extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-25 12:13:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Back out first round of modularization

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4445 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-08-27 17:27:48 +00:00
parent ed05232184
commit 473f7d7361
16 changed files with 7684 additions and 2793 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/README.txt
View File

@ -1 +1 @@
This is the Shorewall Development 3.3 branch of CVS. This is the Shorewall Stable 3.2 branch of CVS.

350
Shorewall/changelog.txt
View File

@ -1,22 +1,354 @@
Changes in 3.3.0 Changes in 3.2.4
1) Remove dynamic zone capability. 1) Move 'do_initialize()' to functions.
2) Fixed output of 'hits' command under busybox 1.2.0. 2) Move common config file parsing to functions.
3) Remove requirement for extended marks with 'track'. 3) Fix handling of 'start' command with directory name.
4) Fixed output of 'hits' with spaces as delimiters in /etc/services. --------------------------------------------------------------------------------
Changes in 3.2.3
5) Fixed modules/xmodules snafu. 1) Add 'export' command.
6) Correct handling of CONFIG_PATH when EXPORT=Yes. 2) Apply Cedric Schieli's patch for the functions file.
7) Merge shorewall.conf handling changes. 3) Implement TC_EXPERT.
8) Re-implement the 'try' command. 4) Correct 'del_ip_addr' screwup.
5) Make 'detectnets' fatal with default route.
6) Make 'check -e' behave properly with TC
7) Fix SUBSYSLOCK.
8) Fix mss= and the firewall zone.
9) Add Natanael Copa's fix for BusyBox ash.
10) Ensure that interface is UP and configured in multi-ISP 'optional'
detection.
11) Fix "shorewall add" command
12) Fix "shorewall refresh" so that subsequent "shorewall save" works
correctly.
13 Fix DETECT_DNAT_IPADDRS=Yes address detection bug.
--------------------------------------------------------------------------------
Changes in 3.2.2
1) Correct handling of shorewall.conf options in exported scripts.
2) Avoid creating empty files /nat and /proxyarp.
3) Add -f option to 'show' command.
4) Avoid enabling deferred output hook processing during capabilities
probe.
5) Add -n option to install.sh
6) Add -s option to "shorewall [re]load"
7) Add 'optional' option to providers file.
8) Add 'reset' command to prog.footer.
--------------------------------------------------------------------------------
Changes in 3.2.1
1) Change the detection of physdev match to use
--physdev-out. Preparation for removal of physdev-out match
capability.
2) Add missing edits to configuration parameters in firewall script.
3) Fix 'hits' formatting under BusyBox 1.2.0.
4) Remove requirement for extended marks with 'track'.
5) Fixed output of 'hits' with spaces as delimiters in /etc/services.
6) Fixed modules/xmodules snafu.
7) Fix version in shorewall.conf.
8) Add /usr/share/shorewall-lite: to the front of CONFIG_PATH in
/usr/share/shorewall/configfiles/shorewall.conf.
-------------------------------------------------------------------------------
Changes in 3.2.0 Final
1) Avoid extraneous double quotes in log rules generated at run-time.
Changes in 3.2.0 RC 6
1) Correct generation of the balanced default route.
2) Allow 'detect' in the ADDRESS column of the masq file.
3) Correct some permission problems.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 5
1) Fix DOA 'LITEDIR' problem in /sbin/shorewall.
2) Stop the compiler from running iptables.
3) Avoid problem with ash.
4) Make the 'try' command use the correct SHOREWALL_SHELL.
5) Don't defer Action/chain extension script processing until
run-time.
6) Run extension script for policy chains.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 4
1) Fix permissions on Limit file.
2) Make progress messages product-specific.
3) Add 'reload' command.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 3
1) Remove hard directory references from compiled programs.
2) Fix /nat <-> /proxyarp typo.
3) Avoid use of symbolic link for /sbin/shorewall
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 2
1) Update versions.
2) Rationalize the use of IPTABLES and LOGFORMAT.
3) Allow Shorewall/Shorewall-lite coexistance under RPM
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 1
1) Update versions.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 8
1) Issue more helpful BRIDGING=No error messages.
2) Implement "all-" in rules file.
3) Add xmodules file.
4) Detect devices in tcdevices entries.
5) Fix for white-space in log prefix.
6) Fix rule parsing of single excluded MAC address.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 7
1) Fix mark/mask validation.
2) Restore traffic control to 'refresh'.
3) Detect MTU for entries in /etc/shorewall/tcdevices.
4) Avoid fatal error after missing forwardUPnP rule warning.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 6
1) Fix tc "notfound" errors when 'restart' is run out of ip-up.local.
2) Allow 'detectnets' to work.
3) Add TOS column to tcrules.
4) Fix 'proxyarp' interface attribute handling.
5) Fix default route generation in providers handling.
6) Change interraction of 'track' and PREROUTING marking.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 5
1) Fix compilation problem on LEAF Bering.
2) Remove traffic shaping code from the 'firewall' script to avoid
unmaintainable code duplication.
3) Fix DETECT_DNAT_IPADDRS=No bug.
4) Handle absense of mangle FORWARD chain.
5) Rename the rtrules file to route_rules.
6) Fix deletion of SNAT ip addresses.
7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle.
8) Clear SUBSYSLOCK on Debian/Ubuntu installs.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 4
1) Fix 'routeback' with bridge ports.
2) Add support for explicit routing rules.
3) Fix mktempdir problem.
4) Implement HIGH_ROUTE_MARKS
Changes in 3.2.0 Beta 3
1) Correct handling of verbosity in the 'try' command.
2) Add IMPLICIT_CONTINUE option to shorewall.conf.
3) Fix SAME/ADD_SNAT_ALIASES interaction.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 2
1) Make "shorewall start -f" work correctly.
2) Remove SUBSYSLOCK code from default and debian footers.
3) Add 'refreshed' extension script.
4) Implement 'logdrop' and 'logreject'
-------------------------------------------------------------------------------
Changes in 3.1.x. and 3.2.x
1) Removal of dynamic zones.
2) Implement 'generate' command.
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
4) Add back dynamic zones.
5) Allow remote compiles.
6) Change output of 'generate' to always be the file name entered (do not
prepend /var/lib/shorewall/)
7) Remove some restrictions on remote compiles.
8) Add error checking to generated script.
9) Merge Fabio Longerai's 'length' patch.
10) Add the "-p" option to the compile command.
11) Fix 'check' bug in setup_masq
12) Break compiler/firewall into two files
13) Make Shoreall quiet for a change.
14) Make "Compile-and-go" the only mode of operation.
15) Remove -p
16) Apply Tuomo's patches for IPSEC and Noecho.
17) Fix bridging
18) Fix QUEUE when used in the ESTABLISHED section.
19) Apply Ed Suominen's patch to tcrules.
-------------------------------------------------------------------------------
3.1.5
20) Speed up compilation by rewriting 'fix_bang()'.
21) Correct GATEWAY handling in the providers file.
22) Remove sub-zone exclusion from DNAT/REDIRECT.
23) Add compiled-program/library versioning scheme.
-------------------------------------------------------------------------------
3.1.6
24) Apply Steven Springl's help patch.
25) Fix 'allow/drop/reject' while Shorewall not running.
26) Implement bi-directional macros.
27) Fix TC bridge port handling.
28) Fix/document "check -e"
29) Automatically use capabilities file when non-root.
30) Correct typo in help file ("help drop").
31) Added 'tcpsyn'
-------------------------------------------------------------------------------
3.1.7
32) Change 'tcpsyn' to 'tcp:syn'
33) Remove superfluous rules in MAC validation.
34) Correct Makefile.
35) Add -t option
36) Restore log messages.
37) Fix "shorewall capabilities" with VERBOSITY < 2.
-------------------------------------------------------------------------------
3.1.8
38) Remove compile-time running of extension scripts.
39) Correctly handle interfaces named 'inet'.
40) SUBSYSLOCK functionality restored.
-------------------------------------------------------------------------------
3.1.9
41) Fix Provider route generation when a specific gateway is specified.
42) Be sure that restore file name is preserved regardless of 'set --' in
define_firewall().)
43) Add Simon's redhat prog files.
44) Add 'delete_nat' to compiled program.
45) Move 'shorecap' to /usr/share/shorewall
46) Add debian prog files.
47) Correct syntax error in validate_policy()
-------------------------------------------------------------------------------
3.2.0 Beta 1.
48) Streamlined some code in setup_tc1()
49) Process /etc/shorewall/params at run-time.
50) Add new modules to /etc/shorewall/modules.
51) Make default behavior of "compile" distribution-neutral.

