Bring trunk up to date with 4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7376 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -12,6 +12,31 @@ Changes in 4.0.4
 
 6)  Make compile-time check for iptables-restore.
 
+7)  Fix dup chain name test for actions.
+
+8)  Improve KLUDGEFREE detection.
+
+9)  Remove unused functions from Chains module.
+
+10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is
+    currently allowed).
+
+11) Correct 'loose' handling.
+
+12) Correct handling of 'bridge' and accounting.
+
+13) Fix SHOREWALL_DIR fiasco.
+
+14) Avoid deleting wrong routing rule.
+
+15) Allow provider number in route_rules with Shorewall-shell.
+
+16) Add DELETE_THEN_ADD option.
+
+17) Add warning about 'detectnets' going away.
+
+18) Fix off-by-one bug in Tc.pm
+
 Changes in 4.0.3
 
 1)  Streamline the checking for builtin chains in the accounting file.

Shorewall-common/firewall

@@ -424,8 +424,8 @@ delete_proxy_arp() {
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
-	    interface=/proc/sys/net/ipv4/conf/$interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
     fi
 

Shorewall-common/lib.base

@@ -1008,13 +1008,21 @@ determine_capabilities() {
     NFQUEUE_TARGET=
 
     qt $IPTABLES -N fooX1234
-    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
-    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
+
-    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
+    if qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT; then
-    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT     && POLICY_MATCH=Yes
+	MULTIPORT=Yes
+	qt $IPTABLES -A fooX1234 -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+    fi
+
+    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
 
     if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+	fi
     fi
 
     if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then

Shorewall-common/lib.config

@@ -1745,7 +1745,7 @@ do_initialize() {
     OPTIMIZE=
     EXPORTPARAMS=
     KEEP_TC_RULES=
-
+    DELETE_THEN_ADD=
     #
     # Packet Disposition
     #
@@ -2021,6 +2021,7 @@ do_initialize() {
     USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
     EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS)
     KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
+    DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
 
     [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
 

Shorewall-common/releasenotes.txt

@@ -1,4 +1,8 @@
 Shorewall 4.0 Patch release 4
+
+WARNING: Suppport for the 'detectnets' option will be removed from
+Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
+
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 0  H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -63,9 +67,103 @@ Problems Corrected in Shorewall 4.0.4
     iptables executable specified by IPTABLES in shorewall.conf or
     located by the PATH in the event that IPTABLES is not specified.
 
+7)  When using Shorewall-perl, if an action was invoked with more than
+    10 different combinations of log-levels/tags, some of those
+    invocations with have incorrect logging.
+
+8)  Previously, when 'shorewall restore' was executed, the
+    iptables-restore utility was always located using the PATH setting
+    rather than the IPTABLES setting.
+
+    With Shorewall-perl, the IPTABLES setting is now used to locate
+    this utility during 'restore' as it is during the processing of
+    other commands.
+
+9)  Although the shorewall.conf manpage indicates that the value
+    'internal' is allowed for TC_ENABLED, that value was previously
+    rejected ('Internal' was accepted).
+
+10) The meaning of the 'loose' provider option was accidentally reversed
+    in Shorewall-perl. Rather than causing certain routing rules to be
+    omitted when specified, it actually caused them to be added (these
+    rules were omitted when the option was NOT specified).
+
+11) If the 'bridge' option was specified on an interface but there were
+    no bport zones, then traffic originating on the firewall was not
+    passed through the accounting chain.
+
+12) In commands such as:
+
+       shorewall compile <directory>
+       shorewall restart <directory>
+       shorewall check <directory>
+
+    if the name of the <directory> contained a period ("."), then
+    Shorewall-perl would incorrectly substitute the current working
+    directory for the name.
+
+13) Previously, if the following sequence of routing rules was
+    specified, then the first rule would always be omitted.
+
+    #SOURCE    DEST      PROVIDER     PRIORITY
+    $SRC_A     $DESTIP1  ISP1         1000
+    $SRC_A     $DESTIP2  SOMEISP      1000
+    $SRC_A     -         ISP2         1000
+
+    The reason for this omission was that Shorewall uses a
+    delete-before-add approach and attempting to delete the third rule
+    resulted in the deletion of the first one instead. 
+
+    This problem occurred with both compilers.
+
+14) When using Shorewall-shell, provider numbers were not recognized in
+    the PROVIDER column of /etc/shorewall/route_rules.
+
+15) An off-by-one problem in Shorewall-perl caused the value 255 to be
+    rejected in the MARK column of /etc/shorewall/tcclasses.
+
 Other Changes in Shorewall 4.0.4
 
