Move 4.2 to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-21 17:21:51 +00:00
parent 54478f3757
commit f4b2f68ea0
57 changed files with 1502 additions and 944 deletions


@ -1 +1 @@
This is the Shorewall-common Development 4.2 branch of SVN. This is the Shorewall-common Stable 4.2 branch of SVN.


@ -1,3 +1,47 @@
Changes in Shorewall 4.2.7
1) Added /etc/shorewall/notrack.
2) Added new columns to the routestopped file.
3) Moved tunnel rules back to the front of the NEW section.
4) Handle long sport lists.
Changes in Shorewall 4.2.6
1) Added macro.BitTorrent32
2) Add COUNT action.
3) Add swping
4) Add RESTORE_DEFAULT_ROUTE option
5) Use dhcpcd's database to detect dynamic gateways.
6) Fix TCP_FLAGS_DISPOSITION=REJECT
7) Allow protocol and port inversion.
8) Don't check for "-m state" until after modules are loaded
9) Fix Shorewall6[-lite]/Makefile
10) Reorganized generated script to be more like 4.3.
11) Added 'restored' script.
12) Another ctorigdstport fix.
13) Allow 'here documents' in extension scripts
14) Another ctorigdst fix.
15) Add flow key support.
16) Fix 'show connections'.
Changes in Shorewall 4.2.5 Changes in Shorewall 4.2.5
1) Add 'fallback' providers option. 1) Add 'fallback' providers option.
@ -11,6 +55,12 @@ Changes in Shorewall 4.2.5
5) Added macro.Git. 5) Added macro.Git.
6) Fix running of tcclear script.
7) Added macro.IRC.
8) Fix --ctorigport usage
Changes in Shorewall 4.2.4.6 Changes in Shorewall 4.2.4.6
1) Fix hosts exclusion in DNAT/REDIRECT. 1) Fix hosts exclusion in DNAT/REDIRECT.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -438,6 +438,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq" echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi fi
# #
# Install the Notrack file
#
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall/configfiles/notrack
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall/notrack
echo "Notrack file installed as ${PREFIX}/etc/shorewall/notrack"
fi
#
# Install the Modules file # Install the Modules file
# #
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
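Review bot: The new notrack install guard `[ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]` combines the deprecated `-a` operator with an unquoted `${PREFIX}`, so a PREFIX containing whitespace breaks the test rather than failing closed; the masq handling just above uses the same idiom, so this is a consistency point rather than a regression introduced here. Prefer `[ -z "$CYGWIN" ] && [ ! -f "${PREFIX}/etc/shorewall/notrack" ]` (and the same quoting on the two `run_install` destinations). Installing the /etc copy as 0600 while the configfiles reference copy is 0644 looks appropriate for a file that switches off connection tracking for matched traffic, assuming that mirrors how masq is installed in the lines outside this hunk.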


@ -1,9 +1,17 @@
#
# Shorewall version 4 - 'isusable' sample script
#
# /etc/shorewall/isusable
#
# This script is a companion to the 'swping' script described at
# http://www.shorewall.net/MultiISP.html#swping.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
local status=0 local status=0
case $1 in [ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
$EXT_IF|$COM_IF)
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
;;
esac
return $status return $status
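Review bot: Dropping the `$EXT_IF|$COM_IF` case means `/etc/shorewall/${1}.status` is now consulted for whatever interface name the caller passes, and whatever that file contains becomes the function's exit code via `return $status`; a file holding anything other than a small integer makes `return` fail with a numeric-argument error instead of giving a usable/unusable answer. Consider validating the value before returning it, e.g. `case $status in 0|1) ;; *) status=1 ;; esac`, so a malformed or truncated status file is treated as "not usable" — if that is the conservative choice for swping's semantics, which are not visible in this diff. The new header could also state the contract explicitly, e.g. `# Returns 0 if the interface named in $1 is usable; the .status file is expected to be maintained by swping.` — worded as an expectation since the writer of the .status file is outside this hunk.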


@ -462,7 +462,7 @@ show_command() {
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo echo
[ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
;; ;;
nat) nat)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@ -471,6 +471,13 @@ show_command() {
show_reset show_reset
$IPTABLES -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
;; ;;
raw)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t raw -L $IPT_OPTIONS
;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)" echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"
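Review bot: The corrected connections line `[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack` still uses `&& … ||` as an if/else, so a `cat` that fails (for instance on a permission error) falls through to grep on `/proc/net/nf_conntrack`, which may not exist and then produces a second, unrelated error. An explicit `if [ -f /proc/net/ip_conntrack ]; then cat /proc/net/ip_conntrack; else grep -v '^ipv6' /proc/net/nf_conntrack; fi` keeps the fix while making the intent clear. The new `raw)` case mirrors `nat)` and reads fine; the usage string further down this file lists `raw` as a show target but leaves the `-t {filter|mangle|nat}` alternation unchanged, which is worth confirming since the release notes describe `show raw` as an alias for `show -t raw`.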


@ -3,14 +3,10 @@
# #
# /usr/share/shorewall/macro.BitTorrent # /usr/share/shorewall/macro.BitTorrent
# #
# This macro handles BitTorrent traffic. # This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
#
# If you are running a more modern BitTorrent client, then you may need
# to tweak the open port range. This can be done by copying the below
# rules into /etc/shorewall and making the necessary edits there:
#
# Replace 6881:6889 with 6881:6899
# #
# If you are running BitTorrent 3.2 or later, you should use the
# BitTorrent32 macro.
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP # PORT(S) PORT(S) LIMIT GROUP


@ -1,4 +1,4 @@
Shorewall 4.2.5 Shorewall 4.2.7
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 2 H I G H L I G H T S R E L E A S E 4 . 2 H I G H L I G H T S
@ -27,51 +27,9 @@ Shorewall 4.2.5
- Perl 5.10 if you wish to use DNS names in your IPv6 config files. - Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support. In that case you will also have to install Perl Socket6 support.
Problems corrected in 4.2.5 Problems corrected in 4.2.7
1) If exclusion is used to define a zone in /etc/shorewall/hosts and None.
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generated invalid iptables-restore input.
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
3) If 'critical' was specified on an entry in
/etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
Known Problems Remaiining: Known Problems Remaiining:
@ -84,74 +42,106 @@ Known Problems Remaiining:
norfc1918 norfc1918
tcpflags tcpflags
New Feature in Shorewall 4.2.5 New Features in Shorewall 4.2.7
1) A new 'fallback' option is added in 1) Prior to Shorewall version 3.0.0, rules generated by
/etc/shorewall/providers. The option works similar to 'balance' /etc/shorewall/tunnels were traversed before those generated by
except that the default route is added in the default routing table /etc/shorewall/rules. When SECTIONs were added to the rules file in
(253) rather than in the main table (254). 3.0.0, traversal of the tunnel rules was deferred until after those
generated by the NEW section of the rules file.
The option can be used by itself or followed by =<number> (e.g, Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
fallback=2). where they started -- right before the first rule generated by the
NEW section of /etc/shorewall/rules.
When the option is used by itself, a separate (not balanced) 2) To allow bypassing of connection tracking for certain traffic,
default route is added with a metric equal to the provider's NUMBER. /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
When the option is used with a number, a balanced route is added Columns in the file are:
with the weight set to the specified number.
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and SOURCE - <zone>[:<interface>][:<address list>]
is only available with Shorewall-perl.
'fallback' is useful in situations where: DEST - [<address list>]
- You want all traffic to be sent via one primary provider unless PROTO - <protocol name or number>
there is a compelling reason to use a different provider
- If the primary provider is down, then you want to balance the DEST PORT(S) - <port number list>
outgoing traffic among a set of other providers or to a
ordered list of providers.
In this case: SOURCE PORT(S) - <port number list>
- Do not specify 'balance' on any of the providers. USER/GROUP - [<user>][:<group>]
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
See http://www.shorewall.net/MultiISP.html#Complete for an example May only be specified if the SOURCE <zone> is $FW.
of this option's use.
2) Shorewall-perl now transparently handles the xtables-addon version Traffic that matches all given criteria will not be subject to
of ipp2p. Shorewall detects whether the installed ipp2p is from connection tracking. For such traffic, your policies and/or rules
patch-o-matic-ng or from xtables-addon and proceeds accordingly. must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
If the patch-o-matic-ng version is installed: Example:
a) If no DEST PORT is supplied, the default is "--ipp2p". /etc/shorewall/tunnels:
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
If the xtables-addons version is installed: #TYPE ZONE GATEWAY
6to4 net
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc /etc/shorewall/notrack
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
Shorewall-perl now also accepts a comma-separated list of options #SOURCE DEST PROTO DEST SOURCE USER/
(e.g., "edk,gnu,dc,kazaa). # PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Additionally, Shorewall now looks for modules in /lib/modules/$(uname Given that 192.88.99.1 is an anycast address, many hosts can
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
This change introduced a new capability ("Old IPP2P Match Syntax") As part of this change, the 'show' command is enhanced to support a
so if you use a capabilities file, be sure to re-generate the 'show raw' command that is an alias for 'show -t raw'. The raw
file(s) after you have installed 4.2.5. table is where NOTRACK rules are created.
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp). 3) Shorewall-perl supports three additional columns in the
/etc/shorewall/routestopped file:
PROTO -- Protocol name or number
DEST PORT(S) -- comma-separated list of service names and/or port
numbers
SOURCE PORT(S) -- comma-separated list of service names and/or port
numbers.
These columns are only meaningful when the "-f" option to
'shorewall stop' is used.
As part of this change, the "-f" option to the 'stop' and 'clear'
commands is now the default when FAST_STOP=Yes in shorewall.conf.
To override this default, use the "-s" option:
shorewall stop -s
Note that if you have entries with one or more of the new columns,
the -s option will result in warning messages.
gateway:~ # shorewall stop -s
Stopping Shorewall...
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
done.
gateway:~ #
4) Shorewall-perl now handles SOURCE PORT lists of more than 15
entries by breaking the containing rule into multiple rules.
Migration Issues. Migration Issues.
@ -1331,3 +1321,244 @@ Problems Corrected in 4.2.4
Other changes in 4.2.4 Other changes in 4.2.4
1) Support for IPv6 was added -- see above. 1) Support for IPv6 was added -- see above.
Problems corrected in 4.2.5
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generate invalid iptables-restore input.
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
3) If 'critical' was specified on an entry in
/etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear
script itself at run time rather than running the copy of the
file in the compiled script. This usually isn't noticable unless
you are running Shorewall Lite or Shorewall6 Lite in which case,
the script doesn't get run (since it is on the administrative
system and not the firewall system).
13) If your iptables/kernel included "Extended Connection Tracking
Match support" (see the output of "shorewall show capabilities"),
then a REDIRECT rule that specified a port list or range would
cause Shorewall-perl to create invalid iptables-restore input:
Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2-rc1: conntrack: Bad value for
"--ctorigdstport" option: "1025:65535"
Error occurred at line: 191
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
New Feature in Shorewall 4.2.5
1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similar to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).
The option can be used by itself or followed by =<number> (e.g,
fallback=2).
When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.
When the option is used with a number, a balanced route is added
with the weight set to the specified number.
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.
'fallback' is useful in situations where:
- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider
- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to a
ordered list of providers.
In this case:
- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.
2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
If the patch-o-matic-ng version is installed:
a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
If the xtables-addons version is installed:
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa).
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset
This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
4) There is also a macro.IRC which open's the Internet Relay Chat port
(6667/tcp).
Problems corrected in 4.2.6
1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
configurations was incorrect with the result that this error
occurred on 'shorewall6 check' or 'shorewall6 start'.
ERROR: No IP zones defined
2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
and Shorewall-perl to create invalid iptables commands. This has
been corrected but we still strongly recommend against that
setting; TCP_FLAGS_DISPOSITION=DROP is preferred.
3) Shorewall-perl was generating code that checked for state match
before kernel modules were loaded. This caused start/restart to
fail on systems without kernel module loading.
4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.
5) If a service name is used in a port-mapping rule (a DNAT or
REDIRECT rule that changes the destination port), and if the
kernel and iptables include Extended Connection Match support, then
invalid iptables-restore input is produced by Shorewall-perl.
6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
incorrect iptables-restore input if exclusion was used in the
ORIGINAL DEST field of a DNAT or REDIRECT rule.
7) On kernels earlier than 2.6.20, the 'shorewall show connections'
command fails.
New Features in Shorewall 4.2.6
1) A BitTorrent32 macro has been added. This macro matches the
extended TCP port range used by BitTorrent 3.2 and later.
2) A new COUNT action has been added to Shorewall-perl. This action
creates an iptables (ip6tables) rule with no target. Connections
matching such a rule are simply counted and the packet is passed on
to the next rule.
Shorewall-shell ignores COUNT in actions and macros, thus allowing
the standard actions (action.Drop and action.Reject) to have a
COUNT rule as their first entry.
3) A new RESTORE_DEFAULT_ROUTE option has been added to
shorewall.conf. It is used to determine whether to restore the
default route saved when there are 'balance' providers defined but
all of them are down.
The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.
RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance
providers available. In that case, RESTORE_DEFAULT_ROUTE=No
will cause any default route in the relevant table to be deleted.
4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
database when trying to detect the gateway for an interface
("detect" in the GATEAWAY column in /etc/shorewall/interfaces).
As part of this change, it is now permitted to specify 'detect'
when USE_DEFAULT_RT=Yes; in that case, the script will only detect
gateways for point-to-point devices and for devices configured by
dhcpcd.
5) Shorewall-perl now supports port inversion. A port number or list
of port numbers may be preceded by '!" which will cause the rule to
match all ports EXCEPT those listed:
Example: To blacklist 206.124.146.176 for all tcp ports except 80:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 tcp !80
6) Shorewall-perl now supports protocol inversion. A protocol name or
number may be preceded by '!' to specify all protocols except the
one following '!'.
Example: To blacklist 206.124.146.176 for all protocols except
UDP:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 !udp
Note that ports may not be specified when protocol inversion
is used.
7) When using Shorewall-perl, neither the 'start' nor 'started'
extension script is run during processing of the 'restore'
command. To allow extension of that command, we have added a
'restored' extension script that runs at the successful completion
of 'restore'. This script is only available with Shorewall-perl.
With Shorewall-shell, both scripts are run during 'restore' but in
that case, the run_iptables() function does nothing. So any
run_iptables() calls in the 'start' script are effectively ignored.
8) Shorewall-perl now correctly handles 'here documents' quoting
(<<EOF .... EOF) in run-time extension scripts.


@ -4,7 +4,7 @@
# /etc/shorewall/restored # /etc/shorewall/restored
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been completed a 'restore' command. # completed a 'restore' command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.


@ -10,5 +10,6 @@
# information. # information.
# #
############################################################################### ###############################################################################
#INTERFACE HOST(S) OPTIONS #INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE
# PORT(S) PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -216,9 +216,6 @@ get_config() {
No|NO|no) No|NO|no)
TC_ENABLED= TC_ENABLED=
;; ;;
RTC)
NORTC=Yes
;;
esac esac
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
@ -299,6 +296,20 @@ get_config() {
fi fi
;; ;;
esac esac
case $FAST_STOP in
Yes|yes)
;;
No|no)
FAST_STOP=
;;
*)
if [ -n "$FAST_STOP" ]; then
echo " ERROR: Invalid FAST_STOP setting ($FAST_STOP)" >&2
exit 2
fi
;;
esac
} }
# #
@ -483,16 +494,6 @@ start_command() {
DEBUG=Yes DEBUG=Yes
option=${option#d} option=${option#d}
;; ;;
n*)
NORTC=Yes
RTCONLY=
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
f*) f*)
FAST=Yes FAST=Yes
option=${option#f} option=${option#f}
@ -537,8 +538,7 @@ start_command() {
;; ;;
esac esac
export NORTC export NOROUTES
export RTCONLY
export PURGE export PURGE
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
@ -780,15 +780,9 @@ restart_command() {
option=${option#f} option=${option#f}
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C) C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2 SHOREWALL_COMPILER=$2
@ -838,8 +832,7 @@ restart_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC export NOROUTES
export RTCONLY
export PURGE export PURGE
if [ -z "$FAST" ]; then if [ -z "$FAST" ]; then
@ -917,8 +910,7 @@ refresh_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC export NOROUTES
export RTCONLY
progress_message3 "Compiling..." progress_message3 "Compiling..."
@ -961,15 +953,9 @@ safe_commands() {
option= option=
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C) C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2 SHOREWALL_COMPILER=$2
@ -1116,15 +1102,9 @@ try_command() {
option= option=
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C) C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name" [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2 SHOREWALL_COMPILER=$2
@ -1485,7 +1465,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ <directory> ]" echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ <directory> ]"
echo " stop [ -f ]" echo " stop [ -f ]"
echo " status" echo " status"
@ -1519,8 +1499,7 @@ IPT_OPTIONS="-nv"
FAST= FAST=
VERBOSE_OFFSET=0 VERBOSE_OFFSET=0
USE_VERBOSITY= USE_VERBOSITY=
NORTC= NOROUTES=
RTC=
PURGE= PURGE=
EXPORT= EXPORT=
export TIMESTAMP= export TIMESTAMP=
@ -1597,15 +1576,9 @@ while [ $finished -eq 0 ]; do
esac esac
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
t*) t*)
TIMESTAMP=Yes TIMESTAMP=Yes
option=${option#t} option=${option#t}
@ -1758,23 +1731,28 @@ case "$COMMAND" in
start_command $@ start_command $@
;; ;;
stop|clear) stop|clear)
if [ "x$2" = x-f ]; then get_config
[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore if [ "x$2" = x-s ]; then
shift; shift
else
if [ "x$2" = x-f -o "$FAST_STOP" ]; then
[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
if [ "x$2" = x-f ]; then
shift
fi
fi
fi fi
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config export NOROUTES
export NORTC
export RTCONLY
mutex_on mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
mutex_off mutex_off
;; ;;
reset) reset)
get_config get_config
export NORTC export NOROUTES
export RTCONLY
shift shift
mutex_on mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@ $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@
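Review bot: In the `stop|clear` branch, `[ "x$2" = x-f -o "$FAST_STOP" ]` relies on the deprecated `-o` and a bare string test of `$FAST_STOP`, and the following `[ -x ${VARDIR}/.restore ]` leaves `${VARDIR}` unquoted; `if [ "x$2" = x-f ] || [ -n "$FAST_STOP" ]; then` and `[ -x "${VARDIR}/.restore" ]` express the same logic without the ambiguity. The operational caveat is that FAST_STOP=Yes now makes `stop` and `clear` execute the previously saved `${VARDIR}/.restore` whenever it is executable, so the stopped-state rules come from whatever configuration was last saved rather than the current routestopped file; that appears intended (the release notes document `-s` as the override), but a comment at that point would spare the next reader a surprise: `# FAST_STOP=Yes (or -f): run the saved script; routestopped changes since the last save are not reflected. -s forces a full stop.` Separately, the untouched context line `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` tests a literal string and is therefore always true; it is harmless because the expansion of an empty value is empty, but `"$LOGFORMAT"` was presumably meant and could be fixed while this function is being edited.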


@ -1,5 +1,5 @@
%define name shorewall-common %define name shorewall-common
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -177,8 +177,6 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Thu Feb 05 2009 Tom Eastep tom@shorewall.net * Thu Feb 05 2009 Tom Eastep tom@shorewall.net
- Add 'restored' script - Add 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net


@ -186,6 +186,10 @@ MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
FAST_STOP=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -21,6 +21,8 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# For information about this script, see http://www.shorewall.net/MultiISP.html#swping.
#
########################################################################################### ###########################################################################################
# #
# IP Family == 4 or 6 # IP Family == 4 or 6


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1 +1 @@
This is the Shorewall-lite Development 4.1 branch of SVN. This is the Shorewall-lite stable 4.2 branch of SVN.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,8 +98,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base - Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base - Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net * Thu Dec 25 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,2 +1,2 @@
This is the Shorewall-perl development 4.3 branch of SVN. This is the Shorewall-perl stable 4.2 branch of SVN.


@ -201,17 +201,17 @@ sub setup_accounting() {
if ( have_bridges ) { if ( have_bridges ) {
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting'; insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
} }
} }
if ( $filter_table->{accountout} ) { if ( $filter_table->{accountout} ) {
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout'; insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
} }
} else { } else {
if ( $filter_table->{accounting} ) { if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting'; insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
} }
} }
} }


@ -44,6 +44,7 @@ our @EXPORT = qw(
log_rule_limit log_rule_limit
%chain_table %chain_table
$raw_table
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@ -71,6 +72,8 @@ our %EXPORT_TAGS = (
add_command add_command
add_commands add_commands
move_rules move_rules
insert_rule1
add_tunnel_rule
process_comment process_comment
no_comment no_comment
macro_comment macro_comment
@ -94,11 +97,13 @@ our %EXPORT_TAGS = (
dnat_chain dnat_chain
snat_chain snat_chain
ecn_chain ecn_chain
notrack_chain
first_chains first_chains
ensure_chain ensure_chain
ensure_accounting_chain ensure_accounting_chain
ensure_mangle_chain ensure_mangle_chain
ensure_nat_chain ensure_nat_chain
ensure_raw_chain
new_standard_chain new_standard_chain
new_builtin_chain new_builtin_chain
new_nat_chain new_nat_chain
@ -135,6 +140,7 @@ our %EXPORT_TAGS = (
match_ipsec_out match_ipsec_out
log_rule log_rule
expand_rule expand_rule
addrawjump
addnatjump addnatjump
get_interface_address get_interface_address
get_interface_addresses get_interface_addresses
@ -175,6 +181,7 @@ our $VERSION = 4.2.4;
# synchain => <name of synparam chain> # synchain => <name of synparam chain>
# default => <default action> # default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands> # cmdlevel => <number of open loops or blocks in runtime commands>
# new => undef|<index into @$rules where NEW section starts>
# rules => [ <rule1> # rules => [ <rule1>
# <rule2> # <rule2>
# ... # ...
@ -192,6 +199,7 @@ our $VERSION = 4.2.4;
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
# #
our %chain_table; our %chain_table;
our $raw_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
@ -290,6 +298,7 @@ sub initialize( $ ) {
nat => {}, nat => {},
filter => {} ); filter => {} );
$raw_table = $chain_table{raw};
$nat_table = $chain_table{nat}; $nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle}; $mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter}; $filter_table = $chain_table{filter};
@ -427,6 +436,100 @@ sub push_rule( $$ ) {
} }
} }
#
# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
# to work within the 15-element limit imposed by iptables/Netfilter.
#
sub handle_sport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
# More than 15 ports specified
#
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
chop $newports;
last;
} else {
$newports .= $port;
}
} else {
$newports .= "${port}${separator}";
}
}
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
}
} else {
push_rule ( $chainref, $rule );
}
}
#
# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
# to work within the 15-element limit imposed by iptables/Netfilter.
#
sub handle_dport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
# More than 15 ports specified
#
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
chop $newports;
last;
} else {
$newports .= $port;
}
} else {
$newports .= "${port}${separator}";
}
}
my $newrule = join( '', $first, $newports, $rest );
if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_sport_list( $chainref, $newrule, $1, $2, $3 );
} else {
push_rule ( $chainref, $newrule );
}
}
} elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_sport_list( $chainref, $rule, $1, $2, $3 );
} else {
push_rule ( $chainref, $rule );
}
}
# #
# Add a rule to a chain. Arguments are: # Add a rule to a chain. Arguments are:
# #
@ -445,54 +548,26 @@ sub add_rule($$;$)
# #
# By post-processing each rule generated by expand_rule(), we avoid all of that # By post-processing each rule generated by expand_rule(), we avoid all of that
# messiness and replace it with the following localized messiness. # messiness and replace it with the following localized messiness.
#
# Because source ports are seldom specified and source port lists are rarer still, if ( $expandports ) {
# we only worry about the destination ports. if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
#
if ( $expandports && $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
#
# Rule has a --dports specification
#
my ($first, $ports, $rest) = ( $1, $2, $3 );
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
# #
# More than 15 ports specified # Rule has a --dports specification
# #
my @ports = split '([,:])', $ports; handle_dport_list( $chainref, $rule, $1, $2, $3 )
} elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
while ( @ports ) { #
my $count = 0; # Rule has a --sports specification
my $newports = ''; #
handle_sport_list( $chainref, $rule, $1, $2, $3 )
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
chop $newports;
last;
} else {
$newports .= $port;
}
} else {
$newports .= "${port}${separator}";
}
}
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
}
} else { } else {
push_rule ( $chainref, $rule ); push_rule ( $chainref, $rule );
} }
} else { } else {
push_rule ( $chainref, $rule ); push_rule( $chainref, $rule );
} }
} }
# #
# Add a jump from the chain represented by the reference in the first argument to # Add a jump from the chain represented by the reference in the first argument to
# the target in the second argument. The optional third argument specifies any # the target in the second argument. The optional third argument specifies any
@ -533,7 +608,7 @@ sub add_jump( $$$;$ ) {
# #
# Chain reference , Rule Number, Rule # Chain reference , Rule Number, Rule
# #
sub insert_rule($$$) sub insert_rule1($$$)
{ {
my ($chainref, $number, $rule) = @_; my ($chainref, $number, $rule) = @_;
@ -541,13 +616,29 @@ sub insert_rule($$$)
$rule .= "-m comment --comment \"$comment\"" if $comment; $rule .= "-m comment --comment \"$comment\"" if $comment;
splice( @{$chainref->{rules}}, $number - 1, 0, join( ' ', '-A', $rule ) ); splice( @{$chainref->{rules}}, $number, 0, join( ' ', '-A', $rule ) );
$iprangematch = 0; $iprangematch = 0;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
} }
sub insert_rule($$$) {
my ($chainref, $number, $rule) = @_;
insert_rule1( $chainref, $number - 1, $rule );
}
#
# Insert a tunnel rule into the passed chain. Tunnel rules are inserted sequentially
# at the beginning of the 'NEW' section.
#
sub add_tunnel_rule( $$ ) {
my ( $chainref, $rule ) = @_;
insert_rule1( $chainref, $chainref->{new}++, $rule );
}
# #
# Move the rules from one chain to another # Move the rules from one chain to another
# #
@ -756,6 +847,14 @@ sub dnat_chain( $ )
$_[0] . '_dnat'; $_[0] . '_dnat';
} }
#
# Notrack Chain from a zone
#
sub notrack_chain( $ )
{
$_[0] . '_notrk';
}
# #
# SNAT Chain to an interface # SNAT Chain to an interface
# #
@ -881,6 +980,16 @@ sub ensure_nat_chain($) {
$chainref; $chainref;
} }
sub ensure_raw_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'raw', $chain;
$chainref->{referenced} = 1;
$chainref;
}
# #
# Add a builtin chain # Add a builtin chain
# #
@ -1060,6 +1169,9 @@ sub finish_chain_section ($$) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn "; add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
} }
} }
$chainref->{new} = @{$chainref->{rules}};
} }
$comment = $savecomment; $comment = $savecomment;
@ -1092,7 +1204,7 @@ sub set_mss1( $$ ) {
if ( $chainref->{policy} ne 'NONE' ) { if ( $chainref->{policy} ne 'NONE' ) {
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
} }
} }
@ -1817,7 +1929,7 @@ sub log_rule_limit( $$$$$$$$ ) {
if ( $command eq 'add' ) { if ( $command eq 'add' ) {
add_rule ( $chainref, $predicates . $prefix , 1 ); add_rule ( $chainref, $predicates . $prefix , 1 );
} else { } else {
insert_rule ( $chainref , 1 , $predicates . $prefix ); insert_rule1 ( $chainref , 0 , $predicates . $prefix );
} }
} }
@ -1935,7 +2047,7 @@ sub get_interface_gateway ( $ ) {
my $variable = interface_gateway( $interface ); my $variable = interface_gateway( $interface );
my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway'; my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
if ( interface_is_optional $interface ) { if ( interface_is_optional $interface ) {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n); $interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
@ -2457,6 +2569,18 @@ sub expand_rule( $$$$$$$$$$$ )
# #
# If the destination chain exists, then at the end of the source chain add a jump to the destination. # If the destination chain exists, then at the end of the source chain add a jump to the destination.
# #
sub addrawjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my $destref = $raw_table->{$dest} || {};
if ( $destref->{referenced} ) {
add_rule $raw_table->{$source} , $predicates . "-j $dest";
} else {
clearrule;
}
}
sub addnatjump( $$$ ) { sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_; my ( $source , $dest, $predicates ) = @_;
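Review bot: `insert_rule1` splices at any index but never adjusts `$chainref->{new}`, so once `finish_chain_section` has recorded the NEW-section start (`$chainref->{new} = @{$chainref->{rules}}`), an `insert_rule1 ..., 0` call on that chain (set_mss1, log_rule_limit and the Accounting.pm callers switched in this commit) leaves the index one short and later `add_tunnel_rule` rules land one position past the section start; whether any of those callers can run after `finish_chain_section` on the same chain is not visible here, so please confirm. A consistent fix is to bump the index inside `insert_rule1` after the `splice`, `$chainref->{new}++ if defined $chainref->{new} && $number <= $chainref->{new};`, and to have `add_tunnel_rule` stop post-incrementing: `$chainref->{new} ||= 0;` followed by `insert_rule1( $chainref, $chainref->{new}, $rule );`. Independently of that, the comment on `add_tunnel_rule` should state that an undefined `{new}` (no NEW section recorded yet) sends the rule to index 0, which is what `$chainref->{new}++` on undef does today. `handle_sport_list` and `handle_dport_list` also repeat the 15-element chunking loop verbatim; a shared helper returning the chunks would leave the dport variant's extra `--sports` pass as the only difference between them.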



@ -54,6 +54,8 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
disable_object
enable_object
finalize_object finalize_object
numeric_value numeric_value
numeric_value1 numeric_value1
@ -80,6 +82,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
set_debug set_debug
find_file find_file
split_list split_list
split_list1
split_line split_line
split_line1 split_line1
first_entry first_entry
@ -142,6 +145,8 @@ our $timestamp;
# Object file handle # Object file handle
# #
our $object; our $object;
our $object_enabled;
# #
# True, if last line emitted is blank # True, if last line emitted is blank
# #
@ -293,6 +298,7 @@ sub initialize( $ ) {
$log_verbose = -1; # Verbosity of log. $log_verbose = -1; # Verbosity of log.
$timestamp = ''; # If true, we are to timestamp each progress message $timestamp = ''; # If true, we are to timestamp each progress message
$object = 0; # Object (script) file Handle Reference $object = 0; # Object (script) file Handle Reference
$object_enabled = 0; # Write to object file is disabled.
$lastlineblank = 0; # Avoid extra blank lines in the output $lastlineblank = 0; # Avoid extra blank lines in the output
$indent1 = ''; # Current indentation $indent1 = ''; # Current indentation
$indent2 = ''; # Current indentation $indent2 = ''; # Current indentation
@ -310,7 +316,8 @@ sub initialize( $ ) {
LOGPARMS => '', LOGPARMS => '',
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
VERSION => "4.3.6", UNTRACKED => 0,
VERSION => "4.2.6",
CAPVERSION => 40205 , CAPVERSION => 40205 ,
); );
@ -416,6 +423,7 @@ sub initialize( $ ) {
NULL_ROUTE_RFC1918 => undef , NULL_ROUTE_RFC1918 => undef ,
USE_DEFAULT_RT => undef , USE_DEFAULT_RT => undef ,
RESTORE_DEFAULT_ROUTE => undef , RESTORE_DEFAULT_ROUTE => undef ,
FAST_STOP => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@ -738,6 +746,8 @@ sub in_hex8( $ ) {
# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines. # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
# #
sub emit { sub emit {
fatal_error 'Internal Error in emit' unless $object_enabled;
if ( $object ) { if ( $object ) {
# #
# 'compile' as opposed to 'check' # 'compile' as opposed to 'check'
@ -762,6 +772,7 @@ sub emit {
# Write passed message to the object with newline but no indentation. # Write passed message to the object with newline but no indentation.
# #
sub emit_unindented( $ ) { sub emit_unindented( $ ) {
fatal_error 'Internal Error in emit_unindented' unless $object_enabled;
print $object "$_[0]\n" if $object; print $object "$_[0]\n" if $object;
} }
@ -840,26 +851,28 @@ sub timestamp() {
sub progress_message { sub progress_message {
my $havelocaltime = 0; my $havelocaltime = 0;
if ( $verbose > 1 ) { if ( $verbose > 1 || $log_verbose > 1 ) {
timestamp, $havelocaltime = 1 if $timestamp;
#
# We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
# The following makes such messages look more readable and uniform
#
my $line = "@_"; my $line = "@_";
my $leading = $line =~ /^(\s+)/ ? $1 : '';
$line =~ s/\s+/ /g; $line =~ s/\s+/ /g;
print "$line\n";
}
if ( $log_verbose > 1 ) { if ( $verbose > 1 ) {
our @localtime; timestamp, $havelocaltime = 1 if $timestamp;
#
# We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
# The following makes such messages look more readable and uniform
#
print "${leading}${line}\n";
}
@localtime = localtime unless $havelocaltime; if ( $log_verbose > 1 ) {
our @localtime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; @localtime = localtime unless $havelocaltime;
my $line = "@_";
$line =~ s/\s+/ /g; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "$line\n"; print $log "${leading}${line}\n";
}
} }
} }
@ -951,6 +964,8 @@ sub pop_indent() {
# Functions for copying files into the object # Functions for copying files into the object
# #
sub copy( $ ) { sub copy( $ ) {
fatal_error 'Internal Error in copy' unless $object_enabled;
if ( $object ) { if ( $object ) {
my $file = $_[0]; my $file = $_[0];
@ -981,6 +996,8 @@ sub copy( $ ) {
# This one handles line continuation and 'here documents' # This one handles line continuation and 'here documents'
sub copy1( $ ) { sub copy1( $ ) {
fatal_error 'Internal Error in copy1' unless $object_enabled;
if ( $object ) { if ( $object ) {
my $file = $_[0]; my $file = $_[0];
@ -1058,6 +1075,20 @@ sub create_temp_object( $$ ) {
} }
#
# Enable writing to object
#
sub enable_object() {
$object_enabled = 1;
}
#
# Disable writing to object
#
sub disable_object() {
$object_enabled = 0;
}
# #
# Finalize the object file # Finalize the object file
# #
@ -1132,6 +1163,33 @@ sub split_list( $$ ) {
split /,/, $list; split /,/, $list;
} }
sub split_list1( $$ ) {
my ($list, $type ) = @_;
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
my @list1 = split /,/, $list;
my @list2;
my $element = '';
for ( @list1 ) {
if ( /\(/ ) {
fatal_error "Invalid $type list ($list)" if $element;
$element = $_;
} elsif ( /\)$/ ) {
fatal_error "Invalid $type list ($list)" unless $element;
push @list2, join ',', $element, $_;
$element = '';
} elsif ( $element ) {
$element = join ',', $element , $_;
} else {
push @list2 , $_;
}
}
@list2;
}
# #
# Pre-process a line from a configuration file. # Pre-process a line from a configuration file.
@ -2229,8 +2287,6 @@ sub get_configuration( $ ) {
$globals{TC_SCRIPT} = $file; $globals{TC_SCRIPT} = $file;
} elsif ( $val eq 'internal' ) { } elsif ( $val eq 'internal' ) {
$config{TC_ENABLED} = 'Internal'; $config{TC_ENABLED} = 'Internal';
} elsif ( $val eq 'rtc' ) {
$config{TC_ENABLED} = 'RTC';
} else { } else {
fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no'; fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
$config{TC_ENABLED} = ''; $config{TC_ENABLED} = '';
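Review bot: `split_list1` silently drops an unterminated parenthesised element: when an element containing `(` is never followed by one ending in `)`, the loop finishes with `$element` still set and the accumulated text is neither pushed nor reported, so a list such as `a,(b,c` (constructed example) returns only `a`. Add `fatal_error "Invalid $type list ($list)" if $element;` immediately before the final `@list2;`. The `/\(/` test also captures an element that opens and closes its parentheses by itself, e.g. `x(y)`, and then glues the following plain element onto it; if such self-contained elements are legal for the callers (not visible here), the first branch should read `if ( /\(/ && ! /\)$/ )`. A header comment is missing as well; one line such as `# Like split_list, but a comma inside a parenthesized element does not split that element` would explain why this variant exists next to `split_list`.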


@ -123,7 +123,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
} }
emit "[ -n \"\$NORTC\" ] || ip -4 route flush cache"; emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
} }
} }


@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
} }
unless ( $haveroute ) { unless ( $haveroute ) {
emit "run_ip route replace $address dev $interface"; emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
$haveroute = 1 if $persistent; $haveroute = 1 if $persistent;
} }


@ -267,12 +267,14 @@ sub setup_rfc1918_filteration( $ ) {
add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT}; add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT};
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
for my $hostref ( @$listref ) { for my $hostref ( @$listref ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( first_chains $interface ) { for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); add_rule $filter_table->{$chain} , join( '', "-m state --state $state ", match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
} }
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1; set_interface_option $interface, 'use_forward_chain', 1;
@ -335,11 +337,11 @@ sub setup_blacklist() {
$disposition , $disposition ,
'' ); '' );
progress_message " \"$currentline\" added to blacklist"; progress_message " \"$currentline\" added to blacklist";
} }
} }
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
for my $hostref ( @$hosts ) { for my $hostref ( @$hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
@ -356,7 +358,7 @@ sub setup_blacklist() {
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1; set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Blacklisting enabled on ${interface}:${network}"; progress_message " Blacklisting enabled on ${interface}:${network}";
} }
} }
} }
@ -367,13 +369,15 @@ sub process_criticalhosts() {
my $fn = open_file 'routestopped'; my $fn = open_file 'routestopped';
my $seq = 0;
first_entry "$doing $fn for critical hosts..."; first_entry "$doing $fn for critical hosts...";
while ( read_a_line ) { while ( read_a_line ) {
my $routeback = 0; my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; my ($interface, $hosts, $options, $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -381,15 +385,18 @@ sub process_criticalhosts() {
my @hosts; my @hosts;
$seq++;
for my $host ( split_list $hosts, 'host' ) { for my $host ( split_list $hosts, 'host' ) {
validate_host $host, 1; validate_host $host, 1;
push @hosts, "$interface|$host"; push @hosts, "$interface|$host|$seq";
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option (split_list $options, 'option' ) { for my $option (split_list $options, 'option' ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) { unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' || $option eq 'notrack' ) {
if ( $option eq 'critical' ) { if ( $option eq 'critical' ) {
fatal_error "PROTO may not be specified with 'critical'" if $proto ne '-';
push @critical, @hosts; push @critical, @hosts;
} else { } else {
warning_message "Unknown routestopped option ( $option ) ignored"; warning_message "Unknown routestopped option ( $option ) ignored";
@ -404,17 +411,19 @@ sub process_criticalhosts() {
sub process_routestopped() { sub process_routestopped() {
my ( @allhosts, %source, %dest ); my ( @allhosts, %source, %dest , %notrack, @rule );
my $fn = open_file 'routestopped'; my $fn = open_file 'routestopped';
my $seq = 0;
first_entry "$doing $fn..."; first_entry "$doing $fn...";
while ( read_a_line ) { while ( read_a_line ) {
my $routeback = 0; my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -422,9 +431,14 @@ sub process_routestopped() {
my @hosts; my @hosts;
$seq++;
my $rule = do_proto( $proto, $ports, $sports );
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
validate_host $host, 1; validate_host $host, 1;
push @hosts, "$interface|$host"; push @hosts, "$interface|$host|$seq";
push @rule, $rule;
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
@ -445,11 +459,15 @@ sub process_routestopped() {
} }
} elsif ( $option eq 'source' ) { } elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
$source{"$interface|$host"} = 1; $source{"$interface|$host|$seq"} = 1;
} }
} elsif ( $option eq 'dest' ) { } elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
$dest{"$interface|$host"} = 1; $dest{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1;
} }
} else { } else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical'; warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
@ -463,34 +481,40 @@ sub process_routestopped() {
my $tool = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES'; my $tool = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES';
for my $host ( @allhosts ) { for my $host ( @allhosts ) {
my ( $interface, $h ) = split /\|/, $host; my ( $interface, $h, $seq ) = split /\|/, $host;
my $source = match_source_net $h; my $source = match_source_net $h;
my $dest = match_dest_net $h; my $dest = match_dest_net $h;
my $sourcei = match_source_dev $interface; my $sourcei = match_source_dev $interface;
my $desti = match_dest_dev $interface; my $desti = match_dest_dev $interface;
my $rule = shift @rule;
emit "$tool -A INPUT $sourcei $source -j ACCEPT"; emit "$tool -A INPUT $sourcei $source $rule -j ACCEPT";
emit "$tool -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED}; emit "$tool -A OUTPUT $desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
my $matched = 0; my $matched = 0;
if ( $source{$host} ) { if ( $source{$host} ) {
emit "$tool -A FORWARD $sourcei $source -j ACCEPT"; emit "$tool -A FORWARD $sourcei $source $rule -j ACCEPT";
$matched = 1; $matched = 1;
} }
if ( $dest{$host} ) { if ( $dest{$host} ) {
emit "$tool -A FORWARD $desti $dest -j ACCEPT"; emit "$tool -A FORWARD $desti $dest $rule -j ACCEPT";
$matched = 1; $matched = 1;
} }
if ( $notrack{$host} ) {
emit "$tool -t raw -A PREROUTING $sourcei $source $rule -j NOTRACK";
emit "$tool -t raw -A OUTPUT $desti $dest $rule -j NOTRACK";
}
unless ( $matched ) { unless ( $matched ) {
for my $host1 ( @allhosts ) { for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) { unless ( $host eq $host1 ) {
my ( $interface1, $h1 ) = split /\|/, $host1; my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
my $dest1 = match_dest_net $h1; my $dest1 = match_dest_net $h1;
my $desti1 = match_dest_dev $interface1; my $desti1 = match_dest_dev $interface1;
emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT"; emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 $rule -j ACCEPT";
clearrule; clearrule;
} }
} }
@ -511,7 +535,7 @@ sub add_common_rules() {
new_standard_chain 'dynamic'; new_standard_chain 'dynamic';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD ); add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
@ -586,6 +610,9 @@ sub add_common_rules() {
if ( @$list ) { if ( @$list ) {
progress_message2 'Adding Anti-smurf Rules'; progress_message2 'Adding Anti-smurf Rules';
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
$interface = $hostref->[0]; $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
@ -593,7 +620,7 @@ sub add_common_rules() {
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) { for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), $policy ); add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
} }
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
@ -696,7 +723,7 @@ sub add_common_rules() {
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
progress_message2 '$doing UPnP'; progress_message2 "$doing UPnP";
new_nat_chain( 'UPnP' ); new_nat_chain( 'UPnP' );
@ -737,8 +764,6 @@ sub setup_mac_lists( $ ) {
my @maclist_interfaces = ( sort keys %maclist_interfaces ); my @maclist_interfaces = ( sort keys %maclist_interfaces );
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
if ( $phase == 1 ) { if ( $phase == 1 ) {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
@ -828,18 +853,20 @@ sub setup_mac_lists( $ ) {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $source = match_source_net $hostref->[2]; my $source = match_source_net $hostref->[2];
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
if ( $table eq 'filter' ) { if ( $table eq 'filter' ) {
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} ); my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
for my $chain ( first_chains $interface ) { for my $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state NEW ${policy}"; add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
} }
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1; set_interface_option $interface, 'use_forward_chain', 1;
} else { } else {
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} ); my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}"; add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}";
} }
} }
} else { } else {
@ -1614,7 +1641,7 @@ sub generate_matrix() {
fatal_error "No policy defined for zone $zone to zone $zone1"; fatal_error "No policy defined for zone $zone to zone $zone1";
} }
''; ''; # CONTINUE policy
} }
# #
@ -1632,6 +1659,7 @@ sub generate_matrix() {
my @interfaces = ( all_interfaces ); my @interfaces = ( all_interfaces );
my $preroutingref = ensure_chain 'nat', 'dnat'; my $preroutingref = ensure_chain 'nat', 'dnat';
my $fw = firewall_zone; my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my @zones = non_firewall_zones; my @zones = non_firewall_zones;
my $interface_jumps_added = 0; my $interface_jumps_added = 0;
@ -1677,7 +1705,11 @@ sub generate_matrix() {
} }
} }
} }
#
# NOTRACK from firewall
#
add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
# #
# Main source-zone matrix-generation loop # Main source-zone matrix-generation loop
# #
@ -1692,31 +1724,36 @@ sub generate_matrix() {
my $frwd_ref = $filter_table->{zone_forward_chain $zone}; my $frwd_ref = $filter_table->{zone_forward_chain $zone};
my $chain = 0; my $chain = 0;
my $dnatref = ensure_chain 'nat' , dnat_chain( $zone ); my $dnatref = ensure_chain 'nat' , dnat_chain( $zone );
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
my $nested = $zoneref->{options}{nested}; my $nested = $zoneref->{options}{nested};
my $parenthasnat = 0;
my $parenthasnotrack = 0;
if ( $nested ) { if ( $nested ) {
# #
# This is a sub-zone. We need to determine if # This is a sub-zone. We need to determine if
# #
# a) A parent zone defines DNAT/REDIRECT rules; and # a) A parent zone defines DNAT/REDIRECT or notrack rules; and
# b) The current zone has a CONTINUE policy to some other zone. # b) The current zone has a CONTINUE policy to some other zone.
# #
# If a) but not b), then we must avoid sending packets from this # If a) but not b), then we must avoid sending packets from this
# zone through the DNAT/REDIRECT chain for the parent. # zone through the DNAT/REDIRECT or notrack chain for the parent.
# #
my $parenthasnat = 0;
for my $parent ( @{$zoneref->{parents}} ) { for my $parent ( @{$zoneref->{parents}} ) {
my $ref = $nat_table->{dnat_chain $parent} || {}; my $ref1 = $nat_table->{dnat_chain $parent} || {};
$parenthasnat = 1, last if $ref->{referenced}; my $ref2 = $raw_table->{notrack_chain $parent} || {};
$parenthasnat = 1 if $ref1->{referenced};
$parenthasnotrack = 1 if $ref2->{referenced};
last if $parenthasnat && $parenthasnotrack;
} }
if ( $parenthasnat ) { if ( $parenthasnat || $parenthasnotrack ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) { if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
# #
# This zone has a continue policy to another zone. We must # This zone has a continue policy to another zone. We must
# send packets from this zone through the parent's DNAT/REDIRECT chain. # send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
# #
$nested = 0; $nested = 0;
last; last;
@ -1724,7 +1761,7 @@ sub generate_matrix() {
} }
} else { } else {
# #
# No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain. # No parent has DNAT or notrack so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' or 'notrack' chain.
# #
$nested = 0; $nested = 0;
} }
@ -1784,11 +1821,22 @@ sub generate_matrix() {
# #
add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match ); add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
} }
if ( $notrackref->{referenced} ) {
#
# There are notrack rules with this zone as the source.
# Add a jump from this source network to this zone's notrack chain
#
add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
}
# #
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
# then add a RETURN jump for this source network. # then add a RETURN jump for this source network.
# #
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested; if ( $nested ) {
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnat;
add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack;
}
my $inputchainref; my $inputchainref;
my $interfacematch = ''; my $interfacematch = '';


@ -109,6 +109,24 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
} }
); );
our %flow_keys = ( 'src' => 1,
'dst' => 1,
'proto' => 1,
'proto-src' => 1,
'proto-dst' => 1,
'iif' => 1,
'priority' => 1,
'mark' => 1,
'nfct' => 1,
'nfct-src' => 1,
'nfct-dst' => 1,
'nfct-proto-src' => 1,
'nfct-proto-dst' => 1,
'rt-classid' => 1,
'sk-uid' => 1,
'sk-gid' => 1,
'vlan-tag' => 1 );
our %classids; our %classids;
our @deferred_rules; our @deferred_rules;
@ -309,7 +327,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result; fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result;
} }
progress_message " TC Rule \"$currentline\" $done"; progress_message " TC Rule \"$currentline\" $done";
} }
@ -337,6 +355,20 @@ sub calculate_quantum( $$ ) {
int( ( $rate * 125 ) / $r2q ); int( ( $rate * 125 ) / $r2q );
} }
sub process_flow($) {
my $flow = shift;
$flow =~ s/^\(// if $flow =~ s/\)$//;
my @flow = split /,/, $flow;
for ( @flow ) {
fatal_error "Invalid flow key ($_)" unless $flow_keys{$_};
}
$flow;
}
sub validate_tc_device( $$$$$ ) { sub validate_tc_device( $$$$$ ) {
my ( $device, $inband, $outband , $options , $redirected ) = @_; my ( $device, $inband, $outband , $options , $redirected ) = @_;
@ -364,12 +396,18 @@ sub validate_tc_device( $$$$$ ) {
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/; fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
my $classify = 0; my ( $classify, $pfifo, $flow) = (0, 0, '' );
if ( $options ne '-' ) { if ( $options ne '-' ) {
for my $option ( split_list $options, 'option' ) { for my $option ( split_list1 $options, 'option' ) {
if ( $option eq 'classify' ) { if ( $option eq 'classify' ) {
$classify = 1; $classify = 1;
} elsif ( $option =~ /^flow=(.*)$/ ) {
fatal_error "The 'flow' option is not allowed with 'pfifo'" if $pfifo;
$flow = process_flow $1;
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $flow;
$pfifo = 1;
} else { } else {
fatal_error "Unknown device option ($option)"; fatal_error "Unknown device option ($option)";
} }
@ -395,14 +433,16 @@ sub validate_tc_device( $$$$$ ) {
$tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' , $tcdevices{$device} = { in_bandwidth => rate_to_kbit( $inband ) . 'kbit' ,
out_bandwidth => rate_to_kbit( $outband ) . 'kbit' , out_bandwidth => rate_to_kbit( $outband ) . 'kbit' ,
number => $devnumber, number => $devnumber,
classify => $classify , classify => $classify ,
flow => $flow ,
pfifo => $pfifo ,
tablenumber => 1 , tablenumber => 1 ,
redirected => \@redirected , redirected => \@redirected ,
} , } ,
push @tcdevices, $device; push @tcdevices, $device;
progress_message " Tcdevice \"$currentline\" $done."; progress_message " Tcdevice \"$currentline\" $done.";
} }
sub convert_rate( $$$ ) { sub convert_rate( $$$ ) {
@ -410,7 +450,6 @@ sub convert_rate( $$$ ) {
if ( $rate =~ /\bfull\b/ ) { if ( $rate =~ /\bfull\b/ ) {
$rate =~ s/\bfull\b/$full/g; $rate =~ s/\bfull\b/$full/g;
progress_message " Compiling $column $_[1]";
fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]}; fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]};
no warnings; no warnings;
$rate = eval "int( $rate )"; $rate = eval "int( $rate )";
@ -444,7 +483,7 @@ sub dev_by_number( $ ) {
( $dev , $devref ); ( $dev , $devref );
} }
sub validate_tc_class( $$$$$$ ) { sub validate_tc_class( $$$$$$ ) {
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_; my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = @_;
@ -507,7 +546,9 @@ sub validate_tc_class( $$$$$$ ) {
rate => convert_rate( $full, $rate, 'RATE' ) , rate => convert_rate( $full, $rate, 'RATE' ) ,
ceiling => convert_rate( $full, $ceil, 'CEIL' ) , ceiling => convert_rate( $full, $ceil, 'CEIL' ) ,
priority => $prio eq '-' ? 1 : $prio , priority => $prio eq '-' ? 1 : $prio ,
mark => $markval mark => $markval ,
flow => '' ,
pfifo => 0
}; };
$tcref = $tcref->{$classnumber}; $tcref = $tcref->{$classnumber};
@ -515,7 +556,7 @@ sub validate_tc_class( $$$$$$ ) {
fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling}; fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split_list "\L$options", 'option' ) { for my $option ( split_list1 "\L$options", 'option' ) {
my $optval = $tosoptions{$option}; my $optval = $tosoptions{$option};
$option = $optval if $optval; $option = $optval if $optval;
@ -531,14 +572,23 @@ sub validate_tc_class( $$$$$$ ) {
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) { } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
( undef, $option ) = split /=/, $option; ( undef, $option ) = split /=/, $option;
push @{$tcref->{tos}}, $option; push @{$tcref->{tos}}, $option;
} elsif ( $option =~ /^flow=(.*)$/ ) {
fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
$tcref->{flow} = process_flow $1;
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
$tcref->{pfifo} = 1;
} else { } else {
fatal_error "Unknown option ($option)"; fatal_error "Unknown option ($option)";
} }
} }
} }
$tcref->{flow} = $devref->{flow} unless $tcref->{flow};
$tcref->{pfifo} = $devref->{pfifo} unless $tcref->{flow} || $tcref->{pfifo};
push @tcclasses, "$device:$classnumber"; push @tcclasses, "$device:$classnumber";
progress_message " Tcclass \"$currentline\" $done."; progress_message " Tcclass \"$currentline\" $done.";
} }
# #
@ -688,7 +738,7 @@ sub process_tc_filter( $$$$$$ ) {
emit ''; emit '';
progress_message " TC Filter \"$currentline\" $done"; progress_message " TC Filter \"$currentline\" $done";
$currentline =~ s/\s+/ /g; $currentline =~ s/\s+/ /g;
@ -803,13 +853,14 @@ sub setup_traffic_shaping() {
} }
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum", emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
"run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum", "run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
"run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10"
); emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo};
# #
# add filters # add filters
# #
emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify}; emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify};
emit "run_tc filter add dev $device protocol ip pref 1 parent $classnum: handle 1 flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
# #
#options #options
# #
@ -879,7 +930,7 @@ sub setup_tc() {
if ( $config{HIGH_ROUTE_MARKS} ) { if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) { for my $chain qw(INPUT FORWARD POSTROUTING) {
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF'; insert_rule1 $mangle_table->{$chain}, 0, '-j MARK --and-mark 0xFF';
} }
} }
} }
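Review bot: The pfifo/flow mutual-exclusion check in validate_tc_class is defeated by the device-level inheritance two lines below it: with a class option of `pfifo` and a device option of `flow=...`, `$tcref->{flow} = $devref->{flow} unless $tcref->{flow};` copies the device flow onto a class that already has pfifo set, so at emit time the sfq qdisc is skipped (`unless $tcref->{pfifo}`) but the `flow hash keys` filter is still emitted with `parent $classnum:`, a handle that no longer exists. The inheritance line should respect the class's pfifo choice: `$tcref->{flow} = $devref->{flow} unless $tcref->{flow} || $tcref->{pfifo};`. Separately, both new error strings read `The 'pfifo'' option ...` with a doubled quote; `The 'pfifo' option is not allowed with 'flow='` is presumably intended. It is worth a comment on %flow_keys that the whitelist is what keeps the keys safe to interpolate into the generated `run_tc filter` command line, since process_flow does no other escaping.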


@ -61,22 +61,22 @@ sub setup_tunnels() {
} }
} }
my $options = '-m state --state NEW -j ACCEPT'; my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) { unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
} }
if ( $kind eq 'ipsec' ) { if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options"; add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options"; add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
} else { } else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
} }
unless ( $gatewayzones eq '-' ) { unless ( $gatewayzones eq '-' ) {
@ -87,21 +87,21 @@ sub setup_tunnels() {
$outchainref = ensure_filter_chain "${fw}2${zone}", 1; $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) { unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) { unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
} }
} }
if ( $kind eq 'ipsec' ) { if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options"; add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options"; add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
} else { } else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options"; add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options"; add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
} }
} }
} }
@ -110,24 +110,24 @@ sub setup_tunnels() {
sub setup_one_other { sub setup_one_other {
my ($inchainref, $outchainref, $source, $dest , $protocol) = @_; my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
add_rule $inchainref , "-p $protocol $source -j ACCEPT"; add_tunnel_rule $inchainref , "-p $protocol $source -j ACCEPT";
add_rule $outchainref , "-p $protocol $dest -j ACCEPT"; add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
} }
sub setup_pptp_client { sub setup_pptp_client {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $outchainref, "-p 47 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 47 $dest -j ACCEPT";
add_rule $inchainref, "-p 47 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 47 $source -j ACCEPT";
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT" add_tunnel_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
} }
sub setup_pptp_server { sub setup_pptp_server {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_; my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $inchainref, "-p 47 $dest -j ACCEPT"; add_tunnel_rule $inchainref, "-p 47 $dest -j ACCEPT";
add_rule $outchainref, "-p 47 $source -j ACCEPT"; add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT" add_tunnel_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
} }
sub setup_one_openvpn { sub setup_one_openvpn {
@ -151,8 +151,8 @@ sub setup_tunnels() {
} }
} }
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
} }
sub setup_one_openvpn_client { sub setup_one_openvpn_client {
@ -176,8 +176,8 @@ sub setup_tunnels() {
} }
} }
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT"; add_tunnel_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT"; add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
} }
sub setup_one_openvpn_server { sub setup_one_openvpn_server {
@ -201,8 +201,8 @@ sub setup_tunnels() {
} }
} }
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT"; add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT"; add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
} }
sub setup_one_l2tp { sub setup_one_l2tp {
@ -210,8 +210,8 @@ sub setup_tunnels() {
fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/; fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT"; add_tunnel_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT"; add_tunnel_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
} }
sub setup_one_generic { sub setup_one_generic {
@ -228,8 +228,8 @@ sub setup_tunnels() {
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/; ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
} }
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT"; add_tunnel_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT"; add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
} }
sub setup_one_tunnel($$$$) { sub setup_one_tunnel($$$$) {
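Review bot: The new `$options` line widens every IPSEC/IKE tunnel ACCEPT to `--state NEW,UNTRACKED` whenever `$globals{UNTRACKED}` is set, but nothing in the hunk says why, and the widening is easy to misread as a loosening. Packets exempted from connection tracking never carry NEW or ESTABLISHED, so without this the IKE replies of a notrack'ed tunnel would fall through to the zone policy; the rule is still bound to `$source`/`$dest` and ports 500/4500, so I would add above it `# Packets exempted via notrack have state UNTRACKED (never NEW/ESTABLISHED), so accept them on the IKE ports in both directions`, hedged with a pointer to wherever `$globals{UNTRACKED}` is actually set, which is outside this file section. The switch from add_rule to add_tunnel_rule is also undocumented here; if add_tunnel_rule places rules differently from add_rule (presumably ahead of other NEW-section rules), one line on setup_tunnels saying so would save the next reader a trip to Chains.pm. setup_tunnels and its nested helpers begin and end outside the visible hunks.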


@ -809,7 +809,7 @@ sub validate_interfaces_file( $ )
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
progress_message " Interface \"$currentline\" Validated"; progress_message " Interface \"$currentline\" Validated";
} }


@ -35,7 +35,10 @@
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'. # --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
# --log=<filename> # Log file # --log=<filename> # Log file
# --log_verbosity=<number> # Log Verbosity range -1 to 2 # --log_verbosity=<number> # Log Verbosity range -1 to 2
# --family=<number> # IP family; 4 = IPv4, 6 = IPv6 # --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
# --rtc # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default)
# # 1 = Do not Generate Routing and Traffic shaping
# # 2 = Generate only the Routing and Traffic shaping part
# #
use strict; use strict;
use FindBin; use FindBin;
@ -75,6 +78,7 @@ my $log_verbose = 0;
my $help = 0; my $help = 0;
my $test = 0; my $test = 0;
my $family = 4; # F_IPV4 my $family = 4; # F_IPV4
my $rtc = 0;
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
@ -97,6 +101,7 @@ my $result = GetOptions('h' => \$help,
'test' => \$test, 'test' => \$test,
'f=i' => \$family, 'f=i' => \$family,
'family=i' => \$family, 'family=i' => \$family,
'rtc=i' => \$rtc,
); );
usage(1) unless $result && @ARGV < 2; usage(1) unless $result && @ARGV < 2;
@ -112,4 +117,5 @@ compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
log => $log, log => $log,
log_verbosity => $log_verbose, log_verbosity => $log_verbose,
test => $test, test => $test,
family => $family ); family => $family ,
rtc => $rtc );
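Review bot: The new `--rtc` option accepts any integer (`'rtc=i' => \$rtc`) but the header documents only the values 0, 1 and 2, and nothing in compiler.pl rejects anything else before it reaches compiler(); unless compiler() validates it, a typo such as `--rtc=3` is silently treated however the compiler's comparisons happen to fall. Guard it next to the existing argument check: `usage(1) unless $result && @ARGV < 2 && $rtc >= 0 && $rtc <= 2;`. The usage comment should also show that the option takes a value, matching the other lines: `# --rtc=<number> # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default)`.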


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,8 +1,8 @@
# #
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -23,8 +23,6 @@ fi
initialize initialize
[ -n "${PRODUCT:=Shorewall}" ]
finished=0 finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 )) VERBOSE=$(($VERBOSE - 1 ))
option=${option#q} option=${option#q}
;; ;;
r*)
if [ -n "$NORTC" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
RTCONLY=Yes
option=${option#r}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*) n*)
if [ -n "$RTCONLY" ]; then NOROUTES=Yes
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
NORTC=Yes
option=${option#n} option=${option#n}
;; ;;
*) *)
@ -79,15 +62,12 @@ done
COMMAND="$1" COMMAND="$1"
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then if shorewall_is_started; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running" error_message "$PRODUCT is already Running"
status=0 status=0
else else
@ -103,14 +83,11 @@ case "$COMMAND" in
progress_message3 "Stopping $PRODUCT...." progress_message3 "Stopping $PRODUCT...."
stop_firewall stop_firewall
status=0 status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
reset) reset)
if [ -n "${NORTC}$"{RTCONLY} ]; then if ! shorewall_is_started ; then
error_message "The -n and -r options may not be used with 'reset'"
status=1
elif ! shorewall_is_started ; then
error_message "$PRODUCT is not running" error_message "$PRODUCT is not running"
status=2 status=2
elif [ $# -eq 1 ]; then elif [ $# -eq 1 ]; then
@ -149,17 +126,14 @@ case "$COMMAND" in
define_firewall define_firewall
status=$? status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi fi
progress_message3 "done." progress_message3 "done."
;; ;;
refresh) refresh)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then if shorewall_is_started; then
error_message "The -n and -r options may not be used with 'refresh'"
status=1
elif shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...." progress_message3 "Refreshing $PRODUCT...."
define_firewall define_firewall
status=$? status=$?
@ -171,23 +145,18 @@ case "$COMMAND" in
;; ;;
restore) restore)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then define_firewall
error_message "The -n and -r options may not be used with 'restart'" status=$?
status=1 if [ -n "$SUBSYSLOCK" ]; then
else [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
define_firewall fi
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;; ;;
clear) clear)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...." progress_message3 "Clearing $PRODUCT...."
clear_firewall clear_firewall
status=0 status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
status) status)
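Review bot: The `-n` handler now collapses to a bare `NOROUTES=Yes`, and nothing in this file documents what that variable does or who reads it (presumably define_firewall, which is outside this script); a one-line comment on the case arm, `n*) NOROUTES=Yes   # skip routing/traffic-shaping setup; read by define_firewall`, would keep the option understandable now that the `-r` counterpart and its checks are gone. The relocated `[ -n "${PRODUCT:=Shorewall}" ]` is a test used only for its assignment side effect; the conventional spelling is `: "${PRODUCT:=Shorewall}"`, which makes the intent obvious and avoids a reader wondering what the result of the test is used for. While the lock handling is being touched, `rm -f $SUBSYSLOCK` should be `rm -f -- "$SUBSYSLOCK"` in the stop, clear, restart and restore arms.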


@ -2,7 +2,7 @@
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -23,8 +23,6 @@ fi
initialize initialize
[ -n "${PRODUCT:=Shorewall6}" ]
finished=0 finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 )) VERBOSE=$(($VERBOSE - 1 ))
option=${option#q} option=${option#q}
;; ;;
r*)
if [ -n "$NORTC" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
RTCONLY=Yes
option=${option#r}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*) n*)
if [ -n "$RTCONLY" ]; then NOROUTES=Yes
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
NORTC=Yes
option=${option#n} option=${option#n}
;; ;;
*) *)
@ -79,6 +62,8 @@ done
COMMAND="$1" COMMAND="$1"
[ -n "${PRODUCT:=Shorewall6}" ]
kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
if [ $kernel -lt 20625 ]; then if [ $kernel -lt 20625 ]; then
error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later"
@ -87,12 +72,7 @@ else
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then if shorewall6_is_started; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running" error_message "$PRODUCT is already Running"
status=0 status=0
else else
@ -106,20 +86,13 @@ else
stop) stop)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...." progress_message3 "Stopping $PRODUCT...."
if [ -n "$RTCONLY" ]; then stop_firewall
delete_tc1
else
stop_firewall
fi
status=0 status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
reset) reset)
if [ -n "${NORTC}$"{RTCONLY} ]; then if ! shorewall6_is_started ; then
error_message "The -n and -r options may not be used with 'reset'"
status=1
elif ! shorewall6_is_started ; then
error_message "$PRODUCT is not running" error_message "$PRODUCT is not running"
status=2 status=2
elif [ $# -eq 1 ]; then elif [ $# -eq 1 ]; then
@ -148,33 +121,23 @@ else
;; ;;
restart) restart)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then if shorewall6_is_started; then
progress_message3 "Restarting $PRODUCT...." progress_message3 "Restarting $PRODUCT...."
define_firewall
status=$?
else else
if shorewall6_is_started; then error_message "$PRODUCT is not running"
progress_message3 "Restarting $PRODUCT...." progress_message3 "Starting $PRODUCT...."
else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
progress_message3 "done." progress_message3 "done."
;; ;;
refresh) refresh)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then if shorewall6_is_started; then
error_message "The -n and -r options may not be used with 'refresh'"
status=1
elif shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...." progress_message3 "Refreshing $PRODUCT...."
define_firewall define_firewall
status=$? status=$?
@ -186,23 +149,18 @@ else
;; ;;
restore) restore)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then define_firewall
error_message "The -n and -r options may not be used with 'restore'" status=$?
status=1 if [ -n "$SUBSYSLOCK" ]; then
else [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
define_firewall fi
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;; ;;
clear) clear)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...." progress_message3 "Clearing $PRODUCT...."
clear_firewall clear_firewall
status=0 status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
status) status)
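Review bot: The minimum-kernel gate on the context line `if [ $kernel -lt 20625 ]; then` is fragile because `$kernel` is unquoted: if the `uname -r | sed | tr | printf` pipeline produces an empty string, `[` reports a unary-operator error, the condition is false, and the script proceeds on a kernel it never verified; `if [ "${kernel:-0}" -lt 20625 ]; then` fails closed instead. The commit does not touch that line, but the `[ -n "${PRODUCT:=Shorewall6}" ]` it moves directly above it should be `: "${PRODUCT:=Shorewall6}"`, the idiomatic form for an assignment-only expansion. As with the IPv4 script, `n*) NOROUTES=Yes` deserves a trailing comment saying what consumes NOROUTES, since the `-r`/RTCONLY machinery that used to give it context is gone.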


@ -20,28 +20,26 @@ delete_proxyarp() {
clear_firewall() { clear_firewall() {
stop_firewall stop_firewall
if [ -z "$RTCONLY" ]; then setpolicy INPUT ACCEPT
setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT
setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
fi fi
run_clear_exit
set_state "Cleared"
fi fi
run_clear_exit
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared" logger -p kern.info "$PRODUCT Cleared"
} }
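Review bot: With the RTCONLY guard removed, clear_firewall now unconditionally sets all three policies to ACCEPT, flushes the tables and writes `1` to ip_forward, and when DISABLE_IPV6 is set it also resets the ip6tables policies to ACCEPT; none of that is stated in the function, and it is the single most dangerous command in the script because it leaves the host as an unfiltered router regardless of what the compiled configuration said about forwarding. I would add above the function a comment such as `# clear: remove ALL filtering -- policies ACCEPT, tables flushed, IPv4 forwarding forced on, and (if DISABLE_IPV6) IPv6 re-opened. Troubleshooting only; the firewall is wide open until the next start.` The forced `echo 1 > /proc/sys/net/ipv4/ip_forward` presumably ignores the configured IP_FORWARDING setting; if that is deliberate, say so next to the line.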


@ -4,19 +4,17 @@
clear_firewall() { clear_firewall() {
stop_firewall stop_firewall
if [ -z "$RTCONLY" ]; then setpolicy INPUT ACCEPT
setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT
setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F run_iptables -F
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
run_clear_exit
set_state "Cleared" run_clear_exit
fi
set_state "Cleared"
logger -p kern.info "$PRODUCT Cleared" logger -p kern.info "$PRODUCT Cleared"
} }
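Review bot: The IPv6 clear_firewall now always sets the INPUT/FORWARD/OUTPUT policies to ACCEPT, flushes with `run_iptables -F`, and writes `1` to `/proc/sys/net/ipv6/conf/all/forwarding`, but carries no comment warning that this leaves the host forwarding IPv6 with no filtering at all. A header such as `# clear: drop all IPv6 filtering (policies ACCEPT, tables flushed) and force forwarding on; the host is unprotected until the next start` would make the blast radius explicit for anyone reaching for the `clear` command during troubleshooting. Forcing forwarding on presumably disregards the configured IP_FORWARDING value; worth a note on that line if intended.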


@ -821,19 +821,16 @@ detect_gateway() # $1 = interface
{ {
local interface local interface
interface=$1 interface=$1
local gateway
# #
# First assume that this is some sort of point-to-point interface # First assume that this is some sort of dynamic interface
# #
gateway=$( find_peer $(ip addr list $interface ) ) gateway=$( detect_dynamic_gateway $interface )
# #
# Maybe there's a default route through this gateway already # Maybe there's a default route through this gateway already
# #
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default)) [ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default))
# #
# Next try dhcpcd's info file for the interface
#
[ -n "$gateway" ] || gateway=$(get_dhcp_gateway)
#
# Last hope -- is there a load-balancing route through the interface? # Last hope -- is there a load-balancing route through the interface?
# #
[ -n "$gateway" ] || gateway=$(find_nexthop $interface) [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
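Review bot: The removed line `local gateway` is not replaced on the new side, so detect_gateway now assigns `gateway` as a global while `interface` is still declared `local`; every call overwrites (or leaves behind) a caller-visible `gateway`, which is an easy source of a stale route being applied to the wrong provider. Restore the declaration after `interface=$1`: `local gateway`. The new fallback `gateway=$(get_dhcp_gateway)` is called with no argument although the comment says "for the interface", so it presumably reads the `$interface` global set above; either pass it explicitly, `gateway=$(get_dhcp_gateway "$interface")`, or note the dependency in the comment. detect_gateway continues past the end of this hunk.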


@ -1,5 +1,5 @@
%define name shorewall-perl %define name shorewall-perl
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall Perl-based compiler. Summary: Shoreline Firewall Perl-based compiler.
@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt %doc COPYING releasenotes.txt
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base - Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base - Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net * Thu Dec 25 2008 Tom Eastep tom@shorewall.net


@ -1 +1 @@
This is the Shorewall-shell Development 4.2 branch of SVN. This is the Shorewall-shell Stable 4.2 branch of SVN.


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
%define name shorewall-shell %define name shorewall-shell
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,8 +81,10 @@ fi
%doc COPYING INSTALL %doc COPYING INSTALL
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base - Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base - Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net * Thu Dec 25 2008 Tom Eastep tom@shorewall.net


@ -1,18 +1,18 @@
# Shorewall Lite Makefile to restart if firewall script is newer than last restart # Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
VARDIR=$(shell /sbin/shorewall-lite show vardir) VARDIR=$(shell /sbin/shorewall6-lite show vardir)
SHAREDIR=/usr/share/shorewall-lite SHAREDIR=/usr/share/shorewall6-lite
RESTOREFILE?=.restore RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE} all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
@/sbin/shorewall-lite -q save >/dev/null; \ @/sbin/shorewall6-lite -q save >/dev/null; \
if \ if \
/sbin/shorewall-lite -q restart >/dev/null 2>&1; \ /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
then \ then \
/sbin/shorewall-lite -q save >/dev/null; \ /sbin/shorewall6-lite -q save >/dev/null; \
else \ else \
/sbin/shorewall-lite -q restart 2>&1 | tail >&2; \ /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
fi fi
# EOF # EOF


@ -1 +1 @@
This is the Shorewall-lite Development 4.1 branch of SVN. This is the Shorewall-lite Stable 4.2 branch of SVN.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -89,8 +89,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base - Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base - Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net * Thu Dec 25 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -5,13 +5,13 @@ RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE} all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/* $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \ @/sbin/shorewall6 -q save >/dev/null; \
if \ if \
/sbin/shorewall -q restart >/dev/null 2>&1; \ /sbin/shorewall6 -q restart >/dev/null 2>&1; \
then \ then \
/sbin/shorewall -q save >/dev/null; \ /sbin/shorewall6 -q save >/dev/null; \
else \ else \
/sbin/shorewall -q restart 2>&1 | tail >&2; \ /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
fi fi
# EOF # EOF


@ -1 +1 @@
This is the Shorewall-common Development 4.2 branch of SVN. This is the Shorewall-common Stable 4.2 branch of SVN.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -475,6 +475,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices" echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
fi fi
#
# Install the Notrack file
#
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewal6/configfiles/notrack
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
fi
# #
# Install the default config path file # Install the default config path file
# #
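Review bot: The share-directory path on the first added line is misspelled: `${PREFIX}/usr/share/shorewal6/configfiles/notrack` drops an `l`, so the template copy of `notrack` lands in a stray `/usr/share/shorewal6/` tree instead of `/usr/share/shorewall6/configfiles/` where the other templates in this script are installed. The line should read `run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack`. The `/etc/shorewall6/notrack` copy at mode 0600 and the `! -f` guard against overwriting an existing file match the tcdevices block just above it, which is good. `run_install` is defined outside this hunk.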


@ -413,6 +413,13 @@ show_command() {
show_reset show_reset
$IP6TABLES -t mangle -L $IPT_OPTIONS $IP6TABLES -t mangle -L $IPT_OPTIONS
;; ;;
raw)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version raw Table at $HOSTNAME - $(date)"
echo
show_reset
$IP6TABLES -t raw -L $IPT_OPTIONS
;;
log) log)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)" echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"


@ -4,7 +4,7 @@
# /etc/shorewall6/restored # /etc/shorewall6/restored
# #
# Add commands below that you want to be executed after shorewall6 has # Add commands below that you want to be executed after shorewall6 has
# been completed a 'restore' command. # completed a 'restore' command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.


@ -216,10 +216,6 @@ get_config() {
No|NO|no) No|NO|no)
TC_ENABLED= TC_ENABLED=
;; ;;
RTC)
NORTC=Yes
RTCONLY=
;;
esac esac
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
@ -470,8 +466,7 @@ start_command() {
;; ;;
esac esac
export NORTC export NOROUTES
export RTCONLY
export PURGE export PURGE
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
@ -690,15 +685,9 @@ restart_command() {
option=${option#f} option=${option#f}
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
p*) p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
PURGE=Yes PURGE=Yes
@ -742,8 +731,7 @@ restart_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC export NOROUTES
export RTCONLY
export PURGE export PURGE
if [ -z "$FAST" ]; then if [ -z "$FAST" ]; then
@ -815,8 +803,7 @@ refresh_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled" [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC export NOROUTES
export RTCONLY
progress_message3 "Compiling..." progress_message3 "Compiling..."
@ -859,15 +846,9 @@ safe_commands() {
option= option=
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
*) *)
usage 1 usage 1
;; ;;
@ -1008,15 +989,9 @@ try_command() {
option= option=
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
*) *)
usage 1 usage 1
;; ;;
@ -1355,7 +1330,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]" echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ] [ -p ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -p ] [ <directory> ]"
echo " stop [ -f ]" echo " stop [ -f ]"
echo " status" echo " status"
@ -1389,8 +1364,7 @@ IPT_OPTIONS="-nv"
FAST= FAST=
VERBOSE_OFFSET=0 VERBOSE_OFFSET=0
USE_VERBOSITY= USE_VERBOSITY=
NORTC= NOROUTES=
RTCONLY=
PURGE= PURGE=
EXPORT= EXPORT=
export TIMESTAMP= export TIMESTAMP=
@ -1467,15 +1441,9 @@ while [ $finished -eq 0 ]; do
esac esac
;; ;;
n*) n*)
NORTC=Yes NOROUTES=Yes
RTCONLY=
option=${option#n} option=${option#n}
;; ;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
t*) t*)
TIMESTAMP=Yes TIMESTAMP=Yes
option=${option#t} option=${option#t}
@ -1615,16 +1583,14 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started" [ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"
export NORTC export NOROUTES
export RTCONLY
mutex_on mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
mutex_off mutex_off
;; ;;
reset) reset)
get_config get_config
export NORTC export NOROUTES
export RTCONLY
shift shift
mutex_on mutex_on
[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started" [ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"
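Review bot: The context line `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` in `get_config` tests the literal string `LOGFORMAT`, which is never empty, instead of the variable; the guard is a no-op and the assignment always runs, which is harmless only because stripping a suffix from an empty value yields an empty value. It should be `[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"`. The commit carries this line forward unchanged, and the enclosing `case` body starts above the hunk. Separately, the usage text now lists `raw` as a `show` subcommand but still advertises `-t {filter|mangle}`; if `-t raw` is accepted by the `show` code (outside this view), the usage line should say so.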


@ -1,5 +1,5 @@
%define name shorewall6 %define name shorewall6
%define version 4.3.6 %define version 4.2.6
%define release 0base %define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -142,8 +142,6 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 05 2009 Tom Eastep tom@shorewall.net * Wed Feb 05 2009 Tom Eastep tom@shorewall.net
- Added 'restored' script - Added 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net * Wed Feb 04 2009 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6 VERSION=4.2.6
usage() # $1 = exit status usage() # $1 = exit status
{ {