4120
Shorewall/compiler
View File

File diff suppressed because it is too large Load Diff

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=3.3.0 VERSION=3.2.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

1582
Shorewall/firewall
View File

File diff suppressed because it is too large Load Diff

3130
Shorewall/functions
View File

File diff suppressed because it is too large Load Diff

46
Shorewall/help
View File

@ -28,6 +28,28 @@
case $1 in case $1 in
add)
echo "add: add <interface>[:<host-list>] ... <zone>
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface:host-list ... zone - Adds the specified interface
(and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host) address|host)
echo "<$1>: echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in May be either a host IP address such as 192.168.1.4 or a network address in
@ -88,7 +110,7 @@ debug)
If you include the keyword debug as the first argument to any If you include the keyword debug as the first argument to any
of these commands: of these commands:
start|stop|restart|reset|clear|refresh|check|compile start|stop|restart|reset|clear|refresh|check|add|delete|compile
then a shell trace of the command is produced. For example: then a shell trace of the command is produced. For example:
@ -100,6 +122,28 @@ debug)
The word 'trace' is a synonym for 'debug'." The word 'trace' is a synonym for 'debug'."
;; ;;
delete)
echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:host-list] ... zone - Deletes the specified
interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop) drop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored Causes packets from the specified <address> to be ignored

