diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1949ede6e..a183dd23b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1143,16 +1143,30 @@ sub set_rule_option( $$$ ) {
 #
 # Consider each subtype as a separate type
 #
- my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+ if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+ my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
 
- if ( $invert eq '!' ) {
- assert( ! supplied $rest );
- $option = join( ' ', $option, $invert, $subtype );
- $value = $val;
+ if ( $invert eq '!' ) {
+ assert( ! supplied $rest );
+ $option = join( ' ', $option, $subtype );
+ $value = join( ' ', $invert, $val );
+ } else {
+ assert( ! supplied $val );
+ $option = join( ' ', $invert , $option );
+ $value = $invert;
+ }
 } else {
- assert( ! supplied $val );
- $option = join( ' ', $option, $invert );
- $value = $subtype;
+ my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+ if ( $invert eq '!' ) {
+ assert( ! supplied $rest );
+ $option = join( ' ', $option, $invert, $subtype );
+ $value = $val;
+ } else {
+ assert( ! supplied $val );
+ $option = join( ' ', $option, $invert );
+ $value = $subtype;
+ }
 }
 
 $opttype = EXCLUSIVE;
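Review bot: In the new OLD_CONNTRACK_MATCH branch, the non-inverted case (the `else` after `if ( $invert eq '!' )`) prepends the second token to the option, `$option = join( ' ', $invert , $option );`, and never uses `$subtype`, whereas the sibling new-syntax branch appends the subtype to the option and takes the value from the following token. With the split order `( $subtype, $invert, $val, $rest )` this reads as if the operands were swapped; if the intended output is option followed by subtype, the line should be `$option = join( ' ', $option, $subtype );` with `$value = $invert;` kept as is. This is hedged on the exact layout of `$value`, which is parsed before the hunk; set_rule_option starts and ends outside the hunk.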
@@ -3369,13 +3383,13 @@ sub initialize_chain_table($) {
 add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 $chainref = new_standard_chain( 'DOCKER-INGRESS' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- $chainref = new_standard_chain( 'DOCKER-USER' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ $chainref = new_standard_chain( 'DOCKER-USER' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -8718,20 +8732,15 @@ sub save_docker_rules($) {
 qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
- qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-*),
+ qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+ qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 qq(),
- qq( case "\$g_dockernetwork" in),
- qq( One\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
- qq( ;;),
- qq( Two\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
- qq( ;;),
- qq( esac),
+ qq( if [ -n "\$g_dockerisostage" ]; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( fi),
 qq(),
 );
 
@@ -9252,10 +9261,10 @@ sub create_netfilter_load( $ ) {
 emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
- emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9367,11 +9376,11 @@ sub preview_netfilter_load() {
 print "\n";
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode1;
- print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 print "\n";
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode1;
- print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 print "\n";
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode1;
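Review bot: The new test `[ "\$g_dockerisostage" = Two ]` in the `/^DOCKER-ISOLATION/` branch of create_netfilter_load can never be true under this commit: generate_script_2 (the Compiler.pm hunk in this diff) only ever assigns `Yes` to that variable, and create_stop_load and save_docker_rules test it with `-n`. As written, the `:DOCKER-ISOLATION-STAGE-*` chain declarations would be dropped from the generated load script whenever the stage chains exist. Change it to `emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );` to match create_stop_load. The enclosing function starts and ends outside the hunk.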
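Review bot: `\$g_dockeisostage` in the new print in the `/^DOCKER-ISOLATION/` branch of preview_netfilter_load is misspelled (it drops the `r` of `g_dockerisostage`), so the preview tests a variable nothing sets, and the test is also written without `-n`, unlike every other gate in this function. Use `print( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );` so the preview agrees with create_stop_load. preview_netfilter_load continues outside the hunk.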
@@ -9468,10 +9477,10 @@ sub create_stop_load( $ ) {
 emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
- emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 9a2f91d0d..35cd497c9 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -268,13 +268,10 @@ sub generate_script_2() {
 emit( '',
 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 );
- emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
- emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
- emit( 'if chain_exists DOCKER-ISOLATION; then',
- ' g_dockernetwork=One',
- 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
- ' g_dockernetwork=Two',
- 'fi' );
+ emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+ emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
 }
 
 pop_indent;
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 40d8d654a..7e25c03fa 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
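Review bot: The two new `chain_exists` lines in generate_script_2 assign `dockeriso=Yes` and `dockerisostage=Yes`, without the `g_` prefix that every reader in this diff uses (`$g_dockeriso` / `$g_dockerisostage` in Chains.pm create_netfilter_load, preview_netfilter_load, create_stop_load and save_docker_rules, in Misc.pm create_docker_rules, and in the declarations added to prog.footer). As emitted, the generated script would never see the DOCKER-ISOLATION chains as present, so they would be neither saved, restored nor jumped to from FORWARD. The lines should read `emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );` and `emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );`. generate_script_2 starts outside the hunk.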
@@ -4603,7 +4603,11 @@ sub New_Conntrack_Match() {
 }
 
 sub Old_Conntrack_Match() {
- ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+ if ( $family == F_IPV4 ) {
+ ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+ } else {
+ ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+ }
 }
 
 sub Multiport() {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 0de55c4a4..b392b974b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -679,18 +679,10 @@ sub create_docker_rules() {
 my $chainref = $filter_table->{FORWARD};
 
- add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
- add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
- add_commands( $chainref ,
- '',
- 'case "$g_dockernetwork" in',
- ' One)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
- ' ;;',
- ' Two)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
- ' ;;',
- 'esac' );
+ add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 
 if ( my $dockerref = known_interface('docker0') ) {
 add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index e4e0fec81..bda08389b 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
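Review bot: The two branches of the new `if ( $family == F_IPV4 )` in Old_Conntrack_Match duplicate the whole probe command and differ only in the address literal, which invites the two copies drifting apart the next time the probe changes. Selecting the address first keeps a single probe: `my $address = $family == F_IPV4 ? '1.2.3.4' : '::1';` followed by `! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst $address" );`. The capability result is unchanged by this, since both branches already return the negated qt1 status as the sub's last evaluated expression.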
@@ -1180,14 +1180,14 @@ CEOF
 emit "fi\n";
 
 if ( get_interface_option( $interface, 'used_address_variable' ) ) {
- my $variable = interface_address( $interface );
+ my $variable = get_interface_address( $interface );
 
- emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+ emit( "echo $variable > \${VARDIR}/${physical}.address" );
 }
 
 if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
- my $variable = interface_gateway( $interface );
- emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+ my $variable = get_interface_gateway( $interface );
+ emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 }
 } else {
 emit( qq(progress_message "Provider $table ($number) Started") );
@@ -2323,22 +2323,22 @@ sub handle_optional_interfaces() {
 emit( 'fi' );
 
 if ( get_interface_option( $interface, 'used_address_variable' ) ) {
- my $variable = interface_address( $interface );
+ my $variable = get_interface_address( $interface );
 
 emit( '',
 "if [ -f \${VARDIR}/${physical}.address ]; then",
- " if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+ " if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 ' g_forcereload=Yes',
 ' fi',
 'fi' );
 }
 
 if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
- my $variable = interface_gateway( $interface );
+ my $variable = get_interface_gateway( $interface );
 
 emit( '',
 "if [ -f \${VARDIR}/${physical}.gateway ]; then",
- " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+ " if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 ' g_forcereload=Yes',
 ' fi',
 'fi' );
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index f72f648c9..5b5ccba01 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -148,7 +148,8 @@ g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
 g_forcereload=
 g_fallback=
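Review bot: In the address branch the new `emit( "echo $variable > \${VARDIR}/${physical}.address" );` leaves the expansion of `$variable` unquoted in the generated shell, while the gateway branch a few lines down quotes it (`echo "$variable"`). Presumably get_interface_address now returns a complete shell expression rather than a bare variable name, since the `\$` prefix was dropped together with the rename — TODO confirm against its definition; if that expression can expand to nothing or to more than one word, the unquoted form changes what gets written to the `.address` file. Quoting it the same way as the gateway line, `emit( qq(echo "$variable" > \${VARDIR}/${physical}.address) );`, makes both branches behave alike. The enclosing code starts before the hunk.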
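Review bot: The new comparison line `" if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",` in handle_optional_interfaces leaves both operands unquoted in the generated script, so when the saved `.address` file is empty, or `$variable` expands to nothing, the test collapses to `[ != ... ]` and fails with a unary-operator error instead of setting `g_forcereload`. The gateway block below quotes only the right-hand side and has the same gap on the `$(cat ...)` side. Quoting both operands, `" if [ \"\$(cat \${VARDIR}/${physical}.address)\" != \"$variable\" ]; then",`, keeps the test well-formed for empty values; the same applies to the gateway line. handle_optional_interfaces continues outside the hunk.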
diff --git a/docs/Build.xml b/docs/Build.xml index a8019e438..faae33368 100644 --- a/docs/Build.xml +++ b/docs/Build.xml @@ -113,7 +113,6 @@ - tools/files @@ -122,7 +121,6 @@ - tools/testing diff --git a/docs/Introduction.xml b/docs/Introduction.xml index f90efb101..9278ae885 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -16,7 +16,7 @@ - 2003-2015 + 2003-2020 2019 @@ -173,18 +173,22 @@ dmz ipv4 file. In the three-interface sample, the three zones are defined using that file as follows: - #ZONE INTERFACE OPTIONS -net NET_IF dhcp,routefilter -loc LOC_IF -dmz DMZ_IF + #ZONE INTERFACE OPTIONS +net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0 +loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1 +dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2 The above file defines the net zone as all IPv4 hosts interfacing to the firewall through NET_IF, the loc zone as all IPv4 hosts interfacing through LOC_IF and the dmz as all IPv4 hosts interfacing through - DMZ_IF. It is important to note that the composition of a zone is defined - in terms of a combination of addresses and interfaces. When using the + logical names which are used throughout the configuration to + refer to the individual interfaces. The actual interface names are + specified using the physical option. It + is important to note that the composition of a zone is defined in terms of + a combination of addresses and + interfaces. When using the /etc/shorewall/interfaces file to define a zone, all addresses are included; when you want to define a zone that contains a limited subset of the IPv4 address space, you use 
@@ -193,10 +197,12 @@ dmz DMZ_IF file or you may use the nets= option in /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net NET_IF detect dhcp,routefilter,nets=(!192.168.0.0/23),physical=eth0 -loc LOC_IF detect nets=(192.168.0.0/24),physical=eth1 -dmz DMZ_IF detect nets=(192.168.1.0/24),physical=eth2 + #ZONE INTERFACE OPTIONS +net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0 +loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1,nets=172.20.1.0/24 +dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2 + The above file defines the net zone as all IPv4 hosts interfacing to the firewall through eth0 except diff --git a/docs/html.css b/docs/html.css index b42f2f9ea..db17dd1f2 100644 --- a/docs/html.css +++ b/docs/html.css 
@@ -1,48 +1,188 @@ -div.informalexample { background-color: #d5dee3; - border-top-width: 2px; - border-top-style: double; - border-top-color: #d3d3d3; - border-bottom-width: 2px; - border-bottom-style: double; - border-bottom-color: #d3d3d3; - padding: 4px; - margin: 0em; - margin-left: 2em; - } +/* global styles */ +body { + font-family: sans-serif; +} +div { + border: 0; + padding: 0.5em; +} +img { + border: 0; +} +hr { + color: #8b8b8b; +} +h4 { + text-align: center; + font-weight: bold; + padding: 0.25em 0.5em; + margin: 0 0 1px; +} +.quote { + font-style: italic; + text-align: center; +} +.strong { + font-weight: bold; +} +.warning { + font-weight: bold; + color: #ff0000; +} +a { + display: block; + border-width: 0; + text-decoration: none; + color: #0060b5; + background: #ffffff; +} +a:hover { + color: #ffffff; + background: #0060b5; +} +/* header styles */ +div#header { + position: absolute; + font-size: small; + top: 0; + left: 0; + height: 100px; + width: 95%; + margin: 10px; +} +div#header p { + text-align: center; +} +div#header div#search-form { + float: left; + margin: 0; + padding: 0; +} +div#header div#search-form input#search-text { + background-color: #ffffff; + color: #0060b5; + font-size: small; + border: 1px solid; + vertical-align: middle; +} +div#header div#search-form input#submit-button { + background-color: #ffffff; + color: #0060b5; + font-size: small; + font-weight: bold; + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + border-radius:6px; + text-decoration: none; + cursor: pointer; + border: 1px solid; + vertical-align: middle; +} +div#header div#search-form input#submit-button:hover { + border: 1px solid; + background-color: #0060b5; + color: #ffffff; + box-shadow: 0px 0px 1px #777; +} +div#header div#ml-search { + float: right; + margin: 0; + padding: 0; +} +div#header div#logo { + margin: 0; + padding: 0; + clear: both; +} +/* sidebar styles */ +div#sidebar { + position: fixed; + top: 125px; + left: 0; + width: 15%; + margin: 
10px; + font-size: small; +} +div#sidebar:hover { + background-position: 0px 0px; +} +div#sidebar a { + text-align: center; + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + border-radius:6px; +} +/* menu styles */ +/* main panel styles */ +div#main { + position: absolute; + top: 150px; + left: 16%; + width: 62%; + margin: 10px; +} +div#main a { + display: inline; + padding: 0; +} +div#main a:hover { + color: #0060b5; + background: #ffffff; + text-decoration: underline; +} +/* content styles */ +div#content div { + padding: 0; +} +div#content code, pre { + font: 100% monospace; +} +div#content table { + width: 100%; +} +div#content table#changelog { + font-size: x-small; +} +/* footer styles */ +div#footer p { + text-align: center; + font-size: small; +} +div#footer table { + margin-left: auto; + margin-right: auto; +} +/* doc panel styles */ +div#doc { + float: right; + top: 125px; + left: 80%; + width: 15%; + margin: 125px 10px 10px 10px; + font-size: small; +} +div#doc:hover { + background-position: 0px 0px; +} +div#doc a { + padding: 0 5px 0 5px; + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + border-radius:6px; +} +div#doc p.go-top, div#doc p.go-top a, div#doc p.go-top a:hover { + opacity: 0.75; + filter:alpha(opacity=75); /* For IE8 and earlier */ + position: fixed; + bottom: 0.5em; + right: 0.5em; + text-decoration: none; + font-size: small; + padding: 0; + display: block; +} +div#doc p.go-top a:hover { + opacity: 1.0; + filter:alpha(opacity=100); /* For IE8 and earlier */ +} -pre.programlisting { whitespace: pre; - font-family: monospace; - background-color: #BEE1F6; - border-top-width: 1px; - border-top-style: single; - border-top-color: #d3d3d3; - border-bottom-width: 1px; - border-bottom-style: single; - border-bottom-color: #d3d3d3; - padding: 4px; - margin: 0em; - } - -div.sidebar { whitespace: pre; - font-family: monospace; - background-color: #A6D5EC; - border-top-width: 1px; - border-top-style: single; - border-top-color: 
#d3d3d3; - border-bottom-width: 1px; - border-bottom-style: single; - border-bottom-color: #d3d3d3; - padding: 4px; - margin: 0em; - } - -div.informalexample pre { whitespace: pre; - font-family: monospace; - border-top-width: 0px; - border-bottom-width: 0px; - padding: 0px; - } - -div.caution h3 { color:#CC3333; } - -div.note h3 { color:#000066; } \ No newline at end of file