From c44a5af6892d9a7d00c452e9fc1dfbd216a040be Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 21 May 2004 18:52:52 +0000 Subject: [PATCH] Shorewall-2.0.2c git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1348 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Lrp2/usr/share/shorewall/firewall | 146 +++++++++++++++++++++------- Lrp2/usr/share/shorewall/version | 2 +- Lrp2/var/lib/lrpkg/shorwall.version | 2 +- Shorewall-docs2/errata.xml | 13 ++- 4 files changed, 125 insertions(+), 38 deletions(-) diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall index 1eb1dd7a8..96711dec2 100755 --- a/Lrp2/usr/share/shorewall/firewall +++ b/Lrp2/usr/share/shorewall/firewall @@ -51,11 +51,6 @@ my_mutex_off() { [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } } -progress_message() # $* = Message -{ - [ -n "$QUIET" ] || echo "$@" -} - # # Message to stderr # @@ -136,9 +131,9 @@ ensure_and_save_command() # Append a file to /var/lib/shorewall/restore-$$ # append_file() { - save_command "cat > $STATEDIR/$1 << EOF" + save_command "cat > $STATEDIR/$1 << __EOF__" cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ - save_command EOF + save_command __EOF__ } # @@ -576,7 +571,7 @@ known_interface() # $1 = interface name match_source_dev() { if [ -n "$BRIDGING" ]; then - known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" + list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1 else echo -i $1 fi @@ -585,12 +580,17 @@ match_source_dev() match_dest_dev() { if [ -n "$BRIDGING" ]; then - known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" + list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1 else echo -o $1 fi } +verify_interface() +{ + known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; } +} + # # # Find hosts in a given zone 
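Review bot: `verify_interface` tests `[ -n $BRIDGING ]` with the variable unquoted; when BRIDGING is empty the test collapses to `[ -n ]`, which is true, so the bridge-port lookup runs in non-bridging mode as well. The `match_source_dev`/`match_dest_dev` hunks just above quote the same variable, so this looks like an oversight: `known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }`. The difference is masked today whenever `$all_ports` is empty, but every caller added in this patch (tc rules, accounting, actions, rules, tos) now accepts or rejects interface names through this one function, so the guard should be exact.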
@@ -798,6 +798,13 @@ validate_interfaces_file() { validate_hosts_file() { local z hosts options r interface host option port ports + check_bridge_port() + { + list_search $1 $ports || ports="$ports $1" + list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" + list_search $1 $all_ports || all_ports="$all_ports $1" + } + while read z hosts options; do expandv z hosts options r="$z $hosts $options" @@ -820,17 +827,14 @@ validate_hosts_file() { *:*) known_interface ${host%:*} && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - port=${host%%:*} - list_search $port $ports || ports="$ports $port" - list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}" + check_bridge_port ${host%%:*} ;; *.*.*.*) ;; *) known_interface $host && \ startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - list_search $host $ports || ports="$ports $host" - list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}" + check_bridge_port $host ;; esac @@ -855,6 +859,8 @@ validate_hosts_file() { fi done < $TMP_DIR/hosts + + [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports" } # @@ -1178,6 +1184,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # setup_forwarding() { + + save_command "progress_message Restoring IP Forwarding..." + case "$IP_FORWARDING" in [Oo][Nn]) run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" @@ -1198,6 +1207,7 @@ disable_ipv6() { if [ -n "$foo" ]; then if qt which ip6tables; then + save_command "progress_message Disabling IPV6..." ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP 
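Review bot: `check_bridge_port` is written inside `validate_hosts_file`, but POSIX sh has no nested scope: it becomes a global function that reads `$interface`, `$ports`, `$zports` and `$all_ports` dynamically from whoever called it, the same pattern the accounting and action helpers later in this patch rely on. A one-line comment above it, `# Helper (global in sh): records $1 as a bridge port of $interface in ports, zports and all_ports`, would save the next reader from looking for a local scope. Separately, the trailing `[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"` is now the function's last statement, so `validate_hosts_file` returns non-zero whenever no bridge ports exist; harmless if no caller tests its status, which I cannot see from here.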
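Review bot: `save_command "progress_message Restoring IP Forwarding..."` in `setup_forwarding`, like the matching lines added in disable_ipv6, setup_proxy_arp, setup_nat, setup_tc1, setup_masq, add_ip_aliases, add_common_rules and define_firewall, writes a call to `progress_message` into the generated restore script, while the first hunk of this file deletes the only definition of `progress_message` visible here. The restore script sources /usr/share/shorewall/functions, so presumably the function moved there; that file is not among the four in this patch, so this is worth confirming before release, otherwise every restore step prints a "not found" error instead of its progress line. A comment at this first use would record the dependency: `# progress_message comes from /usr/share/shorewall/functions, which the restore script sources first`.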
@@ -1640,6 +1650,8 @@ setup_proxy_arp() { > ${STATEDIR}/proxyarp + save_command "progress_message Restoring Proxy ARP..." + while read address interface external haveroute persistent; do expandv address interface external haveroute persistent setup_one_proxy_arp @@ -1840,6 +1852,8 @@ setup_nat() { # > ${STATEDIR}/nat + save_command "progress_message Restoring one-to-one NAT..." + while read external interface internal allints localnat; do expandv external interface internal allints localnat @@ -1995,10 +2009,8 @@ process_tc_rule() chain=tcout ;; *) - if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then - fatal_error "Unknown interface $source in rule \"$rule\"" - fi - + + verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; esac @@ -2023,7 +2035,11 @@ process_tc_rule() esac fi - [ "x$dest" = "x-" ] || r="${r}-d $dest " + if [ "x$dest" != "x-" ]; then + verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" + r="${r}$(match_dest_dev $dest) " + fi + [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$sport" = "x-" ] || r="${r}--sport $sport " @@ -2095,6 +2111,8 @@ setup_tc1() { run_iptables -t mangle -A OUTPUT -j tcout run_user_exit tcstart + + save_command "progress_message Restoring Traffic Control..." save_command . $(find_file tcstart) } @@ -2144,6 +2162,14 @@ process_accounting_rule() { error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport } + accounting_interface_error() { + error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport + } + + accounting_interface_verify() { + verify_interface $1 || accounting_interface_error $1 + } + jump_to_chain() { if ! havechain $jumpchain; then if ! createchain2 $jumpchain No; then 
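Review bot: The DEST column of tcrules changes meaning in `process_tc_rule`: the old `-d $dest` took an address, while the new code runs `verify_interface $dest || fatal_error ...` and then `match_dest_dev $dest`, so a dotted-quad or network in DEST would now abort startup with "Unknown interface". Unless an address case is handled in the `case` block that closes just above this hunk (outside my view), that is a compatibility break for existing configurations and the errata entry does not mention it. If addresses are meant to stay valid, keep the address path beside the interface path, as sketched below.
```shell
	if [ "x$dest" != "x-" ]; then
	    case $dest in
		*.*.*.*)
		    r="${r}-d $dest "
		    ;;
		*)
		    verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
		    r="${r}$(match_dest_dev $dest) "
		    ;;
	    esac
	fi
	# … unchanged: proto/port/sport predicates …
```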
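Review bot: `accounting_interface_verify` only prints a warning through `error_message` and then falls through, so the accounting rule is still built from the unknown name by `match_source_dev`/`match_dest_dev` in the following hunks and handed to iptables, whereas the same condition is fatal in tc rules, actions and rules. If the lenient behaviour is intended, say so where the helper is defined, `# Unknown interfaces are only warned about here; the rule is still added so accounting never blocks startup`; if not, have the call sites `return` when the check fails. The warning text also ends in `in ` before the rule fields, which reads oddly next to the `in rule:` wording used by `interface_error` elsewhere in this patch.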
@@ -2157,6 +2183,7 @@ process_accounting_rule() { case $source in *:*) + accounting_interface_verify ${source%:*} rule="-s ${source#*:} $(match_source_dev ${source%:*})" ;; *.*.*.*) @@ -2165,12 +2192,16 @@ process_accounting_rule() { -|all|any) ;; *) - [ -n "$source" ] && rule="$(match_source_dev $source)" + if [ -n "$source" ]; then + accounting_interface_verify $source + rule="$(match_source_dev $source)" + fi ;; esac [ -n "$dest" ] && case $dest in *:*) + accounting_interface_verify ${dest%:*} rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" ;; *.*.*.*) @@ -2179,6 +2210,7 @@ process_accounting_rule() { -|all|any) ;; *) + accounting_interface_verify $dest rule="$rule $(match_dest_dev $dest)" ;; esac @@ -2233,8 +2265,8 @@ process_accounting_rule() { ensurechain1 $chain - if iptables -A $chain $rule ; then - [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 + if iptables -A $chain $(fix_bang $rule) ; then + [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added else accounting_error @@ -2411,6 +2443,16 @@ add_an_action() fi } + interface_error() + { + fatal_error "Unknown interface $1 in rule: \"$rule\"" + } + + action_interface_verify() + { + verify_interface $1 || interface_error $1 + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= @@ -2419,6 +2461,7 @@ add_an_action() -) ;; *:*) + action_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) @@ -2428,7 +2471,10 @@ add_an_action() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="$(match_source_dev $client)" + if [ -n "$client" ]; then + action_interface_verify $client + cli="$(match_source_dev $client)" + fi ;; esac 
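Review bot: `interface_error` and `action_interface_verify` are defined inside `add_an_action`, and the add_a_rule hunk further on defines another `interface_error` with the same body plus `rule_interface_verify`; sh functions are global, so the last definition to run wins, and each body resolves `$rule` dynamically to the current caller's variable. That is harmless while the bodies are identical but fragile, since a future edit to one copy silently changes the other. Consider a single top-level `interface_error()` next to `verify_interface`, documented with `# Reports an unknown interface for the rule currently held in $rule (set by the caller)`. The three verify wrappers likewise all reduce to `verify_interface $1 || interface_error $1` and could share one definition.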
@@ -2447,7 +2493,10 @@ add_an_action() fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" ;; *) - [ -n "$server" ] && dest_interface="$(match_dest_dev $server)" + if [ -n "$server" ]; then + action_interface_verify $server + dest_interface="$(match_dest_dev $server)" + fi ;; esac @@ -3091,6 +3140,16 @@ add_a_rule() fi } + interface_error() + { + fatal_error "Unknown interface $1 in rule: \"$rule\"" + } + + rule_interface_verify() + { + verify_interface $1 || interface_error $1 + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= @@ -3099,6 +3158,7 @@ add_a_rule() -) ;; *:*) + rule_interface_verify ${client%:*} cli="$(match_source_dev ${client%:*}) -s ${client#*:}" ;; *.*.*) @@ -3108,7 +3168,10 @@ add_a_rule() cli=$(mac_match $client) ;; *) - [ -n "$client" ] && cli="$(match_source_dev $client)" + if [ -n "$client" ]; then + rule_interface_verify $client + cli="$(match_source_dev $client)" + fi ;; esac @@ -3128,7 +3191,8 @@ add_a_rule() ;; *) if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" + [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" + rule_interface_verify $server dest_interface="$(match_dest_dev $server)" fi ;; @@ -3708,6 +3772,11 @@ process_tos_rule() { # # Assume that this is a device name # + if ! verify_interface $src ; then + error_message "Warning: Unknown Interface in rule \"$rule\" ignored" + return + fi + src="$(match_source_dev $src)" ;; esac @@ -4285,7 +4354,7 @@ setup_masq() strip_file masq $1 - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" + [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_command "progress_message Restoring Masquerading/SNAT..." while read fullinterface networks addresses proto ports; do expandv fullinterface networks addresses proto ports 
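Review bot: The new warning in `process_tos_rule`, `error_message "Warning: Unknown Interface in rule \"$rule\" ignored"`, does not say which name failed `verify_interface`, unlike the equivalent messages added for tc, accounting and action rules. Since `$src` still holds the raw column value at that point, `error_message "Warning: Unknown interface $src in rule \"$rule\" ignored"` makes the log line actionable and matches the lower-case "interface" used elsewhere in this patch. The rest of process_tos_rule lies outside the hunk.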
@@ -4507,6 +4576,8 @@ add_ip_aliases() set -- $aliases_to_add + save_command "progress_message Restoring IP Addresses..." + while [ $# -gt 0 ]; do external=$1 interface=$2 @@ -4539,7 +4610,9 @@ load_kernel_modules() { . $modules if [ "$command" != check ]; then - save_command "reload_kernel_modules < $f" done @@ -5041,6 +5116,8 @@ add_common_rules() { if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then echo "Setting up Kernel Route Filtering..." + save_command "progress_message Restoring Route Filtering..." + for f in /proc/sys/net/ipv4/conf/*/rp_filter; do run_and_save_command "echo 0 > $f" done @@ -5194,7 +5271,7 @@ activate_rules() # Add jumps for dynamic nat chains # [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do - addrulejump PREROUTING $(dynamic_in $interface) + addrulejump PREROUTING $(dynamic_in $interface) -i $interface done # # Add jumps from the builtin chains to the nat chains @@ -5405,7 +5482,8 @@ define_firewall() # $1 = Command (Start or Restart) [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall echo '#bin/sh' > /var/lib/shorewall/restore-$$ - echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ + save_command "# Restore base file generated $(date)" + save_command ". /usr/share/shorewall/functions" save_command "MODULESDIR=\"$MODULESDIR\"" save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" @@ -5462,7 +5540,9 @@ define_firewall() # $1 = Command (Start or Restart) save_command "date > $STATEDIR/restarted" - save_command 'iptables-restore << EOF' + save_command "progress_message Restoring Netfilter Configuration..." + + save_command 'iptables-restore << __EOF__' # 'shorewall save' appends the iptables-save output and 'EOF' @@ -5938,7 +6018,7 @@ do_initialize() { determine_capabilities [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - + [ -d $STATEDIR ] || mkdir -p $STATEDIR [ -z "$FW" ] && FW=fw 
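Review bot: `save_command 'iptables-restore << __EOF__'` in `define_firewall` changes the here-document terminator of the generated restore script, but the context comment just below still says "'shorewall save' appends the iptables-save output and 'EOF'", and the `shorewall` command that writes that terminator is not among the four files in this patch. If it still emits `EOF`, the heredoc never closes and iptables-restore consumes the remainder of the restore script as rule input, so the CLI must change in the same release and the comment should read `# 'shorewall save' appends the iptables-save output and '__EOF__'`. The append_file hunk makes the matching terminator change for state files, where both ends are produced by this script, so that one is self-contained. One line above, the unchanged `echo '#bin/sh'` header lacks the `!` of a shebang; since the restore file is generated by root and presumably run later, `'#!/bin/sh'` is worth fixing while this block is being edited.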
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version index 370625a59..ddcd0db02 100644 --- a/Lrp2/usr/share/shorewall/version +++ b/Lrp2/usr/share/shorewall/version @@ -1 +1 @@ -2.0.2b +2.0.2c diff --git a/Lrp2/var/lib/lrpkg/shorwall.version b/Lrp2/var/lib/lrpkg/shorwall.version index 370625a59..ddcd0db02 100644 --- a/Lrp2/var/lib/lrpkg/shorwall.version +++ b/Lrp2/var/lib/lrpkg/shorwall.version @@ -1 +1 @@ -2.0.2b +2.0.2c diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml index 3c899de0b..f7fe4676b 100644 --- a/Shorewall-docs2/errata.xml +++ b/Shorewall-docs2/errata.xml @@ -13,7 +13,7 @@ - 2004-05-17 + 2004-05-21 2001-2004 @@ -111,6 +111,11 @@ If /var/lib/shorewall does not exist, shorewall start fails. + + + DNAT rules work incorrectly with dynamic zones in that the + source interface is not included in the nat table DNAT rule. + These problems are corrected by the firewall @@ -120,7 +125,8 @@ as described above. The first two problems are also corrected in Shorewall version - 2.0.2a while all four problems are corrected in 2.0.2b. + 2.0.2a, the first four problems are corrected in 2.0.2b and all five + problems are corrected in 2.0.2c.
@@ -237,7 +243,8 @@ Revision History - 1.162004-05-17TEAdded + 1.172004-05-21TEAdded + DNAT dynamic zone bug.1.162004-05-17TEAdded null common action bug.1.152004-05-16TEAdded 2.0.2 bugs1.142004-05-10TEAdd link to Netfilter CVS1.132004-05-04TEAdd