From 144c9ab576eca9cbb56a51456f6e9374cd95c48c Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 31 Dec 2002 01:10:28 +0000
Subject: [PATCH] Add DNAT- action; 'shorewall check' prints policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

---
 Shorewall/changelog.txt | 43 +++---------------------------
 Shorewall/firewall | 42 ++++++++++++++++++++++++-----
 Shorewall/releasenotes.txt | 54 +++++++++++++++++---------------------
 Shorewall/rules | 4 +++
 4 files changed, 67 insertions(+), 76 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c8272f626..4921ca591 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,43 +1,6 @@
-Changes since 1.3.11
+Changes since 1.3.12
-1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
+1. Added 'DNAT-' target.
-2. "shorewall refresh" now refreshes the traffic shaping rules
+2. Print policies in 'check' command.
-3. Turned off debugging after error.
-
-4. Removed drop of INVALID state output ICMP packets.
-
-5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
-
-6. Replaced 'wc' invocation in list_count() by shell code (speedup)
-
-7. Replaced 'sed' invocation in run_iptables() by shell code and
- optomized (speedup)
-
-8. Only read the interfaces file once (speedup)
-
-9. Only read the policy file once (speedup)
-
-10. Removed redundant function input_chains() (duplicate of first_chains())
-
-11. Generated an error if 'lo' is defined in the interfaces file.
-
-12. Clarified error message where ORIGINAL DEST is specified on an
- ACCEPT, DROP or REJECT rule.
-
-13. Added "shorewall show classifiers" command and added packet
- classification filter display to "shorewall monitor"
-
-14. Added an error message when the destination in a rule contained a
- MAC address.
-
-15. Added ULOG target support.
-
-16. Add MARK_IN_FORWARD option.
-
-17. General Cleanup for Release
-
-18. Release changes and add init, start, stop and stopped files.
-
-19. Add headings to NAT and Mangle tables in "shorewall status" output
diff --git a/Shorewall/firewall b/Shorewall/firewall
index fbbab24f3..2d055cc3a 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -833,6 +833,11 @@ validate_rule() {
 target=ACCEPT
 address=${address:=detect}
 ;;
+ DNAT-)
+ target=ACCEPT
+ address=${address:=detect}
+ logtarget=DNAT
+ ;;
 REDIRECT)
 target=ACCEPT
 address=${address:=all}
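Review bot: The new DNAT- arm in validate_rule is a copy of the DNAT arm directly above it plus `logtarget=DNAT`, and the list of accepted targets now has to be kept in step in three places: this arm, the DNAT- arm in process_rule (hunk @@ -2261) and the case pattern in process_rules (hunk @@ -2409). If validate_rule initialises `logtarget="$target"` before the case the way process_rule does (visible in hunk @@ -2252), the two arms could collapse into `DNAT|DNAT-)` with `logtarget=DNAT` added to the shared body; otherwise a comment on the new arm, `# DNAT- is validated like DNAT; only rule generation differs (no filter-table ACCEPT)`, would tell the next reader why it exists. Since the check command cannot tell whether the companion ACCEPT a DNAT- rule relies on is present, that limitation is worth stating in the same comment. validate_rule starts and ends outside the hunk.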
@@ -983,6 +988,17 @@ validate_policy()
 local zone1
 local pc
 local chain
+ local policy
+ local loglevel
+ local synparams
+
+ print_policy() # $1 = source zone, $2 = destination zone
+ {
+ [ $command != check ] || \
+ [ $1 = all ] || \
+ [ $2 = all ] || \
+ echo " Policy for $1 to $2 is $policy"
+ }
 all_policy_chains=
@@ -1048,27 +1064,34 @@ validate_policy()
 for zone1 in $zones $FW all; do
 eval pc=\$${zone}2${zone1}_policychain
- [ -n "$pc" ] || \
+ if [ -z "$pc" ]; then
 eval ${zone}2${zone1}_policychain=$chain
+ print_policy $zone $zone1
+ fi
 done
 done
 else
 for zone in $zones $FW all; do
 eval pc=\$${zone}2${server}_policychain
- [ -n "$pc" ] || \
+ if [ -z "$pc" ]; then
 eval ${zone}2${server}_policychain=$chain
+ print_policy $zone $server
+ fi
 done
 fi
 elif [ -n "$serverwild" ]; then
 for zone in $zones $FW all; do
 eval pc=\$${client}2${zone}_policychain
- [ -n "$pc" ] || \
- eval ${client}2${zone}_policychain=$chain
+ if [ -z "$pc" ]; then
+ eval ${client}2${zone}_policychain=$chain
+ print_policy $client $zone
+ fi
 done
 else
 eval ${chain}_policychain=${chain}
+ print_policy $client $server
 fi
 done < $TMP_DIR/policy
@@ -2152,7 +2175,7 @@ add_a_rule()
 add_nat_rule
 fi
- if [ $chain != ${FW}2${FW} ]; then
+ if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
 serv="${serv:+-d $serv}"
 if [ -n "$loglevel" ]; then
@@ -2229,6 +2252,7 @@ process_rule() # $1 = target
 fi
 logtarget="$target"
+ dnat_only=
 # Convert 1.3 Rule formats to 1.2 format
@@ -2237,6 +2261,12 @@ process_rule() # $1 = target
 target=ACCEPT
 address=${address:=detect}
 ;;
+ DNAT-)
+ target=ACCEPT
+ address=${address:=detect}
+ dnat_only=Yes
+ logtarget=DNAT
+ ;;
 REDIRECT)
 target=ACCEPT
 address=${address:=all}
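Review bot: print_policy tests `$command`, `$1` and `$2` unquoted, so an empty zone field in the policy file turns `[ $1 = all ]` into a test syntax error instead of a skipped line; write `[ "$command" != check ] || [ "$1" = all ] || [ "$2" = all ] || echo " Policy for $1 to $2 is $policy"` and the same applies to the `print_policy $zone $zone1` calls in the next hunk. Declaring `policy`, `loglevel` and `synparams` local also changes them from shell globals to function scope; if anything that runs after validate_policy returns reads the values left behind by the read loop over $TMP_DIR/policy, it now sees stale or empty values, which I cannot confirm from here and is worth checking before merging. The nested definition makes print_policy a global function that is redefined on every validate_policy call, which is harmless but would read more naturally as a file-level helper with a short header comment stating that it only prints under `check` and only for non-wildcard pairs. validate_policy starts and ends outside the hunk.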
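Review bot: The new condition in add_a_rule reads `dnat_only`, a global that process_rule sets (hunks @@ -2252 and @@ -2261) rather than a parameter, so the rule emitted here depends on which caller ran last; if any path reaches add_a_rule without passing process_rule's `dnat_only=` reset, a DNAT- rule earlier in the rules file would silently suppress the ACCEPT of a later rule. The failure mode is a missing filter-table ACCEPT, so the connection presumably falls through to the zone policy rather than being opened, but it would be hard to diagnose; a comment at the check, `# dnat_only is set by process_rule(): a DNAT- rule gets the nat-table rule only`, would at least document the coupling. The `-a` form of test is also easy to misread and deprecated in POSIX; `if [ -z "$dnat_only" ] && [ "$chain" != "${FW}2${FW}" ]; then` says the same thing with quoted operands. add_a_rule starts and ends outside the hunk.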
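Review bot: The DNAT- arm in process_rule overrides `logtarget=DNAT` without saying why, and a reader cannot tell from the arm whether the override is cosmetic or matters for whatever consumes `logtarget`; since the `logtarget="$target"` default above would otherwise carry the trailing '-', a one-line comment such as `# log DNAT- exactly like DNAT; dnat_only tells add_a_rule to skip the filter-table ACCEPT` would make both assignments self-explaining. `dnat_only=Yes` is the only place the flag is set, so a note that any future target which should also skip the ACCEPT must set it here and be added to validate_rule (hunk @@ -833) and process_rules (hunk @@ -2409) would help the next maintainer. process_rule starts and ends outside the hunk.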
@@ -2379,7 +2409,7 @@ process_rules() # $1 = name of rules file
 while read xtarget xclients xservers xprotocol xports xcports xaddress; do
 case "$xtarget" in
- ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
+ ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
 expandv xclients xservers xprotocol xports xcports xaddress
 if [ "x$xclients" = xall ]; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index ce2580b87..92d4fab1a 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -2,39 +2,33 @@ This is a minor release of Shorewall that has a couple of new features.
 New features include:
-1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
- and tcstart).
+1) A new 'DNAT-' action has been added for entries in the
+ /etc/shorewall/rules file. DNAT- is intended for advanced users who
+ wish to minimize the number of rules that connection requests must
+ traverse.
+
+ A Shorewall DNAT rule actually generates two iptables rules: an
+ address rewriting rule in the 'nat' table and an ACCEPT rule in the
+ 'filter' table. A DNAT- rule only generates the first of these
+ rules. This is handy when you have several DNAT rules that would
+ generate the same ACCEPT rule.
-2) "shorewall debug [re]start" now turns off debugging after an error
- occurs. This places the point of the failure near the end of the
- trace rather than up in the middle of it.
+ Here are three rules from my previous rules file:
+
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-3) "shorewall [re]start" has been speeded up by more than 40% with
- my configuration. Your milage may vary.
+ These three rules ended up generating _three_ copies of
-4) A "shorewall show classifiers" command has been added which shows
- the current packet classification filters. The output from this
- command is also added as a separate page in "shorewall monitor"
+ ACCEPT net dmz:206.124.146.177 tcp smtp
-5) ULOG (must be all caps) is now accepted as a valid syslog level and
- causes the subject packets to be logged using the ULOG target rather
- than the LOG target. This allows you to run ulogd (available from
- www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
- a separate log file.
+ By writing the rules this way, I end up with only one copy of the
+ ACCEPT rule.
-6) If you are running a kernel that has a FORWARD chain in the mangle
- table ("shorewall show mangle" will show you the chains in the
- mangle table), you can set MARK_IN_FORWARD=Yes in
- shorewall.conf. This allows for marking inbound packets based on
- their destination even when you are using Masquerading or SNAT.
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-7) I have cluttered up the /etc/shorewall directory with empty 'init',
- 'start', 'stop' and 'stopped' files. If you already have a file with
- one of these names, don't worry -- the upgrade process won't
- overwrite your file.
-
-8) I have added a new RFC1918_LOG_LEVEL variable to
- shorewall.conf. This variable specifies the syslog level at which
- packets are logged as a result of entries in the
- /etc/shorewall/rfc1918 file. Previously, these packets were always
- logged at the 'info' level.
+2) The 'shorewall check' command now prints out the applicable policy
+ between each pair of zones.
diff --git a/Shorewall/rules b/Shorewall/rules
index 8554645d9..8a6244f55 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -24,6 +24,10 @@
 # DNAT -- Forward the request to another
 # system (and optionally another
 # port).
+# DNAT- -- Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
 # REDIRECT -- Redirect the request to a local
 # port on the firewall.
 #