Slightly less horrible Hack to make the Tunnels file still work with the sectioned Rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2569 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-18 15:46:55 +02:00 · 2005-08-27 14:50:33 +00:00 · 2005-08-27 14:50:33 +00:00 · 739db31efb
commit 739db31efb
parent 2a55b70b32
3 changed files with 43 additions and 30 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -15,6 +15,8 @@ Changes in 2.5.3
 7) Section the rules file.
 8) Fixed tunnels/rules interaction problems.
 Changes in 2.5.2
 1) Allow port lists in /etc/sorewall/accounting.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2192,7 +2192,7 @@ setup_tunnels() # $1 = name of tunnels file
 {
    local inchain
    local outchain
-    local options="-m state --state NEW,INVALID -j ACCEPT"
+
    setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
    {
@ -2208,16 +2208,16 @@ setup_tunnels() # $1 = name of tunnels file
 	[ $kind = IPSEC ] && kind=ipsec
-
+	options="-m state --state NEW -j ACCEPT"
-	addrule2 $inchain	  -p 50	 $(source_ip_range $1) $options
+	addrule2 $inchain	  -p 50	 $(source_ip_range $1) -j ACCEPT
-	addrule2 $outchain	  -p 50	 $(dest_ip_range $1)   $options
+	addrule2 $outchain	  -p 50	 $(dest_ip_range $1)   -j ACCEPT
 	if [ -z "$noah" ]; then
-	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) $options
+	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) -j ACCEPT
-	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   $options
+	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   -j ACCEPT
 	fi
-	run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options 
+	run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
 	if [ $kind = ipsec ]; then
 	    run_iptables -A $inchain  -p udp $(source_ip_range $1) --dport 500 $options
@ -2245,26 +2245,26 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
    {
-	addrule2 $inchain  -p $3 $(source_ip_range $2) $options
+	addrule2 $inchain  -p $3 $(source_ip_range $2) -j ACCEPT
-	addrule2 $outchain -p $3 $(dest_ip_range $2)   $options
+	addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
 	progress_message "   $1 tunnel to $2 defined."
    }
    setup_pptp_client() # $1 = gateway
    {
-	addrule2 $outchain -p 47               $(dest_ip_range $1)   $options
+	addrule2 $outchain -p 47               $(dest_ip_range $1)   -j ACCEPT
-	addrule2 $inchain  -p 47               $(source_ip_range $1) $options
+	addrule2 $inchain  -p 47               $(source_ip_range $1) -j ACCEPT
-	addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1)   $options
+	addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1)   -j ACCEPT
 	progress_message "   PPTP tunnel to $1 defined."
    }
    setup_pptp_server() # $1 = gateway
    {
-	addrule2 $inchain  -p 47               $(source_ip_range $1) $options
+	addrule2 $inchain  -p 47               $(source_ip_range $1) -j ACCEPT
-	addrule2 $outchain -p 47               $(dest_ip_range $1)   $options
+	addrule2 $outchain -p 47               $(dest_ip_range $1)   -j ACCEPT
-	addrule2 $inchain  -p tcp --dport 1723 $(source_ip_range $1) $options
+	addrule2 $inchain  -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
 	progress_message "   PPTP server defined."
    }
@ -2285,8 +2285,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport $p $options
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport $p -j ACCEPT
 	progress_message "   OPENVPN tunnel to $1:$protocol:$p defined."
    }
@ -2307,8 +2307,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --sport $p $options
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --sport $p -j ACCEPT
 	progress_message "   OPENVPN server tunnel from $1:$protocol:$p defined."
    }
@ -2329,8 +2329,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dsport $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dsport $p -j ACCEPT
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport  $p $options
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport  $p -j ACCEPT
 	progress_message "   OPENVPN client tunnel to $1:$protocol:$p defined."
    }
@ -2357,15 +2357,15 @@ setup_tunnels() # $1 = name of tunnels file
 	p=${p:+--dport $p}
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) $p -j ACCEPT
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   $p $options
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   $p -j ACCEPT
 	for z in $(separate_list $3); do
 	    if validate_zone $z; then
-		addrule ${FW}2${z} -p $protocol $p $options
+		addrule ${FW}2${z} -p $protocol $p -j ACCEPT
-		addrule ${z}2${FW} -p $protocol $p $options
+		addrule ${z}2${FW} -p $protocol $p -j ACCEPT
 	    else
-		error_message "WARNING: Invalid gateway zone ($z)" \
+		error_message "Warning: Invalid gateway zone ($z)" \
 		" -- Tunnel \"$tunnel\" may encounter problems"
 	    fi
 	done
@ -8249,16 +8249,17 @@ define_firewall() # $1 = Command (Start or Restart)
    setup_syn_flood_chains
    tunnels=$(find_file tunnels)
    [ -f $tunnels ] && \
 	echo "Processing $tunnels..." &&       setup_tunnels $tunnels
    setup_ipsec
    maclist_hosts=$(find_hosts_by_option maclist)
    [ -n "$maclist_hosts" ] &&                 setup_mac_lists
    echo "Processing $(find_file rules)...";   process_rules
    tunnels=$(find_file tunnels)
    [ -f $tunnels ] && \
 	echo "Processing $tunnels..." &&       setup_tunnels $tunnels
    echo "Processing Actions...";              process_actions2
                                               process_actions3
    echo "Processing $(find_file policy)...";  apply_policy_rules
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -255,6 +255,16 @@ Migration Considerations:
 8) The "shorewall forget" command now removes the dynamic blacklist
   save file (/var/lib/shorewall/save).
 9) In previous versions of Shorewall, the rules generated by entries in
   /etc/shorewall/tunnels preceded those rules generated by entries in
   /etc/shorewall/rules. Beginning with this release, the entries
   generated by entries in the tunnels file will appear *AFTER* the
   rules generated by the rules file. This may cause you problems if
   you have REJECT, DENY or CONTINUE rules in your rules file that
   would cause the tunnel transport packets to not reach the rules that
   ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
   information on the rules generated by entries in the tunnels file.
 New Features in Shorewall 2.5.*
 1) Error and warning messages are made easier to spot by using