extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 06:10:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add TCPMSS Match detection and fix bug in maclist handling

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6560 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-16 14:27:02 +00:00
parent 9d512c2514
commit 108ee0be91
8 changed files with 204 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 4.0.0 Beta 6
1) Validate the DISPOSITION in /etc/shorewall/maclist entries.
Changes in 4.0.0 Beta 5
1) Fix undefined function call when both an input interface and an

3
Shorewall-common/lib.base
View File

@ -998,6 +998,7 @@ determine_capabilities() {
MANGLE_FORWARD=
COMMENTS=
ADDRTYPE=
TCPMSS_MATCH=
qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -1065,6 +1066,7 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
@ -1109,6 +1111,7 @@ report_capabilities() {
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
report_capability "Comments" $COMMENTS
report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=

205
Shorewall-common/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 4.0.0 Beta 5
Shorewall 4.0.0 Beta 6
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
----------------------------------------------------------------------------
@ -15,115 +15,15 @@ Shorewall 4.0.0 Beta 5
You must install Shorewall and at least one of the compiler packages
(you may install them both).
Problems corrected in 4.0.0 Beta 5.
Problems corrected in 4.0.0 Beta 6.
1) With Shorewall-perl, if a bridge port was used to qualify the SOURCE
in a rule where there was also a DEST interface, then the following
diagnostic was produced:
1) With Shorewall-perl, an invalid DISPOSITION in an
/etc/shorewall/maclist entry would cause Perl error messages to be
issued.
Undefined subroutine &Shorewall::Chains::source_port_to_bridge called
at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1521, <$currentfile>
line 363.
Other changes in Shorewall 4.0.0 Beta 6
2) 'shorewall dump', 'shorewall show log' and 'shorewall logwatch'
work again.
3) The 'mss' zone option and the CLAMPMSS=<number> option in
shorewall.conf could previously *increase* the MSS in a
packet; this possibility has been eliminated.
Other changes in Shorewall 4.0.0 Beta 5.
1) The Perl compiler is now externalized. Both the compiler.pl program
and the Perl Module interface are documented.
The compiler program is /usr/share/shorewall-perl/compiler.pl:
compiler.pl [ <option> ... ] [ <filename> ]
If a <filename> is given, then the configuration will be compiled
output placed in the named file. If <filename> is not given, then
the configuration will simply be syntax checked.
Options are:
-v <verbosity>
--verbosity=<verbosity>
The <verbosity> is a number between 0 and 2 and corresponds to
the VERBOSITY setting in shorewall.conf. This setting controls
the verbosity of the compiler itself.
-e
--export
If given, the configuration will be compiled for export to
another system.
-d <directory>
--directory=<directory>
If this option is omitted, the configuration in /etc/shorewall
is compiled/checked. Otherwise, the configuration in the named
directory will be compiled/checked.
-t
--timestamp
If given, each progress message issued by the compiler and by
the compiled program will be timestamped.
Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
Note: For compatibility with Shorewall 3.4.2 and later 3.4
releases, options not passed on the run-line get their values from
environmental variables:
Option Variable
--verbosity VERBOSE
--export EXPORT
--directory SHOREWALL_DIR
--timestamp TIMESTAMP
The Perl Module is externalized as follows:
use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;
compiler $filename, $directory, $verbose, $options
The arguments to the compiler function are as follows:
$filename - Name of the compiled script to be created.
If the arguments evaluates to false, the
configuration is syntax checked
$directory - The directory containing the configuration.
If passed as '', then /etc/shorewall/ is assumed.
$verbose - The verbosity level (0-2).
$options - A bitmap of options. Shorewall::Compiler
exports two constants to help building this
argument:
EXPORT = 0x01
TIMESTAMP = 0x02
The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.
The compiler function can be called repeatedly with different
inputs.
2) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
None.
Migration Considerations:
@ -649,6 +549,97 @@ Migration Considerations:
Shorewall-perl 4.0.0-Beta1
gateway:/bulk/backup #
14) The Perl compiler is externalized. Both the compiler.pl program
and the Perl Module interface are documented.
The compiler program is /usr/share/shorewall-perl/compiler.pl:
compiler.pl [ <option> ... ] [ <filename> ]
If a <filename> is given, then the configuration will be compiled
output placed in the named file. If <filename> is not given, then
the configuration will simply be syntax checked.
Options are:
-v <verbosity>
--verbosity=<verbosity>
The <verbosity> is a number between 0 and 2 and corresponds to
the VERBOSITY setting in shorewall.conf. This setting controls
the verbosity of the compiler itself.
-e
--export
If given, the configuration will be compiled for export to
another system.
-d <directory>
--directory=<directory>
If this option is omitted, the configuration in /etc/shorewall
is compiled/checked. Otherwise, the configuration in the named
directory will be compiled/checked.
-t
--timestamp
If given, each progress message issued by the compiler and by
the compiled program will be timestamped.
Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).
/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
Note: For compatibility with Shorewall 3.4.2 and later 3.4
releases, options not passed on the run-line get their values from
environmental variables:
Option Variable
--verbosity VERBOSE
--export EXPORT
--directory SHOREWALL_DIR
--timestamp TIMESTAMP
The Perl Module is externalized as follows:
use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;
compiler $filename, $directory, $verbose, $options
The arguments to the compiler function are as follows:
$filename - Name of the compiled script to be created.
If the arguments evaluates to false, the
configuration is syntax checked
$directory - The directory containing the configuration.
If passed as '', then /etc/shorewall/ is assumed.
$verbose - The verbosity level (0-2).
$options - A bitmap of options. Shorewall::Compiler
exports two constants to help building this
argument:
EXPORT = 0x01
TIMESTAMP = 0x02
The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.
The compiler function can be called repeatedly with different
inputs.
15) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
----------------------------------------------------------------------------
P R E R E Q U I S I T E S
----------------------------------------------------------------------------