-None.
+1)  The detection of 'Repeat Match' has been improved. 'Repeat Match'
+    is not a match at all but rather is a feature of recent versions of
+    iptables that allows a particular match to be used multiple times
+    within a single rule.
+
+    Example:
+
+      -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
+
+    When using Shorewall-shell, the availability of 'Repeat Match' can
+    speed up compilation very slightly.
+
+2)  Apparently recent Fedora releases are broken. The
+    following sequence of commands demonstrates the problem:
+
+    ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
+    ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
+    ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
+
+    The third command should fail but doesn't; instead, it incorrectly
+    removes the rule added by the first command.
+
+    To work around this issue, you can set DELETE_THEN_ADD=No in
+    shorewall.conf which prevents Shorewall from deleting ip rules
+    before attempting to add a similar rule.
+
+3)  When using Shorewall-perl, the following message is now issued if
+    the 'detectnets' option is specified in /etc/shorewall/interfaces:
+
+    WARNING: Support for the 'detectnets' option will be removed from
+    Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians
+
+    The 'detect' options has always been rather silly. On input, it
+    duplicates the function of 'routefilter'. On output, it is a no-op
+    since traffic that doesn't match a route out of an interface won't
+    be sent through that interface (duh!).
+
+    Beginning with Shorewall 4.0.5, the warning message will read:
+
+    WARNING: Support for the 'detectnets' option has been removed
 
 Migration Considerations:
 

Shorewall-common/shorewall.conf

@@ -167,6 +167,8 @@ EXPAND_POLICIES=Yes
 
 KEEP_RT_TABLES=No
 
+DELETE_THEN_ADD=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-perl/Shorewall/Actions.pm

@@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
 		  %macros
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.03';
+our $VERSION = '4.04';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.

Shorewall-perl/Shorewall/Chains.pm

@@ -59,7 +59,6 @@ our @EXPORT = qw( STANDARD
 		  add_command
 		  add_commands
 		  mark_referenced
-		  add_file
 		  add_rule
 		  insert_rule
 		  chain_base
@@ -371,32 +370,6 @@ sub mark_referenced( $ ) {
     $_[0]->{referenced} = 1;
 }
 
-#
-# Copy a file into a chain's rules as a set of run-time commands
-#
-
-sub add_file( $$ ) {
-    my $chainref = $_[0];
-    my $file     = find_file $_[1];
-
-    if ( -f $file ) {
-	open EF , '<', $file or fatal_error "Unable to open $file: $!";
-
-	add_commands( $chainref,
-		      qq(progress_message "Processing $file..."),
-		      '' );
-
-	while ( my $line = <EF> ) {
-	    chomp $line;
-	    add_command $chainref, $line;
-	}
-
-	add_command $chainref, '';
-
-	close EF;
-    }
-}
-
 #
 # Add a rule to a chain. Arguments are:
 #
@@ -584,16 +557,6 @@ sub new_chain($$)
 				     cmdlevel  => 0 };
 }
 
-#
-# Create an anonymous chain
-#
-sub new_anon_chain( $ ) {
-    my $chainref = $_[0];
-    my $seq      = $chainseq++;
-    new_chain( $chainref->{table}, 'chain' . "$seq" );
-}
-
-#
 #
 # Create a chain if it doesn't exist already
 #
@@ -1166,7 +1129,7 @@ sub get_set_flags( $$ ) {
 }
 
 #
-# Match a Source. Currently only handles IP addresses and ranges
+# Match a Source. Handles IP addresses and ranges and MAC addresses
 #
 sub match_source_net( $ ) {
     my $net = $_[0];
@@ -1185,10 +1148,10 @@ sub match_source_net( $ ) {
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
     } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
-	validate_net $net;
+	validate_net $net, 1;
 	"-s ! $net ";
     } else {
-	validate_net $net;
+	validate_net $net, 1;
 	$net eq ALLIPv4 ? '' : "-s $net ";
     }
 }
@@ -1209,10 +1172,10 @@ sub match_dest_net( $ ) {
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
     } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
-	validate_net $net;
+	validate_net $net, 1;
 	"-d ! $net ";
     } else {
-	validate_net $net;
+	validate_net $net, 1;
 	$net eq ALLIPv4 ? '' : "-d $net ";
     }
 }
@@ -1228,10 +1191,10 @@ sub match_orig_dest ( $ ) {
 
     if ( $net =~ /^!/ ) {
 	$net =~ s/!//;
-	validate_net $net;
+	validate_net $net, 1;
 	"-m conntrack --ctorigdst ! $net ";
     } else {
-	validate_net $net;
+	validate_net $net, 1;
 	$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";
     }
 }

