Merge branch 'master' of ssh://judas_iscariote@shorewall.git.sourceforge.net/gitroot/shorewall

Cristian Rodríguez 2009-06-21 18:58:27 -04:00
commit 1967f9cbb4
25 changed files with 738 additions and 123 deletions


@ -97,6 +97,9 @@ sub generate_script_1() {
# Functions to execute the various user exits (extension scripts)
################################################################################
EOF
my $lib = find_file 'lib.private';
copy1 $lib, emit "\n" if -f $lib;
for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
emit "\nrun_${exit}_exit() {";
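Review bot: `copy1 $lib, emit "\n" if -f $lib;` only reads as intended because copy1 is declared with a `( $ )` prototype (visible in the Config.pm hunk of this commit), which makes the comma the comma operator and `emit "\n"` a second statement rather than a second argument; most readers will parse it as a single two-argument call. Spelling it out as `if ( -f $lib ) { copy1 $lib; emit "\n"; }` removes the dependency on the prototype. Since this splices the user's lib.private verbatim into the generated firewall script, a one-line comment stating that, e.g. `# lib.private is copied verbatim into the generated script (install.sh installs it 0600)`, would help the next maintainer. generate_script_1 starts and continues outside the hunk.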


@ -79,6 +79,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
push_indent
pop_indent
copy
copy1
create_temp_aux_config
finalize_aux_config
set_shorewall_dir
@ -1088,6 +1089,8 @@ sub copy1( $ ) {
close IF;
}
$lastlineblank = 0;
}
#


@ -115,7 +115,7 @@ sub do_ipsec_options($)
#
sub process_one_masq( )
{
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
if ( $interfacelist eq 'COMMENT' ) {
process_comment;
@ -183,6 +183,7 @@ sub process_one_masq( )
# Handle Mark
#
$baserule .= do_test( $mark, 0xFF) if $mark ne '-';
$baserule .= do_user( $user ) if $user ne '-';
for my $fullinterface (split_list $interfacelist, 'interface' ) {
my $rule = '';
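Review bot: The new `$baserule .= do_user( $user ) if $user ne '-';` is ANDed with whatever SOURCE the entry names, but the release notes in this same commit state that USER/GROUP matches only locally-generated traffic, so an entry that pairs a USER/GROUP value with a remote SOURCE network can never match and compiles to a dead rule with no diagnostic. A compile-time warning at that point, along the lines of `warning_message "USER/GROUP only matches locally-generated traffic; this entry's SOURCE will never match"`, would surface the misconfiguration; the exact condition depends on how $networks is interpreted further down, which is outside the hunk. It would also be worth a comment on the split_line1 call noting that the eighth column is optional and presumably arrives as '-' when absent, since the `ne '-'` test relies on that. process_one_masq continues outside both hunks.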


@ -116,7 +116,15 @@ sub setup_route_marking() {
my $mark = $providerref->{mark};
my $base = uc chain_base $interface;
add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
if ( $providerref->{optional} ) {
if ( $providerref->{shared} ) {
add_command( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
} else {
add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
}
incr_cmd_level( $chainref );
}
unless ( $marked_interfaces{$interface} ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
@ -391,20 +399,23 @@ sub add_a_provider( ) {
my $realm = '';
if ( $optional && ! $shared ) {
start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
$provider_interfaces{$interface} = $table;
}
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
if ( $shared ) {
fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number";
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
} elsif ( $gatewaycase eq 'detect' ) {
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ) unless $optional;
} else {
start_provider( $table, $number, "if interface_is_usable $interface; then" ) unless $optional;
if ( $optional ) {
start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
} elsif ( $gatewaycase eq 'detect' ) {
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
} else {
start_provider( $table, $number, "if interface_is_usable $interface; then" );
}
$provider_interfaces{$interface} = $table;
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
}
@ -800,7 +811,7 @@ sub handle_optional_interfaces() {
if ( $provider ) {
#
# This is a provider -- get the provider table entry
# This interface is associated with a non-shared provider -- get the provider table entry
#
my $providerref = $providers{$provider};
@ -811,7 +822,7 @@ sub handle_optional_interfaces() {
}
} else {
#
# Not a provider
# Not a provider interface
#
emit qq(if interface_is_usable $interface; then);
}
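Review bot: In the shared-provider branch of setup_route_marking, `qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then)` places the `interface_is_usable` call inside `[ ... ]`, where the shell passes it to test as a string operand instead of running the function, so the emitted check never tests the interface (and test will most likely reject the argument list outright). The same condition is written correctly in the add_a_provider hunk below, `if interface_is_usable $interface && [ -n "$variable" ]; then`, and the first hunk should use that form. Separately, in add_a_provider the check `fatal_error "... $provider_interfaces{$interface}" if $provider_interfaces{$table};` tests the hash by table while both the message and the assignment at the end of the hunk key it by interface, so the error looks unreachable unless the hash is also keyed by table somewhere outside this view. Both functions start and end outside the hunks.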


@ -14,6 +14,14 @@ Changes in Shorewall 4.4.0-Beta2
5) Add 'upnpclient' interface option.
6) Fix handling of optional interfaces.
7) Add 'iptrace' and 'noiptrace' command.
8) Add 'USER/GROUP' column to masq file.
9) Added lib.private.
Changes in Shorewall 4.4.0-Beta1
1) Correct typo in Shorewall6 two-interface sample shorewall.conf.


@ -0,0 +1,14 @@
#
# Shorewall version 4 - lib.private File
#
# /etc/shorewall/lib.private
#
# Use this file to declare shell functions to be called in the other
# run-time extension scripts. The file will be copied into the generated
# firewall script.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -7,5 +7,6 @@
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -576,6 +576,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the private library file
#
run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
fi
#
# Install the Started file
#
run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started


@ -149,6 +149,41 @@ None.
that, like all aspects of UPnP, this is a security hole so use this
option at your own risk.
2) 'iptrace' and 'noiptrace' commands have been added to both
/sbin/shorewall and /sbin/shorewall6.
These are low-level debugging commands that cause
iptables/ip6tables TRACE log messages to be generated. See 'man
iptables' and 'man ip6tables' for details.
The syntax for the commands is:
iptrace <iptables/ip6tables match expression>
noiptrace <iptables/ip6tables match expression>
iptrace starts the trace; noiptrace turns it off.
The match expression must be an expression that is legal in both
the raw table OUTPUT and PREROUTING chains.
Examaple:
To trace all packets desinted for IP address 206.124.146.176:
shorewall iptrace -d 206.124.146.176
To turn that trace off:
shorewall noiptrace -d 206.124.146.176
3) A USER/GROUP column has been added to /etc/shorewall/masq. The
column works similarly to USER/GROUP columns in other Shorewall
configuration files. Only locally-generated traffic is matched.
4) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be
called by the other run-time extension scripts.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4
----------------------------------------------------------------------------


@ -1454,10 +1454,12 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
echo " iptrace <iptables match expression>"
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " noiptrace <iptables match expression>"
echo " refresh [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -2012,6 +2014,26 @@ case "$COMMAND" in
shift
safe_commands $@
;;
iptrace)
get_config
shift
if shorewall_is_started ; then
$IPTABLES -t raw -A PREROUTING $@ -j TRACE
$IPTABLES -t raw -A OUTPUT $@ -j TRACE
else
fatal_error "Shorewall is not started"
fi
;;
noiptrace)
get_config
shift
if shorewall_is_started ; then
$IPTABLES -t raw -D PREROUTING $@ -j TRACE
$IPTABLES -t raw -D OUTPUT $@ -j TRACE
else
fatal_error "Shorewall is not started"
fi
;;
*)
usage 1
;;
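Review bot: The new `iptrace` case runs `$IPTABLES -t raw -A PREROUTING $@ -j TRACE` without checking that a match expression was supplied, so `shorewall iptrace` with no arguments installs unconditional TRACE rules on both raw chains and the kernel logs a record for every packet in every chain it traverses; a guard such as `[ $# -gt 0 ] || fatal_error "iptrace requires a match expression"` before the `if` would prevent that. The exit status of the two `$IPTABLES` calls is also ignored, so a rejected expression can leave the PREROUTING rule in place after the OUTPUT call fails, with nothing reported to the operator. Quoting the expansion as `"$@"` would preserve arguments containing spaces exactly as typed. The shorewall6 hunk below has the same three issues, and the enclosing `case "$COMMAND"` starts outside both hunks.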


@ -1371,10 +1371,12 @@ usage() # $1 = exit status
echo " export [ <directory1> ] [<user>@]<system>[:<directory2>]"
echo " forget [ <file name> ]"
echo " help"
echo " iptrace <ip6tables match expression>"
echo " load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " noiptrace <ip6tables match expression>"
echo " refresh [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -1857,7 +1859,26 @@ case "$COMMAND" in
shift
safe_commands $@
;;
*)
iptrace)
get_config
shift
if shorewall_is_started ; then
$IP6TABLES -t raw -A PREROUTING $@ -j TRACE
$IP6TABLES -t raw -A OUTPUT $@ -j TRACE
else
fatal_error "Shorewall6 is not started"
fi
;;
noiptrace)
get_config
shift
if shorewall_is_started ; then
$IP6TABLES -t raw -D PREROUTING $@ -j TRACE
$IP6TABLES -t raw -D OUTPUT $@ -j TRACE
else
fatal_error "Shorewall6 is not started"
fi
;; *)
usage 1
;;


@ -1321,9 +1321,10 @@ fi</programlisting></para>
in the preceding section.</para>
<para>Like many Open Source products, LSM is poorly documented. It's
main configuration file is normally kept in /etc/lsm/lsm.conf, but the
file's name is passed as an argument to the lsm program so you can
name it anything you want.</para>
main configuration file is normally kept in
<filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
as an argument to the lsm program so you can name it anything you
want.</para>
<para>The sample <filename>lsm.conf</filename> included with the
product shows some of the possibilities for configuration. One feature
@ -1332,50 +1333,86 @@ fi</programlisting></para>
configuration file.</para>
<para>I personally use LSM here at shorewall.net (configuration is
described <link linkend="Complete">below</link>). Here are my relevant
configuration files:</para>
described <link linkend="Complete">below</link>). I have set things up
so that Shorewall [re]starts lsm during processing of the
<command>start</command> and <command>restore</command> commands. I
don't have Shorewall restart lsm during Shorewall
<command>restart</command> because I restart Shorewall much more often
than the average user is likely to do. I have Shorewall start lsm
because I have a dynamic IP address from one of my providers
(Comcast); Shorewall detects the default gateway to that provider and
creates a secondary configuration file
(<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
configurations. That file is included by
<filename>/etc/lsm/lsm.conf</filename>.B</para>
<para>Below are my relevant configuration files.</para>
<warning>
<para>These files only work with Shorewall-perl 4.4 Beta 2 and
later.</para>
</warning>
<para><filename>/etc/shorewall/isusable</filename>:</para>
<para>Note that <filename>/etc/lsm/script </filename>writes
a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
interface changes.</para>
<programlisting>local status=0
[ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
return $status</programlisting>
<para><filename>/etc/shorewall/started</filename>:</para>
<para><filename>/etc/shorewall/lib.private</filename>:</para>
<programlisting>###############################################################################
# My 'restored' script calls this one if there is no lsm process running
# Create /etc/lsm/shorewall.conf
# Remove the current interface status files
# Start lsm
###############################################################################
if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
start_lsm() {
killall lsm 2&gt; /dev/null
cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
connection {
name=Avvanta
checkip=206.124.146.254
device=eth0
device=$EXT_IF
ttl=2
}
connection {
name=Comcast
checkip=$ETH3_GATEWAY
device=eth3
checkip=${ETH0_GATEWAY:-71.231.152.1}
device=$COM_IF
ttl=1
}
EOF
rm -f ${VARDIR}/*.status
rm -f /etc/shorewall/*.status
/usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
fi</programlisting>
}</programlisting>
<para>eth3 has a dynamic IP address so I need to use the
Shorewall-detected gateway address ($ETH3_GATEWAY).</para>
Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
value in the event that detection fails.</para>
<para><filename>/etc/shorewall/started</filename>:</para>
<programlisting>##################################################################################
# [re]start lsm if this is a 'start' command or if lsm isn't running
##################################################################################
if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
start_lsm
fi</programlisting>
<para><filename>/etc/shorewall/restored</filename>:</para>
<programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
run_started_exit
<programlisting>##################################################################################
# Start lsm if it isn't running
##################################################################################
if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
start_lsm
fi</programlisting>
<para><filename>/etc/lsm/lsm.conf</filename>:</para>


@ -51,7 +51,18 @@
stored in the <emphasis>skb</emphasis> (socket buffer) structure used by
the Linux kernel to track packets; the mark value is not part of the
packet itself and cannot be seen with <command>tcpdump</command>,
<command>ethereal</command> or any other packet sniffing program.</para>
<command>ethereal</command> or any other packet sniffing program. They can
be seen in an iptables/ip6tables trace -- see the
<command>iptrace</command> command in <ulink
url="manpages/shorewall.html">shorewal</ulink>(8) and <ulink
url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
<para>Example (output has been folded for display ):</para>
<programlisting>[11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130
DST=206.124.146.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3 UID=0
GID=1000 <emphasis role="bold">MARK=0x10082</emphasis></programlisting>
<para>Each active connection (even those that are not yet in ESTABLISHED
state) has a mark value that is distinct from the packet marks. Connection

docs/Shorewall-4.xml Normal file

@ -0,0 +1,189 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Version 4</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2007</year>
<year>2009</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section id="Intro">
<title>Introduction</title>
<para>Shorewall version 4.0 represented a substantial shift in direction
for Shorewall. Up until then</para>
<itemizedlist>
<listitem>
<para>Shorewall had been written entirely in Bourne Shell.</para>
</listitem>
<listitem>
<para>Shorewall had run the <command>iptables</command> utility to add
each Netfilter rule.</para>
</listitem>
</itemizedlist>
<para>Shorewall version 4.0 offered you a choice. You could continue to
use the existing shell-based implementation or you could use a new
implementation of the Shorewall compiler written in the Perl programming
language. The new compiler:</para>
<itemizedlist>
<listitem>
<para>had a small disk footprint</para>
</listitem>
<listitem>
<para>was very fast.</para>
</listitem>
<listitem>
<para>generateed a firewall script that uses
<command>iptables-restore</command>; so the script was very
fast.</para>
</listitem>
<listitem>
<para>generated better and more consistent error messages.</para>
</listitem>
<listitem>
<para>did a much more thorough job of checking the configuration to
avoid run-time errors.</para>
</listitem>
<listitem>
<para>supported creating either Ipv4 or Ipv6 firewalls (Shorewall
4.2.4 and later).</para>
</listitem>
</itemizedlist>
<para><ulink url="Shorewall-perl.html#Install">Both compilers could be
installed on your system</ulink> and you could <ulink
url="Shorewall-perl.html#CompilerSelection">use whichever one suited you
in a particular case</ulink>.</para>
</section>
<section id="Install">
<title>Shorewall 4.4</title>
<para>Shorewall 4.4 (currently in Beta testing) discontinues the
availability of the legacy shell-based compiler. All users must migrate to
the perl-based compiler before or during an upgrade to Shorewall version
4.4. We highly recommend that current users of the shell-based compiler
migrate before upgrading to 4.4 so that both compilers are available
during the migration.</para>
<para>Shorewall 4.4 contains four packages:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Shorewall</emphasis> - Everything needed
to create an IPv4 firewall.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-lite</emphasis>- Can run scripts
generated by Shorewall on another system.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
creating and operating an Ipv6 firewall. Requires Shorewall.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
another system.</para>
</listitem>
</itemizedlist>
</section>
<section id="Prereqs">
<title>Prerequisites for using the Shorewall Version 4.2/4.4 Perl-based
Compiler</title>
<itemizedlist>
<listitem>
<para>Perl (I use Perl 5.8.10 but other 5.8 versions should work
fine). <note>
<para>If you want to be able to use DNS names in your Shorewall6
configuration files, then Perl 5.10 is required together with the
Perl <emphasis role="bold">Socket6</emphasis> module.</para>
</note></para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">Cwd</emphasis> Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">File::Basename</emphasis>
Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">File::Temp</emphasis> Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">Getopt::Long</emphasis> Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">Carp</emphasis> Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">FindBin</emphasis> Module</para>
</listitem>
<listitem>
<para>Perl <emphasis role="bold">Scalar::Util </emphasis>Module</para>
</listitem>
</itemizedlist>
<para>Please note that there are <ulink url="IPv6Support.html">additional
requirements</ulink> if you plan to install and use Shorewall6.</para>
</section>
<section id="Incompatibilities">
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</title>
<para>The Shorewall Perl-based compiler is not 100% compatible with the
Shorewall shell-based version. See <ulink url="Shorewall-perl.html">this
document</ulink> for details.</para>
</section>
</article>


@ -108,9 +108,10 @@
</listitem>
<listitem>
<para>DYNAMIC_ZONES=Yes is not supported. <ulink
url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
dytnamic zones.</para>
<para>DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2.
<ulink url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
dytnamic zones. In Shorewall 4.4, dynamic zone support based on
ipsets was added to Shorewall.</para>
</listitem>
<listitem>
@ -534,6 +535,20 @@ DNAT- net loc:192.168.1.3 tcp 21</programl
<para>you instead want:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT- net 192.168.1.3 tcp 21</programlisting></para>
</listitem>
<listitem>
<para>Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the
name of an interface there will result in a compile-time
warning:</para>
<para>WARNING: Using an interface as the masq SOURCE requires the
interface to be up and configured when Shorewall
starts/restarts</para>
<para>To avoid this warning, replace interface names by the
corresponding network addresses (e.g., 192.168.144.0/24).</para>
</listitem>
</orderedlist>
</section>
@ -545,10 +560,100 @@ DNAT- net 192.168.1.3 tcp 21</programl
environment. The best way to work around this limitation is to install
Shorewall-perl on an administrative system and employ Shorewall-lite on
your embedded systems. Shorewall-perl will run on Windows under <ulink
url="http://www.cygwin.com/">Cygwin</ulink>.</para>
url="http://www.cygwin.com/">Cygwin</ulink>. Install using the
install.sh script.</para>
</section>
</section>
<section id="Install">
<title>Installing Shorewall Version 4.0 or 4.2</title>
<para>Shorewall 4.2 contains six packages, four of which are also included
in Shorewall 4.0:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Shorewall-shell</emphasis> - the old
shell-based compiler and related components.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-perl</emphasis> - the new
Perl-based compiler.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-common</emphasis> - the part of
Shorewall common to both compilers.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-lite</emphasis>- same as the 3.4
version of Shorewall Lite. Can run scripts generated by either
Shorewall-perl or Shorewall-shell.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
creating and operating an Ipv6 firewall. Requires Shorewall-perl and
Shorewall-common. Introduced in Shorewall 4.2.4.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
equivalent of Shorewall Lite. Can run scripts generated by
Shoreall-perl 4.2.4 and later.</para>
</listitem>
</itemizedlist>
<para>If you upgrade to Shorewall Version 4.0 or 4.2, you must install
Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
tarball for your installation, you must install Shorewall-shell and/or
Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
Shorewall. See the <ulink url="upgrade_issues.htm">upgrade issues</ulink>
for details.</para>
</section>
<section id="CompilerSelection">
<title>Compiler Selection (Shorewall 4.0-4.2)</title>
<para>If you only install one compiler, then that compiler will be
used.</para>
<para>If you install both compilers, then the compiler actually used for
IPv4 depends on the SHOREWALL_COMPILER setting in
<filename>shorewall.conf</filename>.</para>
<para>The value of this new option can be either 'perl' or 'shell'.</para>
<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default, the
new compiler will be used on the system. If you add it to
<filename>shorewall.conf</filename> in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be used
when you compile from that directory.</para>
<para>If you only install one compiler, it is suggested that you do not
set SHOREWALL_COMPILER.</para>
<para>If both compilers are installed, you can select the compiler to use
on the command line using the 'C option:<simplelist>
<member>'-C shell' means use the shell compiler</member>
<member>'-C perl' means use the perl compiler</member>
</simplelist>The -C option overrides the setting in
shorewall.conf.</para>
<para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting></para>
<para>When the Shorewall-perl compiler has been selected, the
<filename>params</filename> file is processed using the shell
<option>-a</option> option which causes all variables set within the file
to be exported automatically by the shell. The Shorewall-perl compiler
uses the current environmental variables to perform variable expansion
within the other Shorewall configuration files.</para>
</section>
<section id="Modules">
<title>The Shorewall Perl Modules</title>


@ -69,6 +69,13 @@
<para>The following scripts can be supplied:</para>
<itemizedlist>
<listitem>
<para><filename>lib.private</filename> -- Intended to contain
declarations of shell functions to be called by other run-time
extension scripts. See<ulink url="MultiISP.html#lsm"> this
article</ulink> for an example of its use.</para>
</listitem>
<listitem>
<para><filename>compile</filename> -- Invoked by the rules compiler
early in the compilation process. Must be written in Perl.</para>
@ -184,6 +191,15 @@ esac</programlisting><caution>
completion of a successful <command>shorewall restore</command> and
<command>shorewall-lite restore</command>.</para>
</listitem>
<listitem>
<para>findgw -- This script is invoked when Shorewall is attempting to
discover the gateway through a dynamic interface. The script is most
often used when the interface is managed by dhclient which has no
standardized location/name for its lease database. Scripts for use
with dhclient on several distributions are available at <ulink
url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn't have the


@ -119,9 +119,11 @@
<listitem>
<para>Set of hosts that you wish to masquerade. You can specify this
as an <emphasis>address</emphasis> (net or host) or as an
<emphasis>interface</emphasis>. If you give the name of an
interface, the interface must be up before you start the firewall
(Shorewall will use your main routing table to determine the
<emphasis>interface</emphasis> (use of an
<emphasis>interface</emphasis> is deprecated). If you give the name
of an interface, the interface must be up before you start the
firewall and the Shorewall rules compiler will warn you of that
fact. (Shorewall will use your main routing table to determine the
appropriate addresses to masquerade).</para>
<para>In order to exclude a address of the specified SOURCE, you may
@ -384,6 +386,67 @@
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
[<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>Only locally-generated connections will match if this column
is non-empty.</para>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -266,10 +266,7 @@
<para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte). Please note that classifiers override all
mark settings, so if you define a classifer for a class, all
traffic having that mark will go in it regardless of any mark
set on the packet by a firewall/mangle filter.</para>
(aka the TOS byte). </para>
</listitem>
</varlistentry>


@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tos</refentrytitle>
@ -26,38 +28,11 @@
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
(Shorewall-shell)</term>
<listitem>
<para>Name of a <replaceable>zone</replaceable> declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
role="bold">all</emphasis> or <emphasis
role="bold">$FW</emphasis>.</para>
<para>If not <emphasis role="bold">all</emphasis> or <emphasis
role="bold">$FW</emphasis>, may optionally be followed by ":" and an
IP address, a MAC address, a subnet specification or the name of an
interface.</para>
<para>Example: loc:192.168.2.3</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
role="bold">$FW</emphasis>}</term>
<listitem>
<para>If <emphasis role="bold">all</emphasis>, may optionally be
@ -73,29 +48,10 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>} (Shorewall-shell)</term>
<listitem>
<para>Name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
role="bold">all</emphasis>.</para>
<para>If not <emphasis role="bold">all</emphasis>, may optionally be
followed by ":" and an IP address or a subnet specification</para>
<para>Example: loc:192.168.2.3</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>}
(Shorewall-perl)</term>
role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
<listitem>
<para>Example: 192.168.2.3</para>


@ -219,6 +219,19 @@
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -279,6 +292,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -835,6 +861,25 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis></term>
@ -919,6 +964,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
@ -1350,9 +1408,9 @@
<term><emphasis role="bold">version</emphasis></term>
<listitem>
<para>Displays Shorewall's version. If the <option>-a</option>
option is included, the versions of Shorewall-shell and/or
Shorewall-perl will also be displayed.</para>
<para>Displays Shorewall's version. The <option>-a</option> option
is included for compatibility with earlier Shorewall releases and is
ignored.</para>
</listitem>
</varlistentry>
</variablelist>


@ -260,10 +260,7 @@
<para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte). Please note that classifiers override all
mark settings, so if you define a classifer for a class, all
traffic having that mark will go in it regardless of any mark
set on the packet by a firewall/mangle filter.</para>
(aka the TOS byte).</para>
</listitem>
</varlistentry>


@ -144,6 +144,19 @@
<arg choice="plain"><option>help</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
@ -204,6 +217,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
@ -670,12 +696,22 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hits</emphasis></term>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>Generates several reports from Shorewall6 log messages in the
current log file. If the <option>-t</option> option is included, the
reports are restricted to log messages generated today.</para>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See ip6tables(8) for
details.</para>
<para>The <replaceable>ip6tables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para>
</listitem>
</varlistentry>
@ -763,6 +799,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
@ -1163,7 +1212,7 @@
<listitem>
<para>Displays Shorewall6's version. If the <option>-a</option>
option is included, the version of Shorewall-perl will also be
option is included, the version of Shorewall will also be
displayed.</para>
</listitem>
</varlistentry>


@ -23,9 +23,13 @@ license is included in the section entitled <span
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>".
</p>
<p>June 14, 2009<br>
<p>June 18, 2009<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><span style="font-weight: bold;">2009-06-18 Shorewall 4.2.10<br>
</span><span style="font-weight: bold;"></span></p>
<pre>Problems corrected in Shorewall 4.2.10<br><br>1) A 'large quantum' warning log message during restart has been<br> eliminated. The log message occurred when an interface with a large<br> OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.<br><br>2) When a REJECT rule included a log entry, the disposition in the log<br> message was incorrectly shown as 'reject' rather than 'REJECT'.<br><br>3) When 'forward' was specified on one or more interfaces in<br> /etc/shorewall6/interfaces, the progress message "Compiling<br> Interface forwarding..." was issued multiple times. Now, only one<br> instance of the message is generated.<br><br>4) A typing error in the IPv6 two-interface sample shorewall6.conf<br> file has been corrected. This error prevented the compiler from<br> being able to find macros in /usr/share/shorewall/.<br><br>Known Problems Remaining:<br><br>1) When exclusion is used in an entry in /etc/shorewall/hosts, then<br> Shorewall-shell produces an invalid iptables rule if any of the <br> following OPTIONS are also specified in the entry: <br><br> blacklist<br> maclist<br> norfc1918<br> tcpflags<br><br>2) Shorewall-shell generates inversion rules which produce<br> warnings with iptables 1.4.3. <br><br> Example:<br><br> iptables -A lan2fw -p 6 --dport 999 -s ! 192.168.20.1 -j ACCEPT<br><br> with iptables 1.4.3.1 the following information message is produced:<br><br> Using intrapositioned negation (`--option ! this`) is deprecated in<br> favor of extrapositioned (`! --option this`).<br><br> We don't intend to fix this. 
It's time to migrate to Shorewall-perl<br> anyway.<br><br>New Features in Shorewall 4.2.10<br><br>1) Shorewall's suppport for dynamic gateways on interfaces managed by<br> dhclient works on OpenSuSE systems but not on some other<br> distributions.<br><br> In order to generalize support for learning the gateway for dynamic<br> interfaces, a new 'findgw' extension script (user exit) has been<br> added.<br><br> The exit will be invoked in a function that has a single argument:<br><br> $1 = &lt;name of an interface&gt;<br><br> If the function can determine the gateway for the passed interface,<br> it should write the gateway to standard out. Here is a sample<br> /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian<br> Lenny:<br><br> if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then<br> grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\<br> tail -n 1 |\<br> while read j1 j2 gateway; do\<br> echo $gateway | sed 's/;//';\<br> done<br> fi<br><br> The same code works on Ubuntu Jaunty if you replace the first '.'<br> with '-' and replace '.leases' with '.lease' (don't you just love<br> the consistency between distributions?).<br><br> That code also works on CentOS if you replace 'dhcp3' by<br> 'dhclient'.<br><br> 'findgw' files that have been customized for various distributions<br> may be found at<br> http://www.shorewall.net/pub/shorewall/contrib/findgw.<br></pre>
<p><strong></strong></p>
<p><strong>2009-06-13 Shorewall 4.4.0 Beta 1</strong></p>
<pre>Read the details at <a
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt</a><br><strong></strong></pre>


@ -38,7 +38,7 @@
</tbody>
</table>
<p> </p>
<hr><span style="font-weight: bold;">2009-06-14</span>
<hr><span style="font-weight: bold;">2009-06-19</span>
<h2><a name="Which"></a>Package Information</h2>
<p><b>Before trying to install, we strongly urge you to read and print
a
@ -66,7 +66,8 @@ shake out the bugs in the next stable release. <span
</ul>
For additional information, see this article about the <a
href="ReleaseModel.html">Shorewall Release Model</a>.
<p>In Shorewall version 4.0.*, there are four related
<p>In Shorewall version <span style="font-weight: bold;">4.0.*</span>,
there are four related
packages:</p>
<ul>
<li><span style="font-weight: bold;">Shorewall-shell</span> -- the
@ -87,7 +88,8 @@ light-weight Shorewall version that will run
compiled firewall scripts generated on a system with one of the
compiler packages installed.</li>
</ul>
In Shorewall version 4.2.*, there are two additional
In Shorewall version <span style="font-weight: bold;">4.2.*</span>,
there are two additional
packages that provide IPv6 support:<br>
<ul>
<li><span style="font-weight: bold;">Shorewall6</span> -- Provides
@ -101,7 +103,8 @@ run compiled firewall scripts generated on a system with Shorewall6
installed.<br>
</li>
</ul>
In Shorewall version 4.4.*, the Shorewall-common, Shorewall-shell and
In Shorewall version <span style="font-weight: bold;">4.4.*</span>,
the Shorewall-common, Shorewall-shell and
Shorewall-perl packages are discontinued and replaced with a single <span
style="font-weight: bold;">Shorewall</span> package which combined the
functions of Shorewall-common and Shorewall-perl. The shell-based
@ -137,6 +140,11 @@ or both of the compilers on a single <em>administrative</em> system
and install Shorewall-lite and/or Shorewall6-lite on the firewalls.
Doing so will allow for
centralized administration and configuration of the firewalls.</li>
<li>When RPM is used to install Shorewall, the compiler
(shorewall-shell
and/or shorewall-perl) and shorewall-common must be installed in a
single execution of the
rpm utility.</li>
</ul>
<li>If you are installing Shorewall 4.4 or later:</li>
<ul>
@ -153,11 +161,6 @@ configuration of the firewalls.<br>
</li>
</ul>
</ul>
<p>When RPM is used to install Shorewall, the compiler (shorewall-shell
and/or shorewall-perl) and shorewall-common must be installed in a
single execution of the
rpm utility.<br>
</p>
<p>Here are the <a href="Install.htm">installation instructions</a>.</p>
<h2><a name="Distros"></a>Distribution-specific Download Sites</h2>
<p>Once you've printed the appropriate QuickStart Guide, download the
@ -215,7 +218,7 @@ stable release are available from the package maintainer's <a
<li>If you run <a style="font-weight: bold;" href="Ubuntu">Ubuntu,</a>
Benjamin Montgomery maintains a <a
href="https://launchpad.net/%7Ebmonty/+archive/ppa">repository for
Hardy Heron</a>.<br>
Hardy Heron and Jaunty Jackalope</a>.<br>
</li>
<li>
<p style="margin-bottom: 0in;">If you run <a


@ -47,7 +47,9 @@
</tr>
</tbody>
</table>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-14</span><br>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-20</span><br>
<h3><a href="Notices.html#Shell-EOL">Attention Shorewall-shell users</a><br>
</h3>
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
<table style="text-align: left; width: 100%;" border="0" cellpadding="2"
cellspacing="0">
@ -58,13 +60,13 @@
Stable Release</span><br>
</div>
</td>
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.9</span>
<td style="vertical-align: top;"><span style="font-weight: bold;">4.2.10</span>
(includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
<td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/releasenotes.txt">Release
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release
notes</a> </td>
<td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/known_problems.txt">Known
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known
Problems</a></td>
</tr>
<tr>
@ -91,14 +93,14 @@ Release</span><br>
</div>
</td>
<td style="vertical-align: top;"><span style="font-weight: bold;">4.4.0
Beta 1</span><br>
Beta 2</span><br>
</td>
<td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">Release
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt">Release
Notes<br>
</a> </td>
<td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/known_problems.txt">Known
href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/known_problems.txt">Known
Problems</a> </td>
</tr>
</tbody>