From 384c179dd6aecc79d0644a772ae055a7c90b5e42 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Mar 2013 06:12:43 -0800
Subject: [PATCH 01/10] Avoid duplicate echo command in generated script.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 233cf42dc..41c6a5ada 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -867,7 +867,6 @@ CEOF
 emit "fi\n";
 } else {
- emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 emit( qq(progress_message "Provider $table ($number) Started") );
 }

From e12bc47546c639a89d7aafc3ef427419ba4e3fc9 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Mar 2013 07:03:41 -0800
Subject: [PATCH 02/10] Remove duplicate interface names in generated case statement.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 41c6a5ada..c419fcfe6 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -221,10 +221,21 @@ sub copy_and_edit_table( $$$$ ) {
 my ( $duplicate, $number, $copy, $realm) = @_;
 my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
+ my %copied;
+ my @copy;
+ #
+ # Remove duplicates
+ #
+ for ( split ',', $copy ) {
+ unless ( $copied{$_} ) {
+ push @copy, $_;
+ $copied{$_} = 1;
+ }
+ }
 #
 # Map physical names in $copy to logical names
 #
- $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+ $copy = join( '|' , map( physical_name($_) , @copy ) );
 #
 # Shell and iptables use a different wildcard character
 #

From ec5e1b54c15e5a39c7c02f97938d6ca3f59da4e6 Mon Sep 17 00:00:00 2001
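Review bot: The de-duplication loop added to copy_and_edit_table spreads `$_` over two statements and three nesting levels; a named loop variable with the seen-hash used as a counter expresses the same thing in one short body, `for my $name ( split ',', $copy ) { next if $copied{$name}++; push @copy, $name; }`. The entries collected here are later joined into a pattern of the generated shell `case` statement (the `" $copy)"` line appears in a later hunk on this page), so this loop is also the natural place to reject names that are not known interfaces instead of letting them reach physical_name(); patch 07 in this series adds exactly that check inside the same loop. copy_and_edit_table's body continues outside the hunk.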
From: Tom Eastep
Date: Wed, 6 Mar 2013 07:56:42 -0800
Subject: [PATCH 03/10] Correct COPY description in the multi-ISP document.

Signed-off-by: Tom Eastep
---
 docs/MultiISP.xml | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 726b20bd4..ad3b84d5f 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -279,9 +279,10 @@ Gives the name or number of a routing table to duplicate. May be 'main' or the name or number of a previously declared
- provider. For most applications, you want to specify 'main' here.
- This field should be be specified as '-' when USE_DEFAULT_RT=Yes
- in shorewall.conf
+ provider. This field should be be specified as '-' when
+ USE_DEFAULT_RT=Yes in shorewall.conf. When
+ USE_DEFAULT_RT=No (not recommended), this column is normally
+ specified as .
@@ -563,16 +564,12 @@ COPY
- A comma-separated list of interface names. Wildcards
- specified using an asterisk ("*") are permitted (e.g., tun*
- ).
-
- When you specify an existing table in the DUPLICATE column,
- Shorewall copies all routes through the interface specified in the
- INTERFACE column plus the interfaces listed in this column.
- Normally, you will list all interfaces on your firewall in this
- column except those Internet interfaces specified in the INTERFACE
- column of entries in this file.
+ A comma-separated list of other interfaces on your firewall.
+ Wildcards specified using an asterisk ("*") are permitted (e.g.,
+ tun* ). Usually used only when DUPLICATE is .
+ Only copy routes through INTERFACE and through interfaces listed
+ here. If you only wish to copy routes through INTERFACE, enter
+ in this column.
 Beginning with Shorewall 4.4.15, provider routing tables

From 7f2c933cb369384c9bf48c407237ad98415e4b99 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Mar 2013 11:04:23 -0800
Subject: [PATCH 04/10] Copy blackhole routes to secondary tables.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index c419fcfe6..3c5915753 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -269,6 +269,9 @@ sub copy_and_edit_table( $$$$ ) {
 }
 emit ( ' ;;',
+ ' *)',
+ " [ \$net = blackhole ] && run_ip route add table $number \$net \$route $realm",
+ ' ;;',
 ' esac',
 ' ;;',
 ' esac',

From ace9a4910692b9b04132cc4573a491ca3f24eecd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Mar 2013 11:48:09 -0800
Subject: [PATCH 05/10] Allow addition of blackhole routes.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 9 ++++++++-
 Shorewall/manpages/shorewall-routes.xml | 8 ++++++--
 Shorewall6/manpages/shorewall6-routes.xml | 8 ++++++--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 3c5915753..54788c25b 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1104,7 +1104,11 @@ sub add_a_route( ) {
 fatal_error 'DEST must be specified' if $dest eq '-';
 $dest = validate_net ( $dest, 0 );
- validate_address ( $gateway, 1 ) if $gateway ne '-';
+ if ( $gateway eq 'blackhole' ) {
+ fatal_error q('blackhole' routes may not specify a DEVICE) unless $device eq '-';
+ } else {
+ validate_address ( $gateway, 1 ) if $gateway ne '-';
+ }
 my $providerref = $providers{$provider};
 my $number = $providerref->{number};
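Review bot: In the new `*)` branch `$net` is expanded unquoted inside the test, so should the first field of a route line ever be empty the generated script evaluates `[ = blackhole ]`, a shell syntax error rather than a false result; `" [ \"\$net\" = blackhole ] && run_ip route add table $number \$net \$route $realm",` is the robust form. The `test && command` shape also leaves the branch with a non-zero exit status for every non-blackhole route that reaches it, which only matters if the generated script runs under errexit or checks `$?` afterward — not visible here. Patch 06 later in this series moves this logic into the outer case as a dedicated `blackhole)` branch, which removes both concerns. The enclosing case statement and copy_and_edit_table's body extend beyond the hunk.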
@@ -1117,6 +1121,9 @@ sub add_a_route( ) {
 if ( $device ne '-' ) {
 push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
 emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+ } elsif ( $gateway eq 'blackhole' ) {
+ push @$routes, qq(run_ip route add blackhole $dest table $number);
+ emit qq(echo "\$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 } else {
 push @$routes, qq(run_ip route add $dest via $gateway table $number);
 emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
diff --git a/Shorewall/manpages/shorewall-routes.xml b/Shorewall/manpages/shorewall-routes.xml
index e033ffa2d..f8e653a7e 100644
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -53,6 +53,9 @@ If specified, gives the IP address of the gateway to the DEST.
+
+ Beginning with Shorewall 4.5.15, you may specify blackhole in
+ this column to create a route.
@@ -62,8 +65,9 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers
- (5).
+ url="shorewall-providers.html">shorewall-providers (5). This
+ column must be omitted if is specified in
+ the GATEWAY column.
diff --git a/Shorewall6/manpages/shorewall6-routes.xml b/Shorewall6/manpages/shorewall6-routes.xml
index a3077f473..1db3850e4 100644
--- a/Shorewall6/manpages/shorewall6-routes.xml
+++ b/Shorewall6/manpages/shorewall6-routes.xml
@@ -53,6 +53,9 @@ If specified, gives the IP address of the gateway to the DEST.
+
+ Beginning with Shorewall 4.5.15, you may specify blackhole in
+ this column to create a route.
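Review bot: The new blackhole undo line omits the `qt` prefix that the `dev $physical` branch two lines above writes (`echo "qt \$IP -$family route del ..."`), so in `\${VARDIR}/undo_${provider}_routing` the blackhole delete — like the pre-existing `via $gateway table` one below it — runs unwrapped; if `qt` is the quiet wrapper it appears to be, the unwrapped deletes will report an error whenever the route has already been removed. `emit qq(echo "qt \$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;` matches the first branch. The same undo lines are reinstated verbatim by the revert in patch 10, the last hunk on this page, where the inconsistency persists. add_a_route's body starts and ends outside the hunk.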
@@ -62,8 +65,9 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall6-providers
- (5).
+ url="shorewall6-providers.html">shorewall6-providers (5).
+ This column must be omitted if is
+ specified in the GATEWAY column.

From 7da10ff9234dd01ea4d6f6143c719faf1794ebca Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Mar 2013 06:52:16 -0800
Subject: [PATCH 06/10] Additional change to copy blackhole routes.

- Add 'blackhole' to the outer case statement
- Add RFC1918 blackhole routes before starting providers.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 54788c25b..f19f60988 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -252,6 +252,9 @@ sub copy_and_edit_table( $$$$ ) {
 emit ( ' case $net in',
 ' default)',
 ' ;;',
+ ' blackhole)',
+ " run_ip route add table $number blackhole \$route $realm",
+ ' ;;',
 ' *)',
 ' case $(find_device $route) in',
 " $copy)" );
@@ -269,9 +272,6 @@ sub copy_and_edit_table( $$$$ ) {
 }
 emit ( ' ;;',
- ' *)',
- " [ \$net = blackhole ] && run_ip route add table $number \$net \$route $realm",
- ' ;;',
 ' esac',
 ' ;;',
 ' esac',
@@ -1456,6 +1456,8 @@ sub setup_providers() {
 start_providers;
+ setup_null_routing if $config{NULL_ROUTE_RFC1918};
+
 emit '';
 emit "start_$providers{$_}->{what}_$_" for @providers;
@@ -1464,7 +1466,6 @@ sub setup_providers() {
 finish_providers;
- setup_null_routing if $config{NULL_ROUTE_RFC1918};
 emit "\nrun_ip route flush cache";
 pop_indent;

From c4f0be96acbe3b872d7762ea2b8f233b41eb807a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Mar 2013 07:32:56 -0800
Subject: [PATCH 07/10] Require that interfaces in the COPY column be known.
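Review bot: Moving `setup_null_routing if $config{NULL_ROUTE_RFC1918};` ahead of the `start_*` calls in setup_providers introduces an ordering dependency that the code does not state: it presumably only pays off together with the new `blackhole)` branch in copy_and_edit_table (first hunk of this patch), which copies blackhole routes into a provider table at the moment that table is built. A comment above the moved line, such as `# null routes must exist before the providers start so that copy_and_edit_table() can copy them into the provider tables`, would stop a later reorder from silently undoing this fix. setup_providers' body starts and ends outside the hunk.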
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index f19f60988..3262630bb 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -228,6 +228,7 @@ sub copy_and_edit_table( $$$$ ) {
 #
 for ( split ',', $copy ) {
 unless ( $copied{$_} ) {
+ fatal_error "Unknown interface ($_)" unless known_interface($_);
 push @copy, $_;
 $copied{$_} = 1;
 }

From 6f9a1ba29db05606087a004f9ca4ffde177f41db Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Mar 2013 17:18:57 -0800
Subject: [PATCH 08/10] Don't allow routes to be added to non-Provider tables.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 3262630bb..ee7987498 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
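Review bot: `known_interface($_)` is applied to the raw COPY entry before the wildcard translation that copy_and_edit_table performs further down (the "Shell and iptables use a different wildcard character" step seen in patch 02), while the MultiISP.xml change earlier in this series documents wildcard entries such as `tun*` for this column; confirm that known_interface() accepts that form, otherwise an entry that compiled before this patch now aborts with "Unknown interface". The placement inside the `unless ( $copied{$_} )` guard is right, since each distinct name is checked once. With a named loop variable the line would read `fatal_error "Unknown interface ($name)" unless known_interface($name);`. copy_and_edit_table's body continues outside the hunk.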
@@ -1116,23 +1116,19 @@ sub add_a_route( ) {
 my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
 my $routes = $providerref->{routes};
- fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
+ fatal_error "You may not add routes to the $provider table" if $number == UNSPEC_TABLE || $number >= DEFAULT_TABLE;
 if ( $gateway ne '-' ) {
 if ( $device ne '-' ) {
 push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
- emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 } elsif ( $gateway eq 'blackhole' ) {
 push @$routes, qq(run_ip route add blackhole $dest table $number);
- emit qq(echo "\$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 } else {
 push @$routes, qq(run_ip route add $dest via $gateway table $number);
- emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 }
 } else {
 fatal_error "You must specify a device for this route" unless $physical;
 push @$routes, qq(run_ip route add $dest dev $physical table $number);
- emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 }
 progress_message " Route \"$currentline\" $done";

From 8eacbe287bb2d0c6d59be1612ed3417482072671 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Mar 2013 18:11:59 -0800
Subject: [PATCH 09/10] Correction to MULTIPORT patch

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 03efdb744..d7111e597 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4371,7 +4371,7 @@ sub do_iproto( $$$ )
 }
 $ports = validate_port_list $pname , $ports;
- push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
+ push @output, multiport => ( $srcndst ? "${invert}--ports ${ports} " : "${invert}--dports ${ports} " );
 $multiport = 1;
 } else {
 fatal_error "Missing DEST PORT" unless supplied $ports;

From 50030bcc2da262b2bb3c7336d9e7f147ed1ba705 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 8 Mar 2013 06:55:12 -0800
Subject: [PATCH 10/10] Revert "Don't allow routes to be added to non-Provider tables."

This reverts commit 6f9a1ba29db05606087a004f9ca4ffde177f41db.
---
 Shorewall/Perl/Shorewall/Providers.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index ee7987498..3262630bb 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
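Review bot: Nothing in the hunk records why `-m multiport` can be dropped from both arms of the ternary; presumably whatever consumes the `multiport` key pushed onto @output now emits the match-module option itself, but a reader who sees `${invert}--ports` standing alone will be tempted to add it back. A one-line comment above the push, such as `# '-m multiport' is supplied by the consumer of the 'multiport' key in @output`, would record that contract (confirm against that code before wording it as fact). do_iproto's body starts and ends outside the hunk.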
@@ -1116,19 +1116,23 @@ sub add_a_route( ) {
 my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
 my $routes = $providerref->{routes};
- fatal_error "You may not add routes to the $provider table" if $number == UNSPEC_TABLE || $number >= DEFAULT_TABLE;
+ fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
 if ( $gateway ne '-' ) {
 if ( $device ne '-' ) {
 push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
+ emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 } elsif ( $gateway eq 'blackhole' ) {
 push @$routes, qq(run_ip route add blackhole $dest table $number);
+ emit qq(echo "\$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 } else {
 push @$routes, qq(run_ip route add $dest via $gateway table $number);
+ emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 }
 } else {
 fatal_error "You must specify a device for this route" unless $physical;
 push @$routes, qq(run_ip route add $dest dev $physical table $number);
+ emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 }
 progress_message " Route \"$currentline\" $done";