Commit Graph

8028 Commits

Author SHA1 Message Date
Tom Eastep
fba5847fa3 Merge branch 'master' of ssh://gitlab.com/shorewall/code
Merge remaining requests to the 5.2.9 path
2024-04-15 20:06:34 -07:00
Tom Eastep
2673e6e60c Merge branch 'busybox-shell-fixes/v1' into 'master'
lib.cli-std: fix two shell errors when AUTOMAKE is false

See merge request shorewall/code!14
2024-04-16 03:05:57 +00:00
Tom Eastep
d1a8c19712 Merge branch 'support-SAFESTOP-under-systemd-in-debian/v1' into 'master'
Support `SAFESTOP` under systemd in Debian

See merge request shorewall/code!11
2024-04-16 02:59:32 +00:00
Tom Eastep
3c77d83260 Merge branch 'clean-test-ipset' into 'master'
Destroy the temporary IP set in the cleanup function

See merge request shorewall/code!13
2024-04-16 02:46:50 +00:00
Tom Eastep
c94c3c5720 Merge branch 'master' of ssh://gitlab.com/shorewall/code
Merge Socket6 patch into 5.2.9
2024-04-15 15:58:31 -07:00
Tom Eastep
d8e43cee2b Merge branch 'master' into 'master'
Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo

See merge request shorewall/code!5
2024-04-15 22:57:24 +00:00
Tom Eastep
17d77ddc84 Merge branch 'master' of ssh://gitlab.com/shorewall/code
Merge from Master
2024-04-15 14:42:14 -07:00
Tom Eastep
d3f3a59d6f Merge branch 'master' of ssh://gitlab.com/shorewall/code
Merge changes that occurred while I was inactive
2024-04-15 14:29:10 -07:00
Tom Eastep
b619f1333e Correct status of optional interface during 'disable'
- If <interface>.status contains 0 but the interface's routing table has
  been deleted, then 'disable' would not correct the file.

- This simple change corrects that problem.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-04-15 13:29:08 -07:00
Tom Eastep
90444bdc44 Correct comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-29 15:48:45 -07:00
Tuomo Soini
5a66c1d9d6 AllowICMPs: certificate path advertisment source must be fe80::/10
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
de23e641f7 AllowICMPs: certificate path solicitation source must be :: or fe80::/10
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
a8294ed495 AllowICMPs: listener report v2 source must be :: or fe80::/10
rfc3810 section-5

Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
393cd5043d AllowICMPs: router-advertisment source must be fe80::/10
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
0de5e88018 AllowICMPs: allowing redirects is a security issue and not required
Also redirect source must be fe80::/10

Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tom Eastep
44671e906d Correct typo
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-13 18:16:51 -07:00
Tom Eastep
160c259866 Silly documentation change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-11 12:32:45 -07:00
Tom Eastep
8f826ce70d Avoid 'ip' error messages due to missing optional interface
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-10 12:55:34 -07:00
Tom Eastep
895428c7c1 Handle the case where a single host exclusion specifies multiple nets
Also reorganize the exclusion code to make it self-contained within
add_common_rules()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-10 10:30:33 -07:00
Tom Eastep
0855bc4187 Create /etc/iproute2/rt_tables if it doesn't exist
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-09 15:52:49 -08:00
Tom Eastep
3e52a6c005 Remove interface status files during 'stop/clear' processing
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 16:13:05 -08:00
Tom Eastep
8ce3f23464 Set AUTOHELPERS=No in the samples
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 13:27:47 -08:00
Tom Eastep
467cc4c252 Correct src-dst single exclusion
Match the destination address in the output chain

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 11:50:49 -08:00
Tom Eastep
a9359d2610 Update $globals{VERSION}
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 15:41:15 -08:00
Tom Eastep
9479b83c48 Correct add_dbl_exclution_ijump()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 14:18:06 -08:00
Tom Eastep
f37a74a667 Add a comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 12:30:37 -08:00
Tom Eastep
0ecf0703dc Correct classic blacklisting
- No filtering in the OUTPUT chain
- Correct ipsec filtering

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 12:26:59 -08:00
Tom Eastep
f1317f919f Handle ipsec correctly in ipset-based dynamic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-06 20:26:58 -08:00
Tom Eastep
cbe2935fce Handle 'nodbl' in complex host definitions
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-06 17:18:50 -08:00
Tom Eastep
a8718b9867 Clearify 'ip' in shorewall-hosts(5)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-05 15:21:26 -08:00
Tom Eastep
a9c2ee3a76 Major cleanup of DYNAMIC_BLACKLIST code
1) Avoid having to parse the setting in the Zones, Misc and rules modules
2) Apply ipset match rule after dealing with exclusions rather than before
3) Correct handling of src-dst

