diff --git a/Samples/Universal/rules b/Samples/Universal/rules index 1517c7db8..026aa2420 100644 --- a/Samples/Universal/rules +++ b/Samples/Universal/rules @@ -9,6 +9,7 @@ #################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules index afdf49d62..2315bdfe7 100644 --- a/Samples/one-interface/rules +++ b/Samples/one-interface/rules @@ -13,6 +13,10 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules index 8ca2cc232..8383d173f 100644 --- a/Samples/three-interfaces/rules +++ b/Samples/three-interfaces/rules @@ -13,6 +13,14 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + +# Don't allow connection pickup from the net +# +Invalid(DROP) net all # # Accept DNS connections from the firewall to the Internet # diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules index 4dcec9128..28fe38462 100644 --- a/Samples/two-interfaces/rules +++ b/Samples/two-interfaces/rules 
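Review bot: The one-interface sample receives only the SECTION comments, whereas the two- and three-interface samples in this same change also add `Invalid(DROP) net all` under `SECTION NEW` to drop connection pickup from the net; a single-interface host faces the net in exactly the same way, so unless the omission is deliberate the same rule and its comment belong here too (and in Samples6/one-interface), directly after `SECTION NEW`. If it is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.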
@@ -13,6 +13,14 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + +# Don't allow connection pickup from the net +# +Invalid(DROP) net all # # Accept DNS connections from the firewall to the network # diff --git a/Samples6/Universal/rules b/Samples6/Universal/rules index 1517c7db8..026aa2420 100644 --- a/Samples6/Universal/rules +++ b/Samples6/Universal/rules @@ -9,6 +9,7 @@ #################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Samples6/one-interface/rules b/Samples6/one-interface/rules index 408bb4aa2..57a2365cb 100644 --- a/Samples6/one-interface/rules +++ b/Samples6/one-interface/rules @@ -13,6 +13,10 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules index 77cc9ed09..6a55c7231 100644 --- a/Samples6/three-interfaces/rules +++ b/Samples6/three-interfaces/rules 
@@ -13,6 +13,14 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + +# Don't allow connection pickup from the net +# +Invalid(DROP) net all # # Accept DNS connections from the firewall to the Internet # diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules index 75065698e..6091118e6 100644 --- a/Samples6/two-interfaces/rules +++ b/Samples6/two-interfaces/rules @@ -13,6 +13,14 @@ ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW + +# Don't allow connection pickup from the net +# +Invalid(DROP) net all # # Accept DNS connections from the firewall to the network # diff --git a/Shorewall-init/init.fedora.sh b/Shorewall-init/init.fedora.sh new file mode 100644 index 000000000..a9bd23565 --- /dev/null +++ b/Shorewall-init/init.fedora.sh 
@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description: Place the firewall in a safe state at boot time
+# prior to bringing up the network.
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+ . /etc/sysconfig/shorewall-init
+else
+ echo "/etc/sysconfig/shorewall-init not found"
+ exit 6
+fi
+
+# Initialize the firewall
+start () {
+ local product
+ local vardir
+
+ if [ -z "$PRODUCTS" ]; then
+ echo "No firewalls configured for shorewall-init"
+ failure
+ return 6 #Not configured
+ fi
+
+ echo -n "Initializing \"Shorewall-based firewalls\": "
+ for product in $PRODUCTS; do
+ vardir=/var/lib/$product
+ [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+ if [ -x ${vardir}/firewall ]; then
+ ${vardir}/firewall stop 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ [ retval -ne 0 ] && break
+ fi
+ done
+
+ if [ retval -eq 0 ]; then
+ touch $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+# Clear the firewall
+stop () {
+ local product
+ local vardir
+
+ echo -n "Clearing \"Shorewall-based firewalls\": "
+ for product in $PRODUCTS; do
+ vardir=/var/lib/$product
+ [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+ if [ -x ${vardir}/firewall ]; then
+ ${vardir}/firewall clear 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ [ retval -ne 0 ] && break
+ fi
+ done
+
+ if [ retval -eq 0 ]; then
+ rm -f $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+status_q() {
+ status > /dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ status_q && exit 0
+ $1
+ ;;
+ stop)
+ status_q || exit 0
+ $1
+ ;;
+ restart|reload|force-reload)
+ echo "Not implemented"
+ exit 3
+ ;;
+ condrestart|try-restart)
+ echo "Not implemented"
+ exit 3
+ ;;
+ status)
+ status $prog
+ ;;
+ *)
+ echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+ exit 1
+esac
+
+exit 0
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh
index 2cbaf292f..57c0c5649 100755
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -160,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
 DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
 SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+ FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
 echo "Shorewall-init is currently not supported on Slackware" >&2
 exit 1
@@ -181,6 +183,14 @@ else
 exit 1
 fi
 
+if [ -z "$DESTDIR" ]; then
+ if [ -f /lib/systemd/system ]; then
+ SYSTEMD=Yes
+ fi
+elif [ -n "$SYSTEMD" ]; then
+ mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -202,6 +212,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
 install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+elif [ -n "$FEDORA" ]; then
+ install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 # install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
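Review bot: In both start() and stop(), `[ retval -ne 0 ] && break` and `if [ retval -eq 0 ]; then` test the literal word `retval`, which `[` rejects as a non-integer (status 2), so the loop never breaks on a failed product and the success branch is unreachable; every run prints FAILED while still returning `$retval`, which is additionally unset when no product has an executable `${vardir}/firewall`. Set `retval=0` before each loop and write `[ "$retval" -ne 0 ] && break` and `if [ "$retval" -eq 0 ]; then`. Separately, `status_q` calls the `status` helper from /etc/rc.d/init.d/functions with no program name, which in the copies of that library I know prints a usage line and returns 1, so `stop)`'s `status_q || exit 0` appears to always exit before clearing the firewall; since this script manages no daemon, `status_q() { [ -f "$lockfile" ]; }` is probably what was intended — confirm against the functions library on the target release.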
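Review bot: `[ -f /lib/systemd/system ]` tests for a regular file, but /lib/systemd/system is a directory, so SYSTEMD is never set on a real systemd host and the unit-file install and `systemctl enable` added further down are silently skipped; it should read `if [ -d /lib/systemd/system ]; then`. The same test is copied into Shorewall-lite/install.sh in this commit. In the DESTDIR branch SYSTEMD is only honoured if the caller exported it, which is reasonable for packaging but deserves a comment such as `# with DESTDIR set, the packager must export SYSTEMD=Yes to get the unit file installed`.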
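Review bot: The new `elif [ -n "$FEDORA" ]` branch installs `init.debian.sh` rather than the `init.fedora.sh` this very commit adds, so on Red Hat-derived hosts the Debian script (presumably written against Debian's LSB helpers) lands in /etc/init.d and the Fedora script is never used; Shorewall-lite/install.sh in the same change installs `init.fedora.sh` at the equivalent spot. Change the line to `install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544`.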
@@ -210,6 +222,14 @@ fi echo "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT" +# +# Install the .service file +# +if [ -n "$SYSTEMD" ]; then + run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service + echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service" +fi + # # Create /usr/share/shorewall-init if needed # @@ -297,7 +317,11 @@ if [ -z "$DESTDIR" ]; then echo "Shorewall Init will start automatically at boot" else - if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if [ -n "$SYSTEMD" ]; then + if systemctl enable shorewall-init; then + echo "Shorewall Init will start automatically at boot" + fi + elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if insserv /etc/init.d/shorewall-init ; then echo "Shorewall Init will start automatically at boot" else diff --git a/Shorewall-init/shorewall-init.service b/Shorewall-init/shorewall-init.service new file mode 100644 index 000000000..d9484de5e --- /dev/null +++ b/Shorewall-init/shorewall-init.service @@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# +# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com) +# +[Unit] +Description=Shorewall IPv4 firewall +After=syslog.target +Before=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall-init +StandardOutput=syslog +ExecStart=/sbin/shorewall-init $OPTIONS start +ExecReload=/sbin/shorewall-init $OPTIONS restart +ExecStop=/sbin/shorewall-init $OPTIONS stop + +[Install] +WantedBy=multi-user.target diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 586d6ba22..180645691 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh 
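Review bot: `ExecReload=/sbin/shorewall-init $OPTIONS restart` cannot succeed with the init script added in this commit, whose `restart|reload|force-reload)` arm prints `Not implemented` and exits 3, so `systemctl reload shorewall-init` will always fail; either drop the ExecReload line or implement restart as stop followed by start in the script. The installer also places that script at /etc/init.d/shorewall-init and nothing in this diff installs a /sbin/shorewall-init, so confirm that path is provided elsewhere in the package before ExecStart/ExecStop depend on it. `Before=network.target` does match the script's stated purpose of reaching a safe state before interfaces come up.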
@@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then insserv -r $INITSCRIPT elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then chkconfig --del $(basename $INITSCRIPT) + elif [ -x /sbin/systemctl ]; then + systemctl disable shorewall-init else rm -f /etc/rc*.d/*$(basename $INITSCRIPT) fi @@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall remove_file /etc/sysconfig/network/if-up.d/shorewall remove_file /etc/sysconfig/network/if-down.d/shorewall +remove_file /lib/systemd/system/shorewall.service if [ -d /etc/ppp ]; then for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do diff --git a/Shorewall-lite/init.fedora.sh b/Shorewall-lite/init.fedora.sh new file mode 100644 index 000000000..c18529976 --- /dev/null +++ b/Shorewall-lite/init.fedora.sh 
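Review bot: `systemctl disable shorewall-init` is only reached when neither insserv nor chkconfig exists, but hosts that run systemd commonly still ship chkconfig, so the unit that install.sh enables with `systemctl enable` would typically stay enabled after uninstall. Test for systemctl before the insserv/chkconfig checks, e.g. `if [ -x /bin/systemctl -o -x /sbin/systemctl ]; then systemctl disable shorewall-init`, or run it in addition to the legacy tooling. The same ordering appears in Shorewall-lite/uninstall.sh.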
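Review bot: `remove_file /lib/systemd/system/shorewall.service` names the wrong unit: install.sh in this commit writes `shorewall-init.service`, so the Shorewall-init unit is left behind after uninstall, and a unit belonging to the main Shorewall package would be removed instead if one existed under that name. Change it to `remove_file /lib/systemd/system/shorewall-init.service`.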
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+ . /etc/sysconfig/$prog
+fi
+
+start() {
+ echo -n $"Starting Shorewall: "
+ $shorewall $OPTIONS start 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ touch $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping Shorewall: "
+ $shorewall $OPTIONS stop 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ rm -f $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+ echo -n $"Restarting Shorewall: "
+ $shorewall $OPTIONS restart 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ touch $lockfile
+ success
+ else # Failed to start, clean up lock file if present
+ rm -f $lockfile
+ failure
+ fi
+ echo
+ return $retval
+}
+
+status(){
+ $shorewall status
+ return $?
+}
+
+status_q() {
+ status > /dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ status_q && exit 0
+ $1
+ ;;
+ stop)
+ status_q || exit 0
+ $1
+ ;;
+ restart|reload|force-reload)
+ restart
+ ;;
+ condrestart|try-restart)
+ status_q || exit 0
+ restart
+ ;;
+ status)
+ $1
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+ exit 1
+ ;;
+esac
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index a4901f439..39a949c1e 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -136,7 +136,6 @@ esac
 #
 # Determine where to install the firewall script
 #
-DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -173,6 +172,8 @@ if [ -n "$DESTDIR" ]; then
 install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
 DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+ FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
 DEST="/etc/rc.d"
 INIT="rc.firewall"
@@ -182,6 +183,14 @@ elif [ -f /etc/arch-release ] ; then
 ARCHLINUX=yes
 fi
 
+if [ -z "$DESTDIR" ]; then
+ if [ -f /lib/systemd/system ]; then
+ SYSTEMD=Yes
+ fi
+elif [ -n "$SYSTEMD" ]; then
+ mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -223,12 +232,13 @@ echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
- install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+ install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+elif [ -n "$FEDORA" ]; then
+ install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
- install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+ install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
- install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+ install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
 
 echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
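Review bot: The script is declared `#!/bin/sh` but depends on bash-only syntax — `[[ $retval == 0 ]]`, `${PIPESTATUS[0]}` and `$"..."` — so it only works where /bin/sh happens to be bash; the Shorewall-init/init.fedora.sh added in this same commit uses `#! /bin/bash`, and this one should be consistent with it: `#!/bin/bash`. Since `${PIPESTATUS[0]}` is what makes the `| $logger` pipeline report the firewall's own exit status rather than logger's, running under a non-bash sh would not just warn but would mis-report a failed start as success.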
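Review bot: Dropping the `DEBIAN=` initialisation means the later `if [ -n "$DEBIAN" ]` branch now also fires when DEBIAN happens to be set in the caller's environment, because the detection chain only assigns it on Debian hosts; CYGWIN is still cleared on the very next line, so this looks accidental rather than intended. Keep `DEBIAN=` and add `FEDORA=` beside it so the new variable starts from a known state too (SYSTEMD is deliberately taken from the environment in the DESTDIR case, so leave that one).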
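Review bot: `[ -f /lib/systemd/system ]` checks for a regular file, but /lib/systemd/system is a directory, so SYSTEMD never gets set on a live systemd host and the `.service` install and `systemctl enable` added later in this file are skipped; use `if [ -d /lib/systemd/system ]; then`. The identical test is in Shorewall-init/install.sh in this commit and needs the same change.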
@@ -249,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
 chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+ run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+ echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -389,7 +407,11 @@ if [ -z "$DESTDIR" ]; then
 
 echo "Shorewall Lite will start automatically at boot"
 else
- if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+ if [ -n "$SYSTEMD" ]; then
+ if systemctl enable shorewall-lite; then
+ echo "Shorewall Lite will start automatically at boot"
+ fi
+ elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 if insserv /etc/init.d/shorewall-lite ; then
 echo "Shorewall Lite will start automatically at boot"
 else
diff --git a/Shorewall-lite/shorewall-lite.service b/Shorewall-lite/shorewall-lite.service
new file mode 100644
index 000000000..b999bebdd
--- /dev/null
+++ b/Shorewall-lite/shorewall-lite.service
@@ -0,0 +1,21 @@
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecReload=/sbin/shorewall-lite $OPTIONS restart
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index 73f67148f..d49430e82 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then insserv -r $FIREWALL elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then chkconfig --del $(basename $FIREWALL) + elif [ -x /sbin/systemctl ]; then + systemctl disable shorewall-lite else rm -f /etc/rc*.d/*$(basename $FIREWALL) fi @@ -112,6 +114,7 @@ rm -rf /usr/share/shorewall-lite rm -rf ${LIBEXEC}/shorewall-lite rm -rf /usr/share/shorewall-lite-*.bkout rm -f /etc/logrotate.d/shorewall-lite +rm -f /lib/systemd/system/shorewall-lite.service echo "Shorewall Lite Uninstalled" diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 4f6043a49..402842341 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -63,6 +63,7 @@ our @EXPORT = qw( %chain_table $raw_table + $rawpost_table $nat_table $mangle_table $filter_table @@ -113,6 +114,8 @@ our %EXPORT_TAGS = ( zone_input_chain use_input_chain output_chain + prerouting_chain + postrouting_chain zone_output_chain use_output_chain masq_chain @@ -132,6 +135,7 @@ our %EXPORT_TAGS = ( ensure_mangle_chain ensure_nat_chain ensure_raw_chain + ensure_rawpost_chain new_standard_chain new_builtin_chain new_nat_chain @@ -143,10 +147,13 @@ our %EXPORT_TAGS = ( newexclusionchain newnonatchain source_exclusion + source_iexclusion dest_exclusion + dest_iexclusion clearrule port_count do_proto + do_iproto do_mac do_imac verify_mark @@ -262,6 +269,7 @@ our $VERSION = 'MODULEVERSION'; # our %chain_table; our $raw_table; +our $rawpost_table; our $nat_table; our $mangle_table; our $filter_table; 
@@ -438,31 +446,33 @@ use constant { UNIQUE => 1, MATCH => 8, CONTROL => 16 }; -my %opttype = ( rule => CONTROL, - cmd => CONTROL, +my %opttype = ( rule => CONTROL, + cmd => CONTROL, - dhcp => UNIQUE, + dhcp => UNIQUE, - mode => CONTROL, - cmdlevel => CONTROL, - simple => CONTROL, + mode => CONTROL, + cmdlevel => CONTROL, + simple => CONTROL, - i => UNIQUE, - s => UNIQUE, - o => UNIQUE, - d => UNIQUE, - p => UNIQUE, - dport => UNIQUE, - sport => UNIQUE, + i => UNIQUE, + s => UNIQUE, + o => UNIQUE, + d => UNIQUE, + p => UNIQUE, + dport => UNIQUE, + sport => UNIQUE, + 'icmp-type' => UNIQUE, + 'icmpv6-type' => UNIQUE, - comment => CONTROL, + comment => CONTROL, - policy => MATCH, - state => EXCLUSIVE, + policy => MATCH, + state => EXCLUSIVE, - jump => TARGET, - target => TARGET, - targetopts => TARGET, + jump => TARGET, + target => TARGET, + targetopts => TARGET, ); my %aliases = ( protocol => 'p', @@ -474,9 +484,11 @@ my %aliases = ( protocol => 'p', 'out-interface' => 'o', dport => 'dport', sport => 'sport', + 'icmp-type' => 'icmp-type', + 'icmpv6-type' => 'icmpv6-type', ); -my @unique_options = ( qw/p dport sport s d i o/ ); +my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ ); # # Rather than initializing globals in an INIT block or during declaration, 
@@ -491,16 +503,18 @@ my @unique_options = ( qw/p dport sport s d i o/ ); sub initialize( $$$ ) { ( $family, my $hard, $export ) = @_; - %chain_table = ( raw => {}, - mangle => {}, - nat => {}, - filter => {} ); + %chain_table = ( raw => {}, + rawpost => {}, + mangle => {}, + nat => {}, + filter => {} ); - $raw_table = $chain_table{raw}; - $nat_table = $chain_table{nat}; - $mangle_table = $chain_table{mangle}; - $filter_table = $chain_table{filter}; - %renamed = (); + $raw_table = $chain_table{raw}; + $rawpost_table = $chain_table{rawpost}; + $nat_table = $chain_table{nat}; + $mangle_table = $chain_table{mangle}; + $filter_table = $chain_table{filter}; + %renamed = (); # # Contents of last COMMENT line. # @@ -1582,6 +1596,22 @@ sub output_chain($) $_[0] . '_out'; } +# +# Prerouting Chain for an interface +# +sub prerouting_chain($) +{ + $_[0] . '_pre'; +} + +# +# Prerouting Chain for an interface +# +sub postrouting_chain($) +{ + $_[0] . '_post'; +} + # # Output Chain for a zone # @@ -2044,6 +2074,14 @@ sub ensure_raw_chain($) { $chainref; } +sub ensure_rawpost_chain($) { + my $chain = $_[0]; + + my $chainref = ensure_chain 'rawpost', $chain; + $chainref->{referenced} = 1; + $chainref; +} + # # Add a builtin chain # @@ -2110,7 +2148,7 @@ sub ensure_audit_chain( $;$$ ) { $tgt ||= $action; - add_ijump $ref, j => 'AUDIT --type ' . lc $action; + add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action; if ( $tgt eq 'REJECT' ) { add_ijump $ref , g => 'reject'; @@ -2200,6 +2238,8 @@ sub initialize_chain_table($) { new_builtin_chain 'raw', $chain, 'ACCEPT'; } + new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; + for my $chain ( qw(INPUT OUTPUT FORWARD) ) { new_builtin_chain 'filter', $chain, 'DROP'; } @@ -2243,6 +2283,8 @@ sub initialize_chain_table($) { new_builtin_chain 'raw', $chain, 'ACCEPT'; } + new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; + for my $chain ( qw(INPUT OUTPUT FORWARD) ) { new_builtin_chain 'filter', $chain, 'DROP'; } 
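Review bot: The header comment above `postrouting_chain` was copied from `prerouting_chain` and still reads `# Prerouting Chain for an interface`, although the function returns `$_[0] . '_post'`; it should read `# Postrouting Chain for an interface`.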
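Review bot: `ensure_rawpost_chain` marks a rawpost chain as referenced without checking that the target system has a rawpost table, while `create_netfilter_load` and `create_stop_load` in this same change only emit that table when `have_capability( 'RAWPOST_TABLE' )` holds; on a host without the capability, rules placed in rawpost would therefore be silently left out of the generated ruleset rather than rejected at compile time, which for a firewall means the administrator believes a rule is in place when it is not. Unless the caller in Raw.pm already enforces this, add `require_capability( 'RAWPOST_TABLE', 'Rawpost chains', 's' );` as the first statement of the sub, mirroring the `require_capability( 'IPP2P_MATCH', ... )` form used elsewhere in this file. The unconditional `new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'` in initialize_chain_table is fine on its own as long as nothing is ever added to it without that check.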
@@ -2718,7 +2760,7 @@ sub optimize_level8( $$$ ) { } sub optimize_ruleset() { - for my $table ( qw/raw mangle nat filter/ ) { + for my $table ( qw/raw rawpost mangle nat filter/ ) { next if $family == F_IPV6 && $table eq 'nat'; @@ -2862,6 +2904,42 @@ sub source_exclusion( $$ ) { reftype $target ? $chainref : $chainref->{name}; } +sub source_iexclusion( $$$$$;@ ) { + my $chainref = shift; + my $jump = shift; + my $target = shift; + my $targetopts = shift; + my $source = shift; + my $table = $chainref->{table}; + + my @exclusion; + + if ( $source =~ /^([^!]+)!([^!]+)$/ ) { + $source = $1; + @exclusion = mysplit( $2 ); + + my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); + + add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion; + + if ( $targetopts ) { + add_ijump( $chainref1, $jump => $target, targetopts => $targetopts ); + } else { + add_ijump( $chainref1, $jump => $target ); + } + + add_ijump( $chainref , j => $chainref1, imatch_source_net( $source ), @_ ); + } elsif ( $targetopts ) { + add_ijump( $chainref, + $jump => $target, + targetopts => $targetopts, + imatch_source_net( $source ), + @_ ); + } else { + add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ ); + } +} + sub dest_exclusion( $$ ) { my ( $exclusions, $target ) = @_; 
@@ -2877,6 +2955,38 @@ sub dest_exclusion( $$ ) { reftype $target ? $chainref : $chainref->{name}; } +sub dest_iexclusion( $$$$$;@ ) { + my $chainref = shift; + my $jump = shift; + my $target = shift; + my $targetopts = shift; + my $dest = shift; + my $table = $chainref->{table}; + + my @exclusion; + + if ( $dest =~ /^([^!]+)!([^!]+)$/ ) { + $dest = $1; + @exclusion = mysplit( $2 ); + + my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); + + add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion; + + if ( $targetopts ) { + add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ ); + } else { + add_ijump( $chainref1, $jump => $target, @_ ); + } + + add_ijump( $chainref , j => $chainref1, imatch_dest_net( $dest ), @_ ); + } elsif ( $targetopts ) { + add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), targetopts => $targetopts , @_ ); + } else { + add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), @_ ); + } +} + sub clearrule() { $iprangematch = 0; } @@ -2894,7 +3004,9 @@ sub port_count( $ ) { sub state_imatch( $ ) { my $state = shift; - have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => $state ); + unless ( $state eq 'ALL' ) { + have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ); + } } # @@ -3000,6 +3112,7 @@ sub do_proto( $$$;$ ) if ( $ports =~ /,/ ) { fatal_error "An inverted ICMP list may only contain a single type" if $invert; + fatal_error "An ICMP type list is not allowed in this context" if $restricted; $types = ''; for my $type ( split_list( $ports, 'ICMP type list' ) ) { $types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type; 
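Review bot: `dest_iexclusion` passes the trailing `@_` matches both into the exclusion chain's final `add_ijump( $chainref1, $jump => $target, ..., @_ )` and onto the jump that enters that chain, whereas `source_iexclusion` in this same change only puts them on the entering jump. Packets reaching the exclusion chain have already satisfied those matches, so the inner copy is redundant per-packet work; drop `@_` from the two inner add_ijump calls (or add it in source_iexclusion if the duplication is intentional) so the two helpers behave alike.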
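Review bot: `state_imatch( 'ALL' )` does not appear to return an empty list: when the `unless` body is skipped, the sub's value is that of the last expression evaluated, i.e. the true result of `$state eq 'ALL'`, so a caller that splices the result into a key/value option list receives a stray `1` (an odd-length list). Make the intent explicit with `return () if $state eq 'ALL';` followed by the existing `have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );`. The added `--state` prefix itself is a correct fix.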
@@ -3024,6 +3137,7 @@ sub do_proto( $$$;$ ) if ( $ports =~ /,/ ) { fatal_error "An inverted ICMP list may only contain a single type" if $invert; + fatal_error "An ICMP type list is not allowed in this context" if $restricted; $types = ''; for my $type ( list_split( $ports, 'ICMP type list' ) ) { $types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type; 
@@ -3088,6 +3202,183 @@ sub do_mac( $ ) { "-m mac ${invert}--mac-source $mac "; } +sub do_iproto( $$$ ) +{ + my ($proto, $ports, $sports ) = @_; + + my @output = (); + + my $restricted = 1; + + $proto = '' if $proto eq '-'; + $ports = '' if $ports eq '-'; + $sports = '' if $sports eq '-'; + + if ( $proto ne '' ) { + + my $synonly = ( $proto =~ s/:syn$//i ); + my $invert = ( $proto =~ s/^!// ? '! ' : '' ); + my $protonum = resolve_proto $proto; + + if ( defined $protonum ) { + # + # Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent + # + fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum; + + my $pname = proto_name( $proto = $protonum ); + # + # $proto now contains the protocol number and $pname contains the canonical name of the protocol + # + unless ( $synonly ) { + @output = ( p => "${invert}${proto}" ); + } else { + fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert; + @output = ( p => "$proto --syn" ); + } + + fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne ''); + + PROTO: + { + if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { + my $multiport = 0; + + if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! 
' : ''; + if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { + fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); + fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; + + if ( port_count ( $ports ) > 15 ) { + if ( $restricted ) { + fatal_error "A port list in this file may only have up to 15 ports"; + } elsif ( $invert ) { + fatal_error "An inverted port list may only have up to 15 ports"; + } + } + + $ports = validate_port_list $pname , $ports; + push @output, multiport => "${invert}--dports ${ports}"; + $multiport = 1; + } else { + fatal_error "Missing DEST PORT" unless supplied $ports; + $ports = validate_portpair $pname , $ports; + push @output, dport => "${invert}${ports}"; + } + } else { + $multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); + } + + if ( $sports ne '' ) { + $invert = $sports =~ s/^!// ? '! ' : ''; + if ( $multiport ) { + + if ( port_count( $sports ) > 15 ) { + if ( $restricted ) { + fatal_error "A port list in this file may only have up to 15 ports"; + } elsif ( $invert ) { + fatal_error "An inverted port list may only have up to 15 ports"; + } + } + + $sports = validate_port_list $pname , $sports; + push @output, multiport => "${invert}--sports ${sports}"; + } else { + fatal_error "Missing SOURCE PORT" unless supplied $sports; + $sports = validate_portpair $pname , $sports; + push @output, sport => "${invert}${sports}"; + } + } + + last PROTO; } + + if ( $proto == ICMP ) { + fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp' + if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! 
' : ''; + + my $types; + + if ( $ports =~ /,/ ) { + fatal_error "An inverted ICMP list may only contain a single type" if $invert; + fatal_error "An ICMP type list is not allowed in this context" if $restricted; + $types = ''; + for my $type ( split_list( $ports, 'ICMP type list' ) ) { + $types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type; + } + } else { + $types = validate_icmp $ports; + } + + push @output, 'icmp-type' => "${invert}${types}"; + } + + fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; + + last PROTO; } + + if ( $proto == IPv6_ICMP ) { + fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4; + if ( $ports ne '' ) { + $invert = $ports =~ s/^!// ? '! ' : ''; + + my $types; + + if ( $ports =~ /,/ ) { + fatal_error "An inverted ICMP list may only contain a single type" if $invert; + fatal_error "An ICMP type list is not allowed in this context" if $restricted; + $types = ''; + for my $type ( split_list( $ports, 'ICMP type list' ) ) { + $types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type; + } + } else { + $types = validate_icmp6 $ports; + } + + push @output, 'icmpv6-type' => "${invert}${types}"; + } + + fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne ''; + + last PROTO; } + + + fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; + + } # PROTO + + } else { + fatal_error '":syn" is only allowed with tcp' if $synonly; + + if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { + my $p = $2 ? lc $3 : 'tcp'; + require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); + $proto = '-p ' . proto_name($p) . ' '; + + my $options = ''; + + if ( $ports ne 'ipp2p' ) { + $options .= " --$_" for split /,/, $ports; + } + + $options = have_capability( 'OLD_IPP2P_MATCH' ) ? 
' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options; + + push @output, ipp2p => "${proto}${options}"; + } else { + fatal_error "Invalid/Unknown protocol ($proto)" + } + } + } else { + # + # No protocol + # + fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne ''; + } + + @output; +} + sub do_imac( $ ) { my $mac = $_[0]; @@ -3101,7 +3392,7 @@ sub do_imac( $ ) { } # -# Mark validatation functions +# Mark validation functions # sub verify_mark( $ ) { my $mark = $_[0]; @@ -4786,7 +5077,7 @@ sub expand_rule( $$$$$$$$$$;$ ) if ( $origdest ) { if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) { - $origdest = ''; + $onets = $oexcl = ''; } elsif ( $origdest =~ /^detect:(.*)$/ ) { # # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column @@ -4816,7 +5107,7 @@ sub expand_rule( $$$$$$$$$$;$ ) $rule .= "-m conntrack --ctorigdst $variable "; } - $origdest = ''; + $onets = $oexcl = ''; } else { fatal_error "Invalid ORIGINAL DEST" if $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/; @@ -4903,7 +5194,7 @@ sub expand_rule( $$$$$$$$$$;$ ) # # Clear the exclusion bit # - add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff ); + add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff ); # # Mark packet if it matches any of the exclusions # 
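Review bot: `do_iproto` duplicates roughly 170 lines of `do_proto` with `$restricted` fixed to 1 and the output collected as key/value pairs instead of a string, so every port, ICMP-type and ipp2p validation rule now exists twice and will drift — the two ICMP hunks above already had to be patched in both copies. Consider having do_proto build the pair list through do_iproto (or a shared private helper taking a `$restricted` flag) and join it, so the validation lives in one place. Separately, in the ipp2p branch the `-p` is folded into the ipp2p value (`push @output, ipp2p => "${proto}${options}"`) rather than emitted as its own `p =>` pair, so the UNIQUE check that %opttype declares for `p` cannot see the protocol; `push @output, p => proto_name($p), ipp2p => $options` would keep it visible, provided the rule renderer accepts the split.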
@@ -5432,9 +5723,10 @@ sub create_netfilter_load( $ ) { my @table_list; - push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); - push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); - push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; + push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); + push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' ); + push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); + push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'filter'; $mode = NULL_MODE; @@ -5534,9 +5826,10 @@ sub preview_netfilter_load() { my @table_list; - push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); - push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); - push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; + push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); + push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' ); + push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); + push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'filter'; $mode = NULL_MODE; @@ -5644,7 +5937,7 @@ sub create_chainlist_reload($) { for my $chain ( @chains ) { ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/; + fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/; $chains{$table} = {} unless $chains{$table}; @@ -5673,7 +5966,7 @@ sub create_chainlist_reload($) { enter_cat_mode; - for $table ( qw(raw nat mangle filter) ) { + for $table ( qw(raw rawpost nat mangle filter) ) { my $tableref=$chains{$table}; next unless $tableref; 
@@ -5748,9 +6041,10 @@ sub create_stop_load( $ ) { my @table_list; - push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); - push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); - push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; + push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); + push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' ); + push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); + push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'filter'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index d00338b16..a182d8412 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -38,6 +38,8 @@ use Shorewall::IPAddrs; use Shorewall::Raw; use Shorewall::Misc; +use strict; + our @ISA = qw(Exporter); our @EXPORT = qw( compiler ); our @EXPORT_OK = qw( $export ); @@ -263,9 +265,9 @@ sub generate_script_2() { push_indent; if ( $global_variables & NOT_RESTORE ) { - emit( 'start|restart|refresh)' ); + emit( 'start|restart|refresh|disable|enable)' ); } else { - emit( 'start|restart|refresh|restore)' ); + emit( 'start|restart|refresh|disable|enable|restore)' ); } push_indent; @@ -613,7 +615,6 @@ sub compiler { # shorewall.conf has been processed and the capabilities have been determined. # initialize_chain_table(1); - # # Allow user to load Perl modules # @@ -695,7 +696,7 @@ sub compiler { if ( $scriptfilename || $debug ) { emit 'return 0'; pop_indent; - emit '}'; + emit '}'; # End of setup_common_rules() } disable_script; 
@@ -704,7 +705,17 @@ sub compiler { # (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # enable_script; - + # + # Validate the TC files so that the providers will know what interfaces have TC + # + my $tcinterfaces = process_tc; + # + # Generate a function to bring up each provider + # + process_providers( $tcinterfaces ); + # + # [Re-]establish Routing + # if ( $scriptfilename || $debug ) { emit( "\n#", '# Setup routing and traffic shaping', @@ -714,9 +725,7 @@ sub compiler { push_indent; } - # - # [Re-]establish Routing - # + setup_providers; # # TCRules and Traffic Shaping @@ -725,7 +734,7 @@ sub compiler { if ( $scriptfilename || $debug ) { pop_indent; - emit "}\n"; + emit "}\n"; # End of setup_routing_and_traffic_shaping() } disable_script; @@ -748,12 +757,12 @@ sub compiler { # Setup Nat # setup_nat; - # - # Setup NETMAP - # - setup_netmap; } + # + # Setup NETMAP + # + setup_netmap; # # MACLIST Filtration # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index e7e6c1b9e..26c7f3c93 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -279,6 +279,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT', HEADER_MATCH => 'Header Match', ACCOUNT_TARGET => 'ACCOUNT Target', AUDIT_TARGET => 'AUDIT Target', + RAWPOST_TABLE => 'Rawpost Table', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -306,6 +307,7 @@ our %config_files = ( #accounting => 1, refresh => 1, refreshed => 1, restored => 1, + rawnat => 1, route_rules => 1, routes => 1, routestopped => 1, @@ -381,6 +383,12 @@ my $iptables; # Path to iptables/ip6tables my $tc; # Path to tc my $ip; # Path to ip +my $shell; # Type of shell that processed the params file + +use constant { BASH => 1, + OLDBASH => 2, + ASH => 3 }; + use constant { MIN_VERBOSITY => -1, MAX_VERBOSITY => 2 , F_IPV4 => 4, 
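Review bot: In the Compiler.pm hunk @@ -748, `setup_netmap;` moves out of the block it used to share with `setup_nat;`, whose condition is outside the hunk; if that block is gated on NAT being available, netmap now runs unconditionally and relies on the per-entry `require_capability` calls added in Nat.pm. A one-line comment at the new call site would record that, e.g. `# Called outside the NAT block: stateless (RAWDNAT/RAWSNAT) entries need only the raw/rawpost tables`. The Config.pm hunk @@ -306 also registers `rawnat => 1` in %config_files, but no hunk in this diff reads a file by that name; if it is a placeholder, say so next to it.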
@@ -436,7 +444,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.22.1", - CAPVERSION => 40421 , + CAPVERSION => 40423 , ); # # From shorewall.conf file @@ -624,6 +632,7 @@ sub initialize( $ ) { CONNMARK_MATCH => undef, XCONNMARK_MATCH => undef, RAW_TABLE => undef, + RAWPOST_TABLE => undef, IPP2P_MATCH => undef, OLD_IPP2P_MATCH => undef, CLASSIFY_TARGET => undef, @@ -2525,6 +2534,10 @@ sub Raw_Table() { qt1( "$iptables -t raw -L -n" ); } +sub Rawpost_Table() { + qt1( "$iptables -t rawpost -L -n" ); +} + sub Old_IPSet_Match() { my $ipset = $config{IPSET} || 'ipset'; my $result = 0; @@ -2707,6 +2720,7 @@ our %detect_capability = PHYSDEV_MATCH => \&Physdev_Match, POLICY_MATCH => \&Policy_Match, RAW_TABLE => \&Raw_Table, + RAWPOST_TABLE => \&Rawpost_Table, REALM_MATCH => \&Realm_Match, RECENT_MATCH => \&Recent_Match, TCPMSS_MATCH => \&Tcpmss_Match, @@ -2820,6 +2834,7 @@ sub determine_capabilities() { $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); + $capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' ); $capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' ); $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' ); $capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' ); 
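Review bot: `Rawpost_Table` in the @@ -2525 hunk carries no comment and the table name is not self-explanatory; a line such as `# 'rawpost' table (used by the RAWDNAT/RAWSNAT targets; see setup_netmap in Nat.pm)` above it would help. The CAPVERSION bump from 40421 to 40423 in the @@ -436 hunk means a capabilities file saved before this change lacks RAWPOST_TABLE; the `undef` default added in the @@ -624 hunk then reads as "not available", which fails closed, provided the version check outside these hunks at least warns on the older file. Adding a capability touches five sites here (%capdesc, the initialize list, the probe, %detect_capability, determine_capabilities); a comment at one of them listing the others would keep the next addition complete.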
@@ -3054,8 +3069,19 @@ EOF fatal_error "Can't rename $configfile to $configfile.bak: $!" unless rename $configfile, "$configfile.bak"; fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile; + + if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) { + progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak"; + } else { + if ( unlink "$configfile.bak" ) { + progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved"; + } else { + warning_message "Unable to unlink $configfile.bak"; + progress_message3 "No update required to configuration file $configfile; $configfile.b"; + } - progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak"; + exit 0; + } } else { fatal_error "$fn does not exist"; } @@ -3249,6 +3275,8 @@ sub get_params() { # - Embedded double quotes are escaped with '\\' # - Valueless variables are supported (e.g., 'declare -x foo') # + $shell = BASH; + for ( @params ) { if ( /^declare -x (.*?)="(.*[^\\])"$/ ) { $params{$1} = $2 unless $1 eq '_'; @@ -3257,11 +3285,11 @@ sub get_params() { } elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) { $params{$1} = ''; } else { + chomp; if ($variable) { s/"$//; $params{$variable} .= $_; } else { - chomp; warning_message "Param line ($_) ignored" unless $bug++; } } @@ -3275,6 +3303,8 @@ sub get_params() { # - Embedded single quotes are escaped with '\' # - Valueless variables ( e.g., 'export foo') are supported # + $shell = OLDBASH; + for ( @params ) { if ( /^export (.*?)="(.*[^\\])"$/ ) { $params{$1} = $2 unless $1 eq '_'; @@ -3283,11 +3313,11 @@ sub get_params() { } elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) { $params{$1} = ''; } else { + chomp; if ($variable) { s/"$//; $params{$variable} .= $_; } else { - chomp; warning_message "Param line ($_) ignored" unless $bug++; } } 
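Review bot: In the @@ -3054 hunk, `system( "diff -q $configfile $configfile.bak > /dev/null" )` hands the configuration path to a shell, so a path containing whitespace or shell metacharacters breaks the comparison (or runs something other than diff), and a diff exit status of 2 (diff missing, file unreadable) is treated the same as "files differ". Core Perl's File::Compare avoids the shell and separates the cases: `my $differ = File::Compare::compare( $configfile, "$configfile.bak" );`, `fatal_error "Can't compare $configfile with $configfile.bak: $!" if $differ < 0;`, then `if ( $differ ) {` (with `require File::Compare;` or a `use` at the top of the module). The second progress message in the unlink-failure branch is truncated: `$configfile.b` should read `$configfile.bak not removed` or similar. The `exit 0` added in the no-update branch terminates the process from inside a library routine; if callers expect to continue after this function, return instead.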
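Review bot: In the get_params hunks @@ -3257 and @@ -3283 here, and @@ -3308 on the next hunk line, `chomp;` now runs before the `if ($variable)` test, so every continuation line of a multi-line value loses its newline, not only the line carrying the closing quote; the ASH branch deliberately stores the first line as `"${2}\n"`, which suggests internal newlines are meant to survive. If only the trailing newline was the problem, chomp just the closing line: `chomp if s/"$//;` followed by the unchanged `$params{$variable} .= $_;` (with the `'` form in the other two branches), leaving `chomp;` in the warning branch as before. I cannot see where `$variable` is reset, so confirm against the full loop.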
@@ -3300,6 +3330,8 @@ sub get_params() { # - Param values are delimited by single quotes. # - Embedded single quotes are transformed to the five characters '"'"' # + $shell = ASH; + for ( @params ) { if ( /^export (.*?)='(.*'"'"')$/ ) { $params{$variable=$1}="${2}\n"; @@ -3308,11 +3340,11 @@ sub get_params() { } elsif ( /^export (.*?)='(.*)$/ ) { $params{$variable=$1}="${2}\n"; } else { + chomp; if ($variable) { s/'$//; $params{$variable} .= $_; } else { - chomp; warning_message "Param line ($_) ignored" unless $bug++; } } @@ -3351,15 +3383,29 @@ sub export_params() { # next if exists $compiler_params{$param}; # + # Values in %params are generated from the output of 'export -p'. + # The different shells have different conventions for delimiting + # the value and for escaping embedded instances of the delimiter. + # The following logic removes the escape characters. + # + if ( $shell == BASH ) { + $value =~ s/\\"/"/g; + } elsif ( $shell == OLDBASH ) { + $value =~ s/\\'/'/g; + } else { + $value =~ s/'"'"'/'/g; + } + # # Don't export pairs from %ENV # - if ( exists $ENV{$param} && defined $ENV{$param} ) { - next if $value eq $ENV{$param}; - } + next if defined $ENV{$param} && $value eq $ENV{$param}; emit "#\n# From the params file\n#" unless $count++; - - if ( $value =~ /[\s()[]/ ) { + # + # We will use double quotes and escape embedded quotes with \. + # + if ( $value =~ /[\s()['"]/ ) { + $value =~ s/"/\\"/g; emit "$param='$value'"; } else { emit "$param=$value"; @@ -3368,9 +3414,10 @@ sub export_params() { } # +# - Process the params file # - Read the shorewall.conf file # - Read the capabilities file, if any -# - establish global hashes %config , %globals and %capabilities +# - establish global hashes %params, %config , %globals and %capabilities # sub get_configuration( $$$ ) { diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 6d9bb7682..8129049f0 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm 
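Review bot: In the export_params hunk @@ -3351, the new comment says the value will be double-quoted with embedded double quotes escaped by `\`, and `$value =~ s/"/\\"/g;` does that escaping, but the next line still emits `$param='$value'` in single quotes; inside single quotes the shell keeps the backslashes literally, and an embedded `'` (which the widened regex `[\s()['"]` now explicitly routes to this branch) ends the quoted string so the rest of the value is parsed as shell by the generated firewall script. Either emit double quotes and escape everything the shell interprets inside them — `if ( $value =~ /[\s()['"\\\$`]/ ) {`, `$value =~ s/(["\\\$`])/\\$1/g;`, `emit "$param=\"$value\"";` — or keep single quotes and replace each `'` with `'\''`. Separately, `$shell` is only assigned inside get_params, so if that routine can return without reaching a shell branch, `$shell == BASH` compares undef and silently takes the ASH unescape; initialising it, or guarding with `defined $shell`, would make that explicit.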
+++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -152,7 +152,10 @@ sub setup_ecn() if ( my $fn = open_file 'ecn' ) { - first_entry "$doing $fn..."; + first_entry( sub { progress_message2 "$doing $fn..."; + require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; + warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD'; + } ); while ( read_a_line ) { @@ -178,12 +181,12 @@ sub setup_ecn() for my $interface ( @interfaces ) { my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); - add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ); + add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD'; add_ijump $mangle_table->{OUTPUT}, j => $chainref, p => 'tcp', imatch_dest_dev( $interface ); } for my $host ( @hosts ) { - add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) ); + add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[1] ) ); } } } @@ -223,7 +226,7 @@ sub setup_blacklist() { log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); - add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit; + add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit; add_ijump( $logchainref, g => $target ); $target = 'blacklog'; 
@@ -498,34 +501,45 @@ sub add_common_rules() { my $audit = $policy =~ s/^A_//; my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : (); - if ( $level || $audit || @ipsec ) { + if ( $level || $audit ) { + # + # Create a chain to log and/or audit and apply the policy + # $chainref = new_standard_chain 'sfilter'; log_rule $level , $chainref , $policy , '' if $level ne ''; - add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit; + add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; $target = 'sfilter'; - - if ( @ipsec ) { - $chainref = new_standard_chain 'sfilter1'; - - add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); - log_rule $level , $chainref , $policy , '' if $level ne ''; - - add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit; - - add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; - - $target1 = 'sfilter1'; - } - } elsif ( ( $target = $policy ) eq 'REJECT' ) { - $target = 'reject'; + } else { + $target = $policy eq 'REJECT' ? 'reject' : $policy; } - $target1 = $target unless $target1; + if ( @ipsec ) { + # + # sfilter1 will be used in the FORWARD chain where we allow traffic entering the interface + # to leave the interface encrypted. We need a separate chain because '--dir out' cannot be + # used in the input chain + # + $chainref = new_standard_chain 'sfilter1'; + + add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' ); + log_rule $level , $chainref , $policy , '' if $level ne ''; + + add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit; + + add_ijump $chainref, g => $policy eq 'REJECT' ? 
'reject' : $policy; + + $target1 = 'sfilter1'; + } else { + # + # No IPSEC -- use the same target in both INPUT and FORWARD + # + $target1 = $target; + } for $interface ( grep $_ ne '%vserver%', all_interfaces ) { ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); @@ -540,9 +554,15 @@ sub add_common_rules() { if ( @filters ) { add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; + $interfaceref->{options}{use_forward_chain} = 1; } elsif ( $interfaceref->{bridge} eq $interface ) { add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++ - unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+'; + unless( $config{ROUTE_FILTER} eq 'on' || + $interfaceref->{options}{routeback} || + $interfaceref->{options}{routefilter} || + $interfaceref->{physical} eq '+' ); + + $interfaceref->{options}{use_forward_chain} = 1; } add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT}; @@ -552,6 +572,7 @@ sub add_common_rules() { if ( @filters ) { add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; + $interfaceref->{options}{use_input_chain} = 1; } add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT}; @@ -592,7 +613,7 @@ sub add_common_rules() { '', 'add', '' ); - add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP'; + add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP'; add_ijump( $smurfref, j => 'DROP' ); $smurfdest = 'smurflog'; 
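Review bot: In the @@ -540 hunk, the bridge anti-spoofing jump to `$target1` is now skipped when `$config{ROUTE_FILTER} eq 'on'`, i.e. it defers to the kernel's reverse-path filter. Reverse-path filtering only checks that the source address is routable back through the arriving interface, a looser test than the dropped rule, and the comparison matches only the literal string `on`; if ROUTE_FILTER accepts other spellings or the numeric rp_filter modes elsewhere in Config.pm, those values keep the rule while `on` drops it, which is worth confirming. A comment recording the intent at the rule, e.g. `# With ROUTE_FILTER=on the kernel rp_filter already rejects spoofed sources on bridge ports`, would make the trade-off visible. add_common_rules starts and ends outside this hunk.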
@@ -666,7 +687,7 @@ sub add_common_rules() { } add_ijump $rejectref , j => 'DROP', p => 2; - add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6; + add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6; if ( have_capability( 'ENHANCED_REJECT' ) ) { add_ijump $rejectref , j => 'REJECT', p => 17; @@ -729,11 +750,11 @@ sub add_common_rules() { if ( $audit ) { $disposition =~ s/^A_//; - add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition ); + add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition ); } if ( $disposition eq 'REJECT' ) { - add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6; + add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6; } else { add_ijump $logflagsref , j => $disposition; } @@ -906,14 +927,14 @@ sub setup_mac_lists( $ ) { log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" if supplied $level; - add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; + add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" ); } } else { log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac if supplied $level; - add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; + add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT'; add_jump ( $chainref , $targetref->{target}, 0, "$mac" ); } 
@@ -1163,6 +1184,12 @@ sub add_interface_jumps { addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface ); + + if ( have_capability 'RAWPOST_TABLE' ) { + insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; + insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface}; + insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface}; + } } # # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT @@ -1821,10 +1848,10 @@ sub setup_mss( ) { if ( $clampmss ) { if ( "\L$clampmss" eq 'yes' ) { - $option = ' --clamp-mss-to-pmtu'; + $option = '--clamp-mss-to-pmtu'; } else { @match = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' ); - $option = " --set-mss $clampmss"; + $option = "--set-mss $clampmss"; } push @match, ( policy => '--pol none --dir out' ) if have_ipsec; 
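Review bot: In the add_interface_jumps hunk @@ -1163, the `raw` PREROUTING and OUTPUT jumps sit inside `if ( have_capability 'RAWPOST_TABLE' )` although they only need the raw table; that is consistent today because setup_netmap creates those chains only after `require_capability 'RAWPOST_TABLE'`, but the dependency is implicit. Either guard each jump by the table it uses (`RAW_TABLE` for the two raw-table jumps) or note it: `# All three chains are created only by stateless netmap entries, which require RAWPOST_TABLE`. `$rawpost_table` is not declared in any visible hunk; confirm it is exported by Chains alongside `$raw_table`. The function continues outside the hunk.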
@@ -1855,14 +1882,14 @@ sub setup_mss( ) { my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : (); my @source = imatch_source_dev $_; my @dest = imatch_dest_dev $_; - add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match; + add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match; add_ijump $chainref, j => 'RETURN', @dest if $clampmss; - add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match; + add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match; add_ijump $chainref, j => 'RETURN', @source if $clampmss; } } - add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss; + add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss; } # @@ -1928,6 +1955,9 @@ EOF refresh) logger -p kern.err "ERROR:$g_product refresh failed" ;; + enable) + logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed" + ;; esac if [ "$RESTOREFILE" = NONE ]; then diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index d4c52a416..424fdcee5 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm 
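Review bot: In the @@ -1928 hunk, the logger `case` gains an `enable)` arm but no `disable)` arm, while generate_script_2 (Compiler.pm @@ -263) now routes both `disable` and `enable` through the same path; a failed disable would fall to whatever default arm exists outside the hunk, or log nothing. Unless disable is handled elsewhere, add `disable)` / `logger -p kern.err "ERROR:$g_product 'disable $g_interface' failed"` / `;;` next to the new arm.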
@@ -403,36 +403,101 @@ sub setup_netmap() { if ( my $fn = open_file 'netmap' ) { - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); + first_entry "$doing $fn..."; while ( read_a_line ) { - my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file'; + my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file'; $net3 = ALLIP if $net3 eq '-'; for my $interface ( split_list $interfacelist, 'interface' ) { - my @rulein; - my @ruleout; my $iface = $interface; fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); - unless ( $interfaceref->{root} ) { - @rulein = imatch_source_dev( $interface ); - @ruleout = imatch_dest_dev( $interface ); - $interface = $interfaceref->{name}; - } + my @rule = do_iproto( $proto, $dport, $sport ); - if ( $type eq 'DNAT' ) { - add_ijump ensure_chain( 'nat' , input_chain $interface ) , j => "NETMAP --to $net2", @rulein , imatch_source_net( $net3 ), d => $net1; - } elsif ( $type eq 'SNAT' ) { - add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) , s => $net1; + unless ( $type =~ /:/ ) { + my @rulein; + my @ruleout; + + validate_net $net1, 0; + validate_net $net2, 0; + + unless ( $interfaceref->{root} ) { + @rulein = imatch_source_dev( $interface ); + @ruleout = imatch_dest_dev( $interface ); + $interface = $interfaceref->{name}; + } + + require_capability 'NAT_ENABLED', 'Stateful NAT Entries', ''; + + if ( $type eq 'DNAT' ) { + dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , + j => 'NETMAP' , + "--to $net2", + $net1 , + @rulein , + imatch_source_net( $net3 ) ); + } elsif ( $type eq 'SNAT' ) { + source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) , + j => 'NETMAP' , + "--to $net2" , + $net1 , + @ruleout , + imatch_dest_net( $net3 ) ); + } else { + 
fatal_error "Invalid type ($type)"; + } + } elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) { + my ( $target , $chain ) = ( $1, $2 ); + my $table = 'raw'; + my @match; + + require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', ''; + + unless ( $interfaceref->{root} ) { + @match = imatch_dest_dev( $interface ); + $interface = $interfaceref->{name}; + } + + if ( $chain eq 'P' ) { + $chain = prerouting_chain $interface; + @match = imatch_source_dev( $iface ) unless $iface eq $interface; + } elsif ( $chain eq 'O' ) { + $chain = output_chain $interface; + } else { + $chain = postrouting_chain $interface; + $table = 'rawpost'; + } + + my $chainref = ensure_chain( $table, $chain ); + + + if ( $target eq 'DNAT' ) { + dest_iexclusion( $chainref , + j => 'RAWDNAT' , + "--to-dest $net2" , + $net1 , + imatch_source_net( $net3 ) , + @rule , + @match + ); + } else { + source_iexclusion( $chainref , + j => 'RAWSNAT' , + "--to-source $net2" , + $net1 , + imatch_dest_net( $net3 ) , + @rule , + @match ); + } } else { fatal_error "Invalid type ($type)"; } - + progress_message " Network $net1 on $iface mapped to $net2 ($type)"; } } diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm index 196325d9d..a236461f2 100644 --- a/Shorewall/Perl/Shorewall/Proc.pm +++ b/Shorewall/Perl/Shorewall/Proc.pm @@ -40,7 +40,7 @@ our @EXPORT = qw( setup_source_routing setup_forwarding ); -our @EXPORT_OK = qw( ); +our @EXPORT_OK = qw( setup_interface_proc ); our $VERSION = 'MODULEVERSION'; # 
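Review bot: In setup_netmap (hunk @@ -403, starting on the previous line), `my @rule = do_iproto( $proto, $dport, $sport );` is computed for every entry but only the stateless branch passes `@rule` to the rule builder; a stateful NETMAP entry with PROTO, DEST PORT or SOURCE PORT filled in is compiled with those columns silently ignored, so the mapping is wider than the file says. Either append `@rule` to the `dest_iexclusion`/`source_iexclusion` argument lists in the `DNAT`/`SNAT` branch, or reject it: `fatal_error "PROTO, DEST PORT and SOURCE PORT are not allowed with stateful NETMAP entries" if @rule;`. Also `validate_net $net1, 0; validate_net $net2, 0;` run only in the stateful branch, so the stateless branch interpolates `$net2` into `--to-dest`/`--to-source` unchecked unless the exclusion helpers validate it; hoisting the two calls above `unless ( $type =~ /:/ )` covers both paths.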
@@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) { } } +sub setup_interface_proc( $ ) { + my $interface = shift; + my $physical = get_physical $interface; + my $value; + my @emitted; + + if ( interface_has_option( $interface, 'arp_filter' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter"; + } + + if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore"; + } + + if ( interface_has_option( $interface, 'routefilter' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter"; + } + + if ( interface_has_option( $interface, 'logmartians' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians"; + } + + if ( interface_has_option( $interface, 'sourceroute' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route"; + } + + if ( interface_has_option( $interface, 'sourceroute' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route"; + } + + if ( @emitted ) { + emit( '', + 'if [ $COMMAND = enable ]; then' ); + push_indent; + emit "$_" for @emitted; + pop_indent; + emit "fi\n"; + } +} + + 1; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 3e5f3a513..155067cee 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
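Review bot: In the new setup_interface_proc (hunk @@ -277), the `sourceroute` block is written twice, so an interface with that option gets the `accept_source_route` echo emitted twice. The generated test `if [ $COMMAND = enable ]; then` leaves `$COMMAND` unquoted; an empty value turns it into a syntax error in the script, so `"$COMMAND"` is safer. The paths are all under `/proc/sys/net/ipv4/`; if Providers.pm can call this for the IPv6 compiler those entries are the wrong ones, which I cannot tell from the hunk. The per-option blocks collapse into a table, which also removes the duplicate:
```perl
sub setup_interface_proc( $ ) {
    # … unchanged: $interface / $physical / $value / @emitted declarations …
    #
    # interface option => entry under /proc/sys/net/ipv4/conf/<physical>/ that it sets
    #
    my @proc_settings = ( [ 'arp_filter'  , 'arp_filter' ] ,
                          [ 'arp_ignore'  , 'arp_ignore' ] ,
                          [ 'routefilter' , 'rp_filter' ] ,
                          [ 'logmartians' , 'log_martians' ] ,
                          [ 'sourceroute' , 'accept_source_route' ] );

    for my $setting ( @proc_settings ) {
        my ( $option , $entry ) = @$setting;
        push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/$entry"
            if interface_has_option( $interface, $option , $value );
    }

    if ( @emitted ) {
        emit( '',
              'if [ "$COMMAND" = enable ]; then' );
        # … unchanged: push_indent / emit per line / pop_indent / emit "fi\n" …
    }
}
```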
@@ -29,11 +29,16 @@ use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Zones; use Shorewall::Chains qw(:DEFAULT :internal); +use Shorewall::Proc qw( setup_interface_proc ); use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); +our @EXPORT = qw( process_providers + setup_providers + @routemarked_interfaces + handle_stickiness + handle_optional_interfaces ); our @EXPORT_OK = qw( initialize lookup_provider ); our $VERSION = 'MODULEVERSION'; @@ -85,10 +90,10 @@ sub initialize( $ ) { $first_default_route = 1; $first_fallback_route = 1; - %providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 } , - main => { number => MAIN_TABLE , mark => 0 , optional => 0 } , - default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } , - unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 } ); + %providers = ( local => { number => LOCAL_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } , + main => { number => MAIN_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } , + default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } , + unspec => { number => UNSPEC_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ); @providers = (); } @@ -100,7 +105,7 @@ sub setup_route_marking() { require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/; - add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/; + add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/; my $chainref = new_chain 'mangle', 'routemark'; my $chainref1 = new_chain 'mangle', 'setsticky'; 
@@ -122,14 +127,14 @@ sub setup_route_marking() { if ( $providerref->{shared} ) { add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; - add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; + add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}"; decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional}; } else { - add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ); + add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ); } } - add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask"; + add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask"; } sub copy_table( $$$ ) { @@ -139,6 +144,8 @@ sub copy_table( $$$ ) { # my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : ''; + emit ''; + if ( $realm ) { emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) } else { @@ -170,6 +177,8 @@ sub copy_and_edit_table( $$$$ ) { # Shell and iptables use a different wildcard character # $copy =~ s/\+/*/; + + emit ''; if ( $realm ) { emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" ) 
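Review bot: The `emit '';` additions in copy_table (@@ -139) and copy_and_edit_table (@@ -170) sit next to two realm-stripping sed expressions that differ: `s/ realm [[:alnum:]_]+//` in the first and `s/ realm [[:alnum:]]+//` in the second, so a realm name containing `_` is stripped by one routine and left in the copied route by the other. Since both functions are touched here, aligning the second on the `[[:alnum:]_]+` form (or moving the pattern into one shared variable) would close that gap. Both functions continue outside the hunks.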
@@ -242,21 +251,28 @@ sub balance_fallback_route( $$$$ ) { sub start_provider( $$$ ) { my ($table, $number, $test ) = @_; + emit "\n#\n# Add Provider $table ($number)\n#"; + + emit "start_provider_$table() {"; + push_indent; emit $test; push_indent; - emit "#\n# Add Provider $table ($number)\n#"; - emit "qt ip -$family route flush table $number"; - emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing"; + emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing"; } -sub add_a_provider( ) { +# +# Process a record in the providers file +# +sub process_a_provider() { my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = split_line 6, 8, 'providers file'; fatal_error "Duplicate provider ($table)" if $providers{$table}; + fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/; + my $num = numeric_value $number; fatal_error "Invalid Provider number ($number)" unless defined $num; @@ -281,7 +297,6 @@ sub add_a_provider( ) { fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; my $physical = get_physical $interface; - my $base = uc chain_base $physical; my $gatewaycase = ''; if ( $gateway eq 'detect' ) { @@ -303,6 +318,7 @@ sub add_a_provider( ) { unless ( $options eq '-' ) { for my $option ( split_list $options, 'option' ) { if ( $option eq 'track' ) { + require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); $track = 1; } elsif ( $option eq 'notrack' ) { $track = 0; 
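Review bot: In process_a_provider (hunk @@ -242), the new `fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;` is the right check now that `$table` is spliced into a shell function name (`start_provider_$table() {`) and a file name (`undo_${table}_routing`), but Perl's `\w` also matches non-ASCII letters and marks, which are not valid in a POSIX shell function name. Tightening it to `unless $table =~ /^[A-Za-z_][A-Za-z0-9_]*$/;` matches what the generated script can actually define. start_provider now opens a shell function whose closing brace is not in this hunk; confirm every path through add_a_provider emits it.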
@@ -351,6 +367,13 @@ sub add_a_provider( ) { fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default; + if ( $local ) { + fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; + fatal_error "'track' not valid with 'local'" if $track; + fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; + fatal_error "MARK required with 'local'" unless $mark; + } + my $val = 0; my $pref; @@ -358,6 +381,8 @@ sub add_a_provider( ) { if ( $mark ne '-' ) { + require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); + $val = numeric_value $mark; fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val; @@ -385,8 +410,18 @@ sub add_a_provider( ) { $balance = $default_balance unless $balance; + fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; + + if ( $duplicate ne '-' ) { + fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; + } elsif ( $copy ne '-' ) { + fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; + fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column'; + } + $providers{$table} = { provider => $table, number => $number , + rawmark => $mark , mark => $val ? in_hex($val) : $val , interface => $interface , physical => $physical , @@ -394,7 +429,19 @@ sub add_a_provider( ) { gateway => $gateway , gatewaycase => $gatewaycase , shared => $shared , - default => $default }; + default => $default , + copy => $copy , + balance => $balance , + pref => $pref , + mtu => $mtu , + track => $track , + loose => $loose , + duplicate => $duplicate , + address => $address , + local => $local , + rules => [] , + routes => [] , + }; if ( $track ) { fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-'; 
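Review bot: In the @@ -351 hunk, `fatal_error "MARK required with 'local'" unless $mark;` tests the raw column, which split_line hands over as the string `'-'` when it is empty (the code below compares `$mark ne '-'`); `'-'` is true in Perl, so the check never fires. It was moved here from add_a_provider unchanged, and the new location runs before `$val = numeric_value $mark`, so write it as `fatal_error "MARK required with 'local'" if $mark eq '-';`.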
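Review bot: In the @@ -385 hunk, the moved line `fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};` tests the hash under the provider name while the message (and the old writer `$provider_interfaces{$interface} = $table`, which the @@ -426 hunk on the next line deletes from add_a_provider) key it by interface, so the duplicate-interface check cannot fire. The hash also has no writer left in the visible hunks; unless the assignment is re-added to process_a_provider elsewhere, it stays empty. Intended form: `... if $provider_interfaces{$interface};` plus `$provider_interfaces{$interface} = $table;` at the point where `$providers{$table}` is stored.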
@@ -410,9 +457,39 @@ sub add_a_provider( ) { push @routemarked_providers, $providers{$table}; } - my $realm = ''; + push @providers, $table; - fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table}; +} + +# +# Generate the start_provider_...() function for the passed provider +# +sub add_a_provider( $$ ) { + + my ( $providerref, $tcdevices ) = @_; + + my $table = $providerref->{provider}; + my $number = $providerref->{number}; + my $mark = $providerref->{rawmark}; + my $interface = $providerref->{interface}; + my $physical = $providerref->{physical}; + my $optional = $providerref->{optional}; + my $gateway = $providerref->{gateway}; + my $gatewaycase = $providerref->{gatewaycase}; + my $shared = $providerref->{shared}; + my $default = $providerref->{default}; + my $copy = $providerref->{copy}; + my $balance = $providerref->{balance}; + my $pref = $providerref->{pref}; + my $mtu = $providerref->{mtu}; + my $track = $providerref->{track}; + my $loose = $providerref->{loose}; + my $duplicate = $providerref->{duplicate}; + my $address = $providerref->{address}; + my $local = $providerref->{local}; + my $dev = chain_base $physical; + my $base = uc $dev; + my $realm = ''; if ( $shared ) { my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); @@ -426,7 +503,6 @@ sub add_a_provider( ) { } else { start_provider( $table, $number, "if interface_is_usable $physical; then" ); } - $provider_interfaces{$interface} = $table; if ( $gatewaycase eq 'none' ) { @@ -437,6 +513,11 @@ sub add_a_provider( ) { } } } + + # + # /proc for this interface + # + setup_interface_proc( $interface ); if ( $mark ne '-' ) { my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : ''; 
@@ -444,12 +525,11 @@ sub add_a_provider( ) { emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD}; emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number", - "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing" + "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing" ); } if ( $duplicate ne '-' ) { - fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; if ( $copy eq '-' ) { copy_table ( $duplicate, $number, $realm ); } else { @@ -461,9 +541,6 @@ sub add_a_provider( ) { copy_and_edit_table( $duplicate, $number ,$copy , $realm); } - } elsif ( $copy ne '-' ) { - fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; - fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column'; } if ( $gateway ) { @@ -479,12 +556,12 @@ sub add_a_provider( ) { } emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm"; - } + } - balance_default_route $balance , $gateway, $physical, $realm if $balance; + balance_default_route( $balance , $gateway, $physical, $realm ) if $balance; if ( $default > 0 ) { - balance_fallback_route $default , $gateway, $physical, $realm; + balance_fallback_route( $default , $gateway, $physical, $realm ); } elsif ( $default ) { emit ''; if ( $gateway ) { 
@@ -494,90 +571,163 @@ sub add_a_provider( ) { emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number); emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number); } - emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing); } else { emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number); - emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); + emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing); } } - if ( $local ) { - fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; - fatal_error "'track' not valid with 'local'" if $track; - fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; - fatal_error "MARK required with 'local'" unless $mark; - } elsif ( $loose ) { - if ( $config{DELETE_THEN_ADD} ) { - emit ( "\nfind_interface_addresses $physical | while read address; do", - " qt \$IP -$family rule del from \$address", - 'done' - ); + unless ( $local ) { + if ( $loose ) { + if ( $config{DELETE_THEN_ADD} ) { + emit ( "\nfind_interface_addresses $physical | while read address; do", + " qt \$IP -$family rule del from \$address", + 'done' + ); + } + } elsif ( $shared ) { + emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; + emit( "run_ip rule add from $address pref 20000 table $number" , + "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" ); + } else { + my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); + + emit "\nrulenum=$rulebase\n"; + + emit ( 
"find_interface_addresses $physical | while read address; do" ); + emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; + emit ( " run_ip rule add from \$address pref \$rulenum table $number", + " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing", + ' rulenum=$(($rulenum + 1))', + 'done' + ); } - } elsif ( $shared ) { - emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD}; - emit( "run_ip rule add from $address pref 20000 table $number" , - "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" ); + } + + if ( @{$providerref->{rules}} ) { + emit ''; + emit $_ for @{$providers{$table}->{rules}}; + } + + if ( @{$providerref->{routes}} ) { + emit ''; + emit $_ for @{$providers{$table}->{routes}}; + } + + emit( '' ); + + my ( $tbl, $weight ); + + if ( $optional ) { + emit( 'if [ $COMMAND = enable ]; then' ); + + push_indent; + + if ( $balance || $default ) { + $tbl = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE; + $weight = $balance ? $balance : $default; + + if ( $gateway ) { + emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl; + } else { + emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . 
$tbl; + } + + } else { + $weight = 1; + } + + emit( "setup_${dev}_tc" ) if $tcdevices->{$interface}; + + emit ( qq(progress_message2 " Provider $table ($number) Started") ); + + pop_indent; + + emit( 'else' , + qq( echo $weight > \${VARDIR}/${physical}_weight) , + qq( progress_message " Provider $table ($number) Started"), + qq(fi\n) + ); } else { - my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); - - emit "\nrulenum=0\n"; - - emit ( "find_interface_addresses $physical | while read address; do" ); - emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; - emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", - " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing", - ' rulenum=$(($rulenum + 1))', - 'done' - ); + emit( qq(progress_message "Provider $table ($number) Started") ); } - - emit qq(\nprogress_message " Provider $table ($number) Added"\n); - + pop_indent; + emit 'else'; + push_indent; + if ( $optional ) { if ( $shared ) { - emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" ); + emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" ); } else { - emit ( " error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" ); + emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" ); } } else { if ( $shared ) { - emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" ); + emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" ); } else { - emit( " fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" ); + emit( "fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Started\"" ); } } - emit "fi\n"; 
+ pop_indent; - push @providers, $table; + emit 'fi'; + + pop_indent; + + emit '}'; # End of start_provider_$table(); + + if ( $optional ) { + emit( '', + '#', + "# Stop provider $table", + '#', + "stop_provider_$table() {" ); + + push_indent; + + my $undo = "\${VARDIR}/undo_${table}_routing"; + + emit( "if [ -f $undo ]; then", + " . $undo", + " > $undo" ); + + if ( $balance || $default ) { + $tbl = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE ); + $weight = $balance ? $balance : $default; + + my $via = 'via'; + + $via .= " $gateway" if $gateway; + $via .= " dev $physical"; + $via .= " weight $weight"; + $via .= " $realm" if $realm; + + emit( qq( delete_gateway "$via" $tbl $physical) ); + } + + emit( '', + " qt \$TC qdisc del dev $physical root", + " qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface}; + + emit( " progress_message2 \"Provider $table stopped\"", + 'else', + " startup_error \"$undo does not exist\"", + 'fi' + ); + + pop_indent; + + emit '}'; + } progress_message " Provider \"$currentline\" $done"; } -# -# Begin an 'if' statement testing whether the passed interface is available -# -sub start_new_if( $ ) { - our $current_if = shift; - - emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) ); - push_indent; -} - -# -# Complete any current 'if' statement in the output script -# -sub finish_current_if() { - if ( our $current_if ) { - pop_indent; - emit ( "fi\n" ); - $current_if = ''; - } -} - sub add_an_rtrule( ) { my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file'; 
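Review bot: The stop path computes the gateway table as `$tbl = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );` whereas the enable path used `$tbl = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;`, and `$fallback` is not among the values unpacked from `$providerref` at the top of add_a_provider. For a provider with a fallback weight and USE_DEFAULT_RT=No the nexthop is added to the default table but `delete_gateway` is pointed at the main table, so disabling the provider leaves the stale nexthop behind (assuming `$fallback` is not a file-level variable set elsewhere). Using one expression in both places, `$tbl = ( $default || $config{USE_DEFAULT_RT} ) ? DEFAULT_TABLE : MAIN_TABLE;`, keeps add and delete symmetric and makes the `||`-before-`?:` precedence explicit. Since `stop_provider_$table` executes `. $undo` as shell code, a one-line comment above it noting that the undo file must remain root-owned inside VARDIR would be worthwhile. add_a_provider begins before this hunk.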
@@ -601,6 +751,11 @@ sub add_an_rtrule( ) { fatal_error "Unknown provider ($provider)" unless $found; } + my $providerref = $providers{$provider}; + + my $number = $providerref->{number}; + + fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE; fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-'; if ( $dest eq '-' ) { @@ -641,20 +796,9 @@ sub add_an_rtrule( ) { $priority = "priority $priority"; - finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; - - my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); - - if ( $optional ) { - my $base = uc chain_base( $providers{$provider}{physical} ); - finish_current_if if $base ne $current_if; - start_new_if( $base ) unless $current_if; - } else { - finish_current_if; - } - - emit ( "run_ip rule add $source $dest $priority table $number", - "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); + push @{$providerref->{rules}}, "qt \$IP -$family rule del $source $dest $priority" if $config{DELETE_THEN_ADD}; + push @{$providerref->{rules}}, "run_ip rule add $source $dest $priority table $number"; + push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_${provider}_routing"; progress_message " Routing rule \"$currentline\" $done"; } @@ -673,7 +817,6 @@ sub add_a_route( ) { for ( keys %providers ) { if ( $providers{$_}{number} == $provider_number ) { $provider = $_; - fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE; $found = 1; last; } 
@@ -687,30 +830,25 @@ sub add_a_route( ) { validate_address ( $gateway, 1 ) if $gateway ne '-'; - my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); - + my $providerref = $providers{$provider}; + my $number = $providerref->{number}; my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device ); - - if ( $providers{$provider}{optional} ) { - my $base = uc chain_base( $physical ); - finish_current_if if $base ne $current_if; - start_new_if ( $base ) unless $current_if; - } else { - finish_current_if; - } + my $routes = $providerref->{routes}; + fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE; + if ( $gateway ne '-' ) { if ( $device ne '-' ) { - emit qq(run_ip route add $dest via $gateway dev $physical table $number); - emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; + push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number); + emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; } else { - emit qq(run_ip route add $dest via $gateway table $number); - emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; + push @$routes, qq(run_ip route add $dest via $gateway table $number); + emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; } } else { fatal_error "You must specify a device for this route" unless $physical; - emit qq(run_ip route add $dest dev $physical table $number); - emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; + push @$routes, qq(run_ip route add $dest 
dev $physical table $number); + emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; } progress_message " Route \"$currentline\" $done"; @@ -718,17 +856,16 @@ sub add_a_route( ) { sub setup_null_routing() { save_progress_message "Null Routing the RFC 1918 subnets"; + emit "> \${VARDIR}undo_rfc1918_routing\n"; for ( rfc1918_networks ) { emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then), qq( run_ip route replace unreachable $_), - qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing), + qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing), qq(fi\n) ); } } sub start_providers() { - require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); - emit ( '#', '# Undo any changes made since the last time that we [re]started -- this will not restore the default route', '#', @@ -746,17 +883,22 @@ sub start_providers() { emit ( '#', '# Capture the default route(s) if we don\'t have it (them) already.', '#', - "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route", - '#', - '# Initialize the file that holds \'undo\' commands', - '#', - '> ${VARDIR}/undo_routing' ); + "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route" ); save_progress_message 'Adding Providers...'; emit 'DEFAULT_ROUTE='; emit 'FALLBACK_ROUTE='; emit ''; + + for my $provider ( qw/main default/ ) { + emit ''; + emit qq(> \${VARDIR}/undo_${provider}_routing ); + emit ''; + emit $_ for @{$providers{$provider}{routes}}; + emit ''; + emit $_ for @{$providers{$provider}{rules}}; + } } sub finish_providers() { 
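Review bot: In add_a_route the `run_ip route add` lines are now deferred with `push @$routes, ...`, but their undo records are still written with `emit qq(echo "... route del ..." >> \${VARDIR}/undo_${provider}_routing)`, so each undo line lands in the generated script at the point where the routes file is compiled — outside any start_provider function and before the route exists. For main/default that file is then truncated by start_providers, and for an optional provider the record is written even when the interface never comes up. Make the undo follow the route, e.g. `push @$routes, qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;` and the same for the other two branches, which also lack the `qt` prefix that add_an_rtrule uses. add_a_route starts before this hunk.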
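Review bot: The new truncation in setup_null_routing emits `> \${VARDIR}undo_rfc1918_routing` — the slash between `${VARDIR}` and the file name is missing, while the echo a few lines below appends to `\${VARDIR}/undo_rfc1918_routing`. The generated script therefore creates a stray file beside VARDIR and never resets the real undo file, so the recorded `route del unreachable` commands accumulate across restarts. Change it to `emit "> \${VARDIR}/undo_rfc1918_routing\n";`.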
@@ -766,8 +908,8 @@ sub finish_providers() {
 if ( $config{USE_DEFAULT_RT} ) {
 emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
 "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
- qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
- qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
+ qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_main_routing',
+ qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_main_routing',
 '' );
 $table = DEFAULT_TABLE;
 }
@@ -844,58 +986,136 @@ sub finish_providers() { } } -sub setup_providers() { - my $providers = 0; +sub process_providers( $ ) { + my $tcdevices = shift; + + our $providers = 0; $lastmark = 0; if ( my $fn = open_file 'providers' ) { - - first_entry sub() { - progress_message2 "$doing $fn..."; - emit "\nif [ -z \"\$g_noroutes\" ]; then"; - push_indent; - start_providers; }; - - add_a_provider, $providers++ while read_a_line; + first_entry "$doing $fn..."; + process_a_provider, $providers++ while read_a_line; } if ( $providers ) { - finish_providers; - - my $fn = open_file 'routes'; + my $fn = open_file 'route_rules'; if ( $fn ) { - our $current_if = ''; - first_entry "$doing $fn..."; - - emit ''; - - add_a_route while read_a_line; - - finish_current_if; - } - - $fn = open_file 'route_rules'; - - if ( $fn ) { - our $current_if = ''; - - first_entry "$doing $fn..."; - + emit ''; add_an_rtrule while read_a_line; - - finish_current_if; } + $fn = open_file 'routes'; + + if ( $fn ) { + first_entry "$doing $fn..."; + emit ''; + add_a_route while read_a_line; + } + } + + add_a_provider( $providers{$_}, $tcdevices ) for @providers; + + emit << 'EOF';; + +# +# Enable an optional provider +# +enable_provider() { + g_interface=$1; + + case $g_interface in +EOF + + push_indent; + push_indent; + + for my $provider (@providers ) { + my $providerref = $providers{$provider}; + + emit( "$providerref->{physical})", + " if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", + " start_provider_$provider", + ' else', + ' startup_error "Interface $g_interface is already enabled"', + ' fi', + ' ;;' + ) if $providerref->{optional}; + } + + pop_indent; + pop_indent; + + emit << 'EOF';; + *) + startup_error "$g_interface is not an optional provider interface" + ;; + esac +} + +# +# Disable an optional provider +# +disable_provider() { + g_interface=$1; + + case $g_interface in +EOF + + push_indent; + push_indent; + + for my $provider (@providers ) { + my $providerref = 
$providers{$provider}; + + emit( "$providerref->{physical})", + " if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", + " stop_provider_$provider", + ' else', + ' startup_error "Interface $g_interface is already disabled"', + ' fi', + ' ;;' + ) if $providerref->{optional}; + } + + pop_indent; + pop_indent; + + emit << 'EOF';; + *) + startup_error "$g_interface is not an optional provider interface" + ;; + esac +} +EOF + +} + +sub setup_providers() { + our $providers; + + if ( $providers ) { + emit "\nif [ -z \"\$g_noroutes\" ]; then"; + + push_indent; + + start_providers; + + emit ''; + + emit "start_provider_$_" for @providers; + + emit ''; + + finish_providers; + setup_null_routing if $config{NULL_ROUTE_RFC1918}; emit "\nrun_ip route flush cache"; - # - # This completes the if-block begun in the first_entry closure above - # + pop_indent; emit "fi\n"; @@ -909,10 +1129,6 @@ sub setup_providers() { emit "restore_default_route $config{USE_DEFAULT_RT}"; if ( $config{NULL_ROUTE_RFC1918} ) { - emit ( '#', - '# Initialize the file that holds \'undo\' commands', - '#', - '> ${VARDIR}/undo_routing' ); setup_null_routing; emit "\nrun_ip route flush cache"; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 0eaaee635..1de930d26 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -130,7 +130,8 @@ sub initialize( $ ) { # # These are set to 1 as sections are encountered. # - %sections = ( ESTABLISHED => 0, + %sections = ( ALL => 0, + ESTABLISHED => 0, RELATED => 0, NEW => 0 ); 
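Review bot: enable_provider and disable_provider dispatch on `$providerref->{physical})` alone, so two optional providers on the same physical interface — the shared case this module otherwise supports — would produce duplicate case labels and only the first could ever be enabled or disabled by hand. If that combination is permitted, key the case on the provider as well, e.g. emit `"$provider|$providerref->{physical})"`. The enabled test `[ -z "\`$IP -$family route ls table N\`" ]` also relies on stop_provider emptying the table via the undo file, which only holds if every route added to that table was recorded there; a comment stating that table emptiness is the enabled marker would help whoever next touches this. process_providers is complete within the hunk; setup_providers continues after it.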
@@ -533,7 +534,7 @@ sub policy_rules( $$$$$ ) { log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; fatal_error "Null target in policy_rules()" unless $target; - add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit}; + add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; } } @@ -1940,7 +1941,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) { unless ( $section eq 'NEW' || $inaction ) { fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); - $rule .= "$globals{STATEMATCH} $section " + $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL'; } # @@ -2230,11 +2231,13 @@ sub process_section ($) { fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; $sections{$sect} = 1; - if ( $sect eq 'RELATED' ) { - $sections{ESTABLISHED} = 1; + if ( $sect eq 'ESTABLISHED' ) { + $sections{ALL} = 1; + } elsif ( $sect eq 'RELATED' ) { + @sections{'ALL','ESTABLISHED'} = ( 1, 1); finish_section 'ESTABLISHED'; } elsif ( $sect eq 'NEW' ) { - @sections{'ESTABLISHED','RELATED'} = ( 1, 1 ); + @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); } diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 8a710a641..84b589fd3 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -38,7 +38,7 @@ use Shorewall::Providers; use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( setup_tc ); +our @EXPORT = qw( process_tc setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); our $VERSION = 'MODULEVERSION'; 
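Review bot: With `unless $section eq 'ALL'` a rule placed in the new ALL section is emitted without any conntrack state match, so an ACCEPT there admits packets in every state, including INVALID and untracked ones, which the ESTABLISHED/RELATED/NEW sections never did. That widening is intentional but security-relevant and undocumented in the code; add a comment above the assignment such as `# SECTION ALL carries no state match: the rule applies regardless of conntrack state, INVALID included` and carry the same caveat into the manpage and sample rules files. The `fatal_error` rejecting NAT rules outside NEW still applies to ALL, which is correct. process_rule1 extends outside this hunk.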
@@ -151,8 +151,8 @@ my $ipp2p; # leaf => 0|1 # guarantee => # options => { tos => [ , , ... ]; -# tcp_ack => 1 , -# ... +# tcp_ack => 1 , +# filters => [ filter list ] # } # } # } @@ -504,6 +504,8 @@ sub process_simple_device() { my $physical = physical_name $device; my $dev = chain_base( $physical ); + push @tcdevices, $device; + if ( $type ne '-' ) { if ( lc $type eq 'external' ) { $type = 'nfct-src'; @@ -530,6 +532,15 @@ sub process_simple_device() { $in_bandwidth = rate_to_kbit( $in_bandwidth ); } + emit( '', + '#', + "# Setup Simple Traffic Shaping for $physical", + '#', + "setup_${dev}_tc() {" + ); + + push_indent; + emit "if interface_is_up $physical; then"; push_indent; @@ -607,7 +618,9 @@ sub process_simple_device() { emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped"); emit "${dev}_exists="; pop_indent; - emit "fi\n"; + emit 'fi'; + pop_indent; + emit "}\n"; progress_message " Simple tcdevice \"$currentline\" $done."; } @@ -711,7 +724,8 @@ sub validate_tc_device( ) { qdisc => $qdisc, guarantee => 0, name => $device, - physical => physical_name $device + physical => physical_name $device, + filters => [] } , push @tcdevices, $device; @@ -1018,6 +1032,8 @@ sub process_tc_filter() { my $tcref = $tcclasses{$device}; + my $filtersref = $devref->{filters}; + fatal_error "No Classes were defined for INTERFACE $device" unless $tcref; my $classnum = hex_value $class; @@ -1036,17 +1052,6 @@ sub process_tc_filter() { my $have_rule = 0; - if ( $devref->{physical} ne $lastdevice ) { - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; - } - - $lastdevice = $devref->{physical}; - emit "if interface_is_up $lastdevice; then"; - push_indent; - } - my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32"; if ( $source ne '-' ) { 
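Review bot: process_simple_device now does `push @tcdevices, $device;` but, unlike validate_tc_device, creates no `$tcdevices{$device}` entry, so the array and the hash disagree for simple devices. add_a_provider decides whether to emit `setup_${dev}_tc` and the `qdisc del` cleanup via `$tcdevices->{$interface}`; if process_tc hands it a reference to %tcdevices, a simple-shaped interface on an optional provider will never have its shaping reapplied on enable even though the `setup_${dev}_tc()` function is generated. Either register the device here (`$tcdevices{$device} = { name => $device, physical => $physical };`) or have the provider code consult @tcdevices. process_simple_device starts before this hunk.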
@@ -1101,9 +1106,9 @@ sub process_tc_filter() { if ( $portlist eq '-' && $sportlist eq '-' ) { if ( $have_rule ) { - emit( "\nrun_tc $rule\\" , - " flowid $devnum:$class" , - '' ); + push @$filtersref , ( "\nrun_tc $rule\\" , + " flowid $devnum:$class" , + '' ); } else { warning_message "Degenerate tcfilter ignored"; } @@ -1129,17 +1134,17 @@ sub process_tc_filter() { $lasttnum = $tnum; $lastrule = $rule; - emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" ); + push @$filtersref, ( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" ); } # # And link to it using the current contents of $rule # if ( $family == F_IPV4 ) { - emit( "\nrun_tc $rule\\" , - " link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" ); + push @$filtersref, ( "\nrun_tc $rule\\" , + " link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" ); } else { - emit( "\nrun_tc $rule\\" , - " link $tnum:0 offset plus 40 eat" ); + push @$filtersref, ( "\nrun_tc $rule\\" , + " link $tnum:0 offset plus 40 eat" ); } # # The rule to match the port(s) will be inserted into the new table @@ -1165,9 +1170,9 @@ sub process_tc_filter() { $rule1 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" , } - emit( "\nrun_tc $rule\\" , - " $rule1\\" , - " flowid $devnum:$class" ); + push @$filtersref, ( "\nrun_tc $rule\\" , + " $rule1\\" , + " flowid $devnum:$class" ); } } } else { 
@@ -1183,9 +1188,9 @@ sub process_tc_filter() { my $rule1 = " match icmp type $icmptype 0xff"; $rule1 .= "\\\n match icmp code $icmpcode 0xff" if defined $icmpcode; - emit( "\nrun_tc ${rule}\\" , - "$rule1\\" , - " flowid $devnum:$class" ); + push @$filtersref, ( "\nrun_tc ${rule}\\" , + "$rule1\\" , + " flowid $devnum:$class" ); } elsif ( $protonumber == IPv6_ICMP ) { fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4; fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-'; @@ -1194,9 +1199,9 @@ sub process_tc_filter() { my $rule1 = " match icmp6 type $icmptype 0xff"; $rule1 .= "\\\n match icmp6 code $icmpcode 0xff" if defined $icmpcode; - emit( "\nrun_tc ${rule}\\" , - "$rule1\\" , - " flowid $devnum:$class" ); + push @$filtersref, ( "\nrun_tc ${rule}\\" , + "$rule1\\" , + " flowid $devnum:$class" ); } else { my @portlist = expand_port_range $protonumber , $portrange; @@ -1214,9 +1219,9 @@ sub process_tc_filter() { } if ( $sportlist eq '-' ) { - emit( "\nrun_tc ${rule}\\" , - " $rule1\\" , - " flowid $devnum:$class" ); + push @$filtersref, ( "\nrun_tc ${rule}\\" , + " $rule1\\" , + " flowid $devnum:$class" ); } else { for my $sportrange ( split_list $sportlist , 'port list' ) { my @sportlist = expand_port_range $protonumber , $sportrange; @@ -1234,10 +1239,10 @@ sub process_tc_filter() { $rule2 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" , } - emit( "\nrun_tc ${rule}\\", - " $rule1\\" , - " $rule2\\" , - " flowid $devnum:$class" ); + push @$filtersref, ( "\nrun_tc ${rule}\\", + " $rule1\\" , + " $rule2\\" , + " flowid $devnum:$class" ); } } } 
@@ -1254,30 +1259,27 @@ sub process_tc_filter() { progress_message " IPv4 TC Filter \"$currentline\" $done"; $currentline =~ s/\s+/ /g; - - save_progress_message_short qq(' IPv4 TC Filter \"$currentline\" defined.'); } else { progress_message " IPv6 TC Filter \"$currentline\" $done"; $currentline =~ s/\s+/ /g; - - save_progress_message_short qq(' IPv6 TC Filter \"$currentline\" defined.'); } emit ''; } +# +# Process the tcfilter file storing the compiled filters in the %tcdevices table +# sub process_tcfilters() { my $fn = open_file 'tcfilters'; - our $lastdevice = ''; - if ( $fn ) { my @family = ( $family ); - first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } ); + first_entry( "$doing $fn..." ); while ( read_a_line ) { if ( $currentline =~ /^\s*IPV4\s*$/ ) { @@ -1301,15 +1303,12 @@ sub process_tcfilters() { } Shorewall::IPAddrs::initialize( $family = pop @family ); - - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; - } - } } +# +# Process a tcpri record +# sub process_tc_priority() { my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri'; 
@@ -1371,27 +1370,31 @@ sub process_tc_priority() { } } -sub setup_simple_traffic_shaping() { - my $interfaces; - - save_progress_message q("Setting up Traffic Control..."); +# +# Process tcinterfaces +# +sub process_tcinterfaces() { my $fn = open_file 'tcinterfaces'; if ( $fn ) { first_entry "$doing $fn..."; - process_simple_device, $interfaces++ while read_a_line; - } else { - $fn = find_file 'tcinterfaces'; + process_simple_device while read_a_line; } +} +# +# Process tcpri +# +sub process_tcpri() { + my $fn = find_file 'tcinterfaces'; my $fn1 = open_file 'tcpri'; if ( $fn1 ) { first_entry sub { progress_message2 "$doing $fn1..."; - warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces || $family == F_IPV6; + warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6; }; process_tc_priority while read_a_line; @@ -1413,10 +1416,12 @@ sub setup_simple_traffic_shaping() { } } -sub setup_traffic_shaping() { - our $lastrule = ''; +# +# Process the compilex traffic shaping files storing the configuration in %tcdevices and %tcclasses +# +sub process_traffic_shaping() { - save_progress_message q("Setting up Traffic Control..."); + our $lastrule = ''; my $fn = open_file 'tcdevices'; @@ -1426,9 +1431,6 @@ sub setup_traffic_shaping() { validate_tc_device while read_a_line; } - my $sfq = 0; - my $sfqinhex; - $devnum = $devnum > 10 ? 10 : 1; $fn = open_file 'tcclasses'; @@ -1439,6 +1441,11 @@ sub setup_traffic_shaping() { validate_tc_class while read_a_line; } + process_tcfilters; + + my $sfq = 0; + my $sfqinhex; + for my $device ( @tcdevices ) { my $devref = $tcdevices{$device}; my $defmark = in_hexp ( $devref->{default} || 0 ); 
@@ -1449,10 +1456,18 @@ sub setup_traffic_shaping() { $device = physical_name $device; - my $dev = chain_base( $device ); - unless ( $config{TC_ENABLED} eq 'Shared' ) { + my $dev = chain_base( $device ); + + emit( '', + '#', + "# Configure Traffic Shaping for $device", + '#', + "setup_${dev}_tc() {" ); + + push_indent; + emit "if interface_is_up $device; then"; push_indent; 
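Review bot: This hunk emits `setup_${dev}_tc() {` only inside `unless ( $config{TC_ENABLED} eq 'Shared' )`, but add_a_provider emits a call to `setup_${dev}_tc` whenever `$tcdevices->{$interface}` is set, without consulting TC_ENABLED. If Shared mode can be combined with optional providers, the generated script calls an undefined shell function on `enable`. Either apply the same TC_ENABLED guard in Providers.pm or emit a stub `setup_${dev}_tc() { :; }` in Shared mode so the call is always defined. process_traffic_shaping's device loop continues outside this hunk.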
@@ -1500,6 +1515,85 @@ sub setup_traffic_shaping() { emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" ); } + for my $class ( @tcclasses ) { + # + # The class number in the tcclasses array is expressed in decimal. + # + my ( $d, $decimalclassnum ) = split /:/, $class; + + next unless $d eq $device; + # + # For inclusion in 'tc' commands, we also need the hex representation + # + my $classnum = in_hexp $decimalclassnum; + # + # The decimal value of the class number is also used as the key for the hash at $tcclasses{$device} + # + my $tcref = $tcclasses{$device}{$decimalclassnum}; + my $mark = $tcref->{mark}; + my $devicenumber = in_hexp $devref->{number}; + my $classid = join( ':', $devicenumber, $classnum); + my $rate = "$tcref->{rate}kbit"; + my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} ); + + $classids{$classid}=$device; + $device = physical_name $device; + + my $priority = $tcref->{priority} << 8; + my $parent = in_hexp $tcref->{parent}; + + emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" ); + + if ( $devref->{qdisc} eq 'htb' ) { + emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" ); + } else { + my $dmax = $tcref->{dmax}; + + if ( $dmax ) { + my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b"; + emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" ); + } else { + emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" ); + } + } + + if ( $tcref->{leaf} && ! 
$tcref->{pfifo} ) { + 1 while $devnums[++$sfq]; + + $sfqinhex = in_hexp( $sfq); + if ( $devref->{qdisc} eq 'htb' ) { + emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ); + } else { + emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" ); + } + } + # + # add filters + # + unless ( $devref->{classify} ) { + emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1; + } + + emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; + # + # options + # + emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; + + for my $tospair ( @{$tcref->{tos}} ) { + my ( $tos, $mask ) = split q(/), $tospair; + emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid"; + } + + save_progress_message_short qq(" TC Class $classid defined."); + emit ''; + + } + + emit ''; + + emit "$_" for @{$devref->{filters}}; + save_progress_message_short qq(" TC Device $device defined."); pop_indent; 
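Review bot: `next unless $d eq $device;` compares the class key's device (the %tcdevices key, as the old loop's `$tcdevices{$device}` lookup shows) with `$device`, which the enclosing loop has already replaced by `physical_name $device` before entering `unless ( Shared )`. Whenever the logical and physical names differ, every class is skipped and the device is set up with no classes or filters. Compare against the stored name instead, `next unless $d eq $devref->{name};`, and drop the now-redundant `$device = physical_name $device;` inside the class loop. Note also that `%classids` is now filled only in non-Shared mode, whereas the old loop filled it unconditionally — if anything downstream validates class ids against it, Shared mode regresses. The device loop starts before this hunk.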
@@ -1510,106 +1604,44 @@ sub setup_traffic_shaping() { emit "${dev}_exists="; pop_indent; emit "fi\n"; + + pop_indent; + emit "}\n"; } } +} - my $lastdevice = ''; - - for my $class ( @tcclasses ) { - # - # The class number in the tcclasses array is expressed in decimal. - # - my ( $device, $decimalclassnum ) = split /:/, $class; - # - # For inclusion in 'tc' commands, we also need the hex representation - # - my $classnum = in_hexp $decimalclassnum; - my $devref = $tcdevices{$device}; - # - # The decimal value of the class number is also used as the key for the hash at $tcclasses{$device} - # - my $tcref = $tcclasses{$device}{$decimalclassnum}; - my $mark = $tcref->{mark}; - my $devicenumber = in_hexp $devref->{number}; - my $classid = join( ':', $devicenumber, $classnum); - my $rate = "$tcref->{rate}kbit"; - my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} ); - - $classids{$classid}=$device; - $device = physical_name $device; - - unless ( $config{TC_ENABLED} eq 'Shared' ) { - my $dev = chain_base $device; - my $priority = $tcref->{priority} << 8; - my $parent = in_hexp $tcref->{parent}; - - if ( $lastdevice ne $device ) { - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; - } - - emit qq(if [ -n "\$${dev}_exists" ]; then); - push_indent; - $lastdevice = $device; - } - - emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" ); - - if ( $devref->{qdisc} eq 'htb' ) { - emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" ); - } else { - my $dmax = $tcref->{dmax}; - - if ( $dmax ) { - my $umax = $tcref->{umax} ? 
"$tcref->{umax}b" : "\${${dev}_mtu}b"; - emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" ); - } else { - emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" ); - } - } - - if ( $tcref->{leaf} && ! $tcref->{pfifo} ) { - 1 while $devnums[++$sfq]; - - $sfqinhex = in_hexp( $sfq); - if ( $devref->{qdisc} eq 'htb' ) { - emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ); - } else { - emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" ); - } - } - # - # add filters - # - unless ( $devref->{classify} ) { - emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1; - } - - emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; - # - # options - # - emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; - - for my $tospair ( @{$tcref->{tos}} ) { - my ( $tos, $mask ) = split q(/), $tospair; - emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . 
" u32 match ip tos $tos $mask flowid $classid"; - } - - save_progress_message_short qq(" TC Class $classid defined."); - emit ''; - - } - +# +# Validate the TC configuration storing basic information in %tcdevices and %tcdevices +# +sub process_tc() { + if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) { + process_traffic_shaping; + } elsif ( $config{TC_ENABLED} eq 'Simple' ) { + process_tcinterfaces; } + # + # The Providers module needs to know which devices are tc-enabled so that + # it can call the appropriate 'setup_x_tc" function when the device is + # enabled. - if ( $lastdevice ) { - pop_indent; - emit "fi\n"; + my %empty; + + $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices; +} + +# +# Call the setup_${dev}_tc functions +# +sub setup_traffic_shaping() { + save_progress_message q("Setting up Traffic Control..."); + + for my $device ( @tcdevices ) { + my $interfaceref = known_interface( $device ); + my $dev = chain_base( $interfaceref ? $interfaceref->{physical} : $device ); + + emit "setup_${dev}_tc"; } - - process_tcfilters; } # @@ -1723,10 +1755,9 @@ sub setup_tc() { if ( $globals{TC_SCRIPT} ) { save_progress_message q('Setting up Traffic Control...'); append_file $globals{TC_SCRIPT}; - } elsif ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) { - setup_traffic_shaping; - } elsif ( $config{TC_ENABLED} eq 'Simple' ) { - setup_simple_traffic_shaping; + } else { + process_tcpri if $config{TC_ENABLED} eq 'Simple'; + setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared'; } if ( $config{TC_ENABLED} ) { diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 2660e2a6a..720b5e26a 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING find_interfaces_by_option find_interfaces_by_option1 get_interface_option + interface_has_option set_interface_option interface_zones verify_required_interfaces 
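Review bot: The header comment on the new `process_tc` names `%tcdevices` twice; the second is presumably `%tcclasses`, so `# Validate the TC configuration, storing basic information in %tcdevices and %tcclasses`. The old tail of `setup_traffic_shaping` called `process_tcfilters;` and this hunk removes it without a visible replacement — the new `setup_traffic_shaping` only emits `setup_${dev}_tc` calls — so unless the tcfilters handling moved into `process_traffic_shaping` or the generated per-device functions (outside this view), the filters file is no longer processed. The trailing `$config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;` is the function's return value; a `return` keyword there would make that intent clear at a glance.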
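Review bot: `setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';` now runs for every TC_ENABLED value except 'Shared', including the empty/disabled setting, because the new `else` covers everything that is not a TC_SCRIPT; the old chain only fired for 'Internal', 'Shared' or 'Simple'. With no tc devices the loop is empty, but the "Setting up Traffic Control..." progress message is still written into the generated script. `setup_traffic_shaping if $config{TC_ENABLED} && $config{TC_ENABLED} ne 'Shared';` restores the old gating; the `if ( $config{TC_ENABLED} )` just below the hunk suggests empty is indeed treated as disabled here.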
@@ -1375,8 +1376,7 @@ sub find_interfaces_by_option1( $ ) { my @ints = (); my $wild = 0; - for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } - ( grep $interfaces{$_}{root}, keys %interfaces ) ) { + for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) { my $interfaceref = $interfaces{$interface}; next unless defined $interfaceref->{physical}; @@ -1410,6 +1410,22 @@ sub get_interface_option( $$ ) { } +# +# Return the value of an option for an interface +# +sub interface_has_option( $$\$ ) { + my ( $interface, $option, $value ) = @_; + + my $ref = $interfaces{$interface}; + + $ref = known_interface( $interface ) unless $ref; + + if ( exists $ref->{options}{$option} ) { + $$value = $ref->{options}{$option}; + 1; + } +} + # # Set an option for an interface # diff --git a/Shorewall/Perl/getparams b/Shorewall/Perl/getparams index 8716a792d..ced3ed5dc 100755 --- a/Shorewall/Perl/getparams +++ b/Shorewall/Perl/getparams @@ -20,7 +20,13 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - +# +# Parameters: +# +# $1 = Path name of params file +# $2 = $CONFIG_PATH +# $3 = Address family (4 o4 6) +# if [ "$3" = 6 ]; then . /usr/share/shorewall6/lib.base . /usr/share/shorewall6/lib.cli diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 7dd772331..e2e56f3b2 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer 
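Review bot: The header comment on `interface_has_option`, "Return the value of an option for an interface", describes `get_interface_option` above it rather than this function, which returns true and stores the option's value through the `\$` reference in its third argument, and returns an empty value when the option is absent; `# Return true if the interface has the option, storing its value through the passed scalar reference` says what a caller needs. When neither `$interfaces{$interface}` nor `known_interface` yields a ref, `exists $ref->{options}{$option}` autovivifies `$ref` into an empty hash (as far as I can tell) and the function returns false, which looks right but reads like a dereference of undef — a one-line comment there would save the next reader a check.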
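Review bot: The new parameter comment has a typo: `# $3 = Address family (4 o4 6)` should read `# $3 = Address family (4 or 6)`. The `if [ "$3" = 6 ]` test directly below is what that line documents.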
@@ -5,7 +5,21 @@ # Give Usage Information # usage() { - echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" + echo "Usage: $0 [ options ] " + echo + echo " is one of:" + echo " start" + echo " stop" + echo " clear" + echo " disable " + echo " down " + echo " enable " + echo " reset" + echo " refresh" + echo " restart" + echo " status" + echo " up " + echo " version" echo echo "Options are:" echo @@ -295,6 +309,26 @@ case "$COMMAND" in updown $@ status=0; ;; + enable) + [ $# -eq 1 ] && exit 0 + shift + [ $# -ne 1 ] && usage 2 + if shorewall_is_started; then + detect_configuration + enable_provider $1 + fi + status=0 + ;; + disable) + [ $# -eq 1 ] && exit 0 + shift + [ $# -ne 1 ] && usage 2 + if shorewall_is_started; then + detect_configuration + disable_provider $1 + fi + status=0 + ;; version) [ $# -ne 1 ] && usage 2 echo $SHOREWALL_VERSION diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index 8e021ac02..8f9ed401b 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header @@ -111,6 +111,17 @@ find_device() { done } +# +# Find the value 'weight' in the passed arguments then echo the next value +# + +find_weight() { + while [ $# -gt 1 ]; do + [ "x$1" = xweight ] && echo $2 && return + shift + done +} + # # Find the value 'via' in the passed arguments then echo the next value # @@ -481,6 +492,8 @@ get_device_mtu1() # $1 = device # Undo changes to routing # undo_routing() { + local undofiles + local f if [ -z "$g_noroutes" ]; then # 
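Review bot: `[ $# -eq 1 ] && exit 0` in the new `enable)` and `disable)` arms makes `enable` with no provider name exit silently with success, whereas the neighbouring arms (`version)` just below) reject a wrong argument count with `usage 2`; removing that line and letting `[ $# -ne 1 ] && usage 2` handle the case gives the user an error, or, if the silent exit is deliberate for some caller that passes no provider, a comment saying so would help. The provider name is also passed unquoted as `enable_provider $1` / `disable_provider $1`; `enable_provider "$1"` hands the function exactly the argument the user typed. The enclosing `case "$COMMAND" in` begins and ends outside this hunk.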
@@ -493,10 +506,16 @@ undo_routing() { # # Restore the rest of the routing table # - if [ -f ${VARDIR}/undo_routing ]; then - . ${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing + undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)" + + if [ -n "$undofiles" ]; then + for f in $undofiles; do + . $f + done + + rm -f $undofiles + + progress_message "Shorewall-generated routing tables and routing rules removed" fi fi @@ -581,6 +600,60 @@ restore_default_route() # $1 = USE_DEFAULT_RT return $result } +# +# Add an additional gateway to the default route +# +add_gateway() # $1 = Delta $2 = Table Number +{ + local route + local weight + local delta + local dev + + route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'` + + if [ -z "$route" ]; then + run_ip route add default scope global table $2 $1 + else + delta=$1 + + if ! echo $route | fgrep -q ' nexthop '; then + route=`echo $route | sed 's/via/nexthop via/'` + dev=$(find_device $route) + if [ -f ${VARDIR}/${dev}_weight ]; then + weight=`cat ${VARDIR}/${dev}_weight` + route="$route weight $weight" + fi + fi + + run_ip route replace default scope global table $2 $route $delta + fi +} + +# +# Remove a gateway from the default route +# +delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device +{ + local route + local gateway + local dev + + route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'` + gateway=$1 + + if [ -n "$route" ]; then + if echo $route | fgrep -q ' nexthop '; then + gateway="nexthop $gateway" + eval route=\`echo $route \| sed \'s/$gateway/ /\'\` + run_ip route replace table $2 $route + else + dev=$(find_device $route) + [ "$dev" = "$3" ] && run_ip route delete default table $2 + fi + fi +} + # # Determine the MAC address of the passed IP through the passed interface # 
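Review bot: `undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"` parses `ls` output and then word-splits it in `for f in $undofiles` and `rm -f $undofiles`, which breaks as soon as `$VARDIR` contains a space and spawns a process the shell glob makes unnecessary: `for f in ${VARDIR}/undo_*routing; do [ -f "$f" ] && . "$f"; done` followed by `rm -f ${VARDIR}/undo_*routing`, with the `[ -f ]` test covering the no-match case since plain sh has no nullglob. Sourcing with `.` executes these files in the current shell, as the existing `undo_routing` handling already did; the wildcard widens that to anything in `$VARDIR` matching `undo_*routing`, so the directory's ownership and mode remain the control worth keeping in mind. The enclosing `undo_routing()` starts in the previous hunk.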
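Review bot: The eval'd `route=` assignment in `delete_gateway` needs no `eval`: `route=$(echo $route | sed "s/$gateway/ /")` performs the same substitution without re-parsing the `ip route` output as shell code, and dropping the eval removes the one place where unexpected characters in that output would be interpreted rather than passed through. `$gateway` is also used as an unanchored sed regex, so the dots in an address match any character and a description that is a prefix of a longer one can hit the wrong nexthop; `s/ $gateway / /` at least pins it to whole tokens. The header comment `# $! = Description of the Gateway` should read `# $1 = Description of the Gateway`. In `add_gateway`, the `weight=` line could use `read weight < ${VARDIR}/${dev}_weight` instead of a `cat` substitution, but that is style only.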
@@ -803,13 +876,17 @@ debug_restore_input() { qt1 $IPTABLES -t mangle -P $chain ACCEPT done - qt1 $IPTABLES -t raw -F - qt1 $IPTABLES -t raw -X + qt1 $IPTABLES -t raw -F + qt1 $IPTABLES -t raw -X + qt1 $IPTABLES -t rawpost -F + qt1 $IPTABLES -t rawpost -X for chain in PREROUTING OUTPUT; do qt1 $IPTABLES -t raw -P $chain ACCEPT done + qt1 $iptables -T rawpost -P POSTROUTING ACCEPT + run_iptables -t nat -F run_iptables -t nat -X @@ -859,6 +936,9 @@ debug_restore_input() { '*'raw) table=raw ;; + '*'rawpost) + table=rawpost + ;; '*'mangle) table=mangle ;; diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index b1b1c7256..617611b2a 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -484,7 +484,7 @@ undo_routing() { if [ -f ${VARDIR}/undo_routing ]; then . ${VARDIR}/undo_routing progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing + rm -f ${VARDIR}/undo_*routing fi fi @@ -822,6 +822,9 @@ debug_restore_input() { '*'raw) table=raw ;; + '*'rawpost) + table=rawpost + ;; '*'mangle) table=mangle ;; diff --git a/Shorewall/configfiles/netmap b/Shorewall/configfiles/netmap index cf0a04682..f444f2a62 100644 --- a/Shorewall/configfiles/netmap +++ b/Shorewall/configfiles/netmap @@ -6,5 +6,6 @@ # See http://shorewall.net/netmap.html for an example and usage # information. # -############################################################################### -#TYPE NET1 INTERFACE NET2 NET3 +############################################################################################## +#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE +# PORT(S) PORT(S) diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules index 2da088fc7..79fae68cf 100644 --- a/Shorewall/configfiles/rules +++ b/Shorewall/configfiles/rules 
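Review bot: `qt1 $iptables -T rawpost -P POSTROUTING ACCEPT` uses lowercase `$iptables` and uppercase `-T` where every neighbouring line uses `$IPTABLES -t`; with `$iptables` unset the command degenerates to `-T rawpost -P POSTROUTING ACCEPT`, `qt1` swallows the "command not found", and the rawpost POSTROUTING policy is never reset. It should read `qt1 $IPTABLES -t rawpost -P POSTROUTING ACCEPT`. The flush and delete lines added two lines earlier spell both correctly, so this is a one-token fix.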
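Review bot: `rm -f ${VARDIR}/undo_*routing` now removes every `undo_*routing` file, but the `if [ -f ${VARDIR}/undo_routing ]` test and the `. ${VARDIR}/undo_routing` above it still execute only the single file, so any other `undo_*routing` file present would be deleted without its undo commands ever running. prog.header's `undo_routing()` in this same diff iterates over all matching files before removing them; `for f in ${VARDIR}/undo_*routing; do [ -f "$f" ] && . "$f"; done` here would keep the two variants in step. If the IPv6 side never writes the extra files, the wildcard is unnecessary rather than wrong, but the asymmetry deserves a comment either way.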
@@ -9,6 +9,7 @@ #################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Shorewall/init.fedora.sh b/Shorewall/init.fedora.sh new file mode 100644 index 000000000..14bf9830c --- /dev/null +++ b/Shorewall/init.fedora.sh 
@@ -0,0 +1,112 @@ +#!/bin/sh +# +# Shorewall init script +# +# chkconfig: - 28 90 +# description: Packet filtering firewall + +### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $local_fs $remote_fs $syslog $network +# Should-Start: VMware $time $named +# Required-Stop: +# Default-Start: +# Default-Stop: 0 1 2 3 4 5 6 +# Short-Description: Packet filtering firewall +# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a +# Netfilter (iptables) based firewall +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +prog="shorewall" +shorewall="/sbin/$prog" +logger="logger -i -t $prog" +lockfile="/var/lock/subsys/$prog" + +# Get startup options (override default) +OPTIONS= + +if [ -f /etc/sysconfig/$prog ]; then + . /etc/sysconfig/$prog +fi + +start() { + echo -n $"Starting Shorewall: " + $shorewall $OPTIONS start 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + touch $lockfile + success + else + failure + fi + echo + return $retval +} + +stop() { + echo -n $"Stopping Shorewall: " + $shorewall $OPTIONS stop 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + rm -f $lockfile + success + else + failure + fi + echo + return $retval +} + +restart() { +# Note that we don't simply stop and start since shorewall has a built in +# restart which stops the firewall if running and then starts it. + echo -n $"Restarting Shorewall: " + $shorewall $OPTIONS restart 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + touch $lockfile + success + else # Failed to start, clean up lock file if present + rm -f $lockfile + failure + fi + echo + return $retval +} + +status(){ + $shorewall status + return $? 
+} + +status_q() { + status > /dev/null 2>&1 +} + +case "$1" in + start) + status_q && exit 0 + $1 + ;; + stop) + status_q || exit 0 + $1 + ;; + restart|reload|force-reload) + restart + ;; + condrestart|try-restart) + status_q || exit 0 + restart + ;; + status) + $1 + ;; + *) + echo "Usage: $0 start|stop|reload|restart|force-reload|status" + exit 1 + ;; +esac diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 110d0be1b..dc9db04a4 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -248,6 +248,9 @@ else echo "Installing Debian-specific configuration..." DEBIAN=yes SPARSE=yes + elif [ -f /etc/redhat-release ]; then + echo "Installing Redhat/Fedora-specific configuration..." + FEDORA=yes elif [ -f /etc/slackware-version ] ; then echo "Installing Slackware-specific configuration..." DEST="/etc/rc.d" @@ -262,6 +265,14 @@ else fi fi +if [ -z "$DESTDIR" ]; then + if [ -f /lib/systemd/system ]; then + SYSTEMD=Yes + fi +elif [ -n "$SYSTEMD" ]; then + mkdir -p ${DESTDIR}/lib/systemd/system +fi + # # Change to the directory containing this script # @@ -301,6 +312,8 @@ fi # if [ -n "$DEBIAN" ]; then install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544 +elif [ -n "$FEDORA" ]; then + install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544 elif [ -n "$ARCHLINUX" ]; then install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 elif [ -n "$SLACKWARE" ]; then @@ -333,6 +346,14 @@ if [ -n "$DESTDIR" ]; then chmod 755 ${DESTDIR}/etc/logrotate.d fi +# +# Install the .service file +# +if [ -n "$SYSTEMD" ]; then + run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service + echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service" +fi + if [ -n "$ANNOTATED" ]; then suffix=.annotated else 
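Review bot: The script declares `#!/bin/sh` but relies on `${PIPESTATUS[0]}`, `[[ $retval == 0 ]]` and `$"..."` locale strings, all bash-only; where `/bin/sh` is dash these fail at run time and every action ends in the `failure` branch or aborts. `/etc/rc.d/init.d/functions`, which the script sources, is itself bash, so `#!/bin/bash` is the accurate shebang. The identical new files Shorewall6-lite/init.fedora.sh and Shorewall6/init.fedora.sh later in this diff have the same issue. Separately, defining `status()` shadows the `status` helper that init.d/functions provides; if that override is intended, a one-line comment above it would stop someone "fixing" it.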
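Review bot: `if [ -f /lib/systemd/system ]; then` tests for a regular file, but `/lib/systemd/system` is a directory, so the test is always false and `SYSTEMD=Yes` is never set on a native install; it should be `if [ -d /lib/systemd/system ]; then`. The same line is repeated in Shorewall6-lite/install.sh and Shorewall6/install.sh later in this diff. The `elif [ -n "$SYSTEMD" ]` arm for `DESTDIR` builds depends on the packager exporting `SYSTEMD` beforehand, which is presumably intentional but is worth a comment since nothing in the script documents it.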
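Review bot: `run_install $OWNERSHIP -m 600 shorewall.service ...` installs the unit file readable by root only; systemd unit files are conventionally mode 644 so that unprivileged `systemctl status` and `systemctl cat` can show them, and this unit carries no secrets — the options live in the separate `EnvironmentFile`. `-m 644` would match distribution packaging; if 600 is deliberate, a comment saying why would help.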
@@ -997,7 +1018,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then touch /var/log/shorewall-init.log perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf else - if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if [ -n "$SYSTEMD" ]; then + if systemctl enable shorewall; then + echo "Shorewall will start automatically at boot" + fi + elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if insserv /etc/init.d/shorewall ; then echo "shorewall will start automatically at boot" echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable" diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index c37ca7c1b..a669db3c0 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -525,7 +525,7 @@ show_command() { [ $# -eq 1 ] && usage 1 case $2 in - mangle|nat|filter|raw) + mangle|nat|filter|raw|rawpost) table=$2 table_given=Yes ;; @@ -602,6 +602,13 @@ show_command() { show_reset $IPTABLES -t raw -L $g_ipt_options ;; + rawpost) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" + echo + show_reset + $IPTABLES -t rawpost -L $g_ipt_options + ;; tos|mangle) [ $# -gt 1 ] && usage 1 echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" @@ -1500,6 +1507,7 @@ hits_command() { $g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ t s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do + [ -z "$port" ] && port=0 printf '%7d %-15s %d\n' $count $address $port done @@ -1690,6 +1698,7 @@ determine_capabilities() { CONNMARK_MATCH= XCONNMARK_MATCH= RAW_TABLE= + RAWPOST_TABLE= IPP2P_MATCH= OLD_IPP2P_MATCH= LENGTH_MATCH= @@ -1722,7 +1731,6 @@ determine_capabilities() { HEADER_MATCH= ACCOUNT_TARGET= AUDIT_TARGET= - QUOTA_MATCH= chain=fooX$$ 
@@ -1826,7 +1834,8 @@ determine_capabilities() { qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes fi - qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes + qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time @@ -1872,7 +1881,6 @@ determine_capabilities() { qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes - qt $IPTABLES -A $chain -m quota --quota 1000 & QUOTA_MATCH=Yes qt $IPTABLES -F $chain qt $IPTABLES -X $chain qt $IPTABLES -F $chain1 @@ -1934,6 +1942,7 @@ report_capabilities() { report_capability "Connmark Match" $CONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH report_capability "Raw Table" $RAW_TABLE + report_capability "Rawpost Table" $RAWPOST_TABLE report_capability "IPP2P Match" $IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH report_capability "CLASSIFY Target" $CLASSIFY_TARGET @@ -1965,7 +1974,6 @@ report_capabilities() { report_capability "Header Match" $HEADER_MATCH report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET - report_capability "Quota Match" $QUOTA_MATCH report_capability "ipset V5" $IPSET_V5 fi @@ -2004,6 +2012,7 @@ report_capabilities1() { report_capability1 CONNMARK_MATCH report_capability1 XCONNMARK_MATCH report_capability1 RAW_TABLE + report_capability1 RAWPOST_TABLE report_capability1 IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH report_capability1 CLASSIFY_TARGET 
@@ -2035,7 +2044,6 @@ report_capabilities1() { report_capability1 HEADER_MATCH report_capability1 ACCOUNT_TARGET report_capability1 AUDIT_TARGET - report_capability1 QUOTA_MATCH report_capability1 IPSET_V5 echo CAPVERSION=$SHOREWALL_CAPVERSION diff --git a/Shorewall/lib.common b/Shorewall/lib.common index ef7b8b11e..007946bf5 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -225,7 +225,31 @@ loadmodule() # $1 = module name, $2 - * arguments local modulefile local suffix - if ! list_search $modulename $DONT_LOAD $MODULES; then + if [ -d /sys/module/ ]; then + if ! list_search $modulename $DONT_LOAD; then + if [ ! -d /sys/module/$modulename ]; then + shift + + for suffix in $MODULE_SUFFIX ; do + for directory in $moduledirectories; do + modulefile=$directory/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + break 2 + fi + done + done + fi + fi + elif ! list_search $modulename $DONT_LOAD $MODULES; then shift for suffix in $MODULE_SUFFIX ; do @@ -272,7 +296,7 @@ reload_kernel_modules() { uname=$(uname -r) && \ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" @@ -318,7 +342,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) if [ -f $modules -a -n "$moduledirectories" ]; then - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) progress_message "Loading Modules..." . $modules if [ $savemoduleinfo = Yes ]; then 
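Review bot: The new `/sys/module` branch of `loadmodule()` duplicates the whole suffix/directory search and the `insmod`/`modprobe` case verbatim from the existing `elif` branch, so the two copies will drift; the sysfs check only decides whether to load at all, so it can be expressed as guard clauses ahead of a single shared search loop, as sketched below. Note also that the kernel exposes module names in `/sys/module` with hyphens converted to underscores, so if any name passed to `loadmodule` contains a `-`, `[ ! -d /sys/module/$modulename ]` will always report it as not loaded and it will be re-loaded on every run; normalising the name with `tr - _` avoids that. The `$*` passed to `insmod`/`modprobe` is unquoted, matching the existing branch. `loadmodule()` begins above and ends below this hunk, so the guard-clause form assumes a bare `return` is acceptable there.
```shell
    if [ -d /sys/module/ ]; then
        # sysfs knows what is loaded; $MODULES (from lsmod) is not consulted here
        list_search $modulename $DONT_LOAD && return
        [ -d /sys/module/$(echo $modulename | tr - _) ] && return
    else
        list_search $modulename $DONT_LOAD $MODULES && return
    fi

    shift

    # … unchanged: for suffix in $MODULE_SUFFIX / for directory in $moduledirectories search, insmod or modprobe, break 2 …
```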
diff --git a/Shorewall/shorewall b/Shorewall/shorewall index cf5fbe5c8..f41a30def 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1435,7 +1435,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" + echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [ [ ... ]" echo " show actions" echo " show [ -f ] capabilities" echo " show classifiers" @@ -1448,7 +1448,7 @@ usage() # $1 = exit status echo " show [ -m ] log []" echo " show macro " echo " show macros" - echo " show [ -x ] mangle|nat|raw|routing" + echo " show [ -x ] mangle|nat|raw|rawpost|routing" echo " show policies" echo " show tc [ device ]" echo " show vardir" diff --git a/Shorewall/shorewall.service b/Shorewall/shorewall.service new file mode 100644 index 000000000..0a2cd4a38 --- /dev/null +++ b/Shorewall/shorewall.service @@ -0,0 +1,20 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# +# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com) +# +[Unit] +Description=Shorewall IPv4 firewall +After=syslog.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall +StandardOutput=syslog +ExecStart=/sbin/shorewall $OPTIONS start +ExecReload=/sbin/shorewall $OPTIONS restart +ExecStop=/sbin/shorewall $OPTIONS stop + +[Install] +WantedBy=multi-user.target diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index f5505fd00..c765e0a8a 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -92,6 +92,8 @@ if [ -n "$FIREWALL" ]; then updaterc.d shorewall remove elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then insserv -r $FIREWALL + elif [ -x /sbin/systemctl ]; then + systemctl disable shorewall elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then chkconfig --del $(basename $FIREWALL) else 
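Review bot: `After=syslog.target` is the only ordering dependency in this unit, while the new Shorewall6-lite/shorewall6-lite.service later in this diff also declares `After=network.target`, and the init.fedora.sh added alongside lists `$network` under `Required-Start`; the three should agree or the difference be commented. For a firewall, starting before the network interfaces come up is usually the desired fail-closed ordering, so this unit's choice may well be the deliberate one — in which case the explanatory comment belongs on the lite unit instead.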
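Review bot: `elif [ -x /sbin/systemctl ]; then systemctl disable shorewall` is placed before the `chkconfig` arm here, whereas the matching hunk in Shorewall6-lite/uninstall.sh later in this diff puts its `systemctl` arm after `chkconfig`, so on a host that has both tools the lite uninstaller goes through `chkconfig --del` while this one uses `systemctl disable`. Pick one order — systemd first is consistent with install.sh, which prefers `systemctl enable` when `SYSTEMD` is set — and use it in both files. `/sbin/systemctl` is also a single hard-coded path; `command -v systemctl >/dev/null 2>&1` would find it wherever the distribution installs it.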
@@ -116,6 +118,7 @@ rm -rf /usr/share/shorewall-*.bkout rm -rf /usr/share/man/man5/shorewall* rm -rf /usr/share/man/man8/shorewall* rm -f /etc/logrotate.d/shorewall +rm -f /lib/systemd/system/shorewall.service echo "Shorewall Uninstalled" diff --git a/Shorewall6-lite/init.fedora.sh b/Shorewall6-lite/init.fedora.sh new file mode 100644 index 000000000..13a7019bb --- /dev/null +++ b/Shorewall6-lite/init.fedora.sh 
@@ -0,0 +1,112 @@ +#!/bin/sh +# +# Shorewall init script +# +# chkconfig: - 28 90 +# description: Packet filtering firewall + +### BEGIN INIT INFO +# Provides: shorewall6-lite +# Required-Start: $local_fs $remote_fs $syslog $network +# Should-Start: VMware $time $named +# Required-Stop: +# Default-Start: +# Default-Stop: 0 1 2 3 4 5 6 +# Short-Description: Packet filtering firewall +# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a +# Netfilter (iptables) based firewall +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +prog="shorewall6-lite" +shorewall="/sbin/$prog" +logger="logger -i -t $prog" +lockfile="/var/lock/subsys/$prog" + +# Get startup options (override default) +OPTIONS= + +if [ -f /etc/sysconfig/$prog ]; then + . /etc/sysconfig/$prog +fi + +start() { + echo -n $"Starting Shorewall: " + $shorewall $OPTIONS start 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + touch $lockfile + success + else + failure + fi + echo + return $retval +} + +stop() { + echo -n $"Stopping Shorewall: " + $shorewall $OPTIONS stop 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + rm -f $lockfile + success + else + failure + fi + echo + return $retval +} + +restart() { +# Note that we don't simply stop and start since shorewall has a built in +# restart which stops the firewall if running and then starts it. + echo -n $"Restarting Shorewall: " + $shorewall $OPTIONS restart 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + touch $lockfile + success + else # Failed to start, clean up lock file if present + rm -f $lockfile + failure + fi + echo + return $retval +} + +status(){ + $shorewall status + return $? 
+} + +status_q() { + status > /dev/null 2>&1 +} + +case "$1" in + start) + status_q && exit 0 + $1 + ;; + stop) + status_q || exit 0 + $1 + ;; + restart|reload|force-reload) + restart + ;; + condrestart|try-restart) + status_q || exit 0 + restart + ;; + status) + $1 + ;; + *) + echo "Usage: $0 start|stop|reload|restart|force-reload|status" + exit 1 + ;; +esac diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 0ce0b7da7..e02de234c 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -171,6 +171,8 @@ if [ -n "$DESTDIR" ]; then install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST} elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then DEBIAN=yes +elif [ -f /etc/redhat-release ]; then + FEDORA=yes elif [ -f /etc/slackware-version ] ; then DEST="/etc/rc.d" INIT="rc.firewall" @@ -180,6 +182,14 @@ elif [ -f /etc/arch-release ] ; then ARCHLINUX=yes fi +if [ -z "$DESTDIR" ]; then + if [ -f /lib/systemd/system ]; then + SYSTEMD=Yes + fi +elif [ -n "$SYSTEMD" ]; then + mkdir -p ${DESTDIR}/lib/systemd/system +fi + # # Change to the directory containing this script # @@ -222,6 +232,8 @@ echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-li # if [ -n "$DEBIAN" ]; then install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544 +elif [ -n "$FEDORA" ]; then + install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544 elif [ -n "$ARCHLINUX" ]; then install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 @@ -247,6 +259,14 @@ if [ -n "$DESTDIR" ]; then chmod 755 ${DESTDIR}/etc/logrotate.d fi +# +# Install the .service file +# +if [ -n "$SYSTEMD" ]; then + run_install $OWNERSHIP -m 600 shorewall6-lite.service ${DESTDIR}/lib/systemd/system/shorewall6-lite.service + echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6-lite.service" +fi + # # Install the config file # 
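Review bot: `install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544` omits the `${DESTDIR}` prefix that the `DEBIAN` arm directly above uses, so a staged build with `DESTDIR` set on a host that has /etc/redhat-release writes the init script into the live system's /etc/init.d instead of the staging tree; it should read `install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544`. The equivalent new line in Shorewall/install.sh earlier in this diff does carry the prefix.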
@@ -380,7 +400,11 @@ if [ -z "$DESTDIR" ]; then echo "Shorewall6 Lite will start automatically at boot" else - if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if [ -n "$SYSTEMD" ]; then + if systemctl enable shorewall6-lite; then + echo "Shorewall6 Lite will start automatically at boot" + fi + elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if insserv /etc/init.d/shorewall6-lite ; then echo "Shorewall6 Lite will start automatically at boot" else diff --git a/Shorewall6-lite/shorewall6-lite.service b/Shorewall6-lite/shorewall6-lite.service new file mode 100644 index 000000000..6e9008068 --- /dev/null +++ b/Shorewall6-lite/shorewall6-lite.service @@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# +# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com) +# +[Unit] +Description=Shorewall IPv6 firewall (lite) +After=syslog.target +After=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall6-lite +StandardOutput=syslog +ExecStart=/sbin/shorewall6-lite $OPTIONS start +ExecReload=/sbin/shorewall6-lite $OPTIONS restart +ExecStop=/sbin/shorewall6-lite $OPTIONS stop + +[Install] +WantedBy=multi-user.target diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 36a731ede..032dafdec 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -81,6 +81,8 @@ if [ -n "$FIREWALL" ]; then insserv -r $FIREWALL elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then chkconfig --del $(basename $FIREWALL) + elif [ -x /sbin/systemctl ]; then + systemctl disable shorewall6-lite else rm -f /etc/rc*.d/*$(basename $FIREWALL) fi @@ -100,6 +102,7 @@ rm -rf /usr/share/shorewall6-lite rm -rf ${LIBEXEC}/shorewall6-lite rm -rf /usr/share/shorewall6-lite-*.bkout rm -f /etc/logrotate.d/shorewall6-lite +rm -f /lib/systemd/system/shorewall6-lite.service echo "Shorewall6 Lite Uninstalled" 
diff --git a/Shorewall6/action.Broadcast b/Shorewall6/action.Broadcast index 10d2e4252..443b3e7a7 100644 --- a/Shorewall6/action.Broadcast +++ b/Shorewall6/action.Broadcast @@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) { decr_cmd_level $chainref; add_commands $chainref, 'done'; } - + log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne ''; add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' ); diff --git a/Shorewall6/configfiles/netmap b/Shorewall6/configfiles/netmap new file mode 100644 index 000000000..efc14111a --- /dev/null +++ b/Shorewall6/configfiles/netmap @@ -0,0 +1,11 @@ +# +# Shorewall6 version 4 - Netmap File +# +# For information about entries in this file, type "man shorewall-netmap" +# +# See http://shorewall.net/netmap.html for an example and usage +# information. +# +############################################################################################## +#TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE +# PORT(S) PORT(S) diff --git a/Shorewall6/configfiles/rules b/Shorewall6/configfiles/rules index a4ae986f9..ba9607de5 100644 --- a/Shorewall6/configfiles/rules +++ b/Shorewall6/configfiles/rules @@ -9,6 +9,7 @@ ####################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS # PORT PORT(S) DEST LIMIT GROUP +#SECTION ALL #SECTION ESTABLISHED #SECTION RELATED SECTION NEW diff --git a/Shorewall6/init.fedora.sh b/Shorewall6/init.fedora.sh new file mode 100644 index 000000000..cd5896f7b --- /dev/null +++ b/Shorewall6/init.fedora.sh 
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+# Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+ . /etc/sysconfig/$prog
+fi
+
+start() {
+ echo -n $"Starting Shorewall: "
+ $shorewall $OPTIONS start 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ touch $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping Shorewall: "
+ $shorewall $OPTIONS stop 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ rm -f $lockfile
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+ echo -n $"Restarting Shorewall: "
+ $shorewall $OPTIONS restart 2>&1 | $logger
+ retval=${PIPESTATUS[0]}
+ if [[ $retval == 0 ]]; then
+ touch $lockfile
+ success
+ else # Failed to start, clean up lock file if present
+ rm -f $lockfile
+ failure
+ fi
+ echo
+ return $retval
+}
+
+status(){
+ $shorewall status
+ return $?
+} + +status_q() { + status > /dev/null 2>&1 +} + +case "$1" in + start) + status_q && exit 0 + $1 + ;; + stop) + status_q || exit 0 + $1 + ;; + restart|reload|force-reload) + restart + ;; + condrestart|try-restart) + status_q || exit 0 + restart + ;; + status) + $1 + ;; + *) + echo "Usage: $0 start|stop|reload|restart|force-reload|status" + exit 1 + ;; +esac diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index a9e4b65e4..983a24cc7 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -107,7 +107,6 @@ if [ -z "$INIT" ] ; then fi ANNOTATED= -DEBIAN= CYGWIN= MAC= MACHOST= @@ -242,6 +241,9 @@ else echo "Installing Debian-specific configuration..." DEBIAN=yes SPARSE=yes + elif [ -f /etc/redhat-release ]; then + echo "Installing Redhat/Fedora-specific configuration..." + FEDORA=yes elif [ -f /etc/slackware-version ] ; then echo "Installing Slackware-specific configuration..." DEST="/etc/rc.d" @@ -256,6 +258,14 @@ else fi fi +if [ -z "$DESTDIR" ]; then + if [ -f /lib/systemd/system ]; then + SYSTEMD=Yes + fi +elif [ -n "$SYSTEMD" ]; then + mkdir -p ${DESTDIR}/lib/systemd/system +fi + # # Change to the directory containing this script # @@ -295,6 +305,8 @@ fi # if [ -n "$DEBIAN" ]; then install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout +elif [ -n "$FEDORA" ]; then + install_file init.fedora.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout elif [ -n "$SLACKWARE" ]; then install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout elif [ -n "$ARCHLINUX" ]; then 
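Review bot: init.fedora.sh declares `#!/bin/sh` but relies on bash in start(), stop() and restart(): `[[ $retval == 0 ]]`, `${PIPESTATUS[0]}` and the `$"..."` locale strings. That works only where /bin/sh is bash; under dash the `[[` is a syntax error and ShellCheck flags every one of these, so the shebang should be `#!/bin/bash`. The script also defines its own `status()` after sourcing /etc/rc.d/init.d/functions; if that library already provides a `status`, a one-line comment such as `# Overrides status() from init.d/functions: shorewall reports its own state` would tell the next reader the shadowing is intentional.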
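Review bot: `if [ -f /lib/systemd/system ]; then` in the Shorewall6/install.sh `@@ -256,6 +258,14 @@` hunk tests for a regular file, but /lib/systemd/system is a directory, so on a native (DESTDIR-less) install the test is always false, nothing else in this diff sets SYSTEMD, and the .service install and `systemctl enable shorewall6` branches added further down never run unless SYSTEMD was already exported by the caller. Use `if [ -d /lib/systemd/system ]; then`. If the Shorewall6-lite installer uses the same test (its detection hunk is not in view), it needs the same fix. Separately, FEDORA is assigned in the `@@ -242` hunk but never cleared in the variable block this commit edits (the one that drops `DEBIAN=`), so an inherited environment value would select the Fedora init script; adding `FEDORA=` there alongside `CYGWIN=` would close that.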
@@ -323,6 +335,14 @@ if [ -n "$DESTDIR" ]; then chmod 755 ${DESTDIR}/etc/logrotate.d fi +# +# Install the .service file +# +if [ -n "$SYSTEMD" ]; then + run_install $OWNERSHIP -m 600 shorewall6.service ${DESTDIR}/lib/systemd/system/shorewall6.service + echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6.service" +fi + delete_file ${DESTDIR}/usr/share/shorewall6/compiler delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions @@ -874,7 +894,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then touch /var/log/shorewall6-init.log perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf else - if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if [ -n "$SYSTEMD" ]; then + if systemctl enable shorewall6; then + echo "Shorewall6 will start automatically at boot" + fi + elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if insserv /etc/init.d/shorewall6 ; then echo "shorewall6 will start automatically at boot" echo "Set STARTUP_ENABLED=Yes in /etc/shorewall6/shorewall6.conf to enable" diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index c3634d59f..8fc9f5113 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -510,7 +510,7 @@ show_command() { [ $# -eq 1 ] && usage 1 case $2 in - mangle|nat|filter|raw) + mangle|nat|filter|raw|rawpost) table=$2 table_given=Yes ;; @@ -575,6 +575,13 @@ show_command() { show_reset $IP6TABLES -t raw -L $g_ipt_options ;; + rawpost) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)" + echo + show_reset + $IP6TABLES -t rawpost -L $g_ipt_options + ;; log) [ $# -gt 2 ] && usage 1 @@ -1519,6 +1526,7 @@ determine_capabilities() { CONNMARK_MATCH= XCONNMARK_MATCH= RAW_TABLE= + RAWPOST_TABLE= IPP2P_MATCH= OLD_IPP2P_MATCH= LENGTH_MATCH= 
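Review bot: The unit file is installed with `-m 600` in the `@@ -323,6 +335,14 @@` hunk; as far as I know unit files under /lib/systemd/system are conventionally 0644, and the restrictive mode gains nothing for systemd (which reads them as root) while stopping unprivileged `systemctl status`/`systemctl cat` from showing the unit. Consider `run_install $OWNERSHIP -m 644 shorewall6.service ${DESTDIR}/lib/systemd/system/shorewall6.service`.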
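Review bot: The `systemctl enable shorewall6` branch in the `@@ -874,7 +894,11 @@` hunk omits the `Set STARTUP_ENABLED=Yes in /etc/shorewall6/shorewall6.conf to enable` reminder that the insserv branch prints right after its own success line, even though the unit's `ExecStart=/sbin/shorewall6 $OPTIONS start` presumably honours the same setting; a user who enables via systemd gets no hint why the firewall stays down at boot. Add the same `echo` after `echo "Shorewall6 will start automatically at boot"`. The enclosing `if [ -z "$DESTDIR" -a -n "$first_install" ... ]` block ends outside the hunk.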
@@ -1549,7 +1557,6 @@ determine_capabilities() { HEADER_MATCH= ACCOUNT_TARGET= AUDIT_TARGET= - QUOTA_MATCH= IPSET_V5= chain=fooX$$ @@ -1664,6 +1671,7 @@ determine_capabilities() { fi qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes + qt $IP6TABLES -t rawpost -L -n && RAWPOST_TABLE=Yes if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time @@ -1701,7 +1709,6 @@ determine_capabilities() { qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes - qt $IP6TABLES -A $chain -m quota --quota 1000 && QUOTA_MATCH=Yes qt $IP6TABLES -F $chain @@ -1764,6 +1771,7 @@ report_capabilities() { report_capability "Connmark Match" $CONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH report_capability "Raw Table" $RAW_TABLE + report_capability "Rawpost Table" $RAWPOST_TABLE report_capability "IPP2P Match" $IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH report_capability "CLASSIFY Target" $CLASSIFY_TARGET @@ -1793,7 +1801,6 @@ report_capabilities() { report_capability "Header Match" $HEADER_MATCH report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET - report_capability "Quota Match" $QUOTA_MATCH report_capability "ipset V5" $IPSET_V5 fi @@ -1831,6 +1838,7 @@ report_capabilities1() { report_capability1 CONNMARK_MATCH report_capability1 XCONNMARK_MATCH report_capability1 RAW_TABLE + report_capability1 RAWPOST_TABLE report_capability1 IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH report_capability1 CLASSIFY_TARGET 
@@ -1860,7 +1868,6 @@ report_capabilities1() { report_capability1 HEADER_MATCH report_capability1 ACCOUNT_TARGET report_capability1 AUDIT_TARGET - report_capability1 QUOTA_MATCH report_capability1 IPSET_V5 echo CAPVERSION=$SHOREWALL_CAPVERSION diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common index 115a2f956..572e8fe1a 100644 --- a/Shorewall6/lib.common +++ b/Shorewall6/lib.common @@ -247,7 +247,31 @@ loadmodule() # $1 = module name, $2 - * arguments local modulefile local suffix - if ! list_search $modulename $MODULES $DONT_LOAD ; then + if [ -d /sys/module/ ]; then + if ! list_search $modulename $DONT_LOAD; then + if [ ! -d /sys/module/$modulename ]; then + shift + + for suffix in $MODULE_SUFFIX ; do + for directory in $moduledirectories; do + modulefile=$directory/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + break 2 + fi + done + done + fi + fi + elif ! list_search $modulename $MODULES $DONT_LOAD ; then shift for suffix in $MODULE_SUFFIX ; do @@ -290,7 +314,7 @@ reload_kernel_modules() { [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ] [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" @@ -334,7 +358,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules) if [ -f $modules -a -n "$moduledirectories" ]; then - MODULES=$(lsmod | cut -d ' ' -f1) + [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1) progress_message "Loading Modules..." . $modules if [ $savemoduleinfo = Yes ]; then 
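Review bot: The new `/sys/module` branch of loadmodule() in the lib.common `@@ -247,7 +247,31 @@` hunk duplicates the suffix/directory search loop and the insmod/modprobe `case` that the `elif` branch already contains (that loop continues outside the hunk), so the two copies will drift, and the `list_search $modulename $DONT_LOAD` test is now made in two places. Decide "already loaded" once and keep a single loop, as sketched below. One caveat on the check itself: /sys/module directory names use `_`, so a modules-file entry spelled with `-` would never be seen as loaded and the load would be re-attempted on every call; either normalise `$modulename` with `tr - _` before the `-d` test or document the expectation. loadmodule() begins and ends outside the hunk.
```shell
    local loaded=

    # Decide once whether the module is present; sysfs is preferred because it
    # also covers built-in modules, lsmod output ($MODULES) is the fallback.
    if [ -d /sys/module/ ]; then
        [ -d /sys/module/$modulename ] && loaded=Yes
    else
        list_search $modulename $MODULES && loaded=Yes
    fi

    if [ -z "$loaded" ] && ! list_search $modulename $DONT_LOAD ; then
        shift
        # … unchanged: MODULE_SUFFIX / moduledirectories loop running insmod or modprobe …
```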
diff --git a/Shorewall6/shorewall6.service b/Shorewall6/shorewall6.service new file mode 100644 index 000000000..2bad879ee --- /dev/null +++ b/Shorewall6/shorewall6.service @@ -0,0 +1,21 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4 +# +# Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com) +# +[Unit] +Description=Shorewall IPv6 firewall +After=syslog.target +After=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/sysconfig/shorewall6 +StandardOutput=syslog +ExecStart=/sbin/shorewall6 $OPTIONS start +ExecReload=/sbin/shorewall6 $OPTIONS restart +ExecStop=/sbin/shorewall6 $OPTIONS stop + +[Install] +WantedBy=multi-user.target diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 54cd8f382..92f970274 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then insserv -r $FIREWALL elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then chkconfig --del $(basename $FIREWALL) + elif [ -x /sbin/systemctl ]; then + systemctl disable shorewall6 else rm -f /etc/rc*.d/*$(basename $FIREWALL) fi @@ -114,6 +116,7 @@ rm -rf /usr/share/shorewall6-*.bkout rm -rf /usr/share/man/man5/shorewall6* rm -rf /usr/share/man/man8/shorewall6* rm -f /etc/logrotate.d/shorewall6 +rm -f /lib/systemd/system/shorewall6.service echo "Shorewall6 Uninstalled" diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index d9fb65247..fce2d4d09 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -18,7 +18,7 @@ - 2001-2010 + 2001-2011 Thomas M. Eastep @@ -57,16 +57,17 @@ 6to4 and 6in4 Tunnels - Linux-vserver + Linux Containers + (LXC) - + Shorewall on a + Laptop Accounting - Limiting Connection - Rates + Linux-vserver Shorewall Perl @@ -75,7 +76,8 @@ Actions - Logging + Limiting Connection + Rates Shorewall Setup Guide @@ -85,7 +87,7 @@ Aliased (virtual) Interfaces (e.g., eth0:0) - Macros + Logging SMB 
@@ -94,8 +96,7 @@ Anatomy of Shorewall - MAC - Verification + Macros SNAT (Source Network Address @@ -106,7 +107,8 @@ AUDIT Target support - Man Pages + MAC + Verification Split DNS the Easy Way @@ -116,8 +118,7 @@ Bandwidth Control - Manual - Chains + Man Pages Squid with Shorewall @@ -127,8 +128,8 @@ Blacklisting/Whitelisting - Masquerading + Manual + Chains Starting/stopping the @@ -139,9 +140,8 @@ Bridge: Bridge/Firewall - Multiple Internet Connections - from a Single Firewall (Russian) + Masquerading Static (one-to-one) NAT @@ -151,8 +151,8 @@ Bridge: No firewalling of traffic between bridge port - Multiple Zones Through One - Interface + Multiple Internet Connections + from a Single Firewall Support @@ -161,8 +161,8 @@ Building Shorewall from GIT - My Shorewall - Configuration + Multiple Zones Through One + Interface Tips and Hints @@ -172,8 +172,8 @@ Commands - Netfilter - Overview + My Shorewall + Configuration Traffic Accounting @@ -183,7 +183,8 @@ Compiled Firewall Programs - Network Mapping + Netfilter + Overview Traffic Shaping/QOS - Simple @@ -193,8 +194,7 @@ Configuration File Basics - One-to-one NAT (Static - NAT) + Network Mapping Traffic Shaping/QOS - Complex @@ -204,7 +204,7 @@ DHCP OpenVPN + url="NAT.htm">One-to-one NAT (Static NAT) Transparent Proxy @@ -215,7 +215,7 @@ url="two-interface.htm#DNAT">DNAT (Destination Network Address Translation) - OpenVZ + OpenVPN UPnP @@ -223,8 +223,7 @@ Dynamic Zones - Operating - Shorewall + OpenVZ OpenVZ @@ -233,8 +232,8 @@ ECN Disabling by host or subnet - Packet - Marking + Operating + Shorewall Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) @@ -245,8 +244,8 @@ url="shorewall_extension_scripts.htm">Extension Scripts (User Exits) - Packet Processing in a - Shorewall-based Firewall + Packet + Marking VPN @@ -255,7 +254,8 @@ Fallback/Uninstall - 'Ping' Management + Packet Processing in a + Shorewall-based Firewall VPN Passthrough 
@@ -263,8 +263,7 @@ FAQs - Port - Forwarding + 'Ping' Management White List Creation @@ -274,7 +273,8 @@ Features - Port Information + Port + Forwarding Xen - Shorewall in a Bridged Xen DomU @@ -284,8 +284,7 @@ Forwarding Traffic on the Same Interface - Port Knocking and Other Uses - of the 'Recent Match' + Port Information Xen - Shorewall in Routed Xen Dom0 @@ -294,7 +293,8 @@ FTP and Shorewall - PPTP + Port Knocking and Other Uses + of the 'Recent Match' @@ -303,7 +303,7 @@ Fool's Firewall - Proxy ARP + PPTP @@ -312,8 +312,7 @@ Getting help or answers to questions - QuickStart - Guides + Proxy ARP @@ -322,7 +321,8 @@ Installation/Upgrade - Release Model + QuickStart + Guides @@ -330,6 +330,14 @@ IPP2P + Release Model + + + + + + IPSEC + Requirements @@ -337,7 +345,7 @@ - IPSEC + Ipsets Routing and Shorewall @@ -346,7 +354,7 @@ - Ipsets + IPv6 Support Routing on One Interface @@ -354,20 +362,11 @@ - - IPv6 Support - - Samba - - - - Kazaa Filtering - Shorewall - Init + Samba @@ -376,8 +375,8 @@ Kernel Configuration - Shorewall - Lite + Shorewall + Init @@ -386,8 +385,8 @@ KVM (Kernel-mode Virtual Machine) - Shorewall on a - Laptop + Shorewall + Lite diff --git a/docs/FAQ.xml b/docs/FAQ.xml index b5bf6ad83..16a72ff5a 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1596,7 +1596,7 @@ teastep@ursa:~$ The first number determines the maximum log - filter + sfilter On systems running Shorewall 4.4.20 or later, either the @@ -1604,7 +1604,7 @@ teastep@ursa:~$ The first number determines the maximum log url="manpages/shorewall-interfaces.html">interface option or it is being routed out of the same interface on which it arrived and the interface does not have the - routeback or interface option. 
@@ -2000,7 +2000,11 @@ Creating input Chains... Beginning with Shorewall 4.4, when the Shorewall tarballs are installed on a Debian (or derivative) system, the /etc/init.d/shorewall file is the same as would be - installed by the .deb. + installed by the .deb. The behavior of /etc/init.d/shorewall + stop is controlled by the setting of SAFESTOP in + /etc/default/shorewall. When set to 0 (the + default), the firewall is cleared; when set to 1, the firewall is placed + in a safe state.
@@ -2188,6 +2192,47 @@ We have an error talking to the kernel sch_sfq
+ +
+ (FAQ 97) I enable Shorewall traffic shaping and now my upload + rate is way below what I specified + + Answer: This is likely due to TCP + Segmentation Offload (TSO) and/or Generic Segmentation Offload (GSO) + being enabled in the network adapter. To verify, install the + ethtool package and use the -k command: + + root@gateway:~# ethtool -k eth1 +Offload parameters for eth1: +rx-checksumming: on +tx-checksumming: on +scatter-gather: on +tcp-segmentation-offload: on +udp-fragmentation-offload: off +generic-segmentation-offload: on +generic-receive-offload: off +large-receive-offload: off +ntuple-filters: off +receive-hashing: off +root@gateway:~# + + If that is the case, you can correct the problem by adjusting the + minburst setting in + /etc/shorewall/tcinterfaces (complex traffic shaping) or + /etc/shorewall/tcdevices (simple traffic shaping). We suggest starting + at 10-12kb and adjust as necessary. Example (simple traffic + shaping): + + #INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH +eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:10kb + + + Alternatively, you can turn off TSO and GSO using this command in + /etc/shorewall/init: + + ethtool -k ethN tso off gso off +
diff --git a/docs/Macros.xml b/docs/Macros.xml index c51f18b1e..4257cad42 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -70,9 +70,9 @@ Standard Macros. These macros are released as part of Shorewall. - They are defined in macros.* files in /usr/share/shorewall. Each - macros.* file has a comment at the beginning of + macro.* file has a comment at the beginning of the file that describes what the macro does. As an example, here is the definition of the SMB standard macro. @@ -101,8 +101,8 @@ PARAM - - tcp 135,139,445 User-defined Macros. These macros are created by end-users. They - are defined in macros.* files in /etc/shorewall or in another - directory listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf). diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 6da942918..86bf3f2e8 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -1726,7 +1726,7 @@ defaults { min_successive_pkts_rcvd=10 interval_ms=2000 timeout_ms=2000 - warn_email=teastep@shorewall.net + warn_email=you@yourdomain.com check_arp=0 sourceip= ttl=0 
@@ -1803,7 +1803,81 @@ echo $state > ${VARDIR}/${DEVICE}.status exit 0 -#EOF: +#EOFBeginning with Shorewall 4.4.23, it is not necessary to + restart the firewall when an interface transitions between the usable + and unusable + states./etc/lsm/script#!/bin/sh +# +# (C) 2009 Mika Ilmaranta <ilmis@nullnet.fi> +# (C) 2009 Tom Eastep <teastep@shorewall.net> +# +# License: GPLv2 +# + +STATE=${1} +NAME=${2} +CHECKIP=${3} +DEVICE=${4} +WARN_EMAIL=${5} +REPLIED=${6} +WAITING=${7} +TIMEOUT=${8} +REPLY_LATE=${9} +CONS_RCVD=${10} +CONS_WAIT=${11} +CONS_MISS=${12} +AVG_RTT=${13} + +if [ -f /usr/share/shorewall-lite/lib.base ]; then + VARDIR=/var/lib/shorewall-lite + STATEDIR=/etc/shorewall-lite +else + VARDIR=/var/lib/shorewall + STATEDIR=/etc/shorewall +fi + +[ -f ${STATEDIR}/vardir ] && . ${STATEDIR}/vardir + +cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL} + +Hi, + +Connection ${NAME} is now ${STATE}. + +Following parameters were passed: +newstate = ${STATE} +name = ${NAME} +checkip = ${CHECKIP} +device = ${DEVICE} +warn_email = ${WARN_EMAIL} + +Packet counters: +replied = ${REPLIED} packets replied +waiting = ${WAITING} packets waiting for reply +timeout = ${TIMEOUT} packets that have timed out (= packet loss) +reply_late = ${REPLY_LATE} packets that received a reply after timeout +cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence +cons_wait = ${CONS_WAIT} consecutive packets waiting for reply +cons_miss = ${CONS_MISS} consecutive packets that have timed out +avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this + +Your LSM Daemon + +EOM + +if [ ${STATE} = up ]; then + echo 0 > ${VARDIR}/${DEVICE}.status + ${VARDIR}/firewall enable ${DEVICE} +else + echo 1 > ${VARDIR}/${DEVICE}.status + ${VARDIR}/firewall disable ${DEVICE} +fi + +/sbin/shorewall show routing >> /var/log/lsm + +exit 0 + +#EOF
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index 8363f3674..e52c5c47b 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -108,7 +108,7 @@ if ( $level ) { '', $tag, 'add', - '-p tcp --dport ! 22 ' ); + '-p tcp ! --dport 22 ' ); } add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' ); diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index fdafc17f5..38fc2ac8a 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -305,7 +305,7 @@ shorewall start IPv6 - Proxy NDP The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery - Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP + Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP in a manner similar to Proxy ARP support in Shorewall: @@ -328,8 +328,8 @@ shorewall start discoverey requests for IPv6 addresses configured on the interface receiving the request. So if eth0 has address 2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to - neighbor discovery requests for 2001:470:b:227::44, the following entry in - /etc/shorewall6/proxyndp is required: + neighbor discoverey requests for 2001:470:b:227::44, the following entry + in /etc/shorewall6/proxyndp is required: #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 2001:470:b:227::44 - eth1 Yes diff --git a/docs/images/Network2011a.dia b/docs/images/Network2011a.dia index 47cf54ee0..c60b3c555 100644 Binary files a/docs/images/Network2011a.dia and b/docs/images/Network2011a.dia differ diff --git a/docs/images/Network2011a.png b/docs/images/Network2011a.png new file mode 100644 index 000000000..e79543797 Binary files /dev/null and b/docs/images/Network2011a.png differ diff --git a/docs/images/Network2011b.dia b/docs/images/Network2011b.dia new file mode 100644 index 000000000..f26e5bd04 Binary files /dev/null and b/docs/images/Network2011b.dia differ 
diff --git a/docs/images/Network2011b.png b/docs/images/Network2011b.png new file mode 100644 index 000000000..2cc207c4f Binary files /dev/null and b/docs/images/Network2011b.png differ diff --git a/docs/netmap.xml b/docs/netmap.xml index fa8deedee..b00e62290 100644 --- a/docs/netmap.xml +++ b/docs/netmap.xml @@ -22,6 +22,8 @@ 2007 + 2011 + Thomas M. Eastep @@ -113,8 +115,10 @@ NET1 - Must be expressed in CIDR format (e.g., - 192.168.1.0/24). + Must be expressed in CIDR format (e.g., 192.168.1.0/24). + Beginning with Shorewall 4.4.24, exclusion is + supported.
@@ -135,6 +139,71 @@ A second network expressed in CIDR format. + + + NET3 (Optional) - + network-address + + + Added in Shorewall 4.4.11. If specified, qualifies INTERFACE. + It specifies a SOURCE network for DNAT rules and a DESTINATON + network for SNAT rules. + + + + + PROTO (Optional - Added in Shorewall + 4.4.23.2) - + protocol-number-or-name + + + Only packets specifying this protocol will have their IP + header modified. + + + + + DEST PORT(S) (Optional - Added in + Shorewall 4.4.23.2) - + port-number-or-name-list + + + Destination Ports. A comma-separated list of Port names (from + services(5)), port numbers or port + ranges; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). ICMP types may be specified as a numeric + type, a numberic type and code separated by a slash (e.g., 3/4), or + a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no PORT is given, ipp2p is + assumed. + + An entry in this field requires that the PROTO column specify + icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if + any of the following field is supplied. + + + + + DEST PORT(S) (Optional - Added in + Shorewall 4.4.23.2) - + port-number-or-name-list + + + Source port(s). If omitted, any source port is acceptable. + Specified as a comma-separated list of port names, port numbers or + port ranges. + + An entry in this field requires that the PROTO column specify + tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of + the following fields is supplied. + + Referring to the figure above, lets suppose that systems in the top @@ -165,155 +234,234 @@ firewall 1. - The entries in - /etc/shorewall/netmap in - firewall1 would be as follows: + - #TYPE NET1 INTERFACE NET2 +
+ If you are running Shorewall 4.4.22 or Earlier + + The entries in + /etc/shorewall/netmap in + firewall1 would be as follows: + + #TYPE NET1 INTERFACE NET2 SNAT 192.168.1.0/24 vpn 10.10.11.0/24 #RULE 1A DNAT 10.10.11.0/24 vpn 192.168.1.0/24 #RULE 1B - The entry in /etc/shorewall/netmap in firewall2 - would be: + The entry in /etc/shorewall/netmap in + firewall2 would be: - #TYPE NET1 INTERFACE NET2 + #TYPE NET1 INTERFACE NET2 DNAT 10.10.10.0/24 vpn 192.168.1.0/24 #RULE 2A SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B - - 192.168.1.4 in the top cloud connects to 192.168.1.27 in the - bottom cloud + + 192.168.1.4 in the top cloud connects to 192.168.1.27 in the + bottom cloud - In order to make this connection, the client attempts a connection - to 10.10.10.27. The following table shows how the source and destination - IP addresses are modified as requests are sent and replies are returned. - The RULE column refers to the above - /etc/shorewall/netmap entries and gives the rule - which transforms the source and destination IP addresses to those shown - on the next line. - - - - FROM + In order to make this connection, the client attempts a + connection to 10.10.10.27. The following table shows how the source + and destination IP addresses are modified as requests are sent and + replies are returned. The RULE column refers to the above + /etc/shorewall/netmap entries and gives the rule + which transforms the source and destination IP addresses to those + shown on the next line. 
+ + + + FROM - TO + TO - SOURCE IP ADDRESS + SOURCE IP ADDRESS - DESTINATION IP ADDRESS + DESTINATION IP ADDRESS - RULE - - + RULE + + - - - 192.168.1.4 in upper cloud + + + 192.168.1.4 in upper cloud - Firewall 1 + Firewall 1 - 192.168.1.4 + 192.168.1.4 - 10.10.10.27 + 10.10.10.27 - 1A - + 1A + - - Firewall 1 + + Firewall 1 - Firewall 2 + Firewall 2 - 10.10.11.4 + 10.10.11.4 - 10.10.10.27 + 10.10.10.27 - 2A - + 2A + - - Firewall 2 + + Firewall 2 - 192.168.1.27 in lower cloud + 192.168.1.27 in lower cloud - 10.10.11.4 + 10.10.11.4 - 192.168.1.27 + 192.168.1.27 - - + + - - 192.168.1.27 in the lower cloud + + 192.168.1.27 in the lower cloud - Firewall 2 + Firewall 2 - 192.168.1.27 + 192.168.1.27 - 10.10.11.4 + 10.10.11.4 - 2B - + 2B + - - Firewall 2 + + Firewall 2 - Firewall 1 + Firewall 1 - 10.10.10.27 + 10.10.10.27 - 10.10.11.4 + 10.10.11.4 - 1B - + 1B + - - Firewall 1 + + Firewall 1 - 192.168.1.4 in upper cloud + 192.168.1.4 in upper cloud - 10.10.10.27 + 10.10.10.27 - 192.168.1.4 + 192.168.1.4 - - - - - - + + + + + + + See the OpenVPN documentation + for a solution contributed by Nicola Moretti for resolving duplicate + networks in a roadwarrior VPN environment. + +
+ +
+ If you are running Shorewall 4.4.23 or Later + + Beginning with Shorewall 4.4.23, you can + bridge two duplicate networks with one router, provided that your kernel + and iptables include Rawpost Table Support. That + support is used to implement Stateless NAT which allows for performing + DNAT in the rawpost table POSTROUTING and OUTPUT chains and for + performing SNAT in the raw table PREROUTING chain. Using this support, + only firewall1 requires /etc/shorewall/netmap. Two + additional entries are added. + + #TYPE NET1 INTERFACE NET2 +SNAT 192.168.1.0/24 vpn 10.10.11.0/24 +DNAT 10.10.11.0/24 vpn 192.168.1.0/24 +SNAT:P 192.168.1.0/24 vpn 10.10.10.0/24 +DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24 + + The last two entries define Stateless NAT + by specifying a chain designator (:P for PREROUTING and :T for + POSTROUTING respectively). See shorewall-netmap (5) for + details. +
-
- Author's Notes +
+ IPv6 - This could all be made a bit simpler by eliminating the TYPE field - and have Shorewall generate both the SNAT and DNAT rules from a single - entry. I have chosen to include the TYPE in order to make the - implementation a bit more flexible. If you find cases where you can use an - SNAT or DNAT entry by itself, please let me know and I'll add the - example to this page. + Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is + included. This provides a way to use private IPv6 addresses internally and + still have access to the IPv6 internet. - In the previous section, the table in the example contains a bit of - a lie. Because of Netfilter's connection tracking, rules 2B and 1B aren't - needed to handle the replies. They ARE needed though for hosts in the - bottom cloud to be able to establish connections with the 192.168.1.0/24 - network in the top cloud. -
+ + IPv6 netmap is stateless which means that + there are no Netfilter helpers for applications that need them. As a + consequence, applications that require a helper (FTP, IRC, etc.) may + experience issues. + -
- Can't I do this with one router? Why do I need two? + For IPv6, the chain designator (:P for PREROUTING or :T for + POSTROUTING) is required in the TYPE column. Normally SNAT rules are + placed in the POSTROUTING chain while DNAT rules are placed in + PREROUTING. - I wrote this article before Shorewall included multiple provider support. You should be able - to accomplish the same thing with just one router through careful use of - /etc/shorewall/netmap and multiple - providers. If you try it and get it working, please contribute an - update to this article. + To use IPv6 Netmap, your kernel and iptables must include + Rawpost Table Support. - See the OpenVPN documentation for - a solution contributed by Nicola Moretti for resolving duplicate networks - in a roadwarrior VPN environment. + IPv6 Netmap has been verified at shorewall.net using the + configuration shown below. + + + + IPv6 support is supplied from Hurricane Electric; the IPv6 address + block is 2001:470:b:227::/64. + + Because of the limitations of IPv6 NETMAP (no Netfilter helpers), + the servers in the DMZ have public addresses in the block + 2001:470:b:227::/112. The local LAN uses the private network + fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block + is allocated from the range (fc00::/7) reserved for Unique Local + Addresses. + + The /etc/shorewall6/netmap file is as follows: + + #TYPE NET1 INTERFACE NET2 NET3 PROTO DEST SOURCE +# PORT(S) PORT(S) +SNAT:T fd00:470:b:227::/64 HE_IF 2001:470:b:227::/64 +DNAT:P 2001:470:b:227::/64!2001:470:b:227::/112\ + HE_IF fd00:470:b:227::/64 + + + HE_IF is the logical name for interface sit1. On output, the private + address block is mapped to the public block. Because autoconfiguration is + used, none of the local addresses falls into the range + fd00:470:b:227::/112. That range can therefore be excluded from + DNAT. 
+ + + While the site local network that was used is very similar to the + public network (only the first word is different), that isn't a + requirement. We could have just as well used + fd00:bad:dead:beef::/64 + + + + The MacBook Pro running OS X Lion refused to autoconfigure when + radvd advertised a site-local network + (fec0:470:b:227/64) but worked fine with the unique-local network + (fd00:470:b:227::/64). Note that site-local addresses were deprecated in + RFC3879. + + + + This whole scheme isn't quite as useful as it might appear. Many + IPv6-enabled applications (web browsers, for example) are smart enough + to recognize unique local addresses and will only use IPv6 to + communicate with other such local addresses. +
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index ef033d7e6..48148fe69 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -1308,7 +1308,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - - Set TC_ENABLED=SHARED in Set TC_ENABLED=Shared in shorewall6.conf (5). diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index 3acfce9f5..76b252c8e 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -520,8 +520,10 @@ loc eth2 - the wildcard. Beginning with Shorewall 4.4.20, if you specify this - option, then you should also specify ; - see above. + option, then you should also specify either + (see below) or + on all interfaces (see + below). diff --git a/manpages/shorewall-netmap.xml b/manpages/shorewall-netmap.xml index 9399285db..343a14c4a 100644 --- a/manpages/shorewall-netmap.xml +++ b/manpages/shorewall-netmap.xml 
@@ -36,19 +36,39 @@ TYPE - DNAT|SNAT + role="bold">{DNAT|SNAT}[:{P|O|T}] - Must be DNAT or SNAT. + Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be + optionally followed by :P, :O or :T to perform stateless + NAT. Stateless NAT requires Rawpost Table + support in your kernel and iptables (see the output of + shorewall show capabilities). - If DNAT, traffic entering INTERFACE and addressed to NET1 has - its destination address rewritten to the corresponding address in - NET2. + If DNAT or DNAT:P, traffic entering INTERFACE and addressed to + NET1 has its destination address rewritten to the corresponding + address in NET2. - If SNAT, traffic leaving INTERFACE with a source address in - NET1 has it's source address rewritten to the corresponding address - in NET2. + If SNAT or SNAT:T, traffic leaving INTERFACE with a source + address in NET1 has it's source address rewritten to the + corresponding address in NET2. + + If DNAT:O, traffic originating on the firewall and leaving via + INTERFACE and addressed to NET1 has its destination address + rewritten to the corresponding address in NET2. + + If DNAT:P, traffic entering via INTERFACE and addressed to + NET1 has its destination address rewritten to the corresponding + address in NET2. + + If SNAT:P, traffic entering via INTERFACE with a destination + address in NET1 has it's source address rewritten to the + corresponding address in NET2. + + If SNAT:O, traffic originating on the firewall and leaving via + INTERFACE with a source address in NET1 has it's source address + rewritten to the corresponding address in NET2. @@ -57,7 +77,10 @@ network-address - Network in CIDR format (e.g., 192.168.1.0/24). + Network in CIDR format (e.g., 192.168.1.0/24). Beginning with + Shorewall 4.4.24, exclusion is + supported. 
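Review bot: The rewritten TYPE entry documents DNAT:P twice — once in `If DNAT or DNAT:P, traffic entering INTERFACE and addressed to NET1 ...` and again in the added `If DNAT:P, traffic entering via INTERFACE and addressed to NET1 ...` paragraph, which states the same rule; drop the later one. The SNAT:P paragraph reads `traffic entering via INTERFACE with a destination address in NET1 has it's source address rewritten`, so it matches on one address field and rewrites the other; if that is not what the compiler does, it should read `with a source address in NET1 has its source address rewritten`, and either way `it's` should be `its` in all three SNAT paragraphs. A NAT description that names the wrong address field invites rules that never match the intended traffic, so this is worth confirming against the implementation before the page ships.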
@@ -98,6 +121,60 @@ network for SNAT rules. + + + PROTO (Optional - Added in Shorewall + 4.4.23.2) - + protocol-number-or-name + + + Only packets specifying this protocol will have their IP + header modified. + + + + + DEST PORT(S) (Optional - Added in + Shorewall 4.4.23.2) - + port-number-or-name-list + + + Destination Ports. A comma-separated list of Port names (from + services(5)), port numbers or port + ranges; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). ICMP types may be specified as a numeric + type, a numberic type and code separated by a slash (e.g., 3/4), or + a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no PORT is given, ipp2p is + assumed. + + An entry in this field requires that the PROTO column specify + icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if + any of the following field is supplied. + + + + + DEST PORT(S) (Optional - Added in + Shorewall 4.4.23.2) - + port-number-or-name-list + + + Source port(s). If omitted, any source port is acceptable. + Specified as a comma-separated list of port names, port numbers or + port ranges. + + An entry in this field requires that the PROTO column specify + tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of + the following fields is supplied. + + 
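Review bot: The second added entry is titled `DEST PORT(S) (Optional - Added in Shorewall 4.4.23.2)` but its body describes `Source port(s)`, so the page now lists DEST PORT(S) twice and never names the SOURCE PORT(S) column; the title should read `SOURCE PORT(S) (Optional - Added in Shorewall 4.4.23.2)`. The same duplicated title appears in the new manpages6/shorewall6-netmap.xml. Minor wording in the same hunk: `numberic` → `numeric`, and `Use '-' if any of the following field is supplied` → `Use '-' if any of the following fields is supplied`, matching the sentence used in the source-port entry.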
@@ -114,12 +191,13 @@ url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), + shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), + shorewall-zones(5) diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 118d8ce51..aa46d1e67 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -46,6 +46,16 @@ Sections are as follows and must appear in the order listed: + + ALL + + + This section was added in Shorewall 4.4.23. rules in this + section are applied, regardless of the connection tracking state of + the packet. + + + ESTABLISHED diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 8a3dba6b0..581504288 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -463,7 +463,7 @@ - {|||} + {|||} chain @@ -520,7 +520,7 @@ - + diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml index 09a84420c..ae7f7529d 100644 --- a/manpages6/shorewall6-accounting.xml 
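Review bot: In the shorewall-rules.xml hunk the new ALL section text `rules in this section are applied, regardless of the connection tracking state of the packet` begins mid-sentence with a lowercase `rules` and leaves the consequence for the reader to infer: ALL is placed before ESTABLISHED and RELATED in the required section order, so a rule here is evaluated without any state qualification and, presumably, also sees packets the later state-specific sections would have handled differently. I would change the sentence to `Rules in this section are applied regardless of the connection tracking state of the packet, so an ACCEPT rule placed here also admits packets that the later sections would only accept by state; use it only for rules that must be state-independent.` The same paragraph is added in the manpages6/shorewall6-rules.xml hunk and should get the same fix.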
+++ b/manpages6/shorewall6-accounting.xml @@ -730,7 +730,7 @@ shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-actions.xml b/manpages6/shorewall6-actions.xml index 789f9c351..19313cabb 100644 --- a/manpages6/shorewall6-actions.xml +++ b/manpages6/shorewall6-actions.xml @@ -49,7 +49,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml index a899b4424..7823bd33a 100644 --- a/manpages6/shorewall6-blacklist.xml +++ b/manpages6/shorewall6-blacklist.xml @@ -196,7 +196,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), 
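Review bot: The cross-reference inserted into the SEE ALSO list is misspelled — `shoewall6-netmap(5),shorewall6-params(5)` refers to a page that does not exist (the page created in this commit is shorewall6-netmap) and the comma has no following space, which breaks the list's existing formatting. The line should read `shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),`. The same replacement was applied to every other manpages6 SEE ALSO hunk in this commit (actions, blacklist, exclusion, hosts, interfaces, ipsets, maclist, modules, nesting, notrack, providers, proxyndp, route_rules, routes, routestopped, rules, secmarks, tcclasses, tcdevices, tcinterfaces, tcpri, tcrules, template, tos, tunnels, vardir, zones, shorewall6.conf and shorewall6), and in shorewall6-policy.xml and shorewall6.conf.xml it lands immediately after an existing `shorewall6-netmap(5)`, so correcting the spelling there yields a duplicate entry unless the inserted text is dropped instead.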
diff --git a/manpages6/shorewall6-exclusion.xml b/manpages6/shorewall6-exclusion.xml index f27790654..a5d8e13a2 100644 --- a/manpages6/shorewall6-exclusion.xml +++ b/manpages6/shorewall6-exclusion.xml @@ -103,7 +103,7 @@ ACCEPT all!z2 net tcp 22 shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml index 5c6830fd0..5dcec2898 100644 --- a/manpages6/shorewall6-hosts.xml +++ b/manpages6/shorewall6-hosts.xml @@ -192,7 +192,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index 1084d1abe..1d889669a 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -96,7 +96,7 @@ loc eth2 - - UNICAST - ANYCAST - - @@ -318,8 +318,8 @@ loc eth2 - the wildcard. Beginning with Shorewall 4.4.20, if you specify this - option, then you should also specify ; - see above. + option, then you should also specify + (see below). 
@@ -459,7 +459,7 @@ dmz eth2 - shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-ipsets.xml b/manpages6/shorewall6-ipsets.xml index 417cb604b..94b962a3f 100644 --- a/manpages6/shorewall6-ipsets.xml +++ b/manpages6/shorewall6-ipsets.xml @@ -116,7 +116,7 @@ shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-maclist.xml b/manpages6/shorewall6-maclist.xml index ca3c05cea..e630b88a0 100644 --- a/manpages6/shorewall6-maclist.xml +++ b/manpages6/shorewall6-maclist.xml @@ -103,7 +103,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), 
diff --git a/manpages6/shorewall6-modules.xml b/manpages6/shorewall6-modules.xml index 92360a2f2..47fbdd955 100644 --- a/manpages6/shorewall6-modules.xml +++ b/manpages6/shorewall6-modules.xml @@ -86,7 +86,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml index b225cb13f..07efc0e13 100644 --- a/manpages6/shorewall6-nesting.xml +++ b/manpages6/shorewall6-nesting.xml @@ -109,7 +109,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-netmap.xml b/manpages6/shorewall6-netmap.xml new file mode 100644 index 000000000..1d2a0126e --- /dev/null +++ b/manpages6/shorewall6-netmap.xml 
@@ -0,0 +1,193 @@ + + + + + shorewall6-netmap + + 5 + + + + netmap + + Shorewall6 NETMAP definition file + + + + + /etc/shorewall/netmap + + + + + Description + + This file is used to map addresses in one network to corresponding + addresses in a second network. It was added in Shorewall6 iin + 4.4.23.3. + + + To use this file, your kernel and ip6tables must have RAWPOST + table support included. + + + The columns in the file are as follows. + + + + TYPE - {DNAT|SNAT}:{P|O|T} + + + Must be DNAT or SNAT followed by :P, :O or :T to perform + stateless NAT. Stateless NAT requires + Rawpost Table support in your kernel and + iptables (see the output of shorewall6 show + capabilities). + + If DNAT:P, traffic entering INTERFACE and addressed to NET1 + has its destination address rewritten to the corresponding address + in NET2. + + If SNAT:T, traffic leaving INTERFACE with a source address in + NET1 has it's source address rewritten to the corresponding address + in NET2. + + If DNAT:O, traffic originating on the firewall and leaving via + INTERFACE and addressed to NET1 has its destination address + rewritten to the corresponding address in NET2. + + If DNAT:P, traffic entering via INTERFACE and addressed to + NET1 has its destination address rewritten to the corresponding + address in NET2. + + If SNAT:P, traffic entering via INTERFACE with a destination + address in NET1 has it's source address rewritten to the + corresponding address in NET2. + + If SNAT:O, traffic originating on the firewall and leaving via + INTERFACE with a source address in NET1 has it's source address + rewritten to the corresponding address in NET2. + + + + + NET1 - + network-address + + + Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in + Shorewall6 4.4.24, exclusion is + supported. + + + + + INTERFACE - + interface + + + The name of a network interface. The interface must be defined + in shorewall6-interfaces(5). 
+ Shorewall allows loose matches to wildcard entries in shorewall6-interfaces(5). + For example, ppp0 in this + file will match a shorewall6-interfaces(8) + entry that defines ppp+. + + + + + NET2 - + network-address + + + Network in CIDR format + + + + + NET3 (Optional) - + network-address + + + Added in Shorewall 4.4.11. If specified, qualifies INTERFACE. + It specifies a SOURCE network for DNAT rules and a DESTINATON + network for SNAT rules. + + + + + PROTO (Optional - + protocol-number-or-name + + + Only packets specifying this protocol will have their IP + header modified. + + + + + DEST PORT(S) - + port-number-or-name-list + + + Destination Ports. A comma-separated list of Port names (from + services(5)), port numbers or port + ranges; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). ICMP types may be specified as a numeric + type, a numberic type and code separated by a slash (e.g., 3/4), or + a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no PORT is given, ipp2p is + assumed. + + An entry in this field requires that the PROTO column specify + icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if + any of the following field is supplied. + + + + + DEST PORT(S) - + port-number-or-name-list + + + Source port(s). If omitted, any source port is acceptable. + Specified as a comma-separated list of port names, port numbers or + port ranges. + + An entry in this field requires that the PROTO column specify + tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of + the following fields is supplied. + + + + + + + FILES + + /etc/shorewall/netmap + + + + See ALSO + + http://shorewall.net/netmap.html + + + + diff --git a/manpages6/shorewall6-notrack.xml b/manpages6/shorewall6-notrack.xml index 519b4a437..07b0f301f 100644 
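Review bot: The new page's synopsis and FILES section both name `/etc/shorewall/netmap`, while the netmap article updated in this same commit refers to `The /etc/shorewall6/netmap file`; presumably the shorewall6 path is intended, and as written the page points IPv6 administrators at the IPv4 configuration file. In the TYPE entry the DNAT:P rule is described twice (`If DNAT:P, traffic entering INTERFACE and addressed to NET1 ...` and `If DNAT:P, traffic entering via INTERFACE and addressed to NET1 ...`); one should be removed. Smaller fixes in the same hunk: `It was added in Shorewall6 iin 4.4.23.3` → `in`, `PROTO (Optional -` is missing its closing parenthesis, the loose-match example cites `shorewall6-interfaces(8)` where the sentence before it uses `shorewall6-interfaces(5)`, and the SNAT:P paragraph carries the same destination-versus-source mismatch noted on the IPv4 page.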
--- a/manpages6/shorewall6-notrack.xml +++ b/manpages6/shorewall6-notrack.xml @@ -131,7 +131,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-ipsec(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), diff --git a/manpages6/shorewall6-params.xml b/manpages6/shorewall6-params.xml index 4eebf5d84..1c007dd9e 100644 --- a/manpages6/shorewall6-params.xml +++ b/manpages6/shorewall6-params.xml @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall6-params + shoewall6-netmap(5),shorewall6-params 5 diff --git a/manpages6/shorewall6-policy.xml b/manpages6/shorewall6-policy.xml index 8aab0e2ac..c240145fd 100644 --- a/manpages6/shorewall6-policy.xml +++ b/manpages6/shorewall6-policy.xml @@ -315,7 +315,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), - shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5), + shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), diff --git a/manpages6/shorewall6-providers.xml b/manpages6/shorewall6-providers.xml index 2fb331480..b98422580 100644 --- a/manpages6/shorewall6-providers.xml +++ b/manpages6/shorewall6-providers.xml 
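Review bot: In the shorewall6-params.xml hunk the bulk replacement hit the page's own title rather than a SEE ALSO list — the line directly after the DTD declaration, followed by the volume number `5`, changes from `shorewall6-params` to `shoewall6-netmap(5),shorewall6-params`. That line appears to be the refentrytitle, so the page would presumably be generated and indexed under a bogus name; revert it to `shorewall6-params`. In the shorewall6-policy.xml hunk on the same line, `shorewall6-netmap(5)` is already present immediately before the inserted text, so there the inserted `shoewall6-netmap(5),` should simply be dropped rather than corrected.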
@@ -290,7 +290,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), diff --git a/manpages6/shorewall6-proxyndp.xml b/manpages6/shorewall6-proxyndp.xml index e1645fbe2..c830f749f 100644 --- a/manpages6/shorewall6-proxyndp.xml +++ b/manpages6/shorewall6-proxyndp.xml @@ -135,7 +135,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-route_rules.xml b/manpages6/shorewall6-route_rules.xml index 36a36ae55..6a22b8970 100644 --- a/manpages6/shorewall6-route_rules.xml +++ b/manpages6/shorewall6-route_rules.xml 
@@ -149,7 +149,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), diff --git a/manpages6/shorewall6-routes.xml b/manpages6/shorewall6-routes.xml index d29c1313e..0b9fe660a 100644 --- a/manpages6/shorewall6-routes.xml +++ b/manpages6/shorewall6-routes.xml @@ -80,7 +80,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-routestopped.xml b/manpages6/shorewall6-routestopped.xml index 27ff60ce7..242b98915 100644 --- a/manpages6/shorewall6-routestopped.xml +++ b/manpages6/shorewall6-routestopped.xml 
@@ -179,7 +179,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index fcf484f00..11ff82842 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -39,6 +39,16 @@ Sections are as follows and must appear in the order listed: + + ALL + + + This section was added in Shorewall 4.4.23. rules in this + section are applied, regardless of the connection tracking state of + the packet. + + + ESTABLISHED @@ -1152,7 +1162,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml index 7a62c0150..f3a7ec599 100644 --- a/manpages6/shorewall6-secmarks.xml +++ b/manpages6/shorewall6-secmarks.xml 
@@ -380,7 +380,7 @@ RESTORE I:ER shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), diff --git a/manpages6/shorewall6-tcclasses.xml b/manpages6/shorewall6-tcclasses.xml index c7ead115c..fac9eaa67 100644 --- a/manpages6/shorewall6-tcclasses.xml +++ b/manpages6/shorewall6-tcclasses.xml @@ -453,7 +453,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-tcdevices.xml b/manpages6/shorewall6-tcdevices.xml index 7fdcd020b..93751f9d9 100644 --- a/manpages6/shorewall6-tcdevices.xml +++ b/manpages6/shorewall6-tcdevices.xml @@ -229,7 +229,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5), 
diff --git a/manpages6/shorewall6-tcinterfaces.xml b/manpages6/shorewall6-tcinterfaces.xml index df65fe5f7..1992ac20d 100644 --- a/manpages6/shorewall6-tcinterfaces.xml +++ b/manpages6/shorewall6-tcinterfaces.xml @@ -204,7 +204,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5), shorewall6-tunnels(5), diff --git a/manpages6/shorewall6-tcpri.xml b/manpages6/shorewall6-tcpri.xml index bee128d54..d90ba8ded 100644 --- a/manpages6/shorewall6-tcpri.xml +++ b/manpages6/shorewall6-tcpri.xml @@ -149,7 +149,7 @@ PRIO(8), shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5), diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index a139e8aa3..3c727747b 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml 
@@ -794,7 +794,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443 shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5), diff --git a/manpages6/shorewall6-template.xml b/manpages6/shorewall6-template.xml index eee8714b3..d3899142c 100644 --- a/manpages6/shorewall6-template.xml +++ b/manpages6/shorewall6-template.xml @@ -54,7 +54,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5), - shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), diff --git a/manpages6/shorewall6-tos.xml b/manpages6/shorewall6-tos.xml index 52a26914e..f6409ce31 100644 --- a/manpages6/shorewall6-tos.xml +++ b/manpages6/shorewall6-tos.xml 
@@ -161,7 +161,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-tunnels.xml b/manpages6/shorewall6-tunnels.xml index cef348982..4ca9c1b72 100644 --- a/manpages6/shorewall6-tunnels.xml +++ b/manpages6/shorewall6-tunnels.xml @@ -227,7 +227,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), diff --git a/manpages6/shorewall6-vardir.xml b/manpages6/shorewall6-vardir.xml index 6260fe9fc..d8ae0f420 100644 --- a/manpages6/shorewall6-vardir.xml +++ b/manpages6/shorewall6-vardir.xml @@ -55,7 +55,7 @@ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), 
diff --git a/manpages6/shorewall6-zones.xml b/manpages6/shorewall6-zones.xml index 4c63892f3..1651a640b 100644 --- a/manpages6/shorewall6-zones.xml +++ b/manpages6/shorewall6-zones.xml @@ -337,7 +337,7 @@ c:a,b ipv6 shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5), + shorewall6-maclist(5), shorewall6-nesting(8), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 37712e41f..ede211abb 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -1691,7 +1691,7 @@ net all DROP infothen the chain name is 'net2all' shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), - shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5), + shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 2f401ad32..78cff55e9 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml 
@@ -1404,7 +1404,7 @@ shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),