Move 4.2 to trunk

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9468 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-21 17:21:51 +00:00
parent 54478f3757
commit f4b2f68ea0
57 changed files with 1502 additions and 944 deletions

View File

@ -1 +1 @@
This is the Shorewall-common Development 4.2 branch of SVN.
This is the Shorewall-common Stable 4.2 branch of SVN.

View File

@ -1,3 +1,47 @@
Changes in Shorewall 4.2.7
1) Added /etc/shorewall/notrack.
2) Added new columns to the routestopped file.
3) Moved tunnel rules back to the front of the NEW section.
4) Handle long sport lists.
Changes in Shorewall 4.2.6
1) Added macro.BitTorrent32
2) Add COUNT action.
3) Add swping
4) Add RESTORE_DEFAULT_ROUTE option
5) Use dhcpcd's database to detect dynamic gateways.
6) Fix TCP_FLAGS_DISPOSITION=REJECT
7) Allow protocol and port inversion.
8) Don't check for "-m state" until after modules are loaded
9) Fix Shorewall6[-lite]/Makefile
10) Reorganized generated script to be more like 4.3.
11) Added 'restored' script.
12) Another ctorigdstport fix.
13) Allow 'here documents' in extension scripts
14) Another ctorigdst fix.
15) Add flow key support.
16) Fix 'show connections'.
Changes in Shorewall 4.2.5
1) Add 'fallback' providers option.
@ -11,6 +55,12 @@ Changes in Shorewall 4.2.5
5) Added macro.Git.
6) Fix running of tcclear script.
7) Added macro.IRC.
8) Fix --ctorigport usage
Changes in Shorewall 4.2.4.6
1) Fix hosts exclusion in DNAT/REDIRECT.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{
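Review bot: VERSION is set to 4.2.6 here while the changelog and release notes in this same commit announce 4.2.7; either bump this to 4.2.7 or the fallback script will refuse to run against the version that actually ships. The same 4.3.6 to 4.2.6 edit recurs in install.sh, uninstall.sh, both .spec files and the shorewall-lite scripts further down, so whichever value is chosen has to be applied to all of them together.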

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{
@ -438,6 +438,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
#
# Install the Notrack file
#
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall/configfiles/notrack
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall/notrack
echo "Notrack file installed as ${PREFIX}/etc/shorewall/notrack"
fi
#
# Install the Modules file
#
run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall/modules
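Review bot: the notrack file is installed only under /etc/shorewall, but the release notes in this commit say /etc/shorewall6/notrack was added as well; confirm the Shorewall6 installer gets a matching block (and that the uninstallers remove both), otherwise the documented file is missing on IPv6 systems. The 0644 copy under configfiles paired with a 0600 copy in /etc mirrors the masq block above, which is the right split for a file that can carry internal address lists.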

View File

@ -1,9 +1,17 @@
#
# Shorewall version 4 - 'isusable' sample script
#
# /etc/shorewall/isusable
#
# This script is a companion to the 'swping' script described at
# http://www.shorewall.net/MultiISP.html#swping.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
local status=0
case $1 in
$EXT_IF|$COM_IF)
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
;;
esac
return $status
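Review bot: `local status=0` and `return $status` only work because this script is sourced from inside a function of the generated firewall script; say so in the header comment, since running it on its own fails on `local`. Also, `case $1 in $EXT_IF|$COM_IF)` with both variables unset collapses to the pattern `|)`, which matches an empty $1, and whatever is read from /etc/shorewall/${1}.status is handed to `return` unchecked; a guard such as `[ -n "$EXT_IF" ]` plus a numeric test on the file contents (`case $status in *[!0-9]*) status=0;; esac`) keeps a corrupted status file from aborting the isusable check.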

View File

@ -462,7 +462,7 @@ show_command() {
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo
[ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
@ -471,6 +471,13 @@ show_command() {
show_reset
$IPTABLES -t nat -L $IPT_OPTIONS
;;
raw)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)"
echo
show_reset
$IPTABLES -t raw -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"

View File

@ -3,14 +3,10 @@
#
# /usr/share/shorewall/macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
# If you are running a more modern BitTorrent client, then you may need
# to tweak the open port range. This can be done by copying the below
# rules into /etc/shorewall and making the necessary edits there:
#
# Replace 6881:6889 with 6881:6899
# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
#
# If you are running BitTorrent 3.2 or later, you should use the
# BitTorrent32 macro.
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP

View File

@ -1,4 +1,4 @@
Shorewall 4.2.5
Shorewall 4.2.7
----------------------------------------------------------------------------
R E L E A S E 4 . 2 H I G H L I G H T S
@ -27,51 +27,9 @@ Shorewall 4.2.5
- Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support.
Problems corrected in 4.2.5
Problems corrected in 4.2.7
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generated invalid iptables-restore input.
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
3) If 'critical' was specified on an entry in
/etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
None.
Known Problems Remaiining:
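Review bot: the heading 'Known Problems Remaiining:' carried as context at the end of this hunk is misspelled; since this hunk already rewrites the section, fix it to 'Remaining' here rather than in a follow-up.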
@ -84,74 +42,106 @@ Known Problems Remaiining:
norfc1918
tcpflags
New Feature in Shorewall 4.2.5
New Features in Shorewall 4.2.7
1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similar to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).
1) Prior to Shorewall version 3.0.0, rules generated by
/etc/shorewall/tunnels were traversed before those generated by
/etc/shorewall/rules. When SECTIONs were added to the rules file in
3.0.0, traversal of the tunnel rules was deferred until after those
generated by the NEW section of the rules file.
The option can be used by itself or followed by =<number> (e.g,
fallback=2).
Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
where they started -- right before the first rule generated by the
NEW section of /etc/shorewall/rules.
When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.
2) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
When the option is used with a number, a balanced route is added
with the weight set to the specified number.
Columns in the file are:
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.
SOURCE - <zone>[:<interface>][:<address list>]
'fallback' is useful in situations where:
DEST - [<address list>]
- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider
PROTO - <protocol name or number>
- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to a
ordered list of providers.
DEST PORT(S) - <port number list>
In this case:
SOURCE PORT(S) - <port number list>
- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
USER/GROUP - [<user>][:<group>]
See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.
May only be specified if the SOURCE <zone> is $FW.
2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
If the patch-o-matic-ng version is installed:
Example:
a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
/etc/shorewall/tunnels:
If the xtables-addons version is installed:
#TYPE ZONE GATEWAY
6to4 net
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
/etc/shorewall/notrack
Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa).
#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset
Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created.
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
3) Shorewall-perl supports three additional columns in the
/etc/shorewall/routestopped file:
PROTO -- Protocol name or number
DEST PORT(S) -- comma-separated list of service names and/or port
numbers
SOURCE PORT(S) -- comma-separated list of service names and/or port
numbers.
These columns are only meaningful when the "-f" option to
'shorewall stop' is used.
As part of this change, the "-f" option to the 'stop' and 'clear'
commands is now the default when FAST_STOP=Yes in shorewall.conf.
To override this default, use the "-s" option:
shorewall stop -s
Note that if you have entries with one or more of the new columns,
the -s option will result in warning messages.
gateway:~ # shorewall stop -s
Stopping Shorewall...
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
WARNING: Unknown routestopped option ignored: notrack
WARNING: Unknown routestopped option ignored: 41
done.
gateway:~ #
4) Shorewall-perl now handles SOURCE PORT lists of more than 15
entries by breaking the containing rule into multiple rules.
Migration Issues.
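Review bot: the sample 'shorewall stop -s' output in item 3 warns about an unknown routestopped option 'notrack', but neither item 3 nor item 2 documents a notrack option for /etc/shorewall/routestopped; if the new columns come with such an option, add it to the column list, otherwise explain where that warning comes from. Item 2 would also benefit from one sentence saying why every packet must be covered by NEW-section rules: untracked packets carry no conntrack state, so nothing that relies on ESTABLISHED/RELATED will ever match them. The duplicated warning lines in the sample output suggest the shell-based stop parses each entry twice, which is worth a look as well.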
@ -1331,3 +1321,244 @@ Problems Corrected in 4.2.4
Other changes in 4.2.4
1) Support for IPv6 was added -- see above.
Problems corrected in 4.2.5
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generate invalid iptables-restore input.
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
3) If 'critical' was specified on an entry in
/etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear
script itself at run time rather than running the copy of the
file in the compiled script. This usually isn't noticable unless
you are running Shorewall Lite or Shorewall6 Lite in which case,
the script doesn't get run (since it is on the administrative
system and not the firewall system).
13) If your iptables/kernel included "Extended Connection Tracking
Match support" (see the output of "shorewall show capabilities"),
then a REDIRECT rule that specified a port list or range would
cause Shorewall-perl to create invalid iptables-restore input:
Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2-rc1: conntrack: Bad value for
"--ctorigdstport" option: "1025:65535"
Error occurred at line: 191
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
New Feature in Shorewall 4.2.5
1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similar to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).
The option can be used by itself or followed by =<number> (e.g,
fallback=2).
When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.
When the option is used with a number, a balanced route is added
with the weight set to the specified number.
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.
'fallback' is useful in situations where:
- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider
- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to a
ordered list of providers.
In this case:
- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.
2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
If the patch-o-matic-ng version is installed:
a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
If the xtables-addons version is installed:
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa).
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset
This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
4) There is also a macro.IRC which open's the Internet Relay Chat port
(6667/tcp).
Problems corrected in 4.2.6
1) The CONFIG_PATH in the two- and three-interface Shorewall6 sample
configurations was incorrect with the result that this error
occurred on 'shorewall6 check' or 'shorewall6 start'.
ERROR: No IP zones defined
2) Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
and Shorewall-perl to create invalid iptables commands. This has
been corrected but we still strongly recommend against that
setting; TCP_FLAGS_DISPOSITION=DROP is preferred.
3) Shorewall-perl was generating code that checked for state match
before kernel modules were loaded. This caused start/restart to
fail on systems without kernel module loading.
4) The Shorewall6 and Shorewall6-lite Makefiles were incorrect.
5) If a service name is used in a port-mapping rule (a DNAT or
REDIRECT rule that changes the destination port), and if the
kernel and iptables include Extended Connection Match support, then
invalid iptables-restore input is produced by Shorewall-perl.
6) If iptables 1.4.1 or later was installed, Shorewall-perl generated
incorrect iptables-restore input if exclusion was used in the
ORIGINAL DEST field of a DNAT or REDIRECT rule.
7) On kernels earlier than 2.6.20, the 'shorewall show connections'
command fails.
New Features in Shorewall 4.2.6
1) A BitTorrent32 macro has been added. This macro matches the
extended TCP port range used by BitTorrent 3.2 and later.
2) A new COUNT action has been added to Shorewall-perl. This action
creates an iptables (ip6tables) rule with no target. Connections
matching such a rule are simply counted and the packet is passed on
to the next rule.
Shorewall-shell ignores COUNT in actions and macros, thus allowing
the standard actions (action.Drop and action.Reject) to have a
COUNT rule as their first entry.
3) A new RESTORE_DEFAULT_ROUTE option has been added to
shorewall.conf. It is used to determine whether to restore the
default route saved when there are 'balance' providers defined but
all of them are down.
The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.
RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance
providers available. In that case, RESTORE_DEFAULT_ROUTE=No
will cause any default route in the relevant table to be deleted.
4) IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
database when trying to detect the gateway for an interface
("detect" in the GATEAWAY column in /etc/shorewall/interfaces).
As part of this change, it is now permitted to specify 'detect'
when USE_DEFAULT_RT=Yes; in that case, the script will only detect
gateways for point-to-point devices and for devices configured by
dhcpcd.
5) Shorewall-perl now supports port inversion. A port number or list
of port numbers may be preceded by '!" which will cause the rule to
match all ports EXCEPT those listed:
Example: To blacklist 206.124.146.176 for all tcp ports except 80:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 tcp !80
6) Shorewall-perl now supports protocol inversion. A protocol name or
number may be preceded by '!' to specify all protocols except the
one following '!'.
Example: To blacklist 206.124.146.176 for all protocols except
UDP:
ADDRESS/SUBNET PROTO PORT(S)
206.124.146.177 !udp
Note that ports may not be specified when protocol inversion
is used.
7) When using Shorewall-perl, neither the 'start' nor 'started'
extension script is run during processing of the 'restore'
command. To allow extension of that command, we have added a
'restored' extension script that runs at the successful completion
of 'restore'. This script is only available with Shorewall-perl.
With Shorewall-shell, both scripts are run during 'restore' but in
that case, the run_iptables() function does nothing. So any
run_iptables() calls in the 'start' script are effectively ignored.
8) Shorewall-perl now correctly handles 'here documents' quoting
(<<EOF .... EOF) in run-time extension scripts.
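Review bot: items 5 and 6 of 'New Features in Shorewall 4.2.6' say 'To blacklist 206.124.146.176' but the example rows use 206.124.146.177; make the address match in both places. Item 4 refers to the GATEAWAY column of /etc/shorewall/interfaces, while problem 10 in the 4.2.5 list puts 'detect' in the GATEWAY column of /etc/shorewall/providers; fix the spelling and confirm which file is meant. Other typos in the added text: 'shorweall6', 'it's configuration' (its), 'noticable', 'to a ordered', 'open's', the mismatched quotes in '!"', and the unclosed quote in '"edk,gnu,dc,kazaa)'.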

View File

@ -4,7 +4,7 @@
# /etc/shorewall/restored
#
# Add commands below that you want to be executed after shorewall has
# been completed a 'restore' command.
# completed a 'restore' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -10,5 +10,6 @@
# information.
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE
# PORT(S) PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -216,9 +216,6 @@ get_config() {
No|NO|no)
TC_ENABLED=
;;
RTC)
NORTC=Yes
;;
esac
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
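Review bot: the context line `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` tests the literal string LOGFORMAT rather than `$LOGFORMAT`, so the test is always true; since this hunk already touches get_config, change it to `[ -n "$LOGFORMAT" ]`. It is harmless today because the substitution on an empty value yields an empty string, but it hides the intent.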
@ -299,6 +296,20 @@ get_config() {
fi
;;
esac
case $FAST_STOP in
Yes|yes)
;;
No|no)
FAST_STOP=
;;
*)
if [ -n "$FAST_STOP" ]; then
echo " ERROR: Invalid FAST_STOP setting ($FAST_STOP)" >&2
exit 2
fi
;;
esac
}
#
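Review bot: the new FAST_STOP case accepts only `Yes|yes` and `No|no`, whereas the TC_ENABLED case a few lines up accepts `No|NO|no`; a user who writes FAST_STOP=YES gets 'ERROR: Invalid FAST_STOP setting' and exit 2. Either accept the upper-case forms here too or normalise the setting once before these case statements.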
@ -483,16 +494,6 @@ start_command() {
DEBUG=Yes
option=${option#d}
;;
n*)
NORTC=Yes
RTCONLY=
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
f*)
FAST=Yes
option=${option#f}
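Review bot: the `n*` and `r*` option cases are removed from start_command, yet the usage text later in this file still advertises `start [ -f ] [ -n ] [ -p ]`; the removed `n*` block here only set NORTC/RTCONLY (unlike the restart, safe and try variants, which also set `NOROUTES=Yes`), so after this change `shorewall start -n` has no handler unless one exists elsewhere. Either drop `-n` from the start usage line or add a `n*` case that sets NOROUTES like the other commands.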
@ -537,8 +538,7 @@ start_command() {
;;
esac
export NORTC
export RTCONLY
export NOROUTES
export PURGE
if [ -n "$FAST" ]; then
@ -780,15 +780,9 @@ restart_command() {
option=${option#f}
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2
@ -838,8 +832,7 @@ restart_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC
export RTCONLY
export NOROUTES
export PURGE
if [ -z "$FAST" ]; then
@ -917,8 +910,7 @@ refresh_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC
export RTCONLY
export NOROUTES
progress_message3 "Compiling..."
@ -961,15 +953,9 @@ safe_commands() {
option=
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2
@ -1116,15 +1102,9 @@ try_command() {
option=
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
C)
[ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
SHOREWALL_COMPILER=$2
@ -1485,7 +1465,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ -p ] [ -f ] [ -C {shell|perl} ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ <directory> ]"
echo " stop [ -f ]"
echo " status"
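Review bot: the `show` usage line gains `raw` in the target list but still restricts `-t` to `{filter|mangle|nat}`, while the release notes describe `show raw` as an alias for `show -t raw`; add raw to the `-t` alternatives (and check the man page) so the documented form is accepted.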
@ -1519,8 +1499,7 @@ IPT_OPTIONS="-nv"
FAST=
VERBOSE_OFFSET=0
USE_VERBOSITY=
NORTC=
RTC=
NOROUTES=
PURGE=
EXPORT=
export TIMESTAMP=
@ -1597,15 +1576,9 @@ while [ $finished -eq 0 ]; do
esac
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
t*)
TIMESTAMP=Yes
option=${option#t}
@ -1758,23 +1731,28 @@ case "$COMMAND" in
start_command $@
;;
stop|clear)
if [ "x$2" = x-f ]; then
get_config
if [ "x$2" = x-s ]; then
shift
else
if [ "x$2" = x-f -o "$FAST_STOP" ]; then
[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
shift;
if [ "x$2" = x-f ]; then
shift
fi
fi
fi
[ $# -ne 1 ] && usage 1
get_config
export NORTC
export RTCONLY
export NOROUTES
mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
mutex_off
;;
reset)
get_config
export NORTC
export RTCONLY
export NOROUTES
shift
mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@
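Review bot: `[ "x$2" = x-f -o "$FAST_STOP" ]` relies on the deprecated binary `-o` and on an implicit `-n`; write it as `[ "x$2" = x-f ] || [ -n "$FAST_STOP" ]` to avoid the usual `test` ambiguity if FAST_STOP ever holds something that looks like an operator, and drop the stray `;` after `shift`. Moving get_config ahead of the option parsing is what makes FAST_STOP visible here, but with FAST_STOP=Yes the stop path now silently switches to ${VARDIR}/.restore; a progress message naming the script being run would make an unexpected fast stop diagnosable from the log.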

View File

@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -177,8 +177,6 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Thu Feb 05 2009 Tom Eastep tom@shorewall.net
- Add 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net

View File

@ -186,6 +186,10 @@ MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
FAST_STOP=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################

View File

@ -21,6 +21,8 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# For information about this script, see http://www.shorewall.net/MultiISP.html#swping.
#
###########################################################################################
#
# IP Family == 4 or 6

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -1 +1 @@
This is the Shorewall-lite Development 4.1 branch of SVN.
This is the Shorewall-lite stable 4.2 branch of SVN.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,8 +98,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
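Review bot: the shorewall-lite %changelog ends up with two consecutive '- Updated to 4.2.6-0base' entries (Feb 04 and Jan 29) and still carries the Feb 06 '- Updated to 4.3.6-0base' entry above them although %define version is now 4.2.6; drop the 4.3.6 entry and collapse the duplicate so the package history does not read as a downgrade.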

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -1,2 +1,2 @@
This is the Shorewall-perl development 4.3 branch of SVN.
This is the Shorewall-perl stable 4.2 branch of SVN.

View File

@ -201,17 +201,17 @@ sub setup_accounting() {
if ( have_bridges ) {
if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting';
insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
}
}
if ( $filter_table->{accountout} ) {
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
}
} else {
if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting';
insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
}
}
}
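Review bot: switching from `insert_rule ... 1` to `insert_rule1 ... 0` changes the position argument from 1-based to 0-based; the rename in Chains.pm below only shows the signature change, so grep for every other `insert_rule` caller (extension scripts included) and either update them or keep a 1-based `insert_rule` wrapper exported alongside `insert_rule1`.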

View File

@ -44,6 +44,7 @@ our @EXPORT = qw(
log_rule_limit
%chain_table
$raw_table
$nat_table
$mangle_table
$filter_table
@ -71,6 +72,8 @@ our %EXPORT_TAGS = (
add_command
add_commands
move_rules
insert_rule1
add_tunnel_rule
process_comment
no_comment
macro_comment
@ -94,11 +97,13 @@ our %EXPORT_TAGS = (
dnat_chain
snat_chain
ecn_chain
notrack_chain
first_chains
ensure_chain
ensure_accounting_chain
ensure_mangle_chain
ensure_nat_chain
ensure_raw_chain
new_standard_chain
new_builtin_chain
new_nat_chain
@ -135,6 +140,7 @@ our %EXPORT_TAGS = (
match_ipsec_out
log_rule
expand_rule
addrawjump
addnatjump
get_interface_address
get_interface_addresses
@ -175,6 +181,7 @@ our $VERSION = 4.2.4;
# synchain => <name of synparam chain>
# default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands>
# new => undef|<index into @$rules where NEW section starts>
# rules => [ <rule1>
# <rule2>
# ...
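Review bot: the new `new => undef|<index into @$rules where NEW section starts>` field is what allows tunnel rules to be placed ahead of the NEW section, so it deserves a note on what keeps the index valid when rules are later inserted or moved. The surrounding context still reads `our $VERSION = 4.2.4;` although this is the 4.2.7 release; bump the module version in this commit.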
@ -192,6 +199,7 @@ our $VERSION = 4.2.4;
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
#
our %chain_table;
our $raw_table;
our $nat_table;
our $mangle_table;
our $filter_table;
@ -290,6 +298,7 @@ sub initialize( $ ) {
nat => {},
filter => {} );
$raw_table = $chain_table{raw};
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter};
@ -428,32 +437,12 @@ sub push_rule( $$ ) {
}
#
# Add a rule to a chain. Arguments are:
# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
# to work within the 15-element limit imposed by iptables/Netfilter.
#
# Chain reference , Rule [, Expand-long-dest-port-lists ]
#
sub add_rule($$;$)
{
my ($chainref, $rule, $expandports) = @_;
fatal_error 'Internal Error in add_rule()' if reftype $rule;
$iprangematch = 0;
#
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
# processing driving the rest of rule generation.
#
# By post-processing each rule generated by expand_rule(), we avoid all of that
# messiness and replace it with the following localized messiness.
#
# Because source ports are seldom specified and source port lists are rarer still,
# we only worry about the destination ports.
#
if ( $expandports && $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
#
# Rule has a --dports specification
#
my ($first, $ports, $rest) = ( $1, $2, $3 );
sub handle_sport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
@ -488,6 +477,92 @@ sub add_rule($$;$)
} else {
push_rule ( $chainref, $rule );
}
}
#
# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
# to work within the 15-element limit imposed by iptables/Netfilter.
#
sub handle_dport_list( $$$$$ ) {
my ($chainref, $rule, $first, $ports, $rest) = @_;
if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {
#
# More than 15 ports specified
#
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
chop $newports;
last;
} else {
$newports .= $port;
}
} else {
$newports .= "${port}${separator}";
}
}
my $newrule = join( '', $first, $newports, $rest );
if ( $newrule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_sport_list( $chainref, $newrule, $1, $2, $3 );
} else {
push_rule ( $chainref, $newrule );
}
}
} elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
handle_sport_list( $chainref, $rule, $1, $2, $3 );
} else {
push_rule ( $chainref, $rule );
}
}
#
# Add a rule to a chain. Arguments are:
#
# Chain reference , Rule [, Expand-long-dest-port-lists ]
#
sub add_rule($$;$)
{
my ($chainref, $rule, $expandports) = @_;
fatal_error 'Internal Error in add_rule()' if reftype $rule;
$iprangematch = 0;
#
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
# processing driving the rest of rule generation.
#
# By post-processing each rule generated by expand_rule(), we avoid all of that
# messiness and replace it with the following localized messiness.
if ( $expandports ) {
if ( $rule =~ /^(.* --dports\s+)([^ ]+)(.*)$/ ) {
#
# Rule has a --dports specification
#
handle_dport_list( $chainref, $rule, $1, $2, $3 )
} elsif ( $rule =~ /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
#
# Rule has a --sports specification
#
handle_sport_list( $chainref, $rule, $1, $2, $3 )
} else {
push_rule ( $chainref, $rule );
}
} else {
push_rule( $chainref, $rule );
}
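Review bot: handle_dport_list re-implements, line for line, the chunking loop that handle_sport_list inherited from the old add_rule body; the only difference is the trailing `--sports` re-check after `my $newrule = join( '', $first, $newports, $rest );`. A helper that takes the port string and returns the list of at-most-15-element chunks would leave both callers at a few lines each and give the range-boundary case (`unshift @ports, $port, ':'` followed by `chop $newports`) a single home. A comment at `if ( ( $ports =~ tr/:,/:,/ ) > 14 )` noting that a `lo:hi` range is counted as two elements, as multiport does, would also help the next reader.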
@ -533,7 +608,7 @@ sub add_jump( $$$;$ ) {
#
# Chain reference , Rule Number, Rule
#
sub insert_rule($$$)
sub insert_rule1($$$)
{
my ($chainref, $number, $rule) = @_;
@ -541,13 +616,29 @@ sub insert_rule($$$)
$rule .= "-m comment --comment \"$comment\"" if $comment;
splice( @{$chainref->{rules}}, $number - 1, 0, join( ' ', '-A', $rule ) );
splice( @{$chainref->{rules}}, $number, 0, join( ' ', '-A', $rule ) );
$iprangematch = 0;
$chainref->{referenced} = 1;
}
sub insert_rule($$$) {
my ($chainref, $number, $rule) = @_;
insert_rule1( $chainref, $number - 1, $rule );
}
#
# Insert a tunnel rule into the passed chain. Tunnel rules are inserted sequentially
# at the beginning of the 'NEW' section.
#
sub add_tunnel_rule( $$ ) {
my ( $chainref, $rule ) = @_;
insert_rule1( $chainref, $chainref->{new}++, $rule );
}
#
# Move the rules from one chain to another
#
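Review bot: insert_rule1 at index 0 (the `insert_rule1 $chainref, 0, ...` call sites in set_mss1 and log_rule_limit further down) shifts every existing rule down by one but does not adjust `$chainref->{new}`, so once finish_chain_section has recorded `{new}` a subsequent add_tunnel_rule (`insert_rule1( $chainref, $chainref->{new}++, $rule )`) lands one slot before the NEW-section boundary. Either bump `{new}` inside insert_rule1 whenever it is defined and `$number <= $chainref->{new}`, or document that index-0 inserts must precede finish_chain_section. Also `$chainref->{new}++` on an undefined `{new}` silently inserts at index 0; an explicit initialisation with a comment would make that intentional.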
@ -756,6 +847,14 @@ sub dnat_chain( $ )
$_[0] . '_dnat';
}
#
# Notrack Chain from a zone
#
sub notrack_chain( $ )
{
$_[0] . '_notrk';
}
#
# SNAT Chain to an interface
#
@ -881,6 +980,16 @@ sub ensure_nat_chain($) {
$chainref;
}
sub ensure_raw_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'raw', $chain;
$chainref->{referenced} = 1;
$chainref;
}
#
# Add a builtin chain
#
@ -1060,6 +1169,9 @@ sub finish_chain_section ($$) {
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
$chainref->{new} = @{$chainref->{rules}};
}
$comment = $savecomment;
@ -1092,7 +1204,7 @@ sub set_mss1( $$ ) {
if ( $chainref->{policy} ne 'NONE' ) {
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
}
}
@ -1817,7 +1929,7 @@ sub log_rule_limit( $$$$$$$$ ) {
if ( $command eq 'add' ) {
add_rule ( $chainref, $predicates . $prefix , 1 );
} else {
insert_rule ( $chainref , 1 , $predicates . $prefix );
insert_rule1 ( $chainref , 0 , $predicates . $prefix );
}
}
@ -1935,7 +2047,7 @@ sub get_interface_gateway ( $ ) {
my $variable = interface_gateway( $interface );
my $routine = $config{USE_DEFAULT_RT} ? 'detect_gateway' : 'detect_dynamic_gateway';
my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';
if ( interface_is_optional $interface ) {
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
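Review bot: the ternary at `my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';` inverts the previous selection with nothing in the hunk saying why. A one-line comment stating why USE_DEFAULT_RT calls for detect_dynamic_gateway rather than detect_gateway would keep a later reader from "fixing" it back.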
@ -2457,6 +2569,18 @@ sub expand_rule( $$$$$$$$$$$ )
#
# If the destination chain exists, then at the end of the source chain add a jump to the destination.
#
sub addrawjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my $destref = $raw_table->{$dest} || {};
if ( $destref->{referenced} ) {
add_rule $raw_table->{$source} , $predicates . "-j $dest";
} else {
clearrule;
}
}
sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;

View File

@ -38,11 +38,12 @@ use Shorewall::Rules;
use Shorewall::Proc;
use Shorewall::Proxyarp;
use Shorewall::IPAddrs;
use Shorewall::Raw;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
our $VERSION = 4.2.4;
our $VERSION = 4.2.6;
our $export;
@ -52,6 +53,10 @@ our $reused = 0;
our $family = F_IPV4;
our $rtc;
use constant { NORTC => 1, RTCONLY => 2 };
#
# Reinitilize the package-globals in the other modules
#
@ -284,7 +289,6 @@ EOF
;;
esac
if [ -z "$RTCONLY" ]; then
if [ "$RESTOREFILE" = NONE ]; then
COMMAND=clear
clear_firewall
@ -324,7 +328,6 @@ EOF
exit 2
fi
fi
fi
;;
esac
@ -333,18 +336,7 @@ EOF
STOPPING="Yes"
TERMINATOR=
EOF
emit ' if [ -n "$RTCONLY" ]; then';
push_indent;
emit( ' delete_tc1' ) if $config{CLEAR_TC};
emit( ' undo_routing',
' restore_default_route'
);
pop_indent;
emit <<'EOF';
else
deletechain shorewall
run_stop_exit
@ -394,7 +386,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
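Review bot: the runtime guard variable changes from `$NORTC` to `$NOROUTES` here and in the two emitted guards later in the diff (`ip -4 route flush cache` in setup_route_filtering and `run_ip route replace` in setup_one_proxy_arp), but nothing in this diff sets NOROUTES. If the shell side that exports it lives in a file outside this change, it needs to land in the same commit; otherwise the variable is always empty and these guards never fire.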
@ -404,7 +396,6 @@ EOF
EOF
}
push_indent;
push_indent;
emit 'delete_tc1' if $config{CLEAR_TC};
@ -428,7 +419,7 @@ EOF
);
for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /\|/, $hosts );
my ( $interface, $host, $seq ) = ( split /\|/, $hosts );
my $source = match_source_net $host;
my $dest = match_dest_net $host;
@ -454,7 +445,7 @@ EOF
);
for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /:/, $hosts );
my ( $interface, $host , $seq ) = ( split /|/, $hosts );
my $source = match_source_net $host;
my $dest = match_dest_net $host;
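Review bot: `split /|/` in `my ( $interface, $host , $seq ) = ( split /|/, $hosts );` is an empty alternation that matches between every character, so $interface receives the first character of the entry and $host the second. It should be `split /\|/` as in the sibling loop in the previous hunk, matching the `"$interface|$host|$seq"` entries that process_criticalhosts now builds.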
@ -558,14 +549,12 @@ EOF
}
}
emit( '',
'run_stopped_exit' ,
'set_state "Stopped"' );
emit 'run_stopped_exit';
pop_indent;
pop_indent;
emit ' fi
emit '
set_state "Stopped"
logger -p kern.info "$PRODUCT Stopped"
@ -586,63 +575,76 @@ EOF
}
#
# Second Phase of Script Generation
# Compile stop_rtc()
#
# copies the 'prog.functions' file into the script and generates
# the first part of 'setup_common_rules()'
#
# The bulk of that function is produced by the various config file
# parsing routines that are called directly out of 'compiler()'.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the object file.
#
sub generate_script_2 () {
sub compile_stop_rtc() {
unless ( $test ) {
if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.functions';
} else {
copy $globals{SHAREDIRPL} . 'prog.functions6';
}
}
emit <<'EOF';
#
# Stop/restore RTC after an error or because of a 'stop' or 'clear' command
#
stop_rtc() {
emit( "\n#",
'# Setup Common Rules (/proc)',
'#',
'setup_common_rules() {'
);
case $COMMAND in
stop|clear|restore)
;;
*)
set +x
case $COMMAND in
start)
logger -p kern.err "ERROR:$PRODUCT start failed"
;;
restart)
logger -p kern.err "ERROR:$PRODUCT restart failed"
;;
restore)
logger -p kern.err "ERROR:$PRODUCT restore failed"
;;
esac
;;
esac
STOPPING="Yes"
TERMINATOR=
run_stop_exit
EOF
push_indent;
}
emit 'delete_tc1';
#
# Third step of script generation
#
# - End the setup_common() function
# - Start setup_routing_and_traffic_shaping()
#
sub generate_script_3 () {
emit( 'undo_routing',
'restore_default_route'
);
emit 'run_stopped_exit';
pop_indent;
emit '}';
emit '
logger -p kern.info "$PRODUCT Stopped"
emit( "\n#",
'# Setup routing and traffic shaping',
'#',
'setup_routing_and_traffic_shaping() {'
);
push_indent;
case $COMMAND in
stop|clear)
;;
*)
#
# RTC is being stopped when we were trying to do something
# else. Kill the shell in case we\'re running in a subshell
#
kill $$
;;
esac
}
';
}
#
# Fourth (final) stage of script generation.
# Final stage of script generation.
#
# Generate the end of 'setup_routing_and_traffic_shaping()':
# Generate code for loading the various files in /var/lib/shorewall[-lite]
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
#
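Review bot: in the emitted stop_rtc() the inner `restore)` arm (`logger -p kern.err "ERROR:$PRODUCT restore failed"`) is unreachable because the outer `case $COMMAND in stop|clear|restore)` already swallows restore, while the second case at the end (`stop|clear) ;; *) ... kill $$`) does not list restore, so a failed restore logs nothing but does kill the shell. Decide which list is right and use it in both places. Also `emit 'delete_tc1';` here is unconditional whereas every other delete_tc1 in this diff is gated on `$config{CLEAR_TC}`; if that is deliberate for the RTC-only script, a comment saying so would help.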
@ -652,12 +654,9 @@ sub generate_script_3 () {
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the object file.
#
sub generate_script_4($) {
pop_indent;
emit "}\n";
sub generate_script_2($) {
unless ( $rtc == RTCONLY ) {
if ( $family == F_IPV4 ) {
progress_message2 "Creating iptables-restore input...";
} else {
@ -666,9 +665,16 @@ sub generate_script_4($) {
create_netfilter_load( $test );
create_chainlist_reload( $_[0] );
}
emit "#\n# Start/Restart the Firewall\n#";
if ( $rtc == RTCONLY ) {
emit 'define_rtc() {';
} else {
emit 'define_firewall() {';
}
push_indent;
save_progress_message 'Initializing...';
@ -692,13 +698,7 @@ sub generate_script_4($) {
emit 'load_kernel_modules Yes';
}
emit ( '',
'if [ -n "$RTCONLY" ]; then' ,
' delete_tc1' ,
'else' );
push_indent;
unless ( $rtc == RTCONLY ) {
if ( $family == F_IPV4 ) {
emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
@ -762,25 +762,21 @@ sub generate_script_4($) {
);
}
}
emit qq([ -n "\$NORTC" ] && delete_tc1\n) if $config{CLEAR_TC};
pop_indent;
emit 'fi';
unless ( $rtc == NORTC ) {
emit qq(delete_tc1\n) if $config{CLEAR_TC};
}
set_global_variables;
emit '';
emit( '[ -n "$RTCONLY" ] || setup_common_rules',
'',
'[ -n "$NORTC" ] || setup_routing_and_traffic_shaping',
'',
'if [ -z "$RTCONLY" ]; then' );
emit( 'setup_common_rules', '' ) unless $rtc == RTCONLY;
push_indent;
emit( 'setup_routing_and_traffic_shaping', '' ) unless $rtc == NORTC;
unless ( $rtc == RTCONLY ) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
emit_unindented '__EOF__';
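Review bot: the old `if [ -z "$RTCONLY" ]; then` shell block was bracketed in Perl by `push_indent;` / `pop_indent;`; now that the conditional has moved to compile time (`unless ( $rtc == RTCONLY ) {`), check that the `push_indent;` between the two `emit( 'setup_...' )` lines and its matching `pop_indent;` before `emit 'fi';` in the next hunk were removed together. The rendered diff carries no +/- markers, and an orphaned push_indent would indent the remainder of define_firewall().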
@ -848,14 +844,12 @@ EOF
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
fi
date > ${VARDIR}/restarted
EOF
pop_indent;
}
emit 'fi';
emit<<'EOF';
date > ${VARDIR}/restarted
case $COMMAND in
start)
@ -898,6 +892,7 @@ sub compiler {
$export = 0;
$test = 0;
$rtc = 1;
sub edit_boolean( $ ) {
my $val = numeric_value( shift );
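Review bot: `$rtc = 1;` at the top of compiler() is NORTC, so a caller that omits the rtc parameter gets a script whose define_firewall() never calls setup_routing_and_traffic_shaping() (both emission sites are guarded by `unless $rtc == NORTC`). If the intended default is the "both" case (the 0 that edit_rtc accepts), initialise with 0; either way, use the constant name rather than a bare literal.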
@ -914,6 +909,11 @@ sub compiler {
defined($val) && ($val == F_IPV4 || $val == F_IPV6);
}
sub edit_rtc( $ ) {
my $val = numberic_value( shift );
defined($val) && ($val == 0 || $val == NORTC || $val == RTCONLY);
}
my %parms = ( object => { store => \$objectfile },
directory => { store => \$directory },
family => { store => \$family , edit => \&edit_family } ,
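Review bot: `numberic_value` in edit_rtc is a typo for `numeric_value` (edit_boolean just above uses the right name); because the sub is only resolved when called, every compile that passes an `rtc` parameter dies with "Undefined subroutine". Also the accepted set `$val == 0 || $val == NORTC || $val == RTCONLY` makes 0 the "both" case; a third named constant would read better than a bare 0 in the conditions that follow.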
@ -925,8 +925,11 @@ sub compiler {
log => { store => \$log },
log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } ,
test => { store => \$test },
rtc => { store => \$rtc , edit => \&edit_rtc } ,
);
#
# P A R A M E T E R P R O C E S S I N G
#
while ( defined ( my $name = shift ) ) {
fatal_error "Unknown parameter ($name)" unless my $ref = $parms{$name};
fatal_error "Undefined value supplied for parameter $name" unless defined ( my $val = shift ) ;
@ -949,7 +952,7 @@ sub compiler {
set_timestamp( $timestamp );
set_debug( $debug );
#
# Get shorewall.conf and capabilities.
# S H O R E W A L L . C O N F A N D C A P A B I L I T I E S
#
get_configuration( $export );
@ -967,7 +970,6 @@ sub compiler {
unless ( $command eq 'check' ) {
create_temp_object( $objectfile , $export );
generate_script_1;
}
#
@ -975,8 +977,10 @@ sub compiler {
#
run_user_exit1 'compile';
#
# Process the zones file.
# Z O N E D E F I N I T I O N
# (Produces no output to the compiled script)
#
unless ( $rtc == RTCONLY ) {
determine_zones;
#
# Process the interfaces file.
@ -995,17 +999,59 @@ sub compiler {
#
process_actions1;
#
# Process the Policy File.
# P O L I C Y
# (Produces no output to the compiled script)
#
validate_policy;
}
#
# Compile the 'stop_firewall()' function
# I N I T I A L I Z E
# (Writes the initialize() function to the compiled script)
#
unless ( $command eq 'check' ) {
enable_object;
generate_script_1;
disable_object;
}
#
# S T O P _ F I R E W A L L
# (Writes the stop_firewall() function to the compiled script)
#
unless ( $command eq 'check' ) {
enable_object;
if ( $rtc == RTCONLY ) {
compile_stop_rtc;
} else {
compile_stop_firewall;
}
disable_object;
}
#
# Start Second Part of script -- Begin setup_common_rules() {
# C O M M O N _ R U L E S
# (Writes the setup_common_rules() function to the compiled script)
#
generate_script_2 unless $command eq 'check';
if ( $rtc != RTCONLY ) {
enable_object;
unless ( $command eq 'check' ) {
unless ( $test ) {
if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.functions';
} else {
copy $globals{SHAREDIRPL} . 'prog.functions6';
}
}
emit( "\n#",
'# Setup Common Rules (/proc)',
'#',
'setup_common_rules() {'
);
push_indent;
}
#
# Do all of the zone-independent stuff
#
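Review bot: the prog.functions / prog.functions6 copy in the C O M M O N _ R U L E S block duplicates the same six lines at the top of compile_stop_rtc; since exactly one of the two paths runs (RTCONLY or not), hoist the copy to a single spot before the stop function is compiled. The `enable_object; ... disable_object;` bracketing is now repeated for every section; a small wrapper taking a code ref would cut the risk of a section being left in the wrong state, which matters more now that emit fatal_errors when `$object_enabled` is off, in check mode too.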
@ -1028,17 +1074,51 @@ sub compiler {
# Handle MSS setings in the zones file
#
setup_zone_mss;
unless ( $command eq 'check' ) {
pop_indent;
emit '}';
}
disable_object;
}
#
# Finish setup_common_rules() and start setup_routing_and_traffic_shaping() {
# R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
# (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
#
generate_script_3;
unless ( $rtc == NORTC ) {
enable_object;
unless ( $command eq 'check' ) {
emit( "\n#",
'# Setup routing and traffic shaping',
'#',
'setup_routing_and_traffic_shaping() {'
);
push_indent;
}
#
# [Re-]establish Routing
#
setup_providers;
#
# TOS
# TCRules and Traffic Shaping
#
setup_tc;
unless ( $command eq 'check' ) {
pop_indent;
emit "}\n";
}
disable_object;
}
#
# N E T F I L T E R
# (Produces no output to the compiled script)
#
unless ( $rtc == RTCONLY ) {
process_tos;
if ( $family == F_IPV4 ) {
@ -1077,10 +1157,8 @@ sub compiler {
# Apply Policies
#
apply_policy_rules;
#
# TCRules and Traffic Shaping
#
setup_tc;
if ( $family == F_IPV4 ) {
#
# Setup Nat
#
@ -1089,6 +1167,7 @@ sub compiler {
# Setup NETMAP
#
setup_netmap;
}
#
# Accounting.
#
@ -1098,6 +1177,7 @@ sub compiler {
# a compile of the script won't blow up during that step.
#
generate_matrix;
}
if ( $command eq 'check' ) {
if ( $family == F_IPV4 ) {
@ -1109,7 +1189,8 @@ sub compiler {
#
# Finish the script.
#
generate_script_4( $chains );
enable_object;
generate_script_2( $chains );
finalize_object ( $export );
#
# And generate the auxilary config file

View File

@ -54,6 +54,8 @@ our @EXPORT = qw(
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
disable_object
enable_object
finalize_object
numeric_value
numeric_value1
@ -80,6 +82,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
set_debug
find_file
split_list
split_list1
split_line
split_line1
first_entry
@ -142,6 +145,8 @@ our $timestamp;
# Object file handle
#
our $object;
our $object_enabled;
#
# True, if last line emitted is blank
#
@ -293,6 +298,7 @@ sub initialize( $ ) {
$log_verbose = -1; # Verbosity of log.
$timestamp = ''; # If true, we are to timestamp each progress message
$object = 0; # Object (script) file Handle Reference
$object_enabled = 0; # Write to object file is disabled.
$lastlineblank = 0; # Avoid extra blank lines in the output
$indent1 = ''; # Current indentation
$indent2 = ''; # Current indentation
@ -310,7 +316,8 @@ sub initialize( $ ) {
LOGPARMS => '',
TC_SCRIPT => '',
EXPORT => 0,
VERSION => "4.3.6",
UNTRACKED => 0,
VERSION => "4.2.6",
CAPVERSION => 40205 ,
);
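Review bot: `VERSION => "4.2.6"` with `CAPVERSION => 40205` sits beside per-module `$VERSION` values that are mixed in this diff (Chains.pm context still reads `our $VERSION = 4.2.4;`, Compiler.pm moves to 4.2.6); pick one bump. Separately, `UNTRACKED => 0` is introduced here and consulted throughout Rules.pm, but nothing in this diff ever sets it to 1; if Shorewall::Raw does, a comment at the declaration naming the setter would help.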
@ -416,6 +423,7 @@ sub initialize( $ ) {
NULL_ROUTE_RFC1918 => undef ,
USE_DEFAULT_RT => undef ,
RESTORE_DEFAULT_ROUTE => undef ,
FAST_STOP => undef ,
#
# Packet Disposition
#
@ -738,6 +746,8 @@ sub in_hex8( $ ) {
# Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
#
sub emit {
fatal_error 'Internal Error in emit' unless $object_enabled;
if ( $object ) {
#
# 'compile' as opposed to 'check'
@ -762,6 +772,7 @@ sub emit {
# Write passed message to the object with newline but no indentation.
#
sub emit_unindented( $ ) {
fatal_error 'Internal Error in emit_unindented' unless $object_enabled;
print $object "$_[0]\n" if $object;
}
@ -840,15 +851,18 @@ sub timestamp() {
sub progress_message {
my $havelocaltime = 0;
if ( $verbose > 1 || $log_verbose > 1 ) {
my $line = "@_";
my $leading = $line =~ /^(\s+)/ ? $1 : '';
$line =~ s/\s+/ /g;
if ( $verbose > 1 ) {
timestamp, $havelocaltime = 1 if $timestamp;
#
# We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
# The following makes such messages look more readable and uniform
#
my $line = "@_";
$line =~ s/\s+/ /g;
print "$line\n";
print "${leading}${line}\n";
}
if ( $log_verbose > 1 ) {
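Review bot: the leading-whitespace preservation in progress_message is off by one: `$leading` captures the run of leading blanks, then `$line =~ s/\s+/ /g;` collapses that same run to a single space, so `"${leading}${line}"` prints the original indentation plus one extra space (on both the console and `$log` paths). Strip the leading run before collapsing (`$line =~ s/^\s+//;`) or collapse only interior whitespace.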
@ -857,9 +871,8 @@ sub progress_message {
@localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
my $line = "@_";
$line =~ s/\s+/ /g;
print $log "$line\n";
print $log "${leading}${line}\n";
}
}
}
@ -951,6 +964,8 @@ sub pop_indent() {
# Functions for copying files into the object
#
sub copy( $ ) {
fatal_error 'Internal Error in copy' unless $object_enabled;
if ( $object ) {
my $file = $_[0];
@ -981,6 +996,8 @@ sub copy( $ ) {
# This one handles line continuation and 'here documents'
sub copy1( $ ) {
fatal_error 'Internal Error in copy1' unless $object_enabled;
if ( $object ) {
my $file = $_[0];
@ -1058,6 +1075,20 @@ sub create_temp_object( $$ ) {
}
#
# Enable writing to object
#
sub enable_object() {
$object_enabled = 1;
}
#
# Disable writing to object
#
sub disable_object() {
$object_enabled = 0;
}
#
# Finalize the object file
#
@ -1132,6 +1163,33 @@ sub split_list( $$ ) {
split /,/, $list;
}
sub split_list1( $$ ) {
my ($list, $type ) = @_;
fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
my @list1 = split /,/, $list;
my @list2;
my $element = '';
for ( @list1 ) {
if ( /\(/ ) {
fatal_error "Invalid $type list ($list)" if $element;
$element = $_;
} elsif ( /\)$/ ) {
fatal_error "Invalid $type list ($list)" unless $element;
push @list2, join ',', $element, $_;
$element = '';
} elsif ( $element ) {
$element = join ',', $element , $_;
} else {
push @list2 , $_;
}
}
@list2;
}
#
# Pre-process a line from a configuration file.
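Review bot: split_list1 drops or mis-groups a parenthesised element that opens and closes in one piece, e.g. `flow=(src)`: the `if ( /\(/ )` branch stores it in $element and never pushes it, so if it is the last element it vanishes from the result, and if it is followed by `classify` the two are joined into one element. Check for `/\(/` and `/\)$/` on the same element first, and add `fatal_error "Invalid $type list ($list)" if $element;` after the loop so an unclosed group is rejected instead of silently discarded.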
@ -2229,8 +2287,6 @@ sub get_configuration( $ ) {
$globals{TC_SCRIPT} = $file;
} elsif ( $val eq 'internal' ) {
$config{TC_ENABLED} = 'Internal';
} elsif ( $val eq 'rtc' ) {
$config{TC_ENABLED} = 'RTC';
} else {
fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
$config{TC_ENABLED} = '';

View File

@ -123,7 +123,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
}
emit "[ -n \"\$NORTC\" ] || ip -4 route flush cache";
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
}
}

View File

@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
}
unless ( $haveroute ) {
emit "run_ip route replace $address dev $interface";
emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
$haveroute = 1 if $persistent;
}

View File

@ -267,12 +267,14 @@ sub setup_rfc1918_filteration( $ ) {
add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT};
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
for my $hostref ( @$listref ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
add_rule $filter_table->{$chain} , join( '', "-m state --state $state ", match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
@ -339,7 +341,7 @@ sub setup_blacklist() {
}
}
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
for my $hostref ( @$hosts ) {
my $interface = $hostref->[0];
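Review bot: `my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '...' : '...' : '';` is a nested ternary without parentheses, and it is one of five places in this diff that build a state list conditioned on $globals{UNTRACKED} (setup_rfc1918_filteration above, add_common_rules twice and setup_mac_lists below). A helper such as `untracked_state( 'NEW,INVALID' )` that appends `,UNTRACKED` when the global is set would keep them in sync and make this line readable.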
@ -367,13 +369,15 @@ sub process_criticalhosts() {
my $fn = open_file 'routestopped';
my $seq = 0;
first_entry "$doing $fn for critical hosts...";
while ( read_a_line ) {
my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
my ($interface, $hosts, $options, $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -381,15 +385,18 @@ sub process_criticalhosts() {
my @hosts;
$seq++;
for my $host ( split_list $hosts, 'host' ) {
validate_host $host, 1;
push @hosts, "$interface|$host";
push @hosts, "$interface|$host|$seq";
}
unless ( $options eq '-' ) {
for my $option (split_list $options, 'option' ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' ) {
unless ( $option eq 'routeback' || $option eq 'source' || $option eq 'dest' || $option eq 'notrack' ) {
if ( $option eq 'critical' ) {
fatal_error "PROTO may not be specified with 'critical'" if $proto ne '-';
push @critical, @hosts;
} else {
warning_message "Unknown routestopped option ( $option ) ignored";
@ -404,17 +411,19 @@ sub process_criticalhosts() {
sub process_routestopped() {
my ( @allhosts, %source, %dest );
my ( @allhosts, %source, %dest , %notrack, @rule );
my $fn = open_file 'routestopped';
my $seq = 0;
first_entry "$doing $fn...";
while ( read_a_line ) {
my $routeback = 0;
my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@ -422,9 +431,14 @@ sub process_routestopped() {
my @hosts;
$seq++;
my $rule = do_proto( $proto, $ports, $sports );
for my $host ( split /,/, $hosts ) {
validate_host $host, 1;
push @hosts, "$interface|$host";
push @hosts, "$interface|$host|$seq";
push @rule, $rule;
}
unless ( $options eq '-' ) {
@ -445,11 +459,15 @@ sub process_routestopped() {
}
} elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) {
$source{"$interface|$host"} = 1;
$source{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) {
$dest{"$interface|$host"} = 1;
$dest{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1;
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
@ -463,34 +481,40 @@ sub process_routestopped() {
my $tool = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES';
for my $host ( @allhosts ) {
my ( $interface, $h ) = split /\|/, $host;
my ( $interface, $h, $seq ) = split /\|/, $host;
my $source = match_source_net $h;
my $dest = match_dest_net $h;
my $sourcei = match_source_dev $interface;
my $desti = match_dest_dev $interface;
my $rule = shift @rule;
emit "$tool -A INPUT $sourcei $source -j ACCEPT";
emit "$tool -A OUTPUT $desti $dest -j ACCEPT" unless $config{ADMINISABSENTMINDED};
emit "$tool -A INPUT $sourcei $source $rule -j ACCEPT";
emit "$tool -A OUTPUT $desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
my $matched = 0;
if ( $source{$host} ) {
emit "$tool -A FORWARD $sourcei $source -j ACCEPT";
emit "$tool -A FORWARD $sourcei $source $rule -j ACCEPT";
$matched = 1;
}
if ( $dest{$host} ) {
emit "$tool -A FORWARD $desti $dest -j ACCEPT";
emit "$tool -A FORWARD $desti $dest $rule -j ACCEPT";
$matched = 1;
}
if ( $notrack{$host} ) {
emit "$tool -t raw -A PREROUTING $sourcei $source $rule -j NOTRACK";
emit "$tool -t raw -A OUTPUT $desti $dest $rule -j NOTRACK";
}
unless ( $matched ) {
for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) {
my ( $interface1, $h1 ) = split /\|/, $host1;
my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
my $dest1 = match_dest_net $h1;
my $desti1 = match_dest_dev $interface1;
emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT";
emit "$tool -A FORWARD $sourcei $desti1 $source $dest1 $rule -j ACCEPT";
clearrule;
}
}
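Review bot: for a routestopped entry with PROTO/PORTS the OUTPUT rules (`-A OUTPUT $desti $dest $rule -j ACCEPT` and `-t raw -A OUTPUT $desti $dest $rule -j NOTRACK`) reuse $rule unchanged, so they match traffic the firewall originates to the named destination port, not the replies, whose ports are swapped. With `notrack` this bites twice: a reply leaving the firewall is still tracked because the OUTPUT NOTRACK rule does not match it, and the OUTPUT ACCEPT rule does not match it either. Consider building the OUTPUT pair from `do_proto( $proto, $sports, $ports )` with the port columns exchanged.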
@ -511,7 +535,7 @@ sub add_common_rules() {
new_standard_chain 'dynamic';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
@ -586,6 +610,9 @@ sub add_common_rules() {
if ( @$list ) {
progress_message2 'Adding Anti-smurf Rules';
my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
for my $hostref ( @$list ) {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
@ -593,7 +620,7 @@ sub add_common_rules() {
my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), $policy );
add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ), $policy );
}
set_interface_option $interface, 'use_input_chain', 1;
@ -696,7 +723,7 @@ sub add_common_rules() {
$list = find_interfaces_by_option 'upnp';
if ( @$list ) {
progress_message2 '$doing UPnP';
progress_message2 "$doing UPnP";
new_nat_chain( 'UPnP' );
@ -737,8 +764,6 @@ sub setup_mac_lists( $ ) {
my @maclist_interfaces = ( sort keys %maclist_interfaces );
progress_message " $doing MAC Verification for @maclist_interfaces -- Phase $phase...";
if ( $phase == 1 ) {
for my $interface ( @maclist_interfaces ) {
@ -828,18 +853,20 @@ sub setup_mac_lists( $ ) {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $source = match_source_net $hostref->[2];
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
if ( $table eq 'filter' ) {
my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
for my $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state NEW ${policy}";
add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
} else {
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}";
add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}";
}
}
} else {
@ -1614,7 +1641,7 @@ sub generate_matrix() {
fatal_error "No policy defined for zone $zone to zone $zone1";
}
'';
''; # CONTINUE policy
}
#
@ -1632,6 +1659,7 @@ sub generate_matrix() {
my @interfaces = ( all_interfaces );
my $preroutingref = ensure_chain 'nat', 'dnat';
my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my @zones = non_firewall_zones;
my $interface_jumps_added = 0;
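Review bot: `my $notrackref = $raw_table->{notrack_chain $fw};` has no `|| {}` fallback, unlike the equivalent lookups in addrawjump and in the parent-zone loop below, so when the firewall zone has no notrack chain the later `if $notrackref->{referenced}` leans on autovivification of an undef scalar; add the fallback for clarity. The same name is then redeclared inside the per-zone loop (`my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );`), shadowing the firewall-zone one; a distinct name would prevent a mistaken reuse.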
@ -1678,6 +1706,10 @@ sub generate_matrix() {
}
}
#
# NOTRACK from firewall
#
add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
#
# Main source-zone matrix-generation loop
#
@ -1692,31 +1724,36 @@ sub generate_matrix() {
my $frwd_ref = $filter_table->{zone_forward_chain $zone};
my $chain = 0;
my $dnatref = ensure_chain 'nat' , dnat_chain( $zone );
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
my $nested = $zoneref->{options}{nested};
my $parenthasnat = 0;
my $parenthasnotrack = 0;
if ( $nested ) {
#
# This is a sub-zone. We need to determine if
#
# a) A parent zone defines DNAT/REDIRECT rules; and
# a) A parent zone defines DNAT/REDIRECT or notrack rules; and
# b) The current zone has a CONTINUE policy to some other zone.
#
# If a) but not b), then we must avoid sending packets from this
# zone through the DNAT/REDIRECT chain for the parent.
# zone through the DNAT/REDIRECT or notrack chain for the parent.
#
my $parenthasnat = 0;
for my $parent ( @{$zoneref->{parents}} ) {
my $ref = $nat_table->{dnat_chain $parent} || {};
$parenthasnat = 1, last if $ref->{referenced};
my $ref1 = $nat_table->{dnat_chain $parent} || {};
my $ref2 = $raw_table->{notrack_chain $parent} || {};
$parenthasnat = 1 if $ref1->{referenced};
$parenthasnotrack = 1 if $ref2->{referenced};
last if $parenthasnat && $parenthasnotrack;
}
if ( $parenthasnat ) {
if ( $parenthasnat || $parenthasnotrack ) {
for my $zone1 ( all_zones ) {
if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
#
# This zone has a continue policy to another zone. We must
# send packets from this zone through the parent's DNAT/REDIRECT chain.
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
#
$nested = 0;
last;
@ -1724,7 +1761,7 @@ sub generate_matrix() {
}
} else {
#
# No parent has DNAT so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' chain.
# No parent has DNAT or notrack so there is nothing to worry about. Don't bother to generate needless RETURN rules in the 'dnat' or 'notrack' chain.
#
$nested = 0;
}
@ -1784,11 +1821,22 @@ sub generate_matrix() {
#
add_jump $preroutingref, source_exclusion( $exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
}
if ( $notrackref->{referenced} ) {
#
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
# There are notrack rules with this zone as the source.
# Add a jump from this source network to this zone's notrack chain
#
add_jump $raw_table->{PREROUTING}, source_exclusion( $exclusions, $notrackref), 0, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
}
#
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
# then add a RETURN jump for this source network.
#
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
if ( $nested ) {
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnat;
add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack;
}
my $inputchainref;
my $interfacematch = '';
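Review bot: the per-source jump and the nested-zone RETURN both go straight into the builtin raw PREROUTING chain (`add_jump $raw_table->{PREROUTING}, ...` and `add_rule $raw_table->{PREROUTING}, ... '-j RETURN'`), whereas the nat side works through the intermediate 'dnat' chain (`$preroutingref`). A RETURN in a builtin chain ends that chain for the packet, so it also skips any raw PREROUTING rules that follow Shorewall's own; mirroring the nat layout with a 'notrack' user chain would confine the RETURN to Shorewall's jumps. Minor: "polcies" in the comment above `if ( $nested ) {`.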

View File

@ -109,6 +109,24 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
}
);
our %flow_keys = ( 'src' => 1,
'dst' => 1,
'proto' => 1,
'proto-src' => 1,
'proto-dst' => 1,
'iif' => 1,
'priority' => 1,
'mark' => 1,
'nfct' => 1,
'nfct-src' => 1,
'nfct-dst' => 1,
'nfct-proto-src' => 1,
'nfct-proto-dst' => 1,
'rt-classid' => 1,
'sk-uid' => 1,
'sk-gid' => 1,
'vlan-tag' => 1 );
our %classids;
our @deferred_rules;
@ -337,6 +355,20 @@ sub calculate_quantum( $$ ) {
int( ( $rate * 125 ) / $r2q );
}
sub process_flow($) {
my $flow = shift;
$flow =~ s/^\(// if $flow =~ s/\)$//;
my @flow = split /,/, $flow;
for ( @flow ) {
fatal_error "Invalid flow key ($_)" unless $flow_keys{$_};
}
$flow;
}
sub validate_tc_device( $$$$$ ) {
my ( $device, $inband, $outband , $options , $redirected ) = @_;
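Review bot: the parenthesis handling in process_flow is asymmetric: `$flow =~ s/^\(// if $flow =~ s/\)$//;` strips a trailing ')' and only then a leading '(', so `flow=src)` is silently accepted as `src` while `flow=(src` fails with the misleading message "Invalid flow key ((src)". An empty value (`flow=`) also passes, because `split /,/, ''` yields no keys to check and the returned '' is then treated by both callers as "no flow option given". Suggest a `fatal_error "Invalid flow specification ($flow)"` when the value is empty or when only one of the two parentheses is present, and rejecting duplicate keys while iterating.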
@ -364,12 +396,18 @@ sub validate_tc_device( $$$$$ ) {
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
my $classify = 0;
my ( $classify, $pfifo, $flow) = (0, 0, '' );
if ( $options ne '-' ) {
for my $option ( split_list $options, 'option' ) {
for my $option ( split_list1 $options, 'option' ) {
if ( $option eq 'classify' ) {
$classify = 1;
} elsif ( $option =~ /^flow=(.*)$/ ) {
fatal_error "The 'flow' option is not allowed with 'pfifo'" if $pfifo;
$flow = process_flow $1;
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $flow;
$pfifo = 1;
} else {
fatal_error "Unknown device option ($option)";
}
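Review bot: the message `"The 'pfifo'' option is not allowed with 'flow='"` has a doubled closing quote after pfifo and should read `'pfifo'`; the same string is repeated in validate_tc_class. Also, device options are matched case-sensitively here while the class options below are lower-cased with `\L$options`, so `PFIFO` is accepted in tcclasses but rejected with "Unknown device option" in tcdevices; worth making the two consistent.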
@ -396,6 +434,8 @@ sub validate_tc_device( $$$$$ ) {
out_bandwidth => rate_to_kbit( $outband ) . 'kbit' ,
number => $devnumber,
classify => $classify ,
flow => $flow ,
pfifo => $pfifo ,
tablenumber => 1 ,
redirected => \@redirected ,
} ,
@ -410,7 +450,6 @@ sub convert_rate( $$$ ) {
if ( $rate =~ /\bfull\b/ ) {
$rate =~ s/\bfull\b/$full/g;
progress_message " Compiling $column $_[1]";
fatal_error "Invalid $column ($_[1])" if $rate =~ m{[^0-9*/+()-]};
no warnings;
$rate = eval "int( $rate )";
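Review bot: dropping the progress message is fine, but this function still evaluates a configuration-derived string with `eval "int( $rate )"`, so the character whitelist `m{[^0-9*/+()-]}` on the preceding line is the only thing keeping that string eval safe, and the `no warnings` block hides any diagnostics from a malformed expression. A one-line comment stating that the whitelist is a security boundary, plus a `fatal_error` if `$@` is set after the eval (if that is not already checked below), would make the intent survive future edits.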
@ -507,7 +546,9 @@ sub validate_tc_class( $$$$$$ ) {
rate => convert_rate( $full, $rate, 'RATE' ) ,
ceiling => convert_rate( $full, $ceil, 'CEIL' ) ,
priority => $prio eq '-' ? 1 : $prio ,
mark => $markval
mark => $markval ,
flow => '' ,
pfifo => 0
};
$tcref = $tcref->{$classnumber};
@ -515,7 +556,7 @@ sub validate_tc_class( $$$$$$ ) {
fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
unless ( $options eq '-' ) {
for my $option ( split_list "\L$options", 'option' ) {
for my $option ( split_list1 "\L$options", 'option' ) {
my $optval = $tosoptions{$option};
$option = $optval if $optval;
@ -531,12 +572,21 @@ sub validate_tc_class( $$$$$$ ) {
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
( undef, $option ) = split /=/, $option;
push @{$tcref->{tos}}, $option;
} elsif ( $option =~ /^flow=(.*)$/ ) {
fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
$tcref->{flow} = process_flow $1;
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
$tcref->{pfifo} = 1;
} else {
fatal_error "Unknown option ($option)";
}
}
}
$tcref->{flow} = $devref->{flow} unless $tcref->{flow};
$tcref->{pfifo} = $devref->{pfifo} unless $tcref->{flow} || $tcref->{pfifo};
push @tcclasses, "$device:$classnumber";
progress_message " Tcclass \"$currentline\" $done.";
}
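Review bot: the inheritance on the two lines before `push @tcclasses` lets a class end up with both `flow` and `pfifo` set, which the per-option checks above are meant to prevent: when the class specifies `pfifo` and the device specifies `flow=`, the first line copies the device's flow into the class because `$tcref->{flow}` is empty. In setup_traffic_shaping that combination emits no sfq qdisc (pfifo) but still emits the `flow hash` filter with `parent $classnum:`, a handle that was never created. Suggest `$tcref->{flow} = $devref->{flow} unless $tcref->{flow} || $tcref->{pfifo};` so either class-level option suppresses inheritance of the other. The doubled quote in the `'pfifo''` message is also present in this file.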
@ -803,13 +853,14 @@ sub setup_traffic_shaping() {
}
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
"run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum",
"run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq perturb 10"
);
"run_tc class add dev $device parent $devref->{number}:1 classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo};
#
# add filters
#
emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio 1 handle $mark fw classid $classid" unless $devref->{classify};
emit "run_tc filter add dev $device protocol ip pref 1 parent $classnum: handle 1 flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
#
#options
#
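Review bot: the new `flow hash keys ... divisor 1024` filter depends on the cls_flow classifier, which only exists on kernels 2.6.25 and later and is not covered by the capability detection that guards other optional features, so on an older kernel `run_tc` fails at start time rather than at compile time. Suggest either a capability check or at least a note in the tcdevices/tcclasses documentation that `flow=` requires cls_flow. Also, `limit 127` is the maximum sfq queue length on these kernels; a short comment on why it is set explicitly rather than left at the default would help the next reader.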
@ -879,7 +930,7 @@ sub setup_tc() {
if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) {
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF';
insert_rule1 $mangle_table->{$chain}, 0, '-j MARK --and-mark 0xFF';
}
}
}

View File

@ -61,22 +61,22 @@ sub setup_tunnels() {
}
}
my $options = '-m state --state NEW -j ACCEPT';
my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options";
add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options";
add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
} else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
}
unless ( $gatewayzones eq '-' ) {
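Review bot: `$globals{UNTRACKED}` is set outside this diff, presumably when /etc/shorewall/notrack has entries; since `$options` is shared with the gateway-zone block below, both sets of IKE rules switch to `--state NEW,UNTRACKED` together, which is what is wanted. The ESP/AH rules on the following lines carry no state match and are unaffected. Worth a sentence in the tunnels documentation that IKE traffic exempted from connection tracking via the notrack file is accepted through the UNTRACKED state, so users understand why the tunnel still works without a tracked NEW connection.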
@ -87,21 +87,21 @@ sub setup_tunnels() {
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT";
add_rule $outchainref, "-p 50 $dest -j ACCEPT";
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
unless ( $noah ) {
add_rule $inchainref, "-p 51 $source -j ACCEPT";
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
add_tunnel_rule $inchainref, "-p 51 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
}
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options";
add_tunnel_rule $inchainref, "-p udp $source --dport 500 $options";
add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
} else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
add_tunnel_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
}
}
}
@ -110,24 +110,24 @@ sub setup_tunnels() {
sub setup_one_other {
my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
add_rule $inchainref , "-p $protocol $source -j ACCEPT";
add_rule $outchainref , "-p $protocol $dest -j ACCEPT";
add_tunnel_rule $inchainref , "-p $protocol $source -j ACCEPT";
add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
}
sub setup_pptp_client {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $outchainref, "-p 47 $dest -j ACCEPT";
add_rule $inchainref, "-p 47 $source -j ACCEPT";
add_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
add_tunnel_rule $outchainref, "-p 47 $dest -j ACCEPT";
add_tunnel_rule $inchainref, "-p 47 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
}
sub setup_pptp_server {
my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
add_rule $inchainref, "-p 47 $dest -j ACCEPT";
add_rule $outchainref, "-p 47 $source -j ACCEPT";
add_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
add_tunnel_rule $inchainref, "-p 47 $dest -j ACCEPT";
add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
add_tunnel_rule $inchainref, "-p tcp --dport 1723 $dest -j ACCEPT"
}
sub setup_one_openvpn {
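Review bot: in setup_pptp_server the GRE rules use `$dest` on the inbound chain and `$source` on the outbound chain, the mirror image of setup_pptp_client, and the TCP 1723 rule matches `$dest` inbound as well. If GATEWAY for a pptpserver entry denotes the remote client address, the inbound rules should match `$source` as the client variant does. This predates the rename and is harmless when GATEWAY is 0.0.0.0/0, but it is worth confirming before the mechanical add_rule to add_tunnel_rule change buries it; the rename itself is applied consistently.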
@ -151,8 +151,8 @@ sub setup_tunnels() {
}
}
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
}
sub setup_one_openvpn_client {
@ -176,8 +176,8 @@ sub setup_tunnels() {
}
}
add_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
add_tunnel_rule $inchainref, "-p $protocol $source --sport $port -j ACCEPT";
add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
}
sub setup_one_openvpn_server {
@ -201,8 +201,8 @@ sub setup_tunnels() {
}
}
add_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
add_tunnel_rule $inchainref, "-p $protocol $source --dport $port -j ACCEPT";
add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
}
sub setup_one_l2tp {
@ -210,8 +210,8 @@ sub setup_tunnels() {
fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
add_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
add_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
add_tunnel_rule $inchainref, "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
add_tunnel_rule $outchainref, "-p udp $dest --sport 1701 --dport 1701 -j ACCEPT";
}
sub setup_one_generic {
@ -228,8 +228,8 @@ sub setup_tunnels() {
( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
}
add_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
add_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
add_tunnel_rule $inchainref, "-p $protocol $source $port -j ACCEPT";
add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
}
sub setup_one_tunnel($$$$) {

View File

@ -35,7 +35,10 @@
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
# --log=<filename> # Log file
# --log_verbosity=<number> # Log Verbosity range -1 to 2
# --family=<number> # IP family; 4 = IPv4, 6 = IPv6
# --family=<number> # IP family; 4 = IPv4 (default), 6 = IPv6
# --rtc # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default)
# # 1 = Do not Generate Routing and Traffic shaping
# # 2 = Generate only the Routing and Traffic shaping part
#
use strict;
use FindBin;
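Review bot: the new header entry reads `--rtc` but the option is declared as `'rtc=i'`, so it takes a required numeric argument; write it as `--rtc=<number>` like `--family=<number>` above. Nothing visible rejects values outside 0..2 before they are passed to compiler(); a `usage(1) unless $rtc >= 0 && $rtc <= 2` beside the existing `@ARGV < 2` check would catch typos early.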
@ -75,6 +78,7 @@ my $log_verbose = 0;
my $help = 0;
my $test = 0;
my $family = 4; # F_IPV4
my $rtc = 0;
Getopt::Long::Configure ('bundling');
@ -97,6 +101,7 @@ my $result = GetOptions('h' => \$help,
'test' => \$test,
'f=i' => \$family,
'family=i' => \$family,
'rtc=i' => \$rtc,
);
usage(1) unless $result && @ARGV < 2;
@ -112,4 +117,5 @@ compiler( object => defined $ARGV[0] ? $ARGV[0] : '',
log => $log,
log_verbosity => $log_verbose,
test => $test,
family => $family );
family => $family ,
rtc => $rtc );

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -2,7 +2,7 @@
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]"
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
@ -23,8 +23,6 @@ fi
initialize
[ -n "${PRODUCT:=Shorewall}" ]
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
r*)
if [ -n "$NORTC" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
RTCONLY=Yes
option=${option#r}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*)
if [ -n "$RTCONLY" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
NORTC=Yes
NOROUTES=Yes
option=${option#n}
;;
*)
@ -79,15 +62,12 @@ done
COMMAND="$1"
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
if shorewall_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
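Review bot: besides removing the -r branch, this hunk replaces `shorewall6_is_started` with `shorewall_is_started` in the IPv4 lite script, which fixes a real bug (the start command was consulting the wrong product's state file). That fix deserves its own line in the changelog so it is not lost among the RTC option removal.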
@ -103,14 +83,11 @@ case "$COMMAND" in
progress_message3 "Stopping $PRODUCT...."
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'reset'"
status=1
elif ! shorewall_is_started ; then
if ! shorewall_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
@ -149,17 +126,14 @@ case "$COMMAND" in
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'refresh'"
status=1
elif shorewall_is_started; then
if shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
@ -171,23 +145,18 @@ case "$COMMAND" in
;;
restore)
[ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'restart'"
status=1
else
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
status)

View File

@ -2,7 +2,7 @@
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -r ] [ start|stop|clear|reset|refresh|restart|status|version ]"
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
@ -23,8 +23,6 @@ fi
initialize
[ -n "${PRODUCT:=Shorewall6}" ]
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -45,23 +43,8 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
r*)
if [ -n "$NORTC" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
RTCONLY=Yes
option=${option#r}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*)
if [ -n "$RTCONLY" ]; then
error_message "The -n and -r options are mutually exclusive"
exit 1
fi
NORTC=Yes
NOROUTES=Yes
option=${option#n}
;;
*)
@ -79,6 +62,8 @@ done
COMMAND="$1"
[ -n "${PRODUCT:=Shorewall6}" ]
kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
if [ $kernel -lt 20625 ]; then
error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later"
@ -87,12 +72,7 @@ else
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
if shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
@ -106,20 +86,13 @@ else
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
if [ -n "$RTCONLY" ]; then
delete_tc1
else
stop_firewall
fi
status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'reset'"
status=1
elif ! shorewall6_is_started ; then
if ! shorewall6_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
@ -148,11 +121,6 @@ else
;;
restart)
[ $# -ne 1 ] && usage 2
if [ -n "$RTCONLY" ]; then
progress_message3 "Restarting $PRODUCT...."
define_firewall
status=$?
else
if shorewall6_is_started; then
progress_message3 "Restarting $PRODUCT...."
else
@ -162,19 +130,14 @@ else
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'refresh'"
status=1
elif shorewall6_is_started; then
if shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
@ -186,23 +149,18 @@ else
;;
restore)
[ $# -ne 1 ] && usage 2
if [ -n "${NORTC}$"{RTCONLY} ]; then
error_message "The -n and -r options may not be used with 'restore'"
status=1
else
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" -a -z "$RTCONLY" ]; then
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && [ -z "$RTCONLY" ] && rm -f $SUBSYSLOCK
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
status)

View File

@ -20,7 +20,6 @@ delete_proxyarp() {
clear_firewall() {
stop_firewall
if [ -z "$RTCONLY" ]; then
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
@ -40,7 +39,6 @@ clear_firewall() {
run_clear_exit
set_state "Cleared"
fi
logger -p kern.info "$PRODUCT Cleared"
}

View File

@ -4,7 +4,6 @@
clear_firewall() {
stop_firewall
if [ -z "$RTCONLY" ]; then
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
@ -16,7 +15,6 @@ clear_firewall() {
run_clear_exit
set_state "Cleared"
fi
logger -p kern.info "$PRODUCT Cleared"
}

View File

@ -821,19 +821,16 @@ detect_gateway() # $1 = interface
{
local interface
interface=$1
local gateway
#
# First assume that this is some sort of point-to-point interface
# First assume that this is some sort of dynamic interface
#
gateway=$( find_peer $(ip addr list $interface ) )
gateway=$( detect_dynamic_gateway $interface )
#
# Maybe there's a default route through this gateway already
#
[ -n "$gateway" ] || gateway=$(find_gateway $(ip -4 route list dev $interface | grep ^default))
#
# Next try dhcpcd's info file for the interface
#
[ -n "$gateway" ] || gateway=$(get_dhcp_gateway)
#
# Last hope -- is there a load-balancing route through the interface?
#
[ -n "$gateway" ] || gateway=$(find_nexthop $interface)
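Review bot: moving the dhcpcd lookup (now inside detect_dynamic_gateway, whose definition is not in this diff) ahead of the routing-table check changes precedence: a stale dhcpcd info file left behind by an earlier lease now wins over a live default route on the interface. If that is intended, say so in the comment; otherwise keep the route lookup first and consult the dhcpcd data only as a fallback, as before. The dropped point-to-point `find_peer` probe also has no visible replacement unless detect_dynamic_gateway covers it.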

View File

@ -1,5 +1,5 @@
%define name shorewall-perl
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall Perl-based compiler.
@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
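Review bot: the two new entries (Feb 04 and Jan 29) carry the identical text "Updated to 4.2.6-0base"; one of them should presumably describe the actual change, as the second looks like a date bump without the line being edited. The same duplicated pair appears in the shorewall-shell and shorewall6-lite spec files in this commit.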

View File

@ -1 +1 @@
This is the Shorewall-shell Development 4.2 branch of SVN.
This is the Shorewall-shell Stable 4.2 branch of SVN.

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall-shell
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,8 +81,10 @@ fi
%doc COPYING INSTALL
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net

View File

@ -1,18 +1,18 @@
# Shorewall Lite Makefile to restart if firewall script is newer than last restart
VARDIR=$(shell /sbin/shorewall-lite show vardir)
SHAREDIR=/usr/share/shorewall-lite
# Shorewall6 Lite Makefile to restart if firewall script is newer than last restart
VARDIR=$(shell /sbin/shorewall6-lite show vardir)
SHAREDIR=/usr/share/shorewall6-lite
RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
@/sbin/shorewall-lite -q save >/dev/null; \
@/sbin/shorewall6-lite -q save >/dev/null; \
if \
/sbin/shorewall-lite -q restart >/dev/null 2>&1; \
/sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall-lite -q save >/dev/null; \
/sbin/shorewall6-lite -q save >/dev/null; \
else \
/sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
/sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
fi
# EOF

View File

@ -1 +1 @@
This is the Shorewall-lite Development 4.1 branch of SVN.
This is the Shorewall-lite Stable 4.2 branch of SVN.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall6-lite
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -89,8 +89,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -5,13 +5,13 @@ RESTOREFILE?=.restore
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \
@/sbin/shorewall6 -q save >/dev/null; \
if \
/sbin/shorewall -q restart >/dev/null 2>&1; \
/sbin/shorewall6 -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall -q save >/dev/null; \
/sbin/shorewall6 -q save >/dev/null; \
else \
/sbin/shorewall -q restart 2>&1 | tail >&2; \
/sbin/shorewall6 -q restart 2>&1 | tail >&2; \
fi
# EOF

View File

@ -1 +1 @@
This is the Shorewall-common Development 4.2 branch of SVN.
This is the Shorewall-common Stable 4.2 branch of SVN.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{
@ -475,6 +475,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
fi
#
# Install the Notrack file
#
run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewal6/configfiles/notrack
if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
fi
#
# Install the default config path file
#
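Review bot: the share-dir path on the first run_install line is misspelled: `${PREFIX}/usr/share/shorewal6/configfiles/notrack` is missing an 'l' in shorewall6, so the template lands in a stray `shorewal6` tree instead of beside the other configfiles. It should be `${PREFIX}/usr/share/shorewall6/configfiles/notrack`, matching the tcdevices block above.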

View File

@ -413,6 +413,13 @@ show_command() {
show_reset
$IP6TABLES -t mangle -L $IPT_OPTIONS
;;
raw)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version raw Table at $HOSTNAME - $(date)"
echo
show_reset
$IP6TABLES -t raw -L $IPT_OPTIONS
;;
log)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"

View File

@ -4,7 +4,7 @@
# /etc/shorewall6/restored
#
# Add commands below that you want to be executed after shorewall6 has
# been completed a 'restore' command.
# completed a 'restore' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -216,10 +216,6 @@ get_config() {
No|NO|no)
TC_ENABLED=
;;
RTC)
NORTC=Yes
RTCONLY=
;;
esac
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
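Review bot: not part of this change, but the context line `[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"` tests the literal string rather than `$LOGFORMAT`, so the condition is always true; it is harmless (the substitution on an empty value yields an empty value) but should read `[ -n "$LOGFORMAT" ]`. Also, with the RTC case removed from TC_ENABLED, a shorewall6.conf that still says `TC_ENABLED=RTC` now falls through to whatever the remaining branches of the case do (not shown); if the intent is to reject the old value, an explicit error branch would be clearer than silent fall-through.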
@ -470,8 +466,7 @@ start_command() {
;;
esac
export NORTC
export RTCONLY
export NOROUTES
export PURGE
if [ -n "$FAST" ]; then
@ -690,15 +685,9 @@ restart_command() {
option=${option#f}
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
PURGE=Yes
@ -742,8 +731,7 @@ restart_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC
export RTCONLY
export NOROUTES
export PURGE
if [ -z "$FAST" ]; then
@ -815,8 +803,7 @@ refresh_command() {
[ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
export NORTC
export RTCONLY
export NOROUTES
progress_message3 "Compiling..."
@ -859,15 +846,9 @@ safe_commands() {
option=
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
*)
usage 1
;;
@ -1008,15 +989,9 @@ try_command() {
option=
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
*)
usage 1
;;
@ -1355,7 +1330,7 @@ usage() # $1 = exit status
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
echo " start [ -f ] [ -n ] [ -p ] [ <directory> ]"
echo " stop [ -f ]"
echo " status"
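Review bot: `raw` is added to the list of show keywords but the `-t {filter|mangle}` alternative on the same line is unchanged; if `show -t raw` is meant to work alongside the new `show raw` (which uses `$IP6TABLES -t raw -L`), the `-t` list needs `raw` as well, otherwise this is fine as is.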
@ -1389,8 +1364,7 @@ IPT_OPTIONS="-nv"
FAST=
VERBOSE_OFFSET=0
USE_VERBOSITY=
NORTC=
RTCONLY=
NOROUTES=
PURGE=
EXPORT=
export TIMESTAMP=
@ -1467,15 +1441,9 @@ while [ $finished -eq 0 ]; do
esac
;;
n*)
NORTC=Yes
RTCONLY=
NOROUTES=Yes
option=${option#n}
;;
r*)
RTCONLY=Yes
NORTC=
option=${option#r}
;;
t*)
TIMESTAMP=Yes
option=${option#t}
@ -1615,16 +1583,14 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage 1
get_config
[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"
export NORTC
export RTCONLY
export NOROUTES
mutex_on
$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
mutex_off
;;
reset)
get_config
export NORTC
export RTCONLY
export NOROUTES
shift
mutex_on
[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"

View File

@ -1,5 +1,5 @@
%define name shorewall6
%define version 4.3.6
%define version 4.2.6
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -142,8 +142,6 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Fri Feb 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Wed Feb 05 2009 Tom Eastep tom@shorewall.net
- Added 'restored' script
* Wed Feb 04 2009 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.2.6
usage() # $1 = exit status
{