Make 'track' the default

2024-11-22 07:33:43 +01:00 · 2009-10-20 12:24:28 -07:00 · 2009-10-20 12:24:28 -07:00 · 49f361124e
commit 49f361124e
parent c4af105ee4
9 changed files with 89 additions and 14 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -100,6 +100,7 @@ sub generate_script_1() {
 EOF

 	copy1 $lib;
+	emit "/n";
    }

    emit <<'EOF';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -316,12 +316,14 @@ sub add_a_provider( ) {

    }

-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,1,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1621,7 +1621,7 @@ sub add_interface_jumps {

 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@ -1683,10 +1683,17 @@ sub generate_matrix() {
 	my $zoneref = find_zone( $zone );

 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-
+	#
+	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
+	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

 	if ( $capabilities{POLICY_MATCH} ) {
+	    #
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
+	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
+	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -16,6 +16,8 @@ Changes in Shorewall 4.4.3

 8)  Remove superfluous variables from generated script

+9)  Make 'track' the default.
+
 Changes in Shorewall 4.4.2

 1)  BUGFIX: Correct detection of Persistent SNAT support
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -169,6 +169,10 @@ Shorewall 4.4.3
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.

+13) Because the 'track' provider option is so useful, it is now the
+    default. If, for some reason, you don't want 'track' then specify
+    'notrack' for the provider.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
 ----------------------------------------------------------------------------
@ -218,6 +222,10 @@ None.
    On non-Debian systems, new installs will now log all Shorewall 
    commands to /var/log/shorewall-init.log.

+2)  Because the 'track' provider option is so useful, it is now the
+    default. If, for some reason, you don't want 'track' then specify
+    'notrack' for the provider.
+
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@ -700,6 +700,15 @@ NONAT           loc             -               tcp     80</programlisting>
      earlier.</para>
    </section>

+    <section>
+      <title>/etc/shorewall/providers</title>
+
+      <para>Beginnins with Shorewall 4.4.3, the <option>track</option> option
+      is now the default. If, for some reason, you don't want the
+      <option>track</option> option then specify
+      <option>notrack</option>.</para>
+    </section>
+
    <section id="extension">
      <title>Extension Scripts</title>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -143,11 +143,12 @@
      Shorewall can set up the correct marking rules for you.</para>

      <para>When you use the <emphasis role="bold">track</emphasis> option in
-      <filename>/etc/shorewall/providers</filename>, connections from the
-      Internet are automatically routed back out of the correct interface and
-      through the correct ISP gateway. This works whether the connection is
-      handled by the firewall itself or if it is routed or port-forwarded to a
-      system behind the firewall.</para>
+      <filename>/etc/shorewall/providers</filename> (which is the default,
+      beginning with Shorewall 4.4.3), connections from the Internet are
+      automatically routed back out of the correct interface and through the
+      correct ISP gateway. This works whether the connection is handled by the
+      firewall itself or if it is routed or port-forwarded to a system behind
+      the firewall.</para>

      <para>Shorewall will set up the routing and will update the
      <filename>/etc/iproute2/rt_tables</filename> to include the table names
@ -163,7 +164,8 @@
          <listitem>
            <para>Packet marking for traffic control purposes may not be done
            in the PREROUTING table for connections involving providers with
-            'track' specified (see below).</para>
+            'track' specified (see below -- note that 'track' defaults to on
+            beginning with Shorewall 4.4.3).</para>
          </listitem>

          <listitem>
@ -329,9 +331,14 @@
                <term>track</term>

                <listitem>
-                  <para>If specified, connections FROM this interface are to
-                  be tracked so that responses may be routed back out this
-                  same interface.</para>
+                  <para><important>
+                      <para>Beginning with Shorwall 4.3.3, <emphasis
+                      role="bold">track</emphasis> is the default. To disable
+                      this option, you must specify <emphasis
+                      role="bold">notrack</emphasis> (see below).</para>
+                    </important>If specified, connections FROM this interface
+                  are to be tracked so that responses may be routed back out
+                  this same interface.</para>

                  <para>You want to specify 'track' if Internet hosts will be
                  connecting to local servers through this provider. Any time
@ -350,7 +357,8 @@
                  support</emphasis>).</para>

                  <important>
-                    <para>If you are using
+                    <para>If you are running a version of Shorewall earlier
+                    than 4.4.3 and are using
                    <filename>/etc/shorewall/providers</filename> because you
                    have multiple Internet connections, we recommend that you
                    specify <emphasis role="bold">track</emphasis> even if you
@ -441,6 +449,16 @@
                </listitem>
              </varlistentry>

+              <varlistentry>
+                <term>notrack</term>
+
+                <listitem>
+                  <para>Added in Shorewall 4.4.3. This option turns off the
+                  <emphasis role="bold">track</emphasis> option which is now
+                  the default.</para>
+                </listitem>
+              </varlistentry>
+
              <varlistentry>
                <term>optional</term>

@ -1410,7 +1428,7 @@ fi</programlisting></para>

        <para>It is the responsibility of the script to perform any action
        needed in reaction to the connection state change. The default script
-        supplied with LSM composes an email and sends it to $5. </para>
+        supplied with LSM composes an email and sends it to $5.</para>

        <para>I personally use LSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@ -163,6 +163,11 @@
                <para>You want to specify <option>track</option> if internet
                hosts will be connecting to local servers through this
                provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                is the default. If, for some reason, you don't want
+                <option>track</option> then specify <option>notrack</option>
+                (see below).</para>
              </listitem>
            </varlistentry>

@ -194,6 +199,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option> which is now the default.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">optional
              (deprecated)</emphasis></term>
--- a/manpages6/shorewall6-providers.xml
+++ b/manpages6/shorewall6-providers.xml
@ -152,6 +152,11 @@
                <para>You want to specify <option>track</option> if internet
                hosts will be connecting to local servers through this
                provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                is the default. If, for some reason, you don't want
+                <option>track</option> then specify <option>notrack</option>
+                (see below).</para>
              </listitem>
            </varlistentry>

@ -167,6 +172,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option> which is now the default.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">optional</emphasis></term>