Merge branch '4.5.12'

Conflicts:
	Shorewall/Perl/Shorewall/Chains.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-10 17:21:02 -08:00
commit 20b551a1da
8 changed files with 148 additions and 107 deletions

View File

@ -278,7 +278,7 @@ sub create_arptables_load( $ ) {
'if [ $? != 0 ]; then', 'if [ $? != 0 ]; then',
qq( fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"), qq( fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
"fi\n", "fi\n",
"run_ip neigh flush nud noarp nud stale nud reachable\n", "run_ip neigh flush nud stale nud reachable\n",
); );
pop_indent; pop_indent;

View File

@ -407,7 +407,7 @@ use constant {
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }; use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 }; use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00, our %dscpmap = ( CS0 => 0x00,
CS1 => 0x08, CS1 => 0x08,
@ -462,6 +462,9 @@ use constant { NULL_MODE => 0 , # Emitting neither shell commands nor iptables
CMD_MODE => 2 }; # Emitting shell commands. CMD_MODE => 2 }; # Emitting shell commands.
our $mode; our $mode;
#
# A reference to this rule is returned when we try to push a rule onto a 'complete' chain
#
our $dummyrule = { simple => 1, mode => CAT_MODE }; our $dummyrule = { simple => 1, mode => CAT_MODE };
# #
@ -664,9 +667,7 @@ sub initialize( $$$ ) {
%isocodes = (); %isocodes = ();
%nfobjects = (); %nfobjects = ();
%switches = (); %switches = ();
#
# Initialize this here so we can make it dynamic without moving the initialization
#
%terminating = ( ACCEPT => 1, %terminating = ( ACCEPT => 1,
DROP => 1, DROP => 1,
RETURN => 1, RETURN => 1,
@ -680,6 +681,7 @@ sub initialize( $$$ ) {
NOTRACK => 1, NOTRACK => 1,
REDIRECT => 1, REDIRECT => 1,
RAWDNAT => 1, RAWDNAT => 1,
RAWSNAT => 1,
REJECT => 1, REJECT => 1,
SAME => 1, SAME => 1,
SNAT => 1, SNAT => 1,
@ -1036,7 +1038,7 @@ sub push_rule( $$ ) {
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;
$chainref->{complete} = 1 if $complete; $chainref->{complete} = 1 if $complete;
@ -1053,7 +1055,7 @@ sub add_trule( $$ ) {
assert( reftype $ruleref , $ruleref ); assert( reftype $ruleref , $ruleref );
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug;
@ -1233,7 +1235,7 @@ sub push_irule( $$$;@ ) {
if ( $jump ) { if ( $jump ) {
$ruleref->{jump} = $jump; $ruleref->{jump} = $jump;
$ruleref->{target} = $target; $ruleref->{target} = $target;
$chainref->{optflags} |= DONT_MOVE if $target eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
$ruleref->{targetopts} = $targetopts if $targetopts; $ruleref->{targetopts} = $targetopts if $targetopts;
} else { } else {
$ruleref->{target} = ''; $ruleref->{target} = '';
@ -2850,6 +2852,7 @@ sub optimize_level4( $$ ) {
# The search continues until no short chains remain # The search continues until no short chains remain
# Chains with 'DONT_OPTIMIZE' are exempted from optimization # Chains with 'DONT_OPTIMIZE' are exempted from optimization
# #
while ( $progress ) { while ( $progress ) {
$progress = 0; $progress = 0;
$passes++; $passes++;
@ -2888,100 +2891,112 @@ sub optimize_level4( $$ ) {
delete_references $chainref; delete_references $chainref;
$progress = 1; $progress = 1;
} }
} elsif ( $numrules == 1) {
my $firstrule = $chainref->{rules}[0];
#
# Chain has a single rule
#
if ( $firstrule ->{simple} ) {
#
# Easy case -- the rule is a simple jump
#
if ( $chainref->{builtin} ) {
#
# A built-in chain. If the target is a user chain without 'dont_move',
# we can copy its rules to the built-in
#
if ( conditionally_copy_rules $chainref, $firstrule->{target} ) {
#
# Target was a user chain -- rules moved
#
$progress = 1;
} else {
#
# Target was a built-in. Ignore this chain in follow-on passes
#
$chainref->{optflags} |= DONT_OPTIMIZE;
}
} elsif ( ( $firstrule->{target} || '' ) eq 'RETURN' ) {
#
# A chain with a single 'RETURN' rule -- get rid of it
#
delete_chain_and_references( $chainref );
} else {
#
# Replace all references to this chain with references to the target
#
replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts};
