mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-08 22:58:50 +01:00
Bring trunk up to date with branches/4.0/
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7312 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a06ad0e518
commit
6141995184
@ -1 +1 @@
|
||||
This is the Shorewall-common Development 4.1 branch of SVN.
|
||||
This is the Shorewall-common Stable 4.0 branch of SVN.
|
||||
|
@ -32,7 +32,7 @@ dropBcast
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
|
@ -16,7 +16,7 @@
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' REJECT
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
Auth/REJECT
|
||||
#
|
||||
@ -29,13 +29,13 @@ dropBcast
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Reject Microsoft noise so that it doesn't clutter up the lot.
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB/REJECT
|
||||
DropUPnP
|
||||
|
@ -1,3 +1,105 @@
|
||||
Changes in 4.0.4
|
||||
|
||||
1) Fix 'refresh' with light-weight shells.
|
||||
|
||||
2) Various fixes for proxyarp.
|
||||
|
||||
3) Fix 'refresh' run-time error.
|
||||
|
||||
4) Cleaner behavior if module-init-tools not installed.
|
||||
|
||||
5) Fix [re-]initialization problems in Shorewall::Tc.
|
||||
|
||||
6) Make compile-time check for iptables-restore.
|
||||
|
||||
Changes in 4.0.3
|
||||
|
||||
1) Streamline the checking for builtin chains in the accounting file.
|
||||
|
||||
2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't
|
||||
writable.
|
||||
|
||||
3) Allow Shorewall-perl compiler and libraries to be installed
|
||||
anywhere.
|
||||
|
||||
4) Add KEEP_RT_TABLES option.
|
||||
|
||||
5) Other provider changes.
|
||||
|
||||
6) Fix LOG target in Shorewall-shell.
|
||||
|
||||
7) Faster log processing.
|
||||
|
||||
8) Tweak handling of CLASSID in process_tc_rule().
|
||||
|
||||
9) Restore 3.4 'stop/clear/reset' behavior and make new behavior
|
||||
optional.
|
||||
|
||||
10) Add act_police to modules file.
|
||||
|
||||
11) Add 'mss' interface option.
|
||||
|
||||
12) Add TCPMSS_MATCH to show capabilities -f.
|
||||
|
||||
13) Insure a space between log prefix and IN=.
|
||||
|
||||
14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy
|
||||
|
||||
15) Add hashlimit match detection.
|
||||
|
||||
16) Fix 'add' and 'delete' when interface name contains special char.
|
||||
|
||||
17) Fix PREROUTING track fiasco.
|
||||
|
||||
18) Add NFQUEUE support.
|
||||
|
||||
19) Allow refresh of chains other than 'blacklst'.
|
||||
|
||||
20) Allow INCLUDE in run-time extension scripts.
|
||||
|
||||
21) Fix zone sort.
|
||||
|
||||
Changes in 4.0.2
|
||||
|
||||
1) Another ECN fix in Shorewall-perl.
|
||||
|
||||
2) Make 'state match' detection in Shorewall-perl quiet.
|
||||
|
||||
3) Detect port range in list without XMULTIPORT.
|
||||
|
||||
4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.
|
||||
|
||||
5) Don't detect routed networks and interfaces addresses during
|
||||
'restore'.
|
||||
|
||||
6) Upcase some global variables in the generated script.
|
||||
|
||||
7) Remove some 'chain_base' mapping.
|
||||
|
||||
8) Eliminate a couple of global variables in the Chains module.
|
||||
|
||||
9) Cosmetic change to generated script.
|
||||
|
||||
10) Allow tc configuration on bridge ports.
|
||||
|
||||
11) Fix add/delete problem when Shorewall-shell is not installed.
|
||||
|
||||
12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
|
||||
'refresh'.
|
||||
|
||||
13) Correct some error messages.
|
||||
|
||||
14) Correct calculations involving number of keys in a hash.
|
||||
|
||||
15) Load xt_multiport.
|
||||
|
||||
16) Apply Günter Niedermeier's patch for multiport.
|
||||
|
||||
17) Honor the BROADCAST column when address type match is not
|
||||
available.
|
||||
|
||||
18) Fix accounting.
|
||||
|
||||
Changes in 4.0.1
|
||||
|
||||
1) Add EXPAND_POLICIES.
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-ecn"
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#ECN
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-ecn.html
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.0.3
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -422,49 +422,14 @@ clear_firewall() {
|
||||
delete_proxy_arp() {
|
||||
if [ -f ${VARDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
case $COMMAND in
|
||||
stop|clear)
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
;;
|
||||
*)
|
||||
if [ -n "$STOPPING" ]; then
|
||||
qt arp -i $external -d $address pub
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
else
|
||||
qt arp -i $external -d $address pub
|
||||
if [ -z "$haveroute" ];then
|
||||
[ -n "$NOROUTE" ] || qt ip route del $address dev $interface
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
done < ${VARDIR}/proxyarp
|
||||
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
[ -d ${VARDIR} ] && touch ${VARDIR}/proxyarp
|
||||
|
||||
case $COMMAND in
|
||||
stop|clear)
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||
done
|
||||
;;
|
||||
*)
|
||||
if [ -n "$STOPPING" ]; then
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||
done
|
||||
else
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||
done
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-hosts"
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-hosts.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE HOST(S) OPTIONS
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.3
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -3,8 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-interfaces"
|
||||
#
|
||||
# For additional information, see
|
||||
# http://shorewall.net/Documentation.htm#Interfaces
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-masq"
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-masq.html
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
|
@ -9,8 +9,8 @@
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# For additional information, see
|
||||
# http://shorewall.net/Documentation.htm#modules
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-policy"
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-policy.html
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
|
@ -1,6 +1,6 @@
|
||||
Shorewall 4.0.1
|
||||
Shorewall 4.0 Patch release 4
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E H I G H L I G H T S
|
||||
R E L E A S E 4 . 0 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
1) This is the first Shorewall release that fully integrates the new
|
||||
Shorewall-perl compiler. See the "New Features" section below.
|
||||
@ -25,106 +25,47 @@ Shorewall 4.0.1
|
||||
Shorewall-perl compiler. This support utilizes the reduced-function
|
||||
physdev match support available in Linux kernel 2.6.20 and later.
|
||||
|
||||
Problems corrected in 4.0.1.
|
||||
Problems Corrected in Shorewall 4.0.4
|
||||
|
||||
1) The Shorewall Lite installer was producing an empty shorewall-lite
|
||||
manpage. Since the installer runs as part of creating the RPM, the
|
||||
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
|
||||
packages were re-uploaded with this problem corrected.
|
||||
1) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the 'start' and 'restart' command fail:
|
||||
|
||||
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
|
||||
rather than /sbin/shorewall-lite.
|
||||
ERROR: No filter chain found with name blacklst
|
||||
|
||||
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
|
||||
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
|
||||
uninstaller correctly does "shorewall-lite clear" and both
|
||||
uninstallers only perform the 'clear' operation if the other
|
||||
product is not installed. This prevents the removal of one of the
|
||||
two products from clearing the firewall configuration established
|
||||
by the other one.
|
||||
New Shorewall-perl 4.0.3 packages were released that corrected this
|
||||
problem; it is included here for completeness.
|
||||
|
||||
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
|
||||
Shorewall-perl. If the zone type was changed to 'ipsec' or
|
||||
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
|
||||
the configuration worked properly.
|
||||
2) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the generated script would issue this harmless
|
||||
message during 'shorewall refresh':
|
||||
|
||||
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
|
||||
Shorewall-perl produced the following:
|
||||
chainlist_reload: Not found
|
||||
|
||||
Compiling...
|
||||
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
|
||||
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
|
||||
3) If /bin/sh was a light-weight shell such as ash or dash, then
|
||||
'shorewall refresh' failed.
|
||||
|
||||
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
|
||||
locating the binary using the PATH environmental variable rather
|
||||
than the PATH setting in shorewall.conf. If no PATH was available
|
||||
when Shorewall-perl was run and IPTABLES was not set in
|
||||
shorewall.conf, the following messages were issued:
|
||||
4) During start/restart, the script generated by Shorewall-perl is
|
||||
clearing the proxy_arp flag on all interfaces; that is not the
|
||||
documented behavior.
|
||||
|
||||
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
|
||||
ERROR: Can't find iptables executable
|
||||
ERROR: Shorewall restart failed
|
||||
5) If the module-init-tools package was not installed and
|
||||
/etc/shorewall/modules did not exist or was non-empty, then
|
||||
Shorewall-perl would fail with the message:
|
||||
|
||||
7) If the "Mangle FORWARD Chain" capability was supported, entries in
|
||||
the /etc/shorewall/ecn file would cause invalid iptables commands
|
||||
to be generated. This problem occurred with both compilers.
|
||||
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
|
||||
|
||||
8) Shorewall now starts at reboot after an upgrade from shorewall <
|
||||
4.0.0. Previously, Shorewall was not started automatically at
|
||||
reboot after an upgrade using the RPM.
|
||||
6) Shorewall-perl now makes a compile-time check to insure that
|
||||
iptables-restore exists and is executable. This check is made when
|
||||
the compiler is being run by root and the -e option is not
|
||||
given.
|
||||
|
||||
9) Shorewall-perl was generating invalid iptables-restore input when a
|
||||
log level was specified with the dropBcast and allowBcast builtin
|
||||
actions and when a log level followed by '!' was used with any
|
||||
builtin actions.
|
||||
Note that iptables-restore must reside in the same directory as the
|
||||
iptables executable specified by IPTABLES in shorewall.conf or
|
||||
located by the PATH in the event that IPTABLES is not specified.
|
||||
|
||||
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
|
||||
time in rate-limiting specifications.
|
||||
Other Changes in Shorewall 4.0.4
|
||||
|
||||
11) Certain errors occurring during
|
||||
start/restart/safe-start/safe-restart/try processing could cause
|
||||
the lockfile to be left behind. This resulted in a 60-second delay
|
||||
the next time one of these commands was run.
|
||||
|
||||
Other changes in Shorewall 4.0.1.
|
||||
|
||||
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
|
||||
option is recognized by Shorewall-perl and is ignored by
|
||||
Shorewall-shell.
|
||||
|
||||
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
|
||||
contains 'all', a single policy chain is created and the policy is
|
||||
enforced in that chain. For example, if the policy entry is
|
||||
|
||||
#SOURCE DEST POLICY LOG
|
||||
# LEVEL
|
||||
net all DROP info
|
||||
|
||||
then the chain name is 'net2all' which is also the chain named in
|
||||
Shorewall log messages generated as a result of the policy. If
|
||||
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
|
||||
chain for each pair of zones covered by the policy. This makes the
|
||||
resulting log messages easier to interpret since the chain in the
|
||||
messages will have a name of the form 'a2b' where 'a' is the SOURCE
|
||||
zone and 'b' is the DEST zone. See
|
||||
http://linuxman.wikispaces.com/PPPPPPS for more information.
|
||||
|
||||
2) The Shorewall-perl dependency on the "Address Type Match"
|
||||
capability has been relaxed. This allows Shorewall 4.0.1 to be used
|
||||
on releases like RHEL4 that don't support that capability.
|
||||
|
||||
3) Shorewall-perl now detects dead policy file entries that result
|
||||
when an entry is masked by an earlier entry. Example:
|
||||
|
||||
all all REJECT info
|
||||
loc net ACCEPT
|
||||
|
||||
4) Recent kernels are apparently hard to configure and we have been
|
||||
seeing a lot of problem reports where the root cause is the lack of
|
||||
state match support in the kernel. This problem is difficult to
|
||||
diagnose when using Shorewall-perl so the generated shell program
|
||||
now checks specifically for this problem and terminates with an
|
||||
error if the capability doesn't exist.
|
||||
None.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
@ -712,6 +653,7 @@ Migration Considerations:
|
||||
- Perl File::Basename Module
|
||||
- Perl File::Temp Module
|
||||
- Perl Getopt::Long Module
|
||||
- Perl FindBin Module
|
||||
------------------------------------------------------------------------
|
||||
U S I N G T H E N E W C O M P I L E R
|
||||
------------------------------------------------------------------------
|
||||
@ -871,6 +813,12 @@ Migration Considerations:
|
||||
supplimented with a stack trace. Requires the Carp Perl
|
||||
module.
|
||||
|
||||
--refresh=<chainlist>
|
||||
|
||||
If given, the compiled script's 'refresh' command will refresh
|
||||
the chains in the comma-separated <chainlist> rather than
|
||||
'blacklst'.
|
||||
|
||||
Example (compiles the configuration in the current directory
|
||||
generating a script named 'firewall' and using VERBOSITY
|
||||
2).
|
||||
@ -893,7 +841,7 @@ Migration Considerations:
|
||||
use lib '/usr/share/shorewall-perl';
|
||||
use Shorewall::Compiler;
|
||||
|
||||
compiler $filename, $directory, $verbose, $options
|
||||
compiler $filename, $directory, $verbose, $options $chains
|
||||
|
||||
The arguments to the compiler function are as follows:
|
||||
|
||||
@ -913,6 +861,10 @@ Migration Considerations:
|
||||
EXPORT = 0x01
|
||||
TIMESTAMP = 0x02
|
||||
|
||||
$chains - A comma-separated list of chains that the
|
||||
generated script's 'refresh' command will
|
||||
reload.
|
||||
|
||||
The compiler raises an exception with 'die' if it encounters an
|
||||
error; $@ contains the 'ERROR' messages describing the problem.
|
||||
|
||||
@ -988,3 +940,400 @@ Migration Considerations:
|
||||
To use this feature with Shorewall-lite, all packages involved
|
||||
(compiler, shorewall-common and shorewall-lite) must be version
|
||||
4.0.0-RC2 or later.
|
||||
|
||||
Problems corrected in 4.0.1.
|
||||
|
||||
1) The Shorewall Lite installer was producing an empty shorewall-lite
|
||||
manpage. Since the installer runs as part of creating the RPM, the
|
||||
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
|
||||
packages were re-uploaded with this problem corrected.
|
||||
|
||||
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
|
||||
rather than /sbin/shorewall-lite.
|
||||
|
||||
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
|
||||
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
|
||||
uninstaller correctly does "shorewall-lite clear" and both
|
||||
uninstallers only perform the 'clear' operation if the other
|
||||
product is not installed. This prevents the removal of one of the
|
||||
two products from clearing the firewall configuration established
|
||||
by the other one.
|
||||
|
||||
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
|
||||
Shorewall-perl. If the zone type was changed to 'ipsec' or
|
||||
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
|
||||
the configuration worked properly.
|
||||
|
||||
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
|
||||
Shorewall-perl produced the following:
|
||||
|
||||
Compiling...
