installed
2015-05-23 19:04:19 +03:00
Costa Tsaousis (ktsaou)
cc705b5818
added log() and loglimit() helpers to allow logging from ipsets globally
2015-05-20 02:03:58 +03:00
Phil Whineray
2d1351b279
Remove all reference to awk
2015-05-02 14:28:56 +01:00
Phil Whineray
4557d36cac
Remove final use of awk
2015-05-02 14:28:56 +01:00
Costa Tsaousis (ktsaou)
a4f6a1a6c4
tproxy uses markdef() to allocate a mark; marks.conf is now saved only after successful firewall activation
2015-04-25 13:27:10 +03:00
Costa Tsaousis (ktsaou)
bad5465f6a
ipset add support for comma as an IP separator
2015-04-25 13:03:07 +03:00
Costa Tsaousis (ktsaou)
ee9bdb4535
disabled spinner in explain mode
2015-04-25 01:20:41 +03:00
Costa Tsaousis (ktsaou)
665538ca24
allowed to define multiple "except" rules in statements that accept this keyword
2015-04-25 01:16:35 +03:00
Costa Tsaousis (ktsaou)
53cdfc6b1d
fix for older versions of ipset
2015-04-24 21:31:32 +03:00
Costa Tsaousis (ktsaou)
2a8547d47d
fix for older versions of ipset
2015-04-24 21:01:40 +03:00
Costa Tsaousis (ktsaou)
2647833260
fix for older versions of ipset
2015-04-24 20:57:20 +03:00
Costa Tsaousis (ktsaou)
323c25d320
fix for older versions of ipset
2015-04-24 20:56:24 +03:00
Costa Tsaousis (ktsaou)
d806def4ee
fix for older versions of ipset
2015-04-24 20:55:04 +03:00
Costa Tsaousis (ktsaou)
503c76f0be
ipset support for older machines: just set IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0; rule() now generates NAT rules with a protocol if a port has been specified
2015-04-24 20:39:09 +03:00
Costa Tsaousis (ktsaou)
f06c272d74
fix for emerging_block ipset
2015-04-02 06:35:42 +03:00
Costa Tsaousis (ktsaou)
d614fd7558
made STOP mode exit successfully; added support for restore option when specifying a filename on the command line
2015-03-23 17:19:49 +02:00
Costa Tsaousis (ktsaou)
18de85ffc8
services all and any are now simple services. service all now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN
2015-03-13 11:59:51 +02:00
Costa Tsaousis (ktsaou)
d505ab0850
accept RELATED TCP ACK,RST packets on interface,router,master close() so that REJECT action works
2015-03-11 22:52:16 +02:00
Costa Tsaousis (ktsaou)
f1cde4907b
pptp and sip added to ALL_SHOULD_ALSO_RUN to make "client all accept" work as expected
2015-03-08 19:11:43 +02:00
Phil Whineray
c7824f2659
Ensure empty firewall works
Initialise a namespace even before we do anything so we still get
policy and dropped packet logging applied.
2015-03-05 07:29:55 +00:00
Costa Tsaousis (ktsaou)
5670ea91d0
added state NEW to masquerade
2015-03-02 00:38:31 +02:00
Costa Tsaousis (ktsaou)
02c334649e
reversed last commit - iptables does not allow inface in nat.POSTROUTING
2015-03-01 23:59:35 +02:00
Costa Tsaousis (ktsaou)
9d844c7785
allowed inface in SNAT and MASQUERADE
2015-03-01 23:53:46 +02:00
Phil Whineray
6f500b7269
Ensure ipv4 and ipv6 are used at the right time
2015-03-01 09:05:15 +00:00
Costa Tsaousis (ktsaou)
9bdf6d89d6
ENABLE_IPV4 and ENABLE_IPv6 can now be set in firehol.conf; fixed a bug where close_master() was not closing the firewall properly for both IPv4 and IPv6 - it was closing the same IPvX of the last interface or router - this bug seems to be there since the inclusion of IPv6 support
2015-03-01 04:16:16 +02:00
Costa Tsaousis (ktsaou)
d2984e6198
added action type "sockets_suspects_trap" as a shortcut to create TRAP_AND_DROP or TRAP_AND_REJECT type actions; removed -! from ipset options - they make ipset ignore the action without error - this option is only needed for "restore".
2015-02-28 00:31:32 +02:00