$progress = 1;
}
} elsif ( $firstrule->{target} ) {
#
# Not so easy -- the rule contains matches
#
if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
#
# This case requires a new rule merging algorithm. Ignore this chain for
# now on.
#
$chainref->{optflags} |= DONT_OPTIMIZE;
} else {
#
# Replace references to this chain with the target and add the matches
#
$progress = 1 if replace_references1 $chainref, $firstrule;
}
}
} else { } else {
# #
# Chain has more than one rule. If the last rule is a simple jump, then delete # The chain has rules -- determine if it is terminating
# all immediately preceding rules that have the same target
# #
my $rulesref = $chainref->{rules}; my $name = $chainref->{name};
my $lastref = $rulesref->[-1]; my $lastref = $chainref->{rules}[-1];
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) { unless ( $chainref->{optflags} & RETURNS || $terminating{$name} ) {
my $target = $lastref->{target}; $progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' );
my $count = 0; }
my $rule = @$rulesref - 1;
pop @$rulesref; #Pop the last simple rule if ( $numrules == 1) {
#
# Chain has a single rule
#
my $firstrule = $lastref;
while ( @$rulesref ) { if ( $firstrule ->{simple} ) {
my $rule1ref = $rulesref->[-1];
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
trace ( $chainref, 'D', $rule, $rule1ref ) if $debug;
pop @$rulesref;
$progress = 1;
$count++;
$rule--;
}
if ( @$rulesref || ! $chainref->{builtin} || $target !~ /^(?:ACCEPT|DROP|REJECT)$/ ) {
push @$rulesref, $lastref; # Restore the last simple rule
} else {
# #
#empty builtin chain -- change it's policy # Easy case -- the rule is a simple jump
# #
$chainref->{policy} = $target; if ( $chainref->{builtin} ) {
trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug; #
$count++; # A built-in chain. If the target is a user chain without 'dont_move',
# we can copy its rules to the built-in
#
if ( conditionally_copy_rules $chainref, $firstrule->{target} ) {
#
# Target was a user chain -- rules moved
#
$progress = 1;
} else {
#
# Target was a built-in. Ignore this chain in follow-on passes
#
$chainref->{optflags} |= DONT_OPTIMIZE;
}
} elsif ( ( $firstrule->{target} || '' ) eq 'RETURN' ) {
#
# A chain with a single 'RETURN' rule -- get rid of it
#
delete_chain_and_references( $chainref );
} else {
#
# Replace all references to this chain with references to the target
#
replace_references $chainref, $firstrule->{target}, $firstrule->{targetopts};
$progress = 1;
}
} elsif ( $firstrule->{target} ) {
#
# Not so easy -- the rule contains matches
#
if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
#
# This case requires a new rule merging algorithm. Ignore this chain for
# now on.
#
$chainref->{optflags} |= DONT_OPTIMIZE;
} else {
#
# Replace references to this chain with the target and add the matches
#
$progress = 1 if replace_references1 $chainref, $firstrule;
}
} }
} else {
#
# Chain has more than one rule. If the last rule is a simple jump, then delete
# all immediately preceding rules that have the same target
#
my $rulesref = $chainref->{rules};
progress_message " $count $target rules deleted from chain $chainref->{name}" if $count; if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
my $target = $lastref->{target};
my $count = 0;
my $rule = @$rulesref - 1;
pop @$rulesref; #Pop the last simple rule
while ( @$rulesref ) {
my $rule1ref = $rulesref->[-1];
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
trace ( $chainref, 'D', $rule, $rule1ref ) if $debug;
pop @$rulesref;
$progress = 1;
$count++;
$rule--;
}
if ( @$rulesref || ! $chainref->{builtin} || $target !~ /^(?:ACCEPT|DROP|REJECT)$/ ) {
push @$rulesref, $lastref; # Restore the last simple rule
} else {
#
#empty builtin chain -- change it's policy
#
$chainref->{policy} = $target;
trace( $chainref, 'P', undef, 'ACCEPT' ) if $debug;
$count++;
}
progress_message " $count $target rules deleted from chain $name" if $count;
}
} }
} }
} }

