diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules index 42f88d437..463368608 100644 --- a/Lrp/etc/shorewall/rules +++ b/Lrp/etc/shorewall/rules @@ -46,6 +46,8 @@ # to the rules defined for that # (those) zone(s). # LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. # # You may rate-limit the rule by optionally # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index fbfbda3e1..b67a9d9bc 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf @@ -350,11 +350,12 @@ CLAMPMSS=No # ROUTE FILTERING # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all -# interfaces (anti-spoofing measure). +# interfaces started while Shorewall is started (anti-spoofing measure). # # If this variable is not set or is set to the empty value, "No" is assumed. -# In that case, you can still enable route filtering on individual interfaces -# in the /etc/shorewall/interfaces file. +# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering +# on individual interfaces using the 'routefilter' option in the +# /etc/shorewall/interfaces file. ROUTE_FILTER=No 
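Review bot: The new QUEUE entry in the rules comment block does not say that for TCP only the connection-initiating packet is queued; the add_a_rule hunk in firewall appends `--syn` to the protocol match whenever the target is QUEUE, so a user-space application such as p2pwall never sees the data packets of an accepted connection. Suggested wording after the p2pwall line: `# For TCP, only SYN packets are queued (see add_a_rule in the firewall script).` Whether the remaining packets of that connection are then accepted or dropped depends on the surrounding rules, which are outside this hunk, so the comment should stop at what is queued.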
@@ -463,6 +464,28 @@ NEWNOTSYN=No # ADMINISABSENTMINDED=Yes +# +# BLACKLIST Behavior +# +# Shorewall offers two types of blacklisting: +# +# - static blacklisting through the /etc/shorewall/blacklist file together +# with the 'blacklist' interface option. +# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. +# +# The following variable determines whether the blacklist is checked for each +# packet or for each new connection. +# +# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection +# requests +# +# BLACKLISTNEWONLY=No Consult blacklists for all packets. +# +# If the BLACKLISTNEWONLY option is not set or is set to the empty value then +# BLACKLISTNEWONLY=No is assumed. +# +BLACKLISTNEWONLY=Yes + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/Lrp/usr/share/shorewall/firewall b/Lrp/usr/share/shorewall/firewall index e6b432736..482d17f68 100755 --- a/Lrp/usr/share/shorewall/firewall +++ b/Lrp/usr/share/shorewall/firewall @@ -57,14 +57,18 @@ list_search() # $1 = element to search for , $2-$n = list } # -# Function to count list elements +# Functions to count list elements +# - - - - - - - - - - - - - - - - +# Whitespace-separated list +# +list_count1() { + echo $# +} +# +# Comma-separated list # list_count() { - arg_count() { - echo $# - } - - arg_count `separate_list $1` + list_count1 `separate_list $1` } # 
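Review bot: The BLACKLISTNEWONLY description should state the trade-off of the shipped `Yes` value: the blacklist chains are entered behind `-m state --state NEW` (setup_blacklist and initialize_netfilter in firewall), so an address added with the dynamic `drop`/`reject` commands keeps any connection that was already established until that connection ends by itself. Suggested addition under the `=Yes` line: `# (connections already established from an address are not affected when it is added)`. The text documents `No` as the fallback while this file ships `Yes`; a short sentence on why `Yes` is preferred (only the first packet of a connection pays for the blacklist lookup) would make the choice reviewable.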
@@ -225,11 +229,13 @@ run_tc() { # # If the chain isn't one of the common chains then add a rule to the chain # allowing packets that are part of an established connection. Create a -# variable ${1}_exists and set its value to Yes to indicate that the chain now +# variable exists_${1} and set its value to Yes to indicate that the chain now # exists. # createchain() # $1 = chain name, $2 = If "yes", create default rules { + local c=`chain_base $1` + run_iptables -N $1 if [ $2 = yes ]; then @@ -238,11 +244,13 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi - eval ${1}_exists=Yes + eval exists_${c}=Yes } createchain2() # $1 = chain name, $2 = If "yes", create default rules { + local c=`chain_base $1` + if iptables -N $1; then if [ $2 = yes ]; then @@ -251,20 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi - eval ${1}_exists=Yes + eval exists_${c}=Yes fi } # # Determine if a chain exists # -# When we create a chain "chain", we create a variable named chain_exists and -# set its value to Yes. This function tests for the "_exists" variable +# When we create a chain "chain", we create a variable named exists_chain and +# set its value to Yes. This function tests for the "exists_" variable # corresponding to the passed chain having the value of "Yes". # havechain() # $1 = name of chain { - eval test \"\$${1}_exists\" = Yes + local c=`chain_base $1` + + eval test \"\$exists_${c}\" = Yes } # 
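Review bot: Keying the `exists_` variables by chain_base in createchain, createchain2 and havechain means two distinct chains can share one variable, because chain_base maps both `.` and `-` to `_` (functions hunk): chains named `eth0.1` and `eth0-1` both set `exists_eth0_1`, so havechain can answer Yes for a chain that was never created. If such name pairs cannot occur in practice, a comment above createchain should say so, e.g. `# exists_ variables are keyed by chain_base, so chain names that differ only in . - _ share one flag`. The `eval` still interpolates the caller-supplied name unquoted, as before; chain_base only normalises separators, it does not validate the name.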
@@ -303,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule # # Create a nat chain # -# Create a variable ${1}_nat_exists and set its value to Yes to indicate that +# Create a variable exists_nat_${1} and set its value to Yes to indicate that # the chain now exists. # createnatchain() # $1 = chain name { run_iptables -t nat -N $1 - eval ${1}_nat_exists=Yes + eval exists_nat_${1}=Yes } # # Determine if a nat chain exists # -# When we create a chain "chain", we create a variable named chain_nat_exists -# and set its value to Yes. This function tests for the "_exists" variable +# When we create a chain "chain", we create a variable named exists_nat_chain +# and set its value to Yes. This function tests for the "exists_" variable # corresponding to the passed chain having the value of "Yes". # havenatchain() # $1 = name of chain { - eval test \"\$${1}_nat_exists\" = Yes + eval test \"\$exists_nat_${1}\" = Yes } # @@ -626,11 +636,11 @@ validate_interfaces_file() { all_interfaces="$all_interfaces $interface" options=`separate_list $options` - interface=`chain_base $interface` + iface=`chain_base $interface` - eval ${interface}_broadcast="$subnet" - eval ${interface}_zone="$z" - eval ${interface}_options=\"$options\" + eval ${iface}_broadcast="$subnet" + eval ${iface}_zone="$z" + eval ${iface}_options=\"$options\" for option in $options; do case $option in @@ -753,7 +763,14 @@ validate_policy() esac case $policy in - ACCEPT|REJECT|DROP|CONTINUE|NONE) + ACCEPT|REJECT|DROP|CONTINUE) + ;; + NONE) + [ "$client" = "$FW" -o "$server" = "$FW" ] && \ + startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" + + [ -n "$clientwild" -o -n "$serverwild" ] && \ + startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" ;; *) startup_error "Invalid policy $policy" 
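Review bot: createnatchain and havenatchain still build the variable name from the raw `$1` (`eval exists_nat_${1}=Yes` and `eval test \"\$exists_nat_${1}\" = Yes`) while createchain and havechain in the preceding hunks now go through chain_base; a nat chain name containing `-` or `.` would make those evals fail or be misparsed as an arithmetic or command expression. Unless nat chain names are guaranteed to be plain identifiers, give both functions the same local `c` computed from chain_base and use `exists_nat_${c}`, keeping the comment above each function in step with the new variable name.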
@@ -771,8 +788,6 @@ validate_policy() [ "x$loglevel" = "x-" ] && loglevel= - chain=${client}2${server} - [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" eval ${chain}_is_policy=Yes @@ -960,7 +975,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi local chain=$2 local disposition=$3 local rulenum= - local limit=${4:-$LOGLIMIT} + local limit="${4:-$LOGLIMIT}" shift;shift;shift;shift @@ -1452,28 +1467,19 @@ setup_mac_lists() { # for interface in $maclist_interfaces; do chain=`mac_chain $interface` - blob=`ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'` + + blob=`ip link show $interface 2> /dev/null` [ -z "$blob" ] && \ fatal_error "Interface $interface must be up before Shorewall can start" - set -- $blob - - while [ $# -gt 0 ]; do - address=${1%/*} - - case $1 in - */32) - ;; - *) - run_iptables -A $chain -s $address -d $2 -j RETURN - shift - ;; - esac + ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do + if [ -n "$broadcast" ]; then + run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN + fi run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN - shift done if [ -n "$MACLIST_LOG_LEVEL" ]; then @@ -1668,9 +1674,10 @@ setup_ecn() # $1 = file name # process_tc_rule() { + chain=$marking_chain + add_a_tc_rule() { r= - chain=$marking_chain if [ "x$source" != "x-" ]; then case $source in 
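Review bot: Removing `chain=${client}2${server}` leaves `all_policy_chains="$all_policy_chains $chain"` and `eval ${chain}_is_policy=Yes` in this hunk depending on `chain` being assigned earlier in validate_policy, outside the hunk; the NONE checks added in the previous hunk use `$client` and `$server` but do not set `chain`. Please confirm the assignment exists on the new side, otherwise the value left over from the previous policy line is recorded. validate_policy begins and ends outside the hunk.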
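Review bot: The `... | while read address broadcast; do` loop in setup_mac_lists now runs run_iptables inside a pipeline subshell, so if run_iptables reports a failed iptables call by exiting (fatal_error), only the subshell ends and the script continues with a partially built MAC chain; the old `set -- $blob` loop ran in the main shell. Reading the address list from a temporary file or a here-document instead of a pipe preserves the original failure behaviour. `read address broadcast` also assigns everything after the first field to `broadcast`, so any other text the sed filter leaves on an `inet` line (a point-to-point `peer` entry, for instance) would be passed to `-d` verbatim; the old loop had the same exposure, but it is worth confirming the filter output against such interfaces now that the line is being rewritten.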
@@ -1693,26 +1700,6 @@ process_tc_rule() esac fi - if [ "$mark" != "${mark%:*}" ]; then - - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - - case "${mark#*:}" in - p|P) - chain=tcpre - ;; - f|F) - chain=tcfor - ;; - *) - fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" - ;; - esac - - mark="${mark%:*}" - fi - [ "x$dest" = "x-" ] || r="${r}-d $dest " [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " @@ -1722,6 +1709,26 @@ process_tc_rule() } + if [ "$mark" != "${mark%:*}" ]; then + + [ "$chain" = tcout ] && \ + fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" + + case "${mark#*:}" in + p|P) + chain=tcpre + ;; + f|F) + chain=tcfor + ;; + *) + fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" + ;; + esac + + mark="${mark%:*}" + fi + for source in `separate_list ${sources:=-}`; do for dest in `separate_list ${dests:=-}`; do for port in `separate_list ${ports:=-}`; do @@ -2315,6 +2322,26 @@ add_a_rule() { local natrule= + do_ports() { + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= 
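Review bot: Hoisting the `${mark#*:}` chain-designator block out of add_a_tc_rule changes when `[ "$chain" = tcout ]` is evaluated: it now sees `chain=$marking_chain` before any source has been processed, so if the `case $source` inside add_a_tc_rule (its body is outside the hunk) is what assigns `chain=tcout` for a `$FW` source, the "Chain designator not allowed when source is $FW" error can no longer fire, and that per-source assignment may then override the tcpre/tcfor chain chosen here. Please confirm where tcout is assigned; if it is in add_a_tc_rule, either keep the check there or test the sources against `$FW` in the hoisted block. process_tc_rule continues outside both hunks.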
@@ -2369,25 +2396,13 @@ add_a_rule() [ x$cport = x- ] && cport= case $proto in - tcp|udp|TCP|UDP|6|17) - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - ;; + tcp|TCP|6) + do_ports + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + do_ports + ;; icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" state= @@ -2761,10 +2776,13 @@ process_rule() # $1 = target # Generate Netfilter rule(s) + protocol=${protocol:=all} + case $logtarget in DNAT*) - if [ -n "$MULTIPORT" -a \ - "$ports" = "${ports%:*}" -a \ + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ `list_count $ports` -le 15 -a \ `list_count $cports` -le 15 ] @@ -2800,8 +2818,9 @@ process_rule() # $1 = target ;; *) - if [ -n "$MULTIPORT" -a \ - "$ports" = "${ports%:*}" -a \ + if [ -n "$MULTIPORT" ] && \ + ! list_search $protocol "icmp" "ICMP" "1" && \ + [ "$ports" = "${ports%:*}" -a \ "$cports" = "${cports%:*}" -a \ `list_count $ports` -le 15 -a \ `list_count $cports` -le 15 ] @@ -2869,7 +2888,7 @@ process_rules() while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do temp="${xtarget%:*}" case "${temp%<*}" in - ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) + ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset if [ "x$xclients" = xall ]; then 
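Review bot: The multiport eligibility test in process_rule is now repeated verbatim in the `DNAT*)` and `*)` arms of `case $logtarget` (this hunk and the next), and both grew the same `! list_search $protocol "icmp" "ICMP" "1"` clause; a small helper that returns the combined test would keep the two copies from drifting apart. The reason for the new clause is not stated, so a comment above the first copy such as `# icmp has no ports, so multiport can never apply` would help the next reader. process_rule starts and ends outside the hunk.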
@@ -3387,7 +3406,7 @@ setup_masq() ;; *) subnets=`get_routed_subnets $subnet` - [ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet" + [ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet" subnet="$subnets" ;; esac @@ -3578,9 +3597,11 @@ setup_blacklist() { createchain blacklst no + [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= + for interface in $interfaces; do for chain in `first_chains $interface`; do - run_iptables -A $chain -j blacklst + run_iptables -A $chain $state -j blacklst done echo " Blacklisting enabled on $interface" @@ -3899,13 +3920,15 @@ initialize_netfilter () { fi fi + [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= + echo "Creating Interface Chains..." for interface in $all_interfaces; do createchain `forward_chain $interface` no - run_iptables -A `forward_chain $interface` -j dynamic + run_iptables -A `forward_chain $interface` $state -j dynamic createchain `input_chain $interface` no - run_iptables -A `input_chain $interface` -j dynamic + run_iptables -A `input_chain $interface` $state -j dynamic done } @@ -4003,7 +4026,7 @@ add_common_rules() { if [ -n "$interfaces" ]; then createchain logpkt no - [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info + [ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info LOGPARMS="$LOGPARMS --log-ip-options" @@ -4175,6 +4198,7 @@ add_common_rules() { if [ -n "$interfaces" ]; then echo "Setting up ARP Filtering..." + for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/arp_filter if [ -f $file ]; then 
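Review bot: `[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=` in setup_blacklist assigns the global `state`, which add_a_rule also uses for its own state match (it clears it with `state=` in the icmp arm of an earlier hunk), and the identical line is duplicated in initialize_netfilter in the next hunk. Computing it once in do_initialize into a dedicated name, e.g. `BLACKLIST_STATE=`, and writing `$BLACKLIST_STATE` in both rules removes the duplication and the shared-global clash. Whether the two assignments can actually interleave with add_a_rule depends on call order outside these hunks, so the rename is mainly a guard against that.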
@@ -4188,28 +4212,28 @@ add_common_rules() { # # Route Filtering # - for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - echo 0 > $f - done - interfaces="`find_interfaces_by_option routefilter`" if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then echo "Setting up Kernel Route Filtering..." - if [ -n "$ROUTE_FILTER" ]; then - echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter - else - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - if [ -f $file ]; then - echo 1 > $file - else - error_message \ - "Warning: Cannot set route filtering on $interface" - fi - done - fi + for f in /proc/sys/net/ipv4/conf/*/rp_filter; do + echo 0 > $f + done + + for interface in $interfaces; do + file=/proc/sys/net/ipv4/conf/$interface/rp_filter + if [ -f $file ]; then + echo 1 > $file + else + error_message \ + "Warning: Cannot set route filtering on $interface" + fi + done + + echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter + [ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter + run_ip route flush cache fi # # IP Forwarding @@ -4381,6 +4405,7 @@ activate_rules() [ -n "$complex" ] && \ run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain + done for zone1 in $zones; do 
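Review bot: The reset loop `for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done` now runs only inside `if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]`, so once an administrator removes the last `routefilter` option with ROUTE_FILTER=No, a restart leaves the previous run's rp_filter=1 values in place until reboot; the old code reset them unconditionally. The unconditional `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter` after zeroing the per-interface flags assumes the kernel validates sources only where both `all` and the interface flag are set; a kernel that takes the maximum of the two values would filter every interface, which the shorewall.conf text in the first hunk does not mention. A comment above that line stating the assumption, e.g. `# all/rp_filter must be 1 for the per-interface flags to take effect; interfaces left at 0 above stay unfiltered`, would make the intent reviewable.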
@@ -4401,24 +4426,34 @@ activate_rules() routeback= fi - for host in $source_hosts; do - interface=${host%:*} - - if [ -n "$complex" ]; then - chain1=$frwd_chain - else - chain1=`forward_chain $interface` - fi - + if [ -n "$complex" ]; then for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} - - if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain + if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then + if list_search $host1 $routeback; then + run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain + fi + else + run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain fi done - done + else + for host in $source_hosts; do + interface=${host%:*} + + chain1=`forward_chain $interface` + + for host1 in $dest_hosts; do + interface1=${host1%:*} + subnet1=${host1#*:} + + if [ "$host" != "$host1" ] || list_search $host $routeback; then + run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain + fi + done + done + fi done done @@ -5021,6 +5056,7 @@ do_initialize() { LOGFORMAT= LOGRULENUMBERS= ADMINISABSENTMINDED= + BLACKLISTNEWONLY= stopping= have_mutex= @@ -5170,6 +5206,7 @@ do_initialize() { LOGFORMAT="Shorewall:%s:%s:" fi ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED` + BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY` # # Strip the files that we use often # diff --git a/Lrp/usr/share/shorewall/functions b/Lrp/usr/share/shorewall/functions index 170fa6402..657762330 100644 --- a/Lrp/usr/share/shorewall/functions +++ b/Lrp/usr/share/shorewall/functions @@ -425,6 +425,9 @@ chain_base() #$1 = interface *.*) c="${c%.*}_${c##*.}" ;; + *-*) + c="${c%-*}_${c##*-}" + ;; *) echo ${c:=common} return diff --git a/Lrp/usr/share/shorewall/version b/Lrp/usr/share/shorewall/version index be05bba98..b2e46d185 100644 --- a/Lrp/usr/share/shorewall/version 
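Review bot: The single-host special case in the new complex branch, `if [ \`list_count1 $source_hosts\` -eq 1 -a "$source_hosts" = "$host1" ]`, is not obvious at a glance: it keeps the old loop's rule that a zone whose only host is `$host1` gets a rule back into itself solely when that host is listed in routeback, while collapsing the duplicate `-A $frwd_chain` rules the old per-host loop emitted when several hosts shared one chain. A comment saying exactly that above the `if` would help. `list_count1 $source_hosts` also relies on default word-splitting of the unquoted list, which is worth stating where the function is introduced.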
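Review bot: The new `*-*)` arm in chain_base converts only the last `-` (`${c%-*}_${c##*-}`), exactly like the `.` arm above it; whether a name with two separators is fully converted depends on this `case` sitting inside a loop, which lies outside the hunk. If it does not loop, such names still reach the `eval` in createchain and havechain unconverted. A comment above the case, e.g. `# one separator is mapped per pass; the enclosing loop repeats until none remain`, or a single whole-string substitution if the target shell supports it, would settle this; note also that `.` and `-` both become `_`, so distinct interface names can map to the same chain base.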
+++ b/Lrp/usr/share/shorewall/version
@@ -1 +1 @@
-1.4.7
+1.4.8
diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version
index be05bba98..b2e46d185 100644
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ b/Lrp/var/lib/lrpkg/shorwall.version
@@ -1 +1 @@
-1.4.7
+1.4.8