From 5834b574f2c3ffed990c151c7b255e2dbfb4b7a8 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 9 Dec 2008 21:55:39 +0000 Subject: [PATCH] Commit after first successful compilation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8960 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 9 +- Shorewall-perl/Shorewall/Compiler.pm | 233 ++++++++++++++++++--------- Shorewall-perl/Shorewall/Config.pm | 42 +++-- Shorewall-perl/Shorewall/IPAddrs.pm | 1 + Shorewall-perl/Shorewall/Proc.pm | 46 ++++-- Shorewall-perl/Shorewall/Rules.pm | 2 +- Shorewall-perl/Shorewall/Zones.pm | 14 +- Shorewall-perl/prog.footer6 | 200 +++++++++++++++++++++++ Shorewall-perl/prog.functions6 | 28 ++-- Shorewall-perl/prog.header6 | 105 +----------- Shorewall6/action.Drop | 7 +- Shorewall6/action.Reject | 8 +- Shorewall6/lib.base | 2 +- Shorewall6/macro.AllowICMPs | 7 +- Shorewall6/macro.Ping | 10 +- 15 files changed, 467 insertions(+), 247 deletions(-) create mode 100644 Shorewall-perl/prog.footer6 diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 3f8dcbcea..01592aaea 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -960,15 +960,10 @@ sub initialize_chain_table() 'QUEUE!' => STANDARD, 'NFQUEUE' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ, - 'dropBcast' => BUILTIN + ACTION, - 'allowBcast' => BUILTIN + ACTION, 'dropNotSyn' => BUILTIN + ACTION, 'rejNotSyn' => BUILTIN + ACTION, 'dropInvalid' => BUILTIN + ACTION, 'allowInvalid' => BUILTIN + ACTION, - 'allowinUPnP' => BUILTIN + ACTION, - 'forwardUPnP' => BUILTIN + ACTION, - 'Limit' => BUILTIN + ACTION, ); for my $chain qw(OUTPUT PREROUTING) { @@ -1990,6 +1985,8 @@ sub expand_rule( $$$$$$$$$$$ ) } elsif ( $source =~ /^(.+?):\[(.+)\]\s+$/ ) { $iiface = $1; $inets = $2; + } elsif ( $source =~ /:/ ) { + $inets = $source; } elsif ( $source =~ /\+|~|\..*\./ ) { $inets = $source; } else { 
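Review bot: The new `elsif ( $source =~ /:/ )` branch classifies any value containing a colon as an address list, which is the right test for an IPv6 literal but is also true of an IPv4 `interface:address` pair; whether that form is already consumed by the branches above the hunk cannot be seen here, so the ordering should be confirmed before this is relied on. If the address family is known inside expand_rule, guarding the branch (`} elsif ( $family == F_IPV6 && $source =~ /:/ ) {`) would leave IPv4 parsing exactly as it was. The same branch is added for `$dest` in the hunk at -2071 and the two need to stay in lockstep. expand_rule continues outside the hunk.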
@@ -2071,6 +2068,8 @@ sub expand_rule( $$$$$$$$$$$ ) } elsif ( $dest =~ /^(.+?):\[(.+)\]\s+$/ ) { $diface = $1; $dnets = $2; + } elsif ( $dest =~ /:/ ) { + $dnets = $dest; } elsif ( $dest =~ /\+|~|\..*\./ ) { $dnets = $dest; } else { diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 717f118b5..f96ec1bf8 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -71,6 +71,7 @@ sub reinitialize() { Shorewall::Accounting::initialize; Shorewall::Rules::initialize($family); Shorewall::Proxyarp::initialize; + Shorewall::IPAddrs::initialize($family); } # 
@@ -162,18 +163,33 @@ sub generate_script_1() { '' ); - if ( $config{IPTABLES} ) { - emit( qq(IPTABLES="$config{IPTABLES}"), - '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"', - ); - } else { - emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES', - '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"' - ); - } + if ( $family == F_IPV4 ) { + if ( $config{IPTABLES} ) { + emit( qq(IPTABLES="$config{IPTABLES}"), + '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"', + ); + } else { + emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES', + '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"' + ); + } - emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', - '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); + emit( 'IPTABLES_RESTORE=${IPTABLES}-restore', + '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); + } else { + if ( $config{IP6TABLES} ) { + emit( qq(IP6TABLES="$config{IP6TABLES}"), + '[ -x "$I6PTABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"', + ); + } else { + emit( '[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich iptables) # /sbin/shorewall6 exports IP6TABLES', + '[ -n "$IP6TABLES" -a -x "$IP6TABLES" ] || startup_error "Can\'t find ip6tables executable"' + ); + } + + emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore', + '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' ); + } append_file 'params' if $config{EXPORTPARAMS}; 
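Review bot: Two typos in the IPv6 branch make ip6tables discovery wrong: the configured path is tested as `"$I6PTABLES"`, an unset variable, so the `-x` check fails and startup_error fires even when IP6TABLES is valid, and the fallback runs `mywhich iptables`, so an unconfigured host would presumably load its IPv6 ruleset through the IPv4 binary. The two lines should read `'[ -x "$IP6TABLES" ] || startup_error "IP6TABLES=$IP6TABLES does not exist or is not executable"',` and `'[ -z "$IP6TABLES" ] && IP6TABLES=$(mywhich ip6tables) # /sbin/shorewall6 exports IP6TABLES',`. The second one deserves a test case, because it would not fail loudly. generate_script_1 continues outside the hunk.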
@@ -186,17 +202,31 @@ sub generate_script_1() { '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' ); - emit ( '', - '#', - '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IPTABLES -N foox1234', - 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IPTABLES -F foox1234', - 'qt1 $IPTABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', - '' ); + if ( $family == F_IPV4 ) { + emit ( '', + '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IPTABLES -N foox1234', + 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IPTABLES -F foox1234', + 'qt1 $IPTABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', + '' ); + } else { + emit ( '', + '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IP6TABLES -N foox1234', + 'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IP6TABLES -F foox1234', + 'qt1 $IP6TABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall6 will run on this system"', + '' ); + } pop_indent; @@ -213,7 +243,15 @@ sub compile_stop_firewall() { stop_firewall() { deletechain() { - qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 +EOF + + if ( $family == F_IPV4 ) { + emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1'; + } else { + emit ' qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1'; + } + + emit <<'EOF'; } deleteallchains() { 
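Review bot: Both branches of the new `if ( $family == F_IPV4 )` in compile_stop_firewall emit the same `$IPTABLES` line, so the IPv6 stop script's `deletechain()` still drives the IPv4 binary; the else branch should emit `' qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1'`. Since the two branches differ only in the variable name, computing it once (`my $ipt = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES';`) and interpolating it into a single emit would make this kind of copy-and-paste slip impossible here and in the other family-split hunks of this file. compile_stop_firewall continues outside the hunk.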
@@ -324,9 +362,15 @@ EOF run_iptables -t raw -F run_iptables -t raw -X for chain in PREROUTING OUTPUT; do - qt1 $IPTABLES -t raw -P $chain ACCEPT - done EOF + + if ( $family == F_IPV4 ) { + emit ' qt1 $IPTABLES -t raw -P $chain ACCEPT'; + } else { + emit ' qt1 $IP6TABLES -t raw -P $chain ACCEPT'; + } + + emit ' done'; } if ( $capabilities{NAT_ENABLED} ) { @@ -338,7 +382,8 @@ EOF EOF } - emit <<'EOF'; + if ( $family == F_IPV4 ) { + emit <<'EOF'; if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub @@ -350,6 +395,7 @@ EOF rm -f ${VARDIR}/proxyarp EOF + } push_indent; 
@@ -446,26 +492,34 @@ EOF emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; - my $interfaces = find_interfaces_by_option 'dhcp'; + if ( $family == F_IPV4 ) { + my $interfaces = find_interfaces_by_option 'dhcp'; - for my $interface ( @$interfaces ) { - emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"; - emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED}; - # - # This might be a bridge - # - emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"; + for my $interface ( @$interfaces ) { + emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"; + emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED}; + # + # This might be a bridge + # + emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"; + } + } else { + for my $interface ( all_bridges ) { + emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT"; + } } emit ''; - if ( $config{IP_FORWARDING} eq 'on' ) { - emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward', - 'progress_message2 IP Forwarding Enabled' ); - } elsif ( $config{IP_FORWARDING} eq 'off' ) { - emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward', - 'progress_message2 IP Forwarding Disabled!' - ); + if ( $family == F_IPV4 ) { + if ( $config{IP_FORWARDING} eq 'on' ) { + emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward', + 'progress_message2 IP Forwarding Enabled' ); + } elsif ( $config{IP_FORWARDING} eq 'off' ) { + emit( 'echo 0 > /proc/sys/net/ipv4/ip_forward', + 'progress_message2 IP Forwarding Disabled!' + ); + } } emit 'run_stopped_exit'; 
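Review bot: The IPv6 `all_bridges` loop in the stopped-firewall rules accepts every ICMPv6 type (`-p 58`) across each bridge, which is far broader than the IPv4 branch's DHCP-only exemption and carries no comment saying why. If the intent is to keep neighbour discovery working while the firewall is stopped, a comment stating that, and a restriction to the discovery types via `--icmpv6-type` where the icmp6 match is available, would make the exposure deliberate rather than incidental. The stopped state also leaves the per-interface IPv6 forwarding sysctls untouched while the IPv4 branch still writes ip_forward; if that asymmetry is intended, a one-line comment on the `else` would save the next reader the question. compile_stop_firewall continues outside the hunk.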
@@ -556,38 +610,49 @@ sub generate_script_2 () { emit ''; - for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", - 'if [ -n "$addr" ]; then', - ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', - ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', - ' if in_network $addr $network; then', - " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"", - ' fi', - ' done', - "fi\n" ); - } - - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', - '', - 'delete_proxyarp', - '' - ); - - if ( $capabilities{NAT_ENABLED} ) { - emit( 'if [ -f ${VARDIR}/nat ]; then', - ' while read external interface; do', - ' del_ip_addr $external $interface', - ' done < ${VARDIR}/nat', + if ( $family == F_IPV4 ) { + for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { + emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", + 'if [ -n "$addr" ]; then', + ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', + ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', + ' if in_network $addr $network; then', + " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. 
Interface:$interface\"", + ' fi', + ' done', + "fi\n" ); + } + + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '', - ' rm -f ${VARDIR}/nat', - "fi\n" ); - } + 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', + '', + 'delete_proxyarp', + '' + ); - emit "delete_tc1\n" if $config{CLEAR_TC}; - emit "disable_ipv6\n" if $config{DISABLE_IPV6}; + if ( $capabilities{NAT_ENABLED} ) { + emit( 'if [ -f ${VARDIR}/nat ]; then', + ' while read external interface; do', + ' del_ip_addr $external $interface', + ' done < ${VARDIR}/nat', + '', + ' rm -f ${VARDIR}/nat', + "fi\n" ); + } + + emit "delete_tc1\n" if $config{CLEAR_TC}; + emit "disable_ipv6\n" if $config{DISABLE_IPV6}; + + } else { + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', + '', + 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', + '' + ); + + emit "delete_tc1\n" if $config{CLEAR_TC}; + } pop_indent; @@ -643,7 +708,11 @@ sub generate_script_3($) { emit "}\n"; - progress_message2 "Creating iptables-restore input..."; + if ( $family == F_IPV4 ) { + progress_message2 "Creating iptables-restore input..."; + } else { + progress_message2 "Creating ip6tables-restore input..."; + } create_netfilter_load; create_chainlist_reload( $_[0] ); @@ -669,7 +738,7 @@ if [ $COMMAND = restore ]; then fi EOF pop_indent; - setup_forwarding; + setup_forwarding( $family ); push_indent; emit<<'EOF'; set_state "Started" @@ -677,7 +746,7 @@ else if [ $COMMAND = refresh ]; then chainlist_reload EOF - setup_forwarding; + setup_forwarding( $family ); emit<<'EOF'; run_refreshed_exit do_iptables -N shorewall @@ -687,7 +756,7 @@ EOF restore_dynamic_rules conditionally_flush_conntrack EOF - setup_forwarding; + setup_forwarding( $family ); emit<<'EOF'; run_start_exit do_iptables -N shorewall 
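Review bot: The RFC 1918 check carried into the IPv4 branch of generate_script_2 tests `176.16.0.0/12`, but the private block is 172.16.0.0/12, so interfaces addressed from 172.16/12 never get the `norfc1918` warning while public 176.16/12 space would trigger it; the line should be `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. The typo predates this commit, but the hunk re-indents the line, so this is the natural moment to correct it. generate_script_2 continues outside the hunk.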
@@ -720,7 +789,13 @@ EOF emit "}\n"; - copy $globals{SHAREDIRPL} . 'prog.footer' unless $test; + unless ( $test ) { + if ( $family == F_IPV4 ) { + copy $globals{SHAREDIRPL} . 'prog.footer'; + } else { + copy $globals{SHAREDIRPL} . 'prog.footer6'; + } + } } # @@ -926,7 +1001,11 @@ sub compiler { generate_matrix; if ( $command eq 'check' ) { - progress_message3 "Shorewall configuration verified"; + if ( $family == F_IPV4 ) { + progress_message3 "Shorewall configuration verified"; + } else { + progress_message3 "Shorewall6 configuration verified"; + } } else { # # Finish the script. diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index e17e1b041..5f7d173c3 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -469,7 +469,7 @@ sub initialize( $ ) { MODULE_SUFFIX => undef, MACLIST_TABLE => undef, MACLIST_TTL => undef, - MAPOLDACTIONS => 'Yes', + MAPOLDACTIONS => '', FASTACCEPT => undef, IMPLICIT_CONTINUE => undef, HIGH_ROUTE_MARKS => undef, @@ -1677,14 +1677,19 @@ sub determine_capabilities( $ ) { my $pid = $$; my $sillyname = "fooX$pid"; my $sillyname1 = "foo1X$pid"; - - $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ); + + $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4; + $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" ); - + qt1( "$iptables -N $sillyname" ); qt1( "$iptables -N $sillyname1" ); - $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); + if ( $family == F_IPV4 ) { + $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); + } else { + $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst ::1 -j ACCEPT" ); + } if ( $capabilities{CONNTRACK_MATCH} ) { $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); 
@@ -1707,10 +1712,19 @@ sub determine_capabilities( $ ) { } } - if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { - $capabilities{IPRANGE_MATCH} = 1; - unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); + if ( $family == F_IPV4 ) { + if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { + $capabilities{IPRANGE_MATCH} = 1; + unless ( $capabilities{KLUDGEFREE} ) { + $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); + } + } + } else { + if ( qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -j ACCEPT" ) ) { + $capabilities{IPRANGE_MATCH} = 1; + unless ( $capabilities{KLUDGEFREE} ) { + $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); + } } } @@ -1994,7 +2008,13 @@ sub get_configuration( $ ) { check_trivalue ( 'IP_FORWARDING', 'on' ); check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; - check_trivalue ( 'LOG_MARTIANS', 'on' ); fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on' && $family == F_IPV6; + + if ( $family == F_IPV4 ) { + check_trivalue ( 'LOG_MARTIANS', 'on' ); + } else { + check_trivalue ( 'LOG_MARTIANS', 'ff' ); + fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on'; + } default 'STARTUP_LOG' , ''; 
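Review bot: In the IPv6 branch of determine_capabilities the second iprange probe still carries the IPv4 `--dst-range 192.168.1.5-192.168.1.124`, which ip6tables will reject, so KLUDGEFREE can never become true under IPv6 even on a kernel that accepts two iprange matches in one rule; the probe should be `qt1( "$iptables -A $sillyname -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT" )`. The consequence is only that generated rules fall back to the kludge path, but a capability that is silently under-reported is hard to diagnose later. determine_capabilities continues outside the hunk.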
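Review bot: `check_trivalue ( 'LOG_MARTIANS', 'ff' )` passes a default that is not one of the three values the name implies; it reads as a typo for `'off'`, which is also what the following fatal_error for `on` under IPv6 suggests the intended IPv6 default is. If check_trivalue validates only the configured value and stores the default verbatim, the typo would presumably flow into $config{LOG_MARTIANS} unchecked; the line should be `check_trivalue ( 'LOG_MARTIANS', 'off' );`. get_configuration continues outside the hunk.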
@@ -2338,7 +2358,7 @@ sub generate_aux_config() { emit "#\n# Shorewall auxiliary configuration file created by Shorewall-perl version $globals{VERSION} - $date\n#"; - for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { + for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE SAVE_IPSETS) { conditionally_add_option $option; } diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index b51f3db9d..da1f13343 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -69,6 +69,7 @@ our @EXPORT = qw( ALLIPv4 validate_portpair validate_port_list validate_icmp + validate_icmp6 ); our @EXPORT_OK = qw( ); our $VERSION = 4.3.0; diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 09b41c905..3ce45b919 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm 
@@ -197,16 +197,44 @@ sub setup_source_routing() { } } -sub setup_forwarding() { - if ( $config{IP_FORWARDING} eq 'on' ) { - emit ' echo 1 > /proc/sys/net/ipv4/ip_forward'; - emit ' progress_message2 IP Forwarding Enabled'; - } elsif ( $config{IP_FORWARDING} eq 'off' ) { - emit ' echo 0 > /proc/sys/net/ipv4/ip_forward'; - emit ' progress_message2 IP Forwarding Disabled!'; - } +sub setup_forwarding( $ ) { + my $family = shift; - emit ''; + if ( $family == F_IPV4 ) { + if ( $config{IP_FORWARDING} eq 'on' ) { + emit ' echo 1 > /proc/sys/net/ipv4/ip_forward'; + emit ' progress_message2 IP Forwarding Enabled'; + } elsif ( $config{IP_FORWARDING} eq 'off' ) { + emit ' echo 0 > /proc/sys/net/ipv4/ip_forward'; + emit ' progress_message2 IP Forwarding Disabled!'; + emit ''; + } + } else { + my $interfaces = find_interfaces_by_option 'forward'; + + if ( @$interfaces ) { + progress_message2 "$doing Interface forwarding..."; + + push_indent; + push_indent; + + save_progress_message 'Setting up IPv6 Interface Forwarding...'; + + for my $interface ( @$interfaces ) { + my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding"; + my $value = get_interface_option $interface, 'forward'; + + emit ( "if [ -f $file ]; then" , + " echo $value > $file" ); + emit ( 'else' , + " error_message \"WARNING: Cannot set IPv4 forwarding on $interface\"" ) unless interface_is_optional( $interface); + emit "fi\n"; + } + + pop_indent; + pop_indent; + } + } } 1; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index c1a817261..a695adedf 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos setup_mss ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = 4.1.5; +our $VERSION = 4.3.0; # # Set to one if we find a SECTION diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 61bd14ec6..17d3dc7cb 100644 
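Review bot: The warning in the IPv6 branch of setup_forwarding says `Cannot set IPv4 forwarding on $interface` although it sits next to an `/proc/sys/net/ipv6/conf/.../forwarding` path; it should be `" error_message \"WARNING: Cannot set IPv6 forwarding on $interface\""`. Two smaller points: the trailing `emit ''` that used to follow both IPv4 cases now follows only the `off` case, so the `on` case loses its blank separator in the generated script, and `$doing` in the progress message is not declared in this hunk, so it is presumably a package global set elsewhere and worth confirming.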
--- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING single_interface validate_interfaces_file all_interfaces + all_bridges interface_number find_interface known_interface @@ -618,7 +619,7 @@ sub validate_interfaces_file( $ ) } else { %validoptions = ( blacklist => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION, - maclist => SIMPLE_IF_OPTION, + nosmurfs => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, sourceroute => BINARY_IF_OPTION, @@ -864,6 +865,13 @@ sub all_interfaces() { @interfaces; } +# +# Return a list of bridges +# +sub all_bridges() { + grep ( $interfaces{$_}{options}{bridge} , @interfaces ); +} + # # Return a reference to the interfaces table entry for an interface # @@ -966,13 +974,9 @@ sub validate_hosts_file() } else { %validoptions = ( blacklist => 1, - maclist => 1, nosmurfs => 1, routeback => 1, tcpflags => 1, - broadcast => 1, - destonly => 1, - sourceonly => 1, ); } diff --git a/Shorewall-perl/prog.footer6 b/Shorewall-perl/prog.footer6 new file mode 100644 index 000000000..90dbd05bc --- /dev/null +++ b/Shorewall-perl/prog.footer6 
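Review bot: `all_bridges` relies on the implicit value of `grep` as its result and on the list-call form `grep ( EXPR, LIST )`; `return grep { $interfaces{$_}{options}{bridge} } @interfaces;` states both intentions explicitly. The header comment could also say that the result is the list of interface names whose `bridge` option is set, since the Compiler.pm loop `for my $interface ( all_bridges )` in this commit interpolates those values directly into rules.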
@@ -0,0 +1,200 @@ +# +# Give Usage Information +# +usage() { + echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" + exit $1 +} +################################################################################ +# E X E C U T I O N B E G I N S H E R E # +################################################################################ +# +# Start trace if first arg is "debug" or "trace" +# +if [ $# -gt 1 ]; then + if [ "x$1" = "xtrace" ]; then + set -x + shift + elif [ "x$1" = "xdebug" ]; then + DEBUG=Yes + shift + fi +fi + +initialize + +finished=0 + +while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + [ -z "$option" ] && usage 1 + + while [ -n "$option" ]; do + case $option in + v*) + VERBOSE=$(($VERBOSE + 1 )) + option=${option#v} + ;; + q*) + VERBOSE=$(($VERBOSE - 1 )) + option=${option#q} + ;; + n*) + NOROUTES=Yes + option=${option#n} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac +done + +COMMAND="$1" + +[ -n "${PRODUCT:=Shorewall6}" ] + +case "$COMMAND" in + start) + [ $# -ne 1 ] && usage 2 + if shorewall6_is_started; then + error_message "$PRODUCT is already Running" + status=0 + else + progress_message3 "Starting $PRODUCT...." + define_firewall + status=$? + [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK + progress_message3 "done." + fi + ;; + stop) + [ $# -ne 1 ] && usage 2 + progress_message3 "Stopping $PRODUCT...." + stop_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + ;; + reset) + if ! 
shorewall6_is_started ; then + error_message "$PRODUCT is not running" + status=2 + elif [ $# -eq 1 ]; then + $IP6TABLES -Z + $IP6TABLES -t mangle -Z + date > ${VARDIR}/restarted + status=0 + progress_message3 "$PRODUCT Counters Reset" + else + shift + status=0 + for chain in $@; do + if chain_exists $chain; then + if qt $IP6TABLES -Z $chain; then + progress_message3 "Filter $chain Counters Reset" + else + error_message "ERROR: Reset of chain $chain failed" + status=2 + break + fi + else + error_message "WARNING: Filter Chain $chain does not exist" + fi + done + fi + ;; + restart) + [ $# -ne 1 ] && usage 2 + if shorewall6_is_started; then + progress_message3 "Restarting $PRODUCT...." + else + error_message "$PRODUCT is not running" + progress_message3 "Starting $PRODUCT...." + fi + + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + progress_message3 "done." + ;; + refresh) + [ $# -ne 1 ] && usage 2 + if shorewall6_is_started; then + progress_message3 "Refreshing $PRODUCT...." + define_firewall + status=$? + progress_message3 "done." + else + echo "$PRODUCT is not running" >&2 + status=2 + fi + ;; + restore) + [ $# -ne 1 ] && usage 2 + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + ;; + clear) + [ $# -ne 1 ] && usage 2 + progress_message3 "Clearing $PRODUCT...." + clear_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." 
+ ;; + status) + [ $# -ne 1 ] && usage 2 + echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)" + echo + if shorewall6_is_started; then + echo "$PRODUCT is running" + status=0 + else + echo "$PRODUCT is stopped" + status=4 + fi + + if [ -f ${VARDIR}/state ]; then + state="$(cat ${VARDIR}/state)" + case $state in + Stopped*|Clear*) + status=3 + ;; + esac + else + state=Unknown + fi + echo "State:$state" + echo + ;; + version) + [ $# -ne 1 ] && usage 2 + echo $VERSION + status=0 + ;; + help) + [ $# -ne 1 ] && usage 2 + usage 0 + ;; + *) + usage 2 + ;; +esac + +exit $status diff --git a/Shorewall-perl/prog.functions6 b/Shorewall-perl/prog.functions6 index 9126fa5fe..396c72e22 100644 --- a/Shorewall-perl/prog.functions6 +++ b/Shorewall-perl/prog.functions6 @@ -110,7 +110,7 @@ do_iptables() local status while [ 1 ]; do - $IPTABLES $@ + $IP6TABLES $@ status=$? [ $status -ne 4 ] && return $status; done @@ -180,32 +180,32 @@ debug_restore_input() { # # Clear the ruleset # - qt1 $IPTABLES -t mangle -F - qt1 $IPTABLES -t mangle -X + qt1 $IP6TABLES -t mangle -F + qt1 $IP6TABLES -t mangle -X for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt1 $IPTABLES -t mangle -P $chain ACCEPT + qt1 $IP6TABLES -t mangle -P $chain ACCEPT done - qt1 $IPTABLES -t raw -F - qt1 $IPTABLES -t raw -X + qt1 $IP6TABLES -t raw -F + qt1 $IP6TABLES -t raw -X for chain in PREROUTING OUTPUT; do - qt1 $IPTABLES -t raw -P $chain ACCEPT + qt1 $IP6TABLES -t raw -P $chain ACCEPT done run_iptables -t nat -F run_iptables -t nat -X for chain in PREROUTING POSTROUTING OUTPUT; do - qt1 $IPTABLES -t nat -P $chain ACCEPT + qt1 $IP6TABLES -t nat -P $chain ACCEPT done - qt1 $IPTABLES -t filter -F - qt1 $IPTABLES -t filter -X + qt1 $IP6TABLES -t filter -F + qt1 $IP6TABLES -t filter -X for chain in INPUT FORWARD OUTPUT; do - qt1 $IPTABLES -t filter -P $chain -P ACCEPT + qt1 $IP6TABLES -t filter -P $chain -P ACCEPT done while read first second rest; do 
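Review bot: In the `reset)` branch of the new prog.footer6 the chain names taken from the command line are expanded unquoted (`for chain in $@; do`), so an argument containing whitespace or a glob character is split or expanded before it reaches `chain_exists`; `for chain in "$@"; do` keeps each argument intact. `usage()` prints to stdout but is invoked with exit status 1 or 2 on errors, so the message should go to stderr in those cases (`echo "Usage: ..." >&2`, with the `help` path the only caller that wants stdout). The counter reset `$IP6TABLES -t mangle -Z` also runs unconditionally; if MANGLE_ENABLED is exported into the generated script it would be cleaner to guard it.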
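Review bot: The filter-table policy reset in debug_restore_input still reads `qt1 $IP6TABLES -t filter -P $chain -P ACCEPT` with a doubled `-P`, which ip6tables rejects, and because the call is wrapped in qt1 the failure is silent, so the filter policies are left as they were; the line should be `qt1 $IP6TABLES -t filter -P $chain ACCEPT`, matching the mangle and raw loops above it. The nat-table lines (`run_iptables -t nat -F`, `-X` and the policy loop now using `$IP6TABLES -t nat`) target a table that, as far as I know, ip6tables did not have at the time of this commit, so they will presumably fail on every run; either drop them from the IPv6 variant or guard them on a capability. debug_restore_input continues outside the hunk.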
@@ -214,10 +214,10 @@ debug_restore_input() { # # We can't call run_iptables() here because the rules may contain quoted strings # - eval $IPTABLES -t $table $first $second $rest + eval $IP6TABLES -t $table $first $second $rest if [ $? -ne 0 ]; then - error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed" + error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed" stop_firewall exit 2 fi @@ -232,7 +232,7 @@ debug_restore_input() { fi if [ $? -ne 0 ]; then - error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed" + error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed" stop_firewall exit 2 fi diff --git a/Shorewall-perl/prog.header6 b/Shorewall-perl/prog.header6 index e92a111ff..0730bcdd0 100644 --- a/Shorewall-perl/prog.header6 +++ b/Shorewall-perl/prog.header6 @@ -131,7 +131,7 @@ qt1() # # Determine if Shorewall is "running" # -shorewall_is_started() { +shorewall6_is_started() { qt1 $IP6TABLES -L shorewall -n } 
@@ -562,82 +562,6 @@ INCLUDE() { . $(find_file $(expand $@)) } -# -# Delete IP address -# -del_ip_addr() # $1 = address, $2 = interface -{ - [ $(find_first_interface_address_if_any $2) = $1 ] || qt ip addr del $1 dev $2 -} - -# Add IP Aliases -# -add_ip_aliases() # $* = List of addresses -{ - local local - local addresses - local external - local interface - local inet - local cidr - local rest - local val - local arping - arping=$(mywhich arping) - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - - ip addr add ${external}${val} dev $interface $label - [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external - echo "$external $interface" >> $VARDIR/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - progress_message "Adding IP Addresses..." - - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift 2 - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - detect_gateway() # $1 = interface { local interface 
@@ -660,33 +584,6 @@ detect_gateway() # $1 = interface [ -n "$gateway" ] && echo $gateway } -# -# Disable IPV6 -# -disable_ipv6() { - local foo - foo="$(ip -f inet6 addr list 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt mywhich ip6tables; then - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - ip6tables -F - ip6tables -X - ip6tables -A OUTPUT -o lo -j ACCEPT - ip6tables -A INPUT -i lo -j ACCEPT - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - -# Function to truncate a string -- It uses 'cut -b -' -# rather than ${v:first:last} because light-weight shells like ash and -# dash do not support that form of expansion. -# - truncate() # $1 = length { cut -b -${1} diff --git a/Shorewall6/action.Drop b/Shorewall6/action.Drop index 770d0cedf..b3717dbd3 100644 --- a/Shorewall6/action.Drop +++ b/Shorewall6/action.Drop @@ -24,13 +24,9 @@ # Auth/REJECT # -# Don't log broadcasts -# -dropBcast -# # ACCEPT critical ICMP types # -AllowICMPs - - icmp +AllowICMPs - - ipv6-icmp # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log. @@ -40,7 +36,6 @@ dropInvalid # Drop Microsoft noise so that it doesn't clutter up the log. # SMB/DROP -DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # diff --git a/Shorewall6/action.Reject b/Shorewall6/action.Reject index 9d0b0029c..53b07d7a3 100644 --- a/Shorewall6/action.Reject +++ b/Shorewall6/action.Reject @@ -20,14 +20,9 @@ # Auth/REJECT # -# Drop Broadcasts so they don't clutter up the log -# (broadcasts must *not* be rejected). -# -dropBcast -# # ACCEPT critical ICMP types # -AllowICMPs - - icmp +AllowICMPs - - ipv6-icmp # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be 
@@ -38,7 +33,6 @@ dropInvalid # Reject Microsoft noise so that it doesn't clutter up the log. # SMB/REJECT -DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index ba1bbc71c..a531e0663 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -696,7 +696,7 @@ set_state () # $1 = state # Determine which optional facilities are supported by iptables/netfilter # determine_capabilities() { - qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= NEW_CONNTRACK_MATCH= diff --git a/Shorewall6/macro.AllowICMPs b/Shorewall6/macro.AllowICMPs index 81a9729dd..afcd588b4 100644 --- a/Shorewall6/macro.AllowICMPs +++ b/Shorewall6/macro.AllowICMPs @@ -11,6 +11,9 @@ COMMENT Needed ICMP types -ACCEPT - - icmp fragmentation-needed -ACCEPT - - icmp time-exceeded +ACCEPT - - ipv6-icmp packet-too-big +ACCEPT - - ipv6-icmp time-exceeded +ACCEPT - - ipv6-icmp router-solicitation +ACCEPT - - ipv6-icmp neighbour-solicitation +ACCEPT - - ipv6-icmp neighbour-advertisement #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall6/macro.Ping b/Shorewall6/macro.Ping index dad8b3a9a..e6b3fd18a 100644 --- a/Shorewall6/macro.Ping +++ b/Shorewall6/macro.Ping @@ -1,12 +1,12 @@ # -# Shorewall version 4 - Ping Macro +# Shorewall6 version 4 - Ping Macro # -# /usr/share/shorewall/macro.Ping +# /usr/share/shorewall6/macro.Ping # # This macro handles 'ping' requests. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP -PARAM - - icmp 8 +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +PARAM - - ipv6-icmp 128 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
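Review bot: The IPv6 list in macro.AllowICMPs covers packet-too-big, time-exceeded and three neighbour-discovery types but omits `destination-unreachable` and `parameter-problem`, which matter for IPv6 path operation in the same way packet-too-big does, and admits router-solicitation without the matching `router-advertisement`; since the Drop and Reject actions in this commit rely on this macro to keep essential ICMPv6 flowing, the choice of types should be made explicitly (RFC 4890 is the usual reference) and recorded on the COMMENT line. The type names use ip6tables' spelling, which is fine provided the compiler passes them through verbatim — worth confirming, since validate_icmp6 is new in this commit.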