From cc633c5bd9df5cee94f8b5edca485c324501717e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 3 Apr 2011 09:56:30 -0700 Subject: [PATCH] Shorewall 4.4.19 Changes --- Shorewall-init/install.sh | 13 +- Shorewall-init/shorewall-init.spec | 14 +- Shorewall-init/uninstall.sh | 5 +- Shorewall-lite/install.sh | 15 +- Shorewall-lite/shorewall-lite | 1 + Shorewall-lite/shorewall-lite.spec | 14 +- Shorewall-lite/uninstall.sh | 5 +- Shorewall/Perl/Shorewall/Chains.pm | 154 ++++++++++-- Shorewall/Perl/Shorewall/Compiler.pm | 6 +- Shorewall/Perl/Shorewall/Config.pm | 12 +- Shorewall/Perl/Shorewall/Misc.pm | 142 +++++++++-- Shorewall/Perl/Shorewall/Rules.pm | 41 +-- Shorewall/Perl/Shorewall/Tc.pm | 10 +- Shorewall/Perl/Shorewall/Zones.pm | 39 ++- Shorewall/changelog.txt | 40 ++- Shorewall/install.sh | 23 +- Shorewall/known_problems.txt | 23 -- Shorewall/lib.cli | 13 +- Shorewall/releasenotes.txt | 358 ++++++++++++++++----------- Shorewall/shorewall | 16 +- Shorewall/shorewall.spec | 14 +- Shorewall/uninstall.sh | 7 +- Shorewall6-lite/install.sh | 15 +- Shorewall6-lite/shorewall6-lite | 1 + Shorewall6-lite/shorewall6-lite.spec | 14 +- Shorewall6-lite/uninstall.sh | 5 +- Shorewall6/install.sh | 15 +- Shorewall6/lib.base | 1 - Shorewall6/lib.cli | 13 +- Shorewall6/shorewall6 | 18 +- Shorewall6/shorewall6.spec | 14 +- Shorewall6/uninstall.sh | 5 +- docs/Install.xml | 74 ++++++ docs/LennyToSqueeze.xml | 25 +- docs/configuration_file_basics.xml | 25 +- docs/fallback.xml | 6 + manpages/shorewall-rules.xml | 8 +- manpages6/shorewall6-rules.xml | 8 +- 38 files changed, 889 insertions(+), 323 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index b4474ac3c..7aecf945a 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { 
@@ -124,6 +124,7 @@ done PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +[ -n "${LIBEXEC:=share}" ] # # Determine where to install the firewall script # @@ -259,9 +260,9 @@ fi # Install the ifupdown script # -mkdir -p ${DESTDIR}/usr/share/shorewall-init +mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init -install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544 +install_file ifupdown.sh ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown 0544 if [ -d ${DESTDIR}/etc/NetworkManager ]; then install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544 @@ -332,7 +333,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories - cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall + cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall done elif [ -n "$REDHAT" ]; then # @@ -342,13 +343,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then FILE=${DESTDIR}/etc/ppp/$file if [ -f $FILE ]; then if fgrep -q Shorewall-based $FILE ; then - cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE + cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE else echo "$FILE already exists -- ppp devices will not be handled" break fi else - cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE + cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE fi done fi diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index b91a040d5..2edbcf81b 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec 
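Review bot: `LIBEXEC` is read from the environment and spliced unvalidated and unquoted into every install path in this file (`mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init`, the `install_file` target and the `cp -fp` sources in the later hunks), so a value containing `/`, `..` or whitespace moves the ifupdown script outside `/usr/<dir>/shorewall-init`. Right after the default is applied I would reject such values: `case $LIBEXEC in ''|*/*|*..*|*[[:space:]]*) echo "LIBEXEC must be a single directory name under /usr (e.g. share, lib)" >&2; exit 1;; esac`, and quote the expansions where they are used. `: "${LIBEXEC:=share}"` is the conventional spelling of the defaulting line; the `[ -n ... ]` form reads as a test that is never acted on. The top-level script continues outside the hunk.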
@@ -1,6 +1,6 @@ %define name shorewall-init -%define version 4.4.18 -%define release 1 +%define version 4.4.19 +%define release 0Beta4 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -119,10 +119,12 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Sat Mar 19 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 -* Sun Mar 13 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 +* Sat Apr 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta4 +* Sat Mar 26 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta3 +* Sat Mar 05 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta1 * Wed Mar 02 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.18-0base * Mon Feb 28 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index b798e5cc0..4aef715d1 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -60,6 +60,8 @@ else VERSION="" fi +[ -n "${LIBEXEC:=share}" ] + echo "Uninstalling Shorewall Init $VERSION" INITSCRIPT=/etc/init.d/shorewall-init @@ -105,6 +107,7 @@ if [ -d /etc/ppp ]; then fi rm -rf /usr/share/shorewall-init +rm -rf /usr/${LIBEXEC}/shorewall-init echo "Shorewall Init Uninstalled" diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 340a421dd..a9d4df16a 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -123,6 +123,7 @@ done PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +[ -n "${LIBEXEC:=share}" ] # # Determine where to install the firewall script # 
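Review bot: `rm -rf /usr/${LIBEXEC}/shorewall-init` is unquoted and `LIBEXEC` is never validated; a value consisting of whitespace splits the argument so the command becomes `rm -rf /usr/ /shorewall-init`, and a value with `..` or a slash walks out of `/usr`. Quote it and refuse anything but a plain directory name before the removal: `case $LIBEXEC in ''|*/*|*..*|*[[:space:]]*) echo "Invalid LIBEXEC: '$LIBEXEC'" >&2; exit 1;; esac` followed by `rm -rf "/usr/${LIBEXEC}/shorewall-init"`. The defaulting line added earlier in this file (`[ -n "${LIBEXEC:=share}" ]`) only substitutes `share` for an unset or empty value and does not guard against either case. The script continues outside the hunk.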
@@ -189,6 +190,7 @@ else rm -rf ${DESTDIR}/etc/shorewall-lite rm -rf ${DESTDIR}/usr/share/shorewall-lite rm -rf ${DESTDIR}/var/lib/shorewall-lite + [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap fi # @@ -204,6 +206,8 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544 +eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite + echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite" # @@ -225,6 +229,7 @@ echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT" # mkdir -p ${DESTDIR}/etc/shorewall-lite mkdir -p ${DESTDIR}/usr/share/shorewall-lite +mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite mkdir -p ${DESTDIR}/var/lib/shorewall-lite chmod 755 ${DESTDIR}/etc/shorewall-lite @@ -277,20 +282,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi # Install Shorecap # -install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755 +install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap 0755 echo -echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap" +echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap" # # Install wait4ifup # if [ -f wait4ifup ]; then - install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755 + install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup 0755 echo - echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup" + echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup" fi # diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index e6d65b951..937bb39ee 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite 
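Review bot: The new `rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap` omits the `${DESTDIR}` prefix that every neighbouring `rm -rf` in this hunk carries, so a staged (`DESTDIR=...`) install with a non-`share` `LIBEXEC` deletes from the running system instead of the staging tree. As far as this patch shows, `/usr/share/shorecap` is not a path the installer ever creates, so it looks like a typo for the `shorewall-lite` subdirectory rather than a second legacy location. I would write `[ "$LIBEXEC" = share ] || rm -rf "${DESTDIR}/usr/share/shorewall-lite/shorecap"` and add the second path only if it is a real historical install location. The `else` branch this line sits in begins outside the hunk.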
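Review bot: The `eval sed -i ... g_libexec=$LIBEXEC ...` line passes an unchecked environment variable through a second round of shell parsing, so a `LIBEXEC` value containing a single quote breaks out of the quoted sed expression and runs arbitrary commands as the installing user, and any `|`, `&` or `\` in the value corrupts the substitution; the earlier hunk in this file only defaults `LIBEXEC`, it does not check it. The `eval` is not needed to get the quoting shown here: `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall-lite"` performs the same edit, and `LIBEXEC` should additionally be restricted to a plain directory name before use. The backquote characters in the rendered line may be an artefact of how the patch was captured and are worth checking against the repository.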
@@ -570,6 +570,7 @@ MUTEX_TIMEOUT= SHAREDIR=/usr/share/shorewall-lite CONFDIR=/etc/shorewall-lite g_product="Shorewall Lite" +g_libexec=share [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 5e2eba053..6256fef62 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.4.18 -%define release 1 +%define version 4.4.19 +%define release 0Beta4 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -103,10 +103,12 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Sat Mar 19 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 -* Sun Mar 13 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 +* Sat Apr 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta4 +* Sat Mar 26 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta3 +* Sat Mar 05 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta1 * Wed Mar 02 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.18-0base * Mon Feb 28 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index ff75dd615..e8da63f5f 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -72,6 +72,8 @@ else VERSION="" fi +[ -n "${LIBEXEC:=share}" ] + echo "Uninstalling Shorewall Lite $VERSION" if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then 
@@ -107,6 +109,7 @@ rm -rf /etc/shorewall-lite-*.bkout rm -rf /var/lib/shorewall-lite rm -rf /var/lib/shorewall-lite-*.bkout rm -rf /usr/share/shorewall-lite +rm -rf /usr/${LIBEXEC}/shorewall-lite rm -rf /usr/share/shorewall-lite-*.bkout rm -f /etc/logrotate.d/shorewall-lite diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 42d6c6484..c1e7b11d2 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -78,6 +78,7 @@ our %EXPORT_TAGS = ( initialize_chain_table add_commands + copy_rules move_rules insert_rule1 delete_jumps @@ -187,7 +188,7 @@ our %EXPORT_TAGS = ( Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_18'; +our $VERSION = '4.4_19'; # # Chain Table @@ -387,8 +388,8 @@ our %builtin_target = ( ACCEPT => 1, # 2. The compiler can run multiple times in the same process so it has to be # able to re-initialize its dependent modules' state. # -sub initialize( $ ) { - $family = shift; +sub initialize( $$ ) { + ( $family, my $hard ) = @_; %chain_table = ( raw => {}, mangle => {}, @@ -428,7 +429,7 @@ sub initialize( $ ) { $idiotcount1 = 0; $warningcount = 0; $hashlimitset = 0; - $ipset_rules = 0; + $ipset_rules = 0 if $hard; # # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # @@ -616,6 +617,16 @@ sub handle_port_list( $$$$$$ ) { } } +# +# This much simpler function splits a rule with an icmp type list into discrete rules +# + +sub handle_icmptype_list( $$$$ ) { + my ($chainref, $first, $types, $rest) = @_; + my @ports = split ',', $types; + push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports; +} + # # Add a rule to a chain. Arguments are: # 
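Review bot: `rm -rf /usr/${LIBEXEC}/shorewall-lite` removes a path built from an unchecked environment variable, and the expansion is unquoted; with `LIBEXEC` set to whitespace the command word-splits into `rm -rf /usr/ /shorewall-lite`, and `../..`-style values leave `/usr` entirely. The defaulting line added at the top of this file (`[ -n "${LIBEXEC:=share}" ]`) guards against neither. I would validate once, `case $LIBEXEC in ''|*/*|*..*|*[[:space:]]*) echo "Invalid LIBEXEC" >&2; exit 1;; esac`, and quote the removal, `rm -rf "/usr/${LIBEXEC}/shorewall-lite"`. The script continues outside the hunk.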
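Review bot: The new `$hard` argument to `initialize` is undocumented, and its only visible effect is that `$ipset_rules` survives a non-hard call (`$ipset_rules = 0 if $hard;` in the next hunk), while the block comment above still describes a single re-initialization mode. From the Compiler.pm hunks the zero is passed for the re-initializations that precede generation of the stop-firewall and routestopped rules, so I would extend the comment: `# $hard is true for the initial per-compilation call and false for the re-initializations that precede generation of the stop/routestopped rules, which must not forget that ipset rules were already emitted.` Why the count must survive those calls is not visible here and is worth stating if it is known. The rest of `initialize` lies outside the hunk.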
@@ -645,6 +656,17 @@ sub add_rule($$;$) { # Rule has a --sports specification # handle_port_list( $chainref, $rule, 0, $1, $2, $3 ) + } elsif ( $rule =~ /^(.* --icmp(?:v6)?-type\s*)([^ ]+)(.*)$/ ) { + # + # ICMP rule -- split it up if necessary + # + my ( $first, $types, $rest ) = ($1, $2, $3 ); + + if ( $types =~ /,/ ) { + handle_icmptype_list( $chainref, $first, $types, $rest ); + } else { + push_rule( $chainref, $rule ); + } } else { push_rule ( $chainref, $rule ); } @@ -851,8 +873,8 @@ sub move_rules( $$ ) { # Replace the jump at the end of one chain (chain2) with the rules from another chain (chain1). # -sub copy_rules( $$ ) { - my ($chain1, $chain2 ) = @_; +sub copy_rules( $$;$ ) { + my ($chain1, $chain2, $nojump ) = @_; my $name1 = $chain1->{name}; my $name = $name1; @@ -868,7 +890,7 @@ sub copy_rules( $$ ) { # $name1 =~ s/\+/\\+/; - my $last = pop @$rules2; # Delete the jump to chain1 + pop @$rules2 unless $nojump; # Delete the jump to chain1 if ( $blacklist2 && $blacklist1 ) { # @@ -948,12 +970,21 @@ sub zone_forward_chain($) { sub use_forward_chain($$) { my ( $interface, $chainref ) = @_; my $interfaceref = find_interface($interface); + my $nets = $interfaceref->{nets}; return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); # - # We must use the interfaces's chain if the interface is associated with multiple nets + # We must use the interfaces's chain if the interface is associated with multiple zones # - return 1 if $interfaceref->{nets} > 1; + return 1 if ( keys %{interface_zones $interface} ) > 1; + # + # Use interface's chain if there are multiple nets on the interface + # + return 1 if $nets > 1; + # + # Use interface's chain if it is a bridge with ports + # + return 1 if $interfaceref->{ports}; my $zone = $interfaceref->{zone}; 
@@ -990,10 +1021,18 @@ sub use_input_chain($$) { return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); # - # We must use the interfaces's chain if the interface is associated with multiple nets + # We must use the interfaces's chain if the interface is associated with multiple Zones + # + return 1 if ( keys %{interface_zones $interface} ) > 1; + # + # Use interface's chain if there are multiple nets on the interface # return 1 if $nets > 1; # + # Use interface's chain if it is a bridge with ports + # + return 1 if $interfaceref->{ports}; + # # Don't need it if it isn't associated with any zone # return 0 unless $nets; @@ -1043,10 +1082,18 @@ sub use_output_chain($$) { return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); # - # We must use the interfaces's chain if the interface is associated with multiple nets + # We must use the interfaces's chain if the interface is associated with multiple Zones + # + return 1 if ( keys %{interface_zones $interface} ) > 1; + # + # Use interface's chain if there are multiple nets on the interface # return 1 if $nets > 1; # + # Use interface's chain if it is a bridge with ports + # + return 1 if $interfaceref->{ports}; + # # Don't need it if it isn't associated with any zone # return 0 unless $nets; 
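Review bot: The three `use_*_chain` functions now each open with the same three newly-added tests (more than one zone on the interface, `$nets > 1`, `$interfaceref->{ports}`), so the next criterion will have to be copied three times again and the copies can drift, as the comment wording (`multiple zones` vs `multiple Zones`) already has. I would hoist them into one helper, `sub interface_needs_chain($$) { my ($interface, $interfaceref) = @_; return 1 if ( keys %{interface_zones $interface} ) > 1; return 1 if $interfaceref->{nets} > 1; return $interfaceref->{ports} ? 1 : 0; }`, and call it from all three functions. `use_output_chain` begins and continues outside the hunk.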
@@ -2203,7 +2250,15 @@ sub do_proto( $$$;$ ) if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; - fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15; + + if ( port_count ( $ports ) > 15 ) { + if ( $restricted ) { + fatal_error "A port list in this file may only have up to 15 ports"; + } elsif ( $invert ) { + fatal_error "An inverted port list may only have up to 15 ports"; + } + } + $ports = validate_port_list $pname , $ports; $output .= "-m multiport ${invert}--dports ${ports} "; $multiport = 1; @@ -2218,7 +2273,15 @@ sub do_proto( $$$;$ ) if ( $sports ne '' ) { $invert = $sports =~ s/^!// ? '! ' : ''; if ( $multiport ) { - fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $sports ) > 15; + + if ( port_count( $sports ) > 15 ) { + if ( $restricted ) { + fatal_error "A port list in this file may only have up to 15 ports"; + } elsif ( $invert ) { + fatal_error "An inverted port list may only have up to 15 ports"; + } + } + $sports = validate_port_list $pname , $sports; $output .= "-m multiport ${invert}--sports ${sports} "; } else { 
@@ -2233,9 +2296,20 @@ sub do_proto( $$$;$ ) fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp' if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $ports = validate_icmp $ports; - $output .= "${invert}--icmp-type ${ports} "; + + my $types; + + if ( $ports =~ /,/ ) { + fatal_error "An inverted ICMP list may only contain a single type" if $invert; + $types = ''; + for my $type ( split_list( $ports, 'ICMP type list' ) ) { + $types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type; + } + } else { + $types = validate_icmp $ports; + } + + $output .= "${invert}--icmp-type ${types} "; } fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; @@ -2246,9 +2320,20 @@ sub do_proto( $$$;$ ) fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4; if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $ports = validate_icmp6 $ports; - $output .= "${invert}--icmpv6-type ${ports} "; + + my $types; + + if ( $ports =~ /,/ ) { + fatal_error "An inverted ICMP list may only contain a single type" if $invert; + $types = ''; + for my $type ( list_split( $ports, 'ICMP type list' ) ) { + $types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type; + } + } else { + $types = validate_icmp6 $ports; + } + + $output .= "${invert}--icmpv6-type ${types} "; } fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne ''; 
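Review bot: In the new ICMP type-list loop the first element is stored unvalidated: `$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;` calls `validate_icmp` only from the second element on, so `icmp 8,foo` is rejected while `icmp foo,8` is emitted as-is. The same expression tests the accumulated string for truth, so a leading type of `0` (echo-reply) is discarded when the second element is appended, because the string `'0'` is false in Perl. I would write `$types = length $types ? join( ',', $types, validate_icmp( $type ) ) : validate_icmp( $type );`. `do_proto` extends beyond this hunk.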
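Review bot: The IPv6 branch calls `list_split( $ports, 'ICMP type list' )` while the IPv4 branch just above calls `split_list`; unless `list_split` is defined elsewhere, any `ipv6-icmp` rule with a type list dies with an undefined-subroutine error instead of a `fatal_error`. The loop also repeats the defects of the IPv4 loop: the first element bypasses `validate_icmp6`, and the `$types ?` test drops a leading element whose value is the string `0`. Suggested line: `$types = length $types ? join( ',', $types, validate_icmp6( $type ) ) : validate_icmp6( $type );` together with `split_list`. `do_proto` continues outside the hunk.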
@@ -2651,13 +2736,18 @@ sub do_headers( $ ) { # # Match Source Interface # -sub match_source_dev( $ ) { - my $interface = shift; +sub match_source_dev( $;$ ) { + my ( $interface, $nodev ) = @_;; my $interfaceref = known_interface( $interface ); $interface = $interfaceref->{physical} if $interfaceref; return '' if $interface eq '+'; if ( $interfaceref && $interfaceref->{options}{port} ) { - "-i $interfaceref->{bridge} -m physdev --physdev-in $interface "; + if ( $nodev ) { + "-m physdev --physdev-in $interface "; + } else { + my $bridgeref = find_interface $interfaceref->{bridge}; + "-i $bridgeref->{physical} -m physdev --physdev-in $interface "; + } } else { "-i $interface "; } @@ -2666,16 +2756,26 @@ sub match_source_dev( $ ) { # # Match Dest device # -sub match_dest_dev( $ ) { - my $interface = shift; +sub match_dest_dev( $;$ ) { + my ( $interface, $nodev ) = @_;; my $interfaceref = known_interface( $interface ); $interface = $interfaceref->{physical} if $interfaceref; return '' if $interface eq '+'; if ( $interfaceref && $interfaceref->{options}{port} ) { - if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { - "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; + if ( $nodev ) { + if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { + "-m physdev --physdev-is-bridged --physdev-out $interface "; + } else { + "-m physdev --physdev-out $interface "; + } } else { - "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; + my $bridgeref = find_interface $interfaceref->{bridge}; + + if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { + "-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface "; + } else { + "-o $bridgeref->{physical} -m physdev --physdev-out $interface "; + } } } else { "-o $interface "; diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 0aa1ba640..88cc8986a 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
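Review bot: The new `$nodev` parameter on `match_dest_dev` (and on `match_source_dev` in the previous hunk) is undocumented, and the header comment still reads just `Match Dest device`; from the Misc.pm callers it is passed as true when the rule is being added to the bridge's own `output_chain`, where the `-o <bridge>` match would be redundant. I would say so above the sub: `# $nodev: omit the -o <bridge> match; the caller is already in the bridge's chain and only needs the physdev port match`. Both functions also carry a stray second semicolon in `my ( $interface, $nodev ) = @_;;`. The two functions are shown in full, but the surrounding file is not.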
@@ -55,7 +55,7 @@ our $family; # sub initialize_package_globals() { Shorewall::Config::initialize($family); - Shorewall::Chains::initialize ($family); + Shorewall::Chains::initialize ($family, 1); Shorewall::Zones::initialize ($family); Shorewall::Nat::initialize; Shorewall::Providers::initialize($family); @@ -818,7 +818,7 @@ sub compiler { # We must reinitialize Shorewall::Chains before generating the iptables-restore input # for stopping the firewall # - Shorewall::Chains::initialize( $family ); + Shorewall::Chains::initialize( $family, 0 ); initialize_chain_table; # # S T O P _ F I R E W A L L @@ -882,7 +882,7 @@ sub compiler { # Re-initialize the chain table so that process_routestopped() has the same # environment that it would when called by compile_stop_firewall(). # - Shorewall::Chains::initialize( $family ); + Shorewall::Chains::initialize( $family , 0 ); initialize_chain_table; if ( $debug ) { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index e9ed3b482..1efa4a3d9 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -37,6 +37,7 @@ use File::Temp qw/ tempfile tempdir /; use Cwd qw(abs_path getcwd); use autouse 'Carp' => qw(longmess confess); use Scalar::Util 'reftype'; +use FindBin; our @ISA = qw(Exporter); # @@ -137,7 +138,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_18'; +our $VERSION = '4.4_19'; # # describe the current command, it's present progressive, and it's completion. @@ -410,7 +411,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.18.1", + VERSION => "4.4.19-Beta4", CAPVERSION => 40417 , ); # 
@@ -2906,7 +2907,7 @@ sub get_params() { if ( -f $fn ) { progress_message2 "Processing $fn ..."; - my $command = "$globals{SHAREDIRPL}/getparams $fn " . join( ':', @config_path ); + my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path ); # # getparams silently sources the params file under 'set -a', then executes 'export -p' # @@ -2947,7 +2948,7 @@ sub get_params() { } } } - } elsif ( $params[0] =~ /^export (.*?)="/ || $params[0] =~ /^export ([^\s=]+)\s*$/ ) { + } elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) { # # getparams interpreted by older (e.g., RHEL 5) Bash # @@ -3004,7 +3005,7 @@ sub get_params() { print "PARAMS:\n"; my $value; while ( ($variable, $value ) = each %params ) { - print " $variable='$value'\n"; + print " $variable='$value'\n" unless $compiler_params{$variable}; } } } @@ -3084,6 +3085,7 @@ sub get_configuration( $ ) { get_capabilities( $export ); + $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; if ( my $rate = $config{LOGLIMIT} ) { diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 733e5ef30..0b0e29f83 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -45,7 +45,7 @@ our @EXPORT = qw( process_tos generate_matrix ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_18'; +our $VERSION = '4.4_19'; our $family; 
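Review bot: `my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );` now locates the helper relative to the running script's directory instead of the configured `SHAREDIRPL`, so if the compiler is ever run from a copied or relocated script the helper is not found even though the share directory is known; a fallback keeps both working: `my $getparams = -x "$FindBin::Bin/getparams" ? "$FindBin::Bin/getparams" : "$globals{SHAREDIRPL}/getparams";`. Independently, `$fn` and the config path are interpolated into the command string unquoted; if that string is handed to a shell, a configuration directory containing spaces or shell metacharacters breaks the call. How `$command` is executed, and the rest of `get_params`, are outside the hunk, so the quoting point should be checked there.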
@@ -1036,13 +1036,40 @@ sub add_interface_jumps { my $outputref = $filter_table->{output_chain $interface}; my $interfaceref = find_interface($interface); - add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge}; + if ( $interfaceref->{options}{port} ) { + my $bridge = $interfaceref->{bridge}; + add_rule ( $filter_table->{forward_chain $bridge}, + match_source_dev( $interface, 1) . match_dest_dev( $interface, 1) . '-j ACCEPT' + ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge}; - add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref; - add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref; + add_jump( $filter_table->{forward_chain $bridge} , + $forwardref , + 0, + match_source_dev( $interface, 1 ) + ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref; - unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) { - add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ); + add_jump( $filter_table->{input_chain $bridge }, + $inputref , + 0, + match_source_dev( $interface, 1 ) + ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref; + + unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) { + add_jump( $filter_table->{output_chain $bridge} , + $outputref , + 0 , + match_dest_dev( $interface, 1 ) ) + unless get_interface_option( $interface, 'port' ); + } + } else { + add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . 
'-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge}; + + add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref; + add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref; + + unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) { + add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ); + } } } @@ -1077,6 +1104,7 @@ sub generate_matrix() { our %input_jump_added = (); our %output_jump_added = (); our %forward_jump_added = (); + my %ipsec_jump_added = (); progress_message2 'Generating Rule Matrix...'; progress_message ' Handling blacklisting and complex zones...'; 
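Review bot: The `else` branch of the new `if ( $interfaceref->{options}{port} )` adds the bridge ACCEPT rule to `$filter_table->{FORWAR}`, not `FORWARD`; no such key is set anywhere in this patch, so for a non-port bridge interface with no nets `add_rule` receives `undef` (or autovivifies a bogus chain entry) instead of the filter FORWARD chain the removed line targeted. The fix is the one-character change `add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};`. This path is only reached when `nets` is empty and the interface has the `bridge` option, which is presumably why it has not shown up in testing. `add_interface_jumps` begins outside the hunk.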
@@ -1143,12 +1171,31 @@ sub generate_matrix() { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { my $sourcechainref = $filter_table->{forward_chain $interface}; my $interfacematch = ''; + my $interfaceref = find_interface $interface; if ( use_forward_chain( $interface, $sourcechainref ) ) { - add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + if ( $interfaceref->{ports} && $interfaceref->{options}{bridge} ) { + $interfacematch = match_source_dev $interface; + copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++; + $sourcechainref = $filter_table->{FORWARD}; + } elsif ( $interfaceref->{options}{port} ) { + add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } , + $sourcechainref , + 0 , + match_source_dev( $interface , 1 ) ) + unless $forward_jump_added{$interface}++; + } else { + add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + } } else { - $sourcechainref = $filter_table->{FORWARD}; - $interfacematch = match_source_dev $interface; + if ( $interfaceref->{options}{port} ) { + $sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} }; + $interfacematch = match_source_dev $interface, 1; + } else { + $sourcechainref = $filter_table->{FORWARD}; + $interfacematch = match_source_dev $interface; + } + move_rules( $filter_table->{forward_chain $interface} , $frwd_ref ); } @@ -1235,6 +1282,9 @@ sub generate_matrix() { for my $typeref ( values %$source_hosts_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { my $arrayref = $typeref->{$interface}; + my $interfaceref = find_interface $interface; + my $isport = $interfaceref->{options}{port}; + my $bridge = $interfaceref->{bridge}; if ( get_physical( $interface ) eq '+' ) { # 
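Review bot: `copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;` runs inside the per-interface loop but is gated on a per-zone key, so if a zone has more than one bridge interface with `ports`, only the first interface's forward-chain rules are copied into `$frwd_ref` and the others are silently skipped (this assumes `$zone` is the enclosing loop variable, which is outside the hunk). If the intent is once per interface, the key should be the interface, e.g. `unless $bridge_rules_copied{$interface}++`; the hash `%ipsec_jump_added` declared in the previous hunk does not describe this use either way. `generate_matrix` begins and ends outside the hunk.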
@@ -1261,7 +1311,17 @@ sub generate_matrix() { if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) { $outputref = $interfacechainref; - add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; + + if ( $isport ) { + add_jump( $filter_table->{ output_chain $bridge }, + $outputref , + 0 , + match_dest_dev( $interface, 1 ) ) + unless $output_jump_added{$interface}++; + } else { + add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; + } + $use_output = 1; unless ( lc $net eq IPv6_LINKLOCAL ) { @@ -1269,6 +1329,9 @@ sub generate_matrix() { generate_source_rules ( $outputref, $vzone, $zone, $dest ); } } + } elsif ( $isport ) { + $outputref = $filter_table->{ output_chain $bridge }; + $interfacematch = match_dest_dev $interface, 1; } else { $outputref = $filter_table->{OUTPUT}; $interfacematch = match_dest_dev $interface; @@ -1323,7 +1386,17 @@ sub generate_matrix() { if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) { $inputchainref = $interfacechainref; - add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; + + if ( $isport ) { + add_jump( $filter_table->{ input_chain $bridge }, + $inputchainref , + 0 , + match_source_dev($interface, 1) ) + unless $input_jump_added{$interface}++; + } else { + add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; + } + $use_input = 1; unless ( lc $net eq IPv6_LINKLOCAL ) { 
@@ -1332,6 +1405,9 @@ sub generate_matrix() { generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target; } } + } elsif ( $isport ) { + $inputchainref = $filter_table->{ input_chain $bridge }; + $interfacematch = match_source_dev $interface, 1; } else { $inputchainref = $filter_table->{INPUT}; $interfacematch = match_source_dev $interface; @@ -1345,11 +1421,29 @@ sub generate_matrix() { if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { my $ref = source_exclusion( $exclusions, $frwd_ref ); my $forwardref = $filter_table->{forward_chain $interface}; + if ( use_forward_chain $interface, $forwardref ) { add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match ); - add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + + if ( $isport ) { + add_jump( $filter_table->{ forward_chain $bridge } , + $forwardref , + 0 , + match_source_dev( $interface , 1 ) ) + unless $forward_jump_added{$interface}++; + } else { + add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + } } else { - add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match ); + if ( $isport ) { + add_jump( $filter_table->{ forward_chain $bridge } , + $ref , + 0 , + join( '', match_source_dev( $interface, 1 ) , $source, $ipsec_in_match ) ); + } else { + add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match ); + } + move_rules ( $forwardref , $frwd_ref ); } } @@ -1461,6 +1555,7 @@ sub generate_matrix() { # for my $typeref ( values %$source_hosts_ref ) { for my $interface ( keys %$typeref ) { + my $interfaceref = find_interface $interface; my $chain3ref; my $match_source_dev = ''; my $forwardchainref = $filter_table->{forward_chain $interface}; 
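Review bot: The `$isport` branches in this hunk duplicate each `add_jump` call, differing only in the parent chain and the second argument to `match_source_dev`; the same pattern appears in the OUTPUT and INPUT hunks above, so a reader has to compare six near-identical blocks to confirm they agree. Computing the parent once removes the duplication without changing behaviour: `my $parentref = $isport ? $filter_table->{ forward_chain $bridge } : $filter_table->{FORWARD};` and `my $devmatch = match_source_dev( $interface, $isport );`, after which both `add_jump` calls become single statements (`match_source_dev` with a false second argument takes the same path as the one-argument call, as the Chains.pm hunk shows). `generate_matrix` continues outside the hunk.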
@@ -1470,13 +1565,28 @@ sub generate_matrix() { # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them # $chain3ref = $forwardchainref; - add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + + if ( $interfaceref->{options}{port} ) { + add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } , + $chain3ref, + 0 , + match_source_dev( $interface , 1 ) ) + unless $forward_jump_added{$interface}++; + } else { + add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; + } } else { # # Don't use the interface's forward chain -- move any rules in that chain to this rules chain # - $chain3ref = $filter_table->{FORWARD}; - $match_source_dev = match_source_dev $interface; + if ( $interfaceref->{options}{port} ) { + $chain3ref = $filter_table->{ forward_chain $interfaceref->{bridge} }; + $match_source_dev = match_source_dev $interface, 1; + } else { + $chain3ref = $filter_table->{FORWARD}; + $match_source_dev = match_source_dev $interface; + } + move_rules $forwardchainref, $chainref; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index c1128981f..be4c8e824 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2235,7 +2235,7 @@ sub build_zone_list( $$$\$\$ ) { # Process a Record in the rules file # sub process_rule ( ) { - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands; + my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands; process_comment, return 1 if $target eq 'COMMENT'; process_section( $source ), return 1 if $target eq 'SECTION'; 
@@ -2257,32 +2257,39 @@ sub process_rule ( ) { my $fw = firewall_zone; my @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild ); my @dest = build_zone_list ( $fw, $dest, 'DEST' , $intrazone, $wild ); + my @protos = split_list1 $protos, 'Protocol'; my $generated = 0; fatal_error "Invalid or missing ACTION ($target)" unless defined $action; + if ( @protos > 1 ) { + fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/; + } + for $source ( @source ) { for $dest ( @dest ) { my $sourcezone = (split( /:/, $source, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0]; $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone; if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) { - $generated |= process_rule1( undef, - $target, - '', - $source, - $dest, - $proto, - $ports, - $sports, - $origdest, - $ratelimit, - $user, - $mark, - $connlimit, - $time, - $headers, - $wild ); + for my $proto ( @protos ) { + $generated |= process_rule1( undef, + $target, + '', + $source, + $dest, + $proto, + $ports, + $sports, + $origdest, + $ratelimit, + $user, + $mark, + $connlimit, + $time, + $headers, + $wild ); + } } } } diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index d2f9f67b4..94550b55f 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -40,7 +40,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = '4.4_18'; +our $VERSION = '4.4_19'; our %tcs = ( T => { chain => 'tcpost', connmark => 0, @@ -476,6 +476,8 @@ sub process_simple_device() { my $number = in_hexp( $tcdevices{$device} = ++$devnum ); + my $ip32 = $family == F_IPV4 ? 'ip' : 'ip6'; + fatal_error "Unknown interface( $device )" unless known_interface $device; my $physical = physical_name $device; 
@@ -517,7 +519,7 @@ sub process_simple_device() { ); emit ( "run_tc qdisc add dev $physical handle ffff: ingress", - "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n" + "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src " . ALLIP . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n" ) if $in_bandwidth; if ( $out_part ne '-' ) { @@ -566,10 +568,12 @@ sub process_simple_device() { for ( my $i = 1; $i <= 3; $i++ ) { emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10"; - emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i"; + emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i"; emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER'; emit ''; } + + emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match $ip32 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n"; save_progress_message_short qq(" TC Device $physical defined."); diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 0b1cc512f..389259b9f 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -74,6 +74,7 @@ our @EXPORT = qw( NOTHING find_interfaces_by_option1 get_interface_option set_interface_option + interface_zones verify_required_interfaces compile_updown validate_hosts_file @@ -84,7 +85,7 @@ our @EXPORT = qw( NOTHING ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_17'; +our $VERSION = '4.4_19'; # # IPSEC Option types 
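Review bot: The ACK filter added at the end of the `-566` hunk is only made family-aware by swapping `ip` for `ip6` through `$ip32`, while the byte offsets appear to stay IPv4-specific: `u8 0x05 0x0f at 0` tests the IPv4 IHL nibble, `u16 0x0000 0xffc0 at 2` reads the IPv4 total length and `at 33` is the flags byte of a TCP header that follows a 20-byte IPv4 header. In an IPv6 packet byte 0 carries the version nibble, the payload length sits at offset 4 and, absent extension headers, the TCP flags byte is at offset 53, so on an ip6 device this rule would seem never to match and ACKs would stay in their tcpri class. Unless the offsets are meant to differ per family, building the match once, `my $ackmatch = $family == F_IPV4 ? 'match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33' : 'match ip6 protocol 6 0xff match u16 0x0000 0xffc0 at 4 match u8 0x10 0xff at 53';`, and emitting `... prio 1 u32 $ackmatch flowid $number:1` would cover both. A comment saying that the masked length test means "shorter than 64 bytes, i.e. no payload" would also help the next reader. `process_simple_device` continues outside the hunk.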
@@ -146,16 +147,20 @@ our %reservedName = ( all => 1, # %interfaces { => { name => # root => # options => { port => undef|1 -# = , #See %validinterfaceoptions +# { } => , #See %validinterfaceoptions # ... # } # zone => +# multizone => undef|1 #More than one zone interfaces through this interface # nets => # bridge => +# ports => +# ipsec => undef|1 # Has an ipsec host group # broadcasts => 'none', 'detect' or [ , , ... ] # number => # physical => # base => +# zones => { zone1 => 1, ... } # } # } # @@ -668,6 +673,7 @@ sub add_group_to_zone($$$$$) my $interfaceref; my $zoneref = $zones{$zone}; my $zonetype = $zoneref->{type}; + $zoneref->{interfaces}{$interface} = 1; @@ -680,6 +686,8 @@ sub add_group_to_zone($$$$$) for my $host ( @$networks ) { $interfaceref = $interfaces{$interface}; + $interfaceref->{zones}{$zone} = 1; + $interfaceref->{nets}++; fatal_error "Invalid Host List" unless defined $host and $host ne ''; @@ -883,6 +891,7 @@ sub process_interface( $$ ) { fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge}; + $interfaces{$interface}{ports}++; fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT; if ( $zone ) { @@ -1100,7 +1109,8 @@ sub process_interface( $$ ) { options => \%options , zone => '', physical => $physical , - base => chain_base( $physical ) + base => chain_base( $physical ), + zones => {}, }; if ( $zone ) { @@ -1306,6 +1316,16 @@ sub source_port_to_bridge( $ ) { return $portref ? $portref->{bridge} : ''; } + +# +# Returns a hash reference for the zones interface through the interface +# +sub interface_zones( $ ) { + my $interfaceref = $interfaces{(shift)}; + + $interfaceref->{zones}; +} + # # Return the 'optional' setting of the passed interface # 
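Review bot: The header comment on the new `interface_zones` sub in the `-1306` hunk, "Returns a hash reference for the zones interface through the interface", does not say what the keys and values are; the `%interfaces` layout comment updated earlier in this file gives `zones => { zone1 => 1, ... }`, so `# Returns a reference to the { zone => 1 } hash of zones that interface through the named interface` would match it. For a name that is not in `%interfaces` the sub returns `undef` without a `fatal_error`, unlike the `{root}` checks elsewhere in this file, which is worth stating in the comment so callers know to test the result.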
@@ -1690,7 +1710,7 @@ sub process_host( ) { fatal_error "Unknown ZONE ($zone)" unless $type; fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL; - my $interface; + my ( $interface, $interfaceref ); if ( $family == F_IPV4 ) { if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) { @@ -1703,7 +1723,7 @@ sub process_host( ) { fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/; } - fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; + fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root}; } else { fatal_error "Invalid HOST(S) column contents: $hosts"; } @@ -1711,16 +1731,16 @@ sub process_host( ) { $interface = $1; $hosts = $2; $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/; - fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root}; + fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root}; } else { fatal_error "Invalid HOST(S) column contents: $hosts"; } if ( $type == BPORT ) { if ( $zoneref->{bridge} eq '' ) { - fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port}; + fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port}; $zoneref->{bridge} = $interfaces{$interface}{bridge}; - } elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { + } elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) { fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; } } @@ -1736,7 +1756,7 @@ sub process_host( ) { require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's'; $type = IPSEC; $zoneref->{options}{complex} = 1; - $ipsec = 1; + $ipsec = $interfaceref->{ipsec} = 1; } elsif ( $option eq 'norfc1918' ) { warning_message "The 'norfc1918' host option is no longer supported" } elsif ( $option eq 'blacklist' ) { 
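Review bot: In the `-1711` hunk the two neighbouring lines were switched to the new `$interfaceref`, but `$zoneref->{bridge} = $interfaces{$interface}{bridge};` between them still goes through the hash lookup, so the same record is reached two ways within three lines. `$zoneref->{bridge} = $interfaceref->{bridge};` keeps the block consistent with the `elsif` comparison right below it. `process_host` starts before and ends after these hunks.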
@@ -1778,6 +1798,7 @@ sub process_host( ) { $ipsets{"${zone}_${physical}"} = 1; } + # # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers. # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 64f744cf3..ec34a8704 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,10 +1,42 @@ -Changes in Shorewall 4.4.18.1 +Changes in Shorewall 4.4.19 RC 1 -1) Fix params processing bug. +1) Fix logical naming and bridge. -2) Tighten editing of TC_PRIOMAP value. +Changes in Shorewall 4.4.19 Beta 4 -3) Fix the Lite installers +1) Handle mis-configured ipsec host group on a bridge. + +2) Significantly improve bridge/ports handling. + +3) Allow port-lists in /etc/shorewall/rules. + +Changes in Shorewall 4.4.19 Beta 3 + +1) Allow /usr executables to be installed in a designated location. + +2) Allow Shorewall perl modules to be installed in a designated + location. + +Changes in Shorewall 4.4.19 Beta 2 + +1) Minor rework of init-log creation in the installer. + +2) Add VRRP macro. + +3) Fix more params processing bugs. + +4) Do a better job of editing ICMP type lists. + +5) Allow /usr executables to be installed in a designated location. + +6) Allow Shorewall perl modules to be installed in a designated + location. + +Changes in Shorewall 4.4.19 Beta 1 + +1) Place ACK packets in the highest priority band. + +2) Break ICMP lists into individual rules. Changes in Shorewall 4.4.18 Final diff --git a/Shorewall/install.sh b/Shorewall/install.sh index e01f7ddad..5edb1c7b5 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -107,6 +107,9 @@ fi SPARSE= MANDIR=${MANDIR:-"/usr/share/man"} +[ -n "${LIBEXEC:=share}" ] +[ -n "${PERLLIB:=share/shorewall}" ] + INSTALLD='-D' case $(uname) in 
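Review bot: The `-107` hunk takes `LIBEXEC` and `PERLLIB` from the environment and only defaults them; nothing rejects a value that later hunks splice into `mkdir -p`, an `eval`ed `sed` expression and, in uninstall.sh, `rm -rf /usr/${LIBEXEC}/shorewall`. A leading `/`, whitespace or a `|` (the sed delimiter) in either value would yield paths and commands outside the intended tree, so a guard placed after the defaults, `case "$LIBEXEC" in /*|*..*|*[\ \|]*) echo "Invalid LIBEXEC" >&2; exit 1;; esac` (and the same for `PERLLIB`), would fail early. The `:` builtin is also the usual way to apply a default, `: "${LIBEXEC:=share}"`, since `[ -n ... ]` can never be false after `:=`.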
@@ -233,9 +236,13 @@ fi if [ -z "$CYGWIN" ]; then install_file shorewall ${DESTDIR}/sbin/shorewall 0755 echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall" + eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall + eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall else install_file shorewall ${DESTDIR}/bin/shorewall 0755 echo "shorewall control program installed in ${DESTDIR}/bin/shorewall" + eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall + eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall fi # @@ -258,7 +265,8 @@ fi # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed # mkdir -p ${DESTDIR}/etc/shorewall -mkdir -p ${DESTDIR}/usr/share/shorewall +mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall +mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles mkdir -p ${DESTDIR}/var/lib/shorewall @@ -326,7 +334,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755 echo -echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup" +echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup" # # Install the policy file @@ -816,14 +824,14 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall # cd Perl -install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755 +install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755 echo echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl" # # Install the params file helper # -install_file getparams ${DESTDIR}/usr/share/shorewall/getparams 0755 +install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755 echo echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams" 
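Review bot: The `-233` hunk runs `sed -i` through `eval` with `$LIBEXEC` and `$PERLLIB` expanded into the text that is re-parsed, which is harder to read than a plainly quoted expression and subjects the values to a second round of shell parsing; `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall` does the same job without `eval`. This branch is also taken for every non-Cygwin system, and BSD/macOS `sed -i` requires a suffix argument, so on the MAC case that `case $(uname)` above already distinguishes the `s|...` expression would be consumed as the backup suffix; the MAC handling is outside the hunk, so please confirm how `-i` is dealt with there.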
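Review bot: In the `-326` hunk only the message was changed: `install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755` still copies into `/usr/share/shorewall`, yet the echo now reports `/usr/${LIBEXEC}/shorewall/wait4ifup`, and the release notes in this commit list wait4ifup among the files relocated by LIBEXEC. The install line should read `install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755`. The `-816` hunk has the opposite drift: compiler.pl and getparams are installed under `${LIBEXEC}` but both echo lines still print `/usr/share/shorewall/...`.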
@@ -831,8 +839,8 @@ echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams" # Install the libraries # for f in Shorewall/*.pm ; do - install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644 - echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f" + install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644 + echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f" done # # Install the program skeleton files @@ -893,6 +901,7 @@ fi if [ -z "$DESTDIR" ]; then rm -rf /usr/share/shorewall-perl rm -rf /usr/share/shorewall-shell + [ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall fi if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 092e6e180..e521b4c56 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1,26 +1,3 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. -2) An issue with params processing on RHEL6 manifested as the - following type of warning: - - - WARNING: Param line (export OLDPWD) ignored at - /usr/share/shorewall/Shorewall/Config.pm line - 2993. - - Corrected in Shorewall 4.4.18.1 - -3) The Shorewall Lite and Shorewall6 Lite installers fail to install - the 'helpers' modules file, with the result that both - 'shorewall[6]-lite show capabilities' and 'shorecap' fail. - - Workaround: Copy the 'helpers' file from the Administrative System - to the firewall system. - - Corrected in Shorewall 4.4.18.1 - -4) If an icmp or icmp6 type/code is specified in the tcfilters file, a - run-time error occurs. - - Corrected in Shorewall 4.4.18.1 diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 0a858e1fc..c323ddd95 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli 
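Review bot: The `-893` hunk removes the old `/usr/share/shorewall/Shorewall` module tree when `PERLLIB` points elsewhere, but there is no matching cleanup for `LIBEXEC`: an upgrade from a release that installed compiler.pl, getparams and wait4ifup in `/usr/share/shorewall` (the old destinations visible in the `-816` hunk) would leave those copies behind when `LIBEXEC` is not `share`. A symmetric line, `[ "$LIBEXEC" != share ] && rm -f /usr/share/shorewall/compiler.pl /usr/share/shorewall/getparams /usr/share/shorewall/wait4ifup`, inside the same `DESTDIR`-empty block would leave no stale executables on the host.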
@@ -687,8 +687,17 @@ show_command() { ;; config) . ${SHAREDIR}/configpath - echo "Default CONFIG_PATH is $CONFIG_PATH" - [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" + if [ -n "$g_filemode" ]; then + echo "CONFIG_PATH=$CONFIG_PATH" + echo "VARDIR=$VARDIR" + echo "LIBEXEC=$g_libexec" + [ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR" + else + echo "Default CONFIG_PATH is $CONFIG_PATH" + echo "Default VARDIR is $VARDIR" + echo "LIBEXEC is $g_libexec" + [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" + fi ;; chain) shift diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 2ef4c4d94..10f0704b8 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,6 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 8 . 1 + S H O R E W A L L 4 . 4 . 1 9 + B E T A 4 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
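Review bot: The wording of the non-filemode lines in the `-687` hunk appears to have become a machine interface: `Shorewall/shorewall` in this commit runs `shorewall-lite show config` over rsh and extracts the value with `grep ^LIBEXEC | sed 's/LIBEXEC is //'`, so a future rewording here would silently fall back to `share` on the administrative side. If shorewall-lite shares this lib.cli, a comment above the echo such as `# "LIBEXEC is ..." is parsed by shorewall's reload command -- keep the wording in sync` would protect the contract.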
@@ -13,78 +14,41 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -4.4.18.1 +RC 1 -1) An issue with params processing on RHEL6 has been corrected. The +1) Correct a problem introduced in Beta 4 whereby incorrect Netfilter + rules were generated when a bridge with ports was given a logical + name. + +Beta 4 + +1) If a bridge interface had subordinate ports defined in + /etc/shorewall/interface, then an ipsec entry (either ipsec zone or + the 'ipsec' option specified) in /etc/shorewall/hosts resulted in + the compiler generating an incorrect Netfilter configuration. + +Beta 3 + +None. + +Beta 2 + +1) A correction to the Beta 1 fix for params processing has been + included. + +2) Editing of ICMP type lists has been improved. + +Beta 1 + +1) Previously /var/log/shorewall*-init.log was created in the wrong + Selinux context. The rpm's have been modified to correct that + issue. + +2) An issue with params processing on RHEL6 has been corrected. The problem manifested as the following type of warning: WARNING: Param line (export OLDPWD) ignored at - /usr/share/shorewall/Shorewall/Config.pm line - 2993. - -2) The editing of the value of the TC_PRIOMAP option has been - tightened. Previously, many invalid settings were allowed, - resulting in run-time tc command failures. - -3) The Shorewall Lite and Shorewall6 Lite installers now install the - 'helpers' modules file. Previously, this file was not installed - with the result that both 'shorewall[6]-lite show capabilities' and - 'shorecap' failed. - -4) Previously, if an icmp or icmp6 type which included both a type and - a code was used in the tcfilters file, 'start' and 'restart' would - fail with a 'tc' error. 
- -4.4.18 Final - -1) Previously, if an IPv6 host address (no "/") was used in a - context where a network address is allowed, the compiler failed to - supply the default of 128. This could lead to startup errors - and/or Perl errors such as: - - Use of uninitialized value $mask in concatenation (.) or - string at /usr/share/shorewall/Shorewall/Tc.pm line 979, - <$currentfile> line 11. - -2) The option for the IN-BANDWIDTH column of tcdevices was - previously not recognized. That functionality has been restored. - -3) If an interface mentioned in the tcfilters file was not up when - Shorewall was started or restarted, then the command would fail - at run-time with a 'tc' error message. - -4.4.18 RC 1 - -1) None. - -4.4.18 Beta 4 - -1) Edting of the MARK column has been tighened to catch errors at - compile time rather than at run time. - -2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz" - to get the most common suffixes at the front of the list. It is - still recommended that you modify this setting to include only the - suffix(es) used on your system. Current distributions use 'ko' - almost exclusively. - -4.4.18 Beta 2 - -1) Previously, the 'local' option in /etc/shorewall6/providers would - produce an 'ip route add' command containing an IPv4 address. It now - correctly uses the equivalent IPv6 address. Note that this option - is still undocumented for use with IPv6. - -2) When optimize level 4 was set, the optimizer mis-handled rules of the - form: - - -A -j -m comment ... - - when such a rule was the only rule in a chain. - -4.4.18 Beta 1 - -None. + /usr/share/shorewall/Shorewall/Config.pm line 2993. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G 
@@ -97,87 +61,62 @@ None. I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The modules files are now just a driver that INCLUDEs several new - files and one old file: +1) When TC_ENABLED=Simple, ACK packets are now placed in the highest + priority class. An ACK packet is a TCP packet with the ACK flag set + and no data payload. - - /usr/share/shorewall[6]/modules.essential # Essential modules - - /usr/share/shorewall[6]/modules.xtables # xt_ modules - - /usr/share/shorewall[6]/helpers # Existing file - - /usr/share/shorewall/ipset # ipset modules - - /usr/share/shorewall[6]/modules.tc # Traffic Shaping - - /usr/share/shorewall[6]/modules.extensions # Other extensions + Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming + and outgoing connections. If a particular application, SMTP for + example, is placed in priority class 3, then outgoing ACK packets + for incoming email were previously placed in priority class 3 as + well. This could have the effect of slowing down incoming mail when + the goal was to give outgoing mail a lower priority. By + unconditionally placing ACK packets in priority class 1, this issue + is avoided. - This should make it easier to configure your own - /etc/shorewall[6]/modules file that won't be obsolete when you - upgrade your Shorewall/Shorewall6 installation. +2) Up to this point, the Perl-based rules compiler has not accepted + ICMP type lists. This is in contrast to the shell-based compiler + which did support such lists. - For example, if you don't use traffic shaping or ipsets, you can - remove those from your copy of the modules file (copy in - /etc/shorewall/). + Support for ICMP (and ICMPv6) type lists has now been restored. -2) Traditionally, the root of the Shorewall accounting rules has been - the 'accounting' chain. 
Having a single root chain has drawbacks: +3) Distributions have different philosophies about the proper file + hierarchy. Two issures are particularly contentious: - - Many rules are traversed needlessly (they could not possibly - match traffic). - - At any time, the Netfilter team could begin generating errors - when loading those same rules. - - MAC addresses may not be used in the accounting rules. - - The 'accounting' chain cannot be optimized when - OPTIMIZE_ACCOUNTING=Yes. + - Executable files in /usr/share/shorewall*. These include; - In addition, currently the rules may be defined in any order so the - rules compiler must post-process the ruleset to alert the user to - unreferenced chains. + getparams + compiler.pl + wait4ifup + shorecap + ifupdown - Beginning with Shorewall 4.4.18, the accounting structure can be - created with three root chains: + - Perl Modules in /usr/share/shorewall/Shorewall. - - accountin: Rules that are valid in the INPUT chain (may not - specify an output interface). - - accountout: Rules that are valid in the OUTPUT chain (may not - specify an input interface or a MAC address). - - accountfwd: Other rules. + To allow distributions to designate alternate locations for these + files, the installers (install.sh) now support the following + environmental variables: - The new structure is enabled by sectioning the accounting file in a - manner similar to the rules file. + LIBEXEC -- determines where in /usr getparams, compiler.pl, + wait4ifup, shorecap and ifupdown are installed. Shorewall and + Shorewall6 must be installed with the same value of LIBEXEC. The + listed executables are installed in /usr/${LIBEXEC}/shorewall*. The + default value of LIBEXEC is 'share'. LIBEXEC is recognized by all + installers and uninstallers. - The sections are INPUT, OUTPUT and FORWARD and must appear in that - order (although any of them may be omitted). 
The first - non-commentary record in the accounting file must be a section - header when sectioning is used. + PERLLIB -- determines where in /usr the Shorewall perl modules are + installed. Shorewall and Shorewall6 must be installed with the same + value of PERLLIB. The modules are installed in + /usr/${PERLLIB}/Shorewall. The default value of PERLLIB is + 'share/shorewall'. PERLLIB is only recognized by the Shorewall and + Shorewall6 installers and the same value must be passed to both + installers. - When sections are enabled: +4) Bridge/ports handling has been significantly improved, resulting in + packets to/from bridges traversing fewer rules. - - You must jump to a user-defined accounting chain before you can - add rules to that chain. This eliminates the possibility of - unreferenced chains. - - You may not specify an output interface in the INPUT section. - - In the OUTPUT section: - - You may not specify an input interface - - You may not jump to a chain defined in the INPUT section that - specifies an input interface - - You may not specify a MAC address - - You may not jump to a chain defined in the INPUT section that - specifies specifies a MAC address. - - The default value of the CHAIN column is: - - 'accountin' in the INPUT section - - 'accountout' in the OUTPUT section - - 'accountfwd' in the FORWARD section - - Traffic addressed to the firewall goes through the rules defined - in the INPUT section. - - Traffic originating on the firewall goes through the rules - defined in the OUTPUT section. - - Traffic being forwarded through the firewall goes through the - rules defined in the FORWARD section. - - As part of this change, the USER/GROUP column must now be empty - except in the OUTPUT section. This is consistent with recent - Netfilter releases which disallow the owner match in rules - reachable from the INPUT and FORWARD hooks. - -3) Internals Change: The Policy.pm module has been merged into the - Rules.pm module. 
+5) A list of protocols is now permitted in the PROTO column of the + rules file. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S 
@@ -408,6 +347,147 @@ None. ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 8 +---------------------------------------------------------------------------- + +4.4.18 Final + +1) Previously, if an IPv6 host address (no "/") was used in a + context where a network address is allowed, the compiler failed to + supply the default of 128. This could lead to startup errors + and/or Perl errors such as: + + Use of uninitialized value $mask in concatenation (.) or + string at /usr/share/shorewall/Shorewall/Tc.pm line 979, + <$currentfile> line 11. + +2) The option for the IN-BANDWIDTH column of tcdevices was + previously not recognized. That functionality has been restored. + +3) If an interface mentioned in the tcfilters file was not up when + Shorewall was started or restarted, then the command would fail + at run-time with a 'tc' error message. + +4.4.18 RC 1 + +1) None. + +4.4.18 Beta 4 + +1) Edting of the MARK column has been tighened to catch errors at + compile time rather than at run time. + +2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz" + to get the most common suffixes at the front of the list. It is + still recommended that you modify this setting to include only the + suffix(es) used on your system. Current distributions use 'ko' + almost exclusively. + +4.4.18 Beta 2 + +1) Previously, the 'local' option in /etc/shorewall6/providers would + produce an 'ip route add' command containing an IPv4 address. It now + correctly uses the equivalent IPv6 address. Note that this option + is still undocumented for use with IPv6. + +2) When optimize level 4 was set, the optimizer mis-handled rules of the + form: + + -A -j -m comment ... + + when such a rule was the only rule in a chain. 
+ +4.4.18 Beta 1 + +None. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 8 +---------------------------------------------------------------------------- + +1) The modules files are now just a driver that INCLUDEs several new + files and one old file: + + - /usr/share/shorewall[6]/modules.essential # Essential modules + - /usr/share/shorewall[6]/modules.xtables # xt_ modules + - /usr/share/shorewall[6]/helpers # Existing file + - /usr/share/shorewall/ipset # ipset modules + - /usr/share/shorewall[6]/modules.tc # Traffic Shaping + - /usr/share/shorewall[6]/modules.extensions # Other extensions + + This should make it easier to configure your own + /etc/shorewall[6]/modules file that won't be obsolete when you + upgrade your Shorewall/Shorewall6 installation. + + For example, if you don't use traffic shaping or ipsets, you can + remove those from your copy of the modules file (copy in + /etc/shorewall/). + +2) Traditionally, the root of the Shorewall accounting rules has been + the 'accounting' chain. Having a single root chain has drawbacks: + + - Many rules are traversed needlessly (they could not possibly + match traffic). + - At any time, the Netfilter team could begin generating errors + when loading those same rules. + - MAC addresses may not be used in the accounting rules. + - The 'accounting' chain cannot be optimized when + OPTIMIZE_ACCOUNTING=Yes. + + In addition, currently the rules may be defined in any order so the + rules compiler must post-process the ruleset to alert the user to + unreferenced chains. + + Beginning with Shorewall 4.4.18, the accounting structure can be + created with three root chains: + + - accountin: Rules that are valid in the INPUT chain (may not + specify an output interface). + - accountout: Rules that are valid in the OUTPUT chain (may not + specify an input interface or a MAC address). + - accountfwd: Other rules. 
+ + The new structure is enabled by sectioning the accounting file in a + manner similar to the rules file. + + The sections are INPUT, OUTPUT and FORWARD and must appear in that + order (although any of them may be omitted). The first + non-commentary record in the accounting file must be a section + header when sectioning is used. + + When sections are enabled: + + - You must jump to a user-defined accounting chain before you can + add rules to that chain. This eliminates the possibility of + unreferenced chains. + - You may not specify an output interface in the INPUT section. + - In the OUTPUT section: + - You may not specify an input interface + - You may not jump to a chain defined in the INPUT section that + specifies an input interface + - You may not specify a MAC address + - You may not jump to a chain defined in the INPUT section that + specifies specifies a MAC address. + - The default value of the CHAIN column is: + - 'accountin' in the INPUT section + - 'accountout' in the OUTPUT section + - 'accountfwd' in the FORWARD section + - Traffic addressed to the firewall goes through the rules defined + in the INPUT section. + - Traffic originating on the firewall goes through the rules + defined in the OUTPUT section. + - Traffic being forwarded through the firewall goes through the + rules defined in the FORWARD section. + + As part of this change, the USER/GROUP column must now be empty + except in the OUTPUT section. This is consistent with recent + Netfilter releases which disallow the owner match in rules + reachable from the INPUT and FORWARD hooks. + +3) Internals Change: The Policy.pm module has been merged into the + Rules.pm module. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 7 ---------------------------------------------------------------------------- 
@@ -3103,7 +3183,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S hence will now start successfully when running on that kernel. 14) Three new options (IP, TC and IPSET) have been added to - shorewall.conf and shorwall6.conf. These options specify the name + shorewall.conf and shorewall6.conf. These options specify the name of the executable for the 'ip', 'tc' and 'ipset' utilities respectively. diff --git a/Shorewall/shorewall b/Shorewall/shorewall index d481b2896..44b00ef8b 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -363,7 +363,11 @@ compiler() { PERL=/usr/bin/perl fi - $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@ + if [ $g_perllib = share/shorewall ]; then + $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@ + else + PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@ + fi } # @@ -1135,6 +1139,8 @@ reload_command() # $* = original arguments less the command. getcaps= local root root=root + local libexec + libexec=share litedir=/var/lib/shorewall-lite @@ -1195,6 +1201,10 @@ reload_command() # $* = original arguments less the command. [ -n "$temp" ] && litedir="$temp" + temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') + + [ -n "$temp" ] && libexec="$temp" + if [ -z "$getcaps" ]; then SHOREWALL_DIR=$(resolve_file $directory) ensure_config_path 
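Review bot: In the `-363` hunk the alternative-location branch sets `PERL5LIB=$g_perllib`, but `g_perllib` is the component below `/usr` (its default is `share/shorewall`, and install.sh creates `${DESTDIR}/usr/${PERLLIB}/Shorewall`), so perl receives a relative include directory resolved against the current working directory instead of `/usr/$g_perllib`. The line should be `PERL5LIB=/usr/$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@`. The test `[ $g_perllib = share/shorewall ]` is also safer quoted, `[ "$g_perllib" = share/shorewall ]`, so an empty value does not turn into a syntax error. `compiler()` begins above the hunk.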
@@ -1211,7 +1221,7 @@ reload_command() # $* = original arguments less the command. [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')" progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then + if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then fatal_error "ERROR: Capturing capabilities on system $system failed" fi fi @@ -1574,6 +1584,8 @@ CONFDIR=/etc/shorewall g_product="Shorewall" g_recovering= g_timestamp= +g_libexec=share +g_perllib=share/shorewall [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 3486d60a9..524829a5e 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 4.4.18 -%define release 1 +%define version 4.4.19 +%define release 0Beta4 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -109,10 +109,12 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog -* Sat Mar 19 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 -* Sun Mar 13 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 +* Sat Apr 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta4 +* Sat Mar 26 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta3 +* Sat Mar 05 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta1 * Wed Mar 02 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.18-0base * Mon Feb 28 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 3cfd58df2..c1d02b70a 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -72,6 +72,9 @@ else VERSION="" fi +[ -n "${LIBEXEC:=share}" ] +[ -n "${PERLLIB:=share/shorewall}" ] + echo "Uninstalling shorewall $VERSION" if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then @@ -106,6 +109,8 @@ rm -rf /etc/shorewall rm -rf /etc/shorewall-*.bkout rm -rf /var/lib/shorewall rm -rf /var/lib/shorewall-*.bkout +rm -rf /usr/$PERLLIB}/Shorewall/* +rm -rf /usr/${LIBEXEC}/shorewall rm -rf /usr/share/shorewall rm -rf /usr/share/shorewall-*.bkout rm -rf /usr/share/man/man5/shorewall* diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 6e52ff3ed..8ed023c8b 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -123,6 +123,7 @@ done PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +[ -n "${LIBEXEC:=share}" ] # # Determine where to install the firewall script # @@ -187,6 +188,7 @@ else rm -rf ${DESTDIR}/etc/shorewall6-lite rm -rf ${DESTDIR}/usr/share/shorewall6-lite rm -rf ${DESTDIR}/var/lib/shorewall6-lite + [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap fi # @@ -202,6 +204,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544 +eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite + echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite" # 
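Review bot: The first added line of the Shorewall/uninstall.sh hunk `@@ -106,6 +109,8 @@`, `rm -rf /usr/$PERLLIB}/Shorewall/*`, has a misplaced brace — `$PERLLIB}` expands to the variable followed by a literal `}`, so with the default value this targets `/usr/share/shorewall}/Shorewall/*` and the Perl modules the installer placed under `/usr/${PERLLIB}/Shorewall` are left behind after an uninstall. It should read `rm -rf /usr/${PERLLIB}/Shorewall/*`, in the same form as the `${LIBEXEC}` line that follows it.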
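Review bot: The line added in the Shorewall6-lite/install.sh hunk `@@ -187,6 +188,7 @@`, `rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap`, lacks the `${DESTDIR}` prefix that every neighbouring `rm -rf` in this block carries, so when DESTDIR is set for a staged build it would delete files from the build host's real /usr rather than from the staging tree. If the intent is to clean the staging tree it should read `[ "$LIBEXEC" = share ] || rm -rf ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/shorecap`; if the live system really is the target, a comment saying so would help, since the line just above already removes `${DESTDIR}/usr/share/shorewall6-lite` wholesale. The enclosing `else` branch begins above the hunk.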
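Review bot: The `eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ...` line added in the Shorewall6-lite/install.sh hunk `@@ -202,6 +204,8 @@` carries a stray pair of backticks after `\'` — an empty command substitution that contributes nothing and differs from the otherwise identical lines in the Shorewall6/install.sh hunk `@@ -226,9 +228,13 @@`. The `eval` is unnecessary in the first place: `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall6-lite` makes the same edit without a second round of shell parsing of a value taken from the environment. The same simplification applies to the four `eval sed -i` lines in that Shorewall6/install.sh hunk, which are duplicated across the `if`/`else` branches and could be run once on the chosen destination after the branch.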
@@ -223,6 +227,7 @@ echo "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT" # mkdir -p ${DESTDIR}/etc/shorewall6-lite mkdir -p ${DESTDIR}/usr/share/shorewall6-lite +mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite mkdir -p ${DESTDIR}/var/lib/shorewall6-lite chmod 755 ${DESTDIR}/etc/shorewall6-lite @@ -275,20 +280,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct # Install Shorecap # -install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755 +install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap 0755 echo -echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap" +echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap" # # Install wait4ifup # if [ -f wait4ifup ]; then - install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755 + install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup 0755 echo - echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup" + echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup" fi # diff --git a/Shorewall6-lite/shorewall6-lite b/Shorewall6-lite/shorewall6-lite index ff35c5663..2b813044c 100755 --- a/Shorewall6-lite/shorewall6-lite +++ b/Shorewall6-lite/shorewall6-lite @@ -554,6 +554,7 @@ MUTEX_TIMEOUT= SHAREDIR=/usr/share/shorewall6-lite CONFDIR=/etc/shorewall6-lite g_product="Shorewall6 Lite" +g_libexec=share [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ] diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 2e6c074d9..c7caf3c55 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite -%define version 4.4.18 -%define release 1 +%define version 4.4.19 +%define release 0Beta4 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} 
@@ -94,10 +94,12 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Sat Mar 19 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 -* Sun Mar 13 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 +* Sat Apr 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta4 +* Sat Mar 26 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta3 +* Sat Mar 05 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta1 * Wed Mar 02 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.18-0base * Mon Feb 28 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 8626f6e78..20645d2ed 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -60,6 +60,8 @@ else VERSION="" fi +[ -n "${LIBEXEC:=share}" ] + echo "Uninstalling Shorewall Lite $VERSION" if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then @@ -95,6 +97,7 @@ rm -rf /etc/shorewall6-lite-*.bkout rm -rf /var/lib/shorewall6-lite rm -rf /var/lib/shorewall6-lite-*.bkout rm -rf /usr/share/shorewall6-lite +rm -rf /usr/${LIBEXEC}/shorewall6-lite rm -rf /usr/share/shorewall6-lite-*.bkout rm -f /etc/logrotate.d/shorewall6-lite diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index fffb21bf6..152ed269f 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -110,6 +110,8 @@ MAC= MANDIR=${MANDIR:-"/usr/share/man"} SPARSE= INSTALLD='-D' +[ -n "${LIBEXEC:=share}" ] +[ -n "${PERLLIB:=share/shoreall}" ] case $(uname) in CYGWIN*) 
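Review bot: The default on the second line added in the Shorewall6/install.sh hunk `@@ -110,6 +110,8 @@` is misspelled: `[ -n "${PERLLIB:=share/shoreall}" ]` sets `share/shoreall`, not `share/shorewall`, so a default install creates `/usr/share/shoreall/` (hunk `@@ -252,7 +258,8 @@`) and patches `g_perllib=share/shoreall` into the installed shorewall6, which then fails the `[ $g_perllib = share/shorewall ]` test in `compiler()` and runs the compiler with a PERL5LIB that points at a directory holding no modules. It should read `[ -n "${PERLLIB:=share/shorewall}" ]`, matching the default in Shorewall/uninstall.sh and the one documented in docs/Install.xml.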
@@ -226,9 +228,13 @@ fi if [ -z "$CYGWIN" ]; then install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout + eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6 + eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6 echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6" else install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout + eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall6 + eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall6 echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6" fi @@ -252,7 +258,8 @@ fi # Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed # mkdir -p ${DESTDIR}/etc/shorewall6 -mkdir -p ${DESTDIR}/usr/share/shorewall6 +mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6 +mkdir -p ${DESTDIR}/usr/${PERLLIB}/ mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles mkdir -p ${DESTDIR}/var/lib/shorewall6 @@ -318,10 +325,10 @@ delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6 # Install wait4ifup # -install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755 +install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup 0755 echo -echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup" +echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup" # # Install the policy file diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index 13736ab3e..d94cd828c 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -38,7 +38,6 @@ SHOREWALL_CAPVERSION=40417 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${CONFDIR:=/etc/shorewall6}" ] -[ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ] # # Conditionally produce message 
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 1285e3e4b..57ce5aebd 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -591,8 +591,17 @@ show_command() { ;; config) . ${SHAREDIR}/configpath - echo "Default CONFIG_PATH is $CONFIG_PATH" - [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" + if [ -n "$g_filemode" ]; then + echo "CONFIG_PATH=$CONFIG_PATH" + echo "VARDIR=$VARDIR" + echo "LIBEXEC=$g_libexec" + [ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR" + else + echo "Default CONFIG_PATH is $CONFIG_PATH" + echo "Default VARDIR is $VARDIR" + echo "LIBEXEC is $g_libexec" + [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR" + fi ;; chain) shift diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index d1c078fda..c2b7ab386 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -239,7 +239,7 @@ startup_error() { # Run the appropriate compiler # compiler() { - pc=${PERLSHAREDIR}/compiler.pl + pc=/usr/$g_libexec/shorewall/compiler.pl local command command=$1 @@ -300,7 +300,11 @@ compiler() { PERL=/usr/bin/perl fi - $command $PERL $debugflags $pc $options $@ + if [ $g_perllib = share/shorewall ]; then + $command $PERL $debugflags $pc $options $@ + else + $command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@ + fi } # @@ -1068,6 +1072,8 @@ reload_command() # $* = original arguments less the command. root=root local compiler compiler= + local libexec + libexec=share litedir=/var/lib/shorewall6-lite @@ -1128,6 +1134,10 @@ reload_command() # $* = original arguments less the command. [ -n "$temp" ] && litedir=$temp + temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') + + [ -n "$temp" ] && libexec=$temp + if [ -z "$getcaps" ]; then SHOREWALL_DIR=$(resolve_file $directory) ensure_config_path 
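Review bot: The `echo "LIBEXEC is $g_libexec"` added to the non-file-mode branch of `show config` is parsed by `reload_command` in Shorewall6/shorewall6 (and Shorewall/shorewall) via `grep ^LIBEXEC | sed 's/LIBEXEC is //'`, so its exact wording is now a machine-read contract between the two programs rather than display text. A comment above the `echo`, `# "LIBEXEC is ..." is parsed by reload_command on the administrative system -- keep the wording in sync`, would stop a later rewording from silently breaking remote reloads. The `LIBEXEC=$g_libexec` form in the file-mode branch matches the same `grep ^LIBEXEC` but not the `sed`, which matters if the remote call is ever made in file mode. `show_command()` begins above this hunk.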
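Review bot: In the new `else` branch of the Shorewall6/shorewall6 `compiler()` hunk `@@ -300,7 +300,11 @@`, the environment assignment follows `$command`: `$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@`. If `command` (set from `$1` above the hunk) holds a word such as `exec` or a wrapper program, `PERL5LIB=...` is handed to it as its first argument rather than applied to the environment; placing the assignment first, `PERL5LIB=/usr/$g_perllib $command $PERL $debugflags $pc $options $@`, works whether `$command` is empty or not, and the `/usr/` prefix makes the entry absolute (`g_perllib` is a location under /usr, and a relative PERL5LIB entry is resolved against the current working directory). The first added line should also quote its operand, `if [ "$g_perllib" = share/shorewall ]; then`, so an empty value does not turn into a `[` syntax error. `compiler()` begins above this hunk.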
@@ -1142,7 +1152,7 @@ reload_command() # $* = original arguments less the command. fi progress_message "Getting Capabilities on system $system..." - if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/share/shorewall6-lite/shorecap" > $directory/capabilities; then + if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/$libexec/shorewall6-lite/shorecap" > $directory/capabilities; then fatal_error "ERROR: Capturing capabilities on system $system failed" fi fi @@ -1484,6 +1494,8 @@ SHAREDIR=/usr/share/shorewall6 CONFDIR=/etc/shorewall6 g_product="Shorewall6" g_recovering= +g_libexec=share +g_perllib=share/shorewall [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index d81fbd893..de354b1e5 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 -%define version 4.4.18 -%define release 1 +%define version 4.4.19 +%define release 0Beta4 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,10 +98,12 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog -* Sat Mar 19 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 -* Sun Mar 13 2011 Tom Eastep tom@shorewall.net -- Updated to 4.4.18-1 +* Sat Apr 02 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta4 +* Sat Mar 26 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta3 +* Sat Mar 05 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-0Beta1 * Wed Mar 02 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.18-0base * Mon Feb 28 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 442a3b768..c874e241f 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.18.1 +VERSION=4.4.19-Beta4 usage() # $1 = exit status { @@ -72,6 +72,8 @@ else VERSION="" fi +[ -n "${LIBEXEC:=share}" ] + echo "Uninstalling shorewall6 $VERSION" if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then @@ -106,6 +108,7 @@ rm -rf /etc/shorewall6 rm -rf /etc/shorewall6-*.bkout rm -rf /var/lib/shorewall6 rm -rf /var/lib/shorewall6-*.bkout +rm -rf /usr/${LIBEXEC}/shorewall6 rm -rf /usr/share/shorewall6 rm -rf /usr/share/shorewall6-*.bkout rm -rf /usr/share/man/man5/shorewall6* diff --git a/docs/Install.xml b/docs/Install.xml index 8f1f71f2c..09365b571 100644 --- a/docs/Install.xml +++ b/docs/Install.xml @@ -173,6 +173,80 @@ instructions. + +
+ Executables in /usr and Perl Modules + + Distributions have different philosophies about the proper file + hierarchy. Two issures are particularly contentious: + + + + Executable files in + /usr/share/shorewall*. These include; + + + + getparams + + + + compiler.pl + + + + wait4ifup + + + + shorecap + + + + ifupdown + + + + + + Perl Modules in + /usr/share/shorewall/Shorewall. + + + + To allow distributions to designate alternate locations for these + files, the installers (install.sh) from 4.4.19 onward support the + following environmental variables: + + + + LIBEXEC + + + Determines where in /usr getparams, compiler.pl, wait4ifup, + shorecap and ifupdown are installed. Shorewall and Shorewall6 must + be installed with the same value of LIBEXEC. The listed + executables are installed in + /usr/${LIBEXEC}/shorewall*. The default value + of LIBEXEC is 'share'. LIBEXEC is recognized by all installers and + uninstallers. + + + + + PERLLIB + + + Determines where in /usr the Shorewall + perl modules are installed. Shorewall and Shorewall6 must be + installed with the same value of PERLLIB. The modules are + installed in /usr/${PERLLIB}/Shorewall. The + default value of PERLLIB is 'share/shorewall'. PERLLIB is only + recognized by the Shorewall and Shorewall6 installers. + + + +
diff --git a/docs/LennyToSqueeze.xml b/docs/LennyToSqueeze.xml index 5ebeea32f..8f8eb71a2 100644 --- a/docs/LennyToSqueeze.xml +++ b/docs/LennyToSqueeze.xml @@ -647,14 +647,35 @@ eth0 172.20.1.0/24Before: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME -# PORT PORT(S) DEST LIMIT GROUP +# PORT(S) PORT(S) DEST LIMIT GROUP NONAT loc net tcp 80 After: #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME -# PORT PORT(S) DEST LIMIT GROUP +# PORT(S) PORT(S) DEST LIMIT GROUP NONAT loc - tcp 80 + + Shorewall 4.4 versions prior to 4.4.19 do not support icmp type + lists in the DEST PORT(S) column. Only a single ICMP type may be listed. + If you have a shell variable with a list of ICMP types that you use in a + rule, you can work around this limitation as follows. Replace this + rule: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME +# PORT(S) PORT(S) DEST LIMIT GROUP +ACCEPT z1 z2 icmp $ITYPES + + with: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME +# PORT(S) PORT(S) DEST LIMIT GROUP + +BEGIN SHELL +for type in $ITYPES; do +ACCEPT z1 z2 icmp $type +done +END SHELL
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 2cfa9c753..2ee4a70fd 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -790,6 +790,13 @@ gateway:/etc/shorewall # /etc/shorewall/rules:SECTION NEW SHELL cat /etc/shorewall/rules.d/*.rules + + If you are the sort to put such an entry in your rules file even + though /etc/shorewall/rules.d might not exist or might be empty, then + you probably want: + + SECTION NEW +SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
@@ -1308,13 +1315,26 @@ POP(ACCEPT) loc net:pop.gmail.com
- Complementing an Address or Subnet + Complementing an Address, Subnet, Protocol or Port List Where specifying an IP address, a subnet or an interface, you can precede the item with ! to specify the complement of the item. For example, !192.168.1.4 means any host but 192.168.1.4. There must be no white space following the !. + + Similarly, in columns that specify an IP protocol, you can preceed + the protocol name or number by "!". For example, !tcp means "any protocol + except tcp". + + This also works with port lists, providing that the list contains 15 + or fewer ports (where a port range counts as + two ports). For example !ssh,smtp means "any port except 22 and + 25". + + In Shorewall 4.4.19 and later, icmp type lists are supported but + complementing an icmp type list is not supported. You + may, however, complement a single icmp (icmp6) type.
@@ -1454,6 +1474,9 @@ router-advertisement => 134 neighbour-solicitation => 135 neighbour-advertisement => 136 redirect => 137 + + Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to + Shorewall 4.4.19.
diff --git a/docs/fallback.xml b/docs/fallback.xml index aa7e42e78..86b3c57e1 100644 --- a/docs/fallback.xml +++ b/docs/fallback.xml @@ -81,5 +81,11 @@ If you installed using an rpm, at a root shell prompt type rpm -e shorewall. + + + If you specified LIBEXEC and/or PERLLIB when you installed + Shorewall, you must specify the same value to the uninstall script. + e.g., LIBEXEC=libexec ./uninstall.sh. +
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index ce381c4a1..9f5b0d117 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -821,6 +821,10 @@ role="bold">tcp:syn implies tcp plus the SYN flag must be set and the RST,ACK and FIN flags must be reset. + + Beginning with Shorewall 4.4.19, this column can contain a + comma-separated list of protocol-numbers and/or protocol + names. @@ -837,7 +841,9 @@ the destination icmp-type(s). ICMP types may be specified as a numeric type, a numberic type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. + Note that prior to Shorewall 4.4.19, only a single ICMP type may be + listsed. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index dd2f05f8a..fe695d7ac 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -624,6 +624,10 @@ role="bold">tcp:syn implies tcp plus the SYN flag must be set and the RST,ACK and FIN flags must be reset. + + Beginning with Shorewall6 4.4.19, this column can contain a + comma-separated list of protocol-numbers and/or protocol names + (e.g., tcp,udp). @@ -640,7 +644,9 @@ the destination icmp-type(s). ICMP types may be specified as a numeric type, a numberic type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP. + Note that prior to Shorewall6 4.4.19, only a single ICMP type may be + listsed. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading