diff --git a/Lrp2/etc/shorewall/actions b/Lrp2/etc/shorewall/actions index 4ddb30e91..c057929d5 100644 --- a/Lrp2/etc/shorewall/actions +++ b/Lrp2/etc/shorewall/actions @@ -8,7 +8,7 @@ # # ACTION names should begin with an upper-case letter to # distinguish them from Shorewall-generated chain names and -# they must need the requirements of a Netfilter chain. If +# they must meet the requirements of a Netfilter chain. If # you intend to log from the action then the name must be # no longer than 11 character in length. Names must also # meet the requirements for a Bourne Shell identifier (must @@ -22,7 +22,10 @@ # last such action will be taken. # # If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by -# itself, the associated policy will have no common action. +# itself, the associated policy will have no common action. +# +# Please see http://shorewall.net/Actions.html for additional +# information. # #ACTION diff --git a/Lrp2/etc/shorewall/blacklist b/Lrp2/etc/shorewall/blacklist index 4cb06756d..8511c3137 100644 --- a/Lrp2/etc/shorewall/blacklist +++ b/Lrp2/etc/shorewall/blacklist @@ -38,6 +38,9 @@ # ADDRESS/SUBNET PROTOCOL PORT # 192.0.2.126 udp 53 # +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# ############################################################################### #ADDRESS/SUBNET PROTOCOL PORT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/continue b/Lrp2/etc/shorewall/continue index e608ca4ed..d1300c577 100644 --- a/Lrp2/etc/shorewall/continue +++ b/Lrp2/etc/shorewall/continue @@ -4,3 +4,5 @@ # Add commands below that you want to be executed after shorewall has # cleared any existing Netfilter rules and has enabled existing connections. # +# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm +# diff --git a/Lrp2/etc/shorewall/ecn b/Lrp2/etc/shorewall/ecn index e09e32540..77b981b76 100644 --- a/Lrp2/etc/shorewall/ecn 
+++ b/Lrp2/etc/shorewall/ecn @@ -15,6 +15,8 @@ # 0.0.0.0/0 is assumed. If your kernel and iptables # include iprange match support then IP address ranges # are also permitted. +# +# For additional information, see http://shorewall.net/Documentation.htm#ECN ############################################################################## #INTERFACE HOST(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/hosts b/Lrp2/etc/shorewall/hosts index 1fbd5e51c..0016f976d 100644 --- a/Lrp2/etc/shorewall/hosts +++ b/Lrp2/etc/shorewall/hosts @@ -135,5 +135,7 @@ # /etc/shorewall/ipsec file then you do NOT # need to specify the 'ipsec' option here. # +# For additional information, see http://shorewall.net/Documentation.htm#Hosts +# #ZONE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/init b/Lrp2/etc/shorewall/init index 7fb3988e1..571a9b31d 100644 --- a/Lrp2/etc/shorewall/init +++ b/Lrp2/etc/shorewall/init @@ -4,3 +4,5 @@ # Add commands below that you want to be executed at the beginning of # a "shorewall start" or "shorewall restart" command. # +# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm +# diff --git a/Lrp2/etc/shorewall/initdone b/Lrp2/etc/shorewall/initdone index efd2be5d2..74460af0e 100644 --- a/Lrp2/etc/shorewall/initdone +++ b/Lrp2/etc/shorewall/initdone @@ -5,3 +5,5 @@ # "shorewall start" or "shorewall restart" commands at the point where # Shorewall has not yet added any perminent rules to the builtin chains. # +# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm +# diff --git a/Lrp2/etc/shorewall/interfaces b/Lrp2/etc/shorewall/interfaces index 74080d3c3..88f2a800b 100644 --- a/Lrp2/etc/shorewall/interfaces +++ b/Lrp2/etc/shorewall/interfaces 
@@ -201,6 +201,9 @@ # connections. # # net ppp0 - +# +# For additional information, see http://shorewall.net/Documentation.htm#Interfaces +# ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS # diff --git a/Lrp2/etc/shorewall/maclist b/Lrp2/etc/shorewall/maclist index b200ddda2..f364048cd 100644 --- a/Lrp2/etc/shorewall/maclist +++ b/Lrp2/etc/shorewall/maclist @@ -1,6 +1,11 @@ # # Shorewall 2.2 - MAC list file # +# This file is used to define the MAC addresses and optionally their +# associated IP addresses to be allowed to use the specified interface. +# The feature is enabled by using the maclist option in the interfaces +# or hosts configuration file. +# # /etc/shorewall/maclist # # Columns are: @@ -18,6 +23,9 @@ # list of host and/or subnet addresses. If your kernel # and iptables have iprange match support then IP # address ranges are also allowed. +# +# For additional information, see http://shorewall.net/MAC_Validation.html +# ############################################################################## #INTERFACE MAC IP ADDRESSES (Optional) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/masq b/Lrp2/etc/shorewall/masq index 34e81d93d..f5e1cea76 100644 --- a/Lrp2/etc/shorewall/masq +++ b/Lrp2/etc/shorewall/masq @@ -86,6 +86,20 @@ # 192.0.2.4:5000-6000 # :4000-5000 # +# You can invoke the SAME target using the +# following in this column: +# +# SAME:[nodst:][,...] +# +# The may be single addresses. +# +# SAME works like SNAT with the exception that the +# same local IP address is assigned to each connection +# from a local address to a given remote address. If +# the 'nodst:' option is included, then the same source +# address is used for a given internal system regardless +# of which remote system is involved. +# # If you want to leave this column empty # but you need to specify the next column then # place a hyphen ("-") here. 
@@ -195,6 +209,8 @@ # # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # +# For additional information, see http://shorewall.net/Documentation.htm#Masq +# ############################################################################### #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC eth0 eth1 diff --git a/Lrp2/etc/shorewall/modules b/Lrp2/etc/shorewall/modules index f658e3576..4b969b4bb 100644 --- a/Lrp2/etc/shorewall/modules +++ b/Lrp2/etc/shorewall/modules @@ -7,6 +7,7 @@ # dependency order. i.e., if M2 depends on M1 then you must load M1 before # you load M2. # +# For additional information, see http://shorewall.net/Documentation.htm#modules loadmodule ip_tables loadmodule iptable_filter diff --git a/Lrp2/etc/shorewall/nat b/Lrp2/etc/shorewall/nat index 76991ebdd..5078bec21 100644 --- a/Lrp2/etc/shorewall/nat +++ b/Lrp2/etc/shorewall/nat @@ -38,6 +38,8 @@ # # LOCAL If Yes or yes, NAT will be effective from the firewall # system +# +# For additional information, see http://shorewall.net/NAT.htm ############################################################################## #EXTERNAL INTERFACE INTERNAL ALL LOCAL # INTERFACES diff --git a/Lrp2/etc/shorewall/policy b/Lrp2/etc/shorewall/policy index bb08500c0..49ebf8e62 100644 --- a/Lrp2/etc/shorewall/policy +++ b/Lrp2/etc/shorewall/policy @@ -75,6 +75,8 @@ # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. +# +# See http://shorewall.net/Documentation.htm#Policy for additional information. ############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL diff --git a/Lrp2/etc/shorewall/proxyarp b/Lrp2/etc/shorewall/proxyarp index c80c1b21c..a48fefc53 100644 --- a/Lrp2/etc/shorewall/proxyarp +++ b/Lrp2/etc/shorewall/proxyarp 
@@ -39,6 +39,8 @@ # # #ADDRESS INTERFACE EXTERNAL # 155.186.235.6 eth1 eth0 +# +# See http://shorewall.net/ProxyARP.htm for additional information. ############################################################################## #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/routestopped b/Lrp2/etc/shorewall/routestopped index d59da15be..64b0fe504 100644 --- a/Lrp2/etc/shorewall/routestopped +++ b/Lrp2/etc/shorewall/routestopped @@ -31,6 +31,10 @@ # eth2 192.168.1.0/24 # eth0 192.0.2.44 # br0 - routeback +# +# See http://shorewall.net/Documentation.htm#Routestopped and +# http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. ############################################################################## #INTERFACE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/rules b/Lrp2/etc/shorewall/rules index d2ac03837..7944e01d4 100644 --- a/Lrp2/etc/shorewall/rules +++ b/Lrp2/etc/shorewall/rules @@ -42,6 +42,16 @@ # Like DNAT but only generates the # DNAT iptables rule and not # the companion ACCEPT rule. +# SAME -- Similar to DNAT except that the +# port may not be remapped and when +# multiple server addresses are +# listed, all requests from a given +# remote system go to the same +# server. +# SAME- -- Advanced users only. +# Like SAME but only generates the +# NAT iptables rule and not +# the companion ACCEPT rule. # REDIRECT -- Redirect the request to a local # port on the firewall. # REDIRECT- 
@@ -102,11 +112,14 @@ # # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, or "all" If the ACTION is DNAT or +# firewall itself, "all" or "none" If the ACTION is DNAT or # REDIRECT, sub-zones of the specified zone may be # excluded from the rule by following the zone name with # "!' and a comma-separated list of sub-zone names. # +# When "none" is used either in the SOURCE or DEST column, +# the rule is ignored. +# # When "all" is used either in the SOURCE or DEST column # intra-zone traffic is not affected. You must add # separate rules to handle that traffic. @@ -147,7 +160,10 @@ # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones, $FW to indicate the firewall -# itself or "all" +# itself, "all" or "none". +# +# When "none" is used either in the SOURCE or DEST column, +# the rule is ignored. # # When "all" is used either in the SOURCE or DEST column # intra-zone traffic is not affected. You must add @@ -352,6 +368,4 @@ ACCEPT fw net icmp # allow loc to fw tcp/80 for weblet to work ACCEPT loc fw udp 53 ACCEPT loc fw tcp 80 -# uncomment to use dnsmasq's dhcpd in your LAN -#ACCEPT loc fw udp 67,68 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/start b/Lrp2/etc/shorewall/start index 37077dfb6..646b4eea9 100644 --- a/Lrp2/etc/shorewall/start +++ b/Lrp2/etc/shorewall/start @@ -4,7 +4,9 @@ # Add commands below that you want to be executed after shorewall has # been started or restarted. # +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# for file in /etc/shorewall/start.d/* ; do run_user_exit $file done - diff --git a/Lrp2/etc/shorewall/stop b/Lrp2/etc/shorewall/stop index ab48d5961..25491b367 100644 --- a/Lrp2/etc/shorewall/stop +++ b/Lrp2/etc/shorewall/stop 
@@ -4,7 +4,8 @@ # Add commands below that you want to be executed at the beginning of a # "shorewall stop" command. # +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. for file in /etc/shorewall/stop.d/* ; do - run_user_exit $file + run_user_exit $file done - diff --git a/Lrp2/etc/shorewall/stopped b/Lrp2/etc/shorewall/stopped index d31d023c7..b1aa78ab4 100644 --- a/Lrp2/etc/shorewall/stopped +++ b/Lrp2/etc/shorewall/stopped @@ -4,3 +4,5 @@ # Add commands below that you want to be executed at the completion of a # "shorewall stop" command. # +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. diff --git a/Lrp2/etc/shorewall/tcrules b/Lrp2/etc/shorewall/tcrules index 4c2009af0..3a758b262 100644 --- a/Lrp2/etc/shorewall/tcrules +++ b/Lrp2/etc/shorewall/tcrules @@ -147,6 +147,8 @@ # testing # :C Designates a connection mark. If omitted, # the packet mark's value is tested. +# +# See http://shorewall.net/traffic_shaping.htm for additional information. ############################################################################## #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) diff --git a/Lrp2/etc/shorewall/tunnels b/Lrp2/etc/shorewall/tunnels index c764d63ba..83a4d7949 100644 --- a/Lrp2/etc/shorewall/tunnels +++ b/Lrp2/etc/shorewall/tunnels @@ -108,6 +108,10 @@ # # generic:udp:4444 net 4.3.99.124 # +# +# See http://shorewall.net/Documentation.htm#Tunnels for additional information. +# # TYPE ZONE GATEWAY GATEWAY # ZONE +# #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/zones b/Lrp2/etc/shorewall/zones index 74c828682..b7b3e45fa 100755 --- a/Lrp2/etc/shorewall/zones +++ b/Lrp2/etc/shorewall/zones 
@@ -4,6 +4,8 @@ # This file determines your network zones. Columns are: # # ZONE Short name of the zone (5 Characters or less in length). +# The names "all" and "none" are reserved and may not be +# used as zone names. # DISPLAY Display name of the zone # COMMENTS Comments about the zone # diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall index 85079da45..5c19408da 100755 --- a/Lrp2/sbin/shorewall +++ b/Lrp2/sbin/shorewall @@ -58,6 +58,7 @@ # shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show tc Display traffic control info # shorewall show classifiers Display classifiers +# shorewall show capabilities Display iptables/kernel capabilities # shorewall version Display the installed version id # shorewall check Verify the more heavily-used # configuration files. @@ -353,11 +354,18 @@ packet_log() # $1 = number of messages [ -n "$realtail" ] && options="-n$1" - grep "${LOGFORMAT}" $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - sed 's/MAC=.* SRC=/SRC=/' | \ - tail $options + if [ -n "$VERBOSE" ]; then + grep "${LOGFORMAT}" $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + tail $options + else + grep "${LOGFORMAT}" $LOGFILE | \ + sed s/" kernel:"// | \ + sed s/" $host $LOGFORMAT"/" "/ | \ + sed 's/MAC=.* SRC=/SRC=/' | \ + tail $options + fi } # @@ -595,7 +603,7 @@ help() # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] [ -f ] " + echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] " echo "where is one of:" echo " add [:{[:]|}[,...]] ... " echo " allow
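Review bot: The two branches of the new `if [ -n "$VERBOSE" ]` in packet_log repeat the whole grep/sed/tail pipeline and differ only by the `sed 's/MAC=.* SRC=/SRC=/'` stage, so any future change to the log format has to be applied twice and the branches can drift apart. The MAC-stripping stage can be made conditional inside a single pipeline (a compound command is a valid pipeline element in POSIX sh). While touching the line, `$LOGFILE` is unquoted in both copies of the grep. packet_log starts before the hunk.
```shell
    grep "${LOGFORMAT}" "$LOGFILE" | \
    sed s/" kernel:"// | \
    sed s/" $host $LOGFORMAT"/" "/ | \
    if [ -n "$VERBOSE" ]; then cat; else sed 's/MAC=.* SRC=/SRC=/'; fi | \
    tail $options
```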
..." @@ -616,14 +624,13 @@ usage() # $1 = exit status echo " restart [ ]" echo " restore [ ]" echo " save [ ]" - echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos|zones]" + echo " show [ [ ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]" echo " start [ ]" echo " stop" echo " status" echo " try [ ]" echo " version" echo - echo "The -c and -f options may not be specified with a in the start, restart and check commands" exit $1 } @@ -664,6 +671,7 @@ SHOREWALL_DIR= QUIET= IPT_OPTIONS="-nv" FAST= +VERBOSE= done=0 @@ -705,6 +713,10 @@ while [ $done -eq 0 ]; do FAST=Yes option=${option#f} ;; + v*) + VERBOSE=Yes + option=${option#v} + ;; *) usage 1 ;; @@ -938,6 +950,9 @@ case "$1" in exit 1 fi ;; + capabilities) + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities + ;; *) shift diff --git a/Lrp2/usr/share/shorewall/action.AllowICMPs b/Lrp2/usr/share/shorewall/action.AllowICMPs index 7235d8dff..91e462913 100644 --- a/Lrp2/usr/share/shorewall/action.AllowICMPs +++ b/Lrp2/usr/share/shorewall/action.AllowICMPs @@ -1,5 +1,5 @@ # -# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs +# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs # # ACCEPT needed ICMP types # diff --git a/Lrp2/usr/share/shorewall/action.template b/Lrp2/usr/share/shorewall/action.template index 80152daa5..a5bbce819 100644 --- a/Lrp2/usr/share/shorewall/action.template +++ b/Lrp2/usr/share/shorewall/action.template @@ -11,6 +11,9 @@ # 2. Copy this file to /etc/shorewall/action. # 3. Add the desired rules to that file. # +# Please see http://shorewall.net/Actions.html for additional +# information. +# # Columns are: # # diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std index 47779a38b..7dfb23fcc 100644 --- a/Lrp2/usr/share/shorewall/actions.std +++ b/Lrp2/usr/share/shorewall/actions.std 
@@ -1,6 +1,8 @@ # # Shorewall 2.2 /usr/share/shorewall/actions.std # +# Please see http://shorewall.net/Actions.html for additional +# information. # # Builtin Actions are: # @@ -12,6 +14,10 @@ # #conntrack state. # allowInvalid #Accept packets that are in the INVALID # #conntrack state. +# allowoutUPnP #Allow traffic from local command 'upnpd' +# allowinUPnP #Allow UPnP inbound (to firewall) traffic +# forwardUPnP #Allow traffic that upnpd has redirected from +# #'upnp' interfaces. # #ACTION diff --git a/Lrp2/usr/share/shorewall/bogons b/Lrp2/usr/share/shorewall/bogons index 43c37b1f2..294071162 100644 --- a/Lrp2/usr/share/shorewall/bogons +++ b/Lrp2/usr/share/shorewall/bogons @@ -44,11 +44,9 @@ 31.0.0.0/8 logdrop # Reserved 36.0.0.0/7 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved -41.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 -73.0.0.0/8 logdrop # Reserved 74.0.0.0/7 logdrop # Reserved 76.0.0.0/6 logdrop # Reserved 89.0.0.0/8 logdrop # Reserved diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index 304a8558a..66392de8d 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -937,7 +937,7 @@ validate_interfaces_file() { for option in $options; do case $option in - dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-) + dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) ;; detectnets) [ -n "$wildcard" ] && \ 
@@ -975,13 +975,21 @@ validate_hosts_file() { r="$z $hosts $options" validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - interface=${hosts%%:*} - iface=$(chain_base $interface) + case $hosts in + *:*) - list_search $interface $ALL_INTERFACES || \ - startup_error "Unknown interface ($interface) in record \"$r\"" + interface=${hosts%%:*} + iface=$(chain_base $interface) - hosts=${hosts#*:} + list_search $interface $ALL_INTERFACES || \ + startup_error "Unknown interface ($interface) in record \"$r\"" + + hosts=${hosts#*:} + ;; + *) + fatal_error "Invalid HOST(S) column contents: $hosts" + ;; + esac eval ports=\$${iface}_ports eval zports=\$${z}_ports @@ -2826,6 +2834,12 @@ check_config() { [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" fi + [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= + + if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + fi + echo "Determining Zones..." determine_zones @@ -3473,7 +3487,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which # process_actions1() { - ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid" + ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP" + USEDACTIONS= strip_file actions @@ -3544,6 +3559,15 @@ process_actions1() { process_actions2() { + local interfaces="$(find_interfaces_by_option upnp)" + + if [ -n "$interfaces" ]; then + if ! list_search forwardUPnP $USEDACTIONS; then + error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" + USEDACTIONS="$USEDACTIONS forwardUPnP" + fi + fi + progress_message " Generating Transitive Closure of Used-action List..." changed=Yes 
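Review bot: The new `*)` arm of `case $hosts` reports the bad column through `fatal_error`, while the two existing checks in the same record loop (`validate_zone1` and `list_search`) report through `startup_error`; one validation routine should use one helper unless the difference is deliberate. If the two helpers differ in what they clean up (for instance whether a previous ruleset is restored), the choice matters beyond style and the arm deserves a one-line comment stating why it differs; otherwise change it to `startup_error "Invalid HOST(S) column contents ($hosts) in record \"$r\""` to match its neighbours, which also reports the offending record like they do. validate_hosts_file continues outside the hunk.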
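Review bot: The MACLIST_TTL normalisation and Recent Match check added here in check_config are added again verbatim in initialize_netfilter (the `@@ -5678,6 +5763,11 @@` hunk), having been moved out of do_initialize; two copies of a capability check are easy to let drift the next time a requirement changes. Factor the five lines into one function and call it from both places. Both enclosing functions extend beyond their hunks.
```shell
check_maclist_ttl() {
    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
        startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
    fi
}
# … in check_config and initialize_netfilter the inlined block becomes:
    check_maclist_ttl
```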
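Review bot: The new block in process_actions2 prints a "Warning:" about a missing forwardUPnP rule and then appends forwardUPnP to USEDACTIONS anyway, but nothing says what the automatically added action provides or why a warning rather than a startup error is the right response to a `upnp` interface with no matching rule; since the `forwardUPnP)` arm this commit adds to process_actions3 is empty, a reader cannot reconstruct the intent from the code. Add a comment above the `if ! list_search forwardUPnP $USEDACTIONS` line stating what the forced action is needed for and what happens to traffic on those interfaces when the administrator has not written the rule. The declaration `local interfaces="$(find_interfaces_by_option upnp)"` also hides the helper's exit status behind `local`; `local interfaces` followed by `interfaces=$(find_interfaces_by_option upnp)` keeps it visible. process_actions2 continues outside the hunk.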
@@ -3695,6 +3719,26 @@ process_actions3() { run_iptables -A $xchain -m state --state INVALID -j ACCEPT fi ;; + forwardUPnP) + ;; + allowinUPnP) + if [ "$COMMAND" != check ]; then + if [ -n "$xlevel" ]; then + log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 + log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 + fi + + run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT + run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT + fi + ;; + allowoutUPnP) + if [ "$COMMAND" != check ]; then + [ -n "$xlevel" ] && \ + log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd + run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT + fi + ;; *) # # Not a builtin @@ -3802,7 +3846,14 @@ add_nat_rule() { # Select target - if [ -n "$serv" ]; then + if [ "$logtarget" = SAME ]; then + [ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules" + serv1= + for srv in $(separate_list $serv); do + serv1="$serv1 --to ${srv}" + done + target1="SAME $serv1" + elif [ -n "$serv" ]; then servport="${servport:+:$servport}" serv1= for srv in $(separate_list $serv); do @@ -4065,9 +4116,9 @@ add_a_rule() servport=${servport:=$port} natrule=Yes ;; - DNAT) + DNAT|SAME) [ -n "$serv" ] || \ - fatal_error "DNAT rules require a server address; rule: \"$rule\"" + fatal_error "$logtarget rules require a server address; rule: \"$rule\"" natrule=Yes ;; LOG) @@ -4084,7 +4135,7 @@ add_a_rule() if [ -n "$natrule" ]; then add_nat_rule elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" + fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\"" fi if [ -z "$dnat_only" ]; then 
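Review bot: In the new `allowoutUPnP)` arm the logging rule is built with `-m owner --owner-cmd upnpd` while the ACCEPT rule on the next line and the probe added to determine_capabilities use `-m owner --cmd-owner upnpd`; the iptables owner match option is `--cmd-owner`, so with a log level set the log rule will be rejected while the accept rule is installed, and the action logs nothing. Change the log line to `log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --cmd-owner upnpd`. This commit also introduces the `OWNER_MATCH` capability flag but neither new arm consults it before emitting an owner-match rule; a `[ -n "$OWNER_MATCH" ] || startup_error "allowoutUPnP requires Owner Match support in your Kernel and iptables"` guard in that arm would give an explicit message instead of an iptables failure. The empty `forwardUPnP)` arm deserves a comment saying where that chain's rules are expected to come from, since as written the action accepts nothing. process_actions3 continues outside the hunk.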
@@ -4139,7 +4190,7 @@ add_a_rule() [ -n "$addr" ] && fatal_error \ "An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT or REDIRECT: \"$rule\"" + " a DNAT, SAME or REDIRECT: \"$rule\"" if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then @@ -4289,7 +4340,7 @@ process_rule() # $1 = target CONTINUE) target=RETURN ;; - DNAT*) + DNAT*|SAME*) target=ACCEPT address=${address:=detect} ;; @@ -4322,8 +4373,13 @@ process_rule() # $1 = target excludezones="${clientzone#*!}" clientzone="${clientzone%!*}" - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error "Exclude list only allowed with DNAT or REDIRECT" + case $logtarget in + DNAT|REDIRECT|SAME) + ;; + *) + fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT" + ;; + esac fi validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" @@ -4386,7 +4442,7 @@ process_rule() # $1 = target protocol=${protocol:=all} case $logtarget in - DNAT*) + DNAT*|SAME) if [ -n "$XMULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ @@ -4540,7 +4596,7 @@ process_rules() } do_it() { - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec + expandv xprotocol xports xcports xaddress xratelimit xuserspec if [ "x$xclients" = xall ]; then xclients="$zones $FW" @@ -4548,13 +4604,13 @@ process_rules() xservers="$zones $FW" fi process_wildcard_rule - continue + return fi if [ "x$xservers" = xall ]; then xservers="$zones $FW" process_wildcard_rule - continue + return fi rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" 
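Review bot: This hunk's `case $logtarget in DNAT*|SAME)` admits only the bare SAME target, whereas the earlier hunk in process_rule uses `DNAT*|SAME*)` and the target list added to process_rules accepts both `SAME` and `SAME-`; because `DNAT*` already covers `DNAT-` here, a `SAME-` rule presumably skips this branch while the equivalent `DNAT-` rule takes it. If SAME- is meant to follow DNAT- at this point, change the pattern to `DNAT*|SAME*)`; if the omission is deliberate, a comment such as `# SAME- intentionally excluded here` would stop the next reader from "fixing" it. process_rule continues outside the hunk.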
@@ -4562,10 +4618,16 @@ process_rules() } while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - expandv xtarget + expandv xtarget xclients xservers + + if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then + rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" + progress_message " Rule \"$rule\" ignored." + continue + fi case "${xtarget%%:*}" in - ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) + ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) do_it ;; *) @@ -4971,7 +5033,7 @@ rules_chain() # $1 = source zone, $2 = destination zone [ -n "$chain" ] && { echo $chain; return; } - fatal_error "No appropriate chain for zone $1 to zone $2" + fatal_error "No policy defined for zone $1 to zone $2" } # @@ -5116,6 +5178,8 @@ setup_masq() [ "x$addresses" = x- ] && addresses= + + if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then for address in $(separate_list $addresses); do address=${address%:)} @@ -5262,17 +5326,35 @@ setup_masq() target=MASQUERADE if [ -n "$addresses" ]; then - for address in $(separate_list $addresses); do - case $address in - *.*.*.*) - target=SNAT - addrlist="$addrlist --to-source $address" - ;; - *) - addrlist="$addrlist --to-ports ${address#:}" - ;; - esac - done + case "$addresses" in + SAME:nodst:*) + target="SAME --nodst" + addresses=${addresses#SAME:nodst:} + for address in $(separate_list $addresses); do + addrlist="$addrlist --to $address"; + done + ;; + SAME:*) + target="SAME" + addresses=${addresses#SAME:} + for address in $(separate_list $addresses); do + addrlist="$addrlist --to $address"; + done + ;; + *) + for address in $(separate_list $addresses); do + case $address in + *.*.*.*) + target=SNAT + addrlist="$addrlist --to-source $address" + ;; + *) + addrlist="$addrlist --to-ports ${address#:}" + ;; + esac + done + ;; + esac fi if [ -n "$networks" ]; then 
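Review bot: The new guard `if [ "x$xclients" = xnone -o "x$servers" = xnone ]` tests `$servers`, but the DEST column read by `read xtarget xclients xservers ...` and expanded by the new `expandv xtarget xclients xservers` line is `xservers`; `$servers` is never assigned in this loop, so a rule with `none` in the DEST column is not ignored as the updated rules-file comments promise and instead reaches do_it with `none` as a zone name. Change the test to `if [ "x$xclients" = xnone -o "x$xservers" = xnone ]; then`. process_rules starts before the hunk.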
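Review bot: The `SAME:nodst:*` and `SAME:*` arms added to `case "$addresses"` differ only in the target string and the prefix stripped, yet each carries its own copy of the `--to` loop (each assignment also ends in a stray `;`); the nodst prefix can be peeled off inside a single arm. Unlike the existing SNAT arm, neither new arm checks that an entry looks like an address (`*.*.*.*`), so a port-only entry such as `:4000` is handed to `--to` unvalidated and fails only when iptables runs; a `fatal_error` there gives the administrator a clearer message. setup_masq continues outside the hunk.
```shell
        SAME:*)
            target=SAME
            addresses=${addresses#SAME:}
            case $addresses in
                nodst:*)
                    target="SAME --nodst"
                    addresses=${addresses#nodst:}
                    ;;
            esac
            for address in $(separate_list $addresses); do
                case $address in
                    *.*.*.*)
                        addrlist="$addrlist --to $address"
                        ;;
                    *)
                        fatal_error "Invalid address ($address) in SAME specification: $addresses"
                        ;;
                esac
            done
            ;;
        # … unchanged: SNAT / MASQUERADE arm …
```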
@@ -5621,6 +5703,7 @@ determine_capabilities() { PHYSDEV_MATCH= IPRANGE_MATCH= RECENT_MATCH= + OWNER_MATCH= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes @@ -5630,6 +5713,7 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes if [ -n "$PKTTYPE" ]; then qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= @@ -5660,6 +5744,7 @@ report_capabilities() { report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "IP range Match" $IPRANGE_MATCH report_capability "Recent Match" $RECENT_MATCH + report_capability "Owner Match" $OWNER_MATCH } # @@ -5678,6 +5763,11 @@ initialize_netfilter () { [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" fi + [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= + + if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + fi [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ startup_error "RFC1918_STRICT=Yes requires Connection Tracking match" @@ -6290,6 +6380,20 @@ add_common_rules() { run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) done fi + # + # UPnP + # + interfaces=$(find_interfaces_by_option upnp) + + if [ -n "$interfaces" ]; then + echo "Setting up UPnP..." + + createnatchain UPnP + + for interface in $interfaces; do + run_iptables -t nat -A PREROUTING -i $interface -j UPnP + done + fi setup_forwarding } 
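Review bot: The UPnP block in add_common_rules creates an empty nat chain and jumps to it from PREROUTING on every `upnp` interface, but nothing in the hunk says who fills that chain; a reader cannot tell that its NAT rules are presumably inserted by upnpd at run time and therefore sit outside the configuration files Shorewall validates. Add a comment above `createnatchain UPnP` such as `# Chain is created empty; upnpd adds its own redirections to it at run time, so its contents are not validated by Shorewall (confirm against the upnpd integration)`. `interfaces` is also assigned here without `local`, unlike the `local interfaces` this commit adds in process_actions2; if add_common_rules is not the only user of that name, scope it the same way. add_common_rules starts before the hunk.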
@@ -6767,6 +6871,7 @@ define_firewall() # $1 = Command (Start or Restart) mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f $RESTOREBASE /var/lib/shorewall/restore-tail + run_user_exit started } # @@ -7482,12 +7587,6 @@ do_initialize() { LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - - [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= - - if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" - fi # # Strip the files that we use often # @@ -7672,6 +7771,10 @@ case "$COMMAND" in EMPTY= $@ ;; + capabilities) + do_initialize + report_capabilities + ;; *) usage ;; diff --git a/Lrp2/usr/share/shorewall/help b/Lrp2/usr/share/shorewall/help index 56d8de5e3..1ec86f6c0 100755 --- a/Lrp2/usr/share/shorewall/help +++ b/Lrp2/usr/share/shorewall/help @@ -5,7 +5,7 @@ # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # -# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net) +# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net) # Steve Herber (herber@thing.com) # # This file should be placed in /usr/share/shorewall/help @@ -254,6 +254,8 @@ show) shorewall show zones - displays the contents of all zones. + shorewall show capabilities - displays your kernel/iptables capabilities + When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index 585940699..530cdd91a 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.2.3 +2.2.4