187
Shorewall/install.sh
View File

@ -22,19 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=3.3.0 VERSION=3.2.3
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -43,11 +31,6 @@ usage() # $1 = exit status
echo " $ME -v" echo " $ME -v"
echo " $ME -h" echo " $ME -h"
echo " $ME -n" echo " $ME -n"
echo " $ME -c"
echo " $ME -l <library> [ ... ]"
echo " $ME -L <compiler library> [ ... ]"
echo " $ME -m"
echo " $ME -s"
exit $1 exit $1
} }
@ -149,7 +132,9 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode $4 = (optional) b
# DEST is the SysVInit script directory # DEST is the SysVInit script directory
# INIT is the name of the script in the $DEST directory # INIT is the name of the script in the $DEST directory
# RUNLEVELS is the chkconfig parmeters for firewall # RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
# #
ARGS=""
if [ -z "$DEST" ] ; then if [ -z "$DEST" ] ; then
DEST="/etc/init.d" DEST="/etc/init.d"
@ -172,10 +157,6 @@ if [ -z "$GROUP" ] ; then
fi fi
NOBACKUP= NOBACKUP=
NOCONFIGFILES=
XLIBS=
XCLIBS=
NOMACROS=
while [ $# -gt 0 ] ; do while [ $# -gt 0 ] ; do
case "$1" in case "$1" in
@ -189,43 +170,12 @@ while [ $# -gt 0 ] ; do
-n) -n)
NOBACKUP=Yes NOBACKUP=Yes
;; ;;
-c)
NOCONFIGFILES=Yes
;;
-m)
NOMACROS=Yes
;;
-l)
while [ $# -gt 1 ]; do
case $2 in
-*)
break
;;
*)
XLIBS="$XLIBS $2"
shift
;;
esac
done
;;
-L)
while [ $# -gt 1 ]; do
case $2 in
-*)
break
;;
*)
XCLIBS="$XCLIBS $2"
shift
;;
esac
done
;;
*) *)
usage 1 usage 1
;; ;;
esac esac
shift shift
ARGS="yes"
done done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -304,34 +254,33 @@ echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
# #
mkdir -p ${PREFIX}/etc/shorewall mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/share/shorewall mkdir -p ${PREFIX}/usr/share/shorewall
[ -n "$NOCONFIGFILES" ] || mkdir -p ${PREFIX}/usr/share/shorewall/configfiles mkdir -p ${PREFIX}/usr/share/shorewall/configfiles
mkdir -p ${PREFIX}/var/lib/shorewall mkdir -p ${PREFIX}/var/lib/shorewall
chmod 755 ${PREFIX}/etc/shorewall chmod 755 ${PREFIX}/etc/shorewall
chmod 755 ${PREFIX}/usr/share/shorewall chmod 755 ${PREFIX}/usr/share/shorewall
[ -n "$NOCONFIGFILES" ] || chmod 755 ${PREFIX}/usr/share/shorewall/configfiles chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
if [ -z "$NOCONFIGFILES" ]; then #
# # Install the config file
# Install the config file #
# run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
fi
if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf run_install $OWNERSHIP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf" echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi fi
if [ -n "$ARCHLINUX" ] ; then if [ -n "$ARCHLINUX" ] ; then
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall/shorewall.conf
fi fi
# #
# Install the zones file # Install the zones file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall/configfiles/zones run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall/configfiles/zones
if [ ! -f ${PREFIX}/etc/shorewall/zones ]; then if [ ! -f ${PREFIX}/etc/shorewall/zones ]; then
run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall/zones
@ -364,7 +313,7 @@ echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
# #
# Install the policy file # Install the policy file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall/configfiles/policy run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall/configfiles/policy
if [ ! -f ${PREFIX}/etc/shorewall/policy ]; then if [ ! -f ${PREFIX}/etc/shorewall/policy ]; then
run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall/policy
@ -373,7 +322,7 @@ fi
# #
# Install the interfaces file # Install the interfaces file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces
if [ ! -f ${PREFIX}/etc/shorewall/interfaces ]; then if [ ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
@ -382,7 +331,7 @@ fi
# #
# Install the ipsec file # Install the ipsec file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 ipsec ${PREFIX}/usr/share/shorewall/configfiles/ipsec run_install $OWNERSHIP -m 0644 ipsec ${PREFIX}/usr/share/shorewall/configfiles/ipsec
if [ ! -f ${PREFIX}/etc/shorewall/ipsec ]; then if [ ! -f ${PREFIX}/etc/shorewall/ipsec ]; then
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
@ -392,7 +341,7 @@ fi
# #
# Install the hosts file # Install the hosts file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts
if [ ! -f ${PREFIX}/etc/shorewall/hosts ]; then if [ ! -f ${PREFIX}/etc/shorewall/hosts ]; then
run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
@ -401,7 +350,7 @@ fi
# #
# Install the rules file # Install the rules file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall/configfiles/rules run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall/configfiles/rules
if [ ! -f ${PREFIX}/etc/shorewall/rules ]; then if [ ! -f ${PREFIX}/etc/shorewall/rules ]; then
run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall/rules
@ -410,7 +359,7 @@ fi
# #
# Install the NAT file # Install the NAT file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 nat ${PREFIX}/usr/share/shorewall/configfiles/nat run_install $OWNERSHIP -m 0644 nat ${PREFIX}/usr/share/shorewall/configfiles/nat
if [ ! -f ${PREFIX}/etc/shorewall/nat ]; then if [ ! -f ${PREFIX}/etc/shorewall/nat ]; then
run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat run_install $OWNERSHIP -m 0600 nat ${PREFIX}/etc/shorewall/nat
@ -419,7 +368,7 @@ fi
# #
# Install the NETMAP file # Install the NETMAP file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap run_install $OWNERSHIP -m 0644 netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap
if [ ! -f ${PREFIX}/etc/shorewall/netmap ]; then if [ ! -f ${PREFIX}/etc/shorewall/netmap ]; then
run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap run_install $OWNERSHIP -m 0600 netmap ${PREFIX}/etc/shorewall/netmap
@ -428,7 +377,7 @@ fi
# #
# Install the Parameters file # Install the Parameters file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params
if [ ! -f ${PREFIX}/etc/shorewall/params ]; then if [ ! -f ${PREFIX}/etc/shorewall/params ]; then
run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params
@ -437,7 +386,7 @@ fi
# #
# Install the proxy ARP file # Install the proxy ARP file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp run_install $OWNERSHIP -m 0644 proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp
if [ ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then if [ ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp run_install $OWNERSHIP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
@ -446,7 +395,7 @@ fi
# #
# Install the Stopped Routing file # Install the Stopped Routing file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped
if [ ! -f ${PREFIX}/etc/shorewall/routestopped ]; then if [ ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
@ -455,7 +404,7 @@ fi
# #
# Install the Mac List file # Install the Mac List file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist
if [ ! -f ${PREFIX}/etc/shorewall/maclist ]; then if [ ! -f ${PREFIX}/etc/shorewall/maclist ]; then
run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
@ -464,7 +413,7 @@ fi
# #
# Install the Masq file # Install the Masq file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 masq ${PREFIX}/usr/share/shorewall/configfiles/masq run_install $OWNERSHIP -m 0644 masq ${PREFIX}/usr/share/shorewall/configfiles/masq
if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then if [ ! -f ${PREFIX}/etc/shorewall/masq ]; then
run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq run_install $OWNERSHIP -m 0600 masq ${PREFIX}/etc/shorewall/masq
@ -482,7 +431,7 @@ echo "Xmodules file installed as ${PREFIX}/usr/share/shorewall/xmodules"
# #
# Install the TC Rules file # Install the TC Rules file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules
if [ ! -f ${PREFIX}/etc/shorewall/tcrules ]; then if [ ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
@ -492,7 +441,7 @@ fi
