Take advantage of --ctorigdstport

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-10-22 02:14:45 +00:00
parent dcb0861a45
commit b0e9a0ce22
10 changed files with 44 additions and 6 deletions


@ -12,4 +12,6 @@ Changes in Shorewall 4.2.1
6) Applied Lennart Sorensen's patch for length match. 6) Applied Lennart Sorensen's patch for length match.
7) Take advantage --ctorigdstport
Initial release of Shorewall 4.2.0. Initial release of Shorewall 4.2.0.


@ -1104,7 +1104,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
fi fi
if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
@ -1211,7 +1211,7 @@ report_capabilities() {
report_capability "Multi-port Match" $MULTIPORT report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH
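Review bot: The replacement probe `qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes` changes what NEW_CONNTRACK_MATCH means (before: the `! --ctorigdst` negation form is accepted; now: `--ctorigdstport` is supported) while keeping the variable name, so any consumer of the old meaning outside this hunk — if the shell compiler still selects a negation syntax on it — would pick the wrong form on an iptables that accepts one feature but not the other. Either confirm no remaining user depends on the old meaning or keep a separate variable for the syntax test, and document the new meaning at the probe with `# NEW_CONNTRACK_MATCH: conntrack match accepts --ctorigdstport`. Running the probe only when CONNTRACK_MATCH is set is correct, since the option belongs to the same match. determine_capabilities() starts and ends outside the hunk.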


@ -90,7 +90,7 @@ Problems corrected in Shorewall 4.2.1
3) iptables 1.4.1 discontinued support of syntax generated by 3) iptables 1.4.1 discontinued support of syntax generated by
shorewall in some cases. Shorewall now detects when the new syntax shorewall in some cases. Shorewall now detects when the new syntax
is accepted and uses it instead. is required and uses it instead.
4) The Shorewall-perl implementation of the LENGTH column in 4) The Shorewall-perl implementation of the LENGTH column in
/etc/shorewall/tcrules was incomplete with the result that /etc/shorewall/tcrules was incomplete with the result that
@ -170,6 +170,16 @@ Other changes in Shorewall 4.2.1
Beginning November 1, 2008 at noon LCT. Beginning November 1, 2008 at noon LCT.
3) If your kernel and iptables support "-m conntrack --ctorigdstport"
then Shorewall will utilize that capability to ensure that when you
do port mapping (change the destination port but not the
destination IP address), the final destination port is not open.
To use this feature, you must be running Shorewall-perl and the
output of 'shorewall show capabilities' must show:
Extended Connection Tracking Match Support: Available
New Features in Shorewall 4.2. New Features in Shorewall 4.2.
1) Shorewall 4.2 contains support for multiple Internet providers 1) Shorewall 4.2 contains support for multiple Internet providers


@ -131,6 +131,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
$source , $source ,
$dest = ALLIPv4 , $dest = ALLIPv4 ,
'' , '' ,
'' ,
$target , $target ,
'' , '' ,
$disposition , $disposition ,
@ -151,6 +152,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
'' ,
$target , $target ,
'' , '' ,
$disposition , $disposition ,
@ -167,6 +169,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
'' , '' ,
'' , '' ,
'' , '' ,
'' ,
'' ; '' ;
} }
} }


@ -568,6 +568,7 @@ sub process_action( $$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
'', #Original Dest '', #Original Dest
'', #Original Dest port
"-j $action" , "-j $action" ,
$level , $level ,
$action , $action ,


@ -1859,7 +1859,7 @@ sub get_interface_mac( $$$ ) {
# #
# Returns the destination interface specified in the rule, if any. # Returns the destination interface specified in the rule, if any.
# #
sub expand_rule( $$$$$$$$$$ ) sub expand_rule( $$$$$$$$$$$ )
{ {
my ($chainref , # Chain my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST $restriction, # Determines what to do with interface names in the SOURCE or DEST
@ -1867,6 +1867,7 @@ sub expand_rule( $$$$$$$$$$ )
$source, # SOURCE $source, # SOURCE
$dest, # DEST $dest, # DEST
$origdest, # ORIGINAL DEST $origdest, # ORIGINAL DEST
$oport, # original destination port
$target, # Target ('-j' part of the rule) $target, # Target ('-j' part of the rule)
$loglevel , # Log level (and tag) $loglevel , # Log level (and tag)
$disposition, # Primative part of the target (RETURN, ACCEPT, ...) $disposition, # Primative part of the target (RETURN, ACCEPT, ...)
@ -2043,6 +2044,9 @@ sub expand_rule( $$$$$$$$$$ )
if ( $origdest ) { if ( $origdest ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) { if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
$origdest = ''; $origdest = '';
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
} elsif ( $origdest =~ /^detect:(.*)$/ ) { } elsif ( $origdest =~ /^detect:(.*)$/ ) {
# #
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -2063,6 +2067,7 @@ sub expand_rule( $$$$$$$$$$ )
push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
$rule .= '-m conntrack --ctorigdst $address '; $rule .= '-m conntrack --ctorigdst $address ';
$rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} else { } else {
my $interface = $interfaces[0]; my $interface = $interfaces[0];
my $variable = get_interface_address( $interface ); my $variable = get_interface_address( $interface );
@ -2070,6 +2075,7 @@ sub expand_rule( $$$$$$$$$$ )
push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface ); push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface );
$rule .= "-m conntrack --ctorigdst $variable "; $rule .= "-m conntrack --ctorigdst $variable ";
$rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} }
$origdest = ''; $origdest = '';
@ -2094,9 +2100,16 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = ''; $oexcl = '';
} }
} }
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
} }
} else { } else {
$oexcl = ''; $oexcl = '';
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
} }
# #
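Review bot: The two one-liners appended after the `--ctorigdst` rules (`$rule .= "--origdstport $oport " if ...` in the `detect:` branch and again in the interface branch) use the option name `--origdstport`, while the capability probe and the other three new sites in this hunk use `--ctorigdstport`; the conntrack match has no `--origdstport` option, so a DNAT rule with a server port that takes either branch would produce a script iptables rejects as an unknown option. Change both lines to `$rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '';`, which also brings their guard in line with the `defined $oport && $oport ne ''` test used at the other three sites (a bare `$oport` truth test treats port `0` differently). The fragment `-m conntrack --ctorigdstport $oport ` is now emitted from three places; a small private helper returning the fragment or `''` would keep the capability check in one spot. expand_rule continues well past the last hunk.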


@ -178,7 +178,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
XMULTIPORT => 'Extended Multi-port Match', XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match', CONNTRACK_MATCH => 'Connection Tracking Match',
NEW_CONNTRACK_MATCH => NEW_CONNTRACK_MATCH =>
'New Connection Tracking Match syntax', 'Extended Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match', USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match', POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match', PHYSDEV_MATCH => 'Physdev Match',
@ -1558,7 +1558,7 @@ sub determine_capabilities( $ ) {
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
if ( $capabilities{CONNTRACL_MATCH} ) { if ( $capabilities{CONNTRACL_MATCH} ) {
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" ); $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
} }
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
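Review bot: The guard on the context line `if ( $capabilities{CONNTRACL_MATCH} ) {` tests a key that the line above never assigns (it sets `CONNTRACK_MATCH`), and the commit leaves it as is; unless CONNTRACL_MATCH is populated elsewhere, the new `--ctorigdstport` probe never runs in the Perl compiler, NEW_CONNTRACK_MATCH stays unset, and expand_rule silently omits the original-port restriction, so the filter rule for a port-mapped DNAT keeps accepting direct connections to the server's real port — the tightening the release notes describe would not take effect. The fix is the key spelling: `if ( $capabilities{CONNTRACK_MATCH} ) {`. Because a misspelled hash key is silent under strict, locking the keys of %capabilities once they are initialised (Hash::Util::lock_keys is core) or a test asserting NEW_CONNTRACK_MATCH is reported on a capable iptables would have caught this. determine_capabilities starts and ends outside the hunk.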


@ -278,6 +278,7 @@ sub setup_one_masq($$$$$$$)
$networks , $networks ,
$destnets , $destnets ,
'' , '' ,
'' ,
$target , $target ,
'' , '' ,
'' , '' ,


@ -143,6 +143,7 @@ sub process_tos() {
$src , $src ,
$dst , $dst ,
'' , '' ,
'' ,
"-j TOS --set-tos $tos" , "-j TOS --set-tos $tos" ,
'' , '' ,
'' , '' ,
@ -316,6 +317,7 @@ sub setup_blacklist() {
$networks , $networks ,
'' , '' ,
'' , '' ,
'' ,
"-j $target" , "-j $target" ,
'' , '' ,
$disposition , $disposition ,
@ -1024,6 +1026,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $destzone; my $destzone;
my $sourceref; my $sourceref;
my $destref; my $destref;
my $origdstports;
if ( $source =~ /^(.+?):(.*)/ ) { if ( $source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq ''; fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
@ -1135,6 +1138,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
# #
$server = $1; # May be empty $server = $1; # May be empty
$serverport = $3; # Not Empty due to RE $serverport = $3; # Not Empty due to RE
$origdstports = $ports;
if ( $serverport =~ /^(\d+)-(\d+)$/ ) { if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
# #
# Server Port Range # Server Port Range
@ -1227,6 +1231,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source , $source ,
$origdest , $origdest ,
'' , '' ,
'' ,
$target , $target ,
$loglevel , $loglevel ,
$action , $action ,
@ -1264,6 +1269,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
$origdest , $origdest ,
'',
'-j RETURN ' , '-j RETURN ' ,
$loglevel , $loglevel ,
$action , $action ,
@ -1292,6 +1298,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
$origdest , $origdest ,
$origdstports ,
"-j $action " , "-j $action " ,
$loglevel , $loglevel ,
$action , $action ,
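Review bot: `$origdstports = $ports;` in the server-port branch forwards the DEST PORT column value unchanged, but `--ctorigdstport` takes a single port or a `port:port` range, so if `$ports` can still be a comma-separated list at that point — as the rules DPORT column allows — the generated rule would be rejected by iptables at load time; validate where the value is captured, e.g. `fatal_error "DEST PORT list not supported with server port mapping ($ports)" if $ports =~ /,/;`, or skip the match for lists. Only the last expand_rule call in the hunk receives `$origdstports`; the two earlier calls pass `''`, which is consistent with the intent that non-DNAT rules are unaffected, but the assignment deserves a why-comment such as `# Restrict the filter-table ACCEPT to connections whose original port was the published port`. process_rule1 continues outside the hunk.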


@ -294,6 +294,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
'' ,
"-j $target $mark" , "-j $target $mark" ,
'' , '' ,
'' , '' ,