From d949824f94800ac841f30001d12dca8a31149e62 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 6 Aug 2015 10:15:57 -0700 Subject: [PATCH 01/49] Correct shorewall-mangle(5) examples Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-mangle.xml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index a61b8ac0f..b2e837aea 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -1283,12 +1283,12 @@ Normal-Service => 0x00 #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST # PORT(S) - 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request - 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply + MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request + MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 - 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all - SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 + MARK(4):T 0.0.0.0/0 0.0.0.0/0 ipp2p:all + SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 If a packet hasn't been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, @@ -1307,9 +1307,9 @@ Normal-Service => 0x00 /etc/shorewall/tcrules: - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) - 1-3:CF 192.168.1.0/24 eth0 ; state=NEW + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST + # PORT(S) + CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW /etc/shorewall/masq: From 4c4c5a436adcd0ff140ea77ef0406ddab1bd9f67 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 7 Aug 2015 14:09:08 -0700 Subject: [PATCH 02/49] Allow zero-valued options on multi-zoned interfaces Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Zones.pm | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 64f7e07d2..fe2de2292 100644 
--- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1208,18 +1208,20 @@ sub process_interface( $$ ) { fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option}; - if ( $zone ) { - fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER ); - } else { - fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY; - } - my $hostopt = $type & IF_OPTION_HOST; - fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt; - $type &= MASK_IF_OPTION; + unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) { + if ( $zone ) { + fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER ); + } else { + fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY; + } + } + + fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt; + if ( $type == SIMPLE_IF_OPTION ) { fatal_error "Option $option does not take a value" if defined $value; if ( $option eq 'blacklist' ) { From 3b59e4679969c695d377ea8a0ee7be60dd232b10 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 12 Aug 2015 10:19:07 -0700 Subject: [PATCH 03/49] Restore Debian-specific service files 
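Review bot: The new `unless` lets a binary option with the string value '0' bypass the Vserver and multi-zone checks, but nothing says why, and the bridge-port `fatal_error` just below is deliberately not relaxed, so a later maintainer may "fix" the asymmetry in either direction. A comment above the `unless` such as `# A zero value turns the option off, so it is harmless on a multi-zone or Vserver interface; the bridge-port restriction still applies` would pin the intent. The comparison `$type == BINARY_IF_OPTION` is only meaningful once the flag bits have been removed by `$type &= MASK_IF_OPTION`; the collapsed hunk does not make that ordering certain, so confirm the mask runs first. process_interface starts before this hunk and continues past it.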
Signed-off-by: Tom Eastep --- Shorewall-core/shorewallrc.debian.systemd | 3 +-- .../shorewall-init.service.214.debian | 1 + Shorewall-init/shorewall-init.service.debian | 1 + Shorewall-lite/shorewall-lite.service.debian | 22 +++++++++++++++++++ Shorewall/shorewall.service.debian | 22 +++++++++++++++++++ .../shorewall6-lite.service.debian | 21 ++++++++++++++++++ Shorewall6/shorewall6.service.debian | 22 +++++++++++++++++++ 7 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 Shorewall-lite/shorewall-lite.service.debian create mode 100644 Shorewall/shorewall.service.debian create mode 100644 Shorewall6-lite/shorewall6-lite.service.debian create mode 100644 Shorewall6/shorewall6.service.debian diff --git a/Shorewall-core/shorewallrc.debian.systemd b/Shorewall-core/shorewallrc.debian.systemd index 0a5c84c2e..6a8e3f47e 100644 --- a/Shorewall-core/shorewallrc.debian.systemd +++ b/Shorewall-core/shorewallrc.debian.systemd @@ -15,8 +15,7 @@ INITFILE= #Name of the product's installed SysV init script INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR -SERVICEFILE=shorewall-init.service.debian - #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service +SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR diff --git a/Shorewall-init/shorewall-init.service.214.debian b/Shorewall-init/shorewall-init.service.214.debian index bcf363cae..a292e97a7 100644 --- a/Shorewall-init/shorewall-init.service.214.debian 
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -2,6 +2,7 @@
 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 # Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
diff --git a/Shorewall-init/shorewall-init.service.debian b/Shorewall-init/shorewall-init.service.debian
index eaaa92556..efd55e286 100644
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -2,6 +2,7 @@
 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
 # Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
diff --git a/Shorewall-lite/shorewall-lite.service.debian b/Shorewall-lite/shorewall-lite.service.debian
new file mode 100644
index 000000000..615b0877a
--- /dev/null
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -0,0 +1,22 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
diff --git a/Shorewall/shorewall.service.debian b/Shorewall/shorewall.service.debian
new file mode 100644
index 000000000..46436f707
--- /dev/null
+++ b/Shorewall/shorewall.service.debian
@@ -0,0 +1,22 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
diff --git a/Shorewall6-lite/shorewall6-lite.service.debian b/Shorewall6-lite/shorewall6-lite.service.debian
new file mode 100644
index 000000000..151bb2d5c
--- /dev/null
+++ b/Shorewall6-lite/shorewall6-lite.service.debian
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
diff --git a/Shorewall6/shorewall6.service.debian b/Shorewall6/shorewall6.service.debian
new file mode 100644
index 000000000..914381751
--- /dev/null
+++ b/Shorewall6/shorewall6.service.debian
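Review bot: `EnvironmentFile=-/etc/default/shorewall6-lite` is the path the new shorewall6-lite.service.debian unit should read; the hunk has `/etc/sysconfig/shorewall6-lite`, while the three sibling Debian units in this commit use `/etc/default/...` and shorewallrc.debian.systemd sets `SYSCONFDIR=/etc/default`. Because the path carries the `-` prefix, a missing file is silently tolerated, so on Debian the unit would bring the IPv6 firewall up with empty `$OPTIONS` and `$STARTOPTIONS` and nothing in the journal would point at the cause. This file is also the only one of the four without the 2015 copyright line, which suggests it was copied from the non-Debian variant without adjustment.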
@@ -0,0 +1,22 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+# Copyright 2011 Jonathan Underwood
+# Copyright 2015 Tom Eastep
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+Wants=network-online.target
+After=network-online.target
+Conflicts=ip6tables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
From af2b7910bd7b53e097d2f2227b12bdaf54f69c0c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 12 Aug 2015 12:33:09 -0700
Subject: [PATCH 04/49] Port update changes from 5.0.0
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 4 +-
 Shorewall/Perl/Shorewall/Compiler.pm | 21 +--
 Shorewall/Perl/Shorewall/Config.pm | 9 +-
 Shorewall/Perl/Shorewall/Misc.pm | 189 +++++++++++++++++++++++++--
 Shorewall/Perl/Shorewall/Raw.pm | 69 +++++++++-
 Shorewall/Perl/Shorewall/Tc.pm | 21 ++-
 Shorewall/Perl/compiler.pl | 8 ++
 Shorewall/lib.cli-std | 12 ++
 8 files changed, 300 insertions(+), 33 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 28b36b2b3..5588b419b 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3974,7 +3974,7 @@ usage() # $1 = exit status
 echo " status [ -i ]"
 echo " stop"
 ecko " try [ ]"
- ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ ]"
+ ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ ]"
 echo " version [ -a ]"
 echo
 exit $1
@@ -4027,6 +4027,8 @@ shorewall_cli() {
 g_counters=
 g_loopback=
 g_compiled=
+ g_routestopped=
+ g_notrack=
 VERBOSE=
 VERBOSITY=1
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 301d49ae0..0a8cf7edd 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -592,8 +592,8 @@ EOF # sub compiler { - my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules ) = - ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 ); + my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) = + ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 , 0 ); $export = 0; $test = 0; @@ -634,6 +634,8 @@ sub compiler { inline => { store => \$inline, validate=> \&validate_boolean } , directives => { store => \$directives, validate=> \&validate_boolean } , tcrules => { store => \$tcrules, validate=> \&validate_boolean } , + routestopped => { store => \$routestopped, validate=> \&validate_boolean } , + notrack => { store => \$notrack, validate=> \&validate_boolean } , config_path => { store => \$config_path } , shorewallrc => { store => \$shorewallrc } , shorewallrc1 => { store => \$shorewallrc1 } , @@ -737,7 +739,7 @@ sub compiler { # # Do all of the zone-independent stuff (mostly /proc) # - add_common_rules( $convert, $tcrules ); + add_common_rules( $convert, $tcrules , $routestopped ); # # More /proc # @@ -844,7 +846,7 @@ sub compiler { # # Process the conntrack file # - setup_conntrack; + setup_conntrack( $notrack ); # # Add Tunnel rules. # 
@@ -911,7 +913,7 @@ sub compiler { # S T O P _ F I R E W A L L # (Writes the stop_firewall() function to the compiled script) # - compile_stop_firewall( $test, $export , $have_arptables ); + compile_stop_firewall( $test, $export , $have_arptables, $routestopped ); # # U P D O W N # (Writes the updown() function to the compiled script) @@ -976,14 +978,15 @@ sub compiler { initialize_chain_table(0); if ( $debug ) { - compile_stop_firewall( $test, $export, $have_arptables ); + compile_stop_firewall( $test, $export, $have_arptables, $routestopped ); disable_script; } else { # - # compile_stop_firewall() also validates the routestopped file. Since we don't - # call that function during normal 'check', we must validate routestopped here. + # compile_stop_firewall() also validates the stoppedrules file. Since we don't + # call that function during normal 'check', we must validate stoppedrules here. # - process_routestopped unless process_stoppedrules; + convert_routestopped if $routestopped; + process_stoppedrules; } # # Report used/required capabilities diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 276b60613..cd5b38f06 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -4837,7 +4837,8 @@ sub update_config_file( $$ ) { # $fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf"; } - if ( -f $fn ) { + + if ( -f $fn ) { my ( $template, $output ); open $template, '<' , $fn or fatal_error "Unable to open $fn: $!"; @@ -4925,8 +4926,10 @@ EOF } exit 0 unless ( $directives || - -f find_file 'blacklist' || - -f find_file 'tcrules' ); + -f find_file 'blacklist' || + -f find_file 'tcrules' || + -f find_file 'routestopped' + ); } } else { fatal_error "$fn does not exist"; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 1e18f38b7..d194869e9 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm 
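Review bot: The early `exit 0` in update_config_file now also looks for a routestopped file but not for a notrack file, although this same commit adds the `notrack` conversion next to `routestopped`; if this exit is reached before setup_conntrack runs, an `update -n` on a configuration whose only thing left to convert is a notrack file would exit without converting it. Consider extending the list, e.g. `-f find_file 'routestopped' || -f find_file 'notrack'`. The conditional this sits in starts before the hunk, so whether the conversions are ordered after this point is not visible here and should be confirmed.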
+++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -44,6 +44,7 @@ our @EXPORT = qw( process_tos setup_mac_lists process_routestopped process_stoppedrules + convert_routestopped compile_stop_firewall generate_matrix ); @@ -360,14 +361,16 @@ sub remove_blacklist( $ ) { while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) { my ( $rule, $comment ) = split '#', $currentline, 2; - if ( $rule =~ /blacklist/ ) { + if ( $rule && $rule =~ /blacklist/ ) { $changed = 1; if ( $comment ) { - $comment =~ s/^/ / while $rule =~ s/blacklist,//; + $comment =~ s/^/ / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//; $rule =~ s/blacklist/ /g; $currentline = join( '#', $rule, $comment ); } else { + $currentline =~ s/blacklist,//g; + $currentline =~ s/,blacklist//g; $currentline =~ s/blacklist/ /g; } } @@ -385,7 +388,7 @@ sub remove_blacklist( $ ) { } # -# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist +# Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file # sub convert_blacklist() { my $zones = find_zones_by_option 'blacklist', 'in'; @@ -403,7 +406,19 @@ sub convert_blacklist() { $target = verify_audit( $disposition ); } - my $fn = open_file 'blacklist'; + my $fn = open_file( 'blacklist' ); + + unless ( $fn ) { + if ( -f ( $fn = find_file( 'blacklist' ) ) ) { + if ( unlink( $fn ) ) { + warning_message "Empty blacklist file ($fn) removed"; + } else { + warning_message "Unable to remove empty blacklist file $fn: $!"; + } + } + + return 0; + } first_entry "Converting $fn..."; 
@@ -682,6 +697,153 @@ sub process_routestopped() { } } +sub convert_routestopped() { + + if ( my $fn = open_file 'routestopped' ) { + my ( @allhosts, %source, %dest , %notrack, @rule ); + + my $seq = 0; + + my ( $stoppedrules, $fn1 ); + + if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) { + open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!"; + } else { + open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!"; + print $stoppedrules <<'EOF'; +# +# Shorewall version 4 - Stopped Rules File +# +# For information about entries in this file, type "man shorewall-stoppedrules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-stoppedrules.html +# +# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE +# PORT(S) PORT(S) +EOF + } + + first_entry "$doing $fn..."; + + while ( read_a_line ( NORMAL_READ ) ) { + + my ($interface, $hosts, $options , $proto, $ports, $sports ) = + split_line( 'routestopped file', + { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } ); + + my $interfaceref; + + fatal_error 'INTERFACE must be specified' if $interface eq '-'; + fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface; + $hosts = ALLIP unless $hosts && $hosts ne '-'; + + my $routeback = 0; + + my @hosts; + + $seq++; + + my $rule = "$proto\t$ports\t$sports"; + + $hosts = ALLIP if $hosts eq '-'; + + for my $host ( split /,/, $hosts ) { + fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS}; + validate_host $host, 1; + push @hosts, "$interface|$host|$seq"; + push @rule, $rule; + } + + + unless ( $options eq '-' ) { + for my $option (split /,/, $options ) { + if ( $option eq 'routeback' ) { + if ( $routeback ) { + warning_message "Duplicate 'routeback' 
option ignored"; + } else { + $routeback = 1; + } + } elsif ( $option eq 'source' ) { + for my $host ( split /,/, $hosts ) { + $source{"$interface|$host|$seq"} = 1; + } + } elsif ( $option eq 'dest' ) { + for my $host ( split /,/, $hosts ) { + $dest{"$interface|$host|$seq"} = 1; + } + } elsif ( $option eq 'notrack' ) { + for my $host ( split /,/, $hosts ) { + $notrack{"$interface|$host|$seq"} = 1; + } + } else { + warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; + warning_message "The 'critical' option is no longer supported (or needed)"; + } + } + } + + if ( $routeback || $interfaceref->{options}{routeback} ) { + my $chainref = $filter_table->{FORWARD}; + + for my $host ( split /,/, $hosts ) { + print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n"; + } + } + + push @allhosts, @hosts; + } + + for my $host ( @allhosts ) { + my ( $interface, $h, $seq ) = split /\|/, $host; + my $rule = shift @rule; + + print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n"; + print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED}; + + my $matched = 0; + + if ( $source{$host} ) { + print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n"; + $matched = 1; + } + + if ( $dest{$host} ) { + print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n"; + $matched = 1; + } + + if ( $notrack{$host} ) { + print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n"; + print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n"; + } + + unless ( $matched ) { + for my $host1 ( @allhosts ) { + unless ( $host eq $host1 ) { + my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1; + print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n"; + } + } + } + } + + rename $fn, "$fn.bak"; + progress_message2 "Routestopped file $fn saved in $fn.bak"; + close $stoppedrules; + } elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) { + if ( unlink( $fn1 ) ) { + warning_message "Empty routestopped file 
($fn1) removed"; + } else { + warning_message "Unable to remove empty routestopped file $fn1: $!"; + } + } +} + # # Process the stoppedrules file. Returns true if the file was non-empty. # @@ -774,8 +936,8 @@ sub process_stoppedrules() { sub setup_mss(); -sub add_common_rules ( $$ ) { - my ( $upgrade_blacklist, $upgrade_tcrules ) = @_; +sub add_common_rules ( $$$ ) { + my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_; my $interface; my $chainref; my $target; @@ -946,7 +1108,7 @@ sub add_common_rules ( $$ ) { run_user_exit1 'initdone'; if ( $upgrade_blacklist ) { - exit 0 unless convert_blacklist || $upgrade_tcrules; + exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped; } else { setup_blacklist; } @@ -1826,7 +1988,7 @@ sub add_output_jumps( $$$$$$$ ) { our @vservers; our %output_jump_added; - my $chain1 = rules_target firewall_zone , $zone; + my $chain1 = rules_target( firewall_zone , $zone ); my $chain1ref = $filter_table->{$chain1}; my $nextchain = dest_exclusion( $exclusions, $chain1 ); my $outputref; @@ -2408,8 +2570,8 @@ sub setup_mss( ) { # # Compile the stop_firewall() function # -sub compile_stop_firewall( $$$ ) { - my ( $test, $export, $have_arptables ) = @_; +sub compile_stop_firewall( $$$$ ) { + my ( $test, $export, $have_arptables, $routestopped ) = @_; my $input = $filter_table->{INPUT}; my $output = $filter_table->{OUTPUT}; @@ -2598,7 +2760,12 @@ EOF } } - process_routestopped unless process_stoppedrules; + if ( $routestopped ) { + convert_routestopped; + process_stoppedrules; + } else { + process_routestopped unless process_stoppedrules; + } if ( have_capability 'IFACE_MATCH' ) { add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 87b867856..d99e37a5d 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm 
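Review bot: convert_routestopped appends to an already existing stoppedrules file, yet the `process_routestopped unless process_stoppedrules` branch retained in compile_stop_firewall shows that routestopped was ignored whenever stoppedrules was non-empty; after `update -s` those previously inactive ACCEPT and NOTRACK entries become live rules in the stopped state, which widens what is reachable while the firewall is down, so at minimum a `warning_message` when `$fn1` already exists is warranted. The written file is also never checked: `close $stoppedrules;` discards buffered write errors and `rename $fn, "$fn.bak";` is unchecked, so a failed write leaves a truncated stoppedrules with routestopped already moved aside. Close and check before renaming, `close $stoppedrules or fatal_error "Unable to write $fn1: $!";` followed by `rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";`, matching what the notrack conversion in Raw.pm does for rename. Minor: `my $chainref = $filter_table->{FORWARD};` is unused and `$hosts` is normalised to ALLIP twice.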
@@ -275,11 +275,14 @@ sub process_format( $ ) { $file_format = $format; } -sub setup_conntrack() { +sub setup_conntrack($) { + my $convert = shift; + my $fn; + my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' ); - for my $name ( qw/notrack conntrack/ ) { + for my $name ( @files ) { - my $fn = open_file( $name, 3 , 1 ); + $fn = open_file( $name, 3 , 1 ); if ( $fn ) { 
@@ -341,12 +344,70 @@ sub setup_conntrack() { } else { warning_message "Unable to remove empty notrack file ($fn): $!"; } + $convert = undef; + } + } + } elsif ( $name eq 'notrack' ) { + $convert = undef; + + if ( -f ( my $fn1 = find_file( $name ) ) ) { + if ( unlink( $fn1 ) ) { + warning_message "Empty notrack file ($fn1) removed"; } else { - warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file"; + warning_message "Unable to remove empty notrack file ($fn1): $!"; } } } } + + if ( $convert ) { + my $conntrack; + my $empty = 1; + + if ( $fn ) { + open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!"; + } else { + open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!"; + + print $conntrack <<'EOF'; +# +# Shorewall version 5 - conntrack File +# +# For information about entries in this file, type "man shorewall-conntrack" +# +############################################################################################################## +EOF + print $conntrack '?' . "FORMAT 3\n"; + + print $conntrack <<'EOF'; +#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH +# PORT(S) PORT(S) GROUP +EOF + } + + $fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!"; + + while ( read_a_line( PLAIN_READ ) ) { + # + # Don't copy the header comments from the old notrack file + # + next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ ); + + if ( $empty ) { + # + # First non-commentary line + # + $empty = undef; + + print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i; + } + + print $conntrack "$currentline\n"; + } + + rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!"; + progress_message2 "notrack file $fn saved in $fn.bak" + } } 1; 
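Review bot: The notrack conversion renames the old file to `.bak` while `$conntrack` is still open and never explicitly closes it, so a failed flush when the handle goes out of scope (ENOSPC, read-only filesystem) is lost: the notrack file is gone and the conntrack file silently lacks the copied NOTRACK entries, changing what the firewall tracks with no error reported. Close and check before the rename, `close $conntrack or fatal_error "Unable to write conntrack file: $!";` placed ahead of the existing `rename ... or fatal_error` line; since `$fn` is reassigned to the notrack path by then, keep the conntrack path in its own variable for the message. Note also that `$fn` reaching this block is whatever the last loop iteration produced, so the `>>` branch depends on 'conntrack' being processed after 'notrack'; a one-line comment stating that dependency would stop a future reordering of the list from breaking the append.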
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index f16ff6935..eab2a021b 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -27,7 +27,7 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, see . # -# This module deals with Traffic Shaping and the tcrules file. +# This module deals with Traffic Shaping and the mangle file. # package Shorewall::Tc; require Exporter; @@ -3162,7 +3162,7 @@ sub process_secmark_rule() { } # -# Process the tcrules file and setup traffic shaping +# Process the mangle file and setup traffic shaping # sub setup_tc( $ ) { $tcrules = $_[0]; @@ -3243,11 +3243,22 @@ sub setup_tc( $ ) { fatal_error "Cannot Rename $fn to $fn.bak: $!"; } } else { - warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'"; + if ( unlink $fn ) { + warning_message "Empty tcrules file ($fn) removed"; + } else { + warning_message "Unable to remove empty tcrules file $fn: $!"; + } + } + + close $mangle, directive_callback( 0 ) if $tcrules; + + } elsif ( $tcrules && -f ( my $fn = find_file( 'tcrules' ) ) ) { + if ( unlink $fn ) { + warning_message "Empty tcrules file ($fn) removed"; + } else { + warning_message "Unable to remove empty tcrules file $fn: $!"; } } - - close $mangle, directive_callback( 0 ) if $tcrules; } if ( my $fn = open_file( 'mangle', 1, 1 ) ) { diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index 94dd2b8d5..a2a71a220 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl @@ -42,6 +42,8 @@ # --config_path= # Search path for config files # --inline # Update alternative column specifications # --tcrules # Create mangle from tcrules +# --routestopped # Create stoppedrules from routestopped +# --notrack # Create conntrack from notrack # use strict; use FindBin; 
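Review bot: The `else` branch that previously warned `Non-empty tcrules file ... consider running update -t` now unlinks the file with an "Empty tcrules file removed" message; the conditional it belongs to starts above the hunk, so confirm that this branch is only reached when the tcrules file held no rule lines, otherwise a populated tcrules file would be deleted instead of converted. Either way the message and the condition should visibly agree, and a comment on the branch such as `# Only header comments were present; nothing was converted` would make that checkable by the next reader. setup_tc continues outside this hunk.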
@@ -77,6 +79,8 @@ usage: compiler.pl [ - The -i option was added in Shorewall 4.6.0 and causes a - warning message to be issued if the current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). The option was added in Shorewall 4.6.0. @@ -2350,9 +2354,24 @@ + The option was added in Shorewall 4.6.12. + When specified, causes shorewall-routestopped(5) + to be converted to shorewall-stoppedrules(5). + The old file is renamed with a .bak suffix. + + The option was added in Shorewall 4.6.12. + When specified, causes shorewall-notrack(5) + to be converted to shorewall-conntrack(5). + The old file is renamed with a .bak suffix. + The option was added in Shorewall 4.6.0 and is equivalent to specifying the , - and the options. + , and + the options. For a description of the other options, see the check command above. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index b7e851568..ebb1d2e9c 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -755,6 +755,10 @@ + + + + directory 
@@ -2133,24 +2137,24 @@ - update [-] + update [-] [-] [-] [-] [-] [-] [-] - [-] [-] [ + [-] [-r] [-n][-] [ directory ] Added in Shorewall 4.4.21 and causes the compiler to update - /etc/shorewall6/shorewall6.conf then validate - the configuration. The update will add options not present in the - existing file with their default values, and will move deprecated + /etc/shorewall/shorewall.conf then validate the + configuration. The update will add options not present in + the old file with their default values, and will move deprecated options with non-defaults to a deprecated options section at the bottom of the file. Your existing - shorewall6.conf file is renamed - shorewall6.conf.bak. + shorewall.conf file is renamed + shorewall.conf.bak. The option causes the updated - shorewall6.conf file to be annotated with + shorewall.conf file to be annotated with documentation. The option was added in Shorewall 4.4.26 @@ -2169,7 +2173,7 @@ The option was added in Shorewall 4.5.11. When this option is specified, the compiler will walk through the directories in the CONFIG_PATH replacing FORMAT and COMMENT entries - to compiler directives (e.g., ?FORMAT and ?COMMENT). When a file is + to compiler directives (e.g., ?FORMAT and ?COMMENT. When a file is updated, the original is saved in a .bak file in the same directory. @@ -2178,7 +2182,7 @@ contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall6.conf(5). + url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). The option was added in Shorewall 4.6.0. When specified, causes mangle file; if there is no mangle file in the CONFIG_PATH, one will be created in /etc/shorewall6. + class="directory">/etc/shorewall. 
@@ -2219,9 +2223,24 @@ + The option was added in Shorewall 4.6.12. + When specified, causes shorewall6-routestopped(5) + to be converted to shorewall6-stoppedrules(5). + The old file is renamed with a .bak suffix. + + The option was added in Shorewall 4.6.12. + When specified, causes shorewall6-notrack(5) + to be converted to shorewall6-conntrack(5). + The old file is renamed with a .bak suffix. + The option was added in Shorewall 4.6.0 and is equivalent to specifying the , - and the options. + , and + the options. For a description of the other options, see the check command above. From 7c2a969de02ffbd07678bb9ea70677ca53212cde Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 14 Aug 2015 09:26:45 -0700 Subject: [PATCH 10/49] Correct handling of notrack file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Raw.pm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index ac7864d24..c8340fc35 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -278,9 +278,8 @@ sub process_format( $ ) { sub setup_conntrack($) { my $convert = shift; my $fn; - my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' ); - for my $name ( @files ) { + for my $name ( qw/notrack conntrack/ ) { $fn = open_file( $name, 3 , 1 ); From 9d3f35a22d2d8b1d1f470a9f97c5fc6e12bb19fc Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 16 Aug 2015 11:57:36 -0700 Subject: [PATCH 11/49] Enable new update options in compiler.pl Signed-off-by: Tom Eastep --- Shorewall/Perl/compiler.pl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index a2a71a220..19b26bef9 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl @@ -179,4 +179,6 @@ compiler( script => $ARGV[0] || '', shorewallrc1 => $shorewallrc1, inline => $inline, tcrules => $tcrules, + routestopped => $routestopped, + notrack => $notrack, ); 
From 3b1ad1e284f6d81d30566b69b07b49e5f6febf50 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 17 Aug 2015 06:40:36 -0700 Subject: [PATCH 12/49] Delete 'conflicts=' from Shorewall-init .service files Signed-off-by: Tom Eastep --- Shorewall-init/shorewall-init.service | 1 - Shorewall-init/shorewall-init.service.214 | 1 - Shorewall-init/shorewall-init.service.214.debian | 1 - Shorewall-init/shorewall-init.service.debian | 1 - 4 files changed, 4 deletions(-) diff --git a/Shorewall-init/shorewall-init.service b/Shorewall-init/shorewall-init.service index 6842aa531..d64562763 100644 --- a/Shorewall-init/shorewall-init.service +++ b/Shorewall-init/shorewall-init.service @@ -6,7 +6,6 @@ [Unit] Description=Shorewall firewall (bootup security) Before=network.target -Conflicts=iptables.service ip6tables.service firewalld.service [Service] Type=oneshot diff --git a/Shorewall-init/shorewall-init.service.214 b/Shorewall-init/shorewall-init.service.214 index 5c86e99e9..01cf13f93 100644 --- a/Shorewall-init/shorewall-init.service.214 +++ b/Shorewall-init/shorewall-init.service.214 @@ -7,7 +7,6 @@ Description=Shorewall firewall (bootup security) Before=network-pre.target Wants=network-pre.target -Conflicts=iptables.service firewalld.service [Service] Type=oneshot diff --git a/Shorewall-init/shorewall-init.service.214.debian b/Shorewall-init/shorewall-init.service.214.debian index a292e97a7..cf2b14381 100644 --- a/Shorewall-init/shorewall-init.service.214.debian +++ b/Shorewall-init/shorewall-init.service.214.debian @@ -8,7 +8,6 @@ Description=Shorewall firewall (bootup security) Before=network-pre.target Wants=network-pre.target -Conflicts=iptables.service firewalld.service [Service] Type=oneshot diff --git a/Shorewall-init/shorewall-init.service.debian b/Shorewall-init/shorewall-init.service.debian index efd55e286..5ce68bcc7 100644 --- a/Shorewall-init/shorewall-init.service.debian +++ b/Shorewall-init/shorewall-init.service.debian 
@@ -7,7 +7,6 @@ [Unit] Description=Shorewall firewall (bootup security) Before=network.target -Conflicts=iptables.service ip6tables.service firewalld.service [Service] Type=oneshot From 537f53f611b52de0fe67ad82265df9a772301fb8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 17 Aug 2015 07:41:15 -0700 Subject: [PATCH 13/49] Restore [Install] section in the Debian .service files Signed-off-by: Tom Eastep --- Shorewall-init/shorewall-init.service.214.debian | 3 +++ Shorewall-init/shorewall-init.service.debian | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/Shorewall-init/shorewall-init.service.214.debian b/Shorewall-init/shorewall-init.service.214.debian index cf2b14381..6e42b3cca 100644 --- a/Shorewall-init/shorewall-init.service.214.debian +++ b/Shorewall-init/shorewall-init.service.214.debian @@ -16,3 +16,6 @@ EnvironmentFile=-/etc/default/shorewall-init StandardOutput=syslog ExecStart=/sbin/shorewall-init start ExecStop=/sbin/shorewall-init stop + +[Install] +WantedBy=basic.target diff --git a/Shorewall-init/shorewall-init.service.debian b/Shorewall-init/shorewall-init.service.debian index 5ce68bcc7..dd4adb010 100644 --- a/Shorewall-init/shorewall-init.service.debian +++ b/Shorewall-init/shorewall-init.service.debian @@ -6,6 +6,7 @@ # [Unit] Description=Shorewall firewall (bootup security) +Wants=network.target Before=network.target [Service] @@ -15,3 +16,6 @@ EnvironmentFile=-/etc/default/shorewall-init StandardOutput=syslog ExecStart=/sbin/shorewall-init start ExecStop=/sbin/shorewall-init stop + +[Install] +WantedBy=basic.target From 0e67357d63c30241dcc063606fa5ce6ff0e6e59f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 18 Aug 2015 16:00:37 -0700 Subject: [PATCH 14/49] Rewrite the trace/debugging section of the start/stop article Signed-off-by: Tom Eastep --- docs/starting_and_stopping_shorewall.xml | 105 +++++++++-------------- 1 file changed, 42 insertions(+), 63 deletions(-) 
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index a25eaa013..317db0f03 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -204,78 +204,57 @@
Tracing Command Execution and other Debugging Aids - If you include the word trace as - the first parameter to an /sbin/shorewall command - that transfers control to - /usr/share/shorewall/firewall, execution of the - latter program will be traced to STDERR. + Shorewall includes features for tracing and debugging. Commands + involving the compiler can have the word trace inserted immediately after the + command. - - Tracing <command>shorewall start</command> + Example: - To trace the execution of shorewall start and - write the trace to the file /tmp/trace, you would - enter:shorewall trace start 2> /tmp/trace - The trace keyword does not - result in a trace of the execution of the Shorewall rules compiler. - It rather causes additional diagnostic information to be included in - warning and error messages generated by the compiler. - + shorewall trace check -r - You may also include the word debug as the first argument to the - /sbin/shorewall and - /sbin/shorewall-lite commands.shorewall debug restartIn - most cases, debug is a synonym for - trace. The exceptions are: + This produces a large amount of diagnostic output to standard out + during the compilation step. If entered on a command that doesn't invoke + the compiler, trace is ignored. + + Commands that invoke a compiled fireawll script can have the word + debug inserted immediately after the command. + + Example: + + shorewall debug restart + + debug causes altered behavior of + scripts generated by the Shorewall compiler. These scripts normally use + ip[6]tables-restore to install the Netfilter ruleset, but with debug, the + commands normally passed to iptables-restore in its input file are passed + individually to ip[6]tables. This is a diagnostic aid which allows + identifying the individual command that is causing ip[6]tables-restore to + fail; it should be used when ip[6]tables-restore fails when executing a + COMMIT command. + + + The debug feature is strictly for problem analysis. 
When debug is + used: - debug is ignored by the - Shorewall-perl compiler. + The firewall is made 'wide open' before the rules are + applied. - debug causes altered behavior - of scripts generated by the Shorewall-perl compiler. These scripts - normally use iptables-restore to install the - Netfilter ruleset but with debug, - the commands normally passed to iptables-restore - in its input file are passed individually to - iptables. This is a diagnostic aid which allows - identifying the individual command that is causing - iptables-restore to fail; it should be used when - iptables-restore fails when executing a COMMIT - command. + The stoppedrules file is not + consulted. + + + + The rules are applied in the canonical ip[6]tables-restore + order. So if you need critical hosts to be always available during + start/restart, you may not be able to use debug. - - - The debug feature is strictly - for problem analysis. When debug is - used: - - - - The firewall is made 'wide open' before the rules are - applied. - - - - The routestopped file is not - consulted. - - - - The rules are applied in the canonical - iptables-restore order. So if you need - critical hosts to be always available during start/restart, you - may not be able to use debug. - - - - +
@@ -629,7 +608,7 @@ The Shorewall State Diagram is depicted below. - + @@ -725,7 +704,7 @@ unsuccessful then firewall start (standard configuration) If timeout then firewall restart (standard configuration) - + From d525419c656fdc7b7c10fe1db4abfc69ef633558 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 10:44:00 -0700 Subject: [PATCH 15/49] Correct wording of an error message Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 445567450..fa1070a92 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -797,7 +797,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { if ( $commandref->{maxparams} == 1 ) { fatal_error "The $cmd requires a parameter"; } else { - fatal_error "The $cmd ACTION only requires at least $commandref->{maxparams} parmeters"; + fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parmeters"; } } if ( $state ne '-' ) { From cd8fe38c8558c5586049ead0da1670eff9e7492a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 10:44:37 -0700 Subject: [PATCH 16/49] Delete host routes added to the main routing table for providers Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 2209772a1..d98de2b22 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
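Review bot: The reworded message on the `else` branch still misspells "parameters" as "parmeters", so the line should read `fatal_error "The $cmd ACTION requires at least $commandref->{maxparams} parameters";`. Printing `maxparams` in an "at least" message also reads oddly: if the command table carries a separate minimum, that is the value to show, and if maxparams is in fact the exact required count, "requires $commandref->{maxparams} parameters" would be clearer. process_mangle_rule1 continues outside this hunk.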
@@ -846,12 +846,14 @@ CEOF if ( $hostroute ) { if ( $family == F_IPV4 ) { - emit "run_ip route replace $gateway src $address dev $physical ${mtu}"; - emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm"; + emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}); + emit qq(echo "\$IP route del $gateway src $address dev $physical > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); + emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm); } else { - emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}"; - emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm"; - emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm"; + emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu}); + emit qq(echo "\$IP route del $gateway src $address dev $physical > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); + emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm); + emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm); } } From 1c33717cf50f3698746195b6c37bd44e659ffdc7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 11:06:28 -0700 Subject: [PATCH 17/49] Reverse the change to delete host routes Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 2 -- 1 file changed, 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index d98de2b22..4cf466e2f 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
@@ -847,11 +847,9 @@ CEOF if ( $hostroute ) { if ( $family == F_IPV4 ) { emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}); - emit qq(echo "\$IP route del $gateway src $address dev $physical > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); emit qq(run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm); } else { emit qq(qt \$IP -6 route add $gateway src $address dev $physical ${mtu}); - emit qq(echo "\$IP route del $gateway src $address dev $physical > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing); emit qq(qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm); emit qq(run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm); } From 2b1f33c39137fe45a13e3663ced35d8ee340cc6f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 11:48:23 -0700 Subject: [PATCH 18/49] Don't unlink the tcrules file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index fa1070a92..24ffc854f 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -3242,18 +3242,13 @@ sub setup_tc( $ ) { } else { fatal_error "Cannot Rename $fn to $fn.bak: $!"; } + + close $mangle, directive_callback( 0 ); } else { - if ( unlink $fn ) { - warning_message "Empty tcrules file ($fn) removed"; - } else { - warning_message "Unable to remove empty tcrules file $fn: $!"; - } + warning_message "The tcrules file is deprecated in favor of the mangle file -- consider running '$product upgrade -t'"; } - - close $mangle, directive_callback( 0 ) if $tcrules; - } elsif ( $tcrules ) { - close $mangle, directive_callback( 0 ) if $tcrules; + close $mangle, directive_callback( 0 ); if ( -f ( my $fn = find_file( 'tcrules' ) ) ) { if ( unlink $fn ) { From 39982c20c413f9d84040f18978ca1db06b9faf11 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Wed, 19 Aug 2015 12:34:35 -0700 Subject: [PATCH 19/49] Restore the text of tcrules warning message Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 24ffc854f..d92296781 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -3245,7 +3245,7 @@ sub setup_tc( $ ) { close $mangle, directive_callback( 0 ); } else { - warning_message "The tcrules file is deprecated in favor of the mangle file -- consider running '$product upgrade -t'"; + warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'"; } } elsif ( $tcrules ) { close $mangle, directive_callback( 0 ); From 67aef659b5781083050a5fb8a0f82b0ef5151f25 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 12:57:36 -0700 Subject: [PATCH 20/49] Tweak tcrules references Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 12 +++++++----- docs/Shorewall_Squid_Usage.xml | 5 ++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index e799362e2..d67dce2b0 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -911,7 +911,7 @@ eth1 0.0.0.0/0 130.252.99.27 Now suppose that you want to route all outgoing SMTP traffic from your local network through ISP 2. If you are running Shorewall 4.6.0 or later, you would make this entry in /etc/shorewall/mangle. + url="manpages/shorewall-mangle.html">/etc/shorewall/mangle. #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) 
@@ -1950,9 +1950,9 @@ ONBOOT=yes url="manpages/shorewall-providers.html">shorewall-providers (5) is available in the form of a PROBABILITY column in shorewall-mangle(5) (shorewall-tcrules) (5). This feature requires the - Statistic Match capability in your iptables and - kernel. + url="manpages/shorewall-tcrules.html">shorewall-tcrules) (5). + This feature requires the Statistic Match + capability in your iptables and kernel. This method works when there are multiple links to the same ISP where both links have the same default gateway. @@ -2579,7 +2579,9 @@ MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp 119 - Here are the equivalent tcrules entries: + If you are still using a tcrules file, you should consider + switching to using a mangle file (shorewall update -t + will do that for you). Here are the equivalent tcrules entries: #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER # PORT(S) diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index d997f578e..b300aee67 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -246,7 +246,10 @@ Squid 1 202 - eth1 192.168.1.3 loose,no # PORT(S) MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 - Corresponding /etc/shorewall/tcrules entries are: + If you are still using a tcrules file, you should consider + switching to using a mangle file (shorewall update + -t will do that for you). Corresponding + /etc/shorewall/tcrules entries are: #MARK SOURCE DEST PROTO DEST # PORT(S) From 4b003163d6fb44dabf901d0ef9f7c56a32a24e60 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 19 Aug 2015 14:05:15 -0700 Subject: [PATCH 21/49] Use NYTProf for profiling. Signed-off-by: Tom Eastep --- Shorewall/lib.cli-std | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index 7a6841574..aa71a5b83 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std 
@@ -414,7 +414,7 @@ compiler() { debugflags="-w" [ -n "$g_debug" ] && debugflags='-wd' - [ -n "$g_profile" ] && debugflags='-wd:DProf' + [ -n "$g_profile" ] && debugflags='-wd:NYTProf' # Perl compiler only takes the output file as a argument From 7956c5f6e04133d766f0777a9750c4c438c6e9a7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 20 Aug 2015 14:48:29 -0700 Subject: [PATCH 22/49] Update a message to refer to the 'mangle' file rather than 'tcrules' Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 03db2f20b..d6f9f571f 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -77,7 +77,7 @@ sub process_tos() { my ( $pretosref, $outtosref ); first_entry( sub { progress_message2 "$doing $fn..."; - warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules"; + warning_message "Use of the tos file is deprecated in favor of the TOS target in the 'mangle' file"; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } From a709395949fdbdee8c9ffd226ed688d1d0b73a39 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 21 Aug 2015 13:39:25 -0700 Subject: [PATCH 23/49] Allow 'none' in the log level argument to AutoBL Signed-off-by: Tom Eastep --- Shorewall/action.AutoBL | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/action.AutoBL b/Shorewall/action.AutoBL index c5e0f77b6..cddd04b50 100644 --- a/Shorewall/action.AutoBL +++ b/Shorewall/action.AutoBL 
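Review bot: `-d:NYTProf` loads Devel::NYTProf, which is a CPAN module rather than part of core Perl, so with `$g_profile` set on a host that lacks it the compiler run aborts at interpreter startup with a "Can't locate Devel/NYTProf.pm" error instead of a Shorewall message. A probe before the assignment, e.g. `perl -MDevel::NYTProf -e 1 2>/dev/null || fatal_error "Profiling requires the Devel::NYTProf module"`, would report that clearly; the actual perl invocation is outside this hunk, so use whatever interpreter variable it uses. If the motivation is that Devel::DProf is no longer shipped with core Perl, a one-line comment saying so would explain the switch to the next reader.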
@@ -33,7 +33,7 @@ fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $ fatal_error "Invalid packet count ($count) passed to AutoBL" unless $count =~ /^\d+$/ && $count; fatal_error "Invalid blacklist time ($bltime) passed to AutoBL" unless $bltime =~ /^\d+$/ && $bltime; validate_level( $level ); - +1; ?end perl ############################################################################### #TARGET SOURCE DEST PROTO DPORT SPORT From 05f9f926c4b52a3dfc260dfb9ae786117dddca8b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 21 Aug 2015 14:19:20 -0700 Subject: [PATCH 24/49] Move fatal_error() to lib.base Signed-off-by: Tom Eastep Conflicts: Shorewall-core/lib.common --- Shorewall-core/lib.base | 18 ++++++++++++++++++ Shorewall-core/lib.common | 18 ------------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Shorewall-core/lib.base b/Shorewall-core/lib.base index 602e1c3b6..33f79dcb3 100644 --- a/Shorewall-core/lib.base +++ b/Shorewall-core/lib.base @@ -75,6 +75,24 @@ elif [ -z "${VARDIR}" ]; then VARDIR="${VARLIB}/${PRODUCT}" fi +# +# Fatal Error +# +fatal_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 2 +} + +# +# Not configured Error +# +not_configured_error() # $@ = Message +{ + echo " ERROR: $@" >&2 + exit 6 +} + # # Conditionally produce message # diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index e1d29ae64..a61bfcd03 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -70,24 +70,6 @@ startup_error() # $* = Error Message exit 2 } -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 2 -} - -# -# Not configured Error -# -not_configured_error() # $@ = Message -{ - echo " ERROR: $@" >&2 - exit 6 -} - # # Get the Shorewall version of the passed script # From eae492cef51ec35dd09244895193f7c1c5aa8502 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 22 Aug 2015 08:27:52 -0700 Subject: [PATCH 25/49] Some rules manpage updates 
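Review bot: The added `1;` deserves a comment, because nothing in the hunk shows what consumes the embedded block's value and a later cleanup could drop it as dead code. The commit title suggests that `validate_level( $level )` yields a false value for "none" and that the block ending at `?end perl` is then treated as failed; if that is the mechanism, record it as `1; # the ?perl block must evaluate to true; validate_level() returns false for level 'none'`. Confirm that reading against the compiler's handling of perl blocks before relying on the wording.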
Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-rules.xml | 31 ++++++++++++++++-------- Shorewall6/manpages/shorewall6-rules.xml | 28 +++++++++++++-------- 2 files changed, 39 insertions(+), 20 deletions(-) diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 5e84772a4..aea47bcf7 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -129,8 +129,10 @@ NEW - Packets in the NEW, INVALID and UNTRACKED states are processed - by rules in this section. + Packets in the NEW state are processed by rules in this + section. If the INVALID and/or UNTRACKED sections are empty or not + included, then the packets in the corresponding state(s) are also + processed in this section. @@ -264,7 +266,8 @@ - AUDIT[(accept|drop|reject)] + AUDIT[(accept|drop|reject)] Added in Shorewall 4.5.10. Audits the packet with the @@ -275,7 +278,11 @@ - A_ACCEPT, A_ACCEPT+ and A_ACCEPT! + A_ACCEPT, A_ACCEPT+ and A_ACCEPT! Added in Shorewall 4.4.20. Audited versions of ACCEPT, @@ -285,7 +292,8 @@ - A_DROP and A_DROP! + A_DROP and A_DROP! Added in Shorewall 4.4.20. Audited versions of DROP and @@ -295,7 +303,8 @@ - A_REJECT AND A_REJECT! + A_REJECT AND A_REJECT! Added in Shorewall 4.4.20. Audited versions of REJECT @@ -422,7 +431,7 @@ - HELPER + HELPER Added in Shorewall 4.5.7. This action requires that the @@ -476,7 +485,8 @@ - IPTABLES({iptables-target + IPTABLES({iptables-target [option ...]) @@ -665,8 +675,9 @@ - TARPIT [(tarpit | - honeypot | TARPIT [(tarpit | honeypot | reset)] diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 2c0f50ab6..264b8426d 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml 
@@ -122,8 +122,10 @@ NEW - Packets in the NEW, INVALID and UNTRACKED states are processed - by rules in this section. + Packets in the NEW state are processed by rules in this + section. If the INVALID and/or UNTRACKED sections are empty or not + included, then the packets in the corresponding state(s) are also + processed in this section. @@ -237,7 +239,8 @@ - AUDIT[(accept|drop|reject)] + AUDIT[(accept|drop|reject)] Added in Shorewall 4.5.10. Audits the packet with the @@ -248,7 +251,8 @@ - A_ACCEPT, and A_ACCEPT! + A_ACCEPT, and A_ACCEPT! Added in Shorewall 4.4.20. Audited versions of ACCEPT @@ -258,7 +262,8 @@ - A_DROP and A_DROP! + A_DROP and A_DROP! Added in Shorewall 4.4.20. Audited versions of DROP and @@ -268,7 +273,8 @@ - A_REJECT AND A_REJECT! + A_REJECT AND A_REJECT! Added in Shorewall 4.4.20. Audited versions of REJECT @@ -396,7 +402,7 @@ - HELPER + HELPER Added in Shorewall 4.5.7. This action requires that the @@ -450,7 +456,8 @@ - IP6TABLES({ip6tables-target + IP6TABLES({ip6tables-target [option ...]) @@ -642,8 +649,9 @@ - TARPIT [(tarpit | - honeypot | TARPIT [(tarpit | honeypot | reset)] From ad06ec3eef5ff4c5bde9fb4a3f956b158bfc1f9c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2015 11:51:29 -0700 Subject: [PATCH 26/49] Correct IPV6 range parsing Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/IPAddrs.pm | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index edf18e236..d6d9c0ab2 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm 
@@ -779,6 +779,18 @@ sub normalize_6addr( $ ) { sub validate_6range( $$ ) { my ( $low, $high ) = @_; + if ( $low =~ /^\[(.+)\]$/ ) { + $low = $1; + } elsif ( $low =~ /^\[(.+)\]\/(\d+)$/ ) { + $low = join( '/', $1, $2 ); + } + + if ( $high =~ /^\[(.+)\]$/ ) { + $high = $1; + } elsif ( $high =~ /^\[(.+)\]\/(\d+)$/ ) { + $high = join( '/', $1, $2 ); + } + validate_6address $low, 0; validate_6address $high, 0; From 1d8873d3d56f99a275d46efb62984e85f96f45cf Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2015 12:28:57 -0700 Subject: [PATCH 27/49] Correct the shorewall6-hosts man page Signed-off-by: Tom Eastep --- Shorewall6/manpages/shorewall6-hosts.xml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Shorewall6/manpages/shorewall6-hosts.xml b/Shorewall6/manpages/shorewall6-hosts.xml index 71cc69f35..1b9e53bd4 100644 --- a/Shorewall6/manpages/shorewall6-hosts.xml +++ b/Shorewall6/manpages/shorewall6-hosts.xml @@ -65,9 +65,7 @@ HOST(S) (hosts)- - interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion] + interface:{address-or-range[,address-or-range]...|+ipset|}[exclusion] The name of an interface defined in the An IP address range of the form - low.address-high.address. + [low.address]-[high.address]. Your kernel and ip6tables must have iprange match support. From 28df894add4719cc503eb024c3d7ee7779c5a73b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2015 12:50:56 -0700 Subject: [PATCH 28/49] Improve 'update' - convert BLACKLISTNEWONLY - convert LOGRATE and LOGBURST - default USE_DEFAULT_RT to No Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 41 ++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 008085d63..3fead0ff4 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
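Review bot: The two bracket-stripping blocks added at the top of validate_6range are the same code applied to `$low` and `$high`, and the second branch of each (`join( '/', $1, $2 )`) merely reassembles the text it matched, so both collapse into one loop over the aliased pair: `for my $addr ( $low, $high ) { $addr = $1 . ( $2 || '' ) if $addr =~ m{ ^ \[ (.+) \] ( / \d+ )? $ }x; }`. This is behaviour-preserving: an input such as `[x]/foo` matches neither form and, as now, reaches validate_6address untouched for it to reject. The remainder of validate_6range is outside this hunk.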
@@ -618,6 +618,8 @@ our %deprecated = ( LOGRATE => '' , our %converted = ( WIDE_TC_MARKS => 1, HIGH_ROUTE_MARKS => 1, BLACKLISTNEWONLY => 1, + LOGRATE => 1, + LOGBURST => 1, ); # # Variables involved in ?IF, ?ELSE ?ENDIF processing @@ -4824,6 +4826,45 @@ sub update_config_file( $$ ) { $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET}; $config{PROVIDER_BITS} = 8 unless defined $config{PROVIDER_BITS}; + unless ( supplied $config{LOGLIMIT} ) { + if ( $config{LOGRATE} || $config{LOGBURST} ) { + my $limit; + + if ( supplied $config{LOGRATE} ) { + fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; + $limit = $config{LOGRATE}; + } + + if ( supplied $config{LOGBURST} ) { + fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/; + $limit .= ":$config{LOGBURST}"; + } + + $config{LOGLIMIT} = $limit; + + $config{LOGRATE} = $config{LOGBURST} = undef; + } + } + + unless ( supplied $config{BLACKLIST} ) { + if ( $config{BLACKLISTNEWONLY} ) { + default_yes_no 'BLACKLISTNEWONLY' , ''; + fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY}; + + if ( have_capability 'RAW_TABLE' ) { + $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED'; + } else { + $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID'; + } + + $config{BLACKLIST} = $globals{BLACKLIST_STATES}; + + $config{BLACKLISTNEWONLY} = undef; + } + } + + $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT}; + my $fn; unless ( -d "$globals{SHAREDIR}/configfiles/" ) { From e0734a45ee1c7feca2a06f171be796dab72886af Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2015 12:53:36 -0700 Subject: [PATCH 29/49] Allow 'seconds' and 'minutes' in LOGLIMIT specifications 
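Review bot: In the LOGRATE/LOGBURST conversion block, a configuration that sets LOGBURST without LOGRATE produces `LOGLIMIT=":N"`: `$limit` is never assigned before `$limit .= ":$config{LOGBURST}"` runs, and that value is written back as LOGLIMIT, which matches none of the rate patterns get_configuration accepts (see the next commit's hunk), so the update succeeds and the following compile fails. Either reject the combination up front with `fatal_error "LOGBURST requires LOGRATE" if supplied $config{LOGBURST} && ! supplied $config{LOGRATE};`, or, if a burst alone was previously accepted with a default rate, substitute that default here — this hunk does not show which applied. Also `fatal_error"Invalid LOGRATE ...` and `fatal_error"Invalid LOGBURST ...` are missing the space after the function name, and the units admitted by `/^\d+\/(second|minute)$/` should be checked against what the deprecated LOGRATE option actually allowed, since the check is now fatal during update.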
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 3fead0ff4..da8a344a0 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5549,13 +5549,13 @@ sub get_configuration( $$$$$ ) { my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; my $units; - if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) { + if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) { fatal_error "Invalid rate ($1)" unless $2; fatal_error "Invalid burst value ($5)" unless $5; $limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode "; $units = $4; - } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) { + } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))?)$/ ) { fatal_error "Invalid rate ($1)" unless $2; $limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode "; $units = $4; @@ -5575,11 +5575,11 @@ sub get_configuration( $$$$$ ) { $limit .= "--hashlimit-htable-expire $expire "; } - } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) { + } elsif ( $rate =~ /^((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) { fatal_error "Invalid rate ($1)" unless $2; fatal_error "Invalid burst value ($5)" unless $5; $limit = "-m limit --limit $1 --limit-burst $5 "; - } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) { + } elsif ( $rate =~ /^(\d+)(\/(sec|min|seconds|minutes|hour|day))?$/ ) { fatal_error "Invalid rate (${1}${2})" unless $1; $limit = "-m limit --limit $rate "; } else { From dc2406d25b5c83ce87e06d534ffaa83c20145c86 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2015 13:51:02 -0700 Subject: [PATCH 30/49] update -t also converts the 'tos' file 
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 13 ++-- Shorewall/Perl/Shorewall/Tc.pm | 119 +++++++++++++++++++++++++---- Shorewall/manpages/shorewall.xml | 10 ++- Shorewall6/manpages/shorewall6.xml | 10 ++- 4 files changed, 125 insertions(+), 27 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index da8a344a0..29a6b5bc4 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2145,7 +2145,7 @@ sub split_line2( $$;$$$ ) { # # This file supports INLINE or IPTABLES # - if ( $currentline =~ /^\s*INLINE(?:\(.*\)|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) { + if ( $currentline =~ /^\s*INLINE(?:\(.*\)(:.*)?|:.*)?\s/ || $currentline =~ /^\s*IP6?TABLES(?:\(.*\)|:.*)?\s/ ) { $inline_matches = $pairs; if ( $columns =~ /^(\s*|.*[^&@%]){(.*)}\s*$/ ) { @@ -4970,7 +4970,8 @@ EOF -f find_file 'blacklist' || -f find_file 'tcrules' || -f find_file 'routestopped' || - -f find_file 'notrack' + -f find_file 'notrack' || + -f find_file 'tos' ); } } else { @@ -5549,13 +5550,13 @@ sub get_configuration( $$$$$ ) { my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; my $units; - if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) { + if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) { fatal_error "Invalid rate ($1)" unless $2; fatal_error "Invalid burst value ($5)" unless $5; $limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode "; $units = $4; - } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|seconds|minutes|hour|day))?)$/ ) { + } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|second|minute|hour|day))?)$/ ) { fatal_error "Invalid rate ($1)" unless $2; $limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode "; $units = $4; 
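Review bot: The new `(:.*)?` inside the INLINE alternative of the split_line2 regex is a capturing group while every surrounding group is non-capturing, so a successful match now sets `$1` as a side effect that nothing in the visible lines reads; `(?::.*)?` keeps the pattern consistent and avoids an accidental dependency on that capture. The rest of split_line2, including the `$columns` handling that follows, is outside this hunk.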
@@ -5575,11 +5576,11 @@ sub get_configuration( $$$$$ ) { $limit .= "--hashlimit-htable-expire $expire "; } - } elsif ( $rate =~ /^((\d+)(\/(sec|min|seconds|minutes|hour|day))):(\d+)$/ ) { + } elsif ( $rate =~ /^((\d+)(\/(sec|min|second|minute|hour|day))):(\d+)$/ ) { fatal_error "Invalid rate ($1)" unless $2; fatal_error "Invalid burst value ($5)" unless $5; $limit = "-m limit --limit $1 --limit-burst $5 "; - } elsif ( $rate =~ /^(\d+)(\/(sec|min|seconds|minutes|hour|day))?$/ ) { + } elsif ( $rate =~ /^(\d+)(\/(sec|min|second|minute|hour|day))?$/ ) { fatal_error "Invalid rate (${1}${2})" unless $1; $limit = "-m limit --limit $rate "; } else { diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index d92296781..904ece70e 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm 
@@ -3161,11 +3161,90 @@ sub process_secmark_rule() { } } +sub convert_tos($$) { + my ( $mangle, $fn1 ) = @_; + + my $have_tos = 0; + + sub unlink_tos( $ ) { + my $fn = shift; + + if ( unlink $fn ) { + warning_message "Empty tos file ($fn) removed"; + } else { + warning_message "Unable to remove empty tos file $fn: $!"; + } + } + + if ( my $fn = open_file 'tos' ) { + while ( read_a_line( NORMAL_READ ) ) { + + $have_tos = 1; + + my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = + split_line( 'tos file entry', + { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ); + + my $chain_designator = 'P'; + + decode_tos($tos, 1); + + my ( $srczone , $source , $remainder ); + + if ( $family == F_IPV4 ) { + ( $srczone , $source , $remainder ) = split( /:/, $src, 3 ); + fatal_error 'Invalid SOURCE' if defined $remainder; + } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) { + $srczone = $1; + $source = $2; + } else { + $srczone = $src; + } + + if ( $srczone eq firewall_zone ) { + $chain_designator = 'O'; + $src = $source || '-'; + } else { + $src =~ s/^all:?//; + } + + $dst =~ s/^all:?//; + + $src = '-' unless supplied $src; + $dst = '-' unless supplied $dst; + $proto = '-' unless supplied $proto; + $ports = '-' unless supplied $ports; + $sports = '-' unless supplied $sports; + $mark = '-' unless supplied $mark; + + print $mangle "TOS($tos):$chain_designator\t$src\t$dst\t$proto\t$ports\t$sports\t-\t$mark\n" + + } + + if ( $have_tos ) { + progress_message2 "Converted $fn to $fn1"; + if ( rename $fn, "$fn.bak" ) { + progress_message2 "$fn renamed $fn.bak"; + } else { + fatal_error "Cannot Rename $fn to $fn.bak: $!"; + } + } else { + unlink_tos( $fn ); + } + } elsif ( -f ( $fn = find_file( 'tos' ) ) ) { + if ( unlink $fn ) { + warning_message "Empty tos file ($fn) removed"; + } else { + warning_message "Unable to remove empty tos file $fn: $!"; + } + } +} + # # Process the mangle file and setup traffic shaping # sub 
setup_tc( $ ) { - $tcrules = $_[0]; + my $convert = $_[0]; if ( $config{MANGLE_ENABLED} ) { ensure_mangle_chain 'tcpre'; @@ -3221,7 +3300,7 @@ sub setup_tc( $ ) { if ( $fn = open_file( 'tcrules' , 2, 1 ) ) { my $fn1; - if ( $tcrules ) { + if ( $convert ) { # # We are going to convert this tcrules file to the equivalent mangle file # @@ -3234,29 +3313,43 @@ sub setup_tc( $ ) { process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ ); - if ( $have_tcrules ) { - if ( $mangle ) { + if ( $convert ) { + if ( $have_tcrules ) { progress_message2 "Converted $fn to $fn1"; if ( rename $fn, "$fn.bak" ) { progress_message2 "$fn renamed $fn.bak"; } else { fatal_error "Cannot Rename $fn to $fn.bak: $!"; } - - close $mangle, directive_callback( 0 ); - } else { - warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'"; - } - } elsif ( $tcrules ) { - close $mangle, directive_callback( 0 ); - - if ( -f ( my $fn = find_file( 'tcrules' ) ) ) { + } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) { if ( unlink $fn ) { warning_message "Empty tcrules file ($fn) removed"; } else { warning_message "Unable to remove empty tcrules file $fn: $!"; } } + + convert_tos( $mangle, $fn1 ); + + close $mangle, directive_callback( 0 ); + } + } elsif ( $convert ) { + if ( -f ( my $fn = find_file( 'tcrules' ) ) ) { + if ( unlink $fn ) { + warning_message "Empty tcrules file ($fn) removed"; + } else { + warning_message "Unable to remove empty tcrules file $fn: $!"; + } + } + + if ( -f ( my $fn = find_file( 'tos' ) ) ) { + my $fn1; + # + # We are going to convert this tosfile to the equivalent mangle file + # + open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + convert_tos( $mangle, $fn1 ); + close $mangle; } } diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 2b5d70f42..260f1d1a9 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml 
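Review bot: `unlink_tos` is declared as a named sub inside convert_tos and is then not used where it would help most: the `elsif ( -f ( $fn = find_file( 'tos' ) ) )` branch at the end of the sub repeats its body verbatim. A named sub in Perl is package-level no matter where it is written, so nesting it gains nothing and will trigger "will not stay shared" the moment it touches one of convert_tos's lexicals; declare it at file scope beside convert_tos, drop the `( $ )` prototype, and reduce the duplicated branch to `} elsif ( -f ( $fn = find_file( 'tos' ) ) ) { unlink_tos( $fn ); }`. The return value of `decode_tos($tos, 1)` is discarded, which reads as validation-only; if so, a comment such as `# decode_tos() is called only to validate $tos` would make that explicit (confirm it dies on a bad value rather than returning a status).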
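Review bot: The warning for a non-empty tcrules file processed without -t (`Non-empty tcrules file ($fn); consider running '$product update -t'`, restored by PATCH 19 earlier in this series) disappears in this hunk: the old `if ( $have_tcrules ) { if ( $mangle ) {...} else { warning_message ... } }` becomes `if ( $convert ) {...}`, so with `$convert` false nothing is reported — unless something earlier in setup_tc (outside the hunk) already warns, the `else` branch should come back. Separately, in the new `elsif ( $convert )` branch the append-mode `$mangle` handle ends with a bare `close $mangle;` after convert_tos has already renamed the tos file to .bak, so a failed flush (ENOSPC and the like) leaves a truncated mangle file behind a silently successful conversion; use `close $mangle or fatal_error "Unable to close $fn1: $!";`, and the same check applies to the `close $mangle, directive_callback( 0 )` in the first branch. The comment typo `tosfile` should read `tos file`. setup_tc continues outside this hunk.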
@@ -2316,11 +2316,13 @@ url="/manpages/shorewall.conf.html">shorewall.conf(5). The option was added in Shorewall 4.6.0. - When specified, causes shorewall-tcrules(5) to be - converted to -t causes the tcrules file to be converted to shorewall-mangle(5). The old - file is renamed with a .bak suffix. + file is renamed with a .bak suffix. Beginning with Shorewall + 4.6.12.2, this option also causes the tos file to be converted to shorewall-mangle(5). There are some notable restrictions with the diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index ebb1d2e9c..40c724247 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -2185,11 +2185,13 @@ url="/manpages6/shorewall6.conf.html">shorewall6.conf(5). The option was added in Shorewall 4.6.0. - When specified, causes shorewall6-tcrules(5) to be - converted to -t causes the tcrules file to be converted to shorewall6-mangle(5). The old - file is renamed with a .bak suffix. + file is renamed with a .bak suffix. Beginning with Shorewall + 4.6.12.2, this option also causes the tos file to be converted to shorewall6-mangle(5). There are some notable restrictions with the From af1e2f6c8b13a5623c72fdab3398a305befc2bf4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 27 Aug 2015 11:26:26 -0700 Subject: [PATCH 31/49] Read capabilities file before the .conf file Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 101 ++++++++++++++++------------- 1 file changed, 55 insertions(+), 46 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 29a6b5bc4..6fa825724 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -5084,56 +5084,41 @@ sub read_capabilities() { } # -# Get the system's capabilities, either by probing or by reading a capabilities file +# Get the system's capabilities by probing # -sub get_capabilities( $ ) +sub get_capabilities($) { - my $export = $_[0]; + $iptables = $config{$toolNAME}; - if ( ! $export && $> == 0 ) { # $> == $EUID - $iptables = $config{$toolNAME}; - - if ( $iptables ) { - fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables; - } else { - fatal_error "Can't find $toolname executable" unless $iptables = which $toolname; - } - # - # Determine if iptables supports the -w option - # - $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : ''; - - my $iptables_restore=$iptables . '-restore'; - - fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; - - $tc = $config{TC} || which 'tc'; - - if ( $tc ) { - fatal_error "TC=$tc does not exist or is not executable" unless -x $tc; - } - - $ip = $config{IP} || which 'ip'; - - if ( $ip ) { - fatal_error "IP=$ip does not exist or is not executable" unless -x $ip; - } - - load_kernel_modules; - - if ( open_file 'capabilities' ) { - read_capabilities; - } else { - determine_capabilities; - } + if ( $iptables ) { + fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables; } else { - unless ( open_file 'capabilities' ) { - fatal_error "The -e compiler option requires a capabilities file" if $export; - fatal_error "Compiling under non-root uid requires a capabilities file"; - } - - read_capabilities; + fatal_error "Can't find $toolname executable" unless $iptables = which $toolname; } + # + # Determine if iptables supports the -w option + # + $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : ''; + + my $iptables_restore=$iptables . 
'-restore'; + + fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; + + $tc = $config{TC} || which 'tc'; + + if ( $tc ) { + fatal_error "TC=$tc does not exist or is not executable" unless -x $tc; + } + + $ip = $config{IP} || which 'ip'; + + if ( $ip ) { + fatal_error "IP=$ip does not exist or is not executable" unless -x $ip; + } + + load_kernel_modules; + + determine_capabilities unless $_[0]; } # @@ -5454,6 +5439,28 @@ sub get_configuration( $$$$$ ) { $ENV{PATH} = $default_path; } + my $have_capabilities; + + if ( $export || $> != 0 ) { + # + # Compiling for export or user not root -- must use a capabilties file + # We read it before processing the .conf file so that 'update' has + # the capabilities. + # + unless ( open_file 'capabilities' ) { + fatal_error "The -e compiler option requires a capabilities file" if $export; + fatal_error "Compiling under non-root uid requires a capabilities file"; + } + + read_capabilities; + + $have_capabilities = 1; + } elsif ( open_file 'capabilities' ) { + read_capabilities; + + $have_capabilities = 1; + } + get_params( $export ); process_shorewall_conf( $update, $annotate, $directives ); @@ -5470,7 +5477,9 @@ sub get_configuration( $$$$$ ) { default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz'; default_yes_no 'LOAD_HELPERS_ONLY' , 'Yes'; - get_capabilities( $export ); + if ( ! $export && $> == 0 ) { + get_capabilities($have_capabilities); + } my ( $val, $all ); From de74273dbbbfeed7b12c282c69359771889a74a1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 27 Aug 2015 15:15:03 -0700 Subject: [PATCH 32/49] Assume EXPORTMODULES=No if it doesn't exist in old file during update Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 6fa825724..e5d34cf0a 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
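Review bot: The header comment `# Get the system's capabilities by probing` no longer describes the sub: when `$_[0]` is true (the caller has already read a capabilities file) it only validates the tool paths, probes `-w` support with `qt1( "$iptables -w -L -n")` and loads kernel modules, and the root/`-e` checks that used to guard the probing now live in the caller. Document the contract above the sub, e.g. `# Locate the $toolname, tc and ip binaries, load kernel modules and, unless $_[0] says a capabilities file was already read, probe the capabilities.` and `# Caller must ensure EUID 0 and not -e: the iptables -L probe needs root.`. The `}` that opens this hunk closes read_capabilities, which lies outside it.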
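Review bot: The two arms of the new `$have_capabilities` block both do `read_capabilities; $have_capabilities = 1;` and differ only in whether a missing file is fatal, so `my $have_capabilities = open_file 'capabilities';` followed by `if ( $have_capabilities ) { read_capabilities; } elsif ( $export || $> != 0 ) { ...the two fatal_error calls... }` expresses the same logic once. The comment also misspells `capabilties`. Since reading the file now precedes process_shorewall_conf, it is worth noting in that comment that a stale capabilities file on the live host still suppresses probing (get_capabilities skips determine_capabilities when the flag is set), which is unchanged from before but easy to miss after the move.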
@@ -4865,6 +4865,8 @@ sub update_config_file( $$ ) {
 $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT};
+ $config{EXPORTMODULES} = 'No' unless defined $config{EXPORTMODULES};
+
 my $fn;
 unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
From 10cda4cee76af1d888a0e4b29dc58953087ed0af Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 27 Aug 2015 15:49:59 -0700
Subject: [PATCH 33/49] Update man pages for 'minute' and 'second' in LOGLIMIT specifications
Signed-off-by: Tom Eastep
---
 Shorewall/manpages/shorewall.conf.xml | 8 ++++++--
 Shorewall6/manpages/shorewall6.conf.xml | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index a6896d89d..7ea073be1 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1507,8 +1507,8 @@ net all DROP infothen the chain name is 'net-all' role="bold">d}:]rate/{sec|min|hour|second|min|minute|hour|day}[:burst]]
@@ -1522,6 +1522,10 @@ net all DROP infothen the chain name is 'net-all' If burst is not specified, then a value of 5 is assumed.
+
+ The keywords second and
+ minute are accepted beginning with
+ Shorewall 4.6.13.
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index bd4327850..144b3be3a 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1322,8 +1322,8 @@ net all DROP infothen the chain name is 'net-all' role="bold">d}:]rate/{sec|min|hour|second|min|minute|hour|day}[:burst]]
@@ -1337,6 +1337,10 @@ net all DROP infothen the chain name is 'net-all' If burst is not specified, then a value of 5 is assumed.
+
+ The keywords second and
+ minute are accepted beginning with
+ Shorewall 4.6.13.
From 55ab498291f81ea1b162356c5b171510219b4bbc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 29 Aug 2015 12:51:52 -0700
Subject: [PATCH 34/49] Don't enforce FASTACCEPT/BLACKLISTNEWONLY on convert
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index e5d34cf0a..4c13325f7 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4849,7 +4849,6 @@ sub update_config_file( $$ ) {
 unless ( supplied $config{BLACKLIST} ) {
 if ( $config{BLACKLISTNEWONLY} ) {
 default_yes_no 'BLACKLISTNEWONLY' , '';
- fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
 if ( have_capability 'RAW_TABLE' ) {
 $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
From ab260dc5b1ebd595d2e4f035952c240c3501d798 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 29 Aug 2015 12:52:21 -0700
Subject: [PATCH 35/49] Place a header in a created mangle file during update -t
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 35 ++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 904ece70e..021ad9cae 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
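Review bot: Removing the `fatal_error` means `update` now accepts BLACKLISTNEWONLY=No together with FASTACCEPT=Yes silently, while the line below still derives `'NEW,ESTABLISHED,INVALID,UNTRACKED'` from it; if FASTACCEPT=Yes accepts ESTABLISHED traffic ahead of the blacklist chains (as its name suggests), the ESTABLISHED state in that list can never match and the admin is left believing established connections are blacklisted. Unless the combination is still rejected at ordinary compile time (not visible here), replace the removed line with `warning_message "BLACKLISTNEWONLY=No is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};` so the conversion proceeds but the conflict is reported. The enclosing update_config_file extends beyond the hunk on both sides.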
@@ -3240,6 +3240,34 @@ sub convert_tos($$) { } } +sub open_mangle_for_output() { + my ( $mangle, $fn1 ); + + if ( -f ( find_file( 'mangle' ) ) ) { + open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + } else { + open( $mangle , '>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + print $mangle <<'EOF'; +# +# Shorewall version 4 - Mangle File +# +# For information about entries in this file, type "man shorewall-mangle" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +#################################################################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP +# PORT(S) PORT(S) +EOF + } + + return ( $mangle, $fn1 ); +} + # # Process the mangle file and setup traffic shaping # @@ -3304,7 +3332,7 @@ sub setup_tc( $ ) { # # We are going to convert this tcrules file to the equivalent mangle file # - open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + ( $mangle, $fn1 ) = open_mangle_for_output; directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } ); } @@ -3343,11 +3371,10 @@ sub setup_tc( $ ) { } if ( -f ( my $fn = find_file( 'tos' ) ) ) { - my $fn1; # - # We are going to convert this tosfile to the equivalent mangle file + # We are going to convert this tos file to the equivalent mangle file # - open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + ( $mangle, my $fn1 ) = open_mangle_for_output; convert_tos( $mangle, $fn1 ); close $mangle; } 
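Review bot: open_mangle_for_output picks its target with `find_file('mangle')`, which walks the whole CONFIG_PATH, so when /etc/shorewall has no mangle file the `-f` test can succeed on a packaged copy in `$globals{SHAREDIR}/configfiles` or the doc default-config directory (exactly the directories patch 37's find_writable_file later excludes) and the converted rules would be appended to the template, or the open would fail on a read-only path. The lookup is also done twice; `my $fn1 = find_file( 'mangle' );` once, then `if ( -f $fn1 ) { open( $mangle, '>>', $fn1 ) ... } else { open( $mangle, '>', $fn1 ) ... }` removes the duplication. The `-f` test followed by open is the usual check-then-act window, which is harmless here because both branches open the same path but worth a one-line comment so nobody tightens it wrongly later.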
From 6e303aef69d97c24c48ec4e4df84f611341a8df3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 29 Aug 2015 18:52:11 -0700
Subject: [PATCH 36/49] Fix $convert/$tcrules mess
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 021ad9cae..be1f5e6fc 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -135,7 +135,7 @@ our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
 our $family;
-our $tcrules;
+our $convert;
 our $mangle;
@@ -998,7 +998,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 }
 }
- if ( $tcrules ) {
+ if ( $convert ) {
 $command = ( $command ? "$command($mark)" : $mark ) . $designator;
 my $line = ( $family == F_IPV6 ? "$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
@@ -3272,7 +3272,7 @@ EOF
 #
 # Process the mangle file and setup traffic shaping
 #
 sub setup_tc( $ ) {
- my $convert = $_[0];
+ $convert = $_[0];
 if ( $config{MANGLE_ENABLED} ) {
 ensure_mangle_chain 'tcpre';
From f42dc6def1ecc3d4e6068eda34dafa28ac705913 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 30 Aug 2015 15:35:05 -0700
Subject: [PATCH 37/49] Uniform mechanism for inserting conversion comments
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 26 ++++++++++++++++++++++---
 Shorewall/Perl/Shorewall/Misc.pm | 20 +++++++++++--------
 Shorewall/Perl/Shorewall/Tc.pm | 31 ++++++++++++++++++++++++++----
 3 files changed, 62 insertions(+), 15 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4c13325f7..d556e1194 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -124,6 +124,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script set_shorewall_dir set_debug find_file + find_writable_file split_list split_list1 split_list2 @@ -1869,6 +1870,20 @@ sub find_file($) "$config_path[0]$filename"; } +sub find_writable_file($) { + my ( $filename, $nosearch ) = @_; + + return $filename if $filename =~ '/'; + + for my $directory ( @config_path ) { + next if $directory =~ m|^$globals{SHAREDIR}/configfiles/?$| || $directory =~ m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|; + my $file = "$directory$filename"; + return $file if -f $file && -w _; + } + + "$config_path[0]$filename"; +} + # # Split a comma-separated list into a Perl array # @@ -4807,6 +4822,12 @@ sub conditional_quote( $ ) { # # Update the shorewall[6].conf file. Save the current file with a .bak suffix. # +sub update_default($$) { + my ( $var, $val ) = @_; + + $config{$var} = $val unless defined $config{$var}; +} + sub update_config_file( $$ ) { my ( $annotate, $directives ) = @_; @@ -4862,9 +4883,8 @@ sub update_config_file( $$ ) { } } - $config{USE_DEFAULT_RT} = 'No' unless defined $config{USE_DEFAULT_RT}; - - $config{EXPORTMODULES} = 'No' unless defined $config{EXPORTMODULES}; + update_default( 'USE_DEFAULT_RT', 'No' ); + update_default( 'EXPORTMODULES', 'No' ); my $fn; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index d6f9f571f..717de54b9 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -480,7 +480,7 @@ sub convert_blacklist() { } if ( @rules ) { - my $fn1 = find_file( 'blrules' ); + my $fn1 = find_writable_file( 'blrules' ); my $blrules; my $date = localtime; 
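Review bot: In find_writable_file the patterns `m|^$globals{SHAREDIR}/configfiles/?$|` and `m|^$shorewallrc{SHAREDIR}/doc/default-config/?$|` interpolate directory names into a regex unescaped, so a SHAREDIR containing `.`, `+` or parentheses is not matched literally and a shared directory could be selected as the place to write converted rules; quote them as `\Q$globals{SHAREDIR}\E` and `\Q$shorewallrc{SHAREDIR}\E`. `$nosearch` is unpacked but never used, and the `($)` prototype admits a single argument anyway, so `my ( $filename ) = @_;` is what the code actually does. The fallback `"$config_path[0]$filename"` is returned without the exclusion test, which is correct only if the first CONFIG_PATH entry can never be one of the shared directories; a comment stating that assumption would help.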
@@ -701,7 +701,7 @@ sub convert_routestopped() { my ( $stoppedrules, $fn1 ); - if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) { + if ( -f ( $fn1 = find_writable_file( 'stoppedrules' ) ) ) { open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!"; } else { open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!"; @@ -723,12 +723,16 @@ sub convert_routestopped() { EOF } - print( $stoppedrules - "#\n" , - "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" , - "#\n" ); - - first_entry "$doing $fn..."; + first_entry( + sub { + my $date = localtime; + progress_message2 "$doing $fn..."; + print( $stoppedrules + "#\n" , + "# Rules generated from routestopped file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + } + ); while ( read_a_line ( NORMAL_READ ) ) { diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index be1f5e6fc..516c15426 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -3177,6 +3177,16 @@ sub convert_tos($$) { } if ( my $fn = open_file 'tos' ) { + first_entry + sub { + my $date = localtime; + progress_message2 "Converting $fn..."; + print( $mangle + "#\n" , + "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + }; + while ( read_a_line( NORMAL_READ ) ) { $have_tos = 1; @@ -3243,10 +3253,10 @@ sub convert_tos($$) { sub open_mangle_for_output() { my ( $mangle, $fn1 ); - if ( -f ( find_file( 'mangle' ) ) ) { - open( $mangle , '>>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + if ( -f ( $fn1 = find_writeable_file( 'mangle' ) ) ) { + open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!"; } else { - open( $mangle , '>', $fn1 = find_file('mangle') ) || fatal_error "Unable to open $fn1:$!"; + open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!"; print $mangle <<'EOF'; # # Shorewall version 4 - Mangle File 
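Review bot: `find_writeable_file( 'mangle' )` does not match the `find_writable_file` this same commit adds to Config.pm and exports, so as of this commit open_mangle_for_output dies with an undefined-subroutine error as soon as `update -t` needs a mangle file; the next patch (38) corrects the spelling. Because the name is a bareword call resolved at run time, `perl -c` does not catch it; a test that exercises the convert path (or `use subs`/a fully qualified call) would have. The rest of open_mangle_for_output, including the here-document header, continues past the hunk.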
@@ -3337,7 +3347,20 @@ sub setup_tc( $ ) { directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } ); } - first_entry "$doing $fn..."; + + first_entry + sub { + if ( $convert ) { + my $date = localtime; + progress_message2 "Converting $fn..."; + print( $mangle + "#\n" , + "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + } else { + progress_message2 "$doing $fn..."; + } + }; process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ ); From 656eaabce907229fa0e6bebb8e979eb97dca4fa2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 31 Aug 2015 09:39:40 -0700 Subject: [PATCH 38/49] Correct a typo Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 516c15426..24a4e626a 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -3253,7 +3253,7 @@ sub convert_tos($$) { sub open_mangle_for_output() { my ( $mangle, $fn1 ); - if ( -f ( $fn1 = find_writeable_file( 'mangle' ) ) ) { + if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) { open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!"; } else { open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!"; From e15a6f452ee5b3224ad1cf9d8b488740fa9b7345 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 31 Aug 2015 10:54:30 -0700 Subject: [PATCH 39/49] Cosmetic changes to first_entry() calls Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 47 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 24a4e626a..ef454625a 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm 
@@ -3177,15 +3177,16 @@ sub convert_tos($$) { } if ( my $fn = open_file 'tos' ) { - first_entry - sub { - my $date = localtime; - progress_message2 "Converting $fn..."; - print( $mangle - "#\n" , - "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" , - "#\n" ); - }; + first_entry( + sub { + my $date = localtime; + progress_message2 "Converting $fn..."; + print( $mangle + "#\n" , + "# Rules generated from tos file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + } + ); while ( read_a_line( NORMAL_READ ) ) { @@ -3347,20 +3348,20 @@ sub setup_tc( $ ) { directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } ); } - - first_entry - sub { - if ( $convert ) { - my $date = localtime; - progress_message2 "Converting $fn..."; - print( $mangle - "#\n" , - "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" , - "#\n" ); - } else { - progress_message2 "$doing $fn..."; - } - }; + first_entry( + sub { + if ( $convert ) { + my $date = localtime; + progress_message2 "Converting $fn..."; + print( $mangle + "#\n" , + "# Rules generated from tcrules file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + } else { + progress_message2 "$doing $fn..."; + } + } + ); process_tc_rule, $have_tcrules++ while read_a_line( NORMAL_READ ); From dea1f853ea9e1e4110aca60e88e54902182beae2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 1 Sep 2015 11:57:28 -0700 Subject: [PATCH 40/49] Correct progress messages Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index d556e1194..a9441aa1e 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -5378,7 +5378,7 @@ sub convert_to_directives() { my $dirtest = qr|^$sharedir/+shorewall6?(?:/.*)?$|; - progress_message3 "Converting 'FORMAT' and 'COMMENT' lines to compiler directives..."; + progress_message3 "Converting 'FORMAT', 'SECTION' and 'COMMENT' lines to compiler directives..."; for my $dir ( @path ) { unless ( $dir =~ /$dirtest/ ) { @@ -5413,6 +5413,7 @@ EOF if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) { progress_message3 " File $file updated - old file renamed ${file}.bak"; } elsif ( rename "${file}.bak" , $file ) { + progress_message " File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found"; progress_message " File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found"; } else { warning message "Unable to rename ${file}.bak to $file:$!"; From 582755edf4ffaf1361496ae102c402d08a2bd4e7 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 2 Sep 2015 08:02:02 -0700 Subject: [PATCH 41/49] Unconditionally get inline matches Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Nat.pm | 2 +- Shorewall/Perl/Shorewall/Rules.pm | 2 +- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 954da6ca3..baba7f270 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -80,7 +80,7 @@ sub process_one_masq1( $$$$$$$$$$ ) if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) { $interfacelist = $1; $inlinematches = get_inline_matches(0); - } elsif ( $config{INLINE_MATCHES} ) { + } else { $inlinematches = get_inline_matches(0); } # diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 3a32c924b..e1e2a707f 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
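Review bot: The new `progress_message " File $file not updated -- no bare 'COMMENT', 'SECTION' or 'FORMAT' lines found";` is inserted above the old message instead of replacing it, so every unchanged file now prints both lines; delete the following `progress_message " File $file not updated -- no bare 'COMMENT' or 'FORMAT' lines found";`. The context line `warning message "Unable to rename ${file}.bak to $file:$!";` has a space where `warning_message` needs an underscore, so the rename-failure path would itself die on an undefined subroutine rather than warn. The enclosing convert_to_directives begins before the hunk.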
@@ -2284,7 +2284,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { if ( $basictarget eq 'INLINE' ) { ( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel ); - } elsif ( $config{INLINE_MATCHES} ) { + } else { $raw_matches = get_inline_matches(0); } # diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index ef454625a..dde22293e 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -749,7 +749,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { if ( $cmd eq 'INLINE' ) { ( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' ); - } elsif ( $config{INLINE_MATCHES} ) { + } else { $raw_matches = get_inline_matches(0); } From 9e98d30c92ae50fa7f74950c1da138bd9637e917 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 2 Sep 2015 08:55:18 -0700 Subject: [PATCH 42/49] Correct handling of log levels with default actions Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index e1e2a707f..f9493040b 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -455,13 +455,12 @@ sub process_default_action( $$$$ ) { } elsif ( ( $targets{$def} || 0 ) == INLINE ) { $default = $def; $default = "$def($param)" if supplied $param; + $default = join( ':', $default, $level ) if $level ne 'none'; } elsif ( $default_option ) { fatal_error "Unknown Action ($default) in $policy setting"; } else { fatal_error "Unknown Default Action ($default)"; } - - $default = join( ':', $default, $level ) if $level ne 'none'; } else { $default = $default_actions{$policy} || 'none'; } From 682a449e7bbc20da715e2eaa81bb0aeffecf6efb Mon Sep 17 00:00:00 2001 
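Review bot: With the `$config{INLINE_MATCHES}` guard dropped here and in the Nat.pm and Rules.pm hunks, whatever `get_inline_matches(0)` returns is appended to every mangle, masq and rules entry regardless of the setting, and that text reaches iptables unparsed. The documentation should therefore say that raw matches are always honoured and that INLINE_MATCHES now presumably only selects the separator; the shorewall-mangle(5) text touched in patch 43 still reads `If INLINE_MATCHES=Yes in shorewall6.conf(5) then the third rule above can be specified as follows`, which presents the feature as optional. A one-line comment above the call, such as `# Raw matches after the separator are always collected; INLINE_MATCHES only affects how they are introduced`, would record the intent in code. The enclosing process_mangle_rule1 starts before the hunk.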
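Review bot: Moving `$default = join( ':', $default, $level ) if $level ne 'none';` into the INLINE branch means the earlier arms of this if/elsif chain, which handle ordinary default actions and lie above the hunk, no longer get the log level appended here; unless those arms already fold `$level` in (not visible in the hunk), a policy default written as `Drop:info` would silently lose its level. A test that sets a non-inline default action with an explicit level and checks the resulting `$default` would pin the intended behaviour either way. The start of process_default_action is outside the hunk.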
From: Tom Eastep Date: Wed, 2 Sep 2015 13:07:20 -0700 Subject: [PATCH 43/49] Correct more Mangle examples Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-mangle.xml | 12 ++++++------ Shorewall6/manpages/shorewall6-mangle.xml | 16 ++++++++-------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index b2e837aea..3fc158408 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -351,18 +351,18 @@ The following rules are equivalent: - 2:P eth0 - tcp 22 -INLINE(2):P eth0 - tcp 22 -INLINE(2):P eth0 - ; -p tcp -INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 -INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + 2:P eth0 - tcp 22 +INLINE(MARK(2)):P eth0 - tcp 22 +INLINE(MARK(2)):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 If INLINE_MATCHES=Yes in shorewall6.conf(5) then the third rule above can be specified as follows: - 2:P eth0 - ; -p tcp + MARK(2):P eth0 - ; -p tcp diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index f52db8668..44c457f24 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml 
@@ -347,23 +347,23 @@ specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in shorewall6-actions + url="/manpages/shorewall-actions.html">shorewall-actions (5). The following rules are equivalent: - 2:P eth0 - tcp 22 -INLINE(2):P eth0 - tcp 22 -INLINE(2):P eth0 - ; -p tcp -INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 -INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + 2:P eth0 - tcp 22 +INLINE(MARK(2)):P eth0 - tcp 22 +INLINE(MARK(2)):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 If INLINE_MATCHES=Yes in shorewall6.conf(5) + url="/manpages/shorewall.conf.html">shorewall6.conf(5) then the third rule above can be specified as follows: - 2:P eth0 - ; -p tcp + MARK(2):P eth0 - ; -p tcp From 1bf13e5fda0c74499bcaa4960a23be725de9218e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 6 Sep 2015 10:28:44 -0700 Subject: [PATCH 44/49] Provide default for SHOREWALL_SHELL Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index a9441aa1e..08403af7c 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5677,7 +5677,8 @@ sub get_configuration( $$$$$ ) { fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on'; } - default 'STARTUP_LOG' , ''; + default 'STARTUP_LOG' , ''; + default 'SHOREWALL_SHELL', '/bin/sh'; if ( $config{STARTUP_LOG} ne '' ) { if ( supplied $config{LOG_VERBOSITY} ) { From eddd58d45976584c342fab0e9848a545595a1d07 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 6 Sep 2015 10:33:09 -0700 Subject: [PATCH 45/49] Move a line of code Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
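Review bot: `default 'SHOREWALL_SHELL', '/bin/sh';` supplies the interpreter that will run the generated firewall script, yet unlike IPTABLES, TC and IP (which get_capabilities checks with `-x`) the configured value is not validated here; if no check exists elsewhere, `fatal_error "SHOREWALL_SHELL=$config{SHOREWALL_SHELL} does not exist or is not executable" unless -x $config{SHOREWALL_SHELL};` right after the default would fail at compile time instead of at the first `start`. The surrounding get_configuration body extends beyond the hunk on both sides.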
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 08403af7c..766f26199 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5677,9 +5677,10 @@ sub get_configuration( $$$$$ ) {
 fatal_error "LOG_MARTIANS=On is not supported in IPv6" if $config{LOG_MARTIANS} eq 'on';
 }
- default 'STARTUP_LOG' , '';
 default 'SHOREWALL_SHELL', '/bin/sh';
+ default 'STARTUP_LOG' , '';
+
 if ( $config{STARTUP_LOG} ne '' ) {
 if ( supplied $config{LOG_VERBOSITY} ) {
 if ( $config{LOG_VERBOSITY} eq '' ) {
From 0aa5cb5086575e7605c39488e12afb7a585003fd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 7 Sep 2015 11:29:24 -0700
Subject: [PATCH 46/49] Allow non-experts to use the user bits in the fw mark
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index ca564d328..32b919fee 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4855,7 +4855,7 @@ sub validate_mark( $ ) {
 sub verify_small_mark( $ ) {
 my $val = validate_mark ( (my $mark) = $_[0] );
- fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+ fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{SMALL_MASK};
 $val;
 }
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 766f26199..4331bea47 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5902,6 +5902,10 @@ sub get_configuration( $$$$$ ) {
 $globals{USER_MASK} = $globals{USER_BITS} = 0;
 }
+ $val = $config{PROVIDER_OFFSET};
+
+ $globals{SMALL_MASK} = $val ? make_mask( $val ) : $globals{TC_MASK};
+
 if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
 fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
 } else {
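Review bot: verify_small_mark now rejects values above `$globals{SMALL_MASK}` rather than `$globals{TC_MAX}`; the Config.pm hunk sets SMALL_MASK to `make_mask( PROVIDER_OFFSET )` when an offset is configured and to `$globals{TC_MASK}` otherwise, so whether existing configurations keep compiling hinges on TC_MAX equalling TC_MASK, which is not visible here and deserves a release note. Since the sub's contract changed, document it above the sub: `# A 'small' mark must fit in the bits below PROVIDER_OFFSET (TC_MASK when no offset is set); see $globals{SMALL_MASK}.`. The Config.pm hunk also assumes PROVIDER_OFFSET was already validated as numeric, which happens outside the hunk if at all.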
From 426636458c33b7fdca3f7b528a7a4ec6442e56d4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 8 Sep 2015 12:25:59 -0700 Subject: [PATCH 47/49] Correct shorewall6 mangle man page - Replace 'TTL' by 'HL' Signed-off-by: Tom Eastep --- Shorewall6/manpages/shorewall6-mangle.xml | 68 ++++++++--------------- 1 file changed, 22 insertions(+), 46 deletions(-) diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index 44c457f24..69c19649c 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -320,6 +320,28 @@ + + HL([-|+]number)[:P] + + + If + is included, + packets matching the rule will have their hop limit + incremented by number. Similarly, + if - is included, matching + packets have their hop limit decremented by + number. If neither + nor - is given, the hop limit of matching + packets is set to number. The valid + range of values for number is + 1-255. If :P is included, the rule is placed in the mangle + PREROUTING chain -- otherwise, it is placed in the FORWARD + chain. + + + IMQ(number) 
@@ -665,53 +687,7 @@ Normal-Service => 0x00 - - - TTL([-|+]number) - - - If + is included, - packets matching the rule will have their TTL incremented by - number. Similarly, if - is included, matching packets have - their TTL decremented by number. If - neither + nor - is given, the TTL of matching packets - is set to number. The valid range - of values for number is - 1-255. - - - - - - TTL([-|+]number) - - Added in Shorewall 4.4.24. - - Prior to Shorewall 4.5.7.2, may be optionally followed by - :F but the resulting rule is - always added to the FORWARD chain. Beginning with Shorewall - 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to - the PREROUTING chain. - - If + is included, packets - matching the rule will have their TTL incremented by - number. Similarly, if - is included, matching packets have - their TTL decremented by number. If - neither + nor - is given, the TTL of matching packets - is set to number. The valid range of - values for number is 1-255. - - From 03d99de8d549460ac4ef73dcae0764eb208be48f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 11 Sep 2015 15:02:32 -0700 Subject: [PATCH 48/49] Correct handling of reset Signed-off-by: Tom Eastep --- Shorewall/Perl/prog.footer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index eb712759e..432240eeb 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -267,7 +267,7 @@ case "$COMMAND" in status=0 for chain in $@; do if chain_exists $chain; then - if qt $g_tool-Z $chain; then + if qt $g_tool -Z $chain; then progress_message3 "Filter $chain Counters Reset" else error_message "ERROR: Reset of chain $chain failed" From 85e44c70ebc01fba41600ecf81c886f4cca6ec97 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 17 Sep 2015 09:16:33 -0700 Subject: [PATCH 49/49] Add the Meta-connection to Tinc - Both the macro and the tunnel type are updated 
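Review bot: The corrected line still passes $chain to $g_tool unquoted, and the loop header `for chain in $@; do` is unquoted too, so a reset argument containing a glob character would be expanded by the shell before it ever reaches iptables; `for chain in "$@"; do` and `if qt "$g_tool" -Z "$chain"; then` keep each argument intact. The space fix itself looks right: `$g_tool-Z` presumably expanded to a single word such as `iptables-Z`, which is not a command, so the reset could not have succeeded before. The `case "$COMMAND" in` block holding this loop starts and ends outside the hunk, so I cannot see whether the else branch updates status.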
Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.Tinc | 1 + Shorewall/Perl/Shorewall/Tunnels.pm | 2 ++ 2 files changed, 3 insertions(+) diff --git a/Shorewall/Macros/macro.Tinc b/Shorewall/Macros/macro.Tinc index a64f645cc..a6f686f2e 100644 --- a/Shorewall/Macros/macro.Tinc +++ b/Shorewall/Macros/macro.Tinc @@ -9,3 +9,4 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 655 +PARAM - - tcp 655 diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 843164018..a8e9178f1 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -137,6 +137,8 @@ sub setup_tunnels() { add_tunnel_rule $inchainref, p => 'udp --dport 655', @$source; add_tunnel_rule $outchainref, p => 'udp --dport 655', @$dest; + add_tunnel_rule $inchainref, p => 'tcp --dport 655', @$source; + add_tunnel_rule $outchainref, p => 'tcp --dport 655', @$dest; } sub setup_one_openvpn {
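Review bot: The two added lines duplicate the udp pair above them with only the protocol changed, so any later change to the port or the chains has to be made in four places; a loop over the protocol keeps the rules in one spot. A comment saying what the tcp rule is for would also help the next reader, e.g. `# tinc uses UDP 655 for data and TCP 655 for its meta-connection`, since nothing in the code explains why both are opened. The enclosing tinc setup sub starts outside this hunk.
```perl
# tinc uses UDP 655 for data and TCP 655 for its meta-connection
for my $proto ( qw( udp tcp ) ) {
    add_tunnel_rule $inchainref,  p => "$proto --dport 655", @$source;
    add_tunnel_rule $outchainref, p => "$proto --dport 655", @$dest;
}
```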