Shorewall-perl/Shorewall/Compiler.pm

@@ -328,8 +328,8 @@ EOF
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
-            interface=/proc/sys/net/ipv4/conf/$interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
     fi
 

Shorewall-perl/Shorewall/Config.pm

@@ -322,6 +322,7 @@ sub initialize() {
 		SHOREWALL_COMPILER => undef,
 		EXPAND_POLICIES => undef,
 		KEEP_RT_TABLES => undef,
+		DELETE_THEN_ADD => undef,
 		#
 		# Packet Disposition
 		#
@@ -1137,10 +1138,21 @@ sub determine_capabilities( $ ) {
     qt( "$iptables -N $sillyname" );
 
     $capabilities{CONNTRACK_MATCH} = qt( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
-    $capabilities{MULTIPORT}       = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" );
+    
+    if ( qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
+	$capabilities{MULTIPORT}  = 1;
+	$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
+    }
+
     $capabilities{XMULTIPORT}      = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
     $capabilities{POLICY_MATCH}    = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
-    $capabilities{PHYSDEV_MATCH}   = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" );
+
+    if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
+	$capabilities{PHYSDEV_MATCH} = 1;
+	unless ( $capabilities{KLUDGEFREE} ) {
+	    $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
+	}
+    }
 
     if ( qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
 	$capabilities{IPRANGE_MATCH} = 1;
@@ -1254,7 +1266,7 @@ sub ensure_config_path() {
     }
 
     if ( $shorewall_dir ) {
-	$shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|;
+	$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
 	$config{CONFIG_PATH} = join ':', @config_path;
@@ -1454,8 +1466,9 @@ sub get_configuration( $ ) {
     default_yes_no 'EXPORTPARAMS'               , '';
     default_yes_no 'EXPAND_POLICIES'            , '';
     default_yes_no 'KEEP_RT_TABLES'             , '';
+    default_yes_no 'DELETE_THEN_ADD'            , 'Yes';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-
+    
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 
     default 'BLACKLIST_DISPOSITION'             , 'DROP';
@@ -1509,7 +1522,9 @@ sub get_configuration( $ ) {
 	my $file = find_file 'tcstart';
 	fatal_error "Unable to find tcstart file" unless -f $file;
 	$globals{TC_SCRIPT} = $file;
-    } elsif ( $val ne 'internal' ) {
+    } elsif ( $val eq 'internal' ) {
+	$config{TC_ENABLED} = 'Internal';
+    } else {
 	fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
 	$config{TC_ENABLED} = '';
     }

Shorewall-perl/Shorewall/IPAddrs.pm

@@ -40,7 +40,7 @@ our @EXPORT = qw( ALLIPv4
 		  rfc1918_neworks
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.03';
+our $VERSION = '4.04';
 
 #
 # Some IPv4 useful stuff
@@ -63,16 +63,18 @@ sub valid_address( $ ) {
     1;
 }
 
-sub validate_address( $ ) {
+sub validate_address( $$ ) {
-    my $addr = $_[0];
+    my ( $addr, $allow_name ) =  @_;
 
     unless ( valid_address $addr ) {
+	fatal_error "Invalid IP Address ($addr)" unless $allow_name;
 	fatal_error "Unknown Host ($addr)" unless defined gethostbyname $addr;
     }
 }
 
-sub validate_net( $ ) {
+sub validate_net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
+    my $allow_name = $_[1];
 
     fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
 
@@ -82,7 +84,7 @@ sub validate_net( $ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_address $net;
     } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_address $net;
+	validate_address $net, $_[1];
     }
 }
 
@@ -115,8 +117,8 @@ sub encodeaddr( $ ) {
 sub validate_range( $$ ) {
     my ( $low, $high ) = @_;
 
