Bring trunk up to date with branch/4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7668 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-11-15 23:24:54 +00:00
parent 5989c4d349
commit 4db0dc2667
111 changed files with 1518 additions and 1021 deletions


@ -1,5 +1,5 @@
# Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=/var/lib/shorewall
VARDIR=$(shell /sbin/shorewall show vardir)
CONFDIR=/etc/shorewall
RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE}
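Review bot: `VARDIR=$(shell /sbin/shorewall show vardir)` on the second line leaves VARDIR empty when the binary is absent or the command fails, so the `all` target silently becomes `/.restore`, and as a recursively expanded variable it re-runs the subshell on every expansion. Keep the old default as a fallback and expand once: `VARDIR:=$(or $(shell /sbin/shorewall show vardir 2>/dev/null),/var/lib/shorewall)`. The target line that consumes VARDIR is the last line of the hunk, so the rest of the Makefile is not visible here.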


@ -1,3 +1,29 @@
Changes in 4.0.6
1) Fix hyphenated service names in DNAT/REDIRECT rules.
2) Fix long dest ports list bug.
3) Fix many day-one bugs in REDIRECT port handling.
4) Add support for '--physdev-is-bridged'.
5) Add support for embedded shell and Perl scripts.
6) Add support for manual chains.
7) Don't require GATEWAY in tunnels file.
8) Fix HIGH_ROUTE_MARKS fsck-up.
9) Fix Makefiles for VARDIR
10) Add -t option to hits command.
11) Add DONT_LOAD option
12) Add support for --random.
Changes in 4.0.5
1) Delete 'detectnets' from Shorewall-perl


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -35,7 +35,7 @@
#
SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40003
SHOREWALL_CAPVERSION=40006
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -212,7 +212,7 @@ loadmodule() # $1 = module name, $2 - * arguments
local modulefile
local suffix
if ! list_search $modulename $MODULES ; then
if ! list_search $modulename $MODULES $DONT_LOAD ; then
shift
for suffix in $MODULE_SUFFIX ; do
@ -983,6 +983,7 @@ determine_capabilities() {
XMULTIPORT=
POLICY_MATCH=
PHYSDEV_MATCH=
PHYSDEV_BRIDGE=
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
@ -1020,6 +1021,7 @@ determine_capabilities() {
if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
if [ -z "${KLUDGEFREE}" ]; then
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
fi
@ -1112,6 +1114,7 @@ report_capabilities() {
report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
report_capability "Packet length Match" $LENGTH_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
@ -1157,6 +1160,7 @@ report_capabilities1() {
report_capability1 USEPKTTYPE
report_capability1 POLICY_MATCH
report_capability1 PHYSDEV_MATCH
report_capability1 PHYSDEV_BRIDGE
report_capability1 LENGTH_MATCH
report_capability1 IPRANGE_MATCH
report_capability1 RECENT_MATCH
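Review bot: The new `if ! list_search $modulename $MODULES $DONT_LOAD` guard in loadmodule() folds the DONT_LOAD setting into the already-loaded list, so an excluded module is skipped with no trace, and only if DONT_LOAD is already space-separated; the comma-to-space rewrite of that variable is done in a different file of this commit (do_initialize), so a caller of this library that has not run that initialisation would match nothing. A short comment would make the contract explicit: `# skip modules already loaded or excluded via DONT_LOAD (space-separated; commas are converted by do_initialize)`. The PHYSDEV_BRIDGE probe is correctly nested under the PHYSDEV_MATCH=Yes branch. The rest of loadmodule() and determine_capabilities() lies outside these hunks.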


@ -541,6 +541,9 @@ show_command() {
$IPTABLES -t $table -L $IPT_OPTIONS
fi
;;
vardir)
echo $VARDIR;
;;
*)
if [ "$PRODUCT" = Shorewall ]; then
case $1 in
@ -916,28 +919,59 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
# 'hits' commmand executor
#
hits_command() {
local finished=0 today=
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
t*)
today=$(date +'^%b %_d.*')
option=${option#t}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
[ $# -eq 0 ] || usage 1
clear_term
echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
echo
timeout=30
if [ $( $LOGREAD | grep -c 'IN=.* OUT=' ) -gt 0 ] ; then
echo " HITS IP DATE"
if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
echo " HITS IP DATE"
echo " ---- --------------- ------"
$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | \
while read count address month day; do
$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | while read count address month day; do
printf '%7d %-15s %3s %2d\n' $count $address $month $day
done
echo ""
echo " HITS IP PORT"
echo " HITS IP PORT"
echo " ---- --------------- -----"
$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count address port; do
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
printf '%7d %-15s %d\n' $count $address $port
done
@ -945,8 +979,7 @@ hits_command() {
echo " HITS DATE"
echo " ---- ------"
$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | \
while read count month day; do
$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
printf '%7d %3s %2d\n' $count $month $day
done
@ -954,8 +987,7 @@ hits_command() {
echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------"
$LOGREAD | grep 'IN=.* OUT=.*DPT' | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
# List all services defined for the given port
srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
srv=$(echo $srv | sed 's/ /,/g')
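Review bot: `option=$1` at the top of the new option loop in hits_command() is not declared `local` (only `finished` and `today` are), so it leaks into the caller's scope; change the declaration to `local finished=0 today= option=`. The `-t` filter builds its grep pattern from `date +'^%b %_d.*'`, which anchors on a syslog-style "Mon dd" prefix, so it matches the same calendar date in any year and only works if $LOGREAD emits lines in that format — worth a comment such as `# -t: restrict to entries whose syslog timestamp starts with today's "Mon dd"`. The same `${today}IN=.* OUT=` pattern is repeated in five pipelines across the three hunks; hoisting it into one variable would keep the copies from drifting apart. hits_command() continues past the last hunk.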


@ -1746,6 +1746,7 @@ do_initialize() {
EXPORTPARAMS=
KEEP_TC_RULES=
DELETE_THEN_ADD=
DONT_LOAD=
#
# Packet Disposition
#
@ -1830,6 +1831,7 @@ do_initialize() {
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
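Review bot: `DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"` on the last line passes `$DONT_LOAD` to echo unquoted, so word splitting and glob expansion act on the setting before sed sees it; quote it: `[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo "$DONT_LOAD" | sed 's/,/ /g')"`. A comment would also help the reader connect the two ends of the feature: `# DONT_LOAD is comma-separated as configured; loadmodule() expects a space-separated word list`. do_initialize() starts and ends outside these hunks, and its ordering relative to the first module load is not visible here.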
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]


@ -6,8 +6,8 @@
# This macro ACCEPTs needed ICMP types
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -8,8 +8,8 @@
# files from those nodes.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 10080
#
# You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,


@ -6,7 +6,7 @@
# This macro handles Auth (identd) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles BitTorrent traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 6881:6889
#
# It may also be necessary to allow UDP traffic:


@ -6,7 +6,7 @@
# This macro handles connections to the CVS pserver.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles DNS traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles connections to the Distributed Compiler service.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -11,8 +11,8 @@
# Drop net all
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
# Don't log 'auth' REJECT
#


@ -6,7 +6,7 @@
# This macro silently drops DNS UDP replies
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro silently drops UPnP probes on UDP port 1900
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -28,8 +28,8 @@
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles FTP traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# your finger information to internet.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 79
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro (bi-directional) handles Generic Routing Encapsulation traffic (RFC 1701)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - 47 # GRE
PARAM DEST SOURCE 47 # GRE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles Gnutella traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles plaintext HTTP (WWW) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles HTTPS (WWW over SSL) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# see macro.IMAPS.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 143
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# (not recommended), see macro.IMAP.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 993
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro (bidirectional) handles IPIP capsulation traffic
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - 94 # IPIP
PARAM DEST SOURCE 94 # IPIP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles Internet Printing Protocol (IPP).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -23,8 +23,8 @@
# IPPserver/ACCEPT $FW loc
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM SOURCE DEST tcp 631
PARAM DEST SOURCE udp 631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro (bidirectional) handles IPsec traffic
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 500 500 # IKE
PARAM - - 50 # ESP
PARAM DEST SOURCE udp 500 500 # IKE


@ -7,8 +7,8 @@
# This is insecure. You should use ESP with encryption for security.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 500 500 # IKE
PARAM - - 51 # AH
PARAM DEST SOURCE udp 500 500 # IKE


@ -6,8 +6,8 @@
# This macro (bidirectional) handles IPsec traffic and Nat-Traversal
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 500 # IKE
PARAM - - udp 4500 # NAT-T
PARAM - - 50 # ESP


@ -6,7 +6,7 @@
# This macro accepts Jabberd intercommunication traffic
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#TARGET SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5269
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro accepts Jabber traffic (plaintext).
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#TARGET SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro accepts Jabber traffic (ssl).
#
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#TARGET SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5223
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles HP Jetdirect printing.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 9100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic (RFC 2661)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 1701 # L2TP
PARAM DEST SOURCE udp 1701 # L2TP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -11,7 +11,7 @@
# Consult your LDAP server documentation for details.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 389
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -11,7 +11,7 @@
# Consult your LDAP server documentation for details.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles connections to the MySQL server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# encrypted NNTP, see macro.NNTPS.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 119
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# plaintext NNTP, see macro.NNTP.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# For broadcast NTP traffic, use NTPbrd Macro.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -11,8 +11,8 @@
# Netfilter doesn't track connections for broadcast traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles PCAnywere (tm)
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# see macro.POP3S.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 110
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# see macro.POP3.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles 'ping' requests.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles connections to the PostgreSQL server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles Line Printer protocol printing.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 515
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles Microsoft RDP (Remote Desktop) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 3389
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,7 +10,7 @@
# use Time macro instead.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -12,8 +12,8 @@
#
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
# Don't log 'auth' REJECT
#


@ -6,7 +6,7 @@
# This macro handles connections to the rsync server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,8 +10,8 @@
# between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137


@ -10,8 +10,8 @@
# allow SMB traffic between hosts you fully trust.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137


@ -7,7 +7,7 @@
# (SWAT).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -14,7 +14,7 @@
# the POP3 or IMAP macros.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -11,7 +11,7 @@
# the POP3(S) or IMAP(S) macros.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 465
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles SNMP traffic (including traps).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles Spam Assassin SPAMD traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles secure shell (SSH) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
#
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles SixXS -- An IPv6 Deployment and Tunnel Broken
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 3874 # Used for retrieving the tunnel information (eg by AICCU)
PARAM - - udp 3740 # Used for signaling where the current IPv4 endpoint


@ -6,7 +6,7 @@
# This macro handles mail message submission traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 587
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles syslog UDP traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -8,7 +8,7 @@
# Internet.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 69
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# internet, telnet is inappropriate; use SSH instead
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# For traffic over the internet, SSH might be more practical.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 992
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -8,7 +8,7 @@
# you shouldn't be using this. NTP is a superior alternative.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,8 +6,8 @@
# This macro handles Traceroute (for up to 30 hops).
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 33434:33524 # UDP Traceroute
PARAM - - icmp 8 # ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles VNC traffic for VNC display's 0 - 9.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -7,7 +7,7 @@
# mode.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -8,8 +8,8 @@
# is recommended.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 80 # HTTP (plaintext)
PARAM - - tcp 443 # HTTPS (over SSL)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles Webmin traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 10000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# This macro handles whois (nicname) traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 43
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE



@ -62,6 +62,7 @@
# shorewall show tc Display traffic control info
# shorewall show classifiers Display classifiers
# shorewall show capabilities Display iptables/kernel capabilities
# shorewall show vardir Display the VARDIR setting.
# shorewall version Display the installed version id
# shorewall check [ -e ] [ <directory> ] Dry-run compilation.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
@ -1283,7 +1284,7 @@ usage() # $1 = exit status
echo " export [ -C {shell|perl} ] [ <directory1> ] [<user>@]<system>[:<directory2>]"
echo " forget [ <file name> ]"
echo " help"
echo " hits"
echo " hits [ -t ]"
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
@ -1298,7 +1299,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ -C {shell|perl} ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
echo " stop [ -f ]"
echo " status"
@ -1633,8 +1634,8 @@ case "$COMMAND" in
hits)
get_config Yes No Yes
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
hits_command
shift
hits_command $@
;;
version)
shift
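Review bot: `hits_command $@` passes the remaining arguments unquoted, so word splitting and globbing are applied to them before hits_command sees them; write `hits_command "$@"`. The old `[ $# -eq 1 ] || usage 1` was dropped without a replacement, so `hits` now accepts any number of trailing arguments unless hits_command itself rejects them (not visible here); a bound such as `[ $# -le 2 ] || usage 1` before the `shift` would keep the usage check for `hits [ -t ]`. The same two points apply to the shorewall-lite `hits)` case in this commit.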


@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.0.5
%define version 4.0.6
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -153,6 +153,9 @@ fi
%attr(0644,root,root) /usr/share/shorewall/macro.IPsec
%attr(0644,root,root) /usr/share/shorewall/macro.IPsecah
%attr(0644,root,root) /usr/share/shorewall/macro.IPsecnat
%attr(0644,root,root) /usr/share/shorewall/macro.Jabberd
%attr(0644,root,root) /usr/share/shorewall/macro.JabberPlain
%attr(0644,root,root) /usr/share/shorewall/macro.JabberSecure
%attr(0644,root,root) /usr/share/shorewall/macro.Jetdirect
%attr(0644,root,root) /usr/share/shorewall/macro.L2TP
%attr(0644,root,root) /usr/share/shorewall/macro.LDAP
@ -240,6 +243,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC1
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net


@ -171,6 +171,8 @@ DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -1,12 +1,11 @@
# Shorewall Lite Makefile to restart if firewall script is newer than last restart
VARDIR=/var/lib/shorewall-lite
VARDIR=$(shell /sbin/shorewall-lite show vardir)
SHAREDIR=/usr/share/shorewall-lite
RESTOREFILE?=.restore
include $(SHAREDIR)/configpath
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(LITEDIR)/firewall
$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
@/sbin/shorewall-lite -q save >/dev/null; \
if \
/sbin/shorewall-lite -q restart >/dev/null 2>&1; \
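Review bot: If `/sbin/shorewall-lite show vardir` fails or prints nothing (binary missing, or an older version without the `vardir` subcommand), `VARDIR` expands to the empty string and the rule silently becomes `/$(RESTOREFILE): /firewall`. A guard makes that failure loud: `VARDIR:=$(shell /sbin/shorewall-lite show vardir)` followed by `$(if $(strip $(VARDIR)),,$(error /sbin/shorewall-lite show vardir returned nothing))`. Using `:=` rather than `=` also runs the shell command once instead of on every expansion of `$(VARDIR)`.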


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -49,6 +49,7 @@
# shorewall-lite show tc Display traffic control info
# shorewall-lite show classifiers Display classifiers
# shorewall-lite show capabilities Display iptables/kernel capabilities
# shorewall-lite show vardir Display VARDIR setting
# shorewall-lite version Display the installed version id
# shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
# messages.
@ -356,7 +357,7 @@ usage() # $1 = exit status
echo " dump [ -x ]"
echo " forget [ <file name> ]"
echo " help"
echo " hits"
echo " hits [ -t ]"
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
@ -368,7 +369,7 @@ usage() # $1 = exit status
echo " restart [ -n ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|zones} ]"
echo " show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ]"
echo " stop"
echo " status"
@ -597,8 +598,8 @@ case "$COMMAND" in
;;
hits)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
hits_command
shift
hits_command $@
;;
version)
echo $version Lite


@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.0.5
%define version 4.0.6
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,14 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC1
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.5
VERSION=4.0.6
usage() # $1 = exit status
{


@ -25,17 +25,17 @@
#
package Shorewall::Accounting;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = 4.0.3;
our $VERSION = 4.0.6;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@ -174,19 +174,14 @@ sub process_accounting_rule( $$$$$$$$$ ) {
sub setup_accounting() {
my $first_entry = 1;
my $fn = open_file 'accounting';
first_entry "$doing $fn...";
while ( read_a_line ) {
my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
if ( $action eq 'COMMENT' ) {
process_comment;
} else {
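Review bot: With the `if ( $first_entry ) { ... }` block removed in favour of `first_entry "$doing $fn...";`, the local `my $first_entry = 1;` at the top of setup_accounting has no remaining reader in the visible part of the loop and should be deleted along with it, unless it is still referenced further down the loop body, which continues outside this hunk. Leaving it also invites confusion with the newly imported `first_entry` function of the same name.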


@ -25,9 +25,9 @@
#
package Shorewall::Actions;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use strict;
@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
%macros
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.0.4;
our $VERSION = 4.0.6;
#
# Used Actions. Each action that is actually used has an entry with value 1.
@ -400,7 +400,7 @@ sub process_macro1 ( $$ ) {
$targettype = 0 unless defined $targettype;
fatal_error "Invalid target ($mtarget)"
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ ) );
unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
}
progress_message " ..End Macro $macrofile";
@ -418,7 +418,7 @@ sub process_action1 ( $$ ) {
my $targettype = $targets{$target};
if ( defined $targettype ) {
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE | NFQ ) );
return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
@ -640,7 +640,7 @@ sub process_action3( $$$$$ ) {
if ( $action2type & ACTION ) {
$target2 = (find_logactionchain ( $target = $target2 ))->{name};
} else {
fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ );
fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ | CHAIN );
}
}
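Review bot: The mask `LOGRULE | NFQ | CHAIN` is now spelled out in three places (process_macro1, process_action1 and process_action3), and the next target type added will have to be threaded through all three again, as CHAIN was here. A single named constant next to the other type constants, e.g. `use constant UNEXPANDED => LOGRULE | NFQ | CHAIN;` (constructed name), used as `$targettype & UNEXPANDED`, keeps the three checks from drifting apart.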


@ -27,116 +27,127 @@
package Shorewall::Chains;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::IPAddrs;
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( STANDARD
NATRULE
BUILTIN
NONAT
NATONLY
REDIRECT
ACTION
MACRO
LOGRULE
NFQ
NO_RESTRICT
PREROUTE_RESTRICT
INPUT_RESTRICT
OUTPUT_RESTRICT
POSTROUTE_RESTRICT
ALL_RESTRICT
process_comment
clear_comment
incr_cmd_level
decr_cmd_level
add_command
add_commands
mark_referenced
our @EXPORT = qw(
add_rule
insert_rule
chain_base
forward_chain
input_chain
output_chain
masq_chain
syn_flood_chain
mac_chain
macrecent_target
dynamic_fwd
dynamic_in
dynamic_out
dynamic_chains
dnat_chain
snat_chain
ecn_chain
first_chains
new_chain
ensure_chain
ensure_filter_chain
ensure_mangle_chain
new_standard_chain
new_builtin_chain
initialize_chain_table
finish_section
setup_zone_mss
newexclusionchain
clearrule
validate_portrange
do_proto
mac_match
verify_mark
verify_small_mark
validate_mark
do_test
do_ratelimit
do_user
do_tos
match_source_dev
match_dest_dev
iprange_match
match_source_net
match_dest_net
match_orig_dest
match_ipsec_in
match_ipsec_out
new_manual_chain
ensure_manual_chain
log_rule_limit
log_rule
expand_rule
addnatjump
insertnatjump
get_interface_address
get_interface_addresses
get_interface_bcasts
set_global_variables
create_netfilter_load
create_chainlist_reload
%chain_table
$nat_table
$mangle_table
$filter_table
$section
%sections
%targets
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.0.5;
our %EXPORT_TAGS = (
internal => [ qw( STANDARD
NATRULE
BUILTIN
NONAT
NATONLY
REDIRECT
ACTION
MACRO
LOGRULE
NFQ
CHAIN
NO_RESTRICT
PREROUTE_RESTRICT
INPUT_RESTRICT
OUTPUT_RESTRICT
POSTROUTE_RESTRICT
ALL_RESTRICT
add_command
add_commands
process_comment
clear_comment
incr_cmd_level
decr_cmd_level
chain_base
forward_chain
input_chain
output_chain
masq_chain
syn_flood_chain
mac_chain
macrecent_target
dynamic_fwd
dynamic_in
dynamic_out
dynamic_chains
dnat_chain
snat_chain
ecn_chain
first_chains
mark_referenced
ensure_chain
ensure_mangle_chain
new_standard_chain
new_builtin_chain
ensure_filter_chain
initialize_chain_table
finish_section
setup_zone_mss
newexclusionchain
clearrule
validate_port
proto_name
do_proto
mac_match
verify_mark
verify_small_mark
validate_mark
do_test
do_ratelimit
do_user
do_tos
match_source_dev
match_dest_dev
iprange_match
match_source_net
match_dest_net
match_orig_dest
match_ipsec_in
match_ipsec_out
log_rule
expand_rule
addnatjump
insertnatjump
get_interface_address
get_interface_addresses
get_interface_bcasts
set_global_variables
create_netfilter_load
create_chainlist_reload
$section
%sections
%targets
) ],
);
Exporter::export_ok_tags('internal');
our $VERSION = 4.0.6;
#
# Chain Table
#
# %chain_table { <table> => { <chain1> => { name => <chain name>
# table => <table name>
# is_policy => 0|1
# is_optional => 0|1
# referenced => 0|1 -- If 1, will be written to the iptables-restore-input.
# builtin => 0|1 -- If 1, one of Netfilter's built-in chains.
# is_policy => undef|1 -- if 1, this is a policy chain
# is_optional => undef|1 -- See below.
# referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
# builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
# manual => undef|1 -- If 1, a manual chain.
# log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain
@ -156,7 +167,7 @@ our $VERSION = 4.0.5;
# }
#
# 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional.
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1.
#
# Only 'referenced' chains get written to the iptables-restore input.
#
@ -186,6 +197,7 @@ use constant { STANDARD => 1, #defined by Netfilter
MACRO => 128, #A Macro
LOGRULE => 256, #'LOG'
NFQ => 512, #'NFQUEUE'
CHAIN => 1024, #Manual Chain
};
our %targets;
@ -423,6 +435,7 @@ sub add_rule($$;$)
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
chop $newports;
last;
} else {
$newports .= $port;
@ -676,6 +689,22 @@ sub new_standard_chain($) {
$chainref;
}
sub new_manual_chain($) {
my $chain = $_[0];
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
$targets{$chain} = CHAIN;
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
$chainref->{referenced} = 1;
$chainref;
}
sub ensure_manual_chain($) {
my $chain = $_[0];
my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual};
$chainref;
}
#
# Add all builtin chains to the chain table
#
@ -869,25 +898,6 @@ sub validate_portpair( $$ ) {
}
sub validate_portrange( $$ ) {
my ($proto, $portpair) = @_;
if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair, 0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) {
fatal_error "Invalid port range ($portpair)";
}
my @ports = split /-/, $portpair, 2;
$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
}
join '-', @ports;
}
sub validate_port_list( $$ ) {
my $result = '';
my ( $proto, $list ) = @_;
@ -1208,7 +1218,11 @@ sub match_dest_dev( $ ) {
my $interface = shift;
my $interfaceref = find_interface( $interface );
if ( $interfaceref && $interfaceref->{options}{port} ) {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
if ( $capabilities{PHYSDEV_BRIDGE} ) {
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
}
} else {
"-o $interface ";
}
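Review bot: new_manual_chain and ensure_manual_chain are the only new subs in this file section without the `#`-block header comment their neighbours carry (compare the `# Add all builtin chains to the chain table` block that follows them); a header stating that a manual chain is a user-defined filter chain whose name may not collide with an existing target or filter chain, and that ensure_manual_chain returns the existing chain only if it was created as manual, would document the `fatal_error` paths. The combined statement `( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;` is also harder to read than `my $chainref = ensure_filter_chain( $chain, 0 );` followed by `$chainref->{manual} = 1;`, which matches how `referenced` is set on the next line.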


@ -24,8 +24,8 @@
package Shorewall::Compiler;
require Exporter;
use Shorewall::Config;
use Shorewall::Chains;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Policy;
use Shorewall::Nat;
@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
our $VERSION = 4.0.4;
our $VERSION = 4.0.6;
our $export;
@ -133,6 +133,8 @@ sub generate_script_1() {
propagateconfig;
my @dont_load = split /,/, $config{DONT_LOAD};
emit ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${VERBOSE:=0}" ]',
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
@ -140,6 +142,7 @@ sub generate_script_1() {
qq(VERSION="$globals{VERSION}") ,
qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error' ,
qq(DONT_LOAD="@dont_load") ,
''
);
@ -735,6 +738,10 @@ sub compiler( $$$$$ ) {
generate_script_1;
}
#
# Allow user to load Perl modules
#
run_user_exit1 'compile';
#
# Process the zones file.
#
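Review bot: `my @dont_load = split /,/, $config{DONT_LOAD};` takes the setting as-is, and its entries are then written verbatim into the generated script as `DONT_LOAD="@dont_load"`, so whitespace around a comma, an empty element from a trailing comma, or a quote or `$` in the setting ends up inside the shell assignment unchanged. Validating the entries at the split, e.g. `for ( @dont_load ) { fatal_error "Invalid DONT_LOAD entry ($_)" unless /\A[\w.-]+\z/ }`, rejects malformed settings with a clear message at compile time. The same string is split again in load_kernel_modules in Config.pm in this commit; doing the split and validation once in get_configuration would serve both callers.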


@ -36,65 +36,73 @@ use File::Basename;
use File::Temp qw/ tempfile tempdir /;
use Cwd qw(abs_path getcwd);
use autouse 'Carp' => qw(longmess confess);
use Scalar::Util 'reftype';
our @ISA = qw(Exporter);
#
# Imported variables should be treated as read-only by importers
#
our @EXPORT = qw(
create_temp_object
finalize_object
emit
emit_unindented
save_progress_message
save_progress_message_short
set_timestamp
set_verbose
set_command
warning_message
fatal_error
progress_message
progress_message2
progress_message3
push_indent
pop_indent
copy
create_temp_aux_config
finalize_aux_config
warning_message
fatal_error
set_shorewall_dir
set_debug
find_file
split_line
split_line1
split_line2
open_file
close_file
push_open
pop_open
read_a_line
validate_level
qt
ensure_config_path
get_configuration
require_capability
report_capabilities
propagateconfig
append_file
run_user_exit
run_user_exit1
run_user_exit2
generate_aux_config
);
$command
$doing
$done
$currentline
%config
%globals
%capabilities );
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
our $VERSION = 4.0.5;
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
finalize_object
emit
emit_unindented
save_progress_message
save_progress_message_short
set_timestamp
set_verbose
set_command
push_indent
pop_indent
copy
create_temp_aux_config
finalize_aux_config
set_shorewall_dir
set_debug
find_file
split_line
split_line1
split_line2
first_entry
open_file
close_file
push_open
pop_open
read_a_line
validate_level
qt
ensure_config_path
get_configuration
require_capability
report_capabilities
propagateconfig
append_file
run_user_exit
run_user_exit1
run_user_exit2
generate_aux_config
$command
$doing
$done
$currentline
%config
%globals
%capabilities
) ] );
Exporter::export_ok_tags('internal');
our $VERSION = 4.0.6;
#
# describe the current command, it's present progressive, and it's completion.
@ -156,6 +164,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match',
PHYSDEV_BRIDGE => 'Physdev-is-bridged support',
LENGTH_MATCH => 'Packet length Match',
IPRANGE_MATCH => 'IP Range Match',
RECENT_MATCH => 'Recent Match',
@ -197,6 +206,10 @@ our $currentline; # Current config file line image
our $currentfile; # File handle reference
our $currentfilename; # File NAME
our $currentlinenumber; # Line number
our $scriptfile; # File Handle Reference to current temporary file being written by an in-line Perl script
our $scriptfilename; # Name of that file.
our @tempfiles; # Files that need unlinking at END
our $first_entry; # Message to output or function to call on first non-blank line of a file
our $shorewall_dir; # Shorewall Directory
@ -230,8 +243,8 @@ sub initialize() {
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => '4.0.5',
CAPVERSION => 40003 ,
VERSION => '4.0.6',
CAPVERSION => 40006 ,
);
#
# From shorewall.conf file
@ -324,6 +337,7 @@ sub initialize() {
KEEP_RT_TABLES => undef,
DELETE_THEN_ADD => undef,
MULTICAST => undef,
DONT_LOAD => '',
#
# Packet Disposition
#
@ -344,6 +358,7 @@ sub initialize() {
USEPKTTYPE => undef,
POLICY_MATCH => undef,
PHYSDEV_MATCH => undef,
PHYSDEV_BRIDGE => undef,
LENGTH_MATCH => undef,
IPRANGE_MATCH => undef,
RECENT_MATCH => undef,
@ -385,6 +400,7 @@ sub initialize() {
$currentfile = undef; # File handle reference
$currentfilename = ''; # File NAME
$currentlinenumber = 0; # Line number
$first_entry = 0; # Message to output or function to call on first non-blank file entry
$shorewall_dir = ''; #Shorewall Directory
@ -403,11 +419,15 @@ sub warning_message
my $linenumber = $currentlinenumber || 1;
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
$| = 1;
if ( $debug ) {
print STDERR longmess( " WARNING: @_$currentlineinfo" );
} else {
print STDERR " WARNING: @_$currentlineinfo\n";
}
$| = 0;
}
#
@ -416,10 +436,17 @@ sub warning_message
sub fatal_error {
my $linenumber = $currentlinenumber || 1;
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
$| = 1;
confess " ERROR: @_$currentlineinfo" if $debug;
die " ERROR: @_$currentlineinfo\n";
}
sub fatal_error1 {
$| = 1;
confess " ERROR: @_" if $debug;
die " ERROR: @_\n";
}
#
# Write the arguments to the object file (if any) with the current indentation.
#
@ -792,6 +819,19 @@ sub open_file( $ ) {
do_open_file $fname if -f $fname && -s _;
}
#
# Pop the include stack
#
sub pop_include() {
my $arrayref = pop @includestack;
if ( $arrayref ) {
( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
} else {
$currentfile = undef;
}
}
#
# This function is normally called below in read_a_line() when EOF is reached. Clients of the
# module may also call the function to close the file before EOF
@ -799,15 +839,14 @@ sub open_file( $ ) {
sub close_file() {
if ( $currentfile ) {
close $currentfile;
my $result = close $currentfile;
my $arrayref = pop @includestack;
pop_include;
fatal_error "SHELL Script failed" unless $result;
$first_entry = 0;
if ( $arrayref ) {
( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
} else {
$currentfile = undef;
}
}
}
@ -828,13 +867,143 @@ sub push_open( $ ) {
sub pop_open() {
@includestack = @{pop @openstack};
pop_include;
}
my $arrayref = pop @includestack;
sub shorewall {
unless ( $scriptfile ) {
fatal_error "shorewall() may not be called in this context" unless $currentfile;
if ( $arrayref ) {
( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
} else {
$dir ||= '/tmp/';
eval {
( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
};
fatal_error "Unable to create temporary file in directory $dir" if $@;
}
print $scriptfile "@_\n";
}
#
# We don't announce that we are checking/compiling a file until we determine that the file contains
# at least one non-blank, non-commentary line.
#
# The argument to this function may be either a scalar or a function reference. When the first
# non-blank/non-commentary line is reached:
#
# - if a function reference was passed to first_entry(), that function is called
# - otherwise, the argument to first_entry() is passed to progress_message2().
#
# We do this processing in read_a_line() rather than in the higher-level routines because
# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
# until we get back to the caller of read_a_line(), we could issue error messages about parsing and
# running scripts in the file before we'd even indicated that we are processing it.
#
sub first_entry( $ ) {
$first_entry = $_[0];
my $reftype = reftype $first_entry;
if ( $reftype ) {
fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
}
}
sub embedded_shell( $ ) {
my $multiline = shift;
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
if ( $multiline ) {
#
# Multi-line script
#
fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/;
$command .= "\n";
my $last = 0;
while ( <$currentfile> ) {
$currentlinenumber++;
last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
$command .= $_;
}
fatal_error ( "Missing END SHELL" ) unless $last;
fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
}
$command .= q(');
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
$currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
$currentline = '';
$currentlinenumber = 0;
}
sub embedded_perl( $ ) {
my $multiline = shift;
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
if ( $multiline ) {
#
# Multi-line script
#
fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/;
$command .= "\n";
my $last = 0;
while ( <$currentfile> ) {
$currentlinenumber++;
last if $last = s/^\s*END(\s+PERL)?\s*;?//;
$command .= $_;
}
fatal_error ( "Missing END PERL" ) unless $last;
fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
}
unless (my $return = eval $command ) {
if ( $@ ) {
#
# Perl found the script offensive or the script itself died
#
$@ =~ s/, <\$currentfile> line \d+//g;
fatal_error1 "$@";
}
unless ( defined $return ) {
fatal_error "Perl Script failed: $!" if $!;
fatal_error "Perl Script failed";
}
fatal_error "Perl Script Returned False";
}
if ( $scriptfile ) {
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
close $scriptfile or fatal_error "Internal Error in embedded_perl()";
$scriptfile = undef;
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
$scriptfilename = '';
$currentfilename = "PERL\@$currentfilename:$linenumber";
$currentline = '';
$currentlinenumber = 0;
}
}
@ -844,6 +1013,7 @@ sub pop_open() {
# - Ignore blank or comment-only lines.
# - Remove trailing comments.
# - Handle Line Continuation
# - Handle embedded SHELL and PERL scripts
# - Expand shell variables from $ENV.
# - Handle INCLUDE <filename>
#
@ -871,40 +1041,57 @@ sub read_a_line() {
# Ignore ( concatenated ) Blank Lines
#
$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
#
# Expand Shell Variables using %ENV
# Line not blank -- Handle any first-entry message/capabilities check
#
# $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3};
$val = '' unless defined $val;
$currentline = join( '', $1 , $val , $4 );
if ( $first_entry ) {
reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
$first_entry = 0;
}
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
do_open_file $filename;
} else {
$currentlinenumber = 0;
}
$currentline = '';
#
# Must check for shell/perl before doing variable expansion
#
if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
embedded_shell( $1 );
} elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
embedded_perl( $1 );
} else {
return 1;
my $count = 0;
#
# Expand Shell Variables using %ENV
#
# $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3};
$val = '' unless defined $val;
$currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100;
}
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
do_open_file $filename;
} else {
$currentlinenumber = 0;
}
$currentline = '';
} else {
return 1;
}
}
}
@ -1085,6 +1272,10 @@ sub load_kernel_modules( ) {
if ( $moduleloader && open_file 'modules' ) {
my %loadedmodules;
for ( split /,/, $config{DONT_LOAD} ) {
$loadedmodules{$_} = 1;
}
progress_message "Loading Modules...";
open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@ -1155,7 +1346,8 @@ sub determine_capabilities( $ ) {
$capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
$capabilities{PHYSDEV_MATCH} = 1;
$capabilities{PHYSDEV_MATCH} = 1;
$capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
unless ( $capabilities{KLUDGEFREE} ) {
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
}
@ -1389,12 +1581,20 @@ sub get_configuration( $ ) {
my $export = $_[0];
our ( $once, @originalinc );
@originalinc = @INC unless $once++;
ensure_config_path;
process_shorewall_conf;
ensure_config_path;
@INC = @originalinc;
unshift @INC, @config_path;
default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz';
@ -1641,10 +1841,17 @@ sub run_user_exit( $ ) {
if ( -f $file ) {
progress_message "Processing $file...";
unless (my $return = eval `cat $file` ) {
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
unless (my $return = eval $command ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file";
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
}
}
@ -1662,14 +1869,21 @@ sub run_user_exit1( $ ) {
if ( read_a_line ) {
close_file;
unless (my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file";
}
}
my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;
pop_open;
unless (my $return = eval $command ) {
fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
} else {
pop_open;
}
}
}
@ -1688,8 +1902,13 @@ sub run_user_exit2( $$ ) {
unless (my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file";
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
}
@ -1733,10 +1952,17 @@ sub generate_aux_config() {
}
END {
if ( $object ) {
close $object;
unlink $tempfile;
}
#
# Close files first in case we're running under Cygwin
#
close $object if $object;
close $scriptfile if $scriptfile;
#
# Unlink temporary files
#
unlink $tempfile if $tempfile;
unlink $scriptfilename if $scriptfilename;
unlink $_ for @tempfiles;
}
1;


@ -25,10 +25,10 @@
#
package Shorewall::Nat;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use strict;
@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
our @EXPORT_OK = ();
our $VERSION = 4.0.3;
our $VERSION = 4.0.6;
our @addresses_to_add;
our %addresses_to_add;
@ -188,49 +188,60 @@ sub setup_one_masq($$$$$$$)
my $detectaddress = 0;
my $exceptionrule = '';
my $randomize = '';
#
# Parse the ADDRESSES column
#
if ( $addresses ne '-' ) {
if ( $addresses =~ /^SAME:nodst:/ ) {
$target = '-j SAME --nodst ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses =~ /^SAME:/ ) {
$target = '-j SAME ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
"if [ \"$variable\" != 0.0.0.0 ]; then" );
incr_cmd_level( $chainref );
$detectaddress = 1;
}
if ( $addresses eq 'random' ) {
$randomize = '--random ';
} else {
my $addrlist = '';
for my $addr ( split /,/, $addresses ) {
if ( $addr =~ /^.*\..*\..*\./ ) {
$target = '-j SNAT ';
$addrlist .= "--to-source $addr ";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else {
$addr =~ s/^://;
$addrlist .= "--to-ports $addr ";
$exceptionrule = do_proto( $proto, '', '' );
}
}
$addresses =~ s/:random$// and $randomize = '--random ';
$target .= $addrlist;
if ( $addresses =~ /^SAME:nodst:/ ) {
fatal_error "':random' is not supported by the SAME target" if $randomize;
$target = '-j SAME --nodst ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses =~ /^SAME:/ ) {
fatal_error "':random' is not supported by the SAME target" if $randomize;
$target = '-j SAME ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
"if [ \"$variable\" != 0.0.0.0 ]; then" );
incr_cmd_level( $chainref );
$detectaddress = 1;
}
} else {
my $addrlist = '';
for my $addr ( split /,/, $addresses ) {
if ( $addr =~ /^.*\..*\..*\./ ) {
$target = '-j SNAT ';
$addrlist .= "--to-source $addr ";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else {
$addr =~ s/^://;
$addrlist .= "--to-ports $addr ";
$exceptionrule = do_proto( $proto, '', '' );
}
}
$target .= $addrlist;
}
}
$target .= $randomize;
} else {
$add_snat_aliases = 0;
}
@ -284,18 +295,12 @@ sub setup_one_masq($$$$$$$)
#
sub setup_masq()
{
my $first_entry = 1;
my $fn = open_file 'masq';
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' , 's' );
$first_entry = 0;
}
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
if ( $fullinterface eq 'COMMENT' ) {
@ -395,18 +400,12 @@ sub do_one_nat( $$$$$ )
#
sub setup_nat() {
my $first_entry = 1;
my $fn = open_file 'nat';
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty nat file', 's' );
$first_entry = 0;
}
my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
if ( $external eq 'COMMENT' ) {
@ -425,17 +424,11 @@ sub setup_nat() {
#
sub setup_netmap() {
my $first_entry = 1;
my $fn = open_file 'netmap';
while ( read_a_line ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
if ( $first_entry ) {
progress_message2 "$doing $fn...";
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' , 's' );
$first_entry = 0;
}
while ( read_a_line ) {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
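Review bot: `--random` is appended to the target (L2329, L2343, L2385) without any capability check, whereas this same commit probes `--physdev-is-bridged` in determine_capabilities (L2187) before relying on it; on a kernel or iptables build without NAT `--random` the failure would only surface when the generated script runs. A probe of the same shape plus a `require_capability` before emitting `--random` would turn that into a compile-time error. The duplicated `fatal_error "':random' is not supported by the SAME target" if $randomize;` in the two SAME branches (L2346, L2353) could be one check placed after the strip on L2343, e.g. `fatal_error "':random' is not supported by the SAME target" if $randomize && $addresses =~ /^SAME:/;`. setup_one_masq starts and ends outside the hunk.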


@ -24,9 +24,9 @@
#
package Shorewall::Policy;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw( :DEFAULT :internal) ;
use Shorewall::Actions;
use strict;
@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = 4.0.5;
our $VERSION = 4.0.6;
# @policy_chains is a list of references to policy chains in the filter table
@ -207,15 +207,10 @@ sub validate_policy()
my $fn = open_file 'policy';
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 3, 5, 'policy file';
$loglevel = '' if $loglevel eq '-';
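Review bot: The export list on L2448, left as context by this section, contains a stray `sub` token between `complete_standard_chain` and `setup_syn_flood_chains`, so `@EXPORT` names a `Shorewall::Policy::sub` that is never defined. As far as I can tell Exporter aliases an undefined stub into every importer rather than dying, so nothing breaks today, but the token should be removed: `our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );`.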


@ -27,9 +27,8 @@
#
package Shorewall::Proc;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Chains;
use strict;
@ -42,7 +41,7 @@ our @EXPORT = qw(
setup_forwarding
);
our @EXPORT_OK = qw( );
our $VERSION = 4.0.1;
our $VERSION = 4.0.6;
#
# ARP Filtering


@ -25,17 +25,17 @@
#
package Shorewall::Providers;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.0.3;
our $VERSION = 4.0.6;
use constant { LOCAL_NUMBER => 255,
MAIN_NUMBER => 254,
@ -83,8 +83,7 @@ INIT {
# Set up marking for 'tracked' interfaces. Unlike in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.
#
sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
@ -96,7 +95,7 @@ sub setup_route_marking() {
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
add_rule $chainref, " -i $interface -j MARK --set-mark $mark";
}
add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@ -476,17 +475,12 @@ sub setup_providers() {
if ( $fn ) {
my $first_entry = 0;
first_entry "$doing $fn...";
emit '';
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
add_an_rtrule( $source, $dest, $provider , $priority );


@ -23,7 +23,7 @@
#
package Shorewall::Proxyarp;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use strict;
@ -35,7 +35,7 @@ our @EXPORT = qw(
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.0.1;
our $VERSION = 4.0.6;
our @proxyarp;


@ -24,10 +24,10 @@
#
package Shorewall::Rules;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Actions;
use Shorewall::Policy;
use Shorewall::Proc;
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
dump_rule_chains
);
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = 4.0.5;
our $VERSION = 4.0.6;
#
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@ -95,20 +95,17 @@ sub process_tos() {
if ( my $fn = open_file 'tos' ) {
my $first_entry = 1;
my ( $pretosref, $outtosref );
first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$pretosref = ensure_chain 'mangle' , $chain;
$outtosref = ensure_chain 'mangle' , 'outtos';
$first_entry = 0;
}
my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
$first_entry = 0;
fatal_error "A value must be supplied in the TOS column" if $tos eq '-';
if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
@ -166,15 +163,10 @@ sub setup_ecn()
if ( my $fn = open_file 'ecn' ) {
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -229,15 +221,10 @@ sub setup_rfc1918_filteration( $ ) {
my $fn = open_file 'rfc1918';
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file';
my $s_target;
@ -297,6 +284,8 @@ sub setup_blacklist() {
if ( my $fn = open_file 'blacklist' ) {
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
@ -307,7 +296,6 @@ sub setup_blacklist() {
last BLACKLIST;
}
progress_message2 "$doing $fn...";
$first_entry = 0;
}
@ -353,17 +341,12 @@ sub process_criticalhosts() {
my $fn = open_file 'routestopped';
my $first_entry = 1;
first_entry "$doing $fn for critical hosts...";
while ( read_a_line ) {
my $routeback = 0;
if ( $first_entry ) {
progress_message2 "$doing $fn for critical hosts...";
$first_entry = 0;
}
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -399,17 +382,12 @@ sub process_routestopped() {
my $fn = open_file 'routestopped';
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
my $routeback = 0;
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -724,15 +702,10 @@ sub setup_mac_lists( $ ) {
my $fn = open_file 'maclist';
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file';
if ( $disposition eq 'COMMENT' ) {
@ -937,7 +910,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
if ( $actiontype == MACRO ) {
#
# Will call process_rule1() recursively for each rule in the macro body
# process_macro() will call process_rule1() recursively for each rule in the macro body
#
fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
@ -975,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
}
#
# We can now dispense with the postfix characters
# We can now dispense with the postfix character
#
$action =~ s/[\+\-!]$//;
#
@ -992,7 +965,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
if ( $actiontype & REDIRECT ) {
if ( $dest eq '-' ) {
$dest = firewall_zone;
$dest = join( '', firewall_zone, '::' , $ports =~ /[:,]/ ? '' : $ports );
} else {
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/;
}
@ -1050,6 +1023,11 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
}
#
# For compatibility with older Shorewall versions
#
$origdest = ALLIPv4 if $origdest eq 'all';
#
# Take care of chain
#
@ -1079,17 +1057,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
$chainref = ensure_filter_chain $chain, 1;
#
# For compatibility with older Shorewall versions
#
$origdest = ALLIPv4 if $origdest eq 'all';
#
# Generate Fixed part of the rule
#
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
unless ( $section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
$rule .= "-m state --state $section "
}
@ -1098,23 +1072,42 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
if ( $actiontype & NATRULE ) {
my ( $server, $serverport );
fatal_error "$target rules not allowed in the $section SECTION" if $section ne 'NEW';
my $randomize = $dest =~ s/:random$// ? '--random ' : '';
require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
#
# Isolate server port
# Isolate server port
#
if ( $dest =~ /^(.*)(:(.+))$/ ) {
$server = $1;
$serverport = validate_portrange $proto, $3;
#
# Server IP and Port
#
$server = $1; # May be empty
$serverport = $3; # Not Empty due to RE
if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
#
fatal_error "Invalid port range ($serverport)" unless $1 < $2;
my @ports = ( $1, $2 );
$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
( $ports = $serverport ) =~ tr/-/:/;
} else {
$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
}
} elsif ( $dest eq ':' ) {
#
# Rule with no server IP or port ( zone:: )
#
$server = $serverport = '';
} else {
#
# Simple server IP address (may be empty or "-")
#
$server = $dest;
$serverport = '';
}
#
# After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below.
#
my $servport = $serverport ne '' ? $serverport : $ports;
#
# Generate the target
#
@ -1122,7 +1115,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
if ( $actiontype & REDIRECT ) {
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
$target = '-j REDIRECT --to-port ' . $servport;
$target = '-j REDIRECT ';
$target .= "--to-port $serverport " if $serverport;
if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4;
} elsif ( $origdest eq 'detect' ) {
@ -1142,6 +1136,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
if ( $action eq 'SAME' ) {
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
fatal_error "':random' is not supported by the SAME target" if $randomize;
warning_message 'Netfilter support for SAME is being dropped in early 2008';
$target = '-j SAME ';
for my $serv ( split /,/, $server ) {
$target .= "--to $serv ";
@ -1165,6 +1161,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
}
$target .= $randomize;
#
# And generate the nat table rule(s)
#
@ -1180,14 +1178,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$serverport ? do_proto( $proto, '', '' ) : '' );
#
# After NAT:
# - the destination port will be the server port
# - the destination IP will be the server IP
# - the destination port will be the server port ($ports) -- we did that above
# - the destination IP will be the server IP ($dest)
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
# - the target will be ACCEPT.
#
unless ( $actiontype & NATONLY ) {
$servport =~ tr/-/:/ if $servport ne '-';
$rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
@ -1348,15 +1345,10 @@ sub process_rules() {
my $fn = open_file 'rules';
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file';
if ( $target eq 'COMMENT' ) {
@ -1398,7 +1390,7 @@ sub process_rules() {
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
#
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
#
sub generate_matrix() {
#
@ -1468,7 +1460,7 @@ sub generate_matrix() {
}
#
# Generate_Matrix() Starts Here
# G e n e r a t e _ M a t r i x ( ) S t a r t s H e r e
#
start_matrix;
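Review bot: In the new port-range branch (L2729–L2736) `validate_port` is called on both ends but its results in `@ports` are never read; `$ports` and `$serverport` keep the raw text from L2736 onward. If the calls exist only for their fatal_error side effect on out-of-range values, say so with a comment such as `# validate_port is called for its range check only; the regex already guarantees numeric ends`, otherwise use the returned values (`$ports = join ':', @ports;`). Also `unless $1 < $2` on L2733 rejects a degenerate range like `80-80`, which iptables accepts as `80:80`, so `<=` may be what was intended. Separately, if `my $first_entry = 1;` (L2576) and `$first_entry = 0;` (L2587) in process_tos survive as context, they are dead state now that `first_entry(...)` on L2578 performs the first-line work. process_rule1 starts and ends outside the hunks.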


@ -29,9 +29,9 @@
#
package Shorewall::Tc;
require Exporter;
use Shorewall::Config;
use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones;
use Shorewall::Chains;
use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::Providers;
use strict;
@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = 4.0.5;
our $VERSION = 4.0.6;
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
@ -269,8 +269,6 @@ sub process_tc_rule( $$$$$$$$$$ ) {
fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
$target =~ s/set-mark/or-mark/ if numeric_value( $cmd ) > 0xFF && ( $chain eq 'tcpre' || $chain eq 'tcout' );
}
}
@ -408,15 +406,10 @@ sub setup_traffic_shaping() {
my $fn = open_file 'tcdevices';
if ( $fn ) {
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $device, $inband, $outband ) = split_line 3, 3, 'tcdevices';
fatal_error "Invalid tcdevices entry" if $outband eq '-';
@ -427,15 +420,10 @@ sub setup_traffic_shaping() {
$fn = open_file 'tcclasses';
if ( $fn ) {
my $first_entry = 1;
first_entry "$doing $fn...";
while ( read_a_line ) {
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
}
my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
@ -550,8 +538,6 @@ sub setup_traffic_shaping() {
#
sub setup_tc() {
my $first_entry = 1;
if ( $capabilities{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
ensure_mangle_chain 'tcout';
@ -595,13 +581,9 @@ sub setup_tc() {
if ( my $fn = open_file 'tcrules' ) {
while ( read_a_line ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
if ( $first_entry ) {
progress_message2 "$doing $fn...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' );
$first_entry = 0;
}
while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';
