From 84af786df4b9fe985606758c13f70f18763c3014 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 30 Sep 2005 16:54:24 +0000 Subject: [PATCH] Add capabilities report to 'shorewall dump' output git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 ++ Shorewall/firewall | 97 ----------------------------- Shorewall/functions | 104 +++++++++++++++++++++++++++++-- Shorewall/releasenotes.txt | 124 +++++++++---------------------------- Shorewall/shorewall | 45 ++++++++------ 5 files changed, 157 insertions(+), 217 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index fd3af614b..74044987f 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,6 +2,10 @@ Changes in 2.5.7 1) Fix ADMINISABSENTMINDED=Yes vs. entries in /etc/shorewall/routestopped. +2) Fix traffic shaping and "shorewall refresh" + +3) Add capabilities report to "shorewall dump". + Changes in 2.5.6 1) Finish install/fallback cleanup. diff --git a/Shorewall/firewall b/Shorewall/firewall index d86b073ae..c05017dfe 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall 
@@ -7234,97 +7234,6 @@ verify_ip() { startup_error "Shorewall $version requires the iproute package ('ip' utility)" } -# -# Determine which optional facilities are supported by iptables/netfilter -# -determine_capabilities() { - qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= - qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= - - CONNTRACK_MATCH= - MULTIPORT= - XMULTIPORT= - POLICY_MATCH= - PHYSDEV_MATCH= - IPRANGE_MATCH= - RECENT_MATCH= - OWNER_MATCH= - IPSET_MATCH= - ROUTE_TARGET= - XMARK= - CONNMARK= - CONNMARK_MATCH= - RAW_TABLE= - - qt $IPTABLES -N fooX1234 - qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes - qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes - qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes - qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes - qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes - - qt $IPTABLES -t mangle -N fooX1234 - qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes - qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes - qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes - qt $IPTABLES -t mangle -F fooX1234 - qt $IPTABLES -t mangle -X fooX1234 - - qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes - - if qt mywhich ipset; then - qt ipset -X fooX1234 # Just in case something went wrong the last time - - if qt ipset -N fooX1234 iphash ; then - if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then 
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT - IPSET_MATCH=Yes - fi - qt ipset -X fooX1234 - fi - fi - - qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes - - qt $IPTABLES -F fooX1234 - qt $IPTABLES -X fooX1234 -} - -report_capability() # $1 = Capability Description , $2 Capability Setting (if any) -{ - local setting= - - [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - - echo " " $1: $setting -} - -report_capabilities() { - echo "Shorewall has detected the following iptables/netfilter capabilities:" - report_capability "NAT" $NAT_ENABLED - report_capability "Packet Mangling" $MANGLE_ENABLED - report_capability "Multi-port Match" $MULTIPORT - [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT - report_capability "Connection Tracking Match" $CONNTRACK_MATCH - report_capability "Packet Type Match" $USEPKTTYPE - [ -n "$PKTTYPE" ] || USEPKTTYPE= - report_capability "Policy Match" $POLICY_MATCH - report_capability "Physdev Match" $PHYSDEV_MATCH - report_capability "IP range Match" $IPRANGE_MATCH - report_capability "Recent Match" $RECENT_MATCH - report_capability "Owner Match" $OWNER_MATCH - report_capability "Ipset Match" $IPSET_MATCH - report_capability "ROUTE Target" $ROUTE_TARGET - report_capability "Extended MARK Target" $XMARK - report_capability "CONNMARK Target" $CONNMARK - report_capability "Connmark Match" $CONNMARK_MATCH - report_capability "Raw Table" $RAW_TABLE -} - # # Perform Initialization # - Delete all old rules @@ -9372,12 +9281,6 @@ case "$COMMAND" in $@ ;; - capabilities) - [ $# -ne 1 ] && usage - do_initialize - report_capabilities - ;; - *) usage ;; diff --git a/Shorewall/functions b/Shorewall/functions index d062eb965..f47b3b217 100755 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -153,9 +153,9 @@ find_file() return fi done - + IFS=$saveifs - + echo /etc/shorewall/$1 fi ;; 
@@ -185,7 +185,7 @@ resolve_file() # $1 = file name echo $pwd/$1 ;; esac -} +} # # Replace commas with spaces and echo the result @@ -234,7 +234,7 @@ separate_list() { ;; *) case $firstpart in - *\,) + *\,) echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)" ;; *) @@ -276,7 +276,7 @@ loadmodule() # $1 = module name, $2 - * arguments if [ -z "$(lsmod | grep $modulename)" ]; then shift - + for suffix in $MODULE_SUFFIX ; do modulefile=$MODULESDIR/${modulename}.${suffix} @@ -439,7 +439,7 @@ mktempdir() { echo " ERROR:Internal error in mktempdir" >&2 ;; esac -} +} # # Read a file and handle "INCLUDE" directives 
@@ -877,4 +877,96 @@ set_state () # $1 = state echo "$1 ($(date))" > /var/lib/shorewall/state } +# +# Determine which optional facilities are supported by iptables/netfilter +# +determine_capabilities() { + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + + CONNTRACK_MATCH= + MULTIPORT= + XMULTIPORT= + POLICY_MATCH= + PHYSDEV_MATCH= + IPRANGE_MATCH= + RECENT_MATCH= + OWNER_MATCH= + IPSET_MATCH= + ROUTE_TARGET= + XMARK= + CONNMARK= + CONNMARK_MATCH= + RAW_TABLE= + + qt $IPTABLES -N fooX1234 + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes + qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes + + qt $IPTABLES -t mangle -N fooX1234 + qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes + qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes + qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes + qt $IPTABLES -t mangle -F fooX1234 + qt $IPTABLES -t mangle -X fooX1234 + + qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + + if qt mywhich ipset; then + qt ipset -X fooX1234 # Just in case something went wrong the last time + + if qt ipset -N fooX1234 iphash ; then + if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then + qt $IPTABLES -D 
fooX1234 -m set --set fooX1234 src -j ACCEPT + IPSET_MATCH=Yes + fi + qt ipset -X fooX1234 + fi + fi + + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes + + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 +} + +report_capability() # $1 = Capability Description , $2 Capability Setting (if any) +{ + local setting= + + [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" + + echo " " $1: $setting +} + +report_capabilities() { + echo "Shorewall has detected the following iptables/netfilter capabilities:" + report_capability "NAT" $NAT_ENABLED + report_capability "Packet Mangling" $MANGLE_ENABLED + report_capability "Multi-port Match" $MULTIPORT + [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT + report_capability "Connection Tracking Match" $CONNTRACK_MATCH + report_capability "Packet Type Match" $USEPKTTYPE + [ -n "$PKTTYPE" ] || USEPKTTYPE= + report_capability "Policy Match" $POLICY_MATCH + report_capability "Physdev Match" $PHYSDEV_MATCH + report_capability "IP range Match" $IPRANGE_MATCH + report_capability "Recent Match" $RECENT_MATCH + report_capability "Owner Match" $OWNER_MATCH + report_capability "Ipset Match" $IPSET_MATCH + report_capability "ROUTE Target" $ROUTE_TARGET + report_capability "Extended MARK Target" $XMARK + report_capability "CONNMARK Target" $CONNMARK + report_capability "Connmark Match" $CONNMARK_MATCH + report_capability "Raw Table" $RAW_TABLE +} + + SHOREWALL_LIBRARY=Loaded diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 4da9ea452..11b583789 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
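Review bot: USEPKTTYPE is the one capability flag that determine_capabilities never resets before probing — every other flag is cleared in the block of empty assignments after the NAT/MANGLE checks, but USEPKTTYPE is only ever set to Yes, so a value already present in the calling shell survives a failed probe and is reported as "Available"; add `USEPKTTYPE=` to that reset list. The line `[ -n "$PKTTYPE" ] || USEPKTTYPE=` in report_capabilities runs after the value has already been printed and is a configuration side effect inside a report routine, so it cannot affect the report and belongs in determine_capabilities or its caller. The probe chain `fooX1234` is created in the live filter and mangle tables without first checking for a leftover chain of that name, while the ipset branch does delete a stale set "just in case"; if a chain survived an interrupted run, `-N` fails quietly under qt and the probes append to whatever is already there, so a `qt $IPTABLES -F fooX1234; qt $IPTABLES -X fooX1234` before the `-N` would make the two paths consistent. These functions are moved verbatim from Shorewall/firewall, so the points above presumably predate this commit, but moving them into the shared library is the moment to fix them.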
@@ -11,94 +11,10 @@ Problems Corrected in 2.5.7: 2) The "shorewall refresh" command was clearing traffic shaping but not reconfiguring it. -Problems Corrected in 2.5.6: +New Features in 2.5.7: -1) The following fatal error could occur at startup: - - ERROR: Command "/sbin/iptables -A INPUT -j LOG --log-level NONE - --log-prefix "Shorewall:INPUT:ACCEPT:"" Failed - - That problem has been corrected. - -2) The Makefile is now unconditionally installed in /etc/shorewall - during an upgrade (the prior copy has been saved in - /etc/shorewall-.bkout/Makefile). - -New Features in 2.5.6: - -1) The install.sh script now does a much cleaner job of backing up the - current installation. It copies the directories /etc/shorewall, - /usr/share/shorewall and /var/lib/shorewall to a directory of the - same name with "-$VERSION.bkout" appended. The init script and - /sbin/shorewall are backed up to the /usr/share/shorewall and - /var/lib/shorewall directories respectively. This makes it very - simple to remove the backups: - - rm -rf /etc/shorewall-*.bkout - rm -rf /usr/share/shorewall-*.bkout - rm -rf /var/lib/shorewall-*.bkout - -2) A new '-n' option has been added to the "start", "restart", - "restore", "stop" and "try" commands. This option instructs - Shorewall to not alter the routing in any way. - - This option is useful when you have a multi-ISP environment because - it prevents the route cache from being flushed which preserves the - mapping of end-point address pairs to routes. - -Problems Corrected in 2.5.5: - -1) The install script now installs the correct Makefile. Previously, - the /etc/shorewall/actions file was identical to the Makefile. - -2) Error Handling was completely broken; operations such as - "shorewall start" would continue after what should have been fatal - errors. - -Problems Corrected in 2.5.4: - -1) Several serious problems associated with macros have been corrected. 
- -Problems Corrected in 2.5.3: - -1) The Netfilter 'raw' table is now cleared during "shorewall stop", - "shorewall [re]start" and "shorewall clear". - -Problems Corrected in 2.5.2: - -1) You may now include port lists in in the /etc/shorewall/accounting - file. - -2) The packet type match capability is now correctly reported when - PKTTYPE=No in /etc/shorewall/shorewall.conf. - -Problems Corrected in 2.5.1: - -1) Shorewall is no longer dependent on the 'which' utility. - -2) "shorewall add" no longer fails when the 'ipsec' option has appeared - in /etc/shorewall/hosts. - -3) The Makefile has been changed to compare the modification times of - the files in /etc/shorewall with - /var/lib/shorewall/restore-base. That file is modified each time - that Shorewall is [re]started whereas /var/lib/shorewall/restarted - is also modified by "shorewall reset" and "shorewall refresh". - -4) The handling of log levels passed to macros has been - corrected. Previously, passing a log level to a macro resulted in a - [re]start error. - -Problems Corrected in 2.5.0: - -1) The behavior of CONTINUE policies has been improved. Shorewall no - longer generates a useless policy chain corresponding to these - policies. - -2) The combining of the zones and ipsec files has now been made upward - compatible provided that the user doesn't do something idiotic such - as install the new shorewall.conf file then manually update it - with exactly the changes that had been applied to the old file. +1) The output of "shorewall dump" now includes a capabilities report + such as the one produced by "shorewall show capabilities". Migration Considerations: 
@@ -165,13 +81,13 @@ Migration Considerations: Your kernel and iptables must include policy match support. firewall - - Designates the firewall itself. You must have + - Designates the firewall itself. You must have exactly one 'firewall' zone. No options are permitted with a 'firewall' zone. OPTIONS, A comma-separated list of options as IN OPTIONS, follows: - OUT OPTIONS + OUT OPTIONS reqid= where is specified using setkey(8) using the 'unique: option for the SPD @@ -414,10 +330,10 @@ New Features in Shorewall 2.5.* ACCEPT loc all+ tcp 22 - would allow SSH traffic from loc->loc whereas + would allow SSH traffic from loc->loc whereas ACCEPT loc all tcp 22 - + does not. 7) A new FASTACCEPT option has been added to shorewall.conf. @@ -437,7 +353,7 @@ New Features in Shorewall 2.5.* specified for an interface with an RFC 1918 address. 9) You may now specify "!" followed by a list of addresses in the - SOURCE and DEST columns of entries in /etc/shorewall/rules, + SOURCE and DEST columns of entries in /etc/shorewall/rules, /etc/shorewall/tcrules and in action files and Shorewall will generate the rule that you expect. @@ -493,7 +409,7 @@ New Features in Shorewall 2.5.* 14) Prior to Shorewall 2.5.3, the rules file only controlled packets in the Netfilter states NEW and INVALID. Beginning with this release, the rules file can also deal with packets in the ESTABLISHED and - RELATED states. + RELATED states. The /etc/shorewall/rules file may now be divided into "sections". Each section is introduced by a line that begins with @@ -558,7 +474,7 @@ New Features in Shorewall 2.5.* Now, $1 = these, $2 = are and $3 = parameters 17) The "shorewall check" command now checks the /etc/shorewall/masq, - /etc/shorewall/blacklist, /etc/shorewall/proxyarp, + /etc/shorewall/blacklist, /etc/shorewall/proxyarp, /etc/shorewall/nat and /etc/shorewall/providers files. 18) Arne Bernin's "tc4shorewall" package has been integrated into 
@@ -575,3 +491,23 @@ New Features in Shorewall 2.5.* variable to determine if the library has been loaded into the current shell process. +20) The install.sh script now does a much cleaner job of backing up the + current installation. It copies the directories /etc/shorewall, + /usr/share/shorewall and /var/lib/shorewall to a directory of the + same name with "-$VERSION.bkout" appended. The init script and + /sbin/shorewall are backed up to the /usr/share/shorewall and + /var/lib/shorewall directories respectively. This makes it very + simple to remove the backups: + + rm -rf /etc/shorewall-*.bkout + rm -rf /usr/share/shorewall-*.bkout + rm -rf /var/lib/shorewall-*.bkout + +21) A new '-n' option has been added to the "start", "restart", + "restore", "stop" and "try" commands. This option instructs + Shorewall to not alter the routing in any way. + + This option is useful when you have a multi-ISP environment because + it prevents the route cache from being flushed which preserves the + mapping of end-point address pairs to routes. + diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 89526706b..a6ba1291e 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -401,7 +401,7 @@ save_config() { if shorewall_is_started ; then [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - + if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" else @@ -421,9 +421,9 @@ save_config() { mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" - + rm -f ${RESTOREPATH}-ipsets - + case ${SAVE_IPSETS:-No} in [Yy][Ee][Ss]) RESTOREPATH=${RESTOREPATH}-ipsets @@ -604,7 +604,7 @@ while [ $done -eq 0 ]; do option=${option#-} [ -z "$option" ] && usage 1 - + while [ -n "$option" ]; do case $option in c) 
@@ -617,7 +617,7 @@ while [ $done -eq 0 ]; do echo "Directory $2 does not exist" >&2 && exit 2 fi fi - + SHOREWALL_DIR=$2 option= shift @@ -641,7 +641,7 @@ while [ $done -eq 0 ]; do n*) NOROUTES=Yes option=${option#n} - ;; + ;; *) usage 1 ;; @@ -755,7 +755,7 @@ case "$1" in echo "Directory $2 does not exist" >&2 && exit 2 fi fi - + SHOREWALL_DIR=$2 export SHOREWALL_DIR ;; @@ -765,14 +765,14 @@ case "$1" in esac export NOROUTES - + if [ -n "$FAST" ]; then if qt mywhich make; then make -qf /etc/shorewall/Makefile || FAST= fi if [ -n "$FAST" ]; then - + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then @@ -820,7 +820,7 @@ case "$1" in echo "Directory $2 does not exist" >&2 && exit 2 fi fi - + SHOREWALL_DIR=$2 export SHOREWALL_DIR ;; @@ -830,7 +830,7 @@ case "$1" in esac export NOROUTES - + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 ;; add|delete) @@ -898,7 +898,8 @@ case "$1" in fi ;; capabilities) - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities + determine_capabilities + report_capabilities ;; actions) echo "allowBcast #Silently Allow Broadcast/multicast" @@ -914,7 +915,7 @@ case "$1" in ;; *) shift - + echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" echo show_reset @@ -979,7 +980,7 @@ case "$1" in heading "IP Stats" ip -stat link ls - + if qt mywhich brctl; then heading "Bridges" brctl show @@ -1012,11 +1013,15 @@ case "$1" in heading "ARP" arp -na - + if qt mywhich lsmod; then heading "Modules" lsmod | grep -E '^ip_|^ipt_|^iptable_' fi + + determine_capabilities + echo + report_capabilities ;; hits) [ -n "$debugging" ] && set -x @@ -1191,7 +1196,7 @@ case "$1" in else usage 1 fi - + [ -z "$vlsm" ] && exit 2 [ "x$address" = "x$vlsm" ] && usage 2 [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 
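Review bot: The new `capabilities)` branch calls determine_capabilities straight from /sbin/shorewall, whereas the removed path ran do_initialize inside the firewall script before reporting; determine_capabilities probes with `$IPTABLES`, and if that variable is not set in this script's environment every `qt $IPTABLES ...` runs a nonexistent command and all capabilities are silently reported as "Not available". Whether /sbin/shorewall assigns IPTABLES before this point is not visible in the hunk, so it is worth confirming and guarding with something like `[ -n "$IPTABLES" ] || { echo "IPTABLES is not set" >&2; exit 2; }`. The `[ $# -ne 1 ] && usage` argument check that the firewall script applied to this command is also dropped here.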
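Review bot: The `dump` hunk (@@ -1012) adds a ruleset mutation to what is otherwise a read-only diagnostic: determine_capabilities creates, populates, flushes and deletes a `fooX1234` chain in the live filter and mangle tables, and creates and destroys an ipset of the same name, each time `shorewall dump` runs. The chain is never referenced, so no traffic is affected, but whether dump runs under the mutex is not visible here; if it does not, a concurrent start/restart that probes with the same fixed chain name presumably races with it. A one-line comment above the call, `# probes netfilter by creating/deleting a temporary chain fooX1234`, would at least make the side effect visible to anyone reading dump output or the script.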
@@ -1290,7 +1295,7 @@ case "$1" in mutex_off exit 0 fi - + if [ "$1" = "safe-start" -o $running -ne 0 ] then # the command is safe-start or shorewall is not started yet @@ -1318,15 +1323,15 @@ case "$1" in # removed previous configuration rm /var/lib/shorewall/safe-start-restart fi - else + else if [ "$command" = "restart" ] then $0 nolock $debugging restore "safe-start-restart" rm /var/lib/shorewall/safe-start-restart - else + else $0 nolock $debugging clear fi - + mutex_off echo "New configuration has been rejected and the old one restored" exit 2