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-05 14:45:41 -08:00
Tom Eastep
dfd40ee208 Factor out ipset match rule generateion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-04 13:44:23 -08:00
Tom Eastep
8d0dba349c Shorten DBL exclusion chain names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-04 12:10:56 -08:00
Tom Eastep
f21d8b2a27 Correct parsing of the hosts file:
1) Fixed IPv6 parsing of the HOSTS column
2) Properly detect IPv4 loopback violations

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-03 09:54:33 -08:00
Tom Eastep
11fb1ab6cf Insert comments into add_common_rules()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 19:51:18 -08:00
Tom Eastep
e8f28fa564 Allow 'nodbl' for classic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 16:16:02 -08:00
Tom Eastep
337a4bd6ec Use shorter names for dbl exclusion chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 14:54:45 -08:00
Tom Eastep
91d5dbb7ba Fix some blacklisting bugs:
- src-dst didn't work
- typo in shorewall.conf(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 13:53:31 -08:00
Tom Eastep
4ca77b109c Replace bizarre {dbl} encoding (what was I smoking when I wrote that code?)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 10:40:12 -08:00
Tom Eastep
a96656a509 Clean up shorewall.conf(5)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 09:52:16 -08:00
Tom Eastep
f928b4d6fc Add a comment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 08:45:46 -08:00
Tom Eastep
a3abafa98b Add a 'nodbl' option for the hosts file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 08:33:36 -08:00
Jeremy Sowden
badf2fc9f0 Support SAFESTOP under systemd
By default, in Debian and its derivatives, stopping the Shorewall
service executes `/sbin/shorewall clear`.

The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the
service by calling `/sbin/shorewall stop`.

However, the systemd service files do not support this.  Instead,
install a shell-script that sources /etc/default/shorewall and honours
`SAFESTOP` when stopping Shorewall and patch the service files to call
it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-09-09 12:48:07 +01:00
Jeremy Sowden
5e8ce7d073 lib.cli-std: fix two shell errors when AUTOMAKE is false
If `AUTOMAKE` is set to `no` in the config file, it is normalized to the
empty string.

This leads to two errors if `find` is provided by Busybox.

There is a conditional where `$AUTOMAKE` is not quoted when compared to
`recursive` leading to the following error:

  /usr/share/shorewall/lib.cli-std: line 398: [: =: unary operator expected

In contrast to the non-Busybox case, we don't check for an empty
`$AUTOMAKE` before passing it as an argument to `-maxdepth`, leading to:

  /usr/bin/find: Expected a positive decimal integer argument to -maxdepth, but got -type

Refactor the conditionals to eliminate code duplication and fix these two
bugs.

Link: https://gitlab.com/shorewall/code/-/issues/10
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-09-04 21:06:30 +01:00
Glop
450a16f730 Destroy the temporary IP set in the cleanup function
In the IP set capability tests, there is a race condition which
might prevent the removal of the temporary IP set immediately
after flushing the chain that uses this IP set: even though the
rules which used the IP set were deleted, the IP set might still
appear to be “in use by a kernel component.”

In case this happens, we add an extra call to `ipset -X` in the
`cleanup_iptables()` function, just to be sure that the temporary
IP set is indeed destroyed when the compiler exits.
2023-03-03 16:12:04 +01:00
Paul Gear
aae5baedfd Merge branch 'idl0r_iptablesw' into 'master'
Improve iptables --wait check

See merge request shorewall/code!6
2023-02-01 02:47:31 +00:00
Paul Gear
95831e372f Merge branch 'tor_metrics' into 'master'
Add TorMetrics macro

See merge request shorewall/code!7
2023-02-01 02:41:22 +00:00
Jeremy Sowden
5637385507 Document related man-pages in Debian systemd service files
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-01-31 22:50:18 +00:00
Vincas Dargis
c1e58f6faf Add TorMetrics macro
Add macro for Tor metrics port.

See
https://support.torproject.org/relay-operators/relay-bridge-overloaded/
2022-09-18 15:08:54 +03:00
Christian Ruppert
8b0d829531
Check for wait option if we don't have capabilities
Only check for iptables --wait option if we don't already have existing
capabilities. If we have some and they're not up2date / don't match,
it will issue a warning anyway.
If a valid capabilities file exists, it will already cover whether we
can use --wait or not, that's what WAIT_OPTION is for.

Signed-off-by: Christian Ruppert <idl0r@qasl.de>
2022-04-02 11:52:10 +02:00