# #
# Install the TOS file # Install the TOS file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall/configfiles/tos run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall/configfiles/tos
if [ ! -f ${PREFIX}/etc/shorewall/tos ]; then if [ ! -f ${PREFIX}/etc/shorewall/tos ]; then
run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall/tos
@ -501,7 +450,7 @@ fi
# #
# Install the Tunnels file # Install the Tunnels file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels
if [ ! -f ${PREFIX}/etc/shorewall/tunnels ]; then if [ ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
@ -510,7 +459,7 @@ fi
# #
# Install the blacklist file # Install the blacklist file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist
if [ ! -f ${PREFIX}/etc/shorewall/blacklist ]; then if [ ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
@ -529,7 +478,7 @@ delete_file ${PREFIX}/usr/share/shorewall/tcstart
# #
# Install the Providers file # Install the Providers file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall/configfiles/providers run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall/configfiles/providers
if [ ! -f ${PREFIX}/etc/shorewall/providers ]; then if [ ! -f ${PREFIX}/etc/shorewall/providers ]; then
run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
@ -539,7 +488,7 @@ fi
# #
# Install the Route Rules file # Install the Route Rules file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules
if [ ! -f ${PREFIX}/etc/shorewall/route_rules ]; then if [ ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall/route_rules
@ -549,7 +498,7 @@ fi
# #
# Install the tcclasses file # Install the tcclasses file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses
if [ ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then if [ ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses
@ -559,7 +508,7 @@ fi
# #
# Install the tcdevices file # Install the tcdevices file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices
if [ ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then if [ ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices
@ -579,7 +528,7 @@ echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/config
# #
# Install the init file # Install the init file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall/configfiles/init run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall/configfiles/init
if [ ! -f ${PREFIX}/etc/shorewall/init ]; then if [ ! -f ${PREFIX}/etc/shorewall/init ]; then
run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall/init
@ -588,7 +537,7 @@ fi
# #
# Install the initdone file # Install the initdone file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone run_install $OWNERSHIP -m 0644 initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone
if [ ! -f ${PREFIX}/etc/shorewall/initdone ]; then if [ ! -f ${PREFIX}/etc/shorewall/initdone ]; then
run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone run_install $OWNERSHIP -m 0600 initdone ${PREFIX}/etc/shorewall/initdone
@ -597,7 +546,7 @@ fi
# #
# Install the start file # Install the start file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall/configfiles/start run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall/configfiles/start
if [ ! -f ${PREFIX}/etc/shorewall/start ]; then if [ ! -f ${PREFIX}/etc/shorewall/start ]; then
run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall/start
@ -606,7 +555,7 @@ fi
# #
# Install the stop file # Install the stop file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall/configfiles/stop run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall/configfiles/stop
if [ ! -f ${PREFIX}/etc/shorewall/stop ]; then if [ ! -f ${PREFIX}/etc/shorewall/stop ]; then
run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall/stop
@ -615,7 +564,7 @@ fi
# #
# Install the stopped file # Install the stopped file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped
if [ ! -f ${PREFIX}/etc/shorewall/stopped ]; then if [ ! -f ${PREFIX}/etc/shorewall/stopped ]; then
run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall/stopped
@ -624,7 +573,7 @@ fi
# #
# Install the ECN file # Install the ECN file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn run_install $OWNERSHIP -m 0644 ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn
if [ ! -f ${PREFIX}/etc/shorewall/ecn ]; then if [ ! -f ${PREFIX}/etc/shorewall/ecn ]; then
run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn run_install $OWNERSHIP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
@ -633,7 +582,7 @@ fi
# #
# Install the Accounting file # Install the Accounting file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting
if [ ! -f ${PREFIX}/etc/shorewall/accounting ]; then if [ ! -f ${PREFIX}/etc/shorewall/accounting ]; then
run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
@ -642,7 +591,7 @@ fi
# #
# Install the Continue file # Install the Continue file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 continue ${PREFIX}/usr/share/shorewall/configfiles/continue run_install $OWNERSHIP -m 0644 continue ${PREFIX}/usr/share/shorewall/configfiles/continue
if [ ! -f ${PREFIX}/etc/shorewall/continue ]; then if [ ! -f ${PREFIX}/etc/shorewall/continue ]; then
run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue run_install $OWNERSHIP -m 0600 continue ${PREFIX}/etc/shorewall/continue
@ -651,7 +600,7 @@ fi
# #
# Install the Started file # Install the Started file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall/configfiles/started run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall/configfiles/started
if [ ! -f ${PREFIX}/etc/shorewall/started ]; then if [ ! -f ${PREFIX}/etc/shorewall/started ]; then
run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
@ -666,7 +615,7 @@ echo "Standard actions file installed as ${PREFIX}/etc/shorewall/actions.std"
# #
# Install the Actions file # Install the Actions file
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall/configfiles/actions run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall/configfiles/actions
if [ ! -f ${PREFIX}/etc/shorewall/actions ]; then if [ ! -f ${PREFIX}/etc/shorewall/actions ]; then
run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall/actions
@ -676,9 +625,10 @@ fi
# #
# Install the Makefile # Install the Makefile
# #
[ -n "$NOCONFIGFILES" ] || run_install $OWNERSHIP -m 0644 Makefile ${PREFIX}/usr/share/shorewall/configfiles/Makefile run_install $OWNERSHIP -m 0644 Makefile ${PREFIX}/usr/share/shorewall/configfiles/Makefile
run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile" echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
# #
# Install the Action files # Install the Action files
# #
@ -686,50 +636,17 @@ for f in action.* ; do
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644 install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done done
#
install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0644 install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0644
echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit" echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
# #
# Install the Compiler Library files # Install the Macro files
# #
for f in clib.* ; do for f in macro.* ; do
case $f in install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
*.\*) echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
;;
*)
if ! list_search ${f#clib.} $XCLIBS ; then
install_file $f ${PREFIX}/usr/share/shorewall/$f 0555
echo "Compiler library ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
fi
;;
esac
done done
# #
# Install the Common Library files
#
for f in lib.* ; do
if ! list_search ${f#lib.} $XLIBS ; then
install_file $f ${PREFIX}/usr/share/shorewall/$f 0555
echo "Library ${f#*.} installed as ${PREFIX}/usr/share/shorewall/$f"
fi
done
if [ -z "$NOMACROS" ]; then
#
# Install the Macro files
#
for f in macro.* ; do
case $f in
*.\*)
;;
*)
install_file $f ${PREFIX}/usr/share/shorewall/$f 0644
echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
;;
esac
done
fi
#
# Install the program skeleton files # Install the program skeleton files
# #
for f in prog.* ; do for f in prog.* ; do

