From bb9c22cfe0427698f5359aebfe38f6648395ae6b Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 10 Feb 2006 19:33:31 +0000 Subject: [PATCH] Add shorecap git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3467 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 +- Shorewall/compiler | 3 +- Shorewall/modules | 1 + Shorewall/releasenotes.txt | 16 ++ Shorewall/shorecap | 314 +++++++++++++++++++++++++++++++++++++ Shorewall/shorewall.spec | 5 +- 6 files changed, 340 insertions(+), 3 deletions(-) create mode 100755 Shorewall/shorecap diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 0f5d0bc83..4dc29d879 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -60,4 +60,6 @@ Changes in 3.1.x. 27) Fix TC bridge port handling. -28) Fix "check -e" +28) Fix/document "check -e" + +29) Automatically use capabilities file when non-root. diff --git a/Shorewall/compiler b/Shorewall/compiler index c7d38ee09..264b07956 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -8894,7 +8894,8 @@ do_initialize() { PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - if [ -z "$EXPORT" ]; then + + if [ -z "$EXPORT" -a "$(whoami)" = root ]; then load_kernel_modules diff --git a/Shorewall/modules b/Shorewall/modules index 9fe8e4ebd..25a0ae432 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -59,6 +59,7 @@ loadmodule ipt_ECN loadmodule ipt_esp loadmodule ipt_hashlimit loadmodule ipt_helper +loadmodule ipt_ipp2p loadmodule ipt_iprange loadmodule ipt_length loadmodule ipt_limit diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c6b326358..65f29a23b 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -72,6 +72,22 @@ Other changes in 3.1.6 /etc/shorewall/capabilities file to determine the capabilities of the target system. +3) When "shorewall check" or "shorewall compile" is run by a user other + than root, Shorewall now automatically uses the /etc/shorewall/capabilities + file to determine the capabilities of the target system. + +4) Shorewall now includes a 'shorecap' program. The RPM installs the + program in the documentation directory. The install.sh script does + not install the program. + + The shorecap program can be used to create an /etc/shorewall/capabilities + file on a remote system. The file can then be copied to the local + system where it can be used when compiling firewall programs targeted for + the remote system. + + For instructions about running shorecap, see the comments at the top + of the program file (it's a simple shell script). + Migration Considerations: 1) A number of macros have been split into two. The macros affected are: diff --git a/Shorewall/shorecap b/Shorewall/shorecap new file mode 100755 index 000000000..4fe635742 --- /dev/null +++ b/Shorewall/shorecap @@ -0,0 +1,314 @@ +#!/bin/sh +# +# Shorewall Packet Filtering Firewall Capabilities Detector +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2006 - Tom Eastep (teastep@shorewall.net) +# +# This file should be placed in /sbin/shorewall. +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# +# This program may be used to create a /etc/shorewall/capabilities file for +# use in compiling Shorewall firewalls on another system. +# +# On the target system (the system where the firewall program is to run): +# +# [ IPTABLES= ] [ MODULESDIR= ] shorecap > capabilities +# +# Now move the capabilities file to the compilation system. The file must +# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls +# for the target system. +# +# Default values for the two variables are: +# +# IPTABLES - iptables +# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter +# +# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is +# used during firewall compilation, then the generated firewall program will likewise not +# require Shorewall to be installed. + +VERSION=3.1.6 + +# +# Suppress all output for a command +# +qt() +{ + "$@" >/dev/null 2>&1 +} + +# +# Split a colon-separated list into a space-separated list +# +split() { + local ifs=$IFS + IFS=: + set -- $1 + echo $* + IFS=$ifs +} + +# +# Internal version of 'which' +# +mywhich() { + local dir + + for dir in $(split $PATH); do + if [ -x $dir/$1 ]; then + echo $dir/$1 + return 0 + fi + done + + return 2 +} + +# +# Load a Kernel Module +# +loadmodule() # $1 = module name, $2 - * arguments +{ + local modulename=$1 + local modulefile + local suffix + moduleloader=modprobe + + if ! qt mywhich modprobe; then + moduleloader=insmod + fi + + if [ -z "$(lsmod | grep $modulename)" ]; then + shift + + for suffix in $MODULE_SUFFIX ; do + modulefile=$MODULESDIR/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + + return + fi + done + fi +} + +# +# Load kernel modules required for Shorewall +# +load_kernel_modules() +{ + [ -z "$MODULESDIR" ] && \ + MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + + # + # Essential Modules + # + loadmodule ip_tables + loadmodule iptable_filter + loadmodule ip_conntrack + # + # Helpers + # + loadmodule