|
||||
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
|
||||
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
|
||||
|
||||
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
|
||||
locating the binary using the PATH environmental variable rather
|
||||
than the PATH setting in shorewall.conf. If no PATH was available
|
||||
when Shorewall-perl was run and IPTABLES was not set in
|
||||
shorewall.conf, the following messages were issued:
|
||||
|
||||
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
|
||||
ERROR: Can't find iptables executable
|
||||
ERROR: Shorewall restart failed
|
||||
|
||||
7) If the "Mangle FORWARD Chain" capability was supported, entries in
|
||||
the /etc/shorewall/ecn file would cause invalid iptables commands
|
||||
to be generated. This problem occurred with both compilers.
|
||||
|
||||
8) Shorewall now starts at reboot after an upgrade from shorewall <
|
||||
4.0.0. Previously, Shorewall was not started automatically at
|
||||
reboot after an upgrade using the RPM.
|
||||
|
||||
9) Shorewall-perl was generating invalid iptables-restore input when a
|
||||
log level was specified with the dropBcast and allowBcast builtin
|
||||
actions and when a log level followed by '!' was used with any
|
||||
builtin actions.
|
||||
|
||||
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
|
||||
time in rate-limiting specifications.
|
||||
|
||||
11) Certain errors occurring during
|
||||
start/restart/safe-start/safe-restart/try processing could cause
|
||||
the lockfile to be left behind. This resulted in a 60-second delay
|
||||
the next time one of these commands was run.
|
||||
|
||||
Other changes in Shorewall 4.0.1.
|
||||
|
||||
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
|
||||
option is recognized by Shorewall-perl and is ignored by
|
||||
Shorewall-shell.
|
||||
|
||||
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
|
||||
contains 'all', a single policy chain is created and the policy is
|
||||
enforced in that chain. For example, if the policy entry is
|
||||
|
||||
#SOURCE DEST POLICY LOG
|
||||
# LEVEL
|
||||
net all DROP info
|
||||
|
||||
then the chain name is 'net2all' which is also the chain named in
|
||||
Shorewall log messages generated as a result of the policy. If
|
||||
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
|
||||
chain for each pair of zones covered by the policy. This makes the
|
||||
resulting log messages easier to interpret since the chain in the
|
||||
messages will have a name of the form 'a2b' where 'a' is the SOURCE
|
||||
zone and 'b' is the DEST zone. See
|
||||
http://linuxman.wikispaces.com/PPPPPPS for more information.
|
||||
|
||||
2) The Shorewall-perl dependency on the "Address Type Match"
|
||||
capability has been relaxed. This allows Shorewall 4.0.1 to be used
|
||||
on releases like RHEL4 that don't support that capability.
|
||||
|
||||
3) Shorewall-perl now detects dead policy file entries that result
|
||||
when an entry is masked by an earlier entry. Example:
|
||||
|
||||
all all REJECT info
|
||||
loc net ACCEPT
|
||||
|
||||
4) Recent kernels are apparently hard to configure and we have been
|
||||
seeing a lot of problem reports where the root cause is the lack of
|
||||
state match support in the kernel. This problem is difficult to
|
||||
diagnose when using Shorewall-perl so the generated shell program
|
||||
now checks specifically for this problem and terminates with an
|
||||
error if the capability doesn't exist.
|
||||
|
||||
Problems corrected in 4.0.2
|
||||
|
||||
1) The Shorewall-perl compiler was still generating invalid
|
||||
iptables-restore input from entries in /etc/shorewall/ecn.
|
||||
|
||||
2) When using Shorewall-perl, unless an interface was specified as
|
||||
'optional' in the interfaces file, the 'restore' command would
|
||||
fail if the routes through the interface or the addresses on the
|
||||
interface could not be detected.
|
||||
|
||||
Route detection occurs when the interface is named in the SOURCE
|
||||
column of the masq file. Address detection occurs when
|
||||
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
|
||||
or REDIRECT rule or when 'maclist' is specified for the interface.
|
||||
|
||||
Since the 'restore' command doesn't use the detected information,
|
||||
detection is now skipped if the command is 'restore'.
|
||||
|
||||
3) It was not previously possible to define traffic shaping on a
|
||||
bridge port; the generated script complained that the
|
||||
interface was not up and configured.
|
||||
|
||||
4) When Shorewall-shell was not installed, certain options in
|
||||
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
|
||||
'add' and 'delete' commands to fail with a missing library error.
|
||||
|
||||
OPTION FILE
|
||||
maclist interfaces,hosts
|
||||
proxyarp interfaces
|
||||
|
||||
5) The /var/lib/shorewall/zones file was being overwritten during
|
||||
processing of the 'refresh' command by a script generated with
|
||||
Shorewall-perl. The result was that hosts previously added to
|
||||
dynamic zones could not be deleted after the 'refresh'.
|
||||
|
||||
6) If the file named as the output file in a Shorewall-perl 'compile'
|
||||
command was a symbolic link, the generated error message
|
||||
erroneously stated that the file's parent directory was a symbolic
|
||||
link.
|
||||
|
||||
As part of this change, cosmetic changes were made to a number of
|
||||
other error messages.
|
||||
|
||||
7) Some intra-zone rules were missing when a zone involved multiple
|
||||
interfaces or when a zone included both IPSEC and non-IPSEC
|
||||
networks.
|
||||
|
||||
8) Shorewall was not previously loading the xt_multiport kernel
|
||||
module.
|
||||
|
||||
9) The Russian and French translations no longer have English headings
|
||||
on notes, cautions, etc..
|
||||
|
||||
10) Previously, using a port list in the DEST PORT(S) column of the
|
||||
rules file or in an action file could cause an invalid iptables
|
||||
command to be generated by Shorewall-shell.
|
||||
|
||||
11) If there were no bridges in a configuration, Shorewall-perl would
|
||||
ignore the CHAIN column in /etc/shorewall/accounting.
|
||||
|
||||
Other changes in 4.0.2
|
||||
|
||||
1) Shorewall-perl now detects when a port range is included in a list
|
||||
of ports and iptables/kernel support for Extended Multi-port Match
|
||||
is not available. This avoids an iptables-restore failure at
|
||||
run-time.
|
||||
|
||||
2) Most chains created by Shorewall-shell have names that can be
|
||||
embedded within shell variable names. This is a workaround for
|
||||
limitations in the shell programming language which has no
|
||||
equivalent to Perl hashes. Often chain names must have the name of
|
||||
a network interface encoded in them. Given that interface names can
|
||||
contain characters that are invalid in a shell variable name,
|
||||
Shorewall-shell performs a name mapping which was carried forward to
|
||||
Shorewall-perl:
|
||||
|
||||
- Trailing '+' is dropped.
|
||||
- The characters ".", "-", "%' and "@" are translated to "_".
|
||||
|
||||
This mapping has been elminated in the 4.0.2 release of Shorewall-
|
||||
perl. So where before you would see chain "eth0_0_in", you may now
|
||||
see the same chain named "eth0.0_in". Similarly, a chain previously
|
||||
named "ppp_fwd" may now be called "ppp+_fwd".
|
||||
|
||||
3) Shorewall-perl now uses the contents of the BROADCAST column in
|
||||
/etc/shorewall/interfaces when the Address Type match capability is
|
||||
not available.
|
||||
|
||||
Problems Corrected in 4.0.3
|
||||
|
||||
1) Using the LOG target in the rules file could result in two LOG
|
||||
rules being generated by Shorewall-shell. Additionally, using an IP
|
||||
address range in a rule that performed logging could result in an
|
||||
invalid iptables command.
|
||||
|
||||
2) Shorewall now loads the act_police kernel module needed by traffic
|
||||
shaping.
|
||||
|
||||
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
|
||||
the "TCPMSS Match" capability. This made it appear to a compiler
|
||||
using a capabilities file that the TCPMSS Match capability was not
|
||||
available.
|
||||
|
||||
4) Previously, Shorewall would truncate long log prefixes to 29
|
||||
characters. This resulted in there being no space between the log
|
||||
prefix and the IN= part of the message.
|
||||
|
||||
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
|
||||
|
||||
Beginning with this release, Shorewall will truncate the prefix to
|
||||
28 bytes and add a trailing space.
|
||||
|
||||
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
|
||||
|
||||
5) Previously, if:
|
||||
|
||||
- FASTACCEPT=No
|
||||
- The policy from Z1 to Z2 was CONTINUE
|
||||
- Neither Z1 nor Z2 had parent zones
|
||||
- There were no Z1->Z2 rules
|
||||
|
||||
then connections from Z2->Z1 would fail even if there were
|
||||
rules/policies allowing them. This has been
|
||||
corrected.
|
||||
|
||||
6) The 'shorewall add' and 'shorewall delete' command would fail when:
|
||||
|
||||
- The running configuration was compiled with Shorewall-perl.
|
||||
- The name of the interface specified in the command contained an
|
||||
embedded special character such as '.' or '-'.
|
||||
|
||||
This problem was the result of the change in Shorewall 4.0.2 that
|
||||
removed the legacy mapping of interface names when embedding such
|
||||
names in a Netfilter chain name. To correct the problem, the
|
||||
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
|
||||
|
||||
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
|
||||
marks when HIGH_ROUTE_MARKS=No and the track option was specified
|
||||
in /etc/shorewall/providers.
|
||||
|
||||
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
|
||||
the params file would fail at script execution time with "INCLUDE:
|
||||
not found". This has been corrected.
|
||||
|
||||
7) Shorewall-perl was mis-sorting the zone list when zones were nested
|
||||
more than one deep.
|
||||
|
||||
8) Stale references to http://www.shorewall.net/Documentation.htm have
|
||||
been removed from the config files (including samples). That URL
|
||||
has been replaced by the online manpages.
|
||||
|
||||
Other Changes in 4.0.3
|
||||
|
||||
1) A script generated by Shorewall-perl now tries to modify/restore
|
||||
/etc/iproute2/rt_tables only if the file is writable. This prevents
|
||||
run-time errors when /etc is mounted read-only.
|
||||
|
||||
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
|
||||
set to Yes, this option prevents Shorewall from altering the
|
||||
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
|
||||
recognized by Shorewall-perl and is ignored by Shorewall-shell.
|
||||
|
||||
2) Shorewall-perl now requires the FindBin Perl module.
|
||||
|
||||
3) When an optional provider is not available, a script generated by
|
||||
Shorewall-perl will no longer add the corresponding
|
||||
routing rules.
|
||||
|
||||
4) A new 'isusable' extension script has been added. This script
|
||||
allows you to extend the availability test that Shorewall performs
|
||||
on optional providers.
|
||||
|
||||
Here's an example that uses ping to ensure that the default
|
||||
gateways through eth0 and eth1 are reachable:
|
||||
|
||||
case $1 in
|
||||
eth0)
|
||||
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
|
||||
return
|
||||
;;
|
||||
eth1)
|
||||
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
|
||||
return
|
||||
;;
|
||||
*)
|
||||
# Assume we don't need to do any additional testing
|
||||
# for this interface beyond Shorewall's
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
|
||||
Additional information is available at
|
||||
http://www.shorewall.net/shorewall_extension_scripts.htm.
|
||||
|
||||
5) Processing of the message log in the 'show log', 'logwatch' and
|
||||
'dump' commands has been speeded up thanks to a suggestion by
|
||||
Andrew Suffield.
|
||||
|
||||
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
|
||||
commands were processed by the generated script from the
|
||||
last successful 'start', 'restart' or 'refresh' command. This had
|
||||
the side effect that updates to the /etc/shorewall/routestopped
|
||||
file did not take effect until one of those three commands was
|
||||
successfully processed.
|
||||
|
||||
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
|
||||
the default and the 4.0 behavior is enabled using the '-f' command
|
||||
option.
|
||||
|
||||
Example: shorewall stop -f
|
||||
|
||||
7) An 'mss' option has been added to the interfaces file. This option
|
||||
is only recognized by Shorewall-perl and causes Shorewall to set
|
||||
the MSS field in forwarded TCP SYN packets going in or out the
|
||||
interface to the value that you specify.
|
||||
|
||||
Example:
|
||||
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn ppp0 - mss=1400
|
||||
|
||||
The mss option only affects incoming traffic that has not been
|
||||
decrypted by IPSEC and outgoing traffic that will not subsequently
|
||||
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
|
||||
'mss' option in /etc/shorewall/zones.
|
||||
|
||||
8) Shorewall now detects the presence of the 'hashlimit match'
|
||||
capability. There is no builtin support yet for hashlimit but
|
||||
detection allows extension scripts for user-supplied actions to
|
||||
determine if the capability exists.
|
||||
|
||||
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
|
||||
capability exists.
|
||||
|
||||
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
|
||||
a boolean context if the capability exists. Shorewall-perl users
|
||||
may also code the following in their extension script:
|
||||
|
||||
use Shorewall::Config;
|
||||
|
||||
require_capability( 'HASHLIMIT_MATCH', #Capability
|
||||
'My hashlimit action' , #Feature requiring
|
||||
#capability
|
||||
's' ); #Feature is singular
|
||||
#(if plural, pass the
|
||||
empty string)
|
||||
|
||||
That call would procduce the following fatal error if the
|
||||
capability isn't available:
|
||||
|
||||
ERROR: My hashlimit action requires the Hashlimit match capability
|
||||
in your kernel and iptables
|
||||
|
||||
9) NFQUEUE support has been added to Shorewall-perl.
|
||||
|
||||
NFQUEUE may appear in actions, macros, rules and as a policy.
|
||||
When NFQUEUE is used by itself, queue number zero is assumed. To
|
||||
specify a queue number, follow NFQUEUE by a slash ("/") and the
|
||||
queue number.
|
||||
|
||||
Examples (/etc/shorewall/rules):
|
||||
|
||||
NFQUEUE loc net tcp #Queue number 0
|
||||
NFQUEUE/22 loc net udp #Queue number 22
|
||||
NFQUEUE/22:info loc net gre #With logging
|
||||
|
||||
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
|
||||
specifying the default action to use with NFQUEUE policies.
|
||||
|
||||
Use of NFQUEUE requires the NFQUEUE Target capability in your
|
||||
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
|
||||
then you must install Shorewall-lite 4.0.3 in order to build a
|
||||
capabilities file that includes NFQUEUE Target. If your
|
||||
capabilities file was generated by a Shorewall/Shorewall-lite
|
||||
version earlier that 4.0.3, you will receive a warning during
|
||||
compilation.
|
||||
|
||||
10) The 'refresh' command can now refresh chains other than 'blacklst'.
|
||||
|
||||
The syntax of the command is now:
|
||||
|
||||
shorewall refresh [ <chain> ... ]
|
||||
|
||||
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
|
||||
Shorewall-perl compiler compiles a script whose 'refresh' command
|
||||
refreshes the listed <chain>(s).
|
||||
|
||||
The listed chains are assumed to be in the filter table. You can
|
||||
refresh chains in other tables by prefixing the chain name with the
|
||||
table name followed by ":" (e.g., nat:net_dnat). Chain names which
|
||||
follow are assumed to be in that table until the end of the list or
|
||||
until an entry in the list names another table.
|
||||
|
||||
This feature requires Shorewall-perl 4.0.3 as well as
|
||||
Shorewall-common 4.0.3.
|
||||
|
@ -3,8 +3,10 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-routestopped"
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-routestopped.html
|
||||
#
|
||||
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information on the settings in this file, type "man shorewall-rules"
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Rules for additional information.
