From f4b2f68ea06afe3693b7a02b6a4f6af27ee5bf5b Mon Sep 17 00:00:00 2001 
From: teastep Date: Sat, 21 Feb 2009 17:21:51 +0000 Subject: [PATCH] Move 4.2 to trunk git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/README.txt | 2 +- Shorewall-common/changelog.txt | 50 ++ Shorewall-common/fallback.sh | 2 +- Shorewall-common/install.sh | 11 +- Shorewall-common/isusable | 18 +- Shorewall-common/lib.cli | 9 +- Shorewall-common/macro.BitTorrent | 10 +- Shorewall-common/releasenotes.txt | 417 +++++++++--- Shorewall-common/restored | 2 +- Shorewall-common/routestopped | 3 +- Shorewall-common/shorewall | 94 ++- Shorewall-common/shorewall-common.spec | 4 +- Shorewall-common/shorewall.conf | 4 + Shorewall-common/swping | 2 + Shorewall-common/uninstall.sh | 2 +- Shorewall-lite/README.txt | 2 +- Shorewall-lite/fallback.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 8 +- Shorewall-lite/uninstall.sh | 2 +- Shorewall-perl/README.txt | 2 +- Shorewall-perl/Shorewall/Accounting.pm | 6 +- Shorewall-perl/Shorewall/Chains.pm | 214 +++++-- Shorewall-perl/Shorewall/Compiler.pm | 835 ++++++++++++++----------- Shorewall-perl/Shorewall/Config.pm | 92 ++- Shorewall-perl/Shorewall/Proc.pm | 2 +- Shorewall-perl/Shorewall/Proxyarp.pm | 2 +- Shorewall-perl/Shorewall/Rules.pm | 126 ++-- Shorewall-perl/Shorewall/Tc.pm | 81 ++- Shorewall-perl/Shorewall/Tunnels.pm | 70 +-- Shorewall-perl/Shorewall/Zones.pm | 2 +- Shorewall-perl/compiler.pl | 10 +- Shorewall-perl/install.sh | 2 +- Shorewall-perl/prog.footer | 63 +- Shorewall-perl/prog.footer6 | 90 +-- Shorewall-perl/prog.functions | 32 +- Shorewall-perl/prog.functions6 | 18 +- Shorewall-perl/prog.header | 9 +- Shorewall-perl/shorewall-perl.spec | 8 +- Shorewall-shell/README.txt | 2 +- Shorewall-shell/install.sh | 2 +- Shorewall-shell/shorewall-shell.spec | 8 +- Shorewall6-lite/Makefile | 14 +- Shorewall6-lite/README.txt | 2 +- Shorewall6-lite/fallback.sh | 2 +- Shorewall6-lite/install.sh | 2 +- 
Shorewall6-lite/shorewall6-lite.spec | 8 +- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/Makefile | 8 +- Shorewall6/README.txt | 2 +- Shorewall6/fallback.sh | 2 +- Shorewall6/install.sh | 11 +- Shorewall6/lib.cli | 7 + Shorewall6/restored | 2 +- Shorewall6/shorewall6 | 56 +- Shorewall6/shorewall6.spec | 4 +- Shorewall6/uninstall.sh | 2 +- 57 files changed, 1502 insertions(+), 944 deletions(-) diff --git a/Shorewall-common/README.txt b/Shorewall-common/README.txt index 189c4ab93..c5eeee4ce 100644 --- a/Shorewall-common/README.txt +++ b/Shorewall-common/README.txt @@ -1 +1 @@ -This is the Shorewall-common Development 4.2 branch of SVN. +This is the Shorewall-common Stable 4.2 branch of SVN. diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index ca1ebf4ee..7f52d1212 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,47 @@ +Changes in Shorewall 4.2.7 + +1) Added /etc/shorewall/notrack. + +2) Added new columns to the routestopped file. + +3) Moved tunnel rules back to the front of the NEW section. + +4) Handle long sport lists. + +Changes in Shorewall 4.2.6 + +1) Added macro.BitTorrent32 + +2) Add COUNT action. + +3) Add swping + +4) Add RESTORE_DEFAULT_ROUTE option + +5) Use dhcpcd's database to detect dynamic gateways. + +6) Fix TCP_FLAGS_DISPOSITION=REJECT + +7) Allow protocol and port inversion. + +8) Don't check for "-m state" until after modules are loaded + +9) Fix Shorewall6[-lite]/Makefile + +10) Reorganized generated script to be more like 4.3. + +11) Added 'restored' script. + +12) Another ctorigdstport fix. + +13) Allow 'here documents' in extension scripts + +14) Another ctorigdst fix. + +15) Add flow key support. + +16) Fix 'show connections'. + Changes in Shorewall 4.2.5 1) Add 'fallback' providers option. 
@@ -11,6 +55,12 @@ Changes in Shorewall 4.2.5 5) Added macro.Git. +6) Fix running of tcclear script. + +7) Added macro.IRC. + +8) Fix --ctorigport usage + Changes in Shorewall 4.2.4.6 1) Fix hosts exclusion in DNAT/REDIRECT. diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index 4a00dd932..de1d740d1 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index b46c4a7c0..e16dc24f2 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { @@ -438,6 +438,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq" fi # +# Install the Notrack file +# +run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall/configfiles/notrack + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then + run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall/notrack + echo "Notrack file installed as ${PREFIX}/etc/shorewall/notrack" +fi +# # Install the Modules file # run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules diff --git a/Shorewall-common/isusable b/Shorewall-common/isusable index 6e43400d6..4043aaf1f 100644 --- a/Shorewall-common/isusable +++ b/Shorewall-common/isusable 
@@ -1,9 +1,17 @@ +# +# Shorewall version 4 - 'isusable' sample script +# +# /etc/shorewall/isusable +# +# This script is a companion to the 'swping' script described at +# http://www.shorewall.net/MultiISP.html#swping. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### local status=0 -case $1 in - $EXT_IF|$COM_IF) - [ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status) - ;; -esac +[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status) return $status diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli index 685d8c657..7bb86a109 100644 --- a/Shorewall-common/lib.cli +++ b/Shorewall-common/lib.cli @@ -462,7 +462,7 @@ show_command() { [ $# -gt 1 ] && usage 1 echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" echo - [ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack + [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack ;; nat) [ $# -gt 1 ] && usage 1 @@ -471,6 +471,13 @@ show_command() { show_reset $IPTABLES -t nat -L $IPT_OPTIONS ;; + raw) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)" + echo + show_reset + $IPTABLES -t raw -L $IPT_OPTIONS + ;; tos|mangle) [ $# -gt 1 ] && usage 1 echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)" diff --git a/Shorewall-common/macro.BitTorrent b/Shorewall-common/macro.BitTorrent index 96147dfaa..d81b7f544 100644 --- a/Shorewall-common/macro.BitTorrent +++ b/Shorewall-common/macro.BitTorrent 
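Review bot: With the `case $1 in $EXT_IF|$COM_IF)` guard gone, the status lookup now runs for whatever interface name is passed in, and both `${1}.status` references are still unquoted, so a name containing whitespace or glob characters would change what the `-f` test and the `cat` operate on. The file's contents are then handed straight to `return $status`, so a non-numeric value in a `.status` file makes `return` error out rather than report a status. Quoting the path and validating the value before returning keeps the sample robust: `status=$(cat "/etc/shorewall/${1}.status")` followed by `case $status in ''|*[!0-9]*) status=1 ;; esac`. The `local` at the top implies this script is sourced inside a function, which is not visible here.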
@@ -3,14 +3,10 @@ # # /usr/share/shorewall/macro.BitTorrent # -# This macro handles BitTorrent traffic. -# -# If you are running a more modern BitTorrent client, then you may need -# to tweak the open port range. This can be done by copying the below -# rules into /etc/shorewall and making the necessary edits there: -# -# Replace 6881:6889 with 6881:6899 +# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier. # +# If you are running BitTorrent 3.2 or later, you should use the +# BitTorrent32 macro. ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index f2f1febeb..003cdfc18 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.2.5 +Shorewall 4.2.7 ---------------------------------------------------------------------------- R E L E A S E 4 . 2 H I G H L I G H T S 
@@ -27,51 +27,9 @@ Shorewall 4.2.5 - Perl 5.10 if you wish to use DNS names in your IPv6 config files. In that case you will also have to install Perl Socket6 support. -Problems corrected in 4.2.5 +Problems corrected in 4.2.7 -1) If exclusion is used to define a zone in /etc/shorewall/hosts and - that zone is used as the SOURCE zone in a DNAT or REDIRECT rule, - then Shorewall-perl can generated invalid iptables-restore input. - -2) A bug in the Perl Cwd module (see - http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the - Shorewall-perl compiler to fail if it doesn't have at least read - access to its current working directory. 4.2.5 contains a - workaround. - -3) If 'critical' was specified on an entry in - /etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would - generate an error. - -4) In certain cases where exclusion occurred in /etc/shorewall/hosts, - Shorewall-perl would generate incorrect iptables-restore input. - -5) In certain cases where exclusion occurred in /etc/shorewall/hosts, - Shorewall-perl would generate invalid iptables-restore input. - -6) The 'shorewall6 refresh' command runs iptables_restore rather than - ip6tables_restore. - -7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and - 'shorewall6 restore' were previously broken. - -8) The Debian init script was checking $startup in - /etc/default/shorewall rather than in /etc/default/shorweall6 - -9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were - unconverted Shorewall scripts. - -10) When 'detect' is used in the GATEWAY column of - /etc/shorewall/providers, Shorewall-perl now ensures that the - gateway was successfully detected. If the gateway cannot be - detected, action is taken depending on whether the provider is - 'optional' or not. If the provider is optional, it's configuration - is skipped; if the provider is not optional, the current operation - is aborted. 
- -11) The command 'shorewall6 debug start' would previously fail with - - ERROR: Command "/sbin/ip6tables -t nat -F" Failed +None. Known Problems Remaiining: @@ -84,74 +42,106 @@ Known Problems Remaiining: norfc1918 tcpflags -New Feature in Shorewall 4.2.5 +New Features in Shorewall 4.2.7 -1) A new 'fallback' option is added in - /etc/shorewall/providers. The option works similar to 'balance' - except that the default route is added in the default routing table - (253) rather than in the main table (254). +1) Prior to Shorewall version 3.0.0, rules generated by + /etc/shorewall/tunnels were traversed before those generated by + /etc/shorewall/rules. When SECTIONs were added to the rules file in + 3.0.0, traversal of the tunnel rules was deferred until after those + generated by the NEW section of the rules file. - The option can be used by itself or followed by = (e.g, - fallback=2). + Beginning with Shorewall-perl 4.2.7, the tunnel rules are back + where they started -- right before the first rule generated by the + NEW section of /etc/shorewall/rules. - When the option is used by itself, a separate (not balanced) - default route is added with a metric equal to the provider's NUMBER. +2) To allow bypassing of connection tracking for certain traffic, + /etc/shorewall/notrack and /etc/shorewall6/notrack files have been + added. - When the option is used with a number, a balanced route is added - with the weight set to the specified number. + Columns in the file are: - 'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and - is only available with Shorewall-perl. + SOURCE - [:][:
] - 'fallback' is useful in situations where: + DEST - [
] - - You want all traffic to be sent via one primary provider unless - there is a compelling reason to use a different provider + PROTO - - - If the primary provider is down, then you want to balance the - outgoing traffic among a set of other providers or to a - ordered list of providers. + DEST PORT(S) - - In this case: + SOURCE PORT(S) - - - Do not specify 'balance' on any of the providers. - - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf). - - Specify 'fallback' on those providers that you want to use if - the primary is down. - - Only the primary provider should have a default route in the main - routing table. + USER/GROUP - [][:] - See http://www.shorewall.net/MultiISP.html#Complete for an example - of this option's use. + May only be specified if the SOURCE is $FW. -2) Shorewall-perl now transparently handles the xtables-addon version - of ipp2p. Shorewall detects whether the installed ipp2p is from - patch-o-matic-ng or from xtables-addon and proceeds accordingly. + Traffic that matches all given criteria will not be subject to + connection tracking. For such traffic, your policies and/or rules + must deal with ALL of the packets involved, in both the original + and the opposite directions. All untracked traffic is passed + through the relevant rules in the NEW section of the rules + file. Untracked encapsulated tunnel traffic can be handled by + entries in /etc/shorewall/tunnels just like tracked traffic + is. Because every packet of an untracked connection must pass + through the NEW section rules, it is suggested that rules that deal + with untracked traffic should appear at the top of the file. - If the patch-o-matic-ng version is installed: + Example: - a) If no DEST PORT is supplied, the default is "--ipp2p". - b) If "ipp2p" is supplied as the DEST PORT, it will be passed to - iptables-restore as "--ipp2p". 
+ /etc/shorewall/tunnels: - If the xtables-addons version is installed: + #TYPE ZONE GATEWAY + 6to4 net - a) If no DEST PORT is supplied, the default is "--edk --gnu --dc - --kazaa". - b) If "ipp2p" is supplied as the DEST PORT, it will be passed to - iptables-restore as "--edk --gnu --dc --kazaa". + /etc/shorewall/notrack - Shorewall-perl now also accepts a comma-separated list of options - (e.g., "edk,gnu,dc,kazaa). + #SOURCE DEST PROTO DEST SOURCE USER/ + # PORT(S) PORT(S) GROUP + net:!192.88.99.1 - 41 - Additionally, Shorewall now looks for modules in /lib/modules/$(uname - -r)/extra and in /lib/modules/$(uname -r)/extra/ipset + Given that 192.88.99.1 is an anycast address, many hosts can + respond to outward traffic to that address. The entry in + /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in + /etc/shorewall/notrack prevents the inbound traffic from creating + additional useless conntrack entries. - This change introduced a new capability ("Old IPP2P Match Syntax") - so if you use a capabilities file, be sure to re-generate the - file(s) after you have installed 4.2.5. + As part of this change, the 'show' command is enhanced to support a + 'show raw' command that is an alias for 'show -t raw'. The raw + table is where NOTRACK rules are created. -3) There is now a macro.Git, which opens git-daemon's port (9418/tcp). +3) Shorewall-perl supports three additional columns in the + /etc/shorewall/routestopped file: + + PROTO -- Protocol name or number + + DEST PORT(S) -- comma-separated list of service names and/or port + numbers + + SOURCE PORT(S) -- comma-separated list of service names and/or port + numbers. + + These columns are only meaningful when the "-f" option to + 'shorewall stop' is used. + + As part of this change, the "-f" option to the 'stop' and 'clear' + commands is now the default when FAST_STOP=Yes in shorewall.conf. 
+ To override this default, use the "-s" option: + + shorewall stop -s + + Note that if you have entries with one or more of the new columns, + the -s option will result in warning messages. + + gateway:~ # shorewall stop -s + Stopping Shorewall... + WARNING: Unknown routestopped option ignored: notrack + WARNING: Unknown routestopped option ignored: 41 + WARNING: Unknown routestopped option ignored: notrack + WARNING: Unknown routestopped option ignored: 41 + done. + gateway:~ # + +4) Shorewall-perl now handles SOURCE PORT lists of more than 15 + entries by breaking the containing rule into multiple rules. Migration Issues. 
@@ -1331,3 +1321,244 @@ Problems Corrected in 4.2.4 Other changes in 4.2.4 1) Support for IPv6 was added -- see above. + +Problems corrected in 4.2.5 + +1) If exclusion is used to define a zone in /etc/shorewall/hosts and + that zone is used as the SOURCE zone in a DNAT or REDIRECT rule, + then Shorewall-perl can generate invalid iptables-restore input. + +2) A bug in the Perl Cwd module (see + http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the + Shorewall-perl compiler to fail if it doesn't have at least read + access to its current working directory. 4.2.5 contains a + workaround. + +3) If 'critical' was specified on an entry in + /etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would + generate an error. + +4) In certain cases where exclusion occurred in /etc/shorewall/hosts, + Shorewall-perl would generate incorrect iptables-restore input. + +5) In certain cases where exclusion occurred in /etc/shorewall/hosts, + Shorewall-perl would generate invalid iptables-restore input. + +6) The 'shorewall6 refresh' command runs iptables_restore rather than + ip6tables_restore. + +7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and + 'shorewall6 restore' were previously broken. + +8) The Debian init script was checking $startup in + /etc/default/shorewall rather than in /etc/default/shorweall6 + +9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were + unconverted Shorewall scripts. + +10) When 'detect' is used in the GATEWAY column of + /etc/shorewall/providers, Shorewall-perl now ensures that the + gateway was successfully detected. If the gateway cannot be + detected, action is taken depending on whether the provider is + 'optional' or not. If the provider is optional, it's configuration + is skipped; if the provider is not optional, the current operation + is aborted. 
+ +11) The command 'shorewall6 debug start' would previously fail with + + ERROR: Command "/sbin/ip6tables -t nat -F" Failed + +12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear + script itself at run time rather than running the copy of the + file in the compiled script. This usually isn't noticable unless + you are running Shorewall Lite or Shorewall6 Lite in which case, + the script doesn't get run (since it is on the administrative + system and not the firewall system). + +13) If your iptables/kernel included "Extended Connection Tracking + Match support" (see the output of "shorewall show capabilities"), + then a REDIRECT rule that specified a port list or range would + cause Shorewall-perl to create invalid iptables-restore input: + + Running /usr/sbin/iptables-restore... + iptables-restore v1.4.2-rc1: conntrack: Bad value for + "--ctorigdstport" option: "1025:65535" + Error occurred at line: 191 + Try `iptables-restore -h' or 'iptables-restore --help' for more information. + ERROR: iptables-restore Failed. Input is in + /var/lib/shorewall/.iptables-restore-input + +New Feature in Shorewall 4.2.5 + +1) A new 'fallback' option is added in + /etc/shorewall/providers. The option works similar to 'balance' + except that the default route is added in the default routing table + (253) rather than in the main table (254). + + The option can be used by itself or followed by = (e.g, + fallback=2). + + When the option is used by itself, a separate (not balanced) + default route is added with a metric equal to the provider's NUMBER. + + When the option is used with a number, a balanced route is added + with the weight set to the specified number. + + 'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and + is only available with Shorewall-perl. 
+ + 'fallback' is useful in situations where: + + - You want all traffic to be sent via one primary provider unless + there is a compelling reason to use a different provider + + - If the primary provider is down, then you want to balance the + outgoing traffic among a set of other providers or to a + ordered list of providers. + + In this case: + + - Do not specify 'balance' on any of the providers. + - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf). + - Specify 'fallback' on those providers that you want to use if + the primary is down. + - Only the primary provider should have a default route in the main + routing table. + + See http://www.shorewall.net/MultiISP.html#Complete for an example + of this option's use. + +2) Shorewall-perl now transparently handles the xtables-addon version + of ipp2p. Shorewall detects whether the installed ipp2p is from + patch-o-matic-ng or from xtables-addon and proceeds accordingly. + + If the patch-o-matic-ng version is installed: + + a) If no DEST PORT is supplied, the default is "--ipp2p". + b) If "ipp2p" is supplied as the DEST PORT, it will be passed to + iptables-restore as "--ipp2p". + + If the xtables-addons version is installed: + + a) If no DEST PORT is supplied, the default is "--edk --gnu --dc + --kazaa". + b) If "ipp2p" is supplied as the DEST PORT, it will be passed to + iptables-restore as "--edk --gnu --dc --kazaa". + + Shorewall-perl now also accepts a comma-separated list of options + (e.g., "edk,gnu,dc,kazaa). + + Additionally, Shorewall now looks for modules in /lib/modules/$(uname + -r)/extra and in /lib/modules/$(uname -r)/extra/ipset + + This change introduced a new capability ("Old IPP2P Match Syntax") + so if you use a capabilities file, be sure to re-generate the + file(s) after you have installed 4.2.5. + +3) There is now a macro.Git, which opens git-daemon's port (9418/tcp). + +4) There is also a macro.IRC which open's the Internet Relay Chat port + (6667/tcp). 
+ +Problems corrected in 4.2.6 + +1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample + configurations was incorrect with the result that this error + occurred on 'shorewall6 check' or 'shorewall6 start'. + + ERROR: No IP zones defined + +2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell + and Shorewall-perl to create invalid iptables commands. This has + been corrected but we still strongly recommend against that + setting; TCP_FLAGS_DISPOSITION=DROP is preferred. + +3) Shorewall-perl was generating code that checked for state match + before kernel modules were loaded. This caused start/restart to + fail on systems without kernel module loading. + +4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect. + +5) If a service name is used in a port-mapping rule (a DNAT or + REDIRECT rule that changes the destination port), and if the + kernel and iptables include Extended Connection Match support, then + invalid iptables-restore input is produced by Shorewall-perl. + +6) If iptables 1.4.1 or later was installed, Shorewall-perl generated + incorrect iptables-restore input if exclusion was used in the + ORIGINAL DEST field of a DNAT or REDIRECT rule. + +7) On kernels earlier than 2.6.20, the 'shorewall show connections' + command fails. + +New Features in Shorewall 4.2.6 + +1) A BitTorrent32 macro has been added. This macro matches the + extended TCP port range used by BitTorrent 3.2 and later. + +2) A new COUNT action has been added to Shorewall-perl. This action + creates an iptables (ip6tables) rule with no target. Connections + matching such a rule are simply counted and the packet is passed on + to the next rule. + + Shorewall-shell ignores COUNT in actions and macros, thus allowing + the standard actions (action.Drop and action.Reject) to have a + COUNT rule as their first entry. + +3) A new RESTORE_DEFAULT_ROUTE option has been added to + shorewall.conf. 
It is used to determine whether to restore the + default route saved when there are 'balance' providers defined but + all of them are down. + + The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the + pre-4.2.6 behavior. + + RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a + default route in the main table (USE_DEFAULT_RT=No) or in the + default table (USE_DEFAULT_RT=Yes) when there are no balance + providers available. In that case, RESTORE_DEFAULT_ROUTE=No + will cause any default route in the relevant table to be deleted. + +4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's + database when trying to detect the gateway for an interface + ("detect" in the GATEAWAY column in /etc/shorewall/interfaces). + + As part of this change, it is now permitted to specify 'detect' + when USE_DEFAULT_RT=Yes; in that case, the script will only detect + gateways for point-to-point devices and for devices configured by + dhcpcd. + +5) Shorewall-perl now supports port inversion. A port number or list + of port numbers may be preceded by '!" which will cause the rule to + match all ports EXCEPT those listed: + + Example: To blacklist 206.124.146.176 for all tcp ports except 80: + + ADDRESS/SUBNET PROTO PORT(S) + 206.124.146.177 tcp !80 + +6) Shorewall-perl now supports protocol inversion. A protocol name or + number may be preceded by '!' to specify all protocols except the + one following '!'. + + Example: To blacklist 206.124.146.176 for all protocols except + UDP: + + ADDRESS/SUBNET PROTO PORT(S) + 206.124.146.177 !udp + + Note that ports may not be specified when protocol inversion + is used. + +7) When using Shorewall-perl, neither the 'start' nor 'started' + extension script is run during processing of the 'restore' + command. To allow extension of that command, we have added a + 'restored' extension script that runs at the successful completion + of 'restore'. This script is only available with Shorewall-perl. 
+ + With Shorewall-shell, both scripts are run during 'restore' but in + that case, the run_iptables() function does nothing. So any + run_iptables() calls in the 'start' script are effectively ignored. + +8) Shorewall-perl now correctly handles 'here documents' quoting + (<&2 + exit 2 + fi + ;; + esac } # @@ -483,16 +494,6 @@ start_command() { DEBUG=Yes option=${option#d} ;; - n*) - NORTC=Yes - RTCONLY= - option=${option#n} - ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; f*) FAST=Yes option=${option#f} @@ -537,8 +538,7 @@ start_command() { ;; esac - export NORTC - export RTCONLY + export NOROUTES export PURGE if [ -n "$FAST" ]; then @@ -780,15 +780,9 @@ restart_command() { option=${option#f} ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; C) [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" SHOREWALL_COMPILER=$2 @@ -838,8 +832,7 @@ restart_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - export NORTC - export RTCONLY + export NOROUTES export PURGE if [ -z "$FAST" ]; then @@ -917,8 +910,7 @@ refresh_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - export NORTC - export RTCONLY + export NOROUTES progress_message3 "Compiling..." @@ -961,15 +953,9 @@ safe_commands() { option= ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; C) [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" SHOREWALL_COMPILER=$2 @@ -1116,15 +1102,9 @@ try_command() { option= ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; C) [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" SHOREWALL_COMPILER=$2 
@@ -1485,7 +1465,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]" echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ ]" echo " stop [ -f ]" echo " status" @@ -1519,8 +1499,7 @@ IPT_OPTIONS="-nv" FAST= VERBOSE_OFFSET=0 USE_VERBOSITY= -NORTC= -RTC= +NOROUTES= PURGE= EXPORT= export TIMESTAMP= @@ -1597,15 +1576,9 @@ while [ $finished -eq 0 ]; do esac ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; t*) TIMESTAMP=Yes option=${option#t} @@ -1758,23 +1731,28 @@ case "$COMMAND" in start_command $@ ;; stop|clear) - if [ "x$2" = x-f ]; then - [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore - shift; + get_config + if [ "x$2" = x-s ]; then + shift + else + if [ "x$2" = x-f -o "$FAST_STOP" ]; then + [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore + + if [ "x$2" = x-f ]; then + shift + fi + fi fi [ $# -ne 1 ] && usage 1 - get_config - export NORTC - export RTCONLY + export NOROUTES mutex_on $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND mutex_off ;; reset) get_config - export NORTC - export RTCONLY + export NOROUTES shift mutex_on $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@ diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 2c2bfc5c8..647a499ae 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec 
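Review bot: The usage line gains `raw` in the show subcommand list but leaves `-t {filter|mangle|nat}` on the same line unchanged, although the release notes in this commit describe `show raw` as an alias for `show -t raw`. If show_command accepts `-t raw`, the option list should read `[ -t {filter|mangle|nat|raw} ]`; if it does not, the release-notes wording is what needs correcting. usage() continues outside the hunk.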
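Review bot: The new fast-stop test in the stop|clear arm, `[ "x$2" = x-f -o "$FAST_STOP" ]`, only checks that FAST_STOP is non-empty, yet the shorewall.conf shipped in this same commit sets `FAST_STOP=No`. Unless get_config normalises a `No` value to an empty string (that code is not in this diff), the default configuration would take the `.restore` fast path and `-s` would become the only way to get a full stop. Comparing against the normalised value get_config actually leaves behind, e.g. `[ "x$2" = x-f -o "$FAST_STOP" = Yes ]`, removes the dependency on that convention. `FIREWALL=${VARDIR}/.restore` stays unquoted, but that matches the rest of the file.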
@@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -177,8 +177,6 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base * Thu Feb 05 2009 Tom Eastep tom@shorewall.net - Add 'restored' script * Wed Feb 04 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf index 134c93801..30bb052ed 100644 --- a/Shorewall-common/shorewall.conf +++ b/Shorewall-common/shorewall.conf @@ -186,6 +186,10 @@ MANGLE_ENABLED=Yes USE_DEFAULT_RT=No +RESTORE_DEFAULT_ROUTE=Yes + +FAST_STOP=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall-common/swping b/Shorewall-common/swping index ac7e1c4f4..7eab17beb 100644 --- a/Shorewall-common/swping +++ b/Shorewall-common/swping @@ -21,6 +21,8 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # +# For information about this script, see http://www.shorewall.net/MultiISP.html#swping. +# ########################################################################################### # # IP Family == 4 or 6 diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index 306577366..0c05aebb9 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { 
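Review bot: `RESTORE_DEFAULT_ROUTE=Yes` and `FAST_STOP=No` are dropped into shorewall.conf with no explanatory comment, and the only description of either lives in the release notes elsewhere in this commit. A one-line comment above each would spare the reader that trip, e.g. `# Restore the saved default route when all 'balance' providers are down` and `# Make the -f (fast) behaviour of 'stop' and 'clear' the default`. Whether neighbouring options in this file carry such comments is not visible in the hunk.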
diff --git a/Shorewall-lite/README.txt b/Shorewall-lite/README.txt index 559e49156..b75a33580 100644 --- a/Shorewall-lite/README.txt +++ b/Shorewall-lite/README.txt @@ -1 +1 @@ -This is the Shorewall-lite Development 4.1 branch of SVN. +This is the Shorewall-lite stable 4.2 branch of SVN. diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 0d1c8516c..4d148f1c3 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 866a71f98..1275c3c20 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index c8879363b..6c029b030 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,8 +98,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base +* Wed Feb 04 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base +* Thu Jan 29 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base * Tue Jan 06 2009 Tom Eastep tom@shorewall.net - Updated to 4.2.5-0base * Thu Dec 25 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index b0409c925..f43f8d063 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-perl/README.txt b/Shorewall-perl/README.txt index c3e698aba..5a2cc54b9 100644 --- a/Shorewall-perl/README.txt +++ b/Shorewall-perl/README.txt @@ -1,2 +1,2 @@ -This is the Shorewall-perl development 4.3 branch of SVN. +This is the Shorewall-perl stable 4.2 branch of SVN. diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index 8064b0dd4..bfcabb07a 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -201,17 +201,17 @@ sub setup_accounting() { if ( have_bridges ) { if ( $filter_table->{accounting} ) { for my $chain ( qw/INPUT FORWARD/ ) { - insert_rule $filter_table->{$chain}, 1, '-j accounting'; + insert_rule1 $filter_table->{$chain}, 0, '-j accounting'; } } if ( $filter_table->{accountout} ) { - insert_rule $filter_table->{OUTPUT}, 1, '-j accountout'; + insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout'; } } else { if ( $filter_table->{accounting} ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { - insert_rule $filter_table->{$chain}, 1, '-j accounting'; + insert_rule1 $filter_table->{$chain}, 0, '-j accounting'; } } } diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 2a6f788c5..6e793b8dc 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -44,6 +44,7 @@ our @EXPORT = qw( log_rule_limit %chain_table + $raw_table $nat_table $mangle_table $filter_table @@ -71,6 +72,8 @@ our %EXPORT_TAGS = ( add_command add_commands move_rules + insert_rule1 + add_tunnel_rule process_comment no_comment macro_comment 
@@ -94,11 +97,13 @@ our %EXPORT_TAGS = ( dnat_chain snat_chain ecn_chain + notrack_chain first_chains ensure_chain ensure_accounting_chain ensure_mangle_chain ensure_nat_chain + ensure_raw_chain new_standard_chain new_builtin_chain new_nat_chain @@ -135,6 +140,7 @@ our %EXPORT_TAGS = ( match_ipsec_out log_rule expand_rule + addrawjump addnatjump get_interface_address get_interface_addresses @@ -175,6 +181,7 @@ our $VERSION = 4.2.4; # synchain => # default => # cmdlevel => +# new => undef| # rules => [ # # ... @@ -192,6 +199,7 @@ our $VERSION = 4.2.4; # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. # our %chain_table; +our $raw_table; our $nat_table; our $mangle_table; our $filter_table; @@ -290,6 +298,7 @@ sub initialize( $ ) { nat => {}, filter => {} ); + $raw_table = $chain_table{raw}; $nat_table = $chain_table{nat}; $mangle_table = $chain_table{mangle}; $filter_table = $chain_table{filter}; 
@@ -427,6 +436,100 @@ sub push_rule( $$ ) { } } +# +# Post-process a rule having an sport list. Split the rule into multiple rules if necessary +# to work within the 15-element limit imposed by iptables/Netfilter. +# + +sub handle_sport_list( $$$$$ ) { + my ($chainref, $rule, $first, $ports, $rest) = @_; + + if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { + # + # More than 15 ports specified + # + my @ports = split '([,:])', $ports; + + while ( @ports ) { + my $count = 0; + my $newports = ''; + + while ( @ports && $count < 15 ) { + my ($port, $separator) = ( shift @ports, shift @ports ); + + $separator ||= ''; + + if ( ++$count == 15 ) { + if ( $separator eq ':' ) { + unshift @ports, $port, ':'; + chop $newports; + last; + } else { + $newports .= $port; + } + } else { + $newports .= "${port}${separator}"; + } + } + + push_rule ( $chainref, join( '', $first, $newports, $rest ) ); + } + } else { + push_rule ( $chainref, $rule ); + } +} + +# +# Post-process a rule having an dport list. Split the rule into multiple rules if necessary +# to work within the 15-element limit imposed by iptables/Netfilter. 
+# + +sub handle_dport_list( $$$$$ ) { + my ($chainref, $rule, $first, $ports, $rest) = @_; + + if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { + # + # More than 15 ports specified + # + my @ports = split '([,:])', $ports; + + while ( @ports ) { + my $count = 0; + my $newports = ''; + + while ( @ports && $count < 15 ) { + my ($port, $separator) = ( shift @ports, shift @ports ); + + $separator ||= ''; + + if ( ++$count == 15 ) { + if ( $separator eq ':' ) { + unshift @ports, $port, ':'; + chop $newports; + last; + } else { + $newports .= $port; + } + } else { + $newports .= "${port}${separator}"; + } + } + + my $newrule = join( '', $first, $newports, $rest ); + + if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) { + handle_sport_list( $chainref, $newrule, $1, $2, $3 ); + } else { + push_rule ( $chainref, $newrule ); + } + } + } elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) { + handle_sport_list( $chainref, $rule, $1, $2, $3 ); + } else { + push_rule ( $chainref, $rule ); + } +} + # # Add a rule to a chain. Arguments are: # 
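Review bot: handle_sport_list and handle_dport_list carry the same 30-line chunking loop verbatim, so any correction to the 15-element logic (the `unshift`/`chop` handling when the 15th element opens a range, for instance) has to be made in two places. Lifting that loop into a helper that returns the chunk strings leaves each caller with just the separator-count test and a push loop, and handle_dport_list keeps its `--sports` re-match per chunk. The chunking also becomes testable on its own, which the inline form is not; a sketch follows.
```perl
#
# Split a comma/colon-separated port list into chunks that each fit the
# 15-element limit of multiport (a range a:b counts as two elements).
# Returns the list of chunk strings, in order.
#
sub split_port_list( $ ) {
    my @ports = split '([,:])', $_[0];
    my @chunks;

    while ( @ports ) {
        my $count    = 0;
        my $newports = '';

        while ( @ports && $count < 15 ) {
            my ($port, $separator) = ( shift @ports, shift @ports );

            $separator ||= '';

            if ( ++$count == 15 ) {
                if ( $separator eq ':' ) {
                    #
                    # The 15th element opens a range -- move the whole range to the next chunk
                    #
                    unshift @ports, $port, ':';
                    chop $newports;
                    last;
                } else {
                    $newports .= $port;
                }
            } else {
                $newports .= "${port}${separator}";
            }
        }

        push @chunks, $newports;
    }

    @chunks;
}

sub handle_sport_list( $$$$$ ) {
    my ($chainref, $rule, $first, $ports, $rest) = @_;

    if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
        push_rule( $chainref, join( '', $first, $_, $rest ) ) for split_port_list( $ports );
    } else {
        push_rule( $chainref, $rule );
    }
}

sub handle_dport_list( $$$$$ ) {
    my ($chainref, $rule, $first, $ports, $rest) = @_;

    if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
        for my $chunk ( split_port_list( $ports ) ) {
            my $newrule = join( '', $first, $chunk, $rest );

            if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
                handle_sport_list( $chainref, $newrule, $1, $2, $3 );
            } else {
                push_rule( $chainref, $newrule );
            }
        }
    } elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
        handle_sport_list( $chainref, $rule, $1, $2, $3 );
    } else {
        push_rule( $chainref, $rule );
    }
}
```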
@@ -445,54 +548,26 @@ sub add_rule($$;$) # # By post-processing each rule generated by expand_rule(), we avoid all of that # messiness and replace it with the following localized messiness. - # - # Because source ports are seldom specified and source port lists are rarer still, - # we only worry about the destination ports. - # - if ( $expandports && $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) { - # - # Rule has a --dports specification - # - my ($first, $ports, $rest) = ( $1, $2, $3 ); - - if ( ( $ports =~ tr/:,/:,/ ) > 14 ) { + + if ( $expandports ) { + if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) { # - # More than 15 ports specified + # Rule has a --dports specification # - my @ports = split '([,:])', $ports; - - while ( @ports ) { - my $count = 0; - my $newports = ''; - - while ( @ports && $count < 15 ) { - my ($port, $separator) = ( shift @ports, shift @ports ); - - $separator ||= ''; - - if ( ++$count == 15 ) { - if ( $separator eq ':' ) { - unshift @ports, $port, ':'; - chop $newports; - last; - } else { - $newports .= $port; - } - } else { - $newports .= "${port}${separator}"; - } - } - - push_rule ( $chainref, join( '', $first, $newports, $rest ) ); - } + handle_dport_list( $chainref, $rule, $1, $2, $3 ) + } elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) { + # + # Rule has a --sports specification + # + handle_sport_list( $chainref, $rule, $1, $2, $3 ) } else { push_rule ( $chainref, $rule ); } } else { - push_rule ( $chainref, $rule ); + push_rule( $chainref, $rule ); } } - + # # Add a jump from the chain represented by the reference in the first argument to # the target in the second argument. The optional third argument specifies any @@ -533,7 +608,7 @@ sub add_jump( $$$;$ ) { # # Chain reference , Rule Number, Rule # -sub insert_rule($$$) +sub insert_rule1($$$) { my ($chainref, $number, $rule) = @_; 
@@ -541,13 +616,29 @@ sub insert_rule($$$) $rule .= "-m comment --comment \"$comment\"" if $comment; - splice( @{$chainref->{rules}}, $number - 1, 0, join( ' ', '-A', $rule ) ); + splice( @{$chainref->{rules}}, $number, 0, join( ' ', '-A', $rule ) ); $iprangematch = 0; $chainref->{referenced} = 1; } +sub insert_rule($$$) { + my ($chainref, $number, $rule) = @_; + + insert_rule1( $chainref, $number - 1, $rule ); +} + +# +# Insert a tunnel rule into the passed chain. Tunnel rules are inserted sequentially +# at the beginning of the 'NEW' section. +# +sub add_tunnel_rule( $$ ) { + my ( $chainref, $rule ) = @_; + + insert_rule1( $chainref, $chainref->{new}++, $rule ); +} + # # Move the rules from one chain to another # @@ -756,6 +847,14 @@ sub dnat_chain( $ ) $_[0] . '_dnat'; } +# +# Notrack Chain from a zone +# +sub notrack_chain( $ ) +{ + $_[0] . '_notrk'; +} + # # SNAT Chain to an interface # @@ -881,6 +980,16 @@ sub ensure_nat_chain($) { $chainref; } +sub ensure_raw_chain($) { + my $chain = $_[0]; + + my $chainref = ensure_chain 'raw', $chain; + + $chainref->{referenced} = 1; + + $chainref; +} + # # Add a builtin chain # @@ -1060,6 +1169,9 @@ sub finish_chain_section ($$) { add_jump $chainref, $synchainref, 0, "-p tcp --syn "; } } + + $chainref->{new} = @{$chainref->{rules}}; + } $comment = $savecomment; @@ -1092,7 +1204,7 @@ sub set_mss1( $$ ) { if ( $chainref->{policy} ne 'NONE' ) { my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; - insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" + insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" } } @@ -1817,7 +1929,7 @@ sub log_rule_limit( $$$$$$$$ ) { if ( $command eq 'add' ) { add_rule ( $chainref, $predicates . $prefix , 1 ); } else { - insert_rule ( $chainref , 1 , $predicates . $prefix ); + insert_rule1 ( $chainref , 0 , $predicates . $prefix ); } } 
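Review bot: add_tunnel_rule relies on `$chainref->{new}` staying a valid offset into the rules array, but insert_rule1 never adjusts it, so any later `insert_rule1( $chainref, 0, ... )` on the same chain (set_mss1, accounting and log_rule_limit are switched to that form in this diff) shifts the array and the saved offset then lands one rule short of the end that finish_chain_section recorded. Whether that is reachable depends on when setup_tunnels runs relative to those inserts, which is outside this hunk; if the tunnel rules must follow the whole section, insert_rule1 should keep the offset in step (bump `$chainref->{new}` after the splice when `$number <= $chainref->{new}`), with add_tunnel_rule then passing `$chainref->{new}` instead of post-incrementing it. A one-line comment on `{new}` saying it is a 0-based offset maintained by finish_chain_section would also help, since the same hash key name means "new connection section" elsewhere.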
@@ -1935,7 +2047,7 @@ sub get_interface_gateway ( $ ) { my $variable = interface_gateway( $interface ); - my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway'; + my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway'; if ( interface_is_optional $interface ) { $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n); @@ -2457,6 +2569,18 @@ sub expand_rule( $$$$$$$$$$$ ) # # If the destination chain exists, then at the end of the source chain add a jump to the destination. # +sub addrawjump( $$$ ) { + my ( $source , $dest, $predicates ) = @_; + + my $destref = $raw_table->{$dest} || {}; + + if ( $destref->{referenced} ) { + add_rule $raw_table->{$source} , $predicates . "-j $dest"; + } else { + clearrule; + } +} + sub addnatjump( $$$ ) { my ( $source , $dest, $predicates ) = @_; diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index b911e3c0b..ac76de363 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -38,11 +38,12 @@ use Shorewall::Rules; use Shorewall::Proc; use Shorewall::Proxyarp; use Shorewall::IPAddrs; +use Shorewall::Raw; our @ISA = qw(Exporter); our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); our @EXPORT_OK = qw( $export ); -our $VERSION = 4.2.4; +our $VERSION = 4.2.6; our $export; @@ -52,6 +53,10 @@ our $reused = 0; our $family = F_IPV4; +our $rtc; + +use constant { NORTC => 1, RTCONLY => 2 }; + # # Reinitilize the package-globals in the other modules # 
@@ -284,45 +289,43 @@ EOF ;; esac - if [ -z "$RTCONLY" ]; then - if [ "$RESTOREFILE" = NONE ]; then - COMMAND=clear - clear_firewall - echo "$PRODUCT Cleared" + if [ "$RESTOREFILE" = NONE ]; then + COMMAND=clear + clear_firewall + echo "$PRODUCT Cleared" + + kill $$ + exit 2 + else + RESTOREPATH=${VARDIR}/$RESTOREFILE + + if [ -x $RESTOREPATH ]; then + + if [ -x ${RESTOREPATH}-ipsets ]; then + progress_message2 Restoring Ipsets... + # + # We must purge iptables to be sure that there are no + # references to ipsets + # + for table in mangle nat filter; do + do_iptables -t $table -F + do_iptables -t $table -X + done + + ${RESTOREPATH}-ipsets + fi + + echo Restoring ${PRODUCT:=Shorewall}... + + if $RESTOREPATH restore; then + echo "$PRODUCT restored from $RESTOREPATH" + set_state "Started" + else + set_state "Unknown" + fi kill $$ exit 2 - else - RESTOREPATH=${VARDIR}/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - - if [ -x ${RESTOREPATH}-ipsets ]; then - progress_message2 Restoring Ipsets... - # - # We must purge iptables to be sure that there are no - # references to ipsets - # - for table in mangle nat filter; do - do_iptables -t $table -F - do_iptables -t $table -X - done - - ${RESTOREPATH}-ipsets - fi - - echo Restoring ${PRODUCT:=Shorewall}... - - if $RESTOREPATH restore; then - echo "$PRODUCT restored from $RESTOREPATH" - set_state "Started" - else - set_state "Unknown" - fi - - kill $$ - exit 2 - fi fi fi ;; 
@@ -333,78 +336,66 @@ EOF STOPPING="Yes" TERMINATOR= -EOF - emit ' if [ -n "$RTCONLY" ]; then'; - push_indent; - emit( ' delete_tc1' ) if $config{CLEAR_TC}; + deletechain shorewall - emit( ' undo_routing', - ' restore_default_route' - ); - pop_indent; - emit <<'EOF'; - else - deletechain shorewall - - run_stop_exit + run_stop_exit EOF if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) { emit <<'EOF'; - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt1 $IPTABLES -t mangle -P $chain ACCEPT - done + run_iptables -t mangle -F + run_iptables -t mangle -X + for chain in PREROUTING INPUT FORWARD POSTROUTING; do + qt1 $IPTABLES -t mangle -P $chain ACCEPT + done EOF } if ( $capabilities{RAW_TABLE} ) { if ( $family == F_IPV4 ) { emit <<'EOF'; - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt1 $IPTABLES -t raw -P $chain ACCEPT - done + run_iptables -t raw -F + run_iptables -t raw -X + for chain in PREROUTING OUTPUT; do + qt1 $IPTABLES -t raw -P $chain ACCEPT + done EOF } else { emit <<'EOF'; - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt1 $IP6TABLES -t raw -P $chain ACCEPT - done + run_iptables -t raw -F + run_iptables -t raw -X + for chain in PREROUTING OUTPUT; do + qt1 $IP6TABLES -t raw -P $chain ACCEPT + done EOF } } if ( $capabilities{NAT_ENABLED} ) { emit <<'EOF'; - delete_nat - for chain in PREROUTING POSTROUTING OUTPUT; do - qt1 $IPTABLES -t nat -P $chain ACCEPT - done + delete_nat + for chain in PREROUTING POSTROUTING OUTPUT; do + qt1 $IPTABLES -t nat -P $chain ACCEPT + done EOF } if ( $family == F_IPV4 ) { emit <<'EOF'; - if [ -f ${VARDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i $external -d $address pub - [ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface - f=/proc/sys/net/ipv4/conf/$interface/proxy_arp - [ -f $f ] && echo 0 > $f - done < 
${VARDIR}/proxyarp - fi + if [ -f ${VARDIR}/proxyarp ]; then + while read address interface external haveroute; do + qt arp -i $external -d $address pub + [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + f=/proc/sys/net/ipv4/conf/$interface/proxy_arp + [ -f $f ] && echo 0 > $f + done < ${VARDIR}/proxyarp + fi - rm -f ${VARDIR}/proxyarp + rm -f ${VARDIR}/proxyarp EOF } - push_indent; push_indent; emit 'delete_tc1' if $config{CLEAR_TC}; @@ -428,7 +419,7 @@ EOF ); for my $hosts ( @$criticalhosts ) { - my ( $interface, $host ) = ( split /\|/, $hosts ); + my ( $interface, $host, $seq ) = ( split /\|/, $hosts ); my $source = match_source_net $host; my $dest = match_dest_net $host; @@ -454,7 +445,7 @@ EOF ); for my $hosts ( @$criticalhosts ) { - my ( $interface, $host ) = ( split /:/, $hosts ); + my ( $interface, $host , $seq ) = ( split /|/, $hosts ); my $source = match_source_net $host; my $dest = match_dest_net $host; @@ -558,14 +549,12 @@ EOF } } - emit( '', - 'run_stopped_exit' , - 'set_state "Stopped"' ); + emit 'run_stopped_exit'; pop_indent; - pop_indent; - emit ' fi + emit ' + set_state "Stopped" logger -p kern.info "$PRODUCT Stopped" 
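Review bot: `split /|/, $hosts` in the second criticalhosts loop (the `@@ -454` hunk) is an empty alternation, which matches the empty string and splits `$hosts` into single characters, so `$interface` and `$host` each receive one character; the IPv4 loop two hunks up uses the escaped form. The line should read `my ( $interface, $host , $seq ) = ( split /\|/, $hosts );`. The enclosing compile_stop_firewall body starts and ends outside this hunk, and `$seq` is unpacked in both loops without being used within them.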
@@ -586,65 +575,78 @@ EOF } # -# Second Phase of Script Generation +# Compile stop_rtc() # -# copies the 'prog.functions' file into the script and generates -# the first part of 'setup_common_rules()' -# -# The bulk of that function is produced by the various config file -# parsing routines that are called directly out of 'compiler()'. -# -# Note: This function is not called when $command eq 'check'. So it must have no side effects other -# than those related to writing to the object file. -# -sub generate_script_2 () { +sub compile_stop_rtc() { - unless ( $test ) { - if ( $family == F_IPV4 ) { - copy $globals{SHAREDIRPL} . 'prog.functions'; - } else { - copy $globals{SHAREDIRPL} . 'prog.functions6'; - } - } + emit <<'EOF'; +# +# Stop/restore RTC after an error or because of a 'stop' or 'clear' command +# +stop_rtc() { - emit( "\n#", - '# Setup Common Rules (/proc)', - '#', - 'setup_common_rules() {' - ); + case $COMMAND in + stop|clear|restore) + ;; + *) + set +x + case $COMMAND in + start) + logger -p kern.err "ERROR:$PRODUCT start failed" + ;; + restart) + logger -p kern.err "ERROR:$PRODUCT restart failed" + ;; + restore) + logger -p kern.err "ERROR:$PRODUCT restore failed" + ;; + esac + ;; + esac + + STOPPING="Yes" + + TERMINATOR= + + run_stop_exit +EOF push_indent; -} + emit 'delete_tc1'; -# -# Third step of script generation -# -# - End the setup_common() function -# - Start setup_routing_and_traffic_shaping() -# -sub generate_script_3 () { + emit( 'undo_routing', + 'restore_default_route' + ); + + emit 'run_stopped_exit'; pop_indent; - emit '}'; + emit ' + logger -p kern.info "$PRODUCT Stopped" - emit( "\n#", - '# Setup routing and traffic shaping', - '#', - 'setup_routing_and_traffic_shaping() {' - ); - - push_indent; + case $COMMAND in + stop|clear) + ;; + *) + # + # RTC is being stopped when we were trying to do something + # else. 
Kill the shell in case we\'re running in a subshell + # + kill $$ + ;; + esac +} +'; } # -# Fourth (final) stage of script generation. +# Final stage of script generation. # -# Generate the end of 'setup_routing_and_traffic_shaping()': -# Generate code for loading the various files in /var/lib/shorewall[-lite] -# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES +# Generate code for loading the various files in /var/lib/shorewall[-lite] +# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES # # Generate the 'setup_netfilter()' function that runs iptables-restore. # Generate the 'define_firewall()' function. @@ -652,23 +654,27 @@ sub generate_script_3 () { # Note: This function is not called when $command eq 'check'. So it must have no side effects other # than those related to writing to the object file. # -sub generate_script_4($) { +sub generate_script_2($) { - pop_indent; + unless ( $rtc == RTCONLY ) { + if ( $family == F_IPV4 ) { + progress_message2 "Creating iptables-restore input..."; + } else { + progress_message2 "Creating ip6tables-restore input..."; + } - emit "}\n"; - - if ( $family == F_IPV4 ) { - progress_message2 "Creating iptables-restore input..."; - } else { - progress_message2 "Creating ip6tables-restore input..."; + create_netfilter_load( $test ); + create_chainlist_reload( $_[0] ); } - create_netfilter_load( $test ); - create_chainlist_reload( $_[0] ); - emit "#\n# Start/Restart the Firewall\n#"; - emit 'define_firewall() {'; + + if ( $rtc == RTCONLY ) { + emit 'define_rtc() {'; + } else { + emit 'define_firewall() {'; + } + push_indent; save_progress_message 'Initializing...'; 
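Review bot: In the generated stop_rtc(), the inner `restore) logger -p kern.err "ERROR:$PRODUCT restore failed"` arm can never run, because the outer `case $COMMAND in stop|clear|restore)` already swallows restore before the error branch is reached. The closing `case $COMMAND in stop|clear) ;; *) kill $$` at the end of the same function does treat restore as the error path, so the first case looks like the one that is off. Either drop `restore` from the outer pattern so a failed restore is logged, or delete the dead arm so the two cases agree.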
@@ -692,144 +698,134 @@ sub generate_script_4($) { emit 'load_kernel_modules Yes'; } - emit ( '', - 'if [ -n "$RTCONLY" ]; then' , - ' delete_tc1' , - 'else' ); + unless ( $rtc == RTCONLY ) { + if ( $family == F_IPV4 ) { + emit ( '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IPTABLES -N foox1234', + 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IPTABLES -F foox1234', + 'qt1 $IPTABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', + '' ); - push_indent; - - if ( $family == F_IPV4 ) { - emit ( '#', - '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IPTABLES -N foox1234', - 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IPTABLES -F foox1234', - 'qt1 $IPTABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', - '' ); - - for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", - 'if [ -n "$addr" ]; then', - ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', - ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', - ' if in_network $addr $network; then', - " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. 
Interface:$interface\"", - ' fi', - ' done', - "fi\n" ); - } + for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { + emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", + 'if [ -n "$addr" ]; then', + ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', + ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', + ' if in_network $addr $network; then', + " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"", + ' fi', + ' done', + "fi\n" ); + } - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', - '', - 'delete_proxyarp', - '' - ); - - if ( $capabilities{NAT_ENABLED} ) { - emit( 'if [ -f ${VARDIR}/nat ]; then', - ' while read external interface; do', - ' del_ip_addr $external $interface', - ' done < ${VARDIR}/nat', + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', '', - ' rm -f ${VARDIR}/nat', - "fi\n" ); + 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', + '', + 'delete_proxyarp', + '' + ); + + if ( $capabilities{NAT_ENABLED} ) { + emit( 'if [ -f ${VARDIR}/nat ]; then', + ' while read external interface; do', + ' del_ip_addr $external $interface', + ' done < ${VARDIR}/nat', + '', + ' rm -f ${VARDIR}/nat', + "fi\n" ); + } + + emit "disable_ipv6\n" if $config{DISABLE_IPV6}; + + } else { + emit ( '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IP6TABLES -N foox1234', + 'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IP6TABLES -F foox1234', + 'qt1 $IP6TABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. 
No version of Shorewall6 will run on this system"', + '' ); + + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', + '', + 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', + '' + ); + } - - emit "disable_ipv6\n" if $config{DISABLE_IPV6}; - - } else { - emit ( '#', - '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IP6TABLES -N foox1234', - 'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IP6TABLES -F foox1234', - 'qt1 $IP6TABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"', - '' ); - - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', - '' - ); - } - emit qq([ -n "\$NORTC" ] && delete_tc1\n) if $config{CLEAR_TC}; - - pop_indent; - - emit 'fi'; + unless ( $rtc == NORTC ) { + emit qq(delete_tc1\n) if $config{CLEAR_TC}; + } set_global_variables; emit ''; - emit( '[ -n "$RTCONLY" ] || setup_common_rules', - '', - '[ -n "$NORTC" ] || setup_routing_and_traffic_shaping', - '', - 'if [ -z "$RTCONLY" ]; then' ); + emit( 'setup_common_rules', '' ) unless $rtc == RTCONLY; - push_indent; + emit( 'setup_routing_and_traffic_shaping', '' ) unless $rtc == NORTC; - emit 'cat > ${VARDIR}/proxyarp << __EOF__'; - dump_proxy_arp; - emit_unindented '__EOF__'; + unless ( $rtc == RTCONLY ) { + emit 'cat > ${VARDIR}/proxyarp << __EOF__'; + dump_proxy_arp; + emit_unindented '__EOF__'; + + emit( '', + 'if [ "$COMMAND" != refresh ]; then' ); + + push_indent; + + emit 'cat > ${VARDIR}/zones << __EOF__'; + dump_zone_contents; + emit_unindented '__EOF__'; - emit( '', - 'if [ "$COMMAND" != refresh ]; then' ); - - push_indent; - - emit 'cat > ${VARDIR}/zones << __EOF__'; - 
dump_zone_contents; - emit_unindented '__EOF__'; + pop_indent; - pop_indent; + emit "fi\n"; - emit "fi\n"; + emit '> ${VARDIR}/nat'; - emit '> ${VARDIR}/nat'; - - add_addresses; + add_addresses; - emit( '', - 'if [ $COMMAND = restore ]; then', - ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', - ' if [ -f $iptables_save_file ]; then' ); - - if ( $family == F_IPV4 ) { - emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' - } else { - emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' - } - - emit<<'EOF'; + emit( '', + 'if [ $COMMAND = restore ]; then', + ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', + ' if [ -f $iptables_save_file ]; then' ); + + if ( $family == F_IPV4 ) { + emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' + } else { + emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' + } + + emit<<'EOF'; else fatal_error "$iptables_save_file does not exist" fi EOF - pop_indent; - setup_forwarding( $family ); - push_indent; - emit<<'EOF'; + pop_indent; + setup_forwarding( $family ); + push_indent; + emit<<'EOF'; set_state "Started" run_restored_exit else if [ $COMMAND = refresh ]; then chainlist_reload EOF - setup_forwarding( $family ); - emit<<'EOF'; + setup_forwarding( $family ); + emit<<'EOF'; run_refreshed_exit do_iptables -N shorewall set_state "Started" @@ -838,8 +834,8 @@ EOF restore_dynamic_rules conditionally_flush_conntrack EOF - setup_forwarding( $family ); - emit<<'EOF'; + setup_forwarding( $family ); + emit<<'EOF'; run_start_exit do_iptables -N shorewall set_state "Started" @@ -848,14 +844,12 @@ EOF [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore fi - -date > ${VARDIR}/restarted EOF - pop_indent; + } - emit 'fi'; emit<<'EOF'; + date > ${VARDIR}/restarted case $COMMAND in start) 
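Review bot: The norfc1918 sanity check emitted in this hunk tests `10.0.0.0/8 176.16.0.0/12 192.168.0.0/16`, but the RFC 1918 block is 172.16.0.0/12; 176.16.0.0/12 is public address space. As written, an interface numbered from 172.16/12 that carries the 'norfc1918' option never gets the warning, while one in 176.16/12 is flagged in error. The line is re-indented but otherwise carried over from the old code and should read `' for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. The enclosing generate_script_2 continues outside the hunk.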
@@ -898,6 +892,7 @@ sub compiler { $export = 0; $test = 0; + $rtc = 1; sub edit_boolean( $ ) { my $val = numeric_value( shift ); @@ -914,6 +909,11 @@ sub compiler { defined($val) && ($val == F_IPV4 || $val == F_IPV6); } + sub edit_rtc( $ ) { + my $val = numberic_value( shift ); + defined($val) && ($val == 0 || $val == NORTC || $val == RTCONLY); + } + my %parms = ( object => { store => \$objectfile }, directory => { store => \$directory }, family => { store => \$family , edit => \&edit_family } , @@ -925,18 +925,21 @@ sub compiler { log => { store => \$log }, log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } , test => { store => \$test }, + rtc => { store => \$rtc , edit => \&edit_rtc } , ); - + # + # P A R A M E T E R P R O C E S S I N G + # while ( defined ( my $name = shift ) ) { fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name}; fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ; if ( $ref->{edit} ) { fatal_error "Invalid value ( $val ) supplied for parameter $name" unless $ref->{edit}->($val); } - + ${$ref->{store}} = $val; } - + reinitialize if $reused++ || $family == F_IPV6; if ( $directory ne '' ) { @@ -949,7 +952,7 @@ sub compiler { set_timestamp( $timestamp ); set_debug( $debug ); # - # Get shorewall.conf and capabilities. + # S H O R E W A L L . C O N F A N D C A P A B I L I T I E S # get_configuration( $export ); @@ -960,14 +963,13 @@ sub compiler { require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS}; require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT}; - + set_command( 'check', 'Checking', 'Checked' ) unless $objectfile; initialize_chain_table; unless ( $command eq 'check' ) { create_temp_object( $objectfile , $export ); - generate_script_1; } # 
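Review bot: `$rtc = 1;` initialises rtc to the same value as the NORTC constant declared earlier in this diff (`NORTC => 1`), so a caller that omits the rtc parameter compiles with the routing/traffic-shaping phase skipped and `setup_routing_and_traffic_shaping` never emitted. If the intended default is the full compile, this should be `$rtc = 0;`, the value edit_rtc accepts for it; if compiler.pl always passes rtc, a comment saying so would stop the next reader from tripping on it. compiler.pl's change is not in this chunk, so I cannot confirm which is meant.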
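Review bot: edit_rtc calls `numberic_value`, which does not exist — the sibling edit_boolean directly above uses `numeric_value` — so the first compile that passes an rtc parameter dies at run time with an undefined-subroutine error instead of validating the value. The line should read `my $val = numeric_value( shift );`. The check also compares against a bare `0` beside the named NORTC and RTCONLY; a third constant for the default would make the three-way test self-describing.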
@@ -975,129 +977,207 @@ sub compiler { # run_user_exit1 'compile'; # - # Process the zones file. + # Z O N E D E F I N I T I O N + # (Produces no output to the compiled script) # - determine_zones; - # - # Process the interfaces file. - # - validate_interfaces_file ( $export ); - # - # Process the hosts file. - # - validate_hosts_file; - # - # Report zone contents - # - zone_report; - # - # Do action pre-processing. - # - process_actions1; - # - # Process the Policy File. - # - validate_policy; - # - # Compile the 'stop_firewall()' function - # - compile_stop_firewall; - # - # Start Second Part of script -- Begin setup_common_rules() { - # - generate_script_2 unless $command eq 'check'; - # - # Do all of the zone-independent stuff - # - add_common_rules; - # - # /proc stuff - # - if ( $family == F_IPV4 ) { - setup_arp_filtering; - setup_route_filtering; - setup_martian_logging; + unless ( $rtc == RTCONLY ) { + determine_zones; + # + # Process the interfaces file. + # + validate_interfaces_file ( $export ); + # + # Process the hosts file. + # + validate_hosts_file; + # + # Report zone contents + # + zone_report; + # + # Do action pre-processing. 
+ # + process_actions1; + # + # P O L I C Y + # (Produces no output to the compiled script) + # + validate_policy; } - - setup_source_routing($family); # - # Proxy Arp/Ndp + # I N I T I A L I Z E + # (Writes the initialize() function to the compiled script) # - setup_proxy_arp; - # - # Handle MSS setings in the zones file - # - setup_zone_mss; - # - # Finish setup_common_rules() and start setup_routing_and_traffic_shaping() { - # - generate_script_3; - # - # [Re-]establish Routing - # - setup_providers; - # - # TOS - # - process_tos; - - if ( $family == F_IPV4 ) { - # - # ECN - # - setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - # - # Setup Masquerading/SNAT - # - setup_masq; + unless ( $command eq 'check' ) { + enable_object; + generate_script_1; + disable_object; } + # + # S T O P _ F I R E W A L L + # (Writes the stop_firewall() function to the compiled script) + # + unless ( $command eq 'check' ) { + enable_object; + + if ( $rtc == RTCONLY ) { + compile_stop_rtc; + } else { + compile_stop_firewall; + } + + disable_object; + } + # + # C O M M O N _ R U L E S + # (Writes the setup_common_rules() function to the compiled script) + # + if ( $rtc != RTCONLY ) { + enable_object; + unless ( $command eq 'check' ) { + unless ( $test ) { + if ( $family == F_IPV4 ) { + copy $globals{SHAREDIRPL} . 'prog.functions'; + } else { + copy $globals{SHAREDIRPL} . 
'prog.functions6'; + } + } + + emit( "\n#", + '# Setup Common Rules (/proc)', + '#', + 'setup_common_rules() {' + ); + + push_indent; + } + # + # Do all of the zone-independent stuff + # + add_common_rules; + # + # /proc stuff + # + if ( $family == F_IPV4 ) { + setup_arp_filtering; + setup_route_filtering; + setup_martian_logging; + } + + setup_source_routing($family); + # + # Proxy Arp/Ndp + # + setup_proxy_arp; + # + # Handle MSS setings in the zones file + # + setup_zone_mss; + + unless ( $command eq 'check' ) { + pop_indent; + emit '}'; + } + + disable_object; + } # - # MACLIST Filtration + # R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G + # (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # - setup_mac_lists 1; + unless ( $rtc == NORTC ) { + enable_object; + + unless ( $command eq 'check' ) { + emit( "\n#", + '# Setup routing and traffic shaping', + '#', + 'setup_routing_and_traffic_shaping() {' + ); + + push_indent; + } + # + # [Re-]establish Routing + # + setup_providers; + # + # TCRules and Traffic Shaping + # + setup_tc; + + unless ( $command eq 'check' ) { + pop_indent; + emit "}\n"; + } + + disable_object; + } # - # Process the rules file. + # N E T F I L T E R + # (Produces no output to the compiled script) # - process_rules; - # - # Add Tunnel rules. - # - setup_tunnels; - # - # Post-rules action processing. - # - process_actions2; - process_actions3; - # - # MACLIST Filtration again - # - setup_mac_lists 2; - # - # Apply Policies - # - apply_policy_rules; - # - # TCRules and Traffic Shaping - # - setup_tc; - # - # Setup Nat - # - setup_nat; - # - # Setup NETMAP - # - setup_netmap; - # - # Accounting. - # - setup_accounting; - # - # We generate the matrix even though we don't write out the rules. That way, we insure that - # a compile of the script won't blow up during that step. 
- # - generate_matrix; + unless ( $rtc == RTCONLY ) { + process_tos; + + if ( $family == F_IPV4 ) { + # + # ECN + # + setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; + # + # Setup Masquerading/SNAT + # + setup_masq; + } + + # + # MACLIST Filtration + # + setup_mac_lists 1; + # + # Process the rules file. + # + process_rules; + # + # Add Tunnel rules. + # + setup_tunnels; + # + # Post-rules action processing. + # + process_actions2; + process_actions3; + # + # MACLIST Filtration again + # + setup_mac_lists 2; + # + # Apply Policies + # + apply_policy_rules; + + if ( $family == F_IPV4 ) { + # + # Setup Nat + # + setup_nat; + # + # Setup NETMAP + # + setup_netmap; + } + # + # Accounting. + # + setup_accounting; + # + # We generate the matrix even though we don't write out the rules. That way, we insure that + # a compile of the script won't blow up during that step. + # + generate_matrix; + } if ( $command eq 'check' ) { if ( $family == F_IPV4 ) { @@ -1109,7 +1189,8 @@ sub compiler { # # Finish the script. # - generate_script_4( $chains ); + enable_object; + generate_script_2( $chains ); finalize_object ( $export ); # # And generate the auxilary config file diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 19ede128f..b5c78e2d1 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -54,6 +54,8 @@ our @EXPORT = qw( our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); our %EXPORT_TAGS = ( internal => [ qw( create_temp_object + disable_object + enable_object finalize_object numeric_value numeric_value1 @@ -80,6 +82,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object set_debug find_file split_list + split_list1 split_line split_line1 first_entry @@ -142,6 +145,8 @@ our $timestamp; # Object file handle # our $object; + +our $object_enabled; # # True, if last line emitted is blank # 
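Review bot: With `$rtc == RTCONLY` the zone, interface and hosts passes (determine_zones, validate_interfaces_file, validate_hosts_file) are skipped, yet setup_providers and setup_tc still run in the ROUTING_AND_TRAFFIC_SHAPING block; if either consults the interface table (the providers file names an interface per provider), it would be working from an empty table in that mode, which is worth confirming against Providers.pm and Tc.pm since neither is in this chunk. On style, the same guard is written three ways (`unless ( $rtc == RTCONLY )`, `if ( $rtc != RTCONLY )`, `unless ( $rtc == NORTC )`); settling on one form, or two small predicates such as `sub rtc_only() { $rtc == RTCONLY }`, would make the phase boundaries read uniformly. compiler() starts and ends outside this hunk.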
@@ -293,6 +298,7 @@ sub initialize( $ ) { $log_verbose = -1; # Verbosity of log. $timestamp = ''; # If true, we are to timestamp each progress message $object = 0; # Object (script) file Handle Reference + $object_enabled = 0; # Write to object file is disabled. $lastlineblank = 0; # Avoid extra blank lines in the output $indent1 = ''; # Current indentation $indent2 = ''; # Current indentation @@ -310,7 +316,8 @@ sub initialize( $ ) { LOGPARMS => '', TC_SCRIPT => '', EXPORT => 0, - VERSION => "4.3.6", + UNTRACKED => 0, + VERSION => "4.2.6", CAPVERSION => 40205 , ); @@ -416,6 +423,7 @@ sub initialize( $ ) { NULL_ROUTE_RFC1918 => undef , USE_DEFAULT_RT => undef , RESTORE_DEFAULT_ROUTE => undef , + FAST_STOP => undef , # # Packet Disposition # @@ -738,6 +746,8 @@ sub in_hex8( $ ) { # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines. # sub emit { + fatal_error 'Internal Error in emit' unless $object_enabled; + if ( $object ) { # # 'compile' as opposed to 'check' @@ -762,6 +772,7 @@ sub emit { # Write passed message to the object with newline but no indentation. # sub emit_unindented( $ ) { + fatal_error 'Internal Error in emit_unindented' unless $object_enabled; print $object "$_[0]\n" if $object; } 
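Review bot: The new guard `fatal_error 'Internal Error in emit' unless $object_enabled;` can be tripped by any of the many emit callers, but the message gives no hint of which one, and because it runs before the `if ( $object )` test it also fires under `check`, where nothing would have been written anyway. That is a defensible choice, but whoever hits it will want the call site, e.g. `my ( undef, $file, $line ) = caller; fatal_error "Internal Error in emit (called from $file:$line)" unless $object_enabled;`. The same applies to the identical guards added to `emit_unindented`, `copy` and `copy1`. The body of `emit` continues outside this hunk.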
@@ -840,26 +851,28 @@ sub timestamp() { sub progress_message { my $havelocaltime = 0; - if ( $verbose > 1 ) { - timestamp, $havelocaltime = 1 if $timestamp; - # - # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession). - # The following makes such messages look more readable and uniform - # + if ( $verbose > 1 || $log_verbose > 1 ) { my $line = "@_"; + my $leading = $line =~ /^(\s+)/ ? $1 : ''; $line =~ s/\s+/ /g; - print "$line\n"; - } - if ( $log_verbose > 1 ) { - our @localtime; + if ( $verbose > 1 ) { + timestamp, $havelocaltime = 1 if $timestamp; + # + # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession). + # The following makes such messages look more readable and uniform + # + print "${leading}${line}\n"; + } - @localtime = localtime unless $havelocaltime; + if ( $log_verbose > 1 ) { + our @localtime; - printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; - my $line = "@_"; - $line =~ s/\s+/ /g; - print $log "$line\n"; + @localtime = localtime unless $havelocaltime; + + printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; + print $log "${leading}${line}\n"; + } } } @@ -951,6 +964,8 @@ sub pop_indent() { # Functions for copying files into the object # sub copy( $ ) { + fatal_error 'Internal Error in copy' unless $object_enabled; + if ( $object ) { my $file = $_[0]; @@ -981,6 +996,8 @@ sub copy( $ ) { # This one handles line continuation and 'here documents' sub copy1( $ ) { + fatal_error 'Internal Error in copy1' unless $object_enabled; + if ( $object ) { my $file = $_[0]; @@ -1058,6 +1075,20 @@ sub create_temp_object( $$ ) { } +# +# Enable writing to object +# +sub enable_object() { + $object_enabled = 1; +} + +# +# Disable writing to object +# +sub disable_object() { + $object_enabled = 0; +} + # # Finalize the object file # 
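Review bot: `$leading` is captured before `$line =~ s/\s+/ /g;` runs, and that substitution also collapses the leading run to a single space, so `print "${leading}${line}\n"` writes the original indentation plus one extra blank; every indented progress message gains a space compared with the pre-patch output, and the same doubled prefix goes to the log via `print $log "${leading}${line}\n"`. Capturing and stripping in one step avoids it: `my $leading = $line =~ s/^(\s+)// ? $1 : '';`. If preserving the caller's exact indentation is the intent, a one-line comment on the `$leading` line saying so would also help, since the original comment about tab-laden config images now sits below the substitution it explains.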
@@ -1132,6 +1163,33 @@ sub split_list( $$ ) { split /,/, $list; } +sub split_list1( $$ ) { + my ($list, $type ) = @_; + + fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/; + + my @list1 = split /,/, $list; + my @list2; + my $element = ''; + + for ( @list1 ) { + if ( /\(/ ) { + fatal_error "Invalid $type list ($list)" if $element; + $element = $_; + } elsif ( /\)$/ ) { + fatal_error "Invalid $type list ($list)" unless $element; + push @list2, join ',', $element, $_; + $element = ''; + } elsif ( $element ) { + $element = join ',', $element , $_; + } else { + push @list2 , $_; + } + } + + @list2; +} + # # Pre-process a line from a configuration file. @@ -2229,8 +2287,6 @@ sub get_configuration( $ ) { $globals{TC_SCRIPT} = $file; } elsif ( $val eq 'internal' ) { $config{TC_ENABLED} = 'Internal'; - } elsif ( $val eq 'rtc' ) { - $config{TC_ENABLED} = 'RTC'; } else { fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no'; $config{TC_ENABLED} = ''; diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index d0598a2e0..5e7f23ca2 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -123,7 +123,7 @@ sub setup_route_filtering() { emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; } - emit "[ -n \"\$NORTC\" ] || ip -4 route flush cache"; + emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; } } diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index 15d5b2d70..85059a27f 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) { } unless ( $haveroute ) { - emit "run_ip route replace $address dev $interface"; + emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"; $haveroute = 1 if $persistent; } 
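Review bot: An element that both opens and closes a parenthesised group, such as `flow=(src)`, matches the first test `/\(/`, is stored in `$element` and is never pushed to `@list2`; the loop also finishes silently when a group is opened and never closed, so `split_list1 'classify,flow=(dst)', 'option'` returns just `classify` and the device ends up without a flow key. Handle the self-contained case first and reject a dangling `$element` after the loop, as below. Because `validate_tc_device` and `validate_tc_class` both route their options through this helper, the dropped option only shows up as a missing `tc filter` line in the generated script.
```perl
    for ( @list1 ) {
        if ( /\(.*\)$/ ) {
            # self-contained group, e.g. 'flow=(src)'
            fatal_error "Invalid $type list ($list)" if $element;
            push @list2, $_;
        } elsif ( /\(/ ) {
            fatal_error "Invalid $type list ($list)" if $element;
            $element = $_;
        # ... unchanged: closing-paren, continuation and plain-element branches ...
        }
    }

    fatal_error "Invalid $type list ($list)" if $element;   # unterminated group

    @list2;
```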
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 1e63961b9..402df9267 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -267,12 +267,14 @@ sub setup_rfc1918_filteration( $ ) { add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT}; + my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW'; + for my $hostref ( @$listref ) { my $interface = $hostref->[0]; my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; for my $chain ( first_chains $interface ) { - add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); + add_rule $filter_table->{$chain} , join( '', "-m state --state $state ", match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); } set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; @@ -335,11 +337,11 @@ sub setup_blacklist() { $disposition , '' ); - progress_message " \"$currentline\" added to blacklist"; + progress_message " \"$currentline\" added to blacklist"; } } - my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; + my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : ''; for my $hostref ( @$hosts ) { my $interface = $hostref->[0]; @@ -356,7 +358,7 @@ sub setup_blacklist() { set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; - progress_message " Blacklisting enabled on ${interface}:${network}"; + progress_message " Blacklisting enabled on ${interface}:${network}"; } } } 
@@ -367,13 +369,15 @@ sub process_criticalhosts() { my $fn = open_file 'routestopped'; + my $seq = 0; + first_entry "$doing $fn for critical hosts..."; while ( read_a_line ) { my $routeback = 0; - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; + my ($interface, $hosts, $options, $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; @@ -381,15 +385,18 @@ sub process_criticalhosts() { my @hosts; + $seq++; + for my $host ( split_list $hosts, 'host' ) { validate_host $host, 1; - push @hosts, "$interface|$host"; + push @hosts, "$interface|$host|$seq"; } unless ( $options eq '-' ) { for my $option (split_list $options, 'option' ) { - unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { + unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' || $option eq 'notrack' ) { if ( $option eq 'critical' ) { + fatal_error "PROTO may not be specified with 'critical'" if $proto ne '-'; push @critical, @hosts; } else { warning_message "Unknown routestopped option ( $option ) ignored"; @@ -404,17 +411,19 @@ sub process_criticalhosts() { sub process_routestopped() { - my ( @allhosts, %source, %dest ); + my ( @allhosts, %source, %dest , %notrack, @rule ); my $fn = open_file 'routestopped'; + my $seq = 0; + first_entry "$doing $fn..."; while ( read_a_line ) { my $routeback = 0; - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; + my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; 
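Review bot: The new check `fatal_error "PROTO may not be specified with 'critical'" if $proto ne '-';` looks only at PROTO, although the same line now also carries PORTS and SPORTS; a `critical` entry with `-` in PROTO but a value in either port column passes here, and whether it is caught later depends on `do_proto` in `process_routestopped`, which is not visible in this hunk and is not run for critical hosts. Checking all three columns keeps the critical-host rule port-free as the message promises: `fatal_error "PROTO, PORT(S) and SOURCE PORT(S) may not be specified with 'critical'" unless $proto eq '-' && $ports eq '-' && $sports eq '-';`. The enclosing loop body continues outside the hunk.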
@@ -422,9 +431,14 @@ sub process_routestopped() { my @hosts; + $seq++; + + my $rule = do_proto( $proto, $ports, $sports ); + for my $host ( split /,/, $hosts ) { validate_host $host, 1; - push @hosts, "$interface|$host"; + push @hosts, "$interface|$host|$seq"; + push @rule, $rule; } unless ( $options eq '-' ) { @@ -445,11 +459,15 @@ sub process_routestopped() { } } elsif ( $option eq 'source' ) { for my $host ( split /,/, $hosts ) { - $source{"$interface|$host"} = 1; + $source{"$interface|$host|$seq"} = 1; } } elsif ( $option eq 'dest' ) { for my $host ( split /,/, $hosts ) { - $dest{"$interface|$host"} = 1; + $dest{"$interface|$host|$seq"} = 1; + } + } elsif ( $option eq 'notrack' ) { + for my $host ( split /,/, $hosts ) { + $notrack{"$interface|$host|$seq"} = 1; } } else { warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; 
@@ -463,34 +481,40 @@ sub process_routestopped() { my $tool = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES'; for my $host ( @allhosts ) { - my ( $interface, $h ) = split /\|/, $host; + my ( $interface, $h, $seq ) = split /\|/, $host; my $source = match_source_net $h; my $dest = match_dest_net $h; my $sourcei = match_source_dev $interface; my $desti = match_dest_dev $interface; + my $rule = shift @rule; - emit "$tool -A INPUT $sourcei $source -j ACCEPT"; - emit "$tool -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED}; + emit "$tool -A INPUT $sourcei $source $rule -j ACCEPT"; + emit "$tool -A OUTPUT $desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED}; my $matched = 0; if ( $source{$host} ) { - emit "$tool -A FORWARD $sourcei $source -j ACCEPT"; + emit "$tool -A FORWARD $sourcei $source $rule -j ACCEPT"; $matched = 1; } if ( $dest{$host} ) { - emit "$tool -A FORWARD $desti $dest -j ACCEPT"; + emit "$tool -A FORWARD $desti $dest $rule -j ACCEPT"; $matched = 1; } + if ( $notrack{$host} ) { + emit "$tool -t raw -A PREROUTING $sourcei $source $rule -j NOTRACK"; + emit "$tool -t raw -A OUTPUT $desti $dest $rule -j NOTRACK"; + } + unless ( $matched ) { for my $host1 ( @allhosts ) { unless ( $host eq $host1 ) { - my ( $interface1, $h1 ) = split /\|/, $host1; + my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1; my $dest1 = match_dest_net $h1; my $desti1 = match_dest_dev $interface1; - emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT"; + emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 $rule -j ACCEPT"; clearrule; } } @@ -511,7 +535,7 @@ sub add_common_rules() { new_standard_chain 'dynamic'; - my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; + my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : ''; add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD ); 
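Review bot: The match `$rule`, built in the earlier hunk from PROTO/PORTS/SPORTS as a host-to-firewall match (presumably `-p … --dport PORTS --sport SPORTS`), is appended unchanged to the `OUTPUT`, `FORWARD … $desti $dest` and `-t raw -A OUTPUT` rules, where the packet travels the other way, so a `--dport` that means "port on the firewall" in the INPUT rule means "port on the host" in those rules; the firewall's own replies (firewall:PORT to host) match none of the emitted ACCEPTs and would have to be admitted by something outside this hunk, which for a host marked `notrack` cannot be a conntrack-state rule. Either emit a reversed match for the dest-side rules (a second `do_proto` call with `$ports` and `$sports` swapped) or document in the routestopped format that PORTS is matched in both directions. Separately, `my $rule = shift @rule;` relies on `@rule` and `@allhosts` having been filled in exactly the same order; keying the match by the `"$interface|$h|$seq"` string, as `%source`/`%dest`/`%notrack` already do, would remove that coupling.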
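Review bot: The nested ternary `$config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : ''` is now duplicated verbatim between `setup_blacklist` and this line in `add_common_rules`, so the static and dynamic blacklist entry points can drift apart the next time the state set changes. A small helper, e.g. `sub blacklist_state_match()` returning that string and called from both places, keeps both blacklist chains matching the same connection states. `add_common_rules` starts and ends outside this hunk.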
@@ -586,6 +610,9 @@ sub add_common_rules() { if ( @$list ) { progress_message2 'Adding Anti-smurf Rules'; + + my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID'; + for my $hostref ( @$list ) { $interface = $hostref->[0]; my $ipsec = $hostref->[1]; @@ -593,7 +620,7 @@ sub add_common_rules() { my $target = source_exclusion( $hostref->[3], $chainref ); for $chain ( first_chains $interface ) { - add_jump $filter_table->{$chain} , $target, 0, join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), $policy ); + add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy ); } set_interface_option $interface, 'use_input_chain', 1; @@ -696,7 +723,7 @@ sub add_common_rules() { $list = find_interfaces_by_option 'upnp'; if ( @$list ) { - progress_message2 '$doing UPnP'; + progress_message2 "$doing UPnP"; new_nat_chain( 'UPnP' ); @@ -737,8 +764,6 @@ sub setup_mac_lists( $ ) { my @maclist_interfaces = ( sort keys %maclist_interfaces ); - progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase..."; - if ( $phase == 1 ) { for my $interface ( @maclist_interfaces ) { 
@@ -828,18 +853,20 @@ sub setup_mac_lists( $ ) { my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $source = match_source_net $hostref->[2]; + my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW'; + if ( $table eq 'filter' ) { my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} ); for my $chain ( first_chains $interface ) { - add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state NEW ${policy}"; + add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}"; } set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_forward_chain', 1; } else { my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} ); - add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}"; + add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}"; } } } else { @@ -1614,7 +1641,7 @@ sub generate_matrix() { fatal_error "No policy defined for zone $zone to zone $zone1"; } - ''; + ''; # CONTINUE policy } # @@ -1632,6 +1659,7 @@ sub generate_matrix() { my @interfaces = ( all_interfaces ); my $preroutingref = ensure_chain 'nat', 'dnat'; my $fw = firewall_zone; + my $notrackref = $raw_table->{notrack_chain $fw}; my @zones = non_firewall_zones; my $interface_jumps_added = 0; @@ -1677,7 +1705,11 @@ sub generate_matrix() { } } } - + + # + # NOTRACK from firewall + # + add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced}; # # Main source-zone matrix-generation loop # 
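Review bot: `add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};` dereferences `$notrackref`, which the previous hunk sets to `$raw_table->{notrack_chain $fw}` with no fallback, so when no notrack chain was ever created for the firewall zone the test only works because Perl autovivifies the undef scalar into an empty hash. The parent-zone loop in the next hunk guards the same lookup with `|| {}`; doing the same here, or writing `if $notrackref && $notrackref->{referenced}`, makes the intent explicit instead of incidental. The `# NOTRACK from firewall` comment could also state why this jump lives in raw `OUTPUT`: locally generated packets never traverse raw `PREROUTING`.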
@@ -1692,31 +1724,36 @@ sub generate_matrix() { my $frwd_ref = $filter_table->{zone_forward_chain $zone}; my $chain = 0; my $dnatref = ensure_chain 'nat' , dnat_chain( $zone ); + my $notrackref = ensure_chain 'raw' , notrack_chain( $zone ); my $nested = $zoneref->{options}{nested}; + my $parenthasnat = 0; + my $parenthasnotrack = 0; + if ( $nested ) { # # This is a sub-zone. We need to determine if # - # a) A parent zone defines DNAT/REDIRECT rules; and + # a) A parent zone defines DNAT/REDIRECT or notrack rules; and # b) The current zone has a CONTINUE policy to some other zone. # # If a) but not b), then we must avoid sending packets from this - # zone through the DNAT/REDIRECT chain for the parent. + # zone through the DNAT/REDIRECT or notrack chain for the parent. # - my $parenthasnat = 0; - for my $parent ( @{$zoneref->{parents}} ) { - my $ref = $nat_table->{dnat_chain $parent} || {}; - $parenthasnat = 1, last if $ref->{referenced}; + my $ref1 = $nat_table->{dnat_chain $parent} || {}; + my $ref2 = $raw_table->{notrack_chain $parent} || {}; + $parenthasnat = 1 if $ref1->{referenced}; + $parenthasnotrack = 1 if $ref2->{referenced}; + last if $parenthasnat && $parenthasnotrack; } - if ( $parenthasnat ) { + if ( $parenthasnat || $parenthasnotrack ) { for my $zone1 ( all_zones ) { if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) { # # This zone has a continue policy to another zone. We must - # send packets from this zone through the parent's DNAT/REDIRECT chain. + # send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain. # $nested = 0; last; @@ -1724,7 +1761,7 @@ sub generate_matrix() { } } else { # - # No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain. + # No parent has DNAT or notrack so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' or 'notrack' chain. # $nested = 0; } 
@@ -1784,11 +1821,22 @@ sub generate_matrix() { # add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match ); } + + if ( $notrackref->{referenced} ) { + # + # There are notrack rules with this zone as the source. + # Add a jump from this source network to this zone's notrack chain + # + add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match ); + } # - # If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source + # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source # then add a RETURN jump for this source network. # - add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested; + if ( $nested ) { + add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnat; + add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack; + } my $inputchainref; my $interfacematch = ''; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index c0935e3eb..37dd3047a 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -109,6 +109,24 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , } ); +our %flow_keys = ( 'src' => 1, + 'dst' => 1, + 'proto' => 1, + 'proto-src' => 1, + 'proto-dst' => 1, + 'iif' => 1, + 'priority' => 1, + 'mark' => 1, + 'nfct' => 1, + 'nfct-src' => 1, + 'nfct-dst' => 1, + 'nfct-proto-src' => 1, + 'nfct-proto-dst' => 1, + 'rt-classid' => 1, + 'sk-uid' => 1, + 'sk-gid' => 1, + 'vlan-tag' => 1 ); + our %classids; our @deferred_rules; 
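Review bot: The notrack RETURN is added directly to the built-in raw `PREROUTING` chain (`add_rule $raw_table->{PREROUTING}, … '-j RETURN' if $parenthasnotrack;`), whereas its DNAT counterpart goes into the user chain `$preroutingref`; a RETURN matched in a built-in chain ends traversal of that chain and applies its policy, so packets from this sub-zone's source network skip every raw PREROUTING rule appended after it — the notrack jumps of zones processed later in the loop and anything else the compiler places there — rather than just the parent's notrack chain. Mirroring the nat side, jump from raw PREROUTING into an intermediate user chain (`my $rawpreroutingref = ensure_chain 'raw', 'notrack';`) and put both the per-zone `add_jump … $notrackref` and this RETURN into `$rawpreroutingref`, so RETURN only leaves that chain. How much the skipped rules matter depends on what else ends up in raw PREROUTING, which is not visible here. The enclosing loop body continues outside the hunk.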
@@ -309,7 +327,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) { fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result; } - progress_message " TC Rule \"$currentline\" $done"; + progress_message " TC Rule \"$currentline\" $done"; } @@ -337,6 +355,20 @@ sub calculate_quantum( $$ ) { int( ( $rate * 125 ) / $r2q ); } +sub process_flow($) { + my $flow = shift; + + $flow =~ s/^\(// if $flow =~ s/\)$//; + + my @flow = split /,/, $flow; + + for ( @flow ) { + fatal_error "Invalid flow key ($_)" unless $flow_keys{$_}; + } + + $flow; +} + sub validate_tc_device( $$$$$ ) { my ( $device, $inband, $outband , $options , $redirected ) = @_; @@ -364,12 +396,18 @@ sub validate_tc_device( $$$$$ ) { fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/; - my $classify = 0; + my ( $classify, $pfifo, $flow) = (0, 0, '' ); if ( $options ne '-' ) { - for my $option ( split_list $options, 'option' ) { + for my $option ( split_list1 $options, 'option' ) { if ( $option eq 'classify' ) { $classify = 1; + } elsif ( $option =~ /^flow=(.*)$/ ) { + fatal_error "The 'flow' option is not allowed with 'pfifo'" if $pfifo; + $flow = process_flow $1; + } elsif ( $option eq 'pfifo' ) { + fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $flow; + $pfifo = 1; } else { fatal_error "Unknown device option ($option)"; } @@ -395,14 +433,16 @@ sub validate_tc_device( $$$$$ ) { $tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' , out_bandwidth => rate_to_kbit( $outband ) . 'kbit' , number => $devnumber, - classify => $classify , + classify => $classify , + flow => $flow , + pfifo => $pfifo , tablenumber => 1 , redirected => \@redirected , } , push @tcdevices, $device; - progress_message " Tcdevice \"$currentline\" $done."; + progress_message " Tcdevice \"$currentline\" $done."; } sub convert_rate( $$$ ) { 
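Review bot: `$flow =~ s/^\(// if $flow =~ s/\)$//;` strips the opening parenthesis only when a closing one was present, so `flow=(src,dst` is rejected later as the bogus key `(src`, which is fine, but `flow=src,dst)` loses its stray `)` and is accepted, and an empty value (`flow=` or `flow=()`) passes the loop with no keys and returns `''`, which the callers then treat as "no flow option given". Pair the two parentheses and require at least one key: `my $open = ( $flow =~ s/^\(// ) ? 1 : 0; my $close = ( $flow =~ s/\)$// ) ? 1 : 0; fatal_error "Invalid flow ($flow)" if $open != $close || $flow eq '';`. The per-key check against `%flow_keys` is what keeps the later `run_tc … flow hash keys $tcref->{flow}` line free of user-controlled tokens, so a comment saying `# whitelist: this value is interpolated into a tc command line` would make that dependency explicit.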
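Review bot: The error text `"The 'pfifo'' option is not allowed with 'flow='"` has a doubled quote after `pfifo`; the same string is repeated in `validate_tc_class`. A second `flow=` on the same device line also silently replaces the first, because `$flow = process_flow $1;` does not check whether `$flow` is already set, so a duplicated option is not reported the way the flow/pfifo conflict is; `fatal_error "Duplicate 'flow' option" if $flow;` before the assignment, with a matching `fatal_error "Duplicate 'pfifo' option" if $pfifo;`, would make the checks symmetric. `validate_tc_device` continues outside this hunk.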
@@ -410,7 +450,6 @@ sub convert_rate( $$$ ) { if ( $rate =~ /\bfull\b/ ) { $rate =~ s/\bfull\b/$full/g; - progress_message " Compiling $column $_[1]"; fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]}; no warnings; $rate = eval "int( $rate )"; @@ -444,7 +483,7 @@ sub dev_by_number( $ ) { ( $dev , $devref ); } - + sub validate_tc_class( $$$$$$ ) { my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_; @@ -507,7 +546,9 @@ sub validate_tc_class( $$$$$$ ) { rate => convert_rate( $full, $rate, 'RATE' ) , ceiling => convert_rate( $full, $ceil, 'CEIL' ) , priority => $prio eq '-' ? 1 : $prio , - mark => $markval + mark => $markval , + flow => '' , + pfifo => 0 }; $tcref = $tcref->{$classnumber}; @@ -515,7 +556,7 @@ sub validate_tc_class( $$$$$$ ) { fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling}; unless ( $options eq '-' ) { - for my $option ( split_list "\L$options", 'option' ) { + for my $option ( split_list1 "\L$options", 'option' ) { my $optval = $tosoptions{$option}; $option = $optval if $optval; @@ -531,14 +572,23 @@ sub validate_tc_class( $$$$$$ ) { } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) { ( undef, $option ) = split /=/, $option; push @{$tcref->{tos}}, $option; + } elsif ( $option =~ /^flow=(.*)$/ ) { + fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo}; + $tcref->{flow} = process_flow $1; + } elsif ( $option eq 'pfifo' ) { + fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow}; + $tcref->{pfifo} = 1; } else { fatal_error "Unknown option ($option)"; } } } + $tcref->{flow} = $devref->{flow} unless $tcref->{flow}; + $tcref->{pfifo} = $devref->{pfifo} unless $tcref->{flow} || $tcref->{pfifo}; + push @tcclasses, "$device:$classnumber"; - progress_message " Tcclass \"$currentline\" $done."; + progress_message " Tcclass \"$currentline\" $done."; } # 
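Review bot: The two inheritance lines `$tcref->{flow} = $devref->{flow} unless $tcref->{flow};` and `$tcref->{pfifo} = $devref->{pfifo} unless $tcref->{flow} || $tcref->{pfifo};` encode a precedence (class setting beats device setting; an inherited or explicit `flow` suppresses inheriting `pfifo`) that is easy to misread, and the `'pfifo''` message typo from `validate_tc_device` is repeated here. A comment above them would help: `# A class inherits the device's flow=/pfifo setting unless it gave its own; flow= takes precedence over pfifo, matching the mutual exclusion enforced in the option loop above.` `validate_tc_class` continues outside this hunk.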
@@ -688,7 +738,7 @@ sub process_tc_filter( $$$$$$ ) { emit ''; - progress_message " TC Filter \"$currentline\" $done"; + progress_message " TC Filter \"$currentline\" $done"; $currentline =~ s/\s+/ /g; @@ -803,13 +853,14 @@ sub setup_traffic_shaping() { } emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum", - "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum", - "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10" - ); + "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" ); + + emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo}; # # add filters # emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify}; + emit "run_tc filter add dev $device protocol ip pref 1 parent $classnum: handle 1 flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; # #options # @@ -879,7 +930,7 @@ sub setup_tc() { if ( $config{HIGH_ROUTE_MARKS} ) { for my $chain qw(INPUT FORWARD POSTROUTING) { - insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF'; + insert_rule1 $mangle_table->{$chain}, 0, '-j MARK --and-mark 0xFF'; } } } diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm index 345c40486..804173fa1 100644 --- a/Shorewall-perl/Shorewall/Tunnels.pm +++ b/Shorewall-perl/Shorewall/Tunnels.pm 
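Review bot: With `pfifo` set, the line `emit( "run_tc qdisc add … sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo};` leaves the leaf class with no explicit qdisc and nothing in the hunk says what the class then gets, so a reader may assume pfifo traffic is unqueued; likewise the `flow hash keys` filter is attached to `parent $classnum:`, the handle of the sfq just created, which is only valid because `validate_tc_class` forbids `flow=` together with `pfifo`. A comment on the sfq line would close both gaps: `# pfifo classes get no explicit leaf qdisc; HTB then attaches its default pfifo leaf (confirm against the target kernel). The flow filter below hashes into this sfq, so it is only emitted when the sfq exists.` The surrounding loop starts and ends outside the hunk.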
@@ -61,22 +61,22 @@ sub setup_tunnels() { } } - my $options = '-m state --state NEW -j ACCEPT'; + my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT'; - add_rule $inchainref, "-p 50 $source -j ACCEPT"; - add_rule $outchainref, "-p 50 $dest -j ACCEPT"; + add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; + add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT"; unless ( $noah ) { - add_rule $inchainref, "-p 51 $source -j ACCEPT"; - add_rule $outchainref, "-p 51 $dest -j ACCEPT"; + add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT"; + add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT"; } if ( $kind eq 'ipsec' ) { - add_rule $inchainref, "-p udp $source --dport 500 $options"; - add_rule $outchainref, "-p udp $dest --dport 500 $options"; + add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options"; + add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options"; } else { - add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; - add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; + add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; + add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; } unless ( $gatewayzones eq '-' ) { 
@@ -87,21 +87,21 @@ sub setup_tunnels() { $outchainref = ensure_filter_chain "${fw}2${zone}", 1; unless ( $capabilities{POLICY_MATCH} ) { - add_rule $inchainref, "-p 50 $source -j ACCEPT"; - add_rule $outchainref, "-p 50 $dest -j ACCEPT"; + add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; + add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT"; unless ( $noah ) { - add_rule $inchainref, "-p 51 $source -j ACCEPT"; - add_rule $outchainref, "-p 51 $dest -j ACCEPT"; + add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT"; + add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT"; } } if ( $kind eq 'ipsec' ) { - add_rule $inchainref, "-p udp $source --dport 500 $options"; - add_rule $outchainref, "-p udp $dest --dport 500 $options"; + add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options"; + add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options"; } else { - add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; - add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; + add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; + add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; } } } 
@@ -110,24 +110,24 @@ sub setup_tunnels() { sub setup_one_other { my ($inchainref, $outchainref, $source, $dest , $protocol) = @_; - add_rule $inchainref , "-p $protocol $source -j ACCEPT"; - add_rule $outchainref , "-p $protocol $dest -j ACCEPT"; + add_tunnel_rule $inchainref , "-p $protocol $source -j ACCEPT"; + add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT"; } sub setup_pptp_client { my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; - add_rule $outchainref, "-p 47 $dest -j ACCEPT"; - add_rule $inchainref, "-p 47 $source -j ACCEPT"; - add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT" + add_tunnel_rule $outchainref, "-p 47 $dest -j ACCEPT"; + add_tunnel_rule $inchainref, "-p 47 $source -j ACCEPT"; + add_tunnel_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT" } sub setup_pptp_server { my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; - add_rule $inchainref, "-p 47 $dest -j ACCEPT"; - add_rule $outchainref, "-p 47 $source -j ACCEPT"; - add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT" + add_tunnel_rule $inchainref, "-p 47 $dest -j ACCEPT"; + add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT"; + add_tunnel_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT" } sub setup_one_openvpn { @@ -151,8 +151,8 @@ sub setup_tunnels() { } } - add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; - add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; + add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; + add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; } sub setup_one_openvpn_client { 
@@ -176,8 +176,8 @@ sub setup_tunnels() { } } - add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT"; - add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; + add_tunnel_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT"; + add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; } sub setup_one_openvpn_server { @@ -201,8 +201,8 @@ sub setup_tunnels() { } } - add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; - add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT"; + add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; + add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT"; } sub setup_one_l2tp { @@ -210,8 +210,8 @@ sub setup_tunnels() { fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/; - add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT"; - add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT"; + add_tunnel_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT"; + add_tunnel_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT"; } sub setup_one_generic { @@ -228,8 +228,8 @@ sub setup_tunnels() { ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/; } - add_rule $inchainref, "-p $protocol $source $port -j ACCEPT"; - add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT"; + add_tunnel_rule $inchainref, "-p $protocol $source $port -j ACCEPT"; + add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT"; } sub setup_one_tunnel($$$$) { diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index c4502e0ac..9babae63a 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm 
@@ -809,7 +809,7 @@ sub validate_interfaces_file( $ ) $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() - progress_message " Interface \"$currentline\" Validated"; + progress_message " Interface \"$currentline\" Validated"; } diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl index bf5959c9c..fff4dead6 100755 --- a/Shorewall-perl/compiler.pl +++ b/Shorewall-perl/compiler.pl @@ -35,7 +35,10 @@ # --refresh= # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'. # --log= # Log file # --log_verbosity= # Log Verbosity range -1 to 2 -# --family= # IP family; 4 = IPv4, 6 = IPv6 +# --family= # IP family; 4 = IPv4 (default), 6 = IPv6 +# --rtc # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default) +# # 1 = Do not Generate Routing and Traffic shaping +# # 2 = Generate only the Routing and Traffic shaping part # use strict; use FindBin; @@ -75,6 +78,7 @@ my $log_verbose = 0; my $help = 0; my $test = 0; my $family = 4; # F_IPV4 +my $rtc = 0; Getopt::Long::Configure ('bundling'); @@ -97,6 +101,7 @@ my $result = GetOptions('h' => \$help, 'test' => \$test, 'f=i' => \$family, 'family=i' => \$family, + 'rtc=i' => \$rtc, ); usage(1) unless $result && @ARGV < 2; @@ -112,4 +117,5 @@ compiler( object => defined $ARGV[0] ? $ARGV[0] : '', log => $log, log_verbosity => $log_verbose, test => $test, - family => $family ); + family => $family , + rtc => $rtc ); diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index bde7e5fb4..754e9faee 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-perl/prog.footer b/Shorewall-perl/prog.footer index 3115ccaa4..92cc5d453 100644 --- a/Shorewall-perl/prog.footer +++ b/Shorewall-perl/prog.footer 
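Review bot: `'rtc=i' => \$rtc,` accepts any integer, while the header comment a few hunks up documents only 0, 1 and 2 and `compiler()` compares `$rtc` against `NORTC`/`RTCONLY` with `==`, so an out-of-range value such as `--rtc 3` is neither rejected nor reported; if those constants are 1 and 2 as the help text implies, it silently behaves like 0 and generates both the routing/shaping and the netfilter parts. Add a range check beside the existing `usage(1) unless $result && @ARGV < 2;`: `usage(1) unless $rtc >= 0 && $rtc <= 2;`.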
@@ -1,8 +1,8 @@ - # +# # Give Usage Information # usage() { - echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]" + echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" exit $1 } ################################################################################ @@ -23,8 +23,6 @@ fi initialize -[ -n "${PRODUCT:=Shorewall}" ] - finished=0 while [ $finished -eq 0 -a $# -gt 0 ]; do @@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do VERBOSE=$(($VERBOSE - 1 )) option=${option#q} ;; - r*) - if [ -n "$NORTC" ]; then - error_message "The -n and -r options are mutually exclusive" - exit 1 - fi - - RTCONLY=Yes - option=${option#r} - PRODUCT="$PRODUCT Traffic Control and Routing" - ;; n*) - if [ -n "$RTCONLY" ]; then - error_message "The -n and -r options are mutually exclusive" - exit 1 - fi - - NORTC=Yes + NOROUTES=Yes option=${option#n} ;; *) @@ -79,15 +62,12 @@ done COMMAND="$1" +[ -n "${PRODUCT:=Shorewall}" ] + case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 - if [ -n "$RTCONLY" ]; then - progress_message3 "Starting $PRODUCT...." - define_firewall - status=$? - progress_message3 "done." - elif shorewall6_is_started; then + if shorewall_is_started; then error_message "$PRODUCT is already Running" status=0 else @@ -103,14 +83,11 @@ case "$COMMAND" in progress_message3 "Stopping $PRODUCT...." stop_firewall status=0 - [ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; reset) - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'reset'" - status=1 - elif ! shorewall_is_started ; then + if ! shorewall_is_started ; then error_message "$PRODUCT is not running" status=2 elif [ $# -eq 1 ]; then 
@@ -149,17 +126,14 @@ case "$COMMAND" in define_firewall status=$? - if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then + if [ -n "$SUBSYSLOCK" ]; then [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK fi progress_message3 "done." ;; refresh) [ $# -ne 1 ] && usage 2 - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'refresh'" - status=1 - elif shorewall_is_started; then + if shorewall_is_started; then progress_message3 "Refreshing $PRODUCT...." define_firewall status=$? @@ -171,23 +145,18 @@ case "$COMMAND" in ;; restore) [ $# -ne 1 ] && usage 2 - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'restart'" - status=1 - else - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi - fi + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi ;; clear) [ $# -ne 1 ] && usage 2 progress_message3 "Clearing $PRODUCT...." clear_firewall status=0 - [ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; status) diff --git a/Shorewall-perl/prog.footer6 b/Shorewall-perl/prog.footer6 index cfff01b96..4060c0431 100644 --- a/Shorewall-perl/prog.footer6 +++ b/Shorewall-perl/prog.footer6 @@ -2,7 +2,7 @@ # Give Usage Information # usage() { - echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]" + echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" exit $1 } ################################################################################ @@ -23,8 +23,6 @@ fi initialize -[ -n "${PRODUCT:=Shorewall6}" ] - finished=0 while [ $finished -eq 0 -a $# -gt 0 ]; do 
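Review bot: The restore arm re-adds `[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK`, where the `a && b || c` form runs the `rm -f` whenever `touch` fails, so a failed lock creation is followed by a removal and `status` still reports 0 even though the subsystem lock is now missing. The same pattern is re-added in the restart and restore arms of prog.footer6 in the next file section. An explicit `if [ $status -eq 0 ]; then touch "$SUBSYSLOCK"; else rm -f "$SUBSYSLOCK"; fi` avoids the fall-through and also quotes the path, which the new lines leave unquoted.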
@@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do VERBOSE=$(($VERBOSE - 1 )) option=${option#q} ;; - r*) - if [ -n "$NORTC" ]; then - error_message "The -n and -r options are mutually exclusive" - exit 1 - fi - - RTCONLY=Yes - option=${option#r} - PRODUCT="$PRODUCT Traffic Control and Routing" - ;; n*) - if [ -n "$RTCONLY" ]; then - error_message "The -n and -r options are mutually exclusive" - exit 1 - fi - - NORTC=Yes + NOROUTES=Yes option=${option#n} ;; *) @@ -79,6 +62,8 @@ done COMMAND="$1" +[ -n "${PRODUCT:=Shorewall6}" ] + kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) if [ $kernel -lt 20625 ]; then error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" @@ -87,12 +72,7 @@ else case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 - if [ -n "$RTCONLY" ]; then - progress_message3 "Starting $PRODUCT...." - define_firewall - status=$? - progress_message3 "done." - elif shorewall6_is_started; then + if shorewall6_is_started; then error_message "$PRODUCT is already Running" status=0 else @@ -106,20 +86,13 @@ else stop) [ $# -ne 1 ] && usage 2 progress_message3 "Stopping $PRODUCT...." - if [ -n "$RTCONLY" ]; then - delete_tc1 - else - stop_firewall - fi + stop_firewall status=0 - [ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; reset) - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'reset'" - status=1 - elif ! shorewall6_is_started ; then + if ! shorewall6_is_started ; then error_message "$PRODUCT is not running" status=2 elif [ $# -eq 1 ]; then 
@@ -148,33 +121,23 @@ else ;; restart) [ $# -ne 1 ] && usage 2 - if [ -n "$RTCONLY" ]; then + if shorewall6_is_started; then progress_message3 "Restarting $PRODUCT...." - define_firewall - status=$? else - if shorewall6_is_started; then - progress_message3 "Restarting $PRODUCT...." - else - error_message "$PRODUCT is not running" - progress_message3 "Starting $PRODUCT...." - fi - - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + error_message "$PRODUCT is not running" + progress_message3 "Starting $PRODUCT...." fi - + + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi progress_message3 "done." ;; refresh) [ $# -ne 1 ] && usage 2 - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'refresh'" - status=1 - elif shorewall6_is_started; then + if shorewall6_is_started; then progress_message3 "Refreshing $PRODUCT...." define_firewall status=$? @@ -186,23 +149,18 @@ else ;; restore) [ $# -ne 1 ] && usage 2 - if [ -n "${NORTC}$"{RTCONLY} ]; then - error_message "The -n and -r options may not be used with 'restore'" - status=1 - else - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi - fi + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi ;; clear) [ $# -ne 1 ] && usage 2 progress_message3 "Clearing $PRODUCT...." clear_firewall status=0 - [ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; status) diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions index 843c0b30e..a94977027 100644 --- a/Shorewall-perl/prog.functions +++ b/Shorewall-perl/prog.functions 
@@ -20,28 +20,26 @@ delete_proxyarp() { clear_firewall() { stop_firewall - if [ -z "$RTCONLY" ]; then - setpolicy INPUT ACCEPT - setpolicy FORWARD ACCEPT - setpolicy OUTPUT ACCEPT + setpolicy INPUT ACCEPT + setpolicy FORWARD ACCEPT + setpolicy OUTPUT ACCEPT - run_iptables -F + run_iptables -F - echo 1 > /proc/sys/net/ipv4/ip_forward - - if [ -n "$DISABLE_IPV6" ]; then - if qt mywhich ip6tables; then - ip6tables -P INPUT ACCEPT 2> /dev/null - ip6tables -P OUTPUT ACCEPT 2> /dev/null - ip6tables -P FORWARD ACCEPT 2> /dev/null - fi + echo 1 > /proc/sys/net/ipv4/ip_forward + + if [ -n "$DISABLE_IPV6" ]; then + if qt mywhich ip6tables; then + ip6tables -P INPUT ACCEPT 2> /dev/null + ip6tables -P OUTPUT ACCEPT 2> /dev/null + ip6tables -P FORWARD ACCEPT 2> /dev/null fi - - run_clear_exit - - set_state "Cleared" fi + run_clear_exit + + set_state "Cleared" + logger -p kern.info "$PRODUCT Cleared" } diff --git a/Shorewall-perl/prog.functions6 b/Shorewall-perl/prog.functions6 index e32d8749c..0625701bb 100644 --- a/Shorewall-perl/prog.functions6 +++ b/Shorewall-perl/prog.functions6 @@ -4,19 +4,17 @@ clear_firewall() { stop_firewall - if [ -z "$RTCONLY" ]; then - setpolicy INPUT ACCEPT - setpolicy FORWARD ACCEPT - setpolicy OUTPUT ACCEPT + setpolicy INPUT ACCEPT + setpolicy FORWARD ACCEPT + setpolicy OUTPUT ACCEPT - run_iptables -F + run_iptables -F - echo 1 > /proc/sys/net/ipv6/conf/all/forwarding - - run_clear_exit + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding - set_state "Cleared" - fi + run_clear_exit + + set_state "Cleared" logger -p kern.info "$PRODUCT Cleared" } diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header index f34f2c999..4049962b6 100644 --- a/Shorewall-perl/prog.header +++ b/Shorewall-perl/prog.header 
@@ -821,19 +821,16 @@ detect_gateway() # $1 = interface { local interface interface=$1 + local gateway # - # First assume that this is some sort of point-to-point interface + # First assume that this is some sort of dynamic interface # - gateway=$( find_peer $(ip addr list $interface ) ) + gateway=$( detect_dynamic_gateway $interface ) # # Maybe there's a default route through this gateway already # [ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default)) # - # Next try dhcpcd's info file for the interface - # - [ -n "$gateway" ] || gateway=$(get_dhcp_gateway) - # # Last hope -- is there a load-balancing route through the interface? # [ -n "$gateway" ] || gateway=$(find_nexthop $interface) diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index 8ea26054c..8b6217969 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall Perl-based compiler. @@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT %doc COPYING releasenotes.txt %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base +* Wed Feb 04 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base +* Thu Jan 29 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base * Tue Jan 06 2009 Tom Eastep tom@shorewall.net - Updated to 4.2.5-0base * Thu Dec 25 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/README.txt b/Shorewall-shell/README.txt index 9d4015b80..0f0ff527c 100644 --- a/Shorewall-shell/README.txt +++ b/Shorewall-shell/README.txt @@ -1 +1 @@ -This is the Shorewall-shell Development 4.2 branch of SVN. +This is the Shorewall-shell Stable 4.2 branch of SVN. diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index 42e0ae7e2..8715292f6 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh 
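Review bot: The new call `gateway=$( detect_dynamic_gateway $interface )` passes the interface name unquoted, unlike the rest of the function's use of `$interface`, which is only safe as long as the caller never supplies a name containing whitespace or glob characters; `"$interface"` costs nothing. The hunk also drops the dhcpcd info-file probe (`get_dhcp_gateway`), and the comment above the new call says only "dynamic interface"; if detect_dynamic_gateway is meant to cover that case, a comment such as `# (replaces the former dhcpcd info-file lookup)` would keep that intent visible. detect_gateway's body continues past the end of the hunk.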
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index 6cdd14417..bb511f6fd 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec @@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -81,8 +81,10 @@ fi %doc COPYING INSTALL %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base +* Wed Feb 04 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base +* Thu Jan 29 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base * Tue Jan 06 2009 Tom Eastep tom@shorewall.net - Updated to 4.2.5-0base * Thu Dec 25 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/Makefile b/Shorewall6-lite/Makefile index c30ccb88b..1c672e43e 100644 --- a/Shorewall6-lite/Makefile +++ b/Shorewall6-lite/Makefile @@ -1,18 +1,18 @@ -# Shorewall Lite Makefile to restart if firewall script is newer than last restart -VARDIR=$(shell /sbin/shorewall-lite show vardir) -SHAREDIR=/usr/share/shorewall-lite +# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart +VARDIR=$(shell /sbin/shorewall6-lite show vardir) +SHAREDIR=/usr/share/shorewall6-lite RESTOREFILE?=.restore all: $(VARDIR)/${RESTOREFILE} $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall - @/sbin/shorewall-lite -q save >/dev/null; \ + @/sbin/shorewall6-lite -q save >/dev/null; \ if \ - /sbin/shorewall-lite -q restart >/dev/null 2>&1; \ + /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \ then \ - /sbin/shorewall-lite -q save >/dev/null; \ + /sbin/shorewall6-lite -q save >/dev/null; \ else \ - /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \ + /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \ fi # EOF 
diff --git a/Shorewall6-lite/README.txt b/Shorewall6-lite/README.txt index 559e49156..b0f878cff 100644 --- a/Shorewall6-lite/README.txt +++ b/Shorewall6-lite/README.txt @@ -1 +1 @@ -This is the Shorewall-lite Development 4.1 branch of SVN. +This is the Shorewall-lite Stable 4.2 branch of SVN. diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh index 0d1c8516c..4d148f1c3 100755 --- a/Shorewall6-lite/fallback.sh +++ b/Shorewall6-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 98118cb2e..b25149d32 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 047d6a0d5..eeb68ac28 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,5 +1,5 @@ %define name shorewall6-lite -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. @@ -89,8 +89,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base +* Wed Feb 04 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base +* Thu Jan 29 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.6-0base * Tue Jan 06 2009 Tom Eastep tom@shorewall.net - Updated to 4.2.5-0base * Thu Dec 25 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index afae2215a..8673320ff 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall6/Makefile b/Shorewall6/Makefile index f59dcde95..48ecebacc 100644 --- a/Shorewall6/Makefile +++ b/Shorewall6/Makefile @@ -5,13 +5,13 @@ RESTOREFILE?=.restore all: $(VARDIR)/${RESTOREFILE} $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/* - @/sbin/shorewall -q save >/dev/null; \ + @/sbin/shorewall6 -q save >/dev/null; \ if \ - /sbin/shorewall -q restart >/dev/null 2>&1; \ + /sbin/shorewall6 -q restart >/dev/null 2>&1; \ then \ - /sbin/shorewall -q save >/dev/null; \ + /sbin/shorewall6 -q save >/dev/null; \ else \ - /sbin/shorewall -q restart 2>&1 | tail >&2; \ + /sbin/shorewall6 -q restart 2>&1 | tail >&2; \ fi # EOF diff --git a/Shorewall6/README.txt b/Shorewall6/README.txt index 189c4ab93..c5eeee4ce 100644 --- a/Shorewall6/README.txt +++ b/Shorewall6/README.txt @@ -1 +1 @@ -This is the Shorewall-common Development 4.2 branch of SVN. +This is the Shorewall-common Stable 4.2 branch of SVN. diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh index c8a2aa3b8..f32b69316 100755 --- a/Shorewall6/fallback.sh +++ b/Shorewall6/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 3965393d8..0baa4fbe3 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status { 
@@ -475,6 +475,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices" fi +# +# Install the Notrack file +# +run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewal6/configfiles/notrack + +if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then + run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack + echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack" +fi # # Install the default config path file # diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index e6011f8df..18596d724 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -413,6 +413,13 @@ show_command() { show_reset $IP6TABLES -t mangle -L $IPT_OPTIONS ;; + raw) + [ $# -gt 1 ] && usage 1 + echo "$PRODUCT $version raw Table at $HOSTNAME - $(date)" + echo + show_reset + $IP6TABLES -t raw -L $IPT_OPTIONS + ;; log) [ $# -gt 1 ] && usage 1 echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)" diff --git a/Shorewall6/restored b/Shorewall6/restored index 4147d93db..cfc26c14f 100644 --- a/Shorewall6/restored +++ b/Shorewall6/restored @@ -4,7 +4,7 @@ # /etc/shorewall6/restored # # Add commands below that you want to be executed after shorewall6 has -# been completed a 'restore' command. +# completed a 'restore' command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index 6af415e0d..35dce695a 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -216,10 +216,6 @@ get_config() { No|NO|no) TC_ENABLED= ;; - RTC) - NORTC=Yes - RTCONLY= - ;; esac [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" @@ -470,8 +466,7 @@ start_command() { ;; esac - export NORTC - export RTCONLY + export NOROUTES export PURGE if [ -n "$FAST" ]; then 
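Review bot: The share-directory path in the new run_install line is misspelled: `${PREFIX}/usr/share/shorewal6/configfiles/notrack` is missing an `l`, so the notrack template is installed into a directory the rest of the installer never uses, while the /etc copy two lines below correctly uses `shorewall6`. Change it to `run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack`. The enclosing install script continues outside the hunk.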
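Review bot: Removing the `RTC)` arm from the TC_ENABLED case in get_config means a shorewall6.conf that still says `TC_ENABLED=RTC` no longer matches any arm visible in the hunk; unless a `*)` arm outside the hunk rejects unknown values, the literal string is kept silently and the old setting is neither honored nor reported. A `RTC) fatal_error "TC_ENABLED=RTC is no longer supported" ;;` arm would surface the removal to users of the old value. Separately, the unchanged trailing line `[ -n "LOGFORMAT" ]` tests a literal and is always true; it is harmless here because expanding an empty LOGFORMAT still yields an empty string, but `"$LOGFORMAT"` looks intended. get_config's body extends beyond the hunk.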
@@ -690,15 +685,9 @@ restart_command() { option=${option#f} ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" PURGE=Yes @@ -742,8 +731,7 @@ restart_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - export NORTC - export RTCONLY + export NOROUTES export PURGE if [ -z "$FAST" ]; then @@ -815,8 +803,7 @@ refresh_command() { [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" - export NORTC - export RTCONLY + export NOROUTES progress_message3 "Compiling..." @@ -859,15 +846,9 @@ safe_commands() { option= ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; *) usage 1 ;; @@ -1008,15 +989,9 @@ try_command() { option= ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; *) usage 1 ;; @@ -1355,7 +1330,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ -p ] [ -f ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]" echo " start [ -f ] [ -n ] [ -p ] [ ]" echo " stop [ -f ]" echo " status" @@ -1389,8 +1364,7 @@ IPT_OPTIONS="-nv" FAST= VERBOSE_OFFSET=0 USE_VERBOSITY= -NORTC= -RTCONLY= +NOROUTES= PURGE= EXPORT= export TIMESTAMP= 
@@ -1467,15 +1441,9 @@ while [ $finished -eq 0 ]; do esac ;; n*) - NORTC=Yes - RTCONLY= + NOROUTES=Yes option=${option#n} ;; - r*) - RTCONLY=Yes - NORTC= - option=${option#r} - ;; t*) TIMESTAMP=Yes option=${option#t} @@ -1615,16 +1583,14 @@ case "$COMMAND" in [ $# -ne 1 ] && usage 1 get_config [ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started" - export NORTC - export RTCONLY + export NOROUTES mutex_on $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND mutex_off ;; reset) get_config - export NORTC - export RTCONLY + export NOROUTES shift mutex_on [ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started" diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index a8e37d783..289f4fa35 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,5 +1,5 @@ %define name shorewall6 -%define version 4.3.6 +%define version 4.2.6 %define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. @@ -142,8 +142,6 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog -* Fri Feb 06 2009 Tom Eastep tom@shorewall.net -- Updated to 4.3.6-0base * Wed Feb 05 2009 Tom Eastep tom@shorewall.net - Added 'restored' script * Wed Feb 04 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 83375c490..607a1fe6a 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.3.6 +VERSION=4.2.6 usage() # $1 = exit status {