Update for 2.1.7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1587 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

LrpN/etc/shorewall/accounting

@@ -61,13 +61,33 @@
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
+#	USER/GROUP	This column may only be non-empty if the CHAIN is
+#			OUTPUT.
+#			
+#			The column may contain:
+#
+#			   [!][<user name or number>][:<group name or number>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids  #program must not be run by a member
+#					#of the 'kids' group
+#
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
 #
 #	Please see http://shorewall.net/Accounting.html for examples and 
 #	additional information about how to use this file.
 #
-#ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE
+#ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE	USER/
-#							PORT		PORT
+#							PORT		PORT	GROUP
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

LrpN/etc/shorewall/masq

@@ -73,6 +73,19 @@
 #
 #				This column may not contain DNS Names.
 #
+#				Normally, Netfilter will attempt to retain
+#				the source port number. You may cause 
+#				netfilter to remap the source port by following
+#				an address or range (if any) by ":" and
+#				a port range with the format <low port>-
+#				<high port>. If this is done, you must 
+#				specify "tcp" or "udp" in the PROTO column.
+#				
+#				Examples:
+#
+#					192.0.2.4:5000-6000
+#					:4000-5000
+#
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.

LrpN/sbin/shorewall

@@ -134,6 +134,24 @@ showchain() # $1 = name of chain
     fi
 }
 
+#
+# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
+#
+
+iptablesbug()
+{
+    if qt which awk ; then
+	awk 'BEGIN           {sline=""; };\
+             /^-j/           { print sline $0; next };\
+             /-m policy.*-j/ { print $0; next };\
+             /-m policy/     { sline=$0; next };\
+                             {print ; sline="" }'
+    else
+	echo "   Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
+	cat
+    fi
+}
+
 #
 # Validate the value of RESTOREFILE
 #
@@ -1093,10 +1111,7 @@ case "$1" in
 			    echo "   Dynamic Rules Saved"
 			    if [ -f /var/lib/shorewall/restore-base ]; then
 				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
-				#
+				if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
-				# The 'awk' hack compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
-				#
-				if iptables-save | awk 'BEGIN {sline=""; }; /^-j/ { print sline $0; next }; /-m policy/ { sline=$0; next }; {print ; sline="" }' >> /var/lib/shorewall/restore-$$ ; then
 				    echo __EOF__ >> /var/lib/shorewall/restore-$$
 				    mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
 				    chmod +x $RESTOREPATH

LrpN/usr/share/shorewall/bogons

@@ -22,6 +22,7 @@
 #
 ###############################################################################
 #SUBNET			TARGET
+0.0.0.0			RETURN		# Stop the DHCP whining
 255.255.255.255		RETURN		# We need to allow limited broadcast
 169.254.0.0/16		DROP		# DHCP autoconfig
 192.0.2.0/24		logdrop		# Example addresses (RFC 3330)
@@ -46,8 +47,9 @@
 49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 58.0.0.0/7		logdrop		# Reserved
-71.0.0.0/8		logdrop		# Reserved
+73.0.0.0/8		logdrop		# Reserved
-72.0.0.0/5		logdrop		# Reserved
+74.0.0.0/7		logdrop		# Reserved
+76.0.0.0/6		logdrop		# Reserved
 89.0.0.0/8		logdrop		# Reserved
 90.0.0.0/7		logdrop		# Reserved
 92.0.0.0/6		logdrop		# Reserved

LrpN/usr/share/shorewall/firewall

@@ -1654,6 +1654,12 @@ setup_ipsec() {
 		mode=*)        newoptions="$newoptions --mode ${option#*=}" ;;
 		tunnel-src=*)  newoptions="$newoptions --tunnel-src ${option#*=}" ;;
 		tunnel-dst=*)  newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
+		reqid!=*)      newoptions="$newoptions ! --reqid ${option#*=}" ;;
+		spi!=*)        newoptions="$newoptions ! --spi ${option#*=}" ;;
+		proto!=*)      newoptions="$newoptions ! --proto ${option#*=}" ;;
+		mode!=*)       newoptions="$newoptions ! --mode ${option#*=}" ;;
+		tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
+		tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
 		*)             fatal_error "Invalid option \"$option\" for zone $zone" ;;
 	    esac
 	done
@@ -1952,8 +1958,8 @@ delete_proxy_arp() {
 
     [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp
 
-    for f in $(ls /proc/sys/net/ipv4/conf/*/proxy_arp); do
+    for f in /proc/sys/net/ipv4/conf/*; do
-	echo 0 > $f
+	[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
     done
 }
 
@@ -2318,11 +2324,11 @@ process_accounting_rule() {
     jumpchain=
 	
     accounting_error() {
-	error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
+	error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
     }
 
     accounting_interface_error() {
-	error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
+	error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user
     }
 
     accounting_interface_verify() {
@@ -2398,6 +2404,25 @@ process_accounting_rule() {
 	    ;;
     esac
 