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||
#
|
||||
############################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
|
@ -180,15 +180,6 @@ get_config() {
|
||||
|
||||
export IPTABLES
|
||||
|
||||
#
|
||||
# See if we have a real version of "tail" -- use separate redirection so
|
||||
# that ash (aka /bin/sh on LRP) doesn't crap
|
||||
#
|
||||
if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
|
||||
realtail="Yes"
|
||||
else
|
||||
realtail=""
|
||||
fi
|
||||
#
|
||||
# Compile by non-root needs no restore file
|
||||
#
|
||||
@ -340,10 +331,11 @@ compiler() {
|
||||
shift
|
||||
|
||||
options="--verbose $VERBOSE ";
|
||||
[ -n "$EXPORT" ] && options="$options --export ";
|
||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR ";
|
||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp " ;
|
||||
[ -n "$debugging" ] && options="$options --debug " ;
|
||||
[ -n "$EXPORT" ] && options="$options --export "
|
||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
|
||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp "
|
||||
[ -n "$debugging" ] && options="$options --debug "
|
||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
|
||||
[ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
|
||||
#
|
||||
# Run the appropriate params file
|
||||
@ -358,6 +350,7 @@ compiler() {
|
||||
;;
|
||||
shell)
|
||||
[ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
|
||||
[ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
|
||||
$command $SHOREWALL_SHELL $sc $@
|
||||
;;
|
||||
*)
|
||||
@ -779,13 +772,15 @@ refresh_command() {
|
||||
esac
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
if [ $# -gt 0 ]; then
|
||||
REFRESHCHAINS=$1
|
||||
shift
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
REFRESHCHAINS="$REFRESHCHAINS,$1"
|
||||
shift
|
||||
done
|
||||
fi
|
||||
|
||||
shorewall_is_started || fatal_error "Shorewall is not running"
|
||||
|
||||
@ -1298,7 +1293,7 @@ usage() # $1 = exit status
|
||||
echo " logdrop <address> ..."
|
||||
echo " logreject <address> ..."
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " refresh [ -C {shell|perl} ]"
|
||||
echo " refresh [ -C {shell|perl} ] [ <chain>... ]"
|
||||
echo " reject <address> ..."
|
||||
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>"
|
||||
echo " reset"
|
||||
@ -1483,7 +1478,7 @@ export PRODUCT="Shorewall"
|
||||
FIREWALL=$SHAREDIR/firewall
|
||||
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
|
||||
VERSION_FILE=$SHAREDIR/version
|
||||
HELP=$SHAREDIR/help
|
||||
REFRESHCHAINS=
|
||||
|
||||
for library in $LIBRARIES; do
|
||||
if [ -f $library ]; then
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-common
|
||||
%define version 4.0.3
|
||||
%define version 4.0.4
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -240,6 +240,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
||||
|
||||
%changelog
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.3-1
|
||||
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -3,8 +3,8 @@
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-tunnels"
|
||||
#
|
||||
# See http://shorewall.net/Documentation.htm#Tunnels for additional
|
||||
# information.
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-tunnels.html
|
||||
#
|
||||
###############################################################################
|
||||
#TYPE ZONE GATEWAY GATEWAY
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.0.3
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -3,7 +3,8 @@
|
||||
#
|
||||
# For information about this file, type "man shorewall-zones"
|
||||
#
|
||||
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
|
||||
# The manpage is also online at
|
||||
# http://www.shorewall.net/manpages/shorewall-zones.html
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
|
@ -1 +1 @@
|
||||
This is the Shorewall-lite Development 4.1 branch of SVN.
|
||||
This is the Shorewall-lite Stable 4.0 branch of SVN.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.0.2
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.2
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -93,9 +93,9 @@ get_config() {
|
||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||
|
||||
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
|
||||
LOGREAD="logread"
|
||||
LOGREAD="logread | tac"
|
||||
elif [ -f $LOGFILE ]; then
|
||||
LOGREAD="cat $LOGFILE"
|
||||
LOGREAD="tac $LOGFILE"
|
||||
else
|
||||
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
||||
exit 2
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.0.2
|
||||
%define version 4.0.4
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
@ -98,6 +98,10 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.3-1
|
||||
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.2-1
|
||||
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.0.2
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,2 +1,2 @@
|
||||
This is the Shorewall-perl Development 4.1 branch of SVN.
|
||||
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
||||
|
||||
|
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_accounting );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.01;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
@ -70,7 +70,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
sub accounting_error() {
|
||||
warning_message "Invalid Accounting rule";
|
||||
fatal_error "Invalid Accounting rule";
|
||||
}
|
||||
|
||||
sub jump_to_chain( $ ) {
|
||||
@ -112,8 +112,10 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
|
||||
$source = ALLIPv4 if $source eq 'any' || $source eq 'all';
|
||||
|
||||
if ( @bridges ) {
|
||||
if ( $source =~ /^$firewall_zone:?(.*)$/ ) {
|
||||
if ( have_bridges ) {
|
||||
my $fw = firewall_zone;
|
||||
|
||||
if ( $source =~ /^$fw:?(.*)$/ ) {
|
||||
$source = $1 ? $1 : ALLIPv4;
|
||||
$restriction = OUTPUT_RESTRICT;
|
||||
$chain = 'accountout' unless $chain and $chain ne '-';
|
||||
@ -192,9 +194,9 @@ sub setup_accounting() {
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
|
||||
if ( @bridges ) {
|
||||
if ( have_bridges ) {
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
|
@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
|
||||
%macros
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||
@ -651,7 +651,7 @@ sub process_action3( $$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
sub process_actions3 () {
|
||||
|
@ -53,6 +53,7 @@ our @EXPORT = qw( STANDARD
|
||||
ALL_RESTRICT
|
||||
|
||||
process_comment
|
||||
clear_comment
|
||||
incr_cmd_level
|
||||
decr_cmd_level
|
||||
add_command
|
||||
@ -61,7 +62,6 @@ our @EXPORT = qw( STANDARD
|
||||
add_file
|
||||
add_rule
|
||||
insert_rule
|
||||
insert_rule_nice
|
||||
chain_base
|
||||
forward_chain
|
||||
input_chain
|
||||
@ -116,26 +116,22 @@ our @EXPORT = qw( STANDARD
|
||||
get_interface_bcasts
|
||||
set_global_variables
|
||||
create_netfilter_load
|
||||
create_blacklist_reload
|
||||
create_chainlist_reload
|
||||
|
||||
@policy_chains
|
||||
%chain_table
|
||||
$nat_table
|
||||
$mangle_table
|
||||
$filter_table
|
||||
$section
|
||||
%sections
|
||||
$comment
|
||||
%targets
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
#
|
||||
# @policy_chains is a list of references to policy chains in the filter table
|
||||
#
|
||||
# %chain_table { <table> => { <chain1> => { name => <chain name>
|
||||
# table => <table name>
|
||||
# is_policy => 0|1
|
||||
@ -166,7 +162,6 @@ our $VERSION = 4.03;
|
||||
#
|
||||
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
|
||||
#
|
||||
our @policy_chains;
|
||||
our %chain_table;
|
||||
our $nat_table;
|
||||
our $mangle_table;
|
||||
@ -234,7 +229,6 @@ our $mode;
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@policy_chains = ();
|
||||
%chain_table = ( raw => {} ,
|
||||
mangle => {},
|
||||
nat => {},
|
||||
@ -335,6 +329,14 @@ sub process_comment() {
|
||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Clear the $comment variable
|
||||
#
|
||||
sub clear_comment() {
|
||||
$comment = '';
|
||||
}
|
||||
|
||||
#
|
||||
# Functions to manipulate cmdlevel
|
||||
#
|
||||
@ -731,8 +733,8 @@ sub finish_section ( $ ) {
|
||||
$sections{$section} = 1;
|
||||
}
|
||||
|
||||
for my $zone ( @zones ) {
|
||||
for my $zone1 ( @zones ) {
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
|
||||
if ( $chainref->{referenced} ) {
|
||||
finish_chain_section $chainref, $sections;
|
||||
@ -760,7 +762,7 @@ sub set_mss1( $$ ) {
|
||||
sub set_mss( $$$ ) {
|
||||
my ( $zone, $mss, $direction) = @_;
|
||||
|
||||
for my $z ( @zones ) {
|
||||
for my $z ( all_zones ) {
|
||||
if ( $direction eq '_in' ) {
|
||||
set_mss1 "${zone}2${z}" , $mss;
|
||||
} elsif ( $direction eq '_out' ) {
|
||||
@ -776,8 +778,8 @@ sub set_mss( $$$ ) {
|
||||
# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
|
||||
#
|
||||
sub setup_zone_mss() {
|
||||
for my $zone ( @zones ) {
|
||||
my $zoneref = $zones{$zone};
|
||||
for my $zone ( all_zones ) {
|
||||
my $zoneref = find_zone( $zone );
|
||||
|
||||
set_mss( $zone, $zoneref->{options}{in_out}{mss}, '' ) if $zoneref->{options}{in_out}{mss};
|
||||
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
|
||||
@ -1104,7 +1106,7 @@ sub do_tos( $ ) {
|
||||
#
|
||||
sub match_source_dev( $ ) {
|
||||
my $interface = shift;
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
my $interfaceref = find_interface( $interface );
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
||||
} else {
|
||||
@ -1117,7 +1119,7 @@ sub match_source_dev( $ ) {
|
||||
#
|
||||
sub match_dest_dev( $ ) {
|
||||
my $interface = shift;
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
my $interfaceref = find_interface( $interface );
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
||||
} else {
|
||||
@ -1240,7 +1242,7 @@ sub match_orig_dest ( $ ) {
|
||||
sub match_ipsec_in( $$ ) {
|
||||
my ( $zone , $hostref ) = @_;
|
||||
my $match = '-m policy --dir in --pol ';
|
||||
my $zoneref = $zones{$zone};
|
||||
my $zoneref = find_zone( $zone );
|
||||
my $optionsref = $zoneref->{options};
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec4' ) {
|
||||
@ -1258,7 +1260,7 @@ sub match_ipsec_in( $$ ) {
|
||||
sub match_ipsec_out( $$ ) {
|
||||
my ( $zone , $hostref ) = @_;
|
||||
my $match = '-m policy --dir out --pol ';
|
||||
my $zoneref = $zones{$zone};
|
||||
my $zoneref = find_zone( $zone );
|
||||
my $optionsref = $zoneref->{options};
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec4' ) {
|
||||
@ -1537,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
} else {
|
||||
fatal_error "Source Interface ($iiface) not allowed when the source zone is $firewall_zone" if $restriction & OUTPUT_RESTRICT;
|
||||
fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT;
|
||||
$rule .= match_source_dev( $iiface );
|
||||
}
|
||||
}
|
||||
@ -1598,7 +1600,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
incr_cmd_level $chainref;
|
||||
} else {
|
||||
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
|
||||
fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
|
||||
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
|
||||
|
||||
if ( $iiface ) {
|
||||
my $bridge = port_to_bridge( $diface );
|
||||
@ -2013,52 +2015,109 @@ sub create_netfilter_load() {
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the netfilter input for refreshing the blacklist
|
||||
# Generate the netfilter input for refreshing a list of chains
|
||||
#
|
||||
sub create_blacklist_reload() {
|
||||
sub create_chainlist_reload($) {
|
||||
|
||||
my $chains = $_[0];
|
||||
|
||||
my @chains = split ',', $chains;
|
||||
|
||||
unless ( @chains ) {
|
||||
@chains = qw( blacklst ) if $filter_table->{blacklst};
|
||||
}
|
||||
|
||||
$mode = NULL_MODE;
|
||||
|
||||
emit( 'blacklist_reload()',
|
||||
emit( 'chainlist_reload()',
|
||||
'{'
|
||||
);
|
||||
|
||||
push_indent;
|
||||
|
||||
save_progress_message "Preparing iptables-restore input...";
|
||||
if ( @chains ) {
|
||||
if ( @chains == 1 ) {
|
||||
progress_message2 "Compiling iptables-restore input for chain @chains...";
|
||||
save_progress_message "Preparing iptables-restore input for chain @chains...";
|
||||
} else {
|
||||
progress_message2 "Compiling iptables-restore input for chain $chains...";
|
||||
save_progress_message "Preparing iptables-restore input for chains $chains...";
|
||||
}
|
||||
|
||||
emit '';
|
||||
emit '';
|
||||
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
emit 'exec 3>${VARDIR}/.iptables-restore-input';
|
||||
|
||||
enter_cat_mode;
|
||||
enter_cat_mode;
|
||||
|
||||
my $table = 'filter';
|
||||
|
||||
my %chains;
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
|
||||
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
|
||||
|
||||
$chains{$table} = [] unless $chains{$table};
|
||||
|
||||
push @{$chains{$table}}, $chain;
|
||||
}
|
||||
|
||||
emit_unindented '*filter';
|
||||
emit_unindented ':blacklst - [0:0]';
|
||||
#
|
||||
# Emit the Blacklist rules
|
||||
#
|
||||
emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
for $table qw(nat mangle filter) {
|
||||
next unless $chains{$table};
|
||||
|
||||
emit_unindented 'COMMIT';
|
||||
emit_unindented "*$table";
|
||||
|
||||
enter_cmd_mode;
|
||||
#
|
||||
# Now generate the actual iptables-restore command
|
||||
#
|
||||
emit( 'exec 3>&-',
|
||||
'',
|
||||
'progress_message2 "Running iptables-restore..."',
|
||||
'',
|
||||
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
|
||||
'if [ $? != 0 ]; then',
|
||||
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
|
||||
"fi\n"
|
||||
);
|
||||
my $tableref=$chain_table{$table};
|
||||
|
||||
@chains = sort @{$chains{$table}};
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
my $chainref = $tableref->{$chain};
|
||||
emit_unindented ":$chainref->{name} $chainref->{policy} [0:0]" if $chainref->{builtin};
|
||||
}
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
my $chainref = $tableref->{$chain};
|
||||
emit_unindented ":$chainref->{name} - [0:0]" unless $chainref->{builtin};
|
||||
}
|
||||
|
||||
for my $chain ( @chains ) {
|
||||
my $chainref = $tableref->{$chain};
|
||||
my @rules = @{$chainref->{rules}};
|
||||
|
||||
@rules = () unless @rules;
|
||||
#
|
||||
# Emit the chain rules
|
||||
#
|
||||
emitr $_ for ( @rules );
|
||||
}
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
|
||||
emit_unindented 'COMMIT';
|
||||
}
|
||||
|
||||
enter_cmd_mode;
|
||||
#
|
||||
# Now generate the actual iptables-restore command
|
||||
#
|
||||
emit( 'exec 3>&-',
|
||||
'',
|
||||
'progress_message2 "Running iptables-restore..."',
|
||||
'',
|
||||
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
|
||||
'if [ $? != 0 ]; then',
|
||||
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
|
||||
"fi\n"
|
||||
);
|
||||
} else {
|
||||
emit('true');
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
|
@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
|
||||
our @EXPORT_OK = qw( $export );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.04';
|
||||
|
||||
our $export;
|
||||
|
||||
@ -58,6 +58,7 @@ sub reinitialize() {
|
||||
Shorewall::Config::initialize;
|
||||
Shorewall::Chains::initialize;
|
||||
Shorewall::Zones::initialize;
|
||||
Shorewall::Policy::initialize;
|
||||
Shorewall::Nat::initialize;
|
||||
Shorewall::Providers::initialize;
|
||||
Shorewall::Tc::initialize;
|
||||
@ -138,17 +139,16 @@ sub generate_script_1() {
|
||||
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
|
||||
qq(VERSION="$globals{VERSION}") ,
|
||||
qq(PATH="$config{PATH}") ,
|
||||
'TERMINATOR=fatal_error'
|
||||
'TERMINATOR=fatal_error' ,
|
||||
''
|
||||
);
|
||||
|
||||
if ( $config{IPTABLES} ) {
|
||||
emit( qq(IPTABLES="$config{IPTABLES}"),
|
||||
'',
|
||||
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
|
||||
);
|
||||
} else {
|
||||
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables 2> /dev/null)',
|
||||
'',
|
||||
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
|
||||
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
|
||||
);