2
Shorewall-common/shorewall.conf
View File

@ -1,5 +1,5 @@
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]

3
Shorewall-perl/Shorewall/Chains.pm
View File

@ -709,7 +709,8 @@ sub set_mss1( $$ ) {
my $chainref = ensure_chain 'filter', $chain;
if ( $chainref->{policy} ne 'NONE' ) {
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss: -j TCPMSS --set-mss $mss"
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
}
}

2
Shorewall-perl/Shorewall/Config.pm
View File

@ -299,6 +299,7 @@ sub initialize() {
MANGLE_FORWARD => 'Mangle FORWARD Chain',
COMMENTS => 'Comments',
ADDRTYPE => 'Address Type Match',
TCPMSS_MATCH => 'TCP MSS',
);
#
# Directories to search for configuration files
@ -857,6 +858,7 @@ sub determine_capabilities() {
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
qt( "$iptables -F $sillyname" );
qt( "$iptables -X $sillyname" );

4
Shorewall-perl/Shorewall/Rules.pm
View File

@ -730,7 +730,7 @@ sub setup_mac_lists( $ ) {
my $targetref = $maclist_targets{$disposition};
fatal_error "Invalid DISPOSITION ( $disposition)" if ( $table eq 'mangle' ) && ! $targetref->{mangle};
fatal_error "Invalid DISPOSITION ( $disposition)" if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
unless ( $maclist_interfaces{$interface} ) {
next if get_interface_option( $interface, 'optional' ) && get_interface_option( $interface, 'detectnets' );
@ -1792,7 +1792,7 @@ sub setup_mss( $ ) {
if ( "\L$clampmss" eq 'yes' ) {
$option = '--clamp-mss-to-pmtu';
} else {
$match = "-m tcpmss --mss $clampmss: ";
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
$option = '--set-mss $clampmss';
}

