From: Michael Tremer Date: Wed, 8 Aug 2012 12:55:33 +0000 (+0000) Subject: Introduce concept of firewall zones. X-Git-Tag: 005~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fedddef113d66abebf93593d6f6cae140c740b2;p=network.git Introduce concept of firewall zones.
---
diff --git a/firewall b/firewall
index 2fa3db38..a1f1a17d 100755
--- a/firewall
+++ b/firewall
@@ -70,6 +70,91 @@ function cli_config() {
 fi
 }
+function cli_zone() {
+ if cli_help_requested $@; then
+ cli_show_man firewall-zone
+ exit ${EXIT_OK}
+ fi
+
+ if zone_name_is_valid ${1}; then
+ local zone=${1}
+ local action=${2}
+ shift 2
+
+ # Check if the given zone exists.
+ if ! zone_exists ${zone}; then
+ error "Zone '${zone}' does not exist."
+ cli_run_help firewall zone
+
+ exit ${EXIT_ERROR}
+ fi
+
+ # Process the given action.
+ case "${action}" in
+ edit)
+ cli_zone_edit ${zone} $@
+ ;;
+ status|"")
+ cli_zone_status ${zone} $@
+ ;;
+
+ # Print the raw configuration settings.
+ show)
+ firewall_zone_print ${zone} $@
+
+ exit ${EXIT_ERROR}
+ ;;
+ *)
+ error "Unrecognized action: ${action}"
+ cli_run_help firewall zone
+
+ exit ${EXIT_ERROR}
+ ;;
+ esac
+ else
+ local action=${1}
+ shift
+
+ case "${action}" in
+ reset)
+ firewall_zone_reset $@
+ exit $?
+ ;;
+
+ *)
+ error "Unrecognized action: ${action}"
+ cli_run_help firewall zone
+
+ exit ${EXIT_ERROR}
+ ;;
+ esac
+ fi
+}
+
+# Show firewall zone conifguration.
+function cli_zone_status() {
+ local zone=${1}
+ assert isset zone
+
+ (
+ firewall_zone_read ${zone}
+
+ cli_headline 1 "Zone ${zone} (policy ${POLICY})"
+ cli_print_fmt1 1 "Masquerade" "$(cli_print_bool ${MASQUERADE})"
+
+ cli_space
+ )
+
+ exit ${EXIT_OK}
+}
+
+# Edit firewall zone configuration.
+function cli_zone_edit() {
+ firewall_zone_edit $@
+
+ exit ${EXIT_OK}
+}
+
+# Parse the command line
 while [ $# -gt 0 ]; do
 case "${1}" in
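Review bot: The `reset)` branch of cli_zone is reached exactly when `zone_name_is_valid ${1}` is false, so for `firewall zone reset <name>` the name after `shift` goes to firewall_zone_reset without the `zone_name_is_valid`/`zone_exists` checks the first branch applies, and firewall_zone_reset (new in this commit) only asserts the name is set before `rm -f`-ing `$(zone_dir ${zone})/fwsettings` and recreating it; what zone_dir does with an arbitrary name is not visible here, so this branch should validate the name the same way, e.g. `reset) zone_name_is_valid ${1} && zone_exists ${1} || exit ${EXIT_ERROR}` before the call. Separately, the `show)` branch exits with `${EXIT_ERROR}` after a successful firewall_zone_print, where `exit ${EXIT_OK}` is presumably intended. Also `shift 2` fails and shifts nothing when only the zone name is given, so the `status|""` branch then receives the zone name a second time through `$@`; `shift 2 2>/dev/null || shift` or shifting the action only when it is set would avoid that.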
@@ -107,6 +192,10 @@ case "${action}" in
 cli_config $@
 ;;
+ zone)
+ cli_zone $@
+ ;;
+
 ""|help|--help|-h)
 cli_usage root
 exit ${EXIT_OK}
diff --git a/functions.cli b/functions.cli
index 11ec88ce..f1ede003 100644
--- a/functions.cli
+++ b/functions.cli
@@ -31,6 +31,13 @@ function cli_help_requested() {
 return ${EXIT_ERROR}
 }
+function cli_run_help() {
+ local command="$@"
+
+ print "Run \"${command} help\" to get more information."
+ return ${EXIT_OK}
+}
+
 function cli_device_headline() {
 local device=${1}
 assert isset device
diff --git a/functions.firewall-zones b/functions.firewall-zones
new file mode 100644
index 00000000..70251988
--- /dev/null
+++ b/functions.firewall-zones
@@ -0,0 +1,147 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2012 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+#
+
+FIREWALL_ZONE_SETTINGS="MASQUERADE POLICY"
+
+function firewall_zone_create() {
+ local zone=${1}
+ assert isset zone
+
+ # Do nothing if the zone configuration already exists.
+ firewall_zone_exists ${zone} && return ${EXIT_OK}
+
+ # Write defaults to the file.
+ (
+ firewall_zone_read ${zone}
+ firewall_zone_write ${zone}
+ )
+
+ return ${EXIT_OK}
+}
+
+function firewall_zone_config() {
+ local zone=${1}
+ assert isset zone
+
+ print "$(zone_dir ${zone})/fwsettings"
+ return ${EXIT_OK}
+}
+
+function firewall_zone_exists() {
+ local file=$(firewall_zone_config $@)
+
+ [ -r "${file}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
+}
+
+function firewall_zone_defaults() {
+ local zone=${1}
+ assert isset zone
+
+ # Default policy.
+ POLICY="DROP"
+
+ # Don't masquerade by default (IPv4 only).
+ MASQUERADE="false"
+}
+
+function firewall_zone_read() {
+ local zone=${1}
+ assert isset zone
+
+ local file=$(firewall_zone_config ${zone})
+ assert isset file
+
+ # Load default settings.
+ firewall_zone_defaults ${zone}
+
+ config_read ${file} ${FIREWALL_ZONE_SETTINGS}
+ return ${EXIT_OK}
+}
+
+function firewall_zone_write() {
+ local zone=${1}
+ assert isset zone
+
+ local file=$(firewall_zone_config ${zone})
+ assert isset file
+
+ config_write ${file} ${FIREWALL_ZONE_SETTINGS}
+ return ${EXIT_OK}
+}
+
+function firewall_zone_print() {
+ local zone=${1}
+ assert isset zone
+
+ (
+ firewall_zone_read ${zone}
+ config_print ${FIREWALL_ZONE_SETTINGS}
+ )
+
+ return ${EXIT_OK}
+}
+
+function firewall_zone_edit() {
+ local zone=${1}
+ shift
+
+ assert firewall_zone_exists ${zone}
+
+ (
+ # Read current settings.
+ firewall_zone_read ${zone}
+
+ while [ $# -gt 0 ]; do
+ case "${1}" in
+ --masquerade=*)
+ MASQUERADE=$(cli_get_val ${1})
+ ;;
+ --policy=*)
+ POLICY=$(cli_get_val ${1})
+ ;;
+ *)
+ warning "Unknown option: ${1}"
+ ;;
+ esac
+ shift
+ done
+
+ # Write updated settings.
+ firewall_zone_write ${zone}
+ )
+}
+
+function firewall_zone_reset() {
+ local zone=${1}
+ assert isset zone
+
+ local file=$(firewall_zone_config ${zone})
+ assert isset file
+
+ # Remove the configuration file.
+ rm -f ${file}
+
+ # Recreate it.
+ firewall_zone_create ${zone}
+
+ return ${EXIT_OK}
+}
diff --git a/functions.zone b/functions.zone
index 6c1874e3..574ae35c 100644
--- a/functions.zone
+++ b/functions.zone
@@ -45,7 +45,9 @@ function zone_match() {
 function zone_name_is_valid() {
 local zone=${1}
- assert isset zone
+
+ # Don't accept empty strings.
+ [ -z "${zone}" ] && return ${EXIT_FALSE}
 [[ ${zone} =~ $(zone_match) ]]
 }
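Review bot: firewall_zone_edit stores whatever `--policy=` and `--masquerade=` carry straight into POLICY and MASQUERADE, and firewall_zone_write then persists it, so a typo such as `--policy=drop` or `--masquerade=yes` lands in the zone's fwsettings file unchecked even though firewall_zone_defaults shows these are the values the zone's rules are built from; how config_read/config_write treat the file is not visible here, so whether an arbitrary value is also interpreted when it is read back should be confirmed. The rewrite below rejects anything outside an explicit allow-list (the policy list is a constructed placeholder holding only the `DROP` visible in this file, and `true|false` assumes cli_print_bool's spelling). Because the check runs inside the subshell, `exit ${EXIT_ERROR}` ends only the subshell and the function returns that status; cli_zone_edit in `firewall` currently ignores it and exits `${EXIT_OK}` unconditionally, so it should become `firewall_zone_edit $@ || exit ${EXIT_ERROR}`. firewall_zone_reset likewise never checks that the name is a known zone before `rm -f ${file}`, since `assert isset` only rejects the empty string.
```shell
# Policies a zone may be set to. Only "DROP" is visible in this file;
# TODO(review): add the other values the rule generator accepts.
FIREWALL_ZONE_POLICIES="DROP"

# … unchanged: firewall_zone_create … firewall_zone_print …

function firewall_zone_edit() {
	# … unchanged: argument handling, existence assert, settings read …

		while [ $# -gt 0 ]; do
			case "${1}" in
				--masquerade=*)
					MASQUERADE=$(cli_get_val ${1})
					case "${MASQUERADE}" in
						true|false) ;;
						*)
							error "Invalid value for --masquerade: ${MASQUERADE}"
							exit ${EXIT_ERROR}
							;;
					esac
					;;
				--policy=*)
					POLICY=$(cli_get_val ${1})
					case " ${FIREWALL_ZONE_POLICIES} " in
						*" ${POLICY} "*) ;;
						*)
							error "Invalid policy: ${POLICY}"
							exit ${EXIT_ERROR}
							;;
					esac
					;;
				# … unchanged: unknown-option warning …
			esac
			shift
		done

	# … unchanged: firewall_zone_write and subshell close …
}
```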
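Review bot: zone_name_is_valid is now the only gate between a user-supplied name and the path `$(zone_dir ${zone})/fwsettings` that firewall_zone_reset removes, so the pattern returned by zone_match (outside this diff) must be anchored: bash's `=~` matches anywhere in the string, and an unanchored pattern would accept a name carrying extra leading or trailing characters around a valid one. If zone_match already returns an anchored pattern, a short comment here would record why the bare `[[ ${zone} =~ … ]]` is sufficient, e.g. `# zone_match is anchored, so a partial match cannot slip through.`; if it does not, anchoring should be added on the caller side with `^(…)$` around the expanded pattern.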