+    [ -n "$user" ] && case $user in
+	-|any|all)
+	    ;;
+	*:*)
+	    [ "$chain" != OUTPUT ] && \
+		fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
+	    rule="$rule -m owner"
+	    temp="${user%:*}"
+	    [ -n "$temp" ] && rule="$rule --uid-owner $temp " 
+	    temp="${user#*:}"
+	    [ -n "$temp" ] && rule="$rule --gid-owner $temp "
+	    ;;
+	*)
+	    [ "$chain" != OUTPUT ] && \
+		fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
+	    rule="$rule -m owner --uid-owner $user "
+	    ;;
+    esac
+
     case $action in
 	COUNT)
 	    ;;
@@ -2426,7 +2451,7 @@ process_accounting_rule() {
 
     if iptables -A $chain $(fix_bang $rule) ; then
 	[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
-	progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport Added
+	progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
     else
 	accounting_error
     fi
@@ -2442,8 +2467,8 @@ setup_accounting() # $1 = Name of accounting file
 
     strip_file accounting $1
 
-    while read action chain source dest proto port sport ; do
+    while read action chain source dest proto port sport user ; do
-	expandv action chain source dest proto port sport
+	expandv action chain source dest proto port sport user
 	process_accounting_rule
     done < $TMP_DIR/accounting
 
@@ -4577,6 +4602,12 @@ setup_masq()
 		mode=*)         policy="$policy --mode ${option#*=}" ;;
 		tunnel-src=*)   policy="$policy --tunnel-src ${option#*=}" ;;
 		tunnel-dst=*)   policy="$policy --tunnel-dst ${option#*=}" ;;
+		reqid!=*)       policy="$policy ! --reqid ${option#*=}" ;;
+		spi!=*)         policy="$policy ! --spi ${option#*=}" ;;
+		proto!=*)       policy="$policy ! --proto ${option#*=}" ;;
+		mode!=*)        policy="$policy ! --mode ${option#*=}" ;;
+		tunnel-src!=*)  policy="$policy ! --tunnel-src ${option#*=}" ;;
+		tunnel-dst!=*)  policy="$policy ! --tunnel-dst ${option#*=}" ;;
 		*)              fatal_error "Invalid IPSEC option \"$option\"" ;;
 	    esac
 	done
@@ -4675,7 +4706,9 @@ setup_masq()
 
 	if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
 	    for address in $(separate_list $addresses); do
-		for addr in $(ip_range_explicit $address) ; do
+		address=${address%:)}
+		if [ -n "$address" ]; then
+		    for addr in $(ip_range_explicit ${address%:*}) ; do
 			if ! list_search $addr $aliases_to_add; then
 			    save_command qt ip addr del $addr dev $interface 
 			    aliases_to_add="$aliases_to_add $addr $fullinterface"
@@ -4686,6 +4719,7 @@ setup_masq()
 			    esac
 			fi
 		    done
+		fi
 	    done
 	fi
 
@@ -4805,38 +4839,45 @@ setup_masq()
 	esac
 
 	addrlist=
+	target=MASQUERADE
 
 	if [ -n "$addresses" ]; then
 	    for address in $(separate_list $addresses); do
+		case $address in
+		    *.*.*.*)
+			target=SNAT
 			addrlist="$addrlist --to-source $address"
+			;;
+		    *)
+			addrlist="$addrlist --to-ports ${address#:}"
+			;;
+		esac
 	    done
 	fi
 
 	if [ -n "$networks" ]; then
-	    for s in $networks; do
+	    for network in $networks; do
+		for destnet in $(separate_list $destnets); do
+		    addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist
+		done
+
 		if [ -n "$addresses" ]; then
-		    for destnet in $(separate_list $destnets); do
+		    progress_message "   To $destination $displayproto from $network through ${interface} using $addresses"
-			addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
-		    done
-		    progress_message "   To $destination $displayproto from $s through ${interface} using $addresses"
 		else
-		    for destnet in $(separate_list $destnets); do
+		    progress_message "   To $destination $displayproto from $network through ${interface}"
-			addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
-		    done
-		    progress_message "   To $destination $displayproto from $s through ${interface}"
 		fi
 	    done
-	elif [ -n "$addresses" ]; then
-	    for destnet in $(separate_list $destnets); do
-		addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
-	    done
-	    echo "   To $destination $displayproto from $source through ${interface} using $addresses"
 	else
 	    for destnet in $(separate_list $destnets); do
-		addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
+		addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist
 	    done
+	    
+	    if [ -n "$addresses" ]; then
+		progress_message "   To $destination $displayproto from $source through ${interface} using $addresses"
+	    else
 		progress_message "   To $destination $displayproto from $source through ${interface}"
 	    fi
+	fi
 
     }
 
@@ -5254,6 +5295,9 @@ initialize_netfilter () {
 
     echo "Deleting user chains..."
 
