From e54563d9c1aadef4d4380fa263d0805809763e40 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 8 Jan 2013 13:53:03 -0800 Subject: [PATCH 1/8] Don't append rules that can't be matched. Also, delete chains whose only rule is a -j RETURN Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 123 ++++++++++++++++++++++------- 1 file changed, 94 insertions(+), 29 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 995f3bd5a..6cafe3223 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -293,6 +293,8 @@ our $VERSION = 'MODULEVERSION'; # digest => string representation of the chain's rules for use in optimization # level 8. # accepted => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain. +# complete => The last rule in the chain is a -g or a simple -j to a terminating target +# Suppresses adding additional rules to the chain end of the chain # } , # => ... # } 
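Review bot: The added `complete` comment has a duplicated phrase, `adding additional rules to the chain end of the chain`, and it does not say what happens to a rule pushed after the flag is set, which is what a maintainer most needs to know about this field. I would reword it as `# complete => The last rule in the chain is a -g or a simple -j to a terminating target.` followed by `# Rules appended after that are discarded; the add_* functions return $dummyrule instead.` Nothing in this patch clears the flag once set, so the comment should also say that any code which truncates or rewrites {rules} must reset it.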
@@ -340,28 +342,31 @@ our %nfobjects; # # Target Types # -use constant { STANDARD => 1, #defined by Netfilter - NATRULE => 2, #Involves NAT - BUILTIN => 4, #A built-in action - NONAT => 8, #'NONAT' or 'ACCEPT+' - NATONLY => 16, #'DNAT-' or 'REDIRECT-' - REDIRECT => 32, #'REDIRECT' - ACTION => 64, #An action (may be built-in) - MACRO => 128, #A Macro - LOGRULE => 256, #'LOG','NFLOG' - NFQ => 512, #'NFQUEUE' - CHAIN => 1024, #Manual Chain - SET => 2048, #SET - AUDIT => 4096, #A_ACCEPT, etc - HELPER => 8192, #CT:helper - NFLOG => 16384, #NFLOG or ULOG - INLINE => 32768, #Inline action +use constant { STANDARD => 0x1, #defined by Netfilter + NATRULE => 0x2, #Involves NAT + BUILTIN => 0x4, #A built-in action + NONAT => 0x8, #'NONAT' or 'ACCEPT+' + NATONLY => 0x10, #'DNAT-' or 'REDIRECT-' + REDIRECT => 0x20, #'REDIRECT' + ACTION => 0x40, #An action (may be built-in) + MACRO => 0x80, #A Macro + LOGRULE => 0x100, #'LOG','NFLOG' + NFQ => 0x200, #'NFQUEUE' + CHAIN => 0x400, #Manual Chain + SET => 0x800, #SET + AUDIT => 0x1000, #A_ACCEPT, etc + HELPER => 0x2000, #CT:helper + NFLOG => 0x4000, #NFLOG or ULOG + INLINE => 0x8000, #Inline action }; # # Valid Targets -- value is a combination of one or more of the above # our %targets; - +# +# Terminating builtins +# +our %terminating; # # expand_rule() restrictions # @@ -373,6 +378,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message }; + # # See initialize() below for additional comments on these variables # 
@@ -456,6 +462,11 @@ use constant { NULL_MODE => 0 , # Emitting neither shell commands nor iptables CMD_MODE => 2 }; # Emitting shell commands. our $mode; +# +# A reference to this rule is returned when we try to push a rule onto a 'complete' chain +# +our $dummyrule = { simple => 1, mode => CAT_MODE }; + # # Address Family # @@ -656,7 +667,29 @@ sub initialize( $$$ ) { %isocodes = (); %nfobjects = (); %switches = (); - + # + # Initialize this here so we can make it dynamic without moving the initialization + # + %terminating = ( ACCEPT => 1, + DROP => 1, + RETURN => 1, + QUEUE => 1, + CLASSIFY => 1, + CT => 1, + DNAT => 1, + MASQUERADE => 1, + NETMAP => 1, + NFQUEUE => 1, + NOTRACK => 1, + REDIRECT => 1, + RAWDNAT => 1, + RAWSNAT => 1, + REJECT => 1, + SAME => 1, + SNAT => 1, + TPROXY => 1, + reject => 1, + ); # # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # @@ -723,10 +756,12 @@ sub set_rule_option( $$$ ) { } } -sub transform_rule( $ ) { - my $input = $_[0]; +sub transform_rule( $;\$ ) { + my ( $input, $completeref ) = @_; my $ruleref = { mode => CAT_MODE, target => '' }; my $simple = 1; + my $target = ''; + my $jump = ''; $input =~ s/^\s*//; @@ -748,9 +783,9 @@ sub transform_rule( $ ) { } if ( $option eq 'j' or $option eq 'g' ) { - $ruleref->{jump} = $option; + $ruleref->{jump} = $jump = $option; $input =~ s/([^\s]+)\s*//; - $ruleref->{target} = $1; + $ruleref->{target} = $target = $1; $option = 'targetopts'; } else { $simple = 0; @@ -782,7 +817,9 @@ sub transform_rule( $ ) { set_rule_option( $ruleref, $option, $params ); } - $ruleref->{simple} = $simple; + if ( ( $ruleref->{simple} = $simple ) && $completeref ) { + $$completeref = 1 if $jump eq 'g' || $terminating{$target}; + } $ruleref; } 
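Review bot: `$dummyrule` is one shared hashref handed back by push_rule, add_rule, add_jump and add_ijump for every rule suppressed on a complete chain, so any caller that writes into the returned ruleref (a comment, origin or similar field) mutates the shared object and that state leaks into every later suppressed rule. If any call site does that, returning a fresh copy, `return { %$dummyrule } if $chainref->{complete};`, or stating in the comment above the declaration that the object is read-only closes that off. The call sites are outside this diff, so confirm whether returned rulerefs are ever modified.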
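Review bot: The %terminating table lists CT, NOTRACK and CLASSIFY, but as far as I recall the kernel's xt_CT and xt_CLASSIFY targets return XT_CONTINUE, so the packet goes on to the next rule; once this table drives the `complete` flag in transform_rule, a simple `-j CT ...` or `-j CLASSIFY ...` at the end of a chain makes every rule appended afterwards disappear silently. If Shorewall never emits rules after those targets, that is a Shorewall-level invariant rather than a netfilter property and should be written above the table, e.g. `# Targets after which Shorewall appends no further rules to the same chain; CT/NOTRACK/CLASSIFY are non-terminating in netfilter itself`; otherwise those entries should come out. The table is also keyed by raw target name, so RETURN counts as terminating for the chain but not for the packet, which any later consumer of %terminating needs to know.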
@@ -992,16 +1029,22 @@ sub add_commands ( $$;@ ) { # sub push_rule( $$ ) { my $chainref = $_[0]; - my $ruleref = transform_rule( $_[1] ); + + return $dummyrule if $chainref->{complete}; + + my $complete = 0; + my $ruleref = transform_rule( $_[1], $complete ); $ruleref->{comment} = "$comment" if $comment; $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel}; push @{$chainref->{rules}}, $ruleref; $chainref->{referenced} = 1; - $chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; + $chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; + $chainref->{complete} = 1 if $complete; + $ruleref; } @@ -1014,6 +1057,7 @@ sub add_trule( $$ ) { assert( reftype $ruleref , $ruleref ); push @{$chainref->{rules}}, $ruleref; $chainref->{referenced} = 1; + $chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; @@ -1109,6 +1153,8 @@ sub add_rule($$;$) { assert( ! reftype $rule , $rule ); + return $dummyrule if $chainref->{complete}; + $iprangematch = 0; # # Pre-processing the port lists as was done in Shorewall-shell results in port-list @@ -1947,6 +1993,8 @@ sub ensure_chain($$) sub add_jump( $$$;$$$ ) { my ( $fromref, $to, $goto_ok, $predicate, $expandports, $index ) = @_; + return $dummyrule if $fromref->{complete}; + $predicate |= ''; my $toref; @@ -1988,6 +2036,7 @@ sub add_jump( $$$;$$$ ) { # sub add_expanded_jump( $$$$ ) { my ( $chainref, $toref, $goto, $rule ) = @_; + return $dummyrule if $chainref->{complete}; our $splitcount = 0; add_jump( $chainref, $toref, $goto, $rule, 1 ); add_reference( $chainref, $toref ) while --$splitcount > 0; 
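Review bot: A rule that push_rule discards because the chain is already `complete` leaves no trace even with $debug set, because the new `return $dummyrule if $chainref->{complete};` sits above the trace() call; for a firewall generator, a silently dropped rule is exactly the event you want to be able to audit when the `complete` flag turns out to be wrong. Log the suppression before returning, e.g. `trace( $chainref, 'S', undef, "-A $chainref->{name} $_[1]" ) if $debug;` (adapt to trace's real signature, which is outside this hunk) or a progress_message at a verbose level. The same applies to the early returns added to add_rule, add_jump and add_expanded_jump below.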
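Review bot: add_trule now sets the optflag for a RETURN target but, unlike push_rule in the hunk above, neither returns early when the chain is `complete` nor marks the chain complete when the rule it appends is a simple -g or jump to a terminating target, so a chain built partly through add_trule can carry rules past a terminating rule or accept rules after one. If that asymmetry is deliberate (add_trule copying already-built rules), a comment saying so would help; otherwise mirror push_rule with `return $dummyrule if $chainref->{complete};` at the top and `$chainref->{complete} = 1 if $ruleref->{simple} && ( ( $ruleref->{jump} || '' ) eq 'g' || $terminating{ $ruleref->{target} || '' } );` after the push. add_trule's header is outside the hunk.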
@@ -1996,7 +2045,10 @@ sub add_expanded_jump( $$$$ ) { sub add_ijump( $$$;@ ) { my ( $fromref, $jump, $to, @matches ) = @_; + return $dummyrule if $fromref->{complete}; + my $toref; + my $ruleref; # # The second argument may be a scalar (chain name or builtin target) or a chain reference # @@ -2017,10 +2069,16 @@ sub add_ijump( $$$;@ ) { $toref->{referenced} = 1; add_reference $fromref, $toref; $jump = 'j' unless have_capability 'GOTO_TARGET'; - push_irule ($fromref, $jump => $to, @matches ); + $ruleref = push_irule ($fromref, $jump => $to, @matches ); } else { - push_irule( $fromref, 'j' => $to, @matches ); + $ruleref = push_irule( $fromref, 'j' => $to, @matches ); } + + if ( $ruleref->{simple} ) { + $fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to}; + } + + $ruleref; } sub insert_ijump( $$$$;@ ) { @@ -2764,7 +2822,7 @@ sub check_optimization( $ ) { # # Perform Optimization # -# When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set. +# When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set. sub optimize_level0() { for my $table ( qw/raw rawpost mangle nat filter/ ) { next if $family == F_IPV6 && $table eq 'nat'; @@ -2834,7 +2892,7 @@ sub optimize_level4( $$ ) { delete_references $chainref; $progress = 1; } - } elsif ( $numrules == 1 ) { + } elsif ( $numrules == 1) { my $firstrule = $chainref->{rules}[0]; # # Chain has a single rule @@ -2859,6 +2917,11 @@ sub optimize_level4( $$ ) { # $chainref->{optflags} |= DONT_OPTIMIZE; } + } elsif ( ( $firstrule->{target} || '' ) eq 'RETURN' ) { + # + # A chain with a single 'RETURN' rule -- get rid of it + # + delete_chain_and_references( $chainref ); } else { # # Replace all references to this chain with references to the target 
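Review bot: Deleting a chain whose only rule is `-j RETURN` together with all references to it is only equivalent for `-j` references; a `-g` (goto) reference to such a chain makes the RETURN pop the caller's frame, so removing that goto rule makes the rest of the calling chain reachable again for packets that previously left it. Unless delete_chain_and_references (outside this hunk) already refuses or rewrites `-g` references, this branch should turn goto references into `-j RETURN` with the same matches rather than deleting them. The branch also does not set `$progress = 1`, although it shortens other chains, so the next pass may not revisit the callers that just lost a rule.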
@@ -6390,6 +6453,8 @@ sub expand_rule( $$$$$$$$$$;$ ) $logname, # Name of chain to name in log messages ) = @_; + return '' if $chainref->{complete}; + my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = ( '', '', '', '', '', '', '', '', '', '' ); my $chain = $chainref->{name}; From 011dd2c90118817c3e1b20b7c222308e23d2f09f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 8 Jan 2013 15:25:53 -0800 Subject: [PATCH 2/8] Add a RETURNS flag to optflags indicating that there is RETURN in the chain. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 8 ++++---- Shorewall/Perl/Shorewall/Nat.pm | 2 -- Shorewall/Perl/Shorewall/Rules.pm | 2 -- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 6cafe3223..71049e53a 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -407,7 +407,7 @@ use constant { use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }; -use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 }; +use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 }; our %dscpmap = ( CS0 => 0x00, CS1 => 0x08, @@ -1040,7 +1040,7 @@ sub push_rule( $$ ) { push @{$chainref->{rules}}, $ruleref; $chainref->{referenced} = 1; - $chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; + $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; $chainref->{complete} = 1 if $complete; 
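Review bot: `RETURNS_DONT_MOVE => 12` is a hand-computed composite; if DONT_MOVE or RETURNS is ever renumbered the constant silently stops meaning what its name says. Define it from its parts the way the file already does for OPTIMIZE_MASK in the context above: `use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8 };` followed by `use constant { RETURNS_DONT_MOVE => DONT_MOVE | RETURNS };` (a second `use constant` is needed because constants in one block cannot refer to each other).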
@@ -1057,7 +1057,7 @@ sub add_trule( $$ ) { assert( reftype $ruleref , $ruleref ); push @{$chainref->{rules}}, $ruleref; $chainref->{referenced} = 1; - $chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; + $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; @@ -1237,7 +1237,7 @@ sub push_irule( $$$;@ ) { if ( $jump ) { $ruleref->{jump} = $jump; $ruleref->{target} = $target; - $chainref->{optflags} |= DONT_MOVE if $target eq 'RETURN'; + $chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN'; $ruleref->{targetopts} = $targetopts if $targetopts; } else { $ruleref->{target} = ''; diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index d9730e1d7..2c5a6b4c1 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -724,8 +724,6 @@ sub handle_nonat_rule( $$$$$$$$$$ ) { } } - set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN'; - expand_rule( $nonat_chain , PREROUTE_RESTRICT , $rule , diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 122535d2a..95c0a1f47 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2475,8 +2475,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { if ( $actiontype & ACTION ) { $action = $usedactions{$normalized_target}{name}; $loglevel = ''; - } else { - set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN'; } if ( $origdest ) { From 1fd3a6a5221cc8ba6af41075f82cfcf1532b04df Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 8 Jan 2013 16:32:24 -0800 Subject: [PATCH 3/8] Detect terminating chains - no RETURN Rules - last rule is terminating Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 185 +++++++++++++++-------------- 1 file changed, 98 insertions(+), 87 deletions(-) 
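Review bot: Removing `set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN'` drops DONT_OPTIMIZE, and the replacement path (RETURNS_DONT_MOVE in push_rule, add_trule and push_irule) does not restore it, so a chain containing a RETURN is now eligible for optimize_level4. For a chain whose single rule is `-p tcp -j RETURN`, the `replace_references1` branch would move that rule into each caller, where RETURN pops the caller's frame instead of the chain's and the caller's remaining rules are skipped for matching packets. Unless replace_references1 and conditionally_copy_rules (outside this diff) already refuse chains carrying DONT_MOVE or RETURNS, that branch needs a guard such as `if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} || $chainref->{optflags} & RETURNS )`. The same applies to the Nat.pm hunk above.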
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 71049e53a..1f1fa5c08 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -667,9 +667,7 @@ sub initialize( $$$ ) { %isocodes = (); %nfobjects = (); %switches = (); - # - # Initialize this here so we can make it dynamic without moving the initialization - # + %terminating = ( ACCEPT => 1, DROP => 1, RETURN => 1, @@ -2854,6 +2852,7 @@ sub optimize_level4( $$ ) { # The search continues until no short chains remain # Chains with 'DONT_OPTIMIZE' are exempted from optimization # + while ( $progress ) { $progress = 0; $passes++; 
@@ -2892,100 +2891,112 @@ sub optimize_level4( $$ ) { delete_references $chainref; $progress = 1; } - } elsif ( $numrules == 1) { - my $firstrule = $chainref->{rules}[0]; - # - # Chain has a single rule - # - if ( $firstrule ->{simple} ) { - # - # Easy case -- the rule is a simple jump - # - if ( $chainref->{builtin} ) { - # - # A built-in chain. If the target is a user chain without 'dont_move', - # we can copy its rules to the built-in - # - if ( conditionally_copy_rules $chainref, $firstrule->{target} ) { - # - # Target was a user chain -- rules moved - # - $progress = 1; - } else { - # - # Target was a built-in. Ignore this chain in follow-on passes - # - $chainref->{optflags} |= DONT_OPTIMIZE; - } - } elsif ( ( $firstrule->{target} || '' ) eq 'RETURN' ) { - # - # A chain with a single 'RETURN' rule -- get rid of it - # - delete_chain_and_references( $chainref ); - } else { - # - # Replace all references to this chain with references to the target - # - replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts}; - $progress = 1; - } - } elsif ( $firstrule->{target} ) { - # - # Not so easy -- the rule contains matches - # - if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) { - # - # This case requires a new rule merging algorithm. Ignore this chain for - # now on. - # - $chainref->{optflags} |= DONT_OPTIMIZE; - } else { - # - # Replace references to this chain with the target and add the matches - # - $progress = 1 if replace_references1 $chainref, $firstrule; - } - } } else { # - # Chain has more than one rule. If the last rule is a simple jump, then delete - # all immediately preceding rules that have the same target + # The chain has rules -- determine if it is terminating # - my $rulesref = $chainref->{rules}; - my $lastref = $rulesref->[-1]; + my $name = $chainref->{name}; + my $lastref = $chainref->{rules}[-1]; - if ( $lastref->{simple} && $lastref->{target} && ! 
$lastref->{targetopts} ) { - my $target = $lastref->{target}; - my $count = 0; - my $rule = @$rulesref - 1; + unless ( $terminating{$name} ) { + $progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' ); + } - pop @$rulesref; #Pop the last simple rule + if ( $numrules == 1) { + # + # Chain has a single rule + # + my $firstrule = $lastref; - while ( @$rulesref ) { - my $rule1ref = $rulesref->[-1]; - - last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts}; - - trace ( $chainref, 'D', $rule, $rule1ref ) if $debug; - - pop @$rulesref; - $progress = 1; - $count++; - $rule--; - } - - if ( @$rulesref || ! $chainref->{builtin} || $target !~ /^(?:ACCEPT|DROP|REJECT)$/ ) { - push @$rulesref, $lastref; # Restore the last simple rule - } else { + if ( $firstrule ->{simple} ) { # - #empty builtin chain -- change it's policy + # Easy case -- the rule is a simple jump # - $chainref->{policy} = $target; - trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug; - $count++; + if ( $chainref->{builtin} ) { + # + # A built-in chain. If the target is a user chain without 'dont_move', + # we can copy its rules to the built-in + # + if ( conditionally_copy_rules $chainref, $firstrule->{target} ) { + # + # Target was a user chain -- rules moved + # + $progress = 1; + } else { + # + # Target was a built-in. Ignore this chain in follow-on passes + # + $chainref->{optflags} |= DONT_OPTIMIZE; + } + } elsif ( ( $firstrule->{target} || '' ) eq 'RETURN' ) { + # + # A chain with a single 'RETURN' rule -- get rid of it + # + delete_chain_and_references( $chainref ); + } else { + # + # Replace all references to this chain with references to the target + # + replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts}; + $progress = 1; + } + } elsif ( $firstrule->{target} ) { + # + # Not so easy -- the rule contains matches + # + if ( $chainref->{builtin} || ! 
$globals{KLUDGEFREE} || $firstrule->{policy} ) { + # + # This case requires a new rule merging algorithm. Ignore this chain for + # now on. + # + $chainref->{optflags} |= DONT_OPTIMIZE; + } else { + # + # Replace references to this chain with the target and add the matches + # + $progress = 1 if replace_references1 $chainref, $firstrule; + } } + } else { + # + # Chain has more than one rule. If the last rule is a simple jump, then delete + # all immediately preceding rules that have the same target + # + my $rulesref = $chainref->{rules}; - progress_message " $count $target rules deleted from chain $chainref->{name}" if $count; + if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) { + my $target = $lastref->{target}; + my $count = 0; + my $rule = @$rulesref - 1; + + pop @$rulesref; #Pop the last simple rule + + while ( @$rulesref ) { + my $rule1ref = $rulesref->[-1]; + + last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts}; + + trace ( $chainref, 'D', $rule, $rule1ref ) if $debug; + + pop @$rulesref; + $progress = 1; + $count++; + $rule--; + } + + if ( @$rulesref || ! $chainref->{builtin} || $target !~ /^(?:ACCEPT|DROP|REJECT)$/ ) { + push @$rulesref, $lastref; # Restore the last simple rule + } else { + # + #empty builtin chain -- change it's policy + # + $chainref->{policy} = $target; + trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug; + $count++; + } + + progress_message " $count $target rules deleted from chain $name" if $count; + } } } } From 975fb8992ef7255f1570d0ef6a926ac5101023e1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 9 Jan 2013 08:00:59 -0800 Subject: [PATCH 4/8] Add warnings about line continuation vs. comments Signed-off-by: Tom Eastep --- docs/configuration_file_basics.xml | 32 +++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index dfef73b20..fc70b3f45 100644 
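Review bot: The new terminating-chain test `$terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' )` looks only at the last rule's target and never at `$lastref->{simple}`, so a chain ending in `-p tcp -j DROP` is recorded as terminating although non-TCP packets fall off its end and return to the caller; push_rule and add_ijump in the first patch do require `simple` for the same decision. Because a wrong entry propagates to every chain that ends with a simple jump to it, and through `complete` means later rules are discarded, the test should be `$lastref->{simple} && ( $terminating{ $lastref->{target} || '' } || ( $lastref->{jump} || '' ) eq 'g' )`. Separately, the re-indented `trace( $chainref, 'P', undef, 'ACCEPT' )` reports ACCEPT while the policy being set is `$target`, which may be DROP or REJECT; passing `$target` there keeps the debug trace honest.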
--- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -142,10 +142,16 @@ - /etc/shorewall/blacklist - lists + /etc/shorewall/blacklist - Deprecated in + favor of /etc/shorewall/blrules. Lists blacklisted IP/subnet/MAC addresses. + + /etc/shorewall/blrules — Added in + Shorewall 4.5.0. Define blacklisting and whitelisting. + + /etc/shorewall/init - commands that you wish to execute at the beginning of a shorewall start @@ -258,6 +264,11 @@ start/restart when LOAD_HELPERS_ONLY=Yes in shorewall.conf. + + + /usr/share/arprules — Added in Shorewall + 4.5.12. Allows specification of arptables rules. + If you need to change a file in @@ -297,6 +308,12 @@ # This is a comment ACCEPT net $FW tcp www #This is an end-of-line comment + + + If a comment ends with a backslash ("\"), the next line will also + be treated as a comment. See Line + Continuation below. +
@@ -516,6 +533,19 @@ ACCEPT net:\ continuation line does not end with a comma or colon, the leading white space in the last line is not ignored. + + + A trailing backslash is not ignored in a comment. So the continued + rule above can be commented out with a single '#' as follows: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +#ACCEPT net:\ + 206.124.146.177,\ + 206.124.146.178,\ + 206.124.146.180\ + dmz tcp 873 +
From 199bce925f9b174406c97a25b39130ae300f33da Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 9 Jan 2013 12:54:29 -0800 Subject: [PATCH 5/8] Don't add chains with RETURNs to %terminating. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 1f1fa5c08..f16b53fca 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2898,7 +2898,7 @@ sub optimize_level4( $$ ) { my $name = $chainref->{name}; my $lastref = $chainref->{rules}[-1]; - unless ( $terminating{$name} ) { + unless ( $chainref->{optflags} & RETURNS || $terminating{$name} ) { $progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' ); } From 15ca9edf8ae81f547f7aaaa7a7795c45719cf580 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 9 Jan 2013 14:09:07 -0800 Subject: [PATCH 6/8] Allow delete_tc1() to work on devices which an @ suffix in their reported names. Signed-off-by: Tom Eastep --- Shorewall/Perl/lib.core | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/lib.core b/Shorewall/Perl/lib.core index 9d48337a2..923806a87 100644 --- a/Shorewall/Perl/lib.core +++ b/Shorewall/Perl/lib.core @@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message delete_tc1() { clear_one_tc() { - $TC qdisc del dev $1 root 2> /dev/null - $TC qdisc del dev $1 ingress 2> /dev/null + $TC qdisc del dev ${1%@*} root 2> /dev/null + $TC qdisc del dev ${1%@*} ingress 2> /dev/null } From f41b2fbffc4bd1a5f41d8186a9259479913c0c66 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 9 Jan 2013 16:22:38 -0800 Subject: [PATCH 7/8] Clarify the LENGTH column of the tcrules file. 
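Review bot: `${1%@*}` is left unquoted in both `$TC qdisc del dev ${1%@*} root` lines, so an interface name containing glob characters (which Linux permits) would be expanded before reaching tc; writing `"${1%@*}"` costs nothing and keeps the argument intact. The commit message is the only place that explains the `@` suffix, so a one-line comment above clear_one_tc, e.g. `# strip the '@parent' suffix that ip link appends to some reported device names`, would tell the next reader why the substitution exists. delete_tc1 continues outside this hunk.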
Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-tcrules.xml | 8 ++++---- Shorewall6/manpages/shorewall6-tcrules.xml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index a6bc173fa..a2f8d4aa0 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml +++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -1051,10 +1051,10 @@ Normal-Service => 0x00 role="bold">:[max]] - Optional - packet Length. This field, if present allow you to - match the length of a packet against a specific value or range of - values. You must have iptables length support for this to work. A - range is specified in the form + Optional - packet payload length. This field, if present allow + you to match the length of a packet payload (Layer 4 data ) against + a specific value or range of values. You must have iptables length + support for this to work. A range is specified in the form min:max where either min or max (but not both) may be omitted. If min is omitted, then 0 is diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index c545b3695..6ac580ee4 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -913,10 +913,10 @@ Normal-Service => 0x00 role="bold">:[max]] - Optional packet Length. This field, if present allow you to - match the length of a packet against a specific value or range of - values. You must have ip6tables length support for this to work. A - range is specified in the form + Optional - packet payload length. This field, if present allow + you to match the length of a packet payload (Layer 4 data ) against + a specific value or range of values. You must have iptables length + support for this to work. A range is specified in the form min:max where either min or max (but not both) may be omitted. If min is omitted, then 0 is 
From 76a63fb7e8dc6d90f1cba5637f112660b52e4058 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 10 Jan 2013 17:14:40 -0800 Subject: [PATCH 8/8] Don't flush 'noarp' ARP entries = doing so kills the loopback interface Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/ARP.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/ARP.pm b/Shorewall/Perl/Shorewall/ARP.pm index 1fcad2c62..77f6457e3 100644 --- a/Shorewall/Perl/Shorewall/ARP.pm +++ b/Shorewall/Perl/Shorewall/ARP.pm @@ -278,7 +278,7 @@ sub create_arptables_load( $ ) { 'if [ $? != 0 ]; then', qq( fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"), "fi\n", - "run_ip neigh flush nud noarp nud stale nud reachable\n", + "run_ip neigh flush nud stale nud reachable\n", ); pop_indent;
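Review bot: The reason `nud noarp` was dropped from the flush lives only in the commit message, so the next person tuning this line will not know that flushing noarp entries takes out the loopback interface. Add a comment next to the emitted string, e.g. `# Do not flush 'nud noarp' entries -- doing so breaks the loopback interface`, so the constraint is visible in the code. Flushing `stale` and `reachable` entries on every arptables load still forces every peer to be re-resolved, which is worth a second comment confirming that is intended. create_arptables_load starts outside this hunk.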