holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Merge branch '4.5.12'

Browse Source 
Conflicts:
	Shorewall/Perl/Shorewall/Chains.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-10 17:21:02 -08:00
commit 20b551a1da
8 changed files with 148 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/ARP.pm
View File

@ -278,7 +278,7 @@ sub create_arptables_load( $ ) {
'if [ $? != 0 ]; then', 'if [ $? != 0 ]; then',
qq( fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"), qq( fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
"fi\n", "fi\n",
"run_ip neigh flush nud noarp nud stale nud reachable\n", "run_ip neigh flush nud stale nud reachable\n",
); );
pop_indent; pop_indent;

37
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -407,7 +407,7 @@ use constant {
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }; use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 }; use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00, our %dscpmap = ( CS0 => 0x00,
CS1 => 0x08, CS1 => 0x08,
@ -462,6 +462,9 @@ use constant { NULL_MODE => 0 , # Emitting neither shell commands nor iptables
CMD_MODE => 2 }; # Emitting shell commands. CMD_MODE => 2 }; # Emitting shell commands.
our $mode; our $mode;
#
# A reference to this rule is returned when we try to push a rule onto a 'complete' chain
#
our $dummyrule = { simple => 1, mode => CAT_MODE }; our $dummyrule = { simple => 1, mode => CAT_MODE };
# #
@ -664,9 +667,7 @@ sub initialize( $$$ ) {
%isocodes = (); %isocodes = ();
%nfobjects = (); %nfobjects = ();
%switches = (); %switches = ();
#
# Initialize this here so we can make it dynamic without moving the initialization
#
%terminating = ( ACCEPT => 1, %terminating = ( ACCEPT => 1,
DROP => 1, DROP => 1,
RETURN => 1, RETURN => 1,
@ -680,6 +681,7 @@ sub initialize( $$$ ) {
NOTRACK => 1, NOTRACK => 1,
REDIRECT => 1, REDIRECT => 1,
RAWDNAT => 1, RAWDNAT => 1,
RAWSNAT => 1,
REJECT => 1, REJECT => 1,
SAME => 1, SAME => 1,
SNAT => 1, SNAT => 1,
@ -1036,7 +1038,7 @@ sub push_rule( $$ ) {
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;
$chainref->{complete} = 1 if $complete; $chainref->{complete} = 1 if $complete;
@ -1053,7 +1055,7 @@ sub add_trule( $$ ) {
assert( reftype $ruleref , $ruleref ); assert( reftype $ruleref , $ruleref );
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{optflags} |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug;
@ -1233,7 +1235,7 @@ sub push_irule( $$$;@ ) {
if ( $jump ) { if ( $jump ) {
$ruleref->{jump} = $jump; $ruleref->{jump} = $jump;
$ruleref->{target} = $target; $ruleref->{target} = $target;
$chainref->{optflags} |= DONT_MOVE if $target eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
$ruleref->{targetopts} = $targetopts if $targetopts; $ruleref->{targetopts} = $targetopts if $targetopts;
} else { } else {
$ruleref->{target} = ''; $ruleref->{target} = '';
@ -2850,6 +2852,7 @@ sub optimize_level4( $$ ) {
# The search continues until no short chains remain # The search continues until no short chains remain
# Chains with 'DONT_OPTIMIZE' are exempted from optimization # Chains with 'DONT_OPTIMIZE' are exempted from optimization
# #
while ( $progress ) { while ( $progress ) {
$progress = 0; $progress = 0;
$passes++; $passes++;
@ -2888,11 +2891,23 @@ sub optimize_level4( $$ ) {
delete_references $chainref; delete_references $chainref;
$progress = 1; $progress = 1;
} }
} elsif ( $numrules == 1) { } else {
my $firstrule = $chainref->{rules}[0]; #
# The chain has rules -- determine if it is terminating
#
my $name = $chainref->{name};
my $lastref = $chainref->{rules}[-1];
unless ( $chainref->{optflags} & RETURNS || $terminating{$name} ) {
$progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' );
}
if ( $numrules == 1) {
# #
# Chain has a single rule # Chain has a single rule
# #
my $firstrule = $lastref;
if ( $firstrule ->{simple} ) { if ( $firstrule ->{simple} ) {
# #
# Easy case -- the rule is a simple jump # Easy case -- the rule is a simple jump
@ -2948,7 +2963,6 @@ sub optimize_level4( $$ ) {
# all immediately preceding rules that have the same target # all immediately preceding rules that have the same target
# #
my $rulesref = $chainref->{rules}; my $rulesref = $chainref->{rules};
my $lastref = $rulesref->[-1];
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) { if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
my $target = $lastref->{target}; my $target = $lastref->{target};
@ -2981,7 +2995,8 @@ sub optimize_level4( $$ ) {
$count++; $count++;
} }
progress_message " $count $target rules deleted from chain $chainref->{name}" if $count; progress_message " $count $target rules deleted from chain $name" if $count;
}
} }
} }
} }