24
Shorewall/prog.footer
View File

@ -2,7 +2,7 @@
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -11,14 +11,11 @@ usage() {
initialize initialize
# #
# Start trace if first arg is "debug" or "trace" (the awkward code works around # Start trace if first arg is "debug" or "trace"
# a bug in BusyBox ash on some distros).
# #
if [ $# -gt 1 ]; then if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
if [ "$1" = "debug" ] || [ "$1" = "trace" ]; then set -x
set -x shift
shift
fi
fi fi
finished=0 finished=0
@ -114,6 +111,17 @@ case "$COMMAND" in
fi fi
progress_message3 "done." progress_message3 "done."
;; ;;
refresh)
if shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
refresh_firewall
status=$?
progress_message3 "done."
else
echo "$PRODUCT is not running" >&2
status=2
fi
;;
restore) restore)
restore_firewall restore_firewall
status=$? status=$?

1
Shorewall/prog.header
View File

@ -15,6 +15,7 @@
# Commands are: # Commands are:
# #
# start Starts the firewall # start Starts the firewall
# refresh Refresh the firewall
# restart Restarts the firewall # restart Restarts the firewall
# reload Reload the firewall # reload Reload the firewall
# clear Removes all firewall rules # clear Removes all firewall rules

901
Shorewall/releasenotes.txt
View File

@ -1,65 +1,846 @@
Shorewall 3.3.0 Shorewall 3.2.4
Note to users upgrading from Shorewall 2.x or 3.0
Most problems associated with upgrades come from two causes:
- The user didn't read and follow the migration considerations in these
release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during
upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design
assumes that you will not replace your current shorewall.conf file
during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed
carefully.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then
please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to
/etc/shorewall/rfc1918.old.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If you have a file named /etc/shorewall/modules, please remove
it. The default modules file is now located in /usr/share/shorewall/
(see the "Migration Considerations" below).
Please see the "Migration Considerations" below for additional upgrade
information.
Problems Corrected in 3.2.4
Note to users upgrading from Shorewall 2.x or 3.0 1) Previously, the directory name in the command "shorewall start
<directory name>" was being dropped by "/sbin/shorewall".
Most problems associated with upgrades come from two causes: Other changes in 3.2.4
- The user didn't read and follow the migration considerations in these None.
release notes.
- The user mis-handled the /etc/shorewall/shorewall.conf file during Migration Considerations:
upgrade. Shorewall is designed to allow the default behavior of
the product to evolve over time. To make this possible, the design 1) If you are upgrading from Shorewall 2.x, it is essential that you read
assumes that you will not replace your current shorewall.conf file the Shorewall 3.0.8 (or later) release notes:
during upgrades. If you feel absolutely compelled to have the latest
comments and options in your shorewall.conf then you must proceed http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt
carefully.
2) A number of macros have been split into two. The macros affected are:
IMAP LDAP NNTP POP3 SMTP
Each of these macros now handles only traffic on the native (plaintext)
port. There is a corresponding macro with S added to the end of the
name for the SSL version of the same protocol. Thus each macro results
in the insertion of only one port per invocation.
The Web macro has not been split, but two new macros, HTTP and HTTPS have
been created. The Web macro is deprecated in favour of these new macros,
and may be removed from future Shorewall releases.
These changes have been made to ensure no unexpected ports are opened due
to the use of macros.
3) In previous Shorewall releases, DNAT and REDIRECT rules supported a
special syntax for exclusion of a sub-zone from the effect of the rule.
Example:
Z2 is a subzone of Z1:
DNAT Z1!Z2 loc:192.168.1.4 ...
That feature has never worked correctly when Z2 is a dynamic zone.
Furthermore, now that Shorewall supports exclusion lists, the capability
is redundant since the above rule can now be written in the form:
DNAT Z1:!<list of exclusions> loc:192.168.1.4 ...
Beginning with Shorewall 3.2.0, the special exclusion syntax will no
longer be supported.
4) Important if you use the QUEUE target.
In the /etc/shorewall/rules file and in actions, you may now specify
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
5) Extension Scripts may require change
In previous releases, extension scripts were executed during [re]start
by using the Bourne Shell "." operator. In addition to executing commands
during [re]start, these scripts had to "save" the commands to be executed
during "shorewall restore".
This clumsiness has been eliminated in Shorewall 3.2. In Shorewall 3.2,
extension scripts are copied in-line into the compiled program and are
executed in-line during "start", "restart" and "restore". This
applies to all extension scripts except those associated with a
chain or action -- those extension scripts continue to be processed
at compile time.
This new approach has two implications for existing scripts.
a) It is no longer necessary to save the commands; so functions like
'save_command', 'run_and_save_command' and 'ensure_and_save_command'
need no longer be called. For convenience, the generated program will
supply functions with these names:
save_command() - does nothing
run_and_save_command() - runs the passed command
ensure_and_save_command() - runs the passed command and
stops/restores the firewall if the
command fails.
These functions should provide for transparent migration of
scripts that use them until you can get around to eliminating
their use completely.
b) When the extension script is copied into the compiled program, it
is indented to line up with the surrounding code. If you have 'awk'
installed on your system, the Shorewall compiler will correctly handle
line continuation (last character on the line = "\"). If you do not
have awk, it will not be possible to use line-continuation in your
extension scripts.
In no case is it possible to continue a quoted string over multiple lines
without having additional whitespace inserted into the string.
6) Beginning with this release, the way in which packet marking in the
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
has changed in two ways:
a) Packets arriving on a tracked interface are now passed to the PREROUTING
marking chain so that they may be marked with a mark other than the
'track' mark (the connection still retains the 'track' mark).
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
in the PREROUTING chain (i.e., you can specify a mark value of zero).
7) Kernel version 2.6.16 introduces 'xtables', a new common packet
filtering and connection tracking facility that supports both IPv4
and IPv6. Because a different set of kernel modules must be loaded
for xtables, Shorewall now includes two 'modules' files:
a) /usr/share/shorewall/modules -- the former
/etc/shorewall/modules
b) /usr/share/shorewall/xmodules -- a new file that support
xtables.
If you wish to use the new file, then simply execute this command:
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
8) Previously, CLASSIFY tcrules were always processed out of the
POSTROUTING chain. Beginning with this release, they are processed
out of the POSTROUTING chain *except* when the SOURCE is
$FW[:<address>] in which case the rule is processed out of the
OUTPUT chain.
With correctly-coded rulesets, this change should have no
effect. Users having incorrectly-coded tcrules may need to change
them.
Example:
#MARK/ SOURCE DEST PROTO DEST SOURCE
#CLASSIFY PORTS(S) PORT(S)
1:110 $FW eth3 tcp - 22
While the user may have expected this rule to only affect traffic
from the firewall itself, the rule was really equivalent to this one:
#MARK/ SOURCE DEST PROTO DEST SOURCE
#CLASSIFY PORTS(S) PORT(S)
1:110 0.0.0.0/0 eth3 tcp - 22
So after this change, the second rule will be required rather than
the first if that is what was really wanted.
New Features:
1) Shorewall has always been very noisy (lots of messages). No longer.
You set the default level of verbosity using the VERBOSITY option in
shorewall.conf. If you don't set it (as would be the case if you use your
old shorewall.conf file) then VERBOSITY defaults to a value of 2 which
results in behavior compatible with previous Shorewall versions.
A value of 1 suppresses some of the output (like the old -q option did)
while a value of 0 makes Shorewall almost silent. A value of -1
suppresses all output except warning and error messages.
The value specified in the 3.2 shorewall.conf is 1. So you can make
Shorewall as verbose as previously using a single -v and you can make it
almost silent by using a single -q.
If VERBOSITY is set at 2, you can still make a command nearly
silent by using two "q"s (e.g., shorewall -qq restart).
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
to VERBOSITY.
The "shorewall show log", "shorewall logwatch" and "shorewall dump"
commands require VERBOSITY to be greater than or equal to 3 to
display MAC addresses.This is consistent with the previous
implementation which required a single -v to enable MAC display but
means that if you set VERBOSITY=0 in shorewall.conf, then you will
need to include -vvv in commands that display log records in order
to have MACs displayed.
To make the display of MAC addresses less cumbersome, a '-m' option has
been added to the "show" and logwatch commands:
shorewall show -m log
shorewall logwatch -m
2) A new 'shorewall compile' command has been added.
shorewall compile [ -e ] [ <config directory> ] <script file>
where:
-e Allows the generated script to run
on a system with Shorewall Lite installed.
Generates an error if the configuration uses
an option that would prevent the generated
script from running on a system other than
where the 'compile' command is running (see
additional consideration a) below).
<config directory> Is an optional directory to be searched for
configuration files prior to those listed
in CONFIG_PATH in
/etc/shorewall/shorewall.conf.
<script file> Is the name of the output file.
The 'compile' command processes the configuration and generates a
script file which may then be executed to configure the firewall.
The generated script supports the following commands:
start - starts the firewall
stop - stops the firewall
clear - clears the firewall (removes all iptables rules)
restart - restarts the firewall
status - displays the firewall status
version - displays the version of shorewall used to create the
script
The generated script contains error checking and will terminate if an
important command fails. Before terminating:
a) The script will check for the existence of the restore script
specified by the RESTOREFILE variable in shorewall.conf. If that
restore script exists, it is executed.
