diff --git a/Shorewall-common/README.txt b/Shorewall-common/README.txt index ad417c474..cf2cb4fbc 100644 --- a/Shorewall-common/README.txt +++ b/Shorewall-common/README.txt @@ -1 +1 @@ -This is the Shorewall-common Development 4.1 branch of SVN. +This is the Shorewall-common Stable 4.0 branch of SVN. diff --git a/Shorewall-common/action.Drop b/Shorewall-common/action.Drop index 8cc92a6b8..770d0cedf 100644 --- a/Shorewall-common/action.Drop +++ b/Shorewall-common/action.Drop @@ -32,7 +32,7 @@ dropBcast # AllowICMPs - - icmp # -# Drop packets that in the INVALID state -- these are usually ICMP packets +# Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log. # dropInvalid diff --git a/Shorewall-common/action.Reject b/Shorewall-common/action.Reject index af66b9a40..9d0b0029c 100644 --- a/Shorewall-common/action.Reject +++ b/Shorewall-common/action.Reject @@ -16,7 +16,7 @@ ############################################################################### #TARGET SOURCE DEST PROTO # -# Don't log 'auth' REJECT +# Don't log 'auth' -- REJECT # Auth/REJECT # @@ -29,13 +29,13 @@ dropBcast # AllowICMPs - - icmp # -# Drop packets that in the INVALID state -- these are usually ICMP packets +# Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be # rejected). # dropInvalid # -# Reject Microsoft noise so that it doesn't clutter up the lot. +# Reject Microsoft noise so that it doesn't clutter up the log. # SMB/REJECT DropUPnP diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 9e79832ce..de474b74f 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt 
@@ -1,3 +1,105 @@ +Changes in 4.0.4 + +1) Fix 'refresh' with light-weight shells. + +2) Various fixes for proxyarp. + +3) Fix 'refresh' run-time error. + +4) Cleaner behavior if module-init-tools not installed. + +5) Fix [re-]initialization problems in Shorewall::Tc. + +6) Make compile-time check for iptables-restore. + +Changes in 4.0.3 + +1) Streamline the checking for builtin chains in the accounting file. + +2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't + writable. + +3) Allow Shorewall-perl compiler and libraries to be installed + anywhere. + +4) Add KEEP_RT_TABLES option. + +5) Other provider changes. + +6) Fix LOG target in Shorewall-shell. + +7) Faster log processing. + +8) Tweak handling of CLASSID in process_tc_rule(). + +9) Restore 3.4 'stop/clear/reset' behavior and make new behavior + optional. + +10) Add act_police to modules file. + +11) Add 'mss' interface option. + +12) Add TCPMSS_MATCH to show capabilities -f. + +13) Insure a space between log prefix and IN=. + +14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy + +15) Add hashlimit match detection. + +16) Fix 'add' and 'delete' when interface name contains special char. + +17) Fix PREROUTING track fiasco. + +18) Add NFQUEUE support. + +19) Allow refresh of chains other than 'blacklst'. + +20) Allow INCLUDE in run-time extension scripts. + +21) Fix zone sort. + +Changes in 4.0.2 + +1) Another ECN fix in Shorewall-perl. + +2) Make 'state match' detection in Shorewall-perl quiet. + +3) Detect port range in list without XMULTIPORT. + +4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli. + +5) Don't detect routed networks and interfaces addresses during + 'restore'. + +6) Upcase some global variables in the generated script. + +7) Remove some 'chain_base' mapping. + +8) Eliminate a couple of global variables in the Chains module. + +9) Cosmetic change to generated script. + +10) Allow tc configuration on bridge ports. 
+ +11) Fix add/delete problem when Shorewall-shell is not installed. + +12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during + 'refresh'. + +13) Correct some error messages. + +14) Correct calculations involving number of keys in a hash. + +15) Load xt_multiport. + +16) Apply Günter Niedermeier's patch for multiport. + +17) Honor the BROADCAST column when address type match is not + available. + +18) Fix accounting. + Changes in 4.0.1 1) Add EXPAND_POLICIES. diff --git a/Shorewall-common/ecn b/Shorewall-common/ecn index 70ff009a2..c01683c68 100644 --- a/Shorewall-common/ecn +++ b/Shorewall-common/ecn @@ -3,7 +3,8 @@ # # For information about entries in this file, type "man shorewall-ecn" # -# For additional information, see http://shorewall.net/Documentation.htm#ECN +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-ecn.html # ############################################################################### #INTERFACE HOST(S) diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index 3e0347ec5..f340c26e0 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.3 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-common/firewall b/Shorewall-common/firewall index b76b28722..892737b02 100755 --- a/Shorewall-common/firewall +++ b/Shorewall-common/firewall 
@@ -422,49 +422,14 @@ clear_firewall() { delete_proxy_arp() { if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do - case $COMMAND in - stop|clear) - qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface - ;; - *) - if [ -n "$STOPPING" ]; then - qt arp -i $external -d $address pub - qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface - else - qt arp -i $external -d $address pub - if [ -z "$haveroute" ];then - [ -n "$NOROUTE" ] || qt ip route del $address dev $interface - fi - fi - ;; - esac + qt arp -i $external -d $address pub + [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + interface=/proc/sys/net/ipv4/conf/$interface + [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp done < ${VARDIR}/proxyarp - - rm -f ${VARDIR}/proxyarp fi - [ -d ${VARDIR} ] && touch ${VARDIR}/proxyarp - - case $COMMAND in - stop|clear) - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done - ;; - *) - if [ -n "$STOPPING" ]; then - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done - else - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done - fi - ;; - esac + rm -f ${VARDIR}/proxyarp } # diff --git a/Shorewall-common/hosts b/Shorewall-common/hosts index 12bb525f9..d68a030cf 100644 --- a/Shorewall-common/hosts +++ b/Shorewall-common/hosts @@ -3,7 +3,8 @@ # # For information about entries in this file, type "man shorewall-hosts" # -# For additional information, see http://shorewall.net/Documentation.htm#Hosts +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-hosts.html # ############################################################################### #ZONE HOST(S) OPTIONS 
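Review bot: The new `[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp` line in delete_proxy_arp() tests a file named `proxyarp` but writes to `proxy_arp`; the per-interface file under /proc/sys/net/ipv4/conf/ is `proxy_arp` (the removed loops used `$f/proxy_arp`), so the test never succeeds and the flag is never cleared on stop/clear, leaving the host answering ARP for the published addresses after the firewall is down. The line should read `[ -f $interface/proxy_arp ] && echo 0 > $interface/proxy_arp`. Reusing `$interface` to hold the /proc path once the route has been deleted also reads awkwardly; a separate name such as `conf=/proc/sys/net/ipv4/conf/$interface` would make the loop clearer. delete_proxy_arp() is shown in full in this hunk.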
diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 9da7b3a94..62005fb02 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.3 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-common/interfaces b/Shorewall-common/interfaces index 2bc909bbe..af555d44f 100644 --- a/Shorewall-common/interfaces +++ b/Shorewall-common/interfaces @@ -3,8 +3,8 @@ # # For information about entries in this file, type "man shorewall-interfaces" # -# For additional information, see -# http://shorewall.net/Documentation.htm#Interfaces +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS diff --git a/Shorewall-common/masq b/Shorewall-common/masq index f30e85bf6..9b4f38dd1 100644 --- a/Shorewall-common/masq +++ b/Shorewall-common/masq @@ -3,7 +3,8 @@ # # For information about entries in this file, type "man shorewall-masq" # -# For additional information, see http://shorewall.net/Documentation.htm#Masq +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-masq.html # ############################################################################### #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK diff --git a/Shorewall-common/modules b/Shorewall-common/modules index 8abd2afb4..2e29232cb 100644 --- a/Shorewall-common/modules +++ b/Shorewall-common/modules @@ -9,8 +9,8 @@ # dependency order. i.e., if M2 depends on M1 then you must load M1 # before you load M2. # -# For additional information, see -# http://shorewall.net/Documentation.htm#modules +# If you need to modify this file, copy it to /etc/shorewall and modify the +# copy. # ############################################################################### # 
diff --git a/Shorewall-common/policy b/Shorewall-common/policy index 8330cf7a3..a58443d48 100644 --- a/Shorewall-common/policy +++ b/Shorewall-common/policy @@ -3,7 +3,8 @@ # # For information about entries in this file, type "man shorewall-policy" # -# See http://shorewall.net/Documentation.htm#Policy for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 6a79730a2..1917ffc4d 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,6 +1,6 @@ -Shorewall 4.0.1 +Shorewall 4.0 Patch release 4 ---------------------------------------------------------------------------- - R E L E A S E H I G H L I G H T S + R E L E A S E 4 . 0 H I G H L I G H T S ---------------------------------------------------------------------------- 1) This is the first Shorewall release that fully integrates the new Shorewall-perl compiler. See the "New Features" section below. 
@@ -25,106 +25,47 @@ Shorewall 4.0.1 Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems corrected in 4.0.1. +Problems Corrected in Shorewall 4.0.4 -1) The Shorewall Lite installer was producing an empty shorewall-lite - manpage. Since the installer runs as part of creating the RPM, the - RPM also suffered from this problem. The 4.0.0 Shorewall-lite - packages were re-uploaded with this problem corrected. +1) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the 'start' and 'restart' command fail: -2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall - rather than /sbin/shorewall-lite. + ERROR: No filter chain found with name blacklst -3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall - clear" if Shorewall [Lite] was running. Now, the Shorewall Lite - uninstaller correctly does "shorewall-lite clear" and both - uninstallers only perform the 'clear' operation if the other - product is not installed. This prevents the removal of one of the - two products from clearing the firewall configuration established - by the other one. + New Shorewall-perl 4.0.3 packages were released that corrected this + problem; it is included here for completeness. -4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by - Shorewall-perl. If the zone type was changed to 'ipsec' or - 'ipsec4' and the 'ipsec' option removed from the hosts file entry, - the configuration worked properly. +2) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the generated script would issue this harmless + message during 'shorewall refresh': -5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then - Shorewall-perl produced the following: + chainlist_reload: Not found - Compiling... - Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. 
- ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) +3) If /bin/sh was a light-weight shell such as ash or dash, then + 'shorewall refresh' failed. -6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was - locating the binary using the PATH environmental variable rather - than the PATH setting in shorewall.conf. If no PATH was available - when Shorewall-perl was run and IPTABLES was not set in - shorewall.conf, the following messages were issued: +4) During start/restart, the script generated by Shorewall-perl is + clearing the proxy_arp flag on all interfaces; that is not the + documented behavior. - Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. - ERROR: Can't find iptables executable - ERROR: Shorewall restart failed +5) If the module-init-tools package was not installed and + /etc/shorewall/modules did not exist or was non-empty, then + Shorewall-perl would fail with the message: -7) If the "Mangle FORWARD Chain" capability was supported, entries in - the /etc/shorewall/ecn file would cause invalid iptables commands - to be generated. This problem occurred with both compilers. + ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) -8) Shorewall now starts at reboot after an upgrade from shorewall < - 4.0.0. Previously, Shorewall was not started automatically at - reboot after an upgrade using the RPM. +6) Shorewall-perl now makes a compile-time check to insure that + iptables-restore exists and is executable. This check is made when + the compiler is being run by root and the -e option is not + given. -9) Shorewall-perl was generating invalid iptables-restore input when a - log level was specified with the dropBcast and allowBcast builtin - actions and when a log level followed by '!' was used with any - builtin actions. 
+ Note that iptables-restore must reside in the same directory as the + iptables executable specified by IPTABLES in shorewall.conf or + located by the PATH in the event that IPTABLES is not specified. -10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of - time in rate-limiting specifications. +Other Changes in Shorewall 4.0.4 -11) Certain errors occurring during - start/restart/safe-start/safe-restart/try processing could cause - the lockfile to be left behind. This resulted in a 60-second delay - the next time one of these commands was run. - -Other changes in Shorewall 4.0.1. - -1) A new EXPAND_POLICIES option is added to shorewall.conf. The - option is recognized by Shorewall-perl and is ignored by - Shorewall-shell. - - Normally, when the SOURCE or DEST columns in shorewall-policy(5) - contains 'all', a single policy chain is created and the policy is - enforced in that chain. For example, if the policy entry is - - #SOURCE DEST POLICY LOG - # LEVEL - net all DROP info - - then the chain name is 'net2all' which is also the chain named in - Shorewall log messages generated as a result of the policy. If - EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate - chain for each pair of zones covered by the policy. This makes the - resulting log messages easier to interpret since the chain in the - messages will have a name of the form 'a2b' where 'a' is the SOURCE - zone and 'b' is the DEST zone. See - http://linuxman.wikispaces.com/PPPPPPS for more information. - -2) The Shorewall-perl dependency on the "Address Type Match" - capability has been relaxed. This allows Shorewall 4.0.1 to be used - on releases like RHEL4 that don't support that capability. - -3) Shorewall-perl now detects dead policy file entries that result - when an entry is masked by an earlier entry. 
Example: - - all all REJECT info - loc net ACCEPT - -4) Recent kernels are apparently hard to configure and we have been - seeing a lot of problem reports where the root cause is the lack of - state match support in the kernel. This problem is difficult to - diagnose when using Shorewall-perl so the generated shell program - now checks specifically for this problem and terminates with an - error if the capability doesn't exist. +None. Migration Considerations: @@ -712,6 +653,7 @@ Migration Considerations: - Perl File::Basename Module - Perl File::Temp Module - Perl Getopt::Long Module + - Perl FindBin Module ------------------------------------------------------------------------ U S I N G T H E N E W C O M P I L E R ------------------------------------------------------------------------ @@ -871,6 +813,12 @@ Migration Considerations: supplimented with a stack trace. Requires the Carp Perl module. + --refresh= + + If given, the compiled script's 'refresh' command will refresh + the chains in the comma-separated rather than + 'blacklst'. + Example (compiles the configuration in the current directory generating a script named 'firewall' and using VERBOSITY 2). @@ -893,7 +841,7 @@ Migration Considerations: use lib '/usr/share/shorewall-perl'; use Shorewall::Compiler; - compiler $filename, $directory, $verbose, $options + compiler $filename, $directory, $verbose, $options $chains The arguments to the compiler function are as follows: @@ -913,6 +861,10 @@ Migration Considerations: EXPORT = 0x01 TIMESTAMP = 0x02 + $chains - A comma-separated list of chains that the + generated script's 'refresh' command will + reload. + The compiler raises an exception with 'die' if it encounters an error; $@ contains the 'ERROR' messages describing the problem. 
@@ -988,3 +940,400 @@ Migration Considerations: To use this feature with Shorewall-lite, all packages involved (compiler, shorewall-common and shorewall-lite) must be version 4.0.0-RC2 or later. + +Problems corrected in 4.0.1. + +1) The Shorewall Lite installer was producing an empty shorewall-lite + manpage. Since the installer runs as part of creating the RPM, the + RPM also suffered from this problem. The 4.0.0 Shorewall-lite + packages were re-uploaded with this problem corrected. + +2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall + rather than /sbin/shorewall-lite. + +3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall + clear" if Shorewall [Lite] was running. Now, the Shorewall Lite + uninstaller correctly does "shorewall-lite clear" and both + uninstallers only perform the 'clear' operation if the other + product is not installed. This prevents the removal of one of the + two products from clearing the firewall configuration established + by the other one. + +4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by + Shorewall-perl. If the zone type was changed to 'ipsec' or + 'ipsec4' and the 'ipsec' option removed from the hosts file entry, + the configuration worked properly. + +5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then + Shorewall-perl produced the following: + + Compiling... + Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. + ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) + +6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was + locating the binary using the PATH environmental variable rather + than the PATH setting in shorewall.conf. 
If no PATH was available + when Shorewall-perl was run and IPTABLES was not set in + shorewall.conf, the following messages were issued: + + Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. + ERROR: Can't find iptables executable + ERROR: Shorewall restart failed + +7) If the "Mangle FORWARD Chain" capability was supported, entries in + the /etc/shorewall/ecn file would cause invalid iptables commands + to be generated. This problem occurred with both compilers. + +8) Shorewall now starts at reboot after an upgrade from shorewall < + 4.0.0. Previously, Shorewall was not started automatically at + reboot after an upgrade using the RPM. + +9) Shorewall-perl was generating invalid iptables-restore input when a + log level was specified with the dropBcast and allowBcast builtin + actions and when a log level followed by '!' was used with any + builtin actions. + +10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of + time in rate-limiting specifications. + +11) Certain errors occurring during + start/restart/safe-start/safe-restart/try processing could cause + the lockfile to be left behind. This resulted in a 60-second delay + the next time one of these commands was run. + +Other changes in Shorewall 4.0.1. + +1) A new EXPAND_POLICIES option is added to shorewall.conf. The + option is recognized by Shorewall-perl and is ignored by + Shorewall-shell. + + Normally, when the SOURCE or DEST columns in shorewall-policy(5) + contains 'all', a single policy chain is created and the policy is + enforced in that chain. For example, if the policy entry is + + #SOURCE DEST POLICY LOG + # LEVEL + net all DROP info + + then the chain name is 'net2all' which is also the chain named in + Shorewall log messages generated as a result of the policy. If + EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate + chain for each pair of zones covered by the policy. 
This makes the + resulting log messages easier to interpret since the chain in the + messages will have a name of the form 'a2b' where 'a' is the SOURCE + zone and 'b' is the DEST zone. See + http://linuxman.wikispaces.com/PPPPPPS for more information. + +2) The Shorewall-perl dependency on the "Address Type Match" + capability has been relaxed. This allows Shorewall 4.0.1 to be used + on releases like RHEL4 that don't support that capability. + +3) Shorewall-perl now detects dead policy file entries that result + when an entry is masked by an earlier entry. Example: + + all all REJECT info + loc net ACCEPT + +4) Recent kernels are apparently hard to configure and we have been + seeing a lot of problem reports where the root cause is the lack of + state match support in the kernel. This problem is difficult to + diagnose when using Shorewall-perl so the generated shell program + now checks specifically for this problem and terminates with an + error if the capability doesn't exist. + +Problems corrected in 4.0.2 + +1) The Shorewall-perl compiler was still generating invalid + iptables-restore input from entries in /etc/shorewall/ecn. + +2) When using Shorewall-perl, unless an interface was specified as + 'optional' in the interfaces file, the 'restore' command would + fail if the routes through the interface or the addresses on the + interface could not be detected. + + Route detection occurs when the interface is named in the SOURCE + column of the masq file. Address detection occurs when + DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT + or REDIRECT rule or when 'maclist' is specified for the interface. + + Since the 'restore' command doesn't use the detected information, + detection is now skipped if the command is 'restore'. + +3) It was not previously possible to define traffic shaping on a + bridge port; the generated script complained that the + interface was not up and configured. 
+ +4) When Shorewall-shell was not installed, certain options in + /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the + 'add' and 'delete' commands to fail with a missing library error. + + OPTION FILE + maclist interfaces,hosts + proxyarp interfaces + +5) The /var/lib/shorewall/zones file was being overwritten during + processing of the 'refresh' command by a script generated with + Shorewall-perl. The result was that hosts previously added to + dynamic zones could not be deleted after the 'refresh'. + +6) If the file named as the output file in a Shorewall-perl 'compile' + command was a symbolic link, the generated error message + erroneously stated that the file's parent directory was a symbolic + link. + + As part of this change, cosmetic changes were made to a number of + other error messages. + +7) Some intra-zone rules were missing when a zone involved multiple + interfaces or when a zone included both IPSEC and non-IPSEC + networks. + +8) Shorewall was not previously loading the xt_multiport kernel + module. + +9) The Russian and French translations no longer have English headings + on notes, cautions, etc.. + +10) Previously, using a port list in the DEST PORT(S) column of the + rules file or in an action file could cause an invalid iptables + command to be generated by Shorewall-shell. + +11) If there were no bridges in a configuration, Shorewall-perl would + ignore the CHAIN column in /etc/shorewall/accounting. + +Other changes in 4.0.2 + +1) Shorewall-perl now detects when a port range is included in a list + of ports and iptables/kernel support for Extended Multi-port Match + is not available. This avoids an iptables-restore failure at + run-time. + +2) Most chains created by Shorewall-shell have names that can be + embedded within shell variable names. This is a workaround for + limitations in the shell programming language which has no + equivalent to Perl hashes. 
Often chain names must have the name of + a network interface encoded in them. Given that interface names can + contain characters that are invalid in a shell variable name, + Shorewall-shell performs a name mapping which was carried forward to + Shorewall-perl: + + - Trailing '+' is dropped. + - The characters ".", "-", "%' and "@" are translated to "_". + + This mapping has been elminated in the 4.0.2 release of Shorewall- + perl. So where before you would see chain "eth0_0_in", you may now + see the same chain named "eth0.0_in". Similarly, a chain previously + named "ppp_fwd" may now be called "ppp+_fwd". + +3) Shorewall-perl now uses the contents of the BROADCAST column in + /etc/shorewall/interfaces when the Address Type match capability is + not available. + +Problems Corrected in 4.0.3 + +1) Using the LOG target in the rules file could result in two LOG + rules being generated by Shorewall-shell. Additionally, using an IP + address range in a rule that performed logging could result in an + invalid iptables command. + +2) Shorewall now loads the act_police kernel module needed by traffic + shaping. + +3) Previously, "shorewall show -f capabilities" and "shorecap" omitted + the "TCPMSS Match" capability. This made it appear to a compiler + using a capabilities file that the TCPMSS Match capability was not + available. + +4) Previously, Shorewall would truncate long log prefixes to 29 + characters. This resulted in there being no space between the log + prefix and the IN= part of the message. + + Example: fw2net:LOG:HTTPSoutIN= OUT=eth0 + + Beginning with this release, Shorewall will truncate the prefix to + 28 bytes and add a trailing space. + + Example: fw2net:LOG:HTTPSou IN= OUT=eth0 + +5) Previously, if: + + - FASTACCEPT=No + - The policy from Z1 to Z2 was CONTINUE + - Neither Z1 nor Z2 had parent zones + - There were no Z1->Z2 rules + + then connections from Z2->Z1 would fail even if there were + rules/policies allowing them. This has been + corrected. 
+ +6) The 'shorewall add' and 'shorewall delete' command would fail when: + + - The running configuration was compiled with Shorewall-perl. + - The name of the interface specified in the command contained an + embedded special character such as '.' or '-'. + + This problem was the result of the change in Shorewall 4.0.2 that + removed the legacy mapping of interface names when embedding such + names in a Netfilter chain name. To correct the problem, the + pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes. + +5) A bug in Shorewall-shell prevented proper handling of PREROUTING + marks when HIGH_ROUTE_MARKS=No and the track option was specified + in /etc/shorewall/providers. + +6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in + the params file would fail at script execution time with "INCLUDE: + not found". This has been corrected. + +7) Shorewall-perl was mis-sorting the zone list when zones were nested + more than one deep. + +8) Stale references to http://www.shorewall.net/Documentation.htm have + been removed from the config files (including samples). That URL + has been replaced by the online manpages. + +Other Changes in 4.0.3 + +1) A script generated by Shorewall-perl now tries to modify/restore + /etc/iproute2/rt_tables only if the file is writable. This prevents + run-time errors when /etc is mounted read-only. + + A new KEEP_RT_TABLES option has been added to shorewall.conf. When + set to Yes, this option prevents Shorewall from altering the + /etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only + recognized by Shorewall-perl and is ignored by Shorewall-shell. + +2) Shorewall-perl now requires the FindBin Perl module. + +3) When an optional provider is not available, a script generated by + Shorewall-perl will no longer add the corresponding + routing rules. + +4) A new 'isusable' extension script has been added. 
This script + allows you to extend the availability test that Shorewall performs + on optional providers. + + Here's an example that uses ping to ensure that the default + gateways through eth0 and eth1 are reachable: + + case $1 in + eth0) + ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1 + return + ;; + eth1) + ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1 + return + ;; + *) + # Assume we don't need to do any additional testing + # for this interface beyond Shorewall's + return 0 + ;; + esac + + Additional information is available at + http://www.shorewall.net/shorewall_extension_scripts.htm. + +5) Processing of the message log in the 'show log', 'logwatch' and + 'dump' commands has been speeded up thanks to a suggestion by + Andrew Suffield. + +6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear' + commands were processed by the generated script from the + last successful 'start', 'restart' or 'refresh' command. This had + the side effect that updates to the /etc/shorewall/routestopped + file did not take effect until one of those three commands was + successfully processed. + + Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as + the default and the 4.0 behavior is enabled using the '-f' command + option. + + Example: shorewall stop -f + +7) An 'mss' option has been added to the interfaces file. This option + is only recognized by Shorewall-perl and causes Shorewall to set + the MSS field in forwarded TCP SYN packets going in or out the + interface to the value that you specify. + + Example: + + #ZONE INTERFACE BROADCAST OPTIONS + vpn ppp0 - mss=1400 + + The mss option only affects incoming traffic that has not been + decrypted by IPSEC and outgoing traffic that will not subsequently + be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the + 'mss' option in /etc/shorewall/zones. + +8) Shorewall now detects the presence of the 'hashlimit match' + capability. 
There is no builtin support yet for hashlimit but + detection allows extension scripts for user-supplied actions to + determine if the capability exists. + + With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the + capability exists. + + With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in + a boolean context if the capability exists. Shorewall-perl users + may also code the following in their extension script: + + use Shorewall::Config; + + require_capability( 'HASHLIMIT_MATCH', #Capability + 'My hashlimit action' , #Feature requiring + #capability + 's' ); #Feature is singular + #(if plural, pass the + empty string) + + That call would procduce the following fatal error if the + capability isn't available: + + ERROR: My hashlimit action requires the Hashlimit match capability + in your kernel and iptables + +9) NFQUEUE support has been added to Shorewall-perl. + + NFQUEUE may appear in actions, macros, rules and as a policy. + When NFQUEUE is used by itself, queue number zero is assumed. To + specify a queue number, follow NFQUEUE by a slash ("/") and the + queue number. + + Examples (/etc/shorewall/rules): + + NFQUEUE loc net tcp #Queue number 0 + NFQUEUE/22 loc net udp #Queue number 22 + NFQUEUE/22:info loc net gre #With logging + + An NFQUEUE_DEFAULT option has been added to shorewall.conf for + specifying the default action to use with NFQUEUE policies. + + Use of NFQUEUE requires the NFQUEUE Target capability in your + kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite, + then you must install Shorewall-lite 4.0.3 in order to build a + capabilities file that includes NFQUEUE Target. If your + capabilities file was generated by a Shorewall/Shorewall-lite + version earlier that 4.0.3, you will receive a warning during + compilation. + +10) The 'refresh' command can now refresh chains other than 'blacklst'. + + The syntax of the command is now: + + shorewall refresh [ ... ] + + If no is given then 'blacklst' is assumed. 
Otherwise, the + Shorewall-perl compiler compiles a script whose 'refresh' command + refreshes the listed (s). + + The listed chains are assumed to be in the filter table. You can + refresh chains in other tables by prefixing the chain name with the + table name followed by ":" (e.g., nat:net_dnat). Chain names which + follow are assumed to be in that table until the end of the list or + until an entry in the list names another table. + + This feature requires Shorewall-perl 4.0.3 as well as + Shorewall-common 4.0.3. diff --git a/Shorewall-common/routestopped b/Shorewall-common/routestopped index 19767c4e8..91fb28c9c 100644 --- a/Shorewall-common/routestopped +++ b/Shorewall-common/routestopped @@ -3,8 +3,10 @@ # # For information about entries in this file, type "man shorewall-routestopped" # -# See http://shorewall.net/Documentation.htm#Routestopped and -# http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-routestopped.html +# +# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional # information. # ############################################################################### diff --git a/Shorewall-common/rules b/Shorewall-common/rules index 3532db1b0..ed90106e4 100644 --- a/Shorewall-common/rules +++ b/Shorewall-common/rules @@ -3,7 +3,8 @@ # # For information on the settings in this file, type "man shorewall-rules" # -# See http://shorewall.net/Documentation.htm#Rules for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-rules.html # ############################################################################################################################ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 821a3f2e1..072be5b86 100755 --- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall 
@@ -180,15 +180,6 @@ get_config() { export IPTABLES - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi # # Compile by non-root needs no restore file # @@ -340,10 +331,11 @@ compiler() { shift options="--verbose $VERBOSE "; - [ -n "$EXPORT" ] && options="$options --export "; - [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "; - [ -n "$TIMESTAMP" ] && options="$options --timestamp " ; - [ -n "$debugging" ] && options="$options --debug " ; + [ -n "$EXPORT" ] && options="$options --export " + [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR " + [ -n "$TIMESTAMP" ] && options="$options --timestamp " + [ -n "$debugging" ] && options="$options --debug " + [ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS" [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" # # Run the appropriate params file @@ -358,6 +350,7 @@ compiler() { ;; shell) [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed" + [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains" $command $SHOREWALL_SHELL $sc $@ ;; *) @@ -779,13 +772,15 @@ refresh_command() { esac done - case $# in - 0) - ;; - *) - usage 1 - ;; - esac + if [ $# -gt 0 ]; then + REFRESHCHAINS=$1 + shift + + while [ $# -gt 0 ]; do + REFRESHCHAINS="$REFRESHCHAINS,$1" + shift + done + fi shorewall_is_started || fatal_error "Shorewall is not running" @@ -1298,7 +1293,7 @@ usage() # $1 = exit status echo " logdrop
..." echo " logreject
..." echo " logwatch []" - echo " refresh [ -C {shell|perl} ]" + echo " refresh [ -C {shell|perl} ] [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ -C {shell|perl} ] [ ] " echo " reset" @@ -1483,7 +1478,7 @@ export PRODUCT="Shorewall" FIREWALL=$SHAREDIR/firewall LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli" VERSION_FILE=$SHAREDIR/version -HELP=$SHAREDIR/help +REFRESHCHAINS= for library in $LIBRARIES; do if [ -f $library ]; then diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index b173c3c05..3d6951380 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.3 +%define version 4.0.4 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -240,6 +240,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Wed Sep 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.4-1 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.3-1 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/tunnels b/Shorewall-common/tunnels index 8ce8ab58d..d38eda2b5 100644 --- a/Shorewall-common/tunnels +++ b/Shorewall-common/tunnels @@ -3,8 +3,8 @@ # # For information about entries in this file, type "man shorewall-tunnels" # -# See http://shorewall.net/Documentation.htm#Tunnels for additional -# information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html # ############################################################################### #TYPE ZONE GATEWAY GATEWAY diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index 94657084b..4e8ab18f6 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.3 +VERSION=4.0.4 usage() # $1 = exit status { 
diff --git a/Shorewall-common/zones b/Shorewall-common/zones index d5c30a0b2..d5164e93e 100644 --- a/Shorewall-common/zones +++ b/Shorewall-common/zones @@ -3,7 +3,8 @@ # # For information about this file, type "man shorewall-zones" # -# For more information, see http://www.shorewall.net/Documentation.htm#Zones +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### #ZONE TYPE OPTIONS IN OUT diff --git a/Shorewall-lite/README.txt b/Shorewall-lite/README.txt index 559e49156..3d9b39eca 100644 --- a/Shorewall-lite/README.txt +++ b/Shorewall-lite/README.txt @@ -1 +1 @@ -This is the Shorewall-lite Development 4.1 branch of SVN. +This is the Shorewall-lite Stable 4.0 branch of SVN. diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 4bd40e734..8b91879dd 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.2 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 4896a058d..3ab7763a1 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.2 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 2e343c7ae..884be10f0 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -93,9 +93,9 @@ get_config() { [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then - LOGREAD="logread" + LOGREAD="logread | tac" elif [ -f $LOGFILE ]; then - LOGREAD="cat $LOGFILE" + LOGREAD="tac $LOGFILE" else echo "LOGFILE ($LOGFILE) does not exist!" >&2 exit 2 
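Review bot: The new `LOGREAD` values (`logread | tac` and `tac $LOGFILE`) depend on `tac` without checking that it exists, whereas the removed Shorewall-common code at least probed for a usable `tail` before relying on it. Shorewall-lite is aimed at small/busybox-style systems where `tac` is an optional applet, so the log commands would fail at use time with command-not-found rather than at configuration time. Suggest probing once in get_config and failing clearly, e.g. `qt which tac || { echo "tac not found - it is required for log display" >&2; exit 2; }`. Whether `qt`/`which` are usable at that point in get_config is outside this hunk.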
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index ff613f226..2aa11dc60 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.0.2 +%define version 4.0.4 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Wed Sep 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.4-1 +* Mon Aug 13 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.3-1 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index bf04d0f89..2968cd0ab 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.2 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-perl/README.txt b/Shorewall-perl/README.txt index 388f1ee33..fe6c514c9 100644 --- a/Shorewall-perl/README.txt +++ b/Shorewall-perl/README.txt @@ -1,2 +1,2 @@ -This is the Shorewall-perl Development 4.1 branch of SVN. +This is the Shorewall-perl Stable 4.0 branch of SVN. diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index 1c29e06b9..a954cc13c 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = 4.01; +our $VERSION = '4.03'; # # Initialize globals -- we take this novel approach to globals initialization to allow 
@@ -70,7 +70,7 @@ sub process_accounting_rule( $$$$$$$$$ ) { } sub accounting_error() { - warning_message "Invalid Accounting rule"; + fatal_error "Invalid Accounting rule"; } sub jump_to_chain( $ ) { @@ -112,8 +112,10 @@ sub process_accounting_rule( $$$$$$$$$ ) { $source = ALLIPv4 if $source eq 'any' || $source eq 'all'; - if ( @bridges ) { - if ( $source =~ /^$firewall_zone:?(.*)$/ ) { + if ( have_bridges ) { + my $fw = firewall_zone; + + if ( $source =~ /^$fw:?(.*)$/ ) { $source = $1 ? $1 : ALLIPv4; $restriction = OUTPUT_RESTRICT; $chain = 'accountout' unless $chain and $chain ne '-'; @@ -192,9 +194,9 @@ sub setup_accounting() { } } - $comment = ''; + clear_comment; - if ( @bridges ) { + if ( have_bridges ) { if ( $filter_table->{accounting} ) { for my $chain ( qw/INPUT FORWARD/ ) { insert_rule $filter_table->{$chain}, 1, '-j accounting'; diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index ccc7d6451..55856beac 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm @@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels %macros ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.03; +our $VERSION = '4.03'; # # Used Actions. Each action that is actually used has an entry with value 1. @@ -651,7 +651,7 @@ sub process_action3( $$$$$ ) { } } - $comment = ''; + clear_comment; } sub process_actions3 () { diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 460606ada..97b259961 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -53,6 +53,7 @@ our @EXPORT = qw( STANDARD ALL_RESTRICT process_comment + clear_comment incr_cmd_level decr_cmd_level add_command @@ -61,7 +62,6 @@ our @EXPORT = qw( STANDARD add_file add_rule insert_rule - insert_rule_nice chain_base forward_chain input_chain 
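Review bot: On the new `if ( $source =~ /^$fw:?(.*)$/ )` line the firewall zone name is interpolated into the regex unquoted, so any regex metacharacter in the name would alter the match instead of being matched literally; `\Q$fw\E` keeps it literal: `if ( $source =~ /^\Q$fw\E:?(.*)$/ ) {`. Zone names are presumably validated elsewhere, which is outside this hunk, so this is a hygiene point rather than an exploitable one. process_accounting_rule starts and ends outside the hunk.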
@@ -116,26 +116,22 @@ our @EXPORT = qw( STANDARD get_interface_bcasts set_global_variables create_netfilter_load - create_blacklist_reload + create_chainlist_reload - @policy_chains %chain_table $nat_table $mangle_table $filter_table $section %sections - $comment %targets ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.03; +our $VERSION = '4.04'; # # Chain Table # -# @policy_chains is a list of references to policy chains in the filter table -# # %chain_table { => { => { name => # table =>
# is_policy => 0|1 @@ -166,7 +162,6 @@ our $VERSION = 4.03; # # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. # -our @policy_chains; our %chain_table; our $nat_table; our $mangle_table; @@ -234,7 +229,6 @@ our $mode; # sub initialize() { - @policy_chains = (); %chain_table = ( raw => {} , mangle => {}, nat => {}, @@ -335,6 +329,14 @@ sub process_comment() { warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter"; } } + +# +# Clear the $comment variable +# +sub clear_comment() { + $comment = ''; +} + # # Functions to manipulate cmdlevel # @@ -731,8 +733,8 @@ sub finish_section ( $ ) { $sections{$section} = 1; } - for my $zone ( @zones ) { - for my $zone1 ( @zones ) { + for my $zone ( all_zones ) { + for my $zone1 ( all_zones ) { my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; if ( $chainref->{referenced} ) { finish_chain_section $chainref, $sections; @@ -760,7 +762,7 @@ sub set_mss1( $$ ) { sub set_mss( $$$ ) { my ( $zone, $mss, $direction) = @_; - for my $z ( @zones ) { + for my $z ( all_zones ) { if ( $direction eq '_in' ) { set_mss1 "${zone}2${z}" , $mss; } elsif ( $direction eq '_out' ) { @@ -776,8 +778,8 @@ sub set_mss( $$$ ) { # Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. # sub setup_zone_mss() { - for my $zone ( @zones ) { - my $zoneref = $zones{$zone}; + for my $zone ( all_zones ) { + my $zoneref = find_zone( $zone ); set_mss( $zone, $zoneref->{options}{in_out}{mss}, '' ) if $zoneref->{options}{in_out}{mss}; set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss}; @@ -1104,7 +1106,7 @@ sub do_tos( $ ) { # sub match_source_dev( $ ) { my $interface = shift; - my $interfaceref = $interfaces{$interface}; + my $interfaceref = find_interface( $interface ); if ( $interfaceref && $interfaceref->{options}{port} ) { "-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; } else { 
@@ -1117,7 +1119,7 @@ sub match_source_dev( $ ) { # sub match_dest_dev( $ ) { my $interface = shift; - my $interfaceref = $interfaces{$interface}; + my $interfaceref = find_interface( $interface ); if ( $interfaceref && $interfaceref->{options}{port} ) { "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; } else { @@ -1240,7 +1242,7 @@ sub match_orig_dest ( $ ) { sub match_ipsec_in( $$ ) { my ( $zone , $hostref ) = @_; my $match = '-m policy --dir in --pol '; - my $zoneref = $zones{$zone}; + my $zoneref = find_zone( $zone ); my $optionsref = $zoneref->{options}; if ( $zoneref->{type} eq 'ipsec4' ) { @@ -1258,7 +1260,7 @@ sub match_ipsec_in( $$ ) { sub match_ipsec_out( $$ ) { my ( $zone , $hostref ) = @_; my $match = '-m policy --dir out --pol '; - my $zoneref = $zones{$zone}; + my $zoneref = find_zone( $zone ); my $optionsref = $zoneref->{options}; if ( $zoneref->{type} eq 'ipsec4' ) { @@ -1537,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ ) incr_cmd_level $chainref; } else { - fatal_error "Source Interface ($iiface) not allowed when the source zone is $firewall_zone" if $restriction & OUTPUT_RESTRICT; + fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT; $rule .= match_source_dev( $iiface ); } } @@ -1598,7 +1600,7 @@ sub expand_rule( $$$$$$$$$$ ) incr_cmd_level $chainref; } else { fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); - fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT; + fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; if ( $iiface ) { my $bridge = port_to_bridge( $diface ); 
@@ -2013,52 +2015,109 @@ sub create_netfilter_load() { } # -# Generate the netfilter input for refreshing the blacklist +# Generate the netfilter input for refreshing a list of chains # -sub create_blacklist_reload() { +sub create_chainlist_reload($) { + + my $chains = $_[0]; + + my @chains = split ',', $chains; + + unless ( @chains ) { + @chains = qw( blacklst ) if $filter_table->{blacklst}; + } $mode = NULL_MODE; - emit( 'blacklist_reload()', + emit( 'chainlist_reload()', '{' ); push_indent; - save_progress_message "Preparing iptables-restore input..."; + if ( @chains ) { + if ( @chains == 1 ) { + progress_message2 "Compiling iptables-restore input for chain @chains..."; + save_progress_message "Preparing iptables-restore input for chain @chains..."; + } else { + progress_message2 "Compiling iptables-restore input for chain $chains..."; + save_progress_message "Preparing iptables-restore input for chains $chains..."; + } - emit ''; + emit ''; - emit 'exec 3>${VARDIR}/.iptables-restore-input'; + emit 'exec 3>${VARDIR}/.iptables-restore-input'; - enter_cat_mode; + enter_cat_mode; + + my $table = 'filter'; + + my %chains; + + for my $chain ( @chains ) { + ( $table , $chain ) = split ':', $chain if $chain =~ /:/; + + fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; + fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; + + $chains{$table} = [] unless $chains{$table}; + + push @{$chains{$table}}, $chain; + } - emit_unindented '*filter'; - emit_unindented ':blacklst - [0:0]'; - # - # Emit the Blacklist rules - # - emitr $_ for ( @{$filter_table->{blacklst}{rules}} ); - # - # Commit the changes to the table - # - enter_cat_mode unless $mode == CAT_MODE; + for $table qw(nat mangle filter) { + next unless $chains{$table}; - emit_unindented 'COMMIT'; + emit_unindented "*$table"; - enter_cmd_mode; - # - # Now generate the actual iptables-restore command - # - emit( 'exec 3>&-', - '', - 'progress_message2 
"Running iptables-restore..."', - '', - 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux', - 'if [ $? != 0 ]; then', - ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', - "fi\n" - ); + my $tableref=$chain_table{$table}; + + @chains = sort @{$chains{$table}}; + + for my $chain ( @chains ) { + my $chainref = $tableref->{$chain}; + emit_unindented ":$chainref->{name} $chainref->{policy} [0:0]" if $chainref->{builtin}; + } + + for my $chain ( @chains ) { + my $chainref = $tableref->{$chain}; + emit_unindented ":$chainref->{name} - [0:0]" unless $chainref->{builtin}; + } + + for my $chain ( @chains ) { + my $chainref = $tableref->{$chain}; + my @rules = @{$chainref->{rules}}; + + @rules = () unless @rules; + # + # Emit the chain rules + # + emitr $_ for ( @rules ); + } + # + # Commit the changes to the table + # + enter_cat_mode unless $mode == CAT_MODE; + + emit_unindented 'COMMIT'; + } + + enter_cmd_mode; + # + # Now generate the actual iptables-restore command + # + emit( 'exec 3>&-', + '', + 'progress_message2 "Running iptables-restore..."', + '', + 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux', + 'if [ $? != 0 ]; then', + ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', + "fi\n" + ); + } else { + emit('true'); + } pop_indent; diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index e7e7a2e79..174c93b85 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -41,7 +41,7 @@ use Shorewall::Proxyarp; our @ISA = qw(Exporter); our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); our @EXPORT_OK = qw( $export ); -our $VERSION = 4.03; +our $VERSION = '4.04'; our $export; 
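Review bot: The chain list is validated only for table name and existence, so a builtin chain such as `filter:INPUT` is accepted and emitted with its policy line; iptables-restore with `-n` (noflush) flushes the user-defined chains it declares but, as far as I recall, leaves builtin chains unflushed, so refreshing one would append a second copy of every rule rather than replace them. Suggest either rejecting builtins after the existence check, `fatal_error "Refresh of builtin chain $table:$chain is not supported" if $chain_table{$table}{$chain}{builtin};`, or verifying the flush behaviour before allowing them. Two minor points: `@rules = () unless @rules;` is a no-op and can be dropped, and the plural progress message still reads `for chain $chains`.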
@@ -58,6 +58,7 @@ sub reinitialize() { Shorewall::Config::initialize; Shorewall::Chains::initialize; Shorewall::Zones::initialize; + Shorewall::Policy::initialize; Shorewall::Nat::initialize; Shorewall::Providers::initialize; Shorewall::Tc::initialize; @@ -138,17 +139,16 @@ sub generate_script_1() { '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"', qq(VERSION="$globals{VERSION}") , qq(PATH="$config{PATH}") , - 'TERMINATOR=fatal_error' + 'TERMINATOR=fatal_error' , + '' ); if ( $config{IPTABLES} ) { emit( qq(IPTABLES="$config{IPTABLES}"), - '', '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"', ); } else { - emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables 2> /dev/null)', - '', + emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES', '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"' ); } @@ -328,11 +328,9 @@ EOF while read address interface external haveroute; do qt arp -i $external -d $address pub [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + interface=/proc/sys/net/ipv4/conf/$interface + [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp done < ${VARDIR}/proxyarp - - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done fi rm -f ${VARDIR}/proxyarp @@ -596,7 +594,7 @@ sub generate_script_2 () { # Note: This function is not called when $command eq 'check'. So it must have no side effects other # than those related to writing to the object file. # -sub generate_script_3() { +sub generate_script_3($) { emit 'cat > ${VARDIR}/proxyarp << __EOF__'; dump_proxy_arp; @@ -629,7 +627,7 @@ sub generate_script_3() { progress_message2 "Creating iptables-restore input..."; create_netfilter_load; - create_blacklist_reload; + create_chainlist_reload( $_[0] ); emit "#\n# Start/Restart the Firewall\n#"; emit 'define_firewall() {'; 
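Review bot: The new proxyarp teardown tests the wrong sysctl name: `[ -f $interface/proxyarp ]` looks for a file that never exists (the knob is `proxy_arp`), so the `echo 0 >` is never reached and proxy ARP stays enabled on the interface after stop/clear. The line should read `[ -f $interface/proxy_arp ] && echo 0 > $interface/proxy_arp`. Note this also replaces a loop that cleared proxy_arp on every interface with a per-entry clear, so an interface whose entry was removed from the proxyarp file since the last start is no longer reset; that may be intended (leave interfaces the user enabled independently alone) but deserves a comment. The shell heredoc this sits in begins before the hunk.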
@@ -647,14 +645,14 @@ setup_routing_and_traffic_shaping if [ $COMMAND = restore ]; then iptables_save_file=${VARDIR}/$(basename $0)-iptables if [ -f $iptables_save_file ]; then - iptables-restore < $iptables_save_file + cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux else fatal_error "$iptables_save_file does not exist" fi set_state "Started" else if [ $COMMAND = refresh ]; then - blacklist_reload + chainlist_reload run_refreshed_exit $IPTABLES -N shorewall set_state "Started" @@ -701,9 +699,9 @@ EOF # If the first argument is non-null, it names the script file to generate. # Otherwise, this is a 'check' command and no script is produced. # -sub compiler( $$$$ ) { +sub compiler( $$$$$ ) { - my ( $objectfile, $directory, $verbosity, $options ) = @_; + my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_; $export = 0; @@ -723,7 +721,7 @@ sub compiler( $$$$ ) { # get_configuration( $export ); - report_capabilities if $verbose > 1; + report_capabilities; require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' ); require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; @@ -731,7 +729,7 @@ sub compiler( $$$$ ) { require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT}; - ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile; + set_command( 'check', 'Checking', 'Checked' ) unless $objectfile; initialize_chain_table; @@ -865,7 +863,7 @@ sub compiler( $$$$ ) { # # Finish the script. # - generate_script_3; + generate_script_3( $chains ); finalize_object ( $export ); # # And generate the auxilary config file diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 85d63141e..3051932f1 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm 
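Review bot: The restore path on the new `cat $iptables_save_file | $IPTABLES_RESTORE` line has no status check, so a failing restore (or an unset `$IPTABLES_RESTORE`, which turns the right side of the pipe into an empty command that succeeds) falls through to `set_state "Started"` with whatever rules happen to be loaded. chainlist_reload checks `$?` after its own restore; mirror it here: `[ $? -eq 0 ] || fatal_error "iptables-restore failed restoring $iptables_save_file"`. The compile-time `-x` check added in Config.pm covers only the compiling host, so it does not replace a run-time check in a script that may be exported to another machine. Where `IPTABLES_RESTORE` is assigned in the generated script is outside this hunk.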
@@ -34,10 +34,13 @@ use strict; use warnings; use File::Basename; use File::Temp qw/ tempfile tempdir /; -use Cwd 'abs_path'; +use Cwd qw(abs_path getcwd); use autouse 'Carp' => qw(longmess confess); our @ISA = qw(Exporter); +# +# Imported variables should be treated as read-only by importers +# our @EXPORT = qw( create_temp_object finalize_object @@ -47,6 +50,7 @@ our @EXPORT = qw( save_progress_message_short set_timestamp set_verbose + set_command progress_message progress_message2 progress_message3 @@ -55,7 +59,6 @@ our @EXPORT = qw( copy create_temp_aux_config finalize_aux_config - warning_message fatal_error set_shorewall_dir @@ -85,15 +88,13 @@ our @EXPORT = qw( $command $doing $done - $verbose - $currentline %config %globals %capabilities ); our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path ); -our $VERSION = 4.03; +our $VERSION = '4.04'; # # describe the current command, it's present progressive, and it's completion. 
@@ -147,7 +148,38 @@ our %capabilities; # # Capabilities # -our %capdesc; +our %capdesc = ( NAT_ENABLED => 'NAT', + MANGLE_ENABLED => 'Packet Mangling', + MULTIPORT => 'Multi-port Match' , + XMULTIPORT => 'Extended Multi-port Match', + CONNTRACK_MATCH => 'Connection Tracking Match', + USEPKTTYPE => 'Packet Type Match', + POLICY_MATCH => 'Policy Match', + PHYSDEV_MATCH => 'Physdev Match', + LENGTH_MATCH => 'Packet length Match', + IPRANGE_MATCH => 'IP Range Match', + RECENT_MATCH => 'Recent Match', + OWNER_MATCH => 'Owner Match', + IPSET_MATCH => 'Ipset Match', + CONNMARK => 'CONNMARK Target', + XCONNMARK => 'Extended CONNMARK Target', + CONNMARK_MATCH => 'Connmark Match', + XCONNMARK_MATCH => 'Extended Connmark Match', + RAW_TABLE => 'Raw Table', + IPP2P_MATCH => 'IPP2P Match', + CLASSIFY_TARGET => 'CLASSIFY Target', + ENHANCED_REJECT => 'Extended Reject', + KLUDGEFREE => 'Repeat match', + MARK => 'MARK Target', + XMARK => 'Extended Mark Target', + MANGLE_FORWARD => 'Mangle FORWARD Chain', + COMMENTS => 'Comments', + ADDRTYPE => 'Address Type Match', + TCPMSS_MATCH => 'TCPMSS Match', + HASHLIMIT_MATCH => 'Hashlimit Match', + NFQUEUE_TARGET => 'NFQUEUE Target', + CAPVERSION => 'Capability Version', + ); # # Directories to search for configuration files # @@ -198,7 +230,7 @@ sub initialize() { ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => '4.0.3', + VERSION => '4.0.4', CAPVERSION => 40003 , ); # 
@@ -335,41 +367,6 @@ sub initialize() { CAPVERSION => undef, ); # - # Capabilities - # - %capdesc = ( NAT_ENABLED => 'NAT', - MANGLE_ENABLED => 'Packet Mangling', - MULTIPORT => 'Multi-port Match' , - XMULTIPORT => 'Extended Multi-port Match', - CONNTRACK_MATCH => 'Connection Tracking Match', - USEPKTTYPE => 'Packet Type Match', - POLICY_MATCH => 'Policy Match', - PHYSDEV_MATCH => 'Physdev Match', - LENGTH_MATCH => 'Packet length Match', - IPRANGE_MATCH => 'IP Range Match', - RECENT_MATCH => 'Recent Match', - OWNER_MATCH => 'Owner Match', - IPSET_MATCH => 'Ipset Match', - CONNMARK => 'CONNMARK Target', - XCONNMARK => 'Extended CONNMARK Target', - CONNMARK_MATCH => 'Connmark Match', - XCONNMARK_MATCH => 'Extended Connmark Match', - RAW_TABLE => 'Raw Table', - IPP2P_MATCH => 'IPP2P Match', - CLASSIFY_TARGET => 'CLASSIFY Target', - ENHANCED_REJECT => 'Extended Reject', - KLUDGEFREE => 'Repeat match', - MARK => 'MARK Target', - XMARK => 'Extended Mark Target', - MANGLE_FORWARD => 'Mangle FORWARD Chain', - COMMENTS => 'Comments', - ADDRTYPE => 'Address Type Match', - TCPMSS_MATCH => 'TCPMSS Match', - HASHLIMIT_MATCH => 'Hashlimit Match', - NFQUEUE_TARGET => 'NFQUEUE Target', - CAPVERSION => 'Capability Version', - ); - # # Directories to search for configuration files # @config_path = (); @@ -401,7 +398,8 @@ INIT { # sub warning_message { - my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : ''; + my $linenumber = $currentlinenumber || 1; + my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; if ( $debug ) { print STDERR longmess( " WARNING: @_$currentlineinfo" ); 
@@ -414,7 +412,8 @@ sub warning_message # Issue fatal error message and die # sub fatal_error { - my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : ''; + my $linenumber = $currentlinenumber || 1; + my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; confess " ERROR: @_$currentlineinfo" if $debug; die " ERROR: @_$currentlineinfo\n"; } @@ -480,12 +479,18 @@ sub set_verbose( $ ) { $verbose = shift; } +# +# Set $command, $doing and $done +# +sub set_command( $$$ ) { + ($command, $doing, $done) = @_; +} + # # Print the current TOD to STDOUT. # sub timestamp() { - my ($sec, $min, $hr) = ( localtime ) [0,1,2]; - printf '%02d:%02d:%02d ', $hr, $min, $sec; + printf '%02d:%02d:%02d ', ( localtime ) [2,1,0]; } # @@ -649,7 +654,7 @@ sub finalize_aux_config() { } # -# Set $globals{CONFIG_PATH} +# Set $config{CONFIG_PATH} # sub set_config_path( $ ) { $config{CONFIG_PATH} = shift; @@ -839,9 +844,12 @@ sub read_a_line() { while ( $currentfile ) { $currentline = ''; + $currentlinenumber = 0; while ( <$currentfile> ) { + $currentlinenumber = $. unless $currentlinenumber; + chomp; # # Continuation @@ -856,7 +864,6 @@ sub read_a_line() { # $currentline = '', next if $currentline =~ /^\s*$/; - $currentlinenumber = $.; # # Expand Shell Variables using %ENV # @@ -883,6 +890,8 @@ sub read_a_line() { push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; $currentfile = undef; do_open_file $filename; + } else { + $currentlinenumber = 0; } $currentline = ''; 
@@ -1026,17 +1035,19 @@ sub report_capabilities() { } } - print "Shorewall has detected the following capabilities:\n"; + if ( $verbose > 1 ) { + print "Shorewall has detected the following capabilities:\n"; - for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { - report_capability $cap; + for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) { + report_capability $cap; + } } } # # Search the current PATH for the passed executable # -sub mywhich( $ ) { +sub which( $ ) { my $prog = $_[0]; for my $dir ( split /:/, $config{PATH} ) { @@ -1050,7 +1061,7 @@ sub mywhich( $ ) { # Load the kernel modules defined in the 'modules' file. # sub load_kernel_modules( ) { - my $moduleloader = mywhich 'modprobe' ? 'modprobe' : 'insmod'; + my $moduleloader = which( 'modprobe' ) || ( which 'insmod' ); my $modulesdir = $config{MODULESDIR}; @@ -1063,7 +1074,7 @@ sub load_kernel_modules( ) { my @moduledirectories = split /:/, $modulesdir; - if ( @moduledirectories && open_file 'modules' ) { + if ( $moduleloader && open_file 'modules' ) { my %loadedmodules; progress_message "Loading Modules..."; @@ -1114,9 +1125,9 @@ sub qt( $ ) { # # Determine which optional facilities are supported by iptables/netfilter # -sub determine_capabilities() { +sub determine_capabilities( $ ) { - my $iptables = $config{IPTABLES}; + my $iptables = $_[0]; my $pid = $$; my $sillyname = "fooX$pid"; @@ -1173,7 +1184,7 @@ sub determine_capabilities() { $capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" ); - if ( mywhich 'ipset' ) { + if ( which 'ipset' ) { qt( "ipset -X $sillyname" ); if ( qt( "ipset -N $sillyname iphash" ) ) { @@ -1243,8 +1254,10 @@ sub ensure_config_path() { } if ( $shorewall_dir ) { + $shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|; $shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|; unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0]; + $config{CONFIG_PATH} = join ':', @config_path; } } 
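Review bot: The new regex in ensure_config_path is unanchored: `$shorewall_dir =~ m|(\./*)+|` matches any directory path containing a dot, e.g. `/etc/shorewall.d` or `/home/user/fw.test`, and silently replaces it with the current working directory, so the compiler reads a different configuration than the one named with `-directory`. Anchor it to the literal `.`/`./` form that was presumably intended: `$shorewall_dir = getcwd if $shorewall_dir =~ m|^\./*$|;`. A relative path such as `../fw` would still be left relative; if the aim is an absolute CONFIG_PATH in the generated script, `abs_path` is already imported and handles every relative form.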
@@ -1287,32 +1300,10 @@ sub process_shorewall_conf() { } } -sub get_capabilities( $ ) { - my $export = $_[0]; - - if ( ! $export && $> == 0 ) { # $> == $EUID - unless ( $config{IPTABLES} ) { - fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables'; - } else { - fatal_error "\$IPTABLES=$config{IPTABLES} does not exist or is not executable" unless -x $config{IPTABLES}; - } - - load_kernel_modules; - - unless ( open_file 'capabilities' ) { - determine_capabilities; - } - } else { - unless ( open_file 'capabilities' ) { - fatal_error "The -e flag requires a capabilities file" if $export; - fatal_error "Compiling under non-root uid requires a capabilities file"; - } - } - - # - # If we successfully called open_file above, then this loop will read the capabilities file. - # Otherwise, the first call to read_a_line() below will return false - # +# +# Process the records in the capabilities file +# +sub read_capabilities() { while ( read_a_line1 ) { if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) { my ($var, $val) = ($1, $2); 
@@ -1334,6 +1325,42 @@ sub get_capabilities( $ ) { } } +# +# Get the system's capabilities, either by probing or by reading a capabilities file +# +sub get_capabilities( $ ) { + my $export = $_[0]; + + if ( ! $export && $> == 0 ) { # $> == $EUID + my $iptables = $config{IPTABLES}; + + if ( $iptables ) { + fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables; + } else { + fatal_error "Can't find iptables executable" unless $iptables = which 'iptables'; + } + + my $iptables_restore=$iptables . '-restore'; + + fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; + + load_kernel_modules; + + if ( open_file 'capabilities' ) { + read_capabilities; + } else { + determine_capabilities $iptables; + } + } else { + unless ( open_file 'capabilities' ) { + fatal_error "The -e compiler option requires a capabilities file" if $export; + fatal_error "Compiling under non-root uid requires a capabilities file"; + } + + read_capabilities; + } +} + # # - Read the shorewall.conf file # - Read the capabilities file, if any diff --git a/Shorewall-perl/Shorewall/FallbackPorts.pm b/Shorewall-perl/Shorewall/FallbackPorts.pm index 1ff432dc9..d647a0825 100644 --- a/Shorewall-perl/Shorewall/FallbackPorts.pm +++ b/Shorewall-perl/Shorewall/FallbackPorts.pm @@ -33,7 +33,7 @@ use warnings; our @ISA = qw(Exporter); our @EXPORT = qw( %protocols %services ); our @EXPORT_OK = qw(); -our $VERSION = 4.00; +our $VERSION = '4.00'; our %protocols = ( ip => 0, diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index 06e5489f5..fadd2a2b7 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -36,12 +36,11 @@ our @EXPORT = qw( ALLIPv4 validate_host validate_range ip_range_explicit - - @allipv4 - @rfc1918_networks + allipv4 + rfc1918_neworks ); our @EXPORT_OK = qw( ); -our $VERSION = 4.03; +our $VERSION = '4.03'; # # Some IPv4 useful stuff 
@@ -161,4 +160,12 @@ sub validate_host( $ ) { } } +sub allipv4() { + @allipv4; +} + +sub rfc1918_networks() { + @rfc1918_networks +} + 1; diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm index 4cdc0986c..321a7bcbd 100644 --- a/Shorewall-perl/Shorewall/Nat.pm +++ b/Shorewall-perl/Shorewall/Nat.pm @@ -36,7 +36,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT_OK = (); -our $VERSION = 4.03; +our $VERSION = '4.03'; our @addresses_to_add; our %addresses_to_add; @@ -169,7 +169,7 @@ sub setup_one_masq($$$$$$$) # ( my $interface = $fullinterface ) =~ s/:.*//; - fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; + fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root}; my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface); # @@ -305,7 +305,7 @@ sub setup_masq() } } - $comment = ''; + clear_comment; } @@ -417,7 +417,7 @@ sub setup_nat() { } - $comment = ''; + clear_comment; } # diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index d63adcce5..46e882574 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm 
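Review bot: `rfc1918_networks` drops the statement terminator that its twin `allipv4` keeps (`@rfc1918_networks` vs `@allipv4;`), and neither uses an explicit `return`; both rely on the implicit return of the last expression, which in scalar context yields the element count rather than a list. An explicit `return @rfc1918_networks;` (and `return @allipv4;`) makes the list-returning contract visible to callers such as `@networks = allipv4;` in Zones.pm. The name defined here also differs from the `rfc1918_neworks` entry in the `@EXPORT` hunk above — one of the two must change.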
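Review bot: `find_interface( $interface )` already fatal_errors with `Unknown Interface ($interface)` for an undeclared interface, so the surrounding `fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};` now fires only when the entry exists but `{root}` is false, and its wording no longer describes that case. If `{root}` can legitimately be false for a declared interface, the message should say what is actually wrong with it; if it is always set for declared interfaces, the guard is dead and `find_interface( $interface );` alone would do. I cannot tell from this hunk which it is — worth checking against `validate_interfaces_file`.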
@@ -34,7 +34,28 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT_OK = qw( ); -our $VERSION = 4.03; +our $VERSION = '4.03'; + +# @policy_chains is a list of references to policy chains in the filter table + +our @policy_chains; + +# +# Initialize globals -- we take this novel approach to globals initialization to allow +# the compiler to run multiple times in the same process. The +# initialize() function does globals initialization for this +# module and is called from an INIT block below. The function is +# also called by Shorewall::Compiler::compiler at the beginning of +# the second and subsequent calls to that function. +# + +sub initialize() { + @policy_chains = (); +} + +INIT { + initialize; +} # # Convert a chain into a policy chain. 
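Review bot: The new comment says `initialize()` is called by `Shorewall::Compiler::compiler` on the second and later runs, yet Policy's `@EXPORT_OK` stays `qw( )`, while every other module in this commit that adopted the same pattern lists it (`our @EXPORT_OK = qw( initialize );` in Providers, Proxyarp, Rules and Tc). Unless the compiler calls it fully qualified as `Shorewall::Policy::initialize`, `@policy_chains` will never be reset on a repeat compile in the same process and stale chain references will be pushed again. Adding `our @EXPORT_OK = qw( initialize );` keeps the module consistent with its siblings.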
@@ -104,20 +125,36 @@ sub set_policy_chain($$$$$) # # Process the policy file # +use constant { OPTIONAL => 1 }; + +sub add_or_modify_policy_chain( $$ ) { + my ( $zone, $zone1 ) = @_; + my $chain = "${zone}2${zone1}"; + my $chainref = $filter_table->{$chain}; + + if ( $chainref ) { + unless( $chainref->{is_policy} ) { + convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); + push @policy_chains, $chainref; + } + } else { + push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); + } +} + +sub print_policy($$$$) { + my ( $source, $dest, $policy , $chain ) = @_; + unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) { + if ( $policy eq 'CONTINUE' ) { + my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) ); + warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} ); + } + progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest; + } +} + sub validate_policy() { - sub print_policy($$$$) - { - my ( $source, $dest, $policy , $chain ) = @_; - unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) { - if ( $policy eq 'CONTINUE' ) { - my ( $sourceref, $destref ) = @zones{$source,$dest}; - warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} ); - } - progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest; - } - } - my %validpolicies = ( ACCEPT => undef, REJECT => undef, @@ -136,8 +173,6 @@ sub validate_policy() my $zone; - use constant { OPTIONAL => 1 }; - for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { my $action = $config{$option}; next if $action eq 'none'; 
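Review bot: `add_or_modify_policy_chain` arrives without the header comment its neighbours carry, and its contract is not obvious from the body: a missing chain is created as an optional CONTINUE policy chain, an existing plain chain is converted in place, and an existing policy chain is left untouched. I'd add above it: `# Ensure a policy chain exists for $zone -> $zone1 with the implicit CONTINUE policy. A pre-existing plain chain is converted via convert_to_policy_chain; one that is already a policy chain is left as is so an earlier policy wins.` The last clause is my reading of the `unless( $chainref->{is_policy} )` branch — confirm it matches the intended precedence.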
@@ -157,14 +192,15 @@ sub validate_policy() $default_actions{$map{$option}} = $action; } - for $zone ( @zones ) { + for $zone ( all_zones ) { push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL ); - if ( $config{IMPLICIT_CONTINUE} && ( @{$zones{$zone}{parents}} ) ) { - for my $zone1 ( @zones ) { - next if $zone eq $zone1; - push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); - push @policy_chains, ( new_policy_chain $zone1, $zone, 'CONTINUE', OPTIONAL ); + if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { + for my $zone1 ( all_zones ) { + unless( $zone eq $zone1 ) { + add_or_modify_policy_chain( $zone, $zone1 ); + add_or_modify_policy_chain( $zone1, $zone ); + } } } } @@ -187,11 +223,11 @@ sub validate_policy() my $clientwild = ( "\L$client" eq 'all' ); - fatal_error "Undefined zone $client" unless $clientwild || $zones{$client}; + fatal_error "Undefined zone $client" unless $clientwild || defined_zone( $client ); my $serverwild = ( "\L$server" eq 'all' ); - fatal_error "Undefined zone $server" unless $serverwild || $zones{$server}; + fatal_error "Undefined zone $server" unless $serverwild || defined_zone( $server ); ( $policy , my ( $default, $remainder ) ) = split( /:/, $policy, 3 ); 
@@ -230,13 +266,13 @@ sub validate_policy() fatal_error "NONE policy not allowed with \"all\"" if $clientwild || $serverwild; fatal_error "NONE policy not allowed to/from firewall zone" - if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' ); + if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' ); } unless ( $clientwild || $serverwild ) { - if ( $zones{$server}{type} eq 'bport4' ) { + if ( zone_type( $server ) eq 'bport4' ) { fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge" - unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge}; + unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge}; } } @@ -275,20 +311,20 @@ sub validate_policy() if ( $clientwild ) { if ( $serverwild ) { - for my $zone ( @zones , 'all' ) { - for my $zone1 ( @zones , 'all' ) { + for my $zone ( all_zones , 'all' ) { + for my $zone1 ( all_zones , 'all' ) { set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy; print_policy $zone, $zone1, $policy, $chain; } } } else { - for my $zone ( @zones ) { + for my $zone ( all_zones ) { set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy; print_policy $zone, $server, $policy, $chain; } } } elsif ( $serverwild ) { - for my $zone ( @zones , 'all' ) { + for my $zone ( all_zones , 'all' ) { set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy; print_policy $client, $zone, $policy, $chain; } @@ -382,8 +418,8 @@ sub apply_policy_rules() { } } - for my $zone ( @zones ) { - for my $zone1 ( @zones ) { + for my $zone ( all_zones ) { + for my $zone1 ( all_zones ) { my $chainref = $filter_table->{"${zone}2${zone1}"}; if ( $chainref->{referenced} ) { 
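Review bot: The bridge-port check in the first hunk calls `find_zone( $server )` three times and `find_zone( $client )` once on a single line, each carrying its own fatal_error path, although both zones were already validated with `defined_zone` earlier in `validate_policy` and `print_policy` in this same file already hoists the pair into `( $sourceref, $destref )`. Hoisting reads better and avoids the repeated lookups: `my ( $clientref, $serverref ) = ( find_zone( $client ), find_zone( $server ) );` followed by `unless $clientref->{bridge} eq $serverref->{bridge} || single_interface( $client ) eq $serverref->{bridge};`. Pure style — behaviour is unchanged.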
diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index e6ece7aeb..23917fa41 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -42,7 +42,7 @@ our @EXPORT = qw( setup_forwarding ); our @EXPORT_OK = qw( ); -our $VERSION = 4.01; +our $VERSION = '4.01'; # # ARP Filtering diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index 66edaf007..6c421f246 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_providers @routemarked_interfaces); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.03; +our $VERSION = '4.03'; use constant { LOCAL_NUMBER => 255, MAIN_NUMBER => 254, diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index d7e544c0d..d10555af2 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -35,7 +35,7 @@ our @EXPORT = qw( ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.01; +our $VERSION = '4.01'; our @proxyarp; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index d13772321..e4d21e120 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos dump_rule_chains ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = 4.03; +our $VERSION = '4.03'; # # Keep track of chains for the /var/lib/shorewall[-lite]/chains file @@ -125,7 +125,7 @@ sub process_tos() { fatal_error "Invalid SOURCE" if defined $remainder; - if ( $srczone eq $firewall_zone ) { + if ( $srczone eq firewall_zone ) { $chainref = $outtosref; $src = $source || '-'; $restriction = OUTPUT_RESTRICT; 
@@ -519,7 +519,7 @@ sub add_common_rules() { my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; - for $interface ( @interfaces ) { + for $interface ( all_interfaces ) { for $chain ( @{first_chains $interface} ) { add_rule new_standard_chain( $chain ) , "$state -j dynamic"; } @@ -593,7 +593,7 @@ sub add_common_rules() { add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT'; } - add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge}; + add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' ); } } @@ -649,7 +649,7 @@ sub add_common_rules() { } if ( $config{DYNAMIC_ZONES} ) { - for $interface ( @interfaces) { + for $interface ( all_interfaces ) { for $chain ( @{dynamic_chains $interface} ) { new_standard_chain $chain; } @@ -713,7 +713,7 @@ sub setup_mac_lists( $ ) { my $chainref = new_chain $table , mac_chain $interface; add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' - if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp}; + if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' ); if ( $ttl ) { my $chain1ref = new_chain $table, macrecent_target $interface; @@ -782,7 +782,7 @@ sub setup_mac_lists( $ ) { } } - $comment = ''; + clear_comment; # # Generate jumps from the input and forward chains # @@ -806,7 +806,7 @@ sub setup_mac_lists( $ ) { my $chain = $chainref->{name}; if ( $level ne '' || $disposition ne 'ACCEPT' ) { - my $variable = get_interface_addresses $interfaces{$interface}{bridge}; + my $variable = get_interface_addresses source_port_to_bridge( $interface ); if ( $capabilities{ADDRTYPE} ) { add_commands( $chainref, 
@@ -815,8 +815,8 @@ sub setup_mac_lists( $ ) { " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", 'done' ); } else { - my $bridge = $interfaces{$interface}{bridge}; - my $bridgeref = $interfaces{$bridge}; + my $bridge = source_port_to_bridge( $interface ); + my $bridgeref = find_interface( $bridge ); add_commands( $chainref, "for address in $variable; do" ); @@ -1001,9 +1001,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # if ( $actiontype & REDIRECT ) { if ( $dest eq '-' ) { - $dest = "$firewall_zone"; + $dest = "firewall_zone"; } else { - $dest = join( '', $firewall_zone, '::', $dest ); + $dest = join( '', firewall_zone, '::', $dest ); } } elsif ( $action eq 'REJECT' ) { $action = 'reject'; @@ -1017,6 +1017,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # my $sourcezone; my $destzone; + my $sourceref; + my $destref; if ( $source =~ /^(.+?):(.*)/ ) { $sourcezone = $1; 
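Review bot: `$dest = "firewall_zone";` assigns the literal string `firewall_zone`, not the value of the `firewall_zone` accessor — the quotes that used to interpolate `$firewall_zone` survived the switch to a function call. A REDIRECT rule with an empty DEST will therefore carry a zone named `firewall_zone` into the `Unknown destination zone` check later in `process_rule1` (visible in the next hunk) and presumably fail there. The `else` branch two lines below does it correctly; this line should be `$dest = firewall_zone;`. The enclosing `process_rule1` starts and ends outside this hunk.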
@@ -1035,22 +1037,22 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } fatal_error "Missing source zone" if $sourcezone eq '-'; - fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone}; + fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Missing destination zone" if $destzone eq '-'; - fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone}; + fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone ); my $restriction = NO_RESTRICT; - if ( $sourcezone eq $firewall_zone ) { - $restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT; + if ( $sourcezone eq firewall_zone ) { + $restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT; } else { - $restriction = INPUT_RESTRICT if $destzone eq $firewall_zone; + $restriction = INPUT_RESTRICT if $destzone eq firewall_zone; } # # Check for illegal bridge port rule # - if ( $zones{$destzone}->{type} eq 'bport4' ) { - unless ( $zones{$sourcezone}{bridge} eq $zones{$destzone}{bridge} || single_interface( $sourcezone ) eq $zones{$destzone}{bridge} ) { + if ( $destref->{type} eq 'bport4' ) { + unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) { return 1 if $wildcard; fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; } @@ -1135,8 +1137,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $origdest eq '' || $origdest eq '-' ) { $origdest = ALLIPv4; } elsif ( $origdest eq 'detect' ) { - if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) { - my $interfacesref = $zones{$sourcezone}{interfaces}; + if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { + my $interfacesref = $sourceref->{interfaces}; my @interfaces = keys %$interfacesref; $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; } else { 
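Review bot: `fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );` hides an assignment inside a postfix condition, and the same is done for `$destref` on the next changed line; both references are then used throughout the rest of the function, so a reader has to spot the `=` to find where they are set. Separating the two keeps the check identical: `$sourceref = defined_zone( $sourcezone );` then `fatal_error "Unknown source zone ($sourcezone)" unless $sourceref;`, and likewise for `$destref`. The enclosing `process_rule1` starts and ends outside this hunk.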
@@ -1146,7 +1148,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } else { if ( $action eq 'SAME' ) { fatal_error 'Port mapping not allowed in SAME rules' if $serverport; - fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq $firewall_zone; + fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone; $target = '-j SAME '; for my $serv ( split /,/, $server ) { $target .= "--to $serv "; @@ -1160,8 +1162,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) { - if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) { - my $interfacesref = $zones{$sourcezone}{interfaces}; + if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) { + my $interfacesref = $sourceref->{interfaces}; my @interfaces = keys %$interfacesref; $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4; } else { @@ -1173,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # # And generate the nat table rule(s) # - expand_rule ( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ), + expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ), PREROUTE_RESTRICT , $rule , $source , @@ -1205,12 +1207,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) { $origdest = '' unless $origdest and $origdest ne '-'; if ( $origdest eq 'detect' ) { - my $interfacesref = $zones{$sourcezone}{interfaces}; + my $interfacesref = $sourceref->{interfaces}; my $interfaces = "@$interfacesref"; $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4; } - expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , + expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , PREROUTE_RESTRICT , $rule , $source , 
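Review bot: The last hunk dereferences `$sourceref->{interfaces}` as an array (`my $interfaces = "@$interfacesref";`), while the two `DETECT_DNAT_IPADDRS` sites rewritten earlier in the same function use `keys %$interfacesref` on the same slot. Under `use strict` both cannot be right — one of them dies with "Not an ARRAY reference" or "Not a HASH reference" the first time it runs — and the commit touched all three lines without reconciling them. How `{interfaces}` is populated is not visible here; whichever shape it has, this branch should match the other two, e.g. `my @interfaces = keys %$interfacesref;` and `$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;`.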
@@ -1312,11 +1314,11 @@ sub process_rule ( $$$$$$$$$$ ) { fatal_error "Invalid or missing ACTION ($target)" unless defined $action; if ( $source eq 'all' ) { - for my $zone ( @zones ) { - if ( $includesrcfw || ( $zones{$zone}{type} ne 'firewall' ) ) { + for my $zone ( all_zones ) { + if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) { if ( $dest eq 'all' ) { - for my $zone1 ( @zones ) { - if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) { + for my $zone1 ( all_zones ) { + if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) { if ( $intrazone || ( $zone ne $zone1 ) ) { process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; } @@ -1324,7 +1326,7 @@ sub process_rule ( $$$$$$$$$$ ) { } } else { my $destzone = (split( /:/, $dest, 2 ) )[0]; - $destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid + $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid if ( $intrazone || ( $zone ne $destzone ) ) { process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; } @@ -1332,9 +1334,9 @@ sub process_rule ( $$$$$$$$$$ ) { } } } elsif ( $dest eq 'all' ) { - for my $zone ( @zones ) { + for my $zone ( all_zones ) { my $sourcezone = ( split( /:/, $source, 2 ) )[0]; - if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { + if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; } } @@ -1392,7 +1394,7 @@ sub process_rules() { } } - $comment = ''; + clear_comment; $section = 'DONE'; } 
@@ -1481,6 +1483,7 @@ sub generate_matrix() { my $exclusion_seq = 1; my %chain_exclusions; my %policy_exclusions; + my @interfaces = ( all_interfaces ); for my $interface ( @interfaces ) { addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface ); @@ -1503,9 +1506,9 @@ sub generate_matrix() { # # Special processing for complex zones # - for my $zone ( grep $zones{$_}{options}{complex} , @zones ) { + for my $zone ( complex_zones ) { my $frwd_ref = new_standard_chain "${zone}_frwd"; - my $zoneref = $zones{$zone}; + my $zoneref = find_zone( $zone ); my $exclusions = $zoneref->{exclusions}; if ( @$exclusions ) { @@ -1549,11 +1552,11 @@ sub generate_matrix() { # # Main source-zone matrix-generation loop # - for my $zone ( grep ( $zones{$_}{type} ne 'firewall' , @zones ) ) { - my $zoneref = $zones{$zone}; + for my $zone ( non_firewall_zones ) { + my $zoneref = find_zone( $zone ); my $source_hosts_ref = $zoneref->{hosts}; - my $chain1 = rules_target $firewall_zone , $zone; - my $chain2 = rules_target $zone, $firewall_zone; + my $chain1 = rules_target firewall_zone , $zone; + my $chain2 = rules_target $zone, firewall_zone; my $chain3 = rules_target $zone, $zone; my $complex = $zoneref->{options}{complex} || 0; my $type = $zoneref->{type}; @@ -1571,8 +1574,8 @@ sub generate_matrix() { } if ( $config{DYNAMIC_ZONES} ) { - push @rule_chains , [ $firewall_zone , $zone , $chain1 ] if $chain1; - push @rule_chains , [ $zone , $firewall_zone , $chain2 ]; + push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1; + push @rule_chains , [ $zone , firewall_zone , $chain2 ]; } # @@ -1623,7 +1626,7 @@ sub generate_matrix() { if ( $capabilities{ADDRTYPE} ) { add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1"; } else { - my $interfaceref = $interfaces{$interface}; + my $interfaceref = find_interface( $interface ); my $chain = output_chain $interface; my $chainref = $filter_table->{$chain}; 
@@ -1654,8 +1657,8 @@ sub generate_matrix() { my @temp_zones; ZONE1: - for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) { - my $zone1ref = $zones{$zone1}; + for my $zone1 ( non_firewall_zones ) { + my $zone1ref = find_zone( $zone1 ); my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; next if $policy eq 'NONE'; @@ -1695,7 +1698,7 @@ sub generate_matrix() { $last_chain = ''; } } else { - @dest_zones = grep $zones{$_}{type} ne 'firewall' , @zones ; + @dest_zones = non_firewall_zones ; } # # Here it is -- THE BIG UGLY!!!!!!!!!!!! @@ -1705,7 +1708,7 @@ sub generate_matrix() { # ZONE1: for my $zone1 ( @dest_zones ) { - my $zone1ref = $zones{$zone1}; + my $zone1ref = find_zone( $zone1 ); my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; next if $policy eq 'NONE'; @@ -1841,11 +1844,12 @@ sub generate_matrix() { for my $interface ( @interfaces ) { add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface; add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface; - add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless $interfaces{$interface}{options}{port}; + add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' ); addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface ); } - my $chainref = $filter_table->{"${firewall_zone}2${firewall_zone}"}; + my $fw = firewall_zone; + my $chainref = $filter_table->{"${fw}2${fw}"}; add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT'; 
@@ -1854,8 +1858,8 @@ sub generate_matrix() { nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); - complete_standard_chain $filter_table->{INPUT} , 'all' , $firewall_zone; - complete_standard_chain $filter_table->{OUTPUT} , $firewall_zone , 'all'; + complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone; + complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all'; complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all'; if ( $config{LOGALLNEW} ) { @@ -1913,7 +1917,7 @@ sub setup_mss( ) { } for ( @$interfaces ) { - my $mss = $interfaces{$_}{options}{mss}; + my $mss = get_interface_option( $_, 'mss' ); my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "-o $_ -j RETURN" if $clampmss; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index f7a3e103b..4a1f654e7 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -39,7 +39,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = 4.03; +our $VERSION = '4.04'; our %tcs = ( T => { chain => 'tcpost', connmark => 0, @@ -150,7 +150,7 @@ our %tcdevices; our @tcclasses; our %tcclasses; -our $prefix = '1'; +our $prefix; # # Initialize globals -- we take this novel approach to globals initialization to allow @@ -168,6 +168,11 @@ sub initialize() { %tcdevices = (); @tcclasses = (); %tcclasses = (); + $prefix = '1'; +} + +INIT { + initialize; } sub process_tc_rule( $$$$$$$$$$ ) { 
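Review bot: Moving `$prefix = '1'` out of the declaration and into `initialize()`, with only `INIT { initialize; }` to run it, leaves `$prefix` undefined if Shorewall::Tc is loaded after the INIT phase — a run-time `require` (for example loading the module conditionally) emits "Too late to run INIT block" and the compiler then works with an undef prefix until something calls `initialize` explicitly. Keeping a default in the declaration, `our $prefix = '1';`, while `initialize()` still resets it, is robust under either load order. Either way a note would help: `# $prefix is (re)set in initialize(); do not rely on INIT having run if the module is require'd at run time.`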
@@ -185,13 +190,14 @@ sub process_tc_rule( $$$$$$$$$$ ) { my $connmark = 0; my $classid = 0; my $device = ''; + my $fw = firewall_zone; if ( $source ) { - if ( $source eq $firewall_zone ) { + if ( $source eq $fw ) { $chain = 'tcout'; $source = ''; } else { - $chain = 'tcout' if $source =~ s/^($firewall_zone)://; + $chain = 'tcout' if $source =~ s/^($fw)://; } } @@ -200,7 +206,7 @@ sub process_tc_rule( $$$$$$$$$$ ) { if ( $tcsref ) { if ( $chain eq 'tcout' ) { - fatal_error "Invalid chain designator for source $firewall_zone" unless $tcsref->{fw}; + fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw}; } $chain = $tcsref->{chain} if $tcsref->{chain}; @@ -609,8 +615,8 @@ sub setup_tc() { } } - - $comment = ''; + + clear_comment; } for ( @deferred_rules ) { diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm index 751704550..0e19c0680 100644 --- a/Shorewall-perl/Shorewall/Tunnels.pm +++ b/Shorewall-perl/Shorewall/Tunnels.pm @@ -33,13 +33,15 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tunnels ); our @EXPORT_OK = ( ); -our $VERSION = 4.00; +our $VERSION = '4.03'; # # Here starts the tunnel stuff -- we really should get rid of this crap... # sub setup_tunnels() { + our $fw = firewall_zone; + sub setup_one_ipsec { my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_; 
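Review bot: `$chain = 'tcout' if $source =~ s/^($fw)://;` interpolates the firewall zone name into a regex unquoted, and the capture group is never used. Zone names are presumably restricted to identifier characters elsewhere, but `s/^\Q$fw\E://` costs nothing, removes the dependence on that assumption and makes the literal-prefix intent obvious.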
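Review bot: `our $fw = firewall_zone;` inside `setup_tunnels()` creates a package variable `$Shorewall::Tunnels::fw` that is reassigned on every call, and the reason for `our` instead of `my` is not stated: the named subs nested in `setup_tunnels` (`setup_one_ipsec` here, `setup_one_tunnel` in a later hunk) are compiled once, so a `my` lexical would not be shared with them on later calls ("Variable will not stay shared"). That is non-obvious enough to deserve a line: `# 'our', not 'my': the nested named subs below are compiled once and would not see a re-created lexical.` Confirm my reading — if the nested subs were converted to closures instead, `my` would be the cleaner choice.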
@@ -79,11 +81,10 @@ sub setup_tunnels() { unless ( $gatewayzones eq '-' ) { for my $zone ( split /,/, $gatewayzones ) { - fatal_error "Unknown zone ($zone)" unless $zones{$zone}; - my $type = $zones{$zone}{type}; + my $type = zone_type( $zone ); fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4'; - $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; - $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; + $inchainref = ensure_filter_chain "${zone}2${fw}", 1; + $outchainref = ensure_filter_chain "${fw}2${zone}", 1; unless ( $capabilities{POLICY_MATCH} ) { add_rule $inchainref, "-p 50 $source -j ACCEPT"; @@ -225,14 +226,12 @@ sub setup_tunnels() { sub setup_one_tunnel($$$$) { my ( $kind , $zone, $gateway, $gatewayzones ) = @_; - fatal_error "Unknown zone ($zone)" unless $zones{$zone}; - - my $zonetype = $zones{$zone}{type}; + my $zonetype = zone_type( $zone ); fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype eq 'firewall' || $zonetype eq 'bport4'; - my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; - my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; + my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; + my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; my $source = match_source_net $gateway; my $dest = match_dest_net $gateway; @@ -286,7 +285,7 @@ sub setup_tunnels() { } } - $comment = ''; + clear_comment; } 1; diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 29884dc71..ee9f54866 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm 
@@ -41,9 +41,19 @@ our @EXPORT = qw( NOTHING determine_zones zone_report dump_zone_contents + find_zone + firewall_zone + defined_zone + zone_type + all_zones + complex_zones + non_firewall_zones single_interface validate_interfaces_file + all_interfaces + find_interface known_interface + have_bridges port_to_bridge source_port_to_bridge interface_is_optional @@ -51,16 +61,10 @@ our @EXPORT = qw( NOTHING get_interface_option validate_hosts_file find_hosts_by_option - - @zones - %zones - $firewall_zone - %interfaces - @interfaces - @bridges ); + ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.03; +our $VERSION = '4.03'; # # IPSEC Option types @@ -312,24 +316,24 @@ sub determine_zones() fatal_error "No firewall zone defined" unless $firewall_zone; - my $pushed = 1; my %ordered; - while ( $pushed ) + PUSHED: { - $pushed = 0; ZONE: for my $zone ( @z ) { unless ( $ordered{$zone} ) { - for my $child ( @{$zones{$zone}{children}} ) { - next ZONE unless $ordered{$child}; + for ( @{$zones{$zone}{children}} ) { + next ZONE unless $ordered{$_}; } $ordered{$zone} = 1; push @zones, $zone; - $pushed = 1; + redo PUSHED; } } } + + fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z; } # 
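Review bot: The new `fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z;` fires when the ordering loop cannot place every zone, which from the loop body happens when some zone's `children` entry never becomes ordered — a parent/child cycle, or a child not present in `@z`. That originates in the zones file, not in the compiler, so "Internal error" points users the wrong way; something like `fatal_error "Unable to order zones -- check the zones file for a circular parent/child relationship"` is more actionable (I am inferring the cause from the loop; confirm). A one-line comment that `redo PUSHED` restarts the scan from the first zone after each placement, and that the bare block exits when a full pass places nothing, would also help the next reader.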
@@ -504,6 +508,44 @@ sub add_group_to_zone($$$$$) ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' }; } +# +# Verify that the passed zone name represents a declared zone. Return a +# reference to its zone table entry. +# +sub find_zone( $ ) { + my $zone = $_[0]; + + my $zoneref = $zones{$zone}; + + fatal_error "Unknown zone" unless $zoneref; + + $zoneref; +} + +sub zone_type( $ ) { + find_zone( $_[0] )->{type}; +} + +sub defined_zone( $ ) { + $zones{$_[0]}; +} + +sub all_zones() { + @zones; +} + +sub non_firewall_zones() { + grep ( $zones{$_}{type} ne 'firewall' , @zones ); +} + +sub complex_zones() { + grep( $zones{$_}{options}{complex} , @zones ); +} + +sub firewall_zone() { + $firewall_zone; +} + # # Return a list of networks routed out of the passed interface # @@ -724,7 +766,7 @@ sub validate_interfaces_file( $ ) fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional}; delete $options{maclist} unless @networks; } else { - @networks = @allipv4; + @networks = allipv4; } add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks; @@ -782,6 +824,32 @@ sub known_interface($) 0; } +# +# Return the interfaces list +# +sub all_interfaces() { + @interfaces; +} + +# +# Return a reference to the interfaces table entry for an interface +# +sub find_interface( $ ) { + my $interface = $_[0]; + my $interfaceref = $interfaces{ $interface }; + + fatal_error "Unknown Interface ($interface)" unless $interfaceref; + + $interfaceref; +} + +# +# Returns true if there are bridges defined in the config +# +sub have_bridges() { + @bridges > 0; +} + # # Return the bridge associated with the passed interface. If the interface is not a bridge port, # return '' diff --git a/Shorewall-perl/buildports.pl b/Shorewall-perl/buildports.pl index 0e96b1afe..9704c1cc3 100755 --- a/Shorewall-perl/buildports.pl +++ b/Shorewall-perl/buildports.pl 
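Review bot: `find_zone` dies with a bare `Unknown zone` — the zone name is dropped, whereas every call site this commit replaces (`Unknown zone ($zone)` in Tunnels, `Unknown source zone ($sourcezone)` in Rules) included it, and `find_interface` in the same file reports `Unknown Interface ($interface)`. Use `fatal_error "Unknown zone ($zone)" unless $zoneref;` so the message remains diagnosable. Note that `zone_type` routes through `find_zone`, so every former `$zones{$zone}{type}` lookup now inherits this message.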
@@ -123,8 +123,11 @@ use warnings; our @ISA = qw(Exporter); our @EXPORT = qw( %protocols %services ); our @EXPORT_OK = qw(); -our $VERSION = '1.00'; +EOF +print "our \$VERSION = '$globals{VERSION}';\n"; + +print <<'EOF'; our %protocols = ( EOF diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl index 5bb8c62e6..ee88ee983 100755 --- a/Shorewall-perl/compiler.pl +++ b/Shorewall-perl/compiler.pl @@ -32,6 +32,7 @@ # --directory= # Directory where configuration resides (default is /etc/shorewall) # --timestamp # Timestamp all progress messages # --debug # Print stack trace on warnings and fatal error. +# --refresh= # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'. # use strict; use FindBin; @@ -40,7 +41,7 @@ use Shorewall::Compiler; use Getopt::Long; sub usage() { - print STDERR "usage: compiler.pl [ --export ] [ --directory= ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ ]\n"; + print STDERR "usage: compiler.pl [ --export ] [ --directory= ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ --refresh= ] [ ]\n"; exit 1; } @@ -52,6 +53,7 @@ my $shorewall_dir = ''; my $verbose = 0; my $timestamp = ''; my $debug = 0; +my $chains = ''; Getopt::Long::Configure ('bundling'); @@ -63,7 +65,9 @@ my $result = GetOptions('export' => \$export, 'v=i' => \$verbose, 'timestamp' => \$timestamp, 't' => \$timestamp, - 'debug' => \$debug + 'debug' => \$debug, + 'r=s' => \$chains, + 'refresh=s' => \$chains ); usage unless $result && @ARGV < 2; @@ -74,4 +78,4 @@ $options |= EXPORT if $export; $options |= TIMESTAMP if $timestamp; $options |= DEBUG if $debug; -compiler $ARGV[0], $shorewall_dir, $verbose, $options; +compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains; diff --git a/Shorewall-perl/diff-4.0-lib.base b/Shorewall-perl/diff-4.0-lib.base deleted file mode 100644 index d4268443d..000000000 --- a/Shorewall-perl/diff-4.0-lib.base +++ /dev/null 
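Review bot: The usage string still advertises `[ -- debuging ]`, which is neither the option GetOptions accepts (`debug`) nor a word; it predates this change, but since the line is being edited to add `--refresh=` this is the moment to correct it to `[ --debug ]`. The value placeholders after `--directory=`, `--verbose=` and `--refresh=` also appear empty in this rendering, so check that the committed line actually states what each option takes.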
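Review bot: The `--refresh`/`-r` value is forwarded to `compiler` in the last hunk as the raw command-line string `$chains`; where it ends up is not visible here, but if it is written into the generated firewall script or used to build iptables commands, each comma-separated name should be checked before being passed on, e.g. `die "Invalid chain name in --refresh\n" if grep { !/^[\w.-]+\z/ } split /,/, $chains;` (align the pattern with whatever chain-name rules the compiler already enforces). The header comment should also say what an empty value means — the comment above implies the default is `blacklst`.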
@@ -1,788 +0,0 @@ ---- ../Shorewall-common/lib.base 2007-07-22 06:29:50.000000000 -0700 -+++ prog.header 2007-07-22 06:29:50.000000000 -0700 -@@ -1,48 +1,27 @@ --#!/bin/sh --# --# Shorewall 4.0 -- /usr/share/shorewall/lib.base --# - # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] - # - # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) - # --# Complete documentation is available at http://shorewall.net -+# Options are: - # --# This program is free software; you can redistribute it and/or modify --# it under the terms of Version 2 of the GNU General Public License --# as published by the Free Software Foundation. --# --# This program is distributed in the hope that it will be useful, --# but WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --# GNU General Public License for more details. --# --# You should have received a copy of the GNU General Public License --# along with this program; if not, write to the Free Software --# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --# --# This library contains the code common to all Shorewall components. --# --# - It is copied into the compiled script with the -e compiler flag is specified to --# shorewall-shell. --# - It is loaded by /sbin/shorewall. --# - It is loaded by /usr/share/shorewall/firewall. --# - It is loaded by /usr/share/shorewall-shell/compiler. --# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite --# and /usr/share/shorewall-lite/shorecap. --# - It is released as part of Shorewall Perl where it is copied into the compiled script --# by the compiler. 
--# -- --SHOREWALL_LIBVERSION=40000 --SHOREWALL_CAPVERSION=30405 -- --[ -n "${VARDIR:=/var/lib/shorewall}" ] --[ -n "${SHAREDIR:=/usr/share/shorewall}" ] --[ -n "${CONFDIR:=/etc/shorewall}" ] --SHELLSHAREDIR=/usr/share/shorewall-shell --PERLSHAREDIR=/usr/share/shorewall-perl -- -+# -n Don't alter Routing -+# -v and -q Standard Shorewall Verbosity control -+# -+# Commands are: -+# -+# start Starts the firewall -+# refresh Refresh the firewall -+# restart Restarts the firewall -+# reload Reload the firewall -+# clear Removes all firewall rules -+# stop Stops the firewall -+# status Displays firewall status -+# version Displays the version of Shorewall that -+# generated this program -+# -+################################################################################ -+# Functions imported from /usr/share/shorewall/lib.base -+################################################################################ - # - # Message to stderr - # -@@ -111,20 +90,6 @@ - } - - # --# Undo the effect of 'separate_list()' --# --combine_list() --{ -- local f o= -- -- for f in $* ; do -- o="${o:+$o,}$f" -- done -- -- echo $o --} -- --# - # Suppress all output for a command - # - qt() -@@ -310,83 +275,6 @@ - } - - # --# Call this function to assert mutual exclusion with Shorewall. If you invoke the --# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as --# the first argument. Example "shorewall nolock refresh" --# --# This function uses the lockfile utility from procmail if it exists. --# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the --# behavior of lockfile. 
--# --mutex_on() --{ -- local try=0 -- local lockf=${LOCKFILE:=${VARDIR}/lock} -- -- MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} -- -- if [ $MUTEX_TIMEOUT -gt 0 ]; then -- -- [ -d ${VARDIR} ] || mkdir -p ${VARDIR} -- -- if qt mywhich lockfile; then -- lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} -- else -- while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do -- sleep 1 -- try=$((${try} + 1)) -- done -- -- if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then -- # Create the lockfile -- echo $$ > ${lockf} -- else -- echo "Giving up on lock file ${lockf}" >&2 -- fi -- fi -- fi --} -- --# --# Call this function to release mutual exclusion --# --mutex_off() --{ -- rm -f ${LOCKFILE:=${VARDIR}/lock} --} -- --# --# Load an optional library --# --lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found --{ -- local lib=${SHAREDIR}/lib.$1 -- local loaded -- -- eval loaded=\$LIB_${1}_LOADED -- -- if [ -z "$loaded" ]; then -- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1 -- -- if [ -f $lib ]; then -- progress_message "Loading library $lib..." -- . $lib -- eval LIB_${1}_LOADED=Yes -- else -- startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed" -- fi -- fi --} -- --# --# Determine if an optional library is available --# --lib_avail() # $1 = Name of the Library --{ -- [ -f ${SHAREDIR}/lib.$1 ] --} -- --# - # Note: The following set of IP address manipulation functions have anomalous - # behavior when the shell only supports 32-bit signed arithmetic and - # the IP address is 128.0.0.0 or 128.0.0.1. -@@ -395,32 +283,6 @@ - LEFTSHIFT='<<' - - # --# Validate an IP address --# --valid_address() { -- local x y -- local ifs=$IFS -- -- IFS=. 
-- -- for x in $1; do -- case $x in -- [0-9]|[0-9][0-9]|[1-2][0-9][0-9]) -- [ $x -lt 256 ] || { IFS=$ifs; return 2; } -- ;; -- *) -- IFS=$ifs -- return 2 -- ;; -- esac -- done -- -- IFS=$ifs -- -- return 0 --} -- --# - # Convert an IP address in dot quad format to an integer - # - decodeaddr() { -@@ -456,88 +318,6 @@ - } - - # --# Enumerate the members of an IP range -- When using a shell supporting only --# 32-bit signed arithmetic, the range cannot span 128.0.0.0. --# --# Comes in two flavors: --# --# ip_range() - produces a mimimal list of network/host addresses that spans --# the range. --# --# ip_range_explicit() - explicitly enumerates the range. --# --ip_range() { -- local first last l x y z vlsm -- -- case $1 in -- !*) -- # -- # Let iptables complain if it's a range -- # -- echo $1 -- return -- ;; -- [0-9]*.*.*.*-*.*.*.*) -- ;; -- *) -- echo $1 -- return -- ;; -- esac -- -- first=$(decodeaddr ${1%-*}) -- last=$(decodeaddr ${1#*-}) -- -- if [ $first -gt $last ]; then -- fatal_error "Invalid IP address range: $1" -- fi -- -- l=$(( $last + 1 )) -- -- while [ $first -le $last ]; do -- vlsm= -- x=31 -- y=2 -- z=1 -- -- while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do -- vlsm=/$x -- x=$(( $x - 1 )) -- z=$y -- y=$(( $y * 2 )) -- done -- -- echo $(encodeaddr $first)$vlsm -- first=$(($first + $z)) -- done --} -- --ip_range_explicit() { -- local first last -- -- case $1 in -- [0-9]*.*.*.*-*.*.*.*) -- ;; -- *) -- echo $1 -- return -- ;; -- esac -- -- first=$(decodeaddr ${1%-*}) -- last=$(decodeaddr ${1#*-}) -- -- if [ $first -gt $last ]; then -- fatal_error "Invalid IP address range: $1" -- fi -- -- while [ $first -le $last ]; do -- echo $(encodeaddr $first) -- first=$(($first + 1)) -- done --} -- --# - # Netmask from CIDR - # - ip_netmask() { -@@ -588,60 +368,6 @@ - } - - # --# Netmask to VLSM --# --ip_vlsm() { -- local mask=$(decodeaddr $1) -- local vlsm=0 -- local x=$(( 128 << 24 )) # 0x80000000 -- -- while [ $(( $x & $mask )) -ne 0 ]; do -- [ 
$mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. -- vlsm=$(($vlsm + 1)) -- done -- -- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff -- echo "Invalid net mask: $1" >&2 -- else -- echo $vlsm -- fi --} -- -- --# --# Chain name base for an interface -- replace all periods with underscores in the passed name. --# The result is echoed (less trailing "+"). --# --chain_base() #$1 = interface --{ -- local c=${1%%+} -- -- while true; do -- case $c in -- @*) -- c=at_${c#@} -- ;; -- *.*) -- c="${c%.*}_${c##*.}" -- ;; -- *-*) -- c="${c%-*}_${c##*-}" -- ;; -- *%*) -- c="${c%\%*}_${c##*%}" -- ;; -- *@*) -- c="${c%@*}_${c##*@}" -- ;; -- *) -- echo ${c:=common} -- return -- ;; -- esac -- done --} -- --# - # Query NetFilter about the existence of a filter chain - # - chain_exists() # $1 = chain name -@@ -879,21 +605,6 @@ - } - - # --# Set default config path --# --ensure_config_path() { -- local F=${SHAREDIR}/configpath -- if [ -z "$CONFIG_PATH" ]; then -- [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } -- . $F -- fi -- -- if [ -n "$SHOREWALL_DIR" ]; then -- [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH -- fi --} -- --# - # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR} - # - find_file() -@@ -918,54 +629,6 @@ - } - - # --# Get fully-qualified name of file --# --resolve_file() # $1 = file name --{ -- local pwd=$PWD -- -- case $1 in -- /*) -- echo $1 -- ;; -- .) -- echo $pwd -- ;; -- ./*) -- echo ${pwd}${1#.} -- ;; -- ..) -- cd .. -- echo $PWD -- cd $pwd -- ;; -- ../*) -- cd .. 
-- resolve_file ${1#../} -- cd $pwd -- ;; -- *) -- echo $pwd/$1 -- ;; -- esac --} -- --# --# Perform variable substitution on the passed argument and echo the result --# --expand() # $@ = contents of variable which may be the name of another variable --{ -- eval echo \"$@\" --} -- --# --# Function for including one file into another --# --INCLUDE() { -- . $(find_file $(expand $@)) --} -- --# - # Set the Shorewall state - # - set_state () # $1 = state -@@ -974,200 +637,6 @@ - } - - # --# Determine which optional facilities are supported by iptables/netfilter --# --determine_capabilities() { -- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= -- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= -- -- CONNTRACK_MATCH= -- MULTIPORT= -- XMULTIPORT= -- POLICY_MATCH= -- PHYSDEV_MATCH= -- IPRANGE_MATCH= -- RECENT_MATCH= -- OWNER_MATCH= -- IPSET_MATCH= -- CONNMARK= -- XCONNMARK= -- CONNMARK_MATCH= -- XCONNMARK_MATCH= -- RAW_TABLE= -- IPP2P_MATCH= -- LENGTH_MATCH= -- CLASSIFY_TARGET= -- ENHANCED_REJECT= -- USEPKTTYPE= -- KLUDGEFREE= -- MARK= -- XMARK= -- MANGLE_FORWARD= -- COMMENTS= -- ADDRTYPE= -- TCPMSS_MATCH= -- -- qt $IPTABLES -N fooX1234 -- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes -- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes -- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes -- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes -- -- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then -- PHYSDEV_MATCH=Yes -- fi -- -- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then -- IPRANGE_MATCH=Yes -- if [ -z "${KLUDGEFREE}" ]; then -- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes -- fi -- fi -- -- 
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes -- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes -- -- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then -- CONNMARK_MATCH=Yes -- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes -- fi -- -- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes -- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes -- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes -- -- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes -- -- if [ -n "$MANGLE_ENABLED" ]; then -- qt $IPTABLES -t mangle -N fooX1234 -- -- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then -- MARK=Yes -- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes -- fi -- -- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then -- CONNMARK=Yes -- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes -- fi -- -- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes -- qt $IPTABLES -t mangle -F fooX1234 -- qt $IPTABLES -t mangle -X fooX1234 -- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes -- fi -- -- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes -- -- if qt mywhich ipset; then -- qt ipset -X fooX1234 # Just in case something went wrong the last time -- -- if qt ipset -N fooX1234 iphash ; then -- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then -- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT -- IPSET_MATCH=Yes -- fi -- qt ipset -X fooX1234 -- fi -- fi -- -- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes -- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes -- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN 
-m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes -- -- qt $IPTABLES -F fooX1234 -- qt $IPTABLES -X fooX1234 -- -- CAPVERSION=$SHOREWALL_CAPVERSION --} -- --report_capabilities() { -- report_capability() # $1 = Capability Description , $2 Capability Setting (if any) -- { -- local setting= -- -- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" -- -- echo " " $1: $setting -- } -- -- if [ $VERBOSE -gt 1 ]; then -- echo "Shorewall has detected the following iptables/netfilter capabilities:" -- report_capability "NAT" $NAT_ENABLED -- report_capability "Packet Mangling" $MANGLE_ENABLED -- report_capability "Multi-port Match" $MULTIPORT -- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT -- report_capability "Connection Tracking Match" $CONNTRACK_MATCH -- report_capability "Packet Type Match" $USEPKTTYPE -- report_capability "Policy Match" $POLICY_MATCH -- report_capability "Physdev Match" $PHYSDEV_MATCH -- report_capability "Packet length Match" $LENGTH_MATCH -- report_capability "IP range Match" $IPRANGE_MATCH -- report_capability "Recent Match" $RECENT_MATCH -- report_capability "Owner Match" $OWNER_MATCH -- report_capability "Ipset Match" $IPSET_MATCH -- report_capability "CONNMARK Target" $CONNMARK -- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK -- report_capability "Connmark Match" $CONNMARK_MATCH -- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH -- report_capability "Raw Table" $RAW_TABLE -- report_capability "IPP2P Match" $IPP2P_MATCH -- report_capability "CLASSIFY Target" $CLASSIFY_TARGET -- report_capability "Extended REJECT" $ENHANCED_REJECT -- report_capability "Repeat match" $KLUDGEFREE -- report_capability "MARK Target" $MARK -- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK -- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD -- report_capability "Comments" $COMMENTS -- report_capability "Address Type 
Match" $ADDRTYPE -- report_capability "TCPMSS Match" $TCPMSS_MATCH -- fi -- -- [ -n "$PKTTYPE" ] || USEPKTTYPE= -- --} -- --report_capabilities1() { -- report_capability1() # $1 = Capability -- { -- eval echo $1=\$$1 -- } -- -- echo "#" -- echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" -- echo "#" -- report_capability1 NAT_ENABLED -- report_capability1 MANGLE_ENABLED -- report_capability1 MULTIPORT -- report_capability1 XMULTIPORT -- report_capability1 CONNTRACK_MATCH -- report_capability1 USEPKTTYPE -- report_capability1 POLICY_MATCH -- report_capability1 PHYSDEV_MATCH -- report_capability1 LENGTH_MATCH -- report_capability1 IPRANGE_MATCH -- report_capability1 RECENT_MATCH -- report_capability1 OWNER_MATCH -- report_capability1 IPSET_MATCH -- report_capability1 CONNMARK -- report_capability1 XCONNMARK -- report_capability1 CONNMARK_MATCH -- report_capability1 XCONNMARK_MATCH -- report_capability1 RAW_TABLE -- report_capability1 IPP2P_MATCH -- report_capability1 CLASSIFY_TARGET -- report_capability1 ENHANCED_REJECT -- report_capability1 KLUDGEFREE -- report_capability1 MARK -- report_capability1 XMARK -- report_capability1 MANGLE_FORWARD -- report_capability1 COMMENTS -- report_capability1 ADDRTYPE -- -- echo CAPVERSION=$SHOREWALL_CAPVERSION --} -- --# - # Delete IP address - # - del_ip_addr() # $1 = address, $2 = interface -@@ -1286,82 +755,6 @@ - cut -b -${1} - } - --# --# Add a logging rule. --# --do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule --{ -- local level=$1 -- local chain=$2 -- local displayChain=$3 -- local disposition=$4 -- local rulenum= -- local limit= -- local tag= -- local command= -- local prefix -- local base=$(chain_base $displayChain) -- local pf -- -- limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. 
-- tag=${6:+$6 } -- command=${7:--A} -- -- shift 7 -- -- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then -- displayChain=$tag -- tag= -- fi -- -- if [ -n "$LOGRULENUMBERS" ]; then -- # -- # Hack for broken printf on some lightweight shells -- # -- [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf) -- -- eval rulenum=\$${base}_logrules -- -- rulenum=${rulenum:-1} -- -- prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}" -- -- rulenum=$(($rulenum + 1)) -- eval ${base}_logrules=$rulenum -- else -- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}" -- fi -- -- if [ ${#prefix} -gt 29 ]; then -- prefix=`echo "$prefix" | truncate 29` -- error_message "WARNING: Log Prefix shortened to \"$prefix\"" -- fi -- -- case $level in -- ULOG) -- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" -- ;; -- *) -- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" -- ;; -- esac -- -- if [ $? -ne 0 ] ; then -- [ -z "$STOPPING" ] && { stop_firewall; exit 2; } -- fi --} -- --do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule --{ -- local level=$1 -- local chain=$2 -- local disposition=$3 -- -- shift 3 -- -- do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ --} -- - delete_tc1() - { - clear_one_tc() { -@@ -1496,65 +889,6 @@ - - echo echo - } -- --# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: --# --# None - No mktemp --# BSD - BSD mktemp (Mandrake) --# STD - mktemp.org mktemp --# --find_mktemp() { -- local mktemp=`mywhich mktemp 2> /dev/null` -- -- if [ -n "$mktemp" ]; then -- if qt mktemp -V ; then -- MKTEMP=STD -- else -- MKTEMP=BSD -- fi -- else -- MKTEMP=None -- fi --} -- --# --# create a temporary file. If a directory name is passed, the file will be created in --# that directory. Otherwise, it will be created in a temporary directory. 
--# --mktempfile() { -- -- [ -z "$MKTEMP" ] && find_mktemp -- -- if [ $# -gt 0 ]; then -- case "$MKTEMP" in -- BSD) -- mktemp $1/shorewall.XXXXXX -- ;; -- STD) -- mktemp -p $1 shorewall.XXXXXX -- ;; -- None) -- > $1/shorewall-$$ && echo $1/shorewall-$$ -- ;; -- *) -- error_message "ERROR:Internal error in mktempfile" -- ;; -- esac -- else -- case "$MKTEMP" in -- BSD) -- mktemp /tmp/shorewall.XXXXXX -- ;; -- STD) -- mktemp -t shorewall.XXXXXX -- ;; -- None) -- rm -f /tmp/shorewall-$$ -- > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ -- ;; -- *) -- error_message "ERROR:Internal error in mktempfile" -- ;; -- esac -- fi --} -+################################################################################ -+# End of functions imported from /usr/share/shorewall/lib.base -+################################################################################ diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index b5699880f..4fa2f5e81 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.3 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions index 86051f2b1..65cd51598 100644 --- a/Shorewall-perl/prog.functions +++ b/Shorewall-perl/prog.functions @@ -6,11 +6,9 @@ delete_proxyarp() { while read address interface external haveroute; do qt arp -i $external -d $address pub [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + interface=/proc/sys/net/ipv4/conf/$interface + [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp done < ${VARDIR}/proxyarp - - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done fi rm -f ${VARDIR}/proxyarp diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header index 75f88165a..5befe75cf 100644 --- a/Shorewall-perl/prog.header +++ b/Shorewall-perl/prog.header 
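Review bot: The new test `[ -f $interface/proxyarp ]` probes a file named `proxyarp`, but the sysctl written by the following command is `proxy_arp`; the probe can never match, so proxy ARP is never switched off for the interface and the `echo 0` is dead code. The line should read `[ -f $interface/proxy_arp ] && echo 0 > $interface/proxy_arp`. Reusing `$interface` to hold the `/proc` path is also easy to misread on the next loop iteration; a separate name such as `procdir` makes the intent plain. Note that this change narrows the old behaviour from resetting every directory under `/proc/sys/net/ipv4/conf` to only the interfaces recorded in `${VARDIR}/proxyarp`, which is presumably the intended fix.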
@@ -636,6 +636,21 @@ set_state () # $1 = state echo "$1 ($(date))" > ${VARDIR}/state } +# +# Perform variable substitution on the passed argument and echo the result +# +expand() # $@ = contents of variable which may be the name of another variable +{ + eval echo \"$@\" +} + +# +# Function for including one file into another +# +INCLUDE() { + . $(find_file $(expand $@)) +} + # # Delete IP address # diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index f33d1b09b..7fc814caa 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.0.3 +%define version 4.0.4 %define release 1 Summary: Shoreline Firewall Perl-based compiler. @@ -72,6 +72,8 @@ fi %doc COPYING releasenotes.txt %changelog +* Wed Sep 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.4-1 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.3-1 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/README.txt b/Shorewall-shell/README.txt index 92ed43b45..342969c96 100644 --- a/Shorewall-shell/README.txt +++ b/Shorewall-shell/README.txt @@ -1 +1 @@ -This is the Shorewall-shell Development 4.1 branch of SVN. +This is the Shorewall-shell Stable 4.0 branch of SVN. diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index e7323cd20..6a0165af8 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.3 +VERSION=4.0.4 usage() # $1 = exit status { diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index e52192929..f335bf07c 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec 
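Review bot: `INCLUDE` sources the result of `find_file` unquoted and without checking that anything was found, so a missing file yields `.` with an empty or word-split argument and an opaque shell error instead of a clear message. `expand` passes its argument through `eval`, so any `$(…)` or backtick in the text is executed; that deserves a comment on the function such as `# NOTE: the text goes through eval, so command substitutions in it are executed -- pass only trusted configuration text.` Whether `find_file` itself reports a miss is not visible here (it is defined outside the hunk); the version below resolves the path once, verifies it, and quotes it, and assumes `startup_error` is the error helper available in the generated script.
```shell
INCLUDE() {
    local file
    file=$(find_file $(expand $@))
    [ -n "$file" -a -f "$file" ] || startup_error "INCLUDE: file not found ($*)"
    . "$file"
}
```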
@@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.0.3 +%define version 4.0.4 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -81,6 +81,8 @@ fi %doc COPYING INSTALL %changelog +* Wed Sep 05 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.4-1 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.3-1 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net