+    exists_INPUT=Yes
+    exists_OUTPUT=Yes
+    exists_FORWARD=Yes
     setpolicy INPUT DROP
     setpolicy OUTPUT DROP
     setpolicy FORWARD DROP
@@ -5646,8 +5690,8 @@ add_common_rules() {
     #
     save_progress_message "Restoring ARP filtering..."
 
-    for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
+    for f in /proc/sys/net/ipv4/conf/*; do
-	run_and_save_command "echo 0 > $f"
+	run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter"
     done
 
     interfaces=$(find_interfaces_by_option arp_filter)
@@ -5675,8 +5719,8 @@ add_common_rules() {
 
 	save_progress_message "Restoring Route Filtering..."
 
-	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+	for f in /proc/sys/net/ipv4/conf/*; do
-	    run_and_save_command "echo 0 > $f"
+	    run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter"
 	done
 
 	for interface in $interfaces; do
@@ -6054,6 +6098,12 @@ define_firewall() # $1 = Command (Start or Restart)
     save_command "#"
     save_command ". /usr/share/shorewall/functions"
 
+    f=$(find_file params)
+
+    [ -f $f ] && \
+	save_command ". $f"
+
+    save_command "#"
     save_command "MODULESDIR=\"$MODULESDIR\""
     save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
 
@@ -6203,15 +6253,23 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 
     validate_zone $zone || startup_error "Unknown zone: $zone"
 
+    f=$(find_file ipsec)
+    if [ -f $f ]; then
+	progress_message "Processing $f..."
+	setup_ipsec $f
+    fi
+
     [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
 
     eval is_ipsec=\$${zone}_is_ipsec
     eval options=\"\$${zone}_ipsec_options\"
+    eval in_options=\"\$${zone}_ipsec_in_options\"
+    eval out_options=\"\$${zone}_ipsec_out_options\"
 
     if [ -n "$is_ipsec" ]; then
 	[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
-	policyin="-m policy --pol ipsec --dir in $options"
+	policyin="-m policy --pol ipsec --dir in $options $in_options"
-	policyout="-m policy --pol ipsec --dir out $options"
+	policyout="-m policy --pol ipsec --dir out $options $out_options"
     elif [ -n "$POLICY_MATCH" ]; then
  	policyin="-m policy --pol none --dir in"
 	policyout="-m policy --pol none --dir out"
@@ -6361,11 +6419,31 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     determine_zones
 
+    f=$(find_file ipsec)
+    if [ -f $f ]; then
+	progress_message "Processing $f..."
+	setup_ipsec $f
+    fi
+
     zone=$2
 
     validate_zone $zone || startup_error "Unknown zone: $zone"
 
     [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone"
+
+    eval is_ipsec=\$${zone}_is_ipsec
+    eval options=\"\$${zone}_ipsec_options\"
+    eval in_options=\"\$${zone}_ipsec_in_options\"
+    eval out_options=\"\$${zone}_ipsec_out_options\"
+
+    if [ -n "$is_ipsec" ]; then
+	[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
+	policyin="-m policy --pol ipsec --dir in $options $in_options"
+	policyout="-m policy --pol ipsec --dir out $options $out_options"
+    elif [ -n "$POLICY_MATCH" ]; then
+ 	policyin="-m policy --pol none --dir in"
+	policyout="-m policy --pol none --dir out"
+    fi   
     #
     # Be sure that Shorewall has been restarted using a DZ-aware version of the code
     #
@@ -6401,14 +6479,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     # Delete any nat table entries for the host(s)
     #
-    qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat
+    qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat
     #
     # Delete rules rules the input chains for the passed interface
     #
     while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D $(dynamic_in $interface) -s $host -j $chain
+		qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@@ -6418,13 +6496,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
+			qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
 		    fi
 		done
 	    fi
 	elif [ "$z2" = "$zone" ]; then
 	    if [ "$z1" = "$FW" ]; then
-		qt iptables -D $(dynamic_out $interface) -d $host -j $chain
+		qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
 		
@@ -6433,7 +6511,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
+			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
 		    fi
 		done
 	    fi

LrpN/usr/share/shorewall/version

@@ -1 +1 @@
-2.1.6
+2.1.7

LrpN/var/lib/lrpkg/shorwall.conf

@@ -1,6 +1,7 @@
 /etc/shorewall/params		Params    Assign parameter values
 /etc/shorewall/zones		Zones     Partition the network into Zones
 /etc/shorewall/interfaces	Ifaces    Shorewall Networking Interfaces
+/etc/shorewall/ipsec		Ipsec     Define Zone IPSEC Properties
 /etc/shorewall/hosts		Hosts     Define specific zones
 /etc/shorewall/policy		Policy    Firewall high-level policy
 /etc/shorewall/rules		Rules     Exceptions to policy