From 2285dce4d1bf9dfeca3b6c579b05de4a88749b92 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 3 Sep 2011 13:58:05 -0700 Subject: [PATCH 1/4] Fix debugging of ipv6 ruleset Signed-off-by: Tom Eastep --- Shorewall/Perl/prog.header6 | 3 +++ Shorewall/lib.common | 4 ++-- Shorewall6/lib.common | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index e6ad5b847..617611b2a 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -822,6 +822,9 @@ debug_restore_input() { '*'raw) table=raw ;; + '*'rawpost) + table=rawpost + ;; '*'mangle) table=mangle ;; diff --git a/Shorewall/lib.common b/Shorewall/lib.common index 1f61b77ba..80bc0c9a7 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -294,7 +294,7 @@ reload_kernel_modules() { uname=$(uname -r) && \ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" @@ -340,7 +340,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) if [ -f $modules -a -n "$moduledirectories" ]; then - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) progress_message "Loading Modules..." . $modules if [ $savemoduleinfo = Yes ]; then diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common index dfe2c700d..2c84d0f9a 100644 --- a/Shorewall6/lib.common +++ b/Shorewall6/lib.common 
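Review bot: On the changed line in reload_kernel_modules, `[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)` leaves MODULES untouched when /sys/module exists, so a value already present in the environment or left over from an earlier call survives into the module-loading code that is sourced afterwards via `. $modules`; if that code ever falls back to MODULES instead of consulting /sys/module itself (not visible here), it would act on a stale list. Clearing the variable explicitly removes the ambiguity, e.g. `if [ -d /sys/module/ ]; then MODULES=; else MODULES=$(lsmod | cut -d ' ' -f1); fi`. The same applies to the second hunk in Shorewall/lib.common (load_kernel_modules) and to both hunks in Shorewall6/lib.common. Both enclosing functions start and end outside their hunks.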
@@ -312,7 +312,7 @@ reload_kernel_modules() { [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ] [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" @@ -356,7 +356,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) if [ -f $modules -a -n "$moduledirectories" ]; then - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) progress_message "Loading Modules..." . $modules if [ $savemoduleinfo = Yes ]; then From 02009ee0602ca49e62aa8703e6c11d0887bf7fac Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 5 Sep 2011 06:23:18 -0700 Subject: [PATCH 2/4] Set 'use_..._chain' on interfaces with sfilters Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 5367ae11c..140218d3c 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -554,9 +554,11 @@ sub add_common_rules() { if ( @filters ) { add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; + $interfaceref->{options}{use_forward_chain} = 1; } elsif ( $interfaceref->{bridge} eq $interface ) { add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+'; + $interfaceref->{options}{use_forward_chain} = 1; } add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT}; @@ -566,6 +568,7 @@ sub add_common_rules() { if ( @filters ) { add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; + $interfaceref->{options}{use_input_chain} = 1; } add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT}; From 43260e27fbf562639ac6ce29a328e15df4dcf89e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 5 Sep 2011 12:41:57 -0700 Subject: [PATCH 3/4] Correct netmap manpage Signed-off-by: Tom Eastep --- manpages/shorewall-netmap.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manpages/shorewall-netmap.xml b/manpages/shorewall-netmap.xml index ce4b6166e..8a37e2454 100644 --- a/manpages/shorewall-netmap.xml +++ b/manpages/shorewall-netmap.xml 
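Review bot: In the `elsif ( $interfaceref->{bridge} eq $interface )` branch the new `$interfaceref->{options}{use_forward_chain} = 1;` runs unconditionally, while the add_ijump just before it is skipped when routeback or routefilter is set or the physical name is `+`; in that case the flag is raised although no rule was emitted and `$chainref->{filtered}` was not incremented. Unless the bridge case needs its own forward chain regardless, guard the assignment with the same condition, e.g. `$interfaceref->{options}{use_forward_chain} = 1 unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';`, or hoist that condition into a lexical so the two statements share it instead of repeating it. The `use_input_chain` assignment in the second hunk is inside `if ( @filters )` and does not have this issue. add_common_rules starts and ends outside the hunk.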
@@ -62,9 +62,9 @@ NET1 has its destination address rewritten to the corresponding address in NET2. - If SNAT:T, traffic leaving via INTERFACE with a source address - in NET1 has it's source address rewritten to the corresponding - address in NET2. + If SNAT:P, traffic entering via INTERFACE with a destination + address in NET1 has it's source address rewritten to the + corresponding address in NET2. If SNAT:O, traffic originating on the firewall and leaving via INTERFACE with a source address in NET1 has it's source address From a16986ddc3412b372130cfcf58dfc4b75abc2887 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 5 Sep 2011 17:24:42 -0700 Subject: [PATCH 4/4] s /filter/sfilter/ in FAQ 17 Signed-off-by: Tom Eastep --- docs/FAQ.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 8bb37055b..16a72ff5a 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1596,7 +1596,7 @@ teastep@ursa:~$ The first number determines the maximum log - filter + sfilter On systems running Shorewall 4.4.20 or later, either the @@ -1604,7 +1604,7 @@ teastep@ursa:~$ The first number determines the maximum log url="manpages/shorewall-interfaces.html">interface option or it is being routed out of the same interface on which it arrived and the interface does not have the - routeback or interface option.