View File

@ -724,8 +724,6 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
} }
} }
set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
expand_rule( $nonat_chain , expand_rule( $nonat_chain ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,

View File

@ -2475,8 +2475,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
$action = $usedactions{$normalized_target}{name}; $action = $usedactions{$normalized_target}{name};
$loglevel = ''; $loglevel = '';
} else {
set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
} }
if ( $origdest ) { if ( $origdest ) {

View File

@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
delete_tc1() delete_tc1()
{ {
clear_one_tc() { clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null $TC qdisc del dev ${1%@*} root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null $TC qdisc del dev ${1%@*} ingress 2> /dev/null
} }

View File

@ -1051,10 +1051,10 @@ Normal-Service =&gt; 0x00</programlisting>
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term> role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
<listitem> <listitem>
<para>Optional - packet Length. This field, if present allow you to <para>Optional - packet payload length. This field, if present allow
match the length of a packet against a specific value or range of you to match the length of a packet payload (Layer 4 data ) against
values. You must have iptables length support for this to work. A a specific value or range of values. You must have iptables length
range is specified in the form support for this to work. A range is specified in the form
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both) <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is

View File

@ -913,10 +913,10 @@ Normal-Service =&gt; 0x00</programlisting>
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term> role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
<listitem> <listitem>
<para>Optional packet Length. This field, if present allow you to <para>Optional - packet payload length. This field, if present allow
match the length of a packet against a specific value or range of you to match the length of a packet payload (Layer 4 data ) against
values. You must have ip6tables length support for this to work. A a specific value or range of values. You must have iptables length
range is specified in the form support for this to work. A range is specified in the form
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both) <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is

View File

@ -142,10 +142,16 @@
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/blacklist</filename> - lists <para><filename>/etc/shorewall/blacklist</filename> - Deprecated in
favor of <filename>/etc/shorewall/blrules</filename>. Lists
blacklisted IP/subnet/MAC addresses.</para> blacklisted IP/subnet/MAC addresses.</para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/blrules</filename> — Added in
Shorewall 4.5.0. Define blacklisting and whitelisting.</para>
</listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/init</filename> - commands that you <para><filename>/etc/shorewall/init</filename> - commands that you
wish to execute at the beginning of a <quote>shorewall start</quote> wish to execute at the beginning of a <quote>shorewall start</quote>
@ -258,6 +264,11 @@
start/restart when LOAD_HELPERS_ONLY=Yes in start/restart when LOAD_HELPERS_ONLY=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</listitem> </listitem>
<listitem>
<para><filename>/usr/share/arprules</filename> — Added in Shorewall
4.5.12. Allows specification of arptables rules.</para>
</listitem>
</itemizedlist></para> </itemizedlist></para>
<para><emphasis role="bold">If you need to change a file in <para><emphasis role="bold">If you need to change a file in
@ -297,6 +308,12 @@
<programlisting># This is a comment <programlisting># This is a comment
ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting> ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting>
</example> </example>
<important>
<para>If a comment ends with a backslash ("\"), the next line will also
be treated as a comment. See <link linkend="Continuation">Line
Continuation</link> below.</para>
</important>
</section> </section>
<section id="Names"> <section id="Names">
@ -516,6 +533,19 @@ ACCEPT net:\
continuation line does not end with a comma or colon, the leading white continuation line does not end with a comma or colon, the leading white
space in the last line is not ignored.</para> space in the last line is not ignored.</para>
</example> </example>
<important>
<para>A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<emphasis role="bold">#</emphasis>ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873</programlisting>
</important>
</section> </section>
<section id="Pairs"> <section id="Pairs">