From e545329eb96fec649e9e373822c62420266a4406 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 8 Aug 2014 10:34:29 -0700 Subject: [PATCH 01/12] Modify the preceding fix to work with wildcard interfaces Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 49d81e4d0..d48bbd617 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -457,14 +457,30 @@ sub process_a_provider( $ ) { my $interfaceref = known_interface( $interface ); fatal_error "Unknown Interface ($interface)" unless $interfaceref; - # - # Switch to the logical name if a physical name was passed - # - $interface = $interfaceref->{name}; fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; - my $physical = get_physical $interface; + # + # Switch to the logical name if a physical name was passed + # + my $physical; + + if ( $interface eq $interfaceref->{name} ) { + # + # The logical interface name was specified + # + $physical = get_physical $interface; + } else { + # + # A Physical name was specified + # + $physical = $interface; + # + # Switch to the logical name unless it is a wildcard + # + $interface = $interfaceref->{name} unless $interfaceref->{name} =~ /\+$/; + } + my $gatewaycase = ''; if ( $physical =~ /\+$/ ) { From 6f777098d7b1bae12b7e50ade1cde39d87c1d583 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 11 Aug 2014 08:30:44 -0700 Subject: [PATCH 02/12] Add 'wildcard' member to the interface table Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 4 ++-- Shorewall/Perl/Shorewall/Zones.pm | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index d48bbd617..1775955b2 100644 
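Review bot: The two branches derive `$physical` from different sources: the logical branch goes through `get_physical`, while the physical branch copies the caller's string with `$physical = $interface;`; since the record returned by known_interface carries a `physical` field, `my $physical = $interfaceref->{physical};` would serve both cases and remove the special-casing, assuming that field is populated for every record. The comment `# Switch to the logical name unless it is a wildcard` says what is done but not why a wildcard keeps its physical name; if the reason is that a wildcard such as ppp+ has no single logical instance to map to, say so in that comment. The trailing-`+` test is also written twice, here and in the `if ( $physical =~ /\+$/ )` just below; one flag would keep the two from diverging. process_a_provider continues past the hunk.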
--- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -469,7 +469,7 @@ sub process_a_provider( $ ) { # # The logical interface name was specified # - $physical = get_physical $interface; + $physical = $interfaceref->{physical}; } else { # # A Physical name was specified @@ -478,7 +478,7 @@ sub process_a_provider( $ ) { # # Switch to the logical name unless it is a wildcard # - $interface = $interfaceref->{name} unless $interfaceref->{name} =~ /\+$/; + $interface = $interfaceref->{name} unless $interfaceref->{wildcard}; } my $gatewaycase = ''; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 0fb336554..78bd882a5 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -193,6 +193,7 @@ our %reservedName = ( all => 1, # physical => # base => # provider => +# wildcard => undef|1 # Wildcard Name # zones => { zone1 => 1, ... } # } # } @@ -1375,6 +1376,7 @@ sub process_interface( $$ ) { base => var_base( $physical ), zones => {}, origin => shortlineinfo(''), + wildcard => $wildcard, }; if ( $zone ) { @@ -1531,6 +1533,7 @@ sub known_interface($) number => $interfaceref->{number} , physical => $physical , base => var_base( $physical ) , + wildcard => $interfaceref->{wildcard} , zones => $interfaceref->{zones} , }; } @@ -1768,7 +1771,7 @@ sub find_interfaces_by_option1( $ ) { my $optionsref = $interfaceref->{options}; if ( $optionsref && defined $optionsref->{$option} ) { - $wild ||= ( $interfaceref->{physical} =~ /\+$/ ); + $wild ||= $interfaceref->{wildcard}; push @ints , $interface } } From bf5be7198b294055e45b48dcf623341d1af98f0f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 12 Aug 2014 16:18:42 -0700 Subject: [PATCH 03/12] Make dump work correctly on RHEL5 Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) 
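Review bot: The record built in known_interface copies `wildcard => $interfaceref->{wildcard}` from the entry it was matched against, so a concrete name that matched a wildcard entry (ppp0 against ppp+, say) is itself tagged as a wildcard, whereas the test this commit replaces in find_interfaces_by_option1, `$interfaceref->{physical} =~ /\+$/`, answered false for such a record because its `physical` has no trailing `+`. If those records reach the table that find_interfaces_by_option1 scans, `$wild` now becomes true for a concrete interface, which the old test never did. Either set `wildcard => 0` in the known_interface record (it names exactly one interface) or extend the `# wildcard => undef|1 # Wildcard Name` comment to state that instances derived from a wildcard inherit the flag on purpose. Whether known_interface stores this record in %interfaces is not visible in the hunk.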
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 9cb05f8c2..94b2ff65a 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -1470,10 +1470,22 @@ do_dump_command() { $g_tool -t rawpost -L $g_ipt_options fi - local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + local count + local max - heading "Conntrack Table ($count out of $max)" + if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then + count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + + heading "Conntrack Table ($count out of $max)" + elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then + count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count) + max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max) + + heading "Conntrack Table ($count out of $max)" + else + heading "Conntrack Table" + fi if [ $g_family -eq 4 ]; then [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack From 8236ce572e2edecd17408b871d229b75894ed866 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 12 Aug 2014 16:39:52 -0700 Subject: [PATCH 04/12] Apply Louis Lagendijk's patch for Shorewall-init Signed-off-by: Tom Eastep --- Shorewall-init/shorewall-init | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init index dea336538..52b1e6426 100644 --- a/Shorewall-init/shorewall-init +++ b/Shorewall-init/shorewall-init 
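Review bot: Each branch tests only the `_count` file with `-f` and then reads `_max` unconditionally, so a kernel that exposes one file without the other prints a `cat` error and the heading `Conntrack Table (N out of )`; testing both, `if [ -f /proc/sys/net/netfilter/nf_conntrack_count ] && [ -f /proc/sys/net/netfilter/nf_conntrack_max ]; then`, keeps the fallbacks meaningful. The two branches also duplicate the `cat`/`heading` lines; choosing a `prefix=/proc/sys/net/netfilter/nf_conntrack` or `prefix=/proc/sys/net/ipv4/netfilter/ip_conntrack` in the test and then reading `count=$(cat ${prefix}_count)` and `max=$(cat ${prefix}_max)` once would remove the repetition. do_dump_command continues beyond the hunk.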
@@ -63,18 +63,19 @@ shorewall_start () { for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then + if [ -x ${STATEDIR}/firewall ]; then # # Run in a sub-shell to avoid name collisions # ( - if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then - ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1 + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 else exit 1 fi ) else + echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! exit 1 fi done @@ -95,8 +96,8 @@ shorewall_stop () { for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then - ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1 + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 fi done From 9e039e30e5d01886c9fa61ead51fab8f97b05e26 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 2 Sep 2014 08:11:33 -0700 Subject: [PATCH 05/12] Issue warning message when /etc/iproute2/rt_tables is not writeable Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 7bfa883d0..580484966 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1293,9 +1293,11 @@ sub start_providers() { emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo}; } - emit_unindented "EOF\n"; + emit_unindented 'EOF'; - emit "fi\n"; + emit( 'else', + ' error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"', + "fi\n" ); } emit ( '#', From fc58dab66d505428b4eb690095b1e8fe5ed83e2b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 2 Sep 2014 12:57:04 -0700 Subject: [PATCH 06/12] Remove redundant 'run' command from help output 
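Review bot: The new diagnostic `echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!` is written to stdout and is unquoted; error text from an init script belongs on stderr, and quoting protects the expanded path, so `echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2`. Visible in the same hunk though not introduced by it: the `|| exit 1` inside the sub-shell only leaves the sub-shell, and its exit status is never examined after the closing `)`, so a failed `stop` does not abort shorewall_start; `) || exit 1` would propagate it if that is the intent. shorewall_start's body continues past the hunk.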
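Review bot: shorewall_stop still skips silently when `${STATEDIR}/firewall` is missing or not executable, while shorewall_start now reports the condition; a matching `else echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2` would make the two paths consistent, with or without an `exit 1` depending on whether one missing product should stop the others from being cleared. shorewall_stop starts before the hunk and its body continues after it.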
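Review bot: The `if` that this `else` completes is outside the hunk, so the exact test guarding the rt_tables heredoc cannot be checked here; the WARNING text tells the administrator that the file is unwritable but not what follows from it, which as far as the hunk shows is that the provider names emitted into the heredoc just above are not registered. Stating the consequence in the message, e.g. `WARNING: /etc/iproute2/rt_tables is missing or is not writeable - provider table names will not be registered`, lets the reader judge whether to act on it. start_providers continues beyond the hunk.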
Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 1 - 1 file changed, 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 0e6b24572..9ed7ca1c8 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3583,7 +3583,6 @@ usage() # $1 = exit status echo " start [ -f ] [ -p ] [ ]" echo " stop" echo " status [ -i ]" - echo " run [ function ... ]" echo " version [ -a ]" echo exit $1 From feb747260d37eef92dbf69c63560df7cefd4dce1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 3 Sep 2014 06:59:37 -0700 Subject: [PATCH 07/12] Add /etc/shorewall/params to the multi-ISP LSM example Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index fb6b93be5..8dceec00d 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -2123,6 +2123,11 @@ net eth1 detect optional< later. + /etc/shorewall/params: + + EXT_IF=eth0 +COM_IF=eth1 + /etc/shorewall/isusable: local status=0 From 9947f4d9683e46da00a842c2c12738b6d5ac6369 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 10 Sep 2014 12:53:08 -0700 Subject: [PATCH 08/12] Re-enable SECTION PREROUTING in the accounting file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 69c62574d..add7313af 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_; - $acctable = $config{ACCOUNTING_TABLE}; - $jumpchainref = 0; $asection = LEGACY if $asection < 0; @@ -453,6 +451,8 @@ sub setup_accounting() { set_section_function( &process_section ); + $acctable = $config{ACCOUNTING_TABLE}; + first_entry "$doing $fn..."; my $nonEmpty = 0; 
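Review bot: Nothing in either hunk records why `$acctable = $config{ACCOUNTING_TABLE};` moved from process_accounting_rule1 to setup_accounting; from the subject it looks as if the per-rule reset was clobbering a value that process_section sets for SECTION PREROUTING, but that is inferred rather than visible. A comment at the new assignment, `# Initialize once per file; process_section may change $acctable (e.g. for the PREROUTING section), so it must not be reset per rule`, would stop the assignment from drifting back. If process_accounting_rule1 can run before setup_accounting (for instance from an action or macro), `$acctable` is now unset on that path; worth checking, since that code is outside the hunk. Both subs extend beyond their hunks.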
From 988ee64621a7c0799abc3c7ad31211074fcf4a8d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 11 Sep 2014 10:17:01 -0700 Subject: [PATCH 09/12] Eliminate Redundant Rules Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 7 ++++--- Shorewall/Perl/Shorewall/Zones.pm | 23 ++++++++++++++--------- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index e0a3fb662..8f43fde7a 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) { for my $hostref ( @$list ) { $interface = $hostref->[0]; my $ipsec = $hostref->[1]; - my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my $target = source_exclusion( $hostref->[3], $chainref ); for $chain ( option_chains $interface ) { @@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) { for my $hostref ( @$list ) { my $interface = $hostref->[0]; my $target = source_exclusion( $hostref->[3], $chainref ); - my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : (); + my $ipsec = $hostref->[1]; + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); for $chain ( option_chains $interface ) { add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy ); @@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) { for my $hostref ( @$maclist_hosts ) { my $interface = $hostref->[0]; my $ipsec = $hostref->[1]; - my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @source = imatch_source_net $hostref->[2]; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; 
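Review bot: The expression `$ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ()` is now written out at three sites in this commit (twice in add_common_rules, once in setup_mac_lists); a small helper such as `sub policy_imatch( $ ) { my $ipsec = shift; $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : () }` keeps the three from drifting apart. The new meaning of an empty `$ipsec` — no `-m policy` match at all, so the rule covers IPsec and plain packets alike — is not stated anywhere; a comment at the first site, `# empty $ipsec (interface-level entry) means no policy match`, records it. Each hunk is cut from a sub whose body continues outside it.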
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index df3848f91..ee53460ac 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -2121,14 +2121,25 @@ sub have_ipsec() { sub find_hosts_by_option( $ ) { my $option = $_[0]; my @hosts; + my %done; + + for my $interface ( @interfaces ) { + if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { + push @hosts, [ $interface, '', ALLIP , [] ]; + $done{$interface} = 1; + } + } for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) { while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { for my $host ( @{$arrayref} ) { - if ( my $value = $host->{options}{$option} ) { - for my $net ( @{$host->{hosts}} ) { - push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ]; + my $ipsec = $host->{ipsec}; + unless ( $done{$interface} ) { + if ( my $value = $host->{options}{$option} ) { + for my $net ( @{$host->{hosts}} ) { + push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ]; + } } } } @@ -2136,12 +2147,6 @@ sub find_hosts_by_option( $ ) { } } - for my $interface ( @interfaces ) { - if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIP , [] ]; - } - } - \@hosts; } From a7bdfcc47b88a34eb34d530cda2bb3b3d84815e1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 11 Sep 2014 20:58:01 -0700 Subject: [PATCH 10/12] Refine the rule reduction fix Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Zones.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index ee53460ac..98b323c67 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm 
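Review bot: This changes which packets match, not only how many rules there are: the interface-level entry used to carry `'none'`, which the Misc.pm callers turned into `-m policy --pol none --dir in` and so confined the option's rule to non-IPsec traffic, while `''` drops that match, and `%done` additionally discards the zone-level entries for that interface; the net effect, as far as the hunk shows, is that an interface-level option now also applies to IPsec-decapsulated packets on that interface even where the hosts entries for its IPsec nets did not request it. If that broadening is intended it should be stated in the commit message and at the `push`, e.g. `# '' for ipsec: the rule covers the whole interface, IPsec or not, so zone-level entries for it are skipped below`; if not, keep `'none'` and still use %done to suppress the duplicates. `%done` is keyed by the logical interface name, and whether the hosts table uses the same key as @interfaces is not visible here. The sub's closing lines are in the following hunk.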
@@ -2124,8 +2124,9 @@ sub find_hosts_by_option( $ ) { my %done; for my $interface ( @interfaces ) { - if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { - push @hosts, [ $interface, '', ALLIP , [] ]; + my $value = $interfaces{$interface}{options}{$option}; + if ( ! $interfaces{$interface}{zone} && $value ) { + push @hosts, [ $interface, '', ALLIP , [], $value ]; $done{$interface} = 1; } } From 0d23b9c542580ba46de0ec169029375e66a888cb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 14 Sep 2014 09:29:04 -0700 Subject: [PATCH 11/12] Don't verify required interfaces during 'stop' or 'clear'. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 5 +++-- Shorewall/Perl/Shorewall/Providers.pm | 4 +++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index a0ce20821..5330e45a9 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -308,13 +308,14 @@ sub generate_script_2() { set_global_variables(1); - handle_optional_interfaces(0); - if ( $global_variables & NOT_RESTORE ) { + handle_optional_interfaces(0); emit ';;'; pop_indent; pop_indent; emit ( 'esac' ); + } else { + handle_optional_interfaces(1); } } else { emit( 'true' ) unless handle_optional_interfaces(1); diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 580484966..cd7cafdf4 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1894,8 +1894,10 @@ sub handle_optional_interfaces( $ ) { if ( @$interfaces ) { my $require = $config{REQUIRE_INTERFACE}; + my $gencase = shift; - verify_required_interfaces( shift ); + verify_required_interfaces( $gencase ); + emit '' if $gencase; emit( 'HAVE_INTERFACE=', '' ) if $require; # From a69cec5228cff2145b775e3e51530c0c01f40758 Mon Sep 17 00:00:00 2001 
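Review bot: The interface-level tuple now has the same five slots as the host-level ones, but the layout is documented at neither `push`; a one-line comment at this push, `# [ interface, ipsec policy ('' = no policy match), net, exclusions, option value ]`, records the contract that the callers in Misc.pm rely on. The later `push` for zone hosts is outside this hunk; whatever comment is chosen should sit next to both.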
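Review bot: `my $gencase = shift;` now sits inside `if ( @$interfaces )`, so the sub's single argument is consumed only on that branch and its meaning is nowhere stated; unpack it on the first line of handle_optional_interfaces as `my ( $gencase ) = @_;` and document it, e.g. `# $gencase: passed to verify_required_interfaces; 0 from the NOT_RESTORE command branch, 1 otherwise`, with the exact semantics confirmed against verify_required_interfaces, which is not in the hunk. The commit subject speaks of 'stop' and 'clear', but the Compiler.pm hunk switches on `$global_variables & NOT_RESTORE`, so the mapping from that flag to those commands should be named in the comment as well. handle_optional_interfaces starts before and ends after the hunk.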
From: Tom Eastep Date: Tue, 23 Sep 2014 07:09:56 -0700 Subject: [PATCH 12/12] Add link to Events article Signed-off-by: Tom Eastep --- docs/Events.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/Events.xml b/docs/Events.xml index f820b0c81..cf41ae00a 100644 --- a/docs/Events.xml +++ b/docs/Events.xml @@ -705,8 +705,9 @@ Knock net $FW tcp 22,1599-1601
Stateful Port Knocking (knock with a sequence of ports) - Gerhard Wiesinger has contributed a Perl module that allows you to - define portknocking sequences. Download Gerhard Wiesinger + has contributed a Perl module that allows you to define portknocking + sequences. Download the module and copy it into your site_perl directory.