From 05601aeb6336b8a731bdea7fdf3181b8828a5cc7 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 6 Apr 2005 17:45:04 +0000
Subject: [PATCH] Update for 2.2.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2025 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp2/etc/shorewall/continue | 6 +
 Lrp2/etc/shorewall/policy | 2 +
 Lrp2/etc/shorewall/routestopped | 3 +-
 Lrp2/etc/shorewall/shorewall.conf | 24 ++++
 Lrp2/sbin/shorewall | 25 ++--
 Lrp2/usr/share/shorewall/firewall | 192 +++++++++++++++++++-----------
 Lrp2/usr/share/shorewall/version | 2 +-
 Lrp2/var/lib/lrpkg/shorwall.conf | 2 +
 8 files changed, 175 insertions(+), 81 deletions(-)
 create mode 100644 Lrp2/etc/shorewall/continue
diff --git a/Lrp2/etc/shorewall/continue b/Lrp2/etc/shorewall/continue
new file mode 100644
index 000000000..e608ca4ed
--- /dev/null
+++ b/Lrp2/etc/shorewall/continue
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#
diff --git a/Lrp2/etc/shorewall/policy b/Lrp2/etc/shorewall/policy
index 9fabca289..bb08500c0 100644
--- a/Lrp2/etc/shorewall/policy
+++ b/Lrp2/etc/shorewall/policy
@@ -25,6 +25,8 @@
 # DROP - Ignore the connection request
 # REJECT - For TCP, send RST. For all other, send
 # "port unreachable" ICMP.
+# QUEUE - Send the request to a user-space
+# application using the QUEUE target.
 # CONTINUE - Pass the connection request past
 # any other rules that it might also
 # match (where the source or destination
diff --git a/Lrp2/etc/shorewall/routestopped b/Lrp2/etc/shorewall/routestopped
index df8ea4582..d59da15be 100644
--- a/Lrp2/etc/shorewall/routestopped
+++ b/Lrp2/etc/shorewall/routestopped
@@ -5,7 +5,8 @@ # /etc/shorewall/routestopped # # This file is used to define the hosts that are accessible when the -# firewall is stopped +# firewall is stopped or when it is in the process of being +# [re]started. # # Columns must be separated by white space and are: # diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf index b04a17898..a1e6ccde2 100755 --- a/Lrp2/etc/shorewall/shorewall.conf +++ b/Lrp2/etc/shorewall/shorewall.conf @@ -760,6 +760,30 @@ DROPINVALID=No # 'conntrack state' match. RFC1918_STRICT=No + +# +# MACLIST caching +# +# If your iptables and kernel support the "Recent Match" (see the output of +# "shorewall check" near the top), you can cache the results of a 'maclist' +# file lookup and thus reduce the overhead associated with MAC Verification +# (/etc/shorewall/maclist). +# +# When a new connection arrives from a 'maclist' interface, the packet passes +# through then list of entries for that interface in /etc/shorewall/maclist. If +# there is a match then the source IP address is added to the 'Recent' set for +# that interface. Subsequent connection attempts from that IP address occuring +# within $MACLIST_TTL seconds will be accepted without having to scan all of +# the entries. After $MACLIST_TTL from the first accepted connection request, +# the next connection request from that IP address will be checked against +# the entire list. +# +# If MACLIST_TTL is not specified or is specified as empty (e.g, +# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not +# be cached. + +MACLIST_TTL= + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall index 3e75a61ea..85079da45 100755 --- a/Lrp2/sbin/shorewall +++ b/Lrp2/sbin/shorewall 
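Review bot: The new MACLIST_TTL comment block in shorewall.conf has wording defects that will ship into every installation's configuration file: `through then list of entries` should read `through the list of entries`, `occuring` should be `occurring`, and the last paragraph never closes its parenthesis — `(e.g, MACLIST_TTL="" or is specified as zero then` should read `(e.g., MACLIST_TTL="") or is specified as zero, then`. Since this text is the only place an administrator learns what the setting trades away, it is worth getting right before the release.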
@@ -1014,17 +1014,24 @@ case "$1" in done done - echo - echo "Routing Rules" - echo - ip rule ls - ip rule ls | while read rule; do - table=${rule##* } + if [ -n "$(ip rule ls)" ]; then echo - echo "Table $table:" + echo "Routing Rules" echo - ip route ls table $table - done + ip rule ls + ip rule ls | while read rule; do + table=${rule##* } + echo + echo "Table $table:" + echo + ip route ls table $table + done + else + echo + echo "Routing Table" + echo + ip route ls + fi echo echo "ARP" diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index 38569020d..304a8558a 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -464,6 +464,11 @@ mac_chain() # $1 = interface echo $(chain_base $1)_mac } +macrecent_target() # $1 - interface +{ + [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN +} + # # Functions for creating dynamic zone rules # @@ -1095,7 +1100,7 @@ validate_policy() esac case $policy in - ACCEPT|REJECT|DROP|CONTINUE) + ACCEPT|REJECT|DROP|CONTINUE|QUEUE) ;; NONE) [ "$client" = "$FW" -o "$server" = "$FW" ] && \ 
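Review bot: The new branch runs `ip rule ls` three times — once in the `[ -n "$(ip rule ls)" ]` test, once to print the listing, and once to drive the `while read rule` loop — so the test and the loop can observe different output, and the command is spawned more often than needed in a status report. Capture it once with `rules=$(ip rule ls)`, test `if [ -n "$rules" ]; then`, and feed both the printout and the loop from `echo "$rules"`. The enclosing `case "$1" in` arm begins before this hunk.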
@@ -1390,6 +1395,58 @@ disable_ipv6_1() { fi } +# +# Process the routestopped file either adding or deleting rules +# + +process_routestopped() # $1 = command +{ + local hosts= interface host host1 options networks + + while read interface host options; do + expandv interface host options + [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 + for h in $(separate_list $host); do + hosts="$hosts $interface:$h" + done + + routeback= + + if [ -n "$options" ]; then + for option in $(separate_list $options); do + case $option in + routeback) + if [ -n "$routeback" ]; then + error_message "Warning: Duplicate routestopped option ignored: routeback" + else + routeback=Yes + for h in $(separate_list $host); do + run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT + done + fi + ;; + *) + error_message "Warning: Unknown routestopped option ignored: $option" + ;; + esac + done + fi + + done < $TMP_DIR/routestopped + + for host in $hosts; do + interface=${host%:*} + networks=${host#*:} + $IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + [ -z "$ADMINISABSENTMINDED" ] && \ + run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + + for host1 in $hosts; do + [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT + done + done +} + # # Stop the Firewall # 
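Review bot: In the final loop the INPUT rule is issued through bare `$IPTABLES $1 INPUT ...` while the sibling OUTPUT and FORWARD rules go through `run_iptables`, so whatever error handling `run_iptables` provides (its body is not visible here) is skipped for exactly the rule that opens the interface to inbound traffic, on both the `-A` and the `-D` paths; `run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT` makes the three consistent. `h`, `option` and `routeback` are assigned inside the function but are missing from the `local` list, so they leak into the caller's scope; extend it to `local hosts= interface host host1 options networks h option routeback`. A header comment should also state the contract the rest of this commit relies on: the function is called with `-A` from stop_firewall and initialize_netfilter and with `-D` from activate_rules, and `-D` only removes rules whose generated text is identical to what `-A` produced.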
@@ -1465,50 +1522,9 @@ stop_firewall() { hosts= - strip_file routestopped + [ -f $TMP_DIR/routestopped ] || strip_file routestopped - while read interface host options; do - expandv interface host options - [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0 - for h in $(separate_list $host); do - hosts="$hosts $interface:$h" - done - - routeback= - - if [ -n "$options" ]; then - for option in $(separate_list $options); do - case $option in - routeback) - if [ -n "$routeback" ]; then - error_message "Warning: Duplicate option ignored: routeback" - else - routeback=Yes - for h in $(separate_list $host); do - $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT - done - fi - ;; - *) - error_message "Warning: Unknown option ignored: $option" - ;; - esac - done - fi - - done < $TMP_DIR/routestopped - - for host in $hosts; do - interface=${host%:*} - networks=${host#*:} - $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT - [ -z "$ADMINISABSENTMINDED" ] && \ - $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT - - for host1 in $hosts; do - [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT - done - done + process_routestopped -A $IPTABLES -A INPUT -i lo -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ @@ -1989,6 +2005,7 @@ setup_mac_lists() { local addresses local address local chain + local chain1 local macpart local blob local hosts 
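Review bot: The `hosts=` line kept at the top of this hunk is a leftover from the loop that moved into `process_routestopped`; unless the remainder of `stop_firewall` (which continues outside the hunk) still reads it, it is now dead and should go. `[ -f $TMP_DIR/routestopped ] || strip_file routestopped` also means `stop` trusts any stripped copy already sitting in `$TMP_DIR` instead of re-reading the live file; that is correct only if `$TMP_DIR` is created fresh per invocation, which this page does not show, so a comment such as `# reuse the copy stripped by initialize_netfilter when stop runs from a failed [re]start` would make the intent auditable.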
@@ -2013,10 +2030,19 @@ setup_mac_lists() { progress_message "Setting up MAC Verification on $maclist_interfaces..." # - # Be sure that they are all ethernet interfaces + # Create chains. # for interface in $maclist_interfaces; do - createchain $(mac_chain $interface) no + chain=$(mac_chain $interface) + createchain $chain no + + if [ -n "$MACLIST_TTL" ]; then + chain1=$(macrecent_target $interface) + createchain $chain1 no + run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1 + run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT + run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT + fi done # # Process the maclist file producing the verification rules @@ -2036,6 +2062,7 @@ setup_mac_lists() { fi chain=$(mac_chain $interface) + chain1=$(macrecent_target $interface) if ! havechain $chain ; then fatal_error "No hosts on $interface have the maclist option specified" @@ -2044,10 +2071,10 @@ setup_mac_lists() { macpart=$(mac_match $mac) if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart $physdev_part -j RETURN + run_iptables -A $chain $macpart $physdev_part -j $chain1 else for address in $(separate_list $addresses) ; do - run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN + run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1 done fi done < $TMP_DIR/maclist @@ -2057,6 +2084,7 @@ setup_mac_lists() { # for interface in $maclist_interfaces; do chain=$(mac_chain $interface) + chain1=$(macrecent_target $interface) blob=$(ip link show $interface 2> /dev/null) 
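Review bot: Enabling MACLIST_TTL changes what a MAC-list match does: `macrecent_target` yields `RETURN` when the TTL is empty, but both rules created here in `$chain1` end in `-j ACCEPT`, so a verified or cached source is accepted outright instead of being returned to the calling chain for whatever rules follow the maclist jump — a performance cache should not widen acceptance, and `-j RETURN` on both `$chain1` rules keeps the disposition identical in both modes; the same `RETURN`→`$chain1` substitution appears in the `@@ -2044` and `@@ -2065` hunks. Separately, `--update` in `$chain1` refreshes the last-seen timestamp on every cached hit, so the `--rcheck --seconds $MACLIST_TTL` window slides with activity and a source that connects more often than once per TTL is never re-checked against the list, while the shorewall.conf text in this commit ("After $MACLIST_TTL from the first accepted connection request") describes a fixed window; one of the two should change. Note also that the recent list is keyed on source IP address only, so for the duration of the window the MAC check is effectively replaced by an IP-address check for that host — worth stating in the configuration comment.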
@@ -2065,11 +2093,11 @@ setup_mac_lists() { ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do if [ -n "$broadcast" ]; then - run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN + run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1 fi - run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN - run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN + run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1 + run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1 done if [ -n "$MACLIST_LOG_LEVEL" ]; then @@ -3462,14 +3490,14 @@ process_actions1() { [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" xaction=${xaction%:*} case $temp in - ACCEPT|REJECT|DROP) + ACCEPT|REJECT|DROP|QUEUE) eval ${temp}_common=$xaction if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then USEDACTIONS="$USEDACTIONS $xaction" fi ;; *) - startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" + startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE" ;; esac esac @@ -4778,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common target=reject ;; + QUEUE) + [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common + ;; CONTINUE) target= ;; @@ -4843,7 +4874,7 @@ default_policy() # $1 = client $2 = server # depends on the policy # case $policy in - ACCEPT) + ACCEPT|QUEUE) if [ -n "$synparams" ]; then # # To avoid double-counting SYN packets, enforce the policy @@ -5589,6 +5620,7 @@ determine_capabilities() { POLICY_MATCH= PHYSDEV_MATCH= IPRANGE_MATCH= + RECENT_MATCH= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes 
@@ -5597,7 +5629,7 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes - + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes if [ -n "$PKTTYPE" ]; then qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= @@ -5627,6 +5659,7 @@ report_capabilities() { report_capability "Policy Match" $POLICY_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "IP range Match" $IPRANGE_MATCH + report_capability "Recent Match" $RECENT_MATCH } # @@ -5678,7 +5711,7 @@ initialize_netfilter () { run_user_exit init # - # The some files might be large so strip them while the firewall is still running + # Some files might be large so strip them while the firewall is still running # (restart command). This reduces the length of time that the firewall isn't # accepting new connections. # @@ -5721,6 +5754,16 @@ initialize_netfilter () { setcontinue INPUT setcontinue OUTPUT + run_user_exit continue + + f=$(find_file routestopped) + + echo "Processing $f ..." + + strip_file routestopped $f + + process_routestopped -A + [ -n "$DISABLE_IPV6" ] && disable_ipv6 # @@ -5729,10 +5772,6 @@ initialize_netfilter () { run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT - accounting_file=$(find_file accounting) - - [ -f $accounting_file ] && setup_accounting $accounting_file - # # Allow DNS lookups during startup for FQDNs # @@ -5756,6 +5795,10 @@ initialize_netfilter () { run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option fi + accounting_file=$(find_file accounting) + + [ -f $accounting_file ] && setup_accounting $accounting_file + if [ -z "$NEWNOTSYN" ]; then createchain newnotsyn no 
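Review bot: `echo "Processing $f ..."` prints unconditionally, whereas the rest of this file reports progress through `progress_message` (see `setup_mac_lists`), which presumably honours the script's verbosity settings; `progress_message "Processing $f ..."` keeps the output consistent. The `process_routestopped -A` added here is undone by `process_routestopped -D` in `activate_rules` (the `@@ -6577` hunk), and `-D` only removes rules whose text matches exactly, so nothing that feeds the generated rules (`$ADMINISABSENTMINDED`, `$TMP_DIR/routestopped`, the ip-range helpers) may change between the two calls; a comment at both call sites, e.g. `# must generate exactly the rules that process_routestopped -D removes in activate_rules`, records that coupling.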
@@ -6332,7 +6375,7 @@ activate_rules() shift if havenatchain $destchain ; then - run_iptables -t nat -A $sourcechain $@ -j $destchain + run_iptables2 -t nat -A $sourcechain $@ -j $destchain else [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange @@ -6350,7 +6393,7 @@ activate_rules() shift if havenatchain $destchain; then - eval run_iptables -t nat -I $sourcechain \ + eval run_iptables2 -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) else @@ -6358,7 +6401,7 @@ activate_rules() [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange fi - } + } # # Add jumps to early SNAT chains @@ -6410,7 +6453,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain + run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain done fi fi @@ -6439,7 +6482,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 + run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules 
@@ -6447,10 +6490,10 @@ activate_rules() addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) - run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 + run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then - run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain + run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain fi case $networks in @@ -6515,7 +6558,7 @@ activate_rules() # routeback was specified for this host group # if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then - run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done else @@ -6530,7 +6573,7 @@ activate_rules() networks1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done done @@ -6577,7 +6620,9 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done - + + process_routestopped -D + if [ -n "$LOGALLNEW" ]; then for table in mangle nat filter; do case $table in 
@@ -7240,6 +7285,7 @@ do_initialize() { LOGALLNEW= DROPINVALID= RFC1918_STRICT= + MACLIST_TTL= RESTOREBASE= TMP_DIR= @@ -7436,6 +7482,12 @@ do_initialize() { LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) + + [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= + + if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + fi # # Strip the files that we use often # diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index b1b25a5ff..585940699 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.2.2 +2.2.3 diff --git a/Lrp2/var/lib/lrpkg/shorwall.conf b/Lrp2/var/lib/lrpkg/shorwall.conf index 4ad7b9d67..cfb9243f1 100644 --- a/Lrp2/var/lib/lrpkg/shorwall.conf +++ b/Lrp2/var/lib/lrpkg/shorwall.conf @@ -23,3 +23,5 @@ /etc/shorewall/stopped Stopped Commands executed after stop /etc/shorewall/accounting Account Traffic Accounting Rules /etc/shorewall/actions Actions Define user actions +/etc/shorewall/continue Continue Commands executed early in [re]start +
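Review bot: `MACLIST_TTL` is read from shorewall.conf and later substituted verbatim into `--seconds $MACLIST_TTL` in setup_mac_lists, yet the only normalisation here is mapping the literal `"0"` to empty; a non-numeric value, a value containing whitespace, or `00` passes this check unchanged and produces a broken or unintended iptables command at rule-generation time rather than a clear configuration error. The neighbouring settings are all filtered through `added_param_value_*` helpers, so this one stands out; a digits-only check in the file's existing style, placed before the `"0"` test, would close the gap: `case $MACLIST_TTL in *[!0-9]*) startup_error "Invalid MACLIST_TTL setting: $MACLIST_TTL";; esac`.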