Shorewall 4.4.19 Changes

This commit is contained in:
Tom Eastep 2011-04-03 09:56:30 -07:00
parent 2029978050
commit cc633c5bd9
38 changed files with 889 additions and 323 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -124,6 +124,7 @@ done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -n "${LIBEXEC:=share}" ]
#
# Determine where to install the firewall script
#
@ -259,9 +260,9 @@ fi
# Install the ifupdown script
#
mkdir -p ${DESTDIR}/usr/share/shorewall-init
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init
install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
install_file ifupdown.sh ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown 0544
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
@ -332,7 +333,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
done
elif [ -n "$REDHAT" ]; then
#
@ -342,13 +343,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
FILE=${DESTDIR}/etc/ppp/$file
if [ -f $FILE ]; then
if fgrep -q Shorewall-based $FILE ; then
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
else
echo "$FILE already exists -- ppp devices will not be handled"
break
fi
else
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
fi
done
fi
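Review bot: `LIBEXEC` is spliced unquoted into every install path in this file (`${DESTDIR}/usr/${LIBEXEC}/shorewall-init/...` on the new `mkdir -p`, `install_file` and `cp -fp` lines) but is only defaulted, never validated: `[ -n "${LIBEXEC:=share}" ]` guarantees it is non-empty and nothing more. A value containing whitespace or `..` therefore word-splits or escapes the `/usr` tree, and the same expansion feeds `rm -rf` in the two uninstallers and the `eval sed -i` in the shorewall-lite installer elsewhere in this commit. Restricting it to the directory names the packaging actually uses, right after the default is applied, closes all of those at once, e.g. `case "$LIBEXEC" in share|lib) ;; *) echo "ERROR: unsupported LIBEXEC value '$LIBEXEC'" >&2; exit 1 ;; esac` (the allowed list is a constructed example; adjust it to what the spec files pass). Quoting the expansions, as in `"${DESTDIR}/usr/${LIBEXEC}/shorewall-init"`, would additionally let a DESTDIR containing spaces work.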


@ -1,6 +1,6 @@
%define name shorewall-init
%define version 4.4.18
%define release 1
%define version 4.4.19
%define release 0Beta4
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@ -119,10 +119,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -60,6 +60,8 @@ else
VERSION=""
fi
[ -n "${LIBEXEC:=share}" ]
echo "Uninstalling Shorewall Init $VERSION"
INITSCRIPT=/etc/init.d/shorewall-init
@ -105,6 +107,7 @@ if [ -d /etc/ppp ]; then
fi
rm -rf /usr/share/shorewall-init
rm -rf /usr/${LIBEXEC}/shorewall-init
echo "Shorewall Init Uninstalled"


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -123,6 +123,7 @@ done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -n "${LIBEXEC:=share}" ]
#
# Determine where to install the firewall script
#
@ -189,6 +190,7 @@ else
rm -rf ${DESTDIR}/etc/shorewall-lite
rm -rf ${DESTDIR}/usr/share/shorewall-lite
rm -rf ${DESTDIR}/var/lib/shorewall-lite
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
fi
#
@ -204,6 +206,8 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
#
@ -225,6 +229,7 @@ echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
#
mkdir -p ${DESTDIR}/etc/shorewall-lite
mkdir -p ${DESTDIR}/usr/share/shorewall-lite
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite
mkdir -p ${DESTDIR}/var/lib/shorewall-lite
chmod 755 ${DESTDIR}/etc/shorewall-lite
@ -277,20 +282,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
# Install Shorecap
#
install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap 0755
echo
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap"
#
# Install wait4ifup
#
if [ -f wait4ifup ]; then
install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup 0755
echo
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup"
fi
#
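Review bot: The new `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap` is the only line in its branch without the `${DESTDIR}` prefix, so a staged install (DESTDIR set, as a package build does, typically as root) deletes from the live root instead of the staging tree; it should read `[ "$LIBEXEC" = share ] || rm -rf ${DESTDIR}/usr/share/shorewall-lite/shorecap ${DESTDIR}/usr/share/shorecap`. Separately, the new `eval sed -i ... g_libexec=$LIBEXEC ...` line runs the quoted command through `eval`, so any quote or `|` in `LIBEXEC` breaks out of the sed expression into the shell; a plain `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall-lite"` does the same job with no `eval` (the backticks shown in that line look like a rendering artifact, so the exact original quoting is uncertain). Either way `LIBEXEC` should be checked against a fixed set of directory names before it reaches `rm -rf` or `sed`.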


@ -570,6 +570,7 @@ MUTEX_TIMEOUT=
SHAREDIR=/usr/share/shorewall-lite
CONFDIR=/etc/shorewall-lite
g_product="Shorewall Lite"
g_libexec=share
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
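Review bot: The added `g_libexec=share` carries no comment explaining that it is a placeholder, which the `eval sed -i ... g_libexec=$LIBEXEC ...` line in the shorewall-lite installer in this same commit appears to rewrite at install time (assuming this is the `/sbin/shorewall-lite` script that sed targets). A comment on the line above it would stop the next maintainer from treating the literal as the real default, e.g. `# Placeholder: install.sh replaces this value with LIBEXEC; keep it on its own line`. Because that substitution matches `g_libexec=.*`, anything appended on the same line (including a trailing comment) would be erased, so the comment must not share the line.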


@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 4.4.18
%define release 1
%define version 4.4.19
%define release 0Beta4
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name}
@ -103,10 +103,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -72,6 +72,8 @@ else
VERSION=""
fi
[ -n "${LIBEXEC:=share}" ]
echo "Uninstalling Shorewall Lite $VERSION"
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
@ -107,6 +109,7 @@ rm -rf /etc/shorewall-lite-*.bkout
rm -rf /var/lib/shorewall-lite
rm -rf /var/lib/shorewall-lite-*.bkout
rm -rf /usr/share/shorewall-lite
rm -rf /usr/${LIBEXEC}/shorewall-lite
rm -rf /usr/share/shorewall-lite-*.bkout
rm -f /etc/logrotate.d/shorewall-lite


@ -78,6 +78,7 @@ our %EXPORT_TAGS = (
initialize_chain_table
add_commands
copy_rules
move_rules
insert_rule1
delete_jumps
@ -187,7 +188,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal');
our $VERSION = '4.4_18';
our $VERSION = '4.4_19';
#
# Chain Table
@ -387,8 +388,8 @@ our %builtin_target = ( ACCEPT => 1,
# 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state.
#
sub initialize( $ ) {
$family = shift;
sub initialize( $$ ) {
( $family, my $hard ) = @_;
%chain_table = ( raw => {},
mangle => {},
@ -428,7 +429,7 @@ sub initialize( $ ) {
$idiotcount1 = 0;
$warningcount = 0;
$hashlimitset = 0;
$ipset_rules = 0;
$ipset_rules = 0 if $hard;
#
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
#
@ -616,6 +617,16 @@ sub handle_port_list( $$$$$$ ) {
}
}
#
# This much simpler function splits a rule with an icmp type list into discrete rules
#
sub handle_icmptype_list( $$$$ ) {
my ($chainref, $first, $types, $rest) = @_;
my @ports = split ',', $types;
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
}
#
# Add a rule to a chain. Arguments are:
#
@ -645,6 +656,17 @@ sub add_rule($$;$) {
# Rule has a --sports specification
#
handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
} elsif ( $rule =~ /^(.* --icmp(?:v6)?-type\s*)([^ ]+)(.*)$/ ) {
#
# ICMP rule -- split it up if necessary
#
my ( $first, $types, $rest ) = ($1, $2, $3 );
if ( $types =~ /,/ ) {
handle_icmptype_list( $chainref, $first, $types, $rest );
} else {
push_rule( $chainref, $rule );
}
} else {
push_rule ( $chainref, $rule );
}
@ -851,8 +873,8 @@ sub move_rules( $$ ) {
# Replace the jump at the end of one chain (chain2) with the rules from another chain (chain1).
#
sub copy_rules( $$ ) {
my ($chain1, $chain2 ) = @_;
sub copy_rules( $$;$ ) {
my ($chain1, $chain2, $nojump ) = @_;
my $name1 = $chain1->{name};
my $name = $name1;
@ -868,7 +890,7 @@ sub copy_rules( $$ ) {
#
$name1 =~ s/\+/\\+/;
my $last = pop @$rules2; # Delete the jump to chain1
pop @$rules2 unless $nojump; # Delete the jump to chain1
if ( $blacklist2 && $blacklist1 ) {
#
@ -948,12 +970,21 @@ sub zone_forward_chain($) {
sub use_forward_chain($$) {
my ( $interface, $chainref ) = @_;
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
#
# We must use the interfaces's chain if the interface is associated with multiple nets
# We must use the interfaces's chain if the interface is associated with multiple zones
#
return 1 if $interfaceref->{nets} > 1;
return 1 if ( keys %{interface_zones $interface} ) > 1;
#
# Use interface's chain if there are multiple nets on the interface
#
return 1 if $nets > 1;
#
# Use interface's chain if it is a bridge with ports
#
return 1 if $interfaceref->{ports};
my $zone = $interfaceref->{zone};
@ -990,10 +1021,18 @@ sub use_input_chain($$) {
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
#
# We must use the interfaces's chain if the interface is associated with multiple nets
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
return 1 if ( keys %{interface_zones $interface} ) > 1;
#
# Use interface's chain if there are multiple nets on the interface
#
return 1 if $nets > 1;
#
# Use interface's chain if it is a bridge with ports
#
return 1 if $interfaceref->{ports};
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;
@ -1043,10 +1082,18 @@ sub use_output_chain($$) {
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
#
# We must use the interfaces's chain if the interface is associated with multiple nets
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
return 1 if ( keys %{interface_zones $interface} ) > 1;
#
# Use interface's chain if there are multiple nets on the interface
#
return 1 if $nets > 1;
#
# Use interface's chain if it is a bridge with ports
#
return 1 if $interfaceref->{ports};
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;
@ -2203,7 +2250,15 @@ sub do_proto( $$$;$ )
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
if ( port_count ( $ports ) > 15 ) {
if ( $restricted ) {
fatal_error "A port list in this file may only have up to 15 ports";
} elsif ( $invert ) {
fatal_error "An inverted port list may only have up to 15 ports";
}
}
$ports = validate_port_list $pname , $ports;
$output .= "-m multiport ${invert}--dports ${ports} ";
$multiport = 1;
@ -2218,7 +2273,15 @@ sub do_proto( $$$;$ )
if ( $sports ne '' ) {
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) {
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $sports ) > 15;
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
fatal_error "A port list in this file may only have up to 15 ports";
} elsif ( $invert ) {
fatal_error "An inverted port list may only have up to 15 ports";
}
}
$sports = validate_port_list $pname , $sports;
$output .= "-m multiport ${invert}--sports ${sports} ";
} else {
@ -2233,9 +2296,20 @@ sub do_proto( $$$;$ )
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp $ports;
$output .= "${invert}--icmp-type ${ports} ";
my $types;
if ( $ports =~ /,/ ) {
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
$types = '';
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
}
} else {
$types = validate_icmp $ports;
}
$output .= "${invert}--icmp-type ${types} ";
}
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
@ -2246,9 +2320,20 @@ sub do_proto( $$$;$ )
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp6 $ports;
$output .= "${invert}--icmpv6-type ${ports} ";
my $types;
if ( $ports =~ /,/ ) {
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
$types = '';
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
}
} else {
$types = validate_icmp6 $ports;
}
$output .= "${invert}--icmpv6-type ${types} ";
}
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
@ -2651,13 +2736,18 @@ sub do_headers( $ ) {
#
# Match Source Interface
#
sub match_source_dev( $ ) {
my $interface = shift;
sub match_source_dev( $;$ ) {
my ( $interface, $nodev ) = @_;;
my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref;
return '' if $interface eq '+';
if ( $interfaceref && $interfaceref->{options}{port} ) {
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
if ( $nodev ) {
"-m physdev --physdev-in $interface ";
} else {
my $bridgeref = find_interface $interfaceref->{bridge};
"-i $bridgeref->{physical} -m physdev --physdev-in $interface ";
}
} else {
"-i $interface ";
}
@ -2666,16 +2756,26 @@ sub match_source_dev( $ ) {
#
# Match Dest device
#
sub match_dest_dev( $ ) {
my $interface = shift;
sub match_dest_dev( $;$ ) {
my ( $interface, $nodev ) = @_;;
my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref;
return '' if $interface eq '+';
if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $nodev ) {
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
"-m physdev --physdev-is-bridged --physdev-out $interface ";
} else {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
"-m physdev --physdev-out $interface ";
}
} else {
my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else {
"-o $bridgeref->{physical} -m physdev --physdev-out $interface ";
}
}
} else {
"-o $interface ";
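Review bot: In `do_proto`, the new ICMP list loop `$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;` (and its icmpv6 twin) never validates the first entry, because the false branch stores `$type` raw; and since the test is on the string's truthiness, a leading type of `0` (echo-reply) is silently dropped when the next iteration overwrites it. Replace the accumulation with `my @types; push @types, validate_icmp( $type ) for split_list( $ports, 'ICMP type list' ); $types = join( ',', @types );` and the same with `validate_icmp6` in the IPv6 branch. The IPv6 branch also calls `list_split` where the IPv4 branch calls `split_list`; unless both helpers exist, that path dies at runtime on the first comma-separated icmpv6 type list. The `my ( $interface, $nodev ) = @_;;` lines in `match_source_dev` and `match_dest_dev` carry a stray second semicolon, and `match_dest_dev`'s body continues past the end of the section.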


@ -55,7 +55,7 @@ our $family;
#
sub initialize_package_globals() {
Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family);
Shorewall::Chains::initialize ($family, 1);
Shorewall::Zones::initialize ($family);
Shorewall::Nat::initialize;
Shorewall::Providers::initialize($family);
@ -818,7 +818,7 @@ sub compiler {
# We must reinitialize Shorewall::Chains before generating the iptables-restore input
# for stopping the firewall
#
Shorewall::Chains::initialize( $family );
Shorewall::Chains::initialize( $family, 0 );
initialize_chain_table;
#
# S T O P _ F I R E W A L L
@ -882,7 +882,7 @@ sub compiler {
# Re-initialize the chain table so that process_routestopped() has the same
# environment that it would when called by compile_stop_firewall().
#
Shorewall::Chains::initialize( $family );
Shorewall::Chains::initialize( $family , 0 );
initialize_chain_table;
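Review bot: The new second argument to `Shorewall::Chains::initialize` is a bare `1` or `0` at three call sites with nothing saying what it selects; in Chains.pm it is the `$hard` flag that decides whether `$ipset_rules` is reset, so each call would read better with a comment, e.g. `# 0: soft re-initialization -- keep the ipset rule count (presumably so the main compile's total survives; confirm)` on the two calls in `compiler`, and `# 1: hard initialization -- reset all module state` in `initialize_package_globals`. The spacing also differs between the two `compiler` calls (`( $family, 0 )` vs `( $family , 0 )`); pick one form. `compiler` extends well beyond both hunks.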
if ( $debug ) {


@ -37,6 +37,7 @@ use File::Temp qw/ tempfile tempdir /;
use Cwd qw(abs_path getcwd);
use autouse 'Carp' => qw(longmess confess);
use Scalar::Util 'reftype';
use FindBin;
our @ISA = qw(Exporter);
#
@ -137,7 +138,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal');
our $VERSION = '4.4_18';
our $VERSION = '4.4_19';
#
# describe the current command, it's present progressive, and it's completion.
@ -410,7 +411,7 @@ sub initialize( $ ) {
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.18.1",
VERSION => "4.4.19-Beta4",
CAPVERSION => 40417 ,
);
#
@ -2906,7 +2907,7 @@ sub get_params() {
if ( -f $fn ) {
progress_message2 "Processing $fn ...";
my $command = "$globals{SHAREDIRPL}/getparams $fn " . join( ':', @config_path );
my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );
#
# getparams silently sources the params file under 'set -a', then executes 'export -p'
#
@ -2947,7 +2948,7 @@ sub get_params() {
}
}
}
} elsif ( $params[0] =~ /^export (.*?)="/ || $params[0] =~ /^export ([^\s=]+)\s*$/ ) {
} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
#
# getparams interpreted by older (e.g., RHEL 5) Bash
#
@ -3004,7 +3005,7 @@ sub get_params() {
print "PARAMS:\n";
my $value;
while ( ($variable, $value ) = each %params ) {
print " $variable='$value'\n";
print " $variable='$value'\n" unless $compiler_params{$variable};
}
}
}
@ -3084,6 +3085,7 @@ sub get_configuration( $ ) {
get_capabilities( $export );
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
if ( my $rate = $config{LOGLIMIT} ) {
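Review bot: `"$FindBin::Bin/getparams $fn "` locates the helper next to whatever script `$0` names, and `FindBin` does not resolve symlinks for `$Bin`, so a compiler invoked through a symlink or a copied entry point looks for `getparams` in the symlink's directory rather than the installed one; `$FindBin::RealBin` follows symlinks and is the safer choice if the goal is "the directory this compiler was installed in", and the reason for dropping `$globals{SHAREDIRPL}` deserves a comment on that line, since the helper it finds goes on to source the params file in a shell. The new `unless $compiler_params{$variable}` filter in the debug dump relies on `%compiler_params` being populated before `get_params` runs, which is not visible here and worth confirming. Both edited bodies (`get_params`, `get_configuration`) extend beyond the hunks shown.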


@ -45,7 +45,7 @@ our @EXPORT = qw( process_tos
generate_matrix
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_18';
our $VERSION = '4.4_19';
our $family;
@ -1036,7 +1036,33 @@ sub add_interface_jumps {
my $outputref = $filter_table->{output_chain $interface};
my $interfaceref = find_interface($interface);
add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
if ( $interfaceref->{options}{port} ) {
my $bridge = $interfaceref->{bridge};
add_rule ( $filter_table->{forward_chain $bridge},
match_source_dev( $interface, 1) . match_dest_dev( $interface, 1) . '-j ACCEPT'
) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_jump( $filter_table->{forward_chain $bridge} ,
$forwardref ,
0,
match_source_dev( $interface, 1 )
) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
add_jump( $filter_table->{input_chain $bridge },
$inputref ,
0,
match_source_dev( $interface, 1 )
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
add_jump( $filter_table->{output_chain $bridge} ,
$outputref ,
0 ,
match_dest_dev( $interface, 1 ) )
unless get_interface_option( $interface, 'port' );
}
} else {
add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
@ -1045,6 +1071,7 @@ sub add_interface_jumps {
add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
}
}
}
handle_loopback_traffic;
}
@ -1077,6 +1104,7 @@ sub generate_matrix() {
our %input_jump_added = ();
our %output_jump_added = ();
our %forward_jump_added = ();
my %ipsec_jump_added = ();
progress_message2 'Generating Rule Matrix...';
progress_message ' Handling blacklisting and complex zones...';
@ -1143,12 +1171,31 @@ sub generate_matrix() {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref = $filter_table->{forward_chain $interface};
my $interfacematch = '';
my $interfaceref = find_interface $interface;
if ( use_forward_chain( $interface, $sourcechainref ) ) {
if ( $interfaceref->{ports} && $interfaceref->{options}{bridge} ) {
$interfacematch = match_source_dev $interface;
copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
$sourcechainref = $filter_table->{FORWARD};
} elsif ( $interfaceref->{options}{port} ) {
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
$sourcechainref ,
0 ,
match_source_dev( $interface , 1 ) )
unless $forward_jump_added{$interface}++;
} else {
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
}
} else {
if ( $interfaceref->{options}{port} ) {
$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
$interfacematch = match_source_dev $interface, 1;
} else {
$sourcechainref = $filter_table->{FORWARD};
$interfacematch = match_source_dev $interface;
}
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
}
@ -1235,6 +1282,9 @@ sub generate_matrix() {
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface};
my $interfaceref = find_interface $interface;
my $isport = $interfaceref->{options}{port};
my $bridge = $interfaceref->{bridge};
if ( get_physical( $interface ) eq '+' ) {
#
@ -1261,7 +1311,17 @@ sub generate_matrix() {
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
$outputref = $interfacechainref;
if ( $isport ) {
add_jump( $filter_table->{ output_chain $bridge },
$outputref ,
0 ,
match_dest_dev( $interface, 1 ) )
unless $output_jump_added{$interface}++;
} else {
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
}
$use_output = 1;
unless ( lc $net eq IPv6_LINKLOCAL ) {
@ -1269,6 +1329,9 @@ sub generate_matrix() {
generate_source_rules ( $outputref, $vzone, $zone, $dest );
}
}
} elsif ( $isport ) {
$outputref = $filter_table->{ output_chain $bridge };
$interfacematch = match_dest_dev $interface, 1;
} else {
$outputref = $filter_table->{OUTPUT};
$interfacematch = match_dest_dev $interface;
@ -1323,7 +1386,17 @@ sub generate_matrix() {
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
$inputchainref = $interfacechainref;
if ( $isport ) {
add_jump( $filter_table->{ input_chain $bridge },
$inputchainref ,
0 ,
match_source_dev($interface, 1) )
unless $input_jump_added{$interface}++;
} else {
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
}
$use_input = 1;
unless ( lc $net eq IPv6_LINKLOCAL ) {
@ -1332,6 +1405,9 @@ sub generate_matrix() {
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
}
}
} elsif ( $isport ) {
$inputchainref = $filter_table->{ input_chain $bridge };
$interfacematch = match_source_dev $interface, 1;
} else {
$inputchainref = $filter_table->{INPUT};
$interfacematch = match_source_dev $interface;
@ -1345,11 +1421,29 @@ sub generate_matrix() {
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
my $ref = source_exclusion( $exclusions, $frwd_ref );
my $forwardref = $filter_table->{forward_chain $interface};
if ( use_forward_chain $interface, $forwardref ) {
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
if ( $isport ) {
add_jump( $filter_table->{ forward_chain $bridge } ,
$forwardref ,
0 ,
match_source_dev( $interface , 1 ) )
unless $forward_jump_added{$interface}++;
} else {
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
}
} else {
if ( $isport ) {
add_jump( $filter_table->{ forward_chain $bridge } ,
$ref ,
0 ,
join( '', match_source_dev( $interface, 1 ) , $source, $ipsec_in_match ) );
} else {
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
}
move_rules ( $forwardref , $frwd_ref );
}
}
@ -1461,6 +1555,7 @@ sub generate_matrix() {
#
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) {
my $interfaceref = find_interface $interface;
my $chain3ref;
my $match_source_dev = '';
my $forwardchainref = $filter_table->{forward_chain $interface};
@ -1470,13 +1565,28 @@ sub generate_matrix() {
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
#
$chain3ref = $forwardchainref;
if ( $interfaceref->{options}{port} ) {
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
$chain3ref,
0 ,
match_source_dev( $interface , 1 ) )
unless $forward_jump_added{$interface}++;
} else {
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
}
} else {
#
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
#
if ( $interfaceref->{options}{port} ) {
$chain3ref = $filter_table->{ forward_chain $interfaceref->{bridge} };
$match_source_dev = match_source_dev $interface, 1;
} else {
$chain3ref = $filter_table->{FORWARD};
$match_source_dev = match_source_dev $interface;
}
move_rules $forwardchainref, $chainref;
}
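Review bot: In `add_interface_jumps`, the non-port branch adds its bridge ACCEPT rule to `$filter_table->{FORWAR}` — `FORWARD` misspelled — so `add_rule` receives an undefined chain reference for every bridge interface that is not itself a port, whereas the two `add_jump` lines immediately below correctly use `$filter_table->{FORWARD}`. The line should read `add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};`. Also in `generate_matrix`, the new `%ipsec_jump_added` is keyed by `$zone` while every other `*_jump_added` hash in this file is keyed by interface; a short comment on its declaration, e.g. `# per-zone, unlike the interface-keyed hashes above`, would save the reader a double-take. `add_interface_jumps` and `generate_matrix` both extend beyond the hunks shown.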


@ -2235,7 +2235,7 @@ sub build_zone_list( $$$\$\$ ) {
# Process a Record in the rules file
#
sub process_rule ( ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
process_comment, return 1 if $target eq 'COMMENT';
process_section( $source ), return 1 if $target eq 'SECTION';
@ -2257,16 +2257,22 @@ sub process_rule ( ) {
my $fw = firewall_zone;
my @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
my @dest = build_zone_list ( $fw, $dest, 'DEST' , $intrazone, $wild );
my @protos = split_list1 $protos, 'Protocol';
my $generated = 0;
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
if ( @protos > 1 ) {
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
}
for $source ( @source ) {
for $dest ( @dest ) {
my $sourcezone = (split( /:/, $source, 2 ) )[0];
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
for my $proto ( @protos ) {
$generated |= process_rule1( undef,
$target,
'',
@ -2286,6 +2292,7 @@ sub process_rule ( ) {
}
}
}
}
warning_message qq(Entry generated no $toolname rules) unless $generated;


@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_18';
our $VERSION = '4.4_19';
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
@ -476,6 +476,8 @@ sub process_simple_device() {
my $number = in_hexp( $tcdevices{$device} = ++$devnum );
my $ip32 = $family == F_IPV4 ? 'ip' : 'ip6';
fatal_error "Unknown interface( $device )" unless known_interface $device;
my $physical = physical_name $device;
@ -517,7 +519,7 @@ sub process_simple_device() {
);
emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src " . ALLIP . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
) if $in_bandwidth;
if ( $out_part ne '-' ) {
@ -566,11 +568,13 @@ sub process_simple_device() {
for ( my $i = 1; $i <= 3; $i++ ) {
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit '';
}
emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match $ip32 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
save_progress_message_short qq(" TC Device $physical defined.");
pop_indent;
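Review bot: The rewritten ingress policing filter still says `u32 match ip src " . ALLIP . "` even though the same change introduces `$ip32` (`ip` or `ip6` by family) and the egress filter a few lines down already uses `match $ip32 protocol ...`; if `ALLIP` yields `::/0` under IPv6, the `ip` selector cannot match it, so the line should read `"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match $ip32 src " . ALLIP . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"`. Whether `ALLIP` is family-aware is not visible here; if it is always `0.0.0.0/0` the IPv6 case is wrong in a different way and deserves a comment either way. `process_simple_device` continues past the hunk.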


@ -74,6 +74,7 @@ our @EXPORT = qw( NOTHING
find_interfaces_by_option1
get_interface_option
set_interface_option
interface_zones
verify_required_interfaces
compile_updown
validate_hosts_file
@ -84,7 +85,7 @@ our @EXPORT = qw( NOTHING
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_17';
our $VERSION = '4.4_19';
#
# IPSEC Option types
@ -146,16 +147,20 @@ our %reservedName = ( all => 1,
# %interfaces { <interface1> => { name => <name of interface>
# root => <name without trailing '+'>
# options => { port => undef|1
# <option1> = <val1> , #See %validinterfaceoptions
# { <option1> } => <val1> , #See %validinterfaceoptions
# ...
# }
# zone => <zone name>
# multizone => undef|1 #More than one zone interfaces through this interface
# nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge>
# ports => <number of port on this bridge>
# ipsec => undef|1 # Has an ipsec host group
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
# number => <ordinal position in the interfaces file>
# physical => <physical interface name>
# base => <shell variable base representing this interface>
# zones => { zone1 => 1, ... }
# }
# }
#
@ -669,6 +674,7 @@ sub add_group_to_zone($$$$$)
my $zoneref = $zones{$zone};
my $zonetype = $zoneref->{type};
$zoneref->{interfaces}{$interface} = 1;
my @newnetworks;
@ -680,6 +686,8 @@ sub add_group_to_zone($$$$$)
for my $host ( @$networks ) {
$interfaceref = $interfaces{$interface};
$interfaceref->{zones}{$zone} = 1;
$interfaceref->{nets}++;
fatal_error "Invalid Host List" unless defined $host and $host ne '';
@ -883,6 +891,7 @@ sub process_interface( $$ ) {
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
$interfaces{$interface}{ports}++;
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
if ( $zone ) {
@ -1100,7 +1109,8 @@ sub process_interface( $$ ) {
options => \%options ,
zone => '',
physical => $physical ,
base => chain_base( $physical )
base => chain_base( $physical ),
zones => {},
};
if ( $zone ) {
@ -1306,6 +1316,16 @@ sub source_port_to_bridge( $ ) {
return $portref ? $portref->{bridge} : '';
}
#
# Returns a hash reference for the zones interface through the interface
#
sub interface_zones( $ ) {
my $interfaceref = $interfaces{(shift)};
$interfaceref->{zones};
}
#
# Return the 'optional' setting of the passed interface
#
@ -1690,7 +1710,7 @@ sub process_host( ) {
fatal_error "Unknown ZONE ($zone)" unless $type;
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
my $interface;
my ( $interface, $interfaceref );
if ( $family == F_IPV4 ) {
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
@ -1703,7 +1723,7 @@ sub process_host( ) {
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
}
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
@ -1711,16 +1731,16 @@ sub process_host( ) {
$interface = $1;
$hosts = $2;
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
} else {
fatal_error "Invalid HOST(S) column contents: $hosts";
}
if ( $type == BPORT ) {
if ( $zoneref->{bridge} eq '' ) {
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
$zoneref->{bridge} = $interfaces{$interface}{bridge};
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
}
}
@ -1736,7 +1756,7 @@ sub process_host( ) {
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
$type = IPSEC;
$zoneref->{options}{complex} = 1;
$ipsec = 1;
$ipsec = $interfaceref->{ipsec} = 1;
} elsif ( $option eq 'norfc1918' ) {
warning_message "The 'norfc1918' host option is no longer supported"
} elsif ( $option eq 'blacklist' ) {
@ -1778,6 +1798,7 @@ sub process_host( ) {
$ipsets{"${zone}_${physical}"} = 1;
}
#
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
#

@ -1,10 +1,42 @@
Changes in Shorewall 4.4.18.1
Changes in Shorewall 4.4.19 RC 1
1) Fix params processing bug.
1) Fix logical naming and bridge.
2) Tighten editing of TC_PRIOMAP value.
Changes in Shorewall 4.4.19 Beta 4
3) Fix the Lite installers
1) Handle mis-configured ipsec host group on a bridge.
2) Significantly improve bridge/ports handling.
3) Allow port-lists in /etc/shorewall/rules.
Changes in Shorewall 4.4.19 Beta 3
1) Allow /usr executables to be installed in a designated location.
2) Allow Shorewall perl modules to be installed in a designated
location.
Changes in Shorewall 4.4.19 Beta 2
1) Minor rework of init-log creation in the installer.
2) Add VRRP macro.
3) Fix more params processing bugs.
4) Do a better job of editing ICMP type lists.
5) Allow /usr executables to be installed in a designated location.
6) Allow Shorewall perl modules to be installed in a designated
location.
Changes in Shorewall 4.4.19 Beta 1
1) Place ACK packets in the highest priority band.
2) Break ICMP lists into individual rules.
Changes in Shorewall 4.4.18 Final

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -107,6 +107,9 @@ fi
SPARSE=
MANDIR=${MANDIR:-"/usr/share/man"}
[ -n "${LIBEXEC:=share}" ]
[ -n "${PERLLIB:=share/shorewall}" ]
INSTALLD='-D'
case $(uname) in
@ -233,9 +236,13 @@ fi
if [ -z "$CYGWIN" ]; then
install_file shorewall ${DESTDIR}/sbin/shorewall 0755
echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
else
install_file shorewall ${DESTDIR}/bin/shorewall 0755
echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall
fi
#
@ -258,7 +265,8 @@ fi
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
#
mkdir -p ${DESTDIR}/etc/shorewall
mkdir -p ${DESTDIR}/usr/share/shorewall
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall
mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall
mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
mkdir -p ${DESTDIR}/var/lib/shorewall
@ -326,7 +334,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
echo
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup"
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
#
# Install the policy file
@ -816,14 +824,14 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
#
cd Perl
install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755
install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
echo
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
#
# Install the params file helper
#
install_file getparams ${DESTDIR}/usr/share/shorewall/getparams 0755
install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755
echo
echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
@ -831,8 +839,8 @@ echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
# Install the libraries
#
for f in Shorewall/*.pm ; do
install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f"
install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644
echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f"
done
#
# Install the program skeleton files
@ -893,6 +901,7 @@ fi
if [ -z "$DESTDIR" ]; then
rm -rf /usr/share/shorewall-perl
rm -rf /usr/share/shorewall-shell
[ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
fi
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
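Review bot: The wait4ifup install line `install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755` is left unchanged while the message right after it now reports `/usr/${LIBEXEC}/shorewall/wait4ifup`, so with a non-default LIBEXEC the file lands in the old location and the message is wrong; change the install line to `install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755`, as the shorewall6 installer in this same commit does. The opposite mismatch exists for compiler.pl and getparams, where the install path moved to `${LIBEXEC}` but the two echo lines still name /usr/share/shorewall. The `eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ...` lines do not need eval, and a LIBEXEC or PERLLIB value from the environment containing `|` or shell metacharacters would break the sed expression or be re-parsed as shell; `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall"` is equivalent and avoids the second parse.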

@ -1,26 +1,3 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) An issue with params processing on RHEL6 manifested as the
following type of warning:
WARNING: Param line (export OLDPWD) ignored at
/usr/share/shorewall/Shorewall/Config.pm line
2993.
Corrected in Shorewall 4.4.18.1
3) The Shorewall Lite and Shorewall6 Lite installers fail to install
the 'helpers' modules file, with the result that both
'shorewall[6]-lite show capabilities' and 'shorecap' fail.
Workaround: Copy the 'helpers' file from the Administrative System
to the firewall system.
Corrected in Shorewall 4.4.18.1
4) If an icmp or icmp6 type/code is specified in the tcfilters file, a
run-time error occurs.
Corrected in Shorewall 4.4.18.1

@ -687,8 +687,17 @@ show_command() {
;;
config)
. ${SHAREDIR}/configpath
if [ -n "$g_filemode" ]; then
echo "CONFIG_PATH=$CONFIG_PATH"
echo "VARDIR=$VARDIR"
echo "LIBEXEC=$g_libexec"
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
else
echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "Default VARDIR is $VARDIR"
echo "LIBEXEC is $g_libexec"
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
fi
;;
chain)
shift

@ -1,5 +1,6 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 8 . 1
S H O R E W A L L 4 . 4 . 1 9
B E T A 4
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,78 +14,41 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
4.4.18.1
RC 1
1) An issue with params processing on RHEL6 has been corrected. The
1) Correct a problem introduced in Beta 4 whereby incorrect Netfilter
rules were generated when a bridge with ports was given a logical
name.
Beta 4
1) If a bridge interface had subordinate ports defined in
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or
the 'ipsec' option specified) in /etc/shorewall/hosts resulted in
the compiler generating an incorrect Netfilter configuration.
Beta 3
None.
Beta 2
1) A correction to the Beta 1 fix for params processing has been
included.
2) Editing of ICMP type lists has been improved.
Beta 1
1) Previously /var/log/shorewall*-init.log was created in the wrong
Selinux context. The rpm's have been modified to correct that
issue.
2) An issue with params processing on RHEL6 has been corrected. The
problem manifested as the following type of warning:
WARNING: Param line (export OLDPWD) ignored at
/usr/share/shorewall/Shorewall/Config.pm line
2993.
2) The editing of the value of the TC_PRIOMAP option has been
tightened. Previously, many invalid settings were allowed,
resulting in run-time tc command failures.
3) The Shorewall Lite and Shorewall6 Lite installers now install the
'helpers' modules file. Previously, this file was not installed
with the result that both 'shorewall[6]-lite show capabilities' and
'shorecap' failed.
4) Previously, if an icmp or icmp6 type which included both a type and
a code was used in the tcfilters file, 'start' and 'restart' would
fail with a 'tc' error.
4.4.18 Final
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
context where a network address is allowed, the compiler failed to
supply the default <vlsm> of 128. This could lead to startup errors
and/or Perl errors such as:
Use of uninitialized value $mask in concatenation (.) or
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
<$currentfile> line 11.
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
previously not recognized. That functionality has been restored.
3) If an interface mentioned in the tcfilters file was not up when
Shorewall was started or restarted, then the command would fail
at run-time with a 'tc' error message.
4.4.18 RC 1
1) None.
4.4.18 Beta 4
1) Edting of the MARK column has been tighened to catch errors at
compile time rather than at run time.
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
to get the most common suffixes at the front of the list. It is
still recommended that you modify this setting to include only the
suffix(es) used on your system. Current distributions use 'ko'
almost exclusively.
4.4.18 Beta 2
1) Previously, the 'local' option in /etc/shorewall6/providers would
produce an 'ip route add' command containing an IPv4 address. It now
correctly uses the equivalent IPv6 address. Note that this option
is still undocumented for use with IPv6.
2) When optimize level 4 was set, the optimizer mis-handled rules of the
form:
-A <chain1> -j <chain2> -m comment ...
when such a rule was the only rule in a chain.
4.4.18 Beta 1
None.
/usr/share/shorewall/Shorewall/Config.pm line 2993.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@ -97,87 +61,62 @@ None.
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) The modules files are now just a driver that INCLUDEs several new
files and one old file:
1) When TC_ENABLED=Simple, ACK packets are now placed in the highest
priority class. An ACK packet is a TCP packet with the ACK flag set
and no data payload.
- /usr/share/shorewall[6]/modules.essential # Essential modules
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
- /usr/share/shorewall[6]/helpers # Existing file
- /usr/share/shorewall/ipset # ipset modules
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
- /usr/share/shorewall[6]/modules.extensions # Other extensions
Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming
and outgoing connections. If a particular application, SMTP for
example, is placed in priority class 3, then outgoing ACK packets
for incoming email were previously placed in priority class 3 as
well. This could have the effect of slowing down incoming mail when
the goal was to give outgoing mail a lower priority. By
unconditionally placing ACK packets in priority class 1, this issue
is avoided.
This should make it easier to configure your own
/etc/shorewall[6]/modules file that won't be obsolete when you
upgrade your Shorewall/Shorewall6 installation.
2) Up to this point, the Perl-based rules compiler has not accepted
ICMP type lists. This is in contrast to the shell-based compiler
which did support such lists.
For example, if you don't use traffic shaping or ipsets, you can
remove those from your copy of the modules file (copy in
/etc/shorewall/).
Support for ICMP (and ICMPv6) type lists has now been restored.
2) Traditionally, the root of the Shorewall accounting rules has been
the 'accounting' chain. Having a single root chain has drawbacks:
3) Distributions have different philosophies about the proper file
hierarchy. Two issures are particularly contentious:
- Many rules are traversed needlessly (they could not possibly
match traffic).
- At any time, the Netfilter team could begin generating errors
when loading those same rules.
- MAC addresses may not be used in the accounting rules.
- The 'accounting' chain cannot be optimized when
OPTIMIZE_ACCOUNTING=Yes.
- Executable files in /usr/share/shorewall*. These include;
In addition, currently the rules may be defined in any order so the
rules compiler must post-process the ruleset to alert the user to
unreferenced chains.
getparams
compiler.pl
wait4ifup
shorecap
ifupdown
Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:
- Perl Modules in /usr/share/shorewall/Shorewall.
- accountin: Rules that are valid in the INPUT chain (may not
specify an output interface).
- accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).
- accountfwd: Other rules.
To allow distributions to designate alternate locations for these
files, the installers (install.sh) now support the following
environmental variables:
The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file.
LIBEXEC -- determines where in /usr getparams, compiler.pl,
wait4ifup, shorecap and ifupdown are installed. Shorewall and
Shorewall6 must be installed with the same value of LIBEXEC. The
listed executables are installed in /usr/${LIBEXEC}/shorewall*. The
default value of LIBEXEC is 'share'. LIBEXEC is recognized by all
installers and uninstallers.
The sections are INPUT, OUTPUT and FORWARD and must appear in that
order (although any of them may be omitted). The first
non-commentary record in the accounting file must be a section
header when sectioning is used.
PERLLIB -- determines where in /usr the Shorewall perl modules are
installed. Shorewall and Shorewall6 must be installed with the same
value of PERLLIB. The modules are installed in
/usr/${PERLLIB}/Shorewall. The default value of PERLLIB is
'share/shorewall'. PERLLIB is only recognized by the Shorewall and
Shorewall6 installers and the same value must be passed to both
installers.
When sections are enabled:
4) Bridge/ports handling has been significantly improved, resulting in
packets to/from bridges traversing fewer rules.
- You must jump to a user-defined accounting chain before you can
add rules to that chain. This eliminates the possibility of
unreferenced chains.
- You may not specify an output interface in the INPUT section.
- In the OUTPUT section:
- You may not specify an input interface
- You may not jump to a chain defined in the INPUT section that
specifies an input interface
- You may not specify a MAC address
- You may not jump to a chain defined in the INPUT section that
specifies specifies a MAC address.
- The default value of the CHAIN column is:
- 'accountin' in the INPUT section
- 'accountout' in the OUTPUT section
- 'accountfwd' in the FORWARD section
- Traffic addressed to the firewall goes through the rules defined
in the INPUT section.
- Traffic originating on the firewall goes through the rules
defined in the OUTPUT section.
- Traffic being forwarded through the firewall goes through the
rules defined in the FORWARD section.
As part of this change, the USER/GROUP column must now be empty
except in the OUTPUT section. This is consistent with recent
Netfilter releases which disallow the owner match in rules
reachable from the INPUT and FORWARD hooks.
3) Internals Change: The Policy.pm module has been merged into the
Rules.pm module.
5) A list of protocols is now permitted in the PROTO column of the
rules file.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
@ -408,6 +347,147 @@ None.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 8
----------------------------------------------------------------------------
4.4.18 Final
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
context where a network address is allowed, the compiler failed to
supply the default <vlsm> of 128. This could lead to startup errors
and/or Perl errors such as:
Use of uninitialized value $mask in concatenation (.) or
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
<$currentfile> line 11.
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
previously not recognized. That functionality has been restored.
3) If an interface mentioned in the tcfilters file was not up when
Shorewall was started or restarted, then the command would fail
at run-time with a 'tc' error message.
4.4.18 RC 1
1) None.
4.4.18 Beta 4
1) Edting of the MARK column has been tighened to catch errors at
compile time rather than at run time.
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
to get the most common suffixes at the front of the list. It is
still recommended that you modify this setting to include only the
suffix(es) used on your system. Current distributions use 'ko'
almost exclusively.
4.4.18 Beta 2
1) Previously, the 'local' option in /etc/shorewall6/providers would
produce an 'ip route add' command containing an IPv4 address. It now
correctly uses the equivalent IPv6 address. Note that this option
is still undocumented for use with IPv6.
2) When optimize level 4 was set, the optimizer mis-handled rules of the
form:
-A <chain1> -j <chain2> -m comment ...
when such a rule was the only rule in a chain.
4.4.18 Beta 1
None.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 8
----------------------------------------------------------------------------
1) The modules files are now just a driver that INCLUDEs several new
files and one old file:
- /usr/share/shorewall[6]/modules.essential # Essential modules
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
- /usr/share/shorewall[6]/helpers # Existing file
- /usr/share/shorewall/ipset # ipset modules
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
- /usr/share/shorewall[6]/modules.extensions # Other extensions
This should make it easier to configure your own
/etc/shorewall[6]/modules file that won't be obsolete when you
upgrade your Shorewall/Shorewall6 installation.
For example, if you don't use traffic shaping or ipsets, you can
remove those from your copy of the modules file (copy in
/etc/shorewall/).
2) Traditionally, the root of the Shorewall accounting rules has been
the 'accounting' chain. Having a single root chain has drawbacks:
- Many rules are traversed needlessly (they could not possibly
match traffic).
- At any time, the Netfilter team could begin generating errors
when loading those same rules.
- MAC addresses may not be used in the accounting rules.
- The 'accounting' chain cannot be optimized when
OPTIMIZE_ACCOUNTING=Yes.
In addition, currently the rules may be defined in any order so the
rules compiler must post-process the ruleset to alert the user to
unreferenced chains.
Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:
- accountin: Rules that are valid in the INPUT chain (may not
specify an output interface).
- accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).
- accountfwd: Other rules.
The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file.
The sections are INPUT, OUTPUT and FORWARD and must appear in that
order (although any of them may be omitted). The first
non-commentary record in the accounting file must be a section
header when sectioning is used.
When sections are enabled:
- You must jump to a user-defined accounting chain before you can
add rules to that chain. This eliminates the possibility of
unreferenced chains.
- You may not specify an output interface in the INPUT section.
- In the OUTPUT section:
- You may not specify an input interface
- You may not jump to a chain defined in the INPUT section that
specifies an input interface
- You may not specify a MAC address
- You may not jump to a chain defined in the INPUT section that
specifies specifies a MAC address.
- The default value of the CHAIN column is:
- 'accountin' in the INPUT section
- 'accountout' in the OUTPUT section
- 'accountfwd' in the FORWARD section
- Traffic addressed to the firewall goes through the rules defined
in the INPUT section.
- Traffic originating on the firewall goes through the rules
defined in the OUTPUT section.
- Traffic being forwarded through the firewall goes through the
rules defined in the FORWARD section.
As part of this change, the USER/GROUP column must now be empty
except in the OUTPUT section. This is consistent with recent
Netfilter releases which disallow the owner match in rules
reachable from the INPUT and FORWARD hooks.
3) Internals Change: The Policy.pm module has been merged into the
Rules.pm module.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 7
----------------------------------------------------------------------------
@ -3103,7 +3183,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
hence will now start successfully when running on that kernel.
14) Three new options (IP, TC and IPSET) have been added to
shorewall.conf and shorwall6.conf. These options specify the name
shorewall.conf and shorewall6.conf. These options specify the name
of the executable for the 'ip', 'tc' and 'ipset' utilities
respectively.

@ -363,7 +363,11 @@ compiler() {
PERL=/usr/bin/perl
fi
$PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
if [ $g_perllib = share/shorewall ]; then
$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
else
PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
fi
}
#
@ -1135,6 +1139,8 @@ reload_command() # $* = original arguments less the command.
getcaps=
local root
root=root
local libexec
libexec=share
litedir=/var/lib/shorewall-lite
@ -1195,6 +1201,10 @@ reload_command() # $* = original arguments less the command.
[ -n "$temp" ] && litedir="$temp"
temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
[ -n "$temp" ] && libexec="$temp"
if [ -z "$getcaps" ]; then
SHOREWALL_DIR=$(resolve_file $directory)
ensure_config_path
@ -1211,7 +1221,7 @@ reload_command() # $* = original arguments less the command.
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
progress_message "Getting Capabilities on system $system..."
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then
fatal_error "ERROR: Capturing capabilities on system $system failed"
fi
fi
@ -1574,6 +1584,8 @@ CONFDIR=/etc/shorewall
g_product="Shorewall"
g_recovering=
g_timestamp=
g_libexec=share
g_perllib=share/shorewall
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
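Review bot: The new test `if [ $g_perllib = share/shorewall ]; then` in compiler() leaves `$g_perllib` unquoted, so an empty value (the installer's sed failing to patch it, or a hand-edited lib.base) becomes a syntax error inside `[`; use `if [ "$g_perllib" = share/shorewall ]; then`. In the else branch `PERL5LIB=$g_perllib` passes the value as given, and since the installer treats PERLLIB as a path relative to /usr (`/usr/${PERLLIB}/Shorewall`), a non-default value such as `lib/perl5` would only resolve when the current directory happens to be /usr; presumably this should be `PERL5LIB=/usr/$g_perllib` — confirm against how compiler.pl sets @INC. In reload_command, `libexec` is taken from the remote `show config` output and spliced unquoted into the rsh command string; it is executed on the same remote it came from, so exposure is limited, but a check such as `case $libexec in ''|*[!A-Za-z0-9_./-]*) fatal_error "Invalid LIBEXEC ($libexec)";; esac` before use would keep a garbled or unexpected line from altering the command. compiler() and reload_command both start outside these hunks.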

@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.18
%define release 1
%define version 4.4.19
%define release 0Beta4
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -109,10 +109,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -72,6 +72,9 @@ else
VERSION=""
fi
[ -n "${LIBEXEC:=share}" ]
[ -n "${PERLLIB:=share/shorewall}" ]
echo "Uninstalling shorewall $VERSION"
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
@ -106,6 +109,8 @@ rm -rf /etc/shorewall
rm -rf /etc/shorewall-*.bkout
rm -rf /var/lib/shorewall
rm -rf /var/lib/shorewall-*.bkout
rm -rf /usr/$PERLLIB}/Shorewall/*
rm -rf /usr/${LIBEXEC}/shorewall
rm -rf /usr/share/shorewall
rm -rf /usr/share/shorewall-*.bkout
rm -rf /usr/share/man/man5/shorewall*
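Review bot: `rm -rf /usr/$PERLLIB}/Shorewall/*` is missing the opening brace, so the path expands to `/usr/share/shorewall}/Shorewall/*` and the installed Perl modules are never removed when PERLLIB is non-default (with the default they are still caught by the `rm -rf /usr/share/shorewall` two lines below); write `rm -rf /usr/${PERLLIB}/Shorewall/*`. Both LIBEXEC and PERLLIB come from the caller's environment and are only defaulted when empty by the two lines added earlier in this file, so `/usr/${LIBEXEC:?}/shorewall` and `/usr/${PERLLIB:?}/Shorewall/*` would be a cheap guard against a future edit that drops the defaulting and turns these into removals of /usr//shorewall.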

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -123,6 +123,7 @@ done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
[ -n "${LIBEXEC:=share}" ]
#
# Determine where to install the firewall script
#
@ -187,6 +188,7 @@ else
rm -rf ${DESTDIR}/etc/shorewall6-lite
rm -rf ${DESTDIR}/usr/share/shorewall6-lite
rm -rf ${DESTDIR}/var/lib/shorewall6-lite
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
fi
#
@ -202,6 +204,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite
echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
#
@ -223,6 +227,7 @@ echo "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
#
mkdir -p ${DESTDIR}/etc/shorewall6-lite
mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite
mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
chmod 755 ${DESTDIR}/etc/shorewall6-lite
@ -275,20 +280,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct
# Install Shorecap
#
install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap 0755
echo
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap"
#
# Install wait4ifup
#
if [ -f wait4ifup ]; then
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup 0755
echo
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup"
fi
#
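Review bot: `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap` is the only removal in that block without the `${DESTDIR}` prefix, so a staged install (DESTDIR set, as in package builds) deletes files from the build host's live /usr/share/shorewall6-lite instead of the staging tree; prefix both paths with `${DESTDIR}`. The `eval sed -i \'``s\|g_libexec=.\*\|...` line carries a pair of stray backticks after the opening quote — an empty command substitution that eval happens to tolerate — and the eval itself is unnecessary: `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall6-lite` does the same without re-parsing an environment-supplied value as shell.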

@ -554,6 +554,7 @@ MUTEX_TIMEOUT=
SHAREDIR=/usr/share/shorewall6-lite
CONFDIR=/etc/shorewall6-lite
g_product="Shorewall6 Lite"
g_libexec=share
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

@ -1,6 +1,6 @@
%define name shorewall6-lite
%define version 4.4.18
%define release 1
%define version 4.4.19
%define release 0Beta4
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -94,10 +94,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -60,6 +60,8 @@ else
VERSION=""
fi
[ -n "${LIBEXEC:=share}" ]
echo "Uninstalling Shorewall Lite $VERSION"
if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
@ -95,6 +97,7 @@ rm -rf /etc/shorewall6-lite-*.bkout
rm -rf /var/lib/shorewall6-lite
rm -rf /var/lib/shorewall6-lite-*.bkout
rm -rf /usr/share/shorewall6-lite
rm -rf /usr/${LIBEXEC}/shorewall6-lite
rm -rf /usr/share/shorewall6-lite-*.bkout
rm -f /etc/logrotate.d/shorewall6-lite

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -110,6 +110,8 @@ MAC=
MANDIR=${MANDIR:-"/usr/share/man"}
SPARSE=
INSTALLD='-D'
[ -n "${LIBEXEC:=share}" ]
[ -n "${PERLLIB:=share/shoreall}" ]
case $(uname) in
CYGWIN*)
@ -226,9 +228,13 @@ fi
if [ -z "$CYGWIN" ]; then
install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
else
install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall6
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall6
echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
fi
@ -252,7 +258,8 @@ fi
# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
#
mkdir -p ${DESTDIR}/etc/shorewall6
mkdir -p ${DESTDIR}/usr/share/shorewall6
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6
mkdir -p ${DESTDIR}/usr/${PERLLIB}/
mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
mkdir -p ${DESTDIR}/var/lib/shorewall6
@ -318,10 +325,10 @@ delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
# Install wait4ifup
#
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup 0755
echo
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup"
#
# Install the policy file
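Review bot: The default `[ -n "${PERLLIB:=share/shoreall}" ]` misspells the directory (`shoreall`), which makes the Shorewall6 default differ from Shorewall's `share/shorewall`: `mkdir -p ${DESTDIR}/usr/${PERLLIB}/` creates an empty /usr/share/shoreall, the sed patches `g_perllib=share/shoreall` into /sbin/shorewall6, and the `[ $g_perllib = share/shorewall ]` test in lib.cli then takes the PERL5LIB branch with a path where no modules are installed; the release notes in this commit require both installers to be given the same PERLLIB. Change it to `[ -n "${PERLLIB:=share/shorewall}" ]`. As in the Shorewall installer, the `eval sed -i ...` lines can be plain `sed -i "s|g_perllib=.*|g_perllib=$PERLLIB|" ${DESTDIR}/sbin/shorewall6`, which avoids re-parsing an environment-supplied value as shell.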

@ -38,7 +38,6 @@ SHOREWALL_CAPVERSION=40417
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
[ -n "${CONFDIR:=/etc/shorewall6}" ]
[ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ]
#
# Conditionally produce message


@ -591,8 +591,17 @@ show_command() {
;;
config)
. ${SHAREDIR}/configpath
if [ -n "$g_filemode" ]; then
echo "CONFIG_PATH=$CONFIG_PATH"
echo "VARDIR=$VARDIR"
echo "LIBEXEC=$g_libexec"
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
else
echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "Default VARDIR is $VARDIR"
echo "LIBEXEC is $g_libexec"
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
fi
;;
chain)
shift
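Review bot: The `echo "LIBEXEC is $g_libexec"` line in the non-file-mode branch is now a wire format rather than display text: the shorewall6 `reload` command in this same commit runs `shorewall6-lite show config` on the remote system and extracts the value with `grep ^LIBEXEC | sed 's/LIBEXEC is //'`, so rewording that line would silently break remote reloads. A comment above `if [ -n "$g_filemode" ]` should say so, e.g. `# NOTE: 'shorewall[6] reload' parses the "LIBEXEC is ..." line below over rsh; keep the prefix stable.` Note also that the file-mode branch prints `LIBEXEC=$g_libexec`, which that parser does not strip — if g_filemode can be on when the command is invoked non-interactively over rsh (how it is set is outside this hunk), the caller would receive `LIBEXEC=share` as the directory name. show_command starts and ends outside the hunk.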


@ -239,7 +239,7 @@ startup_error() {
# Run the appropriate compiler
#
compiler() {
pc=${PERLSHAREDIR}/compiler.pl
pc=/usr/$g_libexec/shorewall/compiler.pl
local command
command=$1
@ -300,7 +300,11 @@ compiler() {
PERL=/usr/bin/perl
fi
if [ $g_perllib = share/shorewall ]; then
$command $PERL $debugflags $pc $options $@
else
$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
fi
}
#
@ -1068,6 +1072,8 @@ reload_command() # $* = original arguments less the command.
root=root
local compiler
compiler=
local libexec
libexec=share
litedir=/var/lib/shorewall6-lite
@ -1128,6 +1134,10 @@ reload_command() # $* = original arguments less the command.
[ -n "$temp" ] && litedir=$temp
temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
[ -n "$temp" ] && libexec=$temp
if [ -z "$getcaps" ]; then
SHOREWALL_DIR=$(resolve_file $directory)
ensure_config_path
@ -1142,7 +1152,7 @@ reload_command() # $* = original arguments less the command.
fi
progress_message "Getting Capabilities on system $system..."
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/share/shorewall6-lite/shorecap" > $directory/capabilities; then
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/$libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
fatal_error "ERROR: Capturing capabilities on system $system failed"
fi
fi
@ -1484,6 +1494,8 @@ SHAREDIR=/usr/share/shorewall6
CONFDIR=/etc/shorewall6
g_product="Shorewall6"
g_recovering=
g_libexec=share
g_perllib=share/shorewall
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
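Review bot: In compiler(), `PERL5LIB=$g_perllib` exports a relative path: g_perllib is a location under /usr (the installer creates `/usr/${PERLLIB}/` and the default is `share/shorewall`), so for any non-default value Perl searches `./<g_perllib>/Shorewall` relative to whatever directory root happens to run the command from, and the real modules are never found. The line should be `$command env PERL5LIB=/usr/$g_perllib $PERL $debugflags $pc $options $@`; using `env` also keeps the assignment working if `$command` is ever a prefix such as `exec`, where a bare `VAR=value` word is taken as the program name (what callers pass as `$command` is not visible here). Relatedly, in reload_command the remote's `LIBEXEC is …` value is accepted after only a non-empty check and dropped unquoted into the rsh command line; a `case $temp in *[!A-Za-z0-9_./-]*|*..*|/*) fatal_error "Invalid LIBEXEC reported by $system";; esac` before `libexec=$temp` would bound it. compiler() and reload_command both continue outside the hunks shown.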


@ -1,6 +1,6 @@
%define name shorewall6
%define version 4.4.18
%define release 1
%define version 4.4.19
%define release 0Beta4
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -98,10 +98,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-1
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.18.1
VERSION=4.4.19-Beta4
usage() # $1 = exit status
{
@ -72,6 +72,8 @@ else
VERSION=""
fi
[ -n "${LIBEXEC:=share}" ]
echo "Uninstalling shorewall6 $VERSION"
if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
@ -106,6 +108,7 @@ rm -rf /etc/shorewall6
rm -rf /etc/shorewall6-*.bkout
rm -rf /var/lib/shorewall6
rm -rf /var/lib/shorewall6-*.bkout
rm -rf /usr/${LIBEXEC}/shorewall6
rm -rf /usr/share/shorewall6
rm -rf /usr/share/shorewall6-*.bkout
rm -rf /usr/share/man/man5/shorewall6*
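Review bot: The uninstaller removes `/usr/${LIBEXEC}/shorewall6` using whatever LIBEXEC happens to be in the environment, defaulting to `share`, so an install done with `LIBEXEC=libexec` followed by an uninstall run without it leaves /usr/libexec/shorewall6 behind (the documentation hunk in this commit makes the admin responsible for remembering the value). The installer already records the value as `g_libexec=` in /sbin/shorewall6, so read it back before applying the default: `[ -n "$LIBEXEC" ] || LIBEXEC=$(sed -n 's/^g_libexec=//p' /sbin/shorewall6 2>/dev/null)` followed by the existing `[ -n "${LIBEXEC:=share}" ]`. The value is also used unvalidated in `rm -rf`, so a stray `LIBEXEC=..` deletes /shorewall6 rather than failing; a `case` rejecting `..` and absolute paths on that line is cheap insurance.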


@ -173,6 +173,80 @@
instructions</ulink>.</para>
</listitem>
</orderedlist>
<section>
<title>Executables in /usr and Perl Modules</title>
<para>Distributions have different philosophies about the proper file
hierarchy. Two issures are particularly contentious:</para>
<itemizedlist>
<listitem>
<para>Executable files in
<filename>/usr/share/shorewall*</filename>. These include;</para>
<itemizedlist>
<listitem>
<para>getparams</para>
</listitem>
<listitem>
<para>compiler.pl</para>
</listitem>
<listitem>
<para>wait4ifup</para>
</listitem>
<listitem>
<para>shorecap</para>
</listitem>
<listitem>
<para>ifupdown</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Perl Modules in
<filename>/usr/share/shorewall/Shorewall</filename>.</para>
</listitem>
</itemizedlist>
<para>To allow distributions to designate alternate locations for these
files, the installers (install.sh) from 4.4.19 onward support the
following environmental variables:</para>
<variablelist>
<varlistentry>
<term>LIBEXEC</term>
<listitem>
<para>Determines where in /usr getparams, compiler.pl, wait4ifup,
shorecap and ifupdown are installed. Shorewall and Shorewall6 must
be installed with the same value of LIBEXEC. The listed
executables are installed in
<filename>/usr/${LIBEXEC}/shorewall*</filename>. The default value
of LIBEXEC is 'share'. LIBEXEC is recognized by all installers and
uninstallers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PERLLIB</term>
<listitem>
<para> Determines where in <filename>/usr </filename>the Shorewall
perl modules are installed. Shorewall and Shorewall6 must be
installed with the same value of PERLLIB. The modules are
installed in <filename>/usr/${PERLLIB}/Shorewall</filename>. The
default value of PERLLIB is 'share/shorewall'. PERLLIB is only
recognized by the Shorewall and Shorewall6 installers.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
</section>
<section id="Debian">


@ -647,14 +647,35 @@ eth0 <emphasis role="bold">172.20.1.0/24</emphasis></programl
<para>Before:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
# PORT(S) PORT(S) DEST LIMIT GROUP
NONAT loc net tcp 80</programlisting>
<para>After:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
# PORT(S) PORT(S) DEST LIMIT GROUP
NONAT loc - tcp 80</programlisting>
<para>Shorewall 4.4 versions prior to 4.4.19 do not support icmp type
lists in the DEST PORT(S) column. Only a single ICMP type may be listed.
If you have a shell variable with a list of ICMP types that you use in a
rule, you can work around this limitation as follows. Replace this
rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT(S) PORT(S) DEST LIMIT GROUP
ACCEPT z1 z2 icmp $ITYPES</programlisting>
<para>with:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT(S) PORT(S) DEST LIMIT GROUP
BEGIN SHELL
for type in $ITYPES; do
ACCEPT z1 z2 icmp $type
done
END SHELL</programlisting>
</section>
<section id="routestopped">


@ -790,6 +790,13 @@ gateway:/etc/shorewall # </programlisting></para>
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
<para>If you are the sort to put such an entry in your rules file even
though /etc/shorewall/rules.d might not exist or might be empty, then
you probably want:</para>
<programlisting>SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
</example>
</section>
@ -1308,13 +1315,26 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
</section>
<section id="Compliment">
<title>Complementing an Address or Subnet</title>
<title>Complementing an Address, Subnet, Protocol or Port List</title>
<para>Where specifying an IP address, a subnet or an interface, you can
precede the item with <quote>!</quote> to specify the complement of the
item. For example, !192.168.1.4 means <quote>any host but
192.168.1.4</quote>. There must be no white space following the
<quote>!</quote>.</para>
<para>Similarly, in columns that specify an IP protocol, you can preceed
the protocol name or number by "!". For example, !tcp means "any protocol
except tcp".</para>
<para>This also works with port lists, providing that the list contains 15
or fewer ports (where a <link linkend="Ranges">port range</link> counts as
two ports). For example !ssh,smtp means "any port except 22 and
25".</para>
<para>In Shorewall 4.4.19 and later, icmp type lists are supported but
complementing an icmp type list is <emphasis>not</emphasis> supported. You
may, however, complement a single icmp (icmp6) type.</para>
</section>
<section id="Exclusion">
@ -1454,6 +1474,9 @@ router-advertisement =&gt; 134
neighbour-solicitation =&gt; 135
neighbour-advertisement =&gt; 136
redirect =&gt; 137</programlisting>
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to
Shorewall 4.4.19.</para>
</section>
<section id="Ranges">


@ -81,5 +81,11 @@
<para>If you installed using an rpm, at a root shell prompt type
<quote>rpm -e shorewall</quote>.</para>
<note>
<para>If you specified LIBEXEC and/or PERLLIB when you installed
Shorewall, you must specify the same value to the uninstall script.
e.g., LIBEXEC=libexec ./uninstall.sh.</para>
</note>
</section>
</article>


@ -821,6 +821,10 @@
role="bold">tcp:syn</emphasis> implies <emphasis
role="bold">tcp</emphasis> plus the SYN flag must be set and the
RST,ACK and FIN flags must be reset.</para>
<para>Beginning with Shorewall 4.4.19, this column can contain a
comma-separated list of protocol-numbers and/or protocol
names.</para>
</listitem>
</varlistentry>
@ -837,7 +841,9 @@
the destination icmp-type(s). ICMP types may be specified as a
numeric type, a numberic type and code separated by a slash (e.g.,
3/4), or a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
listsed.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading


@ -624,6 +624,10 @@
role="bold">tcp:syn</emphasis> implies <emphasis
role="bold">tcp</emphasis> plus the SYN flag must be set and the
RST,ACK and FIN flags must be reset.</para>
<para>Beginning with Shorewall6 4.4.19, this column can contain a
comma-separated list of protocol-numbers and/or protocol names
(e.g., <emphasis role="bold">tcp,udp</emphasis>).</para>
</listitem>
</varlistentry>
@ -640,7 +644,9 @@
the destination icmp-type(s). ICMP types may be specified as a
numeric type, a numberic type and code separated by a slash (e.g.,
3/4), or a typename. See <ulink
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
listsed.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading