From 108ee0be919d8f160d3e7a4fc748c997aa343574 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sat, 16 Jun 2007 14:27:02 +0000
Subject: [PATCH] Add TCPMSS Match detection and fix bug in maclist handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6560 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt       |   4 +
 Shorewall-common/lib.base            |   3 +
 Shorewall-common/releasenotes.txt    | 207 +++++++++++++--------------
 Shorewall-common/shorewall.conf      |   2 +-
 Shorewall-perl/Shorewall/Chains.pm   |   3 +-
 Shorewall-perl/Shorewall/Config.pm   |   6 +-
 Shorewall-perl/Shorewall/Rules.pm    |   4 +-
 docs/shorewall_extension_scripts.xml | 102 +++++++++++--
 8 files changed, 204 insertions(+), 127 deletions(-)

diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 0cf3b702a..4b1b4c38d 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 4.0.0 Beta 6
+
+1)  Validate the DISPOSITION in /etc/shorewall/maclist entries.
+
 Changes in 4.0.0 Beta 5
 
 1)  Fix undefined function call when both an input interface and an
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index fc611e9b8..63abfdda6 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -998,6 +998,7 @@ determine_capabilities() {
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
+    TCPMSS_MATCH=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -1065,6 +1066,7 @@ determine_capabilities() {
 
     qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+    qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
 
     qt $IPTABLES -F fooX1234
     qt $IPTABLES -X fooX1234
@@ -1109,6 +1111,7 @@ report_capabilities() {
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index e3f38ff39..41f1fe190 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.0.0 Beta 5
+Shorewall 4.0.0 Beta 6
 ----------------------------------------------------------------------------
                    R E L E A S E  H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -15,115 +15,15 @@ Shorewall 4.0.0 Beta 5
 You must install Shorewall and at least one of the compiler packages
 (you may install them both).
 
-Problems corrected in 4.0.0 Beta 5.
+Problems corrected in 4.0.0 Beta 6.
 
-1)  With Shorewall-perl, if a bridge port was used to qualify the SOURCE
-    in a rule where there was also a DEST interface, then the following
-    diagnostic was produced:
+1)  With Shorewall-perl, an invalid DISPOSITION in an
+    /etc/shorewall/maclist entry would cause Perl error messages to be
+    issued.
 
-    Undefined subroutine &Shorewall::Chains::source_port_to_bridge called 
-    at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1521, <$currentfile> 
-    line 363.
+Other changes in Shorewall 4.0.0 Beta 6
 
-2)  'shorewall dump', 'shorewall show log' and 'shorewall logwatch'
-    work again.
-
-3)  The 'mss' zone option and the CLAMPMSS=<number> option in
-    shorewall.conf could previously *increase* the MSS in a
-    packet; this possibility has been eliminated.
-
-Other changes in Shorewall 4.0.0 Beta 5.
-
-1)  The Perl compiler is now externalized. Both the compiler.pl program
-    and the Perl Module interface are documented.
-
-    The compiler program is /usr/share/shorewall-perl/compiler.pl:
-
-	compiler.pl [ <option> ... ] [ <filename> ]
-
-    If a <filename> is given, then the configuration will be compiled
-    output placed in the named file. If <filename> is not given, then
-    the configuration will simply be syntax checked.
-
-    Options are:
-
-    -v <verbosity>
-    --verbosity=<verbosity>
-    
-	The <verbosity> is a number between 0 and 2 and corresponds to
-	the VERBOSITY setting in shorewall.conf. This setting controls
-	the verbosity of the compiler itself.
-
-    -e
-    --export
-
-	If given, the configuration will be compiled for export to
-	another system.
-
-    -d <directory>
-    --directory=<directory>
-
-	If this option is omitted, the configuration in /etc/shorewall
-	is compiled/checked. Otherwise, the configuration in the named
-	directory will be compiled/checked.
-
-    -t
-    --timestamp
-
-	If given, each progress message issued by the compiler and by
-	the compiled program will be timestamped.
-
-    Example (compiles the configuration in the current directory 
-             generating a script named 'firewall' and using VERBOSITY
-             2).
-
-       /usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
-
-    Note: For compatibility with Shorewall 3.4.2 and later 3.4
-    releases, options not passed on the run-line get their values from
-    environmental variables:
-
-	   Option                 Variable
-
-	   --verbosity		  VERBOSE
-	   --export		  EXPORT
-	   --directory		  SHOREWALL_DIR
-	   --timestamp		  TIMESTAMP
-
-    The Perl Module is externalized as follows:
-
-	use lib '/usr/share/shorewall-perl';
-	use Shorewall::Compiler;
-	
-	    compiler $filename, $directory, $verbose, $options
-
-    The arguments to the compiler function are as follows:
-
-	$filename -   Name of the compiled script to be created.
-                      If the arguments evaluates to false, the
-                      configuration is syntax checked
-		      
-        $directory -  The directory containing the configuration.
-		      If passed as '', then /etc/shorewall/ is assumed.
-
-	$verbose -    The verbosity level (0-2).
-
-	$options -    A bitmap of options. Shorewall::Compiler
-                      exports two constants to help building this
-		      argument:
-
-			EXPORT    = 0x01
-			TIMESTAMP = 0x02
-
-    The compiler raises an exception with 'die' if it encounters an
-    error; $@ contains the 'ERROR' messages describing the problem.
-    
-    The compiler function can be called repeatedly with different
-    inputs.
-
-2)  When TC_ENABLED=Internal, Shorewall-perl now validates classids in
-    the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
-    classes generated by /etc/shorewall/tcclasses.
+None.
 
 Migration Considerations:
 
@@ -647,7 +547,98 @@ Migration Considerations:
     4.0.0-Beta1
     Shorewall-shell 4.0.0-Beta1
     Shorewall-perl 4.0.0-Beta1
-    gateway:/bulk/backup # 
+    gateway:/bulk/backup #
+
+14) The Perl compiler is externalized. Both the compiler.pl program
+    and the Perl Module interface are documented.
+
+    The compiler program is /usr/share/shorewall-perl/compiler.pl:
+
+	compiler.pl [ <option> ... ] [ <filename> ]
+
+    If a <filename> is given, then the configuration will be compiled
+    output placed in the named file. If <filename> is not given, then
+    the configuration will simply be syntax checked.
+
+    Options are:
+
+    -v <verbosity>
+    --verbosity=<verbosity>
+    
+	The <verbosity> is a number between 0 and 2 and corresponds to
+	the VERBOSITY setting in shorewall.conf. This setting controls
+	the verbosity of the compiler itself.
+
+    -e
+    --export
+
+	If given, the configuration will be compiled for export to
+	another system.
+
+    -d <directory>
+    --directory=<directory>
+
+	If this option is omitted, the configuration in /etc/shorewall
+	is compiled/checked. Otherwise, the configuration in the named
+	directory will be compiled/checked.
+
+    -t
+    --timestamp
+
+	If given, each progress message issued by the compiler and by
+	the compiled program will be timestamped.
+
+    Example (compiles the configuration in the current directory 
+             generating a script named 'firewall' and using VERBOSITY
+             2).
+
+       /usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
+
+    Note: For compatibility with Shorewall 3.4.2 and later 3.4
+    releases, options not passed on the run-line get their values from
+    environmental variables:
+
+	   Option                 Variable
+
+	   --verbosity		  VERBOSE
+	   --export		  EXPORT
+	   --directory		  SHOREWALL_DIR
+	   --timestamp		  TIMESTAMP
+
+    The Perl Module is externalized as follows:
+
+	use lib '/usr/share/shorewall-perl';
+	use Shorewall::Compiler;
+	
+	    compiler $filename, $directory, $verbose, $options
+
+    The arguments to the compiler function are as follows:
+
+	$filename -   Name of the compiled script to be created.
+                      If the arguments evaluates to false, the
+                      configuration is syntax checked
+		      
+        $directory -  The directory containing the configuration.
+		      If passed as '', then /etc/shorewall/ is assumed.
+
+	$verbose -    The verbosity level (0-2).
+
+	$options -    A bitmap of options. Shorewall::Compiler
+                      exports two constants to help building this
+		      argument:
+
+			EXPORT    = 0x01
+			TIMESTAMP = 0x02
+
+    The compiler raises an exception with 'die' if it encounters an
+    error; $@ contains the 'ERROR' messages describing the problem.
+    
+    The compiler function can be called repeatedly with different
+    inputs.
+
+15) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
+    the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
+    classes generated by /etc/shorewall/tcclasses.
 
 ----------------------------------------------------------------------------
                       P R E R E Q U I S I T E S
diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 8ede51b12..78eb0177d 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index b9b88d7bf..92c085993 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -709,7 +709,8 @@ sub set_mss1( $$ ) {
     my $chainref = ensure_chain 'filter', $chain;
 
     if ( $chainref->{policy} ne 'NONE' ) {
-	insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss: -j TCPMSS --set-mss $mss"
+	my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
+	insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
     }
 }
 
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 3bc7a30fc..fdb6e9378 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -299,6 +299,7 @@ sub initialize() {
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
+		 TCPMSS_MATCH    => 'TCP MSS',
 	       );
     #
     # Directories to search for configuration files
@@ -855,8 +856,9 @@ sub determine_capabilities() {
 	}
     }
 
-    $capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
-    $capabilities{ADDRTYPE}   = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
+    $capabilities{USEPKTTYPE}   = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
+    $capabilities{ADDRTYPE}     = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
+    $capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); 
 
     qt( "$iptables -F $sillyname" );
     qt( "$iptables -X $sillyname" );
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 5e228c398..80f522b77 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -730,7 +730,7 @@ sub setup_mac_lists( $ ) {
 
 		my $targetref = $maclist_targets{$disposition};
 
-		fatal_error "Invalid DISPOSITION ( $disposition)" if ( $table eq 'mangle' ) && ! $targetref->{mangle};
+		fatal_error "Invalid DISPOSITION ( $disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
 
 		unless ( $maclist_interfaces{$interface} ) {
 		    next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
@@ -1792,7 +1792,7 @@ sub setup_mss( $ ) {
     if ( "\L$clampmss" eq 'yes' ) {
 	$option = '--clamp-mss-to-pmtu';
     } else {
-	$match  = "-m tcpmss --mss $clampmss: ";
+	$match  = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
 	$option = '--set-mss $clampmss';
     }
     
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 68b1d1fff..098b4752f 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -101,7 +101,8 @@
 
     <listitem>
       <para>refresh -- invoked while the firewall is being refreshed but
-      before the blacklst chains have been rebuilt.</para>
+      before the blacklst chains have been rebuilt (Not used by Shorewall
+      Perl).</para>
     </listitem>
 
     <listitem>
@@ -109,7 +110,8 @@
       traffic while Shorewall is [re]starting. Any rules added in this script
       should be deleted in your <emphasis>start</emphasis> script. This script
       is invoked earlier in the [re]start process than is the
-      <emphasis>initdone</emphasis> script described above.</para>
+      <emphasis>initdone</emphasis> script described above (Not used by
+      Shorewall Perl).</para>
     </listitem>
 
     <listitem>
@@ -284,17 +286,17 @@
 
     <listitem>
       <para><emphasis role="bold">Shorewall version 3.2.9 (3.4.0 RC2) and
-      later.</emphasis> When compiling your firewall configuration, Shorewall
-      copies most extension scripts directly into the "compiled" program where
-      they are executed in-line during processing of the start, restart and
-      restore commands. When copying a script, Shorewall indents the script to
-      match the surrounding code; if you have 'awk' installed on the system
-      where the configuration is being compiled, Shorewall can correctly
-      handle line continuation in your script ("\" as the last character on a
-      line). If you do not have awk, you may not use line continuation in your
-      scripts. Also beware that quoted strings continued from one line to
-      another will have extra whitespace inserted as a result of
-      indentation.</para>
+      later (Shorewall-shell).</emphasis> When compiling your firewall
+      configuration, Shorewall copies most extension scripts directly into the
+      "compiled" program where they are executed in-line during processing of
+      the start, restart and restore commands. When copying a script,
+      Shorewall indents the script to match the surrounding code; if you have
+      'awk' installed on the system where the configuration is being compiled,
+      Shorewall can correctly handle line continuation in your script ("\" as
+      the last character on a line). If you do not have awk, you may not use
+      line continuation in your scripts. Also beware that quoted strings
+      continued from one line to another will have extra whitespace inserted
+      as a result of indentation.</para>
 
       <note>
         <para>The <filename>/etc/shorewall/params</filename> script is
@@ -332,5 +334,79 @@
         script.</para>
       </note>
     </listitem>
+
+    <listitem>
+      <para><emphasis role="bold">Shorewall-perl</emphasis>. Because the
+      compiler is now written in Perl, your compile-time extension scripts
+      from earlier versions will no longer work. Compile-time extension
+      scripts are executed using the Perl 'eval `cat &lt;file&gt;`' mechanism.
+      Be sure that each script returns a 'true' value; otherwise, the compiler
+      will assume that the script failed and will abort the
+      compilation.</para>
+
+      <para>All scripts will need to begin with the following
+      line:<programlisting>use Shorewall::Chains;</programlisting> For more
+      complex scripts, you may need to 'use' other Shorewall Perl modules --
+      browse <filename
+      class="directory">/usr/share/shorewall-perl/Shorewall/</filename> to see
+      what's available.</para>
+
+      <para>When a script is invoked, the $chainref scalar variable will hold
+      a reference to a chain table entry.<simplelist>
+          <member>$chainref-&gt;{name} contains the name of the chain</member>
+
+          <member>$chainref-&gt;{table} holds the table name</member>
+        </simplelist>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;the rule&gt; );</programlisting>Where<simplelist>
+          <member>&lt;the rule&gt; is a scalar argument holding the rule text.
+          Do not include "-A &lt;chain name&gt;"</member>
+        </simplelist>Example:<programlisting>add_rule( $chainref, '-j ACCEPT' );</programlisting>To
+      insert a rule into the chain:<programlisting> insert_rule( $chainref, &lt;rulenum&gt;, &lt;the rule&gt; );</programlisting>The
+      log_rule_limit function works like it does in the shell compiler with
+      two exceptions:<itemizedlist>
+          <listitem>
+            <para>You pass the chain reference rather than the name of the
+            chain.</para>
+          </listitem>
+
+          <listitem>
+            <para>The commands are 'add' and 'insert' rather than '-A' and
+            '-I'.</para>
+          </listitem>
+
+          <listitem>
+            <para>There is only a single "pass as-is to iptables" argument (so
+            you must quote that part).</para>
+          </listitem>
+        </itemizedlist>Example:<programlisting>log_rule_limit(
+               'info' , 
+               $chainref ,            
+               $chainref-&gt;{name},
+               'DROP' , 
+               '',      #Limit
+               '' ,     #Log tag
+               'add',   #Command
+               '-p tcp' #Pass as-is
+               );</programlisting>Some run-time scripts have been converted to
+      compile time scripts:<simplelist>
+          <member>initdone</member>
+
+          <member>maclog</member>
+        </simplelist>Note that in the 'initdone' script, there is no default
+      chain ($chainref). You can objtain a reference to a standard chain
+      by:<programlisting>my $chainref = $chain_table{&lt;table&gt;}{&lt;chain name&gt;};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting>Some
+      run-time scripts are simply eliminated because they no longer make any
+      sense under Shorewall-perl:<itemizedlist>
+          <listitem>
+            <para>continue - This script was designed to allow you to add
+            special temporary rules during [re]start. Shorewall-perl doesn't
+            need such rules.</para>
+          </listitem>
+
+          <listitem>
+            <para>refresh - The <command>refresh</command> command is the same
+            as <command>restart</command></para>
+          </listitem>
+        </itemizedlist></para>
+    </listitem>
   </itemizedlist>
 </article>
\ No newline at end of file