From 927aa5f0e8f932eb9401cb55b224b527d90e466f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 17 Jun 2009 09:39:35 -0700
Subject: [PATCH 01/18] Additional fix up of optional interface handling.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 37 +++++++++++++++++----------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 6bd21b2e1..ff04bbfef 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -116,7 +116,15 @@ sub setup_route_marking() {
 my $mark = $providerref->{mark};
 my $base = uc chain_base $interface;
- add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+ if ( $providerref->{optional} ) {
+ if ( $providerref->{shared} ) {
+ add_command( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+ } else {
+ add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+ }
+
+ incr_cmd_level( $chainref );
+ }
 unless ( $marked_interfaces{$interface} ) {
 add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
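Review bot: In the new shared branch of setup_route_marking the generated condition `if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then` puts `interface_is_usable` inside `[ ... ]`, where test(1) treats it as a string operand rather than invoking the shell function, so the emitted script's test is malformed and the usability check never runs. The add_a_provider hunk in this same commit emits the working form, so make this line consistent with it: `add_command( $chainref, qq(if interface_is_usable $interface && [ -n "$providerref->{mac}" ]; then) );`. The line also relies on `$providerref->{mac}` having been stored by add_a_provider before setup_route_marking runs, which this hunk does not show; a one-line comment such as `# {mac} is filled in by add_a_provider for shared providers` would make that ordering explicit. setup_route_marking continues outside the hunk.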
@@ -391,22 +399,25 @@ sub add_a_provider( ) { my $realm = ''; - if ( $optional && ! $shared ) { - start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); - $provider_interfaces{$interface} = $table; - } - + fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; + if ( $shared ) { - fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); $realm = "realm $number"; start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) ); - } elsif ( $gatewaycase eq 'detect' ) { - start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ) unless $optional; } else { - start_provider( $table, $number, "if interface_is_usable $interface; then" ) unless $optional; + if ( $optional ) { + start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); + } elsif ( $gatewaycase eq 'detect' ) { + start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ); + } else { + start_provider( $table, $number, "if interface_is_usable $interface; then" ); + } + + $provider_interfaces{$interface} = $table; + emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none'; - } + } if ( $mark ne '-' ) { emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; @@ -800,7 +811,7 @@ sub handle_optional_interfaces() { if ( $provider ) { # - # This is a provider -- get the provider table entry + # This interface is associated with a non-shared provider -- get the provider table entry # my $providerref = $providers{$provider}; 
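Review bot: The guard added at the top of the add_a_provider hunk, `fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};`, looks the hash up by table name, while the only assignment in the hunk is `$provider_interfaces{$interface} = $table;` and the message itself reads `$provider_interfaces{$interface}`; unless the hash is also keyed by table somewhere outside this hunk, the duplicate-interface check can never fire. The removed line carried the same key, but the commit now applies the check to every provider rather than only shared ones, so the condition should read `if $provider_interfaces{$interface};`. With the key fixed, running the check before the non-shared assignment later in the hunk is the right order. add_a_provider continues outside the hunk.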
@@ -811,7 +822,7 @@ sub handle_optional_interfaces() { } } else { # - # Not a provider + # Not a provider interface # emit qq(if interface_is_usable $interface; then); } From fe1978b864cbd4f1e6fbc644ee3a03894ac862bb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 09:47:25 -0700 Subject: [PATCH 02/18] Add link to Shorewall-perl end-of-life notice to the home page --- web/shorewall_index.htm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index e33e28f95..cc5c255e7 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,9 @@ -
2009-06-14
+
2009-06-17
+

Attention Shorewall-shell users
+

Current Shorewall Releases

From 08cfa6d19ad01a5e79e462640bda3db01b49bb50 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 11:21:58 -0700 Subject: [PATCH 03/18] More documentation updates --- docs/Shorewall-4.xml | 182 ++++++++++++++++++++++++++++++++++++ docs/Shorewall-perl.xml | 113 +++++++++++++++++++++- manpages/shorewall-masq.xml | 9 +- 3 files changed, 296 insertions(+), 8 deletions(-) create mode 100644 docs/Shorewall-4.xml diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml new file mode 100644 index 000000000..c901560b7 --- /dev/null +++ b/docs/Shorewall-4.xml @@ -0,0 +1,182 @@ + + +
+ + + + Shorewall Version 4 + + + + Tom + + Eastep + + + + + + + 2007 + + 2009 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Shorewall version 4.0 represented a substantial shift in direction + for Shorewall. Up until then + + + + Shorewall had been written entirely in Bourne Shell. + + + + Shorewall had run the iptables utility to add + each Netfilter rule. + + + + Shorewall version 4.0 offered you a choice. You could continue to + use the existing shell-based implementation or you could use a new + implementation of the Shorewall compiler written in the Perl programming + language. The new compiler: + + + + had a small disk footprint + + + + was very fast. + + + + generateed a firewall script that uses + iptables-restore; so the script was very + fast. + + + + generated better and more consistent error messages. + + + + did a much more thorough job of checking the configuration to + avoid run-time errors. + + + + supported creating either Ipv4 or Ipv6 firewalls (Shorewall + 4.2.4 and later). + + + + Both compilers could be installed on your system and you could + use whichever one + suited you in a particular case. +
+ +
+ Shorewall 4.4 + + Shorewall 4.4 discontinues the availability of the legacy + shell-based compiler. All users must migrate to the perl-based compiler + before or during an upgrade to Shorewall version 4.4 + + Shorewall 4.4 contains four packages: + + + + Shorewall - Everything needed + to create an IPv4 firewall. + + + + Shorewall-lite- Can run scripts + generated by Shorewall on another system. + + + + Shorewall6 - The utilities for + creating and operating an Ipv6 firewall. Requires Shorewall. + + + + Shorewall6-lite - Ipv6 + equivalent of Shorewall Lite. Can run scripts generated by Shoreall on + another system. + + +
+ +
+ Prerequisites for using the Shorewall Version 4.4 Perl-based + Compiler + + + + Perl (I use Perl 5.8.10 but other 5.8 versions should work + fine). + If you want to be able to use DNS names in your Shorewall6 + configuration files, then Perl 5.10 is required together with the + Perl Socket6 module. + + + + + Perl Cwd Module + + + + Perl File::Basename + Module + + + + Perl File::Temp Module + + + + Perl Getopt::Long Module + + + + Perl Carp Module + + + + Perl FindBin Module + + + + Perl Scalar::Util Module + + +
+ +
+ Incompatibilities Introduced in the Shorewall Version 4 Perl-based + Compiler + + The Shorewall Perl-based compiler is not 100% compatible with the + Shorewall shell-based version. See this + document for details. +
+
diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 4c794b6b0..9623df87f 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -108,9 +108,10 @@ - DYNAMIC_ZONES=Yes is not supported. Use an ipset to define your - dytnamic zones. + DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2. + Use an ipset to define your + dytnamic zones. In Shorewall 4.4, dynamic zone support based on + ipsets was added to Shorewall. @@ -534,6 +535,20 @@ DNAT- net loc:192.168.1.3 tcp 21you instead want:#ACTION SOURCE DEST PROTO DEST PORT(S) DNAT- net 192.168.1.3 tcp 21 + + + Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the + name of an interface there will result in a compile-time + warning: + + WARNING: Using an interface as the masq SOURCE requires the + interface to be up and configured when Shorewall + starts/restarts + + To avoid this warning, replace interface names by the + corresponding network addresses (e.g., 192.168.144.0/24). + @@ -545,10 +560,100 @@ DNAT- net 192.168.1.3 tcp 21Cygwin. + url="http://www.cygwin.com/">Cygwin. Install using the + install.sh script. +
+ Installing Shorewall Version 4.0 or 4.2 + + Shorewall 4.2 contains six packages, four of which are also included + in Shorewall 4.0: + + + + Shorewall-shell - the old + shell-based compiler and related components. + + + + Shorewall-perl - the new + Perl-based compiler. + + + + Shorewall-common - the part of + Shorewall common to both compilers. + + + + Shorewall-lite- same as the 3.4 + version of Shorewall Lite. Can run scripts generated by either + Shorewall-perl or Shorewall-shell. + + + + Shorewall6 - The utilities for + creating and operating an Ipv6 firewall. Requires Shorewall-perl and + Shorewall-common. Introduced in Shorewall 4.2.4. + + + + Shorewall6-lite - Ipv6 + equivalent of Shorewall Lite. Can run scripts generated by + Shoreall-perl 4.2.4 and later. + + + + If you upgrade to Shorewall Version 4.0 or 4.2, you must install + Shorewall-shell and/or Shorewall-perl; in fact, if you are using the + tarball for your installation, you must install Shorewall-shell and/or + Shorewall-perl before you upgrade + Shorewall. See the upgrade issues + for details. +
+ +
+ Compiler Selection (Shorewall 4.0-4.2) + + If you only install one compiler, then that compiler will be + used. + + If you install both compilers, then the compiler actually used for + IPv4 depends on the SHOREWALL_COMPILER setting in + shorewall.conf. + + The value of this new option can be either 'perl' or 'shell'. + + If you add 'SHOREWALL_COMPILER=perl' to + /etc/shorewall/shorewall.conf then by default, the + new compiler will be used on the system. If you add it to + shorewall.conf in a separate directory (such as a + Shorewall-lite export directory) then the new compiler will only be used + when you compile from that directory. + + If you only install one compiler, it is suggested that you do not + set SHOREWALL_COMPILER. + + If both compilers are installed, you can select the compiler to use + on the command line using the 'C option: + '-C shell' means use the shell compiler + + '-C perl' means use the perl compiler + The -C option overrides the setting in + shorewall.conf. + + Example:shorewall restart -C perl + + When the Shorewall-perl compiler has been selected, the + params file is processed using the shell + option which causes all variables set within the file + to be exported automatically by the shell. The Shorewall-perl compiler + uses the current environmental variables to perform variable expansion + within the other Shorewall configuration files. +
+
The Shorewall Perl Modules diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index e7882bc04..e2b20290d 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -119,10 +119,11 @@ Set of hosts that you wish to masquerade. You can specify this as an address (net or host) or as an - interface. If you give the name of an - interface, the interface must be up before you start the firewall - (Shorewall will use your main routing table to determine the - appropriate addresses to masquerade). + interface (use of an interface is deprecated). + If you give the name of an interface, the interface must be up + before you start the firewall and the Shorewall rules compiler will + warn you of that fact. (Shorewall will use your main routing table + to determine the appropriate addresses to masquerade). In order to exclude a address of the specified SOURCE, you may append an exclusion ("!" and a comma-separated From dcb4ca61a532ad4eb18e25ae79453622e27135be Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 12:03:05 -0700 Subject: [PATCH 04/18] Add iptrace/noiptrace commands --- Shorewall/changelog.txt | 4 +++ Shorewall/releasenotes.txt | 27 +++++++++++++++++++ Shorewall/shorewall | 22 ++++++++++++++++ Shorewall6/shorewall6 | 23 +++++++++++++++- manpages/shorewall-masq.xml | 11 ++++---- manpages/shorewall.xml | 52 +++++++++++++++++++++++++++++++++++++ manpages6/shorewall6.xml | 51 +++++++++++++++++++++++++++++++++--- 7 files changed, 180 insertions(+), 10 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index ab5ab250e..b824d79ab 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -14,6 +14,10 @@ Changes in Shorewall 4.4.0-Beta2 5) Add 'upnpclient' interface option. +6) Fix handling of optional interfaces. + +7) Add 'iptrace' and 'noiptrace' command. + Changes in Shorewall 4.4.0-Beta1 1) Correct typo in Shorewall6 two-interface sample shorewall.conf. 
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 851ec8454..8d42aa75a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -149,6 +149,33 @@ None. that, like all aspects of UPnP, this is a security hole so use this option at your own risk. +2) 'iptrace' and 'noiptrace' commands have been added to both + /sbin/shorewall and /sbin/shorewall6. + + These are low-level debugging commands that cause + iptables/ip6tables TRACE log messages to be generated. See 'man + iptables' and 'man ip6tables' for details. + + The syntax for the commands is: + + iptrace + noiptrace + + iptrace starts the trace; noiptrace turns it off. + + The match expression must be an expression that is legal in both + the raw table OUTPUT and PREROUTING chains. + + Examaple: + + To trace all packets desinted for IP address 206.124.146.176: + + shorewall iptrace -d 206.124.146.176 + + To turn that trace off: + + shorewall noiptrace -d 206.124.146.176 + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 2c45658bb..5c62e37c7 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1454,10 +1454,12 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -2012,6 +2014,26 @@ case "$COMMAND" in shift safe_commands $@ ;; + iptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -A PREROUTING $@ -j TRACE + $IPTABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -D PREROUTING $@ -j TRACE + $IPTABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; *) usage 1 ;; diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index 63f3cf763..ece124db5 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -1371,10 +1371,12 @@ usage() # $1 = exit status echo " export [ ] [@][:]" echo " forget [ ]" echo " help" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
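Review bot: The new `iptrace` and `noiptrace` cases pass the user's match expression as an unquoted `$@`, so any argument containing whitespace (for example a `-m comment --comment` value) is re-split by the shell before it reaches iptables, and nothing rejects an empty expression: `shorewall iptrace` with no further arguments appends `-j TRACE` with no match to both raw chains and traces every packet, flooding the kernel log. The two iptables calls also run unchecked, so a failure on OUTPUT after PREROUTING succeeded leaves half a trace installed with no message. Quote `"$@"`, require at least one argument, and fail on a non-zero exit (assuming fatal_error exits, as its use in the else branch suggests). The shorewall6 hunk `@@ -1857,7 +1859,26 @@` has the same shape and needs the same changes with $IP6TABLES.
```shell
    iptrace)
        get_config
        shift
        [ $# -gt 0 ] || fatal_error "iptrace requires an iptables match expression"
        if shorewall_is_started ; then
            $IPTABLES -t raw -A PREROUTING "$@" -j TRACE || fatal_error "Unable to add PREROUTING TRACE rule"
            $IPTABLES -t raw -A OUTPUT "$@" -j TRACE || fatal_error "Unable to add OUTPUT TRACE rule"
        # … unchanged: else branch, fi, ;; …
        # … unchanged: noiptrace case, same changes with -D …
```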
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -1857,7 +1859,26 @@ case "$COMMAND" in shift safe_commands $@ ;; - *) + iptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -A PREROUTING $@ -j TRACE + $IP6TABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -D PREROUTING $@ -j TRACE + $IP6TABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; *) usage 1 ;; diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index e2b20290d..ad9c2a78f 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -119,11 +119,12 @@ Set of hosts that you wish to masquerade. You can specify this as an address (net or host) or as an - interface (use of an interface is deprecated). - If you give the name of an interface, the interface must be up - before you start the firewall and the Shorewall rules compiler will - warn you of that fact. (Shorewall will use your main routing table - to determine the appropriate addresses to masquerade). + interface (use of an + interface is deprecated). If you give the name + of an interface, the interface must be up before you start the + firewall and the Shorewall rules compiler will warn you of that + fact. (Shorewall will use your main routing table to determine the + appropriate addresses to masquerade). In order to exclude a address of the specified SOURCE, you may append an exclusion ("!" and a comma-separated diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 337dd37ee..18d97b860 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -219,6 +219,19 @@ choice="plain">address1address2 + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall @@ -279,6 +292,19 @@ address + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall 
@@ -835,6 +861,19 @@ + + iptrace + + + This is a low-level debugging command that causes iptables + TRACE log records to be created. See iptables(8) for details. + + The iptables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. + + + load @@ -919,6 +958,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 56a79bbd3..cac783ddc 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -144,6 +144,19 @@ + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -204,6 +217,19 @@ address + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -670,12 +696,16 @@ - hits + iptrace - Generates several reports from Shorewall6 log messages in the - current log file. If the option is included, the - reports are restricted to log messages generated today. + This is a low-level debugging command that causes iptables + TRACE log records to be created. See ip6tables(8) for + details. + + The iptables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. @@ -763,6 +793,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh From f11efc73190d4bdf91fb1c3e2eb5464dbbe63af1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 12:42:13 -0700 Subject: [PATCH 05/18] Clarify the -a version option --- manpages/shorewall.xml | 6 +++--- manpages6/shorewall6.xml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 18d97b860..7622cda50 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -1402,9 +1402,9 @@ version - Displays Shorewall's version. If the - option is included, the versions of Shorewall-shell and/or - Shorewall-perl will also be displayed. + Displays Shorewall's version. The option + is included for compatibility with earlier Shorewall releases and is + ignored. diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index cac783ddc..f49ae243a 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -1206,7 +1206,7 @@ Displays Shorewall6's version. If the - option is included, the version of Shorewall-perl will also be + option is included, the version of Shorewall will also be displayed. From d21c927d29af95bcbe0961189a5e742fe1261ad7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 13:40:02 -0700 Subject: [PATCH 06/18] Refer to shorewall(8) for packet mark display --- docs/PacketMarking.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index 4fa9a358d..f269fc720 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -51,7 +51,11 @@ stored in the skb (socket buffer) structure used by the Linux kernel to track packets; the mark value is not part of the packet itself and cannot be seen with tcpdump, - ethereal or any other packet sniffing program. + ethereal or any other packet sniffing program. They can + be seen in an iptables/ip6tables trace -- see the + iptrace command in shorewal(8) and shorewall6(8). Each active connection (even those that are not yet in ESTABLISHED state) has a mark value that is distinct from the packet marks. Connection From eb5fc2c415cae3438910d386bcba828846aa0a6e Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Wed, 17 Jun 2009 16:46:20 -0700 Subject: [PATCH 07/18] Document 'findgw' in the extension script doc --- docs/PacketMarking.xml | 7 +++++++ docs/shorewall_extension_scripts.xml | 9 +++++++++ manpages/shorewall.xml | 6 ++++++ manpages6/shorewall6.xml | 8 +++++++- 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index f269fc720..eb30ad4d1 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -57,6 +57,13 @@ url="manpages/shorewall.html">shorewal(8) and shorewall6(8). + Example (output has been folded for display ): + + [11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130 + DST=206.124.146.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 + ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3 UID=0 + GID=1000 MARK=0x10082 + Each active connection (even those that are not yet in ESTABLISHED state) has a mark value that is distinct from the packet marks. Connection mark values can be seen using the shorewall show diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 082f80433..93ce87f96 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -184,6 +184,15 @@ esac completion of a successful shorewall restore and shorewall-lite restore. + + + findgw -- This script is invoked when Shorewall is attempting to + discover the gateway through a dynamic interface. The script is most + often used when the interface is managed by dhclient which has no + standardized location/name for its lease database. Scripts for use + with dhclient on several distributions are available at http://www.shorewall.net/pub/shorewall/contrib/findgw/ + If your version of Shorewall doesn't have the diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 7622cda50..876a84f7b 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml 
@@ -871,6 +871,12 @@ The iptables match expression must be one or more matches that may appear in both the raw table OUTPUT and raw table PREROUTING chains. + + The trace records are written to the kernel's log buffer with + faciility = kernel and priority = warning, and they are routed from + there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- + Shorewall has no control over where the messages go; consult your + logging daemon's documentation. diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index f49ae243a..b2509fd7e 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -703,9 +703,15 @@ TRACE log records to be created. See ip6tables(8) for details. - The iptables match expression must + The ip6tables match expression must be one or more matches that may appear in both the raw table OUTPUT and raw table PREROUTING chains. + + The trace records are written to the kernel's log buffer with + faciility = kernel and priority = warning, and they are routed from + there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- + Shorewall has no control over where the messages go; consult your + logging daemon's documentation. From 117116eb4e5255e2a639a196bfc85079c0eaa5e7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 19 Jun 2009 08:00:26 -0700 Subject: [PATCH 08/18] Add USER/GROUP column to /etc/shorewall/masq --- Shorewall/Perl/Shorewall/Nat.pm | 3 +- Shorewall/changelog.txt | 2 ++ Shorewall/configfiles/masq | 3 +- Shorewall/releasenotes.txt | 4 +++ manpages/shorewall-masq.xml | 61 +++++++++++++++++++++++++++++++++ web/News.htm | 6 +++- web/shorewall_index.htm | 8 ++--- 7 files changed, 80 insertions(+), 7 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 0c8990cae..549687c91 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm 
@@ -115,7 +115,7 @@ sub do_ipsec_options($) # sub process_one_masq( ) { - my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file'; + my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file'; if ( $interfacelist eq 'COMMENT' ) { process_comment; @@ -183,6 +183,7 @@ sub process_one_masq( ) # Handle Mark # $baserule .= do_test( $mark, 0xFF) if $mark ne '-'; + $baserule .= do_user( $user ) if $user ne '-'; for my $fullinterface (split_list $interfacelist, 'interface' ) { my $rule = ''; diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b824d79ab..c39f6dc34 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -18,6 +18,8 @@ Changes in Shorewall 4.4.0-Beta2 7) Add 'iptrace' and 'noiptrace' command. +8) Add 'USER/GROUP' column to masq file. + Changes in Shorewall 4.4.0-Beta1 1) Correct typo in Shorewall6 two-interface sample shorewall.conf. diff --git a/Shorewall/configfiles/masq b/Shorewall/configfiles/masq index 9b4f38dd1..c045d8170 100644 --- a/Shorewall/configfiles/masq +++ b/Shorewall/configfiles/masq @@ -7,5 +7,6 @@ # http://www.shorewall.net/manpages/shorewall-masq.html # ############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK +#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ +# GROUP #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 8d42aa75a..5e8a9893e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
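Review bot: The new column handling in process_one_masq, `$baserule .= do_user( $user ) if $user ne '-';`, is appended directly under the `# Handle Mark` comment block, so the file's one-comment-block-per-column convention is broken and a reader does not see that USER/GROUP is now processed here. Give it its own block in the same style, e.g. `#` / `# Handle USER/GROUP (only locally-generated traffic can match)` / `#` above the line; the restriction to local traffic is what this series' release notes state and is the non-obvious part for a masq rule. The first hunk's change of the column limit from 7 to 8 is consistent with the added `$user` variable. process_one_masq continues outside both hunks.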
@@ -175,6 +175,10 @@ None. To turn that trace off: shorewall noiptrace -d 206.124.146.176 + +3) A USER/GROUP column has been added to /etc/shorewall/masq. The + column works similarly to USER/GROUP columns in other Shorewall + configuration files. Only locally-generated traffic is matched. ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index ad9c2a78f..b763a36e6 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -386,6 +386,67 @@ + + + USER/GROUP (Optional) - + [!][user-name-or-number][:group-name-or-number][+program-name] + + + Only locally-generated connections will match if this column + is non-empty. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. + + + + + + diff --git a/web/News.htm b/web/News.htm index b9cc43bce..7e8f69dae 100644 --- a/web/News.htm +++ b/web/News.htm @@ -23,9 +23,13 @@ license is included in the section entitled GNU Free Documentation License".

-

June 14, 2009
+

June 18, 2009


+

2009-06-18 Shorewall 4.2.10
+

+
Problems corrected in Shorewall 4.2.10

1) A 'large quantum' warning log message during restart has been
eliminated. The log message occurred when an interface with a large
OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2) When a REJECT rule included a log entry, the disposition in the log
message was incorrectly shown as 'reject' rather than 'REJECT'.

3) When 'forward' was specified on one or more interfaces in
/etc/shorewall6/interfaces, the progress message "Compiling
Interface forwarding..." was issued multiple times. Now, only one
instance of the message is generated.

4) A typing error in the IPv6 two-interface sample shorewall6.conf
file has been corrected. This error prevented the compiler from
being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1) When exclusion is used in an entry in /etc/shorewall/hosts, then
Shorewall-shell produces an invalid iptables rule if any of the
following OPTIONS are also specified in the entry:

blacklist
maclist
norfc1918
tcpflags

2) Shorewall-shell generates inversion rules which produce
warnings with iptables 1.4.3.

Example:

iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT

with iptables 1.4.3.1 the following information message is produced:

Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).

We don't intend to fix this. It's time to migrate to Shorewall-perl
anyway.

New Features in Shorewall 4.2.10

1) Shorewall's suppport for dynamic gateways on interfaces managed by
dhclient works on OpenSuSE systems but not on some other
distributions.

In order to generalize support for learning the gateway for dynamic
interfaces, a new 'findgw' extension script (user exit) has been
added.

The exit will be invoked in a function that has a single argument:

$1 = <name of an interface>

If the function can determine the gateway for the passed interface,
it should write the gateway to standard out. Here is a sample
/etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
Lenny:

if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
tail -n 1 |\
while read j1 j2 gateway; do\
echo $gateway | sed 's/;//';\
done
fi

The same code works on Ubuntu Jaunty if you replace the first '.'
with '-' and replace '.leases' with '.lease' (don't you just love
the consistency between distributions?).

That code also works on CentOS if you replace 'dhcp3' by
'dhclient'.

'findgw' files that have been customized for various distributions
may be found at
http://www.shorewall.net/pub/shorewall/contrib/findgw.
+

2009-06-13 Shorewall 4.4.0 Beta 1

Read the details at http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index cc5c255e7..4e2c97adb 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@
-
2009-06-17
+
2009-06-18

Attention Shorewall-shell users

Current Shorewall Releases

@@ -60,13 +60,13 @@ Stable Release
- 4.2.9 + 4.2.10 (includes IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known Problems
From e2abf20371ba4cf2ecac74e571cde1d175fff4bd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Jun 2009 11:05:00 -0700
Subject: [PATCH 09/18] Update Ubuntu Package Info
---
 web/download.htm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/web/download.htm b/web/download.htm
index 97ece8490..12f96b2f4 100644
--- a/web/download.htm
+++ b/web/download.htm
@@ -38,7 +38,7 @@

-
2009-06-14 +
2009-06-19

Package Information

Before trying to install, we strongly urge you to read and print a
@@ -215,7 +215,7 @@ stable release are available from the package maintainer's If you run Ubuntu, Benjamin Montgomery maintains a repository for
-Hardy Heron.
+Hardy Heron and Jaunty Jackalope.

  • If you run
Date: Fri, 19 Jun 2009 13:00:58 -0700
Subject: [PATCH 10/18] Some documentation updates
---
 docs/MultiISP.xml | 23 ++++++++++++++++++-----
 web/download.htm | 9 ++++++---
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 7105ce4d8..3406e3346 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1321,9 +1321,10 @@ fi in the preceding section. Like many Open Source products, LSM is poorly documented. It's - main configuration file is normally kept in /etc/lsm/lsm.conf, but the - file's name is passed as an argument to the lsm program so you can - name it anything you want. + main configuration file is normally kept in + /etc/lsm/lsm.conf, but the file's name is passed + as an argument to the lsm program so you can name it anything you + want. The sample lsm.conf included with the product shows some of the possibilities for configuration. One feature
@@ -1332,8 +1333,20 @@ fi configuration file. I personally use LSM here at shorewall.net (configuration is - described below). Here are my relevant - configuration files: + described below). I have set things up + so that Shorewall [re]starts lsm during processing of the + start and restore commands. I + don't have Shorewall restart lsm during Shorewall + restart because I restart Shorewall much more often + than the average user is likely to do. I have Shorewall start lsm + because I have a dynamic IP address from one of my providers + (Comcast); Shorewall detects the default gateway to that provider and + creates a secondary configuration file + (/etc/lsm/shorewall.conf) that contains the link + configurations. That file is included by + /etc/lsm/lsm.conf. + + Here are my relevant configuration files: /etc/shorewall/isusable:
diff --git a/web/download.htm b/web/download.htm
index 12f96b2f4..b4e31e031 100644
--- a/web/download.htm
+++ b/web/download.htm
@@ -66,7 +66,8 @@ shake out the bugs in the next stable release. For additional information, see this article about the Shorewall Release Model. -

    In Shorewall version 4.0.*, there are four related +

    In Shorewall version 4.0.*, +there are four related packages:

    • Shorewall-shell -- the
@@ -87,7 +88,8 @@ light-weight Shorewall version that will run compiled firewall scripts generated on a system with one of the compiler packages installed.
    -In Shorewall version 4.2.*, there are two additional +In Shorewall version 4.2.*, +there are two additional packages that provide IPv6 support:
    • Shorewall6 -- Provides
@@ -101,7 +103,8 @@ run compiled firewall scripts generated on a system with Shorewall6 installed.
    -In Shorewall version 4.4.*, the Shorewall-common, Shorewall-shell and +In Shorewall version 4.4.*, +the Shorewall-common, Shorewall-shell and Shorewall-perl packages are discontinued and replaced with a single Shorewall package which combined the functions of Shorewall-common and Shorewall-perl. The shell-based
From 793ecd5c73722b4a3c2db52f8398e93fd9f6e191 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Jun 2009 13:05:35 -0700
Subject: [PATCH 11/18] Add version warning about LSM documentation
---
 docs/MultiISP.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 3406e3346..079166f42 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1344,9 +1344,14 @@ fi creates a secondary configuration file (/etc/lsm/shorewall.conf) that contains the link configurations. That file is included by - /etc/lsm/lsm.conf. + /etc/lsm/lsm.conf.B - Here are my relevant configuration files: + Below are my relevant configuration files. + + + These files only work with Shorewall-perl 4.2 and + later. + /etc/shorewall/isusable:
From 01d046fac95db2ea62589f12bed43e322b482ecf Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Jun 2009 14:39:45 -0700
Subject: [PATCH 12/18] Add lib.user extension script
---
 Shorewall/Perl/Shorewall/Compiler.pm | 3 +++
 Shorewall/Perl/Shorewall/Config.pm | 3 +++
 Shorewall/changelog.txt | 2 ++
 Shorewall/configfiles/lib.user | 14 ++++++++++++++
 Shorewall/releasenotes.txt | 4 ++++
 docs/MultiISP.xml | 9 +++++++--
 docs/shorewall_extension_scripts.xml | 6 ++++++
 7 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 Shorewall/configfiles/lib.user
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 02dffb08f..4e97913f7 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -97,6 +97,9 @@ sub generate_script_1() {
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
+ my $lib = find_file 'lib.user';
+
+ copy1 $lib, emit "\n" if -f $lib;
 for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
 emit "\nrun_${exit}_exit() {";
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 3940d2b5e..ecc231ca6 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -79,6 +79,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object push_indent pop_indent copy + copy1 create_temp_aux_config finalize_aux_config set_shorewall_dir
@@ -1088,6 +1089,8 @@ sub copy1( $ ) {
 close IF; } + + $lastlineblank = 0; } #
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c39f6dc34..b0f9ed64e 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -20,6 +20,8 @@ Changes in Shorewall 4.4.0-Beta2
 8) Add 'USER/GROUP' column to masq file.
+9) Added lib.user.
+
 Changes in Shorewall 4.4.0-Beta1
 1) Correct typo in Shorewall6 two-interface sample shorewall.conf.
diff --git a/Shorewall/configfiles/lib.user b/Shorewall/configfiles/lib.user
new file mode 100644
index 000000000..234bd7ce0
--- /dev/null
+++ b/Shorewall/configfiles/lib.user
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - lib.user File
+#
+# /etc/shorewall/lib.user
+#
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
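Review bot: `copy1 $lib, emit "\n" if -f $lib;` splices the user-supplied lib.user file into the generated firewall script at top level, whereas the user exits handled by the loop right below it are each wrapped in a `run_${exit}_exit()` function; so any statement in lib.user that is not a function declaration runs unconditionally as soon as the generated script is loaded, with that script's privileges. Nothing in the hunk enforces the "declarations only" intent stated in the new file's header comment, and the hunk does not show where `find_file` searches, so which directory's lib.user wins when several exist should be confirmed. I would record the contract where it is applied: `# lib.user is copied verbatim at top level (not wrapped in a run_*_exit function); only shell function declarations belong there`. The comma-joined `copy1 $lib, emit "\n"` relies on copy1's `($)` prototype (see the Config.pm hunk) to parse as two calls; `if ( -f $lib ) { copy1 $lib; emit "\n" }` reads more plainly. generate_script_1 continues outside the hunk.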
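Review bot: The added `$lastlineblank = 0;` at the end of copy1 is unconditional, so after copying a file whose final line is blank the tracking variable still reports a non-blank last line; presumably `emit` uses it to suppress doubled blank lines, in which case the caller's following `emit "\n"` (Compiler.pm hunk in this commit) would yield two blank lines in the generated script — cosmetic if so. A one-line comment would make the intent explicit: `# copy1 bypasses emit's blank-line tracking; reset it so the next emit starts from a known state`. copy1's body starts outside the hunk.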
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 5e8a9893e..ec78fbe23 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -179,6 +179,10 @@ None.
 3) A USER/GROUP column has been added to /etc/shorewall/masq. The column works similarly to USER/GROUP columns in other Shorewall configuration files. Only locally-generated traffic is matched.
+
+4) A new extension script, 'lib.user' has been added. This file is
+ intended to include declarations of shell functions that are called
+ by the other run-time extension scripts.
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 4
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 079166f42..290f6f09c 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1355,6 +1355,10 @@ fi /etc/shorewall/isusable: + Note that /etc/lsm/script writes + a ${VARDIR}/xxx.status file when the status of an + interface changes. + local status=0 [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
@@ -1378,7 +1382,7 @@ connection { connection { name=Comcast - checkip=$ETH3_GATEWAY + checkip=${ETH3_GATEWAY:-71.227.156.1} device=eth3 ttl=1 }
@@ -1388,7 +1392,8 @@ EOF fi eth3 has a dynamic IP address so I need to use the - Shorewall-detected gateway address ($ETH3_GATEWAY). + Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default + value in the event that detection fails. /etc/shorewall/restored:
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 93ce87f96..06e849136 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -69,6 +69,12 @@ The following scripts can be supplied: + + lib.user -- Intended to contain + declarations of shell functions to be called by other run-time + extension scripts. + + compile -- Invoked by the rules compiler early in the compilation process. Must be written in Perl.
From f991e28308be28924b8e2352387e5db64027d602 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Jun 2009 15:06:56 -0700
Subject: [PATCH 13/18] Remove Shorewall-shell syntax from the tos manpage
---
 Shorewall/releasenotes.txt | 4 +--
 manpages/shorewall-tos.xml | 54 ++++----------------------------------
 web/download.htm | 10 +++----
 3 files changed, 12 insertions(+), 56 deletions(-)
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index ec78fbe23..b8082658f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -181,8 +181,8 @@ None.
 configuration files. Only locally-generated traffic is matched.
 4) A new extension script, 'lib.user' has been added. This file is
- intended to include declarations of shell functions that are called
- by the other run-time extension scripts.
+ intended to include declarations of shell functions that will be
+ called by the other run-time extension scripts.
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 4
diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml
index cdab1e293..d8a87e0a9 100644
--- a/manpages/shorewall-tos.xml
+++ b/manpages/shorewall-tos.xml
@@ -1,4 +1,6 @@ + shorewall-tos
@@ -26,38 +28,11 @@ The columns in the file are as follows. - - SOURCE - - {zone[:address]|all|$FW} - (Shorewall-shell) - - - Name of a zone declared in shorewall-zones(5), all or $FW. - - If not all or $FW, may optionally be followed by ":" and an - IP address, a MAC address, a subnet specification or the name of an - interface. - - Example: loc:192.168.2.3 - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - - SOURCE - {all|address]|all:address|$FW} (Shorewall-perl) + role="bold">$FW} If all, may optionally be
@@ -73,29 +48,10 @@ - - DEST - - {zone[:address]|all} (Shorewall-shell) - - - Name of a zone declared in shorewall-zones(5) or all. - - If not all, may optionally be - followed by ":" and an IP address or a subnet specification - - Example: loc:192.168.2.3 - - - DEST - {all|address]|all:address} - (Shorewall-perl) + role="bold">all:address} Example: 192.168.2.3
@@ -213,4 +169,4 @@ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5) -
\ No newline at end of file
+
diff --git a/web/download.htm b/web/download.htm
index b4e31e031..55333344e 100644
--- a/web/download.htm
+++ b/web/download.htm
@@ -140,6 +140,11 @@ or both of the compilers on a single administrative system and install Shorewall-lite and/or Shorewall6-lite on the firewalls. Doing so will allow for centralized administration and configuration of the firewalls.
  • +
  • When RPM is used to install Shorewall, the compiler +(shorewall-shell +and/or shorewall-perl) and shorewall-common must be installed in a +single execution of the +rpm utility.
  • If you are installing Shorewall 4.4 or later:
    • @@ -156,11 +161,6 @@ configuration of the firewalls.
    -

    When RPM is used to install Shorewall, the compiler (shorewall-shell -and/or shorewall-perl) and shorewall-common must be installed in a -single execution of the -rpm utility.
    -

    Here are the installation instructions.

    Distribution-specific Download Sites

    Once you've printed the appropriate QuickStart Guide, download the
From bd55a545b56bfc2ab92ec0aa258fda251fbac23c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 20 Jun 2009 09:35:08 -0700
Subject: [PATCH 14/18] Rename lib.user to lib.private
---
 Shorewall/Perl/Shorewall/Compiler.pm | 2 +-
 Shorewall/changelog.txt | 2 +-
 .../configfiles/{lib.user => lib.private} | 4 +-
 Shorewall/install.sh | 9 +++++
 Shorewall/releasenotes.txt | 2 +-
 docs/MultiISP.xml | 38 +++++++++++++------
 docs/shorewall_extension_scripts.xml | 5 ++-
 7 files changed, 43 insertions(+), 19 deletions(-)
 rename Shorewall/configfiles/{lib.user => lib.private} (85%)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 4e97913f7..b61feffb4 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -97,7 +97,7 @@ sub generate_script_1() {
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
- my $lib = find_file 'lib.user';
+ my $lib = find_file 'lib.private';
 copy1 $lib, emit "\n" if -f $lib;
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index b0f9ed64e..55ba7613f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -20,7 +20,7 @@ Changes in Shorewall 4.4.0-Beta2
 8) Add 'USER/GROUP' column to masq file.
-9) Added lib.user.
+9) Added lib.private.
 Changes in Shorewall 4.4.0-Beta1
diff --git a/Shorewall/configfiles/lib.user b/Shorewall/configfiles/lib.private
similarity index 85%
rename from Shorewall/configfiles/lib.user
rename to Shorewall/configfiles/lib.private
index 234bd7ce0..a83fba6f5 100644
--- a/Shorewall/configfiles/lib.user
+++ b/Shorewall/configfiles/lib.private
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - lib.user File
+# Shorewall version 4 - lib.private File
 #
-# /etc/shorewall/lib.user
+# /etc/shorewall/lib.private
 #
 # Use this file to declare shell functions to be called in the other
 # run-time extension scripts. The file will be copied into the generated
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 32cab1332..d7a11fcbc 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -576,6 +576,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
 echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
 #
+# Install the private library file
+#
+run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
+ run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
+ echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
+fi
+#
 # Install the Started file
 #
 run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b8082658f..7656186d7 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -180,7 +180,7 @@ None.
 column works similarly to USER/GROUP columns in other Shorewall configuration files. Only locally-generated traffic is matched.
-4) A new extension script, 'lib.user' has been added. This file is
+4) A new extension script, 'lib.private' has been added. This file is
 intended to include declarations of shell functions that will be called by the other run-time extension scripts.
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 290f6f09c..9f376280b 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
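Review bot: The live copy of lib.private is installed `-m 0600` while the /usr/share template gets `-m 0644`, and the install.sh hunk gives no reason for the difference; since lib.private is copied verbatim into the generated firewall script (Compiler.pm hunk earlier in this series), the /etc copy is effectively code the firewall executes, so restricting it to its owner is the right choice and worth recording. I would add `# lib.private is inlined into the generated firewall script; keep the live copy owner-only` above the second `run_install`. The `! -f ${PREFIX}/etc/shorewall/lib.private` guard follows the pattern of the accounting block just above it.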
@@ -1349,7 +1349,7 @@ fi Below are my relevant configuration files. - These files only work with Shorewall-perl 4.2 and + These files only work with Shorewall-perl 4.4 Beta 2 and later.
@@ -1357,7 +1357,7 @@ fi Note that /etc/lsm/script writes a ${VARDIR}/xxx.status file when the status of an - interface changes. + interface changes. local status=0
@@ -1365,40 +1365,54 @@ fi return $status - /etc/shorewall/started: + /etc/shorewall/lib.private: ############################################################################### -# My 'restored' script calls this one if there is no lsm process running +# Create /etc/lsm/shorewall.conf +# Remove the current interface status files +# Start lsm ############################################################################### -if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then +start_lsm() { killall lsm 2> /dev/null cat <<EOF > /etc/lsm/shorewall.conf connection { name=Avvanta checkip=206.124.146.254 - device=eth0 + device=$EXT_IF ttl=2 } connection { name=Comcast - checkip=${ETH3_GATEWAY:-71.227.156.1} - device=eth3 + checkip=${ETH0_GATEWAY:-71.231.152.1} + device=$COM_IF ttl=1 } EOF - rm -f ${VARDIR}/*.status + rm -f /etc/shorewall/*.status /usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm -fi +} eth3 has a dynamic IP address so I need to use the Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default value in the event that detection fails. + /etc/shorewall/started: + + ################################################################################## +# [re]start lsm if this is a 'start' command or if lsm isn't running +################################################################################## +if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then + start_lsm +fi + /etc/shorewall/restored: - if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then - run_started_exit + ################################################################################## +# Start lsm if it isn't running +################################################################################## +if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then + start_lsm fi /etc/lsm/lsm.conf: diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index 06e849136..acb46567d 100644 
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -70,9 +70,10 @@ - lib.user -- Intended to contain + lib.private -- Intended to contain declarations of shell functions to be called by other run-time - extension scripts. + extension scripts. See this + article for an example of its use.
From 5044c70230ddde1f3a583bae734ddea7171ce96b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 20 Jun 2009 17:37:09 -0700
Subject: [PATCH 15/18] Remove bizarre sentence from tcclasses man pages
---
 manpages/shorewall-tcclasses.xml | 5 +----
 manpages6/shorewall6-tcclasses.xml | 5 +----
 web/shorewall_index.htm | 8 ++++----
 3 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml
index 040fb54cf..f3af8188d 100644
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@@ -266,10 +266,7 @@ This lets you define a classifier for the given value/mask combination of the IP packet's TOS/Precedence/DiffSrv octet - (aka the TOS byte). Please note that classifiers override all - mark settings, so if you define a classifer for a class, all - traffic having that mark will go in it regardless of any mark - set on the packet by a firewall/mangle filter. + (aka the TOS byte).
diff --git a/manpages6/shorewall6-tcclasses.xml b/manpages6/shorewall6-tcclasses.xml
index ac0d258f3..50187ac47 100644
--- a/manpages6/shorewall6-tcclasses.xml
+++ b/manpages6/shorewall6-tcclasses.xml
@@ -260,10 +260,7 @@ This lets you define a classifier for the given value/mask combination of the IP packet's TOS/Precedence/DiffSrv octet - (aka the TOS byte). Please note that classifiers override all - mark settings, so if you define a classifer for a class, all - traffic having that mark will go in it regardless of any mark - set on the packet by a firewall/mangle filter. + (aka the TOS byte).
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 4e2c97adb..a33db488c 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -47,7 +47,7 @@ -


    2009-06-18
    +
    2009-06-20

    Attention Shorewall-shell users

    Current Shorewall Releases

    @@ -93,14 +93,14 @@ Release
    4.4.0 -Beta 1
    +Beta 2
    Release + href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt">Release Notes
    Known + href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/known_problems.txt">Known Problems
From d745f3bfc5f4cd0a8f140bb479ad79192803efb8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 21 Jun 2009 08:31:19 -0700
Subject: [PATCH 16/18] Tweak Shorewall-4/Shorewall-perl Docs
---
 docs/Shorewall-4.xml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml
index c901560b7..81b149162 100644
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -88,9 +88,10 @@ - Both compilers could be installed on your system and you could - use whichever one - suited you in a particular case. + Both compilers could be + installed on your system and you could use whichever one suited you + in a particular case.
    @@ -127,7 +128,7 @@
    - Prerequisites for using the Shorewall Version 4.4 Perl-based + <title>Prerequisites for using the Shorewall Version 4.2/4.4 Perl-based Compiler
@@ -169,6 +170,9 @@ Perl Scalar::Util Module + + Please note that there are additional + requirements if you plan to install and use Shorewall6.
    From a01c1a13196da83e18276b0f795724a9ff84b02f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 21 Jun 2009 08:33:02 -0700
Subject: [PATCH 17/18] Tweak Shorewall-4/Shorewall-perl Docs -- take 2
---
 docs/Shorewall-4.xml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml
index 81b149162..56ff29278 100644
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -97,9 +97,10 @@
    Shorewall 4.4 - Shorewall 4.4 discontinues the availability of the legacy - shell-based compiler. All users must migrate to the perl-based compiler - before or during an upgrade to Shorewall version 4.4 + Shorewall 4.4 (currently in Beta testing) discontinues the + availability of the legacy shell-based compiler. All users must migrate to + the perl-based compiler before or during an upgrade to Shorewall version + 4.4 Shorewall 4.4 contains four packages:
From 14d07265eeb6922b55745d3a530add63716f5d87 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 21 Jun 2009 08:51:05 -0700
Subject: [PATCH 18/18] Add recommendation to migrate before upgrade
---
 docs/Shorewall-4.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml
index 56ff29278..c74ad1d20 100644
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -100,7 +100,9 @@ Shorewall 4.4 (currently in Beta testing) discontinues the availability of the legacy shell-based compiler. All users must migrate to the perl-based compiler before or during an upgrade to Shorewall version - 4.4 + 4.4. We highly recommend that current users of the shell-based compiler + migrate before upgrading to 4.4 so that both compilers are available + during the migration. Shorewall 4.4 contains four packages: