diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 48cff1929..8ba0df0c9 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -47,3 +47,7 @@ Changes since 1.3.14
 21. Improved parsing of comma-separated lists.
 
+22. Add ECN Removal support
+
+23. Add TCP ports 445 and 139 to the common silent list.
+
 
diff --git a/Shorewall/common.def b/Shorewall/common.def
index e22931b0c..dfa0d3204 100644
--- a/Shorewall/common.def
+++ b/Shorewall/common.def
@@ -22,6 +22,8 @@ run_iptables -A common -m state -p tcp --state INVALID -j DROP
 #
 run_iptables -A common -p udp --dport 137:139 -j REJECT
 run_iptables -A common -p udp --dport 445 -j REJECT
+run_iptables -A common -p tcp --dport 139 -j REJECT
+run_iptables -A common -p tcp --dport 445 -j REJECT
 run_iptables -A common -p tcp --dport 135 -j reject
 ############################################################################
 # UPnP
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 3f8b41185..5f149f8cb 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
 
-VERSION=1.4.0-Beta1
+VERSION=1.4.0-Beta2
 
 usage() # $1 = exit status
 {
@@ -131,6 +131,8 @@ restore_file /etc/shorewall/stop
 
 restore_file /etc/shorewall/stopped
 
+restore_file /etc/shorewall/ecn
+
 if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
     restore_file /usr/lib/shorewall/version
     oldversion="`cat /usr/lib/shorewall/version`"
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 2a8ac02f9..24f25f9b8 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -366,6 +366,14 @@ flushnat() # $1 = name of chain
     run_iptables -t nat -F $1
 }
 
+#
+# Flush one of the Mangle table chains
+#
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
 #
 # Chain name base for an interface
 #
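Review bot: The two new TCP rules in the common.def hunk jump to the builtin `REJECT` target, while the adjacent TCP rule for port 135 jumps to the lowercase `reject` chain, so the same chain now answers TCP 139/445 probes differently from TCP 135. If `reject` is the helper that picks a TCP RST for TCP traffic (which its use on the port 135 line suggests, though its definition is not in the diff), the builtin target will instead answer with an ICMP port-unreachable, which is both a visible fingerprinting difference and slower for legitimate clients that retry. Using `run_iptables -A common -p tcp --dport 139 -j reject` and `run_iptables -A common -p tcp --dport 445 -j reject` would keep the three TCP lines uniform. The UDP lines above already cover 137:139 and 445, so the TCP additions complete the set rather than duplicate it.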
@@ -455,7 +463,15 @@ dnat_chain() # $1 = zone
 #
 snat_chain() # $1 = zone
 {
-    echo ${1}_snat
+    echo `chain_base $1`_snat
+}
+
+#
+# ECN Chain to an interface
+#
+ecn_chain() # $1 = interface
+{
+    echo ${1}_ecn
 }
 
 #
@@ -1766,6 +1782,52 @@ delete_nat()
 {
     [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
 }
+#
+# Setup ECN disabling rules
+#
+setup_ecn() # $1 = file name
+{
+    local interfaces
+    local hosts
+    local h
+
+    strip_file ecn $1
+
+    while read interface host; do
+        expandv interface host
+        list_search $interface $all_interfaces || \
+            startup_error "Unknown interface $interface"
+        list_search $interface $interfaces || \
+            interfaces="$interfaces $interface"
+        [ "x$host" = "x-" ] && host=0.0.0.0/0
+        for h in `separate_list $host`; do
+            hosts="$hosts $interface:$h"
+        done
+    done < $TMP_DIR/ecn
+
+    if [ -n "$interfaces" ]; then
+        echo "Setting up ECN control on${interfaces}..."
+
+        for interface in $interfaces; do
+            chain=`ecn_chain $interface`
+            if mangle_chain_exists $chain; then
+                flushmangle $chain
+            else
+                run_iptables -t mangle -N $chain
+                run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
+                run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
+            fi
+        done
+
+        for host in $hosts; do
+            interface=${host%:*}
+            h=${host#*:}
+            run_iptables -t mangle -A `ecn_chain $interface` -p tcp -d $h -j ECN --ecn-tcp-remove
+            echo " ECN Disabled to $h through $interface"
+        done
+    fi
+}
+
 #
 # Process a TC Rule - $marking_chain is assumed to contain the name of the
 # default marking chain
@@ -4004,6 +4066,10 @@ define_firewall() # $1 = Command (Start or Restart)
 
     [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
 
+    ecn=`find_file ecn`
+
+    [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
+
     [ -n "$TC_ENABLED" ] && setup_tc
 
     echo "Activating Rules..."
@@ -4099,6 +4165,9 @@ refresh_firewall()
     #
     refresh_blacklist
 
+    ecn=`find_file ecn`
+
+    [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
     #
     # Refresh Traffic Control
     #
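Review bot: `ecn_chain` builds its name as `${1}_ecn` straight from the interface name, while the same hunk changes `snat_chain` to go through `chain_base`, the helper whose comment in the earlier hunk reads "Chain name base for an interface". Since `ecn_chain` is the one that actually takes an interface, an interface name containing whatever characters `chain_base` normalizes would reach `run_iptables -t mangle -N $chain` unchanged; using the `chain_base $1` form that `snat_chain` now uses, i.e. `echo` followed by `chain_base $1` in backticks and `_ecn`, keeps the two helpers consistent. What `chain_base` strips is outside the diff, so the concrete failure mode is inferred from its use here.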
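Review bot: In `setup_ecn` the packed `interface:host` pairs are unpacked with `${host%:*}` (split at the last colon) and `${host#*:}` (split at the first colon), which disagree as soon as the interface name itself contains a colon, for example an alias such as eth0:0 if the interfaces file admits those; with IPv4 hosts containing no colon, `h=${host##*:}` would split both sides at the last colon and remove the ambiguity. `interface`, `host` and `chain` are also assigned without `local`, unlike `interfaces`, `hosts` and `h`, so the function leaves them set in the caller's scope. An entry whose host column is empty (neither an address nor `-`) presumably yields nothing from `separate_list`, so the chain is created and hooked into POSTROUTING/OUTPUT but no `--ecn-tcp-remove` rule is added and no message is printed; a `startup_error "No host specified for $interface"` in that case would make the misconfiguration visible. `strip_file`, `expandv`, `list_search`, `separate_list` and `mangle_chain_exists` are defined outside this hunk.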
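Review bot: The three lines that locate and apply the ecn file are duplicated verbatim in the `define_firewall` hunk and again in the `refresh_firewall` hunk, and in both places an existing /etc/shorewall/ecn is silently ignored when `MANGLE_ENABLED` is empty, so an administrator who wrote the file has no indication that no ECN-removal rule was installed. Mirroring the `tos` line keeps the style consistent, but one line after it, `[ -f $ecn ] && [ -z "$MANGLE_ENABLED" ] && echo "   Warning: $ecn ignored because MANGLE_ENABLED is not set"`, would surface the gap, and placing the whole three-line sequence in a small helper would avoid the duplication. `ecn` is not declared `local` in either function. Both `define_firewall` and `refresh_firewall` begin and end outside their hunks.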
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 3a5fa2442..0169ef969 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.0-Beta1
+VERSION=1.4.0-Beta2
 
 usage() # $1 = exit status
 {
@@ -538,6 +538,16 @@ else
     echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
 #
+# Install the ECN file
+#
+if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
+    backup_file /etc/shorewall/ecn
+else
+    run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
+    echo
+    echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
+fi
+#
 # Backup the version file
 #
 if [ -z "$PREFIX" ]; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e2dacc00d..c547a25c8 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -65,6 +65,16 @@ Changes for 1.4 include:
 
 
 8. IMPORTANT: Shorewall now REQUIRES the iproute package ('ip' utility).
 
+9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned
+   off on a host or network basis using the new /etc/shorewall/ecn
+   file. To use this facility:
+
+   a) You must be running kernel 2.4.20
+   b) You must have applied the patch in
+      http://www.shorewall/net/pub/shorewall/ecn/patch.
+   c) You must have iptables 1.2.7a installed.
+
+
 
 
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 1bff0ad83..a1489756a 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -97,6 +97,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
 %attr(0544,root,root) /sbin/shorewall
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
@@ -104,6 +105,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Mon Feb 24 2003 Tom Eastep
+- Changed version to 1.4.0-0Beta2
+* Sun Feb 23 2003 Tom Eastep
+- Add ecn file
 * Fri Feb 21 2003 Tom Eastep
 - Changes version to 1.4.0-0Beta1
 * Thu Feb 06 2003 Tom Eastep
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 63a8a0be5..77834e4b2 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.4.0-Beta1
+VERSION=1.4.0-Beta2
 
 usage() # $1 = exit status
 {