Add USER/GROUP column to /etc/shorewall/masq

2025-02-23 13:11:36 +01:00 · 2009-06-19 08:00:26 -07:00 · 2009-06-19 08:00:26 -07:00 · 117116eb4e
commit 117116eb4e
parent eb5fc2c415
7 changed files with 80 additions and 7 deletions
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -115,7 +115,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@ -183,6 +183,7 @@ sub process_one_masq( )
    # Handle Mark
    #
    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+    $baserule .= do_user( $user )      if $user ne '-';

    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -18,6 +18,8 @@ Changes in Shorewall 4.4.0-Beta2

 7)  Add 'iptrace' and 'noiptrace' command.

+8)  Add 'USER/GROUP' column to masq file.
+
 Changes in Shorewall 4.4.0-Beta1

 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@ -7,5 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#											GROUP
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -176,6 +176,10 @@ None.

 	   shorewall noiptrace -d 206.124.146.176

+3)  A USER/GROUP column has been added to /etc/shorewall/masq. The
+    column works similarly to USER/GROUP columns in other Shorewall
+    configuration files. Only locally-generated traffic is matched.
+	
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@ -386,6 +386,67 @@
          </variablelist>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
+        [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+
+        <listitem>
+          <para>Only locally-generated connections will match if this column
+          is non-empty.</para>
+
+          <para>When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>+upnpd</term>
+
+              <listitem>
+                <para>#program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/web/News.htm
+++ b/web/News.htm
@ -23,9 +23,13 @@ license is included in the section entitled <span
 href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>".
 </p>
-<p>June 14, 2009<br>
+<p>June 18, 2009<br>
 </p>
 <hr style="width: 100%; height: 2px;">
+<p><span style="font-weight: bold;">2009-06-18 Shorewall 4.2.10<br>
+</span><span style="font-weight: bold;"></span></p>
+<pre>Problems corrected in Shorewall 4.2.10<br><br>1)  A 'large quantum' warning log message during restart has been<br>    eliminated. The log message occurred when an interface with a large<br>    OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.<br><br>2)  When a REJECT rule included a log entry, the disposition in the log<br>    message was incorrectly shown as 'reject' rather than 'REJECT'.<br><br>3)  When 'forward' was specified on one or more interfaces in<br>    /etc/shorewall6/interfaces, the progress message "Compiling<br>    Interface forwarding..." was issued multiple times. Now, only one<br>    instance of the message is generated.<br><br>4)  A typing error in the IPv6 two-interface sample shorewall6.conf<br>    file has been corrected. This error prevented the compiler from<br>    being able to find macros in /usr/share/shorewall/.<br><br>Known Problems Remaining:<br><br>1)  When exclusion is used in an entry in /etc/shorewall/hosts, then<br>    Shorewall-shell produces an invalid iptables rule if any of the <br>    following OPTIONS are also specified in the entry:    <br><br>        blacklist<br>        maclist<br>        norfc1918<br>        tcpflags<br><br>2)  Shorewall-shell generates inversion rules which produce<br>    warnings with iptables 1.4.3.  <br><br>    Example:<br><br>        iptables -A  lan2fw  -p 6  --dport 999  -s ! 192.168.20.1  -j ACCEPT<br><br>    with iptables 1.4.3.1 the following information message is produced:<br><br>    Using intrapositioned negation (`--option ! this`) is deprecated in<br>    favor of extrapositioned (`! --option this`).<br><br>    We don't intend to fix this. It's time to migrate to Shorewall-perl<br>    anyway.<br><br>New Features in Shorewall 4.2.10<br><br>1)  Shorewall's suppport for dynamic gateways on interfaces managed by<br>    dhclient works on OpenSuSE systems but not on some other<br>    distributions.<br><br>    In order to generalize support for learning the gateway for dynamic<br>    interfaces, a new 'findgw' extension script (user exit) has been<br>    added.<br><br>    The exit will be invoked in a function that has a single argument:<br><br>        $1 = &lt;name of an interface&gt;<br><br>    If the function can determine the gateway for the passed interface,<br>    it should write the gateway to standard out. Here is a sample<br>    /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian<br>    Lenny:<br><br>    if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then<br>       grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\<br>          tail -n 1 |\<br>          while read j1 j2 gateway; do\<br>              echo $gateway | sed 's/;//';\<br>          done<br>    fi<br><br>    The same code works on Ubuntu Jaunty if you replace the first '.'<br>    with '-' and replace '.leases' with '.lease' (don't you just love<br>    the consistency between distributions?).<br><br>    That code also works on CentOS if you replace 'dhcp3' by<br>    'dhclient'.<br><br>    'findgw' files that have been customized for various distributions<br>    may be found at<br>    http://www.shorewall.net/pub/shorewall/contrib/findgw.<br></pre>
+<p><strong></strong></p>
 <p><strong>2009-06-13 Shorewall 4.4.0 Beta 1</strong></p>
 <pre>Read the details at <a
 href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt</a><br><strong></strong></pre>
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@ -47,7 +47,7 @@
    </tr>
  </tbody>
 </table>
-<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-17</span><br>
+<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-18</span><br>
 <h3><a href="Notices.html#Shell-EOL">Attention Shorewall-shell users</a><br>
 </h3>
 <h3><a name="Releases"></a>Current Shorewall Releases</h3>
@ -60,13 +60,13 @@
 Stable Release</span><br>
      </div>
      </td>
-      <td style="vertical-align: top;"><span style="font-weight: bold;">4.2.9</span>
+      <td style="vertical-align: top;"><span style="font-weight: bold;">4.2.10</span>
 (includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/releasenotes.txt">Release
+ href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release
 notes</a> </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/known_problems.txt">Known
+ href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known
 Problems</a></td>
    </tr>
    <tr>