b) If the restore script doesn't exist but Shorewall appears to be
installed on the system, the equivalent of an
"/sbin/shorewall stop" command is executed.
Some additional considerations:
a) When you run 'compile' on one system and then run the generated script
on another system under Shorewall Lite, there are certain limitations.
1) A compatible version of Shorewall Lite must be running on the remote
system. Going forward, the goal is that any minor version of
the current major version will be compatible. So if the
program is compiled using Shorewall 3.2.x, any 3.2.y version
or 3.p.q version (where p > 2) of Shorewall Lite will be compatible.
2) The 'detectnets' interface option is not allowed.
3) DYNAMIC_ZONES=Yes is not allowed.
4) You must supply the file /etc/shorewall/capabilities to provide
the compiler with knowledge of the capabilities of the system
where the script is to be run. See below.
5) If your /etc/shorewall/params file contains code other than simple
assignment statements with contant values, then you should move
that code to /etc/shorewall/init. That way, the code will be
executed on the target system when the compiled script is run and
not on the local system at compile time.
b) If you run the "shorewall compile" or "shorewall check" commands under
a user other than 'root', then you must supply
/etc/shorewall/capabilities.
c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
is provided in the Shorewall Lite package and is installed in
/usr/share/shorewall-lite/shorecap when you install Shorewall Lite.
For instructions about running shorecap, see the comments at the
top of the program file (it's a simple shell script).
The "shorewall start" and "shorewall restart" commands have been
rewritten to use compilation. They both compile a temporary program
then run it. This results in a slightly longer elapsed time than the
similar commands required under earlier versions of Shorewall but new
connections are blocked for a much smaller percentage of that time.
If an error is found during the compilation phase, /sbin/shorewall
terminates and the Shorewall state is unchanged.
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
on my firewall:
real 0m16.599s
user 0m6.292s
sys 0m9.885s
Of the elapsed 16.5 seconds, new connections are disabled less than
3.5 seconds. Here are some numbers for comparison:
A) shorewall restart (Shorewall 3.0.4)
real 0m17.540s
user 0m5.956s
sys 0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real 0m3.297s
user 0m1.444s
sys 0m1.728s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real 0m1.164s
user 0m0.556s
sys 0m0.608s
D) shorewall restore (shorewall 3.1.5)
real 0m1.637s
user 0m0.728s
sys 0m0.584s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The time
difference between C and D results from the fact that the "restore"
command in Shorewall 3.1 runs the compiled program in a way that
turns all iptables commands into no-ops then invokes
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
As a final part of this change, the "check" command now compiles the
current configuration and writes the compiled output to /dev/null. So
"check" performs all of the same validation that compile does. Note that
there is still no guarantee that the generated script won't encounter
run-time errors.
2) The /etc/shorewall/maclist file has a new column layout. The first column
is now DISPOSITION. This column determines what to do with matching
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
can also contain REJECT). This change is upward compatible so your existing
maclist file can still be used.
ACCEPT, DROP and REJECT may be optionally followed by a log level to
cause the packet to be logged.
4) In macro files, you can now use the reserved words SOURCE and DEST
in the columns of the same names. When Shorewall expands the
macro, it will substitute the SOURCE from the macro invocation for
SOURCE and the DEST from the invocation for DEST. This allows you
to write macros that act in both directions (from source to destination
and from destination to source).
Example:
macro.FOO:
PARAM SOURCE DEST udp 500
PARAM DEST SOURCE udp 500
/etc/shorewall/rules:
FOO/ACCEPT fw net
Resulting rules:
ACCEPT fw net udp 500
ACCEPT net fw udp 500
This new feature has been used to implement the SMBBI macro.
SMBBI is the same as the SMB macro with the exception that
it passes SMB traffic in both directions whereas SMB only
passes that traffic in one direction.
5) In the /etc/shorewall/rules file and in actions, you may now specify
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
6) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #
7) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.
8) Two new dynamic blacklisting commands have been added:
logdrop -- like 'drop' but causes the dropped packets to be logged.
logreject -- like 'reject' but causes the rejected packets to be
logged.
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
last "shorewall [re]start"; otherwise, they are logged at the 'info'
log level.
9) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
this option is set to "Yes", it causes subzones to be treated differently
with respect to policies.
Subzones are defined by following their name with ":" and a list of parent
zones (in /etc/shorewall/zones). Normally, you want to have a set of
special rules for the subzone and if a connection doesn't match any of
those subzone-specific rules then you want the parent zone rules and
policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens
automatically.
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment.
With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in either
the SOURCE or the DEST columns).
Example:
/etc/shorewall/zones:
prnt ipv4
chld:prnt ipv4
Traffic to/from the 'chld' zone will first pass through the applicable
'chld' rules and if none of those rules match then it will be passed through
the appropriate 'prnt' rules. If the connection request does not match
any of the 'prnt' rules then the relevant 'prnt' policy is applied.
If you want the fw->chld policy to be ACCEPT, simply add this entry to
/etc/shorewall/policy:
$FW chld ACCEPT
Traffic from all other zones to 'chld' will be subject to the implicit
CONTINUE policy.
10) Shorewall now includes support for explicit routing rules when the
/etc/shorewall/providers file is used. A new file,
/etc/shorewall/route_rules can be used to add routing rules based on
packet source and/or destination.
The file has the following columns:
SOURCE(optonal) An ip address (network or host) that
matches the source IP address in a packet.
May also be specified as an interface
name optionally followed by ":" and an
address. If the define 'lo' is specified,
the packet must originate from the firewall
itself.
DEST(optional) An ip address (network or host) that
matches the destination IP address in a packet.
If you choose to omit either SOURCE or DEST,
place "-" in the column. Note that you
may not omit both SOURCE and DEST.
PROVIDER The provider to route the traffic through.
May be expressed either as the provider name
or the provider number. You may also specify
the 'main' routing table here, either by
name or by number (254).
PRIORITY
The rule's priority which determines the order
in which the rules are processed.
1000-1999 Before Shorewall-generated
'MARK' rules
11000- 11999 After 'MARK' rules but before
Shorewall-generated rules for
provider interfaces.
26000-26999 After provider interface rules but
before 'default' rule.
Rules with equal priority are applied in
the order in which they appear in the file.
Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
provider:
#PROVIDER PRIORITY SOURCE DEST
ISP1 1000 eth1
Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
providers. In this case you have to set up a rule to ensure that
the OpenVPN traffic is routed back through the tunX interface(s)
rather than through any of the providers. 10.8.0.0/24 is the
subnet choosen in your OpenVPN configuration (server 10.8.0.0
255.255.255.0)
#SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000
11) Prior to now, it has not been possible to use connection marking in
/etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
'track' option.
Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
shorewall.conf to effectively divide the packet mark and connection mark
into two 8-bit mark fields.
When you do this:
a) The MARK field in the providers file must have a value that is
less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).
b) You may only set those mark values in the PREROUTING chain.
c) Marks used for traffic shaping must still be in the range of 1-255
and may still not be set in the PREROUTING chain.
d) When you SAVE or RESTORE in tcrules, only the TC mark value is
saved or restored. Shorewall handles saving and restoring the
routing (provider) marks.
12) A TOS column has been added to /etc/shorewall/tcrules. This allows marking
based on the contents of the TOS field in the packet header.
13) Beginning with this release, the way in which packet marking in the
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
has changed in two ways:
a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
marking chain so that they may be marked with a mark other than the
'track' mark (the connection still retains the 'track' mark).
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
in the PREROUTING chain (i.e., you can specify a mark value of zero).
14) Shorewall will now attempt to detect the MTU of devices listed in
/etc/shorewall/tcdevices and will use the detected MTU in setting
up traffic shaping.
15) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
used for zone names. "all-" means "All zones except the firewall";
"all+-" means "All zones except the firewall" and intra-zone
traffic is included.
16) Kernel version 2.6.16 introduces 'xtables', a new common packet
filtering and connection tracking facility that supports both IPv4
and IPv6. Because a different set of kernel modules must be loaded
for xtables, Shorewall now includes two 'modules' files:
a) /usr/share/shorewall/modules -- the former
/etc/shorewall/modules
b) /usr/share/shorewall/xmodules -- a new file that support
xtables.
If you wish to use the new file, then simply execute this command:
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
17) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
exist. If a device does not exist, a warning message is issued and
that device's entries in /etc/shorewall/tcclasses are ignored. This
applies to "shorewall start", "shorewall restart" and "shorewall
refresh".
18) "load" and "reload" commands have been added. These commands allow
a non-root user with ssh access to a remote system running
Shorewall Lite to compile a firewall script on the local system and
to install that script on the remote system.
Syntax is:
shorewall [re]load [ <directory> ] <system>
If <directory> is omitted, the current working directory is
assumed.
The command is equivalent to:
/sbin/shorewall compile -e <directory> firewall &&\
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1
In other words, the configuration in the specified (or defaulted)
directory is compiled to a file called firewall in that
directory. If compilation succeeds, then 'firewall' is copied to the
(usually remote) <system> using scp. If the copy succeeds,
Shorewall Lite on <system> is started or restarted via ssh (
load causes Shorewall Lite to be started and 'reload' causes
Shorewall Lite to be re-started)
Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in
packages from shorewall.net. The package maintainers for the
various distributions are free to choose the directory where the
script will be stored under their distribution by altering the
value of LITEDIR in /usr/share/shorewall/configpath. You can run the
"shorewall show config" command to see how your distribution
defines LITEDIR.
Problems corrected in 3.2.1
1) The output formatting of the 'hits' command under BusyBox 1.2.0 has
been corrected.
2) Shorewall no longer requires extended MARK support to use the 'track'
provider option when HIGH_ROUTE_MARKS=No.
3) The output of the 'hits' command was previously scrambled if
/etc/services contained spaces as column delimiters rather than
tabs.
4) The /usr/share/shorewall/xmodules file was previously just a copy
of /usr/share/shorewall/modules.
5) The version number in the comments at the top of shorewall.conf has
been corrected.
6) The script generated when the -e option is given to the 'compile'
command is setting CONFIG_PATH to the value given in the remote
firewall's shorewall.conf processed at compile time. This is
generally incorrect and results in the inability to load any kernel
modules on the firewall during 'shorewall-lite [re]start'.
Problems Corrected in 3.2.2
1) Previously, the "shorewall stop" command would create empty files
named /nat and /proxyarp.
2) Scripts compiled for export did not support the 'reset' command. As
a result, on firewall systems running Shorewall Lite the command
"shorewall-lite reset" failed.
Other changes in 3.2.2
1) The way in which options in /etc/shorewall-lite/shorewall.conf are
handled has been changed. Previously, problems would occur if
options were set differently in the shorewall.conf file located in
a firewall's export directory on the administrative system and in
/etc/shorewall-lite/shorewall.conf on the firewall system.
To eliminate those problems, both Shorewall and Shorewall Lite have
been modified. Now, settings in /etc/shorewall-lite/shorewall.conf
override settings from the export directory. Any variable not set
(or set to the empty value) in /etc/shorewall-lite/shorewall.conf
will get its value from the shorewall.conf file in the firewall's
export directory (see
http://www.shorewall.conf/CompiledPrograms.html for a description
of "export directories").
The "shorewall compile -e" and "shorewall [re]load" commands now
create two files -- the script file and an auxiliary configuration
file. The name of the auxiliary configuration file is formed by
appending ".conf" to the name of the firewall script. So, the
"[re]load" command now creates both 'firewall' and 'firewall.conf'
and the command copies both files to /var/lib/shorewall-lite/ on
the firewall system.
The shorewall.conf file released with Shorewall Lite now sets no
option values. So by default, the options that the firewall
system will use are determined entirely by the shorewall.conf file
in the export directory.
If you are upgrading from an earlier 3.2 release, I recommend that
you modify your /etc/shorewall-lite/shorewall.conf file(s) to set
all variables to the empty value (e.g., IPTABLES= ). This will
allow your Shorewall Lite installation(s) to conform to the new
option convention. Both the administrative system and the firewalls
must be running 3.2.2 or later and each firewall's configuration
must be recompiled and re-exported for changes to take effect.
2) The 'shorewall show capabilites' command now accepts a '-f' (file)
option (e.g., shorewall show -f capabilities). When '-f' is given,
the output is the same as the output from the 'shorecap' program
that is included in Shorewall Lite and can be used to generate a
capabilities file for use during compilation.
WARNING: The output is only meaningful when the command is run by
root.
3) The manner in which Shorewall determines the presence of the
'physdev match' capability has been modified to accomodate the
upcoming kernel change that will remove much of the functionality
of the match.
4) The install.sh script now supports a -n option:
./install.sh -n
When -n is given, no backup of the current configuration is
performed. This is used primarily by Shorewall developers as it
allows repeated installs of the same version without destroying
the backup of the prior version.
5) The "shorewall [re]load" command(s) now support a -s option:
Example:
shorewall reload -s gateway
The option causes the configuration on the firewall to be saved if
[re]start is successfull.
6) A new 'optional' option has been added to
/etc/shorewall/providers. If this option is specified, if the
interface specified in the INTERFACES column isn't up and
configured with an IPv4 address then a warning message is issued
and the provider is not configured.
While you are at it, if you have a file named /etc/shorewall/rfc1918 then Problems Corrected in 3.2.3
please check that file. If it has addresses listed that are NOT in one of
these three ranges, then please rename the file to 1) A problem in 'install.sh' resulted in sandbox violations on
/etc/shorewall/rfc1918.old. Gentoo and, when Shorewall is installed using an RPM, the problem
caused an incorrect copy of shorewall.conf to be installed in
10.0.0.0 - 10.255.255.255 /usr/share/shorewall/configfiles/.
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255 2) A typo in the functions file caused startup errors when the user's
distribution did not support a true mktemp program (such as
If you have a file named /etc/shorewall/modules, please remove Bering Uclibc). Patch courtesy of Cédric Schieli.
it. The default modules file is now located in /usr/share/shorewall/
(see the "Migration Considerations" below). 3) Several erroneous references to ip_addr_del() were made in
/var/lib/shorewall/compiler and in the code that it generates.
Please see the "Migration Considerations" below for additional upgrade
information. a) These should have been references to del_ip_addr()
b) One of the calls also had an incorrect parameter list.
Problems Corrected in 3.3.0
4) Previously, "shorewall check -e" would erroneously attempt to
None. detect interfaces configured for traffic shaping.
Other changes in 3.3.0 5) SUBSYSLOCK functionality has been restored.
1) Support for dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf and 6) In prior versions, setting 'mss=' in /etc/shorewall/zones did not
the /sbin/shorewall "add" and "delete" commands) has been affect traffic to/from the firewall zone. That has been corrected.
removed. Please use ipsets to implement dynamic zones as described
in http://www.shorewall.net/DynamicZones.html. 7) When /sbin/shorewall was run under BusyBox ash, shell errors would
occur if certain command options were given.
2) The 'try' command has been re-implemented. The command now does the
following: 8) Previously, the 'optional' provider option did not detect the case
where the interface was DOWN but still had a configured IP
- shorewall save address. Shorewall was detecting such interfaces as UP and later
- shorewall restart <specified directory> 'ip replace route' commands would fail.
- if the restart is not successful, the configuration is
automatically restored It should also be clarified that the 'optional' option is intended
- otherwise, if a timeout is given then to detect cases where a provider interface is in a state that would
- sleep for the number of seconds specified and cause 'shorewall [re]start' to fail; it is not intended to
- shorewall restore determine whether communication is possible using the interface.
Migration Considerations: 9) Previously, the "shorewall add" command would fail with error
messages indicating that the commands "chain_exists" and
1) Support for dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf and "verify_hosts_file" could not be found.
the /sbin/shorewall "add" and "delete" commands) has been
removed. Please use ipsets to implement dynamic zones as described 10) Using earlier Shorewall versions, the following sequence of
in http://www.shorewall.net/DynamicZones.html. commands produced inconsistant results:
New Features: a) shorewall [re] start
b) Modify /etc/shorewall/tcdevices and/or /etc/shorewall/tcclasses
None. c) shorewall refresh
d) shorewall save
e) shorewall restore (or reboot and shorewall start -f during boot
up)
After that series of commands, the state of traffic shaping was as
it was after step a) rather than as it was after step c). The fix
involved re-implementing 'shorewall refresh' as a compile/execute
procedure similar to [re]start. While the entire configuration is
recompiled, only ecn, blacklisting, tcrules and traffic control
will be updated in the running configuration.
11) DNAT rules generated under DETECT_DNAT_IPADDRS=Yes may have been
incorrect with the result that the rules didn't work at all.
Other changes in 3.2.3
1) A 'shorewall export' command has been added.
shorewall export [ <directory1> ] [user@]<system>:[<directory2>]
If <directory1> is omitted, then the current working directory is
assumed.
Causes the shorewall configuration in <directory1> to be compiled
into a program called '<directory1>/firewall'. If compilation is
successful, the '<directory1>/firewall' script is copied via scp
to the specified <system>.
Example:
shorewall export admin@gateway:
This command would compile the configuration in the current working
directory then copy the 'firewall' (and 'firewall.conf') files to
admin's home directory on system 'gateway'.
2) Normally, Shorewall tries to protect users from themselves by
preventing PREROUTING and OUTPUT tcrules from being applied to
packets that have been marked by the 'track' option in
/etc/shorewall/providers.
If you really know what you are doing and understand packet marking
thoroughly, you can set TC_EXPERT=Yes in shorewall.conf and
Shorewall will not include these cautionary checks.
3) Previously, CLASSIFY tcrules were always processed out of the
POSTROUTING chain. Beginning with this release, they are processed
out of the POSTROUTING chain *except* when the SOURCE is
$FW[:<address>] in which case the rule is processed out of the
OUTPUT chain.
See the Migration Considerations section for further information.
4) Previously, if you specified 'detectnets' on an interface with a
default route, Shorewall would ignore the default route with a
warning message. This could lead to systems that were inaccessible
from the net, even from systems listed in the 'routestopped' file.
Specifying 'detectnets' on an interface with a default route now
generates a fatal error.

