Updates for 1.3.4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/init.d/shorewall

@@ -422,7 +422,7 @@ determine_interfaces() {
 # Determine the defined hosts in each zone and generate report		       #
 ################################################################################
 determine_hosts() {
-    do_a_zone() # $1 = zone name
+    do_a_zone()
     {
 	eval interfaces=\$${zone}_interfaces
 
@@ -435,16 +435,40 @@ determine_hosts() {
 	done
     }
 
+    recalculate_hosts()
+    {
+	interfaces=
+	
+	for host in $hosts; do
+	    interface=${host%:*}
+	    if ! list_search $interface $interfaces; then
+		if [ -z "$interfaces" ]; then
+		    interfaces=$interface
+		else
+		    interfaces="$interfaces $interface"
+		fi
+	    fi
+	done
+
+	eval ${zone}_interfaces="\$interfaces"
+    }
+
     for zone in $zones; do
 	hosts=`find_hosts $zone`
 	hosts=`echo $hosts` # Remove extra trash
 
-	if [ -z "$hosts" ]; then
+	if [ -n "$hosts" ]; then
+	    ####################################################################
+	    # Zone is defined in terms of hosts -- derive the interface list
+	    # from the host list
+	    #
+	    recalculate_hosts
+	else
 	    ####################################################################
 	    # If no hosts are defined for a zone then the zone consists of any
 	    # host that can send us messages via the interfaces to the zone
 	    #
-	    do_a_zone $zone
+	    do_a_zone
 	fi
 
 	eval ${zone}_hosts="\$hosts"
@@ -698,7 +722,7 @@ validate_rule() {
     case $target in
     DNAT)
 	target=ACCEPT
-	address=${address:=all}
+	address=${address:=detect}
 	;;
     REDIRECT)
 	target=ACCEPT
@@ -854,8 +878,6 @@ validate_policy()
 	    ;;
 	esac
 
-	echo "	 Policy \"$client $server $policy $loglevel\" Validated"
-
     done < $TMP_DIR/policy
 }
 
@@ -878,6 +900,27 @@ find_broadcasts() {
     done < $TMP_DIR/interfaces
 }
 
+################################################################################
+# Find interface address--returns the first IP address assigned to the passed  #
+# device								       #
+################################################################################
+find_interface_address() # $1 = interface
+{
+    # 
+    # get the line of output containing the first IP address
+    #
+    addr=`ip addr show $1 2> /dev/null | grep inet | head -n1`
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}
+
 ################################################################################
 # Find interfaces that have the passed option specified			       #
 ################################################################################
@@ -972,6 +1015,14 @@ stop_firewall() {
 
     hosts="`find_hosts_by_option routestopped`"
 
+    strip_file routestopped 
+
+    while read interface host; do
+	expandv interface host
+	[ "x$host" = "x-" ] && host=
+	hosts="$hosts $interface:${host:-0.0.0.0/0}"
+    done < $TMP_DIR/routestopped
+
     for host in $hosts; do
 	interface=${host%:*}
 	subnet=${host#*:}
@@ -1003,6 +1054,8 @@ stop_firewall() {
 	;;
     esac
 
+    run_user_exit stopped
+
     logger "Shorewall Stopped"
 
     rm -rf $TMP_DIR
@@ -1170,8 +1223,8 @@ setup_syn_flood_chain ()
 
     run_iptables -N @$chain
     run_iptables -A @$chain \
-	      -m limit --limit $limit --limit-burst $limit_burst \
+	-m limit --limit $limit --limit-burst $limit_burst \
-	      -j RETURN
+	-j RETURN
     run_iptables -A @$chain -j DROP
 }
 
@@ -1439,7 +1492,22 @@ add_nat_rule() {
 
     # Set original destination address
 
-    [ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
+    case $addr in
+	all)
+	    addr=
+	    ;;
+	detect)
+	   addr=
+           if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
+	       eval interfaces=\$${source}_interfaces
+	       for interface in $interfaces; do
+		   addr="`find_interface_address $interface` $addr"
+	       done
+	   fi
+	   ;;
+    esac
+
+    addr=${addr:-0.0.0.0/0}
 