-    fatal_error "Invalid IP address ($low)" unless valid_address $low;
+    validate_address $low, 0;
-    fatal_error "Invalid IP address ($high)" unless valid_address $high;
+    validate_address $high, 0;
 
     my $first = decodeaddr $low;
     my $last  = decodeaddr $high;
@@ -130,12 +132,12 @@ sub ip_range_explicit( $ ) {
 
     my ( $low, $high ) = split /-/, $range;
 
-    fatal_error "Invalid IP address ($low)" unless valid_address $low;
+    validate_address $low, 0;
 
     push @result, $low;
 
     if ( defined $high ) {
-	fatal_error "Invalid IP address ($high)" unless valid_address $high;
+	validate_address $high, 0;
 
 	my $first = decodeaddr $low;
 	my $last  = decodeaddr $high;
@@ -156,7 +158,7 @@ sub validate_host( $ ) {
     if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
 	validate_range $1, $2;
     } else {
-	validate_net( $host );
+	validate_net( $host, 0 );
     }
 }
 

Shorewall-perl/Shorewall/Providers.pm

@@ -165,6 +165,8 @@ sub add_a_provider( $$$$$$$$ ) {
 
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
+    $number = numeric_value $number;
+
     for my $providerref ( values %providers  ) {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
     }
@@ -207,7 +209,7 @@ sub add_a_provider( $$$$$$$$ ) {
 		"fi\n" );
 	$gateway = '$gateway';
     } elsif ( $gateway && $gateway ne '-' ) {
-	validate_address $gateway;
+	validate_address $gateway, 0;
 	my $variable = get_interface_address $interface;
 	emit "run_ip route replace $gateway src $variable dev $interface table $number";
 	emit "run_ip route add default via $gateway dev $interface table $number";
@@ -234,18 +236,15 @@ sub add_a_provider( $$$$$$$$ ) {
 	    fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
 	}
 
-	my $pref = 10000 + $val;
+	my $pref = 10000 + $number - 1;
 
-	emit ( "qt ip rule del fwmark $mark",
+	emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
-	       "run_ip rule add fwmark $mark pref $pref table $number",
+
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
 	       "echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
-    $providers{$table}         = {};
-    $providers{$table}{number} = $number;
-    $providers{$table}{mark}   = $val;
-
     my ( $loose, $optional ) = (0,0);
 
     unless ( $options eq '-' ) {
@@ -269,28 +268,30 @@ sub add_a_provider( $$$$$$$$ ) {
 	}
     }
 
-    $providers{$table}{optional} = $optional;
+    $providers{$table} = { number => $number , mark => $val , optional => $optional };
 
     if ( $loose ) {
+	if ( $config{DELETE_THEN_ADD} ) {
+	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+		   '    qt ip rule del from $address',
+		   'done'
+		 );
+	}
+    } else {
 	my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $interface | while read address; do",
+	emit  ( "find_interface_addresses $interface | while read address; do" );
-		'    qt ip rule del from $address',
+	emit  (	'    qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
-		"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
+	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
 		'    rulenum=$(($rulenum + 1))',
 		'done'
 	      );
-    } else {
-	emit ( "\nfind_interface_addresses $interface | while read address; do",
-	       '    qt ip rule del from $address',
-	       'done'
-	     );
     }
 
-    emit "\nprogress_message \"   Provider $table ($number) Added\"\n";
+    emit qq(\nprogress_message "   Provider $table ($number) Added"\n);
 
     emit ( "${provider}_is_up=Yes" ) if $optional;
 
@@ -330,17 +331,25 @@ sub add_an_rtrule( $$$$ ) {
 
     fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
 
-    $dest = $dest eq '-' ? '' : "to $dest";
+
+    if ( $dest eq '-' ) {
+	$dest = 'to ' . ALLIPv4; 
+    } else {
+	validate_net( $dest, 0 );
+	$dest = "to $dest";
+    }
 
     if ( $source eq '-' ) {
-	$source = '';
+	$source = 'from ' . ALLIPv4;
     } elsif ( $source =~ /:/ ) {
 	( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	fatal_error "Invalid SOURCE" if defined $remainder;
+	validate_net ( $source, 0 );
 	$source = "iif $interface from $source";
     } elsif ( $source =~ /\..*\..*/ ) {
 	$source = "from $source";
     } else {
+	validate_net ( $source, 0 );
 	$source = "iif $source";
     }
 