102
docs/shorewall_extension_scripts.xml
View File

@ -101,7 +101,8 @@
<listitem>
<para>refresh -- invoked while the firewall is being refreshed but
before the blacklst chains have been rebuilt.</para>
before the blacklst chains have been rebuilt (Not used by Shorewall
Perl).</para>
</listitem>
<listitem>
@ -109,7 +110,8 @@
traffic while Shorewall is [re]starting. Any rules added in this script
should be deleted in your <emphasis>start</emphasis> script. This script
is invoked earlier in the [re]start process than is the
<emphasis>initdone</emphasis> script described above.</para>
<emphasis>initdone</emphasis> script described above (Not used by
Shorewall Perl).</para>
</listitem>
<listitem>
@ -284,17 +286,17 @@
<listitem>
<para><emphasis role="bold">Shorewall version 3.2.9 (3.4.0 RC2) and
later.</emphasis> When compiling your firewall configuration, Shorewall
copies most extension scripts directly into the "compiled" program where
they are executed in-line during processing of the start, restart and
restore commands. When copying a script, Shorewall indents the script to
match the surrounding code; if you have 'awk' installed on the system
where the configuration is being compiled, Shorewall can correctly
handle line continuation in your script ("\" as the last character on a
line). If you do not have awk, you may not use line continuation in your
scripts. Also beware that quoted strings continued from one line to
another will have extra whitespace inserted as a result of
indentation.</para>
later (Shorewall-shell).</emphasis> When compiling your firewall
configuration, Shorewall copies most extension scripts directly into the
"compiled" program where they are executed in-line during processing of
the start, restart and restore commands. When copying a script,
Shorewall indents the script to match the surrounding code; if you have
'awk' installed on the system where the configuration is being compiled,
Shorewall can correctly handle line continuation in your script ("\" as
the last character on a line). If you do not have awk, you may not use
line continuation in your scripts. Also beware that quoted strings
continued from one line to another will have extra whitespace inserted
as a result of indentation.</para>
<note>
<para>The <filename>/etc/shorewall/params</filename> script is
@ -332,5 +334,79 @@
script.</para>
</note>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-perl</emphasis>. Because the
compiler is now written in Perl, your compile-time extension scripts
from earlier versions will no longer work. Compile-time extension
scripts are executed using the Perl 'eval `cat &lt;file&gt;`' mechanism.
Be sure that each script returns a 'true' value; otherwise, the compiler
will assume that the script failed and will abort the
compilation.</para>
<para>All scripts will need to begin with the following
line:<programlisting>use Shorewall::Chains;</programlisting> For more
complex scripts, you may need to 'use' other Shorewall Perl modules --
browse <filename
class="directory">/usr/share/shorewall-perl/Shorewall/</filename> to see
what's available.</para>
<para>When a script is invoked, the $chainref scalar variable will hold
a reference to a chain table entry.<simplelist>
<member>$chainref-&gt;{name} contains the name of the chain</member>
<member>$chainref-&gt;{table} holds the table name</member>
</simplelist>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;the rule&gt; );</programlisting>Where<simplelist>
<member>&lt;the rule&gt; is a scalar argument holding the rule text.
Do not include "-A &lt;chain name&gt;"</member>
</simplelist>Example:<programlisting>add_rule( $chainref, '-j ACCEPT' );</programlisting>To
insert a rule into the chain:<programlisting> insert_rule( $chainref, &lt;rulenum&gt;, &lt;the rule&gt; );</programlisting>The
log_rule_limit function works like it does in the shell compiler with
two exceptions:<itemizedlist>
<listitem>
<para>You pass the chain reference rather than the name of the
chain.</para>
</listitem>
<listitem>
<para>The commands are 'add' and 'insert' rather than '-A' and
'-I'.</para>
</listitem>
<listitem>
<para>There is only a single "pass as-is to iptables" argument (so
you must quote that part).</para>
</listitem>
</itemizedlist>Example:<programlisting>log_rule_limit(
'info' ,
$chainref ,
$chainref-&gt;{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Pass as-is
);</programlisting>Some run-time scripts have been converted to
compile time scripts:<simplelist>
<member>initdone</member>
<member>maclog</member>
</simplelist>Note that in the 'initdone' script, there is no default
chain ($chainref). You can objtain a reference to a standard chain
by:<programlisting>my $chainref = $chain_table{&lt;table&gt;}{&lt;chain name&gt;};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting>Some
run-time scripts are simply eliminated because they no longer make any
sense under Shorewall-perl:<itemizedlist>
<listitem>
<para>continue - This script was designed to allow you to add
special temporary rules during [re]start. Shorewall-perl doesn't
need such rules.</para>
</listitem>
<listitem>
<para>refresh - The <command>refresh</command> command is the same
as <command>restart</command></para>
</listitem>
</itemizedlist></para>
</listitem>
</itemizedlist>
</article>