|
||||
}
|
||||
@ -328,11 +328,9 @@ EOF
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
done < ${VARDIR}/proxyarp
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||
done
|
||||
fi
|
||||
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
@ -596,7 +594,7 @@ sub generate_script_2 () {
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
# than those related to writing to the object file.
|
||||
#
|
||||
sub generate_script_3() {
|
||||
sub generate_script_3($) {
|
||||
|
||||
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
|
||||
dump_proxy_arp;
|
||||
@ -629,7 +627,7 @@ sub generate_script_3() {
|
||||
|
||||
progress_message2 "Creating iptables-restore input...";
|
||||
create_netfilter_load;
|
||||
create_blacklist_reload;
|
||||
create_chainlist_reload( $_[0] );
|
||||
|
||||
emit "#\n# Start/Restart the Firewall\n#";
|
||||
emit 'define_firewall() {';
|
||||
@ -647,14 +645,14 @@ setup_routing_and_traffic_shaping
|
||||
if [ $COMMAND = restore ]; then
|
||||
iptables_save_file=${VARDIR}/$(basename $0)-iptables
|
||||
if [ -f $iptables_save_file ]; then
|
||||
iptables-restore < $iptables_save_file
|
||||
cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux
|
||||
else
|
||||
fatal_error "$iptables_save_file does not exist"
|
||||
fi
|
||||
set_state "Started"
|
||||
else
|
||||
if [ $COMMAND = refresh ]; then
|
||||
blacklist_reload
|
||||
chainlist_reload
|
||||
run_refreshed_exit
|
||||
$IPTABLES -N shorewall
|
||||
set_state "Started"
|
||||
@ -701,9 +699,9 @@ EOF
|
||||
# If the first argument is non-null, it names the script file to generate.
|
||||
# Otherwise, this is a 'check' command and no script is produced.
|
||||
#
|
||||
sub compiler( $$$$ ) {
|
||||
sub compiler( $$$$$ ) {
|
||||
|
||||
my ( $objectfile, $directory, $verbosity, $options ) = @_;
|
||||
my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_;
|
||||
|
||||
$export = 0;
|
||||
|
||||
@ -723,7 +721,7 @@ sub compiler( $$$$ ) {
|
||||
#
|
||||
get_configuration( $export );
|
||||
|
||||
report_capabilities if $verbose > 1;
|
||||
report_capabilities;
|
||||
|
||||
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' );
|
||||
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
|
||||
@ -731,7 +729,7 @@ sub compiler( $$$$ ) {
|
||||
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
|
||||
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
|
||||
|
||||
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
|
||||
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
|
||||
|
||||
initialize_chain_table;
|
||||
|
||||
@ -865,7 +863,7 @@ sub compiler( $$$$ ) {
|
||||
#
|
||||
# Finish the script.
|
||||
#
|
||||
generate_script_3;
|
||||
generate_script_3( $chains );
|
||||
finalize_object ( $export );
|
||||
#
|
||||
# And generate the auxilary config file
|
||||
|
@ -34,10 +34,13 @@ use strict;
|
||||
use warnings;
|
||||
use File::Basename;
|
||||
use File::Temp qw/ tempfile tempdir /;
|
||||
use Cwd 'abs_path';
|
||||
use Cwd qw(abs_path getcwd);
|
||||
use autouse 'Carp' => qw(longmess confess);
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
#
|
||||
# Imported variables should be treated as read-only by importers
|
||||
#
|
||||
our @EXPORT = qw(
|
||||
create_temp_object
|
||||
finalize_object
|
||||
@ -47,6 +50,7 @@ our @EXPORT = qw(
|
||||
save_progress_message_short
|
||||
set_timestamp
|
||||
set_verbose
|
||||
set_command
|
||||
progress_message
|
||||
progress_message2
|
||||
progress_message3
|
||||
@ -55,7 +59,6 @@ our @EXPORT = qw(
|
||||
copy
|
||||
create_temp_aux_config
|
||||
finalize_aux_config
|
||||
|
||||
warning_message
|
||||
fatal_error
|
||||
set_shorewall_dir
|
||||
@ -85,15 +88,13 @@ our @EXPORT = qw(
|
||||
$command
|
||||
$doing
|
||||
$done
|
||||
$verbose
|
||||
|
||||
$currentline
|
||||
%config
|
||||
%globals
|
||||
%capabilities );
|
||||
|
||||
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@ -147,7 +148,38 @@ our %capabilities;
|
||||
#
|
||||
# Capabilities
|
||||
#
|
||||
our %capdesc;
|
||||
our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
MANGLE_ENABLED => 'Packet Mangling',
|
||||
MULTIPORT => 'Multi-port Match' ,
|
||||
XMULTIPORT => 'Extended Multi-port Match',
|
||||
CONNTRACK_MATCH => 'Connection Tracking Match',
|
||||
USEPKTTYPE => 'Packet Type Match',
|
||||
POLICY_MATCH => 'Policy Match',
|
||||
PHYSDEV_MATCH => 'Physdev Match',
|
||||
LENGTH_MATCH => 'Packet length Match',
|
||||
IPRANGE_MATCH => 'IP Range Match',
|
||||
RECENT_MATCH => 'Recent Match',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
IPSET_MATCH => 'Ipset Match',
|
||||
CONNMARK => 'CONNMARK Target',
|
||||
XCONNMARK => 'Extended CONNMARK Target',
|
||||
CONNMARK_MATCH => 'Connmark Match',
|
||||
XCONNMARK_MATCH => 'Extended Connmark Match',
|
||||
RAW_TABLE => 'Raw Table',
|
||||
IPP2P_MATCH => 'IPP2P Match',
|
||||
CLASSIFY_TARGET => 'CLASSIFY Target',
|
||||
ENHANCED_REJECT => 'Extended Reject',
|
||||
KLUDGEFREE => 'Repeat match',
|
||||
MARK => 'MARK Target',
|
||||
XMARK => 'Extended Mark Target',
|
||||
MANGLE_FORWARD => 'Mangle FORWARD Chain',
|
||||
COMMENTS => 'Comments',
|
||||
ADDRTYPE => 'Address Type Match',
|
||||
TCPMSS_MATCH => 'TCPMSS Match',
|
||||
HASHLIMIT_MATCH => 'Hashlimit Match',
|
||||
NFQUEUE_TARGET => 'NFQUEUE Target',
|
||||
CAPVERSION => 'Capability Version',
|
||||
);
|
||||
#
|
||||
# Directories to search for configuration files
|
||||
#
|
||||
@ -198,7 +230,7 @@ sub initialize() {
|
||||
ORIGINAL_POLICY_MATCH => '',
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
VERSION => '4.0.3',
|
||||
VERSION => '4.0.4',
|
||||
CAPVERSION => 40003 ,
|
||||
);
|
||||
#
|
||||
@ -335,41 +367,6 @@ sub initialize() {
|
||||
CAPVERSION => undef,
|
||||
);
|
||||
#
|
||||
# Capabilities
|
||||
#
|
||||
%capdesc = ( NAT_ENABLED => 'NAT',
|
||||
MANGLE_ENABLED => 'Packet Mangling',
|
||||
MULTIPORT => 'Multi-port Match' ,
|
||||
XMULTIPORT => 'Extended Multi-port Match',
|
||||
CONNTRACK_MATCH => 'Connection Tracking Match',
|
||||
USEPKTTYPE => 'Packet Type Match',
|
||||
POLICY_MATCH => 'Policy Match',
|
||||
PHYSDEV_MATCH => 'Physdev Match',
|
||||
LENGTH_MATCH => 'Packet length Match',
|
||||
IPRANGE_MATCH => 'IP Range Match',
|
||||
RECENT_MATCH => 'Recent Match',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
IPSET_MATCH => 'Ipset Match',
|
||||
CONNMARK => 'CONNMARK Target',
|
||||
XCONNMARK => 'Extended CONNMARK Target',
|
||||
CONNMARK_MATCH => 'Connmark Match',
|
||||
XCONNMARK_MATCH => 'Extended Connmark Match',
|
||||
RAW_TABLE => 'Raw Table',
|
||||
IPP2P_MATCH => 'IPP2P Match',
|
||||
CLASSIFY_TARGET => 'CLASSIFY Target',
|
||||
ENHANCED_REJECT => 'Extended Reject',
|
||||
KLUDGEFREE => 'Repeat match',
|
||||
MARK => 'MARK Target',
|
||||
XMARK => 'Extended Mark Target',
|
||||
MANGLE_FORWARD => 'Mangle FORWARD Chain',
|
||||
COMMENTS => 'Comments',
|
||||
ADDRTYPE => 'Address Type Match',
|
||||
TCPMSS_MATCH => 'TCPMSS Match',
|
||||
HASHLIMIT_MATCH => 'Hashlimit Match',
|
||||
NFQUEUE_TARGET => 'NFQUEUE Target',
|
||||
CAPVERSION => 'Capability Version',
|
||||
);
|
||||
#
|
||||
# Directories to search for configuration files
|
||||
#
|
||||
@config_path = ();
|
||||
@ -401,7 +398,8 @@ INIT {
|
||||
#
|
||||
sub warning_message
|
||||
{
|
||||
my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : '';
|
||||
my $linenumber = $currentlinenumber || 1;
|
||||
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
|
||||
|
||||
if ( $debug ) {
|
||||
print STDERR longmess( " WARNING: @_$currentlineinfo" );
|
||||
@ -414,7 +412,8 @@ sub warning_message
|
||||
# Issue fatal error message and die
|
||||
#
|
||||
sub fatal_error {
|
||||
my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : '';
|
||||
my $linenumber = $currentlinenumber || 1;
|
||||
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
|
||||
confess " ERROR: @_$currentlineinfo" if $debug;
|
||||
die " ERROR: @_$currentlineinfo\n";
|
||||
}
|
||||
@ -480,12 +479,18 @@ sub set_verbose( $ ) {
|
||||
$verbose = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Set $command, $doing and $done
|
||||
#
|
||||
sub set_command( $$$ ) {
|
||||
($command, $doing, $done) = @_;
|
||||
}
|
||||
|
||||
#
|
||||
# Print the current TOD to STDOUT.
|
||||
#
|
||||
sub timestamp() {
|
||||
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
|
||||
printf '%02d:%02d:%02d ', $hr, $min, $sec;
|
||||
printf '%02d:%02d:%02d ', ( localtime ) [2,1,0];
|
||||
}
|
||||
|
||||
#
|
||||
@ -649,7 +654,7 @@ sub finalize_aux_config() {
|
||||
}
|
||||
|
||||
#
|
||||
# Set $globals{CONFIG_PATH}
|
||||
# Set $config{CONFIG_PATH}
|
||||
#
|
||||
sub set_config_path( $ ) {
|
||||
$config{CONFIG_PATH} = shift;
|
||||
@ -839,9 +844,12 @@ sub read_a_line() {
|
||||
while ( $currentfile ) {
|
||||
|
||||
$currentline = '';
|
||||
$currentlinenumber = 0;
|
||||
|
||||
while ( <$currentfile> ) {
|
||||
|
||||
$currentlinenumber = $. unless $currentlinenumber;
|
||||
|
||||
chomp;
|
||||
#
|
||||
# Continuation
|
||||
@ -856,7 +864,6 @@ sub read_a_line() {
|
||||
#
|
||||
$currentline = '', next if $currentline =~ /^\s*$/;
|
||||
|
||||
$currentlinenumber = $.;
|
||||
#
|
||||
# Expand Shell Variables using %ENV
|
||||
#
|
||||
@ -883,6 +890,8 @@ sub read_a_line() {
|
||||
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
|
||||
$currentfile = undef;
|
||||
do_open_file $filename;
|
||||
} else {
|
||||
$currentlinenumber = 0;
|
||||
}
|
||||
|
||||
$currentline = '';
|
||||
@ -1026,17 +1035,19 @@ sub report_capabilities() {
|
||||
}
|
||||
}
|
||||
|
||||
print "Shorewall has detected the following capabilities:\n";
|
||||
if ( $verbose > 1 ) {
|
||||
print "Shorewall has detected the following capabilities:\n";
|
||||
|
||||
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
|
||||
report_capability $cap;
|
||||
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
|
||||
report_capability $cap;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Search the current PATH for the passed executable
|
||||
#
|
||||
sub mywhich( $ ) {
|
||||
sub which( $ ) {
|
||||
my $prog = $_[0];
|
||||
|
||||
for my $dir ( split /:/, $config{PATH} ) {
|
||||
@ -1050,7 +1061,7 @@ sub mywhich( $ ) {
|
||||
# Load the kernel modules defined in the 'modules' file.
|
||||
#
|
||||
sub load_kernel_modules( ) {
|
||||
my $moduleloader = mywhich 'modprobe' ? 'modprobe' : 'insmod';
|
||||
my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
|
||||
|
||||
my $modulesdir = $config{MODULESDIR};
|
||||
|
||||
@ -1063,7 +1074,7 @@ sub load_kernel_modules( ) {
|
||||
|
||||
my @moduledirectories = split /:/, $modulesdir;
|
||||
|
||||
if ( @moduledirectories && open_file 'modules' ) {
|
||||
if ( $moduleloader && open_file 'modules' ) {
|
||||
my %loadedmodules;
|
||||
|
||||
progress_message "Loading Modules...";
|
||||
@ -1114,9 +1125,9 @@ sub qt( $ ) {
|
||||
#
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
sub determine_capabilities() {
|
||||
sub determine_capabilities( $ ) {
|
||||
|
||||
my $iptables = $config{IPTABLES};
|
||||
my $iptables = $_[0];
|
||||
my $pid = $$;
|
||||
my $sillyname = "fooX$pid";
|
||||
|
||||
@ -1173,7 +1184,7 @@ sub determine_capabilities() {
|
||||
|
||||
$capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" );
|
||||
|
||||
if ( mywhich 'ipset' ) {
|
||||
if ( which 'ipset' ) {
|
||||
qt( "ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "ipset -N $sillyname iphash" ) ) {
|
||||
@ -1243,8 +1254,10 @@ sub ensure_config_path() {
|
||||
}
|
||||
|
||||
if ( $shorewall_dir ) {
|
||||
$shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|;
|
||||
$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
|
||||
unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
|
||||
$config{CONFIG_PATH} = join ':', @config_path;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1287,32 +1300,10 @@ sub process_shorewall_conf() {
|
||||
}
|
||||
}
|
||||
|
||||
sub get_capabilities( $ ) {
|
||||
my $export = $_[0];
|
||||
|
||||
if ( ! $export && $> == 0 ) { # $> == $EUID
|
||||
unless ( $config{IPTABLES} ) {
|
||||
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
|
||||
} else {
|
||||
fatal_error "\$IPTABLES=$config{IPTABLES} does not exist or is not executable" unless -x $config{IPTABLES};
|
||||
}
|
||||
|
||||
load_kernel_modules;
|
||||
|
||||
unless ( open_file 'capabilities' ) {
|
||||
determine_capabilities;
|
||||
}
|
||||
} else {
|
||||
unless ( open_file 'capabilities' ) {
|
||||
fatal_error "The -e flag requires a capabilities file" if $export;
|
||||
fatal_error "Compiling under non-root uid requires a capabilities file";
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# If we successfully called open_file above, then this loop will read the capabilities file.
