Add conversion of notrack to conntrack

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-08-08 16:46:58 -07:00
parent 8657682dfd
commit 0d635632e3
28 changed files with 156 additions and 63 deletions


@ -3931,7 +3931,7 @@ usage() # $1 = exit status
echo " status [ -i ]" echo " status [ -i ]"
echo " stop" echo " stop"
ecko " try <directory> [ <timeout> ]" ecko " try <directory> [ <timeout> ]"
ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
echo " version [ -a ]" echo " version [ -a ]"
echo echo
exit $1 exit $1
@ -3985,6 +3985,7 @@ shorewall_cli() {
g_loopback= g_loopback=
g_compiled= g_compiled=
g_routestopped= g_routestopped=
g_notrack=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1


@ -592,8 +592,8 @@ EOF
# #
sub compiler { sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped ) = my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 ); ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 , 0 );
$export = 0; $export = 0;
$test = 0; $test = 0;
@ -845,7 +845,7 @@ sub compiler {
# #
# Process the conntrack file # Process the conntrack file
# #
setup_conntrack; setup_conntrack( $notrack );
# #
# Add Tunnel rules. # Add Tunnel rules.
# #


@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_conntrack ); our @EXPORT = qw( setup_conntrack );
our @EXPORT_OK = qw( handle_helper_rule ); our @EXPORT_OK = qw( handle_helper_rule );
our $VERSION = 'MODULEVERSION'; our $VERSION = '4.6_10';
our %valid_ctevent = ( new => 1, our %valid_ctevent = ( new => 1,
related => 1, related => 1,
@ -56,7 +56,7 @@ sub initialize($) {
} }
# #
# Conntrack # Notrack
# #
sub process_conntrack_rule( $$$$$$$$$$ ) { sub process_conntrack_rule( $$$$$$$$$$ ) {
@ -275,52 +275,131 @@ sub process_format( $ ) {
$file_format = $format; $file_format = $format;
} }
sub setup_conntrack() { sub setup_conntrack($) {
my $convert = shift;
my $fn;
my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' );
my $fn = open_file( 'conntrack', 3 , 1 ); for my $name ( qw/notrack conntrack/ ) {
if ( $fn ) { $fn = open_file( $name, 3 , 1 );
my $action; if ( $fn ) {
first_entry( "$doing $fn..." ); my $action;
while ( read_a_line( NORMAL_READ ) ) { my $empty = 1;
my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }; first_entry( "$doing $fn..." );
for my $proto ( split_list $protos, 'Protocol' ) { while ( read_a_line( NORMAL_READ ) ) {
if ( $file_format < 3 ) { my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-'; if ( $file_format == 1 ) {
for my $zone ( $1 ? off_firewall_zones : all_zones ) { ( $source, $dest, $protos, $ports, $sports, $user, $switch ) =
process_conntrack_rule( undef , split_line1( 'Conntrack File',
undef, { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
$action, $action = 'NOTRACK';
$zone . ( $2 || ''),
$dest,
$proto,
$ports,
$sports,
$user ,
$switch );
}
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else { } else {
$action =~ s/:P$//; ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ); }
$empty = 0;
for my $proto ( split_list $protos, 'Protocol' ) {
if ( $file_format < 3 ) {
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
for my $zone ( $1 ? off_firewall_zones : all_zones ) {
process_conntrack_rule( undef ,
undef,
$action,
$zone . ( $2 || ''),
$dest,
$proto,
$ports,
$sports,
$user ,
$switch );
}
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP$// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
$action =~ s/:P$//;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
} }
} }
if ( $name eq 'notrack') {
if ( $empty ) {
if ( unlink( $fn ) ) {
warning_message "Empty notrack file ($fn) removed";
} else {
warning_message "Unable to remove empty notrack file ($fn): $!";
}
$convert = undef;
}
}
} elsif ( $name eq 'notrack' ) {
$convert = undef;
} }
} }
if ( $convert ) {
my $conntrack;
my $empty = 1;
if ( $fn ) {
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
} else {
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
print $conntrack <<'EOF';
#
# Shorewall version 5 - conntrack File
#
# For information about entries in this file, type "man shorewall-conntrack"
#
##############################################################################################################
EOF
print $conntrack '?' . "FORMAT 3";
print $conntrack <<'EOF';
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
EOF
}
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
while ( read_a_line( PLAIN_READ ) ) {
#
# Don't copy the header comments from the old notrack file
#
next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
if ( $empty ) {
#
# First non-commentary line
#
$empty = undef;
print $conntrack '?' . "format 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
}
print $conntrack "$currentline\n";
}
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
progress_message2 "notrack file $fn saved in $fn.bak"
}
} }
1; 1;
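Review bot: The conversion block prints the copied notrack lines to `$conntrack` and then runs `rename $fn, "$fn.bak"` without ever closing the write handle, so a buffered write failure (disk full, unwritable config directory) goes unnoticed and the notrack file is moved aside as if the conversion had succeeded, leaving a possibly truncated conntrack file as the only active copy of those rules; add `close $conntrack or fatal_error "Unable to close the conntrack file: $!";` immediately before the `rename`, as the mangle conversion in Tc.pm does with `close $mangle`. Related, the header written for a newly created conntrack file emits `'?' . "FORMAT 3"` with no trailing newline, so the `#ACTION` column header that follows lands on the same line — `print $conntrack "?FORMAT 3\n";` keeps it parallel to the `?format 1\n` written for the copied rules. Also, `@files` is derived from `$convert` but the loop iterates the literal `qw/notrack conntrack/`, so an empty notrack file is unlinked on every compile rather than only under `--notrack`; if that is unintended the loop should be `for my $name ( @files )`, and if it is intended `@files` is dead code. The other subroutines of this package are outside the hunk.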


@ -3140,7 +3140,7 @@ sub process_secmark_rule() {
} }
# #
# Process the tcrules file and setup traffic shaping # Process the mangle file and setup traffic shaping
# #
sub setup_tc( $ ) { sub setup_tc( $ ) {
$tcrules = $_[0]; $tcrules = $_[0];
@ -3222,6 +3222,8 @@ sub setup_tc( $ ) {
close $mangle, directive_callback( 0 ); close $mangle, directive_callback( 0 );
} }
} elsif ( my $fn = find_file( 'tcrules' ) ) {
warning_message "The tcrules file is no longer supported -- use the '$product update -t' to convert $fn to an equivalent 'mangle' file";
} }
if ( my $fn = open_file( 'mangle', 1, 1 ) ) { if ( my $fn = open_file( 'mangle', 1, 1 ) ) {
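Review bot: The new `elsif` branch only issues a `warning_message` when a tcrules file is still present, so any marking rules a site still keeps there are left out of the generated ruleset while the compile succeeds; if that silent degradation is not acceptable, a `fatal_error` with the same text would make the stale file impossible to overlook. If the warning is the intended behaviour, the message reads better without the leading article: `use '$product update -t' to convert $fn to an equivalent 'mangle' file`. The enclosing `setup_tc` body begins before this hunk.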


@ -43,6 +43,7 @@
# --inline # Update alternative column specifications # --inline # Update alternative column specifications
# --tcrules # Create mangle from tcrules # --tcrules # Create mangle from tcrules
# --routestopped # Create stoppedrules from routestopped # --routestopped # Create stoppedrules from routestopped
# --notrack # Create conntrack from notrack
# #
use strict; use strict;
use FindBin; use FindBin;
@ -79,6 +80,7 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
[ --inline ] [ --inline ]
[ --tcrules ] [ --tcrules ]
[ --routestopped ] [ --routestopped ]
[ --notrack ]
_EOF_ _EOF_
exit shift @_; exit shift @_;
@ -110,6 +112,7 @@ my $shorewallrc1 = '';
my $inline = 0; my $inline = 0;
my $tcrules = 0; my $tcrules = 0;
my $routestopped = 0; my $routestopped = 0;
my $notrack = 0;
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
@ -145,6 +148,7 @@ my $result = GetOptions('h' => \$help,
'inline' => \$inline, 'inline' => \$inline,
'tcrules' => \$tcrules, 'tcrules' => \$tcrules,
'routestopped' => \$routestopped, 'routestopped' => \$routestopped,
'notrack' => \$notrack,
'config_path=s' => \$config_path, 'config_path=s' => \$config_path,
'shorewallrc=s' => \$shorewallrc, 'shorewallrc=s' => \$shorewallrc,
'shorewallrc1=s' => \$shorewallrc1, 'shorewallrc1=s' => \$shorewallrc1,
@ -176,4 +180,5 @@ compiler( script => $ARGV[0] || '',
inline => $inline, inline => $inline,
tcrules => $tcrules, tcrules => $tcrules,
routestopped => $routestopped, routestopped => $routestopped,
notrack => $notrack
); );


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Actions File # Shorewall version 5 - Actions File
# #
# /etc/shorewall/actions # /etc/shorewall/actions
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Blacklist Rules File # Shorewall version 5 - Blacklist Rules File
# #
# For information about entries in this file, type "man shorewall-blrules" # For information about entries in this file, type "man shorewall-blrules"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - conntrack File # Shorewall version 5 - conntrack File
# #
# For information about entries in this file, type "man shorewall-conntrack" # For information about entries in this file, type "man shorewall-conntrack"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Findgw File # Shorewall version 5 - Findgw File
# #
# /etc/shorewall/findgw # /etc/shorewall/findgw
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Init File # Shorewall version 5 - Init File
# #
# /etc/shorewall/init # /etc/shorewall/init
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Interfaces File # Shorewall version 5 - Interfaces File
# #
# For information about entries in this file, type "man shorewall-interfaces" # For information about entries in this file, type "man shorewall-interfaces"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - lib.private File # Shorewall version 5 - lib.private File
# #
# /etc/shorewall/lib.private # /etc/shorewall/lib.private
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Mangle File # Shorewall version 5 - Mangle File
# #
# For information about entries in this file, type "man shorewall-mangle" # For information about entries in this file, type "man shorewall-mangle"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Nat File # Shorewall version 5 - Nat File
# #
# For information about entries in this file, type "man shorewall-nat" # For information about entries in this file, type "man shorewall-nat"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Params File # Shorewall version 5 - Params File
# #
# /etc/shorewall/params # /etc/shorewall/params
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Providers File # Shorewall version 5 - Providers File
# #
# For information about entries in this file, type "man shorewall-providers" # For information about entries in this file, type "man shorewall-providers"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - refresh File # Shorewall version 5 - refresh File
# #
# /etc/shorewall/refresh # /etc/shorewall/refresh
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Restored File # Shorewall version 5 - Restored File
# #
# /etc/shorewall/restored # /etc/shorewall/restored
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Routestopped File # Shorewall version 5 - Routestopped File
# #
# This file is deprecated in favor of the stoppedrules file # This file is deprecated in favor of the stoppedrules file
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Rules File # Shorewall version 5 - Rules File
# #
# For information on the settings in this file, type "man shorewall-rules" # For information on the settings in this file, type "man shorewall-rules"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Secmarks File # Shorewall version 5 - Secmarks File
# #
# For information about entries in this file, type "man shorewall-secmarks" # For information about entries in this file, type "man shorewall-secmarks"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Start File # Shorewall version 5 - Start File
# #
# /etc/shorewall/start # /etc/shorewall/start
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Stop File # Shorewall version 5 - Stop File
# #
# /etc/shorewall/stop # /etc/shorewall/stop
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - tcclear File # Shorewall version 5 - tcclear File
# #
# /etc/shorewall/tcclear # /etc/shorewall/tcclear
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Tcfilters File # Shorewall version 5 - Tcfilters File
# #
# For information about entries in this file, type "man shorewall-tcfilters" # For information about entries in this file, type "man shorewall-tcfilters"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Tcpri File # Shorewall version 5 - Tcpri File
# #
# For information about entries in this file, type "man shorewall-tcpri" # For information about entries in this file, type "man shorewall-tcpri"
# #


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Tunnels File # Shorewall version 5 - Tunnels File
# #
# For information about entries in this file, type "man shorewall-tunnels" # For information about entries in this file, type "man shorewall-tunnels"
# #


@ -439,6 +439,7 @@ compiler() {
[ -n "$g_tcrules" ] && options="$options --tcrules" [ -n "$g_tcrules" ] && options="$options --tcrules"
[ -n "$g_inline" ] && options="$options --inline" [ -n "$g_inline" ] && options="$options --inline"
[ -n "$g_routestopped" ] && options="$options --routestopped" [ -n "$g_routestopped" ] && options="$options --routestopped"
[ -n "$g_notrack" ] && options="$options --notrack"
if [ -n "$PERL" ]; then if [ -n "$PERL" ]; then
if [ ! -x "$PERL" ]; then if [ ! -x "$PERL" ]; then
@ -849,12 +850,17 @@ update_command() {
g_routestopped=Yes g_routestopped=Yes
option=${option#s} option=${option#s}
;; ;;
n*)
g_notrack=Yes
option=${option#n}
;;
A*) A*)
g_inline=Yes g_inline=Yes
g_convert=Yes g_convert=Yes
g_directives=Yes g_directives=Yes
g_tcrules=Yes g_tcrules=Yes
g_routestopped=Yes g_routestopped=Yes
g_notrack=Yes
option=${option#A} option=${option#A}
;; ;;
*) *)