Update for 2.2.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2025 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-03 12:09:14 +01:00 · 2005-04-06 17:45:04 +00:00 · 2005-04-06 17:45:04 +00:00 · 05601aeb63
commit 05601aeb63
parent 1b1d13b4aa
8 changed files with 175 additions and 81 deletions
--- a/Lrp2/etc/shorewall/continue
+++ b/Lrp2/etc/shorewall/continue
@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#
--- a/Lrp2/etc/shorewall/policy
+++ b/Lrp2/etc/shorewall/policy
@ -25,6 +25,8 @@
 #			DROP		- Ignore the connection request
 #			REJECT		- For TCP, send RST. For all other, send
 #					  "port unreachable" ICMP.
+#			QUEUE		- Send the request to a user-space
+#					  application using the QUEUE target.
 #			CONTINUE	- Pass the connection request past
 #					  any other rules that it might also
 #					  match (where the source or destination
--- a/Lrp2/etc/shorewall/routestopped
+++ b/Lrp2/etc/shorewall/routestopped
@ -5,7 +5,8 @@
 # /etc/shorewall/routestopped
 #
 #	This file is used to define the hosts that are accessible when the
-#	firewall is stopped
+#	firewall is stopped or when it is in the process of being
+#	[re]started.
 #
 # Columns must be separated by white space and are:
 #
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@ -760,6 +760,30 @@ DROPINVALID=No
 #          'conntrack state' match.

 RFC1918_STRICT=No
+
+#
+# MACLIST caching
+#
+# If your iptables and kernel support the "Recent Match" (see the output of
+# "shorewall check" near the top), you can cache the results of a 'maclist'
+# file lookup and thus reduce the overhead associated with MAC Verification
+# (/etc/shorewall/maclist).
+#
+# When a new connection arrives from a 'maclist' interface, the packet passes
+# through then list of entries for that interface in /etc/shorewall/maclist. If
+# there is a match then the source IP address is added to the 'Recent' set for
+# that interface. Subsequent connection attempts from that IP address occuring
+# within $MACLIST_TTL seconds will be accepted without having to scan all of
+# the entries. After $MACLIST_TTL from the first accepted connection request,
+# the next connection request from that IP address will be checked against
+# the entire list.
+# 
+# If MACLIST_TTL is not specified or is specified as empty (e.g, 
+# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
+# be cached.
+
+MACLIST_TTL=
+
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Lrp2/sbin/shorewall
+++ b/Lrp2/sbin/shorewall
@ -1014,6 +1014,7 @@ case "$1" in
 	    done
 	done

+	if [ -n "$(ip rule ls)" ]; then
 	    echo
 	    echo "Routing Rules"
 	    echo
@ -1025,6 +1026,12 @@ case "$1" in
 		echo
 		ip route ls table $table
 	    done
+	else
+	    echo
+	    echo "Routing Table"
+	    echo
+	    ip route ls
+	fi

 	echo
 	echo "ARP"
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
   echo $(chain_base $1)_mac
 }

+macrecent_target() # $1 - interface
+{
+    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
+}
+
 #
 # Functions for creating dynamic zone rules
 #
@ -1095,7 +1100,7 @@ validate_policy()
 	esac

 	case $policy in
-	ACCEPT|REJECT|DROP|CONTINUE)
+	ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
 	    ;;
 	NONE)
 	    [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@ -1390,6 +1395,58 @@ disable_ipv6_1() {
    fi
 }

+#
+# Process the routestopped file either adding or deleting rules
+#
+
+process_routestopped() # $1 = command
+{
+    local hosts= interface host host1 options networks
+
+    while read interface host options; do
+	expandv interface host options
+	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
+	for h in $(separate_list $host); do
+	    hosts="$hosts $interface:$h"
+	done
+
+	routeback=
+
+	if [ -n "$options" ]; then
+	    for option in $(separate_list $options); do
+		case $option in
+		    routeback)
+			if [ -n "$routeback" ]; then
+			    error_message "Warning: Duplicate routestopped option ignored: routeback"
+			else
+			    routeback=Yes
+			    for h in $(separate_list $host); do
+				run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
+			    done
+			fi
+			;;
+		    *)
+			error_message "Warning: Unknown routestopped option ignored: $option"
+			;;
+		esac
+	    done
+	fi
+		    
+    done < $TMP_DIR/routestopped
+
+    for host in $hosts; do
+	interface=${host%:*}
+	networks=${host#*:}
+	$IPTABLES $1 INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
+	    run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+
+	for host1 in $hosts; do
+	    [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+	done
+    done
+}
+
 #
 # Stop the Firewall
 #
@ -1465,50 +1522,9 @@ stop_firewall() {

    hosts=

-    strip_file routestopped
+    [ -f $TMP_DIR/routestopped ] || strip_file routestopped

