diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index ffb69fc78..2a1ecd533 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -17,6 +17,8 @@ Changes in 4.1.5 8) Add 'BROKEN_ROUTING' option. +9) Automatic macro comments. + Changes in 4.1.4 1) Fix do_test() to accept 0 and to use the same mask as diff --git a/Shorewall-common/macro.AllowICMPs b/Shorewall-common/macro.AllowICMPs index 9000e8511..81a9729dd 100644 --- a/Shorewall-common/macro.AllowICMPs +++ b/Shorewall-common/macro.AllowICMPs @@ -8,6 +8,9 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP + +COMMENT Needed ICMP types + ACCEPT - - icmp fragmentation-needed ACCEPT - - icmp time-exceeded #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.DropDNSrep b/Shorewall-common/macro.DropDNSrep index 6e854079f..2828ec307 100644 --- a/Shorewall-common/macro.DropDNSrep +++ b/Shorewall-common/macro.DropDNSrep @@ -8,5 +8,8 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP + +COMMENT Late DNS Replies + DROP - - udp - 53 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/macro.DropUPnP b/Shorewall-common/macro.DropUPnP index 1bed9cf5a..9ad8a04a9 100644 --- a/Shorewall-common/macro.DropUPnP +++ b/Shorewall-common/macro.DropUPnP @@ -8,5 +8,8 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP + +COMMENT UPnP + DROP - - udp 1900 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 5d29fdb65..67d67dbfb 100644 --- a/Shorewall-common/releasenotes.txt 
+++ b/Shorewall-common/releasenotes.txt @@ -123,6 +123,18 @@ New Features in 4.1.5. 4) Shorewall-perl now generates an error when a MAC address appears in a traffic shaping rule in the OUTPUT or POSTROUTING chains. +5) Macros are now self-commenting. If there is not a current comment + when a macro is invoked, the behavior under Shorewall-perl is as if + the first line of the macro file was "COMMENT ". + + So, if you have this rule: + + SSH/ACCEPT loc fw + + then the generated netfilter rule will include "/* SSH */" when + viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall + dump'. + New Features in Shorewall 4.1. 1) Shorewall 4.1 contains experimental support for multiple Internet @@ -388,21 +400,19 @@ New Features in Shorewall 4.1. and third class and let the rest default to the second class. 10) COMMENT lines are now supported in macro bodies by Shorewall-perl - and are ignored by the Shorewall-shell compiler. The standard - macros (with the exception of macro.Drop and macro.Reject) have - been modified to include a COMMENT line describing the macro. - + and are ignored by the Shorewall-shell compiler. + COMMENT lines in macros work slightly differently from COMMENT lines in other files. COMMENT lines in macros are ignored if COMMENT support is not available or if there was a COMMENT in use when the top-level macro was invoked. This allows the following: - /usr/share/shorewall/macro.SSH: + /etc/shorewall/macro.SSH: #ACTION SOURCE PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP - COMMENT SSH + COMMENT My SSH Macro PARAM - - tcp 22 /etc/shorewall/rules: 
@@ -418,6 +428,10 @@ New Features in Shorewall 4.1. when displayed through the Shorewall show and dump commands. + If a macro is invoked and there is no current comment, then the + name of the macro automatically becomes the current comment. This + makes macros self-commenting. + 11) If the program named in SHOREWALL_SHELL doesn't exist or is not executable, Shorewall and Shorewall-lite now both fall back to /bin/sh after issuing a warning message. Previously, both
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 7d413e16a..1b8efb8ed 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -572,10 +572,14 @@ sub process_action( $$$$$$$$$$ ) {
 # Expand Macro in action files.
 #
 sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my $nocomment = no_comment;
 
+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
     progress_message "..Expanding Macro $fn...";
 
     push_open $fn;
@@ -677,9 +681,7 @@ sub process_action3( $$$$$ ) {
     }
 
     if ( $action2type == MACRO ) {
-        fatal_error "Null Macro" unless my $fn = $macros{$action2};
-
-        process_macro3( $fn, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+        process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
     } else {
         process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
     }
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 4e3360fe4..ff72eca08 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
                                        move_rules
                                        process_comment
                                        no_comment
+                                       macro_comment
                                        clear_comment
                                        incr_cmd_level
                                        decr_cmd_level
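Review bot: The `Null Macro` guard that the second hunk (`@@ -677`) removes from process_action3 is not restored here, so `my $fn = $macros{$macro};` can yield undef and flows unchecked into the progress message and `push_open $fn`, unless the MACRO classification of `$action2` already guarantees the key exists, which is not visible in these hunks. Keeping the check in the expander covers every caller: `fatal_error "Null Macro" unless my $fn = $macros{$macro};`, placed before `macro_comment $macro;` so a failed lookup does not first set the comment. process_macro in Rules.pm (`@@ -826`) has the same shape with `$macrofile`, and its caller at `@@ -944` likewise now passes the bare name, so the same guard applies there. The body of process_macro3 continues past the hunk, so whether the lookup is validated further down cannot be confirmed from here.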
@@ -368,6 +369,15 @@ sub clear_comment() {
     $comment = '';
 }
 
+#
+# Set $comment to the passed unless there is a current comment
+#
+sub macro_comment( $ ) {
+    my $macro = $_[0];
+
+    $comment = $macro unless $comment || ! $capabilities{COMMENTS};
+}
+
 #
 # Functions to manipulate cmdlevel
 #
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index c754f5630..6deec68ca 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -826,10 +826,14 @@ sub process_rule1 ( $$$$$$$$$$$ );
 # Expand a macro rule from the rules file
 #
 sub process_macro ( $$$$$$$$$$$$$ ) {
-    my ($macrofile, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;
+    my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $wildcard ) = @_;
 
     my $nocomment = no_comment;
 
+    macro_comment $macro;
+
+    my $macrofile = $macros{$macro};
+
     progress_message "..Expanding Macro $macrofile...";
 
     push_open $macrofile;
@@ -944,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
             $current_param = $param;
         }
 
-        process_macro( $macros{$basictarget},
+        process_macro( $basictarget,
                        $target ,
                        $current_param,
                        $source,
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 03db6a47c..9598c8918 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -113,10 +113,10 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { -> {in_bandwidth => ,
-# out_bandwidth =>
-# number =>
-# default => }
+# %tcdevices { -> {in_bandwidth => ,
+# out_bandwidth => ,
+# number => ,
+# default => }
 #
 our @tcdevices;
 our %tcdevices;
diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 6edd106af..b4548d558 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -927,6 +927,23 @@ all all REJECT info +
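Review bot: The header comment on macro_comment drops a word and omits the second condition the code checks; `# Set $comment to the passed macro name unless there is already a current comment or the COMMENTS capability is absent.` states what the `unless $comment || ! $capabilities{COMMENTS}` line actually does. Since the callers in Actions.pm and Rules.pm capture `no_comment` before calling this, the automatic comment is presumably cleared again when the macro expansion ends; that expectation belongs in the comment so nobody later calls macro_comment without the matching clear — confirm against the end of those expanders, which lies outside these hunks. The value stored here is the macro name, which the release notes say is emitted into the generated netfilter rule as `/* name */`; the keys of %macros appear to be bounded by the macro files found on disk, but any quoting of the comment happens where it is emitted, not in this function.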
+ IPCOMP + + If your IPSEC tunnel or transport mode connection fails to work with + Shorewall started and you see log messages like the following when you try + to use the connection, the problem is that ip compression is being + used.Feb 18 23:43:52 vpngw kernel: Shorewall:vpn2fw:REJECT:IN=eth2 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00 + SRC=172.29.59.58 DST=172.29.59.254 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=25600 DF PROTO=4The solution is to + add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:#TYPE ZONE GATEWAY GATEWAY +# ZONE +ipip vpn 0.0.0.0/0The + above assumes that the name of your IPSEC vpn zone is + vpn. +
+
IPSEC and <trademark>Windows</trademark> XP diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml index 9797cb08b..ccfe076fb 100644 --- a/docs/Shorewall-4.xml +++ b/docs/Shorewall-4.xml @@ -286,9 +286,9 @@ Shorewall-common 4.0.7 - Shorewall-shell 4.0.5 - 4.0.8 + Shorewall-shell 4.0.5 - 4.0.9 - Shorewall-perl 4.0.5 - 4.0.8 + Shorewall-perl 4.0.5 - 4.0.9 Shorewall-perl 4.0.6 and later require Shorewall-lite 4.0.6 or later @@ -297,9 +297,20 @@ Shorewall-common 4.0.8 - Shorewall-shell 4.0.5 - 4.0.8 + Shorewall-shell 4.0.5 - 4.0.9 - Shorewall-perl 4.0.5 - 4.0.8 + Shorewall-perl 4.0.5 - 4.0.9 + Shorewall-perl 4.0.6 and later require Shorewall-lite + 4.0.6 or later + + + + + Shorewall-common 4.0.9 + + Shorewall-shell 4.0.5 - 4.0.9 + + Shorewall-perl 4.0.5 - 4.0.9 Shorewall-perl 4.0.6 and later require Shorewall-lite 4.0.6 or later