|
||||
# Otherwise, the first call to read_a_line() below will return false
|
||||
#
|
||||
#
|
||||
# Process the records in the capabilities file
|
||||
#
|
||||
sub read_capabilities() {
|
||||
while ( read_a_line1 ) {
|
||||
if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
|
||||
my ($var, $val) = ($1, $2);
|
||||
@ -1334,6 +1325,42 @@ sub get_capabilities( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Get the system's capabilities, either by probing or by reading a capabilities file
|
||||
#
|
||||
sub get_capabilities( $ ) {
|
||||
my $export = $_[0];
|
||||
|
||||
if ( ! $export && $> == 0 ) { # $> == $EUID
|
||||
my $iptables = $config{IPTABLES};
|
||||
|
||||
if ( $iptables ) {
|
||||
fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables;
|
||||
} else {
|
||||
fatal_error "Can't find iptables executable" unless $iptables = which 'iptables';
|
||||
}
|
||||
|
||||
my $iptables_restore=$iptables . '-restore';
|
||||
|
||||
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
|
||||
|
||||
load_kernel_modules;
|
||||
|
||||
if ( open_file 'capabilities' ) {
|
||||
read_capabilities;
|
||||
} else {
|
||||
determine_capabilities $iptables;
|
||||
}
|
||||
} else {
|
||||
unless ( open_file 'capabilities' ) {
|
||||
fatal_error "The -e compiler option requires a capabilities file" if $export;
|
||||
fatal_error "Compiling under non-root uid requires a capabilities file";
|
||||
}
|
||||
|
||||
read_capabilities;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# - Read the shorewall.conf file
|
||||
# - Read the capabilities file, if any
|
||||
|
@ -33,7 +33,7 @@ use warnings;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( %protocols %services );
|
||||
our @EXPORT_OK = qw();
|
||||
our $VERSION = 4.00;
|
||||
our $VERSION = '4.00';
|
||||
|
||||
our %protocols = (
|
||||
ip => 0,
|
||||
|
@ -36,12 +36,11 @@ our @EXPORT = qw( ALLIPv4
|
||||
validate_host
|
||||
validate_range
|
||||
ip_range_explicit
|
||||
|
||||
@allipv4
|
||||
@rfc1918_networks
|
||||
allipv4
|
||||
rfc1918_neworks
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# Some IPv4 useful stuff
|
||||
@ -161,4 +160,12 @@ sub validate_host( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub allipv4() {
|
||||
@allipv4;
|
||||
}
|
||||
|
||||
sub rfc1918_networks() {
|
||||
@rfc1918_networks
|
||||
}
|
||||
|
||||
1;
|
||||
|
@ -36,7 +36,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
|
||||
our @EXPORT_OK = ();
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
our @addresses_to_add;
|
||||
our %addresses_to_add;
|
||||
@ -169,7 +169,7 @@ sub setup_one_masq($$$$$$$)
|
||||
#
|
||||
( my $interface = $fullinterface ) =~ s/:.*//;
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
|
||||
|
||||
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
#
|
||||
@ -305,7 +305,7 @@ sub setup_masq()
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
|
||||
}
|
||||
|
||||
@ -417,7 +417,7 @@ sub setup_nat() {
|
||||
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -34,7 +34,28 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
# @policy_chains is a list of references to policy chains in the filter table
|
||||
|
||||
our @policy_chains;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
# the compiler to run multiple times in the same process. The
|
||||
# initialize() function does globals initialization for this
|
||||
# module and is called from an INIT block below. The function is
|
||||
# also called by Shorewall::Compiler::compiler at the beginning of
|
||||
# the second and subsequent calls to that function.
|
||||
#
|
||||
|
||||
sub initialize() {
|
||||
@policy_chains = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
#
|
||||
# Convert a chain into a policy chain.
|
||||
@ -104,20 +125,36 @@ sub set_policy_chain($$$$$)
|
||||
#
|
||||
# Process the policy file
|
||||
#
|
||||
use constant { OPTIONAL => 1 };
|
||||
|
||||
sub add_or_modify_policy_chain( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = "${zone}2${zone1}";
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
if ( $chainref ) {
|
||||
unless( $chainref->{is_policy} ) {
|
||||
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
push @policy_chains, $chainref;
|
||||
}
|
||||
} else {
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
}
|
||||
}
|
||||
|
||||
sub print_policy($$$$) {
|
||||
my ( $source, $dest, $policy , $chain ) = @_;
|
||||
unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
|
||||
if ( $policy eq 'CONTINUE' ) {
|
||||
my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
|
||||
warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
|
||||
}
|
||||
progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_policy()
|
||||
{
|
||||
sub print_policy($$$$)
|
||||
{
|
||||
my ( $source, $dest, $policy , $chain ) = @_;
|
||||
unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
|
||||
if ( $policy eq 'CONTINUE' ) {
|
||||
my ( $sourceref, $destref ) = @zones{$source,$dest};
|
||||
warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
|
||||
}
|
||||
progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
|
||||
}
|
||||
}
|
||||
|
||||
my %validpolicies = (
|
||||
ACCEPT => undef,
|
||||
REJECT => undef,
|
||||
@ -136,8 +173,6 @@ sub validate_policy()
|
||||
|
||||
my $zone;
|
||||
|
||||
use constant { OPTIONAL => 1 };
|
||||
|
||||
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
|
||||
my $action = $config{$option};
|
||||
next if $action eq 'none';
|
||||
@ -157,14 +192,15 @@ sub validate_policy()
|
||||
$default_actions{$map{$option}} = $action;
|
||||
}
|
||||
|
||||
for $zone ( @zones ) {
|
||||
for $zone ( all_zones ) {
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
|
||||
|
||||
if ( $config{IMPLICIT_CONTINUE} && ( @{$zones{$zone}{parents}} ) ) {
|
||||
for my $zone1 ( @zones ) {
|
||||
next if $zone eq $zone1;
|
||||
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
|
||||
push @policy_chains, ( new_policy_chain $zone1, $zone, 'CONTINUE', OPTIONAL );
|
||||
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
unless( $zone eq $zone1 ) {
|
||||
add_or_modify_policy_chain( $zone, $zone1 );
|
||||
add_or_modify_policy_chain( $zone1, $zone );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -187,11 +223,11 @@ sub validate_policy()
|
||||
|
||||
my $clientwild = ( "\L$client" eq 'all' );
|
||||
|
||||
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
|
||||
fatal_error "Undefined zone $client" unless $clientwild || defined_zone( $client );
|
||||
|
||||
my $serverwild = ( "\L$server" eq 'all' );
|
||||
|
||||
fatal_error "Undefined zone $server" unless $serverwild || $zones{$server};
|
||||
fatal_error "Undefined zone $server" unless $serverwild || defined_zone( $server );
|
||||
|
||||
( $policy , my ( $default, $remainder ) ) = split( /:/, $policy, 3 );
|
||||
|
||||
@ -230,13 +266,13 @@ sub validate_policy()
|
||||
fatal_error "NONE policy not allowed with \"all\""
|
||||
if $clientwild || $serverwild;
|
||||
fatal_error "NONE policy not allowed to/from firewall zone"
|
||||
if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
|
||||
if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' );
|
||||
}
|
||||
|
||||
unless ( $clientwild || $serverwild ) {
|
||||
if ( $zones{$server}{type} eq 'bport4' ) {
|
||||
if ( zone_type( $server ) eq 'bport4' ) {
|
||||
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
|
||||
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
|
||||
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
|
||||
}
|
||||
}
|
||||
|
||||
@ -275,20 +311,20 @@ sub validate_policy()
|
||||
|
||||
if ( $clientwild ) {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zones , 'all' ) {
|
||||
for my $zone1 ( @zones , 'all' ) {
|
||||
for my $zone ( all_zones , 'all' ) {
|
||||
for my $zone1 ( all_zones , 'all' ) {
|
||||
set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
|
||||
print_policy $zone, $zone1, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $zone ( @zones ) {
|
||||
for my $zone ( all_zones ) {
|
||||
set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
|
||||
print_policy $zone, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} elsif ( $serverwild ) {
|
||||
for my $zone ( @zones , 'all' ) {
|
||||
for my $zone ( all_zones , 'all' ) {
|
||||
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
|
||||
print_policy $client, $zone, $policy, $chain;
|
||||
}
|
||||
@ -382,8 +418,8 @@ sub apply_policy_rules() {
|
||||
}
|
||||
}
|
||||
|
||||
for my $zone ( @zones ) {
|
||||
for my $zone1 ( @zones ) {
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $filter_table->{"${zone}2${zone1}"};
|
||||
|
||||
if ( $chainref->{referenced} ) {
|
||||
|
@ -42,7 +42,7 @@ our @EXPORT = qw(
|
||||
setup_forwarding
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = 4.01;
|
||||
our $VERSION = '4.01';
|
||||
|
||||
#
|
||||
# ARP Filtering
|
||||
|
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_providers @routemarked_interfaces);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
use constant { LOCAL_NUMBER => 255,
|
||||
MAIN_NUMBER => 254,
|
||||
|
@ -35,7 +35,7 @@ our @EXPORT = qw(
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.01;
|
||||
our $VERSION = '4.01';
|
||||
|
||||
our @proxyarp;
|
||||
|
||||
|
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
|
||||
dump_rule_chains
|
||||
);
|
||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
|
||||
@ -125,7 +125,7 @@ sub process_tos() {
|
||||
|
||||
fatal_error "Invalid SOURCE" if defined $remainder;
|
||||
|
||||
if ( $srczone eq $firewall_zone ) {
|
||||
if ( $srczone eq firewall_zone ) {
|
||||
$chainref = $outtosref;
|
||||
$src = $source || '-';
|
||||
$restriction = OUTPUT_RESTRICT;
|
||||
@ -519,7 +519,7 @@ sub add_common_rules() {
|
||||
|
||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||
|
||||
for $interface ( @interfaces ) {
|
||||
for $interface ( all_interfaces ) {
|
||||
for $chain ( @{first_chains $interface} ) {
|
||||
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
|
||||
}
|
||||
@ -593,7 +593,7 @@ sub add_common_rules() {
|
||||
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
||||
}
|
||||
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge};
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||
}
|
||||
}
|
||||
|
||||
@ -649,7 +649,7 @@ sub add_common_rules() {
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
for $interface ( @interfaces) {
|
||||
for $interface ( all_interfaces ) {
|
||||
for $chain ( @{dynamic_chains $interface} ) {
|
||||
new_standard_chain $chain;
|
||||
}
|
||||
@ -713,7 +713,7 @@ sub setup_mac_lists( $ ) {
|
||||
my $chainref = new_chain $table , mac_chain $interface;
|
||||
|
||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
|
||||
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
|
||||
|
||||
if ( $ttl ) {
|
||||
my $chain1ref = new_chain $table, macrecent_target $interface;
|
||||
@ -782,7 +782,7 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
#
|
||||
# Generate jumps from the input and forward chains
|
||||
#
|
||||
@ -806,7 +806,7 @@ sub setup_mac_lists( $ ) {
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
|
||||
my $variable = get_interface_addresses source_port_to_bridge( $interface );
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_commands( $chainref,
|
||||
@ -815,8 +815,8 @@ sub setup_mac_lists( $ ) {
|
||||
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
||||
'done' );
|
||||
} else {
|
||||
my $bridge = $interfaces{$interface}{bridge};
|
||||
my $bridgeref = $interfaces{$bridge};
|
||||
my $bridge = source_port_to_bridge( $interface );
|
||||
my $bridgeref = find_interface( $bridge );
|
||||
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do" );
|
||||
@ -1001,9 +1001,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
if ( $actiontype & REDIRECT ) {
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = "$firewall_zone";
|
||||
$dest = "firewall_zone";
|
||||
} else {
|
||||
$dest = join( '', $firewall_zone, '::', $dest );
|
||||
$dest = join( '', firewall_zone, '::', $dest );
|
||||
}
|
||||
} elsif ( $action eq 'REJECT' ) {
|
||||
$action = 'reject';
|
||||
@ -1017,6 +1017,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
my $sourcezone;
|
||||
my $destzone;
|
||||
my $sourceref;
|
||||
my $destref;
|
||||
|
||||
if ( $source =~ /^(.+?):(.*)/ ) {
|
||||
$sourcezone = $1;
|
||||
@ -1035,22 +1037,22 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
fatal_error "Missing source zone" if $sourcezone eq '-';
|
||||
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
|
||||
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
|
||||
fatal_error "Missing destination zone" if $destzone eq '-';
|
||||
fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
|
||||
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
|
||||
|
||||
my $restriction = NO_RESTRICT;
|
||||
|
||||
if ( $sourcezone eq $firewall_zone ) {
|
||||
$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
|
||||
if ( $sourcezone eq firewall_zone ) {
|
||||
$restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
|
||||
} else {
|
||||
$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
|
||||
$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
|
||||
}
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
if ( $zones{$destzone}->{type} eq 'bport4' ) {
|
||||
unless ( $zones{$sourcezone}{bridge} eq $zones{$destzone}{bridge} || single_interface( $sourcezone ) eq $zones{$destzone}{bridge} ) {