-    while read interface host options; do
-	expandv interface host options
-	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
-	for h in $(separate_list $host); do
-	    hosts="$hosts $interface:$h"
-	done
-
-	routeback=
-
-	if [ -n "$options" ]; then
-	    for option in $(separate_list $options); do
-		case $option in
-		    routeback)
-			if [ -n "$routeback" ]; then
-			    error_message "Warning: Duplicate option ignored: routeback"
-			else
-			    routeback=Yes
-			    for h in $(separate_list $host); do
-				$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
-			    done
-			fi
-			;;
-		    *)
-			error_message "Warning: Unknown option ignored: $option"
-			;;
-		esac
-	    done
-	fi
-		    
-    done < $TMP_DIR/routestopped
-
-    for host in $hosts; do
-	interface=${host%:*}
-	networks=${host#*:}
-	$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-	[ -z "$ADMINISABSENTMINDED" ] && \
-	    $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-
-	for host1 in $hosts; do
-	    [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
-	done
-    done
+    process_routestopped -A

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    [ -z "$ADMINISABSENTMINDED" ] && \
@ -1989,6 +2005,7 @@ setup_mac_lists() {
    local addresses
    local address
    local chain
+    local chain1
    local macpart
    local blob
    local hosts
@ -2013,10 +2030,19 @@ setup_mac_lists() {

    progress_message "Setting up MAC Verification on $maclist_interfaces..."
    #
-    # Be sure that they are all ethernet interfaces
+    # Create chains.
    #
    for interface in $maclist_interfaces; do
-	createchain $(mac_chain $interface) no
+	chain=$(mac_chain $interface)
+	createchain $chain no
+	
+	if [ -n "$MACLIST_TTL" ]; then
+	    chain1=$(macrecent_target $interface)
+	    createchain $chain1 no
+	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
+	    run_iptables -A $chain1 -m recent --update                        --name $chain -j ACCEPT
+	    run_iptables -A $chain1 -m recent --set                           --name $chain -j ACCEPT
+	fi
    done
    #
    # Process the maclist file producing the verification rules
@ -2036,6 +2062,7 @@ setup_mac_lists() {
 	fi

 	chain=$(mac_chain $interface)
+	chain1=$(macrecent_target $interface)

 	if ! havechain $chain ; then
 	    fatal_error "No hosts on $interface have the maclist option specified"
@ -2044,10 +2071,10 @@ setup_mac_lists() {
 	macpart=$(mac_match $mac)

 	if [ -z "$addresses" ]; then
-	    run_iptables -A $chain $macpart $physdev_part -j RETURN
+	    run_iptables -A $chain $macpart $physdev_part -j $chain1
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
+		run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
 	    done
 	fi
    done < $TMP_DIR/maclist
@ -2057,6 +2084,7 @@ setup_mac_lists() {
    #
    for interface in $maclist_interfaces; do
 	chain=$(mac_chain $interface)
+	chain1=$(macrecent_target $interface)

 	blob=$(ip link show $interface 2> /dev/null)

@ -2065,11 +2093,11 @@ setup_mac_lists() {

 	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
 	    if [ -n "$broadcast" ]; then
-		run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
+		run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
 	    fi

-	    run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
-	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j RETURN
+	    run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
+	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j $chain1
 	done

 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -3462,14 +3490,14 @@ process_actions1() {
 		    [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
 		    xaction=${xaction%:*}
 		    case $temp in
-			ACCEPT|REJECT|DROP)
+			ACCEPT|REJECT|DROP|QUEUE)
 			    eval ${temp}_common=$xaction
 			    if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
 				USEDACTIONS="$USEDACTIONS $xaction"
 			    fi
 			    ;;
 			*)
-			    startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
+			    startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
 			    ;;
 		    esac
 	    esac
@ -4778,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
 	    [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common    
 	    target=reject
 	    ;;
+	QUEUE)
+	    [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common    
+	    ;;
 	CONTINUE)
 	    target=
 	    ;;
@ -4843,7 +4874,7 @@ default_policy() # $1 = client $2 = server
 	    # depends on the policy
 	    #
 	    case $policy in
-	    ACCEPT)
+	    ACCEPT|QUEUE)
 		if [ -n "$synparams" ]; then
 		    #
 		    # To avoid double-counting SYN packets, enforce the policy
@ -5589,6 +5620,7 @@ determine_capabilities() {
    POLICY_MATCH=
    PHYSDEV_MATCH=
    IPRANGE_MATCH=
+    RECENT_MATCH=

    qt $IPTABLES -N fooX1234
    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@ -5597,7 +5629,7 @@ determine_capabilities() {
    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
-
+    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes

    if [ -n "$PKTTYPE" ]; then
 	qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5627,6 +5659,7 @@ report_capabilities() {
    report_capability "Policy Match" $POLICY_MATCH
    report_capability "Physdev Match" $PHYSDEV_MATCH
    report_capability "IP range Match" $IPRANGE_MATCH
+    report_capability "Recent Match" $RECENT_MATCH
 }

