Add iptrace/noiptrace commands

Shorewall/changelog.txt

@@ -14,6 +14,10 @@ Changes in Shorewall 4.4.0-Beta2
 
 5)  Add 'upnpclient' interface option.
 
+6)  Fix handling of optional interfaces.
+
+7)  Add 'iptrace' and 'noiptrace' command.
+
 Changes in Shorewall 4.4.0-Beta1
 
 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.

Shorewall/releasenotes.txt

@@ -149,6 +149,33 @@ None.
     that, like all aspects of UPnP, this is a security hole so use this
     option at your own risk.
 
+2)  'iptrace' and 'noiptrace' commands have been added to both
+    /sbin/shorewall and /sbin/shorewall6.
+
+    These are low-level debugging commands that cause
+    iptables/ip6tables TRACE log messages to be generated. See 'man
+    iptables' and 'man ip6tables' for details.
+
+    The syntax for the commands is:
+
+    	iptrace <iptables/ip6tables match expression>
+    	noiptrace <iptables/ip6tables match expression>
+
+    iptrace starts the trace; noiptrace turns it off.
+
+    The  match expression must be an expression that is legal in both
+    the raw table OUTPUT and PREROUTING chains.
+
+    Examaple:
+
+	To trace all packets desinted for IP address 206.124.146.176:
+
+	   shorewall iptrace -d 206.124.146.176
+
+	To turn that trace off:
+
+	   shorewall noiptrace -d 206.124.146.176
+	
 ----------------------------------------------------------------------------
                  N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------

Shorewall/shorewall

@@ -1454,10 +1454,12 @@ usage() # $1 = exit status
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
+    echo "   iptrace <iptables match expression>"
     echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+    echo "   noiptrace <iptables match expression>"
     echo "   refresh [ <chain>... ]"
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@@ -2012,6 +2014,26 @@ case "$COMMAND" in
 	shift
 	safe_commands $@
 	;;
+    iptrace)
+	get_config
+	shift
+	if shorewall_is_started ; then
+	    $IPTABLES -t raw -A PREROUTING $@ -j TRACE
+	    $IPTABLES -t raw -A OUTPUT $@ -j TRACE
+	else
+	    fatal_error "Shorewall is not started"
+	fi
+	;;	
+     noiptrace)
+	get_config
+	shift
+	if shorewall_is_started ; then
+	    $IPTABLES -t raw -D PREROUTING $@ -j TRACE
+	    $IPTABLES -t raw -D OUTPUT $@ -j TRACE
+	else
+	    fatal_error "Shorewall is not started"
+	fi
+	;;	
     *)
 	usage 1
 	;;

Shorewall6/shorewall6

@@ -1371,10 +1371,12 @@ usage() # $1 = exit status
     echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
     echo "   forget [ <file name> ]"
     echo "   help"
+    echo "   iptrace <ip6tables match expression>"
     echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
+    echo "   noiptrace <ip6tables match expression>"
     echo "   refresh [ <chain>... ]"
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@@ -1857,7 +1859,26 @@ case "$COMMAND" in
 	shift
 	safe_commands $@
 	;;
-    *)
+    iptrace)
+	get_config
+	shift
+	if shorewall_is_started ; then
+	    $IP6TABLES -t raw -A PREROUTING $@ -j TRACE
+	    $IP6TABLES -t raw -A OUTPUT $@ -j TRACE
+	else
+	    fatal_error "Shorewall6 is not started"
+	fi
+	;;	
+     noiptrace)
+	get_config
+	shift
+	if shorewall_is_started ; then
+	    $IP6TABLES -t raw -D PREROUTING $@ -j TRACE
+	    $IP6TABLES -t raw -D OUTPUT $@ -j TRACE
+	else
+	    fatal_error "Shorewall6 is not started"
+	fi
+	;;	    *)
 	usage 1
 	;;
 

manpages/shorewall-masq.xml

@@ -119,11 +119,12 @@
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this
           as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis> (use of an interface is deprecated).
+          <emphasis>interface</emphasis> (use of an
-          If you give the name of an interface, the interface must be up
+          <emphasis>interface</emphasis> is deprecated). If you give the name
-          before you start the firewall and the Shorewall rules compiler will
+          of an interface, the interface must be up before you start the
-          warn you of that fact. (Shorewall will use your main routing table
+          firewall and the Shorewall rules compiler will warn you of that
-          to determine the appropriate addresses to masquerade).</para>
+          fact. (Shorewall will use your main routing table to determine the
+          appropriate addresses to masquerade).</para>
 
           <para>In order to exclude a address of the specified SOURCE, you may
           append an <emphasis>exclusion</emphasis> ("!" and a comma-separated

manpages/shorewall.xml

@@ -219,6 +219,19 @@
       choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -279,6 +292,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall</command>
 
@@ -835,6 +861,19 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">load</emphasis></term>
 
@@ -919,6 +958,19 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">refresh</emphasis></term>
 

manpages6/shorewall6.xml

@@ -144,6 +144,19 @@
       <arg choice="plain"><option>help</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -204,6 +217,19 @@
       <arg choice="plain"><replaceable>address</replaceable></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall6</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall6</command>
 
@@ -670,12 +696,16 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>
 
         <listitem>
-          <para>Generates several reports from Shorewall6 log messages in the
+          <para>This is a low-level debugging command that causes iptables
-          current log file. If the <option>-t</option> option is included, the
+          TRACE log records to be created. See ip6tables(8) for
-          reports are restricted to log messages generated today.</para>
+          details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
         </listitem>
       </varlistentry>
 
@@ -763,6 +793,19 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">refresh</emphasis></term>