From 2b2200145f2723054fee4036f3247497c6934e0d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 22 Jul 2011 06:36:59 -0700 Subject: [PATCH 01/11] Clean up push_irule() after branching 4.4. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 747c25d2f..6813bf7d0 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1069,17 +1069,11 @@ sub push_irule( $$$;@ ) { $chainref->{referenced} = 1; - if ( $ruleref->{simple} = ! @matches ) { - push @{$chainref->{rules}}, $ruleref; - - } else { - # - # In the future, we can expand port lists here - # + unless ( $ruleref->{simple} = ! @matches ) { $chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches ); - push @{$chainref->{rules}}, $ruleref; } + push @{$chainref->{rules}}, $ruleref; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; From 49918b654e229b988af28175b2fbab65df0ee8bf Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 4 Mar 2013 09:56:10 -0800 Subject: [PATCH 02/11] Support '=' in SOURCE PORT(S) columns Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 24 ++++++++++++----- Shorewall/manpages/shorewall-accounting.xml | 6 +++++ Shorewall/manpages/shorewall-conntrack.xml | 6 +++++ Shorewall/manpages/shorewall-routestopped.xml | 6 +++++ Shorewall/manpages/shorewall-rules.xml | 26 +++++++++++-------- Shorewall/manpages/shorewall-stoppedrules.xml | 6 +++++ Shorewall6/manpages/shorewall6-accounting.xml | 6 +++++ Shorewall6/manpages/shorewall6-conntrack.xml | 6 +++++ Shorewall6/manpages/shorewall6-rules.xml | 24 ++++++++++------- Shorewall6/manpages/shorewall6-secmarks.xml | 6 +++++ .../manpages/shorewall6-stoppedrules.xml | 6 +++++ Shorewall6/manpages/shorewall6-tcrules.xml | 6 +++++ 12 files changed, 101 insertions(+), 27 deletions(-) 
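Review bot: The new `unless ( $ruleref->{simple} = ! @matches )` makes the assignment to `$ruleref->{simple}` a side effect of a negated condition, which reads like a mistyped `==`. Splitting it keeps the intent visible: `$ruleref->{simple} = ! @matches;` followed by `if ( @matches ) { $chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches ); }`. The dropped comment about expanding port lists was the only note on why this branch exists; if that plan still stands, keep it as a `# TODO:` above the `if`. push_irule's body continues outside the hunk on both sides.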
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 91c8bbd2f..03efdb744 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -4158,9 +4158,12 @@ sub do_proto( $$$;$ ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { my $multiport = 0; + my $srcndst = 0; if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; + $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' ); + if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; @@ -4174,18 +4177,19 @@ sub do_proto( $$$;$ ) } $ports = validate_port_list $pname , $ports; - $output .= "-m multiport ${invert}--dports ${ports} "; + $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " ); $multiport = 1; } else { fatal_error "Missing DEST PORT" unless supplied $ports; $ports = validate_portpair $pname , $ports; - $output .= "${invert}--dport ${ports} "; + $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " ); } } else { $multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); } if ( $sports ne '' ) { + fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '='; $invert = $sports =~ s/^!// ? '! ' : ''; if ( $multiport ) { 
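Review bot: The added `$sports = '', require_capability( ... ) if ( $srcndst = $sports eq '=' );` packs a comma-operator statement and an embedded assignment into one postfix-if line, and the identical line appears in do_iproto's first hunk. A block form reads as the two statements it is: `if ( $srcndst = ( $sports eq '=' ) ) { require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ); $sports = ''; }`. Clearing `$sports` before the `tr/,/,/` test is what keeps the '=' from being counted as a source-port list and from reaching the later `if ( $sports ne '' )` block, so a one-line comment saying so above the line would save the next reader the trace. do_proto continues outside both hunks.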
@@ -4348,9 +4352,12 @@ sub do_iproto( $$$ ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { my $multiport = 0; + my $srcndst = 0; if ( $ports ne '' ) { - $invert = $ports =~ s/^!// ? '! ' : ''; + $invert = $ports =~ s/^!// ? '! ' : ''; + $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' ); + if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; @@ -4364,18 +4371,24 @@ sub do_iproto( $$$ ) } $ports = validate_port_list $pname , $ports; - push @output, multiport => "${invert}--dports ${ports}"; + push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " ); $multiport = 1; } else { fatal_error "Missing DEST PORT" unless supplied $ports; $ports = validate_portpair $pname , $ports; - push @output, dport => "${invert}${ports}"; + + if ( $srcndst ) { + push @output, multiport => "${invert}--ports ${ports}"; + } else { + push @output, dport => "${invert}${ports}"; + } } } else { $multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); } if ( $sports ne '' ) { + fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '='; $invert = $sports =~ s/^!// ? '! ' : ''; if ( $multiport ) { @@ -4448,7 +4461,6 @@ sub do_iproto( $$$ ) last PROTO; } - fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; } # PROTO diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index b4990f2fe..e21ffca2c 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml 
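Review bot: The rewritten `push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );` carries a `-m multiport` prefix and a trailing space that the line it replaces (`multiport => "${invert}--dports ${ports}"`) and the new `multiport => "${invert}--ports ${ports}"` pair a few lines below do not. If the consumer of `@output` derives the match module from the key, as the neighbouring `dport =>` pair suggests, the list form will emit the module twice; the value looks copied from do_proto's string form. Suggested: `push @output, multiport => ( $srcndst ? "${invert}--ports ${ports}" : "${invert}--dports ${ports}" );`. do_iproto continues outside the hunk.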
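Review bot: The deleted `fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';` was the last check in the PROTO block of do_iproto, and its removal is not covered by the commit subject. Unless that line had become unreachable (the branches above it are outside the hunk, so I cannot tell), an entry that gives ports with a protocol that has no port match now passes validation and the generated rule matches on the protocol alone, which is broader than the entry reads. If the removal is intentional the commit message should say why; otherwise the line should be restored. do_iproto continues outside the hunk.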
@@ -452,6 +452,12 @@ You may place a comma-separated list of port numbers in this column if your kernel and iptables include multiport match support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index efbfba528..dc5a8bee5 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -384,6 +384,12 @@ ranges of the form low-port:high-port if your kernel and iptables include port range support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml index ff5e267ff..d5b1ebece 100644 --- a/Shorewall/manpages/shorewall-routestopped.xml +++ b/Shorewall/manpages/shorewall-routestopped.xml @@ -161,6 +161,12 @@ include port ranges of the form low-port:high-port if your kernel and iptables include port range support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index b2b7bae46..770bb9335 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml 
@@ -1045,6 +1045,12 @@ port is acceptable. Specified as a comma- separated list of port names, port numbers or port ranges. + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). + Unless you really understand IP, you should leave this column empty or place a dash (-) @@ -1052,20 +1058,18 @@ wrong. -
- If you don't want to restrict client ports but need to - specify an ORIGINAL DEST in the - next column, then place "-" in this column. + If you don't want to restrict client ports but need to specify + an ORIGINAL DEST in the next + column, then place "-" in this column. - If your kernel contains multi-port match support, then only - a single Netfilter rule will be generated if in this list and the - DEST PORT(S) list above: + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and the + DEST PORT(S) list above: - 1. There are 15 or less ports listed. + 1. There are 15 or less ports listed. - 2. No port ranges are included or your kernel and iptables - contain extended multiport match support. -
+ 2. No port ranges are included or your kernel and iptables + contain extended multiport match support. diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml index 29cc18768..29d3ee03c 100644 --- a/Shorewall/manpages/shorewall-stoppedrules.xml +++ b/Shorewall/manpages/shorewall-stoppedrules.xml @@ -125,6 +125,12 @@ include port ranges of the form low-port:high-port if your kernel and iptables include port range support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index ffcb10274..24487b8a6 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -393,6 +393,12 @@ You may place a comma-separated list of port numbers in this column if your kernel and ip6tables include multiport match support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 25bd14464..f504252a7 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml 
@@ -276,6 +276,12 @@ ranges of the form low-port:high-port if your kernel and iptables include port range support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index a3c07b53d..12cddbc32 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -998,6 +998,12 @@ acceptable. Specified as a comma- separated list of port names, port numbers or port ranges. + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). + Unless you really understand IP, you should leave this column empty or place a dash (-) @@ -1005,19 +1011,17 @@ wrong. -
- If you don't want to restrict client ports but need to - specify a later column, then place "-" in this column. + If you don't want to restrict client ports but need to specify + a later column, then place "-" in this column. - If your kernel contains multi-port match support, then only - a single Netfilter rule will be generated if in this list and the - DEST PORT(S) list above: + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and the + DEST PORT(S) list above: - 1. There are 15 or less ports listed. + 1. There are 15 or less ports listed. - 2. No port ranges are included or your kernel and ip6tables - contain extended multiport match support. -
+ 2. No port ranges are included or your kernel and ip6tables + contain extended multiport match support. diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index 547683b45..6bf1a59cc 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml @@ -269,6 +269,12 @@ Optional source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml index f3250def5..008916b87 100644 --- a/Shorewall6/manpages/shorewall6-stoppedrules.xml +++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml @@ -125,6 +125,12 @@ include port ranges of the form low-port:high-port if your kernel and iptables include port range support. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 6ac580ee4..227d08a1e 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml 
@@ -809,6 +809,12 @@ Normal-Service => 0x00 An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). From 631c1ac843f6d29b663c7518c091bc63b33eec28 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 4 Mar 2013 12:53:00 -0800 Subject: [PATCH 03/11] Mention the multiport match requirement for '=' Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-accounting.xml | 3 ++- Shorewall/manpages/shorewall-conntrack.xml | 3 ++- Shorewall/manpages/shorewall-routestopped.xml | 3 ++- Shorewall/manpages/shorewall-rules.xml | 3 ++- Shorewall/manpages/shorewall-stoppedrules.xml | 3 ++- Shorewall6/manpages/shorewall6-accounting.xml | 3 ++- Shorewall6/manpages/shorewall6-rules.xml | 3 ++- Shorewall6/manpages/shorewall6-secmarks.xml | 3 ++- Shorewall6/manpages/shorewall6-stoppedrules.xml | 3 ++- Shorewall6/manpages/shorewall6-tcrules.xml | 3 ++- 10 files changed, 20 insertions(+), 10 deletions(-) diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index e21ffca2c..974e1e136 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -457,7 +457,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index dc5a8bee5..0b41e1f30 100644 
--- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -389,7 +389,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml index d5b1ebece..ce2cd3087 100644 --- a/Shorewall/manpages/shorewall-routestopped.xml +++ b/Shorewall/manpages/shorewall-routestopped.xml @@ -166,7 +166,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 770bb9335..9182eeb52 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -1049,7 +1049,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. Unless you really understand IP, you should leave this diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml index 29d3ee03c..0046b2f37 100644 --- a/Shorewall/manpages/shorewall-stoppedrules.xml +++ b/Shorewall/manpages/shorewall-stoppedrules.xml 
@@ -130,7 +130,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index 24487b8a6..38c34592c 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -398,7 +398,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 12cddbc32..0ed504394 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -1002,7 +1002,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. Unless you really understand IP, you should leave this diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index 6bf1a59cc..ec6d36b83 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml 
@@ -274,7 +274,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml index 008916b87..c129d1d13 100644 --- a/Shorewall6/manpages/shorewall6-stoppedrules.xml +++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml @@ -130,7 +130,8 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml index 227d08a1e..f40b27337 100644 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ b/Shorewall6/manpages/shorewall6-tcrules.xml @@ -814,7 +814,8 @@ Normal-Service => 0x00 column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. From 6ffedae4fba812fe6c14a941ef9b18aae7e5b44f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 5 Mar 2013 08:39:14 -0800 Subject: [PATCH 04/11] Document '=' in the SOURCE PORT(S) column of shorewall-tcrules(5) Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-tcrules.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml index a2f8d4aa0..fa3e5bd7b 100644 --- a/Shorewall/manpages/shorewall-tcrules.xml 
+++ b/Shorewall/manpages/shorewall-tcrules.xml @@ -933,6 +933,13 @@ Normal-Service => 0x00 An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). Use of '=' requires multiport match in your iptables + and kernel. From 0bb62ed2908739f6e7b95dfbe17ce2df72916897 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 06:12:43 -0800 Subject: [PATCH 05/11] Avoid duplicate echo command in generated script. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 1 - 1 file changed, 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 233cf42dc..41c6a5ada 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -867,7 +867,6 @@ CEOF emit "fi\n"; } else { - emit( qq(echo 0 > \${VARDIR}/${physical}.status) ); emit( qq(progress_message "Provider $table ($number) Started") ); } From 32b2030e59adc2ae0b8fd51058787e6a7f68771b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 07:03:41 -0800 Subject: [PATCH 06/11] Remove duplicate interface names in generated case statement. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 41c6a5ada..c419fcfe6 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
@@ -221,10 +221,21 @@ sub copy_and_edit_table( $$$$ ) { my ( $duplicate, $number, $copy, $realm) = @_; my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : ''; + my %copied; + my @copy; + # + # Remove duplicates + # + for ( split ',', $copy ) { + unless ( $copied{$_} ) { + push @copy, $_; + $copied{$_} = 1; + } + } # # Map physical names in $copy to logical names # - $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) ); + $copy = join( '|' , map( physical_name($_) , @copy ) ); # # Shell and iptables use a different wildcard character # From ef291b79d54b07dbf54fe9bd04fbdea5198b316d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 07:56:42 -0800 Subject: [PATCH 07/11] Correct COPY description in the multi-ISP document. Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 726b20bd4..ad3b84d5f 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -279,9 +279,10 @@ Gives the name or number of a routing table to duplicate. May be 'main' or the name or number of a previously declared - provider. For most applications, you want to specify 'main' here. - This field should be be specified as '-' when USE_DEFAULT_RT=Yes - in shorewall.conf + provider. This field should be be specified as '-' when + USE_DEFAULT_RT=Yes in shorewall.conf. When + USE_DEFAULT_RT=No (not recommended), this column is normally + specified as . 
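Review bot: The new de-duplication loop in copy_and_edit_table spells out the seen-hash idiom over six lines with `$_` carried across them; `my @copy = grep { ! $copied{$_}++ } split( ',', $copy );` does the same in one line and keeps first-occurrence order. It also runs before `physical_name()` is applied, so two different logical names that resolve to the same physical name (whether that can happen is not visible here) would still repeat in the generated `case` pattern; de-duplicating after the `map` would cover both. A one-line `# drop repeated COPY entries so the generated case pattern lists each interface once` above the loop would record the purpose. copy_and_edit_table continues outside the hunk.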
@@ -563,16 +564,12 @@ COPY - A comma-separated list of interface names. Wildcards - specified using an asterisk ("*") are permitted (e.g., tun* - ). - - When you specify an existing table in the DUPLICATE column, - Shorewall copies all routes through the interface specified in the - INTERFACE column plus the interfaces listed in this column. - Normally, you will list all interfaces on your firewall in this - column except those Internet interfaces specified in the INTERFACE - column of entries in this file. + A comma-separated list of other interfaces on your firewall. + Wildcards specified using an asterisk ("*") are permitted (e.g., + tun* ). Usually used only when DUPLICATE is . + Only copy routes through INTERFACE and through interfaces listed + here. If you only wish to copy routes through INTERFACE, enter + in this column. Beginning with Shorewall 4.4.15, provider routing tables From 216029c3a9d05642e214a6adb4eede69792786b0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 11:04:23 -0800 Subject: [PATCH 08/11] Copy blackhole routes to secondary tables. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index c419fcfe6..3c5915753 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -269,6 +269,9 @@ sub copy_and_edit_table( $$$$ ) { } emit ( ' ;;', + ' *)', + " [ \$net = blackhole ] && run_ip route add table $number \$net \$route $realm", + ' ;;', ' esac', ' ;;', ' esac', From 06e7f297f7d4ef044772f1a96ecd0d63a5cc2080 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 11:48:09 -0800 Subject: [PATCH 09/11] Allow addition of blackhole routes. 
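Review bot: The added `*)` arm holds only `[ \$net = blackhole ] && run_ip route add ...`, so whenever the test is false the arm exits non-zero; if the generated script runs under `set -e` (not visible here) that aborts it, and in any case an `&&`-only arm hides the intent. It is also placed in the inner `case $(find_device $route)`, so it runs only for routes whose device did not match `$copy`, which is an indirect way of selecting blackhole routes. A dedicated `blackhole)` arm of the outer `case $net` states the condition directly, which is what PATCH 10/11 and 11/11 later in this series do. copy_and_edit_table continues outside the hunk.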
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 9 ++++++++- Shorewall/manpages/shorewall-routes.xml | 8 ++++++-- Shorewall6/manpages/shorewall6-routes.xml | 8 ++++++-- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 3c5915753..54788c25b 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1104,7 +1104,11 @@ sub add_a_route( ) { fatal_error 'DEST must be specified' if $dest eq '-'; $dest = validate_net ( $dest, 0 ); - validate_address ( $gateway, 1 ) if $gateway ne '-'; + if ( $gateway eq 'blackhole' ) { + fatal_error q('blackhole' routes may not specify a DEVICE) unless $device eq '-'; + } else { + validate_address ( $gateway, 1 ) if $gateway ne '-'; + } my $providerref = $providers{$provider}; my $number = $providerref->{number}; @@ -1117,6 +1121,9 @@ sub add_a_route( ) { if ( $device ne '-' ) { push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number); emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; + } elsif ( $gateway eq 'blackhole' ) { + push @$routes, qq(run_ip route add blackhole $dest table $number); + emit qq(echo "\$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; } else { push @$routes, qq(run_ip route add $dest via $gateway table $number); emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; diff --git a/Shorewall/manpages/shorewall-routes.xml b/Shorewall/manpages/shorewall-routes.xml index e033ffa2d..f8e653a7e 100644 --- a/Shorewall/manpages/shorewall-routes.xml +++ b/Shorewall/manpages/shorewall-routes.xml 
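Review bot: The new `elsif ( $gateway eq 'blackhole' )` branch in add_a_route writes its undo command as `\$IP -$family route del blackhole ...`, while the `dev` branch just above it prefixes the same command with `qt`; the existing gateway branch below shares the inconsistency. If `qt` is the quiet wrapper its name suggests (its definition is not in the hunk), an undo run after the route is already gone prints an error for blackhole and gateway routes but not for device routes. Mirroring the device branch would be `emit qq(echo "qt \$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;`. add_a_route continues outside both hunks.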
@@ -53,6 +53,9 @@ If specified, gives the IP address of the gateway to the DEST. + + Beginning with Shorewall 4.5.15, you may specify blackhole in + this column to create a route. @@ -62,8 +65,9 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall-providers - (5). + url="shorewall-providers.html">shorewall-providers (5). This + column must be omitted if is specified in + the GATEWAY column. diff --git a/Shorewall6/manpages/shorewall6-routes.xml b/Shorewall6/manpages/shorewall6-routes.xml index a3077f473..1db3850e4 100644 --- a/Shorewall6/manpages/shorewall6-routes.xml +++ b/Shorewall6/manpages/shorewall6-routes.xml @@ -53,6 +53,9 @@ If specified, gives the IP address of the gateway to the DEST. + + Beginning with Shorewall 4.5.15, you may specify blackhole in + this column to create a route. @@ -62,8 +65,9 @@ Specifies the device route. If neither DEVICE nor GATEWAY is given, then the INTERFACE specified for the PROVIDER in shorewall6-providers - (5). + url="shorewall6-providers.html">shorewall6-providers (5). + This column must be omitted if is + specified in the GATEWAY column. From 5e0749da3c71463bdacbe1cb250eee807cf1f507 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 6 Mar 2013 20:02:48 -0800 Subject: [PATCH 10/11] New approach to copying blackhole routes to secondary routing tables. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 54788c25b..51bcde5ed 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -252,6 +252,9 @@ sub copy_and_edit_table( $$$$ ) { emit ( ' case $net in', ' default)', ' ;;', + ' blackhole)', + " run_ip route add table $number blackhole \$route $realm", + ' ;;', ' *)', ' case $(find_device $route) in', " $copy)" ); 
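Review bot: The new `blackhole)` arm copies every blackhole route from the source table into table `$number` unconditionally, whereas the `*)` arm below it only copies routes whose device matches `$copy`; that is presumably intended, since a blackhole route has no device, but the COPY description rewritten in PATCH 07/11 says only routes through INTERFACE and the listed interfaces are copied, so that manpage sentence should be extended. A comment above the arm would also help: `# blackhole routes have no device, so they are copied regardless of COPY`. The emitted line assumes `$route` holds the remainder of the `ip route` output after the `blackhole` keyword, which I cannot confirm from the hunk. copy_and_edit_table continues outside the hunk.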
@@ -269,9 +272,6 @@ sub copy_and_edit_table( $$$$ ) { } emit ( ' ;;', - ' *)', - " [ \$net = blackhole ] && run_ip route add table $number \$net \$route $realm", - ' ;;', ' esac', ' ;;', ' esac', From 5aa731e9634a6e35cce0f5d2308f33f41da66237 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 7 Mar 2013 06:52:16 -0800 Subject: [PATCH 11/11] Additional change to copy blackhole routes. - Add 'blackhole' to the outer case statement - Add RFC1918 blackhole routes before starting providers. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 54788c25b..f19f60988 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -252,6 +252,9 @@ sub copy_and_edit_table( $$$$ ) { emit ( ' case $net in', ' default)', ' ;;', + ' blackhole)', + " run_ip route add table $number blackhole \$route $realm", + ' ;;', ' *)', ' case $(find_device $route) in', " $copy)" ); @@ -269,9 +272,6 @@ sub copy_and_edit_table( $$$$ ) { } emit ( ' ;;', - ' *)', - " [ \$net = blackhole ] && run_ip route add table $number \$net \$route $realm", - ' ;;', ' esac', ' ;;', ' esac', @@ -1456,6 +1456,8 @@ sub setup_providers() { start_providers; + setup_null_routing if $config{NULL_ROUTE_RFC1918}; + emit ''; emit "start_$providers{$_}->{what}_$_" for @providers; @@ -1464,7 +1466,6 @@ sub setup_providers() { finish_providers; - setup_null_routing if $config{NULL_ROUTE_RFC1918}; emit "\nrun_ip route flush cache"; pop_indent;
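Review bot: `setup_null_routing if $config{NULL_ROUTE_RFC1918};` now runs between `start_providers` and the per-provider `start_...` calls with nothing in the code explaining the order, which the commit message gives only as a bullet; a why-comment next to the call, `# RFC1918 blackhole routes must be in the main table before the providers copy it`, would keep a future reorder from silently undoing this. Note also that this patch's index line (`54788c25b..f19f60988`) names the same base as PATCH 10/11 (`54788c25b..51bcde5ed`) and repeats that patch's two copy_and_edit_table hunks verbatim, so the series as posted will not apply in order past 10/11; one of the two should be dropped or rebased. setup_providers continues outside the hunk.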