 #
@ -5678,7 +5711,7 @@ initialize_netfilter () {
    run_user_exit init

    #
-    # The some files might be large so strip them while the firewall is still running
+    # Some files might be large so strip them while the firewall is still running
    # (restart command). This reduces the length of time that the firewall isn't
    # accepting new connections.
    #
@ -5721,6 +5754,16 @@ initialize_netfilter () {
    setcontinue INPUT
    setcontinue OUTPUT

+    run_user_exit continue
+
+    f=$(find_file routestopped)
+
+    echo "Processing $f ..."
+
+    strip_file routestopped $f
+
+    process_routestopped -A
+
    [ -n "$DISABLE_IPV6" ] && disable_ipv6

    #
@ -5729,10 +5772,6 @@ initialize_netfilter () {
    run_iptables -A INPUT  -i lo -j ACCEPT
    run_iptables -A OUTPUT -o lo -j ACCEPT

-    accounting_file=$(find_file accounting)
-
-    [ -f $accounting_file ] && setup_accounting $accounting_file
-
    #
    # Allow DNS lookups during startup for FQDNs
    #
@ -5756,6 +5795,10 @@ initialize_netfilter () {
 	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
    fi

+    accounting_file=$(find_file accounting)
+
+    [ -f $accounting_file ] && setup_accounting $accounting_file
+
    if [ -z "$NEWNOTSYN" ]; then
 	createchain newnotsyn no

@ -6332,7 +6375,7 @@ activate_rules()
 	shift

 	if havenatchain $destchain ; then
-	    run_iptables -t nat -A $sourcechain $@ -j $destchain
+	    run_iptables2 -t nat -A $sourcechain $@ -j $destchain
 	else
 	    [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]      && -rm -f $TMP_DIR/physdev
 	    [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
@ -6350,7 +6393,7 @@ activate_rules()
 	shift

 	if havenatchain $destchain; then
-	    eval run_iptables -t nat -I $sourcechain \
+	    eval run_iptables2 -t nat -I $sourcechain \
 		\$${sourcechain}_rule $@ -j $destchain
 	    eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
 	else 
@ -6410,7 +6453,7 @@ activate_rules()
 		    interface=${host%%:*}
 		    networks=${host#*:}
 		    
-		    run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+		    run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
 		done
 	    fi
 	fi
@ -6439,7 +6482,7 @@ activate_rules()
 	    interface=${host%%:*}
 	    networks=${host#*:}

-	    run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
+	    run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1

 	    #
 	    # Add jumps from the builtin chains for DNAT and SNAT rules
@ -6447,10 +6490,10 @@ activate_rules()
 	    addrulejump PREROUTING  $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
 	    addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)

-	    run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
+	    run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2

 	    if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
-                run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+                run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
 	    fi

 	    case $networks in
@ -6515,7 +6558,7 @@ activate_rules()
 		    # routeback was specified for this host group
 		    #
 		    if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
-			run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain			
+			run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain			
 		    fi
 		done
 	    else
@ -6530,7 +6573,7 @@ activate_rules()
 			networks1=${host1#*:}

 			if [ "$host" != "$host1" ] || list_search $host $routeback; then
-			    run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
+			    run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
 			fi
 		    done
 		done
@ -6578,6 +6621,8 @@ activate_rules()
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
    done
 
+    process_routestopped -D
+
    if [ -n "$LOGALLNEW" ]; then
 	for table in mangle nat filter; do
 	    case $table in
@ -7240,6 +7285,7 @@ do_initialize() {
    LOGALLNEW=
    DROPINVALID=
    RFC1918_STRICT=
+    MACLIST_TTL=

    RESTOREBASE=
    TMP_DIR=
@ -7436,6 +7482,12 @@ do_initialize() {
    LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
+
+    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    fi
    #
    # Strip the files that we use often
    #
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@ -1 +1 @@
-2.2.2
+2.2.3
--- a/Lrp2/var/lib/lrpkg/shorwall.conf
+++ b/Lrp2/var/lib/lrpkg/shorwall.conf
@ -23,3 +23,5 @@
 /etc/shorewall/stopped		Stopped   Commands executed after stop
 /etc/shorewall/accounting	Account   Traffic Accounting Rules
 /etc/shorewall/actions		Actions   Define user actions
+/etc/shorewall/continue		Continue  Commands executed early in [re]start
+
 @ -1 +1 @@
 .2.2
 .2.3