|
||||
if ( $destref->{type} eq 'bport4' ) {
|
||||
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
|
||||
return 1 if $wildcard;
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
}
|
||||
@ -1135,8 +1137,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
if ( $origdest eq '' || $origdest eq '-' ) {
|
||||
$origdest = ALLIPv4;
|
||||
} elsif ( $origdest eq 'detect' ) {
|
||||
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
|
||||
my $interfacesref = $zones{$sourcezone}{interfaces};
|
||||
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
|
||||
my $interfacesref = $sourceref->{interfaces};
|
||||
my @interfaces = keys %$interfacesref;
|
||||
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
|
||||
} else {
|
||||
@ -1146,7 +1148,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
} else {
|
||||
if ( $action eq 'SAME' ) {
|
||||
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
|
||||
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq $firewall_zone;
|
||||
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
|
||||
$target = '-j SAME ';
|
||||
for my $serv ( split /,/, $server ) {
|
||||
$target .= "--to $serv ";
|
||||
@ -1160,8 +1162,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
|
||||
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
|
||||
my $interfacesref = $zones{$sourcezone}{interfaces};
|
||||
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
|
||||
my $interfacesref = $sourceref->{interfaces};
|
||||
my @interfaces = keys %$interfacesref;
|
||||
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
|
||||
} else {
|
||||
@ -1173,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
# And generate the nat table rule(s)
|
||||
#
|
||||
expand_rule ( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
|
||||
expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
|
||||
PREROUTE_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -1205,12 +1207,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$origdest = '' unless $origdest and $origdest ne '-';
|
||||
|
||||
if ( $origdest eq 'detect' ) {
|
||||
my $interfacesref = $zones{$sourcezone}{interfaces};
|
||||
my $interfacesref = $sourceref->{interfaces};
|
||||
my $interfaces = "@$interfacesref";
|
||||
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
|
||||
}
|
||||
|
||||
expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
|
||||
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
|
||||
PREROUTE_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -1312,11 +1314,11 @@ sub process_rule ( $$$$$$$$$$ ) {
|
||||
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
||||
|
||||
if ( $source eq 'all' ) {
|
||||
for my $zone ( @zones ) {
|
||||
if ( $includesrcfw || ( $zones{$zone}{type} ne 'firewall' ) ) {
|
||||
for my $zone ( all_zones ) {
|
||||
if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
|
||||
if ( $dest eq 'all' ) {
|
||||
for my $zone1 ( @zones ) {
|
||||
if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
|
||||
if ( $intrazone || ( $zone ne $zone1 ) ) {
|
||||
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
|
||||
}
|
||||
@ -1324,7 +1326,7 @@ sub process_rule ( $$$$$$$$$$ ) {
|
||||
}
|
||||
} else {
|
||||
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
||||
$destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
|
||||
$destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
|
||||
if ( $intrazone || ( $zone ne $destzone ) ) {
|
||||
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
|
||||
}
|
||||
@ -1332,9 +1334,9 @@ sub process_rule ( $$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
} elsif ( $dest eq 'all' ) {
|
||||
for my $zone ( @zones ) {
|
||||
for my $zone ( all_zones ) {
|
||||
my $sourcezone = ( split( /:/, $source, 2 ) )[0];
|
||||
if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
|
||||
if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
|
||||
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
|
||||
}
|
||||
}
|
||||
@ -1392,7 +1394,7 @@ sub process_rules() {
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
$section = 'DONE';
|
||||
}
|
||||
|
||||
@ -1481,6 +1483,7 @@ sub generate_matrix() {
|
||||
my $exclusion_seq = 1;
|
||||
my %chain_exclusions;
|
||||
my %policy_exclusions;
|
||||
my @interfaces = ( all_interfaces );
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
|
||||
@ -1503,9 +1506,9 @@ sub generate_matrix() {
|
||||
#
|
||||
# Special processing for complex zones
|
||||
#
|
||||
for my $zone ( grep $zones{$_}{options}{complex} , @zones ) {
|
||||
for my $zone ( complex_zones ) {
|
||||
my $frwd_ref = new_standard_chain "${zone}_frwd";
|
||||
my $zoneref = $zones{$zone};
|
||||
my $zoneref = find_zone( $zone );
|
||||
my $exclusions = $zoneref->{exclusions};
|
||||
|
||||
if ( @$exclusions ) {
|
||||
@ -1549,11 +1552,11 @@ sub generate_matrix() {
|
||||
#
|
||||
# Main source-zone matrix-generation loop
|
||||
#
|
||||
for my $zone ( grep ( $zones{$_}{type} ne 'firewall' , @zones ) ) {
|
||||
my $zoneref = $zones{$zone};
|
||||
for my $zone ( non_firewall_zones ) {
|
||||
my $zoneref = find_zone( $zone );
|
||||
my $source_hosts_ref = $zoneref->{hosts};
|
||||
my $chain1 = rules_target $firewall_zone , $zone;
|
||||
my $chain2 = rules_target $zone, $firewall_zone;
|
||||
my $chain1 = rules_target firewall_zone , $zone;
|
||||
my $chain2 = rules_target $zone, firewall_zone;
|
||||
my $chain3 = rules_target $zone, $zone;
|
||||
my $complex = $zoneref->{options}{complex} || 0;
|
||||
my $type = $zoneref->{type};
|
||||
@ -1571,8 +1574,8 @@ sub generate_matrix() {
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
push @rule_chains , [ $firewall_zone , $zone , $chain1 ] if $chain1;
|
||||
push @rule_chains , [ $zone , $firewall_zone , $chain2 ];
|
||||
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
|
||||
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
|
||||
}
|
||||
|
||||
#
|
||||
@ -1623,7 +1626,7 @@ sub generate_matrix() {
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
|
||||
} else {
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
my $interfaceref = find_interface( $interface );
|
||||
my $chain = output_chain $interface;
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
@ -1654,8 +1657,8 @@ sub generate_matrix() {
|
||||
my @temp_zones;
|
||||
|
||||
ZONE1:
|
||||
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
|
||||
my $zone1ref = $zones{$zone1};
|
||||
for my $zone1 ( non_firewall_zones ) {
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
|
||||
|
||||
next if $policy eq 'NONE';
|
||||
@ -1695,7 +1698,7 @@ sub generate_matrix() {
|
||||
$last_chain = '';
|
||||
}
|
||||
} else {
|
||||
@dest_zones = grep $zones{$_}{type} ne 'firewall' , @zones ;
|
||||
@dest_zones = non_firewall_zones ;
|
||||
}
|
||||
#
|
||||
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
|
||||
@ -1705,7 +1708,7 @@ sub generate_matrix() {
|
||||
#
|
||||
ZONE1:
|
||||
for my $zone1 ( @dest_zones ) {
|
||||
my $zone1ref = $zones{$zone1};
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
|
||||
|
||||
next if $policy eq 'NONE';
|
||||
@ -1841,11 +1844,12 @@ sub generate_matrix() {
|
||||
for my $interface ( @interfaces ) {
|
||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
|
||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
|
||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless $interfaces{$interface}{options}{port};
|
||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
|
||||
}
|
||||
|
||||
my $chainref = $filter_table->{"${firewall_zone}2${firewall_zone}"};
|
||||
my $fw = firewall_zone;
|
||||
my $chainref = $filter_table->{"${fw}2${fw}"};
|
||||
|
||||
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
|
||||
@ -1854,8 +1858,8 @@ sub generate_matrix() {
|
||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||
|
||||
complete_standard_chain $filter_table->{INPUT} , 'all' , $firewall_zone;
|
||||
complete_standard_chain $filter_table->{OUTPUT} , $firewall_zone , 'all';
|
||||
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone;
|
||||
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all';
|
||||
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
|
||||
|
||||
if ( $config{LOGALLNEW} ) {
|
||||
@ -1913,7 +1917,7 @@ sub setup_mss( ) {
|
||||
}
|
||||
|
||||
for ( @$interfaces ) {
|
||||
my $mss = $interfaces{$_}{options}{mss};
|
||||
my $mss = get_interface_option( $_, 'mss' );
|
||||
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
|
||||
add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
|
||||
add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
|
||||
|
@ -39,7 +39,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tc );
|
||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.04';
|
||||
|
||||
our %tcs = ( T => { chain => 'tcpost',
|
||||
connmark => 0,
|
||||
@ -150,7 +150,7 @@ our %tcdevices;
|
||||
our @tcclasses;
|
||||
our %tcclasses;
|
||||
|
||||
our $prefix = '1';
|
||||
our $prefix;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
@ -168,6 +168,11 @@ sub initialize() {
|
||||
%tcdevices = ();
|
||||
@tcclasses = ();
|
||||
%tcclasses = ();
|
||||
$prefix = '1';
|
||||
}
|
||||
|
||||
INIT {
|
||||
initialize;
|
||||
}
|
||||
|
||||
sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
@ -185,13 +190,14 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
my $connmark = 0;
|
||||
my $classid = 0;
|
||||
my $device = '';
|
||||
my $fw = firewall_zone;
|
||||
|
||||
if ( $source ) {
|
||||
if ( $source eq $firewall_zone ) {
|
||||
if ( $source eq $fw ) {
|
||||
$chain = 'tcout';
|
||||
$source = '';
|
||||
} else {
|
||||
$chain = 'tcout' if $source =~ s/^($firewall_zone)://;
|
||||
$chain = 'tcout' if $source =~ s/^($fw)://;
|
||||
}
|
||||
}
|
||||
|
||||
@ -200,7 +206,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
|
||||
if ( $tcsref ) {
|
||||
if ( $chain eq 'tcout' ) {
|
||||
fatal_error "Invalid chain designator for source $firewall_zone" unless $tcsref->{fw};
|
||||
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
|
||||
}
|
||||
|
||||
$chain = $tcsref->{chain} if $tcsref->{chain};
|
||||
@ -609,8 +615,8 @@ sub setup_tc() {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
for ( @deferred_rules ) {
|
||||
|
@ -33,13 +33,15 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tunnels );
|
||||
our @EXPORT_OK = ( );
|
||||
our $VERSION = 4.00;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||
#
|
||||
sub setup_tunnels() {
|
||||
|
||||
our $fw = firewall_zone;
|
||||
|
||||
sub setup_one_ipsec {
|
||||
my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
|
||||
|
||||
@ -79,11 +81,10 @@ sub setup_tunnels() {
|
||||
|
||||
unless ( $gatewayzones eq '-' ) {
|
||||
for my $zone ( split /,/, $gatewayzones ) {
|
||||
fatal_error "Unknown zone ($zone)" unless $zones{$zone};
|
||||
my $type = $zones{$zone}{type};
|
||||
my $type = zone_type( $zone );
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
|
||||
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
@ -225,14 +226,12 @@ sub setup_tunnels() {
|
||||
sub setup_one_tunnel($$$$) {
|
||||
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
||||
|
||||
fatal_error "Unknown zone ($zone)" unless $zones{$zone};
|
||||
|
||||
my $zonetype = $zones{$zone}{type};
|
||||
my $zonetype = zone_type( $zone );
|
||||
|
||||
fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
|
||||
|
||||
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
|
||||
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
|
||||
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
|
||||
my $source = match_source_net $gateway;
|
||||
my $dest = match_dest_net $gateway;
|
||||
@ -286,7 +285,7 @@ sub setup_tunnels() {
|
||||
}
|
||||
}
|
||||
|
||||
$comment = '';
|
||||
clear_comment;
|
||||
}
|
||||
|
||||
1;
|
||||
|
@ -41,9 +41,19 @@ our @EXPORT = qw( NOTHING
|
||||
determine_zones
|
||||
zone_report
|
||||
dump_zone_contents
|
||||
find_zone
|
||||
firewall_zone
|
||||
defined_zone
|
||||
zone_type
|
||||
all_zones
|
||||
complex_zones
|
||||
non_firewall_zones
|
||||
single_interface
|
||||
validate_interfaces_file
|
||||
all_interfaces
|
||||
find_interface
|
||||
known_interface
|
||||
have_bridges
|
||||
port_to_bridge
|
||||
source_port_to_bridge
|
||||
interface_is_optional
|
||||
@ -51,16 +61,10 @@ our @EXPORT = qw( NOTHING
|
||||
get_interface_option
|
||||
validate_hosts_file
|
||||
find_hosts_by_option
|
||||
|
||||
@zones
|
||||
%zones
|
||||
$firewall_zone
|
||||
%interfaces
|
||||
@interfaces
|
||||
@bridges );
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = 4.03;
|
||||
our $VERSION = '4.03';
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@ -312,24 +316,24 @@ sub determine_zones()
|
||||
|
||||
fatal_error "No firewall zone defined" unless $firewall_zone;
|
||||
|
||||
my $pushed = 1;
|
||||
my %ordered;
|
||||
|
||||
while ( $pushed )
|
||||
PUSHED:
|
||||
{
|
||||
$pushed = 0;
|
||||
ZONE:
|
||||
for my $zone ( @z ) {
|
||||
unless ( $ordered{$zone} ) {
|
||||
for my $child ( @{$zones{$zone}{children}} ) {
|
||||
next ZONE unless $ordered{$child};
|
||||
for ( @{$zones{$zone}{children}} ) {
|
||||
next ZONE unless $ordered{$_};
|
||||
}
|
||||
$ordered{$zone} = 1;
|
||||
push @zones, $zone;
|
||||
$pushed = 1;
|
||||
redo PUSHED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z;
|
||||
}
|
||||
|
||||
#
|
||||
@ -504,6 +508,44 @@ sub add_group_to_zone($$$$$)