@@ -348,7 +357,7 @@ sub add_an_rtrule( $$$$ ) {
 
     $priority = "priority $priority";
 
-    emit ( "qt ip rule del $source $dest $priority" );
+    emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $base, $optional, $number ) = ( chain_base( $provider ), $providers{$provider}{optional} , $providers{$provider}{number} );
 

Shorewall-perl/Shorewall/Rules.pm

@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
 		  dump_rule_chains
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.03';
+our $VERSION = '4.04';
 
 #
 # Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@@ -373,7 +373,7 @@ sub process_criticalhosts() {
 	my @hosts;
 
 	for my $host ( split /,/, $hosts ) {
-	    validate_net $host;
+	    validate_net $host, 1;
 	    push @hosts, "$interface:$host";
 	}
 
@@ -419,7 +419,7 @@ sub process_routestopped() {
 	my @hosts;
 
 	for my $host ( split /,/, $hosts ) {
-	    validate_net $host;
+	    validate_net $host, 1;
 	    push @hosts, "$interface:$host";
 	}
 
@@ -1399,10 +1399,10 @@ sub process_rules() {
 }
 
 #
-# To quote an old comment, "generate_matrix makes a sows ear out of a silk purse".
+# To quote an old comment, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
-# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
+# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
 # The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
 #

Shorewall-perl/Shorewall/Tc.pm

@@ -274,17 +274,16 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 	}
     }
 
-    if ( ( my $result = expand_rule(
+    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				    ensure_chain( 'mangle' , $chain ) ,
+				     NO_RESTRICT ,
-				    NO_RESTRICT ,
+				     do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
-				    do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
+				     $source ,
-				    $source ,
+				     $dest ,
-				    $dest ,
+				     '' ,
-				    '' ,
+				     "-j $target $mark" ,
-				    "-j $target $mark" ,
+				     '' ,
-				  '' ,
+				     '' ,
-				    '' ,
+				     '' ) )
-				    '' ) ) 
 	  && $device ) {
 	#
 	# expand_rule() returns destination device if any
@@ -316,7 +315,7 @@ sub calculate_r2q( $ ) {
 sub calculate_quantum( $$ ) {
     my ( $rate, $r2q ) = @_;
     $rate = rate_to_kbit $rate;
-    eval "int( ( $rate * 125 ) / $r2q )";
+    int( ( $rate * 125 ) / $r2q );
 }
 
 sub validate_tc_device( $$$ ) {
@@ -325,12 +324,9 @@ sub validate_tc_device( $$$ ) {
     fatal_error "Duplicate device ($device)"    if $tcdevices{$device};
     fatal_error "Invalid device name ($device)" if $device =~ /[:+]/;
 
-    rate_to_kbit $inband;
-    rate_to_kbit $outband;
-
     $tcdevices{$device} = {};
-    $tcdevices{$device}{in_bandwidth}  = $inband;
+    $tcdevices{$device}{in_bandwidth}  = rate_to_kbit( $inband ) . 'kbit';
-    $tcdevices{$device}{out_bandwidth} = $outband;
+    $tcdevices{$device}{out_bandwidth} = rate_to_kbit( $outband ) . 'kbit';
 
     push @tcdevices, $device;
 
@@ -366,7 +362,7 @@ sub validate_tc_class( $$$$$$ ) {
     $tcclasses{$device} = {} unless $tcclasses{$device};
     my $tcref = $tcclasses{$device};
 
-    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ && numeric_value( $mark ) < 0xff;
+    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ && numeric_value( $mark ) <= 0xff;
 
     my $markval = numeric_value( $mark );
     fatal_error "Duplicate Mark ($mark)" if $tcref->{$markval};

Shorewall-perl/Shorewall/Zones.pm

@@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.03';
+our $VERSION = '4.04';
 
 #
 # IPSEC Option types
@@ -132,7 +132,7 @@ our %reservedName = ( all => 1,
 #
 our @interfaces;
 our %interfaces;
-our @bridges;
+our @bport_zones;
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -150,7 +150,7 @@ sub initialize() {
 
     @interfaces = ();
     %interfaces = ();
-    @bridges    = ();
+    @bport_zones = ();
 }
 