     # Select target
 
@@ -1453,7 +1521,7 @@ add_nat_rule() {
     # Generate nat table rules
 
     if [ "$source" = "$FW" ]; then
-	run_iptables -t nat -A OUTPUT $proto $sports $addr \
+	run_iptables -t nat -A OUTPUT $proto $sports -d addr
 	    $multiport $dports -j $target1
     else
 	chain=`dnat_chain $source`
@@ -1466,14 +1534,18 @@ add_nat_rule() {
 	    for z in $excludezones; do
 		eval hosts=\$${z}_hosts
 		for host in $hosts; do
-		    addnatrule $chain $proto -s ${host#*:} \
+		    for adr in $addr; do
-			$multiport $sports $addr $dports -j RETURN
+			addnatrule $chain $proto -s ${host#*:} \
+			    $multiport $sports -d $adr $dports -j RETURN
+		    done
 		done
 	    done
 	fi
-
+	
-	addnatrule $chain $proto $cli $sports \
+	for adr in $addr; do
-	    $multiport $addr $dports -j $target1
+	    addnatrule $chain $proto $cli $sports \
+		-d $adr $multiport $dports -j $target1
+	done
     fi
 
     # Replace destination port by the new destination port
@@ -1697,7 +1769,7 @@ process_rule() {
     case $target in
     DNAT)
 	target=ACCEPT
-	address=${address:=all}
+	address=${address:=detect}
 	;;
     REDIRECT)
 	target=ACCEPT
@@ -2544,6 +2616,10 @@ initialize_netfilter () {
 
     validate_hosts_file
 
+    echo "Validating Policy file..."
+
+    validate_policy
+
     echo "Determining Hosts in Zones..."
 
     determine_interfaces
@@ -2820,8 +2896,6 @@ apply_policy_rules() {
     #
     while read client server policy loglevel synparams; do
 	expandv client server policy loglevel synparams
-	validate_zone $client
-	validate_zone $server
 
 	chain=${client}2${server}
 
@@ -3053,8 +3127,6 @@ define_firewall() # $1 = Command (Start or Restart)
 
     echo "Processing $policy..."
 
-    strip_file policy $policy
-
     apply_policy_rules
 
     masq=`find_file masq`
@@ -3249,6 +3321,7 @@ do_initialize() {
     ROUTE_FILTER=
     NAT_BEFORE_RULES=
     MULTIPORT=
+    DETECT_DNAT_IPADDRS=
     stopping=
     have_mutex=
     masq_seq=1
@@ -3322,6 +3395,7 @@ do_initialize() {
     ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
     NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
+    DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
 }
 
 ################################################################################

Lrp/etc/shorewall/hosts

@@ -30,7 +30,9 @@
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
 #
-#			routestopped - route messages to and from this
+#			routestopped - (Deprecated -- use
+#				       /etc/shorewall/routestopped)
+#				       route messages to and from this
 #				       member when the firewall is in the
 #				       stopped state
 #

Lrp/etc/shorewall/interfaces

@@ -48,7 +48,9 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
-#			routestopped - When the firewall is stopped, allow
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
 #			norfc1918    - This interface should not receive

Lrp/etc/shorewall/shorewall.conf

@@ -228,4 +228,37 @@ NAT_BEFORE_RULES=Yes
 
 MULTIPORT=No
 
+MULTIPORT=No
+
+# DNAT IP Address Detection
+#
+# Normally when Shorewall encounters the following rule:
+#
+#	DNAT	net	loc:192.168.1.3	tcp	80
+#
+# it will forward TCP port 80 connections from the net to 192.168.1.3
+# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is 
+# convenient for two reasons:
+#
+#	a) If the the network interface has a dynamic IP address, the
+#	   firewall configuration will work even when the address
+#	   changes.
+#
+#	b) It saves having to configure the IP address in the rule 
+#	   while still allowing the firewall to be started before the
+#	   internet interface is brought up.
+#
+# This default behavior can also have a negative effect. If the
+# internet interface has more than one IP address then the above 
+# rule will forward connection requests on all of these addresses; 
+# that may not be what is desired.
+#
+# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
+# only if the original destination address is the primary IP address of
+# one of the interfaces associated with the source zone. Note that this
+# requires all interfaces to the source zone to be up when the firewall
+# is [re]started. 
+
+DETECT_DNAT_IPADDRS=No
+
 #LAST LINE -- DO NOT REMOVE

Lrp/var/lib/shorewall/version

@@ -1 +1 @@
-1.3.3
+1.3.4