diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall index 9d29a8717..8d0424eb2 100755 --- a/Lrp/etc/init.d/shorewall +++ b/Lrp/etc/init.d/shorewall @@ -435,7 +435,7 @@ determine_hosts() { done } - recalculate_hosts() + recalculate_interfaces() { interfaces= @@ -457,12 +457,18 @@ determine_hosts() { hosts=`find_hosts $zone` hosts=`echo $hosts` # Remove extra trash - if [ -n "$hosts" ]; then + if [ -n "MERGE_HOSTS" ]; then + #################################################################### + # Zone will be the union of its host and interface definitions + # + do_a_zone + recalculate_interfaces + elif [ -n "$hosts" ]; then #################################################################### # Zone is defined in terms of hosts -- derive the interface list # from the host list # - recalculate_hosts + recalculate_interfacess else #################################################################### # If no hosts are defined for a zone then the zone consists of any @@ -658,6 +664,14 @@ validate_rule() { case "$logtarget" in REJECT) target=reject + [ -n "$servport" ] && \ + startup_error "Error: server port may not be specified in a REJECT rule;"\ + "rule: \"$rule\"" + ;; + ACCEPT) + [ -n "$servport" ] && \ + startup_error "Error: server port may not be specified in an ACCEPT rule;"\ + "rule: \"$rule\"" ;; REDIRECT) [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ @@ -747,6 +761,8 @@ validate_rule() { else clientzone="${clients%:*}" clients="${clients#*:}" + [ -z "$clientzone" -o -z "$clients" ] && \ + startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" fi if [ "$clientzone" = "${clientzone%\!*}" ]; then 
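Review bot: The new `if [ -n "MERGE_HOSTS" ]; then` tests a string literal, so the condition is always true and the `elif [ -n "$hosts" ]` and `else` branches beneath it can never run; it should read `if [ -n "$MERGE_HOSTS" ]; then`. The same hunk calls `recalculate_interfacess` (double s) in the hosts branch, which does not match the function renamed to `recalculate_interfaces` in the preceding hunk, so that branch would fail with an unknown command once the first bug is fixed. MERGE_HOSTS is later filled by `added_param_value_no MERGE_HOSTS ...`; if that helper yields a literal "No" for the unset case, a non-empty test still selects the merge path, so confirm what it returns and compare against Yes if needed. The enclosing determine_hosts function starts and ends outside the hunk.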
@@ -782,8 +798,12 @@ validate_rule() { if [ "$servers" != "${servers%:*}" ] ; then serverport="${servers#*:}" servers="${servers%:*}" + [ -z "$serverzone" -o -z "$serverport" ] && \ + startup_error "Error: Empty destination zone or server port: rule \"$rule\"" else serverport= + [ -z "$serverzone" -o -z "$servers" ] && \ + startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" fi fi ############################################################################ @@ -1297,31 +1317,8 @@ setup_nat() { fi if [ -n "$ADD_IP_ALIASES" ]; then - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from the primary address - # - # Get all of the lines that contain inet addresses with broadcast - # - val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null - - if [ -n "$val" ] ; then - # - # Hack off the leading 'inet ' (actually cut off the - # "/" as well but add it back in). - # - val="/${val#*/}" - # - # Now get the VLSM, "brd" and the broadcast address - # - val=${val%% scope*} - fi - - run_ip addr add ${external}${val} dev $interface - echo "$external $interface" >> ${STATEDIR}/nat + list_search $external $aliases_to_add || \ + aliases_to_add="$aliases_to_add $external $interface" fi echo " Host $internal NAT $external on $interface" @@ -1678,10 +1675,16 @@ add_a_rule() case "$logtarget" in REJECT) target=reject + [ -n "$servport" ] && \ + fatal_error "Error: server port may not be specified in a REJECT rule;"\ + "rule: \"$rule\"" ;; REDIRECT) [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ " specify a server IP; rule: \"$rule\"" + [ -n "$servport" ] && \ + startup_error "Error: server port may not be specified in an ACCEPT rule;" \ + "rule: \"$rule\"" servport=${servport:=$port} ;; DNAT) 
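Review bot: In add_a_rule the check added under `REDIRECT)` refuses a server port with the message "server port may not be specified in an ACCEPT rule", yet the rules file comment in this same commit says a destination port may be included when the ACTION is DNAT or REDIRECT, and validate_rule's hunk rejects it for ACCEPT rather than REDIRECT; the check appears to have been pasted under the wrong arm and, placed just before `servport=${servport:=$port}`, would reject rules that validation has already accepted. The new REJECT arm calls `fatal_error` while the REDIRECT arm calls `startup_error`, and process_rule's hunks mix the two the same way (`fatal_error` for the source-zone and server-port checks, `startup_error` for the destination-qualifier check); one error routine should be used consistently on the runtime path. The case statement and add_a_rule continue outside the hunk.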
@@ -1790,6 +1793,8 @@ process_rule() { else clientzone="${clients%:*}" clients="${clients#*:}" + [ -z "$clientzone" -o -z "$clients" ] && \ + fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" fi if [ "$clientzone" = "${clientzone%\!*}" ]; then @@ -1822,8 +1827,12 @@ process_rule() { if [ "$servers" != "${servers%:*}" ] ; then serverport="${servers#*:}" servers="${servers%:*}" + [ -z "$serverzone" -o -z "$serverport" ] && \ + fatal_error "Error: Empty destination zone or server port: rule \"$rule\"" else serverport= + [ -z "$serverzone" -o -z "$servers" ] && \ + startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" fi fi @@ -2403,16 +2412,8 @@ setup_masq() esac if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then - qt ip addr del $address dev $interface - - val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null - if [ -n "$val" ] ; then - val="/${val#*/}" - val=${val%% scope*} - fi - run_ip addr add ${address}${val} dev $interface - - echo "$address $interface" >> ${STATEDIR}/nat + list_search $address $aliases_to_add || \ + aliases_to_add="$aliases_to_add $external $address" fi destination=$destnet 
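Review bot: In setup_masq the deferred alias is appended as `aliases_to_add="$aliases_to_add $external $address"`, but `$external` is setup_nat's variable and is not assigned anywhere in setup_masq; add_ip_aliases consumes the list as address/interface word pairs, so this line should be `aliases_to_add="$aliases_to_add $address $interface"`, mirroring the setup_nat hunk. If `$external` is empty here the list also goes out of step by one word, so every later pair is misread as well. The removed code ran `qt ip addr del $address dev $interface` before re-adding the address; the deferred path never deletes, so confirm that dropping it was intended. setup_masq's loop starts and ends outside the hunk.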
@@ -2574,6 +2575,49 @@ verify_os_version() { esac } +################################################################################ +# Add IP Aliases # +################################################################################ +add_ip_aliases() # $* = addresses and devices +{ + do_one() + { + # + # Folks feel uneasy if they don't see all of the same + # decoration on these IP addresses that they see when their + # distro's net config tool adds them. In an attempt to reduce + # the anxiety level, we have the following code which sets + # the VLSM and BRD from the primary address + # + # Get all of the lines that contain inet addresses with broadcast + # + val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null + + if [ -n "$val" ] ; then + # + # Hack off the leading 'inet ' (actually cut off the + # "/" as well but add it back in). + # + val="/${val#*/}" + # + # Now get the VLSM, "brd" and the broadcast address + # + val=${val%% scope*} + fi + + run_ip addr add ${external}${val} dev $interface + echo "$external $interface" >> ${STATEDIR}/nat + echo " IP Address $external added to interface $interface" + } + + while [ $# -gt 0 ]; do + external=$1 + interface=$2 + shift;shift + do_one + done +} + ################################################################################ # Load kernel modules required for Shorewall # ################################################################################ @@ -3143,10 +3187,16 @@ define_firewall() # $1 = Command (Start or Restart) activate_rules + [ -n "$aliases_to_add" ] && \ + echo "Adding IP Addresses..." && \ + add_ip_aliases $aliases_to_add + run_user_exit start createchain shorewall no + date > /var/lib/shorewall/restarted + report "Shorewall ${1}ed" rm -rf $TMP_DIR @@ -3322,10 +3372,13 @@ do_initialize() { NAT_BEFORE_RULES= MULTIPORT= DETECT_DNAT_IPADDRS= + MERGE_HOSTS= + MUTEX_TIMEOUT= stopping= have_mutex= masq_seq=1 nonat_seq=1 + aliases_to_add= TMP_DIR=/tmp/shorewall-$$ rm -rf $TMP_DIR 
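Review bot: In add_ip_aliases the `2> /dev/null` on the `val=` line sits outside the backticks, so it redirects the stderr of the assignment rather than of `ip addr show`/`grep`; if the intent is to silence a missing interface it belongs inside: `val=\`ip addr show $interface 2> /dev/null | grep 'inet.*brd '\``. The pair loop does `shift;shift` unconditionally, so a list with an odd number of words (which the setup_masq hunk can produce) leaves `interface` empty for the last pair and the second shift fails; `while [ $# -ge 2 ]; do ... shift 2; done` with a warning for leftover words is safer. A short header comment should state that `$*` is whitespace-separated address/interface pairs and that `external`, `interface` and `val` are set as globals by do_one.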
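Review bot: `date > /var/lib/shorewall/restarted` hard-codes the state directory although this file keeps its other state under `${STATEDIR}` (see `${STATEDIR}/nat` in the add_ip_aliases hunk); the same literal appears in the `reset)` case later in this file and in show_reset in Lrp/sbin/shorewall, so `date > ${STATEDIR}/restarted` in all three keeps them together and honours a relocated state directory, which mutex_on already creates with `mkdir -p $STATEDIR`. The chain `[ -n "$aliases_to_add" ] && echo ... && add_ip_aliases $aliases_to_add` returns non-zero when the list is empty; that is harmless unless define_firewall's status is checked or errexit is active, which is not visible from here. define_firewall continues outside the hunk.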
@@ -3396,6 +3449,7 @@ do_initialize() { NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` + MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` } ################################################################################ @@ -3469,6 +3523,7 @@ case "$command" in reset) iptables -L -n -Z -v report "Shorewall Counters Reset" + date > /var/lib/shorewall/restarted ;; refresh) diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules index 274648997..8e686d040 100644 --- a/Lrp/etc/shorewall/rules +++ b/Lrp/etc/shorewall/rules @@ -71,14 +71,15 @@ # The port that the server is listening on may be # included and separated from the server's IP address by # ":". If omitted, the firewall will not modifiy the -# destination port. +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. # # Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port # 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# if the RESULT is REDIRECT, this column needs only to +# if the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # @@ -92,6 +93,8 @@ # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# A port range is expressed as :. +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index 815c16285..221c84350 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf 
@@ -228,8 +228,6 @@ NAT_BEFORE_RULES=Yes MULTIPORT=No -MULTIPORT=No - # DNAT IP Address Detection # # Normally when Shorewall encounters the following rule: @@ -261,4 +259,51 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No +# Merge Hosts File +# +# The traditional behavior of the /etc/shorewall/hosts file has been that +# if that file has ANY entry for a zone then the zone must be defined +# entirely in the hosts file. This is counter-intuitive and has caused +# people some problems. +# +# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file +# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file +# are added to the contents described in the /etc/shorewall/interfaces file. +# +# Example: Suppose that we have the following interfaces and hosts files: +# +# Interfaces: +# +# net eth0 +# loc eth1 +# - ppp+ +# +# Hosts: +# +# loc ppp+:192.168.1.0/24 +# wrk ppp+:!192.168.1.0/24 +# +# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just +# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be +# ppp+:192.168.1.0 and eth1:0.0.0.0/0 +# +# If this variable is not set or is set to the empty value, "No" is assumed. + +MERGE_HOSTS=Yes + +# +# Mutex Timeout +# +# The value of this variable determines the number of seconds that programs +# will wait for exclusive access to the Shorewall lock file. After the number +# of seconds corresponding to the value of this variable, programs will assume +# that the last program to hold the lock died without releasing the lock. +# +# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. +# +# An appropriate value for this parameter would be twice the length of time +# that it takes your firewall system to process a "shorewall restart" command. + +MUTEX_TIMEOUT=60 + #LAST LINE -- DO NOT REMOVE diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall index 917e5cdf6..a06ded68c 100755 --- a/Lrp/sbin/shorewall +++ b/Lrp/sbin/shorewall 
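Review bot: The MERGE_HOSTS example gives the merged contents as `ppp+:192.168.1.0 and eth1:0.0.0.0/0`, dropping the /24 that the hosts entry carries; it should read `ppp+:192.168.1.0/24 and eth1:0.0.0.0/0`. The block ends by saying "No" is assumed when the variable is unset, but the shipped setting is `MERGE_HOSTS=Yes`, so a site installing this file gets the new semantics without asking for them; either ship `MERGE_HOSTS=No` for continuity or state in the comment that the shipped value deliberately differs from the unset default. The MUTEX_TIMEOUT text says programs will assume the previous lock holder died, but nothing in the mutex_on hunk removes or takes over the lock file after the timeout, so the description promises more than the code does.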
@@ -432,6 +432,14 @@ usage() # $1 = exit status exit $1 } +################################################################################# +# Display the time that the counters were last reset # +################################################################################# +show_reset() { + [ -f /var/lib/shorewall/restarted ] && \ + echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n" +} + ################################################################################# # Execution begins here # ################################################################################# @@ -533,10 +541,12 @@ case "$1" in ;; nat) echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n" + show_reset iptables -t nat -L -n -v ;; tos|mangle) echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" + show_reset iptables -t mangle -L -n -v ;; log) @@ -551,6 +561,7 @@ case "$1" in ;; *) echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" + show_reset iptables -L $2 -n -v ;; esac @@ -569,6 +580,7 @@ case "$1" in get_config clear echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" + show_reset host=`echo $HOSTNAME | sed 's/\..*$//'` iptables -L -n -v echo diff --git a/Lrp/var/lib/shorewall/functions b/Lrp/var/lib/shorewall/functions index 6e3bf64b2..46b6b01b5 100644 --- a/Lrp/var/lib/shorewall/functions +++ b/Lrp/var/lib/shorewall/functions @@ -1,5 +1,5 @@ # -# Shorewall 1.3 -- /etc/shorewall/functions +# Shorewall 1.3 -- /var/lib/shorewall/functions # # Suppress all output for a command @@ -92,6 +92,8 @@ determine_zones() ############################################################################### get_statedir() { + MUTEX_TIMEOUT= + local config=`find_file shorewall.conf` if [ -f $config ]; then 
@@ -116,15 +118,19 @@ get_statedir() mutex_on() { local try=0 - local max=15 - local int=2 + local max= + local int=1 local lockf=$STATEDIR/lock + MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} + + max=${MUTEX_TIMEOUT} + [ -d $STATEDIR ] || mkdir -p $STATEDIR if qt which lockfile; then - lockfile -030 -r1 ${lockf} || exit 2 + lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} else while [ -f ${lockf} -a ${try} -lt ${max} ] ; do sleep ${int} @@ -136,7 +142,6 @@ mutex_on() echo $$ > ${lockf} else echo "Giving up on lock file ${lockf}" >&2 - exit 2 fi fi } diff --git a/Lrp/var/lib/shorewall/version b/Lrp/var/lib/shorewall/version index d0149fef7..80e78df68 100644 --- a/Lrp/var/lib/shorewall/version +++ b/Lrp/var/lib/shorewall/version @@ -1 +1 @@ -1.3.4 +1.3.5
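Review bot: mutex_on now returns normally when it fails to obtain the lock: `|| exit 2` was dropped from the lockfile call and the `exit 2` after "Giving up on lock file" was removed, so after MUTEX_TIMEOUT seconds the caller proceeds to modify the firewall concurrently with whatever still holds the lock, which is exactly what the mutex exists to prevent. If a lock older than the timeout is meant to be treated as stale, the fallback should take it over explicitly (remove the old file, then write `$$`) rather than silently continue without one, and the lockfile branch should keep `|| exit 2`. For lockfile(1) the leading numeric option `-${MUTEX_TIMEOUT}` is the sleep interval between retries, while stale-lock expiry is `-l`; with `-r1` this waits one interval and gives up without ever breaking a dead lock, so the option choice does not implement the semantics shorewall.conf describes. A non-numeric MUTEX_TIMEOUT from the config also now makes lockfile fail silently, so the value should be validated before use. mutex_on's retry loop continues outside the hunk.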