Deimplement original 'netnotsyn' handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-22 23:53:30 +01:00 · 2005-10-01 15:55:41 +00:00 · 2005-10-01 15:55:41 +00:00 · 2b6a9bb843
commit 2b6a9bb843
parent 314b4ffd36
7 changed files with 32 additions and 143 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -8,6 +8,8 @@ Changes in 2.5.7

 4) Rename 'plain' to 'ipv4'

+5) Deimplement NEWNOTSYN
+
 Changes in 2.5.6

 1) Finish install/fallback cleanup.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -243,8 +243,6 @@ finish_chain_section() # $1 = canonical chain $2 = state list
    [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT

    if list_search RELATED $(separate_list $2) ; then
-	[ -z "$NEWNOTSYN" ]  && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
-
 	if is_policy_chain $1 ; then
 	    if eval test -n \"\$${1}_synparams\" ; then
 		if [ $SECTION = DONE ]; then
@ -295,7 +293,7 @@ finish_section() # $1 = Section(s)
 # variable exists_${1} and set its value to Yes to indicate that the chain now
 # exists.
 #
-createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
+createchain() # $1 = chain name, $2 = If "yes", do section-end processing
 {
    local c=$(chain_base $1)

@ -310,9 +308,6 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
 		finish_chain_section $1 ESTABLISHED
 		;;
 	esac
-
-	[ -z "$NEWNOTSYN" ] && \
-	    run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
    fi

    eval exists_${c}=Yes
@ -1167,7 +1162,7 @@ validate_interfaces_file() {
 	    case $option in
 		-)
 		    ;;
-		dhcp|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
+		dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
 		    ;;
 		norfc1918)
 		    addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
@ -1483,7 +1478,7 @@ validate_hosts_file() {

 	   for option in $(separate_list $options) ; do
 	       case $option in
-		   maclist|norfc1918|blacklist|tcpflags|nosmurfs|newnotsyn|-)
+		   maclist|norfc1918|blacklist|tcpflags|nosmurfs|-)
 		       ;;
 		   ipsec)
 		       [ -n "$POLICY_MATCH" ] || \
@ -4546,7 +4541,7 @@ map_old_action() # $1 = Potential Old Action
 #
 process_actions1() {

-    ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
+    ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"

    USEDACTIONS=

@ -4787,15 +4782,6 @@ process_actions3() {
 		    fi
 		fi
 		;;
-	    dropNonSyn)
-		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
-
-		if [ "$COMMAND" != check ]; then
-		    [ -n "$xlevel" ] && \
-			log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
-		    run_iptables -A $xchain -p tcp ! --syn -j DROP
-		fi
-		;;
 	    dropNotSyn)
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
@ -7408,30 +7394,6 @@ initialize_netfilter () {

    [ -f $accounting_file ] && setup_accounting $accounting_file

-    if [ -z "$NEWNOTSYN" ]; then
-	createchain newnotsyn no
-
-	for host in $(find_hosts_by_option newnotsyn); do
-	    ipsec=${host%^*}
-	    host=${host#*^}
-	    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
-	    interface=${host%%:*}
-	    network=${host#*:}
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -j RETURN
-	done
-
-	run_user_exit newnotsyn
-
-	if [ -n "$LOGNEWNOTSYN" ]; then
-	    log_rule $LOGNEWNOTSYN newnotsyn DROP
-	fi
-
-	run_iptables -A newnotsyn -j DROP
-    fi
-
    createchain reject	no
    createchain dynamic no
    createchain smurfs no
@ -8857,8 +8819,6 @@ do_initialize() {
    LOG_MARTIANS=
    DETECT_DNAT_IPADDRS=
    MUTEX_TIMEOUT=
-    NEWNOTSYN=
-    LOGNEWNOTSYN=
    FORWARDPING=
    MACLIST_DISPOSITION=
    MACLIST_LOG_LEVEL=
@ -9017,8 +8977,6 @@ do_initialize() {
    [ -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is no longer supported"

-    NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN)
-
    maclist_target=reject