 INIT {
@@ -283,6 +283,7 @@ sub determine_zones()
 	} elsif ( $type =~ /^bport4?$/i ) {
 	    warning_message "Bridge Port zones should have a parent zone" unless @parents;
 	    $type = 'bport4';
+	    push @bport_zones, $zone;
 	} elsif ( $type eq 'firewall' ) {
 	    fatal_error 'Firewall zone may not be nested' if @parents;
 	    fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
@@ -746,7 +747,6 @@ sub validate_interfaces_file( $ )
 	    if ( $options{bridge} ) {
 		require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 		fatal_error "Bridges may not have wildcard names" if $wildcard;
-		push @bridges, $interface;
 	    }
 	} elsif ( $port ) {
 	    $options{port} = 1;
@@ -759,6 +759,7 @@ sub validate_interfaces_file( $ )
 	my @networks;
 
 	if ( $options{detectnets} ) {
+	    warning_message "Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians'"; 
 	    fatal_error "The 'detectnets' option is not allowed on a multi-zone interface" unless $zone;
 	    fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
 	    fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
@@ -844,10 +845,10 @@ sub find_interface( $ ) {
 }
 
 #
-# Returns true if there are bridges defined in the config
+# Returns true if there are bridge port zones defined in the config
 #
 sub have_bridges() {
-    @bridges > 0;
+    @bport_zones > 0;
 }
 
 #

Shorewall-perl/prog.functions

@@ -6,8 +6,8 @@ delete_proxyarp() {
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
-	    interface=/proc/sys/net/ipv4/conf/$interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
     fi
 

Shorewall-shell/lib.providers

@@ -178,8 +178,8 @@ __EOF__
 
 	    eval ${table}_mark=$mark
 
+	    [ -n "$DELETE_THEN_ADD" ] && qt ip rule del fwmark $mark
 	    indent >&3 << __EOF__
-qt ip rule del fwmark $mark
 run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number
 echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
 __EOF__
@@ -225,13 +225,17 @@ __EOF__
 rulenum=0
 
 find_interface_addresses $interface | while read address; do
-    qt ip rule del from \$address
+__EOF__
+
+	    [ -n "$DELETE_THEN_ADD" ] && save_command "    qt ip rule del from \$address"
+
+	    indent >&3 << __EOF__
     run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
     echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
     rulenum=\$((\$rulenum + 1))
 done
 __EOF__
-	else
+	elif [ -n "$DELETE_THEN_ADD" ]; then
 	    indent >&3 << __EOF__
 
 find_interface_addresses $interface | while read address; do
@@ -269,7 +273,7 @@ __EOF__
 
 	for p in $PROVIDERS main; do
 	    [ "$p" = "$1" ] && return 0
-	    eval n=\$${p}_number}
+	    eval n=\$${p}_number
 	    [ "$n" = "$1" ] && return 0
 	done
 
@@ -285,17 +289,23 @@ __EOF__
 
 	[ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\""
 
-	[ -n "$source" ] && case $source in
+	[ -n "${dest:=to 0.0.0.0/0}" ]
-	    *:*)
+
-		source="iif ${source%:*} from ${source#*:}"
+	if [ -n "$source" ]; then
-		;;
+	    case $source in
-	    *.*.*)
+		*:*)
-		source="from $source"
+		    source="iif ${source%:*} from ${source#*:}"
-		;;
+		    ;;
-	    *)
+		*.*.*)
-		source="iif $source"
+		    source="from $source"
-		;;
+		    ;;
-	esac
+		*)
+		    source="iif $source"
+		    ;;
+	    esac
+	else
+	    source='from 0.0.0.0/0'
+	fi
 
 	case "$priority" in
 	    [0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9])
@@ -307,7 +317,7 @@ __EOF__
 
 	priority="priority $priority"
 
-	save_command "qt ip rule del $source $dest $priority"
+	[ -n "$DELETE_THEN_ADD" ] && save_command "qt ip rule del $source $dest $priority"
 	save_command "run_ip rule add $source $dest $priority table $provider"
 	indent >&3 << __EOF__
 echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing

Shorewall6/Shorewall/IPAddrs.pm

@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module provides interfaces for dealing with IPv4 addresses.
+#   This module provides interfaces for dealing with IPv6 addresses.
 #
 package Shorewall::IPAddrs;
 require Exporter;