diff --git a/Shorewall/actions b/Shorewall/actions
index 213b76b36..867a73c0a 100644
--- a/Shorewall/actions
+++ b/Shorewall/actions
@@ -17,19 +17,8 @@
 # begin with a letter and be composed of letters, digits and
 # underscore characters).
 #
-# If you follow the action name with ":DROP", ":REJECT" or
-# :ACCEPT then the action will be taken before a DROP, REJECT or
-# ACCEPT policy respectively is enforced. If you specify ":DROP",
-# ":REJECT" or ":ACCEPT" on more than one action then only the
-# last such action will be taken.
-#
-# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
-# itself, the associated policy will have no common action.
-#
 # Please see http://shorewall.net/Actions.html for additional information.
 #
 ###############################################################################
 #ACTION
-Drop:DROP # Default action for DROP
-Reject:REJECT # Default action for REJECT
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 5504692cd..a36b423bb 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -427,6 +427,7 @@ validate_policy()
 local synparams
 local parents
 local default
+ local var

 print_policy() # $1 = source zone, $2 = destination zone
 {
@@ -436,6 +437,21 @@ validate_policy()
 progress_message " Policy for $1 to $2 is $policy using chain $chain"
 }

+ for var in DROP_DEFAULT REJECT_DEFAULT; do
+ eval default=\$$var
+
+ case $default in
+ none)
+ ;;
+ *)
+ if ! list_search $default USEDACTIONS; then
+ if [ ! -f $(find_file macro.$default) ]; then
+ fatal_error "Default Action/Macro $var=$default not found"
+ fi
+ fi
+ esac
+ done
+
 ALL_POLICY_CHAINS=

 for zone in $ZONES $FW; do
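Review bot: The new loop accepts any DROP_DEFAULT/REJECT_DEFAULT value that names a used action or an existing macro file, but never checks that the value is a well-formed name, and `$default` is expanded unquoted in `list_search $default USEDACTIONS` and `find_file macro.$default`; the same value is later handed to `run_iptables -A $1 -j $default` in policy_rules, so a value containing whitespace would word-split into extra arguments rather than fail cleanly here. The actions file already states that names must begin with a letter and consist of letters, digits and underscores, so I would reject anything else before the lookup with an extra arm ahead of `*)`: `*[!A-Za-z0-9_]*|[!A-Za-z]*) fatal_error "Invalid $var=$default" ;;`. Note also that if `find_file` prints nothing (I cannot see its contract from here) the test degenerates to `[ ! -f ]`, which evaluates false, so the fatal_error would be skipped; `[ ! -f "$(find_file macro.$default)" ]` makes that case fail as intended. validate_policy begins before this hunk and continues after it.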
@@ -519,11 +535,11 @@ validate_policy()
 case ${policy%:*} in
 ACCEPT|CONTINUE|QUEUE)
 ;;
- REJECT|DROP)
- if [ -n "$default" ]; then
- error_message "WARNING: Policy has no default action or macro: $client $server $policy $loglevel $synparams"
- error_message " Please see http://www.shorewall.net/DefaultActionsandMacros.html"
- fi
+ DROP)
+ [ -n "${default:=$DROP_DEFAULT}" ]
+ ;;
+ REJECT)
+ [ -n "${default:=$REJECT_DEFAULT}" ]
 ;;
 NONE)
 [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@@ -989,7 +1005,7 @@ __EOF__
 save_progress_message "Refreshing Traffic Shaping"
 run_user_exit $TC_SCRIPT
 elif [ -n "$TC_ENABLED" ]; then
- setup_traffic_shaping
+ [ -n "$LIB_tc_LOADED" ] && setup_traffic_shaping
 fi
 }
@@ -3091,28 +3107,6 @@ policy_rules() # $1 = chain to add rules to
 if [ -n "$default" ]; then
 [ "$default" = none ] || run_iptables -A $1 -j $default
- else
- case "$target" in
- ACCEPT)
- [ -n "$ACCEPT_default" ] && run_iptables -A $1 -j $ACCEPT_default
- ;;
- DROP)
- [ -n "$DROP_default" ] && run_iptables -A $1 -j $DROP_default
- ;;
- REJECT)
- [ -n "$REJECT_default" ] && run_iptables -A $1 -j $REJECT_default
- target=reject
- ;;
- QUEUE)
- [ -n "$QUEUE_default" ] && run_iptables -A $1 -j $QUEUE_default
- ;;
- CONTINUE)
- target=
- ;;
- *)
- fatal_error "Invalid policy ($policy) for $1"
- ;;
- esac
 fi
 if [ $# -eq 3 -a "x${3}" != "x-" ]; then
diff --git a/Shorewall/functions b/Shorewall/functions
index f388069e4..7c96bcade 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -2916,6 +2916,8 @@ do_initialize() {
 MACLIST_TABLE=
 FASTACCEPT=
 USE_ACTIONS=
+ DROP_DEFAULT=
+ REJECT_DEFAULT=
 LOGLIMIT=
 LOGPARMS=
@@ -3176,6 +3178,18 @@ do_initialize() {
 [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
 [ -n "${RESTOREFILE:=restore}" ]

+ case "${DROP_DEFAULT:=Drop}" in
+ None)
+ DROP_DEFAULT=none
+ ;;
+ esac
+
+ case "${REJECT_DEFAULT:=Reject}" in
+ None)
+ REJECT_DEFAULT=none
+ ;;
+ esac
+
 #
 # Strip the files that we use often
 #
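Review bot: `[ -n "${default:=$DROP_DEFAULT}" ]` and its REJECT twin use a test command purely for the assignment side effect and discard the result; the idiomatic spelling is `: "${default:=$DROP_DEFAULT}"` and `: "${default:=$REJECT_DEFAULT}"`, which states the intent instead of looking like a check whose outcome is ignored (the `-n` test cannot fail here anyway, since do_initialize defaults both variables to a non-empty value). Dropping the old "no default action" warning is consistent with the fallback, but observe that only the global DROP_DEFAULT/REJECT_DEFAULT values are validated by the loop earlier in validate_policy; a per-policy `:Name` taken from the policy column reaches `run_iptables -j` with whatever checking the policy parser does, and that parse is outside this hunk so I cannot confirm it. validate_policy begins before this hunk and continues after it.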
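Review bot: The new guard makes the traffic-shaping step vanish silently when TC_ENABLED is set but `LIB_tc_LOADED` is empty; the release notes attribute that state to empty tcdevices/tcclasses files, but the same test also hides a library that was not loaded for any other reason, and the administrator who set TC_ENABLED gets no hint. I would make the skip visible with the existing `progress_message` helper in an explicit if/else rather than an `&&` chain, which also keeps the message independent of setup_traffic_shaping's own exit status. The enclosing function starts before this hunk.
```shell
elif [ -n "$TC_ENABLED" ]; then
    if [ -n "$LIB_tc_LOADED" ]; then
        setup_traffic_shaping
    else
        progress_message "   Traffic shaping enabled but nothing to configure (tcdevices/tcclasses empty?)"
    fi
fi
```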
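Review bot: Only the exact spelling `None` is folded to `none` here, and the compiler's validation loop then matches `none)` literally, so any other capitalization such as `NONE` passes both checks and is looked up as an action or macro of that name — and, if a file or used action happens to match, becomes the iptables jump target. If the option is meant to be case-tolerant, `[Nn][Oo][Nn][Ee])` in both case statements covers every spelling in a single arm; if only the documented 'None'/'none' are intended, the current code is fine but the shorewall.conf comment should say the match is case-sensitive. do_initialize begins before this hunk and continues after it.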
diff --git a/Shorewall/policy b/Shorewall/policy
index 576a5f570..6a9672149 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -59,13 +59,12 @@
 # contain the firewall zone ($FW) or
 # "all".
 #
-# If the policy is ACCEPT, DROP, REJECT or QUEUE then
-# the policy should be followed by ":" and one of the
-# following:
 #
+# If the policy is DROP or REJECT then the policy should
+# be followed by ":" and one of the following:
 #
 # a) The word "None" or "none". This causes any default
-# action define in /etc/shorewall/actions to be
-# omitted for this policy.
+# action defined in /etc/shorewall/shorewall.conf to
+# be omitted for this policy.
 # b) The name of an action (requires that USE_ACTIONS=Yes
 # in shorewall.conf). That action will be invoked
 # before the policy is enforced.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index de3e175f6..4cd3f195d 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -38,6 +38,11 @@ Problems Corrected in 3.3.1
 option was ignored unless there were also entries in /etc/shorewall/proxyarp.
+2) If both /etc/shorewall/tcdevices and /etc/shorewall/tcclasses were
+ empty then the compiler would fail with:
+
+ setup_traffic_shaping: command not found
+
 Other changes in 3.3.1
 None.
@@ -60,7 +65,8 @@ Migration Considerations:
 In prior Shorewall versions, default actions (action.Drop and action.Reject) were defined for DROP and REJECT policies in
- /usr/share/shorewall/actions.std.
+ /usr/share/shorewall/actions.std. These could be overridden in
+ /etc/shorewall/actions.
 This approach has two drawbacks:
@@ -71,15 +77,10 @@ Migration Considerations:
 Features section below), we need a way to define default rules for a policy.
- If you are happy with the way that things worked in prior releases,
- then simply add these two lines to your /etc/shorewall/actions file
- if they are not already there (and you have not defined different
- default actions for DROP and/or REJECT):
-
- Drop:DROP
- Reject:REJECT
-
- Otherwise, please read item 3) in the New Features section below.
+ If you have not overridden the defaults using entries in
+ /etc/shorewall/actions then you need make no changes to migrate to
+ Shorewall version 3.3. Otherwise, please see item 3) in the New
+ Features below.
 New Features:
@@ -160,11 +161,42 @@ New Features:
 b) Now that we have modularized action processing, we need a way to define default rules for a policy.
- The solution is to extend the POLICY column in
- /etc/shorewall/policy.
+ The solution is two-fold:
- When the POLICY is ACCEPT, DROP, REJECT or QUEUE then the policy
- may be followed by ":" and one of the following:
+ - Two new options have been added to the
+ /etc/shorewall/shorewall.conf file that allow specifying the
+ default action for DROP and REJECT.
+
+ The options are DROP_DEFAULT and REJECT_DEFAULT.
+
+ DROP_DEFAULT describes the rules to be applied before a
+ connection request is dropped by a DROP policy; REJECT_DEFAULT
+ describes the rules to be applied if a connection request is
+ rejected by a REJECT policy.
+
+ The value assigned to these may be:
+
+ a) The name of an action.
+ b) The name of a macro
+ c) 'None' or 'none'
+
+ The default values are:
+
+ DROP_DEFAULT="Drop"
+ REJECT_DEFAULT="Reject"
+
+ If USE_ACTIONS=Yes, then these values refer to action.Drop and
+ action.Reject respectively. If USE_ACTIONS=No, then these values
+ refer to macro.Drop and macro.Reject.
+
+ If you set the value of either option to "None" then no default
+ action will be used and the default action or macro must be
+ specified in /etc/shorewall/policy
+
+ - The POLICY column in /etc/shorewall/policy has been extended.
+
+ In /etc/shorewall/policy, when the POLICY is DROP or REJECT then
+ the policy may be followed by ":" and one of the following:
 a) The word "None" or "none". This causes any default action define in /etc/shorewall/actions.std or
@@ -187,12 +219,3 @@ New Features:
 # THE FOLLOWING POLICY MUST BE LAST # all all REJECT:Reject info
-
- With USE_ACTIONS=Yes, the above will work the same way that the
- pre-3.3 setup did. The 'Drop' and 'Reject' actions will be invoked
- before the DROP and REJECT policies are enforced.
-
- With USE_ACTION=No, there will be no Drop or Reject actions so
- Shorewall will look for macros by that name; as described in item
- 2) above, these macros are provided as part of the Shorewall 3.3
- release.
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index d9deadfcb..ba331c938 100644
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -377,6 +377,42 @@ RESTOREFILE=
 IPSECFILE=zones
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+#
+# In earlier Shorewall versions, a "default action" for DROP and REJECT
+# policies was specified in the file /usr/share/shorewall/actions.std.
+#
+# To allow for default rules to be applied when USE_ACTIONS=No, the
+# DROP_DEFAULT and REJECT_DEFAULT options have been added.
+#
+# DROP_DEFAULT describes the rules to be applied before a connection request
+# is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied
+# if a connection request is rejected by a REJECT policy.
+#
+# The value applied to these may be:
+#
+# a) The name of an action.
+# b) The name of a macro
+# c) 'None' or 'none'
+#
+# The default values are:
+#
+# DROP_DEFAULT="Drop"
+# REJECT_DEFAULT="Reject"
+#
+# If USE_ACTIONS=Yes, then these values refer to action.Drop and action.Reject
+# respectively. If USE_ACTIONS=No, then these values refer to macro.Drop and
+# macro.Reject.
+#
+# If you set the value of either option to "None" then no default action
+# will be used and the default action or macro must be specified in
+# /etc/shorewall/policy

+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+
 ###############################################################################
 # F I R E W A L L O P T I O N S
 ###############################################################################
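Review bot: The new comment block lists what the options may hold but not the shape of the value: the variable is read as a shell assignment by do_initialize (`${DROP_DEFAULT:=Drop}`) and ends up as an iptables jump target, so the block should state that the value must be a single action/macro name (letters, digits and underscore, beginning with a letter, as the actions file already requires) and that the compiler refuses to build if no such used action or macro.NAME file exists. I would add, after the value list, `# The name must be a plain action/macro identifier; the compiler fails if` and `# it is neither a used action nor an existing macro file.`, and change `# The value applied to these may be:` to `# The value assigned to these may be:` to match the release notes wording.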