ip_conntrack_ftp + loadmodule ip_conntrack_tftp + loadmodule ip_conntrack_irc + loadmodule iptable_nat + loadmodule ip_nat_ftp + loadmodule ip_nat_tftp + loadmodule ip_nat_irc + loadmodule ip_set + loadmodule ip_set_iphash + loadmodule ip_set_ipmap + loadmodule ip_set_macipmap + loadmodule ip_set_portmap + # + # Traffic Shaping + # + loadmodule sch_sfq + loadmodule sch_ingress + loadmodule sch_htb + loadmodule cls_u32 + # + # Extensions + # + loadmodule ipt_addrtype + loadmodule ipt_ah + loadmodule ipt_CLASSIFY + loadmodule ipt_CLUSTERIP + loadmodule ipt_comment + loadmodule ipt_connmark + loadmodule ipt_CONNMARK + loadmodule ipt_conntrack + loadmodule ipt_dscp + loadmodule ipt_DSCP + loadmodule ipt_ecn + loadmodule ipt_ECN + loadmodule ipt_esp + loadmodule ipt_hashlimit + loadmodule ipt_helper + loadmodule ipt_ipp2p + loadmodule ipt_iprange + loadmodule ipt_length + loadmodule ipt_limit + loadmodule ipt_LOG + loadmodule ipt_mac + loadmodule ipt_mark + loadmodule ipt_MARK + loadmodule ipt_MASQUERADE + loadmodule ipt_multiport + loadmodule ipt_NETMAP + loadmodule ipt_NOTRACK + loadmodule ipt_owner + loadmodule ipt_physdev + loadmodule ipt_pkttype + loadmodule ipt_policy + loadmodule ipt_realm + loadmodule ipt_recent + loadmodule ipt_REDIRECT + loadmodule ipt_REJECT + loadmodule ipt_SAME + loadmodule ipt_sctp + loadmodule ipt_set + loadmodule ipt_state + loadmodule ipt_tcpmss + loadmodule ipt_TCPMSS + loadmodule ipt_tos + loadmodule ipt_TOS + loadmodule ipt_ttl + loadmodule ipt_TTL + loadmodule ipt_ULOG + +} + +# +# Determine which optional facilities are supported by iptables/netfilter +# +determine_capabilities() { + [ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) + + [ -z "$IPTABLES" ] && { echo "ERROR: Can't find IPTABLES executable" ; exit 2; } + + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + + CONNTRACK_MATCH= + MULTIPORT= + XMULTIPORT= + POLICY_MATCH= + PHYSDEV_MATCH= + IPRANGE_MATCH= + RECENT_MATCH= + OWNER_MATCH= + IPSET_MATCH= + CONNMARK= + CONNMARK_MATCH= + RAW_TABLE= + IPP2P_MATCH= + LENGTH_MATCH= + CLASSIFY_TARGET= + ENHANCED_REJECT= + USEPKTTYPE= + + qt $IPTABLES -N fooX1234 + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes + qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes + qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes + qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes + qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes + + qt $IPTABLES -t mangle -N fooX1234 + qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes + qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes + qt $IPTABLES -t mangle -F fooX1234 + qt $IPTABLES -t mangle -X fooX1234 + + qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + + if qt mywhich ipset; then + qt ipset -X fooX1234 # Just in case something went wrong the last time + + if qt ipset -N fooX1234 iphash ; then + if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then + qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT + IPSET_MATCH=Yes + fi + qt ipset -X fooX1234 + fi + fi + + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes + + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 +} + +report_capability() # $1 = Capability +{ + local setting + + eval setting=\$$1 + + echo $1=$setting + +} + +report_capabilities() { + echo "#" + echo "#Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)" + echo "#" + report_capability NAT_ENABLED + report_capability MANGLE_ENABLED + report_capability MULTIPORT + [ -n "$MULTIPORT" ] && report_capability XMULTIPORT + report_capability CONNTRACK_MATCH + report_capability USEPKTTYPE + report_capability POLICY_MATCH + report_capability PHYSDEV_MATCH + report_capability LENGTH_MATCH + report_capability IPRANGE_MATCH + report_capability RECENT_MATCH + report_capability OWNER_MATCH + report_capability IPSET_MATCH + report_capability CONNMARK + report_capability CONNMARK_MATCH + report_capability RAW_TABLE + report_capability IPP2P_MATCH + report_capability CLASSIFY_TARGET + report_capability ENHANCED_REJECT +} + +load_kernel_modules +determine_capabilities +report_capabilities diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index fac8b2406..4469cfb6f 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -102,6 +102,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/Makefile %attr(05555,root,root) /sbin/shorewall +%attr(05555,root,root) /sbin/shorecap %attr(0644,root,root) /usr/share/shorewall/version %attr(0644,root,root) /usr/share/shorewall/actions.std @@ -170,9 +171,11 @@ fi %attr(0644,root,root) /usr/share/shorewall/rfc1918 %attr(0644,root,root) /usr/share/shorewall/configpath -%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples +%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples shorecap %changelog +* Fri Feb 10 2006 Tom Eastep tom@shorewall.net +- Added shorecap * Fri Feb 03 2006 Tom Eastep tom@shorewall.net - Updated to 3.1.5-1 - Added new program header/footer files