diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 185201413..d8fb2ad03 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -56,3 +56,7 @@ Changes since 1.4.6
 25) Redesign the accounting facility to make it simpler and more flexible.
+26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve
+ conflict between that facility and rate-limited logging rules.
+
+27) Add User Set capability.
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 7b97163f7..9612a3e6b 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -138,6 +138,8 @@ restore_file /etc/shorewall/accounting restore_file /etc/shorewall/usersets +restore_file /etc/shorewall/users + if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then restore_file /usr/lib/shorewall/version oldversion="`cat /usr/lib/shorewall/version`"
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 21ec45feb..01aa9031f 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1934,13 +1934,32 @@ process_user_set_entry() {
 local acceptchain=`accept_chain $userset`
 local dropchain=`drop_chain $userset`
 local rejectchain=`reject_chain $userset`
- local rule="-m owner"
+
+ list_search $userset $usersets && \
+ fatal_error "Duplicate Uset Set: $userset"
+ usersets="$usersets $userset"
+
+ createchain $acceptchain No
+ createchain $dropchain No
+ createchain $rejectchain No
+
+ [ "x$reject" = "x-" ] && reject=""
+ eval ${userset}_reject="$reject"
+ [ "x$accept" = "x-" ] && accept=""
+ eval ${userset}_accept="$accept"
+ [ "x$drop" = "x-" ] && drop=""
+ eval ${userset}_drop="$drop"
+}
- if ! havechain $acceptchain; then
- createchain $acceptchain No
- createchain $dropchain No
- createchain $rejectchain No
- fi
+process_user_entry() {
+ local acceptchain=`accept_chain $userset`
+ local dropchain=`drop_chain $userset`
+ local rejectchain=`reject_chain $userset`
+ local rule="-m owner"
+ local level=
+
+ list_search $userset $usersets || \
+ fatal_error "Unknown Uset Set: $userset"
 [ "x$user" = "x-" ] && user=
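Review bot: The user-set name is handed straight to `eval` (`eval ${userset}_reject="$reject"` and the accept/drop lines that follow) without the check that the usersets file header promises (a valid shell identifier of at most 6 characters), so a malformed name surfaces as a shell parse error or a stray assignment instead of a configuration error; add a check ahead of the first eval, e.g. `expr "X$userset" : 'X[A-Za-z_][A-Za-z0-9_]*$' >/dev/null || fatal_error "Invalid User Set name: $userset"`. The value side is re-parsed as well, because `$reject` is expanded before eval runs; `eval ${userset}_reject=\"\$reject\"` keeps the level a single word whatever it contains. Both new fatal_error messages read `Uset Set`, presumably `User Set`. `usersets` is appended to but never initialised in this function; if nothing resets it before setup_usersets runs that is fine for a one-shot script, but a comment saying so would help. process_user_set_entry's opening line is above the hunk and process_user_entry continues below it.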
@@ -1950,24 +1969,41 @@ process_user_set_entry() {
 [ -n "$user" ] && rule="$rule --uid-owner $user" || user='*'
 [ -n "$group" ] && rule="$rule --gid-owner $group" || group='*'
+ eval level=\$${userset}_accept
+ [ -n "$level" ] && \
+ log_rule $level $acceptchain ACCEPT $rule
 run_iptables -A $acceptchain $rule -j ACCEPT
+
+ eval level=\$${userset}_drop
+ [ -n "$level" ] && \
+ log_rule $level $dropchain DROP $rule
 run_iptables -A $dropchain $rule -j DROP
+
+ eval level=\$${userset}_reject
+ [ -n "$level" ] && \
+ log_rule $level $rejectchain REJECT $rule
 run_iptables -A $rejectchain $rule -j reject
 echo " User $user:$group added to user set $userset"
 }
 setup_usersets() # $1 = Name of usersets file
-{
-
+{
 echo "Setting up User Sets..."
 strip_file usersets $1
- while read userset user group ; do
- expandv userset user group
+ while read userset reject accept drop; do
+ expandv userset reject accept drop
 process_user_set_entry
 done < $TMP_DIR/usersets
+
+ strip_file users
+
+ while read userset user group ; do
+ expandv userset user group
+ process_user_entry
+ done < $TMP_DIR/users
 }
 #
@@ -2084,7 +2120,7 @@ refresh_tc() {
 # by this function
 # cport = Source Port Specification
 # multiport = String to invoke multiport match if appropriate
-# ratelimit = Optional rate limiting clause
+# ratelimit = Optional rate limiting clause
 #
 add_nat_rule() {
 local chain
@@ -2172,7 +2208,7 @@ add_nat_rule() {
 else
 for adr in `separate_list $addr`; do
 if [ -n "$loglevel" ]; then
- log_rule $loglevel $OUTPUT $logtarget -t nat \
+ log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
 `fix_bang $proto $cli $sports -d $adr $multiport $dports`
 fi
@@ -2558,6 +2594,9 @@ process_rule() # $1 = target
 [ -n "$userset" ] && \
 fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
 esac
+
+ [ -n "$loglevel" ] && \
+ fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
 else
 case $target in
 ACCEPT|LOG)
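Review bot: A users entry whose USER and GROUP are both empty or `-` leaves `rule` as a bare `-m owner`, so the three run_iptables calls emit an owner match with no option and the failure (assuming iptables rejects it, which I would expect) shows up at load time rather than as a configuration error naming the entry; a guard placed before the two `[ -n "$user" ]`/`[ -n "$group" ]` lines at the top of the hunk, e.g. `[ -n "$user$group" ] || fatal_error "USER or GROUP must be given: user set $userset"`, reports it cleanly. In setup_usersets the new `strip_file users` call passes no file name while the existing `strip_file usersets $1` does, so this depends on strip_file deriving the path from its first argument alone; worth confirming against strip_file, which is outside the hunk. The comment `# $1 = Name of usersets file` should also say that the function now reads the users file. The hunk header still names process_user_set_entry, but the first part of this hunk belongs to process_user_entry, whose start is in the previous hunk.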
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 0fdbb2137..613322ec6 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -573,7 +573,17 @@ if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
 else
 run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
 echo
- echo "User sets file installed as ${PREFIX}/etc/shorewall/usersets"
+ echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
+fi
+#
+# Install the User file
+#
+if [ -f ${PREFIX}/etc/shorewall/users ]; then
+ backup_file /etc/shorewall/users
+else
+ run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
+ echo
+ echo "Users file installed as ${PREFIX}/etc/shorewall/users"
 fi
 #
 # Backup the version file
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index fcc230a5d..05bef2958 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -26,6 +26,8 @@ Problems Corrected since version 1.4.6:
 "shorewall monitor" on the "Dynamic Chains" page (previously named
 "Dynamic Chain").
+6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
+
 Migration Issues:
 1) Once you have installed this version of Shorewall, you must
@@ -34,7 +36,9 @@ Migration Issues:
 2) To maintain strict compatibility with previous versions, current
 uses of "shorewall drop" and "shorewall reject" should be replaced
- with "shorewall dropall" and "shorewall rejectall".
+ with "shorewall dropall" and "shorewall rejectall".
+
+3) IP Traffic Accounting is changed from Snapshot 20030813.
 New Features:
@@ -135,38 +139,34 @@ New Features: will use all listed addresses/ranges in round-robin fashion. 7) An /etc/shorewall/accounting file has been added to allow for - traffic accounting. The file has two sections. + traffic accounting.. - The first section of the file is optional and allows aggregation of - counter chains into other counter chains. It does this by allowing - you to create an accounting chain hierarchy. See - http://shorewall.net/Accounting.html for a description of this - section. + The accounting rules are placed in a chain called "accounting" and + can thus be displayed using "shorewall show accounting". - The second section of the file has the following columns: + The file has the following columns: - ACTION - What to do when a match is found. + ACTION - What to do when a match is found. Possible + values are: - COUNT - Simply count the match and - continue trying to match the - packet with the following - accounting rules - DONE - Count the match and don't - attempt to match any - following accounting rules. - - The name of a chain that is - to be jumped to. Shorewall - will create the chain - automatically if it was not - created by a CHAIN entry in - the first section of the - file. If the name of - the chain is followed by - ":DONE" then after control - returns from the named chain, - the packet will not be - matched against any of the - following accounting rules. + COUNT - Simply count the match and continue + trying to match the packet with the + following accounting rules. + + DONE - Count the match and don't attempt to + match any following accounting rules. + + - The name of a chain to jump to. + Shorewall will create the chain + automatically. If the name of the + chain is followed by ":COUNT" then + a COUNT rule matching this rule + will automatically be added to + + + CHAIN - The name of the chain where the accounting + rule is to be added. If empty or "-" then + the "accounting" chain is assumed. SOURCE - Packet Source 
@@ -193,8 +193,8 @@ New Features: number. May only be specified if the protocol is TCP or UDP (6 or 17). - In all columns except the first, the values "-","any" and "all" are - treated as wild-cards. + In all columns except ACTION and CHAIN, the values "-","any" and + "all" are treated as wild-cards. The accounting rules are evaluated in the Netfilter 'filter' table. This is the same environment where the 'rules' file rules are 
@@ -202,51 +202,9 @@ New Features: inbound packets and SNAT has not yet occurred on outbound ones. The accounting rules are placed in a chain called "accounting" and - can thus be displayed using "shorewall show accounting". It should - be noted that where the ACTION is :DONE then the entry - generates two rules in "accounting"; the first is a jump to the - named chain and the second is a RETURN rule which causes the - accounting chain to be exited. + can thus be displayed using "shorewall show accounting". - Examples: - - COUNT eth0 eth1 # Count traffic going through the - # router from eth0 to eth1 - COUNT eth0:206.124.146.177 # Count traffic from my - # server arriving on - # eth0 - DONE eth0 eth1:192.168.1.24 - # Count traffic entering - # eth0 and going to host - # 192.168.1.24 on - # eth1. Don't check for - # any more matches. - Example using CHAIN: - - # This example shows how you can aggretate two counters. The - # counters being aggregated are input and output counters on - # the device 'ppp0'. The CHAIN declarations go in the first - # section of the /etc/shorewall/accounting file. - - CHAIN tunnel # Create a chain called 'tunnel' - CHAIN tunnelin tunnel # Create a chain called - # 'tunnelin' with all - # traffic sent to - # 'tunnelin' being sent - # on to 'tunnel' - CHAIN tunnelout tunnel # Create a chain called - # 'tunnelout' with all - # traffic sent to - # 'tunnelout' being sent - # on to 'tunnel' - # any more matches - tunnelin ppp0 # send all traffic from - # ppp0 to the chain called - # 'tunnelin' - tunnelout any ppp0 # send all traffic to - # ppp0 to the chain called - # 'tunnelout' - + See http://shorewall.net/Accounting.html for examples. 8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist. @@ -285,6 +243,9 @@ New Features: where , and are as above. + You may not place a rate limit in both the ACTION and RATE LIMIT + columns. + Let's take an example: ACCEPT<2/sec:4> net dmz tcp 80 
@@ -305,3 +266,7 @@ New Features: 10) Multiple chains may now be displayed in one "shorewall show" command (e.g., shorewall show INPUT FORWARD OUTPUT). + +11) Output rules (those with $FW as the SOURCE) may now be limited to + a set of local users and/or groups. See + http://shorewall.net/UserSets.html for details. diff --git a/Shorewall/rules b/Shorewall/rules index d2b90efbe..390a68226 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -233,11 +233,13 @@ # REJECT. # # The format of the column is a comma separated list of -# user set names defined in the /etc/shorewall/usersets file. +# user set names defined in the /etc/shorewall/usersets +# file. # # When this column is non-empty, the rule applies only # if the program generating the output is running under -# the effective and/or specified. +# the effective and/or specified. A log +# level may not be given in the ACTION column. # # Example: Accept SMTP requests from the DMZ to the internet # diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index e526b7cd3..63c9bcbe2 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -100,6 +100,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn %attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting %attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets +%attr(0600,root,root) %config(noreplace) /etc/shorewall/users %attr(0544,root,root) /sbin/shorewall %attr(0444,root,root) /usr/share/shorewall/functions %attr(0544,root,root) /usr/share/shorewall/firewall @@ -108,6 +109,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sat Aug 23 2003 Tom Eastep +- Added /etc/shorewall/users * Thu Aug 21 2003 Tom Eastep - Changed version to 1.4.6_20030821-1 - Added /etc/shorewall/usersets diff --git a/Shorewall/users b/Shorewall/users new file mode 100644 index 000000000..8e82f3d8a --- /dev/null +++ b/Shorewall/users 
@@ -0,0 +1,25 @@
+#
+# Shorewall version 1.4 - Users File
+#
+# /etc/shorewall/users
+#
+# This file is used to associate local users and/or groups to Shorewall
+# "User Sets".
+# Columns are:
+#
+# USERSET The name of a user set defined in
+# /etc/shorewall/usersets.
+#
+# USER A Linux user name or number defined in /etc/passwd.
+#
+# GROUP A linux group name or number defined in /etc/groups.
+#
+# The GROUP may be omitted. If it is supplied, then the USER may be
+# entered as "-" in which case all members of the specified group are
+# included in the USERSET.
+#
+################################################################################
+#USERSET USER GROUP
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
diff --git a/Shorewall/usersets b/Shorewall/usersets
index a2c62ff47..f147d01c3 100644
--- a/Shorewall/usersets
+++ b/Shorewall/usersets
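Review bot: The GROUP column comment in the new users file points at `/etc/groups`; the group database is `/etc/group`, so the line should read `# GROUP A Linux group name or number defined in /etc/group.` The wording was carried over from the old usersets header, which this commit removes, so this new file is the only place it now appears.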
@@ -1,28 +1,29 @@ # -# Shorewall version 1.4 - User Sets File +# Shorewall version 1.4 - Users Sets File # # /etc/shorewall/usersets # -# This file is used to define Shorewall "User Sets". A user set is a -# list of , or names and can be used to -# control access by individual users to other network hosts from the -# firewall system. +# A user set is a list of , or names and can +# be used to control access by individual users to other network hosts +# from the firewall system. # # Columns are: # # USERSET The name of a user set. May be up to 6 characters in # length and must be a valid shell identifier. # -# USER A Linux user name or number defined in /etc/passwd. +# REJECT The log level for REJECT rules that match a user in this +# userset. # -# GROUP A linux group name or number defined in /etc/groups. +# ACCEPT The log level for ACCEPT rules that match a user in this +# userset. # -# The GROUP may be omitted. If it is supplied, then the USER may be -# entered as "-" in which case all members of the specified group are -# included in the USERSET. +# DROP The log level for DROP rules that match a user in this +# userset. # -################################################################################ -#USERSET USER GROUP +# To omit one of the last three columns yet supply a value to one of the +# following ones, enter "-". +# +#USERSET REJECT ACCEPT DROP # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
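Review bot: The retitled header now reads `Users Sets File` while the rest of the file and the firewall script say "User Set(s)"; `# Shorewall version 1.4 - User Sets File` was presumably intended. The kept sentence that the name "must be a valid shell identifier" is the only hint that the name becomes a shell variable prefix in the firewall script, so a short clause saying why the restriction exists would help administrators choosing names.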