Shorewall 4.4.19 Changes
This commit is contained in:
parent
2029978050
commit
cc633c5bd9
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -124,6 +124,7 @@ done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
@ -259,9 +260,9 @@ fi
|
||||
# Install the ifupdown script
|
||||
#
|
||||
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall-init
|
||||
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init
|
||||
|
||||
install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
|
||||
install_file ifupdown.sh ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown 0544
|
||||
|
||||
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
||||
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
|
||||
@ -332,7 +333,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
|
||||
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
|
||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||
done
|
||||
elif [ -n "$REDHAT" ]; then
|
||||
#
|
||||
@ -342,13 +343,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
|
||||
FILE=${DESTDIR}/etc/ppp/$file
|
||||
if [ -f $FILE ]; then
|
||||
if fgrep -q Shorewall-based $FILE ; then
|
||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
||||
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||
else
|
||||
echo "$FILE already exists -- ppp devices will not be handled"
|
||||
break
|
||||
fi
|
||||
else
|
||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
||||
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||
fi
|
||||
done
|
||||
fi
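Review bot: The new `[ -n "${LIBEXEC:=share}" ]` takes the install subdirectory from the caller's environment and then expands it unquoted in `mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init`, the `install_file` line and the three `cp -fp` lines, so a value containing whitespace splits into several arguments and a value containing `/` silently changes which directories are created and populated; since LIBEXEC only selects a subdirectory name, checking it once, e.g. `case "$LIBEXEC" in ''|*/*|.|..) echo "Invalid LIBEXEC: $LIBEXEC" >&2; exit 1;; esac`, and quoting the expansions would close that. `: "${LIBEXEC:=share}"` is the idiomatic way to apply the default without a test whose result is discarded. The context line `if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then` predates this change but is malformed — the first `]` ends the test, so `[` sees stray arguments, reports an error and evaluates false, and the ppp directories are never populated on Debian/SuSE — and should become `if [ -n "$DEBIAN" ] || [ -n "$SUSE" ]; then`.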
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.18
|
||||
%define release 1
|
||||
%define version 4.4.19
|
||||
%define release 0Beta4
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -119,10 +119,12 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta4
|
||||
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta3
|
||||
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta1
|
||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-0base
|
||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -60,6 +60,8 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
|
||||
echo "Uninstalling Shorewall Init $VERSION"
|
||||
|
||||
INITSCRIPT=/etc/init.d/shorewall-init
|
||||
@ -105,6 +107,7 @@ if [ -d /etc/ppp ]; then
|
||||
fi
|
||||
|
||||
rm -rf /usr/share/shorewall-init
|
||||
rm -rf /usr/${LIBEXEC}/shorewall-init
|
||||
|
||||
echo "Shorewall Init Uninstalled"
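Review bot: `rm -rf /usr/${LIBEXEC}/shorewall-init` expands an environment-supplied value unquoted inside a recursive delete; the `:=share` default covers an empty value, but a value with whitespace is split into separate rm operands and LIBEXEC is never checked to be a plain directory name. Quote it and let the shell refuse an empty expansion, `rm -rf -- "/usr/${LIBEXEC:?}/shorewall-init"`, and apply the same to the parallel line `rm -rf /usr/${LIBEXEC}/shorewall-lite` added to the shorewall-lite uninstall script further down in this commit. As in the install script, `: "${LIBEXEC:=share}"` expresses the default more directly than a `[ -n ... ]` test whose result is discarded.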
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -123,6 +123,7 @@ done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
@ -189,6 +190,7 @@ else
|
||||
rm -rf ${DESTDIR}/etc/shorewall-lite
|
||||
rm -rf ${DESTDIR}/usr/share/shorewall-lite
|
||||
rm -rf ${DESTDIR}/var/lib/shorewall-lite
|
||||
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
|
||||
fi
|
||||
|
||||
#
|
||||
@ -204,6 +206,8 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
|
||||
|
||||
install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
|
||||
|
||||
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
|
||||
|
||||
echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
|
||||
|
||||
#
|
||||
@ -225,6 +229,7 @@ echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
#
|
||||
mkdir -p ${DESTDIR}/etc/shorewall-lite
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall-lite
|
||||
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite
|
||||
mkdir -p ${DESTDIR}/var/lib/shorewall-lite
|
||||
|
||||
chmod 755 ${DESTDIR}/etc/shorewall-lite
|
||||
@ -277,20 +282,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
|
||||
# Install Shorecap
|
||||
#
|
||||
|
||||
install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
|
||||
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap 0755
|
||||
|
||||
echo
|
||||
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
|
||||
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap"
|
||||
|
||||
#
|
||||
# Install wait4ifup
|
||||
#
|
||||
|
||||
if [ -f wait4ifup ]; then
|
||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
|
||||
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup 0755
|
||||
|
||||
echo
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup"
|
||||
fi
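Review bot: `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap` is the only removal in this block that omits `${DESTDIR}`, so a staged build (DESTDIR set, as every neighbouring `rm -rf ${DESTDIR}/...` line expects) deletes from the live root instead of the staging tree, and the second operand `/usr/share/shorecap` does not correspond to any path visible in this diff; it should read `[ "$LIBEXEC" = share ] || rm -rf ${DESTDIR}/usr/share/shorewall-lite/shorecap` unless the extra path is intentional. The new `eval sed -i ... g_libexec=$LIBEXEC ...` line runs a shell-interpreted string with `$LIBEXEC` substituted verbatim into the sed replacement, so a value containing `|`, `'` or `&` breaks or corrupts the edit of ${DESTDIR}/sbin/shorewall-lite; a plain `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall-lite"`, with LIBEXEC validated once up front as a bare directory name, avoids both the eval and the quoting puzzle. The doubled backticks shown in that line may be a rendering artifact and are worth confirming against the raw file.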
|
||||
|
||||
#
|
||||
|
@ -570,6 +570,7 @@ MUTEX_TIMEOUT=
|
||||
SHAREDIR=/usr/share/shorewall-lite
|
||||
CONFDIR=/etc/shorewall-lite
|
||||
g_product="Shorewall Lite"
|
||||
g_libexec=share
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.18
|
||||
%define release 1
|
||||
%define version 4.4.19
|
||||
%define release 0Beta4
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -103,10 +103,12 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta4
|
||||
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta3
|
||||
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta1
|
||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-0base
|
||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -72,6 +72,8 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
|
||||
echo "Uninstalling Shorewall Lite $VERSION"
|
||||
|
||||
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
|
||||
@ -107,6 +109,7 @@ rm -rf /etc/shorewall-lite-*.bkout
|
||||
rm -rf /var/lib/shorewall-lite
|
||||
rm -rf /var/lib/shorewall-lite-*.bkout
|
||||
rm -rf /usr/share/shorewall-lite
|
||||
rm -rf /usr/${LIBEXEC}/shorewall-lite
|
||||
rm -rf /usr/share/shorewall-lite-*.bkout
|
||||
rm -f /etc/logrotate.d/shorewall-lite
|
||||
|
||||
|
@ -78,6 +78,7 @@ our %EXPORT_TAGS = (
|
||||
|
||||
initialize_chain_table
|
||||
add_commands
|
||||
copy_rules
|
||||
move_rules
|
||||
insert_rule1
|
||||
delete_jumps
|
||||
@ -187,7 +188,7 @@ our %EXPORT_TAGS = (
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.4_18';
|
||||
our $VERSION = '4.4_19';
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
@ -387,8 +388,8 @@ our %builtin_target = ( ACCEPT => 1,
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
sub initialize( $$ ) {
|
||||
( $family, my $hard ) = @_;
|
||||
|
||||
%chain_table = ( raw => {},
|
||||
mangle => {},
|
||||
@ -428,7 +429,7 @@ sub initialize( $ ) {
|
||||
$idiotcount1 = 0;
|
||||
$warningcount = 0;
|
||||
$hashlimitset = 0;
|
||||
$ipset_rules = 0;
|
||||
$ipset_rules = 0 if $hard;
|
||||
#
|
||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||
#
|
||||
@ -616,6 +617,16 @@ sub handle_port_list( $$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# This much simpler function splits a rule with an icmp type list into discrete rules
|
||||
#
|
||||
|
||||
sub handle_icmptype_list( $$$$ ) {
|
||||
my ($chainref, $first, $types, $rest) = @_;
|
||||
my @ports = split ',', $types;
|
||||
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
|
||||
}
|
||||
|
||||
#
|
||||
# Add a rule to a chain. Arguments are:
|
||||
#
|
||||
@ -645,6 +656,17 @@ sub add_rule($$;$) {
|
||||
# Rule has a --sports specification
|
||||
#
|
||||
handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
|
||||
} elsif ( $rule =~ /^(.* --icmp(?:v6)?-type\s*)([^ ]+)(.*)$/ ) {
|
||||
#
|
||||
# ICMP rule -- split it up if necessary
|
||||
#
|
||||
my ( $first, $types, $rest ) = ($1, $2, $3 );
|
||||
|
||||
if ( $types =~ /,/ ) {
|
||||
handle_icmptype_list( $chainref, $first, $types, $rest );
|
||||
} else {
|
||||
push_rule( $chainref, $rule );
|
||||
}
|
||||
} else {
|
||||
push_rule ( $chainref, $rule );
|
||||
}
|
||||
@ -851,8 +873,8 @@ sub move_rules( $$ ) {
|
||||
# Replace the jump at the end of one chain (chain2) with the rules from another chain (chain1).
|
||||
#
|
||||
|
||||
sub copy_rules( $$ ) {
|
||||
my ($chain1, $chain2 ) = @_;
|
||||
sub copy_rules( $$;$ ) {
|
||||
my ($chain1, $chain2, $nojump ) = @_;
|
||||
|
||||
my $name1 = $chain1->{name};
|
||||
my $name = $name1;
|
||||
@ -868,7 +890,7 @@ sub copy_rules( $$ ) {
|
||||
#
|
||||
$name1 =~ s/\+/\\+/;
|
||||
|
||||
my $last = pop @$rules2; # Delete the jump to chain1
|
||||
pop @$rules2 unless $nojump; # Delete the jump to chain1
|
||||
|
||||
if ( $blacklist2 && $blacklist1 ) {
|
||||
#
|
||||
@ -948,12 +970,21 @@ sub zone_forward_chain($) {
|
||||
sub use_forward_chain($$) {
|
||||
my ( $interface, $chainref ) = @_;
|
||||
my $interfaceref = find_interface($interface);
|
||||
my $nets = $interfaceref->{nets};
|
||||
|
||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||
#
|
||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
||||
# We must use the interfaces's chain if the interface is associated with multiple zones
|
||||
#
|
||||
return 1 if $interfaceref->{nets} > 1;
|
||||
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||
#
|
||||
# Use interface's chain if there are multiple nets on the interface
|
||||
#
|
||||
return 1 if $nets > 1;
|
||||
#
|
||||
# Use interface's chain if it is a bridge with ports
|
||||
#
|
||||
return 1 if $interfaceref->{ports};
|
||||
|
||||
my $zone = $interfaceref->{zone};
|
||||
|
||||
@ -990,10 +1021,18 @@ sub use_input_chain($$) {
|
||||
|
||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||
#
|
||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
||||
# We must use the interfaces's chain if the interface is associated with multiple Zones
|
||||
#
|
||||
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||
#
|
||||
# Use interface's chain if there are multiple nets on the interface
|
||||
#
|
||||
return 1 if $nets > 1;
|
||||
#
|
||||
# Use interface's chain if it is a bridge with ports
|
||||
#
|
||||
return 1 if $interfaceref->{ports};
|
||||
#
|
||||
# Don't need it if it isn't associated with any zone
|
||||
#
|
||||
return 0 unless $nets;
|
||||
@ -1043,10 +1082,18 @@ sub use_output_chain($$) {
|
||||
|
||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||
#
|
||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
||||
# We must use the interfaces's chain if the interface is associated with multiple Zones
|
||||
#
|
||||
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||
#
|
||||
# Use interface's chain if there are multiple nets on the interface
|
||||
#
|
||||
return 1 if $nets > 1;
|
||||
#
|
||||
# Use interface's chain if it is a bridge with ports
|
||||
#
|
||||
return 1 if $interfaceref->{ports};
|
||||
#
|
||||
# Don't need it if it isn't associated with any zone
|
||||
#
|
||||
return 0 unless $nets;
|
||||
@ -2203,7 +2250,15 @@ sub do_proto( $$$;$ )
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
|
||||
|
||||
if ( port_count ( $ports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
$output .= "-m multiport ${invert}--dports ${ports} ";
|
||||
$multiport = 1;
|
||||
@ -2218,7 +2273,15 @@ sub do_proto( $$$;$ )
|
||||
if ( $sports ne '' ) {
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $sports ) > 15;
|
||||
|
||||
if ( port_count( $sports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
fatal_error "A port list in this file may only have up to 15 ports";
|
||||
} elsif ( $invert ) {
|
||||
fatal_error "An inverted port list may only have up to 15 ports";
|
||||
}
|
||||
}
|
||||
|
||||
$sports = validate_port_list $pname , $sports;
|
||||
$output .= "-m multiport ${invert}--sports ${sports} ";
|
||||
} else {
|
||||
@ -2233,9 +2296,20 @@ sub do_proto( $$$;$ )
|
||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$ports = validate_icmp $ports;
|
||||
$output .= "${invert}--icmp-type ${ports} ";
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
$types = '';
|
||||
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp $ports;
|
||||
}
|
||||
|
||||
$output .= "${invert}--icmp-type ${types} ";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
@ -2246,9 +2320,20 @@ sub do_proto( $$$;$ )
|
||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$ports = validate_icmp6 $ports;
|
||||
$output .= "${invert}--icmpv6-type ${ports} ";
|
||||
|
||||
my $types;
|
||||
|
||||
if ( $ports =~ /,/ ) {
|
||||
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||
$types = '';
|
||||
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
|
||||
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
|
||||
}
|
||||
} else {
|
||||
$types = validate_icmp6 $ports;
|
||||
}
|
||||
|
||||
$output .= "${invert}--icmpv6-type ${types} ";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||
@ -2651,13 +2736,18 @@ sub do_headers( $ ) {
|
||||
#
|
||||
# Match Source Interface
|
||||
#
|
||||
sub match_source_dev( $ ) {
|
||||
my $interface = shift;
|
||||
sub match_source_dev( $;$ ) {
|
||||
my ( $interface, $nodev ) = @_;;
|
||||
my $interfaceref = known_interface( $interface );
|
||||
$interface = $interfaceref->{physical} if $interfaceref;
|
||||
return '' if $interface eq '+';
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
||||
if ( $nodev ) {
|
||||
"-m physdev --physdev-in $interface ";
|
||||
} else {
|
||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||
"-i $bridgeref->{physical} -m physdev --physdev-in $interface ";
|
||||
}
|
||||
} else {
|
||||
"-i $interface ";
|
||||
}
|
||||
@ -2666,16 +2756,26 @@ sub match_source_dev( $ ) {
|
||||
#
|
||||
# Match Dest device
|
||||
#
|
||||
sub match_dest_dev( $ ) {
|
||||
my $interface = shift;
|
||||
sub match_dest_dev( $;$ ) {
|
||||
my ( $interface, $nodev ) = @_;;
|
||||
my $interfaceref = known_interface( $interface );
|
||||
$interface = $interfaceref->{physical} if $interfaceref;
|
||||
return '' if $interface eq '+';
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||
if ( $nodev ) {
|
||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||
"-m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||
} else {
|
||||
"-m physdev --physdev-out $interface ";
|
||||
}
|
||||
} else {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||
|
||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||
} else {
|
||||
"-o $bridgeref->{physical} -m physdev --physdev-out $interface ";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
"-o $interface ";
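Review bot: In the new ICMP type-list loop of do_proto the first element is never validated: `$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;` assigns the raw `$type` while `$types` is still empty, and because the test is on truthiness a leading type of `0` (echo-reply) is overwritten by the next element instead of being kept. The IPv6 copy of the loop has both problems and additionally calls `list_split( $ports, 'ICMP type list' )` where the IPv4 branch calls `split_list(...)`; unless `list_split` exists elsewhere, that fails at runtime only when an ICMPv6 type list is actually used. Both loops collapse to `$types = join( ',', map { validate_icmp( $_ ) } split_list( $ports, 'ICMP type list' ) );` (with `validate_icmp6` in the IPv6 branch), which validates every element and has no empty-string special case. Minor: `my ( $interface, $nodev ) = @_;;` in both match_source_dev and match_dest_dev carries a stray second semicolon. do_proto begins and ends outside these hunks.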
|
||||
|
@ -55,7 +55,7 @@ our $family;
|
||||
#
|
||||
sub initialize_package_globals() {
|
||||
Shorewall::Config::initialize($family);
|
||||
Shorewall::Chains::initialize ($family);
|
||||
Shorewall::Chains::initialize ($family, 1);
|
||||
Shorewall::Zones::initialize ($family);
|
||||
Shorewall::Nat::initialize;
|
||||
Shorewall::Providers::initialize($family);
|
||||
@ -818,7 +818,7 @@ sub compiler {
|
||||
# We must reinitialize Shorewall::Chains before generating the iptables-restore input
|
||||
# for stopping the firewall
|
||||
#
|
||||
Shorewall::Chains::initialize( $family );
|
||||
Shorewall::Chains::initialize( $family, 0 );
|
||||
initialize_chain_table;
|
||||
#
|
||||
# S T O P _ F I R E W A L L
|
||||
@ -882,7 +882,7 @@ sub compiler {
|
||||
# Re-initialize the chain table so that process_routestopped() has the same
|
||||
# environment that it would when called by compile_stop_firewall().
|
||||
#
|
||||
Shorewall::Chains::initialize( $family );
|
||||
Shorewall::Chains::initialize( $family , 0 );
|
||||
initialize_chain_table;
|
||||
|
||||
if ( $debug ) {
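Review bot: The second argument to `Shorewall::Chains::initialize` is passed as a bare `1` or `0` in three places with nothing saying what it selects; from the Chains.pm hunk it appears to gate only whether `$ipset_rules` is reset, so a comment at the first call, `# second arg: 1 = full (re)set including $ipset_rules; 0 = per-pass re-init that keeps it — confirm against Chains::initialize`, would spare the next reader a cross-file lookup. initialize_package_globals and compiler both extend beyond these hunks.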
|
||||
|
@ -37,6 +37,7 @@ use File::Temp qw/ tempfile tempdir /;
|
||||
use Cwd qw(abs_path getcwd);
|
||||
use autouse 'Carp' => qw(longmess confess);
|
||||
use Scalar::Util 'reftype';
|
||||
use FindBin;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
#
|
||||
@ -137,7 +138,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
|
||||
our $VERSION = '4.4_18';
|
||||
our $VERSION = '4.4_19';
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@ -410,7 +411,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.18.1",
|
||||
VERSION => "4.4.19-Beta4",
|
||||
CAPVERSION => 40417 ,
|
||||
);
|
||||
#
|
||||
@ -2906,7 +2907,7 @@ sub get_params() {
|
||||
if ( -f $fn ) {
|
||||
progress_message2 "Processing $fn ...";
|
||||
|
||||
my $command = "$globals{SHAREDIRPL}/getparams $fn " . join( ':', @config_path );
|
||||
my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );
|
||||
#
|
||||
# getparams silently sources the params file under 'set -a', then executes 'export -p'
|
||||
#
|
||||
@ -2947,7 +2948,7 @@ sub get_params() {
|
||||
}
|
||||
}
|
||||
}
|
||||
} elsif ( $params[0] =~ /^export (.*?)="/ || $params[0] =~ /^export ([^\s=]+)\s*$/ ) {
|
||||
} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
|
||||
#
|
||||
# getparams interpreted by older (e.g., RHEL 5) Bash
|
||||
#
|
||||
@ -3004,7 +3005,7 @@ sub get_params() {
|
||||
print "PARAMS:\n";
|
||||
my $value;
|
||||
while ( ($variable, $value ) = each %params ) {
|
||||
print " $variable='$value'\n";
|
||||
print " $variable='$value'\n" unless $compiler_params{$variable};
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -3084,6 +3085,7 @@ sub get_configuration( $ ) {
|
||||
|
||||
get_capabilities( $export );
|
||||
|
||||
|
||||
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
|
||||
|
||||
if ( my $rate = $config{LOGLIMIT} ) {
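Review bot: `my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );` now assumes getparams sits next to whatever script was started — $FindBin::Bin is the directory of $0, resolved when FindBin is loaded — rather than under the configured SHAREDIRPL, so a compiler invoked through a wrapper or copy in another directory will not find it; an explicit `fatal_error "getparams not found in $FindBin::Bin" unless -x "$FindBin::Bin/getparams";` would make that failure clear instead of surfacing as an empty params list. The params filename `$fn` and the config path are still interpolated into the command string unquoted, so paths containing whitespace or shell metacharacters still break the invocation; this predates the change, but the rewritten line is the natural place to quote them. The new `print ... unless $compiler_params{$variable}` relies on a `%compiler_params` hash that is not visible in this diff — presumably declared elsewhere in the file. get_params and get_configuration begin and end outside these hunks.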
|
||||
|
@ -45,7 +45,7 @@ our @EXPORT = qw( process_tos
|
||||
generate_matrix
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_18';
|
||||
our $VERSION = '4.4_19';
|
||||
|
||||
our $family;
|
||||
|
||||
@ -1036,13 +1036,40 @@ sub add_interface_jumps {
|
||||
my $outputref = $filter_table->{output_chain $interface};
|
||||
my $interfaceref = find_interface($interface);
|
||||
|
||||
add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
my $bridge = $interfaceref->{bridge};
|
||||
add_rule ( $filter_table->{forward_chain $bridge},
|
||||
match_source_dev( $interface, 1) . match_dest_dev( $interface, 1) . '-j ACCEPT'
|
||||
) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
|
||||
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||
add_jump( $filter_table->{forward_chain $bridge} ,
|
||||
$forwardref ,
|
||||
0,
|
||||
match_source_dev( $interface, 1 )
|
||||
) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||
|
||||
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||
add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
||||
add_jump( $filter_table->{input_chain $bridge },
|
||||
$inputref ,
|
||||
0,
|
||||
match_source_dev( $interface, 1 )
|
||||
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||
|
||||
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||
add_jump( $filter_table->{output_chain $bridge} ,
|
||||
$outputref ,
|
||||
0 ,
|
||||
match_dest_dev( $interface, 1 ) )
|
||||
unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
} else {
|
||||
add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
|
||||
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||
|
||||
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||
add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1077,6 +1104,7 @@ sub generate_matrix() {
|
||||
our %input_jump_added = ();
|
||||
our %output_jump_added = ();
|
||||
our %forward_jump_added = ();
|
||||
my %ipsec_jump_added = ();
|
||||
|
||||
progress_message2 'Generating Rule Matrix...';
|
||||
progress_message ' Handling blacklisting and complex zones...';
|
||||
@ -1143,12 +1171,31 @@ sub generate_matrix() {
|
||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
||||
my $sourcechainref = $filter_table->{forward_chain $interface};
|
||||
my $interfacematch = '';
|
||||
my $interfaceref = find_interface $interface;
|
||||
|
||||
if ( use_forward_chain( $interface, $sourcechainref ) ) {
|
||||
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
if ( $interfaceref->{ports} && $interfaceref->{options}{bridge} ) {
|
||||
$interfacematch = match_source_dev $interface;
|
||||
copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
|
||||
$sourcechainref = $filter_table->{FORWARD};
|
||||
} elsif ( $interfaceref->{options}{port} ) {
|
||||
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
|
||||
$sourcechainref ,
|
||||
0 ,
|
||||
match_source_dev( $interface , 1 ) )
|
||||
unless $forward_jump_added{$interface}++;
|
||||
} else {
|
||||
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
}
|
||||
} else {
|
||||
$sourcechainref = $filter_table->{FORWARD};
|
||||
$interfacematch = match_source_dev $interface;
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
|
||||
$interfacematch = match_source_dev $interface, 1;
|
||||
} else {
|
||||
$sourcechainref = $filter_table->{FORWARD};
|
||||
$interfacematch = match_source_dev $interface;
|
||||
}
|
||||
|
||||
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
|
||||
}
|
||||
|
||||
@ -1235,6 +1282,9 @@ sub generate_matrix() {
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $interfaceref = find_interface $interface;
|
||||
my $isport = $interfaceref->{options}{port};
|
||||
my $bridge = $interfaceref->{bridge};
|
||||
|
||||
if ( get_physical( $interface ) eq '+' ) {
|
||||
#
|
||||
@ -1261,7 +1311,17 @@ sub generate_matrix() {
|
||||
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||
$outputref = $interfacechainref;
|
||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||
|
||||
if ( $isport ) {
|
||||
add_jump( $filter_table->{ output_chain $bridge },
|
||||
$outputref ,
|
||||
0 ,
|
||||
match_dest_dev( $interface, 1 ) )
|
||||
unless $output_jump_added{$interface}++;
|
||||
} else {
|
||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||
}
|
||||
|
||||
$use_output = 1;
|
||||
|
||||
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||
@ -1269,6 +1329,9 @@ sub generate_matrix() {
|
||||
generate_source_rules ( $outputref, $vzone, $zone, $dest );
|
||||
}
|
||||
}
|
||||
} elsif ( $isport ) {
|
||||
$outputref = $filter_table->{ output_chain $bridge };
|
||||
$interfacematch = match_dest_dev $interface, 1;
|
||||
} else {
|
||||
$outputref = $filter_table->{OUTPUT};
|
||||
$interfacematch = match_dest_dev $interface;
|
||||
@ -1323,7 +1386,17 @@ sub generate_matrix() {
|
||||
|
||||
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||
$inputchainref = $interfacechainref;
|
||||
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
||||
|
||||
if ( $isport ) {
|
||||
add_jump( $filter_table->{ input_chain $bridge },
|
||||
$inputchainref ,
|
||||
0 ,
|
||||
match_source_dev($interface, 1) )
|
||||
unless $input_jump_added{$interface}++;
|
||||
} else {
|
||||
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
||||
}
|
||||
|
||||
$use_input = 1;
|
||||
|
||||
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||
@ -1332,6 +1405,9 @@ sub generate_matrix() {
|
||||
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
|
||||
}
|
||||
}
|
||||
} elsif ( $isport ) {
|
||||
$inputchainref = $filter_table->{ input_chain $bridge };
|
||||
$interfacematch = match_source_dev $interface, 1;
|
||||
} else {
|
||||
$inputchainref = $filter_table->{INPUT};
|
||||
$interfacematch = match_source_dev $interface;
|
||||
@ -1345,11 +1421,29 @@ sub generate_matrix() {
|
||||
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
||||
my $ref = source_exclusion( $exclusions, $frwd_ref );
|
||||
my $forwardref = $filter_table->{forward_chain $interface};
|
||||
|
||||
if ( use_forward_chain $interface, $forwardref ) {
|
||||
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
|
||||
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
|
||||
if ( $isport ) {
|
||||
add_jump( $filter_table->{ forward_chain $bridge } ,
|
||||
$forwardref ,
|
||||
0 ,
|
||||
match_source_dev( $interface , 1 ) )
|
||||
unless $forward_jump_added{$interface}++;
|
||||
} else {
|
||||
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
}
|
||||
} else {
|
||||
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
||||
if ( $isport ) {
|
||||
add_jump( $filter_table->{ forward_chain $bridge } ,
|
||||
$ref ,
|
||||
0 ,
|
||||
join( '', match_source_dev( $interface, 1 ) , $source, $ipsec_in_match ) );
|
||||
} else {
|
||||
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
||||
}
|
||||
|
||||
move_rules ( $forwardref , $frwd_ref );
|
||||
}
|
||||
}
|
||||
@ -1461,6 +1555,7 @@ sub generate_matrix() {
|
||||
#
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $interfaceref = find_interface $interface;
|
||||
my $chain3ref;
|
||||
my $match_source_dev = '';
|
||||
my $forwardchainref = $filter_table->{forward_chain $interface};
|
||||
@ -1470,13 +1565,28 @@ sub generate_matrix() {
|
||||
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
|
||||
#
|
||||
$chain3ref = $forwardchainref;
|
||||
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
|
||||
$chain3ref,
|
||||
0 ,
|
||||
match_source_dev( $interface , 1 ) )
|
||||
unless $forward_jump_added{$interface}++;
|
||||
} else {
|
||||
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
|
||||
#
|
||||
$chain3ref = $filter_table->{FORWARD};
|
||||
$match_source_dev = match_source_dev $interface;
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
$chain3ref = $filter_table->{ forward_chain $interfaceref->{bridge} };
|
||||
$match_source_dev = match_source_dev $interface, 1;
|
||||
} else {
|
||||
$chain3ref = $filter_table->{FORWARD};
|
||||
$match_source_dev = match_source_dev $interface;
|
||||
}
|
||||
|
||||
move_rules $forwardchainref, $chainref;
|
||||
}
|
||||
|
||||
|
@ -2235,7 +2235,7 @@ sub build_zone_list( $$$\$\$ ) {
|
||||
# Process a Record in the rules file
|
||||
#
|
||||
sub process_rule ( ) {
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
|
||||
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
|
||||
|
||||
process_comment, return 1 if $target eq 'COMMENT';
|
||||
process_section( $source ), return 1 if $target eq 'SECTION';
|
||||
@ -2257,32 +2257,39 @@ sub process_rule ( ) {
|
||||
my $fw = firewall_zone;
|
||||
my @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
|
||||
my @dest = build_zone_list ( $fw, $dest, 'DEST' , $intrazone, $wild );
|
||||
my @protos = split_list1 $protos, 'Protocol';
|
||||
my $generated = 0;
|
||||
|
||||
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
||||
|
||||
if ( @protos > 1 ) {
|
||||
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
|
||||
}
|
||||
|
||||
for $source ( @source ) {
|
||||
for $dest ( @dest ) {
|
||||
my $sourcezone = (split( /:/, $source, 2 ) )[0];
|
||||
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
||||
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
|
||||
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
|
||||
$generated |= process_rule1( undef,
|
||||
$target,
|
||||
'',
|
||||
$source,
|
||||
$dest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$origdest,
|
||||
$ratelimit,
|
||||
$user,
|
||||
$mark,
|
||||
$connlimit,
|
||||
$time,
|
||||
$headers,
|
||||
$wild );
|
||||
for my $proto ( @protos ) {
|
||||
$generated |= process_rule1( undef,
|
||||
$target,
|
||||
'',
|
||||
$source,
|
||||
$dest,
|
||||
$proto,
|
||||
$ports,
|
||||
$sports,
|
||||
$origdest,
|
||||
$ratelimit,
|
||||
$user,
|
||||
$mark,
|
||||
$connlimit,
|
||||
$time,
|
||||
$headers,
|
||||
$wild );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
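Review bot: The new PROTO-list inversion check in the second hunk reports the error without the offending value, unlike the neighbouring `Invalid or missing ACTION ($target)` message; `fatal_error "Inversion not allowed in a PROTO list ($protos)" if @protos > 1 && $protos =~ tr/!/!/;` keeps the wording consistent with the rest of the file and folds the one-statement `if` block into the postfix form used elsewhere. The per-protocol loop calls process_rule1 once per list element, so a value such as `tcp,udp` now emits one rule per protocol and `$generated` is OR-ed across them. process_rule continues beyond the hunk, so whether an empty or `-` PROTO value survives split_list1 as a single element is not visible here and should be confirmed.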
@ -40,7 +40,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tc );
|
||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||
our $VERSION = '4.4_18';
|
||||
our $VERSION = '4.4_19';
|
||||
|
||||
our %tcs = ( T => { chain => 'tcpost',
|
||||
connmark => 0,
|
||||
@ -476,6 +476,8 @@ sub process_simple_device() {
|
||||
|
||||
my $number = in_hexp( $tcdevices{$device} = ++$devnum );
|
||||
|
||||
my $ip32 = $family == F_IPV4 ? 'ip' : 'ip6';
|
||||
|
||||
fatal_error "Unknown interface( $device )" unless known_interface $device;
|
||||
|
||||
my $physical = physical_name $device;
|
||||
@ -517,7 +519,7 @@ sub process_simple_device() {
|
||||
);
|
||||
|
||||
emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
|
||||
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
|
||||
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src " . ALLIP . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
|
||||
) if $in_bandwidth;
|
||||
|
||||
if ( $out_part ne '-' ) {
|
||||
@ -566,10 +568,12 @@ sub process_simple_device() {
|
||||
|
||||
for ( my $i = 1; $i <= 3; $i++ ) {
|
||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
|
||||
emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
|
||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||
emit '';
|
||||
}
|
||||
|
||||
emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match $ip32 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
|
||||
|
||||
save_progress_message_short qq(" TC Device $physical defined.");
|
||||
|
||||
|
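Review bot: The ACK-classification filter added in the last hunk hard-codes IPv4 header offsets (`u8 0x05 0x0f at 0` for IHL, `u16 0x0000 0xffc0 at 2` for total length, `u8 0x10 0xff at 33` for the TCP flags byte), so substituting `$ip32` only swaps the protocol selector; for an F_IPV6 device the same command would test the wrong bytes, since the IPv6 header is a fixed 40 bytes and has no IHL field. Either emit that line only `if $family == F_IPV4` or derive the offsets per family. The ingress policing line in the earlier hunk has a related problem: it now uses ALLIP but keeps `match ip src`, which presumably fails for IPv6 if ALLIP expands to `::/0` there — `match $ip32 src` would be consistent with the new variable. process_simple_device starts outside the hunk.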
@ -74,6 +74,7 @@ our @EXPORT = qw( NOTHING
|
||||
find_interfaces_by_option1
|
||||
get_interface_option
|
||||
set_interface_option
|
||||
interface_zones
|
||||
verify_required_interfaces
|
||||
compile_updown
|
||||
validate_hosts_file
|
||||
@ -84,7 +85,7 @@ our @EXPORT = qw( NOTHING
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_17';
|
||||
our $VERSION = '4.4_19';
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@ -146,16 +147,20 @@ our %reservedName = ( all => 1,
|
||||
# %interfaces { <interface1> => { name => <name of interface>
|
||||
# root => <name without trailing '+'>
|
||||
# options => { port => undef|1
|
||||
# <option1> = <val1> , #See %validinterfaceoptions
|
||||
# { <option1> } => <val1> , #See %validinterfaceoptions
|
||||
# ...
|
||||
# }
|
||||
# zone => <zone name>
|
||||
# multizone => undef|1 #More than one zone interfaces through this interface
|
||||
# nets => <number of nets in interface/hosts records referring to this interface>
|
||||
# bridge => <bridge>
|
||||
# ports => <number of port on this bridge>
|
||||
# ipsec => undef|1 # Has an ipsec host group
|
||||
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
||||
# number => <ordinal position in the interfaces file>
|
||||
# physical => <physical interface name>
|
||||
# base => <shell variable base representing this interface>
|
||||
# zones => { zone1 => 1, ... }
|
||||
# }
|
||||
# }
|
||||
#
|
||||
@ -668,6 +673,7 @@ sub add_group_to_zone($$$$$)
|
||||
my $interfaceref;
|
||||
my $zoneref = $zones{$zone};
|
||||
my $zonetype = $zoneref->{type};
|
||||
|
||||
|
||||
$zoneref->{interfaces}{$interface} = 1;
|
||||
|
||||
@ -680,6 +686,8 @@ sub add_group_to_zone($$$$$)
|
||||
for my $host ( @$networks ) {
|
||||
$interfaceref = $interfaces{$interface};
|
||||
|
||||
$interfaceref->{zones}{$zone} = 1;
|
||||
|
||||
$interfaceref->{nets}++;
|
||||
|
||||
fatal_error "Invalid Host List" unless defined $host and $host ne '';
|
||||
@ -883,6 +891,7 @@ sub process_interface( $$ ) {
|
||||
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
||||
|
||||
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
||||
$interfaces{$interface}{ports}++;
|
||||
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
||||
|
||||
if ( $zone ) {
|
||||
@ -1100,7 +1109,8 @@ sub process_interface( $$ ) {
|
||||
options => \%options ,
|
||||
zone => '',
|
||||
physical => $physical ,
|
||||
base => chain_base( $physical )
|
||||
base => chain_base( $physical ),
|
||||
zones => {},
|
||||
};
|
||||
|
||||
if ( $zone ) {
|
||||
@ -1306,6 +1316,16 @@ sub source_port_to_bridge( $ ) {
|
||||
return $portref ? $portref->{bridge} : '';
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Returns a hash reference for the zones interface through the interface
|
||||
#
|
||||
sub interface_zones( $ ) {
|
||||
my $interfaceref = $interfaces{(shift)};
|
||||
|
||||
$interfaceref->{zones};
|
||||
}
|
||||
|
||||
#
|
||||
# Return the 'optional' setting of the passed interface
|
||||
#
|
||||
@ -1690,7 +1710,7 @@ sub process_host( ) {
|
||||
fatal_error "Unknown ZONE ($zone)" unless $type;
|
||||
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
||||
|
||||
my $interface;
|
||||
my ( $interface, $interfaceref );
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||
@ -1703,7 +1723,7 @@ sub process_host( ) {
|
||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
||||
}
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||
}
|
||||
@ -1711,16 +1731,16 @@ sub process_host( ) {
|
||||
$interface = $1;
|
||||
$hosts = $2;
|
||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||
}
|
||||
|
||||
if ( $type == BPORT ) {
|
||||
if ( $zoneref->{bridge} eq '' ) {
|
||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
|
||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
|
||||
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
||||
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
|
||||
} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
|
||||
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
||||
}
|
||||
}
|
||||
@ -1736,7 +1756,7 @@ sub process_host( ) {
|
||||
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
|
||||
$type = IPSEC;
|
||||
$zoneref->{options}{complex} = 1;
|
||||
$ipsec = 1;
|
||||
$ipsec = $interfaceref->{ipsec} = 1;
|
||||
} elsif ( $option eq 'norfc1918' ) {
|
||||
warning_message "The 'norfc1918' host option is no longer supported"
|
||||
} elsif ( $option eq 'blacklist' ) {
|
||||
@ -1778,6 +1798,7 @@ sub process_host( ) {
|
||||
$ipsets{"${zone}_${physical}"} = 1;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
||||
#
|
||||
|
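Review bot: The new `interface_zones` returns `$interfaces{...}{zones}` without checking that the name is known, so an unknown interface yields undef instead of the `Unknown interface` fatal error used elsewhere in this section, and a caller that iterates over the result would then fail on an undefined hash reference; a guard such as `fatal_error "Unknown interface" unless $interfaceref;` before the return keeps the accessor consistent with process_host. The header comment above it reads `Returns a hash reference for the zones interface through the interface`; suggest `Returns a hash reference to the zones that interface through the passed interface`. The same section adds `zones => {}` to the interface record in process_interface and fills it in add_group_to_zone, so the accessor only sees zones registered through the hosts/interfaces path — worth stating in the comment.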
@ -1,10 +1,42 @@
|
||||
Changes in Shorewall 4.4.18.1
|
||||
Changes in Shorewall 4.4.19 RC 1
|
||||
|
||||
1) Fix params processing bug.
|
||||
1) Fix logical naming and bridge.
|
||||
|
||||
2) Tighten editing of TC_PRIOMAP value.
|
||||
Changes in Shorewall 4.4.19 Beta 4
|
||||
|
||||
3) Fix the Lite installers
|
||||
1) Handle mis-configured ipsec host group on a bridge.
|
||||
|
||||
2) Significantly improve bridge/ports handling.
|
||||
|
||||
3) Allow port-lists in /etc/shorewall/rules.
|
||||
|
||||
Changes in Shorewall 4.4.19 Beta 3
|
||||
|
||||
1) Allow /usr executables to be installed in a designated location.
|
||||
|
||||
2) Allow Shorewall perl modules to be installed in a designated
|
||||
location.
|
||||
|
||||
Changes in Shorewall 4.4.19 Beta 2
|
||||
|
||||
1) Minor rework of init-log creation in the installer.
|
||||
|
||||
2) Add VRRP macro.
|
||||
|
||||
3) Fix more params processing bugs.
|
||||
|
||||
4) Do a better job of editing ICMP type lists.
|
||||
|
||||
5) Allow /usr executables to be installed in a designated location.
|
||||
|
||||
6) Allow Shorewall perl modules to be installed in a designated
|
||||
location.
|
||||
|
||||
Changes in Shorewall 4.4.19 Beta 1
|
||||
|
||||
1) Place ACK packets in the highest priority band.
|
||||
|
||||
2) Break ICMP lists into individual rules.
|
||||
|
||||
Changes in Shorewall 4.4.18 Final
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -107,6 +107,9 @@ fi
|
||||
|
||||
SPARSE=
|
||||
MANDIR=${MANDIR:-"/usr/share/man"}
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
[ -n "${PERLLIB:=share/shorewall}" ]
|
||||
|
||||
INSTALLD='-D'
|
||||
|
||||
case $(uname) in
|
||||
@ -233,9 +236,13 @@ fi
|
||||
if [ -z "$CYGWIN" ]; then
|
||||
install_file shorewall ${DESTDIR}/sbin/shorewall 0755
|
||||
echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
|
||||
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
|
||||
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
|
||||
else
|
||||
install_file shorewall ${DESTDIR}/bin/shorewall 0755
|
||||
echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
|
||||
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall
|
||||
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall
|
||||
fi
|
||||
|
||||
#
|
||||
@ -258,7 +265,8 @@ fi
|
||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||
#
|
||||
mkdir -p ${DESTDIR}/etc/shorewall
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall
|
||||
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall
|
||||
mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
|
||||
mkdir -p ${DESTDIR}/var/lib/shorewall
|
||||
|
||||
@ -326,7 +334,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
|
||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
|
||||
|
||||
echo
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup"
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
|
||||
|
||||
#
|
||||
# Install the policy file
|
||||
@ -816,14 +824,14 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
|
||||
#
|
||||
cd Perl
|
||||
|
||||
install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755
|
||||
install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
|
||||
|
||||
echo
|
||||
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
|
||||
#
|
||||
# Install the params file helper
|
||||
#
|
||||
install_file getparams ${DESTDIR}/usr/share/shorewall/getparams 0755
|
||||
install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755
|
||||
|
||||
echo
|
||||
echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
|
||||
@ -831,8 +839,8 @@ echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
|
||||
# Install the libraries
|
||||
#
|
||||
for f in Shorewall/*.pm ; do
|
||||
install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
|
||||
echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f"
|
||||
install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644
|
||||
echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f"
|
||||
done
|
||||
#
|
||||
# Install the program skeleton files
|
||||
@ -893,6 +901,7 @@ fi
|
||||
if [ -z "$DESTDIR" ]; then
|
||||
rm -rf /usr/share/shorewall-perl
|
||||
rm -rf /usr/share/shorewall-shell
|
||||
[ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
|
||||
fi
|
||||
|
||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||
|
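Review bot: The `eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ...` lines in both the /sbin and /bin branches pass the LIBEXEC and PERLLIB values through eval, so a value containing a quote, `|` or other shell metacharacters corrupts the sed expression or is interpreted by the shell; the plain quoted form `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall` (and likewise for g_perllib and the /bin branch) performs the same substitution without eval. The install messages for the compiler and getparams were not updated along with their install paths and still print /usr/share/shorewall/..., e.g. `echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl"`. `[ -n "${LIBEXEC:=share}" ]` always succeeds once the default is applied; `: "${LIBEXEC:=share}"` is the conventional spelling for an assign-if-unset.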
@ -1,26 +1,3 @@
|
||||
1) On systems running Upstart, shorewall-init cannot reliably secure
|
||||
the firewall before interfaces are brought up.
|
||||
|
||||
2) An issue with params processing on RHEL6 manifested as the
|
||||
following type of warning:
|
||||
|
||||
|
||||
WARNING: Param line (export OLDPWD) ignored at
|
||||
/usr/share/shorewall/Shorewall/Config.pm line
|
||||
2993.
|
||||
|
||||
Corrected in Shorewall 4.4.18.1
|
||||
|
||||
3) The Shorewall Lite and Shorewall6 Lite installers fail to install
|
||||
the 'helpers' modules file, with the result that both
|
||||
'shorewall[6]-lite show capabilities' and 'shorecap' fail.
|
||||
|
||||
Workaround: Copy the 'helpers' file from the Administrative System
|
||||
to the firewall system.
|
||||
|
||||
Corrected in Shorewall 4.4.18.1
|
||||
|
||||
4) If an icmp or icmp6 type/code is specified in the tcfilters file, a
|
||||
run-time error occurs.
|
||||
|
||||
Corrected in Shorewall 4.4.18.1
|
||||
|
@ -687,8 +687,17 @@ show_command() {
|
||||
;;
|
||||
config)
|
||||
. ${SHAREDIR}/configpath
|
||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||
if [ -n "$g_filemode" ]; then
|
||||
echo "CONFIG_PATH=$CONFIG_PATH"
|
||||
echo "VARDIR=$VARDIR"
|
||||
echo "LIBEXEC=$g_libexec"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
|
||||
else
|
||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||
echo "Default VARDIR is $VARDIR"
|
||||
echo "LIBEXEC is $g_libexec"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||
fi
|
||||
;;
|
||||
chain)
|
||||
shift
|
||||
|
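Review bot: The new `g_filemode` branch of `show config` prints `NAME=value` lines that look intended for consumption by another script, but the values are unquoted, so a CONFIG_PATH or LITEDIR containing whitespace would not round-trip if the output is sourced; if that is the intent, emit `echo "CONFIG_PATH=\"$CONFIG_PATH\""` and the same for VARDIR, LIBEXEC and LITEDIR. Both branches now print `$g_libexec`, which is empty if the installer's sed edit of g_libexec did not match; the release notes give `share` as the default, so `${g_libexec:-share}` would make the output meaningful in that case. show_command starts before the hunk, so where g_filemode is set is not visible here.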
@ -1,5 +1,6 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 1 8 . 1
|
||||
S H O R E W A L L 4 . 4 . 1 9
|
||||
B E T A 4
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||
@ -13,78 +14,41 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
4.4.18.1
|
||||
RC 1
|
||||
|
||||
1) An issue with params processing on RHEL6 has been corrected. The
|
||||
1) Correct a problem introduced in Beta 4 whereby incorrect Netfilter
|
||||
rules were generated when a bridge with ports was given a logical
|
||||
name.
|
||||
|
||||
Beta 4
|
||||
|
||||
1) If a bridge interface had subordinate ports defined in
|
||||
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or
|
||||
the 'ipsec' option specified) in /etc/shorewall/hosts resulted in
|
||||
the compiler generating an incorrect Netfilter configuration.
|
||||
|
||||
Beta 3
|
||||
|
||||
None.
|
||||
|
||||
Beta 2
|
||||
|
||||
1) A correction to the Beta 1 fix for params processing has been
|
||||
included.
|
||||
|
||||
2) Editing of ICMP type lists has been improved.
|
||||
|
||||
Beta 1
|
||||
|
||||
1) Previously /var/log/shorewall*-init.log was created in the wrong
|
||||
Selinux context. The rpm's have been modified to correct that
|
||||
issue.
|
||||
|
||||
2) An issue with params processing on RHEL6 has been corrected. The
|
||||
problem manifested as the following type of warning:
|
||||
|
||||
WARNING: Param line (export OLDPWD) ignored at
|
||||
/usr/share/shorewall/Shorewall/Config.pm line
|
||||
2993.
|
||||
|
||||
2) The editing of the value of the TC_PRIOMAP option has been
|
||||
tightened. Previously, many invalid settings were allowed,
|
||||
resulting in run-time tc command failures.
|
||||
|
||||
3) The Shorewall Lite and Shorewall6 Lite installers now install the
|
||||
'helpers' modules file. Previously, this file was not installed
|
||||
with the result that both 'shorewall[6]-lite show capabilities' and
|
||||
'shorecap' failed.
|
||||
|
||||
4) Previously, if an icmp or icmp6 type which included both a type and
|
||||
a code was used in the tcfilters file, 'start' and 'restart' would
|
||||
fail with a 'tc' error.
|
||||
|
||||
4.4.18 Final
|
||||
|
||||
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
|
||||
context where a network address is allowed, the compiler failed to
|
||||
supply the default <vlsm> of 128. This could lead to startup errors
|
||||
and/or Perl errors such as:
|
||||
|
||||
Use of uninitialized value $mask in concatenation (.) or
|
||||
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
|
||||
<$currentfile> line 11.
|
||||
|
||||
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
|
||||
previously not recognized. That functionality has been restored.
|
||||
|
||||
3) If an interface mentioned in the tcfilters file was not up when
|
||||
Shorewall was started or restarted, then the command would fail
|
||||
at run-time with a 'tc' error message.
|
||||
|
||||
4.4.18 RC 1
|
||||
|
||||
1) None.
|
||||
|
||||
4.4.18 Beta 4
|
||||
|
||||
1) Edting of the MARK column has been tighened to catch errors at
|
||||
compile time rather than at run time.
|
||||
|
||||
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
|
||||
to get the most common suffixes at the front of the list. It is
|
||||
still recommended that you modify this setting to include only the
|
||||
suffix(es) used on your system. Current distributions use 'ko'
|
||||
almost exclusively.
|
||||
|
||||
4.4.18 Beta 2
|
||||
|
||||
1) Previously, the 'local' option in /etc/shorewall6/providers would
|
||||
produce an 'ip route add' command containing an IPv4 address. It now
|
||||
correctly uses the equivalent IPv6 address. Note that this option
|
||||
is still undocumented for use with IPv6.
|
||||
|
||||
2) When optimize level 4 was set, the optimizer mis-handled rules of the
|
||||
form:
|
||||
|
||||
-A <chain1> -j <chain2> -m comment ...
|
||||
|
||||
when such a rule was the only rule in a chain.
|
||||
|
||||
4.4.18 Beta 1
|
||||
|
||||
None.
|
||||
/usr/share/shorewall/Shorewall/Config.pm line 2993.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I I. K N O W N P R O B L E M S R E M A I N I N G
|
||||
@ -97,87 +61,62 @@ None.
|
||||
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) The modules files are now just a driver that INCLUDEs several new
|
||||
files and one old file:
|
||||
1) When TC_ENABLED=Simple, ACK packets are now placed in the highest
|
||||
priority class. An ACK packet is a TCP packet with the ACK flag set
|
||||
and no data payload.
|
||||
|
||||
- /usr/share/shorewall[6]/modules.essential # Essential modules
|
||||
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
|
||||
- /usr/share/shorewall[6]/helpers # Existing file
|
||||
- /usr/share/shorewall/ipset # ipset modules
|
||||
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
|
||||
- /usr/share/shorewall[6]/modules.extensions # Other extensions
|
||||
Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming
|
||||
and outgoing connections. If a particular application, SMTP for
|
||||
example, is placed in priority class 3, then outgoing ACK packets
|
||||
for incoming email were previously placed in priority class 3 as
|
||||
well. This could have the effect of slowing down incoming mail when
|
||||
the goal was to give outgoing mail a lower priority. By
|
||||
unconditionally placing ACK packets in priority class 1, this issue
|
||||
is avoided.
|
||||
|
||||
This should make it easier to configure your own
|
||||
/etc/shorewall[6]/modules file that won't be obsolete when you
|
||||
upgrade your Shorewall/Shorewall6 installation.
|
||||
2) Up to this point, the Perl-based rules compiler has not accepted
|
||||
ICMP type lists. This is in contrast to the shell-based compiler
|
||||
which did support such lists.
|
||||
|
||||
For example, if you don't use traffic shaping or ipsets, you can
|
||||
remove those from your copy of the modules file (copy in
|
||||
/etc/shorewall/).
|
||||
Support for ICMP (and ICMPv6) type lists has now been restored.
|
||||
|
||||
2) Traditionally, the root of the Shorewall accounting rules has been
|
||||
the 'accounting' chain. Having a single root chain has drawbacks:
|
||||
3) Distributions have different philosophies about the proper file
|
||||
hierarchy. Two issures are particularly contentious:
|
||||
|
||||
- Many rules are traversed needlessly (they could not possibly
|
||||
match traffic).
|
||||
- At any time, the Netfilter team could begin generating errors
|
||||
when loading those same rules.
|
||||
- MAC addresses may not be used in the accounting rules.
|
||||
- The 'accounting' chain cannot be optimized when
|
||||
OPTIMIZE_ACCOUNTING=Yes.
|
||||
- Executable files in /usr/share/shorewall*. These include;
|
||||
|
||||
In addition, currently the rules may be defined in any order so the
|
||||
rules compiler must post-process the ruleset to alert the user to
|
||||
unreferenced chains.
|
||||
getparams
|
||||
compiler.pl
|
||||
wait4ifup
|
||||
shorecap
|
||||
ifupdown
|
||||
|
||||
Beginning with Shorewall 4.4.18, the accounting structure can be
|
||||
created with three root chains:
|
||||
- Perl Modules in /usr/share/shorewall/Shorewall.
|
||||
|
||||
- accountin: Rules that are valid in the INPUT chain (may not
|
||||
specify an output interface).
|
||||
- accountout: Rules that are valid in the OUTPUT chain (may not
|
||||
specify an input interface or a MAC address).
|
||||
- accountfwd: Other rules.
|
||||
To allow distributions to designate alternate locations for these
|
||||
files, the installers (install.sh) now support the following
|
||||
environmental variables:
|
||||
|
||||
The new structure is enabled by sectioning the accounting file in a
|
||||
manner similar to the rules file.
|
||||
LIBEXEC -- determines where in /usr getparams, compiler.pl,
|
||||
wait4ifup, shorecap and ifupdown are installed. Shorewall and
|
||||
Shorewall6 must be installed with the same value of LIBEXEC. The
|
||||
listed executables are installed in /usr/${LIBEXEC}/shorewall*. The
|
||||
default value of LIBEXEC is 'share'. LIBEXEC is recognized by all
|
||||
installers and uninstallers.
|
||||
|
||||
The sections are INPUT, OUTPUT and FORWARD and must appear in that
|
||||
order (although any of them may be omitted). The first
|
||||
non-commentary record in the accounting file must be a section
|
||||
header when sectioning is used.
|
||||
PERLLIB -- determines where in /usr the Shorewall perl modules are
|
||||
installed. Shorewall and Shorewall6 must be installed with the same
|
||||
value of PERLLIB. The modules are installed in
|
||||
/usr/${PERLLIB}/Shorewall. The default value of PERLLIB is
|
||||
'share/shorewall'. PERLLIB is only recognized by the Shorewall and
|
||||
Shorewall6 installers and the same value must be passed to both
|
||||
installers.
|
||||
|
||||
When sections are enabled:
|
||||
4) Bridge/ports handling has been significantly improved, resulting in
|
||||
packets to/from bridges traversing fewer rules.
|
||||
|
||||
- You must jump to a user-defined accounting chain before you can
|
||||
add rules to that chain. This eliminates the possibility of
|
||||
unreferenced chains.
|
||||
- You may not specify an output interface in the INPUT section.
|
||||
- In the OUTPUT section:
|
||||
- You may not specify an input interface
|
||||
- You may not jump to a chain defined in the INPUT section that
|
||||
specifies an input interface
|
||||
- You may not specify a MAC address
|
||||
- You may not jump to a chain defined in the INPUT section that
|
||||
specifies specifies a MAC address.
|
||||
- The default value of the CHAIN column is:
|
||||
- 'accountin' in the INPUT section
|
||||
- 'accountout' in the OUTPUT section
|
||||
- 'accountfwd' in the FORWARD section
|
||||
- Traffic addressed to the firewall goes through the rules defined
|
||||
in the INPUT section.
|
||||
- Traffic originating on the firewall goes through the rules
|
||||
defined in the OUTPUT section.
|
||||
- Traffic being forwarded through the firewall goes through the
|
||||
rules defined in the FORWARD section.
|
||||
|
||||
As part of this change, the USER/GROUP column must now be empty
|
||||
except in the OUTPUT section. This is consistent with recent
|
||||
Netfilter releases which disallow the owner match in rules
|
||||
reachable from the INPUT and FORWARD hooks.
|
||||
|
||||
3) Internals Change: The Policy.pm module has been merged into the
|
||||
Rules.pm module.
|
||||
5) A list of protocols is now permitted in the PROTO column of the
|
||||
rules file.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
@ -408,6 +347,147 @@ None.
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 8
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
4.4.18 Final
|
||||
|
||||
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
|
||||
context where a network address is allowed, the compiler failed to
|
||||
supply the default <vlsm> of 128. This could lead to startup errors
|
||||
and/or Perl errors such as:
|
||||
|
||||
Use of uninitialized value $mask in concatenation (.) or
|
||||
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
|
||||
<$currentfile> line 11.
|
||||
|
||||
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
|
||||
previously not recognized. That functionality has been restored.
|
||||
|
||||
3) If an interface mentioned in the tcfilters file was not up when
|
||||
Shorewall was started or restarted, then the command would fail
|
||||
at run-time with a 'tc' error message.
|
||||
|
||||
4.4.18 RC 1
|
||||
|
||||
1) None.
|
||||
|
||||
4.4.18 Beta 4
|
||||
|
||||
1) Edting of the MARK column has been tighened to catch errors at
|
||||
compile time rather than at run time.
|
||||
|
||||
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
|
||||
to get the most common suffixes at the front of the list. It is
|
||||
still recommended that you modify this setting to include only the
|
||||
suffix(es) used on your system. Current distributions use 'ko'
|
||||
almost exclusively.
|
||||
|
||||
4.4.18 Beta 2
|
||||
|
||||
1) Previously, the 'local' option in /etc/shorewall6/providers would
|
||||
produce an 'ip route add' command containing an IPv4 address. It now
|
||||
correctly uses the equivalent IPv6 address. Note that this option
|
||||
is still undocumented for use with IPv6.
|
||||
|
||||
2) When optimize level 4 was set, the optimizer mis-handled rules of the
|
||||
form:
|
||||
|
||||
-A <chain1> -j <chain2> -m comment ...
|
||||
|
||||
when such a rule was the only rule in a chain.
|
||||
|
||||
4.4.18 Beta 1
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 1 8
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) The modules files are now just a driver that INCLUDEs several new
|
||||
files and one old file:
|
||||
|
||||
- /usr/share/shorewall[6]/modules.essential # Essential modules
|
||||
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
|
||||
- /usr/share/shorewall[6]/helpers # Existing file
|
||||
- /usr/share/shorewall/ipset # ipset modules
|
||||
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
|
||||
- /usr/share/shorewall[6]/modules.extensions # Other extensions
|
||||
|
||||
This should make it easier to configure your own
|
||||
/etc/shorewall[6]/modules file that won't be obsolete when you
|
||||
upgrade your Shorewall/Shorewall6 installation.
|
||||
|
||||
For example, if you don't use traffic shaping or ipsets, you can
|
||||
remove those from your copy of the modules file (copy in
|
||||
/etc/shorewall/).
|
||||
|
||||
2) Traditionally, the root of the Shorewall accounting rules has been
|
||||
the 'accounting' chain. Having a single root chain has drawbacks:
|
||||
|
||||
- Many rules are traversed needlessly (they could not possibly
|
||||
match traffic).
|
||||
- At any time, the Netfilter team could begin generating errors
|
||||
when loading those same rules.
|
||||
- MAC addresses may not be used in the accounting rules.
|
||||
- The 'accounting' chain cannot be optimized when
|
||||
OPTIMIZE_ACCOUNTING=Yes.
|
||||
|
||||
In addition, currently the rules may be defined in any order so the
|
||||
rules compiler must post-process the ruleset to alert the user to
|
||||
unreferenced chains.
|
||||
|
||||
Beginning with Shorewall 4.4.18, the accounting structure can be
|
||||
created with three root chains:
|
||||
|
||||
- accountin: Rules that are valid in the INPUT chain (may not
|
||||
specify an output interface).
|
||||
- accountout: Rules that are valid in the OUTPUT chain (may not
|
||||
specify an input interface or a MAC address).
|
||||
- accountfwd: Other rules.
|
||||
|
||||
The new structure is enabled by sectioning the accounting file in a
|
||||
manner similar to the rules file.
|
||||
|
||||
The sections are INPUT, OUTPUT and FORWARD and must appear in that
|
||||
order (although any of them may be omitted). The first
|
||||
non-commentary record in the accounting file must be a section
|
||||
header when sectioning is used.
|
||||
|
||||
When sections are enabled:
|
||||
|
||||
- You must jump to a user-defined accounting chain before you can
|
||||
add rules to that chain. This eliminates the possibility of
|
||||
unreferenced chains.
|
||||
- You may not specify an output interface in the INPUT section.
|
||||
- In the OUTPUT section:
|
||||
- You may not specify an input interface
|
||||
- You may not jump to a chain defined in the INPUT section that
|
||||
specifies an input interface
|
||||
- You may not specify a MAC address
|
||||
- You may not jump to a chain defined in the INPUT section that
|
||||
specifies specifies a MAC address.
|
||||
- The default value of the CHAIN column is:
|
||||
- 'accountin' in the INPUT section
|
||||
- 'accountout' in the OUTPUT section
|
||||
- 'accountfwd' in the FORWARD section
|
||||
- Traffic addressed to the firewall goes through the rules defined
|
||||
in the INPUT section.
|
||||
- Traffic originating on the firewall goes through the rules
|
||||
defined in the OUTPUT section.
|
||||
- Traffic being forwarded through the firewall goes through the
|
||||
rules defined in the FORWARD section.
|
||||
|
||||
As part of this change, the USER/GROUP column must now be empty
|
||||
except in the OUTPUT section. This is consistent with recent
|
||||
Netfilter releases which disallow the owner match in rules
|
||||
reachable from the INPUT and FORWARD hooks.
|
||||
|
||||
3) Internals Change: The Policy.pm module has been merged into the
|
||||
Rules.pm module.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 7
|
||||
----------------------------------------------------------------------------
|
||||
@ -3103,7 +3183,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
hence will now start successfully when running on that kernel.
|
||||
|
||||
14) Three new options (IP, TC and IPSET) have been added to
|
||||
shorewall.conf and shorwall6.conf. These options specify the name
|
||||
shorewall.conf and shorewall6.conf. These options specify the name
|
||||
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||
respectively.
|
||||
|
||||
|
@ -363,7 +363,11 @@ compiler() {
|
||||
PERL=/usr/bin/perl
|
||||
fi
|
||||
|
||||
$PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
|
||||
if [ $g_perllib = share/shorewall ]; then
|
||||
$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
|
||||
else
|
||||
PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -1135,6 +1139,8 @@ reload_command() # $* = original arguments less the command.
|
||||
getcaps=
|
||||
local root
|
||||
root=root
|
||||
local libexec
|
||||
libexec=share
|
||||
|
||||
litedir=/var/lib/shorewall-lite
|
||||
|
||||
@ -1195,6 +1201,10 @@ reload_command() # $* = original arguments less the command.
|
||||
|
||||
[ -n "$temp" ] && litedir="$temp"
|
||||
|
||||
temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
|
||||
|
||||
[ -n "$temp" ] && libexec="$temp"
|
||||
|
||||
if [ -z "$getcaps" ]; then
|
||||
SHOREWALL_DIR=$(resolve_file $directory)
|
||||
ensure_config_path
|
||||
@ -1211,7 +1221,7 @@ reload_command() # $* = original arguments less the command.
|
||||
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
|
||||
|
||||
progress_message "Getting Capabilities on system $system..."
|
||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
|
||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then
|
||||
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
||||
fi
|
||||
fi
|
||||
@ -1574,6 +1584,8 @@ CONFDIR=/etc/shorewall
|
||||
g_product="Shorewall"
|
||||
g_recovering=
|
||||
g_timestamp=
|
||||
g_libexec=share
|
||||
g_perllib=share/shorewall
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||
|
||||
|
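Review bot: `PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@` in the new else branch of compiler() passes a /usr-relative value (the default is `share/shorewall`, and the installers create `${DESTDIR}/usr/${PERLLIB}/`), so Perl searches `./share/...` relative to the current directory and will not find the modules whenever a non-default PERLLIB is in use; it should read `PERL5LIB=/usr/$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@`. The same relative path is used in the Shorewall6 control program's compiler() (`$command PERL5LIB=$g_perllib ...`). The test on the line above should quote the variable, `if [ $g_perllib = share/shorewall ]` → `if [ "$g_perllib" = share/shorewall ]; then`, so an empty value gives a clean mismatch rather than a `[` syntax error. compiler() begins before this hunk.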
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 4.4.18
|
||||
%define release 1
|
||||
%define version 4.4.19
|
||||
%define release 0Beta4
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -109,10 +109,12 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta4
|
||||
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta3
|
||||
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta1
|
||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-0base
|
||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -72,6 +72,9 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
[ -n "${PERLLIB:=share/shorewall}" ]
|
||||
|
||||
echo "Uninstalling shorewall $VERSION"
|
||||
|
||||
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
|
||||
@ -106,6 +109,8 @@ rm -rf /etc/shorewall
|
||||
rm -rf /etc/shorewall-*.bkout
|
||||
rm -rf /var/lib/shorewall
|
||||
rm -rf /var/lib/shorewall-*.bkout
|
||||
rm -rf /usr/$PERLLIB}/Shorewall/*
|
||||
rm -rf /usr/${LIBEXEC}/shorewall
|
||||
rm -rf /usr/share/shorewall
|
||||
rm -rf /usr/share/shorewall-*.bkout
|
||||
rm -rf /usr/share/man/man5/shorewall*
|
||||
|
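Review bot: `rm -rf /usr/$PERLLIB}/Shorewall/*` has a stray `}` with no opening brace, so the shell expands `$PERLLIB` and keeps the literal brace, yielding `/usr/share/shorewall}/Shorewall/*` by default; the Perl modules are therefore never removed and the uninstaller silently leaves them behind. The line should read `rm -rf /usr/${PERLLIB}/Shorewall/*`, matching the `${LIBEXEC}` form on the next line. Both `rm -rf` paths depend on the `:=` defaults added near the top of the script to stay non-empty, and on the caller passing the same LIBEXEC/PERLLIB that install.sh received; a one-line comment above the defaults, `# must match the values given to install.sh`, would make that coupling visible in the script itself.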
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -123,6 +123,7 @@ done
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
#
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
@ -187,6 +188,7 @@ else
|
||||
rm -rf ${DESTDIR}/etc/shorewall6-lite
|
||||
rm -rf ${DESTDIR}/usr/share/shorewall6-lite
|
||||
rm -rf ${DESTDIR}/var/lib/shorewall6-lite
|
||||
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
|
||||
fi
|
||||
|
||||
#
|
||||
@ -202,6 +204,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
|
||||
|
||||
install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
|
||||
|
||||
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite
|
||||
|
||||
echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
|
||||
|
||||
#
|
||||
@ -223,6 +227,7 @@ echo "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
|
||||
#
|
||||
mkdir -p ${DESTDIR}/etc/shorewall6-lite
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
|
||||
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite
|
||||
mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
|
||||
|
||||
chmod 755 ${DESTDIR}/etc/shorewall6-lite
|
||||
@ -275,20 +280,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct
|
||||
# Install Shorecap
|
||||
#
|
||||
|
||||
install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
|
||||
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap 0755
|
||||
|
||||
echo
|
||||
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
|
||||
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap"
|
||||
|
||||
#
|
||||
# Install wait4ifup
|
||||
#
|
||||
|
||||
if [ -f wait4ifup ]; then
|
||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
|
||||
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup 0755
|
||||
|
||||
echo
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup"
|
||||
fi
|
||||
|
||||
#
|
||||
|
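Review bot: `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap` is the only path in this branch without the `${DESTDIR}` prefix, so a staged build (DESTDIR set) deletes files from the running system instead of the staging tree, while for an unstaged install the preceding `rm -rf ${DESTDIR}/usr/share/shorewall6-lite` has already removed that directory and the line is redundant. Either drop it or write `[ "$LIBEXEC" = share ] || rm -f ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/shorecap`. Separately, the `eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ...` line carries an empty backtick pair that the equivalent line in the Shorewall6 installer does not; it expands to nothing, but the eval itself is unnecessary — `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall6-lite` does the same without re-parsing the value of LIBEXEC as shell code. The if/else enclosing the first point starts before its hunk.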
@ -554,6 +554,7 @@ MUTEX_TIMEOUT=
|
||||
SHAREDIR=/usr/share/shorewall6-lite
|
||||
CONFDIR=/etc/shorewall6-lite
|
||||
g_product="Shorewall6 Lite"
|
||||
g_libexec=share
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.4.18
|
||||
%define release 1
|
||||
%define version 4.4.19
|
||||
%define release 0Beta4
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -94,10 +94,12 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta4
|
||||
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta3
|
||||
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta1
|
||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-0base
|
||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -60,6 +60,8 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
|
||||
echo "Uninstalling Shorewall Lite $VERSION"
|
||||
|
||||
if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
|
||||
@ -95,6 +97,7 @@ rm -rf /etc/shorewall6-lite-*.bkout
|
||||
rm -rf /var/lib/shorewall6-lite
|
||||
rm -rf /var/lib/shorewall6-lite-*.bkout
|
||||
rm -rf /usr/share/shorewall6-lite
|
||||
rm -rf /usr/${LIBEXEC}/shorewall6-lite
|
||||
rm -rf /usr/share/shorewall6-lite-*.bkout
|
||||
rm -f /etc/logrotate.d/shorewall6-lite
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -110,6 +110,8 @@ MAC=
|
||||
MANDIR=${MANDIR:-"/usr/share/man"}
|
||||
SPARSE=
|
||||
INSTALLD='-D'
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
[ -n "${PERLLIB:=share/shoreall}" ]
|
||||
|
||||
case $(uname) in
|
||||
CYGWIN*)
|
||||
@ -226,9 +228,13 @@ fi
|
||||
|
||||
if [ -z "$CYGWIN" ]; then
|
||||
install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
||||
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
|
||||
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
|
||||
echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
|
||||
else
|
||||
install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
||||
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall6
|
||||
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall6
|
||||
echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
|
||||
fi
|
||||
|
||||
@ -252,7 +258,8 @@ fi
|
||||
# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
|
||||
#
|
||||
mkdir -p ${DESTDIR}/etc/shorewall6
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall6
|
||||
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6
|
||||
mkdir -p ${DESTDIR}/usr/${PERLLIB}/
|
||||
mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
|
||||
mkdir -p ${DESTDIR}/var/lib/shorewall6
|
||||
|
||||
@ -318,10 +325,10 @@ delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
|
||||
# Install wait4ifup
|
||||
#
|
||||
|
||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
|
||||
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup 0755
|
||||
|
||||
echo
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
|
||||
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup"
|
||||
|
||||
#
|
||||
# Install the policy file
|
||||
|
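Review bot: `[ -n "${PERLLIB:=share/shoreall}" ]` misspells the default (`shoreall`), so an install that does not set PERLLIB creates `${DESTDIR}/usr/share/shoreall/` through the later `mkdir -p ${DESTDIR}/usr/${PERLLIB}/` and patches `g_perllib=share/shoreall` into the control program, which then fails the `share/shorewall` test in compiler() and takes the `PERL5LIB=$g_perllib` branch instead of the default one. It should be `[ -n "${PERLLIB:=share/shorewall}" ]`, the value used by the Shorewall uninstaller and given in the installation notes elsewhere in this commit. The four `eval sed -i \'s\|g_libexec=.\*\|...` / `g_perllib` lines can also lose the eval — e.g. `sed -i "s|g_perllib=.*|g_perllib=$PERLLIB|" ${DESTDIR}/sbin/shorewall6` — so that an environment value is never re-parsed as shell code.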
@ -38,7 +38,6 @@ SHOREWALL_CAPVERSION=40417
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
[ -n "${CONFDIR:=/etc/shorewall6}" ]
|
||||
[ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ]
|
||||
|
||||
#
|
||||
# Conditionally produce message
|
||||
|
@ -591,8 +591,17 @@ show_command() {
|
||||
;;
|
||||
config)
|
||||
. ${SHAREDIR}/configpath
|
||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||
if [ -n "$g_filemode" ]; then
|
||||
echo "CONFIG_PATH=$CONFIG_PATH"
|
||||
echo "VARDIR=$VARDIR"
|
||||
echo "LIBEXEC=$g_libexec"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
|
||||
else
|
||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||
echo "Default VARDIR is $VARDIR"
|
||||
echo "LIBEXEC is $g_libexec"
|
||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||
fi
|
||||
;;
|
||||
chain)
|
||||
shift
|
||||
|
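Review bot: The new `echo "LIBEXEC is $g_libexec"` line is parsed, not just read: reload_command in the control programs runs `show config` over rsh and extracts the value with `grep ^LIBEXEC | sed 's/LIBEXEC is //'`, so the wording is an interface and deserves a comment, e.g. `# "LIBEXEC is <dir>" is parsed by reload_command on the administrative system; keep the wording stable`. g_libexec appears to be defined only by the per-product main scripts (`g_libexec=share`, rewritten by install.sh), so this shared function relies on the caller having set it — confirm it is set on every path that reaches `show config`. The grep also matches the file-mode form `LIBEXEC=...`, which the sed does not strip; harmless as long as `show config` is never issued remotely with file mode, but worth stating in the same comment.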
@ -239,7 +239,7 @@ startup_error() {
|
||||
# Run the appropriate compiler
|
||||
#
|
||||
compiler() {
|
||||
pc=${PERLSHAREDIR}/compiler.pl
|
||||
pc=/usr/$g_libexec/shorewall/compiler.pl
|
||||
|
||||
local command
|
||||
command=$1
|
||||
@ -300,7 +300,11 @@ compiler() {
|
||||
PERL=/usr/bin/perl
|
||||
fi
|
||||
|
||||
$command $PERL $debugflags $pc $options $@
|
||||
if [ $g_perllib = share/shorewall ]; then
|
||||
$command $PERL $debugflags $pc $options $@
|
||||
else
|
||||
$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
@ -1068,6 +1072,8 @@ reload_command() # $* = original arguments less the command.
|
||||
root=root
|
||||
local compiler
|
||||
compiler=
|
||||
local libexec
|
||||
libexec=share
|
||||
|
||||
litedir=/var/lib/shorewall6-lite
|
||||
|
||||
@ -1128,6 +1134,10 @@ reload_command() # $* = original arguments less the command.
|
||||
|
||||
[ -n "$temp" ] && litedir=$temp
|
||||
|
||||
temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
|
||||
|
||||
[ -n "$temp" ] && libexec=$temp
|
||||
|
||||
if [ -z "$getcaps" ]; then
|
||||
SHOREWALL_DIR=$(resolve_file $directory)
|
||||
ensure_config_path
|
||||
@ -1142,7 +1152,7 @@ reload_command() # $* = original arguments less the command.
|
||||
fi
|
||||
|
||||
progress_message "Getting Capabilities on system $system..."
|
||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/share/shorewall6-lite/shorecap" > $directory/capabilities; then
|
||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/$libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
|
||||
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
||||
fi
|
||||
fi
|
||||
@ -1484,6 +1494,8 @@ SHAREDIR=/usr/share/shorewall6
|
||||
CONFDIR=/etc/shorewall6
|
||||
g_product="Shorewall6"
|
||||
g_recovering=
|
||||
g_libexec=share
|
||||
g_perllib=share/shorewall
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||
|
||||
|
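Review bot: `$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@` places the environment assignment after `$command`; when `command` (taken from `$1` at the top of compiler(), with values not shown here) is non-empty, `PERL5LIB=...` becomes that command's first argument rather than an exported variable, and with a prefix such as `exec` the shell would try to run a program named `PERL5LIB=...`. Moving the assignment to the front, `PERL5LIB=/usr/$g_perllib $command $PERL $debugflags $pc $options $@`, works for both the empty and non-empty cases and also turns the /usr-relative `g_perllib` (default `share/shorewall`) into the absolute path Perl needs. The body of compiler() between the two hunks is not shown.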
@ -1,6 +1,6 @@
|
||||
%define name shorewall6
|
||||
%define version 4.4.18
|
||||
%define release 1
|
||||
%define version 4.4.19
|
||||
%define release 0Beta4
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -98,10 +98,12 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-1
|
||||
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta4
|
||||
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta3
|
||||
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-0Beta1
|
||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.18-0base
|
||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.18.1
|
||||
VERSION=4.4.19-Beta4
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -72,6 +72,8 @@ else
|
||||
VERSION=""
|
||||
fi
|
||||
|
||||
[ -n "${LIBEXEC:=share}" ]
|
||||
|
||||
echo "Uninstalling shorewall6 $VERSION"
|
||||
|
||||
if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
|
||||
@ -106,6 +108,7 @@ rm -rf /etc/shorewall6
|
||||
rm -rf /etc/shorewall6-*.bkout
|
||||
rm -rf /var/lib/shorewall6
|
||||
rm -rf /var/lib/shorewall6-*.bkout
|
||||
rm -rf /usr/${LIBEXEC}/shorewall6
|
||||
rm -rf /usr/share/shorewall6
|
||||
rm -rf /usr/share/shorewall6-*.bkout
|
||||
rm -rf /usr/share/man/man5/shorewall6*
|
||||
|
@ -173,6 +173,80 @@
|
||||
instructions</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<section>
|
||||
<title>Executables in /usr and Perl Modules</title>
|
||||
|
||||
<para>Distributions have different philosophies about the proper file
|
||||
hierarchy. Two issures are particularly contentious:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Executable files in
|
||||
<filename>/usr/share/shorewall*</filename>. These include;</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>getparams</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>compiler.pl</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>wait4ifup</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>shorecap</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ifupdown</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Perl Modules in
|
||||
<filename>/usr/share/shorewall/Shorewall</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>To allow distributions to designate alternate locations for these
|
||||
files, the installers (install.sh) from 4.4.19 onward support the
|
||||
following environmental variables:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>LIBEXEC</term>
|
||||
|
||||
<listitem>
|
||||
<para>Determines where in /usr getparams, compiler.pl, wait4ifup,
|
||||
shorecap and ifupdown are installed. Shorewall and Shorewall6 must
|
||||
be installed with the same value of LIBEXEC. The listed
|
||||
executables are installed in
|
||||
<filename>/usr/${LIBEXEC}/shorewall*</filename>. The default value
|
||||
of LIBEXEC is 'share'. LIBEXEC is recognized by all installers and
|
||||
uninstallers.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>PERLLIB</term>
|
||||
|
||||
<listitem>
|
||||
<para> Determines where in <filename>/usr </filename>the Shorewall
|
||||
perl modules are installed. Shorewall and Shorewall6 must be
|
||||
installed with the same value of PERLLIB. The modules are
|
||||
installed in <filename>/usr/${PERLLIB}/Shorewall</filename>. The
|
||||
default value of PERLLIB is 'share/shorewall'. PERLLIB is only
|
||||
recognized by the Shorewall and Shorewall6 installers.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Debian">
|
||||
|
@ -647,14 +647,35 @@ eth0 <emphasis role="bold">172.20.1.0/24</emphasis></programl
|
||||
<para>Before:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
NONAT loc net tcp 80</programlisting>
|
||||
|
||||
<para>After:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
NONAT loc - tcp 80</programlisting>
|
||||
|
||||
<para>Shorewall 4.4 versions prior to 4.4.19 do not support icmp type
|
||||
lists in the DEST PORT(S) column. Only a single ICMP type may be listed.
|
||||
If you have a shell variable with a list of ICMP types that you use in a
|
||||
rule, you can work around this limitation as follows. Replace this
|
||||
rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT z1 z2 icmp $ITYPES</programlisting>
|
||||
|
||||
<para>with:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
|
||||
BEGIN SHELL
|
||||
for type in $ITYPES; do
|
||||
ACCEPT z1 z2 icmp $type
|
||||
done
|
||||
END SHELL</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="routestopped">
|
||||
|
@ -790,6 +790,13 @@ gateway:/etc/shorewall # </programlisting></para>
|
||||
|
||||
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||||
|
||||
<para>If you are the sort to put such an entry in your rules file even
|
||||
though /etc/shorewall/rules.d might not exist or might be empty, then
|
||||
you probably want:</para>
|
||||
|
||||
<programlisting>SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
@ -1308,13 +1315,26 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Compliment">
|
||||
<title>Complementing an Address or Subnet</title>
|
||||
<title>Complementing an Address, Subnet, Protocol or Port List</title>
|
||||
|
||||
<para>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with <quote>!</quote> to specify the complement of the
|
||||
item. For example, !192.168.1.4 means <quote>any host but
|
||||
192.168.1.4</quote>. There must be no white space following the
|
||||
<quote>!</quote>.</para>
|
||||
|
||||
<para>Similarly, in columns that specify an IP protocol, you can preceed
|
||||
the protocol name or number by "!". For example, !tcp means "any protocol
|
||||
except tcp".</para>
|
||||
|
||||
<para>This also works with port lists, providing that the list contains 15
|
||||
or fewer ports (where a <link linkend="Ranges">port range</link> counts as
|
||||
two ports). For example !ssh,smtp means "any port except 22 and
|
||||
25".</para>
|
||||
|
||||
<para>In Shorewall 4.4.19 and later, icmp type lists are supported but
|
||||
complementing an icmp type list is <emphasis>not</emphasis> supported. You
|
||||
may, however, complement a single icmp (icmp6) type.</para>
|
||||
</section>
|
||||
|
||||
<section id="Exclusion">
|
||||
@ -1454,6 +1474,9 @@ router-advertisement => 134
|
||||
neighbour-solicitation => 135
|
||||
neighbour-advertisement => 136
|
||||
redirect => 137</programlisting>
|
||||
|
||||
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to
|
||||
Shorewall 4.4.19.</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
|
@ -81,5 +81,11 @@
|
||||
|
||||
<para>If you installed using an rpm, at a root shell prompt type
|
||||
<quote>rpm -e shorewall</quote>.</para>
|
||||
|
||||
<note>
|
||||
<para>If you specified LIBEXEC and/or PERLLIB when you installed
|
||||
Shorewall, you must specify the same value to the uninstall script.
|
||||
e.g., LIBEXEC=libexec ./uninstall.sh.</para>
|
||||
</note>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -821,6 +821,10 @@
|
||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||
RST,ACK and FIN flags must be reset.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.19, this column can contain a
|
||||
comma-separated list of protocol-numbers and/or protocol
|
||||
names.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -837,7 +841,9 @@
|
||||
the destination icmp-type(s). ICMP types may be specified as a
|
||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||
3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
||||
listsed.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
|
@ -624,6 +624,10 @@
|
||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||
RST,ACK and FIN flags must be reset.</para>
|
||||
|
||||
<para>Beginning with Shorewall6 4.4.19, this column can contain a
|
||||
comma-separated list of protocol-numbers and/or protocol names
|
||||
(e.g., <emphasis role="bold">tcp,udp</emphasis>).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -640,7 +644,9 @@
|
||||
the destination icmp-type(s). ICMP types may be specified as a
|
||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||
3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
||||
listsed.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
this column is interpreted as an ipp2p option without the leading
|
||||
|