|
||||
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
|
||||
}
|
||||
|
||||
#
|
||||
# Verify that the passed zone name represents a declared zone. Return a
|
||||
# reference to its zone table entry.
|
||||
#
|
||||
sub find_zone( $ ) {
|
||||
my $zone = $_[0];
|
||||
|
||||
my $zoneref = $zones{$zone};
|
||||
|
||||
fatal_error "Unknown zone" unless $zoneref;
|
||||
|
||||
$zoneref;
|
||||
}
|
||||
|
||||
sub zone_type( $ ) {
|
||||
find_zone( $_[0] )->{type};
|
||||
}
|
||||
|
||||
sub defined_zone( $ ) {
|
||||
$zones{$_[0]};
|
||||
}
|
||||
|
||||
sub all_zones() {
|
||||
@zones;
|
||||
}
|
||||
|
||||
sub non_firewall_zones() {
|
||||
grep ( $zones{$_}{type} ne 'firewall' , @zones );
|
||||
}
|
||||
|
||||
sub complex_zones() {
|
||||
grep( $zones{$_}{options}{complex} , @zones );
|
||||
}
|
||||
|
||||
sub firewall_zone() {
|
||||
$firewall_zone;
|
||||
}
|
||||
|
||||
#
|
||||
# Return a list of networks routed out of the passed interface
|
||||
#
|
||||
@ -724,7 +766,7 @@ sub validate_interfaces_file( $ )
|
||||
fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
|
||||
delete $options{maclist} unless @networks;
|
||||
} else {
|
||||
@networks = @allipv4;
|
||||
@networks = allipv4;
|
||||
}
|
||||
|
||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
|
||||
@ -782,6 +824,32 @@ sub known_interface($)
|
||||
0;
|
||||
}
|
||||
|
||||
#
|
||||
# Return the interfaces list
|
||||
#
|
||||
sub all_interfaces() {
|
||||
@interfaces;
|
||||
}
|
||||
|
||||
#
|
||||
# Return a reference to the interfaces table entry for an interface
|
||||
#
|
||||
sub find_interface( $ ) {
|
||||
my $interface = $_[0];
|
||||
my $interfaceref = $interfaces{ $interface };
|
||||
|
||||
fatal_error "Unknown Interface ($interface)" unless $interfaceref;
|
||||
|
||||
$interfaceref;
|
||||
}
|
||||
|
||||
#
|
||||
# Returns true if there are bridges defined in the config
|
||||
#
|
||||
sub have_bridges() {
|
||||
@bridges > 0;
|
||||
}
|
||||
|
||||
#
|
||||
# Return the bridge associated with the passed interface. If the interface is not a bridge port,
|
||||
# return ''
|
||||
|
@ -123,8 +123,11 @@ use warnings;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( %protocols %services );
|
||||
our @EXPORT_OK = qw();
|
||||
our $VERSION = '1.00';
|
||||
EOF
|
||||
|
||||
print "our \$VERSION = '$globals{VERSION}';\n";
|
||||
|
||||
print <<'EOF';
|
||||
our %protocols = (
|
||||
EOF
|
||||
|
||||
|
@ -32,6 +32,7 @@
|
||||
# --directory=<directory> # Directory where configuration resides (default is /etc/shorewall)
|
||||
# --timestamp # Timestamp all progress messages
|
||||
# --debug # Print stack trace on warnings and fatal error.
|
||||
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
|
||||
#
|
||||
use strict;
|
||||
use FindBin;
|
||||
@ -40,7 +41,7 @@ use Shorewall::Compiler;
|
||||
use Getopt::Long;
|
||||
|
||||
sub usage() {
|
||||
print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ <filename> ]\n";
|
||||
print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ --refresh=<chainlist> ] [ <filename> ]\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
@ -52,6 +53,7 @@ my $shorewall_dir = '';
|
||||
my $verbose = 0;
|
||||
my $timestamp = '';
|
||||
my $debug = 0;
|
||||
my $chains = '';
|
||||
|
||||
Getopt::Long::Configure ('bundling');
|
||||
|
||||
@ -63,7 +65,9 @@ my $result = GetOptions('export' => \$export,
|
||||
'v=i' => \$verbose,
|
||||
'timestamp' => \$timestamp,
|
||||
't' => \$timestamp,
|
||||
'debug' => \$debug
|
||||
'debug' => \$debug,
|
||||
'r=s' => \$chains,
|
||||
'refresh=s' => \$chains
|
||||
);
|
||||
|
||||
usage unless $result && @ARGV < 2;
|
||||
@ -74,4 +78,4 @@ $options |= EXPORT if $export;
|
||||
$options |= TIMESTAMP if $timestamp;
|
||||
$options |= DEBUG if $debug;
|
||||
|
||||
compiler $ARGV[0], $shorewall_dir, $verbose, $options;
|
||||
compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains;
|
||||
|
@ -1,788 +0,0 @@
|
||||
--- ../Shorewall-common/lib.base 2007-07-22 06:29:50.000000000 -0700
|
||||
+++ prog.header 2007-07-22 06:29:50.000000000 -0700
|
||||
@@ -1,48 +1,27 @@
|
||||
-#!/bin/sh
|
||||
-#
|
||||
-# Shorewall 4.0 -- /usr/share/shorewall/lib.base
|
||||
-#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
-# Complete documentation is available at http://shorewall.net
|
||||
+# Options are:
|
||||
#
|
||||
-# This program is free software; you can redistribute it and/or modify
|
||||
-# it under the terms of Version 2 of the GNU General Public License
|
||||
-# as published by the Free Software Foundation.
|
||||
-#
|
||||
-# This program is distributed in the hope that it will be useful,
|
||||
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-# GNU General Public License for more details.
|
||||
-#
|
||||
-# You should have received a copy of the GNU General Public License
|
||||
-# along with this program; if not, write to the Free Software
|
||||
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
-#
|
||||
-# This library contains the code common to all Shorewall components.
|
||||
-#
|
||||
-# - It is copied into the compiled script with the -e compiler flag is specified to
|
||||
-# shorewall-shell.
|
||||
-# - It is loaded by /sbin/shorewall.
|
||||
-# - It is loaded by /usr/share/shorewall/firewall.
|
||||
-# - It is loaded by /usr/share/shorewall-shell/compiler.
|
||||
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
|
||||
-# and /usr/share/shorewall-lite/shorecap.
|
||||
-# - It is released as part of Shorewall Perl where it is copied into the compiled script
|
||||
-# by the compiler.
|
||||
-#
|
||||
-
|
||||
-SHOREWALL_LIBVERSION=40000
|
||||
-SHOREWALL_CAPVERSION=30405
|
||||
-
|
||||
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
-[ -n "${CONFDIR:=/etc/shorewall}" ]
|
||||
-SHELLSHAREDIR=/usr/share/shorewall-shell
|
||||
-PERLSHAREDIR=/usr/share/shorewall-perl
|
||||
-
|
||||
+# -n Don't alter Routing
|
||||
+# -v and -q Standard Shorewall Verbosity control
|
||||
+#
|
||||
+# Commands are:
|
||||
+#
|
||||
+# start Starts the firewall
|
||||
+# refresh Refresh the firewall
|
||||
+# restart Restarts the firewall
|
||||
+# reload Reload the firewall
|
||||
+# clear Removes all firewall rules
|
||||
+# stop Stops the firewall
|
||||
+# status Displays firewall status
|
||||
+# version Displays the version of Shorewall that
|
||||
+# generated this program
|
||||
+#
|
||||
+################################################################################
|
||||
+# Functions imported from /usr/share/shorewall/lib.base
|
||||
+################################################################################
|
||||
#
|
||||
# Message to stderr
|
||||
#
|
||||
@@ -111,20 +90,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Undo the effect of 'separate_list()'
|
||||
-#
|
||||
-combine_list()
|
||||
-{
|
||||
- local f o=
|
||||
-
|
||||
- for f in $* ; do
|
||||
- o="${o:+$o,}$f"
|
||||
- done
|
||||
-
|
||||
- echo $o
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Suppress all output for a command
|
||||
#
|
||||
qt()
|
||||
@@ -310,83 +275,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
||||
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
|
||||
-# the first argument. Example "shorewall nolock refresh"
|
||||
-#
|
||||
-# This function uses the lockfile utility from procmail if it exists.
|
||||
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
|
||||
-# behavior of lockfile.
|
||||
-#
|
||||
-mutex_on()
|
||||
-{
|
||||
- local try=0
|
||||
- local lockf=${LOCKFILE:=${VARDIR}/lock}
|
||||
-
|
||||
- MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
||||
-
|
||||
- if [ $MUTEX_TIMEOUT -gt 0 ]; then
|
||||
-
|
||||
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
-
|
||||
- if qt mywhich lockfile; then
|
||||
- lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
|
||||
- else
|
||||
- while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
||||
- sleep 1
|
||||
- try=$((${try} + 1))
|
||||
- done
|
||||
-
|
||||
- if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
|
||||
- # Create the lockfile
|
||||
- echo $$ > ${lockf}
|
||||
- else
|
||||
- echo "Giving up on lock file ${lockf}" >&2
|
||||
- fi
|
||||
- fi
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# Call this function to release mutual exclusion
|
||||
-#
|
||||
-mutex_off()
|
||||
-{
|
||||
- rm -f ${LOCKFILE:=${VARDIR}/lock}
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# Load an optional library
|
||||
-#
|
||||
-lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
|
||||
-{
|
||||
- local lib=${SHAREDIR}/lib.$1
|
||||
- local loaded
|
||||
-
|
||||
- eval loaded=\$LIB_${1}_LOADED
|
||||
-
|
||||
- if [ -z "$loaded" ]; then
|
||||
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
|
||||
-
|
||||
- if [ -f $lib ]; then
|
||||
- progress_message "Loading library $lib..."
|
||||
- . $lib
|
||||
- eval LIB_${1}_LOADED=Yes
|
||||
- else
|
||||
- startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
|
||||
- fi
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# Determine if an optional library is available
|
||||
-#
|
||||
-lib_avail() # $1 = Name of the Library
|
||||
-{
|
||||
- [ -f ${SHAREDIR}/lib.$1 ]
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Note: The following set of IP address manipulation functions have anomalous
|
||||
# behavior when the shell only supports 32-bit signed arithmetic and
|
||||
# the IP address is 128.0.0.0 or 128.0.0.1.
|
||||
@@ -395,32 +283,6 @@
|
||||
LEFTSHIFT='<<'
|
||||
|
||||
#
|
||||
-# Validate an IP address
|
||||
-#
|
||||
-valid_address() {
|
||||
- local x y
|
||||
- local ifs=$IFS
|
||||
-
|
||||
- IFS=.
|
||||
-
|
||||
- for x in $1; do
|
||||
- case $x in
|
||||
- [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
|
||||
- [ $x -lt 256 ] || { IFS=$ifs; return 2; }
|
||||
- ;;
|
||||
- *)
|
||||
- IFS=$ifs
|
||||
- return 2
|
||||
- ;;
|
||||
- esac
|
||||
- done
|
||||
-
|
||||
- IFS=$ifs
|
||||
-
|
||||
- return 0
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Convert an IP address in dot quad format to an integer
|
||||
#
|
||||
decodeaddr() {
|
||||
@@ -456,88 +318,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Enumerate the members of an IP range -- When using a shell supporting only
|
||||
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
|
||||
-#
|
||||
-# Comes in two flavors:
|
||||
-#
|
||||
-# ip_range() - produces a mimimal list of network/host addresses that spans
|
||||
-# the range.
|
||||
-#
|
||||
-# ip_range_explicit() - explicitly enumerates the range.
|
||||
-#
|
||||
-ip_range() {
|
||||
- local first last l x y z vlsm
|
||||
-
|
||||
- case $1 in
|
||||
- !*)
|
||||
- #
|
||||
- # Let iptables complain if it's a range
|
||||
- #
|
||||
- echo $1
|
||||
- return
|
||||
- ;;
|
||||
- [0-9]*.*.*.*-*.*.*.*)
|
||||
- ;;
|
||||
- *)
|
||||
- echo $1
|
||||
- return
|
||||
- ;;
|
||||
- esac
|
||||
-
|
||||
- first=$(decodeaddr ${1%-*})
|
||||
- last=$(decodeaddr ${1#*-})
|
||||
-
|
||||
- if [ $first -gt $last ]; then
|
||||
- fatal_error "Invalid IP address range: $1"
|
||||
- fi
|
||||
-
|
||||
- l=$(( $last + 1 ))
|
||||
-
|
||||
- while [ $first -le $last ]; do
|
||||
- vlsm=
|
||||
- x=31
|
||||
- y=2
|
||||
- z=1
|
||||
-
|
||||
- while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
|
||||
- vlsm=/$x
|
||||
- x=$(( $x - 1 ))
|
||||
- z=$y
|
||||
- y=$(( $y * 2 ))
|
||||
- done
|
||||
-
|
||||
- echo $(encodeaddr $first)$vlsm
|
||||
- first=$(($first + $z))
|
||||
- done
|
||||
-}
|
||||
-
|
||||
-ip_range_explicit() {
|
||||
- local first last
|
||||
-
|
||||
- case $1 in
|
||||
- [0-9]*.*.*.*-*.*.*.*)
|
||||
- ;;
|
||||
- *)
|
||||
- echo $1
|
||||
- return
|
||||
- ;;
|
||||
- esac
|
||||
-
|
||||
- first=$(decodeaddr ${1%-*})
|
||||
- last=$(decodeaddr ${1#*-})
|
||||
-
|
||||
- if [ $first -gt $last ]; then
|
||||
- fatal_error "Invalid IP address range: $1"
|
||||
- fi
|
||||
-
|
||||
- while [ $first -le $last ]; do
|
||||
- echo $(encodeaddr $first)
|
||||
- first=$(($first + 1))
|
||||
- done
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Netmask from CIDR
|
||||
#
|
||||
ip_netmask() {
|
||||
@@ -588,60 +368,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Netmask to VLSM
|
||||
-#
|
||||
-ip_vlsm() {
|
||||
- local mask=$(decodeaddr $1)
|
||||
- local vlsm=0
|
||||
- local x=$(( 128 << 24 )) # 0x80000000
|
||||
-
|
||||
- while [ $(( $x & $mask )) -ne 0 ]; do
|
||||
- [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
|
||||
- vlsm=$(($vlsm + 1))
|
||||
- done
|
||||
-
|
||||
- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
|
||||
- echo "Invalid net mask: $1" >&2
|
||||
- else
|
||||
- echo $vlsm
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-
|
||||
-#
|
||||
-# Chain name base for an interface -- replace all periods with underscores in the passed name.
|
||||
-# The result is echoed (less trailing "+").
|
||||
-#
|
||||
-chain_base() #$1 = interface
|
||||
-{
|
||||
- local c=${1%%+}
|
||||
-
|
||||
- while true; do
|
||||
- case $c in
|
||||
- @*)
|
||||
- c=at_${c#@}
|
||||
- ;;
|
||||
- *.*)
|
||||
- c="${c%.*}_${c##*.}"
|
||||
- ;;
|
||||
- *-*)
|
||||
- c="${c%-*}_${c##*-}"
|
||||
- ;;
|
||||
- *%*)
|
||||
- c="${c%\%*}_${c##*%}"
|
||||
- ;;
|
||||
- *@*)
|
||||
- c="${c%@*}_${c##*@}"
|
||||
- ;;
|
||||
- *)
|
||||
- echo ${c:=common}
|
||||
- return
|
||||
- ;;
|
||||
- esac
|
||||
- done
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Query NetFilter about the existence of a filter chain
|
||||
#
|
||||
chain_exists() # $1 = chain name
|
||||
@@ -879,21 +605,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Set default config path
|
||||
-#
|
||||
-ensure_config_path() {
|
||||
- local F=${SHAREDIR}/configpath
|
||||
- if [ -z "$CONFIG_PATH" ]; then
|
||||
- [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
|
||||
- . $F
|
||||
- fi
|
||||
-
|
||||
- if [ -n "$SHOREWALL_DIR" ]; then
|
||||
- [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
|
||||
#
|
||||
find_file()
|
||||
@@ -918,54 +629,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Get fully-qualified name of file
|
||||
-#
|
||||
-resolve_file() # $1 = file name
|
||||
-{
|
||||
- local pwd=$PWD
|
||||
-
|
||||
- case $1 in
|
||||
- /*)
|
||||
- echo $1
|
||||
- ;;
|
||||
- .)
|
||||
- echo $pwd
|
||||
- ;;
|
||||
- ./*)
|
||||
- echo ${pwd}${1#.}
|
||||
- ;;
|
||||
- ..)
|
||||
- cd ..
|
||||
- echo $PWD
|
||||
- cd $pwd
|
||||
- ;;
|
||||
- ../*)
|
||||
- cd ..
|
||||
- resolve_file ${1#../}
|
||||
- cd $pwd
|
||||
- ;;
|
||||
- *)
|
||||
- echo $pwd/$1
|
||||
- ;;
|
||||
- esac
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# Perform variable substitution on the passed argument and echo the result
|
||||
-#
|
||||
-expand() # $@ = contents of variable which may be the name of another variable
|
||||
-{
|
||||
- eval echo \"$@\"
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# Function for including one file into another
|
||||
-#
|
||||
-INCLUDE() {
|
||||
- . $(find_file $(expand $@))
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Set the Shorewall state
|
||||
#
|
||||
set_state () # $1 = state
|
||||
@@ -974,200 +637,6 @@
|
||||
}
|
||||
|
||||
#
|
||||
-# Determine which optional facilities are supported by iptables/netfilter
|
||||
-#
|
||||
-determine_capabilities() {
|
||||
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
-
|
||||
- CONNTRACK_MATCH=
|
||||
- MULTIPORT=
|
||||
- XMULTIPORT=
|
||||
- POLICY_MATCH=
|
||||
- PHYSDEV_MATCH=
|
||||
- IPRANGE_MATCH=
|
||||
- RECENT_MATCH=
|
||||
- OWNER_MATCH=
|
||||
- IPSET_MATCH=
|
||||
- CONNMARK=
|
||||
- XCONNMARK=
|
||||
- CONNMARK_MATCH=
|
||||
- XCONNMARK_MATCH=
|
||||
- RAW_TABLE=
|
||||
- IPP2P_MATCH=
|
||||
- LENGTH_MATCH=
|
||||
- CLASSIFY_TARGET=
|
||||
- ENHANCED_REJECT=
|
||||
- USEPKTTYPE=
|
||||
- KLUDGEFREE=
|
||||
- MARK=
|
||||
- XMARK=
|
||||
- MANGLE_FORWARD=
|
||||
- COMMENTS=
|
||||
- ADDRTYPE=
|
||||
- TCPMSS_MATCH=
|
||||
-
|
||||
- qt $IPTABLES -N fooX1234
|
||||
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
-
|
||||
- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
|
||||
- PHYSDEV_MATCH=Yes
|
||||
- fi
|
||||
-
|
||||
- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
|
||||
- IPRANGE_MATCH=Yes
|
||||
- if [ -z "${KLUDGEFREE}" ]; then
|
||||
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
|
||||
- fi
|
||||
- fi
|
||||
-
|
||||
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||
-
|
||||
- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
|
||||
- CONNMARK_MATCH=Yes
|
||||
- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
|
||||
- fi
|
||||
-
|
||||
- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
|
||||
- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||
- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
||||
-
|
||||
- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
|
||||
-
|
||||
- if [ -n "$MANGLE_ENABLED" ]; then
|
||||
- qt $IPTABLES -t mangle -N fooX1234
|
||||
-
|
||||
- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
|
||||
- MARK=Yes
|
||||
- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
|
||||
- fi
|
||||
-
|
||||
- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
|
||||
- CONNMARK=Yes
|
||||
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
|
||||
- fi
|
||||
-
|
||||
- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
|
||||
- qt $IPTABLES -t mangle -F fooX1234
|
||||
- qt $IPTABLES -t mangle -X fooX1234
|
||||
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
|
||||
- fi
|
||||
-
|
||||
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
|
||||
-
|
||||
- if qt mywhich ipset; then
|
||||
- qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||
-
|
||||
- if qt ipset -N fooX1234 iphash ; then
|
||||
- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
|
||||
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
|
||||
- IPSET_MATCH=Yes
|
||||
- fi
|
||||
- qt ipset -X fooX1234
|
||||
- fi
|
||||
- fi
|
||||
-
|
||||
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||
- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||
- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||
-
|
||||
- qt $IPTABLES -F fooX1234
|
||||
- qt $IPTABLES -X fooX1234
|
||||
-
|
||||
- CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
-}
|
||||
-
|
||||
-report_capabilities() {
|
||||
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
- {
|
||||
- local setting=
|
||||
-
|
||||
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
-
|
||||
- echo " " $1: $setting
|
||||
- }
|
||||
-
|
||||
- if [ $VERBOSE -gt 1 ]; then
|
||||
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
- report_capability "NAT" $NAT_ENABLED
|
||||
- report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
- report_capability "Multi-port Match" $MULTIPORT
|
||||
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
- report_capability "Packet Type Match" $USEPKTTYPE
|
||||
- report_capability "Policy Match" $POLICY_MATCH
|
||||
- report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
- report_capability "Packet length Match" $LENGTH_MATCH
|
||||
- report_capability "IP range Match" $IPRANGE_MATCH
|
||||
- report_capability "Recent Match" $RECENT_MATCH
|
||||
- report_capability "Owner Match" $OWNER_MATCH
|
||||
- report_capability "Ipset Match" $IPSET_MATCH
|
||||
- report_capability "CONNMARK Target" $CONNMARK
|
||||
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||
- report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
- report_capability "Raw Table" $RAW_TABLE
|
||||
- report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
- report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||
- report_capability "Repeat match" $KLUDGEFREE
|
||||
- report_capability "MARK Target" $MARK
|
||||
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
|
||||
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
|
||||
- report_capability "Comments" $COMMENTS
|
||||
- report_capability "Address Type Match" $ADDRTYPE
|
||||
- report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||
- fi
|
||||
-
|
||||
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
-
|
||||
-}
|
||||
-
|
||||
-report_capabilities1() {
|
||||
- report_capability1() # $1 = Capability
|
||||
- {
|
||||
- eval echo $1=\$$1
|
||||
- }
|
||||
-
|
||||
- echo "#"
|
||||
- echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
|
||||
- echo "#"
|
||||
- report_capability1 NAT_ENABLED
|
||||
- report_capability1 MANGLE_ENABLED
|
||||
- report_capability1 MULTIPORT
|
||||
- report_capability1 XMULTIPORT
|
||||
- report_capability1 CONNTRACK_MATCH
|
||||
- report_capability1 USEPKTTYPE
|
||||
- report_capability1 POLICY_MATCH
|
||||
- report_capability1 PHYSDEV_MATCH
|
||||
- report_capability1 LENGTH_MATCH
|
||||
- report_capability1 IPRANGE_MATCH
|
||||
- report_capability1 RECENT_MATCH
|
||||
- report_capability1 OWNER_MATCH
|
||||
- report_capability1 IPSET_MATCH
|
||||
- report_capability1 CONNMARK
|
||||
- report_capability1 XCONNMARK
|
||||
- report_capability1 CONNMARK_MATCH
|
||||
- report_capability1 XCONNMARK_MATCH
|
||||
- report_capability1 RAW_TABLE
|
||||
- report_capability1 IPP2P_MATCH
|
||||
- report_capability1 CLASSIFY_TARGET
|
||||
- report_capability1 ENHANCED_REJECT
|
||||
- report_capability1 KLUDGEFREE
|
||||
- report_capability1 MARK
|
||||
- report_capability1 XMARK
|
||||
- report_capability1 MANGLE_FORWARD
|
||||
- report_capability1 COMMENTS
|
||||
- report_capability1 ADDRTYPE
|
||||
-
|
||||
- echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
-}
|
||||
-
|
||||
-#
|
||||
# Delete IP address
|
||||
#
|
||||
del_ip_addr() # $1 = address, $2 = interface
|
||||
@@ -1286,82 +755,6 @@
|
||||
cut -b -${1}
|
||||
}
|
||||
|
||||
-#
|
||||
-# Add a logging rule.
|
||||
-#
|
||||
-do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
|
||||
-{
|
||||
- local level=$1
|
||||
- local chain=$2
|
||||
- local displayChain=$3
|
||||
- local disposition=$4
|
||||
- local rulenum=
|
||||
- local limit=
|
||||
- local tag=
|
||||
- local command=
|
||||
- local prefix
|
||||
- local base=$(chain_base $displayChain)
|
||||
- local pf
|
||||
-
|
||||
- limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
|
||||
- tag=${6:+$6 }
|
||||
- command=${7:--A}
|
||||
-
|
||||
- shift 7
|
||||
-
|
||||
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
|
||||
- displayChain=$tag
|
||||
- tag=
|
||||
- fi
|
||||
-
|
||||
- if [ -n "$LOGRULENUMBERS" ]; then
|
||||
- #
|
||||
- # Hack for broken printf on some lightweight shells
|
||||
- #
|
||||
- [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf)
|
||||
-
|
||||
- eval rulenum=\$${base}_logrules
|
||||
-
|
||||
- rulenum=${rulenum:-1}
|
||||
-
|
||||
- prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
|
||||
-
|
||||
- rulenum=$(($rulenum + 1))
|
||||
- eval ${base}_logrules=$rulenum
|
||||
- else
|
||||
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
|
||||
- fi
|
||||
-
|
||||
- if [ ${#prefix} -gt 29 ]; then
|
||||
- prefix=`echo "$prefix" | truncate 29`
|
||||
- error_message "WARNING: Log Prefix shortened to \"$prefix\""
|
||||
- fi
|
||||
-
|
||||
- case $level in
|
||||
- ULOG)
|
||||
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
- ;;
|
||||
- *)
|
||||
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
- ;;
|
||||
- esac
|
||||
-
|
||||
- if [ $? -ne 0 ] ; then
|
||||
- [ -z "$STOPPING" ] && { stop_firewall; exit 2; }
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
|
||||
-{
|
||||
- local level=$1
|
||||
- local chain=$2
|
||||
- local disposition=$3
|
||||
-
|
||||
- shift 3
|
||||
-
|
||||
- do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
|
||||
-}
|
||||
-
|
||||
delete_tc1()
|
||||
{
|
||||
clear_one_tc() {
|
||||
@@ -1496,65 +889,6 @@
|
||||
|
||||
echo echo
|
||||
}
|
||||
-
|
||||
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
|
||||
-#
|
||||
-# None - No mktemp
|
||||
-# BSD - BSD mktemp (Mandrake)
|
||||
-# STD - mktemp.org mktemp
|
||||
-#
|
||||
-find_mktemp() {
|
||||
- local mktemp=`mywhich mktemp 2> /dev/null`
|
||||
-
|
||||
- if [ -n "$mktemp" ]; then
|
||||
- if qt mktemp -V ; then
|
||||
- MKTEMP=STD
|
||||
- else
|
||||
- MKTEMP=BSD
|
||||
- fi
|
||||
- else
|
||||
- MKTEMP=None
|
||||
- fi
|
||||
-}
|
||||
-
|
||||
-#
|
||||
-# create a temporary file. If a directory name is passed, the file will be created in
|
||||
-# that directory. Otherwise, it will be created in a temporary directory.
|
||||
-#
|
||||
-mktempfile() {
|
||||
-
|
||||
- [ -z "$MKTEMP" ] && find_mktemp
|
||||
-
|
||||
- if [ $# -gt 0 ]; then
|
||||
- case "$MKTEMP" in
|
||||
- BSD)
|
||||
- mktemp $1/shorewall.XXXXXX
|
||||
- ;;
|
||||
- STD)
|
||||
- mktemp -p $1 shorewall.XXXXXX
|
||||
- ;;
|
||||
- None)
|
||||
- > $1/shorewall-$$ && echo $1/shorewall-$$
|
||||
- ;;
|
||||
- *)
|
||||
- error_message "ERROR:Internal error in mktempfile"
|
||||
- ;;
|
||||
- esac
|
||||
- else
|
||||
- case "$MKTEMP" in
|
||||
- BSD)
|
||||
- mktemp /tmp/shorewall.XXXXXX
|
||||
- ;;
|
||||
- STD)
|
||||
- mktemp -t shorewall.XXXXXX
|
||||
- ;;
|
||||
- None)
|
||||
- rm -f /tmp/shorewall-$$
|
||||
- > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
- ;;
|
||||
- *)
|
||||
- error_message "ERROR:Internal error in mktempfile"
|
||||
- ;;
|
||||
- esac
|
||||
- fi
|
||||
-}
|
||||
+################################################################################
|
||||
+# End of functions imported from /usr/share/shorewall/lib.base
|
||||
+################################################################################
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.3
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -6,11 +6,9 @@ delete_proxyarp() {
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
done < ${VARDIR}/proxyarp
|
||||
|
||||
for f in /proc/sys/net/ipv4/conf/*; do
|
||||
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
|
||||
done
|
||||
fi
|
||||
|
||||
rm -f ${VARDIR}/proxyarp
|
||||
|
@ -636,6 +636,21 @@ set_state () # $1 = state
|
||||
echo "$1 ($(date))" > ${VARDIR}/state
|
||||
}
|
||||
|
||||
#
|
||||
# Perform variable substitution on the passed argument and echo the result
|
||||
#
|
||||
expand() # $@ = contents of variable which may be the name of another variable
|
||||
{
|
||||
eval echo \"$@\"
|
||||
}
|
||||
|
||||
#
|
||||
# Function for including one file into another
|
||||
#
|
||||
INCLUDE() {
|
||||
. $(find_file $(expand $@))
|
||||
}
|
||||
|
||||
#
|
||||
# Delete IP address
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-perl
|
||||
%define version 4.0.3
|
||||
%define version 4.0.4
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall Perl-based compiler.
|
||||
@ -72,6 +72,8 @@ fi
|
||||
%doc COPYING releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.3-1
|
||||
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -1 +1 @@
|
||||
This is the Shorewall-shell Development 4.1 branch of SVN.
|
||||
This is the Shorewall-shell Stable 4.0 branch of SVN.
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.3
|
||||
VERSION=4.0.4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-shell
|
||||
%define version 4.0.3
|
||||
%define version 4.0.4
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -81,6 +81,8 @@ fi
|
||||
%doc COPYING INSTALL
|
||||
|
||||
%changelog
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.3-1
|
||||
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
|
||||
|
Loading…
Reference in New Issue
Block a user