105
Shorewall/shorewall
View File

@ -31,6 +31,8 @@
# #
# Commands are: # Commands are:
# #
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall dump Dumps all Shorewall-related information # shorewall dump Dumps all Shorewall-related information
# for problem analysis # for problem analysis
# shorewall start Starts the firewall # shorewall start Starts the firewall
@ -117,7 +119,7 @@
# #
fatal_error() # $@ = Message fatal_error() # $@ = Message
{ {
echo " ERROR: $@" >&2 echo " $@" >&2
exit 2 exit 2
} }
@ -584,7 +586,7 @@ start_command() {
fi fi
fi fi
SHOREWALL_DIR=$ SHOREWALL_DIR=$1
export SHOREWALL_DIR export SHOREWALL_DIR
;; ;;
*) *)
@ -841,6 +843,68 @@ restart_command() {
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
} }
#
# Refresh Command Executor
#
refresh_command() {
local finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
*)
usage 1
;;
esac
if ! shorewall_is_started ; then
error_message "ERROR: Shorewall is not running"
exit 2
fi
if [ -z "$STARTUP_ENABLED" ]; then
error_message "ERROR: Startup is disabled"
exit 2
fi
export NOROUTES
[ -n "$nolock" ] || mutex_on
progress_message3 "Compiling..."
if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.refresh; then
$SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh
fi
[ -n "$nolock" ] || mutex_off
}
# #
# Show Command Executor # Show Command Executor
# #
@ -1456,10 +1520,12 @@ usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]" echo " check [ -e ] [ <directory> ]"
echo " clear" echo " clear"
echo " compile [ -e ] [ <directory name> ] <path name>" echo " compile [ -e ] [ <directory name> ] <path name>"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -x ]" echo " dump [ -x ]"
echo " export [ <directory1> ] [<user>@]<system>:[<directory2>]" echo " export [ <directory1> ] [<user>@]<system>:[<directory2>]"
@ -1563,14 +1629,13 @@ make_verbose() {
} }
# #
# Execution begins here # Execution begins here
# #
debugging= debugging=
if [ $# -gt 0 ] && [ "x$1" = "xdebug" ] || [ "x$1" = "xtrace" ]; then if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
debugging=debug debugging=debug
shift shift
fi
fi fi
nolock= nolock=
@ -1686,7 +1751,7 @@ HELP=$SHAREDIR/help
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
. $FUNCTIONS . $FUNCTIONS
else else
echo " ERROR: $FUNCTIONS does not exist!" >&2 echo "$FUNCTIONS does not exist!" >&2
exit 2 exit 2
fi fi
@ -1757,7 +1822,7 @@ case "$COMMAND" in
shift shift
start_command $@ start_command $@
;; ;;
stop|reset|clear|refresh) stop|reset|clear)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
export NOROUTES export NOROUTES
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
@ -1770,10 +1835,18 @@ case "$COMMAND" in
shift shift
restart_command $@ restart_command $@
;; ;;
refresh)
shift
refresh_command $@
;;
check) check)
shift shift
check_command $@ check_command $@
;; ;;
add|delete)
[ $# -lt 3 ] && usage 1
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
;;
show|list) show|list)
shift shift
show_command $@ show_command $@
@ -1880,13 +1953,15 @@ case "$COMMAND" in
VERBOSE=$(make_verbose) VERBOSE=$(make_verbose)
[ -n "$NOROUTES" ] && NOROUTES=-n [ -n "$NOROUTES" ] && NOROUTES=-n
export -n CONFIG_PATH export -n CONFIG_PATH
if $0 $debugging $VERBOSE save; then if ! $0 $debugging $VERBOSE -c $2 restart; then
if $0 $debugging $VERBOSE restart $2 ; then if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
if [ $# -eq 3 ]; then $0 $VERBOSE $NOROUTES start
sleep $3
$0 $VERBOSE $NOROUTES restore
fi
fi fi
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 $VERBOSE $NOROUTES start
elif [ $# -eq 3 ]; then
sleep $3
$0 $VERBOSE $NOROUTES restart
fi fi
;; ;;
logwatch) logwatch)

2
Shorewall/shorewall.conf
View File

@ -461,7 +461,7 @@ RETAIN_ALIASES=No
# See http://shorewall.net/traffic_shaping.htm for more information. # See http://shorewall.net/traffic_shaping.htm for more information.
TC_ENABLED=Internal TC_ENABLED=Internal
# #
# TRAFFIC SHAPING EXPERT # TRAFFIC SHAPING EXPERT
# #

19
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 3.3.0 %define version 3.2.3
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -110,23 +110,10 @@ fi
%attr(0644,root,root) /usr/share/shorewall/action.Limit %attr(0644,root,root) /usr/share/shorewall/action.Limit
%attr(0644,root,root) /usr/share/shorewall/action.Reject %attr(0644,root,root) /usr/share/shorewall/action.Reject
%attr(0644,root,root) /usr/share/shorewall/action.template %attr(0644,root,root) /usr/share/shorewall/action.template
%attr(0555,root,root) /usr/share/shorewall/clib.accounting
%attr(0555,root,root) /usr/share/shorewall/clib.ecn
%attr(0555,root,root) /usr/share/shorewall/clib.maclist
%attr(0555,root,root) /usr/share/shorewall/clib.macros
%attr(0555,root,root) /usr/share/shorewall/clib.nat
%attr(0555,root,root) /usr/share/shorewall/clib.providers
%attr(0555,root,root) /usr/share/shorewall/clib.proxyarp
%attr(0555,root,root) /usr/share/shorewall/clib.tcrules
%attr(0555,root,root) /usr/share/shorewall/clib.tos
%attr(0555,root,root) /usr/share/shorewall/clib.tunnels
%attr(0555,root,root) /usr/share/shorewall/compiler %attr(0555,root,root) /usr/share/shorewall/compiler
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0555,root,root) /usr/share/shorewall/firewall %attr(0555,root,root) /usr/share/shorewall/firewall
%attr(0555,root,root) /usr/share/shorewall/help %attr(0555,root,root) /usr/share/shorewall/help
%attr(0555,root,root) /usr/share/shorewall/lib.base
%attr(0555,root,root) /usr/share/shorewall/lib.tc
%attr(0555,root,root) /usr/share/shorewall/lib.tcrules
%attr(0644,root,root) /usr/share/shorewall/Limit %attr(0644,root,root) /usr/share/shorewall/Limit
%attr(0644,root,root) /usr/share/shorewall/macro.AllowICMPs %attr(0644,root,root) /usr/share/shorewall/macro.AllowICMPs
%attr(0644,root,root) /usr/share/shorewall/macro.Amanda %attr(0644,root,root) /usr/share/shorewall/macro.Amanda
@ -222,8 +209,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog %changelog
* Wed Aug 09 2006 Tom Eastep tom@shorewall.net * Fri Aug 25 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1 - Updated to 3.2.3-1
* Wed Aug 02 2006 Tom Eastep tom@shorewall.net * Wed Aug 02 2006 Tom Eastep tom@shorewall.net
- Updated to 3.2.2-1 - Updated to 3.2.2-1
* Fri Jul 21 2006 Tom Eastep tom@shorewall.net * Fri Jul 21 2006 Tom Eastep tom@shorewall.net

4
Shorewall/started
View File

@ -15,9 +15,7 @@
# option. # option.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function # information.
# should not be used in this script because Shorewall is already running
# when this function is called.
# #
############################################################################### ###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=3.3.0 VERSION=3.2.3
usage() # $1 = exit status usage() # $1 = exit status
{ {