    if [ -n "$MACLIST_DISPOSITION" ] ; then
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
@ -89,7 +89,7 @@
 #
 #			blacklist    - This option only makes sense for ports
 #				       on a bridge.
-# 
+#
 #				       Check packets arriving on this port
 #				       against the /etc/shorewall/blacklist
 #				       file.
@ -105,7 +105,7 @@
 #
 #			nosmurfs     - This option only makes sense for ports
 #				       on a bridge.
-#				
+#
 #				       Filter packets for smurfs
 #				       (packets with a broadcast
 #				       address as the source).
@ -115,16 +115,6 @@
 #				       shorewall.conf. After logging, the
 #				       packets are dropped.
 #
-#			newnotsyn    - TCP packets that don't have the SYN
-#				       flag set and which are not part of an
-#				       established connection will be accepted
-#				       from these hosts, even if
-#				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf.
-#
-#				       This option has no effect if
-#				       NEWNOTSYN=Yes.
-#
 #			ipsec	     - The zone is accessed via a
 #				       kernel 2.6 ipsec SA. Note that if the
 #				       zone named in the ZONE column is
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@ -113,27 +113,6 @@
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-#			newnotsyn    - TCP packets that don't have the SYN
-#				       flag set and which are not part of an
-#				       established connection will be accepted
-#				       from this interface, even if
-#				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this
-#				       interface are processed as if
-#				       NEWNOTSYN=Yes had been specified in
-#					/etc/shorewall/shorewall.conf.
-#
-#				       This option has no effect if
-#				       NEWNOTSYN=Yes.
-#
-#				       It is the opinion of the author that
-#				       NEWNOTSYN=No creates more problems than
-#				       it solves and I recommend against using
-#				       that setting in shorewall.conf (hence
-#				       making the use of the 'newnotsyn'
-#				       interface option unnecessary).
-#
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow
 #				       filtering traffic arriving on this
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -20,6 +20,11 @@ New Features in 2.5.7:
   "IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC",
   "ipsec4" and "IPSEC4" are recognized synonyms for "ipsec".

+3) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
+   removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
+   and /etc/shorewall/hosts. See the Migration Considerations for
+   instructions if you wish to block "new-not-syn" TCP packets.
+
 Migration Considerations:

 1) The "monitor" command has been eliminated.
@ -200,6 +205,23 @@ Migration Considerations:
    scripts like WonderShaper should see no change provided that
    execute permission is placed on /etc/shorewall/tcstart.

+11) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been
+    removed as have the 'newnotsyn' options in /etc/shorewall/interfaces
+    and /etc/shorewall/hosts.
+
+    TCP new-not-syn packets may be blocked using the 'dropNonSyn' or
+    'rejNonSyn' built-in actions.
+
+    Example: Reject all new-not-syn packets from the net and log them at
+             the 'info' level.
+
+	#ACTION          SOURCE           DEST           PROTO
+	SECTION NEW
+	rejNonSyn:info   net              all            tcp
+
+    Note that the rule is added at the front of the NEW section of the
+    rules file.
+
 New Features in Shorewall 2.5.*

 1) Error and warning messages are made easier to spot by using
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -165,23 +165,6 @@ LOGALLNEW=

 BLACKLIST_LOGLEVEL=

-#
-# LOGGING 'New not SYN' rejects
-#
-# This variable only has an effect when NEWNOTSYN=No (see below).
-#
-# When a TCP packet that does not have the SYN flag set and the ACK and RST
-# flags clear then unless the packet is part of an established connection,
-# it will be rejected by the firewall. If you want these rejects logged,
-# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-# Example: LOGNEWNOTSYN=debug
-#
-
-LOGNEWNOTSYN=info
-
 #
 # MAC List Log Level
 #
@ -558,52 +541,6 @@ DETECT_DNAT_IPADDRS=No

 MUTEX_TIMEOUT=60

-#
-# NEWNOTSYN
-#
-# TCP connections are established using the familiar three-way "handshake":
-#
-#	CLIENT			SERVER
-#
-#	SYN-------------------->
-#	     <------------------SYN,ACK
-#	ACK-------------------->
-#
-# The first packet in that exchange (packet with the SYN flag on and the ACK
-# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
-# A packet is said to be NEW if it is not part of or related to an already
-# established connection.
-#
-# The NEWNOTSYN option determines the handling of non-SYN packets (those with
-# SYN off or with ACK or RST on) that are not associated with an already
-# established connection.
-#
-# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection will be dropped by the
-# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
-# logged before they are dropped.
-#
-# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
-# dropped but will pass through the normal rule/policy processing.
-#
-# Users with a High-availability setup with two firewall's and one acting
-# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
-# also need to select NEWNOTSYN=Yes.
-#
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
-# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
-# network or host basis using the same option in /etc/shorewall/hosts.
-#
-# I find that NEWNOTSYN=No tends to result in lots of "stuck"
-# connections because any network timeout during TCP session tear down
-# results in retries being dropped (Netfilter has removed the
-# connection from the conntrack table but the end-points haven't
-# completed shutting down the connection).  I therefore have chosen
-# NEWNOTSYN=Yes as the default value.
-#
-
-NEWNOTSYN=Yes
-
 #
 # FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
 #
--- a/Shorewall/tcstart
+++ b/Shorewall/tcstart
@ -2,6 +2,7 @@

 # tcstart from tc4shorewall       Version 0.5
 # (c) 2005 Arne Bernin <arne@ucbering.de>
+# Modified by Tom Eastep for integration into the Shorewall distribution
 # published under GPL Version 2

 created_tmp_dir=
@ -86,7 +87,7 @@ setup_traffic_shaping()
 	fi
    }

-	# get given outbandwidth for device
+    # get given outbandwidth for device
    get_outband_for_dev() {
 	local device inband outband
 	while read device inband outband; do