2
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -724,8 +724,6 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
} }
} }
set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
expand_rule( $nonat_chain , expand_rule( $nonat_chain ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
$rule , $rule ,

2
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2475,8 +2475,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
$action = $usedactions{$normalized_target}{name}; $action = $usedactions{$normalized_target}{name};
$loglevel = ''; $loglevel = '';
} else {
set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
} }
if ( $origdest ) { if ( $origdest ) {

4
Shorewall/Perl/lib.core
View File

@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
delete_tc1() delete_tc1()
{ {
clear_one_tc() { clear_one_tc() {
$TC qdisc del dev $1 root 2> /dev/null $TC qdisc del dev ${1%@*} root 2> /dev/null
$TC qdisc del dev $1 ingress 2> /dev/null $TC qdisc del dev ${1%@*} ingress 2> /dev/null
} }

8
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -1051,10 +1051,10 @@ Normal-Service =&gt; 0x00</programlisting>
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term> role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
<listitem> <listitem>
<para>Optional - packet Length. This field, if present allow you to <para>Optional - packet payload length. This field, if present allow
match the length of a packet against a specific value or range of you to match the length of a packet payload (Layer 4 data ) against
values. You must have iptables length support for this to work. A a specific value or range of values. You must have iptables length
range is specified in the form support for this to work. A range is specified in the form
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both) <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is

8
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -913,10 +913,10 @@ Normal-Service =&gt; 0x00</programlisting>
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term> role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
<listitem> <listitem>
<para>Optional packet Length. This field, if present allow you to <para>Optional - packet payload length. This field, if present allow
match the length of a packet against a specific value or range of you to match the length of a packet payload (Layer 4 data ) against
values. You must have ip6tables length support for this to work. A a specific value or range of values. You must have iptables length
range is specified in the form support for this to work. A range is specified in the form
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both) <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is

32
docs/configuration_file_basics.xml
View File

@ -142,10 +142,16 @@
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/blacklist</filename> - lists <para><filename>/etc/shorewall/blacklist</filename> - Deprecated in
favor of <filename>/etc/shorewall/blrules</filename>. Lists
blacklisted IP/subnet/MAC addresses.</para> blacklisted IP/subnet/MAC addresses.</para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/blrules</filename> — Added in
Shorewall 4.5.0. Define blacklisting and whitelisting.</para>
</listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/init</filename> - commands that you <para><filename>/etc/shorewall/init</filename> - commands that you
wish to execute at the beginning of a <quote>shorewall start</quote> wish to execute at the beginning of a <quote>shorewall start</quote>
@ -258,6 +264,11 @@
start/restart when LOAD_HELPERS_ONLY=Yes in start/restart when LOAD_HELPERS_ONLY=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</listitem> </listitem>
<listitem>
<para><filename>/usr/share/arprules</filename> — Added in Shorewall
4.5.12. Allows specification of arptables rules.</para>
</listitem>
</itemizedlist></para> </itemizedlist></para>
<para><emphasis role="bold">If you need to change a file in <para><emphasis role="bold">If you need to change a file in
@ -297,6 +308,12 @@
<programlisting># This is a comment <programlisting># This is a comment
ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting> ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting>
</example> </example>
<important>
<para>If a comment ends with a backslash ("\"), the next line will also
be treated as a comment. See <link linkend="Continuation">Line
Continuation</link> below.</para>
</important>
</section> </section>
<section id="Names"> <section id="Names">
@ -516,6 +533,19 @@ ACCEPT net:\
continuation line does not end with a comma or colon, the leading white continuation line does not end with a comma or colon, the leading white
space in the last line is not ignored.</para> space in the last line is not ignored.</para>
</example> </example>
<important>
<para>A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<emphasis role="bold">#</emphasis>ACCEPT net:\
206.124.146.177,\
206.124.146.178,\
206.124.146.180\
dmz tcp 873</programlisting>
</important>
</section> </section>
<section id="Pairs"> <section id="Pairs">