From 8263ea131296ca554f10877bc3b1c63a937f46ec Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 25 Nov 2009 12:18:08 -0800 Subject: [PATCH 01/11] Limit providers to 15 --- Shorewall/Perl/Shorewall/Providers.pm | 1 + Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 8 ++++++++ 3 files changed, 11 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index f47b6d58d..ad3a76980 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -311,6 +311,7 @@ sub add_a_provider( ) { } } else { fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS}; + fatal_error "Invalid Mark Value ($mark)" if $val > 0xf0000; } for my $providerref ( values %providers ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 043074171..ffd4e6f7e 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -12,6 +12,8 @@ Changes in Shorewall 4.4.5 6) Fix 'show policies' in Shorewall6. +7) Limit the maximum provider mark to 0xf0000. + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 8702f35cf..b5f8bc31a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -173,6 +173,10 @@ Shorewall 4.4.5 default. If, for some reason, you don't want 'track' then specify 'notrack' for the provider. +14) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum + provider mark value is 0xf0000. This limits the number of providers + to 15. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- 
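Review bot: The guard added to add_a_provider's else branch compares `$val` against a bare 0xf0000 but reports `$mark` without the ceiling, and that ceiling already disagrees with the changelog entry that patch 02 (L9) rewrites to 0xff0000 while leaving this line untouched. Naming the limit once, in the message and in a constant, stops the two from drifting: `fatal_error "Invalid Mark Value ($mark): provider marks above 0xf0000 are not supported" if $val > 0xf0000;`. A short comment on why the ceiling exists (presumably the higher bits of the packet mark are reserved for other uses — confirm) would also help, since nothing here says so. add_a_provider begins and ends outside the hunk.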
@@ -230,6 +234,10 @@ None. $FW dmz REJECT info $FW all ACCEPT +3) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum + provider mark value is now 0xf0000. This limits the number of + providers to 15. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- From 8ff4d004c05ea7b6a89feb6a345fbfa3559843b8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 25 Nov 2009 18:14:14 -0800 Subject: [PATCH 02/11] Better virtual zone implementation --- Shorewall/Perl/Shorewall/Chains.pm | 13 +++++++++-- Shorewall/Perl/Shorewall/Config.pm | 9 +++++--- Shorewall/Perl/Shorewall/Policy.pm | 12 ++++++++-- Shorewall/Perl/Shorewall/Rules.pm | 24 ++++++++++++++++--- Shorewall/Perl/Shorewall/Tc.pm | 5 ++-- Shorewall/Perl/Shorewall/Zones.pm | 37 +++++++++++++++++++++++++++--- Shorewall/changelog.txt | 2 +- Shorewall/lib.base | 6 ++++- Shorewall/releasenotes.txt | 8 ------- Shorewall6/lib.base | 4 +++- 10 files changed, 94 insertions(+), 26 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index cbc8fbc09..47a3ca8b6 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -167,7 +167,7 @@ our %EXPORT_TAGS = ( Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # Chain Table 
@@ -1185,9 +1185,18 @@ sub finish_section ( $ ) { $sections{$_} = 1 for split /,/, $sections; for my $zone ( all_zones ) { + my $mark = defined_zone( $zone )->{mark}; for my $zone1 ( all_zones ) { + my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS; my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; - finish_chain_section $chainref, $sections if $chainref->{referenced}; + + finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1; + + if ( $sections{RELATED} ) { + add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark; + add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1; + } + } } } diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 6aa6264f8..4a4456c24 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # describe the current command, it's present progressive, and it's completion. @@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', IPMARK_TARGET => 'IPMARK Target', PERSISTENT_SNAT => 'Persistent SNAT', OLD_HL_MATCH => 'Old Hash Limit Match', + MARK_IN_FILTER => 'MARK in Filter Table', CAPVERSION => 'Capability Version', ); # @@ -327,8 +328,8 @@ sub initialize( $ ) { TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.5.0", - CAPVERSION => 40402 , + VERSION => "4.4.5", + CAPVERSION => 40405 , ); # @@ -619,6 +620,7 @@ sub initialize( $ ) { LOG_TARGET => 1, # Assume that we have it. PERSISTENT_SNAT => undef, OLD_HL_MATCH => undef, + MARK_IN_FILTER => undef, CAPVERSION => undef, ); # 
@@ -2031,6 +2033,7 @@ sub determine_capabilities( $ ) { $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); + $capabilities{MARK_IN_FILTER} = qt1( "$iptables -A $sillyname -j MARK --set-mark 1" ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index 99d34da14..9454bc9d9 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -348,8 +348,16 @@ sub validate_policy() add_or_modify_policy_chain( $zone1, $zone ); } } - } - } + } elsif ( defined_zone( $zone )->{virtual} ) { + for my $zone1 ( @{defined_zone( $zone )->{children}} ) { + for my $zone2 ( all_zones ) { + unless ( $zone1 eq $zone2 ) { + add_or_modify_policy_chain( $zone1, $zone2 ); + add_or_modify_policy_chain( $zone2, $zone1 ); + } + } + } + } } my $fn = open_file 'policy'; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index ad85061b1..7eea22ea4 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1724,10 +1724,11 @@ sub generate_matrix() { for my $hostref ( @{$arrayref} ) { my $ipsec_match = match_ipsec_in $zone , $hostref; + my $exclusion = source_exclusion( $hostref->{exclusions}, $frwd_ref ); for my $net ( @{$hostref->{hosts}} ) { add_jump( $sourcechainref, - source_exclusion( $hostref->{exclusions}, $frwd_ref ), + $exclusion, ! @{$zoneref->{parents}}, join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) ); 
@@ -1759,6 +1760,7 @@ sub generate_matrix() { my $nested = $zoneref->{options}{nested}; my $parenthasnat = 0; my $parenthasnotrack = 0; + my $virtual = $zoneref->{virtual}; if ( $nested ) { # @@ -1823,6 +1825,8 @@ sub generate_matrix() { my $outputref; my $interfacematch = ''; + add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; + if ( use_output_chain $interface ) { $outputref = $filter_table->{output_chain $interface}; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; @@ -1881,6 +1885,7 @@ sub generate_matrix() { } if ( $chain2 ) { + add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; } @@ -1953,6 +1958,11 @@ sub generate_matrix() { } else { @dest_zones = @zones ; } + + if ( $frwd_ref ) { + add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; + } + # # Here it is -- THE BIG UGLY!!!!!!!!!!!! # @@ -1961,6 +1971,7 @@ sub generate_matrix() { # for my $zone1 ( @dest_zones ) { my $zone1ref = find_zone( $zone1 ); + my $virtual1 = $zone1ref->{virtual}; next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; 
@@ -1990,8 +2001,9 @@ sub generate_matrix() { next if $hostref->{options}{sourceonly}; if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; + my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain); for my $net ( @{$hostref->{hosts}} ) { - add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ); + add_jump( $frwd_ref, $exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ) ); } } } @@ -2032,6 +2044,7 @@ sub generate_matrix() { for my $host1ref ( @$array1ref ) { next if $host1ref->{options}{sourceonly}; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; + my $exclusion = dest_exclusion( $host1ref->{exclusions}, $chain ); for my $net1 ( @{$host1ref->{hosts}} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { # @@ -2039,7 +2052,7 @@ sub generate_matrix() { # add_jump( $excl3ref , - dest_exclusion( $host1ref->{exclusions}, $chain ), + $exclusion, 0, join( '', $match_source_dev, @@ -2048,6 +2061,11 @@ sub generate_matrix() { match_dest_net($net1), $ipsec_out_match ) ); + add_jump($excl3ref , + $exclusion, + 0, + "-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1; + } } } diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index e83618af6..25d8a09c5 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -40,7 +40,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; our %tcs = ( T => { chain => 'tcpost', connmark => 0, 
@@ -1235,6 +1235,7 @@ sub setup_tc() { if ( $capabilities{MANGLE_FORWARD} ) { add_rule $mangle_table->{FORWARD} , '-j tcfor'; + add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks add_rule $mangle_table->{POSTROUTING} , '-j tcpost'; } @@ -1246,7 +1247,7 @@ sub setup_tc() { # In POSTROUTING, we only want to clear routing mark and not IPMARK. # insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0'; - } + } } if ( $globals{TC_SCRIPT} ) { diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 7496b0cec..215784284 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -40,6 +40,7 @@ our @EXPORT = qw( NOTHING IP BPORT IPSEC + VIRTUAL_BITS determine_zones zone_report @@ -75,7 +76,7 @@ our @EXPORT = qw( NOTHING ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # IPSEC Option types @@ -104,6 +105,8 @@ use constant { NOTHING => 'NOTHING', # children => [ ] # interfaces => { => 1, ... } # bridge => +# virtual => +# mark => # hosts { } => [ { => { ipsec => 'ipsec'|'none' # options => { => # ... @@ -156,6 +159,7 @@ our @bport_zones; our %ipsets; our %physical; our $family; +our $virtualmark; use constant { FIREWALL => 1, IP => 2, @@ -176,6 +180,11 @@ use constant { SIMPLE_IF_OPTION => 1, IF_OPTION_HOST => 16, }; +use constant { VIRTUAL_BASE => 0x1000000 , + VIRTUAL_LIMIT => 0x8000000 , + VIRTUAL_BITS => 4 #Bits for virtual MASK numbers + }; + our %validinterfaceoptions; our %validhostoptions; @@ -201,6 +210,7 @@ sub initialize( $ ) { @bport_zones = (); %ipsets = (); %physical = (); + $virtualmark = VIRTUAL_BASE; if ( $family == F_IPV4 ) { %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, 
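Review bot: `add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks` hard-codes the mask that VIRTUAL_BASE (0x1000000, added to Zones.pm in this same commit) defines, and it sits inside the `if ( $capabilities{MANGLE_FORWARD} )` branch, so on a kernel without mangle FORWARD the virtual bits are never cleared before the packet leaves unless that is done somewhere not visible here. Deriving the mask keeps the two in step: `add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark ' . in_hex( VIRTUAL_BASE - 1 );` (VIRTUAL_BASE would need exporting from Zones.pm, which currently exports only VIRTUAL_BITS, and in_hex must be in scope in Tc.pm). If the clearing is meant to be unconditional, moving it out of the MANGLE_FORWARD test is the simpler fix. setup_tc begins and ends outside the hunk.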
@@ -353,6 +363,8 @@ sub process_zone( \$ ) { my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; + my $mark = 0; + if ( $zone =~ /(\w+):([\w,]+)/ ) { $zone = $1; @parents = split_list $2, 'zone'; @@ -361,6 +373,7 @@ sub process_zone( \$ ) { fatal_error "Invalid Parent List ($2)" unless $p; fatal_error "Unknown parent zone ($p)" unless $zones{$p}; fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL; + $mark |= $zones{$p}{virtual}; push @{$zones{$p}{children}}, $zone; } } @@ -402,6 +415,17 @@ sub process_zone( \$ ) { } } + my $virtual = 0; + + if ( $options eq 'virtual' ) { + require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; + fatal_error "Only ipv${family} zones may be virtual" unless $type == IP; + fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; + $virtual = $virtualmark; + $virtualmark = $virtualmark << 1; + $options = ''; + } + for ( $options, $in_options, $out_options ) { $_ = '' if $_ eq '-'; } @@ -409,6 +433,8 @@ sub process_zone( \$ ) { $zones{$zone} = { type => $type, parents => \@parents, bridge => '', + virtual => $virtual, + mark => $mark , options => { in_out => parse_zone_option_list( $options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) , @@ -530,9 +556,8 @@ sub zone_report() unless ( $printed ) { fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; - warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL; + warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} ); } - } } @@ -587,6 +612,12 @@ sub dump_zone_contents() } } + if ( $zoneref->{virtual} && @{$zoneref->{children}} ) { + $entry .= " ("; + $entry .= "$_," for @{$zoneref->{children}}; + $entry =~ s/,$/) /; + } + emit_unindented $entry; } } 
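Review bot: The `fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;` check in process_zone admits only three virtual zones: $virtualmark starts at VIRTUAL_BASE (0x1000000) and is doubled after each virtual zone, so it already equals VIRTUAL_LIMIT (0x8000000) when the fourth one is declared, while the release notes and manpages added in patch 03 (L14–L16) promise four. Either the comparison should be `fatal_error "Too many virtual zones" if $virtualmark > VIRTUAL_LIMIT;` so that 0x8000000 itself is still assignable, or the documentation should say three; the same comparison is carried into the type-based branch of patch 07 (L20). Separately, nothing in this hunk rejects a virtual zone that is later named in interfaces or hosts, although the release notes state it must have no such definition; if that is enforced elsewhere, a comment here pointing to it would help. process_zone begins and ends outside the hunk.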
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index ffd4e6f7e..17048eacd 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5 6) Fix 'show policies' in Shorewall6. -7) Limit the maximum provider mark to 0xf0000. +7) Limit the maximum provider mark to 0xff0000. Changes in Shorewall 4.4.4 diff --git a/Shorewall/lib.base b/Shorewall/lib.base index ebcabc735..bdeb2fbd2 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -30,7 +30,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=40402 +SHOREWALL_CAPVERSION=40405 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -828,6 +828,7 @@ determine_capabilities() { IPMARK_TARGET= LOG_TARGET=Yes PERSISTENT_SNAT= + MARK_IN_FILTER= chain=fooX$$ @@ -958,6 +959,7 @@ determine_capabilities() { qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOG || LOG_TARGET= + qt $IPTABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes qt $IPTABLES -F $chain qt $IPTABLES -X $chain @@ -1026,6 +1028,7 @@ report_capabilities() { report_capability "IPMARK Target" $IPMARK_TARGET report_capability "LOG Target" $LOG_TARGET report_capability "Persistent SNAT" $PERSISTENT_SNAT + report_capability "Mark in Filter Table" $MARK_IN_FILTER fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1085,6 +1088,7 @@ report_capabilities1() { report_capability1 IPMARK_TARGET report_capability1 LOG_TARGET report_capability1 PERSISTENT_SNAT + report_capability1 MARK_IN_FILTER echo CAPVERSION=$SHOREWALL_CAPVERSION } diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index b5f8bc31a..8702f35cf 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -173,10 +173,6 @@ Shorewall 4.4.5 default. If, for some reason, you don't want 'track' then specify 'notrack' for the provider. -14) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum - provider mark value is 0xf0000. This limits the number of providers - to 15. - ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- @@ -234,10 +230,6 @@ None. $FW dmz REJECT info $FW all ACCEPT -3) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum - provider mark value is now 0xf0000. This limits the number of - providers to 15. - ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index 8e846624b..75fd3eaf0 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40300 -SHOREWALL_CAPVERSION=40402 +SHOREWALL_CAPVERSION=40405 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] @@ -737,6 +737,7 @@ determine_capabilities() { GOTO_TARGET= IPMARK_TARGET= LOG_TARGET=Yes + MARK_IN_FILTER=Yes chain=fooX$$ @@ -864,6 +865,7 @@ determine_capabilities() { qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes + qt $IP6TABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -F $chain From 222c8cf88f3c0c7e8f60341e8b66f15c7a2ab423 Mon Sep 17 00:00:00 2001 
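Review bot: In Shorewall6/lib.base the capability is pre-set with `MARK_IN_FILTER=Yes` before the probe, and the probe line only ever sets it to Yes (`qt $IP6TABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes`), so a failed probe leaves the capability reported as present and any consumer of the exported capabilities will believe MARK works in the filter table on a kernel where it does not. The Shorewall/lib.base counterpart in the same commit (L9) initialises it empty; this one should too: `MARK_IN_FILTER=`. determine_capabilities begins and ends outside the hunk.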
From: Tom Eastep Date: Thu, 26 Nov 2009 12:14:58 -0800 Subject: [PATCH 03/11] Finish Virtual Zones --- Shorewall/Perl/Shorewall/Chains.pm | 10 +---- Shorewall/Perl/Shorewall/Policy.pm | 9 ++++- Shorewall/Perl/Shorewall/Rules.pm | 12 +++--- Shorewall/changelog.txt | 2 +- Shorewall/releasenotes.txt | 36 ++++++++++++++++++ manpages/shorewall-nesting.xml | 60 ++++++++++++++++++++++++++++-- manpages6/shorewall6-nesting.xml | 54 +++++++++++++++++++++++++++ 7 files changed, 164 insertions(+), 19 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 47a3ca8b6..1626e11b7 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1185,18 +1185,10 @@ sub finish_section ( $ ) { $sections{$_} = 1 for split /,/, $sections; for my $zone ( all_zones ) { - my $mark = defined_zone( $zone )->{mark}; for my $zone1 ( all_zones ) { - my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS; my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; - finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1; - - if ( $sections{RELATED} ) { - add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark; - add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1; - } - + finish_chain_section $chainref, $sections if $chainref->{referenced}; } } } diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index 9454bc9d9..b8d69d85a 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm 
@@ -129,8 +129,15 @@ sub add_or_modify_policy_chain( $$ ) { push @policy_chains, $chainref; } } else { - push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); + push @policy_chains, ( $chainref = new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); } + + unless ( $chainref->{marked} ) { + my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS ); + add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark; + $chainref->{marked} = 1; + } + } sub print_policy($$$$) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7eea22ea4..81cdb9199 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1801,6 +1801,11 @@ sub generate_matrix() { # # Take care of PREROUTING, INPUT and OUTPUT jumps # + if ( $virtual ) { + add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark ! --mark 0/" . in_hex($virtual << VIRTUAL_BITS) . ' ' if $chain1; + add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $chain2; + } + for my $typeref ( values %$source_hosts_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) { my $arrayref = $typeref->{$interface}; @@ -1825,8 +1830,6 @@ sub generate_matrix() { my $outputref; my $interfacematch = ''; - add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; - if ( use_output_chain $interface ) { $outputref = $filter_table->{output_chain $interface}; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; 
@@ -1885,7 +1888,6 @@ sub generate_matrix() { } if ( $chain2 ) { - add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; } @@ -1960,7 +1962,7 @@ sub generate_matrix() { } if ( $frwd_ref ) { - add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual; + add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark ! --mark 0/" . in_hex($virtual) . ' ' if $virtual; } # @@ -2064,7 +2066,7 @@ sub generate_matrix() { add_jump($excl3ref , $exclusion, 0, - "-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1; + "-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1; } } diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 17048eacd..1bb5c4392 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5 6) Fix 'show policies' in Shorewall6. -7) Limit the maximum provider mark to 0xff0000. +7) Implement 'virtual' zones. Changes in Shorewall 4.4.4 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 8702f35cf..da6bc884e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -230,6 +230,42 @@ None. $FW dmz REJECT info $FW all ACCEPT +3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used + to group together a set of sub-zones. A virtual zone must by an + ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared + with the 'virtual' OPTION in /etc/shorewall/zones. + + Example: + + virt ipv4 virtual + + The virtual zone must have no definition in + /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones + can themselves be nested in other virtual zones but there is a + limit of four virtual zones per configuration (that limitation + derives from the fact that each virtual zone requires 2 bits in the + packet mark). + + Virtual zones are use as parent zones for other zones using the + : syntax in /etc/shorewall/zones: + + Example: + + virt ipv4 virtual + loc:virt ipv4 + vpn:virt ipsec + + As shown in that example, a virtual zone may be a parent for + multiple zone types. + + Virtual zones are intended to be used with + IMPLICIT_CONTINUE=No. They provide semantic behavior similar to + IMPLICIT_CONTINUE=Yes in that connections that do not match rules + for the sub-zone are applied to the parent zone. + + For more information, see + http://www.shorewall.net/manpages/shorewall-nesting.html + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml index 1884696e0..405b8f4bc 100644 --- a/manpages/shorewall-nesting.xml +++ b/manpages/shorewall-nesting.xml 
@@ -154,14 +154,14 @@ to change the 'net' interface to something other than ppp0. That way, it won't match ppp+. - If you are running Shorewall version 4.1.4 or later, a second way is - to simply make the nested zones explicit: #ZONE TYPE OPTION + A second way is to simply make the nested zones + explicit: #ZONE TYPE OPTION fw firewall loc ipv4 net:loc ipv4 dmz ipv4 - If you take this approach, be sure to set IMPLICIT_CONTINUE=No in + If you take this approach, be sure to set IMPLICIT_CONTINUE=Yes in shorewall.conf. When using other Shorewall versions, another way is to rewrite the @@ -183,6 +183,60 @@ loc ppp+:192.168.2.0/23 + + Virtual Zones + + Beginning with Shorewall 4.4.5, Shorewall allows the declaration of + virtual zones. A virtual zone has no definition in + /etc/shorewall/interfaces or in + /etc/shorewall/hosts. Rather, it is used as a parent + zone for other zones in /etc/shorewall/zones. + + Example: + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS + fw firewall + net ipv4 + loc ipv4 virtual + loc1:loc ipv4 + loc2:loc ipv4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians + - eth1 detect tcpflags,nosmurfs,routefilter,logmartians + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS + loc1 eth1:192.168.1.0/24 + loc2 eth1:192.168.2.0/24 + + There are several restrictions on virtual zones: + + + + They must have type . + + + + A maximum of four virtual zones may be defined. + + + + They should not be used with IMPLICIT_CONTINUE=Yes in shorewall.conf(5). + + + + When a connection request to/from a sub-zone of a virtual zone does + not match the rules for the sub-zone, the connection is compared against + the rules (and policies) for the parent virtual zone. + + FILES diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml index 7edbea347..307a1220c 100644 --- a/manpages6/shorewall6-nesting.xml +++ b/manpages6/shorewall6-nesting.xml 
@@ -87,6 +87,60 @@ significant. + + Virtual Zones + + Beginning with Shorewall 4.4.5, Shorewall allows the declaration of + virtual zones. A virtual zone has no definition in + /etc/shorewall6/interfaces or in + /etc/shorewall6/hosts. Rather, it is used as a parent + zone for other zones in /etc/shorewall6/zones. + + Example: + + /etc/shorewall6/zones: + + #ZONE TYPE OPTIONS + fw firewall + net ipv6 + loc ipv6 virtual + loc1:loc ipv6 + loc2:loc ipv6 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net eth0 detect dhcp,tcpflags + - eth1 detect tcpflags + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS + loc1 eth1:2001:19f0:feee:1::/48 + loc2 eth1:2001:19f0:feee:2::/48 + + There are several restrictions on virtual zones: + + + + They must have type . + + + + A maximum of four virtual zones may be defined. + + + + They should not be used with IMPLICIT_CONTINUE=Yes in shorewall6.conf(5). + + + + When a connection request to/from a sub-zone of a virtual zone does + not match the rules for the sub-zone, the connection is compared against + the rules (and policies) for the parent virtual zone. + + FILES From 22991ac9dd3030c0d918e77efee4f5bc1d266b43 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 26 Nov 2009 14:19:10 -0800 Subject: [PATCH 04/11] Fix a couple of bugs in virtual zones --- Shorewall/Perl/Shorewall/Rules.pm | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 81cdb9199..662f88a51 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -1692,7 +1692,7 @@ sub generate_matrix() { for my $zone ( @zones ) { my $zoneref = find_zone( $zone ); - next if @zones <= 2 && ! $zoneref->{options}{complex}; + next if @zones <= 2 && ! ( $zoneref->{options}{complex} || $zoneref->{virtual} || $zoneref->{mark} ); # # Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain # @@ -1973,7 +1973,7 @@ sub generate_matrix() { # for my $zone1 ( @dest_zones ) { my $zone1ref = find_zone( $zone1 ); - my $virtual1 = $zone1ref->{virtual}; + my $virtual1 = $zone1ref->{virtual} << VIRTUAL_BITS; next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; @@ -2011,6 +2011,8 @@ sub generate_matrix() { } } } + + add_jump( $frwd_ref, $chain, 0, '-m mark ! --mark 0/' . in_hex( $virtual1 ) . ' ' ) if $virtual1; } else { # # More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain @@ -2062,14 +2064,18 @@ sub generate_matrix() { match_source_net($net), match_dest_net($net1), $ipsec_out_match ) - ); - add_jump($excl3ref , - $exclusion, - 0, - "-m mark ! --mark 0/" . in_hex($virtual1) . ' ') if $virtual1; - + ); } } + + add_rule ( $excl3ref, + $chain, + join( '', + $match_source_dev, + match_source_net($net), + '-m mark ! --mark 0/', + in_hex( $virtual1 ), + ' ' ) ) if $virtual1; } } } From 251d7116c86d549b0928bc6fa8b57a812c6c3cc5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 26 Nov 2009 14:48:46 -0800 Subject: [PATCH 05/11] Small optimization in virtual zones --- Shorewall/Perl/Shorewall/Policy.pm | 8 ++++++-- Shorewall/Perl/Shorewall/Rules.pm | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index b8d69d85a..71ce02b62 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm 
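Review bot: The new `add_rule ( $excl3ref, $chain, join( '', ... ) ) if $virtual1;` at the end of the last hunk passes the target chain name as add_rule's second argument, which every other add_rule call on this page treats as the rule text, and the joined match string carries no `-j`; unless add_rule has a three-argument form that accepts a target (not visible here), the emitted rule is just the chain name and the match is dropped. The sibling calls in this function use `add_jump( $excl3ref, $exclusion, 0, <match> )` for exactly this shape, and the other addition in this same patch is `add_jump( $frwd_ref, $chain, 0, ... )`, so this should read `add_jump( $excl3ref, $chain, 0, join( '', $match_source_dev, match_source_net($net), '-m mark ! --mark 0/', in_hex( $virtual1 ), ' ' ) ) if $virtual1;`. generate_matrix begins and ends outside the hunk.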
@@ -133,8 +133,12 @@ sub add_or_modify_policy_chain( $$ ) { } unless ( $chainref->{marked} ) { - my $mark = defined_zone( $zone )->{mark} | ( defined_zone( $zone1 )->{mark} << VIRTUAL_BITS ); - add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark; + my $mark = defined_zone( $zone )->{mark}; + my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS; + + add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone; + add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1; + $chainref->{marked} = 1; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 662f88a51..b5f4588ec 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1698,6 +1698,8 @@ sub generate_matrix() { # my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); + add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark}; + if ( $capabilities{POLICY_MATCH} ) { # # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the From 1699d8e941db82b55192ece0de1164189095b89b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 26 Nov 2009 17:12:11 -0800 Subject: [PATCH 06/11] Match section rules to the number of mark rules --- Shorewall/Perl/Shorewall/Chains.pm | 12 +++++++++++- Shorewall/Perl/Shorewall/Policy.pm | 6 ++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 1626e11b7..1137477c7 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
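Review bot: `add_rule $frwd_ref, '-j MARK --set-mark ' . in_hex( $zoneref->{mark} ) if $zoneref->{mark};` at the top of the zone forwarding chain replaces the entire packet mark, whereas every other mark write in this series uses `--or-mark` and touches only the virtual bits; mark bits set earlier in the packet's traversal (the tcfor rules in mangle FORWARD run before filter FORWARD, and patch 01 went to the trouble of keeping provider marks below these bits) would be wiped. If the intent is only to establish the source zone's virtual bits before the per-zone rules, `'-j MARK --or-mark '` preserves the rest, as would `--set-mark value/mask` on an iptables that supports the mask form. A comment stating which bits this rule is meant to establish would make the choice reviewable. generate_matrix begins and ends outside the hunk.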
@@ -1148,7 +1148,17 @@ sub finish_chain_section ($$) { $comment = ''; - add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; + unless ( $config{FASTACCEPT} ) { + if ( $chainref->{marked} ) { + if ( $chainref->{marked} == @{$chainref->{rules}} ) { + insert_rule( $chainref, 0, "-m state --state $state -j ACCEPT" ); + } else { + add_rule $chainref, "-m state --state $state -j ACCEPT"; + } + } else { + add_rule $chainref, "-m state --state $state -j ACCEPT"; + } + } if ($sections{NEW} ) { if ( $chainref->{is_policy} ) { diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index 71ce02b62..3969ba737 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -136,10 +136,8 @@ sub add_or_modify_policy_chain( $$ ) { my $mark = defined_zone( $zone )->{mark}; my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS; - add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone; - add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1; - - $chainref->{marked} = 1; + $chainref->{marked} = 1, add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark && $zone1 eq firewall_zone; + $chainref->{marked}++ , add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1; } } From 18eedf7e3490b2f49422ea53ac119e07693d0e71 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 27 Nov 2009 08:17:18 -0800 Subject: [PATCH 07/11] Make 'virtual' a zone type rather than an option --- Shorewall/Perl/Shorewall/Policy.pm | 2 +- Shorewall/Perl/Shorewall/Zones.pm | 48 ++++++++++++++---------------- Shorewall/releasenotes.txt | 9 +++--- manpages/shorewall-nesting.xml | 6 +--- manpages6/shorewall6-nesting.xml | 6 +--- manpages6/shorewall6-zones.xml | 11 +++++++ 6 files changed, 40 insertions(+), 42 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index 3969ba737..a922702ba 100644 
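Review bot: The inner `else` and the outer `else` of the new `unless ( $config{FASTACCEPT} )` block add the identical rule, so the three-level nesting collapses to a single test: `if ( $chainref->{marked} && $chainref->{marked} == @{$chainref->{rules}} ) { insert_rule( $chainref, 0, "-m state --state $state -j ACCEPT" ); } else { add_rule $chainref, "-m state --state $state -j ACCEPT"; }`. The equality test also deserves a comment, because it encodes the assumption that `marked` counts exactly the MARK rules and that those are the only rules in the chain at this point, e.g. `# Chain holds only MARK rules so far: accept established traffic ahead of them instead of marking it first`. `finish_chain_section` begins before the hunk and I cannot see whether `marked` is ever reset between sections.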
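Review bot: Each of the two new lines in the Policy.pm hunk chains an assignment and an `add_rule` call with the comma operator under a trailing `if`, and the first uses `= 1` while the second uses `++`, so the count is only right because of the order the two statements happen to run in. Writing each as an explicit block that adds the rule and then increments `marked` reads as the counter it is and no longer depends on which line comes first; the enclosing `unless ( $chainref->{marked} )` block opens before the hunk. A one-line comment that `marked` is later compared with the chain's rule count in `finish_chain_section` would also explain why it must track every rule added here.

```perl
my $mark  = defined_zone( $zone )->{mark};
my $mark1 = defined_zone( $zone1 )->{mark} << VIRTUAL_BITS;

# 'marked' counts the MARK rules added here; finish_chain_section()
# compares it with the chain's total rule count.
if ( $mark && $zone1 eq firewall_zone ) {
    add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark);
    $chainref->{marked}++;
}

if ( $mark1 ) {
    add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1);
    $chainref->{marked}++;
}
```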
--- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -357,7 +357,7 @@ sub validate_policy() add_or_modify_policy_chain( $zone1, $zone ); } } - } elsif ( defined_zone( $zone )->{virtual} ) { + } elsif ( zone_type( $zone ) == VIRTUAL ) { for my $zone1 ( @{defined_zone( $zone )->{children}} ) { for my $zone2 ( all_zones ) { unless ( $zone1 eq $zone2 ) { diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 215784284..4f5f5db68 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -40,6 +40,7 @@ our @EXPORT = qw( NOTHING IP BPORT IPSEC + VIRTUAL VIRTUAL_BITS determine_zones @@ -164,7 +165,8 @@ our $virtualmark; use constant { FIREWALL => 1, IP => 2, BPORT => 3, - IPSEC => 4 }; + IPSEC => 4, + VIRTUAL => 5 }; use constant { SIMPLE_IF_OPTION => 1, BINARY_IF_OPTION => 2, @@ -364,6 +366,7 @@ sub process_zone( \$ ) { my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my $mark = 0; + my $virtual = 0; if ( $zone =~ /(\w+):([\w,]+)/ ) { $zone = $1; @@ -389,6 +392,12 @@ sub process_zone( \$ ) { } elsif ( $type =~ /^ipsec([46])?$/i ) { fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; $type = IPSEC; + + for ( @parents ) { + unless ( $zones{$_}{type} == IPSEC ) { + set_super( $zones{$_} ); + } + } } elsif ( $type =~ /^bport([46])?$/i ) { fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; warning_message "Bridge Port zones should have a parent zone" unless @parents; @@ -400,6 +409,12 @@ sub process_zone( \$ ) { $firewall_zone = $zone; $ENV{FW} = $zone; $type = FIREWALL; + } elsif ( $type eq 'virtual' ) { + require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; + fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; + $virtual = $virtualmark; + $virtualmark = $virtualmark << 1; + $type = VIRTUAL; } elsif ( $type eq '-' ) { $type = IP; $$ip = 1; 
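Review bot: The new `virtual` branch in `process_zone` tests `$type eq 'virtual'`, whereas the neighbouring ipsec and bport branches match with `/i`, so `Virtual` or `VIRTUAL` in the TYPE column falls through to the `Invalid zone type` error while the other types accept any case; `} elsif ( $type =~ /^virtual$/i ) {` keeps the branches consistent. Nothing in the branch looks at `@parents`, so a virtual zone declared with its own parent list is accepted silently; if nesting a virtual zone inside another zone is not supported, a `fatal_error "Virtual zones may not have parents"` here would be clearer than whatever the later parent handling, which is outside this hunk, does with it. `process_zone` begins before the hunk.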
@@ -407,25 +422,6 @@ sub process_zone( \$ ) { fatal_error "Invalid zone type ($type)" ; } - if ( $type eq IPSEC ) { - for ( @parents ) { - unless ( $zones{$_}{type} == IPSEC ) { - set_super( $zones{$_} ); - } - } - } - - my $virtual = 0; - - if ( $options eq 'virtual' ) { - require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; - fatal_error "Only ipv${family} zones may be virtual" unless $type == IP; - fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; - $virtual = $virtualmark; - $virtualmark = $virtualmark << 1; - $options = ''; - } - for ( $options, $in_options, $out_options ) { $_ = '' if $_ eq '-'; } @@ -511,9 +507,9 @@ sub zone_report() my @translate; if ( $family == F_IPV4 ) { - @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); + @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); } else { - @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); + @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); } for my $zone ( @zones ) @@ -556,7 +552,7 @@ sub zone_report() unless ( $printed ) { fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; - warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} ); + warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} ); } } } @@ -569,9 +565,9 @@ sub dump_zone_contents() my @xlate; if ( $family == F_IPV4 ) { - @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); + @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); } else { - @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); + @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); } for my $zone ( @zones ) 
@@ -612,7 +608,7 @@ sub dump_zone_contents() } } - if ( $zoneref->{virtual} && @{$zoneref->{children}} ) { + if ( $type == VIRTUAL && @{$zoneref->{children}} ) { $entry .= " ("; $entry .= "$_," for @{$zoneref->{children}}; $entry =~ s/,$/) /; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index da6bc884e..bbf58a8d2 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -231,13 +231,12 @@ None. $FW all ACCEPT 3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used - to group together a set of sub-zones. A virtual zone must by an - ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared - with the 'virtual' OPTION in /etc/shorewall/zones. + to group together a set of sub-zones. A virtual zone is declared + as TYPE 'virtual' in /etc/shorewall/zones. Example: - virt ipv4 virtual + virt virtual The virtual zone must have no definition in /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones @@ -251,7 +250,7 @@ None. Example: - virt ipv4 virtual + virt virtual loc:virt ipv4 vpn:virt ipsec diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml index 405b8f4bc..63b004608 100644 --- a/manpages/shorewall-nesting.xml +++ b/manpages/shorewall-nesting.xml @@ -199,7 +199,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv4 - loc ipv4 virtual + loc virtual #Virtual Zone loc1:loc ipv4 loc2:loc ipv4 @@ -218,10 +218,6 @@ There are several restrictions on virtual zones: - - They must have type . - - A maximum of four virtual zones may be defined. diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml index 307a1220c..aa8b80655 100644 --- a/manpages6/shorewall6-nesting.xml +++ b/manpages6/shorewall6-nesting.xml @@ -103,7 +103,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv6 - loc ipv6 virtual + loc virtual #Virtual Zone loc1:loc ipv6 loc2:loc ipv6 
@@ -122,10 +122,6 @@ There are several restrictions on virtual zones: - - They must have type . - - A maximum of four virtual zones may be defined. diff --git a/manpages6/shorewall6-zones.xml b/manpages6/shorewall6-zones.xml index a97c23df6..c6b358e77 100644 --- a/manpages6/shorewall6-zones.xml +++ b/manpages6/shorewall6-zones.xml @@ -169,6 +169,17 @@ c:a,b ipv6 single bridge. + + + virtual + + + Added in Shorewall 4.4.5. Virtual zones are containers + for other zones. See shorewall6-nesting (5) + for details. + + From a37e56d823ea9959e362026836fa0541df9a6210 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 27 Nov 2009 08:49:00 -0800 Subject: [PATCH 08/11] More doc updates for virtual zones --- Shorewall/releasenotes.txt | 4 ++-- manpages/shorewall-zones.xml | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index bbf58a8d2..baa61f92f 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -245,7 +245,7 @@ None. derives from the fact that each virtual zone requires 2 bits in the packet mark). - Virtual zones are use as parent zones for other zones using the + Virtual zones are used as parent zones for other zones using the : syntax in /etc/shorewall/zones: Example: @@ -254,7 +254,7 @@ None. loc:virt ipv4 vpn:virt ipsec - As shown in that example, a virtual zone may be a parent for + As shown in the example, a virtual zone may be a parent for multiple zone types. Virtual zones are intended to be used with diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml index dbbdc2e3a..ac9057b06 100644 --- a/manpages/shorewall-zones.xml +++ b/manpages/shorewall-zones.xml @@ -169,6 +169,17 @@ c:a,b ipv4 single bridge. + + + virtual + + + Added in Shorewall 4.4.5. Virtual zones are containers + for other zones. See shorewall-nesting (5) for + details. + + From 7f16e961676dad431b413d51ef2ed8c14144bf75 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Fri, 27 Nov 2009 08:52:37 -0800 Subject: [PATCH 09/11] Set version to 4.4.5 Beta1 --- Shorewall-lite/fallback.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 6 ++++-- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/install.sh | 2 +- Shorewall/shorewall.spec | 6 ++++-- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/fallback.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 6 ++++-- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/fallback.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 6 ++++-- Shorewall6/uninstall.sh | 2 +- 16 files changed, 28 insertions(+), 20 deletions(-) diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 4a34395bf..f11af0660 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 04441fc79..07978a4f8 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index c1bb7064a..81c03b132 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.5.0 -%define release 0base +%define version 4.4.5 +%define release 0Beta1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -100,6 +100,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Nov 27 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net - Updated to 4.5.0-0base * Sat Nov 21 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 9b76b60c9..e7b2b24bb 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4a4456c24..8a5f7d697 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -328,7 +328,7 @@ sub initialize( $ ) { TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.4.5", + VERSION => "4.4.5-Beta1", CAPVERSION => 40405 , ); diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 8b7446c48..0695ec3ec 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index cbebc6597..629efc1d7 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall -%define version 4.5.0 -%define release 0base +%define version 4.4.5 +%define release 0Beta1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -106,6 +106,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Fri Nov 27 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net - Updated to 4.5.0-0base * Sat Nov 21 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 2fde18a89..22fa6c551 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh index 4a34395bf..f11af0660 100755 --- a/Shorewall6-lite/fallback.sh +++ b/Shorewall6-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 2cc756b00..07a0e39aa 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 2b0b0bb8f..a12855a2b 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite -%define version 4.5.0 -%define release 0base +%define version 4.4.5 +%define release 0Beta1 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} 
@@ -91,6 +91,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Nov 27 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net - Updated to 4.5.0-0base * Sat Nov 21 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 544fee8b1..1b85f1699 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh index eb68f5506..dbfc03602 100755 --- a/Shorewall6/fallback.sh +++ b/Shorewall6/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index dd3a6a55d..e2d465540 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 30ac9e778..795fe535b 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 -%define version 4.5.0 -%define release 0base +%define version 4.4.5 +%define release 0Beta1 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} 
@@ -95,6 +95,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Fri Nov 27 2009 Tom Eastep tom@shorewall.net +- Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net - Updated to 4.5.0-0base * Sat Nov 21 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 933dc7baa..c9bdaa7b5 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.5.0 +VERSION=4.4.5-Beta1 usage() # $1 = exit status { From 543af8bccb3f5e123858c39455eda61eba80e1e1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 27 Nov 2009 08:56:23 -0800 Subject: [PATCH 10/11] Fix off-by-one problem --- Shorewall/Perl/Shorewall/Zones.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 4f5f5db68..e96c6959f 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -183,7 +183,7 @@ use constant { SIMPLE_IF_OPTION => 1, }; use constant { VIRTUAL_BASE => 0x1000000 , - VIRTUAL_LIMIT => 0x8000000 , + VIRTUAL_MASK => 0xf000000 , VIRTUAL_BITS => 4 #Bits for virtual MASK numbers }; @@ -411,7 +411,7 @@ sub process_zone( \$ ) { $type = FIREWALL; } elsif ( $type eq 'virtual' ) { require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; - fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; + fatal_error "Too many virtual zones" unless $virtualmark & VIRTUAL_MASK; $virtual = $virtualmark; $virtualmark = $virtualmark << 1; $type = VIRTUAL; From 8297db4c5942df751bb0e6b1c37f35cbc70cc602 Mon Sep 17 00:00:00 2001 
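Review bot: The new limit test `unless $virtualmark & VIRTUAL_MASK` in the Zones.pm hunk is right only because `$virtualmark` starts at VIRTUAL_BASE (0x1000000) and is shifted left once per virtual zone, so the fifth zone lands on 0x10000000, outside the 0xf000000 mask, matching the four-zone maximum the nesting man pages state; none of that is recorded next to the constants. A comment on the constant block would save the next reader the arithmetic, e.g. `# Virtual zones occupy bits 24-27 of the fwmark (VIRTUAL_BASE..VIRTUAL_MASK, four zones at most); the VIRTUAL_BITS shift used by the matrix code moves a zone's bit into bits 28-31`, the second half to be confirmed against the `<< VIRTUAL_BITS` uses elsewhere in the series. Where `$virtualmark` is initialised is outside the hunk, so please confirm it is reset to VIRTUAL_BASE on every compile. `process_zone` begins before the hunk.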
From: Tom Eastep Date: Fri, 27 Nov 2009 11:41:14 -0800 Subject: [PATCH 11/11] Fix .spec history to omit false steps --- Shorewall-lite/shorewall-lite.spec | 4 ---- Shorewall/shorewall.spec | 4 ---- Shorewall6-lite/shorewall6-lite.spec | 4 ---- Shorewall6/shorewall6.spec | 4 ---- 4 files changed, 16 deletions(-) diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 81c03b132..40e68bc54 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -103,10 +103,6 @@ fi * Fri Nov 27 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.5.0-0base -* Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.4.5-0base -* Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0base * Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0Beta2 diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 629efc1d7..1bad9014c 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -109,10 +109,6 @@ fi * Fri Nov 27 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.5.0-0base -* Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.4.5-0base -* Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0base * Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0Beta2 diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index a12855a2b..149a9066f 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec 
@@ -94,10 +94,6 @@ fi * Fri Nov 27 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.5.0-0base -* Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.4.5-0base -* Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0base * Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0Beta2 diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 795fe535b..0288a6587 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -98,10 +98,6 @@ fi * Fri Nov 27 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.5-0Beta1 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.5.0-0base -* Sat Nov 21 2009 Tom Eastep tom@shorewall.net -- Updated to 4.4.5-0base -* Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0base * Fri Nov 13 2009 Tom Eastep tom@shorewall.net - Updated to 4.4.4-0Beta2